carpman
03-03-2002, 10:08 AM
Hello, I have a server with burst.net. I have been following a thread on cpanel.net concerning upgrading to a new Apache build, mainly because of PHP security issues.
It seems that on a 6.2 machine there can be issues due to lib etc.
I have decided to pass this on to support as it is beyond my present skills if the system goes belly up; there are also a couple of other things that need sorting out.
My question is: what do others recommend for inclusion in updating of the machine? I am thinking of Apache/PHP modules config, but other stuff that people think important would be welcome.
cheers
Tim Greer
03-03-2002, 11:10 AM
When upgrading, there's a lot of things to consider and do, when doing a full upgrade. It's good to keep up to date on all the new, faster, more stable and secure software anyway. Definitely check to see if the following (I'll just list some, there's a lot more and it depends on what you use/run) and if it's insecure or the new version has an option you need (and consider if you need it bad enough, as it might result in a new issue, not to mention the trouble):
The kernel, BIND, SSH, Apache, Apache's modules (PHP (and anything PHP uses -- components, libs, etc.), mod_perl, fastcgi, especially things like mod_negotiation and mod_rewrite (they've been known to have issues), etc.), FTP, telnet (if you use telnet), OpenSSL, MySQL, gcc, glibc, things like pine (if you use them), python, perl, Qmail, or Sendmail or Exim (whatever you use), any editors you use, like vi, pico, ee (or whatever you have), man, rpm, make, patch, etc. Basically, anything that needs to be updated due to its age, stability or mainly security issues. It's good to keep up to date -- not just for the sake of using all the newest versions of everything, but usually some things are fixed, improved, made more stable or a security bug has been fixed. Rather than listing off 100+ things I know have had issues in the last year or so, I think you said you run 6.2. In that case, check this link out and it'll give you a big list (not everything, but a lot of it) that needs to or should be updated, if you haven't already (and it explains why, too):
http://www.redhat.com/support/errata/rh62-errata-general.html
Check security sites often and really read up on it. Also, subscribe to some security alert lists. A lot of it depends on what you run and have enabled. However, as for just upgrading one thing, like mod_php for Apache, you don't need to rebuild an entire Apache server. Just use "apxs" to compile in a new mod_php module -- and be sure to compile in all the modules PHP uses into it first too, of course. Depending on how you have things compiled or set up (i.e., a loaded module or a core module, etc.), some things might require an entire rebuild, while other things might be easier. I'm speaking not just about Apache, but any of the things listed above or on RedHat's Errata pages.
carpman
03-03-2002, 11:25 AM
Thanks for the reply. My burst.net cPanel machine runs a daily script which appears to update a lot of crucial files.
The main thing I was looking for was what was best to add/keep on the Apache modules and PHP config, things like modPerl, fast cgi, curl etc.
I had a recent kernel update but the system has been sending me warnings to get it updated again, so this was on the agenda.
Tim Greer
03-03-2002, 11:38 AM
Well, depending on what the Apache server is running and doing, what it uses, as well as the modules it uses, some are more likely to be more urgent than others. Definitely upgrade to the newest PHP if you haven't already -- but you know that. As for Cpanel's updates, don't count on it. It does some stuff, but it doesn't do a lot or everything. You should make sure that you're running the newest/latest builds of certain tools though. If CPanel updates some of them, it might save you time, if you agree with how it updates them. I usually build from source though, so I can configure it the way I want when it's built or updated, for example. Anyway, if you're mostly concerned with Apache stuff, you'd have to list what you're using. However, if you know, you can check the sites for those components and just see if you're running the newest version anyway, and you can see if they posted any alerts or information about any new versions if they are newer than the one you are currently using. So, I'm not sure how anyone could help in that case.