Windows 2012 R2 Certification Authority installation guide

This step-by-step guide explains how to install and configure a two-tier public key infrastructure (an offline Root CA and an Enterprise Subordinate CA), based on:

  • Windows 2012 R2 Server core – offline Root CA
  • Windows 2012 R2 domain controller
  • Windows 2012 R2 standard edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server using Windows 2012 R2 bootable DVD.
  2. From the installation option, choose “Windows Server 2012 R2 Standard (Server Core Installation)” -> click Next.
  3. Accept the license agreement -> click Next.
  4. Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  5. Allow the installation phase to continue and restart the server automatically.
  6. To login to the server for the first time, press CTRL+ALT+DELETE.
  7. Choose the “Administrator” account -> click OK to set the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  8. From the command prompt window, run the command below:
    sconfig.cmd
  9. Press “2” to change the computer name -> specify the new computer name -> click “Yes” to restart the server.
  10. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  11. From the command prompt window, run the command below:
    sconfig.cmd
  12. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  13. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
  14. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  15. From the command prompt window, run the command below:
    sconfig.cmd
  16. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  17. Press “8” to configure “Network settings” -> select the network adapter by its index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  18. Press “9” to configure “Date and Time” -> choose the correct date/time and time zone -> click OK.
  19. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
  20. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  21. From the command prompt window, run the command below:
    powershell
  22. Run the commands below (each on a single line) to enable remote management of the Root CA:
    Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Note: An offline Root CA should be disconnected from the network once the Subordinate CA certificate has been issued; these rules only matter while the server is connected for administration.

Offline Root CA – Certificate Authority server installation phase

  1. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. From the command prompt window, run the command below:
    powershell
  3. Run the command below to create CA policy file:
    notepad c:\windows\capolicy.inf
  4. Specify the following data inside the capolicy.inf file:
    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    CRLPeriod=Weeks
    CRLPeriodUnits=26
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=0
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
    [PolicyStatementExtension]
    Policies=LegalPolicy
    [LegalPolicy]
    OID=1.2.3.4.1455.67.89.5
    Notice="Legal Policy Statement"
    URL=http://www/CertEnroll/cps.asp
    Note: AlternateSignatureAlgorithm=1 makes the CA sign with RSASSA-PSS instead of PKCS#1 v1.5. Older Windows versions (XP/2003) and many non-Windows devices and TLS stacks cannot validate PSS-signed certificates, and the choice cannot be changed without renewing the CA certificate; leave it at 0 unless every relying party has been verified to support PSS. CRLDeltaPeriodUnits=0 disables delta CRLs, which is what you want on a root that is only brought online to publish a base CRL.
  5. Run the commands below to install the Certification Authority role using PowerShell:
    Import-Module ServerManager
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
  6. Run the command below (written on a single line) to install the Root CA:
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
    Note: Replace “CA_Server_Name” with the Root CA NetBIOS name. The validity period given here is the lifetime of the Root CA's own certificate; the CA\ValidityPeriod registry values set in step 11 control the maximum lifetime of the certificates it issues to subordinate CAs.
  7. Run the command below (on a single line) to remove all default CRL Distribution Points (CDP):
    $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
  8. Run the commands below (each on a single line) to configure the new CRL Distribution Points (CDP):
    Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
    Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
  9. Run the command below (on a single line) to remove all default Authority Information Access (AIA) locations:
    $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
  10. Run the command below (on a single line) to configure the new Authority Information Access (AIA) location:
    Add-CAAuthorityInformationAccess -AddToCertificateAia -Uri http://www/CertEnroll/%1_%3.crt
  11. Run the commands below to configure the Root CA settings:
    certutil.exe -setreg CA\CRLPeriodUnits 26
    certutil.exe -setreg CA\CRLPeriod "Weeks"
    certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
    certutil.exe -setreg CA\CRLDeltaPeriod "Days"
    certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
    certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
    certutil.exe -setreg CA\ValidityPeriodUnits 20
    certutil.exe -setreg CA\ValidityPeriod "Years"
    certutil.exe -setreg CA\KeySize 4096
    certutil.exe -setreg CA\AuditFilter 127
  12. Run the commands below (each on a single line) to record the Active Directory naming context in the Root CA configuration, so that its certificate and CRL can later be published into Active Directory with certutil -dspublish:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: Replace “DC=mycompany,DC=com” according to your domain name.
  13. Run the command below to restart the CertSvc service so the new settings take effect:
    Restart-Service certsvc
  14. Run the command below to publish a new CRL:
    certutil.exe -CRL
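Before the root is powered off it is worth checking what steps 7 to 14 actually produced. The following PowerShell script is an added example and not part of the original guide: it reads the CDP/AIA configuration back from the CA, inspects the root certificate and the freshly published CRL, and prints the date by which the root must be powered on again. The only assumption is the host name “www” used in the guide's URLs; everything else is read from the CA's own configuration. Run it in an elevated PowerShell on the Root CA after step 14.

```powershell
# Added example, not part of the original guide: sanity checks for the Offline
# Root CA after steps 7-14. Assumes the HTTP host "www" from the guide; all
# other values are read from the CA's configuration.
Import-Module ADCSAdministration
$httpHost   = 'www'   # assumption: the CNAME the guide points at the Subordinate CA
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$problems   = @()

# 1. CDP/AIA as embedded in the certificates this root signs. An offline, non-domain
#    root must not reference LDAP (nothing would answer) and must reference exactly
#    the HTTP locations that the Subordinate CA's web server will serve.
$cdp = @(Get-CACrlDistributionPoint)
$aia = @(Get-CAAuthorityInformationAccess)
foreach ($d in @($cdp | Where-Object { $_.AddToCertificateCdp -and $_.Uri -notlike "http://$httpHost/*" })) {
    $problems += "unexpected CDP embedded in issued certificates: $($d.Uri)"
}
foreach ($a in @($aia | Where-Object { $_.AddToCertificateAia -and $_.Uri -notlike "http://$httpHost/*" })) {
    $problems += "unexpected AIA embedded in issued certificates: $($a.Uri)"
}
if (-not ($cdp | Where-Object { $_.PublishToServer })) {
    $problems += 'no local CDP with -PublishToServer: certutil -CRL would have nowhere to write'
}

# 2. The root certificate itself: key size and the signature algorithm actually in
#    use (AlternateSignatureAlgorithm=1 in CAPolicy.inf yields RSASSA-PSS).
$caName   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$rootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
    Select-Object -First 1
if (-not $rootCert) {
    $problems += "no CA certificate with a private key found for '$caName'"
} else {
    $keySize = $rootCert.PublicKey.Key.KeySize
    if ($keySize -ne 4096) { $problems += "root key size is $keySize, expected 4096" }
    "Root CA certificate: $($rootCert.Subject), $keySize-bit, signed with $($rootCert.SignatureAlgorithm.FriendlyName), expires $($rootCert.NotAfter)"
}

# 3. The CRL just published: its NextUpdate is the hard deadline for powering the root
#    on again, running certutil -CRL and copying the new CRL to the Subordinate CA.
$crl = Get-ChildItem $certEnroll -Filter '*.crl' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $crl) {
    $problems += "no CRL found in $certEnroll; run certutil -CRL"
} else {
    $dump       = certutil.exe -dump $crl.FullName
    $nextUpdate = ($dump | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1) -replace '.*NextUpdate:\s*', ''
    $cfg        = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
    "CRL $($crl.Name): NextUpdate $nextUpdate (CRLPeriod $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod), overlap $($cfg.CRLOverlapPeriodUnits) $($cfg.CRLOverlapPeriod))"
    "Power the root on and publish a new CRL before $nextUpdate."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Root CA checks passed.' }
```

A warning about an LDAP URL means a default location survived step 7 or 9 and will be baked into the Subordinate CA certificate, where it cannot be corrected later without reissuing. The NextUpdate date is the one to put in the calendar: with the 26-week period configured above it falls roughly six months after each publication.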

Enterprise Subordinate CA – OS installation phase
Pre-requirements:

  • Active Directory (forest functional level – Windows 2012 R2)
  • Add an “A” record for the Root CA to the Active Directory DNS.

  1. Boot the server using Windows 2012 R2 bootable DVD.
  2. From the installation option, choose “Windows Server 2012 R2 Standard (Server with a GUI)” -> click Next.
  3. Accept the license agreement -> click Next.
  4. Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  5. Allow the installation phase to continue and restart the server automatically.
  6. To login to the server for the first time, press CTRL+ALT+DELETE.
  7. Choose the “Administrator” account -> click OK to set the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  8. From the “Welcome to Server Manager”, click on “Configure this local server” -> replace the “Computer name” and join the server to the Active Directory domain (an Enterprise CA must be a domain member) -> restart the server.
  9. From the “Welcome to Server Manager”, click on “Configure this local server” -> click on Ethernet -> right click on the network interface -> properties -> configure static IP address.
  10. Enable “Remote Desktop”
  11. From the command prompt window, run the command below:
    powershell
  12. Run the command below to enable remote management of the Subordinate CA:
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:

  • DNS CNAME record named “www” pointing to the Enterprise Subordinate CA. This is the host name used in every http://www/CertEnroll CDP and AIA URL embedded in the certificates, so it must resolve for every client that validates them; a dedicated fully qualified name (such as pki.mycompany.com) is easier to keep stable over the CA's lifetime than a bare “www”.
  • Make sure the clocks of the Offline Root CA and the Subordinate CA are synchronized.
  1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
  2. Copy the files below from the Offline Root CA server to a temporary folder on the Subordinate CA:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
  3. Run the command below to publish the Root CA certificate in Active Directory:
    certutil.exe -dspublish -f "<CACertFileName.crt>" RootCA
    Note: Replace “CACertFileName” with the actual CRT file.
  4. Run the commands below to add the Root CA certificate and CRL to the Subordinate CA's local trusted root store:
    certutil.exe -addstore -f root "<CACertFileName.crt>"
    certutil.exe -addstore -f root "<CACertFileName.crl>"
    Note: Replace “CACertFileName” with the actual CRT and CRL files.
  5. From the command prompt window, run the command below:
    powershell
  6. Run the command below to create CA policy file:
    notepad c:\windows\capolicy.inf
  7. Specify the following data inside the capolicy.inf file:
    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
    Note: As on the Root CA, AlternateSignatureAlgorithm=1 selects RSASSA-PSS signatures, which older Windows versions and many non-Windows clients cannot validate. This CA signs the end-entity certificates those clients will actually see, so leave it at 0 unless PSS support has been verified on every relying party.
  8. Run the commands below to install Certification Authority using Powershell:
    Import-Module ServerManager
    Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    Add-WindowsFeature Web-Mgmt-Console
    Add-WindowsFeature Adcs-Web-Enrollment
  9. Open Server Manager -> From the “Welcome to Server Manager”, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
  10. Specify credentials and click on Next.
  11. Select both “Certification Authority” and “Certification Authority Web Enrollment” roles and click on Next.
  12. Select “Enterprise CA” -> click on Next.
  13. Select “Subordinate CA” -> click on Next.
  14. Select “Create a new private key” -> click on Next.
  15. Cryptography:
    Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
    Key length: 2048
    Hash algorithm: SHA256
  16. CA Name:
    Common name: specify here the subordinate server NetBIOS name
    Distinguished name suffix: leave the default domain settings
  17. Select “Save a certificate request to file on the target machine” -> click Next
  18. Specify the database location and click Next.
  19. Click on Configure -> wait until the process completes and click on Close.
    Note: If asked, choose not to configure additional role services.
  20. Copy the request file (*.req) to the Offline Root CA.
  21. Login to the Offline Root CA using administrative account.
  22. Run the command below to submit the Subordinate CA certificate request:
    certreq -submit "<CACertFileName>.req"
    Note: Replace “CACertFileName” with the actual request file. On a standalone CA the request is left pending; note the request ID that certreq prints.
  23. Run the command below to approve the pending request:
    certutil -resubmit 2
    Note: Replace “2” with the request ID.
  24. Run the command below to download the issued certificate:
    certreq -retrieve 2 "C:\<CACertFileName>.cer"
    Note 1: Replace “CACertFileName” with the name you want for the CER file.
    Note 2: Replace “2” with the request ID.
  25. Log off the Root CA and power it off. It must be powered on again, a new CRL published with certutil -CRL and copied to the Subordinate CA, before the current CRL expires: with the 26-week CRL period configured above that is at most 179 days after the last publication.
  26. Return to the Subordinate CA.
  27. Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
    Note: Replace “CACertFileName” with the actual CER file.
  28. Run the commands below to complete the Subordinate CA installation process:
    powershell
    Certutil -installcert "<CACertFileName>.cer"
    Note: Replace “CACertFileName” with the actual CER file.
  29. Run the command below to start the CA service:
    start-service certsvc
  30. Run the command below (on a single line) to remove all default CRL Distribution Points (CDP):
    $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
  31. Run the commands below (each on a single line) to configure the new CRL Distribution Points (CDP):
    Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
    Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
    Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
    Note: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.
  32. Run the command below (on a single line) to remove all default Authority Information Access (AIA) locations:
    $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
  33. Run the commands below (each on a single line) to configure the new Authority Information Access (AIA) locations:
    Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
    Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
    Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
  34. Run the commands below (each on a single line) to configure the Subordinate CA settings:
    Certutil -setreg CA\CRLPeriodUnits 2
    Certutil -setreg CA\CRLPeriod "Weeks"
    Certutil -setreg CA\CRLDeltaPeriodUnits 1
    Certutil -setreg CA\CRLDeltaPeriod "Days"
    Certutil -setreg CA\CRLOverlapPeriodUnits 12
    Certutil -setreg CA\CRLOverlapPeriod "Hours"
    Certutil -setreg CA\ValidityPeriodUnits 5
    Certutil -setreg CA\ValidityPeriod "Years"
    certutil -setreg CA\AuditFilter 127
    certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
    certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
    certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    Note 1: CRLF_REVCHECK_IGNORE_OFFLINE lets the CA service start even when the Root CA's CRL cannot be fetched at start-up; it does not change the revocation checks that clients perform.
    Note 2: EDITF_ATTRIBUTESUBJECTALTNAME2 lets any requester supply an arbitrary Subject Alternative Name as a request attribute for any template they are allowed to enroll, bypassing the template's subject rules. On an Enterprise CA that means a requester can obtain a certificate carrying another principal's UPN or DNS name and impersonate it. Microsoft advises against enabling this flag on an Enterprise CA; skip this command and, where a SAN is needed, use a template that takes the subject from the request (or builds it from Active Directory) with tightly restricted enrollment permissions.
  35. Run the command below to restart the CertSvc service so the new settings take effect:
    Restart-Service certsvc
  36. Run the command below to publish new CRLs:
    certutil.exe -CRL
  37. Copy the files below from the Root CA's CertEnroll folder to the same location on the Subordinate CA, so that the Root CA's CRL and certificate are served at the http://www/CertEnroll URLs embedded in the certificates:
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  38. Create a CPS (Certification Practice Statement) and save it as “cps.asp” on the Subordinate CA under the folder below:
    C:\Windows\System32\CertSrv\CertEnroll
    Note: For more information about the Certification Practice Statement, see:
    http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx
  39. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
  40. Open Server Manager -> Tools -> Active Directory Users and Computers.
  41. From the left pane, expand the domain name -> choose an OU and create the following groups:
    Group name: CA Admins
    Group description/purpose: Manage CA server
    Group name: CA Issuers
    Group description/purpose: Issue certificates
  42. Logoff the domain controller.
  43. Login to the Subordinate CA using administrative account, who is also member of the “CA Admins” group.
  44. Open Server Manager -> Tools -> Certification Authority.
  45. From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
    Note: As best practices, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.
  46. From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on “User” certificate -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read”, “Enroll” and “Autoenroll” -> click on OK.
  47. From the main pane, right click on “Web Server” certificate -> Duplicate Template -> General tab -> rename the template to “Custom Web Server Certificate” -> Request Handling tab -> select “Allow private key to be exported” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> remove the permissions for the built-in Administrator account -> click on OK.
    Note: All computer accounts requesting the “Custom Web Server Certificate” certificate must be members of the “CA Issuers” group. Marking the private key exportable is convenient for moving a certificate between servers, but it also lets anyone with administrative access to the enrolled machine copy the key; leave it unselected on templates where that is not needed.
  48. From the main pane, right click on “OCSP Response Signing” certificate -> Duplicate Template -> General tab -> rename the template to “Custom OCSP Response Signing” -> Security tab -> add the subordinate CA computer account -> grant “Read”, “Enroll” and “Autoenroll” -> click OK.
  49. From the main pane, right click on “Web Server” certificate -> Properties -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> click OK
  50. Close the Certificate Templates Console.
  51. From the Certification Authority console left pane, right click on Certificate Templates -> New -> Certificate Template to issue -> select the following certificate templates:
    Web Server
    Custom User Certificate
    Custom Web Server Certificate
    Custom OCSP Response Signing
  52. Click OK.
  53. Close the Certification Authority console.
  54. Open Server Manager -> Manage -> Add Roles and Features -> click Next 3 times -> expand “Active Directory Certificate Services” -> select “Online Responder” -> click on Add Features -> click Next twice -> click on Install -> click on Close
  55. From the upper pane, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
  56. Specify credentials and click on Next.
  57. Select “Online Responder” -> click Next -> click on Configure -> click Close.
  58. From the left pane, right click on “Online Responder” -> Responder Properties -> Audit tab -> select “Changes to the Online Responder configuration”, “Changes to the Online Responder security settings” and “Requests submitted to the Online Responder” -> click OK -> close the “Online Responder Configuration” console.
  59. Open Server Manager -> Tools -> Local Security Policy -> from the left pane, expand “Advanced Audit Policies” -> expand “System Audit Policies – Local Group Policy Object” -> click on Object Access -> from the main pane, double click on “Audit Certification Services” -> select “Configure the following audit events” -> select both Success and Failure -> click OK -> close the Local Security policy console.
  60. Run from command line:
    certutil -CRL
  61. Run from command line:
    certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
    Note: The above command is written on a single line.
  62. Run the commands below to restart the CertSvc service:
    powershell
    Restart-Service certsvc
  63. Open Server Manager -> Tools -> Online Responder Management
  64. From the left pane, right click on “Revocation Configuration” -> Add revocation configuration -> click Next -> on the name field, specify “Custom Revocation Configuration” -> click Next -> select “Select a certificate for an Existing enterprise CA” -> click Next -> click Browse -> select the subordinate CA -> click OK -> Automatically select a signing certificate -> click Next -> click Finish
  65. Close the Online Responder Management console
  66. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
  67. Copy the files bellow from the subordinate CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
    Note: Copy the newest files.
  68. Open Server Manager -> Tools -> Group Policy Management.
  69. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  70. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA server -> click Open -> click Next twice -> click Finish -> click OK.
  71. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
  72. From the main pane, right click on the certificate name -> Properties -> OCSP tab -> inside the empty “Add URL” field, specify:
    http://www/ocsp
    Click on Add URL -> click OK.
  73. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Certificate Enrollment Policy” -> Properties -> change the “Configuration Model” to “Enabled” and click OK.
  74. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Auto-Enrollment” -> Properties -> change the “Configuration Model” to “Enabled” -> select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK.
  75. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Administrative Templates” -> expand “Windows Components” -> expand “Internet Explorer” -> expand “Internet Control Panel” -> expand “Security Page” -> double click on “Site to zone assignment list” -> click on “Enabled” -> under Options, click on “Show” -> inside “Value name”, specify the Subordinate CA DNS name -> inside “Value”, specify 2 -> click OK twice.
  76. Close the “Group Policy Management”.
  77. Logoff the domain controller.
  78. Login to the Subordinate CA using administrative account.
  79. Open Server Manager -> Tools -> Internet Information Services (IIS) Manager.
  80. From the left pane, expand the server name -> expand Sites -> click on “Default Web Site” -> from the right pane, click on “Bindings” -> click on Add -> from the Type, select HTTPS -> under “SSL Certificate”, select the Subordinate CA certificate -> click OK -> click on Close.
  81. From the left pane, expand “Default Web Site” -> click on “CertSrv” -> from the main pane, double click on “Request Filtering” -> click Edit Feature Settings -> select “Allow Double Escaping” (delta CRL file names contain a “+”) -> click OK.
  82. From the main pane, double click on “SSL Settings” -> select “Require SSL” -> click on Apply.
    Note: Require SSL only on “CertSrv” (web enrollment). The CertEnroll virtual directory that serves the CRLs and CA certificates, and the /ocsp path, must remain reachable over plain HTTP: clients fetch CDP, AIA and OCSP information before they can trust any TLS certificate, and Windows does not use HTTPS URLs for those lookups.
  83. Close the Internet Information Services (IIS) Manager console.
  84. Run PKIVIEW.msc to make sure the entire PKI structure is fully functional.
  85. Logoff the Subordinate CA.
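PKIVIEW.msc shows whether each location is reachable, but it does not tell you whether the CA was left with the settings a client-facing issuing CA should have. The PowerShell script below is an added example, not part of the original guide, and is meant to run in an elevated PowerShell on the Subordinate CA right after step 84. It builds the CA's own chain the way a client would (fetching every embedded CDP, AIA and OCSP URL), confirms the CRL is served over plain HTTP without a redirect, flags the EDITF_ATTRIBUTESUBJECTALTNAME2 setting from step 34 if it is on, and compares the published templates with the ones created in steps 46 to 51. The host name “www” and the four template display names are the only assumptions; both are the values used in this guide.

```powershell
# Added example, not part of the original guide: post-install checks for the
# Enterprise Subordinate CA. Assumes the HTTP host "www" and the template names
# from this guide; everything else is read from the CA.
$httpHost          = 'www'   # assumption: the CNAME used in the CDP/AIA/OCSP URLs
$expectedTemplates = 'Web Server', 'Custom User Certificate', 'Custom Web Server Certificate', 'Custom OCSP Response Signing'
$certEnroll        = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$problems          = @()

# 1. Build the CA's chain as a client would, fetching every CDP, AIA and OCSP URL
#    embedded in the certificates. Lines containing "Failed" or "ERROR" in the
#    -urlfetch output name the location clients will not be able to reach.
$caCertFile = Join-Path $env:TEMP 'subca-check.cer'
certutil.exe -ca.cert $caCertFile | Out-Null
$verify = certutil.exe -verify -urlfetch $caCertFile
if ($LASTEXITCODE -ne 0) { $problems += "certutil -verify -urlfetch exited with code $LASTEXITCODE" }
foreach ($line in @($verify | Where-Object { $_ -match 'Failed|ERROR' })) { $problems += "urlfetch: $($line.Trim())" }

# 2. The base CRL must be served over plain HTTP with no redirect to HTTPS
#    (delta CRLs carry a '+' in the name; the base CRL does not).
$baseCrl = Get-ChildItem $certEnroll -Filter '*.crl' | Where-Object { $_.Name -notmatch '\+' } | Select-Object -First 1
if (-not $baseCrl) {
    $problems += "no base CRL in $certEnroll; run certutil -CRL"
} else {
    $url = "http://$httpHost/CertEnroll/$($baseCrl.Name)"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        if ($r.StatusCode -ne 200) { $problems += "$url returned HTTP $($r.StatusCode)" }
    } catch {
        $problems += "plain-HTTP fetch of $url failed or was redirected: $($_.Exception.Message)"
    }
}

# 3. The request-attribute SAN flag must not be left enabled on an Enterprise CA.
#    certutil -getreg decodes only the flags that are actually set.
$editFlags = certutil.exe -getreg policy\EditFlags
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    $problems += 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: any enrollee can request a certificate for any UPN or DNS name'
}

# 4. Only the intended templates are published. certutil -catemplates prints one
#    line per template as "<TemplateName>: <DisplayName> -- <enrollment result>".
$published = @(certutil.exe -catemplates | ForEach-Object {
    if ($_ -match '^([^:\s]+):\s*(.+?)\s+--') { $Matches[2] }
})
foreach ($t in $expectedTemplates) { if ($published -notcontains $t) { $problems += "template '$t' is not published on the CA" } }
foreach ($t in $published)         { if ($expectedTemplates -notcontains $t) { $problems += "unexpected template published: '$t'" } }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Subordinate CA checks passed.' }
```

The first check is the one to repeat whenever the Root CA publishes a new CRL (step 25): if the copied root CRL is missing or expired, -urlfetch reports it against the root's CDP line and every certificate issued by this CA will fail revocation checking on clients.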

What is a Fake WAP/Evil Twin Hack, and How can They be Stopped?

The Evil Twin, or fake wireless access point (WAP), hack is one of the easiest hacks to do. Those who become a victim of it may never know a thing about it. The only sign may come well past the point of no return, when your personal accounts begin making purchases, spamming people, or locking you out!

The Evil Twin/Fake WAP: A Demo of How Easy it is to Steal Your Data

This hack takes place in public spaces and is usually done through a type of misdirection: you think you’re doing one thing, but in fact you’re giving your data away.

Hackers use a tool which allows them to create their own Wireless Access Point. Such tools are easily found; the aircrack-ng suite, for example, is no secret. They come already set up, programmed and ready to go.

Once a hacker has set their WAP up, they just have to wait for people to connect and start freely giving them data – all without the victims knowing. If people aren’t connecting quickly enough, the hacker can use a deauthentication tool to knock them off their current connections so that their devices reconnect to the fake WAP instead.

What harm is caused by an Evil Twin attack?

The harms of an Evil Twin hack are:

  1. Hackers set up the WAP to require a login and password through a fake captive portal. People who reuse a common login and password combination are the most common victims: they enter it to access the fake WAP, and the hacker tries those credentials all over the Internet to see if they can sign in somewhere else.
  2. Hackers may also use a ‘man-in-the-middle’ attack tool; Ettercap is an example. These tools are used to capture, analyze and tamper with the information being transmitted through the fake WAP.
  3. A listening agent, such as a Metasploit Meterpreter payload, can be used to gain even further access to your system, along with more control of your information.

Evil Twin hacks are not terribly difficult to do. With the tools listed above, the desire to steal, and the right location, a hacker can go right ahead and steal from a few unsuspecting people. Read on to see that you’re not helpless!

How to defend against an Evil Twin attack

Here are six things that you can do, some of them pretty common sense, some a little bit more complex, to defend against an Evil Twin/Fake WAP attack. We’ll start with the easiest ones and work up to the more complex:

  1. Ask the proprietor for the right WiFi name: A fake WAP can be easily spotted when you know which WAP you’re actually being offered in a public space. Hackers commonly trick people into connecting to their fake WAP by giving it a name that sounds right: “Free Starbucks WiFi,” “Connect Free @ LaGuardia,” “McDonalds Courtesy Connect WiFi,” and so on.
  2. Turn off auto-connect: Evil Twin attackers running a man-in-the-middle love it when devices connect to them automatically. They don’t have to do any work beyond making sure that their WAP is the strongest one in the area, and a simple command line is all it takes to drown out the other signals.
  3. Use unique passwords: How do you keep track of all of your unique passwords? Use a password manager that generates a different password for everything you sign into. Then, if a hacker does steal your credentials, they only gain access to one account: not all of them!
  4. Encrypt your data with a VPN: The entire point of a VPN is to protect your data and privacy. It is most useful in a public setting, because the traffic inside the tunnel is encrypted and cannot be read or altered by a man-in-the-middle on the local network. You can even use one to unlock geo-blocked content on Netflix and other websites. It’s no excuse to ignore the points above, but it seriously helps when you want added security.
  5. Be aware of suspicious activity: One sign that you’re on a fake WAP that wants to harm you is that it won’t let you use your VPN. This is rare behavior from a real WAP, but useful for a hacker who wants to read your traffic. If you try to connect but are told you can’t due to a VPN, ask the proprietor if they block VPNs. If they don’t, assume you are connected to an Evil Twin and disconnect.
  6. A sudden disconnect followed by a new ‘free’ WAP: That new “free” WAP appearing right after you were ‘bumped off’ is a classic sign of someone using a deauthentication tool to push users onto their own access point.

Take precautions like the one outlined above when you’re out and about in the public space and looking to use WiFi, and you’ll be nearly impossible for a fake WAP hacker to attack. You don’t need any fancy knowledge to defend against them; some common sense, and a few tools of your own, will keep you safe and secure.
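As an added example that is not part of the original article, the PowerShell script below turns the first and sixth pieces of advice into a check you can run from a Windows laptop before connecting: it looks for the most common Evil Twin pattern, the same network name advertised by more than one access point with different security settings (typically an open clone of a WPA2 network). It parses the text that netsh wlan show networks mode=bssid prints; the scan output embedded in the script is a constructed sample in that format and stands in for a real scan.

```powershell
# Added example, not from the original article. Flags SSIDs that are advertised
# by more than one access point with different security settings, the classic
# signature of an open Evil Twin cloning a protected network.
# $raw below is a constructed sample in the format of
#   netsh wlan show networks mode=bssid
# Replace it with  $raw = netsh wlan show networks mode=bssid  to scan for real.
$raw = @'
SSID 1 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 70%
         Radio type         : 802.11n
         Channel            : 6
SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:de:ad:be:ef:01
         Signal             : 99%
         Radio type         : 802.11n
         Channel            : 6
SSID 3 : Airport-Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 55%
         Radio type         : 802.11ac
         Channel            : 36
'@ -split "`r?`n"

function ConvertFrom-NetshBssid {
    # Turn the indented netsh report into one object per BSSID.
    param([string[]]$Lines)
    $rows = @()
    $ssid = $null; $auth = $null; $enc = $null; $bssid = $null; $signal = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID\s+\d+\s*:\s*(.*)$'            { $ssid = $Matches[1].Trim(); $auth = $null; $enc = $null }
            '^\s+Authentication\s*:\s*(.+)$'     { $auth = $Matches[1].Trim() }
            '^\s+Encryption\s*:\s*(.+)$'         { $enc = $Matches[1].Trim() }
            '^\s+BSSID\s+\d+\s*:\s*([0-9a-f:]+)' { $bssid = $Matches[1] }
            '^\s+Signal\s*:\s*(\d+)%'            { $signal = [int]$Matches[1] }
            '^\s+Channel\s*:\s*(\d+)'            {
                # Channel is the last field needed for a BSSID, so emit the row here.
                $rows += [pscustomobject]@{
                    SSID = $ssid; Authentication = $auth; Encryption = $enc
                    BSSID = $bssid; Signal = $signal; Channel = [int]$Matches[1]
                }
            }
        }
    }
    return $rows
}

function Find-EvilTwinCandidates {
    # Same SSID seen with more than one authentication type (e.g. WPA2 and Open).
    param([object[]]$Networks)
    foreach ($group in ($Networks | Group-Object SSID | Where-Object { $_.Count -gt 1 })) {
        $auths = @($group.Group | Select-Object -ExpandProperty Authentication -Unique)
        if ($auths.Count -gt 1) {
            [pscustomobject]@{
                SSID   = $group.Name
                Reason = "advertised with different security settings: $($auths -join ' / ')"
                APs    = ($group.Group | ForEach-Object { "$($_.BSSID) [$($_.Authentication), $($_.Signal)%, ch $($_.Channel)]" }) -join '; '
            }
        }
    }
}

$networks = ConvertFrom-NetshBssid -Lines $raw
$suspects = @(Find-EvilTwinCandidates -Networks $networks)
if ($suspects) { $suspects | Format-List } else { 'No SSID is advertised with conflicting security settings.' }
```

On the sample data CoffeeShop is reported (WPA2-Personal and Open on the same channel, the open one with the strongest signal) while Airport-Guest is not, because a single open network is not by itself evidence of anything. A twin that also copies the original's security type does not show up this way, which is why asking the proprietor which network is theirs remains the first line of defense.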

Instagram Lottery winning fraud made thousands of victims

Social networking sites have lately become frequent victims of hacking, but today Instagram experienced a different face of the Internet called social engineering. You might have heard about spam emails that lure readers into clicking by offering lottery wins, jobs and discount offers; over the last few days, Symantec has observed a similar activity on Instagram carried out by scammers.

Instagram scammers are posting images related to fake lottery winnings. The spammers have convinced users to share the posts, surrender their personal information, and send money to the scammers.

The users who fell victim were mostly from the USA and the UK. The spammers offered $1000 to Instagram users for following them and leaving a comment with their email address. Below is an image of Instagram accounts pretending to be real-life lottery winners.

Most spammers got a response from 5,000 to 10,000 followers. After receiving such a response, they announced a new Instagram account named “accountant” that would deliver the $1000 to users. The spammers also asked users to send a $0.99 postage charge for processing the large payment. Some users sent the postage charge, and many revealed their email addresses to the spammers. Below is an image of the fake accountant that asked users for money.

The main objective of this campaign was to amass account details for personal use or resale. The spammers also changed the avatar, user name and biography of the accounts for further spamming.

After the spammers recycled the accounts, the impersonated accounts reappeared with few followers. Though these accounts were bogus, users still hoped they would get $1000 for following them. Below is an Instagram account that reappeared with few followers.

Symantec has published some precautions against this kind of scam.

  • Do not blindly trust everything you see on social media.
  • Raise a question in your mind, when you find such offers.
  • Do not unveil your personal information.
  • Do not send money to the person that you do not know.

How to defend from the “Zero day viruses” family

Recently, viruses’ manufacturers know now how to penetrate antivirus programs. They do it by changing the virus code a little so it appears to have new “signature”. Signature is the traditional way antivirus programs detect viruses. By having a new signature, the virus is unknown to the antivirus program and it can penetrate the computer easily.

Once it is in the computer, it can do several things:

  1. Scan your computer and steal important documents.
  2. Act like a bridge head and download other viruses.
  3. Implant itself to become operated every time the computer boots.
  4. Record every keystroke/conversation/login you make on the computer and transmit it to external criminal use.

The life expectancy of such a virus is three weeks, the time it takes for the antivirus program to be updated on every computer in the world. By then the virus manufacturer releases a new (and unknown) version.

Since antivirus software has this inherent flaw, many solutions are being developed to close this “zero day virus gap”. The common solutions place a monitoring program on the computer that watches its activity and sends suspicious incidents to the network administrator’s attention. The incidents are evaluated with a “behavioral approach” that aims to determine whether the incident indicates a virus penetration. Other solutions place traps on the computer and wait for a virus to trigger the trap alarm. Most of these solutions are aimed at the enterprise market and require professional staff to handle the alerts received.

“Magen – Malware Vigilance” was developed for the home market: it alerts users to possible malware penetration of their computer and allows them to disable the threat before significant damage is done. Magen is an alarm system, not an antivirus. This means it does not block, erase or dismantle viruses, but specializes in detecting new programs that penetrate the computer and bringing them to the owner’s attention for scrutiny.

Magen’s detection algorithm is very efficient and patent pending. It alerts on every program implanted in the computer, that is, every program that has configured itself to run automatically on the computer.

Using Magen brings to the computer user’s attention information about significant changes to their computer and allows them to stay in control of their computer hygiene. From time to time it reveals legitimate program updates that install new services without telling the owner and without a good reason for doing so. I consider such updates to be immoral, and the information Magen conveys allows people to remove the undesired intrusion.

“Decent spyware” can be used to inflict significant damage on the victim: from pedophiles who are able to get into kids’ bedrooms, to cyber criminals who can take out a home mortgage in other people’s names.

In the following example we can see a sample virus received in an email message:

Email with virus attachment

The virus triggers the following alert:

Malware alert

Pressing “more…” reveals the program properties:

Detailed view of Malware alert

Googling for msxurpk.exe does not show any results. Together with the rest of the properties, it is quite evident that this is most likely a virus. The best way to disable this threat is to click the “system restore” button and restore the operating system to a date earlier than the detection date (in our case 02/March/2014).

In these sophisticated times, when people spend many hours online, it is essential to be “Malware Vigilant” and protect your computer from infection by a “zero day virus” that can pass through the antivirus.

To see some samples of infections and how they are revealed, visit the Cyber-Dome YouTube channel.

You can download Magen and test it free for 45 days here.

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installing, configuring and hardening an NGINX server from source files on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (not enabled by default), Firefox 24.0 (not enabled by default), Chrome 30, Opera 17, Safari 5.0

Installation Phase

    2. Login to the server using Root account
    3. Install pre-requirement packages:
      yum install policycoreutils-python-* -y
      yum install setools-libs-* -y
      yum install libcgroup-* -y
      yum install audit-libs-python-* -y
      yum install libsemanage-python-* -y
      yum install setools-libs-python-* -y
      yum install gcc* -y
    4. Create a new account:
      groupadd nginx

      useradd -g nginx -d /dev/null -s /sbin/nologin nginx

    5. Upgrade the Openssl build:
      rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

      yum --enablerepo=axivo update openssl -y

    6. Download Openssl source files:
      cd /opt

      wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz

    7. Extract Openssl source files:
      tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
    8. Remove Openssl source file:
      rm -rf /opt/openssl-1.0.1e.tar.gz
    9. Download PCRE source file into /tmp, from:
      http://sourceforge.net/projects/pcre/files/pcre/
    10. Compile PCRE from source file:
      tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp

      mv /tmp/pcre-8.34 /usr/local/pcre

      cd /usr/local/pcre

      ./configure --prefix=/usr/local/pcre

      make

      make install

    11. Remove PCRE package:
      rm -rf /tmp/pcre-8.34.tar.gz
    12. Download Nginx 1.5.8:
      cd /tmp

      wget http://nginx.org/download/nginx-1.5.8.tar.gz

    13. Extract the nginx-1.5.8.tar.gz file:
      tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
    14. Move to the Nginx source folder:
      cd /tmp/nginx-1.5.8
    15. Edit using VI the file /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
      static char ngx_http_server_string[] = "Server: nginx" CRLF;
      static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
      To:
      static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
      static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;

    16. Run the commands below to compile the Nginx environment:
      ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcre
      Note: The command above should be written as one line.
      make

      make install

    17. Remove the Nginx source files:
      cd /

      rm -rf /tmp/nginx-1.5.8

      rm -f /tmp/nginx-1.5.8.tar.gz

    18. Remove Default Content
      rm -rf /usr/local/nginx/html
    19. Updating Ownership and Permissions on Nginx folders:
      chown -R root:root /usr/local/nginx

      chmod 750 /usr/local/nginx/sbin/nginx

      chmod -R 640 /usr/local/nginx/conf

      chmod -R 770 /usr/local/nginx/logs

    20. Create folder for the web content:
      mkdir -p /www
    21. Updating Ownership and Permissions on the web content folder:
      chown -R root /www

      chmod -R 775 /www

    22. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
      From:
      #user nobody;
      To:
      user nginx nginx;

      From:
      #error_log logs/error.log notice;
      To:
      error_log logs/error.log notice;

      From:
      server_name localhost;
      To:
      server_name Server_FQDN;
      Note: Replace Server_FQDN with the actual server DNS name.

      From:
      root html;
      To:
      root /www;

    23. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
      ## turn off nginx version number ##
      server_tokens off;
      ## Size Limits & Buffer Overflows ##
      client_body_buffer_size 1K;
      client_header_buffer_size 1k;
      client_max_body_size 1k;
      large_client_header_buffers 2 2k;
      ## Timeouts ##
      client_body_timeout 10;
      client_header_timeout 10;
      send_timeout 10;
    24. Create using VI, the file /etc/init.d/nginx with the following content:
      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig: - 85 15
      # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
      # proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config: /usr/local/nginx/conf/nginx.conf
      # config: /etc/sysconfig/nginx
      # pidfile: /var/run/nginx.pid

      # Source function library.
      . /etc/rc.d/init.d/functions

      # Source networking configuration.
      . /etc/sysconfig/network

      # Check that networking is up.
      [ "$NETWORKING" = "no" ] && exit 0

      nginx="/usr/local/nginx/sbin/nginx"
      prog=$(basename $nginx)

      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

      [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

      lockfile=/var/lock/subsys/nginx

      start() {
      [ -x $nginx ] || exit 5
      [ -f $NGINX_CONF_FILE ] || exit 6
      echo -n $"Starting $prog: "
      daemon $nginx -c $NGINX_CONF_FILE
      retval=$?
      echo
      [ $retval -eq 0 ] && touch $lockfile
      return $retval
      }

      stop() {
      echo -n $"Stopping $prog: "
      killproc $prog -QUIT
      retval=$?
      echo
      [ $retval -eq 0 ] && rm -f $lockfile
      return $retval
      }

      restart() {
      configtest || return $?
      stop
      sleep 1
      start
      }

      reload() {
      configtest || return $?
      echo -n $"Reloading $prog: "
      killproc $nginx -HUP
      RETVAL=$?
      echo
      }

      force_reload() {
      restart
      }

      configtest() {
      $nginx -t -c $NGINX_CONF_FILE
      }

      rh_status() {
      status $prog
      }

      rh_status_q() {
      rh_status >/dev/null 2>&1
      }

      case "$1" in
      start)
      rh_status_q && exit 0
      $1
      ;;
      stop)
      rh_status_q || exit 0
      $1
      ;;
      restart|configtest)
      $1
      ;;
      reload)
      rh_status_q || exit 7
      $1
      ;;
      force-reload)
      force_reload
      ;;
      status)
      rh_status
      ;;
      condrestart|try-restart)
      rh_status_q || exit 0
      ;;
      *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
      exit 2
      esac

    25. Change the permissions of the file /etc/init.d/nginx
      chmod +x /etc/init.d/nginx
    26. To start Nginx service at server start-up, run the command:
      chkconfig nginx on
    27. To manually start the Nginx service, use the command:
      /etc/init.d/nginx start
    28. Configure IPTables:
      service iptables stop

      iptables -P INPUT DROP

      iptables -A INPUT -i lo -j ACCEPT

      iptables -A OUTPUT -o lo -j ACCEPT

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    29. Allow SSH access from the internal segment (e.g. 10.0.0.0/8):
      iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
      Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
    30. Allow HTTP access from the Internet on the public interface (e.g. eth0):
      iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name.
    31. Save the IPTables settings:
      service iptables save

SSL Configuration Phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /usr/local/nginx/ssl

      chmod 600 /usr/local/nginx/ssl

    3. Run the command below to generate a key pair:
      /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048
      Note: Specify a complex pass phrase for the private key (and document it).
    4. Run the command below to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/server.csr to a Certificate Authority server.
    6. As soon as you receive the signed certificate from the CA server via email, copy all lines from the one starting with “Begin” to the one ending with “End” (including those two lines) into Notepad and save the file as “server.crt”.
    7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
    10. Combine the server certificate (server.crt) and the Root CA chain (ca-bundle.crt) into one file, with the server certificate first (nginx treats the first certificate in the file as the server certificate and the ones after it as the chain):
      cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
      Note: The command above should be written as one line.
    11. Remove the passphrase from the private key:
      /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.key
      Note: The command above should be written as one line.
    12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
      rm -f /tmp/server.csr

      rm -f /usr/local/nginx/ssl/server.crt

      rm -f /usr/local/nginx/ssl/ca-bundle.crt

    13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
      # HTTPS server
      #
      #server {
      # listen 443 ssl;
      # server_name localhost;
      # ssl_certificate cert.pem;
      # ssl_certificate_key cert.key;
      # ssl_session_cache shared:SSL:1m;
      # ssl_session_timeout 5m;
      # ssl_ciphers HIGH:!aNULL:!MD5;
      # ssl_prefer_server_ciphers on;
      # location / {
      # root html;
      # index index.html index.htm;
      # }
      #}
      To:
      # HTTPS server
      #
      server {
      listen 443;
      server_name Server_FQDN;
      ssl on;
      ssl_certificate /usr/local/nginx/ssl/server.pem;
      ssl_certificate_key /usr/local/nginx/ssl/server.key;
      ssl_session_timeout 5m;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
      ssl_prefer_server_ciphers on;
      # HTTP Strict Transport Security #
      add_header Strict-Transport-Security max-age=63072000;
      # X-Frame-Options header #
      add_header X-Frame-Options SAMEORIGIN;
      location / {
      root /www;
      index index.html index.htm;
      }
      }
      Note: Replace Server_FQDN with the actual server DNS name.
    14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (e.g. eth0):
      iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name.
    15. Remove HTTP access from the Internet on the public interface (e.g. eth0):
      iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name.
    16. Save the IPTables settings:
      service iptables save
    17. Restart the nginx:
      service nginx restart
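A check for the outcome of steps 10 and 11 of the SSL phase, added here as an example and not part of the original guide: it confirms that the first certificate in server.pem belongs to server.key (this fails when the CA chain was concatenated before the server certificate) and that the server certificate chains to the CA certificates that follow it in the file. It assumes a POSIX shell with openssl and awk on the PATH; the file paths are the guide's.

```shell
#!/bin/sh
# check_server_pem.sh: verify the server.pem / server.key pair produced in steps 10 and 11.
# Added example, not part of the original guide. Assumes openssl and awk on the PATH.
# Usage: check_server_pem /usr/local/nginx/ssl/server.key /usr/local/nginx/ssl/server.pem

# Print the RSA modulus fingerprint of the first certificate in PEM file $1.
leaf_modulus() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" \
        | openssl x509 -noout -modulus 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Print the RSA modulus fingerprint of private key $1.
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Return 0 when the first certificate in $2 matches key $1 and chains to the
# certificates that follow it; print the reason and return 1 otherwise.
check_server_pem() {
    key="$1"; pem="$2"
    tmp=$(mktemp -d) || return 2
    # nginx takes the first certificate as the server certificate, the rest as the chain.
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$pem" > "$tmp/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$pem" > "$tmp/chain.pem"
    rc=1
    if [ ! -s "$tmp/leaf.pem" ]; then
        echo "no certificate found in $pem"
    elif [ "$(leaf_modulus "$pem")" != "$(key_modulus "$key")" ]; then
        echo "first certificate in $pem does not match $key (chain concatenated before the server certificate?)"
    elif [ ! -s "$tmp/chain.pem" ]; then
        echo "no CA chain follows the server certificate in $pem"
    elif ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "server certificate in $pem does not chain to the CA certificates that follow it"
    else
        echo "OK: $pem is ordered server certificate first and matches $key"
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
```

Run it before restarting nginx in step 17; a non-zero exit means the service would either fail to start or present the wrong certificate. The chain file must contain the root certificate for `openssl verify` to succeed, which is what the guide's "Root CA chain" provides.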

Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

This document explains the process of installing, configuring and hardening an Apache server from source files on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (not enabled by default), Firefox 24.0 (not enabled by default), Chrome 30, Opera 17, Safari 5.0

Pre-Requirements

      • policycoreutils-python-* package installed
      • setools-libs-* package installed
      • libcgroup-* package installed
      • audit-libs-python-* package installed
      • libsemanage-python-* package installed
      • setools-libs-python-* package installed
      • gcc* package installed
      • gcc-c++* package installed
      • autoconf* package installed
      • automake* package installed
Installation Phase

    1. Login to the server using Root account
    2. Upgrade the Openssl build:
      rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

      yum --enablerepo=axivo update openssl -y

    3. Download Apache source file into /tmp, from:
      http://httpd.apache.org/download.cgi
    4. Download APR and APR-Util source files into /tmp, from:
      https://apr.apache.org/download.cgi
    5. Download PCRE source file into /tmp, from:
      http://sourceforge.net/projects/pcre/files/pcre/
    6. Compile PCRE from source file:

      tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

      mv /tmp/pcre-8.33 /usr/local/pcre

      cd /usr/local/pcre

      ./configure --prefix=/usr/local/pcre

      make

      make install

    7. Extract Apache source files:
      cd /tmp

      tar zxvf httpd-2.4.6.tar.gz

      cd httpd-2.4.6/srclib/

      tar zxvf ../../apr-1.4.8.tar.gz

      ln -s apr-1.4.8/ apr

      tar zxvf ../../apr-util-1.5.2.tar.gz

      ln -s apr-util-1.5.2/ apr-util

    8. Compile the Apache from source files:
      cd /tmp/httpd-2.4.6

      ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

      make

      make install

    9. Remove the source files:
      rm -rf /tmp/apr-1.4.8.tar.gz

      rm -rf /tmp/apr-util-1.5.2.tar.gz

      rm -rf /tmp/httpd-2.4.6.tar.gz

      rm -rf /tmp/httpd-2.4.6

      rm -rf /tmp/pcre-8.33.tar.gz

    10. Remove Default Content:
      rm -rf /opt/httpd/cgi-bin

      rm -rf /opt/httpd/htdocs

      rm -rf /opt/httpd/icons

      rm -rf /opt/httpd/man

      rm -rf /opt/httpd/manual

      rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

      rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-dav.conf

      rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-default.conf

      rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-info.conf

      rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-languages.conf

      rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-manual.conf

      rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

      rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

      rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

      rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

      rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

      rm -rf /opt/httpd/conf/extra/proxy-html.conf

      rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

      rm -rf /opt/httpd/conf/original

    11. Updating Ownership and Permissions on Apache folders:
      chown root:root /opt/httpd/bin/apachectl

      chown root:root /opt/httpd/bin/httpd

      chmod 770 /opt/httpd/bin/apachectl

      chmod 770 /opt/httpd/bin/httpd

      chown -R root:root /opt/httpd

      chmod -R go-r /opt/httpd

      chown -R root:root /opt/httpd/logs

      chmod -R 700 /opt/httpd/logs

    12. Create folder for the web content:
      mkdir -p /www
    13. Updating Ownership and Permissions on the web content folder:
      chown -R root /www

      chmod -R 775 /www

    14. Fix the SELinux security context on the new web folder:
      semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

      restorecon -F -R -v /www

    15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
      From:
      LogLevel warn
      To:
      LogLevel notice

      From:
      DocumentRoot "/opt/httpd/htdocs"
      To:
      DocumentRoot "/www"

      From:
      Listen 80
      To:
      Listen Server_FQDN:80
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ServerAdmin root@localhost
      To:
      ServerAdmin webmaster@mycompany.com
      Note: Replace mycompany.com with the actual Company DNS name.

      From:
      #ServerName www.example.com:80
      To:
      ServerName Server_FQDN
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
      To:
      # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

      From:
      <Directory />
      Options FollowSymLinks
      AllowOverride None
      </Directory>
      To:
      <Directory />
      Options None
      AllowOverride None
      Require all denied
      Order deny,allow
      deny from all
      <LimitExcept GET POST>
      deny from all
      </limitexcept>
      </Directory>

      From:
      <Directory "/opt/httpd/htdocs">
      Options Indexes FollowSymLinks
      AllowOverride None
      </Directory>
      To:
      <Directory "/www">
      Options None
      AllowOverride None
      Require all granted
      Order allow,deny
      Allow from all
      <LimitExcept GET POST>
      deny from all
      </limitexcept>
      </Directory>

    16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
      ScriptAlias

      IndexOptions

      AddIconByEncoding

      AddIconByType

      AddIcon

      DefaultIcon

      ReadmeName

      HeaderName

      IndexIgnore

      LanguagePriority

      ForceLanguagePriority

    17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
      LoadModule cgi_module modules/mod_cgi.so

      LoadModule status_module modules/mod_status.so

      LoadModule info_module modules/mod_info.so

      LoadModule autoindex_module modules/mod_autoindex.so

      LoadModule include_module modules/mod_include.so

      LoadModule userdir_module modules/mod_userdir.so

      LoadModule env_module modules/mod_env.so

      LoadModule negotiation_module modules/mod_negotiation.so

      LoadModule actions_module modules/mod_actions.so

    18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
    19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
      # Configure custom error message:
      ErrorDocument 400 "The requested URL was not found on this server."
      ErrorDocument 401 "The requested URL was not found on this server."
      ErrorDocument 403 "The requested URL was not found on this server."
      ErrorDocument 404 "The requested URL was not found on this server."
      ErrorDocument 405 "The requested URL was not found on this server."
      ErrorDocument 408 "The requested URL was not found on this server."
      ErrorDocument 410 "The requested URL was not found on this server."
      ErrorDocument 411 "The requested URL was not found on this server."
      ErrorDocument 412 "The requested URL was not found on this server."
      ErrorDocument 413 "The requested URL was not found on this server."
      ErrorDocument 414 "The requested URL was not found on this server."
      ErrorDocument 415 "The requested URL was not found on this server."
      ErrorDocument 500 "The requested URL was not found on this server."
      # Configure Server Tokens
      ServerTokens Prod
      # Disable Server Signature
      ServerSignature Off
      # Disable Tracing
      TraceEnable Off
      # Maximum size of the request body.
      LimitRequestBody 25000
      # Maximum number of request headers in a request.
      LimitRequestFields 40
      # Maximum size of request header lines.
      LimitRequestFieldSize 4000
      # Maximum size of the request line.
      LimitRequestLine 4000
      MaxRequestsPerChild 10000
      # Configure clickjacking protection
      Header always append X-Frame-Options SAMEORIGIN
    20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
      From:
      #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
      To:
      #define AP_SERVER_BASEVENDOR "Restricted server"

      From:
      #define AP_SERVER_BASEPROJECT "Apache HTTP Server"
      To:
      #define AP_SERVER_BASEPROJECT "Secure Web Server"

      From:
      #define AP_SERVER_BASEPRODUCT "Apache"
      To:
      #define AP_SERVER_BASEPRODUCT "Secure Web Server"

    21. Download the Apache boot script into /tmp from:
      http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
    22. Extract and install the Apache boot script:
      cd /tmp/

      tar xvjf blfs-bootscripts-20131023.tar.bz2

      cd /tmp/blfs-bootscripts-20131023

      make install-httpd

    23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
      From:
      /usr/sbin/apachectl
      To:
      /opt/httpd/bin/apachectl

      From:
      log_info_msg
      To:
      echo

      From:
      evaluate_retval
      To:
      #evaluate_retval

    24. Configure the Apache to start automatically:
      chkconfig httpd on
    25. Configure IPTables:
      service iptables stop

      iptables -P INPUT DROP

      iptables -A INPUT -i lo -j ACCEPT

      iptables -A OUTPUT -o lo -j ACCEPT

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
      iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
      Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
    27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    28. Save the IPTables settings:
      service iptables save
    29. Start the Apache daemon:
      service httpd start
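The IPTables steps of both guides (25 to 28 here and 28 to 31 in the NGINX guide, plus the HTTPS steps of both SSL phases) as one re-runnable script, added here as an example and not part of the original guides. Running the guides' plain `-A` lines a second time appends duplicate rules, and the `-D` in the SSL phase removes only one copy, so the script checks with `-C` before appending and loops on deletion. It assumes iptables on the PATH (overridable through the IPTABLES variable for a dry run) and the same placeholder values as the guides; `-C` needs iptables 1.4.11 or later, which the stock CentOS 6 package (1.4.7) predates, so on an unpatched 6.4 host the guides' flush-and-rebuild sequence remains the way to apply the rules.

```shell
#!/bin/sh
# web_firewall.sh: the IPTables rules of the NGINX and Apache guides as a re-runnable script.
# Added example, not part of the original guides. Assumes iptables on the PATH (set
# IPTABLES to another command for a dry run) and the guides' placeholder values below.
IPTABLES="${IPTABLES:-iptables}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"   # replace with the internal segment and mask
PUBLIC_IF="${PUBLIC_IF:-eth0}"               # replace with the public interface name

# Append a rule to chain $1 only if an identical rule is not already there;
# the guides' plain -A lines add a duplicate every time they are re-run.
ensure_rule() {
    chain="$1"; shift
    if ! "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -A "$chain" "$@"
    fi
}

# Delete every copy of a rule from chain $1 (-D removes only one match per call).
drop_rule() {
    chain="$1"; shift
    while "$IPTABLES" -C "$chain" "$@" 2>/dev/null; do
        "$IPTABLES" -D "$chain" "$@"
    done
}

# Installation phase: default-drop inbound, loopback, established flows, SSH from inside.
apply_base_rules() {
    "$IPTABLES" -P INPUT DROP
    ensure_rule INPUT -i lo -j ACCEPT
    ensure_rule OUTPUT -o lo -j ACCEPT
    ensure_rule INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule INPUT -m state --state NEW -p tcp --dport 22 -s "$INTERNAL_NET" -j ACCEPT
}

# "http" opens port 80 on the public interface (installation phase); "https" opens 443
# and closes 80 again (SSL configuration phase).
apply_web_rules() {
    case "$1" in
        http)
            ensure_rule INPUT -m state --state NEW -p tcp --dport 80 -i "$PUBLIC_IF" -j ACCEPT ;;
        https)
            ensure_rule INPUT -m state --state NEW -p tcp --dport 443 -i "$PUBLIC_IF" -j ACCEPT
            drop_rule INPUT -m state --state NEW -p tcp --dport 80 -i "$PUBLIC_IF" -j ACCEPT ;;
        *)
            echo "usage: apply_web_rules http|https" >&2; return 2 ;;
    esac
}
```

Source the file and call `apply_base_rules` followed by `apply_web_rules http` during installation and `apply_web_rules https` once the certificate is in place; `service iptables save` is still needed afterwards, exactly as in the guides. The script does not flush existing rules the way `service iptables stop` does, so anything already in the chains stays.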

SSL Configuration Phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /opt/httpd/conf/ssl

      chmod 600 /opt/httpd/conf/ssl

    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
      Note: Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/apache.csr to a Certificate Authority server.
    6. As soon as you receive the signed certificate from the CA server via email, copy all lines from the one starting with “Begin” to the one ending with “End” (including those two lines) into Notepad and save the file as /opt/httpd/conf/ssl/server.crt
    7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
    8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
      From:
      Listen Server_FQDN:80
      To:
      Listen Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ServerName Server_FQDN
      To:
      ServerName Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      #Include conf/extra/httpd-ssl.conf
      To:
      Include conf/extra/httpd-ssl.conf

      From:
      #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
      To:
      LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

    9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
      From:
      SSLCertificateFile "/opt/httpd/conf/server.crt"
      To:
      SSLCertificateFile /opt/httpd/conf/ssl/server.crt

      From:
      SSLCertificateKeyFile "/opt/httpd/conf/server.key"
      To:
      SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

      From:
      #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"
      To:
      SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

      From:
      SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
      To:
      SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

      From:
      #SSLHonorCipherOrder on
      To:
      SSLHonorCipherOrder On

      From:
      Listen @@SSLPort@@
      To:
      Listen Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      DocumentRoot "/opt/httpd/htdocs"
      To:
      DocumentRoot "/www"

      From:
      ServerName www.example.com:@@SSLPort@@
      To:
      #ServerName www.example.com:@@SSLPort@@

      From:
      ServerAdmin you@example.com
      To:
      ServerAdmin webmaster@mycompany.com
      Note: Replace mycompany.com with the actual Company DNS name.

      From:
      <VirtualHost _default_:@@SSLPort@@>
      To:
      <VirtualHost _default_:443>

    10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
      # Disable SSLv2
      SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
      # Disable SSL Compression
      SSLCompression Off
    11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
    12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    14. Save the IPTables settings:
      service iptables save
    15. Restart the Apache service:
      service httpd restart
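A post-hardening check that serves both the NGINX configuration (server_tokens in step 23 and the Strict-Transport-Security and X-Frame-Options headers in the HTTPS server block) and the Apache settings (ServerTokens, ServerSignature and X-Frame-Options in step 19): it audits a captured HTTPS response header block for a Server header that still names the software or a version, for a missing HSTS header and for a missing or weak X-Frame-Options value. Added example, not code from either guide; it assumes POSIX sh with awk and tr, and curl for the live helper. The Apache guide does not add HSTS, so on an Apache host the HSTS finding points at a header to add with `Header always set Strict-Transport-Security "max-age=63072000"` in the SSL virtual host.

```shell
#!/bin/sh
# audit_headers.sh: check a captured HTTP response header block against the hardening
# settings of the NGINX guide (server_tokens, HSTS and X-Frame-Options in the HTTPS block)
# and the Apache guide (ServerTokens, ServerSignature, X-Frame-Options in step 19).
# Added example, not part of either guide. Assumes POSIX sh with awk and tr; the live
# helper also needs curl.
# Usage: curl -sI https://Server_FQDN/ | audit_headers

# Print the value of header $1 (case-insensitive) from the header block on stdin.
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/\r$/, "") }
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# Audit the header block on stdin: print one FINDING line per problem and return the
# number of findings, so 0 means the response looks hardened.
audit_headers() {
    hdrs=$(cat)
    findings=0

    # The guides patch the banner to "Secure Web Server" and switch tokens off, so a
    # product name or version number here means the patch or directive did not take.
    server=$(printf '%s\n' "$hdrs" | header_value Server)
    case "$server" in
        *nginx*|*Apache*|*[0-9].[0-9]*)
            echo "FINDING: Server header leaks software or version: '$server'"
            findings=$((findings + 1)) ;;
    esac

    # HSTS is only meaningful on the HTTPS response; NGINX adds it, the Apache guide does not.
    hsts=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
    case "$hsts" in
        *max-age=*) ;;
        *) echo "FINDING: Strict-Transport-Security missing or without max-age"
           findings=$((findings + 1)) ;;
    esac

    # Both guides set X-Frame-Options SAMEORIGIN against clickjacking.
    xfo=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    case "$xfo" in
        DENY|SAMEORIGIN) ;;
        *) echo "FINDING: X-Frame-Options missing or not DENY/SAMEORIGIN: '$xfo'"
           findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Fetch and audit a live server (the certificate chain must verify; no -k).
audit_url() {
    curl -sI --max-time 10 "$1" | audit_headers
}
```

Run `audit_url https://Server_FQDN/` after the restart in step 15 (or step 17 of the NGINX guide); the exit status is the number of findings, which makes it usable from a deployment check.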

Hardening guide for Postfix 2.x

    1. Make sure Postfix is running under a non-root account:
      ps aux | grep postfix | grep -v '^root'
    2. Change permissions and ownership on the destinations below:
      chmod 755 /etc/postfix
      chmod 644 /etc/postfix/*.cf
      chmod 755 /etc/postfix/postfix-script*
      chmod 755 /var/spool/postfix
      chown root:root /var/log/mail*
      chmod 600 /var/log/mail*
    3. Edit using VI the file /etc/postfix/main.cf and make the following changes:
      • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
        myhostname = myserver.example.com
      • Configure network interface addresses that the Postfix service should listen on, for example:
        inet_interfaces = 192.168.1.1
      • Configure Trusted Networks, for example:
        mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
      • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
        myorigin = example.com

      • Configure the SMTP domain destination, for example:
        mydomain = example.com
      • Configure to which SMTP domains to relay messages to, for example:
        relay_domains = example.com
      • Configure SMTP Greeting Banner:
        smtpd_banner = $myhostname
      • Limit Denial of Service Attacks:
        default_process_limit = 100
        smtpd_client_connection_count_limit = 10
        smtpd_client_connection_rate_limit = 30
        queue_minfree = 20971520
        header_size_limit = 51200
        message_size_limit = 10485760
        smtpd_recipient_limit = 100
    4. Restart the Postfix daemon:
      service postfix restart
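The following script is an added example and is not part of the original guide: it audits a Postfix main.cf against the parameters and limits of steps 2-3 above, reporting parameters that are missing, limits above the recommended ceiling, and values that defeat the purpose of the setting (inet_interfaces = all, a mynetworks that trusts the whole Internet, a banner that still expands $mail_name). It reads the file directly rather than calling postconf, so it can also be run against a copied main.cf on a workstation; it assumes plain "key = value" lines with no continuation lines and, like Postfix, lets the last occurrence of a parameter win. The function names (pf_get, audit_postfix_main_cf, is_integer) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit a Postfix main.cf against the
# hardening values from steps 2-3 above. Reads the file directly (no postconf call).
# Assumption: plain "key = value" lines, no continuation lines, last occurrence wins
# (which is how Postfix itself resolves duplicate parameters).

# pf_get FILE KEY: print the effective value of KEY, or nothing if it is unset.
pf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# is_integer STRING: 0 if STRING is a non-empty run of digits.
is_integer() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Parameters step 3 says must be set explicitly.
PF_REQUIRED="myhostname inet_interfaces mynetworks myorigin mydomain relay_domains smtpd_banner"
# Resource ceilings from step 3; a larger value is a finding.
PF_CEILINGS="default_process_limit=100 smtpd_client_connection_count_limit=10 \
smtpd_client_connection_rate_limit=30 header_size_limit=51200 \
message_size_limit=10485760 smtpd_recipient_limit=100"
# queue_minfree is a floor: Postfix stops accepting mail when free queue space drops below it.
PF_QUEUE_MINFREE=20971520

# audit_postfix_main_cf FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_postfix_main_cf() {
  cf=$1; findings=0
  for key in $PF_REQUIRED; do
    if [ -z "$(pf_get "$cf" "$key")" ]; then
      echo "MISSING: $key is not set"; findings=$((findings + 1))
    fi
  done
  for pair in $PF_CEILINGS; do
    key=${pair%=*}; max=${pair#*=}; val=$(pf_get "$cf" "$key")
    if [ -z "$val" ]; then
      echo "MISSING: $key is not set (recommended <= $max)"; findings=$((findings + 1))
    elif ! is_integer "$val"; then
      echo "BAD VALUE: $key = '$val' is not a plain integer"; findings=$((findings + 1))
    elif [ "$val" -gt "$max" ]; then
      echo "TOO HIGH: $key = $val (recommended <= $max)"; findings=$((findings + 1))
    fi
  done
  val=$(pf_get "$cf" queue_minfree)
  if ! is_integer "$val" || [ "$val" -lt "$PF_QUEUE_MINFREE" ]; then
    echo "LOW: queue_minfree = '${val:-unset}' (recommended >= $PF_QUEUE_MINFREE)"
    findings=$((findings + 1))
  fi
  # Value checks: the point of these parameters is not merely that they exist.
  case "$(pf_get "$cf" inet_interfaces)" in
    all) echo "EXPOSED: inet_interfaces = all listens on every address"; findings=$((findings + 1)) ;;
  esac
  case "$(pf_get "$cf" mynetworks)" in
    *0.0.0.0/0*) echo "OPEN RELAY: mynetworks trusts 0.0.0.0/0"; findings=$((findings + 1)) ;;
  esac
  case "$(pf_get "$cf" smtpd_banner)" in
    *'$mail_name'*|*'$mail_version'*)
      echo "INFO LEAK: smtpd_banner reveals the software name or version"; findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Usage: sh postfix-audit.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then audit_postfix_main_cf "$1"; fi
```

Run it against the live file after step 3 and again after the restart in step 4; an empty report and exit status 0 mean every parameter from the list is present and within the recommended bounds. The ceilings are exactly the values quoted above, so tighten the PF_CEILINGS table if your own policy is stricter.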

    Hardening guide for BIND9 (Debian platform)

    1. Make sure BIND is running under a non-root account (on Debian the daemon should run as the bind user):
      ps aux | grep bind | grep -v '^root'
    2. Change permissions and ownership on the destinations below:
      chown -R root:bind /etc/bind
      chown root:bind /etc/bind/named.conf*
      chmod 640 /etc/bind/named.conf*
    3. Edit the file /etc/bind/named.conf.options using vi and add the following settings inside the “options” section:
      • Add the line below to replace the DNS version string reported for version.bind queries:
        version "Secured DNS server";
        Note: In order to test, run the command below:
        dig +short @localhost version.bind chaos txt
      • Add the line below to restrict recursive queries to trusted clients:
        allow-recursion { localhost; 192.168.0.0/24; };
        Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
        Note 2: In order to test, run the command below from a client (a lookup for a name outside your own zones should succeed only from the trusted segments):
        nslookup www.google.com
      • Add the line below to restrict query origins to trusted clients:
        allow-query { localhost; 192.168.0.0/24; };
        Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      • Add the line below to hide the nameserver ID (the answer to hostname.bind and id.server chaos queries):
        server-id none;
      • Add the line below to restrict which hosts can perform zone transfers:
        allow-transfer { 192.168.1.1; };
        Note: Replace 192.168.1.1 with the trusted DNS server.
      • Add the line below to restrict the DNS server to listen on specific interfaces only:
        listen-on port 53 { 127.0.0.1; 192.168.1.1; };
        Note: Replace 192.168.1.1 with the IP address of the DNS server.
    4. Restart the DNS daemon:
      service bind9 restart
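The script below is an added example, not part of the original guide: it evaluates a BIND address-match list (the text between the braces of allow-recursion, allow-query or allow-transfer in step 3) against a client address, using BIND's first-match rule, so you can confirm which clients an ACL really admits before restarting the daemon in step 4. It is IPv4 only, and it approximates the built-in "localhost" element as 127.0.0.0/8 (in BIND, localhost matches every address on the server's own interfaces, which a stand-alone script cannot know). The demonstration at the bottom runs the guide's own sample values against constructed client addresses; taken literally, allow-recursion { localhost; 192.168.0.0/24; } refuses a client on 192.168.1.0/24, the segment the sample listen-on address sits on, which is why Note 1 tells you to replace the segment. The function names (ip_to_int, cidr_match, acl_allows, acl_report) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: evaluate a BIND address-match list
# against client addresses. Assumptions: IPv4 only; "localhost" approximated as
# 127.0.0.0/8; "any", "none" and "!" negation follow BIND's first-match semantics.

# ip_to_int A.B.C.D: print the address as a 32-bit integer (subshell body so the
# IFS change does not leak into the caller).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_match NETWORK[/BITS] ADDRESS: 0 if ADDRESS lies inside the prefix.
cidr_match() {
  net=${1%/*}
  case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# acl_allows "ACL" CLIENT: 0 if CLIENT is admitted. ACL is the text between the
# braces, e.g. "localhost; 192.168.0.0/24;". The first matching element decides; an
# element prefixed with "!" denies; no match at all means deny.
acl_allows() {
  list=$(printf '%s' "$1" | tr ';' ' ')
  client=$2
  neg=0
  for elem in $list; do
    case "$elem" in
      '!')  neg=1; continue ;;          # "! 10.0.0.0/8" written with a space
      '!'*) neg=1; elem=${elem#!} ;;
    esac
    verdict=$neg; neg=0                 # 0 = allow, 1 = deny, if this element matches
    case "$elem" in
      any)       return "$verdict" ;;
      none)      continue ;;            # matches nothing, so it never decides
      localhost) elem=127.0.0.0/8 ;;    # approximation, see header comment
    esac
    if cidr_match "$elem" "$client"; then
      return "$verdict"
    fi
  done
  return 1
}

# acl_report NAME "ACL" CLIENT...: print one allowed/denied line per client.
acl_report() {
  name=$1; acl=$2; shift 2
  for c in "$@"; do
    if acl_allows "$acl" "$c"; then
      echo "$name: $c -> allowed"
    else
      echo "$name: $c -> denied"
    fi
  done
}

# Demonstration with the guide's sample values and constructed client addresses.
# With allow-recursion taken literally from step 3, a client on 192.168.1.0/24 (the
# segment the sample listen-on address lives on) is refused recursion.
acl_report allow-recursion "localhost; 192.168.0.0/24;" 127.0.0.1 192.168.0.25 192.168.1.50 203.0.113.7
acl_report allow-transfer  "192.168.1.1;" 192.168.1.1 192.168.1.2
```

Paste the contents of your own braces into acl_report with the addresses of a trusted client, the secondary DNS server and an arbitrary Internet address; the expected picture is that recursion and queries are allowed only from the internal segments and zone transfers only from the secondary, which is the state the three directives in step 3 are meant to produce.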

    Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

    Thought that SSL + TLS are the magic words?? Think again!

    http://www.isg.rhul.ac.uk/tls/

    Roy Coren
    Security Specialist
    Roy Coren AT gmail

    Most Aggressively Spreading Malware Binaries

    Hello again!
    With that live list you can search various sites for the MD5 file names and keep updated on what malware is spreading in your network and how.
    This site is my bible for malware searching and fighting.

    http://mtc.sri.com/live_data/binaries/

    HAPPY NEW YEAR!
    Roy Coren
    Security Specialist
    Roycoren AT gmail.com
