Category Archives: Server project

SUDO CVE-2021-3156 and how to upgrade CentOS 6

Sudo is a powerful utility built into almost all Linux distributions, and we have bad news for you: a privilege escalation vulnerability (CVE-2021-3156) has recently been discovered.

The vulnerability affects all the following sudo versions:

All legacy versions from 1.8.2 to 1.8.31p2
All stable versions from 1.9.0 to 1.9.5p1

Successful exploitation allows any unprivileged user to escalate their privileges to root on the vulnerable host. Since it is a local privilege escalation vulnerability, the attacker needs access to a local user account on the host in order to actually exploit it.

To test your host for this vulnerability, run the following command:

sudoedit -s /

If you receive the following response

usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

your host is safe, but if you receive something like

sudoedit: /: not a regular file

please upgrade sudo.

For CentOS 7 and CentOS 8 this is not a problem (yum -y update sudo), but if you are using CentOS 6 there is no way to upgrade from the official mirrors, since CentOS 6 is EOL.

You can download the rpm files from HERE

Or directly

Then install the rpms with

rpm -U sudo-1.9.5-3.el6.x86_64.rpm
rpm -U sudo-logsrvd-1.9.5-3.el6.x86_64.rpm
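As an added triage helper that is not part of the post, the shell functions below combine the two signals the post gives: the affected version ranges and the reply to sudoedit -s /. Distributions often backport the fix without changing the upstream version number, so the version check alone over-reports and the probe decides.

```shell
#!/bin/sh
# Added triage helper, not from the post. Classifies a sudo version string
# against the ranges the post lists for CVE-2021-3156:
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1.
# Returns 0 (true) when the version falls inside an affected range.
sudo_version_affected() {
    ver=$1
    # "1.8.31p2" -> major=1 minor=8 patch=31 plevel=2 (plevel=0 without a "p" suffix)
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case $rest in *p*) plevel=${rest#*p} ;; *) plevel=0 ;; esac
    case "$major.$minor" in
        1.8) if [ "$patch" -ge 2 ] && { [ "$patch" -lt 31 ] || { [ "$patch" -eq 31 ] && [ "$plevel" -le 2 ]; }; }; then return 0; fi ;;
        1.9) if [ "$patch" -lt 5 ] || { [ "$patch" -eq 5 ] && [ "$plevel" -le 1 ]; }; then return 0; fi ;;
    esac
    return 1
}

# The first line of "sudo --version" reads "Sudo version X.Y.Z"; print only X.Y.Z.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Interpret the reply of "sudoedit -s /" the way the post describes it:
# a usage line means the fix is present, "not a regular file" means vulnerable.
classify_sudoedit_output() {
    case $1 in
        *"not a regular file"*) echo vulnerable ;;
        usage:*)                echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Live check of the local host combining both signals (not run at load time).
# The probe is authoritative: a backported fix keeps the old version number.
check_host() {
    ver=$(installed_sudo_version)
    if sudo_version_affected "$ver"; then by_version=inside; else by_version=outside; fi
    by_probe=$(classify_sudoedit_output "$(sudoedit -s / 2>&1)")
    echo "sudo ${ver:-unknown}: version-range=$by_version sudoedit-probe=$by_probe"
}
```

Run check_host as an ordinary user on each host; a result of version-range=inside with sudoedit-probe=patched is the normal picture on a distribution that backported the fix.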

Time and date on CentOS 7 Howto

NTP stands for Network Time Protocol and it is used to keep the clocks of your servers synchronized with each other using a common, reliable time source.

The example below is for a basic NTP client/server setup.

NTP client

Install NTP with

yum install ntp

Then check timezone with


If you are not satisfied with your time zone and wish to change it, first list the available zones with

timedatectl list-timezones

and set your time zone with the command below (e.g. Berlin):

timedatectl set-timezone Europe/Berlin

Enable the ntpd service at boot and start it:

systemctl enable ntpd
systemctl start ntpd

To get a basic report, use ntpstat or date.

To get information about the time synchronization process and the peers in use:

ntpq -p

All NTP configuration lives in the /etc/ntp.conf file.

To use your server as an NTP server for the local network, make sure the file contains a line like

restrict mask nomodify notrap

where the network and mask are the local network that is allowed to sync with your NTP server.

You can get the public NTP servers specific to your region from

PostgreSQL on CentOS 7 – Howto

In this post I will show you how to install PostgreSQL 9.6 on CentOS 7.3, which are the current versions of PostgreSQL and CentOS.

The default PostgreSQL version on CentOS 7.3 is PostgreSQL 9.2, which is still maintained, but if you prefer more cutting-edge technology, follow the steps below.

First, remove the already installed version (if you installed the default one):

yum remove postgresql-server postgresql-contrib

Install official PostgreSQL Yum repo with

yum -y install

which will create a new repo file /etc/yum.repos.d/pgdg-96-centos.repo with the following content:

name=PostgreSQL 9.6 $releasever - $basearch
name=PostgreSQL 9.6 $releasever - $basearch - Source
name=PostgreSQL 9.6 $releasever - $basearch
name=PostgreSQL 9.6 $releasever - $basearch - Source

Now install PostgreSQL with

yum -y groupinstall "PostgreSQL Database Server 9.6 PGDG"

and initialize it with

/usr/pgsql-9.6/bin/postgresql96-setup initdb

Start and enable service with

systemctl start postgresql-9.6.service
systemctl enable postgresql-9.6.service

Switch to the postgres user with

su postgres -

and connect to the server (currently running only on localhost)


Check the installed version with

SELECT version();

You should get something like

 PostgreSQL 9.6.1 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4), 64-bit
(1 row)

The default PostgreSQL installation listens only on localhost, so if you want to connect from a remote host you will need to change a few things.

Open /var/lib/pgsql/9.6/data/postgresql.conf, find the line #listen_addresses = 'localhost' and replace it with listen_addresses = '*':


# - Connection Settings -
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
#port = 5432                            # (change requires restart)
max_connections = 100                   # (change requires restart)


# - Connection Settings -
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
listen_addresses = '*'
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
#port = 5432                            # (change requires restart)
max_connections = 100                   # (change requires restart)

Now open /var/lib/pgsql/9.6/data/pg_hba.conf and add at the end

host    all             all             YOUR_CLIENT_IP_ADDRESS/32            md5

save the file and restart the service with

systemctl restart postgresql-9.6.service

The last step before you test it is to change the password for the postgres user with

su postgres -
bash-4.2$ psql
psql (9.6.1)
Type "help" for help.
postgres=# \password
Enter new password:
Enter it again:
postgres=# \q

Now add a new server in pgAdmin and test it.
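Added here as an audit helper, not code from the post: once listen_addresses = '*' exposes the server on every interface, the pg_hba.conf rules are all that stand between the network and the database, so this script lists host rules that are wider than the single /32 the post adds, or that use trust or cleartext password authentication. The prefix-length thresholds (24 for IPv4, 64 for IPv6) are assumptions to tune.

```shell
#!/bin/sh
# Added audit helper, not from the post. Reports pg_hba.conf host rules wider
# than the single-client /32 rule the post adds, and rules that skip or weaken
# password authentication. The prefix-length thresholds are assumptions.
# Usage: audit_pg_hba /var/lib/pgsql/9.6/data/pg_hba.conf
audit_pg_hba() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comments and blank lines
        $1 == "host" || $1 == "hostssl" || $1 == "hostnossl" {
            addr = $4; method = $5; findings = ""
            # "host db user ADDR MASK METHOD" form: a dotted netmask shifts the method column
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                method = $6
                if ($5 !~ /^255\.255\.255\./) findings = findings " wide-address"
            } else if (addr == "all" || addr == "samenet" || addr == "0.0.0.0/0" || addr == "::/0") {
                findings = findings " wide-address"
            } else if (addr ~ /\//) {
                split(addr, p, "/")
                limit = (addr ~ /:/) ? 64 : 24            # assumed minimum prefix length
                if (p[2] + 0 < limit) findings = findings " wide-address"
            }
            if (method == "trust")    findings = findings " no-auth"
            if (method == "password") findings = findings " cleartext-password"
            if (findings != "") printf "line %d:%s  [%s]\n", NR, findings, $0
        }
    ' "$1"
}
```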

Huawei E1552/E1800/E173 on CentOS 6

Today I had a chance to test a Huawei E173 USB dongle and it works perfectly on my Mint Linux. All I had to do was plug it in and turn it on via the network manager applet.

I wanted to test this dongle with CentOS 6 and the main idea was to use this device for SMS monitoring. Using online SMS providers is much cheaper and easier (a bunch of APIs), but the online services are useless when your network is disconnected.

There are a lot of differences between RH-based server distros and new, cutting-edge distros like Mint. To be honest, I expected problems with CentOS.

The first thing was to check the USB dongle:

[root@server ~]# dmesg |grep usb
usb 2-4: new high speed USB device number 2 using ehci_hcd
usb 2-4: New USB device found, idVendor=12d1, idProduct=1446
usb 2-4: New USB device strings: Mfr=3, Product=2, SerialNumber=0
usb 2-4: Product: HUAWEI Mobile
usb 2-4: Manufacturer: HUAWEI Technology
usb 2-4: configuration #1 chosen from 1 choice
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
usbcore: registered new interface driver usb-storage
usb-storage: device scan complete
usb-storage: device scan complete

Oops... the device is detected as USB storage, which I didn't expect (and don't want).

[root@server ~]# lsusb
Bus 002 Device 002: ID 12d1:1446 Huawei Technologies Co., Ltd. E1552/E1800/E173 (HSPA modem)

After some googling I discovered that the first thing I needed to do was to install the usb_modeswitch and smstools packages. The first package switches the USB dongle from USB storage into modem mode; the second one handles the SMS operations.

At the moment I tested this I was far away from the server and couldn't try the simple unplug/replug method. The solution was to invoke the following command:

[root@server ~]# usb_modeswitch -c /etc/usb_modeswitch.d/12d1\:1446 -v 0x12d1 -p 0x1446
Looking for target devices ...
 No devices in target mode or class found
Looking for default devices ...
   found matching product ID
   adding device
 Found device in default mode, class or configuration (1)
Accessing device 002 on bus 002 ...
Getting the current device configuration ...
 OK, got current device configuration (1)
Using first interface: 0x00
Using endpoints 0x01 (out) and 0x81 (in)
Inquiring device details; driver will be detached ...
Looking for active driver ...
 No driver found. Either detached before or never attached
SCSI inquiry data (for identification)
  Vendor String: HUAWEI  
   Model String: Mass Storage    
Revision String: 2.31
USB description data (for identification)
Manufacturer: HUAWEI Technology
     Product: HUAWEI Mobile
  Serial No.: not provided
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
 OK, message successfully sent
Resetting response endpoint 0x81
 Could not reset endpoint (probably harmless): -71
Resetting message endpoint 0x01
 Could not reset endpoint (probably harmless): -19
 Device is gone, skipping any further commands
-> Run lsusb to note any changes. Bye.

As the output recommended, I tried lsusb again:

[root@server ~]# lsusb
Bus 002 Device 003: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

Also, after this step, you should have

[root@server smsd]# ls /dev/ttyUSB*
/dev/ttyUSB0  /dev/ttyUSB1  /dev/ttyUSB2

I found that the settings file /etc/smsd.conf (for SMSTools) should be something like this:

devices = GSM1
logfile = /var/log/smsd/smsd.log
loglevel = 7
user = smstools
infofile = /var/run/smsd/smsd.working
pidfile = /var/run/smsd/
# 3.1.5 introduced smart logging
# once your configuration is OK, set log level lower (5 is good in most cases)
smart_logging = yes
[GSM1]
init = AT+CPMS="ME","ME","ME"
device = /dev/ttyUSB0
incoming = yes

You can find more information about the configuration parameters at the following link

Start the smsd service with service smsd start

To send an SMS message, go into the /var/spool/sms/outgoing/ directory, create a file (for example testSMS) and put the following content inside:

To: 38765655849

The other option is to use the smssend command.

If something doesn't work, check the logs in the /var/log/smsd/ directory.
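As an added example, not from the post, the function below queues a message from a monitoring script in the spool-file format shown above: a To: header, a blank line, then the text. The temporary file name, the alert- file name prefix and the digits-only number check are my choices, not an smsd requirement.

```shell
#!/bin/sh
# Added helper, not from the post: queue an outgoing message for smsd in the
# spool-file format the post shows (a "To:" header line, a blank line, then the
# text), e.g. from a monitoring script. Arguments: destination number, message
# text, optional outgoing dir (defaults to the post's /var/spool/sms/outgoing).
# Prints the name of the queued file.
queue_sms() {
    to=$1; text=$2; spool=${3:-/var/spool/sms/outgoing}
    # Digits only, international format without "+", like the post's example number
    case $to in ''|*[!0-9]*) echo "queue_sms: bad number '$to'" >&2; return 1 ;; esac
    # Write outside the outgoing dir (same filesystem) and rename into it, so smsd
    # never sees a half-written file; rename is atomic on the same filesystem.
    tmp=$(mktemp "${spool%/*}/.sms.XXXXXX") || return 1
    printf 'To: %s\n\n%s\n' "$to" "$text" > "$tmp" || { rm -f "$tmp"; return 1; }
    # smsd runs as the smstools user (see the config above), so it must be able to read it
    chmod 0644 "$tmp"
    out="$spool/alert-$(date +%Y%m%d%H%M%S)-$$"
    mv "$tmp" "$out" && echo "$out"
}
```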

CentOS – setup utility

For RH-based distros, the "setup" utility is a must. With this tool you can easily maintain basic system settings (firewall settings, network, start-up services, etc.).

If you chose a minimal system install, this tool won't be available and you will need to add it manually:

yum -y install setuptool system-config-network* system-config-firewall* system-config-securitylevel-tui system-config-keyboard ntsysv

MyDumper – CentOS HowTo

Mydumper is a MySQL backup tool created by Domas Mituzas and later maintained by several other developers.

The main benefits are multi-threaded, fast backups with almost no locking (as long as you are not using non-InnoDB tables), built-in compression, and separate files for each table, which makes it easy to restore a single table or schema. It also supports hard-linking files, which can reduce the space needed for a history of backups. It is much faster than mysqldump, and the main benefit of the separate files is the ability to create backups in multiple threads (the same applies to the restore process).

In short, Mydumper is how a MySQL DBA or support engineer would imagine mysqldump.

To install mydumper, follow the steps below.

Install the necessary devel libraries and cmake:

yum install glib2-devel mysql-devel zlib-devel pcre-devel openssl-devel cmake

Download mydumper – (or directly here

Extract the tar.gz archive and build it with

tar -xvzf mydumper-0.6.2.tar.gz
cd mydumper-0.6.2
cmake .
make
make install

Creating backup


Note: My advice is to create separate dir for every database.

Restore from backup


CentOS server – NFS client/server howto

NFS stands for Network File System; through NFS, a client can read and/or write a remote share on an NFS server as if it were on a local hard disk.

The first step in setting up an NFS client/server pair is to install the nfs-utils and nfs-utils-lib packages on both systems (server and client):

yum install nfs-utils nfs-utils-lib
chkconfig --levels 235 nfs on 
service nfs start

For example, the server IP is and the client

I'd like to use the /test and /var/test directories from the client system. To make them accessible, we must "export" them on the server.

From the client system, the NFS share is usually accessed as the user "nobody". If the directory isn't owned by nobody, read/write access from the NFS client has to be done as root.
In this howto, the /test dir will be used as root while /var/test will be used as "nobody". If the /var/test directory doesn't exist, create it and change the ownership to user/group 65534 (the nonexistent user/group):

mkdir /var/test
chown 65534:65534 /var/test

The next step (on the server side) is to modify /etc/exports

nano /etc/exports

and add the next lines

/test ,sync,no_root_squash,no_subtree_check)

The no_root_squash parameter means the directory is accessed as root (all files copied or created from the client will be owned by root). Use it only for clients you trust completely, because it lets root on the client act as root on the exported directory.

After you modify /etc/exports, run exportfs -a to make the changes effective.

exportfs -a

The next step (on the client side) is to create the directories where you want to mount the NFS shares:

mkdir -p /mnt/test
mkdir -p /mnt/var/test

Mount NFS shares with

mount /mnt/test
mount /mnt/var/test

Verify the settings with:

df -h

The result should be something like

[root@client ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
....    100G  25G   75G  25% /mnt/test
                       100G  25G   75G  25% /mnt/var/test



and mount should show something like

[root@client ~]# mount
.... on /mnt/test type nfs (rw,addr= on /mnt/var/test type nfs (rw,addr=

To mount the NFS shares at boot time, add the following lines to the /etc/fstab file:

 /mnt/test   nfs      rw,sync,hard,intr  0     0
 /mnt/var/test   nfs      rw,sync,hard,intr  0     0

Don't forget to check the settings after a reboot.

Heartbleed Bug – OpenSSL

A massive vulnerability has been found in OpenSSL, the open-source software package broadly used to encrypt Web communications. The flaw allows attackers to steal the information that is normally protected by SSL/TLS encryption (web applications, e-mail, instant messaging, VPNs, etc).

Essentially, that means a lot of Internet users are affected and passwords and credit card information could be available to hackers.

CentOS has released updated OpenSSL packages that fix this issue.

# yum update openssl
# service httpd restart

For more information:
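Added check, not part of the post: restarting httpd covers only one consumer of the library, and every other long-running process that loaded the old libssl or libcrypto (sshd, postfix, nginx and so on) stays vulnerable until it is restarted too. The functions below find such processes by looking for a replaced library in /proc/PID/maps, where the kernel marks the unlinked file with a (deleted) suffix.

```shell
#!/bin/sh
# Added check, not from the post. "yum update openssl" replaces the library on
# disk, but a process that was already running keeps the old, vulnerable
# libssl/libcrypto mapped until it is restarted. A replaced shared object shows
# up in /proc/PID/maps with a "(deleted)" suffix, which is what we look for.
# Only OpenSSL's libssl.so / libcrypto.so are matched (NSS ships libssl3.so).

# Return 0 if the given maps file still references a deleted libssl or libcrypto.
maps_has_stale_ssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1"
}

# Print "PID command" for every process on this host that still uses the old library.
list_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_ssl "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        fi
    done
}
```

Run list_stale_ssl_processes as root after the update; an empty list means no process is still serving with the old library.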

EoIP tunnel on Linux

Ethernet over IP (EoIP) tunneling is a MikroTik RouterOS protocol (a stateless, lightweight Ethernet point-to-point tunnel protocol with 28 bytes of static overhead) that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP tunnel or any other connection capable of transporting IP.

To connect Linux with MikroTik over an EoIP tunnel, you'll need THIS.

The install procedure:

# wget
# tar -xvzf linux-eoip-0.5.tar.gz
# cd linux-eoip-0.5
# ./configure
# make
# make install

Copy eoip.cfg to the /etc directory, change the settings inside according to your needs and save the file. If you use the dynamic=1 option, be aware that there is no authorization, so it is not secure. It is not a good idea to use this feature on a public IP or on an insecure network (one where not every host is completely under your control).

For now, let's suppose you need only one tunnel to a remote IP address:


On the MikroTik side, create an EoIP tunnel with the same ID (1) and set your server's IP address as the remote IP. Run eoip with

# /usr/local/bin/eoip /etc/eoip.cfg

Add an IP address to your eoip interface:

# /sbin/ifconfig zeoip0 netmask up

And optionally add routes (if you have any)

# route add -net gw

Add the last few lines to rc.local to bring the tunnel up after a reboot. The eoip interface can be treated just like any other interface.

# ifconfig
zeoip0    Link encap:Ethernet  HWaddr 5B:25:C9:44:6A:79  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::5425:d9ff:fe80:6b79/64 Scope:Link
          RX packets:167397 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138861 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:14934574 (14.2 MiB)  TX bytes:12520192 (11.9 MiB)
# ps ax|grep dhcp
5180 ?        Ss     0:02 /usr/sbin/dhcpd eth1 zeoip0
27356 pts/1    S+     0:00 grep dhcp

As you can see, you can run a DHCP server on the eoip interface. Just open /etc/sysconfig/dhcpd and add DHCPDARGS="eth1 zeoip0" inside. Save the file and restart the DHCP server.

CentOS server – nginx howto

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Nginx now hosts nearly 12.18% (22.2M) of active sites across all domains. Nginx is known for its high performance and low resource consumption.

To add the nginx yum repository, create a file named /etc/yum.repos.d/nginx.repo and paste one of the configurations below:

For CentOS

name=nginx repo


name=nginx repo

Due to differences between how CentOS, RHEL, and Scientific Linux populate the $releasever variable, it is necessary to manually replace $releasever with either “5” (for 5.x) or “6” (for 6.x), depending upon your OS version.

Now, make sure that Apache is not running:

#service httpd stop
#chkconfig --level 235 httpd off

and install nginx with

#yum install nginx