Solved

How to safely update PHP and apache server to most recent versions CentOS 6.4

Posted on 2013-06-17
Last Modified: 2013-06-18
Hi,

My server must become PCI DSS compliant and as part of this I must update PHP, OpenSSL, OpenSSH, and Apache to the most current versions.

I want to know the best practice for doing this on a CentOS 6.4 server, what to look out for/what can go wrong, and how to roll back changes if I make a mistake.

There are a number of sites on this server, each is controlled by a cPanel account (to which I have complete access), but only one of them handles credit card data.  Initially, I would like to update PHP for this cPanel account only.

Apache info:
Server version: Apache/2.2.21 (Unix)
Server built:   Jan 21 2012 20:57:54
Cpanel::Easy::Apache v3.8.5 rev9999
Server loaded:  APR 1.4.5, APR-Util 1.3.12
Compiled using: APR 1.4.5, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

The PHP version displays as 5.2.17 but I'm not convinced that this is true as the cPanel php.ini files are located in /usr/local/cpanel/3rdparty/php/53/* which looks like it's some kind of 5.3.x.

I'm not entirely sure what data you will need from me; so please advise.

Thanks
0
Question by: EyeBallInSalt
8 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39255441
"My server must become PCI DSS compliant and as part of this I must update PHP, OpenSSL, OpenSSH, and Apache to the most current versions."

I am curious who told you that because I don't think it is true.  To update to the very latest versions, you must download and compile the source code yourself.  Binaries other than the supported packages are not normally available for Linux systems.
0
 

Author Comment

by:EyeBallInSalt
ID: 39255532
Thanks for posting.
I got these recommendations from the Trustwave vulnerability scan performed on my server.

"Binaries other than the supported packages are not normally available for Linux systems."

Are you saying that the most recent versions of PHP, OpenSSL, OpenSSH, and Apache are not supported packages for CentOS 6.4?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39255691
There are many different versions available.
Version #
Beta
Latest
Latest-Stable is version 5.4.16
Earlier Versions

i.e. php
The very latest version is available via git from the git repository (source)

BTW CentOS is at version 6.5

Apache
Stable Release - Latest Version:
    2.4.4 (released 2013-02-25)
Stable Release - 2.2 Branch:
    2.2.24 (released 2013-02-26)
Legacy Release:
    2.0.64 (released 2010-10-19)

11-Feb-2013:          OpenSSL 1.0.1e is now available, including bug fixes

OpenSSH latest update 20130516

Doesn't CentOS have an updater?  You MUST always keep your software up to date with the latest patches otherwise the cracker-hackers will use the vulnerabilities to gain access to your system.
0
 

Author Comment

by:EyeBallInSalt
ID: 39255714
Sorry about the versions; I wasn't clear.  It is the most recent stable version that I need to update to in all cases.

CentOS DOES have an updater!  That's great and thanks for pointing that out.
But doesn't that lead me to the same issue?  I want to safely update the software without breaking my sites.
If I use the updater, am I not exposing myself to mishap as ALL of the software will be updated simultaneously?
For example, PHP 5.4.16 breaks at least one of my sites on my development machine.
Ideally, I'd like to update PHP for the site that is to become compliant only and leave the others for a later date.

Also, I don't know what can go wrong when updating Apache/OpenSSL/OpenSSH.
0

 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 39255747
Why does PHP 5.4.16 break that site... is something I'd be investigating.

What I do is go through the changelog(s). Sometimes there is a sweeping change to something I don't use, and what I do use isn't mentioned.

If you want to test things a lab is always a good idea. Update the lab, check things out; if nothing seems broken, then stage it to the production servers.  Sometimes authors use undocumented calls or rely on deprecated calls in their code. Those are the major code breakers.
0
 

Author Comment

by:EyeBallInSalt
ID: 39256401
"If you want to test things a lab is always a good idea. "

I think you've hit the nail on the head there.  I've been struggling to replicate my production environment in a VMware ESXi virtual server but I think that I need to persevere with that so that I gain experience and become more confident when it comes to doing the updates.

Thanks for taking the time to respond.
0
 

Author Closing Comment

by:EyeBallInSalt
ID: 39256408
You made me realise where I need to focus my attention.  Thanks
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39257133
Depending on your coding, moving from PHP 5.2 to 5.3 and 5.4 can break everything if you were depending on a feature that got obsoleted.  And if your code was written for PHP 4, it can be a huge step.

The repositories for your distribution, the place where binaries of supported software versions are stored, are unlikely to have the very latest versions of everything.  They generally do not put a new version up until they have had a chance and a reason to update it.

Also, major hosting companies rarely update the version of PHP on a server though their newer servers tend to have newer versions of PHP.  I got a big project updating a site when GoDaddy stopped supporting PHP 4 and forced everyone to update to PHP 5.2/5.3.  I do have one site that is still running on PHP 4 and MySQL 4.0.
0
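
Both the accepted solution and the last comment name deprecated or removed calls as the main cause of breakage when moving from PHP 5.2 to 5.3/5.4. A pre-upgrade scan for them, added here as an example and not posted by anyone in the thread; the pattern lists are a partial selection from the PHP 5.3/5.4 migration notes, and the sample tree and function names are constructed for illustration:

```bash
#!/bin/sh
# Added example: list PHP constructs that PHP 5.3 deprecated or PHP 5.4 removed.
# The lists are partial (assumption: extend them from the migration notes).
REMOVED_54='session_register|session_unregister|session_is_registered|import_request_variables|define_syslog_variables'
DEPRECATED_53='ereg|eregi|ereg_replace|eregi_replace|split|spliti|set_magic_quotes_runtime|mysql_db_query|call_user_method|sql_regcase'
REMOVED_INI='register_globals|register_long_arrays|magic_quotes_(gpc|runtime|sybase)|safe_mode|allow_call_time_pass_reference'

# Name must not follow an identifier character, "->", "::" or "$", so that
# preg_split(), mb_ereg(), $obj->split() and Foo::split() are not reported.
NOT_IDENT='(^|[^A-Za-z0-9_>:$])'

# Prefix every input line with a tag and a tab.
tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

# $1 = directory to scan; prints "TAG<TAB>file:line:source text".
scan_php_tree() {
  # Function names are case-insensitive in PHP, hence -i on these two.
  grep -rniE --include='*.php' "${NOT_IDENT}(${REMOVED_54})[[:space:]]*\(" "$1" | tag REMOVED-5.4
  grep -rniE --include='*.php' "${NOT_IDENT}(${DEPRECATED_53})[[:space:]]*\(" "$1" | tag DEPRECATED-5.3
  # Long arrays ($HTTP_POST_VARS etc.) went away with register_long_arrays.
  grep -rnE --include='*.php' '\$HTTP_[A-Z]+_VARS' "$1" | tag REMOVED-5.4
  # Directives in php.ini files or set through .htaccess php_flag/php_value.
  grep -rnE --include='*.ini' --include='.htaccess' \
    "^[[:space:]]*(php_(flag|value)[[:space:]]+)?(${REMOVED_INI})([[:space:]]|=)" "$1" | tag REMOVED-INI-5.4
  return 0
}

# Constructed sample tree, for demonstration only; prints its path.
make_sample() {
  d=$(mktemp -d)
  cat > "$d/cart.php" <<'EOF'
<?php
session_register('cart');
$parts = split(',', $HTTP_POST_VARS['items']);
$words = preg_split('/\s+/', $text);
$rows  = $db->split($x);
EOF
  printf 'register_globals = On\nmemory_limit = 64M\n' > "$d/php.ini"
  echo "$d"
}

sample=$(make_sample)
scan_php_tree "$sample"
rm -rf "$sample"
```

Run it against a copy of each account's document root in the lab before upgrading; REMOVED hits stop working on 5.4, while DEPRECATED hits still run but raise E_DEPRECATED notices.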


Question has a verified solution.
