How to stop BIND from being overwritten by cPanel daily update

[SupaDucta]

Yesterday we have upgraded BIND to 9.3.0 and chrooted it.

At 4 AM, when running updates, cPanel overwrote it and reverted back to 9.2.1, so I had to:

killall named
mv /usr/sbin/named /usr/sbin/named.old
ln /urs/local/sbin/named /usr/sbin/named
chmod 777 /var/run

and restart BIND, so we had 9.3.0 running again.

Where can I exclude BIND from being updated by software and cPanel version updates?

 

[Jemshi]

Not sure, but I think cpanel is trying to update (reinstall) the rpm packages already installed in server. If you are not using the rpm bind, you can just do

rpm -e bind_package_name

HTH

 

[SupaDucta]

Hm, I have managed to find a few instances in /scripts/ where bind is handled:

sysup
rpmup
rpmup2.

rpmup:

@IGNORERPMS=("wu-ftpd","perl","kernel","httpd","apache","php","gnupg","pine","exim","proftpd","MySQL","webmin");

I wonder, if I added "bind" here, maybe it would be ignored?

 

[Jemshi]

no use - all scripts under /scripts will be overwritten on the next cp upgrade

 

[SupaDucta]

I wouldn't have a problem with that, because I have turned off automatic cPanel updates due to some former issues with rewriting, so I would be satidfied with updating those scripts every time after cPanel update.

Strange, no? cPanel doesn't update BIND, running 9.2.1 which has a few security flaws, but if you try to update and compile some never version manually, it reverts it back to 9.2.1.

 

[haze]

SupaDucta: What OS are you using ?

 

[SupaDucta]

RedHat 7.3, and I was just informed a few gours ago that RedHat patches versions it packs, and that RedHat's Bind 9.2.1 doesn't have a security leak like usual 9.2.1

Hope it's true...

 

[haze]

RedHat 7.3, and I was just informed a few gours ago that RedHat patches versions it packs, and that RedHat's Bind 9.2.1 doesn't have a security leak like usual 9.2.1

Hope it's true...

That is true. Redhat patches known workin versions and includes certain features from newer software releases and incorperates them into older versions. That said, Redhat no longer support their redhat linux line of OS's. You are going to have to upgrade your system. If you want to stay with Redhat, check out redhat enterprise. If you need something that's easier to upgrade and less expensive, check out CentOS.org. Its a clone of RHEL, but without the pricetag and "official" support.

It's supprising you were not aware of this, as it happened quite a while ago. I would suggest you start auditing the software installed on the system to see what does and doesn't need updated, that done i'd start making up a plan to start considering your OS migration options. Also note, that FedoraLegacy.org has taken up the job of updating the OS, however they don't have enough help to make it all happen. You may want to check fedoralegacy out to see what they might have available, update wise, for the OS, but i'll tell you honestly, you'll still be far behind, security wise.

 

[haze]

Also, if you want to install the source bind, make sure and add bind/named to your package skip list in whatever update client software you use. Thats what is most likely causing the issue for you.

 

[SupaDucta]

Thanks Haze,

we are at the moment building up a new webserver (in early testing stage) on Debian Sarge and other testing platform on CentOS, so we'll see how each turns out before making a final choice.

The machine this thread is about is a Virtuozzo-based VPS with old kernel and RedHat 7.3 and we can't update it or secure it properly due to VPS limitations, so we're buildning up a new dedicated platform from scratch.

Thanks, you are very kind and helpful

 

[haze]

You mention old kernel, perhaps you should ask your host to upgrade it if you feel it interferes with your sites security. If they use the Virtuozzo platform, sw-soft should have a patched kernel available, as they roll out their own kernels, if i'm not mistaken.

If it was a newer kernel, such as source + virtuozzo patched ( if possible ) you could be able to interchange between certain redhat linux versions, such as CentOS ( RHEL, would be very difficult via remote means ).

If you want to stick to your budget and use a more flexible solution, perhaps something along the lines of http://www.linode.com would fit your requirements.