Archive for the ‘Nginx’ Category

Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by default on Unix platforms as an RPM or package (RedHat, Solaris, etc.).
The guide below explains how to generate a key store for digital certificates, generate a private key and a self-signed SSL certificate for web servers, and export/convert the key store to a PFX file (for importing to the Windows platform).
The guide below was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin); however, the same syntax should work the same on the Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command below to generate a new key store called “server.key”:
    openssl genrsa -des3 -out /tmp/server.key 1024
  3. Run the commands below to request a new SSL certificate:
    openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command below to back up the key store file that has a password:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command below to generate a new key store without a password:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command below only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command below only if you need to export a key store (without a password) to a PFX file (for importing to the Windows platform):
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

  • server.key – Key store file
  • server.crt – Server SSL public key file
  • no.pwd.server.key – Key store file (without a password)
  • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
  • server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)
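The procedure above as one script, added here as an example and not taken from the original post: it generates the key and self-signed certificate, checks that the certificate really belongs to the private key, prints the CN and SHA-256 fingerprint a client would have to trust out of band, and exports the PFX. The scratch directory WORKDIR, the CN www.example.test, the 2048-bit key with SHA-256 (the post uses 1024-bit/SHA-1, which current browsers no longer accept) and the PFX_PASS variable for the export password are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: generate an RSA key and a
# self-signed certificate, confirm the pair belongs together, and export a
# PKCS#12 (PFX) bundle. Constructed choices: a scratch WORKDIR, a 2048-bit key
# with SHA-256 (the post uses 1024-bit/SHA-1), and PFX_PASS for the export
# password so nothing is typed interactively.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"

# Generate an unencrypted private key and a self-signed certificate in one
# call (steps 2 and 3 of the post; -nodes leaves out the DES3 pass phrase,
# so the key file is protected by its permissions instead).
gen_selfsigned() {
    cn="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# True when the public key inside server.crt is the one derived from
# server.key (a mismatched pair is the usual cause of a TLS handshake failure
# after a certificate has been replaced).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Subject CN of the certificate, the name a client compares against the host
# it connected to.
cert_cn() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject 2>/dev/null \
        | sed 's/.*CN *= *//'
}

# True when the certificate is still valid for at least $1 seconds.
cert_valid_for() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkend "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint, the value to compare out of band when a client has to
# trust a self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^[^=]*=//'
}

# Export key and certificate as server.pfx for import on Windows (step 7 of
# the post). The PFX is password-protected because it carries the private key.
export_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/server.crt" -inkey "$WORKDIR/server.key" \
        -out "$WORKDIR/server.pfx" -passout "pass:$PFX_PASS" 2>/dev/null
}

# True when the PFX opens with PFX_PASS and contains a certificate.
pfx_contains_cert() {
    openssl pkcs12 -in "$WORKDIR/server.pfx" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; return 1; }
    gen_selfsigned "www.example.test" 365
    key_matches_cert && echo "key and certificate match"
    echo "subject CN:  $(cert_cn)"
    echo "fingerprint: $(cert_fingerprint)"
    cert_valid_for 86400 && echo "certificate valid for at least one more day"
    export_pfx
    pfx_contains_cert && echo "server.pfx exported to $WORKDIR"
}

main "$@"
```

Run it as `sh selfsigned.sh`; set WORKDIR and PFX_PASS in the environment to control where the files land and which password protects the PFX. The key/certificate comparison is worth keeping as a standing check, since it catches the most common mistake when a certificate is renewed against the wrong key.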

IPv6 – Problem and some solutions

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). It uses 32-bit addresses, meaning about 4 billion addresses are available, and about 94 percent of them have already been allocated. There is a new system, however, called IPv6. It uses 128-bit addresses, so the number of available addresses skyrockets.
It is time to start migration from IPv4 to IPv6.

Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

How to implement SSL on Nginx 0.7.65

Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition).

SSL implementation phase

  1. Log in to the server using the root account.
  2. Create a folder for the SSL certificate files:
    mkdir -p /usr/local/nginx/ssl
    chmod 600 /usr/local/nginx/ssl
  3. Run the command below to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
    Specify a complex pass phrase for the private key (and document it)
  4. Run the command below to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/nginx.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link in the email from the CA server to create the Root CA chain, and save it as “ca-bundle.crt” (Note: the file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
    Note: The command above should be written as one line.
  11. Remove the original server.crt and ca-bundle.crt files:
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  12. Edit the file /usr/local/nginx/conf/nginx.conf using vi and replace the section below from:
    # HTTPS server
    #
    #server {
    # listen 443;
    # server_name localhost;

    # ssl on;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_timeout 5m;

    # ssl_protocols SSLv2 SSLv3 TLSv1;
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # ssl_prefer_server_ciphers on;

    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    server {
        listen 443;
        server_name Server_FQDN;
        ssl on;
        ssl_certificate /usr/local/nginx/ssl/server.pem;
        ssl_certificate_key /usr/local/nginx/ssl/server.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /www;
            index index.html index.htm;
        }
    }

  13. Restart the Nginx service:
    /etc/init.d/nginx restart
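Two details of steps 3 to 10 are worth checking with a script before the certificate goes live, so here is an added example (not part of the original guide, and using a throw-away local CA in place of the real certificate authority). First, `openssl req -new -newkey` in step 4 writes a fresh key to the `-keyout` path, so it replaces the key generated in step 3; the example therefore uses the single-step form only. Second, nginx reads the first certificate in the `ssl_certificate` file as the server certificate and everything after it as the chain, so the combined file has to start with server.crt and end with ca-bundle.crt, the reverse of the `cat` order in step 10. The script builds the bundle in the order nginx expects, then verifies that the first certificate belongs to server.key and that it chains to the CA bundle. WORKDIR, the CA name and the FQDN are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a throw-away CA and a
# CA-signed server certificate, then check the combined PEM file the way nginx
# reads it. nginx takes the FIRST certificate in the ssl_certificate file as the
# server certificate and the rest as the chain, so server.crt must precede
# ca-bundle.crt. WORKDIR, the CA name and the FQDN are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Stand-in for steps 3-9: a local root CA issues the server certificate.
# "openssl req -new -newkey" writes a fresh key to -keyout, which is why a
# separate genrsa run is not needed (it would be overwritten by this call).
make_test_pki() {
    fqdn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Test Root CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca-bundle.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca-bundle.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -sha256 -days 1 \
        -out "$WORKDIR/server.crt" 2>/dev/null
    chmod 600 "$WORKDIR/server.key" "$WORKDIR/ca.key"
}

# Print the n-th certificate ($2, 1-based) of the PEM file $1.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { c++ }
        c == n                        { print }
        /-----END CERTIFICATE-----/   { if (c == n) exit }' "$1"
}

# Number of certificates in a PEM file (server certificate + chain).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build server.pem in the order nginx expects: server certificate first,
# then the CA chain (step 10 of the guide concatenates the other way round).
build_bundle() {
    cat "$WORKDIR/server.crt" "$WORKDIR/ca-bundle.crt" > "$WORKDIR/server.pem"
}

# True when the first certificate in bundle $1 carries the public key that
# belongs to private key $2, i.e. the file starts with the server certificate.
first_cert_matches_key() {
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    crt_pub=$(nth_cert "$1" 1 | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True when the first certificate in bundle $1 validates against CA file $2.
chain_verifies() {
    nth_cert "$1" 1 | openssl verify -CAfile "$2" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; return 1; }
    make_test_pki "www.example.test"
    build_bundle
    echo "certificates in server.pem: $(cert_count "$WORKDIR/server.pem")"
    if first_cert_matches_key "$WORKDIR/server.pem" "$WORKDIR/server.key"; then
        echo "OK: server.pem starts with the certificate for server.key"
    else
        echo "WRONG ORDER: the first certificate in server.pem is not the server certificate" >&2
        return 1
    fi
    if chain_verifies "$WORKDIR/server.pem" "$WORKDIR/ca-bundle.crt"; then
        echo "OK: server certificate chains to ca-bundle.crt"
    else
        echo "FAIL: server certificate does not chain to ca-bundle.crt" >&2
        return 1
    fi
}

main "$@"
```

On a real server, run `first_cert_matches_key /usr/local/nginx/ssl/server.pem /usr/local/nginx/ssl/server.key` against the files from steps 3 to 10 before the restart in step 13; a bundle that starts with the CA certificate fails this check and nginx will refuse to start with a key/certificate mismatch.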

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Nginx environment, install the following RPMs:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Download Nginx 0.7.65 from:
    http://wiki.nginx.org/NginxInstall
  6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the nginx-0.7.65.tar.gz file:
    tar -zxvf nginx-0.7.65.tar.gz
  9. Move to the Nginx source folder:
    cd /tmp/nginx-0.7.65
  10. Edit the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c using vi and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
  11. Run the commands below to compile the Nginx environment:
    ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

    make

    make install

  12. Remove the Nginx source files:
    rm -rf /tmp/nginx-0.7.65
    rm -f /tmp/nginx-0.7.65.tar.gz
  13. Remove the default content:
    rm -rf /usr/local/nginx/html
  14. Update ownership and permissions on the Nginx folders:
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs
  15. Create a folder for the web content:
    mkdir -p /www
  16. Update ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  17. Edit the file /usr/local/nginx/conf/nginx.conf using vi and change the following settings:
    From:
    #user nobody;
    To:
    user nginx nginx;

    From:
    #error_log logs/error.log notice;
    To:
    error_log logs/error.log notice;

    From:
    server_name localhost;
    To:
    server_name Server_FQDN;

    From:
    root html;
    To:
    root /www;

  18. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  19. Create the file /etc/init.d/nginx using vi with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
        # Refuse to start if the binary or the configuration file is missing.
        [ -x $nginx ] || exit 5
        [ -f $NGINX_CONF_FILE ] || exit 6
        echo -n $"Starting $prog: "
        daemon $nginx -c $NGINX_CONF_FILE
        retval=$?
        echo
        [ $retval -eq 0 ] && touch $lockfile
        return $retval
    }

    stop() {
        echo -n $"Stopping $prog: "
        killproc $prog -QUIT
        retval=$?
        echo
        [ $retval -eq 0 ] && rm -f $lockfile
        return $retval
    }

    restart() {
        # Validate the configuration before taking the running server down.
        configtest || return $?
        stop
        sleep 1
        start
    }

    reload() {
        configtest || return $?
        echo -n $"Reloading $prog: "
        killproc $nginx -HUP
        RETVAL=$?
        echo
    }

    force_reload() {
        restart
    }

    configtest() {
        $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
        status $prog
    }

    rh_status_q() {
        rh_status >/dev/null 2>&1
    }

    case "$1" in
        start)
            rh_status_q && exit 0
            $1
            ;;
        stop)
            rh_status_q || exit 0
            $1
            ;;
        restart|configtest)
            $1
            ;;
        reload)
            rh_status_q || exit 7
            $1
            ;;
        force-reload)
            force_reload
            ;;
        status)
            rh_status
            ;;
        condrestart|try-restart)
            rh_status_q || exit 0
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
            exit 2
    esac

  20. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  21. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  22. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  23. Uninstall the following RPMs:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5
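A check for steps 17 and 18, added here as an example and not part of the original guide: a small auditor that reads an nginx.conf, ignores commented-out lines (so the stock `#user nobody;` does not count as a `user` directive) and reports which of the expected hardening directives are missing or set to a different value. The two configuration files it writes are constructed for the demonstration; on a real server point `audit_conf` at /usr/local/nginx/conf/nginx.conf. One caveat the auditor cannot see: `server_tokens` and the buffer and timeout directives are only valid inside the http, server or location contexts, so the hardened sample places them inside `http { }` rather than at the very end of the file, and `nginx -t` (the `configtest` action of the init script in step 19) is what catches a directive placed outside its context.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an nginx.conf for the
# directives steps 17 and 18 expect. Both configuration files written below are
# constructed for the demonstration; on a real server run
# "audit_conf /usr/local/nginx/conf/nginx.conf".
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Directive values the guide sets (step 17: user; step 18: the rest).
EXPECTED="user=nginx nginx
server_tokens=off
client_body_buffer_size=1K
client_header_buffer_size=1k
client_max_body_size=1k
large_client_header_buffers=2 1k
client_body_timeout=10
client_header_timeout=10
send_timeout=10"

# First active value of directive $2 in config $1. Comments are stripped first
# so the stock "#user nobody;" line does not pass as a user directive.
directive_value() {
    sed -n -e 's/#.*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Compare every expected directive with the config; prints one finding per
# line and returns the number of missing or differing directives (0 = clean).
audit_conf() {
    conf="$1"; bad=0
    while IFS='=' read -r name want; do
        have=$(directive_value "$conf" "$name")
        if [ "$have" = "$want" ]; then
            echo "ok       $name $want"
        else
            echo "MISSING  $name (want '$want', have '${have:-<unset>}')"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Number of findings as a string, for scripting around audit_conf.
mismatch_count() {
    audit_conf "$1" | grep -c '^MISSING' || true
}

write_samples() {
    # Constructed: the stock nginx.conf defaults, nothing hardened.
    cat > "$WORKDIR/default.conf" <<'EOF'
#user  nobody;
worker_processes  1;
#error_log  logs/error.log  notice;
events { worker_connections  1024; }
http {
    server {
        listen       80;
        server_name  localhost;
        location / { root   html; index  index.html index.htm; }
    }
}
EOF
    # Constructed: the same file after steps 17 and 18, with the step 18
    # directives inside the http context where nginx accepts them.
    cat > "$WORKDIR/hardened.conf" <<'EOF'
user nginx nginx;
worker_processes  1;
error_log  logs/error.log  notice;
events { worker_connections  1024; }
http {
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    server {
        listen       80;
        server_name  www.example.test;
        location / { root   /www; index  index.html index.htm; }
    }
}
EOF
}

main() {
    write_samples
    for f in default.conf hardened.conf; do
        echo "== $f"
        audit_conf "$WORKDIR/$f" || echo "-> $? directive(s) need attention"
    done
}

main "$@"
```

The checker is deliberately line-oriented: it tells you whether a directive is present and what value it carries, which is enough to catch a forgotten step, while the context rules stay with `nginx -t`.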