Wednesday, October 29, 2014

Rolling back after minor Redhat RHEL OS upgrade

There is no easy way to roll back once you have upgraded Red Hat Enterprise Linux from, say, RHEL 6.1 to 6.5.

I have used the steps below to roll the OS back to the previous version.


1-Collect details of the installed rpms before the OS upgrade

mkdir /var/tmp/backup
rpm -qa --last > /var/tmp/rpm-qa-last-before.txt

2-Do the following if you want to roll the rpms back to their older versions

rpm -qa --last > /tmp/rpm-qa-last-after.txt
# column 1 = old NVR, column 2 = new NVR
sdiff -s /var/tmp/rpm-qa-last-before.txt /tmp/rpm-qa-last-after.txt | sed 's/ .* |//g' | awk '{print $1, $2}' > /var/tmp/backup/old-new-rpm-version.txt
echo "yum downgrade $(awk '{print $1}' /var/tmp/backup/old-new-rpm-version.txt | tr '\n' ' ')"


3-Copy and paste the above output somewhere for further reference. Execute the following to downgrade the rpms to their older versions:

yum downgrade $(awk '{print $1}' /var/tmp/backup/old-new-rpm-version.txt)


4-If the above fails because of a dependency error, exclude those packages by adding the option below to the yum downgrade command, and deal with them later, after the steps above are complete.

 --exclude=package1*,package2*


5-Reboot the system


6-Downgrade the redhat-release-* rpm to the older version if it has not already been downgraded

grep redhat-release /var/tmp/rpm-qa-last-before.txt 
rpm -qa |grep redhat-release
yum downgrade redhat-release-xxxx-n.m.-v
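The steps above pair the before and after rpm lists with sdiff, which aligns lines by position even though "rpm -qa --last" output is ordered by install time and so shuffles across the upgrade. As an added example (not the author's commands), the script below instead keys on the package name, producing the same "old NVR / new NVR" list plus the packages the upgrade newly installed, which yum downgrade will not touch. The two snapshots are constructed sample data in --last format, and the name extraction assumes the usual name-version-release.arch layout, where neither version nor release contains a hyphen.

```shell
#!/bin/sh
# Added example: build the downgrade list from two "rpm -qa --last" snapshots
# by matching packages on name rather than on line position.
# Assumption: name-version-release.arch layout, so the package name is
# everything before the last two "-" separated fields.

# Print "old_nvr new_nvr" for every package whose NVR changed between snapshots.
changed_packages() {
  awk '
    function name(nvr) { sub(/-[^-]*-[^-]*$/, "", nvr); return nvr }
    FNR == NR { before[name($1)] = $1; next }
    { n = name($1); if ((n in before) && before[n] != $1) print before[n], $1 }
  ' "$1" "$2" | LC_ALL=C sort
}

# Packages present only in the "after" snapshot: a plain yum downgrade leaves
# them in place, so a rollback has to handle them separately (yum remove).
added_packages() {
  awk '
    function name(nvr) { sub(/-[^-]*-[^-]*$/, "", nvr); return nvr }
    FNR == NR { before[name($1)] = 1; next }
    !(name($1) in before) { print $1 }
  ' "$1" "$2" | LC_ALL=C sort
}

# The yum command line to review before running it (append --exclude=... for
# packages that fail dependency resolution, as in step 4).
downgrade_command() {
  printf 'yum downgrade'
  changed_packages "$1" "$2" | awk '{ printf " %s", $1 }'
  printf '\n'
}

# Constructed sample snapshots in "rpm -qa --last" format (NVR, then install time).
BEFORE=$(mktemp); AFTER=$(mktemp)
cat >"$BEFORE" <<'EOF'
redhat-release-server-6Server-6.1.0.2.el6.x86_64  Mon 23 May 2011 10:00:00 AM EDT
openssl-1.0.0-20.el6.x86_64                       Mon 23 May 2011 09:58:00 AM EDT
bash-4.1.2-8.el6.x86_64                           Mon 23 May 2011 09:55:00 AM EDT
EOF
cat >"$AFTER" <<'EOF'
newpkg-1.0-1.el6.x86_64                           Wed 29 Oct 2014 11:03:00 AM EDT
openssl-1.0.1e-15.el6.x86_64                      Wed 29 Oct 2014 11:02:00 AM EDT
bash-4.1.2-15.el6_4.x86_64                        Wed 29 Oct 2014 11:01:00 AM EDT
redhat-release-server-6Server-6.5.0.1.el6.x86_64  Wed 29 Oct 2014 11:00:00 AM EDT
EOF

changed_packages "$BEFORE" "$AFTER"
added_packages "$BEFORE" "$AFTER"
downgrade_command "$BEFORE" "$AFTER"
```

On a real system point BEFORE and AFTER at the two files written in steps 1 and 2; the generated command is only as good as the "before" snapshot, so take it before touching yum.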


This is not a perfect process, but it works. Preserving an OS image by creating some kind of snapshot, mirror or clone of the filesystem is a better approach, but that needs additional time and resources.


Do you use any better method?

Thursday, October 9, 2014

Using lftp client to test an ftps connection with ftp servers

FTPS is secure ftp.


Few facts


  • This is not FTP over SSL and not FTP over SSH [1]
  • FTPS uses X.509 certificates (the SSL/TLS protocol under FTP) and validates the certificate chain, while SFTP uses ssh keys.
  • FTP servers need to be explicitly configured for TLS/SSL support; not all ftp servers support FTPS.

Does an ftp server support FTPS?


The command below tells you whether an ftp server supports FTPS. You will get a warning if the server uses a self-signed certificate, or if the certificate it presents cannot be verified by the client; in that case the last line will read 'Verify return code: 1' instead of '0 (ok)' (even though the certificate cannot be verified, the data exchange is still encrypted).

$ openssl s_client -connect dropbox.redhat.com:21 -starttls ftp
CONNECTED(00000003)
---
Certificate chain
 0 s:/2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=2945436/streetAddress=100 East Davie St./postalCode=27601/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=dropbox.redhat.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4571 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 5B2D03F4E9682534FA8C83E51FF0D742481B017DC27A90007CD1E3C7DA0FCA9C
    Session-ID-ctx:
    Master-Key: A6E9F2D2F06DDB651C311A6B0C2200CD89DC5EB4D70B75E97C962415F52DF9D67E2069FEC6E21A62680EE7C16706F033
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1412838506
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
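The s_client output above has to be read by eye. As an added example (not from the original post), the functions below turn that probe into a scriptable check: s_client_summary pulls the protocol, cipher and numeric "Verify return code" out of s_client output, verify_ok succeeds only when that code is 0, and ftps_probe runs the real openssl command against a host (it needs network access, so it is not exercised here; the optional CA_FILE variable is an assumption of this example and is passed to openssl's -CAfile option). The two sample outputs are constructed: the first mirrors the lines of the verified session above, the second shows what a self-signed server certificate produces.

```shell
#!/bin/sh
# Added example: make the "openssl s_client -starttls ftp" probe scriptable.

# Read s_client output on stdin; print "protocol cipher verify_code".
# The fields come from the "SSL-Session:" block, e.g.
#     Protocol  : TLSv1
#     Cipher    : AES128-SHA
#     Verify return code: 0 (ok)
s_client_summary() {
  awk '
    /^ *Protocol *:/          { proto = $3 }
    /^ *Cipher *:/            { cipher = $3 }
    /^ *Verify return code:/  { code = $4 }
    END { print proto, cipher, code }
  '
}

# Succeed only when the chain verified (code 0). If STARTTLS itself failed the
# Verify line is absent, the code is empty, and this fails too.
verify_ok() {
  [ "$(s_client_summary | awk '{ print $3 }')" = "0" ]
}

# Probe a live server: prints "host:port protocol cipher code" and exits 0 only
# when the server speaks FTPS and its certificate verifies against the CA store
# (or against the file named in CA_FILE, an assumed variable of this example).
ftps_probe() {
  host=$1; port=${2:-21}
  if [ -n "$CA_FILE" ]; then set -- -CAfile "$CA_FILE"; else set --; fi
  out=$(openssl s_client -connect "$host:$port" -starttls ftp "$@" </dev/null 2>&1)
  echo "$host:$port $(printf '%s\n' "$out" | s_client_summary)"
  printf '%s\n' "$out" | verify_ok
}

# Constructed sample output, trimmed to the lines the parser needs.
VERIFIED_SAMPLE='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)'

# Constructed sample: a server presenting a self-signed certificate.
SELFSIGNED_SAMPLE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)'

printf '%s\n' "$VERIFIED_SAMPLE" | s_client_summary
printf '%s\n' "$SELFSIGNED_SAMPLE" | s_client_summary
```

Usage against a real host is "ftps_probe dropbox.redhat.com 21"; the exit status is what a monitoring job or a pre-deployment check would key on, and a non-zero verify code is the signal that the client will be talking to an unverified peer even though the channel is encrypted.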

Test an ftps connection


Assume you have an ID ftp_user_id and the password is xxxxxx. I am using the lftp client. Use lftp-3.7.11-7 or a newer version; older clients have a bug.

$ cd /tmp
$ cal >test_file_to_upload.txt
$ lftp
debug 9
set ftps:initial-prot ""
set ftp:ssl-allow true
set ftp:ssl-force true
set ssl:verify-certificate no
set ftp:ssl-protect-data true
set ftp:ssl-auth TLS
set ftp:passive-mode true
set ftp:ssl-data-use-keys yes
open dropbox.redhat.com:21
user ftp_user_id  xxxxxx
ls
put test_file_to_upload.txt
ls

---- Resolving host address...
user anonymous  test@something.com
---- 1 address found: 209.132.183.100
lftp dropbox.redhat.com:~> user anonymous  test@something.com
lftp anonymous@dropbox.redhat.com:~> ls
---- Connecting to dropbox.redhat.com (209.132.183.100) port 21

<--- 220
---> FEAT
<--- 211-Features:
<---  SSL
<---  TLS
<---
<---
<---
<---
<---
<---
<---  STREAM
<---
<---
<---
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate:
 Issued by:        C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
 Checking against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
WARNING: Certificate verification: Not trusted
Certificate: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
 Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
WARNING: Certificate verification: Not trusted
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS test@something.com
<--- 230 Login successful.
---> PWD
<--- 257
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode
---- Address returned by PASV seemed to be incorrect and has been fixed
---- Connecting data socket to (209.132.183.100) port 6338
---- Data connection established
---> LIST
<--- 550 Permission denied.
---- Closing data socket
ls: Access failed: 550 Permission denied. (this is fine; this site does not allow listing)
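The debug trace above is where you confirm that the session actually did what the settings ask for: AUTH TLS answered with 234 before USER/PASS went out, and PROT P answered with 200 before the data connection. As an added example (not part of the original post), the function below reads such a "debug 9" log and reports those facts, plus whether lftp printed a certificate warning and whether credentials were sent before TLS was up. The "---> command" / "<--- code text" line layout is assumed from the trace above; both sample logs are constructed, the first modelled on that trace and the second on a plain FTP login with no AUTH at all.

```shell
#!/bin/sh
# Added example: summarise an lftp "debug 9" log (capture it with 2>&1, lftp
# writes debug output to stderr). Assumes lftp's "---> cmd" / "<--- code text"
# line layout as seen in the trace above.

lftp_session_summary() {
  awk '
    $1 == "--->" { last = $2 }
    # USER sent before the 234 reply to AUTH means the login went out in clear text
    $1 == "--->" && $2 == "USER" && !auth          { user_before_tls = 1 }
    $1 == "<---" && last == "AUTH" && $2 == "234"  { auth = 1 }
    $1 == "<---" && last == "PROT" && $2 == "200"  { prot = 1 }
    $1 == "<---" && last == "PASS" && $2 == "230"  { login = 1 }
    /WARNING: Certificate verification/             { cert_warning = 1 }
    END {
      printf "auth=%s prot=%s login=%s cert_warning=%s user_before_tls=%s\n",
        (auth ? "yes" : "no"), (prot ? "yes" : "no"), (login ? "yes" : "no"),
        (cert_warning ? "yes" : "no"), (user_before_tls ? "yes" : "no")
    }
  '
}

# Constructed sample: the shape of the FTPS session traced above.
TLS_LOG='---> FEAT
<--- 211-Features:
<---  SSL
<---  TLS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
WARNING: Certificate verification: Not trusted
---> USER anonymous
<--- 331 Please specify the password.
---> PASS test@something.com
<--- 230 Login successful.
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode
---> LIST
<--- 550 Permission denied.'

# Constructed sample: a plain FTP login, no AUTH TLS, no PROT.
PLAIN_LOG='---> USER anonymous
<--- 331 Please specify the password.
---> PASS test@something.com
<--- 230 Login successful.
---> PASV
<--- 227 Entering Passive Mode'

printf '%s\n' "$TLS_LOG" | lftp_session_summary
printf '%s\n' "$PLAIN_LOG" | lftp_session_summary
```

With the settings above, cert_warning=yes is expected because 'set ssl:verify-certificate no' only stops lftp from aborting; for a check that should fail on an untrusted server, leave verification on and point 'ssl:ca-file' at the CA bundle instead. A live run is "lftp -f script.lftp 2>&1 | lftp_session_summary" with the commands from the session above in script.lftp.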


Few Issues


Error: gnutls_handshake: Insufficient credentials for that request.
Solution: Use 'set ftp:ssl-data-use-keys yes' and use the latest lftp rpm version.

Error: gnutls_handshake: A record packet with illegal version was received (while using 'open ftps://ftp.something.com:21').
Solution: Remove ftps:// and just use 'open ftp.something.com:21'.


[1] https://www.eldos.com/security/articles/4672.php?page=all
[2] openssl s_client documentation