#!/bin/sh
wget --no-check-certificate -O file1 --save-cookies cookies.txt --keep-session-cookies https://URL/
COOKIE=`cat cookies.txt tail -1 awk'{print$NF}'`
USER=admin
PASS=password
CORP=corpname
HASH=`echo -n $CORP$USER$PASS sha1sum awk '{print $1}'`
wget --debug --no-check-certificate -O file2 --load-cookies cookies.txt --post-data "LoginId=$USER&Password=$PASS&Corporation=$CORP&sessionid=${COOKIE}" https://URL/
wget --debug --no-check-certificate -O file3 --load-cookies cookies.txt --header="Content-Type: multipart/form-data; boundary=FILEUPLOAD" --post-file postfile https://url/
sleep 10
wget --debug --no-check-certificate -O file4 --load-cookies cookies.txt https://url2/
wget --debug --no-check-certificate -O file5 --load-cookies cookies.txt --post-data "module=a&screen=b&action=c" https://url3/
note:
1. use httpliveheader firefox addon to get all the http header and request/response
2. sleep 10 to wait for the processing finish
3. --save-cookies cookies.txt --keep-session-cookies -> make multiple wget command to be like in the same browser session.
4. for upload text file, that's to say, use ' form-based file upload in html', the RFC is at
http://www.faqs.org/rfc/rfc1867.html
5. for postfile content:
-bash-3.1# more postfile
--FILEUPLOAD
Content-Disposition: form-data; name="module"
a
--FILEUPLOAD
Content-Disposition: form-data; name="screen"
b
--FILEUPLOAD
Content-Disposition: form-data; name="action"
c
--FILEUPLOAD
Content-Disposition: form-data; name="description"
test
--FILEUPLOAD
Content-Disposition: form-data; name="fileName"; filename="data.txt"Content-Type: text/plain
20070201 0758 a1000 I
20070201 2031 a1000 O
--FILEUPLOAD--
note: with --FILEUPLOAD, the separator is just 'FILEUPLOAD', and the last line is --FILEUPLOAD--
use wget to keep session cookie and use form-based file upload
at 12/22/2008 02:29:00 AM 0 comments
Labels: session cookie, wget
system rescue basic
1. add init=/bin/sh to grub or lilo to quickly bootup system , but ctrl-c or ctrl-z might not work
2. mount -t proc none /proc to get command like ps to work, or anything else use /proc file system
3. mount -o remount,rw /
4 .fuser -am /mnt/muic
fuser -km /mnt/music
ps axwwl | grep processidnumber
lsof /mnt/music
5. dd if=/dev/hda of=filename bs=512 count=1
restore partition table:
dd if=filename of=/dev/hda bs=1 count=64 skip=446 seek=446
to cloning bad disk
dd if=/dev/hda of=/dev/hdb conv=noerror,sync
ddrescue --max-retries=-1 /dev/hda /dev/hdb
6. recover lost partition
gpart /dev/hdb (guess partition table)
gpart -b filename -W /dev/hda /dev/hda
note: scan /dev/hda ,backup the existing MBR, then write to /dev/hda
7. in case the bad block on hard disk is in journal file system, so remove journal might help
tune2fs -f -O ^has_journal /dev/hda1
tune2fs: attempt to read block from file system resulted in short read while reading journal inode
# debugfs /dev/hda1
debugfs: features
defugfs : open /dev/hda1
debugfs: quit
OpenBSD basic
- ip forwarding is off by default, enable it by putting the following into /etc/rc.local
note: see http://www.openbsd.org/faq/pf.nat.html
or put into /etc/sysctl.conf
net.inet.ip.forwarding=1
- set up ip alias
# cat /etc/hostname.fxp0
inet 192.168.0.2 255.255.255.0
inet alias 192.168.0.3 255.255.255.0
manually add:
ifconfig fxp0 inet alias 192.168.0.3 netmask 255.255.255.0
delete:
ifconfig fxp0 inet -alias 192.168.0.3 netmask 255.255.255.0
to view these aliases: use 'ipconfig -A'
- pf disable and enable
pfctl -d (disable)
use pfctl -e to confirm it's running
- pf show rules up
pfctl -s nat
pfctl -s all
- static routing , put it into /etc/rc.local
/sbin/route delete -net 192.168.0.0/16
put gateway ip address into /etc/mygate:
10.0.0.1
- to mount USB under openbsd
mkdir /mnt/usb
mount -t msdos /dev/sd0i /mnt/usb
- mount hard disk under openbsd
cd /mnt
mkdir hd
mount /dev/wd0a hd
- openbsd 4.5 tips and tricks - www.openbsd101.com
- how to use serial port as bootup and login terminal
tty00 "/usr/libexec/getty std.9600" unknown offto read something like:
tty00 "/usr/libexec/getty std.9600" vt220 on secure
note: for using baud 115200, change like this:
put additional line in /etc/boot.conf: stty com0 115200
then
change /etc/ttys -> tty00 line ,change std.9600 to std.115200
Labels: openbsd
freebsd 6.3 knowledge
- static routes (add into /etc/rc.conf)
static_routes="lan mumoffice foo"
route_lan="-net 192.168.1.0/24 192.168.1.254"
route_mumoffice="-net 10.0.0.0/8 10.30.110.5"
route_foo="-host 1.2.3.4 5.6.7.8"
note:
1.cannot write as follows:
static_routes="lan"
route_lan="-net 192.168.1.0/24 192.168.1.254"
static_routes="mumoffice"
route_mumoffice="-net 10.0.0.0/8 10.30.110.5"
otherwise, only mumoffice static routes will be added.
2. manually add static routing
route add -net
10.0.0.0/8 10.30.110.5
route add -host 1.2.3.4 4.5.6.7
note: for RHEL 5, static routing:
To set static routes, use the /etc/sysconfig/network-scripts/route-<interface> files which read at network service initialization time. For example to add static route for eth0, create a file /etc/sysconfig/network-scripts/route-eth0 and add the routes as explained below.
default via X.X.X.X dev bond0
10.10.10.0/24 via X.X.X.X dev bond0
- mounting usb thumb drive
mount -t msdos /dev/da0s1 /mnt/usb
- ifconfig in /etc/rc.conf
for alias on fxp0, put:
ifconfig_em0="inet 10.20.110.2 netmask 255.255.255.192 "
ifconfig_em0_alias0="inet 10.20.1.226 netmask 255.255.255.0"
ifconfig_em0_alias1="inet 10.20.1.227 netmask 255.255.255.0"
ifconfig_em0_alias2="inet 10.20.1.228 netmask 255.255.255.0"
manual way:add alias: ifconfig em0 inet alias 10.20.1.226 netmask 255.255.255.0
remove alias: ifconfig em0 inet -alias 10.20.1.226 netmask 255.255.255.0
note: enabling ip alias is normally required for doing port forwarding (rdr)
- gateway enable
gateway_enable="yes"
note:
for manually enabling gateway: run command : sysctl -w net.inet.ip.forwarding=1
- DNS and ssh slowness response issue
- add user 'jephe' to allow to use 'su -'
- enable raid1 mirror for hp lp1000r server (refer to http://www.freebsd.org/doc/handbook/geom-mirror.html )
2. run commands below
# sysctl kern.geom.debugflags=16
#gmirror label -v -b round-robin gm0 /dev/da0
#echo geom_mirror_load=YES >> /boot/loader.conf
# vi /etc/fstab (to change all /dev/da0 to /dev/mirror/gm0, :%s#da0#mirror\/gm0#g)
bsd# more /etc/fstab
/dev/mirror/gm0s2b none swap sw 0 0
/dev/mirror/gm0s1a / ufs rw 1 1
/dev/mirror/gm0s4d /usr ufs rw 2 2
# reboot
after reboot, you can use command 'gmirror status' or 'gmirror list' to check the raid1 status
for adding the second hard disk /dev/da1 to raid array, run
# gmirror forget gm0 (optional, depends)
# gmirror insert gm0 /dev/da1
Note: testing raid1
after rebuilding finished (gmirror status to check), you can actually shutdown da0, just use da1 to boot up.
I have tested okay.
- compile kernel to enable ipsec and carp
cp GENERIC /root/MYKERNEL
ln -sf /root/MYKERNEL
vi MYKERNEL to add the following:
# enable IPSEC
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
# or enable CARP
device pf
device pflog
device pfsync
device carp
cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
reboot
- put in /etc/rc.conf for enabling pf
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pflog_flags=""
- mounting cdrom and usb
insert usb thumb drive
mkdir /mnt/usb
mount -t msdos /dev/da0s1 /mnt/usb
- error message '/dev/pf no such file or device'
- add alias
to remove alias
ifconfig bge0 inet -alias 10.0.202.80 netmask 255.255.255.0
to review alias
# ifconfig (without parameters)
Labels: freebsd, static-route
how to do basic configuration and setup for freebsd 6.3 pf firewall
Jephe Wu - http://linuxtechres.blogspot.com
Environment: FreeBSD PF firewall.
Objective: understanding Packet Filter firewall
Steps:
1. OS installation part
1. use 'F - DD' mode to configure partition since we are using the server dedicated for FreeBSD only, no other OS.
2. use 'Automatic' mode to make partitions
3. select 'full binary, doc and kernel source only' category to install
2. user and dns configuration
If your environment doesn't have DNS server, you have to wait for a long time before getting a login prompt when you try to ssh into the server. The solution is to vi /etc/nsswitch.conf to take out 'dns' from hosts line.
3. setup up PF firewall
a. put to /etc/rc.conf:
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflogd_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
b. edit the default /etc/pf.conf
ext_if="fxp0" # replace with actual external interface name i.e., dc0
int_if="fxp1" # replace with actual internal interface name i.e., dc1
scrub in all # normalize all packets
block in log all # default deny policy
# enable ssh from the specific internal IP to internal NIC of firewall
pass in on $int_if proto tcp from 192.168.0.2 to $int_if port 22 keep state
# enable all outgoing traffic on internet NIC for tcp and udp
pass out on $int_if proto { tcp, udp } all keep state
#enable incoming ssh from trusted external IP
pass in on $ext_if from x.y.z.a keep state
pass out on $ext_if from $ext_if to x.y.z.a keep state
how to do port forwarding(rdr) in freebsd 6.1
purpose: setup a port forwarding firewall on freebsd 6.1
environment: fxp0 is for external NIC interface(192.168.1.1/24), fxp1 is internal one(192.168.0.1/24), servera is on the lan
steps:
- configuring ip alias on fxp0
# ifconfig fxp0 inet alias 192.168.1.3 netmask 255.255.255.0
- add configuration into /etc/rc.conf
ifconfig_fxp0_alias0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 192.168.1.3 netmask 255.255.255.0"
- in /etc/pf.conf, after 'scrub in', before 'block all'
or
rdr on $fxp0 proto tcp from any to 192.168.1.2 port 3389 -> $servera port 3390
# servera
#pass external user to servera at port 3389 because after RDR, the destination become servera instead of 192.168.1.2, no need to specify RDR tcp ip pair rules because that will happen before traffic going through PF rules.
pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state (after rdr)
note: here uses $servera, not 192.168.1.2 which is the external ip alias, because you don't have to specify rules for RDR, here is after RDR rules)
pass out quick on $fxp1 proto tcp from any to $servera port 3389 flags S/SA keep state (direct pass after rdr tcpip payload to servera, servera needs to have routing going back to the source)
==========================
note: this method, the servera will see the real source ip, if you want to NAT also after doing RDR, NAT the source ip to the internal IP of 192.168.0.1, you can add the following to the just after above RDR or just before RDR:
nat on $fxp1 proto tcp from any to $servera - > 192.168.0.1
This way, the servera will see the traffic is coming from 192.168.0.1
but the pf rules will change also, after NAT, the sourceip become 192.168.0.1,so it becomes:
pass in quick on $fxp0 proto tcp from any to $servera port 3389 flags S/SA keep state (after rdr)
pass out quick on $fxp1 proto tcp from 192.168.0.1 to $servera port 3389 flags S/SA keep state (after nat, servera only needs to reply back to internal ip of firewall which is 192.168.0.1.
Important rules:
RDR happens before the actual PF filtering rules, once traffic coming in, it goes to RDR first before going through filtering rules.
NAT happens before the actual PF filtering rules also, before traffic going out the interface, it applies to NAT first, then applying the actual ip pf filtering rules.
RDR->incoming pf rules->|Server Interface 1_>NAT-> Server Interface 2|->outgoing pf rules
Labels: freebsd, port forwarding, rdr
configuring sudosh and sendmail masquerading, as well as working with syslog-ng
Jephe Wu - http://linuxtechres.blogspot.com
Objective: Basically, we’d like to only allow IS staffs to remote ssh into production servers and use sudo sudosh or sudo –u db2inst1 sudosh to switch to root or db2inst1 so that every command including vi keystroke will be logged, at the same time, email will be triggered whenever anyone use sudo to switch to root or db2inst1 user.
Use sudosh2 for accountability, swatch for sending alert out once someone logs in db2inst1 or root. Use openssh allowusers syntax to only allow system administrators to remote ssh.
Environment: RHEL 5 or CentOS 5
Steps:
1. sudosh2 software installation and configuration
Search google for sudosh2 then download the software sudosh2-1.0.4. Please refer to website
http://www.shortcutsolutions.net/sudosh2-software/55-introduction-sudosh2-user-shell-auditing.html
for installation steps which is mentioned on http://sourceforge.net/projects/sudosh2/
# tar xvfz sudosh2-1.0.4.tar.gz
# cd sudosh2-1.0.4
# ./configure
# make
# make install
# sudosh
2. visudo
ssh into server and become root as normal
# useradd jephe -c "Jephe Wu"
# passwd jephe
# visudo
add the following to the /etc/sudoers
Cmnd_Alias SUDOSH=/usr/local/bin/sudosh
jephe ALL=(root)SUDOSH, (db2inst1)SUDOSH
Note: Cmnd_Alias line must be on the top of jephe ALL line, otherwise, sudo sudosh doesn't work
Please refer to http://www.shortcutsolutions.net/sudosh2-shell-auditing-software/89-configuration-of-sudosh2.html for sudosh2 configuration and installation
3. ssh configuration
vi /etc/ssh/sshd_config to add the followings:
PermitRootLogin no
Protocol 2
banner /etc/motd.ssh
allowusers jephe anotheruser
then put the security warning message into /etc/motd.ssh
then run 'sshd -t' to test ssh daemon configuration syntax
then run 'service sshd restart' to restart sshd
then run 'ssh localhost' to test it.
4. su configuration
vi /etc/pam.d/su to uncomment the following line to require only members in wheel group are able to su
auth required /lib/security/$ISA/pam_wheel.so use_uid
5. Sendmail
For enabling sending email from database server to centralized mail server mailrelay, we need to put the following to the default sendmail.mc as follows:
e.g. servername is server.domain.com, we need to masquerade all sender address including envelope address as from root@server.domain.com to root@newdomain.com, then deliver it to the centralized mail server mailrelay.
Dnl EXPOSED_USER(`root’)dnl
MASQUERADE_AS(newdomain.com’)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(loclahost.localdomain)dnl
MASQUERADE_DOMAIN(domain.com)dnl
Then put the following into /etc/mail/mailertable, after that, run
makemap hash /etc/mail/mailertable < /etc/mail/mailertable
newdomain.com relay:[mailrelay]
Then put the following into /etc/hosts
10.0.0.1 mailrelay
enable root alias as follows:
add the following line to /etc/alias then run newalias
root: jephe_wu@newdomain.com
1. Note:
a. no need to give SMART_HOST since we only need to relay newdomain.com to the centralized mailrelay server.
b. No need to disable only listening on localhost since we only need to send out email, not for receiving.
so, now, any email sending to local user root will be delivered to jephe_wu@newdomain.com on the mailrelay server.
6. Swatch
register your redhat subscription using rhn_register (interactive, require to type in username and password for RHN)
or there's no need to register if you are using CentOS 5
install rpmforge rpm from DAG website at http://dag.wieers.com/rpm/FAQ.php#B ,
wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -Uvh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
put the proxy setting in /etc/yum.conf like
proxy=http://10.0.0.1:3128
yum install swatch
then the rpm packages will be downloaded at /var/lib/yum and install it
Put the following to /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- DB1 sudo alert! ---
watchfor /su:.*/
mail root,subject=--- DB1 su alert!---
watchfor /login: ROOT LOGIN.*/
mail root,subject=---DB1 console login alert!---
note: must use small letter watchfor , not Watchfor, small letter mail root, not Mail root.
If swatch exits from ps command after a while, use
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure
to run and try to ssh then check if there's any error.
put the following lines to /etc/rc.local
/usr/bin/swatch –c /etc/swatch.conf –t /var/log/secure --daemon
change /etc/logrotate.conf for week 52 to rate a year and compress
configure /etc/logrotate.d/syslog
use the following
/var/log/messages /var/log/mailog /var/log/spooler /var/log/secure /var/log/boot.log /var/log/cron {
sharedscripts
potstrotate
/bin/kill –HUP `cat /var/log/syslogd.pid 2> /dev/null` 2> /dev/null true
##added by Jephe####
kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
sleep 5
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/secure --daemon
###end#####
endscript
}
finally, run command in /etc/rc.local
/usr/bin/swatch –c /etc/swatch.conf –t /var/log/secure --daemon
===========
syslog-ng and swatch standard input
Objective: use syslog-ng default log output file to pipeline to swatch
* syslog-ng configuration
destination swatch {
program("/usr/bin/swatch -c /etc/swatch.conf --read-pipe=\"cat /dev/fd/0\"");
};
#send all logs to swatch
log { source(s_sys); destination(swatch); };
* /etc/swatch.conf
watchfor /sudo:.*/
mail root,subject=--- SERVER1 sudo alert! ---
watchfor /su:.*/
mail root,subject=--- SERVER1 su alert! ---
watchfor /login: ROOT LOGIN.*/
mail root,subject=--- SERVER1 console login alert! ---
note:
1. no need to run swatch as deamon
2. no need to modify /etc/logrotate.d/syslog
3. /dev/fd/0 is different from /dev/fd0 which is floppy disk
References:
Central Loghost Mini-HOWTO at http://www.campin.net/newlogcheck.html
note:
1. SEC(http://www.estpak.ee/~risto/sec/) is better than swatch
How to tune Apache performance and harden it
- understand How Apache works first
- Apache and keepalive issue - reduce keepalive value to 2 seconds to allow Apache to terminate the connection soon enough, also
If there's no keepalive, each connection will only serve one file which needs to be downloaded for browser display, this is not efficient method since normally a website page contains a few files in order to be properly displayed.
You can reduce the KeepAlive timeout to 2 seconds (do not turn if off). 2 seconds is enough to let the client has the enouchg time to request all the files needed for a page display, also without having to open more than one connection, also let Apache to terminate the connection soon enough so that it can handle more clients then normal.
- use a worker threaded MPM
- Some other tips
HostnameLookups off
Setting Options -Indexes FollowSymLinks (so Apache doesn't have to check if the file is symbolic link or not, it just follow)
reasonable connection timeout value than 300 (use 30 seconds or less to avoid those modem user hog the connection)
- use thttpd for static files
- Apache is the only service on the web server
You can have a big StartServers value and MinSpareServer(0) and MaxSpareServers value the same as StartServers value.
If you trust your application, you can set MaxRequestPerClient a very big value.
- hardening
use 'TraceEnable Off' to disable trace/track in main httpd.conf
use
ServerTokens Prod
Labels: apache
Understanding SSL certificate
- Commonly used public key algorithms include RSA(for web), El Gamal(for gpg) and Diffie-Hellman (for ssh).
- Generate a 1024 bit RSA private key
Execute command: “openssl genrsa -out private_key.pem 1024”
e.g.
$ openssl genrsa -out private_key.pem 1024 Generating RSA private key, 1024 bit long modulus .............................++++++ ................................................................++++++ e is 65537 (0x10001)
Generating a public key from a private key
Execute command: "openssl rsa -pubout -in private_key.pem -out public_key.pem"
e.g.
$ openssl rsa -pubout -in private_key.pem -out public_key.pem writing RSA key
A new file is created, public_key.pem, with the public key.
Viewing the key elements
Execute command: "openssl rsa -text -in private_key.pem"
For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit-length
Compute n = pq.
- n is used as the modulus for both the public and private keys
All parts of private_key.pem are printed to the screen. This includes the modulus (also referred to as public key and n), public exponent (also referred to as e and exponent; default value is 0x010001 - 65537), private exponent, and primes used to create keys (prime1, also called p, and prime2, also called q), as well as a few other variables used to perform RSA operations faster and the Base64 PEM encoded version of the key.
The "public key" actually represents a pair of parameters (numbers): a Modulus and a public exponent E. The public exponent is usually chosen to be relatively small (often 3 bytes). The size of the Modulus in bits is referred to as the "key size". A Modulus of size 128 bytes represents a "1024 bit RSA key".
The "private key" is usually described as a number pair consisting of the same key Modulus and a private exponent D. D is usually chosen to be about the same size as the modulus (~128 bytes). Random selection of Modulus, E and D starts by random selection of two large prime numbers.
- openssl genrsa command generates a pair of private key and public key actually, not only private key.
- how to verify a ssl certificate, nowadays, CA use SHA1withRSAencryption to sign the public key as certificate.
To validate the certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate. First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. This is done by inspecting a value of the CA attribute in the X509v3 extension section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain a MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate
- how to verify CA root certificate itself
- how to show SSL connection information from the browser
- Internet Explorer
SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
or right click on page blank area, choose properties.
Version 7.0 - firstly, show file menu by choosing tools/menu bar, then use the same method as above.
2. Firefox
right click on the blank area of SSL website homepage, choose 'view page info'. You will see something like this:
Connection encrypted: high-grade encryption, AES-256 256bit
- Useful OpenSSL commands
$ openssl genrsa -des3 -out server.key 1024
or
$ openssl genrsa -out server.key 1024
note: the most browser only supports RSA 1024bit key. Not either DSA or 2048bit key.
2. View RSA private key details
$ openssl rsa -noout -text -in server.key
3. Create a decrypted PEM version of rsa private/public key pair
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
or
$ openssl rsa -in server.key -out server.key.unsecure
4. create CSR file from private/public key pair file, will be in PEM format
$ openssl req -new -key server.key -out server.csr
5. view CSR file details
$ openssl req -noout -text -in server.csr
6. view CRT file detail
$ openssl x509 -noout -text -in server.crt
- Creating a certificate authority and certificates with openssl
The short answer is to use the
CA.sh
or CA.pl
script provided by OpenSSL (/usr/share/ssl/misc/CA)- How do I verify that a private key matches its Certificate? (http://www.modssl.org/docs/2.8/ssl_faq.html )
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following approach:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. BTW, if I want to check to which key or certificate a particular CSR belongs you can compute
$ openssl req -noout -modulus -in server.csr | openssl md5
- convert PEM to DER format
cert.pem
into the corresponding DER file cert.der
with the following command:
$ openssl x509 -in cert.pem -out cert.der -outform DER
- how to generate .pem/.csr/.crt/ etc certificate files.
make server.pem
make server.crt
etc
- How to apply new SSL certificate in Apache without restarting service
then run kill -USR1 pidnum to make sure it generates new log file
Please refer to http://httpd.apache.org/docs/1.3/stopping.html
- How to test to make sure the server has been restarted with new certificate?
openssl s_client help to get the the help manual
openssl s_client -connect 10.0.201.104:443 -tls1 to retrieve the certificate content.
or use curl directly
- Useful URLs
tomcat keystore and cacerts
Jephe Wu - http://linuxtechres.blogspot.com
Objective: create SSL certificate for tomcat
Enrironment: Linux server, tomcat, keytool, keystore, cacerts
Concept:
.keystore file which resides /usr/local/tomcat is the default keystore file for tomcat. It's SSL certificate container for server itself, the CA certs file is under /usr/local/jdk/jre/lib/security/.
The self signed SSL certificate generated by keytool or openssl has to be imported to ca certs file in order to avoid SSL warning when the https URL is being accessed from one server to another, without using browser.
Steps:
1. list the existing keys, the default file is .keystore under /usr/local/tomcat folder
# cd /usr/local/tomcat
# keytool -list -v -storepass changeit
2. delete the existing keys( key alias :tomcat)
# cd /usr/local/tomcat
# keytool -delete -alias tomcat -storepass changeit
3. generate self-signed key
# keytool -h for usage
# keytool -genkey -alias tomcat -keysize 1024 -validity 3650 -keypass changeit -storepass changeit
What is your first and last name?
[Unknown]: jephe
What is the name of your organizational unit?
[Unknown]: IS
What is the name of your organization?
[Unknown]: Jephe
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=jephe, OU=IS, O=somename, L=Singapore, ST=Singapore, C=SG correct?
[no]: yes
for above self-generated key to work without SSL warning, you need to import to ca certs file
4. list the existing CA certificates from /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -list -v -keystore cacerts
5. in order to add self-signed key to cacerts, export it first from .keystore file
# keytool -export -alias jephe -keypass changeit -storepass changeit -file /tmp/jephe.der
6. then import to cacerts file under /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.der -storepass changeit
note: add this key to trusted cacerts and give alias as jephe
you can add one more, but have to give the different alias name
7. you can delete the existing cacert key:
# cd /usr/local/jdk/jre/lib/security
#keytool -delete -keystore cacerts -alias jephe
8. import a openssl generated self signed pem format certificate from openldap server into ca certs file on tomcat server (for ldaps connection from tomcat server to openldap server)
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.pem -storepass changei
References:
1. convert pem to der format
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
Use RIP CD and MBRFix to easily fix the Windows MBR issue
Jephe Wu - http://linuxtechres.blogspot.com
Whenever your Windows MBR got corrupted or after restoring the back image, you have to fix the MBR issue. With RIP(Recovery Is Possible - http://www.tux.org/pub/people/kent-robotti/looplinux/rip/) and MBRFix - http://www.sysint.no/nedlasting/mbrfix.htm, It becomes very easy job to get it done.
Environment:
Let's say your Windows server MBR is corrupted or you just restored a Windows partition using ntfsclone (http://linuxtechres.blogspot.com/2007/07/cloning-windows-server-using-rip-and.html). Now you need to update MBR to boot up Windows automatically.
It's especially useful when you cannot boot up to Windows console to run 'fdisk /mbr' due to whatever reason.
Steps:
1. boot up with RIP CD (non-X version is enough, we just need to boot it up and use 'Boot partition #1 on first hard drive' option to boot up Windows normally)
2. Windows MBRfix program at http://www.sysint.no/nedlasting/mbrfix.htm
3. Run command below to fix MBR issue.
c:\> MbrFix /drive 0 fixmbr /yes
4. eject out RIP CD, reboot Windows to verify it.
that's it.
resize (enlarge) the Windows ntfs partition using RIP and ntfsresize
Jephe Wu - http://linuxtechres.blogspot.com
- Environment
2. how to do it
use RIP (Recovery Is Possible) cdrom which you can download it from http://www.tux.org/pub/people/kent-robotti/looplinux/rip/ to boot up HP server, then use fdisk to enlarge the partition size first, after that, use ntfsresize program to resize the file system size to 40g.
3. steps
a. backup your important data just in case.
b. reboot server from RIP CD, login in as root without password, run commands below:
ifconfig eth0 10.0.0.145 up
/usr/sbin/sshd
passwd root
note : passwd root to change root password so that you can ssh to this server 10.0.0.145 remotely, use your network environment IP instead.
c. ssh into HP server remotely
, run command below to enlarge partition size:
fdisk -l /dev/cciss/c0d0 > fdisk-backup # backup the current partition table first
fdisk /dev/cciss/c0d0 # to delete the the first partition which is ntfs, then create a new partition with 40g size, then give the partition id as number '7' (compare it with your fdisk-backup file generated in previous step), taggle it as active partition to make it bootable (otherwise you cannot boot up windows anyway)
save the partition, exit
d. resize
ntfsresize -n -s 40g /dev/cciss/c0d0p1
above command just tests first, if it's okay. run it once more time without -n parameter to do the real writing.
ntfsresize -s 40g /dev/cciss/c0d0p1
reboot
Labels: ntfsresize, RIP, windows
Setup IPSec VPN between 2 FreeBSD 6.3 servers
Environment:
1 HP lp1000r with 2 18G hard disk is sitting in datacenter; another PC is sitting in office. Both are running FreeBSD 6.3.
lp1000r: vpndc has IP pair d.1.2.3 k/di.1.2.3 in datacenter (d for datacenter, the behind network is di.1.2.0/24)
another pc:vpnsg has IP pair o.1.2.3/oi.1.2.3 in office (o for office, the behind network is oi.1.2.0/24)
2 firewalls doing port forwarding and seperate DMZ and internal office/datacenter network
___Internetl corporate network____"FW"oi.1.2.4____oi.1.2.0/24---oi.1.2.3"vpnsg"o.1.2.3 ++++++++d.1.2.3"vpndc"di.1.2.3__di.1.2.0/24____di.1.2.4"FW"____internal datacenter network___
Objective:
Setup VPN over IPSec between 2 FreeBSD servers so that it can connect 2 private network through Internet.
Steps:
- install OS
- SSH and PF configuration
=================
ext_if="fxp0"
int_if="fxp1"
scrub in all
block in log all
pass in on $int_if proto tcp from any to $int_if port 22 keep state
pass out on $int_if proto { tcp, udp } all keep state
=================
for final pf.conf on vpndc and can be used for ipsec, I use:
ext_if="fxp0"
int_if="fxp1"
scrub in all
block in log all
# allow icmp type 3 code 4
pass in log quick on $ext_if inet proto icmp all icmp-type unreach code 4
pass in log quick on $int_if inet proto icmp all icmp-type unreach code 4
pass out log quick on $ext_if inet proto icmp all icmp-type unreach code 4
pass out log quick on $int_if inet proto icmp all icmp-type unreach code 4
block in log quick on $ext_if proto icmp from any to any
block in log quick on $int_if proto icmp from any to any
block out log quick on $ext_if proto icmp from any to any
block out log quick on $int_if proto icmp from any to any
# for $int_if
# allow ssh to vpndc itself from FW on inside DMZ
pass in on $int_if proto tcp from di.1.2.4 to $int_if port 22 keep state
# allow the whole DMZ can reply back tcpip packet to the office uses, actually, this rule might contain the above ssh one
pass in on $int_if from di.1.2.0/24 keep state
#allow office users' request going to DMZ in datacenter
pass out on $int_if from any to di.1.2.0/24 keep state
####for $ext_if ,almost same as above
pass in on $ext_if from o.1.2.3 to $ext_if keep state
pass out on $ext_if from $ext_if to o.1.2.3 keep state
- DNS and ssh slow response issue
vi /etc/nsswitch.conf
to take out 'dns' from hosts line
- add user jephe for 'su -'
to add user 'jephe' to 'wheel' group
- enable raid1 mirror for hp lp1000r server
We assume /dev/da0 is the first hard disk we installed OS on, we need to add /dev/da1 which is the second hard disk to the raid1 mirror system.
# sysctl kern.geom.debugflags=16
# gmirror label -v -b round-robin gm0 /dev/da0
# echo geom_mirror_load=YES >> /boot/loader.conf
# vi /etc/fstab (to change all /dev/da0 to /dev/mirror/gm0, :%s#da0#mirror\/gm0#g)
bsd1# more /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/mirror/gm0s2b none swap sw 0 0
/dev/mirror/gm0s1a / ufs rw 1 1
/dev/mirror/gm0s4d /usr ufs rw 2 2
/dev/mirror/gm0s3d /var ufs rw 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
# reboot
After reboot, you can use command 'gmirror status' or 'gmirror list' to check the raid1 status.
For adding the second hard disk /dev/da1 to raid array, run
#gmirror forget gm0 (optional, depends)
#gmirror insert gm0 /dev/da1
- compile kernel to enable ipsec
cp GENERIC /root/MYKERNEL
ln -sf /root/MYKERNEL
vi MYKERNEL to add the following:
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL
reboot
- install racoon
put it under /home/jephe
tar xvfz ipsec-tools-0.7.tar.gz
cd ipsec-tools-0.7
./configure ;make
su - as root to make install
binary racoon will be installed to /usr/local/sbin/racoon
then you need to put racoon.conf.sample to /usr/local/etc/racoon.conf
and psk.txt.sample to /usr/local/etc/psk.txt
you can run 'find . -name "psk.txt*" and 'find . -name "racoon.conf*" from ipsec-tools-0.7 directory to find out the path of two files psk.txt.sample and racoon.conf.sample.
- configure racoon
then copy racoon.conf.sample there as racoon.conf.
after that, copy psk.txt.sample to /usr/local/etc also, then vi racoon.conf to change the following line:
path pre_shared_key "/usr/local/etc/psk.txt";
So, change it to use /usr/local/etc/psk.txt, before it was /usr/local/etc/v6/psk.txt .
chown root:wheel psk.txt
chmod 600 psk.txt
the above commands are very important, otherwise, after you run racoon, it won't establish vpn normally.
inside psk.txt, configure one line for peer end, make it looks like this:
remotesiteipaddress sharedkey
- configuring /etc/rc.conf on vpndc
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflogd_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#enable ipsec
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
#for gif interface on datacenter freebsd 6.3
###
gif_interfaces="gif0"
gifconfig_gif0="d.1.2.3 o.1.2.3"
ifconfig_gif0="inet di.1.2.3 oi.1.2.3 netmask 0xffffffff"
static_routes="vpn"
route_vpn="-net oi.1.2.0/24 oi.1.2.3 "
- configure /etc/ipsec.conf
spdadd o.1.2.3/32 d.1.2.3 ipencap -P in ipsec esp/tunnel/o.1.2.3-d.1.2.3/require;
spdadd di.1.2.0/24 oi.1.2.0/24 any -P out ipsec esp/tunnel/d.1.2.3-o.1.2.3/require;
spdadd oi.1.2.0/24 di.1.2.0/24 any -P in ipsec esp/tunnel/o.1.2.3-d.1.2.3/require;
- configure /etc/rc.local
# start up racoon, the default configuration file is /usr/local/etc/racoon.conf, you can run 'strings /usr/local/sbin/racoon | grep racoon.conf' to know that.
/usr/local/sbin/racoon [ -l /var/log/racoon.log ]
- reboot server and 'racoon' should be started automatically , after that , try to ping each other, e.g. from office freebsd server vpnsg, ping di.1.2.3, then sniff the traffic on datacenter freebsd server using command 'tcpdump -n -i fxp0 host o.1.2.3'
- same examples of configuration
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default x.x.x.x UGS 2 34 fxp0
127.0.0.1 127.0.0.1 UH 0 90 lo0
oi.1.2.0/24 oi.1.2.3 UGS 8874 8877 gif0
oi.1.2.3 di.1.2.3 UH 8 7 gif0
di.1.2.0/24 link#2 UC 0 0 fxp1
d.1.2.0/24 link#1 UC 0 0 fxp0
note: from above routing table, going to office internal network oi.1.2.0/24 will be sent to gif0 and office vpnsg inside ip oi.1.2.3; and going to oi.1.2.3 will be sent to di.1.2.3 and gif0