Repositories for Squeeze LTS
/etc/apt/sources.list
deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
Update repositories
apt-get update
Install the latest Squeeze security updates
apt-get upgrade
Reboot
reboot
Repositories for the Wheezy upgrade
/etc/apt/sources.list
#official repository for Debian
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.debian.org/debian wheezy main contrib non-free
deb http://ftp.debian.org/debian wheezy-updates main contrib non-free
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.debian.org/debian wheezy main contrib non-free
deb http://ftp.debian.org/debian wheezy-updates main contrib non-free
deb http://http.debian.net/debian wheezy main contrib non-free
deb-src http://http.debian.net/debian wheezy main contrib non-free
deb http://http.debian.net/debian wheezy-updates main contrib non-free
deb-src http://http.debian.net/debian wheezy-updates main contrib non-free
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
#official repository for Zen Load Balancer Updates
deb http://zenloadbalancer.sourceforge.net/apt/x86 v3/
Update repositories and add keys
apt-get update
Before piping a key to apt-key, check its full fingerprint (gpg --fingerprint <KEYID>) against a trusted source; a key ID fetched from a keyserver does not by itself prove who owns the key.
gpg --keyserver pgpkeys.mit.edu --recv-key 9D6D8F6BC857C906
gpg -a --export 9D6D8F6BC857C906 | apt-key add -
gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg -a --export 7638D0442B90D010 | apt-key add -
Upgrade to Wheezy
apt-get dist-upgrade
Reboot
reboot
Pound and SSL update for Zen Load Balancer
Debian Wheezy upgrade required!
Preparations
install required tools
apt-get install build-essential devscripts m4 quilt debhelper zlib1g-dev bc gcc++ cmake
install Hoard for Pound (increase speed)
apt-get install libpcrecpp0 libpcre3-dev libpcre3 libpcre++0 libpcre++-dev libtcmalloc-minimal4 libgoogle-perftools4 libgoogle-perftools-dev
mkdir hoard
cd hoard/
wget https://github.com/emeryberger/Hoard/releases/download/3.10/Hoard-3.10-source.tar.gz
gunzip Hoard-3.10-source.tar.gz
tar -xf Hoard-3.10-source.tar
cd Hoard/src
make linux-gcc-x86
cp libhoard.so /usr/lib/.
load Hoard library
export LD_PRELOAD=/usr/lib/libhoard.so
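Add the following line to /etc/profile
Note: this preloads the library into every process started from a login shell, so /usr/lib/libhoard.so must stay root-owned and not writable by other users. Services started at boot do not read /etc/profile and will not pick up this setting.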
export LD_PRELOAD=/usr/lib/libhoard.so
ldd /bin/ls
Upgrade SSL security
Configure OpenSSL
cd ~
mkdir openssl
cd openssl
apt-get source openssl
cd openssl-*
quilt pop -a
Disable compression, insecure ciphers, SSLv2 and SSLv3
vi debian/rules
CONFARGS = -no-comp --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3 #Include no-ssl3 for even better security.
quilt push -a
dpkg-source --commit
debuild -uc -us
cd ..
dpkg -i *ssl*.deb
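Mark the OpenSSL packages as held (not upgradeable)
Note: held packages no longer receive Debian security updates through apt-get upgrade, so the custom build has to be repeated whenever a new OpenSSL security update is published.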
apt-mark hold libssl-dev libssl-doc libssl openssl libssl1.0.0 libssl1.0.0-dbg
reboot
Pound upgrade
mkdir pound
cd pound
wget https://fossies.org/linux/www/Pound-2.7.tgz
tar -xf Pound-2.7.tgz
cd Pound-2.7
./configure
make
cp pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.7
cp poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7
cp /usr/local/zenloadbalancer/app/pound/sbin/pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/pound2.7 /usr/local/zenloadbalancer/app/pound/sbin/pound
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7 /usr/local/zenloadbalancer/app/pound/sbin/poundctl
cd ~
Change Ciphers for SSL in Zen Loadbalancer
Pound upgrade required!
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
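Intermediate cipher list from https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility (the link anchor names the "Modern" section, while the list above still allows DES-CBC3-SHA and CBC-mode AES suites for older clients; check the page for the current recommendation before reusing it)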
Add the following two lines to the Pound configuration (/usr/local/zenloadbalancer/config/<FARM>_pound.cfg):
SSLHonorCipherOrder 1
SSLAllowClientRenegotiation 0
http://sysadminosaurus.blogspot.de/