Category: Security

Email, Linux, Postfix, Security

Fixing Spamassassin in Debian Jessie(8)

Introduction: For a long time under Debian Wheezy, Spamassassin was running quite well, until I upgraded the system to Jessie. That is when Spamassassin (spamd) started to crash every now and then without giving much reason why. Cause of error message: Looking in the system logs (/var/log/syslog) I found the following error: spamd[7490]: util: refusing to untaint …

Apache, Linux, Security

Using HTTPS as proxy backend in Apache 2.4

Introduction: In an Apache 2.4 Vhost, in order to proxy to a backend over HTTPS when the backend uses either a self-signed or expired certificate, we need to include the following directives: SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off You also need to enable the required Apache2 modules …

Linux, NGinX, Security, Wordpress

Redirecting HTTP to HTTPS in NginX

Here is a working method of redirecting any requested HTTP URL to HTTPS in NginX VirtualHosts that handle both HTTP and HTTPS. For example, to have a single vhost support both HTTP and HTTPS you normally have the following directives: # Support for HTTP and HTTPS listen 80; listen 443 ssl; ssl_certificate /etc/letsencrypt/live/www.myserver.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.myserver.com/privkey.pem; …

Apache, Linux, MAC OS X, Postfix, Security, Windows, Wordpress

Testing SSL Connections with SSLyze, Nmap or OpenSSL

Introduction: OpenSSL is a great tool to check SSL connections to servers. The difficulty here is when one wants a full scan of all possible SSL ciphers and protocols used by a server. That is where SSLyze comes in handy. This tool is a Python script which will scan the target host/port for SSL handshake …

Bash, Linux, Security

Recursively delete files securely: shredding

Description: Every administrator should know that when we delete a file on the hard disk, almost nothing is really deleted. The space used by the files is simply put back on the list of 'free to use' space in the filesystem and will no longer appear in the directory listing. This means forensic tools can …

GlusterFS, Linux, Monitoring, Security

Reporting SMART status of RAID disks

Reference site: http://www.cyberciti.biz/faq/linux-checking-sas-sata-disks-behind-adaptec-raid-controllers/ Note: Although hardware RAID controllers are made by other hardware manufacturers, here I use Adaptec as an example: Install the software: apt-get install smartmontools Curious which company the RAID controller is from? Find out which RAID controller you have: lspci | grep 'RAID' Result: 01:00.0 RAID bus controller: Adaptec Device 028b (rev …

Bash, Linux, Monitoring, Security

Preventing a bash script from running concurrently

Introduction: In order to prevent a bash script instance from running more than once concurrently, here is a small tip on how to write the script. Script template: #!/bin/bash # Prevents an instance of the script from starting while another instance of it is still running scriptname=$(basename $0) lockfile="/tmp/${scriptname}.lock" if [ -e $lockfile ]; then …

Apache, Email, Linux, NGinX, Security, Wordpress

Creating a web certificate CSR file.

The process of buying an SSL certificate for a web site is usually as follows: – You create a secret key and CSR files using the method shown in this post. – You cut and paste the content of the CSR file into a field in an SSL vendor web site – The SSL vendor …

Linux, Security

Scanning for viruses on a Debian/Ubuntu server

Situation: Although most viruses would be mostly harmless in a Linux environment if the viruses are just files lying around, since a server is meant to SERVE, it is one of the best places to spread the viruses to other systems where they could do damage. Solution: Scan the system or certain vulnerable directories …

Linux, Security

Example of using UFW firewall in Debian/Ubuntu

Introduction: I just started to use the firewall UFW, which is a terminal-command-based firewall. The tool seemed a bit difficult to understand at first, but with a bit of trial and error I finally got something working. So here is what I did. I install the UFW firewall: apt-get install ufw Assumption: I …

Apache, Linux, NGinX, Security

Installing pure-ftpd in Debian/Ubuntu

Difficulty with FTP servers and firewall: If you configure a firewall for a host which runs an FTP server, you normally need to leave the port range 1024-65365 open, since you never know which port the FTP server will use to send data to the FTP client. This situation is quite critical if you have …

Apache, Linux, Security

Limiting the number of connected clients on a VirtualHost in Apache

Problem: When a DDOS attack or a burst of requests arrives at the same time on my Apache2 Web server, the whole server can run out of RAM and crash. Possible solution: Limit the number of simultaneous connections to your Web server per VirtualHost. Method: One simple and effective method done directly on the …

Linux, Security

Verifying the integrity of files with md5sum

In order to transfer files and be sure that they were not compromised on their way to their destinations a method of ‘checksumming’ the file’s content can help. Under Linux the tool is called ‘md5sum’. Here is how to use it. For example to check the integrity of the downloaded Ubuntu Linux .iso file. md5sum …

Apache, Linux, Security

Installing VSFTPD for FTP-SSL web sites upload on Ubuntu

In order to force an exclusive use of the SSL/TLS connectivity to users here is how to install it: Note: This tutorial was based on this site: https://www.digitalocean.com/community/tutorials/how-to-configure-vsftpd-to-use-ssl-tls-on-an-ubuntu-vps Install the vsftpd package: sudo apt-get install vsftpd Edit the /etc/vsftpd.conf configuration file and add the following at the end of the file or alternatively adapt the …

Bash, Linux, Security

Encrypt a password with different encryption methods

Situation: I happen to have configured a Linux system with MySQL database and wanted to enter a password in the password field in the DB. Here is a way I found. This will output in the terminal the encrypted string you can then enter directly in the password field via phpmyadmin or mysql client. Note: …

Linux, Postfix, Security

Using TLS for mail delivery from postfix to another TLS activated mail server

Introduction: The default encryption method for delivering email from Postfix to another mail server is 'NONE'. In certain cases, for enhanced security reasons, emails for certain destinations should be encrypted all the way. Meaning: Client 1 ==(TLS)==> Postfix Server ==TLS==> Other email Server ==SSL/TLS==> Client 2 In this case we cannot influence the way the …