Difference between revisions of "Short Notes on Security"

From PaskvilWiki
Revision as of 03:13, 3 January 2012

Apache

Note - serving of local files

Note: Often the initial installation of Apache has the <Directory /> directive (the directive for the root of the filesystem) set to "Allow from All" in [Apache config dir]/sites-available/default! This means the server can serve any file from the filesystem, not just the files in the htdocs document folder, which is typically all you want!

To avoid this, simply change this to "Deny from All".

Self-Signed SSL Certificate

Self-signed certificates might not pass as customer-friendly - in fact, if you need HTTPS/SSL for customer communication, you should always use CA-signed certificates, as those are what induce trust - but often you have private sections/domains/sites where self-signed is just fine, or you might just want to test SSL while waiting for the signed certificate.

Only the steps to get to your certificate are listed here; for details and explanations, see e.g. akadia.com (http://www.akadia.com/services/ssh_test_certificate.html).

# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cp server.crt /etc/apache2/cert/ssl.crt
# cp server.key /etc/apache2/cert/ssl.key
# chmod 400 /etc/apache2/cert/ssl.crt /etc/apache2/cert/ssl.key

Enable SSL/HTTPS in Apache

HowTo: Use the following virtual host definition:

<VirtualHost *:443>
    ServerName ssl-name
    DocumentRoot /var/www/ssl/root
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

where the certificate file and the certificate key file are either authority-signed or self-signed certificate files (see above), and add

NameVirtualHost *:443
Listen 443

to /etc/apache2/ports.conf and restart Apache.
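The two Apache notes above can be checked mechanically. The following is an added example (not from the wiki page): a small Python linter that flags a <Directory /> block granting access to the whole filesystem, checks that a port-443 virtual host carries the SSLEngine and certificate directives, checks for Listen 443, and rewrites "Allow from all" on the root directory to "Deny from all" as the note recommends. The sample configuration is constructed for the example.

```python
import re

# Constructed sample: a default-style site file with the root-directory problem
# the note describes, plus a port-443 vhost missing its key file (not a real system).
SAMPLE_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
<VirtualHost *:443>
    ServerName ssl-name
    DocumentRoot /var/www/ssl/root
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
</VirtualHost>
"""

_ROOT_DIR = re.compile(r"<Directory\s+/\s*>(.*?)</Directory>", re.S | re.I)
_SSL_VHOST = re.compile(r"<VirtualHost\s+[^>]*:443\s*>(.*?)</VirtualHost>", re.S | re.I)
_SSL_REQUIRED = (("SSLEngine", r"SSLEngine\s+on"),
                 ("SSLCertificateFile", r"SSLCertificateFile\s+\S+"),
                 ("SSLCertificateKeyFile", r"SSLCertificateKeyFile\s+\S+"))

def _has(block, directive_re):
    """True if the directive occurs as a whole line (any indentation) in block."""
    return re.search(r"^\s*" + directive_re + r"\s*$", block, re.M | re.I) is not None

def audit(conf):
    """Return findings for the filesystem-root exposure and the SSL vhost setup."""
    findings = []
    for body in _ROOT_DIR.findall(conf):
        # Apache 2.2 'Allow from all' (or 2.4 'Require all granted') on '/' lets the
        # server hand out any readable file on the box, not just the document root.
        if _has(body, r"Allow\s+from\s+all") or _has(body, r"Require\s+all\s+granted"):
            findings.append("<Directory />: whole filesystem is servable; use 'Deny from all'")
    for body in _SSL_VHOST.findall(conf):
        for name, pattern in _SSL_REQUIRED:
            if not _has(body, pattern):
                findings.append("port-443 vhost: missing " + name)
    if not re.search(r"^\s*Listen\s+443\b", conf, re.M | re.I):
        findings.append("no 'Listen 443' (expected in ports.conf)")
    return findings

def harden_root_directory(conf):
    """Rewrite 'Allow from all' inside <Directory /> to 'Deny from all'."""
    def fix(m):
        body = re.sub(r"(?im)^(\s*)Allow\s+from\s+all\s*$", r"\1Deny from all", m.group(1))
        return "<Directory />" + body + "</Directory>"
    return _ROOT_DIR.sub(fix, conf)
```

Run audit() over the concatenated contents of sites-available/*.conf and ports.conf; on the sample it reports the root exposure, the missing SSLCertificateKeyFile and the missing Listen 443.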

Other

Password Generators

  • PHP - replace the '16' with the length of the generated password (28 is the most you can get):
$password = substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);

or, terminal version:

$ php -r "echo substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);"; echo
1hlNxRwBr4mCZWQF
  • Bash - replace the '64' with the length of the generated password (there is no real limit here), and change the character class in tr -d as you please to control which characters the password may contain; the character class shown here consists of all characters that the terminal treats as part of a word (i.e. you can double-click the word and it gets selected as a whole):
$ cat /dev/urandom | tr -d -c "a-zA-Z0-9@#%&\-\_+=:,.?/" | head -c 64; echo
uQ,XGSG4qPtE4.&UQT,jPA#=a8j-mhy+qjQUg:m#s7g1@c2-#J8D-,3zQFd+o_-W
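The Bash pipeline above is rejection sampling: random bytes are read and only those in the allowed class are kept. As an added example (not from the wiki page), the same idea in Python over the same character class, alongside the idiomatic secrets-based form, plus the entropy a password of a given length from this class carries; the alphabet string is constructed to match the tr class above.

```python
import math
import os
import secrets

# Same class as the tr -d -c expression above: letters, digits and the punctuation
# that a terminal treats as part of a word (constructed to match the page's list).
WORD_CHARS = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
              "@#%&-_+=:,.?/")

def generate_like_tr(length, alphabet=WORD_CHARS):
    """Mirror the shell pipeline: read urandom bytes, keep only those in the alphabet.
    Rejecting (not remapping) out-of-class bytes keeps every kept character uniform."""
    allowed = set(alphabet.encode())
    out = bytearray()
    while len(out) < length:
        for b in os.urandom(64):  # same /dev/urandom source as the pipeline
            if b in allowed:
                out.append(b)
                if len(out) == length:
                    break
    return out.decode()

def generate(length, alphabet=WORD_CHARS):
    """Idiomatic equivalent using the secrets module (CSPRNG-backed choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet=WORD_CHARS):
    """Entropy of a uniformly chosen password: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))
```

With 75 distinct characters in the class, each position contributes about 6.23 bits, so the 64-character example above carries roughly 398 bits.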

External Links

Apache

Other