Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working in Linux Fedora Systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is the way that many depend on.

All the posts here are my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Tuesday, March 29, 2011

SSL Certificate Generation in Fedora

If you are using TLS for your web/mail server, you need to generate a certificate for the server. SSL certificates can be generated using the openssl command.
The following is the sequence of commands that I executed to generate a .key, a .csr and a self-signed certificate (.crt).
  1. Generate the private key
    openssl genrsa -des3 -out server.key 4096
    When generating the private key, it will prompt for a passphrase; enter a passphrase for security purposes. This passphrase is required in many situations, including service restart. If you feel this is too much, you can disable the passphrase later (as given below).
  2. Generate the certificate request (i.e. .csr)
    openssl req -new -key server.key -out server.csr
    This request can be forwarded to the CA to generate a certificate.
  3. Generate the self-signed certificate using the above generated .csr and .key
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  4. If you want to remove the passphrase of the .key file, use the following command
    openssl rsa -in server.key -out server.key.insecure
    This is done because if the .key file needs a passphrase to use, the passphrase will be prompted for whenever the service is started. In some services, there is a configuration parameter to hard-code the passphrase. If it is set, it will be used by the service whenever required (I have noticed this scenario in dovecot

If you want to view the contents of a PEM format file, use the following command:
    openssl x509 -text -noout -in server.pem

Verifying the certificates and private keys

Certificate (.crt):
openssl x509 -noout -modulus -in server_certificate.crt | openssl md5

Certificate Request (.csr):
openssl req -noout -modulus -in server_certificate_request.csr | openssl md5

Private Key (.key):
openssl rsa -noout -modulus -in server.key | openssl md5

Compare the outputs (MD5 hashes) of the above commands: the certificate, the request and the private key belong together only if the hashes are identical.
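
The comparison above can be scripted so that a mismatch or an unreadable file is caught instead of being eyeballed. This is an added example, not part of the original post; the function names and the throwaway test files are assumptions, and SHA-256 is used in place of MD5 as the comparison digest.

```shell
#!/bin/sh
# Added example: check that a key, CSR and certificate share one RSA modulus.
# SHA-256 stands in for MD5 here; the digest is only compared for equality.

# Print the digest of the modulus in FILE ($2), where KIND ($1) is key, csr or crt.
# Fails (instead of hashing empty input) when openssl cannot read the file.
modulus_digest() {
    case "$1" in
        key) m=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        csr) m=$(openssl req  -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        crt) m=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when all three files carry the same modulus.
check_match() {
    k=$(modulus_digest key "$1") || return 1
    r=$(modulus_digest csr "$2") || return 1
    c=$(modulus_digest crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway key, CSR and self-signed certificate
# (2048-bit, no passphrase, so the demo stays quick and non-interactive).
make_set() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1.csr" -signkey "$1.key" \
        -out "$1.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_set "$d/a" a.example.test && make_set "$d/b" b.example.test &&
        check_match "$d/a.key" "$d/a.csr" "$d/a.crt" && echo "set a: match"
    check_match "$d/b.key" "$d/a.csr" "$d/a.crt" || echo "b.key vs set a: MISMATCH"
    rm -rf "$d"
}
demo || echo "demo failed (is openssl installed?)"
```

With a passphrase-protected key such as the server.key generated above, openssl prompts for the passphrase when the key's modulus is read.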

PKCS12 file (.p12):
openssl pkcs12 -info -in keyStore.p12




Worth reading:
http://goodsarves.blogspot.com/2011/03/creating-certificate-authorities-and.html
http://www.sslshopper.com/article-most-common-openssl-commands.html

Tuesday, March 15, 2011

Add Grub Password After Linux Installation

Setting a GRUB password after installing a Linux OS is done as follows:
  • Log in as root and execute the 'grub' command in a terminal/konsole. The prompt will change to 'grub>'. Execute md5crypt to generate the password hash.
grub> md5crypt
  • It will prompt you for a password; enter the password which you are going to set for GRUB. It will display the encrypted password hash.
Password: ******
Encrypted: $1$jxcdN0$hVHViq1aiPf8FziuGJGZp0
  • Note down the encrypted password hash and exit grub mode:
grub> quit
  • Edit the /boot/grub/grub.conf file and insert the encrypted password between the "splashimage" and "title" lines.
E.g.
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 <encrypted password hash>

title Fedora X

Reference:
http://www.linuxforums.org/forum/red-hat-fedora-linux/69395-add-grub-password-after-installation.html

Monday, March 14, 2011

chroot for BIND 9

There may be permission issues when using bind-chroot.

Example log entry in the named log file:

general: error: dumping master file: tmp-tAj6kdgzCl: open: permission denied
xfer-in: error: transfer of 'lk/IN' from 192.248.8.17#53: failed while receiving responses: permission denied

The issue is due to the permissions on the bind directories.

Set the permissions as follows:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
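
Mode 777 on the last directory makes it writable by every local user, so it is worth checking what the commands above actually left behind. The following audit script is an added example, not part of the original post; it walks the same six directories, prints mode and owner, and flags any that are world-writable. The function names and the optional ROOT prefix argument are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example: audit the bind-chroot directories named in the post.
# Usage: script [ROOT]   (ROOT is a path prefix, default /, useful for testing)
# Relies on GNU stat (-c), as shipped with Fedora.

NAMED_DIRS="var/named var/named/chroot var/named/chroot/var
var/named/chroot/var/named var/named/chroot/var/run
var/named/chroot/var/run/named"

# True when the directory is writable by "other" (mode bit 0002).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# Print mode, owner:group and path for each directory; the exit status is
# the number of world-writable directories found (0 = none).
audit_named_dirs() {
    root=${1:-/}; flagged=0
    for rel in $NAMED_DIRS; do
        dir="${root%/}/$rel"
        [ -d "$dir" ] || { echo "missing  $dir"; continue; }
        info=$(stat -c '%a %U:%G' "$dir")
        if is_world_writable "$dir"; then
            echo "$info $dir  <- world-writable"
            flagged=$((flagged + 1))
        else
            echo "$info $dir"
        fi
    done
    return "$flagged"
}

audit_named_dirs "$@" || echo "world-writable directories found"
```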

Good reference:
http://hostechsupport.com/forums/showthread.php?620-Install-A-Chrooted-DNS-Server-%28BIND9%29

Monday, March 7, 2011

IP Route2 - Advanced routing for Linux

We can use a Linux box as an advanced routing device by using iproute2 features. We have used a gateway server to cater for 3 ISP Internet connections. It supports policy-based routing, load balancing, etc.

Good reference
http://www.linux-tutorial.info/modules.php?name=Howto&pagename=Adv-Routing-HOWTO/index.html
http://www.policyrouting.org/iproute2.doc.html

Useful commands

Create a table (add a rule that sends traffic from a source network to table 200):
/sbin/ip rule add from a.b.c.d/n table 200

Add routes:
/sbin/ip route add x.x.x.x/n2 via gateway_of_eth0 dev eth0 table table_number
E.g.
/sbin/ip route add 10.168.0.0/24 via 192.168.8.30 dev eth2 table 200

Add a default route:
/sbin/ip route add default via gateway_of_eth2 dev eth2 table 200

Display a routing table:
ip route show table table_name