Code, Security and Server Stuff

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

16.04

How to install PHP 7.2.latest on Ubuntu 16.04

How to install PHP 7.2.latest on Ubuntu 16.04/ Ubuntu 18.04/Debian etc/

Advertisement:



I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.

PHP has a support page that declares the support date ranges and support types: http://php.net/supported-versions.php

 

PHP 7.0 going EOL

A version of PHP is either actively supported, security fix supported or end of life. Read this post to check WordPress for PHP compatibility.

 

From time to time vulnerabilities come up that require PHP updates to be applied.

Source Link here

Advertisement:



I have guides on setting up PHP 7 here on Digital Ocean, here on AWS and here on Vultr. I have tried upgrading to PHP 7.1 in the past with no luck (I forgot to change something and rolled back to 7.0).

FYI: I have a guide on setting up PHP child workers so the output from some commands below may be different than yours. Here are the steps I performed to install PHP 7.2 alongside 7.0 then switch. to 7.2.

Backup your system

Do perform a Snapshot or Backup before proceeding. Nothing beats a quick restore if things fail.

Note: Use this information at your own risk.

Updating php 7.2.12 to 7.2.12

Update your Ubuntu systems

Updating from an older php (e.g 5.x, 7.1, 7.1 to say 7.2.12)

Backup PHP

Install Helper

This software provides an abstraction of the used apt repositories. It allows you to easily manage your distribution and independent software vendor software sources. More Info

Add the main PHP repo (more information)

Update the package lists

“In a nutshell, apt-get update doesn’t actually install new versions of the software. Instead, it updates the package lists for upgrades for packages that need upgrading, as well as new packages that have just come to the repositories.” from here

List Installed Packages (optional)

Install PHP 7.2

Install common PHP modules

Install PHP FPM

Update all packages (may be needed to update from php 7.2.4 to 7.2.5)

Edit your NGINX sites-available config

Edit your NGINX sites-enabled config

I edited these lines

Edit your PHP config (and make desired changes)

Edit your PHP pool config file (as required). See this guide here.

e.g.

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 8M
> post_max_size = 8M

Make sure you set: listen = /run/php/php7.2-fpm.sock

Advertisement:



Set PHP 7.2 as the default PHP

Check your PHP version

Reload PHP

Reload NGINX

Check the status of your PHP (and child workers)

Check your website.

Advertisement:



Troubleshooting

Guides that helped me.

https://thishosting.rocks/install-php-on-ubuntu/

https://websiteforstudents.com/wordpress-supports-php-7-2-heres-how-to-install-with-nginx-and-mariadb-support/

Check your log files

Debug FPM Service

Remove PHP 7.0

PHP 7.0 Removed 🙂

Remove other unused packages

At the time of writing (November the 18th 2018) PHP 7.2.12 is the latest version of PHP and PHP 7.3 will be out at the end of the year.

Good luck and I hope this guide helps someone

Advertisement:



Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.4 Updated the post to mention PHP 7.0 EOL

v1.3 Updated to add PHP 7.2.12 information

v1.2 PHP 7.2.9 and PHP 7.2 updates

v1.1 Remove PHP 7.0 steps

v1.0 Initial post

Moving an Ubuntu 16.04 VM on Vultr from one data centre to another via snapshots

This guide will show how you can move an Ubuntu VM server domain between Vultr data centres via snapshots.

Advertisement:



I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Sometimes you need to move a sever between locations and/or upgrade the server (to have more memory t install WordPress).

Moving an existing Vultr server

If you don’t have an Ubuntu server click here (follow this guide).

Login to Vultr and specify a source server, click Snapshots and click Take Snapshot.

Make snapshot

Wait for the snapshot to finish (It may take 1 hour).

Snapshot Started

Great, the snapshot is done.

Snapshot Ready

Now I can create a new server (in a different data centre).

Add

Deploy New Instance

Choose a location (Australia is at capacity, so I’ll deploy to Silicon Valley then move again in a few weeks), choose the snapshot to restore, choose a plan, I enabled IPV6/Auto Backups and Private Networking.

TIP: The password for the server will be the same as the source server so write it down.

Deploy

Click Deploy Now

Deploy

After a few minutes, you can see the new servers IP address, you can log in to your domain name provider (in my case Namecheap) and update the target IPV4 and IPV6 address.

You can find IPV4 and IPV6 addresses by opening your server, clicking settings then IPxV4 or IPV6.

ip

You will need to update Vultr DNS settings (login to Vultr, Click Servers, Click DNS then edit your existing Domain DNS entry).  Add you’re new serves IP addresses.

Vultr DNS

Update: I added an IPV6/AAAA record too.

Wait for DNS Replication

Goto https://www.whatsmydns.net/ and check the global DNS propagation for your new domain’s server.

DNS Propigation

If you are happy that the server has been migrated (snapshot restored) and that the domain DNS is pointing to your new server you can delete the old server in the Vultr server list.

Servers

Post-Migrate Actions

I hope this guide helps someone.

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.1 Vultr Link

v1.0 Initial post

Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare

This guide will show you how to enable the latest Transport Layer Security (TLS) 1.3 protocol with it’s predecessor Secure Sockets Layer (SSL) with NGINX and OpenSSL for better website security on an Ubuntu 16.04 server

Advertisement:



I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Making sure your server is up to date and running the latest SSL software is important. I have updated Open SSL before and blogged about this here.  Do backup your server before changing settings and if you use  Cloudflare (if you don’t do it now) enable Development Mode (and disable caching until changes are made).

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

TLS 1.3 is the latest SSL security protocol that can be used between clients and servers to encrypt connections on the web.

TLS 1.3 uptake is only 60% according to https://caniuse.com/#search=TLS%201.3

TLS 1.3

Read why TLS 1.3 is important and news on TLS 1.3 can be found here: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/

The Good and Bad

Done be like this commercial site with very poor security (tested with SSL labs and asafaweb)

Bad SSL

Here is what the top 1 million sites do

Installing Open SSL on Ubuntu

Connect to your Ubuntu 16.04 server via SSH (I connected to my Vultr server)

Check what version of OpenSSL you have? My OpenSSL is out of date.

Tip: What Ciphers does your Open SSL Support?

Time to update Open SSL

OpenSSL 1.1.1 beta is available and supports TLS 1.3  but it is n BETA form.  OpenSSL code is available here.

I did the following to download and build the latest version of OpenSSL.

I tried to check the open SSL version but had an error?

A quick GitHub ticket revealed I needed to set a path variable.

Open SSL now reports it’s version.

What version NGINX do you have (1.13 supports TLS 1.3read here

Backup your NGINX

Do backup your server files and take a snapshot if need be.  I am not responsible;e for a broken server,

Edit NGINX Configuration

Update NGINX configuration: /etc/nginx/sites-available/default

tip: Review other NGINX hardening settings here.  Also remove TLSv1.0

I tested my NGINX config loaded them and restarted NGINX

Check the status of NGINX

If you have configured Cloudflare then log in and enable TLS support.

Cloudflare TLS Settings

Enable TLS 1.3 in Chrome by visiting chrome://flags/#tls13-variant This should be automatic in later versions of Chrome and other browsers.

Enable TLS in Chrome

Verify TLS

I used the developer tools in Chrome to confirm the page was verified in TLS 1.3.

Verify TLS

Updated to 1.1.1-pre6-dev

Don’t forget to test your SSL strength with https://dev.ssllabs.com/ssltest/

SSL Test 2018

I hope this guide helps someone.

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.4 fixed typo

v1.3 added bad ssl cert.

v1.2 ssl test v1.1 updated to 1.1.1-pre6-dev

v1.0 Initial post

Ubuntu 16.04: Spectre, Meltdown Security Vulnerabilities (and how to patch).

Below is a post about the Spectre and Meltdown Security vulnerabilities and mostly how it relates to Ubuntu.

Advertisement:



Spectre and Meltdown Background

Google Project Zero found a server-side hardware bug (undocumented feature) that allows reading of privileged memory by leveraging a CPU (and possibly any GPU and SOC) feature to execute code ahead of time in “if” code branches before the result of the “if” case is known. This execute code ahead of demand feature was added to speed up processors to assists the FETCH, DECODE, EXECUTE and WRITE-BACK stages in the execution pipeline preparation.

Processors hate reading from main memory (it is too slow) so if data can be PREFETCHED or CACHED before being executed in the CPU allowing the CPU can do more work. This bug/flaw is not really a bug/flaw IMHO but an insecure efficiency feature.

Read more on the Spectre and Meltdown bug here at Wired.

CPU History

Aside: Check out the Red Hill Hardware guide and the evolution (documentation) of early CPU’s.

You can read more about the Pentium 4’s cache, rapid execution engine and instruction set additions to learn more about the evolution of CPU efficiency here.

Making processors faster (adding more MHZ) may be futile if the cache is too small or slow, and simply adding more cache can increase costs. Branch prediction was a way to increase performance (by using idle clock cycles or saving clock cycles) without adding extra cache or silicone (extra cost). I suspect in the future branch prediction and read ahead features may be locked down or processor manufacturers may swing back to adding more MHZ/Cores/Cache.

Anandtech https://www.anandtech.com have a great article on branch prediction (I can’t find the article now but will add it when I find it later) but this guide gives the gist.

CPU 101

A CPU is much like a checkout area at a grocery store, and a multi-core CPU is like a grocery store with multiple checkouts.

  • Things (processing and reading to/from memory) happen sequentially (per core).
  • Only one item can be scanned (processed) at a time (per core).
  • Customers trolleys and items are like program threads and items to scan (to be calculated in the CPU).
  • Customers trolleys (programs with things to calculate) line up and wait for the CPU (attendant) to scan (execute) items. PRE-FETCH and other CPU tasks help organize data related to instructions.
  • One checkout line (core) cannot read or affect items at another checkout (thread safety).

When a price check is called on an item (causing huge delays while the price is being checked by a runner (reading from main memory)) the checkout attendant (CPU core) processes the next items at the checkout (items in the processor execution pipeline). Branch predicting will read ahead in idle times to prevent idle delays or cache-misses to prevent slowdown. Processors usually make sure things are in the processors L3, L2 or L1 memory before they are executed but some commands with pre-requisite data cannot be pre-cached.

CPU instruction information

Here is a list of x86 instructions

Troy Hunt in Weekly Update 68 https://www.troyhunt.com/weekly-update-68/ mentioned a twitter thread by Graham Sutherland (@gsuberland) https://twitter.com/gsuberland/status/948907452786933762 that summaries speculative execution more succinctly. Meltdown and Spectre bugs are due to the speculative execution in the processor.

Official Information on Spectre and Meltdown

Spectre (Security Vulnerability Wikipedia Article)

Meltdown (Security Vulnerability Wikipedia Article)

Proof of concepts exploits in the wide

Proof of concept and exploits are no doubt in the wild (as reported by Michael Schwarz@misc0110)

Ubuntu Impact

I have a number of Ubuntu servers and I have updated them to fix Spectre and Meltdown issues.

UpCloud is my favourite cloud provider.

    Ubuntu said here that is has been notified by Intel of this issue since November 09 2017.

    Ubuntu Timeline (16.04 related snip from here)

      • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA.
      • 2017 Nov 20: the CRD is established as 2018-01-09.
      • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products.
      • 2018 Jan 03: issue becomes public a few days before the CRD.
      • 2018 Jan 04: Canonical publicly communicates the planned update schedule.
      • 2018 Jan 04: Mozilla releases timing attack mitigations.
      • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1.
      • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
      • Package: linux, Version: 4.4.0-108.131, Series: Xenial 16.04
      • -2018 Jan 09: NVIDIA driver updates published, see USN-3521-1.
      • Cloud image updates.
      • Core image updates.

      At this time it looks like this has been fixed on Ubuntu 16.04 LTS (Xenial Xerus) with released (57.0.4+build1-0ubuntu0.16.04.1). Consider updating your Ubuntu servers.

      You can follow the Ubuntu CVE listing here to be ahead of future security issues.
      https://people.canonical.com/~ubuntu-security/cve/main.html

      Spectre and Meltdown related Ubuntu CVE’s

      Spectre – CVE-2017-5715

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

      Spectre – CVE-2017-5753

      Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

      Meltdown – CVE-2017-5754

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

      Links

      Ubuntu Security News https://usn.ubuntu.com/usn/

      Subscribe to the Ubuntu Security Announcement Distribution List https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

      Ubuntu CVE Tracker (Main) http://people.canonical.com/~ubuntu-security/cve/main.html

      Links from CVE articles

      https://spectreattack.com/
      https://meltdownattack.com/
      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
      http://www.amd.com/en/corporate/speculative-execution
      https://developer.arm.com/support/security-update
      https://www.qemu.org/2018/01/04/spectre/
      https://usn.ubuntu.com/usn/usn-3516-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
      http://nvidia.custhelp.com/app/answers/detail/a_id/4611
      https://usn.ubuntu.com/usn/usn-3521-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
      https://github.com/IAIK/KAISER
      https://gruss.cc/files/kaiser.pdf
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

      FYI: Ubuntu 17.04 will not be getting the Spectre and Meltdown fixes, this is a good reason why not to use a non-LTS (long time support) release of Ubuntu (abandoned after 9 months):
      https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html

      How to update Ubuntu

      As always backup your server and configuration first (consider taking a snapshot). I run the following command to update my system and reboot.

      Warning: Some packages may overwrite in-production configuration files (or break production servers) so take your time updating, use test servers (green and blue or dev, test and prod) and only upgrade production when you are ready.

      fyi: AWS related Speculative Execution post: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

      Impact on Future Program Build Times

      Twitter user Peter Czanik (@PCzanik https://twitter.com/PCzanik) reports that compile times that fix speculative execution have increased his build times from 4 minutes to 21 minutes.

      Windows Impacts

      Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

      https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

      OSX Impacts
      Report: Intel CPUs suffer from major security flaw, fix could bring notable performance hit to macOS

      Web Browser and JavaScript Impacts

      General

      Here’s what every Chrome user should do in the wake of #Spectre

      http://mashable.com/2018/01/04/google-chrome-spectre-precaution-meltdown/

      Microsoft reveals how Spectre updates can slow your PC down

      https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

      Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs

      Review: https://twitter.com/search?q=spectre%20meltdown

      Viewing the Change log of updatable packages

      View the change log of updatable packages for a certain Cve.

      sudo apt-get update

      sudo apt-get changelog ntp | grep CVE-2017-5715

      The output will show matches of updatable packages that match.

      Ubuntu Cloud Tips

      Read my guide on Useful Linux Terminal Commands https://fearby.com/article/useful-linux-terminal-commands/

      Read my guide on how to setting up a Vultr VM (Ubuntu) and configuring it https://fearby.com/article/setting-vultr-vm-configuring/

      Good luck.

      Scott Manleys breakdown of Spectre and Meltdown

      More Reading

      Anandtech – Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs.

      More Fearby.com Reading

      Donate and make this blog better

      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      Revision History

      v1.4 Scott Manleys link

      v1.3 Added Anandtech article.

      v1.2 Wired link.

      v1.1 view the changelog of updatable packages.

      v1.0 Initial Copy.

      Hope this helps someone.

      Updating PHP 7.0 to 7.1 on an Ubuntu 16.04 Vultr VM

      Here is how you can quickly update PHP 7.0 to 7.1 on a Vultr Ubuntu domain.

      Advertisement:



      I have configured a number of Vultr domains with NGINX and PHP 7.1 FPM and today I realised I need to update PHP 7.0 to 7.1 to fix a  few security exploits (read more here and here on securing Ubuntu in the cloud). PHP has a good page where you can keep up to date with PHP news here https://secure.php.net/. You can also view the PHP bug tracker to view bugs here. PHP aggregation user @php_net on twitter is good to follow, the official PHP twitter account is @official_php.

      I have not noticed in daily Ubuntu package updates no option to update PHP 7.0 to 7.1, I must have to update manually.

      WARNING: Backup your site and test this on a non production server before doing it on a live server.  I had an issue with PHP 7.1 breaking WordPress 3.9 (mysql issues with some plugins) and I had to roll back to 7.0 (see rollback tips in troubleshooting below). WordPress says it is PHP 7.1 compatible but issues exist. WordPress 3.9 ditches “mysql” and used “mysqli” and when instead PHP 7.1 WordPress could not find “mysqli”?

      List packages with updates

      You can run the following to view upgradable packages (TIP: Backup NGINX and other configuration files before any upgrades).

      Update your server packages

      Reboot

      You should now see this on startup

      You can view your installed PHP configuration file and installed version by typing to following in your servers command line.

      Now let’s install a package viewer

      Search installed packages (or non-installed) PHP packages.

      Uninstall all local PHP related packages

      Confirm packages are uninstalled

      Install PHP 7.1 and common packages

      Verify PHP 7.1 installation

      Reboot

      See if the PHP 7.1 FPM service has started

      sudo systemctl | grep php
> php7.1-fpm.service

      Restart PHP 7.1 FPM Service

      Edit your /etc/nginx/sites-enabled/default and change the fastcgi_pass from “7.0” to “7.1

      Edits:

      Reload NGINX configuration and restart NGINX

      Your website should now be back up and running PHP 7.1

      PHP 7.1

      Post Install Tasks

      View this blog post on other useful linux commands.

      Run a Lynis security scan.

      Edit your PHP.ini file and add required changes (e.g upload sizes).

      sudo nano /etc/php/7.1/fpm/php.ini
# upload_max_filesize = 2M
+ upload_max_filesize = 8M

      Troubleshooting

      View PHP configuration values (add this to a debug.php and load in in a browser)

      <?php

// Show all information, defaults to INFO_ALL
phpinfo();

// Show just the module information.
// phpinfo(8) yields identical results.
phpinfo(INFO_MODULES);

?>

      I broke my WordPress 3.9 when I tried to update to PHP 7.1 so I rolled back to 7.0.

      Google help had me stuck for a while when I had issues purging php 7.1.

      Purge Error

      Because my blog (with install steps) was down I used this site to help be find the commands to run.

      Conclusion

      Sometimes going with cutting edge tech you will go out on a limb, ensure you know and can restore a working site if need be.

      Always have a backup and restore plan.

      Hope this guide helps.

      Donate and make this blog better


      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      v1.35 WordPress 3.9 error with PHP 7.1