JM4's questions

I am not asking how to do anything here, rather trying to understand best practices and the "right" way to handle server security. To prevent brute force password attacks, I have secured my server in a number of ways, one of which being password protected SSH Keys for login on any user (right now it is a single developer box). Obviously any time a user needs to login he will need access to both the key and the password for that key.

However, I am trying to understand how I should handle a system password for that (or any) particular user, specifically when dealing with sudo. A few questions:

• is there value in giving each user a password at all (so he/she can use sudo)?
• if so, is it overkill to use an insanely secure password for such (i.e. 384 bits+)
• assuming the answer above is no:
  • How could any user remember this password every time they need to run a sudo command (yes lastpass, dashlane, 1pass, etc are options but having to open/authenticate/find and copy that really long password seems like a huge pain the ass).
  • What is secure enough for these passwords and does it matter if dictionary attacks would find the sudo password in 3 seconds anyway?

Thank you ahead of time!

I am trying to improve my development workflow but am running into some major roadblocks. Currently, we develop on local Windows machines running XAMPP then after tested on an individual machine, push the changes to our live server one by one via FTP. This (I know) is highly inefficient.

We use Mediatemple's Dedicate Virtual servers for our hosting services and I have recently been learning about he advantages of developing locally using virtual machines with provisioning services. This led me to learn about Vagrant and Chef. Getting vagrant up and running is easy enough but I am struggling to try and re-produce our live server given how they are provisioned (mainly because of the Plesk interface) and that I need to use specific versions of programs. For example, my server is running CentOS 5.9 the following:

Apache

• /usr/sbin/httpd -v
• Apache/ 2.2.22 (Unix)

PHP

• php -v
• PHP 5.3.5

NGINX (used as a front-end for apache to handle PHP files)

• /usr/sbin/nginx -v
• nginx/1.3.0

These are just a few of the items I am needing to create in a chef cookbook. I am using Hosted Chef however and cannot instructions on how to specify versions of the software I need to add to mimic my live server.

Has anybody had luck doing this? I'm not 100% tied to chef (could also use Puppet) but have heard recommendations on Chef over puppet primarily.

Thank you!

I am in the arduous and painful process of setting up secure users on a new web LEMP server with Ubuntu 12.04. I was initially going to setup something like vsftpd or proftpd but many have suggested just to use SFTP directly so I will. Ultimately, I have one primary user (which I use simply to prevent root logins). I created this new user, generated a public-key pair, uploaded the public key to the users ~/.ssh directory as authorized_key, changed the SSH port number, removed root login and also set passwordauthentication to NO so the user is forced to use his/her key to log in. Easy enough (though working on a PC seems to be much more of a headache for this than my OSX/NIX counterparts).

I am now trying to create new users (for my web developers) which will simply have SFTP access and limit their exposure simply to the web directory of their charge. Each directory has the following format:

/var/www/sitename.com/public/

My headache starts now. Create a new user? Easy. Add password? Don't really need to given I am requiring public/private keys (and they will never have sudo access) but ok. I am struggling however with the following:

• How do I actually store THIS new user's public key on the server? If I login as my root user and simply create the authorized_keys file within their home directory, it will have root owner and group permissions and they are unable to log in to the server. Similary, these new users cannot login and create it themselves, well, duh because they aren't permitted to login via password.

(note: I am also struggling with setting up the sftp and limiting them to their respective web directories but I think I can figure that out later on my own).

Any advice?

Edit

Currently the process is this:

• get public key from the individual
• go through the following commands:

#sudo mkdir -p /home/newuser/.ssh
#sudo nano /home/newuser/.ssh/authorized_key
#(copy key into single line and save)
#chown -R newuser:newuser /home/newuser
#chmod 700 /home/newuser/.ssh
#chmod 600 /home/newuser/.ssh/authorized_key

I suppose this isn't absolutely horrible but if we have a large number of developers (plus the amount of time it is about to take me to set them up with the SFTP portion and limit to directories) it seems like a huge pain.

I have achieved my "goal" several times before but am running into an issue I have not yet experienced before. I have a webserver setup with Nginx on Ubuntu 12.04 LTS. I have my system setup the way I normally would and am attempting to create a symbolic link for the site "virtual host" from the sites-available to the sites-enabled directory. Typically, this is achieve with the following from the primary nginx directory (as root):

ln -s /etc/nginx/sites-available/site.com /etc/nginx/sites-enabled/site.com

While I can move into the enabled directory and view the symbolic link has "worked", when I try and edit the file directly in the sites-enabled directory I see the file is blank and treated as a new file. As a result, my server does not work as expected and pages do not load. When I simply hard copy or hard link the file into the directory:

ln /etc/nginx/sites-available/site.com /etc/nginx/sites-enabled/site.com

It works without any issue. I however am stuck with two copies of the same file and no symbolic link.

What the heck gives?

Note: here is the structure of my current Nginx directory:

[email protected]:/etc/nginx# ls -l
total 44
drwxr-xr-x 2 root root 4096 Mar  4 17:28 conf.d
-rw-r--r-- 1 root root  964 Feb 12 08:41 fastcgi_params
-rw-r--r-- 1 root root 2837 Feb 12 08:41 koi-utf
-rw-r--r-- 1 root root 2223 Feb 12 08:41 koi-win
-rw-r--r-- 1 root root 3463 Feb 12 08:41 mime.types
-rw-r--r-- 1 root root 1022 Mar  4 21:15 nginx.conf
-rw-r--r-- 1 root root  596 Feb 12 08:41 scgi_params
drwxr-xr-x 2 root root 4096 Mar  4 21:15 sites-available
drwxr-xr-x 2 root root 4096 Mar  4 21:19 sites-enabled
-rw-r--r-- 1 root root  623 Feb 12 08:41 uwsgi_params
-rw-r--r-- 1 root root 3610 Feb 12 08:41 win-utf

Thank you for your help ahead of time!

Edit 1: Showing the contents of the sites-enabled folder with ls -l:

[email protected]:/etc/nginx/sites-enabled# ls -l
total 0
lrwxrwxrwx 1 root root 3 Mar  5 10:23 www -> www

Final Answer

So after help from the @Insyte and @Michael Hampton, I figured out how to reproduce my error occassionally. The scenario played out as follows:

[email protected]:/etc/nginx# cd sites-available
[email protected]:/etc/nginx/sites-available# ls
www
[email protected]:/etc/nginx/sites-available# ln -s www /etc/nginx/sites-enabled/www
[email protected]:/etc/nginx/sites-available# cd /etc/nginx/sites-enabled
[email protected]:/etc/nginx/sites-enabled# ls -l
total 0
lrwxrwxrwx 1 root root 3 Mar  5 10:48 www -> www

I am not aware of "why" but turns out that if I use full absolute paths each time then the issue does not exist.

On my Media Temple DV 4.0 server I am getting permission denied errors:

-bash: cd: httpdocs: Permission denied

If I switch from my login user to sudo (sudo su) or switch to root using su-, I can access the directory with any issue. This is just my site's files directory though so not sure why I'm being denied.

Additionally, I added my user to the visudo commands file with:

user ALL=(ALL) ALL

Any suggestions to what else could be the issue?

I am trying to install composer (though to be honest I really have no idea how it fully works and documentation seems to be quite poor) on my MediaTemple DV machine. I am using their instructions

Trying to install globally using:

$ curl -s https://getcomposer.org/installer | php

My command line (again using putty and logged into my server as root) thinks for a second, then sets up for next prompt. I run a simple ls -l to check for the file it should have downloaded with no luck.

Any idea what could be causing the issue? I have tested and do in fact have curl installed.

UPDATE 1

Based on the first answer, the verbose response is:

$ curl -vs https://getcomposer.org/installer | php
* About to connect() to getcomposer.org port 443
*   Trying 37.59.4.156... connected
* Connected to getcomposer.org (37.59.4.156) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt   CApath: none
* SSLv2, Client hello (1): SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11): SSLv3, TLS handshake, Server key exchange (12): SSLv3, TLS handshake, Server finished (14): SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1): SSLv3, TLS handshake, Finished (20): SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=CH/CN=dl.packagist.org/[email protected]
*        start date: 2012-07-07 23:25:35 GMT
*        expire date: 2013-07-10 02:55:12 GMT
* SSL: certificate subject name 'dl.packagist.org' does not match target host name 'getcomposer.org'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

I am looking to install the HttpGeoipModule for NGINX but learning I have to recompile the entire thing from source in order to do so. I have a new Media Temple DV 4.0 server and that comes with nginx v 1.3.0 stock and have never had to recompile from source before and a bit nervous to make changes without being able to revert to a previous state in the event something messes up (that and the fact it is affecting a live server so no idea what downtime is).

My plan was to copy all the existing modules used (nginx -V to list them all and copy the modules already compiled). Then rebuild from source with the copied info above and including the ./configure --with-http_geoip_module reference.

Is is possible to backup the existing nginx configuration in the event something goes wrong?

I know the common command to send email from shell is:

mail -s 'Some Subject' [email protected]

When I do this however, things just hang. No errors returned, no messages sent and seemingly nothing put in the qmail queue. When I try to email my personal email address, the thing just hangs and does not create any entries in the qmail log files.

Are there other things I could be checking to see what the issue might be?

I just installed a new LAMP server running NGINX on the backside. While it does not occur every time - certain HTTPS requests are seeking port 7081 in the URL. For example:

• http://www.nacdbenefits.com appears fine
• clicking the contact us redirects to https just fine
• clicking the link at the bottom right of the page (My Admin) shows a port 7081 and in turn causes errors once logged into the page.

Is this expected behavior from NGINX? I believe it is almost certainly related to NGINX because disabling it (and running off apache only) does not create this error.

NGINX conf

#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

site vhost nginx conf

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.


server {
    listen 216.70.86.230:443 ssl;

    server_name nacdbenefits.com;
    server_name www.nacdbenefits.com;
    server_name ipv4.nacdbenefits.com;

    ssl_certificate             /usr/local/psa/var/certificates/cert-rcx4WK;
    ssl_certificate_key         /usr/local/psa/var/certificates/cert-rcx4WK;
    ssl_client_certificate      /usr/local/psa/var/certificates/cert-Wj9EsP;
    ssl_session_timeout         5m;

    ssl_protocols               SSLv2 SSLv3 TLSv1;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    client_max_body_size 128m;

    location / {
        proxy_pass https://127.0.0.1:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;
    }

    location /internal-nginx-static-location/ {
        alias      /var/www/vhosts/nacdbenefits.com/httpdocs/;
        access_log /var/www/vhosts/nacdbenefits.com/statistics/logs/proxy_access_ssl_log;
        add_header X-Powered-By PleskLin;
        internal;
    }
}



server {
    listen 216.70.86.230:80;

    server_name nacdbenefits.com;
    server_name www.nacdbenefits.com;
    server_name ipv4.nacdbenefits.com;


    client_max_body_size 128m;

    location / {
        proxy_pass http://127.0.0.1:7080;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;
    }

    location /internal-nginx-static-location/ {
        alias      /var/www/vhosts/nacdbenefits.com/httpdocs/;
        access_log /var/www/vhosts/nacdbenefits.com/statistics/logs/proxy_access_log;
        add_header X-Powered-By PleskLin;
        internal;
    }
}

UPDATE 1

I think it must have something to do with switching directories in HTTPS. Any pages will exist on the same domain level (such as the contact us page) do not cause this error. However, once a https connection is made from a sub directory (for sample the admin site), the Port 7081 takes place (which is the newly reconfigured ssl port for Apache since NGINX took over the 443 port).

UPDATE 2

Using Firebug - I noticed that my server seems to be applying an automatic 301 redirect. Note: I do not have this in my current .htaccess file so not sure where it is coming from:

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 15 Aug 2012 22:27:50 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 314
Connection: keep-alive
Location: https://www.nacdbenefits.com:7081/myadmin/

UPDATE 3

I have noticed that if the trailing slash is added to the actual link, the issue does not occur anymore. It is almost as if NGINX is taking the requested URI, attempting to access the directory as a file and it passes it off to Apache which causes the 301 redirect. Adding a trailing slash eliminates this but is not exactly the solution I am hoping for. Surely there is a configuration within NGINX to resolve this.

I am fairly new to server administration, and I have seen a lot of sites recommending to assign sudo privileges to a user created by the root user and giving the root user an insanely long password for security enhancement.

If the newly created user can perform the same functions as a root user however, what is the actual benefit of doing this at all?

I am in the process of migrating several websites to a new server. While the data transfer itself is going fine - I am running into issue testing the sites on the new hardware setup. Typically, this is done before any DNS changes are made and can be done by accessing the IP Address directly.

My current issue however lies in how my new server (or perhaps all) is handling pulling css (and other) files while using the PHP $_SERVER['DOCUMENT_ROOT']. The location is correct (using the IP address of course) but for some reason the css files are not loading. When I try to access the css files directly (using IP as the root), I get 403 Forbidden errors.

I also have modified my local windows hosts file to recognize a test address mapping to the sites IP address.

Is this common when trying to use IP addresses? Is there a way around so I can test?

Update

Looking at the error_log, I see several files coming back with the folling error:

client denied by server configuration

followed by the actual file name.

Issue Found (*)

I found the issue was related to my .htaccess file though not quite sure why. It is the same setup I used on my previous server.

AuthType Basic
AuthName "Protected Area"
AuthUserFile /var/www/vhosts/site.com/.htpasswd
Require valid-user

order deny,allow
deny from all
allow from ... (list of different ip addresses)
Satisfy Any

I am trying to figure out how to clean up my server, better monitor its processes and memories, and more. I came across the 'top' command and see several instances of 'smbd' and 'sshd'. I assume the latter shows active connections/processes using SSH but I am not familiar with smbd.

I tend to think this is 'samba' (and even if it was I have no idea what that is or what it does). Any advice if it is necessary or what the process actually does?

I have a Media Temple (MT) DV 3.5 running CentOS 5.7 for reference.

I am hosted on a Media Temple DV 3.5 server and looking to upgrade from mysql 5.0.90 to the latest mysql so I can use triggers and foreign keys. I am a bit nervous to do so because I don't have a 'test' server to match my production server.

We have full server backups so in the event something goes wrong, I know I can always revert but I am curious, is there a way to backup ALL mysql data (all databases, all users, everything), run the mysql update with Yum package manager (we have CentOS 5.3) and then import the missing data if any exists once upgraded?

I do not have much experience with upgrading software on a Linux system but am of course familiar with 'yum update' commands. I am currently running a Media Temple DV 3.5 CentOS 5 server with MySQL 5.0.90 running. I want to upgrade to the latest (5.5) because I am looking to start using 'event schedulers', something not available until MySQL 5.1.

I have two respected repositories that are able to provide the yum software update but I am afraid that running the update on the repo could cause data loss, bad table manipulation/recreation, etc.

Any advice on this or past experience doing so?

(note, I would be usign remi and/or webtatic repos for reference to do the updates)

I am familiar with modifying .htaccess files but my initial attempts to do so continue to fail.

Ultimately, I want to point users to 'imaginary' subdomains (those which do not exist) so that the subdomain can be parsed correctly with PHP and MySQL to find the particular member's information. It is my assumption that MediaTemple has something configured to always check for a true subdomain directory prior to any access so the .htaccess file settings are never touched and in turn just generate errors.

For example:

When somebody goes to www.example.com currently, it shows the parent site including information on how to become a member. Once a person is a member, their 'unique' URL is:

www.example.com?MemberID=12345

ultimately, forcing the member to remember the question mark agent equals can be confusing along with the need to remember the proper capitalization and such.

I would 'like' to achieve the following:

www.12345.example.com 

redirects to

www.example.com/index.php?MemberID=12345

(index.php reads the 12345 like a $_GET function to properly lookup the ID, valid and return response based on that.)

I believe we could? achieve the same using information after the slash:

e.g. www.example.com/12345

The issue is we already have other pages using /xxxx to modify client content as well as I don't want to block anybody's ability to simply visit: www.example.com/contact for example as a live link.

(where the site redirects to index, tries to look up memberid = 'contact' and does not find any results).

My .htaccess is currently:

ErrorDocument 404 /404.php
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTP_HOST} ^(.+)\.example\.com
RewriteRule .* http://example.com/processing_page.php?ID=%1 [L,R]

I would expect based off my needs that typing www.something.example.com I would be redirected to: www.example.com/processing_page.php?something

Instead, it just redirects to my mediatemple hosting page (essentially stating no subdomain named 'something' exists).

I am running our server on a Media Temple DV 3.5 server running CentOS5 and LAMP stack.

We have a system running CentOS 5 with Plesk 8.6 and Qmail running. Our primary domain is hosted through Media Temple. When Plesk and Qmail are hosted on a single Dedicated Virtual server, it reads the primary server IP and domain and reports that when sending emails from the system.

Our pages are written in PHP so we are using the mail() function. While our email goes out to everybody, several enterprise email domains reject our email because it shows a different originating IP (our primary server IP and domain) than the domain we list in the 'from' address. This is not modifiable. Every domain we own of course does have its own IP as well underneath our primary server IP.

I have seen several places online that provide a patch, specifically - which allows Domain Binding:

"DomainBindings -- For servers that host multiple domains or have multiple IP addresses assigned to them, it is sometimes useful (or important) to have qmail use a specific IP address for its outgoing mail. By default, qmail uses whatever address the OS chooses for all outbound connections. With this patch, you can specify which address to use. It uses a control file similar to smtproutes to specify the outbound IP address to use, based on the sender's domain (local copy) (pyropus.ca)"

Qmail Link

First off I do not have netqmail installed so I'll need to find another source, but also I am completely unfamiliar with applying patches to qmail. Will I lose email services if I patch? Is it a simple apply and use process? Will my existing email accounts and data be restored after the patch?

I am very, very new to unix/linux so this does make me a bit nervous but I am the only person who can make the change and it is one our company "HAS" to have. Any ideas?

I have a PHP script which needs to point to my server openssl directory but am lost. I know the directory resides at /usr/bin/openssl while my site pages rest at /var/www/vhosts/domain/httpdocs/test.php.

Within test.php, I try to call the openssl directory using relative paths at /usr/bin/openssl but I know this is causing an issue. Can anybody help?

PHP script which is trying to call openssl for certificate encryption:

<?php

//earlier in the file $operatingos was set to true or false based on the OS.
if(!$operatingos) {

#PRIVATE KEY FILE
$MY_KEY_FILE = "my-prvkey.pem";

#PUBLIC KEY FILE
$MY_CERT_FILE = "my-pubcert.pem";

#PAYPAL PUBLIC CERTIFICATE
if(!$testingservices) {
    $PAYPAL_CERT_FILE = "paypal_cert.pem"; //LIVE
} else {
    $PAYPAL_CERT_FILE = "paypal_cert_sandbox.pem"; //SANDBOX
}

#PATH TO OPENSSL BINARY
$OPENSSL = "/usr/bin/openssl";      

} else {

#PRIVATE KEY FILE
$MY_KEY_FILE = "C:\\xampp\\htdocs\\privkey.pem";

#PUBLIC KEY FILE
$MY_CERT_FILE = "C:\\xampp\\htdocs\\pubcert.pempem";

#PAYPAL PUBLIC CERTIFICATE
if(!$testingservices) {
    $PAYPAL_CERT_FILE = "C:\\xampp\\htdocs\\pppubcert.pem";
} else {
    $PAYPAL_CERT_FILE = "C:\\xampp\\htdocs\\pppubcert_sandbox.pem";
}

#PATH TO OPENSSL BINARY
$OPENSSL = "C:\\OpenSSL-Win32\\bin\\openssl.exe"; 

}

$form = array('cmd' => '_xclick',
        'business' => 'email',
        'cert_id' => 'certid',
        'lc' => 'US',
        'custom' => 'test',
        'invoice' => '',
        'currency_code' => 'USD',
        'no_shipping' => '1',
        'item_name' => 'Donation',
        'item_number' => '1',
    'amount' => '10'
    );


    $encrypted = paypal_encrypt($form);


function paypal_encrypt($hash)
{
    global $MY_KEY_FILE;
    global $MY_CERT_FILE;
    global $PAYPAL_CERT_FILE;
    global $OPENSSL;

    if (!file_exists($MY_KEY_FILE)) {
        echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
    }
    if (!file_exists($MY_CERT_FILE)) {
        echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
    }
    if (!file_exists($PAYPAL_CERT_FILE)) {
        echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
    }


    //Assign Build Notation for PayPal Support
    $hash['bn']= 'domain.PHP_EWP2';

    $data = "";
    foreach ($hash as $key => $value) {
        if ($value != "") {
            //echo "Adding to blob: $key=$value\n";
            $data .= "$key=$value\n";
        }
    }

    $openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
                        "-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
                        "$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";

    exec($openssl_cmd, $output, $error);

    if (!$error) {
        return implode("\n",$output);
    } else {
        return "ERROR: encryption failed";
    }
};
?> 

I have read several places NEVER to build RPM's as the root user. As such, I defined a new user and have tried building out RPM structures there, however, using the

rpmbuild --rebuild src.name.rpm

returns an error which states the topdir cannot be accessed:

Installing curl-7.20.1-1.src.rpm

error: cannot write to %sourcedir /usr/src/redhat/SOURCES

error: curl-7.20.1-1.src.rpm cannot be installed

does anybody know how to make this change? I have a correct /src/ directory set up under the new user.

I am trying to run through the following instructions: install ssh

when I get to the line "make" in the installation for zlib (first box), the following error is returned:

make: *** No targets specified and no makefile found. Stop.

any ideas?

EDIT

I have downloaded the latest packages so I am using theese instructions as a guide, not with old version numbers gents. Also, I am now running into a similar error. When trying to run ./config, I am returned:

[root@123 openssl-1.0.0]# ./config -bash: ./config: /bin/sh: bad interpreter: Permission denied

I am so new to updating server technologies it is unbelievable but we are trying to become PCI Compliant and have to update some of our server technologies. One in particular is OpenSSL.

We are currently running arch i686 0.9.8e but we have to upgrade to ATLEAST 0.9.8g.

When I run a yum update command, there are no updates available. If I run "yum info openssl" it says available packages are: arch i386 0.9.8e but the only difference is smaller file size.

I am running the following repositories:

Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * addons: mirrors.netdna.com * atomic: www6.atomicorp.com * base: mirrors.igsobe.com * extras: mirror.vcu.edu * updates: mirror.vcu.edu

any help out there?

EDIT

I am running CentOS release 5.5 (Final)

When I try to manually compile using the following code:

• cd /usr/local/src
• rm -fR openssl-0.9.*
• wget -N http://www.openssl.org/source/openssl-0.9.8g.tar.gz
• gzip -d -c openssl-0.9.8n.tar.gz | gtar xvf -
• cd openssl-0.9.8g
• ./config
• make
• make install
• alias cp=cp
• cp -f /usr/local/ssl/bin/openssl /usr/bin/openssl
• cd /usr/local/include
• mv openssl openssl.old
• ln -s /usr/local/ssl/include/openssl openssl

I get the following error:

gtar: This does not look like a tar archive gtar: Error exit delays from previous errors