use wget to keep session cookie and use form-based file upload

#!/bin/sh
wget --no-check-certificate -O file1 --save-cookies cookies.txt --keep-session-cookies https://URL/
COOKIE=`cat cookies.txt tail -1 awk'{print$NF}'`
USER=admin
PASS=password
CORP=corpname
HASH=`echo -n $CORP$USER$PASS sha1sum awk '{print $1}'`
wget --debug --no-check-certificate -O file2 --load-cookies cookies.txt --post-data "LoginId=$USER&Password=$PASS&Corporation=$CORP&sessionid=${COOKIE}" https://URL/

wget --debug --no-check-certificate -O file3 --load-cookies cookies.txt --header="Content-Type: multipart/form-data; boundary=FILEUPLOAD" --post-file postfile https://url/

sleep 10

wget --debug --no-check-certificate -O file4 --load-cookies cookies.txt https://url2/
wget --debug --no-check-certificate -O file5 --load-cookies cookies.txt --post-data "module=a&screen=b&action=c" https://url3/

note:
1. use httpliveheader firefox addon to get all the http header and request/response
2. sleep 10 to wait for the processing finish
3. --save-cookies cookies.txt --keep-session-cookies -> make multiple wget command to be like in the same browser session.
4. for upload text file, that's to say, use ' form-based file upload in html', the RFC is at
http://www.faqs.org/rfc/rfc1867.html
5. for postfile content:

-bash-3.1# more postfile
--FILEUPLOAD
Content-Disposition: form-data; name="module"
a
--FILEUPLOAD
Content-Disposition: form-data; name="screen"
b
--FILEUPLOAD
Content-Disposition: form-data; name="action"
c
--FILEUPLOAD
Content-Disposition: form-data; name="description"
test
--FILEUPLOAD
Content-Disposition: form-data; name="fileName"; filename="data.txt"Content-Type: text/plain
20070201 0758 a1000 I
20070201 2031 a1000 O
--FILEUPLOAD--
note: with --FILEUPLOAD, the separator is just 'FILEUPLOAD', and the last line is --FILEUPLOAD--

system rescue basic


1. add init=/bin/sh to grub or lilo to quickly bootup system , but ctrl-c or ctrl-z might not work
2. mount -t proc none /proc to get command like ps to work, or anything else use /proc file system
3. mount -o remount,rw /
4 .fuser -am /mnt/muic
fuser -km /mnt/music
ps axwwl | grep processidnumber
lsof /mnt/music

5. dd if=/dev/hda of=filename bs=512 count=1
restore partition table:
dd if=filename of=/dev/hda bs=1 count=64 skip=446 seek=446

to cloning bad disk
dd if=/dev/hda of=/dev/hdb conv=noerror,sync
ddrescue --max-retries=-1 /dev/hda /dev/hdb

6. recover lost partition
gpart /dev/hdb (guess partition table)
gpart -b filename -W /dev/hda /dev/hda
note: scan /dev/hda ,backup the existing MBR, then write to /dev/hda

7. in case the bad block on hard disk is in journal file system, so remove journal might help
tune2fs -f -O ^has_journal /dev/hda1
tune2fs: attempt to read block from file system resulted in short read while reading journal inode

# debugfs /dev/hda1
debugfs: features
defugfs : open /dev/hda1
debugfs: quit

OpenBSD basic


  • ip forwarding is off by default, enable it by putting the following into /etc/rc.local
sysctl net.inet.ip.forward=1
note: see http://www.openbsd.org/faq/pf.nat.html

or put into /etc/sysctl.conf
net.inet.ip.forwarding=1

  • set up ip alias
put into /etc/hostname.fxp0 or other file /etc/hostname.bge0

# cat /etc/hostname.fxp0
inet 192.168.0.2 255.255.255.0
inet alias 192.168.0.3 255.255.255.0

manually add:
ifconfig fxp0 inet alias 192.168.0.3 netmask 255.255.255.0

delete:
ifconfig fxp0 inet -alias 192.168.0.3 netmask 255.255.255.0

to view these aliases: use 'ipconfig -A'

  • pf disable and enable
pfctl -e (enable)
pfctl -d (disable)

use pfctl -e to confirm it's running

  • pf show rules up
pfctl -s rules
pfctl -s nat
pfctl -s all

  • static routing , put it into /etc/rc.local
/sbin/route add -net 192.168.0.0/16 192.168.4.251
/sbin/route delete -net 192.168.0.0/16

put gateway ip address into /etc/mygate:

10.0.0.1
  • to mount USB under openbsd
dmesg
mkdir /mnt/usb
mount -t msdos /dev/sd0i /mnt/usb

  • mount hard disk under openbsd
in case you mess up, you can boot from openbsd cdrom, then 'boot -s' to single user mode, then choose 'shell', then mount hard disk:
cd /mnt
mkdir hd
mount /dev/wd0a hd


  • how to use serial port as bootup and login terminal
  1. http://www.openbsd.org/faq/faq7.html
note: basically, you just put 'set tty com0' in /etc/boot.conf(create it), then edit the line that reads:
     tty00   "/usr/libexec/getty std.9600"   unknown off
to read something like:
     tty00   "/usr/libexec/getty std.9600"   vt220   on secure

note: for using baud 115200, change like this:
put additional line in /etc/boot.conf: stty com0 115200
then
change /etc/ttys -> tty00 line ,change std.9600 to std.115200

freebsd 6.3 knowledge

  • static routes  (add into /etc/rc.conf)
static_routes="lan mumoffice foo"
route_lan="-net 192.168.1.0/24 192.168.1.254"


route_mumoffice="-net 10.0.0.0/8 10.30.110.5"
route_foo="-host 1.2.3.4 5.6.7.8"


note:
1.cannot write as follows:
static_routes="lan"
route_lan="-net 192.168.1.0/24 192.168.1.254"
static_routes="mumoffice"
route_mumoffice="-net 10.0.0.0/8 10.30.110.5"

otherwise, only mumoffice static routes will be added.

2. manually add static routing
route add -net
10.0.0.0/8 10.30.110.5
route add -host 1.2.3.4 4.5.6.7


note: for RHEL 5, static routing:

To set static routes, use the /etc/sysconfig/network-scripts/route-<interface> files which read at network service initialization time. For example to add static route for eth0, create a file /etc/sysconfig/network-scripts/route-eth0 and add the routes as explained below.

There are two possible formats for this file.  The first is with ip command arguments and the second is with  network/netmask directives.

Format 1:

For ip commands, the ifup-route script supplies ip route add and the contents of the file are all parameters necessary to set up the route. For example, to set up a default route, the file would contain the following:

default via X.X.X.X dev bond0
10.10.10.0/24 via X.X.X.X dev bond0

  • mounting usb thumb drive
mkdir /mnt/usb
mount -t msdos /dev/da0s1 /mnt/usb
  • ifconfig in /etc/rc.conf
ifconfig_fxp0="inet 1.2.3.4 netmask 255.255.255.0"
for alias on fxp0, put:

ifconfig_em0="inet 10.20.110.2 netmask 255.255.255.192 "
ifconfig_em0_alias0="inet 10.20.1.226 netmask 255.255.255.0"
ifconfig_em0_alias1="inet 10.20.1.227 netmask 255.255.255.0"
ifconfig_em0_alias2="inet 10.20.1.228 netmask 255.255.255.0"
manual way:
add alias: ifconfig em0 inet alias 10.20.1.226 netmask 255.255.255.0
remove alias: ifconfig em0 inet -alias 10.20.1.226 netmask 255.255.255.0

note: enabling ip alias is normally required for doing port forwarding (rdr)

  • gateway enable
in order to automatic enable a freebsd box as gateway machine which normally has 2 NICs and it will do ip forwarding, put the following into /etc/rc.conf
gateway_enable="yes"
note:
for manually enabling gateway: run command : sysctl -w net.inet.ip.forwarding=1

  • DNS and ssh slowness response issue
vi /etc/nssswitch.conf to take out 'dns' from hosts line
  • add user 'jephe' to allow to use 'su -'
vi /etc/group to add user 'jephe' to 'wheel' group
1. we assume /dev/da0 is the first hard disk which has OS installed , we need to add /dev/da1 which is the second hard disk to the raid1 mirror system
2. run commands below
# sysctl kern.geom.debugflags=16
#gmirror label -v -b round-robin gm0 /dev/da0
#echo geom_mirror_load=YES >> /boot/loader.conf
# vi /etc/fstab (to change all /dev/da0 to /dev/mirror/gm0, :%s#da0#mirror\/gm0#g)

bsd# more /etc/fstab
/dev/mirror/gm0s2b none swap sw 0 0
/dev/mirror/gm0s1a / ufs rw 1 1
/dev/mirror/gm0s4d /usr ufs rw 2 2
# reboot
after reboot, you can use command 'gmirror status' or 'gmirror list' to check the raid1 status
for adding the second hard disk /dev/da1 to raid array, run
# gmirror forget gm0 (optional, depends)
# gmirror insert gm0 /dev/da1

Note: testing raid1
after rebuilding finished (gmirror status to check), you can actually shutdown da0, just use da1 to boot up.
I have tested okay.

  • compile kernel to enable ipsec and carp
cd /usr/src/sys/i386/conf
cp GENERIC /root/MYKERNEL
ln -sf /root/MYKERNEL
vi MYKERNEL to add the following:

# enable IPSEC
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

# or enable CARP
device pf
device pflog
device pfsync
device carp

cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
reboot
  • put in /etc/rc.conf for enabling pf
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pflog_flags=""

  • mounting cdrom and usb
mount /cdrom ( see /etc/fstab)
insert usb thumb drive
mkdir /mnt/usb
mount -t msdos /dev/da0s1 /mnt/usb

  • error message '/dev/pf no such file or device'
solution: add pf_load="YES" to /boot/loader.conf, then reboot or run 'kldload pf' with reboot

  • add alias
ifconfig bge0 inet alias 10.0.202.80 netmask 255.255.255.0

to remove alias
ifconfig bge0 inet -alias 10.0.202.80 netmask 255.255.255.0
to review alias
# ifconfig (without parameters)

how to do basic configuration and setup for freebsd 6.3 pf firewall

Jephe Wu - http://linuxtechres.blogspot.com

Environment: FreeBSD PF firewall.
Objective: understanding Packet Filter firewall


Steps:

1. OS installation part

    use just first CD of FreeBSD 6.3.
    1. use 'F - DD' mode to configure partition since we are using the server dedicated for FreeBSD only, no other OS.
    2. use 'Automatic' mode to make partitions
    3. select 'full binary, doc and kernel source only' category to install

    2. user and dns configuration
      During OS installation, you need to create a normal user (e.g. jephe), because you cannot login as root after OS finishs installation. Also, in order to 'su - ' as root, you have to add user 'jephe' to 'wheel' group

      If your environment doesn't have DNS server, you have to wait for a long time before getting a login prompt when you try to ssh into the server. The solution is to vi /etc/nsswitch.conf to take out 'dns' from hosts line.

      3. setup up PF firewall
        After OS installation, it's no firewall enabled by default, you can configure the following to enable it:

        a. put to /etc/rc.conf:
        pf_enable="YES"
        pf_flags=""
        pf_rules="/etc/pf.conf"
        pflogd_enable="YES"
        pflog_logfile="/var/log/pflog"
        pflog_flags=""


        b. edit the default /etc/pf.conf
        ext_if="fxp0" # replace with actual external interface name i.e., dc0
        int_if="fxp1" # replace with actual internal interface name i.e., dc1
        scrub in all  # normalize all packets
        block in log all  # default deny policy


        # enable ssh from the specific internal IP to internal NIC of firewall
        pass in on $int_if proto tcp from 192.168.0.2 to $int_if port 22 keep state

        # enable all outgoing traffic on internet NIC for tcp and udp
        pass out on $int_if proto { tcp, udp } all keep state

        #enable incoming ssh from trusted external IP
        pass in on $ext_if from x.y.z.a keep state
        pass out on $ext_if from $ext_if to x.y.z.a keep state

        how to do port forwarding(rdr) in freebsd 6.1


        purpose: setup a port forwarding firewall on freebsd 6.1

        environment: fxp0 is for external NIC interface(192.168.1.1/24), fxp1 is internal one(192.168.0.1/24), servera is on the lan
        steps:

        • configuring ip alias on fxp0
        # ifconfig fxp0 inet alias 192.168.1.2 netmask 255.255.255.0
        # ifconfig fxp0 inet alias 192.168.1.3 netmask 255.255.255.0
        • add configuration into /etc/rc.conf
        ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
        ifconfig_fxp0_alias0="inet 192.168.1.2 netmask 255.255.255.0"
        ifconfig_fxp0_alias1="inet 192.168.1.3 netmask 255.255.255.0"
        • in /etc/pf.conf, after 'scrub in', before 'block all'
        rdr on $fxp0 proto tcp from any to 192.168.1.2 port 3389 -> $servera
        or
        rdr on $fxp0 proto tcp from any to 192.168.1.2 port 3389 -> $servera port 3390

        # servera
        #pass external user to servera at port 3389 because after RDR, the destination become servera instead of 192.168.1.2, no need to specify RDR tcp ip pair rules because that will happen before traffic going through PF rules.
        pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state (after rdr)
        note: here uses $servera, not 192.168.1.2 which is the external ip alias, because you don't have to specify rules for RDR, here is after RDR rules)
        pass out quick on $fxp1 proto tcp from any to $servera port 3389 flags S/SA keep state (direct pass after rdr tcpip payload to servera, servera needs to have routing going back to the source)
        ==========================
        note: this method, the servera will see the real source ip, if you want to NAT also after doing RDR, NAT the source ip to the internal IP of 192.168.0.1, you can add the following to the just after above RDR or just before RDR:

        nat on $fxp1 proto tcp from any to $servera - > 192.168.0.1


        This way, the servera will see the traffic is coming from 192.168.0.1

        but the pf rules will change also, after NAT, the sourceip become 192.168.0.1,so it becomes:
        pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state (after rdr)
        pass out quick on $fxp1 proto tcp from 192.168.0.1 to $servera port 3389 flags S/SA keep state (after nat, servera only needs to reply back to internal ip of firewall which is 192.168.0.1.

        Important rules:
        RDR happens before the actual PF filtering rules, once traffic coming in, it goes to RDR first before going through filtering rules.

        NAT happens before the actual PF filtering rules also, before traffic going out the interface, it applies to NAT first, then applying the actual ip pf filtering rules.

        RDR->incoming pf rules->|Server Interface 1_>NAT-> Server Interface 2|->outgoing pf rules

        configuring sudosh and sendmail masquerading, as well as working with syslog-ng

        Jephe Wu - http://linuxtechres.blogspot.com

        Objective: Basically, we’d like to only allow IS staffs to remote ssh into production servers and use sudo sudosh or sudo –u db2inst1 sudosh to switch to root or db2inst1 so that every command including vi keystroke will be logged, at the same time, email will be triggered whenever anyone use sudo to switch to root or db2inst1 user.

        Use sudosh2 for accountability, swatch for sending alert out once someone logs in db2inst1 or root. Use openssh allowusers syntax to only allow system administrators to remote ssh.

        Environment
        : RHEL 5 or CentOS 5


        Steps:
        1. sudosh2 software installation and configuration


        Search google for sudosh2 then download the software sudosh2-1.0.4. Please refer to website
        http://www.shortcutsolutions.net/sudosh2-software/55-introduction-sudosh2-user-shell-auditing.html
        for installation steps which is mentioned on http://sourceforge.net/projects/sudosh2/

        # tar xvfz sudosh2-1.0.4.tar.gz
        # cd sudosh2-1.0.4
        # ./configure
        # make
        # make install
        # sudosh

        Important: run sudosh command once to create necessary directories first.

        configuration file for sudo is at /etc/sudosh.conf

        2. visudo
        ssh into server and become root as normal
        # useradd jephe -c "Jephe Wu"
        # passwd jephe
        # visudo


        add the following to the /etc/sudoers

        Cmnd_Alias SUDOSH=/usr/local/bin/sudosh
        jephe ALL=(root)SUDOSH, (db2inst1)SUDOSH



        Note: Cmnd_Alias line must be on the top of jephe ALL line, otherwise, sudo sudosh doesn't work


        Please refer to http://www.shortcutsolutions.net/sudosh2-shell-auditing-software/89-configuration-of-sudosh2.html for sudosh2 configuration and installation

        3. ssh configuration

        vi /etc/ssh/sshd_config to add the followings:

        PermitRootLogin no
        Protocol 2
        banner /etc/motd.ssh
        allowusers jephe anotheruser


        then put the security warning message into /etc/motd.ssh

        then run 'sshd -t' to test ssh daemon configuration syntax
        then run 'service sshd restart' to restart sshd
        then run 'ssh localhost' to test it.

        4. su configuration
        vi /etc/pam.d/su to uncomment the following line to require only members in wheel group are able to su
        auth required /lib/security/$ISA/pam_wheel.so use_uid

        5. Sendmail

        For enabling sending email from database server to centralized mail server mailrelay, we need to put the following to the default sendmail.mc as follows:

        e.g. servername is server.domain.com, we need to masquerade all sender address including envelope address as from root@server.domain.com to root@newdomain.com, then deliver it to the centralized mail server mailrelay.

        Dnl EXPOSED_USER(`root’)dnl
        MASQUERADE_AS(newdomain.com’)dnl
        FEATURE(masquerade_envelope)dnl
        FEATURE(masquerade_entire_domain)dnl
        MASQUERADE_DOMAIN(localhost)dnl
        MASQUERADE_DOMAIN(loclahost.localdomain)dnl
        MASQUERADE_DOMAIN(domain.com)dnl


        Then put the following into /etc/mail/mailertable, after that, run
        makemap hash /etc/mail/mailertable < /etc/mail/mailertable

        newdomain.com relay:[mailrelay]

        Then put the following into /etc/hosts
        10.0.0.1 mailrelay

        enable root alias as follows:
        add the following line to /etc/alias then run newalias
        root: jephe_wu@newdomain.com

           1. Note:
              a. no need to give SMART_HOST since we only need to relay newdomain.com to the centralized mailrelay server.
              b. No need to disable only listening on localhost since we only need to send out email, not for receiving.

        so, now, any email sending to local user root will be delivered to jephe_wu@newdomain.com on the mailrelay server.

        6. Swatch
        register your redhat subscription using rhn_register (interactive, require to type in username and password for RHN)
        or there's no need to register if you are using CentOS 5

        install rpmforge rpm from DAG website at http://dag.wieers.com/rpm/FAQ.php#B ,
        wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
        rpm -Uvh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

        put the proxy setting in /etc/yum.conf like
        proxy=http://10.0.0.1:3128

        yum install swatch
        then the rpm packages will be downloaded at /var/lib/yum and install it

        Put the following to /etc/swatch.conf

        watchfor /sudo:.*/
        mail root,subject=--- DB1 sudo alert! ---


        watchfor /su:.*/
        mail root,subject=--- DB1 su alert!---


        watchfor /login: ROOT LOGIN.*/
        mail root,subject=---DB1 console login alert!---


        note: must use small letter watchfor , not Watchfor, small letter mail root, not Mail root.
        If swatch exits from ps command after a while, use 
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure
        to run and try to ssh then check if there's any error.



        put the following lines to /etc/rc.local
        /usr/bin/swatch –c /etc/swatch.conf –t /var/log/secure --daemon

        change /etc/logrotate.conf for week 52 to rate a year and compress

        configure /etc/logrotate.d/syslog

        use the following
        /var/log/messages /var/log/mailog /var/log/spooler /var/log/secure /var/log/boot.log /var/log/cron {
        sharedscripts
        potstrotate
        /bin/kill –HUP `cat /var/log/syslogd.pid 2> /dev/null` 2> /dev/null true
        ##added by Jephe####
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
        ###end#####
        endscript
        }


        finally, run command in /etc/rc.local
        /usr/bin/swatch –c /etc/swatch.conf –t /var/log/secure --daemon

        ===========
        syslog-ng and swatch standard input
        Objective: use syslog-ng default log output file to pipeline to swatch

            * syslog-ng configuration
        destination swatch {
        program("/usr/bin/swatch -c /etc/swatch.conf --read-pipe=\"cat /dev/fd/0\"");
        };

        #send all logs to swatch
        log { source(s_sys); destination(swatch); };



            * /etc/swatch.conf
        watchfor /sudo:.*/
        mail root,subject=--- SERVER1 sudo alert! ---

        watchfor /su:.*/
        mail root,subject=--- SERVER1 su alert! ---

        watchfor /login: ROOT LOGIN.*/
        mail root,subject=--- SERVER1 console login alert! ---



        note:
        1. no need to run swatch as deamon
        2. no need to modify /etc/logrotate.d/syslog
        3. /dev/fd/0 is different from /dev/fd0 which is floppy disk



        References:
        Central Loghost Mini-HOWTO at http://www.campin.net/newlogcheck.html

        note:
        1. SEC(http://www.estpak.ee/~risto/sec/) is better than swatch

        How to tune Apache performance and harden it


        • understand How Apache works first
        the main process is responsible to accept the new incoming connections and pass it to "worker" process, once the worker finishs its job which is reading user's request and send back response. it tells the main process it has done the job and waiting for the new connection

        • Apache and keepalive issue - reduce keepalive value to 2 seconds to allow Apache to terminate the connection soon enough, also
        Imagine there're 1000 users connecting to your website at the same moment, how do you handle it? by default, Apache has setting for keepalive 15 seconds and timeout 300 seconds(5 minutes).

        If there's no keepalive, each connection will only serve one file which needs to be downloaded for browser display, this is not efficient method since normally a website page contains a few files in order to be properly displayed.

        You can reduce the KeepAlive timeout to 2 seconds (do not turn if off). 2 seconds is enough to let the client has the enouchg time to request all the files needed for a page display, also without having to open more than one connection, also let Apache to terminate the connection soon enough so that it can handle more clients then normal.
        • use a worker threaded MPM
        use a work thread MPM will use less memory and increase the connection it will be able to handle.

        • Some other tips
        Disable ExtendedStatus
        HostnameLookups off
        Setting Options -Indexes FollowSymLinks (so Apache doesn't have to check if the file is symbolic link or not, it just follow)
        reasonable connection timeout value than 300 (use 30 seconds or less to avoid those modem user hog the connection)
        • use thttpd for static files
        You can farm all your static files like images to thttpd , make sure it supports keep alive.

        • Apache is the only service on the web server
        You can tune StartServers, MinSpareServers, MaxSpareServers, MaxClients and MaxRequestsPerChild parameters accordingly if you are running 3-tier archtecture such as Apache, Java-enabled middle server and database backend.

        You can have a big StartServers value and MinSpareServer(0) and MaxSpareServers value the same as StartServers value.

        If you trust your application, you can set MaxRequestPerClient a very big value.

        • hardening
        user apache 2.2 builtin chroot (chrootdir /path)
        use 'TraceEnable Off' to disable trace/track in main httpd.conf
        use ServerTokens Prod 





        Understanding SSL certificate


        •  Commonly used public key algorithms include RSA(for web), El Gamal(for gpg) and Diffie-Hellman (for ssh).
        • Generate a 1024 bit RSA private key
          Execute command: “openssl genrsa -out private_key.pem 1024”
          e.g.


          $ openssl genrsa -out private_key.pem 1024
          Generating RSA private key, 1024 bit long modulus
          .............................++++++
          ................................................................++++++
          e is 65537 (0x10001)

          Generating a public key from a private key

          Execute command: "openssl rsa -pubout -in private_key.pem -out public_key.pem"
          e.g.



          $ openssl rsa -pubout -in private_key.pem -out public_key.pem
          writing RSA key
          A new file is created, public_key.pem, with the public key.


          Viewing the key elements

          Execute command: "openssl rsa -text -in private_key.pem"


          For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit-length

          Compute n = pq.


          • n is used as the modulus for both the public and private keys

          All parts of private_key.pem are printed to the screen. This includes the modulus (also referred to as public key and n), public exponent (also referred to as e and exponent; default value is 0x010001 - 65537), private exponent, and primes used to create keys (prime1, also called p, and prime2, also called q), as well as a few other variables used to perform RSA operations faster and the Base64 PEM encoded version of the key.

          The "public key" actually represents a pair of parameters (numbers): a Modulus and a public exponent E. The public exponent is usually chosen to be relatively small (often 3 bytes). The size of the Modulus in bits is referred to as the "key size". A Modulus of size 128 bytes represents a "1024 bit RSA key".
          The "private key" is usually described as a number pair consisting of the same key Modulus and a private exponent D. D is usually chosen to be about the same size as the modulus (~128 bytes). Random selection of Modulus, E and D starts by random selection of two large prime numbers.

        • openssl genrsa command generates a pair of private key and public key actually, not only private key.
        • how to verify a ssl certificate, nowadays, CA use SHA1withRSAencryption to sign the public key as certificate.
        To validate the certificate, one needs the certificate that matches
        the Issuer (Thawte Server CA) of the first certificate. First one
        verifies that the second certificate is of a CA kind; that is, that it
        can be used to issue other certificates. This is done by inspecting a
        value of the CA attribute in the X509v3 extension
        section. Then the RSA public key from the CA certificate is used to
        decode the signature on the first certificate to obtain a MD5 hash,
        which must match an actual MD5 hash computed over the rest of the
        certificate
        
        • how to verify CA root certificate itself
        This is an example of a self-signed certificate, as the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. This certificate comes with the web browser and is trusted by default. As a long-lived, globally trusted certificate that can sign anything (as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.

        • how to show SSL connection information from the browser
        1. Internet Explorer
        Version 6.0 - from file menu, choose properties, you will see something like this:
        SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
        or right click on page blank area, choose properties.

        Version 7.0 - firstly, show file menu by choosing tools/menu bar, then use the same method as above.

        2. Firefox
        right click on the blank area of SSL website homepage, choose 'view page info'. You will see something like this:
        Connection encrypted: high-grade encryption, AES-256 256bit


        • Useful OpenSSL commands
        1. generate a pair of RSA private and public key (will be triple-DES encrypted and PEM format which has begin certificate and end certificate)
        $ openssl genrsa -des3 -out server.key 1024
        or
        $ openssl genrsa -out server.key 1024

        note: the most browser only supports RSA 1024bit key. Not either DSA or 2048bit key.

        2. View RSA private key details
        $ openssl rsa -noout -text -in server.key

        3. Create a decrypted PEM version of rsa private/public key pair
        $ openssl rsa -des3 -in server.key -out server.key.new
        $ mv server.key.new server.key
        or
        $ openssl rsa -in server.key -out server.key.unsecure

        4. create CSR file from private/public key pair file, will be in PEM format
        $ openssl req -new -key server.key -out server.csr

        5. view CSR file details
        $ openssl req -noout -text -in server.csr

        6. view CRT file detail
        $ openssl x509 -noout -text -in server.crt


        • Creating a certificate authority and certificates with openssl
        (refer to http://www.octaldream.com/~scottm/talks/ssl/opensslca.html)

        The short answer is to use the CA.sh or CA.pl script provided by OpenSSL (/usr/share/ssl/misc/CA)

        The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:
        $ openssl x509 -noout -text -in server.crt
        $ openssl rsa -noout -text -in server.key
        The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following approach:
        $ openssl x509 -noout -modulus -in server.crt | openssl md5
        $ openssl rsa -noout -modulus -in server.key | openssl md5
        And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. BTW, if I want to check to which key or certificate a particular CSR belongs you can compute
        $ openssl req -noout -modulus -in server.csr | openssl md5
        • convert PEM to DER format
        The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file cert.pem into the corresponding DER file cert.der with the following command:
        $ openssl x509 -in cert.pem -out cert.der -outform DER


        • how to generate .pem/.csr/.crt/ etc certificate files.
        cd /usr/share/ssl/certs
        make server.pem
        make server.crt
        etc
        • How to apply new SSL certificate in Apache without restarting service
        ps -efH to find out the pidnum of parent httpd
        then run kill -USR1 pidnum to make sure it generates new log file
        Please refer to http://httpd.apache.org/docs/1.3/stopping.html

        • How to test to make sure the server has been restarted with new certificate?
        use openssl s_client command to check if it get retrieve the new certificate:

        openssl s_client help to get the the help manual
        openssl s_client -connect 10.0.201.104:443 -tls1  to retrieve the certificate content.

        or use curl directly
        curl -v https://10.0.0.1 will display the certificate, even decrypted for PEM certificate, you can see the start date and end date directly on the screen.
        • Useful URLs
        1. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC27
        2. http://www.herongyang.com/crypto/openssl_rsa.html

        tomcat keystore and cacerts

        Jephe Wu - http://linuxtechres.blogspot.com

        Objective: create SSL certificate for tomcat
        Enrironment: Linux server, tomcat, keytool, keystore, cacerts


        Concept:
        .keystore file which resides /usr/local/tomcat is the default keystore file for tomcat. It's SSL certificate container for server itself, the CA certs file is under /usr/local/jdk/jre/lib/security/.

        The self signed SSL certificate generated by keytool or openssl has to be imported to ca certs file in order to avoid SSL warning when the https URL is being accessed from one server to another, without using browser.




        Steps:

        1. list the existing keys, the default file is .keystore under /usr/local/tomcat folder
        # cd /usr/local/tomcat
        # keytool -list -v -storepass changeit

        2. delete the existing keys( key alias :tomcat)
        # cd /usr/local/tomcat
        # keytool -delete -alias tomcat -storepass changeit

        3. generate self-signed key
        # keytool -h for usage
        # keytool -genkey -alias tomcat -keysize 1024 -validity 3650 -keypass changeit -storepass changeit
        What is your first and last name?
        [Unknown]: jephe
        What is the name of your organizational unit?
        [Unknown]: IS
        What is the name of your organization?
        [Unknown]: Jephe
        What is the name of your City or Locality?
        [Unknown]: Singapore
        What is the name of your State or Province?
        [Unknown]: Singapore
        What is the two-letter country code for this unit?
        [Unknown]: SG
        Is CN=jephe, OU=IS, O=somename, L=Singapore, ST=Singapore, C=SG correct?
        [no]: yes


        for above self-generated key to work without SSL warning, you need to import to ca certs file

        4. list the existing CA certificates from /usr/local/jdk/jre/lib/security/cacerts
        # cd /usr/local/jdk/jre/lib/security
        # keytool -list -v -keystore cacerts

        5. in order to add self-signed key to cacerts, export it first from .keystore file
        # keytool -export -alias jephe -keypass changeit -storepass changeit -file /tmp/jephe.der

        6. then import to cacerts file under /usr/local/jdk/jre/lib/security/cacerts
        # cd /usr/local/jdk/jre/lib/security
        # keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.der -storepass changeit

        note: add this key to trusted cacerts and give alias as jephe
        you can add one more, but have to give the different alias name


        7. you can delete the existing cacert key:
        # cd /usr/local/jdk/jre/lib/security
        #keytool -delete -keystore cacerts -alias jephe

        8. import a openssl generated self signed pem format certificate from openldap server into ca certs file on tomcat server (for ldaps connection from tomcat server to openldap server)

        # cd /usr/local/jdk/jre/lib/security
        # keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.pem -storepass changei


        References:
        1. convert pem to der format

        openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

        Use RIP CD and MBRFix to easily fix the Windows MBR issue

        Jephe Wu - http://linuxtechres.blogspot.com

        Whenever your Windows MBR got corrupted or after restoring the back image, you have to fix the MBR issue. With RIP(Recovery Is Possible - http://www.tux.org/pub/people/kent-robotti/looplinux/rip/) and MBRFix - http://www.sysint.no/nedlasting/mbrfix.htm, It becomes very easy job to get it done.


        Environment:
        Let's say your Windows server MBR is corrupted or you just restored a Windows partition using ntfsclone (http://linuxtechres.blogspot.com/2007/07/cloning-windows-server-using-rip-and.html). Now you need to update MBR to boot up Windows automatically.

        It's especially useful when you cannot boot up to Windows console to run 'fdisk /mbr' due to whatever reason.


        Steps:

        1. boot up with RIP CD (non-X version is enough, we just need to boot it up and use 'Boot partition #1 on first hard drive' option to boot up Windows normally)

        2. Windows MBRfix program at http://www.sysint.no/nedlasting/mbrfix.htm

        3. Run command below to fix MBR issue.
        c:\> MbrFix /drive 0 fixmbr /yes

        4. eject out RIP CD, reboot Windows to verify it.

        that's it.

        resize (enlarge) the Windows ntfs partition using RIP and ntfsresize


        Jephe Wu - http://linuxtechres.blogspot.com

        1. Environment
        HP DL360G5 server with 2x146G hard disk, Windows 2003 server R2 service pack 1, the first partition is 10G, we need to resize to 40G.


        2. how to do it
        use RIP (Recovery Is Possible) cdrom which you can download it from http://www.tux.org/pub/people/kent-robotti/looplinux/rip/ to boot up HP server, then use fdisk to enlarge the partition size first, after that, use ntfsresize program to resize the file system size to 40g.

        3. steps

        a. backup your important data just in case.

        b. reboot server from RIP CD, login in as root without password, run commands below:

        ifconfig eth0 10.0.0.145 up
        /usr/sbin/sshd
        passwd root

        note : passwd root to change root password so that you can ssh to this server 10.0.0.145 remotely, use your network environment IP instead.

        c. ssh into HP server remotely
        , run command below to enlarge partition size:

        fdisk -l /dev/cciss/c0d0 > fdisk-backup # backup the current partition table first
        fdisk /dev/cciss/c0d0 # to delete the the first partition which is ntfs, then create a new partition with 40g size, then give the partition id as number '7' (compare it with your fdisk-backup file generated in previous step), taggle it as active partition to make it bootable (otherwise you cannot boot up windows anyway)

        save the partition, exit

        d. resize

        ntfsresize -n -s 40g /dev/cciss/c0d0p1

        above command just tests first, if it's okay. run it once more time without -n parameter to do the real writing.

        ntfsresize -s 40g /dev/cciss/c0d0p1

        reboot

        Setup IPSec VPN between 2 FreeBSD 6.3 servers


        Environment:
        1 HP lp1000r with 2 18G hard disk is sitting in datacenter; another PC is sitting in office. Both are running FreeBSD 6.3.

        lp1000r: vpndc has IP pair d.1.2.3 k/di.1.2.3 in datacenter (d for datacenter, the behind network is di.1.2.0/24)
        another pc:vpnsg has IP pair o.1.2.3/oi.1.2.3 in office (o for office, the behind network is oi.1.2.0/24)
        2 firewalls doing port forwarding and seperate DMZ and internal office/datacenter network

        ___Internetl corporate network____"FW"oi.1.2.4____oi.1.2.0/24---oi.1.2.3"vpnsg"o.1.2.3 ++++++++d.1.2.3"vpndc"di.1.2.3__di.1.2.0/24____di.1.2.4"FW"____internal datacenter network___

        Objective:
        Setup VPN over IPSec between 2 FreeBSD servers so that it can connect 2 private network through Internet.

        Steps:

        • install OS
        Use the first CD of FreeBSD 6.3, use 'F - DD' mode to configure partition since we are using FreeBSD for the dedicated server, use 'Automatic' mode of making partitions. use 'full binary, doc and kernel source only' category to install.

        • SSH and PF configuration
        Just after installing OS, by default ,it's no firewall enabled, you can configure the following to enable ssh on internal NIC.
        =================
        ext_if="fxp0"
        int_if="fxp1"
        scrub in all
        block in log all
        pass in on $int_if proto tcp from any to $int_if port 22 keep state
        pass out on $int_if proto { tcp, udp } all keep state
        =================
        for final pf.conf on vpndc and can be used for ipsec, I use:
        ext_if="fxp0"
        int_if="fxp1"
        scrub in all
        block in log all

        # allow icmp type 3 code 4
        pass in log quick on $ext_if inet proto icmp all icmp-type unreach code 4        
        pass in log quick on $int_if inet proto icmp all icmp-type unreach code 4       
        pass out log quick on $ext_if inet proto icmp all icmp-type unreach code 4      
        pass out log quick on $int_if inet proto icmp all icmp-type unreach code 4     

        block in log quick on $ext_if proto icmp from any to any
        block in log quick on $int_if proto icmp from any to any
        block out log quick on $ext_if proto icmp from any to any
        block out log quick on $int_if proto icmp from any to any

        # for $int_if
        # allow ssh to vpndc itself from FW on inside DMZ
        pass in on $int_if proto tcp from di.1.2.4 to $int_if port 22 keep state

        # allow the whole DMZ can reply back tcpip packet to the office uses, actually, this rule might contain the above ssh one
        pass in on $int_if from di.1.2.0/24 keep state

        #allow office users' request going to DMZ in datacenter
        pass out on $int_if from any to di.1.2.0/24 keep state
        ####for $ext_if ,almost same as above
        pass in on $ext_if from o.1.2.3 to $ext_if keep state
        pass out on $ext_if from $ext_if to o.1.2.3 keep state
        • DNS and ssh slow response issue
        If your environment doesn't have DNS server, the ssh startup and login will be very slow, to address this issue, you can disable DNS as folllows:
        vi /etc/nsswitch.conf
        to take out 'dns' from hosts line

        • add user jephe for 'su -'
        vi /etc/group
        to add user 'jephe' to 'wheel' group
        • enable raid1 mirror for hp lp1000r server
        to enable raid1 mirror, do the following:
        We assume /dev/da0 is the first hard disk we installed OS on, we need to add /dev/da1 which is the second hard disk to the raid1 mirror system.
        # sysctl kern.geom.debugflags=16
        # gmirror label -v -b round-robin gm0 /dev/da0
        # echo geom_mirror_load=YES >> /boot/loader.conf
        # vi /etc/fstab (to change all /dev/da0 to /dev/mirror/gm0, :%s#da0#mirror\/gm0#g)

        bsd1# more /etc/fstab
        # Device Mountpoint FStype Options Dump Pass#
        /dev/mirror/gm0s2b none swap sw 0 0
        /dev/mirror/gm0s1a / ufs rw 1 1
        /dev/mirror/gm0s4d /usr ufs rw 2 2
        /dev/mirror/gm0s3d /var ufs rw 2 2
        /dev/acd0 /cdrom cd9660 ro,noauto 0 0
        # reboot
        After reboot, you can use command 'gmirror status' or 'gmirror list' to check the raid1 status.
        For adding the second hard disk /dev/da1 to raid array, run
        #gmirror forget gm0 (optional, depends)
        #gmirror insert gm0 /dev/da1
        • compile kernel to enable ipsec
        cd /usr/src/sys/i386/conf
        cp GENERIC /root/MYKERNEL
        ln -sf /root/MYKERNEL
        vi MYKERNEL to add the following:

        options IPSEC
        options IPSEC_ESP
        options IPSEC_DEBUG

        cd /usr/src
        make buildkernel KERNCONF=MYKERNEL
        make installkernel KERNCONF=MYKERNEL
        reboot

        • install racoon
        download it from Internet, it's an open source software
        put it under /home/jephe
        tar xvfz ipsec-tools-0.7.tar.gz
        cd ipsec-tools-0.7
        ./configure ;make
        su - as root to make install
        binary racoon will be installed to /usr/local/sbin/racoon
        then you need to put racoon.conf.sample to /usr/local/etc/racoon.conf
        and psk.txt.sample to /usr/local/etc/psk.txt

        you can run 'find . -name "psk.txt*" and 'find . -name "racoon.conf*" from ipsec-tools-0.7 directory to find out the path of two files psk.txt.sample and racoon.conf.sample.

        • configure racoon
        You can use command 'strings /usr/local/sbin/racoon | grep racoon.conf' to find out the path of racoon.conf
        then copy racoon.conf.sample there as racoon.conf.
        after that, copy psk.txt.sample to /usr/local/etc also, then vi racoon.conf to change the following line:

        path pre_shared_key "/usr/local/etc/psk.txt";

        So, change it to use /usr/local/etc/psk.txt, before it was /usr/local/etc/v6/psk.txt .

        chown root:wheel psk.txt
        chmod 600 psk.txt

        the above commands are very important, otherwise, after you run racoon, it won't establish vpn normally.
        inside psk.txt, configure one line for peer end, make it looks like this:

        remotesiteipaddress sharedkey
        • configuring /etc/rc.conf on vpndc
        #enable pf
        pf_enable="YES"
        pf_flags=""
        pf_rules="/etc/pf.conf"
        pflogd_enable="YES"
        pflog_logfile="/var/log/pflog"
        pflog_flags=""

        #enable ipsec
        ipsec_enable="YES"
        ipsec_file="/etc/ipsec.conf"

        #for gif interface on datacenter freebsd 6.3
        ###
        gif_interfaces="gif0"
        gifconfig_gif0="d.1.2.3 o.1.2.3"
        ifconfig_gif0="inet di.1.2.3 oi.1.2.3 netmask 0xffffffff"
        static_routes="vpn"
        route_vpn="-net oi.1.2.0/24 oi.1.2.3 "

        • configure /etc/ipsec.conf
        spdadd d.1.2.3/32 o.1.2.3/32 ipencap -P out ipsec esp/tunnel/d.1.2.3-o.1.2.3/require;
        spdadd o.1.2.3/32 d.1.2.3 ipencap -P in ipsec esp/tunnel/o.1.2.3-d.1.2.3/require;

        spdadd di.1.2.0/24 oi.1.2.0/24 any -P out ipsec esp/tunnel/d.1.2.3-o.1.2.3/require;
        spdadd oi.1.2.0/24 di.1.2.0/24 any -P in ipsec esp/tunnel/o.1.2.3-d.1.2.3/require;


        • configure /etc/rc.local
        vpn# more rc.local
        # start up racoon, the default configuration file is /usr/local/etc/racoon.conf, you can run 'strings /usr/local/sbin/racoon | grep racoon.conf' to know that.

        /usr/local/sbin/racoon [ -l /var/log/racoon.log ]

        • reboot server and 'racoon' should be started automatically , after that , try to ping each other, e.g. from office freebsd server vpnsg, ping di.1.2.3, then sniff the traffic on datacenter freebsd server using command 'tcpdump -n -i fxp0 host o.1.2.3'
        • same examples of configuration
        $ netstat -nr
        Routing tables

        Internet:
        Destination Gateway Flags Refs Use Netif Expire
        default x.x.x.x UGS 2 34 fxp0
        127.0.0.1 127.0.0.1 UH 0 90 lo0
        oi.1.2.0/24 oi.1.2.3 UGS 8874 8877 gif0
        oi.1.2.3 di.1.2.3 UH 8 7 gif0
        di.1.2.0/24 link#2 UC 0 0 fxp1
        d.1.2.0/24 link#1 UC 0 0 fxp0

        note: from above routing table, going to office internal network oi.1.2.0/24 will be sent to gif0 and office vpnsg inside ip oi.1.2.3; and going to oi.1.2.3 will be sent to di.1.2.3 and gif0