
Solutions to historical Linux image problems

Last Updated: Oct 12, 2021

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Problem description

ECS instances created from historical Linux images may not have NTP or YUM configured, and may be affected by recent security vulnerabilities. Follow the steps described in this article to fix these issues and make your ECS instances more secure. You can use the NTP service provided by Alibaba Cloud for free time synchronization, and you can use the YUM service provided by Alibaba Cloud to install software.

Solution

Configure NTP

Tip: This step is the same regardless of the release version of the system.

First, back up the /etc/ntp.conf file, and then replace its content with the following.

# ntp.conf
#
# ntpd config for aliyun ecs.
#
# 6LAN+6LAN+3WAN
#               shijun.cao@alibaba-inc.com
#               2014.8.11
#
driftfile  /var/lib/ntp/drift
pidfile   /var/run/ntpd.pid
logfile /var/log/ntp.log
# Access Control Support
restrict    default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap nopeer noquery
restrict 100.64.0.0 mask 255.192.0.0 nomodify notrap nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
restrict ntp2.aliyun.com nomodify notrap nopeer noquery
restrict ntp3.aliyun.com nomodify notrap nopeer noquery
restrict ntp4.aliyun.com nomodify notrap nopeer noquery
restrict ntp5.aliyun.com nomodify notrap nopeer noquery
restrict ntp6.aliyun.com nomodify notrap nopeer noquery
# local clock
server 127.127.1.0
fudge  127.127.1.0 stratum 10
#public ntp server
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
#Private ntp server
server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
#New private ntp server
server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
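
The access-control part of the configuration above denies everything by default and attaches noquery to every non-loopback entry. The following check for that property in any ntp.conf is an added example, not part of the original article or an Alibaba Cloud tool; the function name audit_ntp_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "restrict" lines of an ntp.conf.
# Prints one finding per line; prints nothing when every non-loopback
# restrict entry carries "ignore" or "noquery".
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 != "restrict" { next }
        {
            i = 2
            if ($i == "-4" || $i == "-6") i++    # optional address-family flag
            target = $i
            flags = " "
            for (j = i + 1; j <= NF; j++) {
                if ($j == "mask") { j++; continue }   # skip "mask <netmask>"
                flags = flags $j " "
            }
            locked = (flags ~ " (ignore|noquery) ")
            if (target == "default") {
                seen_default = 1
                if (!locked) print "default-open: " $0
            } else if (target != "127.0.0.1" && target != "::1" && !locked) {
                print "queryable: " target
            }
        }
        END { if (!seen_default) print "no-default-restrict" }
    ' "$1"
}

# Constructed sample: a permissive config, unlike the one shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict default nomodify notrap
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
EOF
audit_ntp_conf "$sample"
rm -f "$sample"
```

Run it as audit_ntp_conf /etc/ntp.conf after replacing the file; empty output means no entry answers status queries from outside the loopback address.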

Update software sources

  1. Select one of the following methods to confirm the current Linux system release of the image.
    • Run the lsb_release -a command to view the Linux version.
    • Run the cat /etc/issue command to view the Linux version.
  2. CentOS: Back up the CentOS-Base.repo and epel.repo files in the /etc/yum.repos.d/ directory. Based on the CentOS version, run the following commands to download the repo files, and then run the yum makecache command.
    1. CentOS 5
      sudo wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
      sudo wget -O /etc/yum.repos.d/fedora.repo http://mirrors.aliyun.com/repo/fedora.repo
    2. CentOS 6
      sudo wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
      sudo wget -O /etc/yum.repos.d/fedora.repo http://mirrors.aliyun.com/repo/fedora.repo
    3. CentOS 7
      sudo wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
      sudo wget -O /etc/yum.repos.d/fedora.repo http://mirrors.aliyun.com/repo/fedora.repo
  3. Aliyun 5.7: Back up the /etc/yum.repos.d/CentOS-Base.repo file, run the following command to download the repo file, and then run the yum makecache command.
    sudo wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  4. Ubuntu: Back up the /etc/apt/sources.list file. Based on the release version, run the following command to download the source list file, and then run the apt-get update command.
    1. Ubuntu 12.04
      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/ubuntu1204-lts.list
    2. Ubuntu 14.04
      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/ubuntu1404-lts.list
  5. Debian: Back up the /etc/apt/sources.list file. Then, based on the release version, run the following command to download the source list file, and then run the apt-get update command.
    1. Debian 6
      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/debian6-lts.list
    2. Debian 7
      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/debian7-lts.list
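
The steps above write the download straight onto the live file with wget -O, so a failed transfer or an error page leaves the system with an unusable source file. The following is an added example, not part of the original article: a hypothetical helper, replace_source_file, that checks a file downloaded to a temporary path, keeps a timestamped backup, and only then installs it. The demo runs in a scratch directory on constructed files.

```shell
#!/bin/sh
# Added example: install a downloaded package-source file only after it has
# been checked, keeping a timestamped backup of the file it replaces.
# Usage: replace_source_file NEW_FILE TARGET
replace_source_file() {
    new=$1
    target=$2
    # wget -O leaves an empty or partial file behind when the transfer fails.
    [ -s "$new" ] || { echo "refusing: $new is empty" >&2; return 1; }
    case $target in
        *.repo)        pattern='^\[[^]]+\]' ;;          # yum: a [section] header
        *sources.list) pattern='^deb[[:space:]]' ;;     # apt: a "deb" entry
        *) echo "refusing: unsupported target $target" >&2; return 1 ;;
    esac
    grep -Eq "$pattern" "$new" ||
        { echo "refusing: $new is not a valid source file" >&2; return 1; }
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mv "$new" "$target"
}

# Constructed demo in a scratch directory (no network access, no real /etc).
work=$(mktemp -d)
printf '[base]\nname=old\n' > "$work/CentOS-Base.repo"
printf '[base]\nname=new\n' > "$work/download.ok"
: > "$work/download.empty"                       # simulates a failed wget -O
replace_source_file "$work/download.empty" "$work/CentOS-Base.repo" || echo "kept old file"
replace_source_file "$work/download.ok" "$work/CentOS-Base.repo" && echo "replaced"
ls "$work"
rm -rf "$work"
```

The backup name ends in .bak.<timestamp> rather than .repo, so yum does not load it as a second repository definition.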

Security vulnerability repair

To fix known major security vulnerabilities, upgrade the affected software packages, including bash, glibc, openssl, wget, and ntp.

Before running the following commands, make sure that the current software source has been configured correctly.

  • For CentOS and Aliyun systems, run the following command.
    yum update bash glibc openssl wget ntp
  • For Ubuntu and Debian systems, run the following command.
    apt-get install bash libc6 libc-bin openssl wget ntp

Application scope

  • ECS