LinuxBabu

Command Line

How to verify matching private key with a certificate

by on Nov.20, 2011, under Basics, Command Line, cPanel, DirectAdmin

An RSA private key contains a series of numbers. Two of them (the modulus and the public exponent) form the "public key"; the others are the private part of the key. The public-key numbers are also embedded in your certificate (we get them from your CSR). To check that the public key in your certificate matches the public portion of your private key, you need to view both and compare the numbers. To view the certificate and the key, run:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The modulus and the public exponent in the key and in the certificate must match. But since the public exponent is almost always 65537, and comparing a long modulus by eye is tedious, you can use the following approach:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

Then compare these much shorter digests. If the keys differ, the digests will differ with overwhelming probability. As a one-liner:

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5

And with automatic comparison (if more than one hash line is displayed, they don't match):

$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

If you want to check which key or certificate a particular CSR belongs to, compute the same digest for the CSR:

$ openssl req -noout -modulus -in server.csr | openssl md5
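The whole check as a reusable shell function, added here as an example (not from the original post): it digests the modulus of the certificate, the key and, optionally, the CSR with the same openssl commands as above and succeeds only when all digests agree. It assumes openssl on PATH and takes the file names as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a certificate, its
# private key and, optionally, the CSR all carry the same RSA modulus by
# hashing each "Modulus=..." line and requiring the digests to agree.
# Assumes openssl on PATH; file names are passed as arguments.

# $1 = openssl subcommand (x509 | rsa | req), $2 = PEM file.
# Prints the SHA-256 of the modulus line; fails (status 2) if no modulus was
# read, e.g. for an EC key, a wrong file type or a missing file.
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null)
    case $m in
        Modulus=*) printf '%s\n' "$m" | openssl sha256 | awk '{ print $NF }' ;;
        *) return 2 ;;
    esac
}

# usage: check_key_matches_cert server.crt server.key [server.csr]
# status 0 = all moduli agree, 1 = mismatch, 2 = a modulus could not be read
check_key_matches_cert() {
    cert_d=$(modulus_digest x509 "$1") || return 2
    key_d=$(modulus_digest rsa "$2") || return 2
    if [ -n "$3" ]; then
        csr_d=$(modulus_digest req "$3") || return 2
    else
        csr_d=$cert_d
    fi
    [ "$cert_d" = "$key_d" ] && [ "$cert_d" = "$csr_d" ]
}

# When run as a script with file arguments, report the result.
if [ "$#" -ge 2 ]; then
    check_key_matches_cert "$@"; rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: certificate and key share the same modulus"
    else
        echo "MISMATCH or unreadable modulus (status $rc)"; exit 1
    fi
fi
```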


List all mysql databases on server

by on Jul.14, 2011, under Command Line

List all MySQL databases on the server:

root@srv1 [~]# mysql -bse "show databases"


How to Disable Telnet access on server

by on Jul.08, 2011, under Command Line

Telnet should be disabled on all web servers; use SSH instead, which is more secure.

Telnet sends usernames and passwords in plain text during login, so anyone able to observe the traffic can obtain them far more easily than with SSH, which encrypts the whole session.

The Telnet server listens for incoming connections on TCP port 23.

1. Login to your server through SSH and su to root.

2. Type pico /etc/xinetd.d/telnet

3. Look for the line: disable = no and replace with disable = yes

4. Now restart the xinetd service: /etc/rc.d/init.d/xinetd restart

5. Turn it off through chkconfig as well, because it can still be started that way:
/sbin/chkconfig telnet off

6. Scan your server to ensure port 23 is closed:
nmap -sT -O localhost
Also run ps -aux | grep telnet and, if anything other than the grep itself shows up, kill that process.
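An added audit script (example code, not from the original post) that checks the three things the steps above change: the disable setting in /etc/xinetd.d/telnet, the chkconfig state, and whether anything still listens on TCP port 23. It assumes a RHEL-style host with xinetd, chkconfig and ss available.

```shell
#!/bin/sh
# Added example (not from the original post): audit that Telnet really is off
# after following the steps above. It checks the xinetd service file, the
# chkconfig state and whether anything still listens on TCP port 23.
# Assumes a RHEL-style host with xinetd, chkconfig and ss.

# Return 0 if the xinetd service file $1 says "disable = yes".
# xinetd treats a missing "disable" line as enabled, so that counts as NOT
# disabled; a missing file counts as disabled because xinetd has nothing to start.
xinetd_service_disabled() {
    [ -e "$1" ] || return 0
    awk 'BEGIN { d = 0 }
         tolower($0) ~ /^[[:space:]]*disable[[:space:]]*=/ {
             v = $0
             sub(/^[^=]*=[[:space:]]*/, "", v)   # drop "disable ="
             sub(/[[:space:]#].*$/, "", v)       # drop trailing blanks or comment
             d = (tolower(v) == "yes")           # last occurrence wins
         }
         END { exit d ? 0 : 1 }' "$1"
}

# Return 0 unless chkconfig lists the xinetd-managed telnet service as "on".
telnet_off_in_chkconfig() {
    ! chkconfig --list 2>/dev/null | grep -Eq '^[[:space:]]*telnet:[[:space:]]*on'
}

# Return 0 if no TCP listener is bound to port 23 (local address column of ss -ltn).
port23_closed() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found, cannot check port 23"; return 2; }
    ! ss -ltn 2>/dev/null | awk '$4 ~ /:23$/ { f = 1 } END { exit f ? 0 : 1 }'
}

audit_telnet() {
    rc=0
    xinetd_service_disabled /etc/xinetd.d/telnet || { echo "FAIL: telnet still enabled in xinetd"; rc=1; }
    telnet_off_in_chkconfig || { echo "FAIL: chkconfig still has telnet on"; rc=1; }
    port23_closed || { echo "FAIL: port 23 is open or could not be checked"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: telnet is disabled"
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "$1" = "--audit" ]; then audit_telnet; fi
```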

:)


OpenSSL Tricks

by on Jul.07, 2011, under Command Line

Create a CSR and a 2048-bit private key (the -out file is the signing request, not a certificate, so name it accordingly)
openssl req -new -nodes -newkey rsa:2048 -out server.csr -keyout server.key

Parsing out the data within a certificate
openssl asn1parse -in server.crt

Checking a certificate/key modulus to see if they correspond
openssl rsa -in server.key -modulus -noout | openssl md5
openssl x509 -in server.crt -modulus -noout | openssl md5

Convert a key from PEM -> DER
openssl rsa -inform PEM -in key.pem -outform DER -out keyout.der

Convert a key from DER -> PEM
openssl rsa -inform DER -in key.der -outform PEM -out keyout.pem

Remove the password from an encrypted private key
openssl rsa -in server.key -out server-nopass.key

Reviewing a detailed SSL connection
openssl s_client -connect 192.168.1.1:443


Rebuilding the initial ram disk (initrd)

by on Jul.06, 2011, under Command Line

Installing new hardware may mean that a new kernel module needs to be loaded when your server boots. Making a new initrd file is a two-step process:

First, add the appropriate line to your /etc/modules.conf or /etc/modprobe.conf which corresponds to your new kernel module.

Next, rebuild the initial ram disk after making a backup of the current one:

# cp /boot/initrd-`uname -r`.img /boot/initrd-`uname -r`.img.bak
# mkinitrd -f /boot/initrd-`uname -r`.img `uname -r`

Reboot the server now and make sure the new driver is loaded properly.


Register to Red Hat Network

by on Jul.06, 2011, under Command Line

Running rhn_register will register your server with the Red Hat Network (RHN).

If you want to upgrade your kernel with up2date, you'll have to edit its configuration so that it does NOT skip kernel packages:

up2date --configure
type 24
and then type C and hit enter
and then hit enter again

Type:
up2date -p
that will update your server's package profile at Red Hat so it reflects the packages installed and which updates are available.

Then type
up2date -u
and it will install any updates that are available

But remember you’ll have to setup an account over at Red Hat Network — if you haven’t already, type rhn_register, and that will register your server over at RHN.

And that’s it!


Adding IP aliases in FreeBSD

by on Jul.05, 2011, under Command Line

One question I hear quite often is “how do I add IP aliases in FreeBSD?” It’s not terribly intuitive, but you can follow these steps:

Example:
Server’s primary IP: 192.168.1.11

Additional IP’s to add: 192.168.1.12, 192.168.1.13, and 192.168.1.14

 

Boot-time configuration:
Add it to /etc/rc.conf first (so you don’t forget). In this example, we have a Realtek card called rl0:
ifconfig_rl0="inet 192.168.1.11 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.168.1.12 netmask 255.255.255.0"
ifconfig_rl0_alias1="inet 192.168.1.13 netmask 255.255.255.0"
ifconfig_rl0_alias2="inet 192.168.1.14 netmask 255.255.255.0"

IMPORTANT NOTE: Start with the number 0 (zero) any time that you make IP alias configurations in /etc/rc.conf.
This is BAD form:

ifconfig_rl0="inet 192.168.1.11 netmask 255.255.255.0"
ifconfig_rl0_alias1="inet 192.168.1.12 netmask 255.255.255.0"
ifconfig_rl0_alias2="inet 192.168.1.13 netmask 255.255.255.0"
ifconfig_rl0_alias3="inet 192.168.1.14 netmask 255.255.255.0"

If you do it the wrong way (which means starting the aliases with anything but alias0), only the primary IP comes up. Keep that in mind.
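An added check (example code, not from the original post) for exactly the numbering mistake described above: it reads an rc.conf-style file and reports any interface whose ifconfig_<if>_aliasN entries do not start at alias0 or have a gap. The file path is an argument; only POSIX awk is used.

```shell
#!/bin/sh
# Added example (not part of the original post): check an /etc/rc.conf-style
# file for the alias numbering mistake described above. For each interface the
# ifconfig_<if>_aliasN entries must start at alias0 and be contiguous; after a
# gap the remaining aliases are not configured at boot.
# usage: check_rc_aliases /etc/rc.conf   (exit 0 = ok, 1 = problem reported)

check_rc_aliases() {
    awk '
    # e.g. ifconfig_rl0_alias2="inet 192.168.1.14 netmask 255.255.255.0"
    match($0, /^ifconfig_[A-Za-z0-9_]+_alias[0-9]+=/) {
        name = substr($0, 1, RLENGTH - 1)       # ifconfig_rl0_alias2
        idx = name;  sub(/^.*_alias/, "", idx)  # 2
        ifc = name;  sub(/^ifconfig_/, "", ifc)
        sub(/_alias[0-9]+$/, "", ifc)           # rl0
        seen[ifc, idx + 0] = 1
        if (!(ifc in max) || idx + 0 > max[ifc]) max[ifc] = idx + 0
    }
    END {
        bad = 0
        for (ifc in max) {
            for (i = 0; i <= max[ifc]; i++) {
                if (!((ifc, i) in seen)) {
                    printf "%s: alias%d is missing, so aliases after it never come up\n", ifc, i
                    bad = 1
                    break
                }
            }
        }
        exit bad
    }' "$1"
}

if [ "$#" -eq 1 ]; then check_rc_aliases "$1" && echo "alias numbering OK"; fi
```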

Bringing up the new IP’s:
You can do things the extraordinarily dangerous way:
# /etc/rc.network restart

Or, you can follow the recommended steps:
# ifconfig rl0 alias 192.168.1.12 netmask 255.255.255.0
# ifconfig rl0 alias 192.168.1.13 netmask 255.255.255.0
# ifconfig rl0 alias 192.168.1.14 netmask 255.255.255.0

Test your work:
Any good system administrator knows to test things once they're configured. Make sure to ping your new IP's from a source on your network and from outside your network (if possible/applicable).


Crontab basics

by on Jun.29, 2011, under Basics, Command Line

cron is a Unix/Solaris utility that lets tasks run automatically in the background at regular intervals, driven by the cron daemon. These tasks are commonly called cron jobs.
Crontab (CRON TABle) is the file that holds the schedule of cron entries and the times at which they are to be run.


Crontab syntax


A crontab file has five fields specifying the day, date and time, followed by the command to be run at that interval.

*     *     *     *     *  command to be executed
-     -     -     -     -
|     |     |     |     |
|     |     |     |     +----- day of week (0 - 6) (Sunday=0)
|     |     |     +------- month (1 - 12)
|     |     +--------- day of month (1 - 31)
|     +----------- hour (0 - 23)
+------------- min (0 - 59)

A * in a field means all legal values for that column (the ranges shown in parentheses above).
A field can hold a * or a comma-separated list of elements. An element is either a single number in the range shown above or two numbers in that range separated by a hyphen (meaning an inclusive range).

Crontab Example

min    hour   day/month   month    day/week   Execution time
30     0      1           1,6,12   *          00:30 Hrs on the 1st of Jan, June and Dec
0      20     *           10       1-5        8.00 PM every weekday (Mon-Fri), only in Oct
0      0      1,10,15     *        *          midnight on the 1st, 10th and 15th of the month
5,10   0      10          *        1          12.05 and 12.10 AM every Monday, and on the 10th of every month
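An added example (not from the original post) that evaluates a five-field schedule against a given minute. It implements the field syntax just described and the standard cron rule that when both day-of-month and day-of-week are restricted, the job runs if either one matches (which is why the last table row fires on every Monday and on the 10th). The time is passed as five numbers in the same field order.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a five-field cron
# schedule fires at a given minute. Implements the field syntax described above
# (*, single values, comma lists, inclusive a-b ranges) and the standard cron
# rule that when BOTH day-of-month and day-of-week are restricted (not *), the
# job runs when EITHER of them matches. Day-of-week 7 is treated as Sunday.
# usage: cron_matches "min hour dom mon dow" "MIN HOUR DOM MON DOW"  (exit 0 = fires)

cron_matches() {
    awk -v spec="$1" -v when="$2" '
    # 1 if the integer v is covered by field f, e.g. "*", "5", "1-5", "1,6,12", "1-5,10"
    function field_ok(f, v,    n, i, p, r, lo, hi) {
        if (f == "*") return 1
        n = split(f, p, ",")
        for (i = 1; i <= n; i++) {
            if (split(p[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = p[i] + 0; hi = lo }
            if (v >= lo && v <= hi) return 1
        }
        return 0
    }
    BEGIN {
        if (split(spec, s, " ") != 5 || split(when, t, " ") != 5) exit 2
        for (i = 1; i <= 5; i++) t[i] += 0
        if (t[5] == 7) t[5] = 0
        ok  = field_ok(s[1], t[1]) && field_ok(s[2], t[2]) && field_ok(s[4], t[4])
        dom = field_ok(s[3], t[3]); dow = field_ok(s[5], t[5])
        day = (s[3] != "*" && s[5] != "*") ? (dom || dow) : (dom && dow)
        exit (ok && day) ? 0 : 1
    }'
}

# e.g. ./cron_matches.sh "30 0 1 1,6,12 *" "30 0 1 6 3"  -> fires
if [ "$#" -eq 2 ]; then
    if cron_matches "$1" "$2"; then echo "fires"; else echo "does not fire"; fi
fi
```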


By default cron e-mails the job's output to the user account that runs the cron job. If you don't want this, append the following redirection to the end of the cron job line:

>/dev/null 2>&1


To collect a job's output in a log file instead (both stdout and stderr, since rm only reports errors on stderr):

30 18  *    *   *    rm /home/someuser/tmp/* > /home/someuser/cronlogs/clean_tmp_dir.log 2>&1


Uninstall APF

by on Jan.24, 2010, under Basics, Command Line, cPanel, DirectAdmin

Sometimes you may need to remove APF from a server. This guide shows how to remove APF completely.

Stop the firewall first
service apf stop
Disable it at startup while the init script is still present (chkconfig reads the service definition from it)
chkconfig apf off
Remove the cron for APF
/bin/rm -fv /etc/cron.daily/fw
Lastly remove the init script and the APF directory
/bin/rm -fv /etc/init.d/apf
/bin/rm -rfv /etc/apf

This should remove APF completely from the server as we removed the APF daemon, cron and files.


What is APF (Advanced Policy Firewall)? APF Firewall

by on Mar.06, 2009, under Basics, Command Line, cPanel

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaging in tar.gz and RPM formats makes APF ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure the APF firewall, one of the better-known Linux firewalls available.

Requirements:
- Root SSH access to your server

Let's begin!

1. Login to your server through SSH and su to the root user, then cd /root/downloads (or another temporary folder where you store your files).

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-9.6-5/ (or whatever the latest version is).

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 9.6-5: Completed.
Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
Other Details
Listening TCP ports: 53,2086,2087,3306
Listening UDP ports: 53,39437

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Let's configure the firewall: nano -w /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

cPanel Servers
We like to use the following on our cPanel servers:

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Ensim Servers
We have found that the following can be used on Ensim servers, although we have not tried these ourselves, as we don't run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall

9. Once everything is working, change the DEVM option
In development mode (DEVM="1") a cron job flushes the firewall every 5 minutes. We recommend changing this back to "0" only after you have tested the server and confirmed everything is working well.

nano -w /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Checking the APF Log

Will show any changes to allow and deny hosts among other things.
tail -f /var/log/apf_log

