5

Ubuntu 16.04.2

Please, be informed that I'm a newbie, and the question may be clumsy. I've read some theoretical materials, but don't have enough practice.

Let's suppose, we have a VPS bought from a hoster.

I'm a bit afraid of accessing via ssh. There may be situations when one may spoil everything and can't access (for example, set up iptables to deny everything, or just lose one's private key, etc.).

Let's suppose that we want to update OpenSSL.

Well, as far as I can understand, we have to download it, extract, configure and make. Then reboot the server to be on the safe side.

What if ssh will not work? So, we rebooted, and can't access. I'm afraid that my hoster will not help me to restore access to the server.

Maybe I should open telnet access in UFW while I'm reinstalling OpenSSL? It's not safe.

Maybe I should pay a bit more money to my ISP for a static IP, organize UFW to allow access via Telnet only from my static IP? It's a bit better.

Can the control panel (like ISP manager) be useful here?

Well, could you tell me what is the right way of updating OpenSSL?

Michael

2 Answers

8

First of all, never allow telnetd (telnet server) to listen for connections on a public interface. There's really no reason to ever use it on a modern system. Everything you can accomplish with telnet can be accomplished with SSH, and SSH is secure (connections are only allowed from authenticated clients, and communications are encrypted "on the wire"). Back up your private keys in a secure location.

To update openssl, assuming it's already installed:

sudo apt update && sudo apt install openssl

thinkmassive
    Confused as to why this is accepted? sudo apt upgrade ssl doesn't upgrade ssl, it upgrades all packages on the system. The correct way to check is sudo apt-get install openssl, and it will tell you if it is the newest version or not. – John Allard Nov 28 '18 at 20:06
4

It really depends on why you want to 'update' OpenSSL. Given that you have a recent LTS version of Ubuntu, ordinarily, all the usual bug fixes/vulnerabilities are ported into the packaged versions of OpenSSL and OpenSSH and are handled for you. As such, building OpenSSL from source should be the last option.

In your situation, I would recommend that, unless you are looking for a specific unsupported feature, you use the packages in the Ubuntu package repositories.

In which case, the regular process for carrying out this sort of operation would be to run:

sudo apt-get update
sudo apt-get upgrade

If you know there is a newer version of OpenSSL you are attempting to use, you can simply upgrade that package individually by running:

sudo apt-get install openssl

If this returns 0 packages updated then there were no updates to the packages anyway.

Then look at the packages that Ubuntu wants to upgrade and make a more informed choice. If the package upgrade list looks sensible for what you are needing, then typing Y and enter will allow the upgrade process to proceed.

Of course, the best way to mitigate against the sort of 'I can't gain network access to my box' problem is to have console access to the box. Unfortunately, without knowing who your provider is, I cannot advise you as to whether that is possible, or by what mechanism you would do it. However, many provisioning systems give you at least some KVM functionality, so it may be possible. You would have to read the documentation from your host as to how to achieve this.
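The review step described in the answer above ("look at the packages that Ubuntu wants to upgrade") can be scripted. This is an added example, not part of either answer: it parses the output of a simulated upgrade (`apt-get -s upgrade`) and flags pending changes to packages that SSH access depends on. The function names, the list of "critical" packages and the sample simulation text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a simulated apt upgrade and flag packages that
# SSH access depends on, so they can be reviewed before answering "Y".

# Packages treated as remote-access critical (an assumption of this example).
CRITICAL_PATTERN='^(openssl|libssl[0-9.]*|openssh-(server|client|sftp-server))(:[a-z0-9]+)?$'

# Read `apt-get -s upgrade` output on stdin and print one line per pending
# change: "<package> <installed> -> <candidate>[ CRITICAL]".
review_upgrades() {
    awk -v pat="$CRITICAL_PATTERN" '
        $1 == "Inst" {
            pkg = $2; inst = "(new)"; cand = $3
            # Upgrades carry the installed version in [brackets] before the candidate.
            if ($3 ~ /^\[/) { inst = $3; cand = $4; gsub(/^\[|\]$/, "", inst) }
            sub(/^\(/, "", cand)
            flag = (pkg ~ pat) ? " CRITICAL" : ""
            printf "%s %s -> %s%s\n", pkg, inst, cand, flag
        }'
}

# Succeed (exit 0) if the simulated upgrade on stdin touches a critical package.
touches_remote_access() {
    review_upgrades | grep -q ' CRITICAL$'
}

# Constructed sample of simulation output (not captured from a real host).
SAMPLE_SIMULATION='Inst libssl1.0.0 [1.0.2g-1ubuntu4.6] (1.0.2g-1ubuntu4.8 Ubuntu:16.04/xenial-updates [amd64])
Inst openssl [1.0.2g-1ubuntu4.6] (1.0.2g-1ubuntu4.8 Ubuntu:16.04/xenial-updates [amd64])
Inst tzdata [2016j-0ubuntu0.16.04] (2017b-0ubuntu0.16.04 Ubuntu:16.04/xenial-updates [all])
Conf libssl1.0.0 (1.0.2g-1ubuntu4.8 Ubuntu:16.04/xenial-updates [amd64])'

# Demo on the constructed sample. On a real host, pipe the simulation instead:
#   apt-get -s upgrade | review_upgrades
printf '%s\n' "$SAMPLE_SIMULATION" | review_upgrades
```

If any line is marked CRITICAL, keep the current SSH session open during the upgrade and confirm that a fresh login works from a second terminal before closing it.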