DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en-route, opposed to a fake record injected in a man-in-the-middle attack.

First install haveged to generate keys :

EL/centos/redhat

yum install -y haveged
systemctl enable haveged

In below command examples replace “domain.tld” with your domain name

Second Change the Directory to /var/named :

cd /var/named/

Third generate ZSK Key :

dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld

Fourth generate KSK key

dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld

Fifth adding keys to domain zone file

cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db

Sixth sign the zone file :

dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db

Seventh only for el7/centos 7 edit named configuration file /etc/named.conf and add this line (don't add this line on el8/centos 8 stream/almalinux 8 and above as this will not work):

dnssec-lookaside auto;

** find this lines dnssec-enable yes; dnssec-validation yes; add dnssec-lookaside auto; after it

Now you need to edit domain zone file config in /etc/named.conf and rename the zone file to signed :

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db";};
// zone_end domain.tld

to

// zone domain.tld
zone "domain.tld" {type master; file "/var/named/domain.tld.db.signed";};
// zone_end domain.tld

Centos/el/RHEL Reload/Restart the named service :

service named reload
or
systemctl reload named

and you’re done.

version 1016000 instead of 1026002 in /etc/nginx/nginx.conf:1

There is an error in mismatch in the objects buildID’s

How can I resolve it?

Thanks for any insight you can share.

Feb  3 23:27:32 net systemd[1]: Starting nginx - high performance web server...
Feb  3 23:27:32 net nginx[2242722]: nginx: [emerg] module "/etc/nginx/modules/ngx_http_brotli_filter_module.so" version 1016000 instead of 1026002 in /etc/nginx/nginx.conf:1
Feb  3 23:27:32 net systemd[1]: nginx.service: Control process exited, code=exited status=1
Feb  3 23:27:32 net systemd[1]: nginx.service: Failed with result 'exit-code'.
Feb  3 23:27:33 net systemd[1]: Failed to start nginx - high performance web server.

Short Description on curl :

curl is a command line tool and library for transferring data with URL syntax, supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features. curl is used in command lines or scripts to transfer data. It is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, settop boxes, media players and is the internet transfer backbone for thousands of software applications affecting billions of humans daily.

Let’s get started with the upgrade process :

To update to the latest version of CURL running CWP7 server you need to follow below steps.

Cityfan Curl remove : If you previously installed cityfan curl you need to remove it :

rpm -e city-fan.org-release
rm -rf /etc/yum.repos.d/city-fan.repo
rpm -e --nodeps curl libcurl libcurl-devel
rm -rf /usr/local/lib/libssh2.so.1
yum clean all
yum install libcurl libcurl-devel curl

Important ! Stop the future updates via yum/dnf package manager, if you skip this step then after each update of curl from base repo you need to rebuild curl

Centos 7 /EL7 :

cat /etc/yum.conf |grep "^exclude=curl*"|grep kernel 1> /dev/null 2> /dev/null || echo 'exclude=curl* libcurl*' >> /etc/yum.conf

Centos 8/9 stream /EL8/EL9 :

cat /etc/dnf.conf |grep "^exclude=curl*"|grep kernel 1> /dev/null 2> /dev/null || echo 'exclude=curl* libcurl*' >> /etc/dnf.conf

Now you need install dependencies to build curl and libcurl:

Centos 7 /EL7 :

yum install libssh libssh-devel libnghttp2-devel libnghttp2 libgsasl libgsasl-devel zstd libzstd-devel libzstd brotli brotli-devel libbrotli 

Centos 8/9 stream /EL8/EL9 :

dnf install libssh libssh-devel libnghttp2-devel libnghttp2 libgsasl libgsasl-devel zstd libzstd-devel libzstd brotli brotli-devel libbrotli 

After you've installed the dependencies build CURL from source Centos 7 /EL7 Centos 8/9 stream /EL8/EL9 : 

cd /usr/local/src
rm -rf curl*
wget https://curl.se/download/curl-8.3.0.zip
unzip curl-8.3.0.zip
cd curl-8.*/
./configure --with-ssl --with-zlib --with-gssapi --enable-ldap --enable-ldaps --with-libssh --with-nghttp2
make
make install

then follow this steps to activate curl systemwide Centos 7 /EL7 Centos 8/9 stream /EL8/EL9 : 

rm -rf /usr/bin/curl.bak
mv /usr/bin/curl /usr/bin/curl.bak
ln -s /usr/local/bin/curl /usr/bin/curl

After the successful built check the cURL version :

curl -V

curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/1.0.2k-fips zlib/1.2.7 brotli/1.0.9 zstd/1.5.5 libssh/0.7.1/openssl/zlib nghttp2/1.33.0 libgsasl/1.8.0 OpenLDAP/2.4.44
Release-Date: 2023-09-13
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli gsasl GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL UnixSockets zstd

To install latest version of nginx stable or mainline do the steps : 

Step 1 : 

Disable nginx module : 

dnf module disable nginx -y

Step 2 : 

Add Official repository for nginx :

Create repository :

> /etc/yum.repos.d/nginx.repo
nano /etc/yum.repos.d/nginx.repo

For stable Nginx  and add this line :

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

For mainline Nginx  and add this line :

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Step 3 : 

Remove any nginx version installed :

dnf remove nginx -y

Step 4 :

Install the latest version of nginx :

dnf install nginx -y
systemctl enable nginx
systemctl restart nginx

That's it you can now check the nginx version via this command : 

nginx -V

To Install Mariadb 10.11 in Centos 9 stream/almalinux 9/rockylinux 9 do this :
Now edit/create the Repo file :

Ensure you don’t have any other MariaDB repo file in /etc/yum.repos.d if exists delete or backup the existing repo file then create the repo file :

nano /etc/yum.repos.d/mariadb.repo

add this lines and save it :

[mariadb]
name = MariaDB
baseurl = https://rpm.mariadb.org/10.11/centos/$releasever/$basearch
module_hotfixes = 1
gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck = 1

After that update Mariadb 10.11 :

yum clean all
yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
yum update -y

No follow on screen setup by running this command :

mysql_secure_installation

** if you installed fresh copy of MAriadb just now and this command is asking password just hit Enter button

To login to the MariaDB server, enter the following command with the password that was set previously,

mysql -u root -p

Done you’ve installed Mariadb 10.11 on Centos 9/EL9

I having Centos7 and willing to Migrating to Almalinux9 without new installation to the new server?

if possible please guide me.

Note: i found the below articles but I’m not sure it will work or no.

Migrating from CentOS to AlmaLinux or Rocky Linux

If you have CentOS 8 installed, root access to the server, and some knowledge of SSH commands, you can migrate your operating system to AlmaLinux or Rocky Linux.

For migrating to AlmaLinux, take the following steps:

1. Access the server via SSH with your root details (eg. ssh root@IPaddress –p22) Find more information about how to access your server via SSH.

2. Download the following AlmaLinux GitHub repository script.

3. Run the script: sudo bash almalinux-deploy.sh

If your migration is successful, you will see “Migration to AlmaLinux is completed” in the output. Then you can reboot your system to run the AlmaLinux kernel and start using AlmaLinux OS with the following command: sudo reboot

Migration from CentOS to Rocky Linux can also be performed via SSH with the help of the migrate2rocky tool developed for this purpose.

Take the following steps to migrate CentOS to Rocky Linux:

1. In the repository via SSH, download the executing script directly from the repository via SSH by running the following command on your server: click here.

2. Make sure that the script is executable by running the following command: chmod u+x migrate2rocky.sh

3. Then you can run the migration script: ./migrate2rocky.sh –r

You will see ‘Completed!’, which means that the system was successfully migrated from CentOS to Rocky Linux. Reboot your server using the sudo reboot and start using Rocky Linux!

After the reboot, check the current system installed on your server by running: hostnamectl.

source link:

AlmaLinux vs. Rocky Linux: a com...

Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Name or service not known"

Due to EOL the mirrorlist.centos.org doesn't exist anymore and removed you need to change the repo to vault.centos.org

you need to run the below script on your server : 

curl -s -L https://www.alphagnu.com/upload/centos7-repo-fix.sh | bash

Errors during downloading metadata for repository 'appstream':

  - Curl error (6): Couldn't resolve host name for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Could not resolve host: mirrorlist.centos.org]

Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Could not resolve host: mirrorlist.centos.org]

Due to EOL the mirrorlist.centos.org doesn't exist anymore and removed you need to change the repo to vault.centos.org

it would help if you ran the below script on your server : 

sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
yum update -y

Due to the end of life of Centos 7, my question is aimed at knowing what the recommendations may be to migrate the system. As I understand it, Centos 8 has an even worse situation than Centos 7 and therefore other alternatives will have to be evaluated.

I would like to know if there are already some proven working scripts that facilitate the migration, allowing the CWP configurations to be preserved when moving them to a new operating system. Is there a tutorial posted here that makes this task easier? What is the recommendation regarding this matter? Of all the possibilities, which one is the closest in terms of stability and security to what Centos 7 offered until now?

yum install clamav

and now when I try to install it again it complains with:

...
--> Finished Dependency Resolution
Error: Package: clamav-update-0.103.11-1.el7.x86_64 (epel)
           Requires: libcurl.so.4()(64bit)
Error: Package: clamav-0.103.11-1.el7.x86_64 (epel)
           Requires: libcurl.so.4()(64bit)
 You could try using --skip-broken to work around the problem
 ...

How can this be solved? Can it be installed from sources into /usr/local instead using the system's one?

Key features of syslog-ng include:

1. Log Collection: Syslog-ng can collect log messages from a wide range of sources, including local log files, remote hosts, network devices, applications, and more. It supports various log message formats, making it versatile for handling different types of logs.
2. Log Routing and Filtering: With syslog-ng, you can define sophisticated log routing and filtering rules based on message content, source, facility, severity, or other criteria. This allows you to route specific logs to different destinations and filter out irrelevant or sensitive information.
3. Log Transformation: Syslog-ng can modify log messages before storing or forwarding them. You can perform tasks like adding or removing fields, enriching log data, or anonymizing sensitive information to comply with data privacy regulations.
4. Reliable Log Transport: Syslog-ng ensures reliable log transport with features like TLS encryption, message acknowledgment, and retransmission mechanisms. This helps prevent log message loss and ensures the integrity and confidentiality of log data during transit.
5. Centralized Log Management: By sending logs to a centralized server, you can easily monitor, search, and analyze log data from multiple sources in one location. This simplifies log analysis and troubleshooting processes.
6. Integration with SIEMs and Big Data Solutions: Syslog-ng can integrate with Security Information and Event Management (SIEM) systems and big data solutions like Elasticsearch, enabling you to leverage advanced analytics and visualization capabilities for log data.
7. High Performance and Scalability: Syslog-ng is designed to handle a large volume of log data efficiently and can scale to meet the needs of enterprise-level environments.
8. Community and Enterprise Editions: Syslog-ng is available in both community and enterprise editions. The community edition is free and open-source, while the enterprise edition provides additional features, support, and commercial licensing options.

Step 1 :

Remove rsyslog : 

yum remove rsyslog

** for centos 8 and above you can also use dnf in place of yum

Step 2 : 

Install epel repo and syslog-ng

yum install epel-release -y
yum install syslog-ng

** for centos 8 and above you can also use dnf in place of yum

Step 3 :

Enable syslog-ng service and start the service : 

systemctl enable syslog-ng
systemctl start syslog-ng

That's it syslog-ng is now enabled and working check the /var/log/messages

ELRepo supports Red Hat Enterprise Linux (RHEL) and its derivatives such as Scientific Linux, CentOS Linux, Alma Linux and Rocky Linux.

In order to Update Kernel This requirements are mandatory :

1. Centos 7/Centos 8/stream with root access
2. KVM virtualization/any other full virtualization OR Dedicated Server
3. SSH/Terminal access

Let’s started with Kernel install/update procedure :

Check current kernel version :

uname -sr

Eg. output :

[root@server ~]# uname -sr

Linux 3.10.0-1160.15.2.el7.x86_64
or
Linux 4.18.0-338.el8.x86_64

**versions may vary 

Now We’ll Start the procedure of Kernel upgrade on el7/8 CentOS 7/8 :

Enable the ELRepo repository on  CentOS 7, RHEL 7 and Scientific Linux, run the below commands :

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm

Enable the ELRepo repository on CentOS 8, RHEL 8, Alma Linux and Rocky Linux, run the below commands :

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

You can retrieve latest download links on official page here

Now we’ll install Kernel 6.5 with the below command :

** at the time kernel 6.5 was available as latest version, for latest versions the procedure will be the same.

yum --enablerepo=elrepo-kernel install kernel-ml -y

Now kernel 6.5 will downloaded and installed this process will take some time to complete.

Now we need to add/modify config under /etc/default/grub :

nano /etc/default/grub

And put this line or modify the line if already exists to :

GRUB_DEFAULT=saved

eg :

Quote

[root@server ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto  vconsole.font=latarcyrheb-sun16 rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_DEFAULT=saved

Save the file and run this command to create the kernel configs :

CentOS 7/EL7 :

grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg

CentOS 8/Stream/EL8 :

grub2-mkconfig -o /boot/grub2/grub.cfg

That’s it reboot your server and check the kernel version again :

CentOS 7/EL7 :

uname -sr
[root@server ~]# uname -sr
Linux 6.5.4-1.el7.elrepo.x86_64

CentOS 8/Stream/EL8 :

uname -sr
[root@server ~]# uname -sr
Linux 6.5.4-1.el8.elrepo.x86_64

TO update Kernel on CentOS 7/EL7 :

yum clean all
yum --enablerepo=elrepo-kernel install kernel-ml
or
yum --enablerepo=elrepo-kernel update kernel-ml
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

TO update Kernel on CentOS 8/Stream/EL8 :

dnf clean all
dnf--enablerepo=elrepo-kernel install kernel-ml
or
dnf --enablerepo=elrepo-kernel update kernel-ml
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

Clean Old Kernels :

CentOS 7/EL7 :

yum install yum-utils -y
package-cleanup --oldkernels --count=1

CentOS 8/Stream/EL8 :

dnf remove --oldinstallonly --setopt installonly_limit=2 kernel
Advanced cleanup (this will remove old kernel headers and tools):
rpm -qa kernel\* |sort -V
rpm -e --nodeps kernel-tools kernel-tools-libs kernel-headers

Eg. usage :

[root@srv1 ~]# rpm -qa kernel\* |sort -V
kernel-headers-3.10.0-957.10.1.el7.x86_64
kernel-ml-5.0.3-1.el7.elrepo.x86_64
kernel-ml-devel-5.0.3-1.el7.elrepo.x86_64
kernel-tools-3.10.0-957.10.1.el7.x86_64
kernel-tools-libs-3.10.0-957.10.1.el7.x86_64

[root@srv1 ~]# rpm -e --nodeps kernel-tools-3.10.0-957.10.1.el7.x86_64 kernel-tools-libs-3.10.0-957.10.1.el7.x86_64 kernel-headers-3.10.0-957.10.1.el7.x86_64

TO install Latest Kernel-ML devel and tool package CentOS 7/EL7 :

yum remove kernel-tools kernel-tools-libs
yum --enablerepo=elrepo-kernel install kernel-ml-devel kernel-ml-tools

TO install Latest Kernel-ML devel and tool package CentOS 8/Stream/EL8 :

dnf remove kernel-tools kernel-tools-libs
dnf --enablerepo=elrepo-kernel install kernel-ml-devel kernel-ml-tools kernel-ml-headers

Additional :

to check kernel saved entry :

grep saved /boot/grub2/grubenv

If your Memcached server is only used by your local server then add the below line which will disable UDP  and only listen to localhost IP, which will prevent your server from being exposed on the internet by disabling the UDP protocol. UDP Protocol is now old technology which is not required anymore. TCP is more secure and today all are using it with Memcached.

Edit memcached config file :

nano /etc/sysconfig/memcached

Add this line -l 127.0.0.1 -U 0 under OPTIONS=”” quotes like :

OPTIONS="-l 127.0.0.1,::1 -U 0"

** at the end it will look like this :

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1 -U 0"

If your Memcached server is binding with ip, add the following OPTIONS line, which will only disable the UDP protocol:

OPTIONS="-U 0"

After that you need to restart the memcached server  and done.

service memcached restart

To disable the use of SHA-1 in signature algorithms on your system, you can use the NO-SHA1 policy module.

DISABLE SHA-1 :

update-crypto-policies --set DEFAULT:NO-SHA1

And reboot the system to apply it systemwide.

ENABLE SHA-1 :
In the internet there are thousands or lakhs of devices still uses SHA-1 Algorithm Like older OS for example Centos 6 peoples are still using it due to very light in resources and there old applications are still running there. From This old OS if you’re trying to connect to a modern OS like EL9/centos 9 for example with SSH you’ll get error like below :

no hostkey alg

If you check the error massage in modern OS it will show like below :

Quote

Unable to negotiate with 1.1.1.1 port 43614: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
** this is happening because the latest version of openssh has dropped the support for SHA1.

To fix this you need to enable SHA-1 algorithm in your modern OS for example in EL9/Centos 9 :

Run the below command to enable SHA-1

update-crypto-policies --set DEFAULT:SHA1

That’s it you’ve enabled System-wide crypto policy to enable SHA1 a system reboot will also recommended after enabling SHA1

One of the key features of Node.js is its non-blocking, event-driven I/O model, which allows applications to handle a large number of concurrent connections with relatively low memory overhead. This makes it well-suited for building real-time applications like chat applications, online games, and collaborative editing tools.

Please note from version 18, Centos 7 is not supported due to older version of dependencies.

To install Node.js 18 on CentOS using the NodeSource repository, you can follow these steps:

Install the required packages:

dnf install -y curl gnupg2

Add the NodeSource repository:

curl -sL https://rpm.nodesource.com/setup_18.x | sudo bash -

Disable nodejs module :

dnf module disable nodejs

Install Node.js:

dnf install -y nodejs

Verify that Node.js and npm are installed:

node -v
npm -v

You’ve successfully installed Node.js 18 on your CentOS 8/9 system using the NodeSource repository.