Tag Archives: security

Protect your web server with SSL certificate

If you are a system administrator running a web server, you will want to protect it so that no one can break into it and misuse the important data it holds. Networks by themselves are not secure enough; you have to find other ways to make your server more secure. In this article we will examine ways in which you can help guard your important data.

Nowadays all E-commerce applications (banking and online shopping, for example) are encrypted using either the SSL or the TLS specification. SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. TLS is based on SSL 3.0, so the two are very similar in nature. For a secure web connection the SSL connection is established first, and the HTTP communication is then “tunneled” through it.

Note: Name-based virtual hosting happens at the HTTP layer, but, as said above, SSL is established before any HTTP communication takes place, so the server must present its certificate before it can learn which virtual host the client wants. In short, name-based virtual hosting does not work easily with SSL.

To verify identities and to establish the session parameters along with a session key, asymmetric cryptography is used while the connection between an SSL client and an SSL server is being established. A symmetric encryption algorithm (DES or RC4) is then used with the negotiated key to encrypt all data transmitted during the session. In other words, asymmetric encryption (during the handshake phase) provides safe key exchange, whereas symmetric encryption works on the session data, because it is faster and more practical for bulk traffic.

For the client to verify the identity of the server, the server must have a private key and a certificate (which contains the public key and information about the server). The client also holds a public key, which it uses to verify the server’s certificate (the key held by the client is checked against the public key presented in the certificate).

Certificates are generally digitally signed by third-party certificate authorities (CAs), which have verified the identity of the requester and the validity of the request to have the certificate signed. In most cases a CA is a company that contracts with web-browser vendors to have its own certificate installed and trusted by default in client installations. The CA then earns money by charging server operators for its services.

There are many commercial certificate authorities, which differ in features and price, but as people say, “Price is not always an indication of quality”. VeriSign, InstantSSL and Thawte are some popular CAs.

Instead of going to a certificate authority you can create a self-signed certificate, but it should be used only for testing, when the number of people who will access your server is small.

Another option is to run your own certificate authority, but we are not going to cover that in this article.

Generating SSL keys

Delete the old key and certificate

chankey@linuxstall:$ rm /etc/pki/tls/private/localhost.key
chankey@linuxstall:$ rm /etc/pki/tls/certs/localhost.crt

Create your own key

chankey@linuxstall:$ cd /etc/pki/tls/certs
chankey@linuxstall:$ make genkey
umask 77 ; \
	/usr/bin/openssl genrsa -aes128 2048 > /etc/pki/tls/private/localhost.key
Generating RSA private key, 2048 bit long modulus
.................+++
.......................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

Creating self-signed certificate

chankey@linuxstall:$ make testcert
umask 77 ; \
	/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Rajasthan
Locality Name (eg, city) [Default City]:Jaipur
Organization Name (eg, company) [Default Company Ltd]:Linux Stall
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.linuxstall.com
Email Address []:admin@linuxstall.com

This is how it looked on my server:

[screenshot: ssl certificate linux]

This will create the file localhost.crt in /etc/pki/tls/certs/. Now open the file ssl.conf, which is located in /etc/httpd/conf.d/, and make sure it points at that certificate with the directive given below:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Restart your web server

chankey@linuxstall:$ service httpd restart

Now you’re done. Open your browser and use https in front of each URL instead of http. You can ignore the certificate validation warning your browser may show, since the certificate is self-signed.

Removing password encryption on private key

You will notice that whenever you restart your server it asks for the certificate’s pass phrase. This is a security measure: even if someone breaks into your server and steals the private key file, the encrypted key is just a jumbled mess to them and they cannot make use of it. Without such protection, a cracker who obtained your private key could easily masquerade as you, appearing legitimate to every client.

If you are willing to accept the risk and cannot stand having to enter the pass phrase every time your server starts, you can remove the password encryption from the private key with the command given below:

chankey@linuxstall:$ cd /etc/pki/tls/private
chankey@linuxstall:$ /usr/bin/openssl rsa -in localhost.key -out localhost.key
Enter pass phrase for localhost.key: *******

Now you will be able to restart the server without entering a pass phrase.

Troubleshooting

The following tips will help if you are having problems with your SSL certificate:

  • You should know that only one SSL certificate can be used per IP address. If you want to host more than one SSL-enabled web site on your server, you must bind another IP address to the network interface.
  • Don’t block port 443 on your server. All https requests arrive on port 443; if this port is blocked you will not be able to get secure pages.
  • The certificate expires after one year. Don’t forget to renew your certificate with your CA before it expires.
  • The mod_ssl package must be installed on your server. If it is not, you will not be able to serve any SSL-enabled traffic.
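As an added example (not code from the article or from the RHEL Makefile it uses), here are the key and certificate steps above done non-interactively, followed by the checks a practitioner runs afterwards: that the key file is readable only by its owner (which matters once the pass phrase is removed), that the certificate really belongs to the key, and how far away the expiry is, which covers the renewal tip. The subject fields and the hostname www.example.test are placeholders, and the files are written to a temporary directory rather than /etc/pki/tls; only the openssl command-line tool is assumed to be present.

```shell
#!/bin/bash
# Added example: non-interactive key + self-signed certificate, then three checks.
# Assumes the openssl CLI. Paths/hostnames below are constructed placeholders.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# 2048-bit RSA key with no pass phrase (the state the article ends up in after
# "openssl rsa -in localhost.key -out localhost.key"). umask 077 makes the file
# owner-readable only from the moment it is created, like the Makefile's umask 77.
make_key() {  # $1 = key path
    ( umask 077; openssl genrsa -out "$1" 2048 >/dev/null 2>&1 )
}

# Self-signed certificate; -subj replaces the interactive Distinguished Name prompts.
# The Common Name must be the hostname clients will type into the browser.
make_selfsigned_cert() {  # $1 = key, $2 = cert out, $3 = common name, $4 = days
    openssl req -new -x509 -key "$1" -out "$2" -days "$4" \
        -subj "/C=XX/ST=Example State/L=Example City/O=Example Org/CN=$3" >/dev/null 2>&1
}

# A certificate only works with the key it was built from: compare the public key
# extracted from each side. Prints "yes" or "no".
cert_matches_key() {  # $1 = key, $2 = cert
    local kh ch
    kh=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    ch=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$kh" = "$ch" ] && echo yes || echo no
}

# Exit 0 if the certificate is still valid $2 seconds from now (renewal check).
cert_valid_for() {  # $1 = cert, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Octal mode bits of a file, e.g. 600 (GNU stat first, BSD stat as fallback).
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

demo() {
    local d
    d=$(mktemp -d)
    make_key "$d/localhost.key"
    make_selfsigned_cert "$d/localhost.key" "$d/localhost.crt" www.example.test 365
    echo "key mode       : $(key_mode "$d/localhost.key")"
    echo "cert/key match : $(cert_matches_key "$d/localhost.key" "$d/localhost.crt")"
    if cert_valid_for "$d/localhost.crt" $((30 * 24 * 3600)); then
        echo "expiry         : more than 30 days away"
    else
        echo "expiry         : within 30 days, renew now"
    fi
    rm -rf "$d"
}

if have_openssl; then demo; fi
```

The cert/key comparison is the check to run whenever a certificate is replaced (a renewed certificate dropped next to an old key is a common cause of a web server that refuses to start), and the -checkend call is what a cron job can use to warn before the one-year expiry mentioned above.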

How to block a country using iptables?

If you are the admin of a website and you see a lot of bogus traffic coming from countries that bring you no profit, and you want to block those countries from accessing your website, you can use the bash script given below.

There are two ways to block countries: the first is to configure your Apache server, the second is to set iptables rules. We will do it with iptables. First of all, download the IP zone file of the country you want to block (the script below fetches it from the ipdeny.com country list).

The script will not stop people from that country who are using a proxy server or who have spoofed their IP address.

#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (cn). Use lower-case ISO codes ###
ISO="af cn"
 
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
 
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
 
# NOTE: this flushes every rule and chain in the filter, nat and mangle tables
# and resets the default policies to ACCEPT, so any other firewall rules must
# be re-applied afterwards (see the end of the script).
cleanOldRules(){
	$IPT -F
	$IPT -X
	$IPT -t nat -F
	$IPT -t nat -X
	$IPT -t mangle -F
	$IPT -t mangle -X
	$IPT -P INPUT ACCEPT
	$IPT -P OUTPUT ACCEPT
	$IPT -P FORWARD ACCEPT
}
 
# create a dir for the zone files
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
 
# clean old rules
cleanOldRules
 
# create a new iptables chain
$IPT -N $SPAMLIST
 
for c in $ISO
do
	# local zone file
	tDB="$ZONEROOT/$c.zone"
 
	# get fresh zone file; skip this country if the download fails so that
	# a partial or empty file is never fed to iptables
	if ! $WGET -q -O "$tDB" "$DLROOT/$c.zone"; then
		echo "download of $c.zone failed, skipping $c" >&2
		/bin/rm -f "$tDB"
		continue
	fi
 
	# country specific log message
	SPAMDROPMSG="$c Country Drop"
 
	# get the CIDR blocks, skipping comment and blank lines
	BADIPS=$($EGREP -v "^#|^$" "$tDB")
	for ipblock in $BADIPS
	do
	   $IPT -A $SPAMLIST -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A $SPAMLIST -s "$ipblock" -j DROP
	done
done
 
# Send INPUT, OUTPUT and FORWARD through the country chain before any other rule
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
 
# call your other iptables script
# /path/to/other/iptables.sh
 
exit 0

You must be logged in as the ‘root’ user to run this script. List the ISO codes of the countries you want to block in ‘ISO’.

To run the script

# /path/block_country.sh

You can add this script to crontab so that it will run automatically.

@weekly /path/block_country.sh

Below is another script which does the same work:

#!/bin/bash
### Put a comma-separated list of country codes here ###
COUNTRIES="AK,AR"
WORKDIR="/root"
#######################################
cd "$WORKDIR" || exit 1
# quote the URL so the shell does not treat "?" as a glob character
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"
if [ -f iptables-blocklist.txt ]; then
  # NOTE: -F flushes every existing rule, not just the old country blocks
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  # skip comment and blank lines
  IPS=$(grep -Ev "^#|^$" "$BLOCKDB")
  for i in $IPS
  do
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
  done
  rm -f "$WORKDIR/$BLOCKDB"
fi
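Both scripts above hand whatever the download returned straight to iptables, so a truncated file or an HTML error page ends up as bad rules or an aborted run. The following is an added example, not part of the article or of either script: it validates a zone file line by line and turns it into the same LOG/DROP chain the first script builds, but only prints the iptables commands instead of executing them, so it needs no root and the result can be reviewed before it is applied. The zone content is constructed inline; the chain name countrydrop and the country code xx are placeholders.

```shell
#!/bin/bash
# Added example: validate a country zone file before building iptables rules from it.
# Nothing here touches the firewall; the rules are printed for review.
set -eu

# True if $1 is an IPv4 CIDR block: a.b.c.d/n, each octet 0-255, n 0-32.
is_ipv4_cidr() {
    # only digits, dots and exactly one "/" may appear; prefix length must be digits
    case "$1" in ''|*[!0-9./]*|*/*/*|*/*.*|/*|*/) return 1;; esac
    local ip="${1%/*}" len="${1#*/}" o
    [ "$ip" != "$1" ] || return 1              # no "/" at all
    [ "$len" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1;; esac  # empty octet
    local IFS=.
    set -- $ip                                 # split on dots (no glob chars possible here)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the CIDR blocks of a zone file, skipping comment and blank lines.
# Fails (exit 1) on the first line that is not a CIDR, so a half-downloaded
# file or an HTML error page never produces a single rule.
validate_zone() {  # $1 = zone file
    local line n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue;; esac
        if ! is_ipv4_cidr "$line"; then
            echo "$1:$n: not an IPv4 CIDR block: '$line'" >&2
            return 1
        fi
        echo "$line"
    done < "$1"
}

# Emit the iptables commands for one country, in the layout the first script
# uses (LOG then DROP per block, in a dedicated chain). Emits nothing at all
# if validation fails, so there is never a partially built rule set.
plan_rules() {  # $1 = country code, $2 = zone file, $3 = chain name
    local cidrs cidr
    cidrs=$(validate_zone "$2") || return 1
    for cidr in $cidrs; do
        printf 'iptables -A %s -s %s -j LOG --log-prefix "%s Country Drop "\n' "$3" "$cidr" "$1"
        printf 'iptables -A %s -s %s -j DROP\n' "$3" "$cidr"
    done
}

# Demo on a constructed zone file (documentation ranges, not a real country list).
demo() {
    local d
    d=$(mktemp -d)
    printf '# constructed sample zone\n\n203.0.113.0/24\n198.51.100.0/24\n' > "$d/xx.zone"
    plan_rules xx "$d/xx.zone" countrydrop
    rm -rf "$d"
}

demo
```

To use this with the first script, run plan_rules on each downloaded zone file and pipe its output to sh only when it succeeds; the cleanOldRules flush should likewise happen only after every zone file has validated, otherwise a failed download leaves the box with no rules at all.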

Understanding file permissions and access rights in Linux

In Linux everything is a file. To set the access rights on a specific file we use the chmod command. To see the access rights (permissions) of a specific file we use the ls -l command. Below we will learn how to see the permissions of a file and how to change them.

Note: To change the permissions of a file you must be logged in as the root user.

Suppose you have a file named linuxstall.txt in a directory named LinuxStall, which is in /tmp. Use the ls -l command to see its permissions:

ls -l /tmp/LinuxStall/linuxstall.txt

The output will be:

-rwxr--r--. 1 root root 0 Jan 5 15:39 /tmp/LinuxStall/linuxstall.txt

Let us first understand what the above line means by breaking it down into parts.

The left-most character can be one of two types, either d or -.
If it is d, the entry is a directory.
If it is -, the entry is a regular file.

In our example it is -, which means it is a file. The nine characters that follow are three groups of three, one group each for the owner, the group and other users.

Part 1: r w x (shows the owner’s access rights)
Explanation:
First bit is r, which means read, i.e. the owner can open this file.
Second bit is w, which means write, i.e. the owner can edit this file.
Third bit is x, which means execute, i.e. the owner can execute this file.

Part 2: r - - (shows the group’s access rights)
Explanation:
First bit is r, which means read, i.e. group members can open this file.
Second bit is -, which means group members cannot edit this file.
Third bit is -, which means group members cannot execute this file.

Part 3: r - - (shows the rights of other users, who are neither the owner nor group members)
Explanation:
First bit is r, which means read, i.e. other users can open this file.
Second bit is -, which means other users cannot edit this file.
Third bit is -, which means other users cannot execute this file.


Changing file permission using chmod command

chmod stands for “change file mode bits”.

There are two methods of changing file permissions with the chmod command.

Syntax: chmod permission path_of_file

Method 1: Numerical Method

In this method we use numeric values which correspond to r, w and x. The numeric values are

r = 4, w = 2, x = 1

chmod 444 /tmp/LinuxStall/linuxstall.txt

will change the permissions of the file linuxstall.txt to

-r--r--r--, which means the owner, group and others can only read this file.

chmod 555 /tmp/LinuxStall/linuxstall.txt

will change the permissions of the file linuxstall.txt to

-r-xr-xr-x, which means the owner, group and others can read and execute the file.

chmod 666 /tmp/LinuxStall/linuxstall.txt

will change the permissions of the file linuxstall.txt to

-rw-rw-rw-, which means the owner, group and others can read and edit the file.

chmod 644 /tmp/LinuxStall/linuxstall.txt

will change the permissions of the file linuxstall.txt to

-rw-r--r--, which means the owner can read and edit the file, while the group and others can only read it.

Hence we saw that the first numeric digit is for the owner, the second for the group and the third for other users. Each digit is the sum of 4 for read, 2 for write and 1 for execute.

Method 2: Alphabetical Method

There are 4 letters associated with it: u, g, o and a.

u stands for owner

g stands for group

o stands for others

a stands for all

To add a permission we use + and to remove a permission we use -.

Example 1: To grant read permission to the group

chmod g+r /tmp/LinuxStall/linuxstall.txt

Example 2: To remove read permission from the group

chmod g-r /tmp/LinuxStall/linuxstall.txt

Example 3: To grant read, write and execute permission to the owner

chmod u+rwx /tmp/LinuxStall/linuxstall.txt

Example 4: To remove execute permission from other users

chmod o-x /tmp/LinuxStall/linuxstall.txt

Example 5: To grant read and write permission to all users

chmod a+rw /tmp/LinuxStall/linuxstall.txt

Notice the use of a? It sets the permission for all users at once.
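As an added example (not from the article), the following converts between the symbolic string shown by ls -l and the octal value given to chmod, flags modes that let every user write a file (the case an administrator should be looking for), and applies a few modes to a temporary file to confirm that what chmod stores is what the table above predicts. Only the nine rwx bits are handled; setuid, setgid and the sticky bit are out of scope. The temporary file and the modes fed to it are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: symbolic <-> octal conversion for the nine rwx bits, plus a
# world-writable check and a round trip through chmod/stat on a temp file.
set -eu

# "-rwxr--r--" or "rwxr--r--" (a trailing "." or "+" from ls -l is ignored) -> "744"
symbolic_to_octal() {
    local s="$1" out="" tri v
    s="${s%[.+]}"                          # drop SELinux/ACL marker, e.g. "-rwxr--r--."
    [ ${#s} -eq 10 ] && s="${s#?}"         # drop the leading "-" or "d"
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    while [ -n "$s" ]; do
        tri="${s%"${s#???}"}"; s="${s#???}"  # take the next three characters
        v=0
        case "$tri" in r??) v=$((v + 4));; esac
        case "$tri" in ?w?) v=$((v + 2));; esac
        case "$tri" in ??x) v=$((v + 1));; esac
        out="$out$v"
    done
    echo "$out"
}

# "744" -> "rwxr--r--"
octal_to_symbolic() {
    local o="$1" out="" d
    [ ${#o} -eq 3 ] || { echo "expected three octal digits: $1" >&2; return 1; }
    while [ -n "$o" ]; do
        d="${o%"${o#?}"}"; o="${o#?}"        # take the next digit
        case "$d" in [0-7]) ;; *) echo "bad digit: $d" >&2; return 1;; esac
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    echo "$out"
}

# Exit 0 if the "others" digit carries the write bit, i.e. any user can edit the file.
is_world_writable() {  # $1 = three octal digits
    local other="${1#??}"
    [ $((other & 2)) -ne 0 ]
}

# Octal mode of a file as stored by the kernel (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# chmod a temporary file to $1 and print the mode read back with stat.
apply_and_read() {  # $1 = three octal digits
    local f
    f=$(mktemp)
    chmod "$1" "$f"
    file_mode "$f"
    rm -f "$f"
}

for m in 444 555 666 644; do
    flag=""
    is_world_writable "$m" && flag="  <- world-writable"
    echo "chmod $m  ->  -$(octal_to_symbolic "$m")  (stored: $(apply_and_read "$m"))$flag"
done
```

The loop at the end reproduces the four chmod examples from the numerical method; the world-writable flag on 666 is the kind of thing an audit script looks for, since a mode that grants w to others lets any local account change the file.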


Conclusion: We saw that each file in Linux has access rights associated with it. They are divided into 3 parts: one for the owner, a second for group users and a third for other users. We can use the chmod command to change the file permissions. There are two methods, the numerical and the alphabetical; the numerical method of setting permissions is preferred, though.