Smashing Theory

Friday, September 1, 2017

CentOS: Enabling SSL (Doesn't work perfectly)

Command:

# cd /etc/httpd/conf.d/
# diff /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org

Result:

105,106c105
< #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
< SSLCertificateFile /etc/pki/tls/certs/ca.crt
---
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
113,114c112
< #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
< SSLCertificateKeyFile /etc/pki/tls/private/ca.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Command:

# sudo openssl genrsa -out ca.key 2048

Result:

Generating RSA private key, 2048 bit long modulus
........................................................................................+++
..........+++
e is 65537 (0x10001)

Command:

# sudo openssl req -new -key ca.key -out ca.csr

Result:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: SOMEWHERE1
Locality Name (eg, city) [Default City]: SOMEWHERE2
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: www.myserver.com
Email Address []:admin@myserver.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: PASSWORD
An optional company name []:

Command:

# sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Result:

Signature ok
subject=/C=US/ST=SOMEWHERE1/L=SOMEWHERE2/O=Default Company Ltd/CN=www.myserver.com/emailAddress=admin@myserver.com
Getting Private key

Command:

# sudo cp ca.crt /etc/pki/tls/certs
# sudo cp ca.key /etc/pki/tls/private/ca.key
# sudo cp ca.csr /etc/pki/tls/private/ca.csr

Command:

# diff /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org

Result:

105,106c105
< #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
< SSLCertificateFile /etc/pki/tls/certs/ca.crt
---
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
113,114c112
< #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
< SSLCertificateKeyFile /etc/pki/tls/private/ca.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Command:

# apachectl restart

Result:

[Fri Sep 01 05:21:33 2017] [warn] module ssl_module is already loaded, skipping

Command:

# sudo mkdir -p /var/www/html/ssl
# sudo mkdir -p /etc/httpd/sites-available
# sudo mkdir -p /etc/httpd/sites-enabled

# apachectl restart
# vi httpd.conf
# diff httpd.conf httpd.conf.bkup20170901

Result:

217d216
< #LoadModule ssl_module modules/mod_ssl.so
1012,1021d1010
<
< #Listen 443
< #<VirtualHost *:443>
< # ServerName www.myserver.com
< # SSLEngine on
< # SSLCertificateFile "/path/to/www.example.com.cert"
< # SSLCertificateKeyFile "/path/to/www.example.com.key"
< #</VirtualHost>
<
< IncludeOptional sites-enabled/*.conf

Command:

# cat ssl.conf

Result:

<VirtualHost *:443>
ServerAdmin admin@myserver.com
DocumentRoot "/var/www/html/ssl/"
ServerName Myserver
ServerAlias myserver
ErrorLog /var/www/html/ssl/error.log

<Directory "/var/www/html/ssl/">
DirectoryIndex index.html index.php
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

Command:

# sudo ln -s /etc/httpd/sites-available/ssl.conf /etc/httpd/sites-enabled/ssl.conf
# apachectl restart

Result:

apachectl: Configuration syntax error, will not run "restart":
Syntax error on line 1021 of /etc/httpd/conf/httpd.conf:
Invalid command 'IncludeOptional', perhaps misspelled or defined by a module not included in the server configuration

Command:

# diff httpd.conf httpd.conf.bkup20170901

Result:

217d216
< #LoadModule ssl_module modules/mod_ssl.so
1012,1021d1010
<
< #Listen 443
< #<VirtualHost *:443>
< # ServerName www.myserver.com
< # SSLEngine on
< # SSLCertificateFile "/path/to/www.example.com.cert"
< # SSLCertificateKeyFile "/path/to/www.example.com.key"
< #</VirtualHost>
<
< Include sites-enabled/

Command:

# apachectl restart

Result:

[Fri Sep 01 05:42:50 2017] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

Reference:

http://www.techrepublic.com/article/how-to-enable-https-on-apache-centos/

CentOS: Installing mod_ssl & openssl

Command:

# sudo yum install mod_ssl openssl

Result:

Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
epel/metalink | 5.4 kB 00:00
* base: ftp.tsukuba.wide.ad.jp
* epel: ftp.riken.jp
* extras: ftp.tsukuba.wide.ad.jp
* updates: ftp.tsukuba.wide.ad.jp
base | 3.7 kB 00:00
cr | 2.9 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-60.el6.centos.5 will be installed
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.14 will be updated
---> Package openssl.x86_64 0:1.0.1e-57.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-60.el6.centos.5 updates 98 k
Updating:
openssl x86_64 1.0.1e-57.el6 base 1.5 M

Transaction Summary
=================================================================================================================================================================
Install 1 Package(s)
Upgrade 1 Package(s)

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): mod_ssl-2.2.15-60.el6.centos.5.x86_64.rpm | 98 kB 00:00
(2/2): openssl-1.0.1e-57.el6.x86_64.rpm | 1.5 MB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 16 MB/s | 1.6 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssl-1.0.1e-57.el6.x86_64 1/3
Installing : 1:mod_ssl-2.2.15-60.el6.centos.5.x86_64 2/3
Cleanup : openssl-1.0.1e-16.el6_5.14.x86_64 3/3
Verifying : openssl-1.0.1e-57.el6.x86_64 1/3
Verifying : 1:mod_ssl-2.2.15-60.el6.centos.5.x86_64 2/3
Verifying : openssl-1.0.1e-16.el6_5.14.x86_64 3/3

Installed:
mod_ssl.x86_64 1:2.2.15-60.el6.centos.5

Updated:
openssl.x86_64 0:1.0.1e-57.el6

Complete!

Wednesday, August 30, 2017

CentOS: iptables

This worked!

Command:

# cat /etc/sysconfig/iptables

Result:

# (1) ポリシーの設定 OUTPUTのみACCEPTにする
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# (2) ループバック(自分自身からの通信)を許可する
-A INPUT -i lo -j ACCEPT

# (3) データを持たないパケットの接続を破棄する
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# (4) SYNflood攻撃と思われる接続を破棄する
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# (5) ステルススキャンと思われる接続を破棄する
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# (6) icmp(ping)の設定
# hashlimitを使う
# -m hashlimit hashlimitモジュールを使用する
# —hashlimit-name t_icmp 記録するファイル名
# —hashlimit 1/m リミット時には1分間に1パケットを上限とする
# —hashlimit-burst 10 規定時間内に10パケット受信すればリミットを有効にする
# —hashlimit-mode srcip ソースIPを元にアクセスを制限する
# —hashlimit-htable-expire 120000 リミットの有効期間。単位はms
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (7) 確立済みの通信は、ポート番号に関係なく許可する
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# (8) 任意へのDNSアクセスの戻りパケットを受け付ける
-A INPUT -p udp --sport 53 -j ACCEPT

# (9) SSHを許可する設定
# hashlimitを使う
# -m hashlimit hashlimitモジュールを使用する
# —hashlimit-name t_sshd 記録するファイル名
# —hashlimit 1/m リミット時には1分間に1パケットを上限とする
# —hashlimit-burst 10 規定時間内に10パケット受信すればリミットを有効にする
# —hashlimit-mode srcip ソースIPを元にアクセスを制限する
# —hashlimit-htable-expire 120000 リミットの有効期間。単位はms
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (10) 個別に許可するプロトコルとポートをここに書き込む。
# この例では、HTTP(TCP 80)とHTTPS(TCP 443)を許可している。
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

Reference:

http://knowledge.sakura.ad.jp/beginner/4048/

CentOS: iptables: Fixing Webserver Accessibility (How secure now?)

Command:

# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org

Result:

1c1,2
< # Generated by iptables-save v1.4.7 on Wed Aug 30 00:09:28 2017
---
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
3,11c4,12
< :INPUT DROP [0:0]
< :FORWARD DROP [0:0]
< :OUTPUT ACCEPT [24:2320]
< -A INPUT -i lo -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
< -A INPUT -p udp -m udp --dport 53 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
---
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
13d13
< # Completed on Wed Aug 30 00:09:28 2017

Reference:

http://programmerbox.com/2013-12-24_vps_construct_procedure_manual/

Tuesday, August 29, 2017

CentOS: iptables: Opening HTTP and HTTPS Ports

Command:

# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org

Result:

13,14d12
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Command:

# service iptables restart

Result:

iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

CentOS: Adding User

Command:

# useradd USERNAME
# passwd USERNAME

Result:

Changing password for user USERNAME.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Command:

# su USERNAME
$ cd ~
$ ls
$ pwd

Result:

/home/USERNAME

SSH: Accessing Virtual Private Server Using RSA Private Key File

Command:

$ cat vps.key

Result:

-----BEGIN RSA PRIVATE KEY-----
fasdfsadfsadJAyxNgvFkJoMF+MEyWV4Qfasdfasd
gTf2LsM2mo6Jodh+VVffsadfsadfsdafsadfa0QPTlY+905/z3e24DYtKHbP
eRfem0kq/H17eguWk4BounPWfJKrYGR1rS00K5OeWfoTAoz6osc3rN8LXwIBIwKB
gQCZXb8ppDdM50Ki7A04CSoEb/qWChMJtIRFGfMI3A+MvFuj/50Wi7zGoQz9wDxW
gv0cNaT/Z/B1z40AAAAAAAAAAAAAAAAAAAAIY83RKh/Kj+Jv8OhW1FNUp/Il7WOs
1zo+owYp9uyT08gE1XBGvMrdam2w77YabIT20Dt2jkKs2wJBfasdfVu88cqmJ2P
F0+JlFbOL5pvldjfkeDkefIesdIdfeIdkXxK343/45uo35lYVj6vXfdsafFeMWD
jHH3EYMCQQD1JcnOz8CGMSeMbFXrdb1erkt3fgcJwny4WotUUoRx5KZinPGSasXv
GmL8zshzHcN9wWFgicXGOcqpQijM8kP1AkAdHoMd4MtnOBFxF6rkhMB+8v4gR0zw
F901P7OURpHAiCf/4lnFD98fadsfsadfasdfasdfuoUFHeHqr/LLMi3jAkBUDPS7
73U1Uq55SbcO5ooR1Vuz8LH0t7W7jMIOSC1o4K4TLn6123cQJk3TBRGGjdygJQtx
jlJv2UzMUTKPaQFbAkAuvRDkvUVb1lvuduolUZHmz3SBdwiKIVMn8+SeXoCT+hL8
SQJ56ary8w+dkfjaldkfkjdekelsldkelf

-----END RSA PRIVATE KEY-----

Command:

$ cat ~/.ssh/config

Result:

Host vps
HostName 111.111.11.111
Port 22
User root
IdentityFile ~/vps.key

Command:

$ chmod 600 ~/vps.key

Command:

$ ssh vps

Result:

[root@v111-111-11-111 ~]#

Charlie Lee: Crypto Hedge: Live Conference With Litecoin Creator Charlie Lee!

Monday, August 28, 2017

Mining Bitcoin with Excel

仕事辞めたい！入社３年以内で辞めていい理由が見るとわかるよ!

PIVX | Private transactions on the blockchain

What is happening to NEM? - NEM on GitHub - Programmer explains

Something strange is happening with EOS - Programmer explains

THE TRUTH | every Bitconnect member has to see this!

Music (音楽)

The Smashing Pumpkins: IN ASHES The Smashing Pumpkins: Cyr
The Smashing Pumpkins: Ramona
The Smashing Pumpkins: Wyttch William Patrick Corgan: Hard Times William Patrick Corgan: Cotillions William Patrick Corgan: Cri De Coeur William Patrick Corgan: Like Lambs William Patrick Corgan: Anon Knights of Malta by Smashing Pumpkins Silvery Sometimes (Ghosts) (Music video) by The Smashing Pumpkins Solara (Music video) by The Smashing Pumpkins Billy Corgan: Pillbox Billy Corgan: Neath The Darkest Eves Aeronaut by William Patrick Corgan