
Jan 20 2008

How to obtain and install SSL certificates on CentOS 4.5


This article describes what needs to be done to have an SSL (HTTPS) enabled site on CentOS 4.5. This should work on other distros as well, but I have not tested it.

Assumptions

Apache 2 web server

OpenSSL is installed and functional

You own a domain name. If not, obtain one from one of the many domain name sellers, such as GoDaddy.

  1. Generate an RSA private key
    sudo openssl genrsa -out my.key 1024
  2. Generate a CSR (Certificate Signing Request). The CSR must be signed with the private key "my.key" generated in step 1. Please note that you must at least enter your domain name, on the Common Name line shown below.

openssl req -new -key my.key -out mysite.csr

Country Name (2 letter code) [GB]:SG
State or Province Name (full name) [Berkshire]:Singapore
Locality Name (eg, city) [Newbury]:Singapore
Organization Name (eg, company) [My Company Ltd]:NA
Organizational Unit Name (eg, section) []:NA
Common Name (eg, your name or your server's hostname) []:your.domain.com
Email Address []:your@email.com

Now you need to take mysite.csr to a certificate authority to get your SSL certificate.

I used a free certificate authority named CAcert.org, which is very highly recommended by the open source community. But the issue is that many mainstream browsers do not automatically recognize CAcert, so for first-time visitors a warning will pop up. Just accept it permanently. After this, the pop-up won't show whenever you visit from the same browser.

  1. First sign up with CAcert. Once done, go to the next step.
  2. Then click on "Domains -> Add".
  3. Then add your domain in the provided text box.
  4. CAcert will do a domain verification by sending an email to your registered email address. Open your email and click on the link sent to you by CAcert.
  5. Then click on "Server Certificate -> New" to get a new certificate for your site.
  6. Open the CSR file "mysite.csr" you created above, copy and paste the content of the file into the provided text box and click submit.
  7. CAcert will show the certificate. Copy it and store it in a file named mysite.crt (the filename can be anything).
  8. Configure the SSL options in the httpd.conf file.

An example SSL-enabled virtual host configuration is shown below for reference:

NameVirtualHost *:443
<VirtualHost *:443>

ServerName your.domain.com
DocumentRoot /var/www/public

SSLEngine on
SSLCertificateFile /etc/httpd/mysite.crt
SSLCertificateKeyFile /etc/httpd/my.key
SSLVerifyClient optional

</VirtualHost>
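Added example (not code from the original post): a script that generates the key and CSR non-interactively and checks that the certificate the CA returns actually belongs to my.key and covers the site's hostname before it goes into httpd.conf. File names and subject values are assumptions; it uses a 2048-bit key because public CAs stopped accepting 1024-bit RSA keys in 2014.

```shell
#!/bin/sh
# Added example, not code from the original post. File names and subject
# values are assumptions; adjust them for your site.
set -eu

# Build the -subj string from the seven fields the interactive prompts ask for.
make_subject() {   # usage: make_subject C ST L O OU CN EMAIL
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' "$@"
}

# Private key and CSR. The umask keeps my.key mode 0600 from the start,
# so the key is never world-readable even for an instant.
make_key_and_csr() {   # usage: make_key_and_csr my.key mysite.csr "<subject>"
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# The RSA modulus is identical in key, CSR and certificate when they belong
# together; hashing it gives a short value to compare.
modulus_of() {   # usage: modulus_of x509|req|rsa file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256
}

csr_matches_key() {   # usage: csr_matches_key mysite.csr my.key
    [ "$(modulus_of req "$1")" = "$(modulus_of rsa "$2")" ]
}

# A mismatch here means Apache will refuse to start, or that the CA issued
# the certificate for some other key and it cannot be used with my.key.
cert_matches_key() {   # usage: cert_matches_key mysite.crt my.key
    [ "$(modulus_of x509 "$1")" = "$(modulus_of rsa "$2")" ]
}

# Does the certificate cover the hostname visitors will type? A CN/SAN that
# does not match produces a browser warning just like an untrusted CA does.
cert_covers_host() {   # usage: cert_covers_host mysite.crt your.domain.com
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}
```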


Jan 13 2008

Howto Build and Install Php 5.2.x on a CentOS 4.5 System


Download the PHP 5.2.x source code:

wget http://sg.php.net/get/php-5.2.5.tar.bz2/from/us2.php.net/mirror

Configure the PHP 5.2.x build options:

./configure --with-apxs2=/usr/sbin/apxs --with-mysql=/usr/lib/mysql \
  --enable-track-vars --enable-sockets --with-config-file-path=/etc \
  --enable-ftp --with-zlib --with-openssl --enable-force-cgi-redirect \
  --enable-exif --with-gd --enable-memory-limit --disable-debug \
  --disable-rpath --disable-static --with-pic --enable-calendar \
  --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-trans-sid \
  --enable-bcmath --with-bz2 --enable-ctype --with-db4 --with-iconv \
  --with-gettext --enable-mbstring --enable-shmop --enable-wddx \
  --with-xmlrpc --enable-yp --without-pgsql --enable-dbx --without-mm \
  --with-jpeg-dir=/usr --enable-gd-native-ttf --with-imap-ssl \
  --enable-soap --with-xml

The problems I faced and how I resolved them are shown below.

apxs is required to build Apache 2 modules. My installation of Apache did not have this tool, so I had to install the httpd-devel package.

If any of the required packages are missing, the configure script will print an error. Install those packages and re-run the configure script as above until it succeeds.

For example, if libpng is not installed on your system, configure will abort. Then install libpng and re-run configure.

Download and install the libpng package, if needed:

Download from http://libpng.org/pub/png/libpng.html

Unzip and untar the file in a temporary directory

Then run ./configure

Then run make install (with root permission)

You may also need to install libjpeg. Download from

http://freeware.sgi.com/source/libjpeg/

Then do the following:

./configure

make

make install

Please note that the jpeglib header files must be in the PHP 5 compilation include path, for example /usr/local/include on CentOS 4.5.

Once configure completes successfully, compile and install PHP 5:

make
make test      # to ensure that your compilation went right
make install   # run this with root permission
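Added example (not code from the original post): a pre-flight check that looks for the tools and headers the configure line above depends on in one pass, so every missing package is reported at once instead of one configure abort at a time. The header list, package names and search directories are assumptions drawn from the options used above.

```shell
#!/bin/sh
# Added example, not code from the original post. Header/package pairs and
# search directories are assumptions based on the configure options above.
set -u

# Where configure looks on this CentOS box: the system include directory
# plus /usr/local/include, where the hand-built libpng and libjpeg land.
INCLUDE_DIRS="/usr/include /usr/local/include"

have_header() {   # usage: have_header png.h dir... -> 0 if found in any dir
    h=$1; shift
    for inc in "$@"; do
        [ -f "$inc/$h" ] && return 0
    done
    return 1
}

# Prints one line per missing dependency ("tool ..." or "header ...") and
# returns 1 if anything is missing, 0 when configure should get through.
php_preflight() {   # usage: php_preflight "<include dirs>" /usr/sbin/apxs
    dirs=$1; apxs=$2; missing=0
    if [ ! -x "$apxs" ]; then   # --with-apxs2 needs the apxs tool
        echo "tool $apxs missing (install httpd-devel)"; missing=1
    fi
    # header:package pairs for --with-gd (png, jpeg), --with-zlib,
    # --with-openssl and --with-bz2
    for pair in png.h:libpng jpeglib.h:libjpeg zlib.h:zlib-devel \
                openssl/ssl.h:openssl-devel bzlib.h:bzip2-devel; do
        hdr=${pair%%:*}; pkg=${pair#*:}
        # $dirs is deliberately unquoted so it splits into one dir per word
        if ! have_header "$hdr" $dirs; then
            echo "header $hdr missing (install $pkg)"; missing=1
        fi
    done
    return $missing
}

# Stand-alone use: "sh preflight.sh --check" reports against the real paths.
if [ "${1:-}" = "--check" ]; then
    php_preflight "$INCLUDE_DIRS" /usr/sbin/apxs
fi
```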


Aug 04 2007

Securing Linux with Netfilter, IPTABLES and Tcp Wrappers


First, Netfilter and IPTables are huge subjects that require lots of time and practice to master, and I don't claim to be a master of this art. Hence, this post is targeted at people who subscribe to a Virtual Private Server (VPS) plan and need to secure their instance against unwanted intruders.

Even though Netfilter and IPTABLES are pretty involved subjects, it turns out that filtering out unwanted packets is pretty straightforward, at least in my case.

Before venturing into IPTABLES configuration, I would like to provide a few links that I referred to when setting up my firewall rules.

IPTABLE Tutorial

A Neat write up on securing Cent OS

Example Filter Script

Here is the filter rule set that I use. On CentOS the rules must be in /etc/sysconfig/iptables. I have tested it on CentOS only.

*filter

# By default drop all incoming and forwarded packets
:INPUT DROP [0:0]
:FORWARD DROP [0:0]

# By default allow all packets that originate from your machine to the outside world
:OUTPUT ACCEPT [0:0]

# Now allow the incoming packets of an established outgoing connection from your machine
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow required incoming ports. Here I am allowing packets whose destination port is
# http, https, or SSH
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

# Accept from local host
-A INPUT -i lo -j ACCEPT

# Accept echo requests. This is useful to test whether your server is alive
-A INPUT -p icmp --icmp-type ping -j ACCEPT

COMMIT


Save the file.

To be safe, make the file readable only by root:

$ chmod 600 /etc/sysconfig/iptables


Now restart the iptables service as follows on CentOS. This should be similar on other flavours as well.

$ service iptables restart        # if you are root
OR
$ sudo service iptables restart   # if you have privilege to gain root permission


Test it out
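Added example (not code from the original post): a read-only audit of a rule file in the iptables-save format shown above, run before "service iptables restart" so that a typo in the file does not cut off your own SSH session. It checks the properties the rule set relies on (default DROP on INPUT and FORWARD, the ESTABLISHED,RELATED accept, the loopback accept, a closing COMMIT) and lists the TCP ports accepted from any source; the file path is the caller's choice and nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads a file in
# iptables-save format (e.g. /etc/sysconfig/iptables) and reports on it.

# Default policy of a chain, e.g. "chain_policy file INPUT" prints DROP.
chain_policy() {
    awk -v c=":$2" '$1 == c { print $2; exit }' "$1"
}

# TCP destination ports accepted on INPUT with no source restriction (-s),
# one per line, in rule order.
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ && !/ -s / {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Replies to connections this host opened must get back in, or every
# outbound yum/wget hangs under a default-DROP INPUT chain.
has_stateful_accept() {
    grep -Eq '^-A INPUT .*(-m state --state|-m conntrack --ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT' "$1"
}

has_loopback_accept() {
    grep -Eq '^-A INPUT -i lo -j ACCEPT' "$1"
}

# Prints findings; returns 0 only if the file has the shape of the rule set above.
audit_rules() {
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$1" "$chain")
        [ "$pol" = "DROP" ] || { echo "$chain policy is '${pol:-unset}', expected DROP"; rc=1; }
    done
    has_stateful_accept "$1" || { echo "no ESTABLISHED,RELATED accept on INPUT"; rc=1; }
    has_loopback_accept "$1"  || { echo "loopback (-i lo) is not accepted"; rc=1; }
    grep -q '^COMMIT$' "$1"   || { echo "no COMMIT line: iptables-restore expects one at the end of the table"; rc=1; }
    echo "TCP ports accepted from any source: $(open_tcp_ports "$1" | tr '\n' ' ')"
    return $rc
}
```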

Enabling TCP Wrappers to Add Another Layer of Security

Many network applications consult two files named hosts.deny and hosts.allow before granting access to users who want to use them. In securing Linux, it is recommended to add several layers of security, so that even if one is compromised, the others can still hold guard. TCP Wrappers is another such layer of security against network intruders.

Any application that consults these two files has the following flow:

  1. hosts.allow is checked for a "service name: connection address" pair match.
  2. If it matches, then access is granted.
  3. If it does not match, then hosts.deny is checked. If a "service name: connection address" pair matches, then access is denied.
  4. If it does not match in hosts.deny either, then access is granted.


Here are the basic rules for hosts.allow:

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# Allow connections from 127.0.0.1 (localhost) to all INET services
ALL: 127.0.0.1

# Allow connections from all internet addresses to the sshd service
sshd: ALL


Here are the basic rules for hosts.deny:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# Simply deny access from any address to any service. This is a "deny first,
# allow what is required" policy
ALL: ALL


Save the files. Now you are set.
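Added example (not code from the original post): a small script that walks the four-step hosts.allow / hosts.deny decision described above for a given service and client address, so a rule change can be checked before it locks you out; the real tool for that job is tcpdmatch(8) from the tcp_wrappers package. Only the hosts_access(5) patterns used above are modelled (ALL, an exact address, and a trailing-dot network prefix such as "192.168.1."), and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Models the subset of
# hosts_access(5) syntax used above; use tcpdmatch(8) for the real thing.

# Does any pattern in a comma-separated list match the name or address?
pattern_matches() {   # usage: pattern_matches "192.168.1., 10.0.0.1" 10.0.0.1
    for pat in $(echo "$1" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            *.)  case $2 in "$pat"*) return 0 ;; esac ;;   # trailing dot: network prefix
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Does any "daemon_list : client_list" line in the file cover the pair?
# Comment lines and lines without a colon are skipped.
file_matches() {   # usage: file_matches /etc/hosts.allow sshd 203.0.113.9
    grep -v '^[[:space:]]*#' "$1" | grep ':' |
        while IFS=: read -r daemons clients _rest; do
            pattern_matches "$daemons" "$2" && pattern_matches "$clients" "$3" && echo match
        done | grep -q match
}

# The decision flow from the text: the allow file wins, then the deny file,
# and if neither matches the default is to grant access.
tcpd_decision() {   # usage: tcpd_decision /etc/hosts.allow /etc/hosts.deny sshd 203.0.113.9
    if file_matches "$1" "$3" "$4"; then echo granted; return 0; fi
    if file_matches "$2" "$3" "$4"; then echo denied;  return 1; fi
    echo granted; return 0
}
```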


Aug 03 2007

Doing Away with the Need for Root Account in Linux


After installing Linux, it is a good idea to do away with the root account. This is part of making your system as secure as possible. Almost all Linux installations come with a program named sudo that gives root privileges to normal users without their knowing the root password. This way you can execute commands that are meant to be executed by root. Follow the steps below to enable a user to obtain root privileges:

  • Any user or group who should be able to gain root privileges must be enabled in /etc/sudoers. The normal practice is to allow the users belonging to the group wheel to run all root-privileged commands.
  • /etc/sudoers is edited with visudo. You need to be root to edit this file.
  • $ visudo
    =========== File snippet below =====================
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
    # User alias specification
    # Cmnd alias specification

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # (the following line has been uncommented)
    %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

  • Now add the user who should have root privileges to the group wheel:
    $ usermod -a -G wheel <username>
    Now test whether that particular user can gain root privileges. First log in to the system with the username you want to test:
    $ wc /etc/sudoers
    wc: /etc/sudoers: Permission denied
    $ sudo wc /etc/sudoers
    password: # enter your account password here
    28 94 579 /etc/sudoers
    If you can count the words in that file, that means you can run any command that requires root privileges.

If you use SSH to log in to your machine remotely, then follow the procedure below to disallow root from logging in:

  • Again, it is good practice to create a group whose users will be allowed SSH access.
  • Create a group named sshusers:
  • $ sudo groupadd sshusers
    $ sudo usermod -a -G sshusers <username who needs SSH access>
    Now open /etc/ssh/sshd_config to disable root login and enable the group sshusers:
    $ sudo vi /etc/ssh/sshd_config
    =========== File snippet. Only the required portion is shown ===========
    #LoginGraceTime 2m
    PermitRootLogin no
    # Add this line to the file:
    AllowGroups sshusers

    Test it out by logging in as root. You should get an Access Denied message.

    Now try to log in using a user that belongs to the sshusers group. You should be able to log in.
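Added example (not code from the original post): a check that sshd_config really ends up with "PermitRootLogin no" and an AllowGroups line that names sshusers, and that an account is in the groups the two procedures above rely on (wheel for sudo, sshusers for SSH). sshd takes the first value it sees for a keyword, so a "PermitRootLogin yes" left higher in the file silently wins over one added at the bottom, and the audit applies the same rule; paths and group names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and group names
# are assumptions; nothing here modifies the system.

# Effective global value of a keyword: the first non-comment occurrence
# before any Match block, which is how sshd resolves it. Keywords are
# case-insensitive.
sshd_setting() {   # usage: sshd_setting /etc/ssh/sshd_config PermitRootLogin
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# 0 if the file disables root login and restricts SSH to the named group;
# otherwise prints what is wrong and returns 1.
sshd_config_ok() {   # usage: sshd_config_ok /etc/ssh/sshd_config sshusers
    rc=0
    prl=$(sshd_setting "$1" PermitRootLogin)
    [ "$prl" = "no" ] || { echo "PermitRootLogin is '${prl:-unset, server default applies}'"; rc=1; }
    ag=$(sshd_setting "$1" AllowGroups)
    case " $ag " in
        *" $2 "*) ;;
        *) echo "AllowGroups is '${ag:-unset}', does not include $2"; rc=1 ;;
    esac
    return $rc
}

# 0 if the account is a member of the group (primary or supplementary).
user_in_group() {   # usage: user_in_group alice wheel
    case " $(id -nG "$1" 2>/dev/null) " in *" $2 "*) return 0 ;; esac
    return 1
}

# Stand-alone use after editing sshd_config, e.g.:
#   sshd_config_ok /etc/ssh/sshd_config sshusers && user_in_group "$USER" sshusers
```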

