How to enable SSL on Red Hat Linux server

How do I speak HTTPS manually for testing purposes?

While you usually just use

$ telnet localhost 80

GET / HTTP/1.0 (enter)

$ telnet 172.16.5.2 80
Trying 172.16.5.2...
Connected to 172.16.5.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2015 15:31:05 GMT
Server: Apache/2.2.15 (Red Hat)
Last-Modified: Fri, 15 Feb 2013 21:40:12 GMT
ETag: "158-53-4d5ca385c499c"
Accept-Ranges: bytes
Content-Length: 83
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>
Connection closed by foreign host.

for simple testing of Apache via HTTP, it’s not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL’s s_client command, however, you can do a similar check via HTTPS:

$ openssl s_client -connect localhost:443 -state -debug

GET / HTTP/1.0

Before the actual HTTP response you will receive detailed information about the SSL handshake. For a more general command line client which directly understands both HTTP and HTTPS, can perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can check that Apache is responding correctly to requests via HTTP and HTTPS as follows:

$ curl http://localhost/

$ curl http://172.16.5.2
<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>
$ curl https://localhost/

$ curl -k https://172.16.5.2
<html>
<head>
<title>Red Hat Enterprise Linux</title>
<body>
hello
</body>
</html>

If you want to turn off curl's verification of the certificate, use the -k (or --insecure) option; otherwise curl refuses the connection and reports that the certificate cannot be authenticated. For a self-signed certificate the better check is to keep verification on and hand curl the certificate with --cacert /path/to/server.crt, which also tests that the name in the certificate matches the host you connect to (connecting by IP address, as above, fails that test when the certificate was issued for a host name).

25.8. Apache HTTP Secure Server Configuration

This section provides basic information on the Apache HTTP Server with the mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components is referred to in this section as the secure Web server or just as the secure server.
 
The mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
This section is not meant to be complete and exclusive documentation for any of these programs. When possible, this guide points to appropriate places where you can find more in-depth documentation on particular subjects.
This section shows you how to install these programs. You can also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure server.
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
 
 
25.8.1. An Overview of Security-Related Packages

To enable the secure server, you must have the following packages installed at a minimum:
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
 

How to get and install mod_ssl

 

$ sudo yum install mod_ssl
….

Dependencies Resolved

============================================================================================================================
 Package                  Arch                    Version                                 Repository                   Size
============================================================================================================================
Installing:
 mod_ssl                  x86_64                  1:2.2.15-15.el6_2.1                     ipnsg-rhel                   87 k

Transaction Summary
============================================================================================================================
Install       1 Package(s)

Total download size: 87 k
Installed size: 183 k
Is this ok [y/N]: y
Downloading Packages:
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm                                                                 |  87 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), ‘yum check’ output follows:
sssd-1.8.0-32.el6.x86_64 has missing requires of openldap >= ('0', '2.4.23', '20')
  Installing : 1:mod_ssl-2.2.15-15.el6_2.1.x86_64                                                                              1/1
Installed products updated.
  Verifying  : 1:mod_ssl-2.2.15-15.el6_2.1.x86_64                                                                              1/1

Installed:
  mod_ssl.x86_64 1:2.2.15-15.el6_2.1

Before restarting httpd you can already find the installed files:

/etc/httpd/modules/mod_ssl.so

/etc/httpd/conf.d/ssl.conf

Restart httpd (service httpd restart) to load the module and start listening on port 443.

How to test it?

The package ships a self-signed placeholder certificate and key for the local host name (generated by the package's post-install script if none exist yet), and ssl.conf points at them:

$ more /etc/httpd/conf.d/ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you’ve both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  

$ wget https://172.16.5.2
--2015-03-25 17:38:20--  https://172.16.5.2/
Connecting to 172.16.5.2:443... connected.
ERROR: cannot verify 172.16.5.2's certificate, issued by /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=host/emailAddress=root@host
                     Self-signed certificate encountered

wget, like curl, refuses an unverifiable certificate by default: the placeholder certificate is self-signed and its CN (host) does not match the address used. The TLS listener works, but it needs a certificate for the real host name, which the following sections cover.
How do I create a self-signed SSL Certificate for testing purposes?

  1. Make sure OpenSSL is installed and in your PATH.
  2. Run the following command to create server.key and server.crt (you are prompted for the subject fields; -nodes leaves the key unencrypted):
     $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
  3. Older OpenSSL releases default to a 1024-bit RSA key and a SHA-1 signature. 1024-bit RSA is considered too weak and is no longer issued by public CAs, and SHA-1 signatures are rejected by current browsers, so ask explicitly for a 2048-bit key, a SHA-256 signature and a one-year validity:
     $ openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
  4. Reference these files in your /etc/httpd/conf.d/ssl.conf file:

             SSLCertificateFile    /path/to/this/server.crt
             SSLCertificateKeyFile /path/to/this/server.key

  5. Be aware that this server.key has no passphrase. To add one, run the following command and enter and verify the passphrase when prompted (Apache will then ask for it at every start; see below):
     $ openssl rsa -des3 -in server.key -out server.key.new
     $ mv server.key.new server.key

 

How do I create a real SSL Certificate?

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH.
  2. Create an RSA private key for your Apache server. With -des3 the key is Triple-DES encrypted under a passphrase you are prompted for, and PEM formatted. Use 2048 bits rather than the older 1024-bit default, and note that the key size is the last argument:

$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus.....

Please back up this server.key file and the passphrase you entered in a secure location. You can see the details of this RSA private key with:

$ openssl rsa -noout -text -in server.key

If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

$ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

$ openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/, enter "www.foo.dom" here. Current browsers ignore the CommonName and match the host name against the subjectAltName extension instead, so make sure the CA puts the name there as well (or request it yourself with a subjectAltName line in an OpenSSL config file passed via -config, or with -addext on OpenSSL 1.1.1 and later). You can see the details of this CSR with:

$ openssl req -noout -text -in server.csr

  4. You now have to send this Certificate Signing Request (CSR) to a Certificate Authority (CA) to be signed. Once the CSR has been signed, you have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server – proceed with caution!

Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

Whichever form you use, keep the key file owned by root with mode 0600 (the RHEL default location /etc/pki/tls/private is already root-only); httpd reads it as root at startup before dropping privileges, so nothing else on the host needs access to it.

How do I verify that a private key matches its Certificate?

A private key contains a series of numbers. Two of these numbers form the “public key”, the others are part of the “private key”. The “public key” bits are included when you generate a CSR, and subsequently form part of the associated Certificate.

To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The 'modulus' and the 'public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it is difficult to visually check that the long modulus numbers are the same, hash both moduli and compare the hashes:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

MD5 is only a shorthand for eyeballing two long numbers here, not a security boundary; sha256 works just as well.
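The two recipes above (generating a self-signed certificate, and checking that a certificate belongs to a private key) combined into one script. This is an added example, not code from the original page or from the mod_ssl project: it writes a 2048-bit key with mode 0600 and a SHA-256 self-signed certificate that carries the subjectAltName current browsers require, then compares the moduli. The directory, the host name www.example.test and the one-year validity are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: create a 2048-bit RSA key and
# a SHA-256 self-signed certificate with a subjectAltName, keep the key
# readable by the owner only, and check that the certificate belongs to
# the key.  Directory, host name and validity are assumptions for the demo.

# make_selfsigned DIR HOST: writes DIR/server.key and DIR/server.crt
make_selfsigned() {
    dir=$1; host=$2
    umask 077          # key and certificate are created with mode 0600
    # Minimal request config: prompt = no takes the subject from [dn],
    # and [ext] adds the subjectAltName that browsers match against.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -config "$dir/san.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1
}

# key_matches_cert KEY CRT: succeeds when the modulus in the certificate
# equals the modulus of the private key (the md5 recipe above, with
# sha256 as the shorthand digest)
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRT: print the subjectAltName entries of a certificate
# (empty when the extension is missing, which is what a browser rejects)
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Demo: sh selfsigned.sh demo [DIR]
if [ "${1:-}" = demo ]; then
    d=${2:-/tmp/tls-demo}; mkdir -p "$d"
    make_selfsigned "$d" www.example.test
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and certificate match"
    echo "SAN: $(cert_san "$d/server.crt")"
    ls -l "$d/server.key"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at the two files it writes; key_matches_cert is the check to run whenever a certificate is replaced, since a mismatched pair makes httpd fail at startup.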

What SSL Ciphers are supported by mod_ssl?

Usually, any SSL ciphers supported by the version of OpenSSL in use are also supported by mod_ssl. Which ciphers are available depends on the way OpenSSL was built, so rather than relying on a fixed list, determine the actual set of ciphers available by running:

$ openssl ciphers -v

How to inspect the certificate

The Signature Algorithm line shows the digest the certificate was signed with; sha1WithRSAEncryption, as in this certificate, is rejected by current browsers, which is why -sha256 is used when generating a new one.

$ openssl x509 -in server2.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:cc:7d:a6:ae:52:34:b0
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=New York, L=NYC, O=ATT, OU=CSO, CN=server

Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

 

How to disable SSLv3?

SSLv3 is broken at the protocol level (the POODLE padding-oracle attack, CVE-2014-3566, affects every CBC cipher under SSLv3, and the only non-CBC alternative, RC4, is itself broken), so the fix is to turn the protocol off rather than to juggle cipher suites. Modify /etc/httpd/conf.d/ssl.conf:

SSLProtocol all -SSLv2 -SSLv3

or, listing what you allow instead of what you forbid:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Either form completely disables the SSLv3 protocol; clients that only speak SSLv3 will no longer connect, which is the intent. The TLSv1.1 and TLSv1.2 keywords are only recognized once mod_ssl supports those versions; on an older httpd 2.2 build the directive is rejected at startup, so run httpd -t before restarting.

Tighten the cipher list in the same file. The old mod_ssl FAQ example ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP enables LOW, EXPORT and SSLv2-era ciphers and should not be used; keep only strong, authenticated suites:

SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

Then verify from a client that SSLv3 is refused while TLS still works:

$ openssl s_client -connect 172.16.5.2:443 -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A

$ openssl s_client -connect 172.16.5.2:443 -state -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = US, ST = New York, L = NYC, O = ATT, OU = CSO, CN = server
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = New York, L = NYC, O = ATT, OU = CSO, CN = server
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
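The two s_client checks on this page (the manual "GET / HTTP/1.0" over TLS near the top, and the per-protocol handshake test just above) as one script. This is an added example, not code from the original page: it drives openssl s_client, classifies the handshake output the way a reader does by eye (alert or handshake failure means rejected, a completed handshake means accepted), and pulls the HTTP status code out of the response. The host, port and sample output used in the demo are assumptions; note that -ssl3 only exists in OpenSSL builds that still include SSLv3, so on a current client that probe reports unknown rather than rejected.

```shell
#!/bin/sh
# Added example, not from the original page: probe which protocol versions
# a TLS listener accepts and check that it still answers HTTP over TLS.
# Only openssl s_client is used; host and port are assumptions.

# classify_handshake: read "openssl s_client" output on stdin and print
#   rejected  - an alert or handshake failure aborted the handshake
#   accepted  - the handshake completed
#   unknown   - anything else (connect failed, option not supported, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'alert .*(handshake failure|protocol version)|wrong version number|unsupported protocol|no protocols available'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq 'read finished A|Verify return code|Server public key is'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe_protocol HOST PORT PROTO   (PROTO: ssl3 tls1 tls1_1 tls1_2 tls1_3)
probe_protocol() {
    openssl s_client -connect "$1:$2" -state "-$3" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT: one line per protocol version
probe_all() {
    for proto in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s %s\n' "$proto" "$(probe_protocol "$1" "$2" "$proto")"
    done
}

# http_status: read an HTTP response on stdin and print the status code
# from its first line (prints nothing if that is not a status line)
http_status() {
    head -n1 | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# https_get HOST PORT PATH: the manual "GET / HTTP/1.0" check over TLS,
# reduced to the status code.  -quiet drops the handshake chatter and
# HTTP/1.0 makes the server close the connection so s_client returns.
https_get() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$3" "$1" \
        | openssl s_client -connect "$1:$2" -servername "$1" -quiet 2>/dev/null \
        | http_status
}

# Demo: sh tlsprobe.sh demo HOST [PORT]
if [ "${1:-}" = demo ]; then
    host=$2; port=${3:-443}
    probe_all "$host" "$port"
    printf 'GET / over TLS -> HTTP %s\n' "$(https_get "$host" "$port" /)"
fi
```

After the SSLProtocol change above, the expected result is ssl3 rejected (or unknown on a client without SSLv3), the TLS versions you enabled accepted, and HTTP 200 from the GET.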

WordPress Tips 38: How to fix wp-admin not accessible problem

The /wp-admin is not accessible any more after domain moving.

Here’re the steps,

1. Edit the wp-config.php file.

2. After the “define” statements (just before the comment line that says “That’s all, stop editing!”), insert a new line, and type: define('RELOCATE',true);

3. Save your wp-config.php file.

4. Open a web browser and manually point it to wp-login.php on the new server. For example, if your new site is at http://www.yourdomainname.com, then type http://www.yourdomainname.com/wp-login.php into your browser’s address bar.

Like:

http://www.cathaycenturies.com/blog/wp-login.php

5. You will be able to login and change “site address” information under Settings.

6. Once this has been fixed, edit wp-config.php and either completely remove the line that you added (delete the whole line), comment it out (with //) or change the true value to false if you think it’s likely you will be relocating again.

Note: When the RELOCATE flag is set to true, the Site URL is automatically updated to whatever path you use to reach the login screen. This gets the admin section running on the new URL, but it does not correct any other part of the setup; those you still need to alter manually. It is also why the flag must not stay enabled: while it is set, anyone who loads wp-login.php through another host name or path rewrites your site URL.

Changing the URL directly in the database

If you know how to access phpMyAdmin on your host, then you can edit these values directly to get you up and running again.

  1. Backup your database and save the copy off-site.
  2. Login to phpMyAdmin.
  3. Click the link to your Databases.
  4. A list of your databases will appear. Choose the one that is your WordPress database.
  5. All the tables in your database will appear on the screen.
  6. From the list, look for wp_options. Note: The table prefix of wp_ may be different if you changed it when installing.
  7. Click on the small icon indicated as Browse.
  8. A screen will open with a list of the fields within the wp_options table.
  9. Under the field option_name, scroll down and look for siteurl.
  10. Click the Edit Field icon which usually is found at the far left at the beginning of the row.
  11. The Edit Field window will appear.
  12. In the input box for option_value, carefully change the URL information to the new address.
  13. Verify this is correct and click Go to save the information.
  14. You should be returned to your wp_options table.
  15. Look for the home field in the table and click Edit Field. Note: There are several pages of tables inside wp_options. Look for the > symbol to page through them.
  16. In the input box for option_value, carefully change the URL information to the new address.
  17. Verify this is correct and click Go to save the information.

Juniper Tips 37: How to apply packet filter

1. Build a firewall filter

> show configuration firewall family inet filter CPE1
term CUST-PROTECTED-IP {
    from {
        source-address {
            10.2.208.0/27;
        }
    }
    then {
        count CPE1;
        accept;
    }
}
term ALLOW-NETFLOW {
    from {
        source-address {
            10.2.208.60/32;
        }
        destination-port 2055;
    }
    then {
        count ALLOW-NETFLOW;
        accept;
    }
}
term DROP-ALL-ELSE {
    then {
        count DROP-ALL-ELSE;
        log;
        discard;
    }
}

2. Apply the filter to the intended interface

> show configuration interfaces ge-0/0/0.100
family inet {
    filter {
        input-list [ COMMON-FILTER CPE1 ];
    }
    service {
        input {
            service-set NAT-GROUP-1;
        }
        output {
            service-set NAT-GROUP-1;
        }
    }
    address 192.168.100.33/30;
}

3. Verify the filter

Because the filter was applied through an input-list, Junos merges the listed filters into one interface-specific filter (named after the interface, with an -i suffix for the input direction) and suffixes every counter with that name. The counters of the standalone filter CPE1 therefore stay at zero, since a single filter can be referenced from several interfaces; look at the merged filter instead:

> show firewall

Filter: gr-0/0/0.100-i
Counters:
Name Bytes Packets
ALLOW-BGP-gr-0/0/0.100-i 2165275 43751
ALLOW-ICMP-gr-0/0/0.100-i 2436 29
ALLOW-NETFLOW-gr-0/0/0.100-i 5195740 31641
ALLOW-REMOTE-GRE-PACKET-gr-0/0/0.100-i 2874504 119771
CPE1-gr-0/0/0.100-i 844762395 7679678
DROP-ALL-ELSE-gr-0/0/0.100-i 2780 88
GRE-KEEPALIVE-gr-0/0/0.100-i 0 0

> show firewall filter CPE1     <- only counts where CPE1 is applied on its own, not through an input-list

Filter: CPE1
Counters:
Name Bytes Packets
ALLOW-NETFLOW 0 0
DROP-ALL-ELSE 0 0
CPE1 0 0

Hacking Tools 1: hping

 Installation

Step 1: Install the Tcl development files with "sudo apt-get install tcl-dev",

or you will run into this error during make:

/usr/bin/ld: cannot find -ltcl8.5
collect2: ld returned 1 exit status

Step 2: Fix the warning about Tcl scripting support from ./configure.

hping3-20051105$ ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX

LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'

If you build anyway (USE_TCL is empty), the binary refuses to run scripts:

# ./hping3
Sorry, this hping binary was compiled without TCL scripting support

Go back to step 1 and recompile with Tcl support. The headers are installed, but under the 8.5 directory:

$ sudo find / -name "tcl.h"
/usr/include/tcl8.5/tcl.h
/usr/include/tcl8.5/tcl-private/generic/tcl.h

The system runs Tcl 8.5, but the configure script only looks for versions up to 8.4, so add "8.5" to the list of versions it tries:

for TCLPATH_TRY in "/usr/bin/" "/usr/local/bin/" "/bin/"
do
  for TCLVER_TRY in "8.5" "8.4" "8.2" "8.1" "8.0"
  do
    if [ -z $TCLSH ]
    then
      TCLSH_TRY=${TCLPATH_TRY}tclsh${TCLVER_TRY}
      if [ -f $TCLSH_TRY ]
      then
        TCLSH=$TCLSH_TRY
        echo "===> Found Tclsh in: $TCLSH"
.....

Step 3: Install libpcap-dev with "sudo apt-get install libpcap-dev",

otherwise you will run into this error during make:

fatal error: pcap.h: No such file or directory
compilation terminated.

Step 4: Create a symlink for net/bpf.h. The build stops with

libpcap_stuff.c:20:21: net/bpf.h: No such file or directory
make: *** [libpcap_stuff.o] Error 1

because on this system the header lives under pcap/ instead of net/:

# find / -name "bpf.h"
# sudo ln -s /usr/include/pcap/bpf.h /usr/include/net/bpf.h

And it should work now!

HOW TO USE HPING

Hping Examples:

# ./hping3 -S -V 192.168.1.6 -s 7550 -p 339

-S SYN packet, -F FIN, -R RST, -U URG, -P PUSH, -A ACK,

-V verbose output, -s source port, -p destination port

If the port is listening you get a reply with flags=SA (SYN/ACK); if it is not, you receive flags=RA (RST/ACK) instead. No reply at all usually means a firewall dropped the probe.
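The SYN-probe interpretation above, automated over a list of ports. This is an added example, not code from the original page or from the hping project: it runs one SYN per port and maps the reply line to open (flags=SA), closed (flags=RA) or filtered (no reply). The host and ports are assumptions; the HPING_CMD variable exists so the parsing can be exercised without root or a network, and the reply lines in the demo are constructed to match hping3's output format.

```shell
#!/bin/sh
# Added example, not from the original page: classify hping3 SYN-probe
# replies and scan a list of ports with them.  hping3 needs raw sockets,
# so the real scan runs as root; host and ports are assumptions.

HPING_CMD=${HPING_CMD:-hping3}   # override to test the parsing offline

# hping_port_state: read the reply line for one probe on stdin and print
#   open      flags=SA  (SYN/ACK: something is listening)
#   closed    flags=RA  (RST/ACK: host reachable, nothing listening)
#   filtered  no reply line at all (dropped by a firewall, or host down)
hping_port_state() {
    line=$(cat)
    case "$line" in
        *flags=SA*) echo open ;;
        *flags=RA*) echo closed ;;
        *)          echo filtered ;;
    esac
}

# hping_syn_scan HOST PORT...: one SYN per port (-c 1), prints "PORT/tcp STATE"
# hping3 prints its banner and statistics on stderr and reply lines on
# stdout; both are merged and only lines carrying flags= are kept.
hping_syn_scan() {
    host=$1; shift
    for port in "$@"; do
        state=$("$HPING_CMD" -S -c 1 -p "$port" "$host" 2>&1 \
                    | grep 'flags=' | hping_port_state)
        printf '%s/tcp %s\n' "$port" "$state"
    done
}

# Demo: sudo sh hping-scan.sh demo 192.168.1.6 22 80 443
if [ "${1:-}" = demo ]; then
    shift
    hping_syn_scan "$@"
fi
```

Because each probe is a single SYN with no completed handshake, the target's application never sees a connection; only the TCP stack (and any firewall in the path) answers.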

hping3 --rand-source -S -L 0 -p <target port> <target IP>
Sends SYN packets from random source addresses; -L sets the TCP ack number (replace 0 with the value you want).

hping3 --rand-source -SA -p <open port> <target IP>
Sends SYN+ACK packets from random source addresses.

hping3 --rand-source --udp --flood <target IP>
Floods the target IP with UDP packets from random source addresses.

hping3 --rand-source -SAFRU -L 0 -M 0 -p <port> <target>
Sends packets with SYN+ACK+FIN+RST+URG set, with the TCP ack (-L) and TCP sequence number (-M) fixed; change the values after -L and -M.

hping3 --icmp --spoof <target address> <broadcast address> --flood
Floods a broadcast address with ICMP echo requests whose source is spoofed (--spoof) to the target, so every host that answers the broadcast replies to the target (the classic smurf amplification).

Ubuntu Tips 16: How to upgrade from an older version

I was seeing errors from apt-get install or apt-get update like:

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/oneiric-security/main/source/Sources  404  Not Found

And errors from apt-get upgrade like:

Err http://archive.ubuntu.com/ubuntu/ oneiric-updates/main ncurses-bin i386 5.9-1ubuntu5.1
403  Forbidden

Luckily Ubuntu provides a repository for old releases, aptly named old-releases.ubuntu.com. To use it, open /etc/apt/sources.list and replace all occurrences of archive.ubuntu.com and security.ubuntu.com with old-releases.ubuntu.com, so that the file reads as follows:

deb http://old-releases.ubuntu.com/ubuntu/ oneiric main
deb-src http://old-releases.ubuntu.com/ubuntu/ oneiric main
deb http://old-releases.ubuntu.com/ubuntu/ oneiric-updates main
deb-src http://old-releases.ubuntu.com/ubuntu/ oneiric-updates main
deb http://old-releases.ubuntu.com/ubuntu/ oneiric universe
deb-src http://old-releases.ubuntu.com/ubuntu/ oneiric universe
deb http://old-releases.ubuntu.com/ubuntu/ oneiric-updates universe
deb-src http://old-releases.ubuntu.com/ubuntu/ oneiric-updates universe
deb http://old-releases.ubuntu.com/ubuntu oneiric-security main
deb-src http://old-releases.ubuntu.com/ubuntu oneiric-security main
deb http://old-releases.ubuntu.com/ubuntu oneiric-security universe
deb-src http://old-releases.ubuntu.com/ubuntu oneiric-security universe

Now refresh the package lists with apt-get update and run the upgrade to the next release. Note that old-releases only archives what was published before the release went end-of-life, so it receives no new security fixes; the point of pointing at it is to get the upgrade done, not to keep running the old release.

$ sudo do-release-upgrade