Fix issues with legacy Linux images

Last Updated: Dec 16, 2025

Note

This document may contain information about third-party products. This information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, about the performance and reliability of third-party products, or any potential effects from using them.

Problem description

Elastic Compute Service (ECS) instances that are created from legacy Linux images may have unconfigured Network Time Protocol (NTP) and Yellowdog Updater, Modified (YUM) services. These instances may also contain recently disclosed high-risk security vulnerabilities. This topic describes how to fix these issues to improve the security of your ECS instances. You can use the free Alibaba Cloud NTP service for time synchronization and the Alibaba Cloud YUM service to install software.

Solutions

Note
  • Before you perform risky operations, such as modifying instance configurations or data, ensure that you have a disaster recovery and fault tolerance plan in place to maintain data security.

  • Before you modify the configurations or data of an instance, such as an ECS or ApsaraDB RDS instance, create a snapshot or enable a feature such as log backup.

  • If you have granted permissions or submitted sensitive information, such as logon credentials, on the Alibaba Cloud platform, change the information immediately.

Configure NTP

Note

This step applies to all Linux distributions.

Back up the /etc/ntp.conf file and replace its content with the following configuration.

# ntp.conf
#
# ntpd config for aliyun ecs.
#
# 6LAN+6LAN+3WAN
#               shijun.***@alibaba-inc.com
#               2014.8.11
#
driftfile  /var/lib/ntp/drift
pidfile   /var/run/ntpd.pid
logfile /var/log/ntp.log
# Access Control Support
restrict    default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 172.16.0.0 mask 255.240.0.0 nomodify notrap nopeer noquery
restrict 100.64.0.0 mask 255.192.0.0 nomodify notrap nopeer noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
restrict ntp1.aliyun.com nomodify notrap nopeer noquery
restrict ntp2.aliyun.com nomodify notrap nopeer noquery
restrict ntp3.aliyun.com nomodify notrap nopeer noquery
restrict ntp4.aliyun.com nomodify notrap nopeer noquery
restrict ntp5.aliyun.com nomodify notrap nopeer noquery
restrict ntp6.aliyun.com nomodify notrap nopeer noquery
# local clock
server 127.127.1.0
fudge  127.127.1.0 stratum 10
#public ntp server
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
server ntp4.aliyun.com iburst minpoll 4 maxpoll 10
server ntp5.aliyun.com iburst minpoll 4 maxpoll 10
server ntp6.aliyun.com iburst minpoll 4 maxpoll 10
#Private ntp server
server ntp1.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp2.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp3.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp4.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp5.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp6.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
#New private ntp server
server ntp7.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp8.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp9.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp10.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp11.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
server ntp12.cloud.aliyuncs.com iburst minpoll 4 maxpoll 10
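
An added example, not part of Alibaba Cloud's document: a shell check that an existing ntp.conf keeps the access-control posture of the configuration above, that is, both default lines set to ignore and every non-loopback restrict entry carrying nomodify and noquery (which deny runtime reconfiguration and ntpq/ntpdc queries). The function name audit_ntp_restrict is hypothetical.

```sh
#!/bin/sh
# audit_ntp_restrict FILE
# Prints one finding per line. Returns 0 when FILE has the same restrict
# posture as the configuration above, 1 otherwise.
audit_ntp_restrict() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 != "restrict"      { next }      # only access-control lines matter here
        {
            i = 2; fam = "v4"
            if ($i == "-6") { fam = "v6"; i++ } else if ($i == "-4") { i++ }
            target = $i
            flags = ""
            for (j = i + 1; j <= NF; j++) {
                if ($j == "mask") { j++; continue }   # skip the netmask value
                flags = flags " " $j
            }
            flags = flags " "
            if (target == "default") {
                if (index(flags, " ignore ")) seen[fam] = 1
                next
            }
            # A bare loopback entry keeps full access, as in the page config.
            if (target == "127.0.0.1" || target == "::1") next
            if (index(flags, " ignore ")) next
            if (!index(flags, " noquery "))
                { print "line " NR ": " target " has no noquery"; bad = 1 }
            if (!index(flags, " nomodify "))
                { print "line " NR ": " target " has no nomodify"; bad = 1 }
        }
        END {
            if (!seen["v4"]) { print "no restrict default ignore line"; bad = 1 }
            if (!seen["v6"]) { print "no restrict -6 default ignore line"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}
```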

Update software repositories

CentOS 6 reached end of life (EOL). In accordance with Linux community rules, all content was removed from the following CentOS 6 repository address: http://mirror.centos.org/centos-6/. If you continue to use the default CentOS 6 repository on Alibaba Cloud, an error is reported. To use specific installation packages of CentOS 6, change the CentOS 6 repository address. For more information, see How do I change CentOS 6 repository addresses?

  1. Run one of the following commands to check the Linux distribution of your instance.

    • Run the lsb_release -a command.

    • Run the cat /etc/issue command.

  2. For CentOS systems, back up the CentOS-Base.repo and epel.repo files in the /etc/yum.repos.d/ directory. Then, based on your CentOS version, run the corresponding commands to download the repo files and run the yum makecache command.

    1. CentOS 6

      wget -qO /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
      wget -qO /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
    2. CentOS 7

      wget -qO /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
      wget -qO /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
  3. For Alibaba Cloud Linux 5.7, back up the /etc/yum.repos.d/CentOS-Base.repo file. Then, run the following command to download the repo file and run the yum makecache command.

    wget -qO /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/aliyun-5.repo
  4. For Ubuntu systems, back up the /etc/apt/sources.list file. Then, based on your distribution version, run the corresponding command to download the .list file and run the apt-get update command.

    1. Ubuntu 12.04

      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/ubuntu1204-lts.list
    2. Ubuntu 14.04

      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/ubuntu1404-lts.list
  5. For Debian systems, back up the /etc/apt/sources.list file. Then, based on your distribution version, run the corresponding command to download the .list file and run the apt-get update command.

    1. Debian 6

      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/debian6-lts.list
    2. Debian 7

      wget -qO /etc/apt/sources.list http://mirrors.aliyun.com/repo/debian7-lts.list
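
The commands above write wget output straight onto the live file, so a failed download leaves an empty or partial repository list behind, and the mirror URLs are plain HTTP. An added example (not Alibaba Cloud's code) that covers the back-up-and-replace steps here and for /etc/ntp.conf: download to a temporary file, sanity-check it, keep a timestamped backup, then swap it in. The function names and the check patterns (`^baseurl=` for yum repo files, `^deb ` for sources.list) are assumptions.

```sh
#!/bin/sh
# safe_replace NEW DEST PATTERN
#   NEW      candidate file, for example a repo file downloaded to a temp path
#   DEST     file to replace (/etc/ntp.conf, /etc/yum.repos.d/CentOS-Base.repo, ...)
#   PATTERN  extended regex that at least one line of NEW must match
# Returns 0 after installing NEW over DEST, 1 (DEST untouched) if NEW fails a check.
safe_replace() {
    new=$1 dest=$2 pattern=$3
    [ -s "$new" ] || { echo "refusing: $new is missing or empty" >&2; return 1; }
    grep -Eq -- "$pattern" "$new" ||
        { echo "refusing: $new does not look like the expected file" >&2; return 1; }
    # The backup name must not end in .repo, or yum would load it as a repo file.
    if [ -e "$dest" ]; then
        cp -p -- "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    # Stage beside DEST so the final mv is a rename on the same filesystem.
    stage=$(mktemp "$dest.XXXXXX") || return 1
    cat -- "$new" > "$stage" && chmod 644 "$stage" && mv -f -- "$stage" "$dest" ||
        { rm -f -- "$stage"; return 1; }
}

# fetch_and_replace URL DEST PATTERN
# Downloads to a temp file first, so a failed wget never truncates DEST.
fetch_and_replace() {
    tmp=$(mktemp) || return 1
    if wget -qO "$tmp" "$1"; then
        safe_replace "$tmp" "$2" "$3"; rc=$?
    else
        echo "download failed: $1" >&2; rc=1
    fi
    rm -f -- "$tmp"
    return "$rc"
}

# Usage with the page's CentOS 7 URL (run as root on the instance):
#   fetch_and_replace http://mirrors.aliyun.com/repo/Centos-7.repo \
#       /etc/yum.repos.d/CentOS-Base.repo '^baseurl=' && yum makecache
```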

Fix security vulnerabilities

To fix known major security vulnerabilities, upgrade software packages, including bash, glibc, openssl, wget, and ntp.

Before you run the following commands, ensure that the system's software repository is configured correctly.

  • For CentOS and Alibaba Cloud Linux systems, run the following command.

    yum update bash glibc openssl wget ntp

  • For Ubuntu and Debian systems, run the following command.

    apt-get install bash libc6 libc-bin openssl wget ntp

Applicable to

  • Elastic Compute Service (ECS)