Monday, 21 October 2013
iptables: blocking excessive requests, the effect of an F5 key pressed 'carelessly', mass updates
I had been having some trouble with the F5 effect from the server's clients and with how to tune it. Finally, this morning, among other rules, this one lets the same IP send up to 20 requests every 5 seconds, but holds back the rest and lets the server survive.
iptables -A INPUT -p tcp --syn -m recent --set
iptables -A INPUT -p tcp --syn -m recent --update --seconds 5 --hitcount 20 -j DROP
The result can be seen here:
iptables -nvL
30306 1551K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: SET name: DEFAULT side: source
1719 87164 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 recent: UPDATE seconds: 5 hit_count: 20 name: DEFAULT side: source
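To see exactly what the two rules above do per source address, here is a small simulation, written as an added example (it is not code from the post). It mirrors the logic of the xt_recent module in simplified form: the `--set` rule pushes a timestamp into the address's ring of remembered packets, and the `--update --seconds 5 --hitcount 20` rule matches when at least 20 stamps fall within the last 5 seconds, refreshing the entry only when it matched. The ring size `IP_PKT_LIST_TOT` (the module's `ip_pkt_list_tot` parameter) and the traffic below are assumptions for the demo.

```python
"""Simulation of the post's two xt_recent rules (added example, not from the post):

  iptables -A INPUT -p tcp --syn -m recent --set
  iptables -A INPUT -p tcp --syn -m recent --update --seconds 5 --hitcount 20 -j DROP

Assumed model: per source address, a ring of the last IP_PKT_LIST_TOT packet times;
--update matches when >= HITCOUNT of them lie inside the last SECONDS seconds.
"""
from collections import deque

SECONDS = 5
HITCOUNT = 20
IP_PKT_LIST_TOT = 20  # xt_recent default: packet times remembered per address


class RecentTable:
    def __init__(self):
        self.stamps = {}  # ip -> deque of packet times, most recent last

    def set(self, ip, now):
        """--set: create the entry if needed and remember this packet."""
        d = self.stamps.setdefault(ip, deque(maxlen=IP_PKT_LIST_TOT))
        d.append(now)

    def update(self, ip, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds N --hitcount M: match, and refresh, only on a hit."""
        d = self.stamps.get(ip)
        if d is None:
            return False
        hits = sum(1 for t in d if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            d.append(now)  # a matching --update also records the packet
        return matched


def decide(table, ip, now):
    """Run one SYN through the chain in rule order; returns 'ACCEPT' or 'DROP'."""
    table.set(ip, now)          # rule 1 never terminates the chain
    if table.update(ip, now):   # rule 2 has -j DROP
        return "DROP"
    return "ACCEPT"


def simulate(syns):
    """syns: iterable of (time_in_seconds, source_ip). Returns one verdict per SYN."""
    table = RecentTable()
    return [decide(table, ip, now) for now, ip in syns]


if __name__ == "__main__":
    # Constructed traffic: one client hammering F5, a second client with one request,
    # then the first client again after staying quiet for a while.
    burst = [(i * 0.1, "10.0.0.1") for i in range(20)]
    traffic = burst + [(2.0, "10.0.0.1"), (2.1, "10.0.0.2"), (10.0, "10.0.0.1")]
    for (t, ip), verdict in zip(traffic, simulate(traffic)):
        print(f"t={t:5.1f}s {ip:10} {verdict}")
```

Two practical caveats the simulation makes visible: because `--set` runs first, the 20th SYN inside the window is already the one that hits `--hitcount 20`, and once an address is over the limit each further SYN refreshes its stamps, so the client stays blocked until it stops for 5 seconds. Also, `iptables` refuses a `--hitcount` larger than the module's `ip_pkt_list_tot`, so raising the limit beyond 20 needs that module parameter raised as well, and the rules as written apply to SYNs on every TCP port, not only the web server's.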
Sunday, 20 October 2013
apache2 SSL certificates
Updating this, since there was an intermediate step where, not having server.crt created yet, it would not let me create the self-signed certificate.
http://www.akadia.com/services/ssh_test_certificate.html
How to create a self-signed SSL Certificate ... which can be used for testing purposes or internal usage

Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process. Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.
Step 1: Generate a Private Key
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password -
Enter PEM pass phrase:
Step 2: Generate a CSR (Certificate Signing Request)
Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Remove Passphrase from Key
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
The newly created server.key file has no more passphrase in it.
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org
Step 4: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
Step 5: Installing the Private Key and Certificate
When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
Step 6: Configuring SSL Enabled Virtual Hosts
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Step 7: Restart Apache and Test
/etc/init.d/httpd stop
/etc/init.d/httpd start
https://public.akadia.com
FINALLY, TUNING THE CONFIGURATION WORKED VERY WELL FOR ME.
In /etc/apache2/sites-available/default-ssl, set the ServerName value so that it matches this machine's name and the certificate, that is, the FQDN. Creating the self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/server.key -out /etc/apache2/server.crt
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
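The point of the note above is that the certificate's Common Name has to match the `ServerName` Apache will serve it under. The following script is an added example (not code from the post or from the linked tutorials): it creates a key and self-signed certificate with the same one-step `openssl req -x509 -nodes` command the post uses, then runs the checks an admin wants before restarting Apache. It assumes the `openssl` command-line tool is on `PATH`; the host names and file locations are constructed for the demo.

```python
"""Added example (not from the post): create a self-signed certificate the way the
post does and verify it against the Apache ServerName before the restart.
Assumes the `openssl` CLI is installed; host names and paths here are constructed.
"""
import os
import re
import subprocess
import tempfile
from datetime import datetime, timezone


def make_self_signed(key_path, crt_path, fqdn, days=365):
    """Same one-step command as the post: key + cert, no passphrase (-nodes)."""
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", str(days),
         "-newkey", "rsa:2048", "-keyout", key_path, "-out", crt_path,
         "-subj", f"/CN={fqdn}"],
        check=True, capture_output=True)


def cert_common_name(crt_path):
    """CN of the certificate subject, printed in RFC2253 form for stable parsing."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-in", crt_path],
        check=True, capture_output=True, text=True).stdout
    m = re.search(r"CN=([^,\n]+)", out)
    return m.group(1).strip() if m else None


def cert_not_after(crt_path):
    """Expiry as an aware datetime; openssl prints e.g. 'notAfter=Oct 21 10:00:00 2014 GMT'."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", crt_path],
        check=True, capture_output=True, text=True).stdout
    date = out.split("=", 1)[1].strip()
    return datetime.strptime(date, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_vhost(server_name, crt_path, key_path):
    """The three checks to run before `apachectl restart`; all should be True."""
    mode = os.stat(key_path).st_mode & 0o777
    return {
        "cn_matches_servername": cert_common_name(crt_path) == server_name,
        "not_expired": cert_not_after(crt_path) > datetime.now(timezone.utc),
        # an unencrypted (-nodes) key must not be readable by group or others
        "key_private_to_owner": (mode & 0o077) == 0,
    }


def demo(server_name="webserver.example.test"):
    """Build a throwaway key/cert pair and check it against a matching and a wrong ServerName."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        crt = os.path.join(d, "server.crt")
        make_self_signed(key, crt, server_name)
        os.chmod(key, 0o600)
        good = check_vhost(server_name, crt, key)
        bad = check_vhost("other.example.test", crt, key)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matching ServerName:", good)
    print("wrong ServerName:   ", bad)
```

One caveat beyond the post: current browsers ignore the CN and require the host name in a subjectAltName extension, so for OpenSSL 1.1.1 or later add `-addext "subjectAltName=DNS:<fqdn>"` to the `openssl req` command (the check above would then also have to read the SAN list).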
Thursday, 17 October 2013
working with the Freezer console
I had been puzzling over why the Freezer console was not adding the classroom computers....
In the end I set Avast so that it does not scan the Faronics directory (the company behind Freezer), since otherwise it blocks it.
I was going to configure the firewall and was unsure whether the Freezer messages were UDP or TCP; I was clear that 7725 was the port it used.
Finally I set Wireshark listening, filtered on both ports over TCP and UDP, and found the answer: the console continuously polls, over TCP, the machines it already has in its list, but the discovery of a machine running Freezer, from where the console is, is done over UDP.
Look how curious the message is: at the application layer it seems to carry a message in Russian.
Finally, checking a translator, it seems the Freezer server's (the console's) reply to the client is: "Hello, how are you, auntie".... zdrastvujte, ja vasha tetia!
Curious, and I find it amusing.
Tuesday, 15 October 2013
Cisco switch with abnormal TFTP requests, and setting the clock.
A Cisco switch was producing this behaviour in the OSSIM - AlienVault log:
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:38 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
[2 -> 2]
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:35 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
[2 -> 2]
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:31 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
[2 -> 2]
Connecting to it via telnet and looking at the log:
Switch-ciscorack1.3#show log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 14548 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 14548 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
File logging: disabled
Persistent logging: disabled
Trap logging: level informational, 14551 message lines logged
Log Buffer (4096 bytes):
AILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar 26 03:07:40.164: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-ciscorack1.3-confg) failed
*Mar 26 03:08:04.349: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-c.cfg) failed
*Mar 26 03:17:24.750: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar 26 03:17:48.959: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar 26 03:18:28.570: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-ciscorack1.3-confg) failed
*Mar 26 03:18:52.755: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-c.cfg) failed
*Mar 26 03:28:13.181: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar 26 03:28:37.373: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
*Mar 26 03:29:16.968: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-ciscorack1.3-confg) failed
*Mar 26 03:29:41.177: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-c.cfg) failed
*Mar 26 03:39:01.586: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
Apart from being outside working hours, I could not find what was making this TFTP request to port 69 so continuously.
Finally I try to stop it:
Switch-ciscorack1.3(config)#no service config
While I'm at it, I set the clock:
Switch-ciscorack1.3#clock set 18:48:23 Octover 18 2013
^
% Invalid input detected at '^' marker.
Switch-ciscorack1.3#clock set 18:48:23 October 18 2013
How silly, October has a B; I confirm:
Switch-ciscorack1.3#show clock
18:48:42.537 UTC Fri Oct 18 2013
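What the two logs above show together is a switch with `service config` enabled, broadcasting TFTP read requests for the default AutoInstall file names (network-confg, cisconet.cfg, hostname-confg) every few seconds. Here is a small detector for that pattern, written as an added example (not code from the post or from OSSIM): it parses the Snort/OSSIM ticket lines and the IOS `%SYS-4-CONFIG_RESOLVE_FAILURE` lines and flags sources that repeatedly send TFTP requests to the broadcast address. The sample lines are copied from the post (with the ticket link placeholders removed); the `min_events` and `window_s` thresholds are my own choice.

```python
"""Added example (not from the post): detect the `service config` AutoInstall
pattern from Snort/OSSIM events and IOS log lines. Sample lines copied from the
post; the thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SNORT_EVENTS = """\
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:38 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:35 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
New Event ticket snort: "ET POLICY Outbound TFTP Read Request" 2013-10-15 17:38:31 alienvault
Host-192-168-130-19:52881
255.255.255.255:69
"""

IOS_LOG = """\
*Mar 26 03:07:40.164: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-ciscorack1.3-confg) failed
*Mar 26 03:08:04.349: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/switch-c.cfg) failed
*Mar 26 03:17:24.750: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*Mar 26 03:17:48.959: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
"""

EVENT_RE = re.compile(r'snort: "(?P<sig>[^"]+)" (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)')
HOST_RE = re.compile(r'^Host-(?P<ip>\d+-\d+-\d+-\d+):(?P<port>\d+)$')
DST_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$')
IOS_RE = re.compile(
    r'%SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from '
    r'\(tftp://(?P<srv>[^/]+)/(?P<file>[^)]+)\) failed')


def parse_snort(text):
    """Turn the three-line OSSIM ticket format into dicts {sig, ts, src, dst, dport}."""
    events, cur = [], None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            cur = {"sig": m.group("sig"),
                   "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
            events.append(cur)
            continue
        if cur is None:
            continue
        m = HOST_RE.match(line)
        if m:
            cur["src"] = m.group("ip").replace("-", ".")
            continue
        m = DST_RE.match(line)
        if m:
            cur["dst"], cur["dport"] = m.group("ip"), int(m.group("port"))
    return events


def broadcast_tftp_sources(events, min_events=3, window_s=60):
    """Sources that sent >= min_events TFTP requests to the broadcast address within window_s."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("dst") == "255.255.255.255" and e.get("dport") == 69:
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if len(stamps) >= min_events and span <= window_s:
            flagged[src] = len(stamps)
    return flagged


def autoinstall_files(ios_log):
    """File names the switch tried to fetch; network-confg / cisconet.cfg / <host>-confg
    cycling like this is the AutoInstall (service config) signature."""
    return [m.group("file") for m in IOS_RE.finditer(ios_log)]


if __name__ == "__main__":
    print("flagged sources:", broadcast_tftp_sources(parse_snort(SNORT_EVENTS)))
    print("files requested:", autoinstall_files(IOS_LOG))
```

The fix on the switch is the `no service config` shown above; the detector is the part that tells you which device to look at, since the Snort signature only reports the IP of the broadcaster.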
Saturday, 12 October 2013
problems with log rotation.
How to trigger it
With this configured, we only need to check that everything is fine and works, which we do as follows:
/usr/sbin/logrotate -d /etc/logrotate.conf
If it does not spit out any errors and we have configured it to our liking, we run the real one (the other was debug):
/usr/sbin/logrotate -f /etc/logrotate.conf
Once this finishes, we can check that the size of the logs has been reduced.
http://www.redxenon.com/blog/tutorial-optimizar-los-logs-de-apache/
Another option, done manually
A typical situation that simply rotates the logs and compresses the old logs to save space is:
mv access_log access_log.old
mv error_log error_log.old
apachectl graceful
sleep 600
gzip access_log.old error_log.old
http://httpd.apache.org/docs/2.0/es/logs.html
FINALLY, LOOKING IN DETAIL AT THE DEBUG OUTPUT OF
/usr/sbin/logrotate -d /etc/logrotate.conf
I was getting
Ignoring apache2 because of bad file mode.
for apache, which was already giving me a headache: the file was reaching and exceeding one gigabyte.
In the end, after checking the configuration file and its contents, the problem was the permissions..... the file in /etc/logrotate.d/..... had permissions 611; nothing to it, set the permissions back to 644 and carry on.
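The "bad file mode" message comes from a permission test logrotate applies to every file it reads from /etc/logrotate.d, and a file it ignores silently stops rotating, which is how a log grows past a gigabyte unnoticed. The script below is an added example (not code from the post or from logrotate): it reproduces that test so a directory can be audited before the next rotation is missed. It assumes the test is `(st_mode & 07533) != 0400`, as in logrotate's config.c (later versions print the same message with "must be 0644 or 0444"); the file names and modes in the demo are constructed.

```python
"""Added example (not from the post): audit /etc/logrotate.d the way logrotate does.
Assumption: logrotate ignores a config file when (st_mode & 07533) != 0400,
i.e. only 0644, 0444, 0640, 0600 and similar modes are accepted.
"""
import os
import stat
import tempfile

BAD_MASK = 0o7533  # bits logrotate refuses: setuid/setgid/sticky, owner x, group/other w+x
WANT = 0o400       # after masking only owner-read must remain


def mode_is_acceptable(mode):
    """True when logrotate would read a config file with this permission mode."""
    return (mode & BAD_MASK) == WANT


def explain(mode):
    """Reasons a mode fails, for a report; empty list means acceptable."""
    reasons = []
    if mode & 0o7000:
        reasons.append("setuid/setgid/sticky bit set")
    if not mode & 0o400:
        reasons.append("owner cannot read")
    if mode & 0o100:
        reasons.append("owner executable")
    if mode & 0o020:
        reasons.append("group writable")
    if mode & 0o010:
        reasons.append("group executable")
    if mode & 0o002:
        reasons.append("world writable")
    if mode & 0o001:
        reasons.append("world executable")
    return reasons


def audit_dir(path):
    """Return {filename: [reasons]} for every regular file logrotate would ignore."""
    bad = {}
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not mode_is_acceptable(mode):
            bad[name] = explain(mode)
    return bad


def demo():
    """Constructed directory: the post's 611 case, a correct 644 file, a group-writable one."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("apache2", 0o611), ("rsyslog", 0o644),
                           ("dpkg", 0o664), ("private", 0o600)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        return audit_dir(d)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"Ignoring {name} because of bad file mode: {', '.join(reasons)}")
```

Run `audit_dir("/etc/logrotate.d")` on a real host to get the same answer `logrotate -d` gives, but as a list you can act on; a package manager or an editor that saves with a group-writable mode is the usual cause.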
Friday, 11 October 2013
iptables-save iptables-restore
The -c option is not essential; with it, the iptables counters are saved as well.
iptables-save -c > /etc/iptables-save
The previous command will save the rule set, together with the values of its counters, into a file called /etc/iptables-save.
iptables-restore [-c] [-n]
The -c argument restores the byte and packet counters and is the option to use when you want to reload the counter values saved with iptables-save. The option can also be written in its long form: --counters.
The -n argument tells iptables-restore not to overwrite the existing rules in the table or tables it is writing to. The default behaviour of iptables-restore is to delete any pre-existing rules. The long form of the option is --noflush.
To load rule sets with the iptables-restore command we have several alternatives, though we will look at the simplest and most widely used one.
cat /etc/iptables-save | iptables-restore -c
Simplifying: with this we print the contents of the rule set stored in the file /etc/iptables-save to standard output (the screen), and that output is then piped into the iptables-restore command, which takes the rule set and loads it into the kernel, including the byte and packet counter values.
apache benchmark
First of all, install apache2-utils
ab -n 100 -c 10 http://www.movistar.com/
Benchmarking www.movistar.com (be patient).....done
Server Software: Sun-ONE-Web-Server/6.1
Server Hostname: www.movistar.com
Server Port: 80
Document Path: /
Document Length: 14741 bytes
Concurrency Level: 10
Time taken for tests: 3.515 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Total transferred: 1487300 bytes
HTML transferred: 1474100 bytes
Requests per second: 28.45 [#/sec] (mean)
Time per request: 351.468 [ms] (mean)
Time per request: 35.147 [ms] (mean, across all concurrent requests)
Transfer rate: 413.25 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 3 6 3.7 5 18
Processing: 297 329 27.4 320 410
Waiting: 32 40 6.7 38 75
Total: 302 335 29.1 324 416
Percentage of the requests served within a certain time (ms)
50% 324
66% 334
75% 347
80% 358
90% 387
95% 408
98% 415
99% 416
100% 416 (longest request)
and for localhost
ab -n 100 -c 10 http://localhost/
Server Software: Apache/2.2.22
Server Hostname: localhost
Server Port: 80
Document Path: /
Document Length: 177 bytes
Concurrency Level: 10
Time taken for tests: 1.410 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Total transferred: 45300 bytes
HTML transferred: 17700 bytes
Requests per second: 70.92 [#/sec] (mean)
Time per request: 140.998 [ms] (mean)
Time per request: 14.100 [ms] (mean, across all concurrent requests)
Transfer rate: 31.38 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 2 5.1 0 19
Processing: 30 133 39.4 132 228
Waiting: 8 53 28.9 47 167
Total: 48 135 38.0 135 233
Percentage of the requests served within a certain time (ms)
50% 135
66% 150
75% 156
80% 161
90% 193
95% 199
98% 229
99% 233
100% 233 (longest request)
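Comparing two `ab` runs by eye, as above, works once; to track a server over time (for example before and after the iptables rate limit from the first post) the numbers need to be parsed. The following is an added example, not code from the post or from `ab`: a parser for the parts of the `ab` report that matter, fed with the two excerpts above, and a comparison that reports the ratio between runs. The regression threshold is my own choice.

```python
"""Added example (not from the post): parse `ab` output and compare two runs.
The two excerpts are taken from the post's output; the threshold is an assumption.
"""
import re

REMOTE_RUN = """\
Requests per second:    28.45 [#/sec] (mean)
Time per request:       351.468 [ms] (mean)
Time per request:       35.147 [ms] (mean, across all concurrent requests)
Failed requests:        0
Percentage of the requests served within a certain time (ms)
  50%    324
  90%    387
  99%    416
 100%    416 (longest request)
"""

LOCAL_RUN = """\
Requests per second:    70.92 [#/sec] (mean)
Time per request:       140.998 [ms] (mean)
Time per request:       14.100 [ms] (mean, across all concurrent requests)
Failed requests:        0
Percentage of the requests served within a certain time (ms)
  50%    135
  90%    193
  99%    233
 100%    233 (longest request)
"""


def parse_ab(text):
    """Extract throughput, mean latency, failures and the percentile table."""
    def num(pattern, cast=float):
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return cast(m.group(1))

    return {
        "rps": num(r"^Requests per second:\s+([\d.]+)"),
        "ms_per_request": num(r"^Time per request:\s+([\d.]+) \[ms\] \(mean\)$"),
        "failed": num(r"^Failed requests:\s+(\d+)", int),
        # lines like "  90%    387"; the 100% line carries a trailing note
        "percentiles": {int(p): int(ms)
                        for p, ms in re.findall(r"^\s*(\d+)%\s+(\d+)", text, re.M)},
    }


def compare(baseline, candidate, max_p99_ratio=1.5):
    """Ratios candidate/baseline; 'regressed' when p99 latency grew past the threshold
    or any request failed."""
    p99_ratio = candidate["percentiles"][99] / baseline["percentiles"][99]
    return {
        "rps_ratio": round(candidate["rps"] / baseline["rps"], 2),
        "p50_ratio": round(candidate["percentiles"][50] / baseline["percentiles"][50], 2),
        "p99_ratio": round(p99_ratio, 2),
        "regressed": p99_ratio > max_p99_ratio or candidate["failed"] > 0,
    }


if __name__ == "__main__":
    remote, local = parse_ab(REMOTE_RUN), parse_ab(LOCAL_RUN)
    print("remote:", remote["rps"], "req/s, p99", remote["percentiles"][99], "ms")
    print("local: ", local["rps"], "req/s, p99", local["percentiles"][99], "ms")
    print("local vs remote:", compare(remote, local))
```

Keep the `-n` and `-c` values identical between the runs you compare; `ab` reports means, so a change in concurrency changes every figure regardless of the server.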