stevedoria.net


Upgraded to GoDaddy VPS – CentOS 7

I lost access to my GoDaddy VPS CentOS 6 server after fat-fingering an openssl update and clobbering sshd in the process. GoDaddy technical support was unable to reinstall openssl and then restart the server. They might not have physical access, or a means of simulating physical access, to my VPS instance. (With physical access to a non-virtual server, one would boot into single-user mode, reinstall openssl, and reboot normally.) It is my fault that I lost a server that had been operational for almost 10 years. I learned not to hot-update system libraries, ordered a new VPS running CentOS 7, and I am rebuilding. I am so glad I established data backup procedures!

I want to now share my experience with the GoDaddy VPS CentOS 7 installation.

Iptables is incomplete.

I recommend disabling iptables (“systemctl disable iptables”) before experimenting with it. This allows the server to reboot without the risk of applying inadvertently saved bad iptables rules, especially a rule that unexpectedly makes SSH inaccessible.

I have used iptables on my GoDaddy VPS running CentOS 6, but a freshly provisioned GoDaddy VPS running CentOS 7 returns the following status for iptables:

  # systemctl -l status iptables
  iptables: Applying firewall rules: iptables-restore: line 14 failed

Iptables can be started (“systemctl start iptables”) after fixing the “line 14 failed” issue with the following command:

  # /usr/libexec/iptables/iptables.init save

In particular, issuing the following command fails:

  # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables: No chain/target/match by that name.

The iptables extension module that provides the ‘state’ match is installed but cannot be loaded. Attempts to load the module are ignored.

SELinux also does not work.

The configuration file, /etc/selinux/config, suggests that it is enforcing, but getenforce shows that SELinux is disabled. Furthermore, setenforce apparently ignores the command and confirms SELinux is disabled:

  # setenforce Enforcing
  setenforce: SELinux is disabled

swapon also does not work.

Entering the following commands yields:

  # fallocate -l 4G /.swapfile
  # chmod 600 /.swapfile
  # mkswap /.swapfile
  Setting up swapspace version 1, size = 4194300 KiB
  no label, UUID=722XXXXX-XXXX-XXXX-XXXX-000000004a36
  # swapon /.swapfile
  swapon: /.swapfile: swapon failed: Operation not permitted

The VPS I ordered only has 1GB of memory. I am prevented from enabling a swap file, but I accept the challenge of maximally utilizing constrained resources.

Although GoDaddy’s VPS configuration prevents me from deploying iptables and SELinux, I successfully hardened my installation by configuring MariaDB, rh-php72-php-fpm, and rpcbind to bind to 127.0.0.1 or ::1. I also deployed httpd with a certificate from Let’s Encrypt. Port scanners reported as open only the ports that I intentionally exposed. Qualys SSL Labs SSL Server Test gave my server an “A” overall rating. And, I am pleased with the results of my effort.
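An added example (not from the original post) of how to verify that only the intended ports are exposed once services have been bound to loopback: a small audit over the output of `ss -ltun` that flags any listener on a non-loopback address whose port is not on an allow-list. The allow-list of 22, 80 and 443 and the sample `ss` output are constructed for this example.

```shell
#!/bin/sh
# Audit listening sockets so only intentionally exposed ports are reachable
# from outside. Feed it the output of `ss -ltun` (tcp+udp listeners,
# numeric); Local Address:Port is the fifth field on CentOS 7's iproute:
#
#   ss -ltun | audit_listeners "22 80 443"
#
# Prints each socket bound to a non-loopback address whose port is not in
# the allow-list; exits 1 if any were found, 0 otherwise.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                       # column header line
    {
        la = $5
        # port is the digits after the last colon; the rest is the address
        i = match(la, /:[0-9]+$/)
        if (i == 0) next
        port = substr(la, i + 1)
        addr = substr(la, 1, i - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr) # newer ss prints [::]:443
        if (addr == "::1" || addr ~ /^127\./) next # loopback: not exposed
        if (port in ok) next                       # intentionally exposed
        printf "%s %s bound to %s port %s\n", $1, $2, addr, port
        bad++
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample in `ss -ltun` format (old-style "*:" and ":::" wildcards
# plus one newer-style "[::]" line); the port 25 listener is the finding.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:111      *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    *:80               *:*
tcp   LISTEN 0      80     127.0.0.1:3306     *:*
tcp   LISTEN 0      128    127.0.0.1:9000     *:*
tcp   LISTEN 0      128    :::443             :::*
tcp   LISTEN 0      128    ::1:111            :::*
tcp   LISTEN 0      128    [::]:25            [::]:*'

# Run the audit over the sample; returns the audit's exit status.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "22 80 443"
}

audit_sample || echo "audit: unexpected listener(s) found"
```

Running it periodically (or from a deploy script) catches a service that silently reverted to binding 0.0.0.0 after a package update, which is exactly the kind of regression an external port scan would otherwise be the first to notice.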

Questions, comments, and responses are welcomed. Spam is really not.

One Response to “Upgraded to GoDaddy VPS – CentOS 7”

  1. Steve Says:

    To secure rpcbind, the following files were updated to contain the listed content:

    #### /etc/sysconfig/rpcbind { ####
    #
    # Optional arguments passed to rpcbind. See rpcbind(8)
    RPCBIND_ARGS="-l -s -h 127.0.0.1"

    #### } /etc/sysconfig/rpcbind ####

    #### /usr/lib/systemd/system/rpcbind.socket { ####
    [Unit]
    Description=RPCbind Server Activation Socket

    [Socket]
    ListenStream=/var/run/rpcbind.sock

    # RPC netconfig can't handle ipv6/ipv4 dual sockets
    BindIPv6Only=ipv6-only
    ListenStream=127.0.0.1:111
    ListenDatagram=127.0.0.1:111
    #ListenStream=[::]:111
    #ListenDatagram=[::]:111

    [Install]
    WantedBy=sockets.target
    #### } /usr/lib/systemd/system/rpcbind.socket ####
