RedShift wrote:
> On 11/07/10 06:17, Philip Amadeo Saeli wrote:
>> I'm maintaining an internet-facing web server which is now running httpd
>> 2.0.63 (httpd-2.0.63-2.el4s1.centos.2) which is now nearly 2.5 years
>> old(!?!). I need to move to either 2.0.64 or 2.2.12 or later. However,
>> I've been unable to find available RPMs for such releases for CentOS
>> 4.x.
>>
>> I have to believe that others have these needs also. In light of this,
>> how do others keep up with security upgrades for the httpd? I'm rather
>> new to this aspect of things, so am still in the process of sorting
>> things out in this regard.
>>
>> Any help would be appreciated.
>>
>> Thanks!
>>
>> --Phil
>>
>
> Upgrade to the latest 5 release.

It's not that easy to do that much of an upgrade. But since the EOL
announcement for release 3 was posted recently, it definitely needs to be
done. This is how I would proceed.

1. Back up all data and configuration info on that server.
2. Set up a test server with the current release (CentOS 5).
3. Restore all data and configuration info on the test server. Plan on
   spending time to rewrite configuration files to match current formats
   and settings.
4. Once you finish tweaking the configuration, test all of your software,
   web pages, etc.
5. When you are sure everything works, install the current OS on the
   production server, restore the data and reconfigure it to match the
   test server.
6. Do a complete acceptance test on the production server. (We actually
   use a second Internet-facing server for acceptance tests before
   committing changes to the production server.)
7. Use YUM to update your test server at least once a week.
8. As soon as you finish testing all of the updates each week, use YUM to
   install them on the production server. (But don't ever do this on
   Friday. If you missed something, you don't want to have to work on the
   weekend.)
9. Subscribe to announcements and several security mailing lists to get
   advance warning of any known issues that need to be patched
   immediately.
10. Start tracking RedHat/CentOS 6 release candidates ASAP.

Officially, by PCI rules we have 30 days after release of an OS update to
get it installed on Internet-facing systems. So the auditors will give us
one pass on their monthly validation cycle before they start to complain.
This does give us some time to test for problems and correct them before
updating the production servers. But this requires a test server that is
configured exactly like the production server so we can make sure the
updates won't break any of our applications before we will install them in
production.

We have one developer from each product team, one QA manager, one Support
tech and an IT tech that track these issues and make sure our servers are
up to date. As one of the developers in that group, I monitor CentOS
announcements and two security lists, forwarding relevant messages to the
entire group. There is a similar but larger group tracking Microsoft
updates. In addition to CentOS and Apache, we also track updates to PHP,
PostgreSQL and a couple dozen supporting packages and maintenance tools.

Bob McConnell
N2SPP
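Steps 7 and 8 above, and the requirement that the test server mirror production, depend on knowing exactly which packages differ between the two boxes before the weekly production update. The script below is an added example (not from any poster in this thread): it compares two `rpm -qa` snapshots and reports version drift, using constructed package lists and an assumed file layout rather than real server data.

```shell
#!/bin/sh
# pkg_drift: compare rpm -qa output from a test server and a production
# server and report every package whose version-release differs or that
# exists on only one side. Input is plain name-version-release.arch lines.
pkg_drift() {
  awk '
    # rpm -qa prints name-version-release.arch; the name may itself contain
    # dashes, so the name is everything before the last two dash fields.
    function name_of(s,  n, a, i, nm) {
      n = split(s, a, "-"); nm = a[1]
      for (i = 2; i <= n - 2; i++) nm = nm "-" a[i]
      return nm
    }
    function vr_of(s,  n, a) { n = split(s, a, "-"); return a[n-1] "-" a[n] }
    FNR == NR { test[name_of($0)] = vr_of($0); next }   # first file: test
    { prod[name_of($0)] = vr_of($0) }                   # second file: prod
    END {
      for (p in test) {
        if (!(p in prod)) print "ONLY_ON_TEST " p
        else if (test[p] != prod[p])
          print "UPDATE_PENDING " p " " test[p] " " prod[p]
      }
      for (p in prod) if (!(p in test)) print "ONLY_ON_PROD " p
    }' "$1" "$2" | sort
}

# Constructed snapshots standing in for "rpm -qa | sort" on each server.
# (Package versions are made up for the example, not real advisories.)
TEST_FILE=$(mktemp); PROD_FILE=$(mktemp)
cat > "$TEST_FILE" <<'EOF'
httpd-2.2.3-45.el5.centos.1.i386
openssl-0.9.8e-12.el5_5.7.i386
php-pgsql-5.1.6-27.el5_5.3.i386
postgresql-8.1.22-1.el5_5.1.i386
EOF
cat > "$PROD_FILE" <<'EOF'
httpd-2.2.3-43.el5.centos.i386
openssl-0.9.8e-12.el5_5.7.i386
php-pgsql-5.1.6-27.el5_5.3.i386
vim-enhanced-7.0.109-7.el5.i386
EOF

# ONLY_ON_PROD lines are drift that the test server never exercised;
# UPDATE_PENDING lines are what the weekly production run will change.
pkg_drift "$TEST_FILE" "$PROD_FILE"
```

An empty ONLY_ON_PROD list is the precondition for trusting the test cycle; anything on it means the test server is no longer "configured exactly like the production server".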