How to force www or non-www in htaccess

You need to create a .htaccess file under the webroot directory of your domain and store one of the following blocks of code in it.

Be sure to replace 'test.com' with your actual domain name. NOTE: do not place both blocks of code in the file, as that will cause an error.

#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^test\.com [NC]
RewriteRule ^(.*)$ http://www.test.com/$1 [L,R=301,NC]

#Force non-www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.test\.com [NC]
RewriteRule ^(.*)$ http://test.com/$1 [L,R=301]

Now, whether you type in your domain name with or without www in front, it should display as you set it in the .htaccess file.

Posted in Linux

Setting up TCP Wrappers and local firewall on a remote host

If you use local firewall rules and TCP wrappers on a remote host where you might get locked out, with no easy way to log in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs to undo whatever you messed up.

I scheduled two jobs recurring every 10 minutes. That gives you 10-minute windows for configuring and testing before the security settings reset.

Set two cron jobs:

[root@kanyakonil root]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush

Tcp wrappers:

I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.

It looked good after cron ran.

# cat /etc/hosts.deny
#
...
#ALL: ALL

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx

Test from a non-allowed and from an allowed host.

Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)

Now let's tune the firewall rules.

List rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The saved rules live in this file:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Delete unneeded rules:

# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

Check (and test using something like nmap):

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT
Interesting ports on 192.168.1.3:
Not shown: 1693 filtered ports
PORT    STATE  SERVICE     VERSION
80/tcp  open   http        Apache httpd 2.2.0 ((Linux/SUSE))
113/tcp closed auth
139/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
445/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
MAC Address: 00:0D:88:B3:72:F3 (D-Link)
Device type: general purpose|WAP|specialized|storage-misc|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 - 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 - 2.6.17 (92%), Linux 2.6.17 - 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 - 2.6.12 (x86) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds


Save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Check stored rules:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012

Check running rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
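Added example, not part of the original post: a one-shot variant of the safety net described at the start of this post. Instead of cron jobs that keep resetting hosts.deny and flushing iptables every 10 minutes, it snapshots the current state, arms a single timer that restores that snapshot, and lets you disarm the timer once a second login has proven you are not locked out. The snapshot directory, the use of iptables-save/iptables-restore and the function names are assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: a one-shot "dead-man switch"
# for remote firewall / TCP wrapper changes. If the timer fires, the snapshot
# is put back exactly as it was, rather than flushing to an empty (and
# wide-open) rule set. SNAPSHOT_DIR and the function names are assumptions.

SNAPSHOT_DIR=${SNAPSHOT_DIR:-/root/fw-snapshot}

# Record the current rules and hosts.deny as the known-good state.
snapshot_rules() {
    mkdir -p "$SNAPSHOT_DIR" &&
    iptables-save > "$SNAPSHOT_DIR/iptables.rules" &&
    cp /etc/hosts.deny "$SNAPSHOT_DIR/hosts.deny"
}

# Put the snapshot back: same rules, same hosts.deny.
restore_rules() {
    iptables-restore < "$SNAPSHOT_DIR/iptables.rules" &&
    cp "$SNAPSHOT_DIR/hosts.deny" /etc/hosts.deny
}

# schedule_revert SECONDS COMMAND: run COMMAND after SECONDS unless cancelled.
# Prints the timer's PID. COMMAND is eval'd in a subshell, so it may be one of
# the functions above or a redirection such as "iptables-restore < file".
schedule_revert() {
    ( sleep "$1" && eval "$2" ) >/dev/null 2>&1 &
    echo $!
}

# cancel_revert PID: disarm the timer. Killing the waiting subshell means
# COMMAND never runs; the orphaned sleep simply expires.
cancel_revert() {
    kill "$1" 2>/dev/null
}

# Typical session on the remote host (arm, change, verify, disarm):
#   snapshot_rules
#   timer=$(schedule_revert 600 restore_rules)
#   ... edit hosts.allow / hosts.deny, run iptables -D / -A ...
#   ... open a NEW ssh session from elsewhere to confirm access ...
#   cancel_revert "$timer"      # only once the new session works
#   service iptables save
if [ "${1:-}" = "arm" ]; then
    snapshot_rules && echo "revert timer pid: $(schedule_revert "${2:-600}" restore_rules)"
fi
```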
Posted in Security

Some Shell Scripts

Shell script to add a zone to the DNS server. The nameservers are hard-coded:

NS1 = ns1.example.net
NS2 = ns2.example.net

#!/bin/bash
# Create a BIND zone file for a domain and register it in /etc/named/named.zone.
# Usage: addzone.sh [domain] [ip]  (anything not given on the command line is prompted for)
grep=$(which grep)
rndc=$(which rndc)

# check to see if the script is being run as root or not
if [ "$(id -u)" != "0" ]; then
    echo "You must be root in order to run this script. You are $(whoami)."
    exit 1
fi

# if this is a cPanel server, exit the script as a DNS zone can be created from WHM
if [ -d "/usr/local/cpanel" ]; then
    echo "This is a cPanel box. You can create the DNS zone from WHM."
    exit 1
# if this is a Plesk server, exit the script as the DNS zone can be created from Plesk itself
elif [ -d "/usr/local/psa" ]; then
    echo "This is a Plesk box. You can create the DNS zone from the Plesk Control Panel."
    exit 1
fi

domain=$1
if [ -z "$domain" ]; then
    echo "Please enter the domain name"
    read domain
fi
ip=$2
if [ -z "$ip" ]; then
    echo "Please enter the IP address for the domain"
    read ip
fi

# shape check: exactly four dot-separated groups of 1-3 digits
test=$(echo "${ip}." | $grep -E "^([0-9]{1,3}\.){4}$")
if [ -z "$test" ]; then
    echo "${ip} is not a valid IP address, exiting script!"
    exit 1
fi
# range check on every octet; awk's exit status is what the shell sees,
# so a bad address really stops the script
echo "$ip" | awk -F. '{
    if ( (($1>=0) && ($1<=255)) && (($2>=0) && ($2<=255)) &&
         (($3>=0) && ($3<=255)) && (($4>=0) && ($4<=255)) ) {
        print($0 " is a valid IP address. Using this IP."); exit 0
    } else {
        print($0 ": Please specify a correct IP address."); exit 1
    } }' || exit 1

# prompts for the admin contact and nameservers are disabled: the zone always
# uses ns1/ns2.example.net as listed above
#admin=$3
#echo "Please enter the administrator for this domain's DNS in a admin.domain.com form"
#read admin
#ns1=$4
#echo "Please enter the primary nameserver for $domain"
#read ns1
#ns2=$5
#echo "Please enter the secondary nameserver for $domain"
#read ns2

# ok, so enough with the chit-chat, let's move on to the DNS stuff
echo "The zone file for the domain $domain will be created using $ip."
serial=$(date +%Y%m%d00)
folder=$(echo "$domain" | cut -c1)
zone=/var/named/$folder/$domain.zone
mkdir -p "/var/named/$folder"
touch "$zone"
{
echo '$ORIGIN .'
echo '$TTL 600     ; 10 minutes'
echo "$domain   IN     SOA    ns1.$domain. root.ns1.example.net. ("
echo "               $serial    ; serial, todays date + todays serial"
echo "               7200           ; refresh, seconds"
echo "               3600            ; retry, seconds"
echo "               43200         ; expire, seconds"
echo "               3600 )            ; minimum, seconds"
echo "                  IN       A    $ip"
echo "                  IN       NS    ns1.example.net"
echo "                  IN       NS    ns2.example.net"
echo "                  IN       MX    5 mail.$domain."
echo "\$ORIGIN $domain."
echo "mail.$domain. IN     A     $ip"
echo "www           IN     CNAME $domain."
echo "ftp           IN     A     $ip"
echo "sql           IN     A     $ip"
echo "ns1           IN     A     $ip"
echo "ns2           IN     A     $ip"
} >> "$zone"
echo "Done creating DNS zone, adding the zone to named.conf in named.zone file"
{
echo "zone \"$domain\" IN {"
echo "     type master;"
echo "     file \"$zone\";"
echo "     allow-transfer {"
echo "     10.10.11.243;"
echo "     };"
echo "};"
} >> /etc/named/named.zone
echo "Zone added to named.conf. Restarting rndc & named"
sleep 2
$rndc reload
/etc/init.d/named restart
echo "All done"


Script to check if IP is blacklisted

#!/bin/sh
# -- $Id: blcheck.xml,v 1.8 2007/06/17 23:38:00 j65nko Exp $ --

#*/15 * * * * sh /root/spam.sh 38.111.101.66|mail -s "Spam Report in 15 Min" inct@rohtan.com
#*/15 * * * * sh /root/spam.sh 38.111.101.100|mail -s "Spam Report in 15 Min" inct@rohtan.com

# Check if an IP address is listed on one of the following blacklists
# The format is chosen to make it easy to add or delete
# The shell will strip multiple whitespace

BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"

# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
# >&2  : redirect/send the message to stderr

ERROR() {
  echo $0 ERROR: $1 >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'

# -- if the address consists of 4 groups of minimal 1, maximal 3 digits, separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable 'reverse' will be empty

reverse=$(echo $1 |
  sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")

if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument

# If the IP address in $1 passes our crude regular expression check,
# the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue

# An empty '${reverse}' means that shell argument $1 doesn't pass our simple IP address check
# In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function and quit

# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)

echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do

    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S_%Z")

    # show the reversed IP and append the name of the blacklist
    printf "%-40s" " ${reverse}.${BL}."

    # use dig to lookup the name in the blacklist
    #echo "$(dig +short -t a ${reverse}.${BL}. |  tr '\n' ' ')"
    LISTED="$(dig +short -t a ${reverse}.${BL}.)"
    echo ${LISTED:----}

done

# --- EOT ------

Posted in Linux, Shell Script

Monitor Linux services using a bash script

# vi check_httpd.sh

#!/bin/sh
# PIDs of running httpd processes, joined onto one line (empty if none)
run=`ps ax | grep /usr/local/apache/bin/httpd | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
then
echo "apache is running" > /home/admin/check_httpd.log
else
/usr/local/apache/bin/apachectl -k restart
mail -s "Apache server restarted by check-httpd script " admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

Or (only for Apache):

# vi check_httpd.sh

#!/bin/sh
cd /tmp
# fetch the front page; -q -O /dev/null keeps /tmp clean, only the exit code matters
wget -q -O /dev/null adminlogs.info:80
if [ $? -gt 0 ]; then
/usr/local/apache/bin/apachectl -k restart
mail -s "Apache server restarted by check-httpd script " admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

$? contains the return code of the last executed process; -gt means "greater than". Programs usually return zero on success and something else on failure.

Add the script to crontab (it will check the status every 5 minutes):

*/5 * * * * /bin/bash check_httpd.sh

It worked fine, and now I have no worries about that website and am getting good sleep :)

Posted in Apache, Linux, Optimize, Shell Script

CentOS Fix for Bash Bug (CVE-2014-6271 & CVE-2014-7169)

Bash, aka the Bourne-Again Shell, has a newly discovered security hole which has been officially documented as CVE-2014-6271 & CVE-2014-7169. And, for many Unix or Linux web servers, it's a major problem.

The flaw involves how Bash evaluates environment variables. With specifically crafted variables, an attacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.

After a couple of days of trouble, today we got a fix from CentOS for the famous bash security issue (for the known loopholes CVE-2014-6271 & CVE-2014-7169).

CentOS 5 fix:

* i386: bash-3.2-33.el5_10.4.i386.rpm (sha256sum 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7)

* x86_64: bash-3.2-33.el5_10.4.x86_64.rpm (sha256sum b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c)

CentOS 6 fix:

* x86_64: http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

* i386: http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

Test output:

[root@ ~]# rpm -qa | grep bash
bash-3.2-32.el5
[root@ ~]# env X='() { (a)= >\' bash -c "echo date";
bash: X: line 0: syntax error near unexpected token `='
bash: X: line 0: `X () { (a)= >\'
bash: error importing function definition for `X'
date
[root@ ~]#

* After updating to the latest bash rpm:

[root@ ~]# rpm -qa | grep bash
bash-3.2-33.el5_10.4
[root@ ~]# env X='() { (a)= >\' bash -c "echo date";
date
[root@ ~]#
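Added example, not part of the original post: the CVE-2014-7169 probe from the test output above, wrapped so a script can judge the result instead of a person reading stderr. A bash that still imports functions from arbitrary variable names prints the syntax errors shown above, one with the parser bug silently creates a file named echo in the working directory, and a fixed bash does neither and just prints date. The function names are assumptions; rpm -q --changelog is a standard rpm query.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the CVE-2014-7169 probe
# from the test output above so a script can judge the result:
#   - a bash with the parser bug turns "echo date" into "date > echo" and
#     leaves a file named "echo" in the working directory;
#   - a bash that still imports functions from arbitrary variable names
#     prints the "error importing function definition" lines seen above;
#   - a fixed bash treats X as an ordinary variable and just prints "date".
# Returns 0 = patched, 1 = vulnerable, 2 = could not test.
check_cve_2014_7169() {
    bash_bin=${1:-bash}     # the bash to test; defaults to the first in PATH
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no such binary: $bash_bin"; return 2; }
    tmp=$(mktemp -d) || return 2
    # run in a scratch directory so a stray "echo" file is created there;
    # stderr is captured in $err, stdout goes to a file
    err=$(cd "$tmp" && env X='() { (a)= >\' "$bash_bin" -c "echo date" 2>&1 >"$tmp/stdout")
    out=$(cat "$tmp/stdout")
    if [ -e "$tmp/echo" ]; then created=1; else created=0; fi
    rm -rf "$tmp"
    if [ "$created" = 1 ]; then
        echo "VULNERABLE: $bash_bin executed the dangling redirection (CVE-2014-7169)"
        return 1
    fi
    case "$err" in
        *"error importing function definition"*|*"syntax error"*)
            echo "VULNERABLE: $bash_bin still parses function definitions from the environment"
            return 1 ;;
    esac
    if [ "$out" = "date" ] && [ -z "$err" ]; then
        echo "patched: $bash_bin ignored the crafted variable"
        return 0
    fi
    echo "inconclusive: stdout='$out' stderr='$err'"
    return 2
}

# On CentOS the package changelog is the authoritative record of the fix; it
# names the CVE id once the updated rpm listed above is installed.
bash_rpm_lists_fix() {
    rpm -q --changelog bash 2>/dev/null | grep -q 'CVE-2014-7169'
}
```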

 

Posted in Linux

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

Today I saw an interesting error while restarting Apache:
=======
]# /etc/init.d/httpd restart
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Stopping httpd: [ OK ]
Starting httpd: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[ OK ]
]#
===========
Maybe you will face this too, or already have.
Don't be surprised. Just do a "cd /", or cd to any directory, and it will fix the error!

This happens because the current working directory from which the command was run no longer exists on the server.

Posted in Linux

Heart Bleeding

Neel Mehta of Google Security (together with the security engineers Riku, Antti and Matti at Codenomicon, who discovered the bug) reported a serious bug in current OpenSSL on 3 April 2014: TLS heartbeat read overrun (CVE-2014-0160).

As per OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The advice is to upgrade to OpenSSL 1.0.1g (https://www.openssl.org/source/openssl-1.0.1g.tar.gz) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

You may need to recompile other services that link against OpenSSL, such as Apache, nginx and PHP. It is also better to renew your SSL certificates to make sure everything is safe.

How to check whether your server/website is affected:

http://possible.lv/tools/hb
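Added example, not part of the original post: the affected-version rule quoted above turned into a check, plus the caveat that matters on CentOS/RHEL, where the fix was backported without changing the version string, so the version test alone gives a false positive. The function names are assumptions; rpm -q --changelog is a standard rpm query.

```shell
#!/bin/sh
# Added example, not part of the original post.
# heartbleed_affected_version "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   returns 0 if the version string falls in the affected range named above
#   (1.0.1 through 1.0.1f, and the 1.0.2-beta releases), 1 otherwise.
heartbleed_affected_version() {
    v=${1#OpenSSL }     # drop the leading word
    v=${v%% *}          # keep only the version token, e.g. "1.0.1e-fips"
    v=${v%-fips}        # FIPS builds append "-fips"; the base version is what matters
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Distribution packages usually backport the fix without bumping the version:
# a patched CentOS 6 still reports "OpenSSL 1.0.1e-fips". On RPM systems the
# package changelog is the authoritative record, so look for the CVE id there.
openssl_rpm_lists_fix() {
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# check_local_openssl: combine both signals for the openssl on this host.
# Exits 1 only when the version is in range AND no backported fix is recorded.
check_local_openssl() {
    ver=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    if ! heartbleed_affected_version "$ver"; then
        echo "not in the affected range: $ver"; return 0
    fi
    if openssl_rpm_lists_fix; then
        echo "version $ver is in range, but the package changelog records the CVE-2014-0160 fix"; return 0
    fi
    echo "AFFECTED: $ver (upgrade to 1.0.1g or a patched package)"; return 1
}
```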

Posted in Linux

POODLE: SSLv3.0 vulnerability

What is POODLE?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

How to Fix?

At present there is no working patch for this bug, so admins need to disable SSLv3 on their servers manually.

Disable SSLv3 - Apache

1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf

2) Restart the apache service.

Disable SSLv3 - Nginx

1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf in the ssl section.

2) Restart the nginx service.

Disable SSLv3 - Postfix

1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"

2) Restart the postfix service.

Disable SSLv3 - WebLogic

Start WebLogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"

How to Diagnose?

# openssl s_client -connect localhost:443 -ssl3

==> If you have already disabled SSLv3, the output will look like this:

CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

==> If you have not disabled SSLv3 and you get output like the following, your server is vulnerable to POODLE!

CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify return:1
Certificate chain
 0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
   i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com


If you manage an entire data center or a corporate intranet, the problem is a little harder to solve than disabling SSL 3.0 in a browser. Regardless of the mitigation strategy you choose, you need to know which of your servers are currently running SSL 3.0. To that end, here are a couple of quick scripts based on open source tools that will help you take control of the situation.

The first script, ssl3_cipher_check.sh, checks a single target for the presence of SSL 3.0 ciphers. The results will be similar to the following:

# ssl3_cipher_check.sh 192.168.1.51 443
Testing 192.168.1.51:443 for support of SSL3.0 ciphers...
NULL-MD5...NO (ssl handshake failure)
NULL-SHA...NO (ssl handshake failure)
EXP-RC4-MD5...NO (ssl handshake failure)
RC4-MD5...NO (ssl handshake failure)
RC4-SHA...NO (ssl handshake failure)
EXP-RC2-CBC-MD5...NO (ssl handshake failure)
IDEA-CBC-SHA...NO (no cipher match)
EXP-DES-CBC-SHA...NO (ssl handshake failure)
DES-CBC-SHA...NO (ssl handshake failure)
DES-CBC3-SHA...YES - SSL 3.0 cipher detected
EXP-DH-DSS-DES-CBC-SHA...NO (no cipher match)
DH-DSS-DES-CBC-SHA...NO (no cipher match)
DH-DSS-DES-CBC3-SHA...NO (no cipher match)
EXP-DH-RSA-DES-CBC-SHA...NO (no cipher match)
DH-RSA-DES-CBC-SHA...NO (no cipher match)
DH-RSA-DES-CBC3-SHA...NO (no cipher match)
EXP-DHE-DSS-DES-CBC-SHA...NO (no cipher match)
DHE-DSS-CBC-SHA...NO (no cipher match)
DHE-DSS-DES-CBC3-SHA...NO (no cipher match)
EXP-DHE-RSA-DES-CBC-SHA...NO (no cipher match)
DHE-RSA-DES-CBC-SHA...NO (no cipher match)
DHE-RSA-DES-CBC3-SHA...NO (no cipher match)
EXP-ADH-RC4-MD5...NO (ssl handshake failure)
ADH-RC4-MD5...NO (ssl handshake failure)
EXP-ADH-DES-CBC-SHA...NO (ssl handshake failure)
ADH-DES-CBC-SHA...NO (ssl handshake failure)
ADH-DES-CBC3-SHA...NO (ssl handshake failure)
SSL3 ciphers were detected on server 192.168.1.51:443

The second script, ssl3_scan.sh, allows you to test an entire network range. Using a network range specified in CIDR notation or a format compatible with nmap, the script detects and checks the standard and alternate ports commonly used for HTTPS on all hosts in the network range. Results will be similar to the following:

# ./ssl3_scan.sh 192.168.1.0/24
Beginning test... please be patient...
192.168.1.17:443 - SSL3.0 ciphers NOT supported
192.168.1.35:443 - SSL3.0 ciphers NOT supported
192.168.1.34:443 - SSL3.0 ciphers NOT supported
192.168.1.51:443 - SSL3.0 ciphers supported
192.168.1.58:443 - SSL3.0 ciphers supported

How you decide to mitigate the risk is a decision you will have to make.

http://www.symantec.com/connect/sites/default/files/ssl3_check_scripts.tar.gz
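Added example, not part of the original post nor of the Symantec scripts linked above: a cut-down single-host check in the spirit of ssl3_cipher_check.sh, serving both the "How to Diagnose" section and the scan scripts described here. It runs the s_client probe from the diagnosis section and classifies the result from the text, with the classifier separated out so it can be exercised on captured output (the two samples above, for instance) without any network. Function names and the list-file format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the Symantec scripts.
# Verdict on stdout and exit code:
#   disabled    (0) server refused the SSLv3 handshake: not exposed to POODLE
#   supported   (1) server completed an SSLv3 handshake: vulnerable
#   untestable  (2) the local openssl cannot speak SSLv3, so the probe says
#                   nothing about the server (use a client built with SSLv3)
#   unreachable (3) no TCP connection could be made
classify_ssl3_output() {
    out=$(cat)
    case "$out" in
        # Current OpenSSL builds drop SSLv3 and reject the -ssl3 flag, or refuse
        # it client-side via MinProtocol; the wording varies by release.
        *"nknown option"*"-ssl3"*|*"null ssl method"*|*"no protocols available"*|*"unsupported protocol"*)
            echo untestable; return 2 ;;
        *"onnection refused"*|*"connect:errno"*|*"getaddrinfo"*)
            echo unreachable; return 3 ;;
        # Alert 40 is handshake_failure (the first sample above); newer servers
        # answer an SSLv3 hello with protocol_version (70). Either way SSLv3 is off.
        *"handshake failure"*|*"alert number 40"*|*"alert protocol version"*|*"Cipher"*": 0000"*)
            echo disabled; return 0 ;;
        # The certificate chain is only printed once the SSLv3 handshake got far
        # enough to receive the server certificate (the second sample above).
        *"Certificate chain"*|*"Server certificate"*)
            echo supported; return 1 ;;
    esac
    echo untestable; return 2
}

# check_ssl3 HOST PORT: the page's probe, piped into the classifier.
# </dev/null closes stdin so s_client exits as soon as the handshake is over.
check_ssl3() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_ssl3_output
}

# check_ssl3_list FILE: one "host port" pair per line (port defaults to 443),
# printed in the same form as the ssl3_scan.sh summary above.
check_ssl3_list() {
    while read -r host port; do
        [ -n "$host" ] || continue
        printf '%s:%s - SSLv3 %s\n' "$host" "${port:-443}" "$(check_ssl3 "$host" "${port:-443}")"
    done < "$1"
}
```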

Posted in Linux

Setup mysql master slave replication over ssl

Master Server : 10.10.1.1

Slave Server : 10.10.1.2

Confirm that your MySQL server is compiled with SSL support using the following command:

# mysql -u root -p

mysql> show variables like '%ssl%';

If you get output like the following, MySQL is compiled with SSL support:

mysql> show variables like '%ssl%';
| have_openssl | DISABLED |
| have_ssl     | DISABLED |

The above shows that MySQL is compiled with SSL support but it is not enabled in the configuration.

Create Certificates

# cd /var/lib/mysql

# mkdir ssl

>>> Create CA Certificate

# openssl genrsa 2048 > ca-key.pem
# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

>>> Create Server Certificate

# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

>>> Create Client Certificate

# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

Copy the CA certificate and the client key pair to the slave server:

# scp ca-cert.pem client-cert.pem client-key.pem root@10.10.1.2:/var/lib/mysql/ssl

Master Side configuration

# vi /etc/my.cnf

#bind-address = 127.0.0.1
ssl
ssl-ca=/var/opt/mysql/ssl/ca-cert.pem
ssl-cert=/var/opt/mysql/ssl/server-cert.pem
ssl-key=/var/opt/mysql/ssl/server-key.pem
binlog-do-db=mydatabase
server-id = 1
log_bin = /var/lib/mysql/mysql-bin.log

Note that the server id must be unique; for the master it is 1.

Restart MySQL and confirm that the ssl values now show up properly in "mysql> show variables like '%ssl%';".

# mysql -u root -p

GRANT all privileges ON *.* TO replication@'10.10.1.2' IDENTIFIED BY 'password' REQUIRE SSL;

Slave Side Configuration

# vi /etc/my.cnf

bind-address = 0.0.0.0
server-id=2
master-host=10.10.1.1
master-connect-retry=60
replicate-do-db=mydatabase
replicate_ignore_db=dataold
replicate_ignore_db=data_duplicate
slave-skip-errors=all
relay-log=mysql-relay-bin.log

Check the master status on the master node:

mysql> show master status;
| File          | Position | Binlog_do_db | Binlog_ignore_db |
| mysql-bin.002 | 80600    | mydatabase   |                  |

Update the log file and position on the slave:

mysql> slave stop;
mysql> CHANGE MASTER TO MASTER_HOST='10.10.1.1', MASTER_USER='replication', MASTER_PASSWORD='password', MASTER_LOG_FILE='mysql-bin.002', MASTER_LOG_POS=80600, MASTER_SSL=1, MASTER_SSL_CA='/var/opt/mysql/ssl/ca-cert.pem', MASTER_SSL_CERT='/var/opt/mysql/ssl/client-cert.pem', MASTER_SSL_KEY='/var/opt/mysql/ssl/client-key.pem';
mysql> slave start;
mysql> show slave status \G

*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 10.10.1.1
Master_User: replication
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000003
Read_Master_Log_Pos: 12345100
Relay_Log_File: mysql-relay-bin.000002
Relay_Log_Pos: 11381900
Relay_Master_Log_File: mysql-bin.000003
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: mydatabase
Replicate_Ignore_DB:

Slave_IO_Running and Slave_SQL_Running both showing Yes confirms that replication is working from master to slave.

Posted in Linux, MySQL