SSL Installation in a cPanel based server

What is SSL

SSL (Secure Sockets Layer) is a cryptographic protocol which ensures the security of communication over the Internet. SSL encrypts the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message reliability.

How SSL works

Web servers and Web browsers rely on the SSL protocol to create a unique encrypted channel for private communications over the Internet. The SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decrypt it. When a Web browser points to a domain which is secured by SSL, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server’s capabilities. This is why SSL certificates feature a different range of encryption levels.

Obtaining an SSL Certificate

Suppose the domain example.com needs an SSL Certificate. The following steps are involved:

a) Example.com generates a CSR (Certificate Signing Request); during this process, a private key is generated.
b) With this CSR, Example.com goes to a trusted, third-party Certificate Authority like Verisign. The Certificate Authority takes the Certificate Signing Request and validates example.com.
c) When the validation process is complete, the third-party Certificate Authority gives a new public key (certificate) encrypted with their private key.
d) Example.com installs the new certificate and is secured.

Installing SSL

(i) Through cPanel/WHM
It's quite easy to install SSL through the cPanel/WHM interface.

Generating CSR

Under Security tab, click SSL/TLS Manager.

Generate the private key first by accessing the option Generate, view, upload or delete your private keys.

Access the option Generate, view, or delete SSL certificate signing requests. Fill in the forms like Domain Name, E-mail Address, Country etc.

You will obtain the CSR. Contact the certificate provider with this information. The Certificate Authority will then provide the certificate (CRT). Finally you will have the following files associated with SSL:

CSR in the format domain.com.csr or domain_com.csr

CA bundle, which holds the Certificate Authority's public (intermediate) certificate, in the format domain.com.cabundle or domain_com.ca-bundle

CRT, the certificate in the format domain.com.crt or domain_com.crt

Private key in the format domain.com.key or domain_com.key

Method 1: Installing from cPanel

1. Go to SSL/TLS Manager.
2. Click Generate, view, upload, or delete your private keys.
3. Under the Upload a New Certificate section, click on the Browse button (next to Choose a .crt file option) and find the Domain Certificate file (example.crt) that you obtained from the SSL vendor. Alternatively you can paste the Certificate contents on the section Paste the crt below. Make sure to include the BEGIN and END tags, while copying your certificate. Click the Upload button.
4. Go Back and click Return to SSL Manager at the bottom of the page.
5. Click on Setup a SSL certificate to work with your site. If this option is not available, your web host may have disabled it. You will need to contact them for further support.
6. Now, select the domain you are using from the Domain drop down menu. It will attempt to fetch the SSL Certificate and the private key. If this doesn’t work, you may need to contact your web host.
7. In the box labeled CA Bundle paste the contents of the Intermediate certificate (DigiCertCA.crt).
8. Click Install Certificate. Your SSL certificate should now be installed, and the website configured to accept secure connections. You or your web host may need to restart Apache before it will work.

Method 2: Installing from WHM

You can also install the SSL certificate from WHM. It's quite simple compared to the installation through cPanel; all you need is root access to WHM. Once you log in to WHM, search for the option Install a SSL Certificate and Setup the Domain.

You'll find three boxes. Paste the CRT file contents in the first box. It will automatically fetch the key and CA bundle (in most cases, the CA bundle needs to be pasted manually). Finally click Submit once all the fields are populated. You'll see a message indicating that the installation was successful.

Method 3: Manual Installation

You need root shell access to the server for this. Open the Apache configuration file on the server; in the cPanel case it is /usr/local/apache/conf/httpd.conf. Locate the VirtualHost entry configured for SSL and configure it like this:

<VirtualHost xxx.xxx.x.xx:443>
 ServerName example.com
 ServerAlias www.example.com
 DocumentRoot /home/example/public_html
 SSLEngine on
 SSLCertificateFile /usr/share/ssl/certs/example.com.crt
 SSLCertificateKeyFile /usr/share/ssl/private/example.com.key
 SSLCACertificateFile /usr/share/ssl/certs/example.com.cabundle
</VirtualHost>

where SSLCertificateFile is the path to the SSL certificate file, SSLCertificateKeyFile is the path to the key file, and SSLCACertificateFile is the path to the intermediate (CA bundle) file. Make sure the files exist at the specified paths (the paths may vary between setups). Restart the web server and you're done.


DDoS, prevention, cure! – Part 1

DDoS, Distributed Denial Of Service. Wiki: http://en.wikipedia.org/wiki/Denial-of-service_attack

DDoS is an attack on a computer/server or its resources that makes it unavailable to its intended users.

Web hosts must be familiar with this term and will be a victim at least once. The intention of this post is to give a brief description of DDoS, its prevention, and the cure if affected. Please note that this will not serve as a perfect guide to the subject line, but as a tip note.

Understanding DDoS:

Four programs commonly used by attackers to launch DDoS attacks are:

  1. Trinoo
  2. TFN
  3. TFN2K
  4. Stacheldraht

Symptoms of DDoS:

  1. Unusually slow network performance (opening files or accessing web sites)
  2. Unavailability of a particular web site
  3. Inability to access any web site
  4. Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)
  5. Packet loss for pings to IP/Domain

How DDoS is done:

Pictorial representation of a Stacheldraht DDoS attack.

In a Stacheldraht DDoS attack, the attacker uses a client program to connect to the handlers, a set of compromised machines that issue commands to the agents, which in turn carry out the DDoS attack. The agents are another set of machines compromised by the attacker through the handlers. Each handler can control thousands of agents, and all these widely distributed agents flood the target server, thereby increasing the impact of the attack.

DoS and DDoS are not the same:

If the attacker initiates an attack from a single host, it is classified as a DoS, as it is not 'distributed'. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.

Then what is DRDoS? DRDoS is Distributed Reflected Denial of Service. These attacks forge the source address of the IP packets with the victim's IP and send pings/packets to intermediate hosts. When the intermediate hosts send back replies to these pings, the replies go to the victim's IP, thereby flooding the victim.

Some other types/methods of DDoS/DRDoS/Dos attacks are :

Reflective ICMP attack: The reflective ICMP attack uses public sites like google.com that respond to ICMP ping requests. The attacker spoofs the victim's IP and sends requests to the public servers, which then reply to the victim's actual IP.

TCP SYN flood attack: The attacker sends a packet with the SYN bit set, the first step of the well-known TCP three-way handshake. The victim responds with a reply packet with the SYN and ACK bits set, but the attacker never responds, so the victim's TCP receive queue fills up with half-open connections and new TCP connections are denied. Modern UNIX and Windows systems mitigated this by increasing the queue size and limiting the number of TCP SYN packets allowed.

UDP attacks: UDP is one of the most effective ways of carrying out DDoS/DoS attacks. UDP is a stateless protocol and has no acknowledgement mechanism by design. PROTOS, the SNMP test suite, and other SNMP tools have been used successfully to launch application-level DoS attacks. The Slammer worm spread extremely fast because it did not require a response from the compromised computer.

TTL Expiration: The attacker forges the victim's IP and sends packets with a low TTL so that they expire in transit at a high-speed router. When the TTL reaches zero, the router drops the packet and sends an ICMP TTL expired message to the source address, i.e. the victim's IP. This attack can be reduced by rate limiting ICMP on all routers in the service provider's network.

Permanent DoS attacks (PDoS): A PDoS is an attack that damages the system so badly that the hardware needs to be replaced or reinstalled. PDoS is a purely hardware-targeted attack in which the attacker modifies the device firmware by the legitimate method called flashing. The attacker replaces the hardware firmware with his own modified version, which makes the device unstable and renders it unusable for the purpose it was designed for. This is done by exploiting hardware security flaws that allow remote administration of devices such as routers, printers and other networking hardware.

Degradation Of Service Attacks: Compromised computers are used by the attackers to launch short-lived floods against the victim's website, which slow the website down rather than crashing it. This is degradation of service rather than denial of service, and it is more severe than DoS because it is very difficult to detect and resolve.

Unintentional Denial Of Service: A sudden spike in popularity for a website is the major cause of this. It happens when an extremely popular website posts a link to a second site as a reference for a news item or article. This leads to a significant increase in traffic to the secondary website, which results in the crashing of the server/services. An example of this happened when Michael Jackson died in 2009, which took down sites like Google and Twitter. (In this case you can't just blame someone ;) )

Blind Denial Of Service: If the attacker must be able to receive traffic from the victim, then the attacker must either subvert the routing fabric or use the attacker's own IP address. Either provides an opportunity for the victim to track the attacker and/or filter out his traffic. With a blind attack the attacker uses forged IP addresses, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood attack is an example of a blind attack. Designers should make every attempt possible to prevent blind denial of service attacks.
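The symptom of the TCP SYN flood described above is a pile-up of half-open connections in the SYN_RECV state, and counting those per remote address is the usual first check on a struggling server. The script below is an added example, not part of the original post; it parses netstat -nt style lines from standard input and embeds a constructed sample so it runs offline (the addresses are documentation ranges, not real hosts).

```shell
#!/bin/bash
# Added example (not from the post): spot a SYN flood from its symptom, many
# half-open (SYN_RECV) connections, in "netstat -nt" output. The sample below
# is constructed; the addresses are documentation ranges, not real hosts.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:40211      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.55:1025         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.55:1026         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.55:1027         SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.55:1028         SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:51000      SYN_RECV
tcp        0      0 203.0.113.10:22         198.51.100.7:40212      ESTABLISHED'

# Print "count ip" for every remote address with at least "$1" half-open
# connections (default 3), busiest first. Reads netstat-style lines on stdin;
# the port is stripped from the Foreign Address column before counting.
syn_recv_offenders() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # drop the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Total number of half-open connections, a single figure for an alert threshold.
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Wrappers that feed the embedded sample; on a live host use e.g.
#   netstat -nt | syn_recv_offenders 50
demo_offenders() { printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_offenders "$1"; }
demo_total()     { printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_total; }
```

With ss -tan the State column comes first and the peer address last, so the field numbers in the awk patterns need adjusting before reusing the functions there.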


CRITICAL : One more kernel exploit known to the public

A continuation of the previous exploits. http://isec.pl/vulnerabilities/isec-0025-syscall-emulation.txt

Full Disclosure post: http://seclists.org/fulldisclosure/2010/Sep/268 and mitigation at http://seclists.org/fulldisclosure/2010/Sep/273

The links below give details about the 0-day exploit and how to test whether your system is exploitable. There is no need to panic, though: as the links above show, this particular exploit has been in the hands of l33t hackers for the last two years. Now that it is public, take extra care if uname -m reports x86_64.

http://sota.gen.nz/compat2/

http://sota.gen.nz/compat1/

There are two CVE candidates: CVE-2010-3081 and CVE-2010-3301. One affects the server and the other does not.

A temporary workaround is described at https://access.redhat.com/kb/docs/DOC-40265


IFS

How many times have you written scripts and had a bad time with file names containing spaces? The remedy for this situation is your IFS value.

IFS, the Internal Field Separator, holds the characters that separate the various entities the shell splits: file names, values read into a script by read, and so on. It is the set of characters the shell treats as whitespace when splitting words.

By default IFS is set to the space, tab and newline characters. The global variable $IFS stores the value. To view the exact value stored in IFS, execute:

echo "$IFS" | cat -vTE
 ^I$
$

Running echo "$IFS" on its own will not give you any visible output (after all, you are looking at a space, a tab and a newline). cat -vTE displays non-printable characters, shows tabs as ^I and ends each line with a $ sign.

In a script that handles file names with spaces, it is preferable to change IFS to contain only the newline character, as opposed to the default space, tab and newline. Let's look at one such script which accepts file names with spaces. This script simply prints the file names in your current directory. (Remember to create some files with spaces in their names in your current directory first. You may try the same script with the IFS lines removed to see the difference.)

#!/bin/bash
OIFS=$IFS                     # save the original IFS

# New IFS: newline only. Command substitution strips trailing newlines, so a
# backspace (\b) is appended to keep the newline in the value; the backspace
# itself never appears in file names and is harmless as a separator.
IFS=$(echo -en "\n\b")

for fil in $(ls -1 "$PWD"); do
	echo "$fil"
done

IFS=$OIFS                     # restore the original IFS

IFS can also be used to read files whose fields are separated by a special character. For example, /etc/passwd separates its entries, such as username and home directory, with a colon.

The following script uses a while loop to determine the users whose shell field is /bin/false.

#!/bin/bash

OIFS=$IFS
IFS=':'                       # /etc/passwd fields are colon-separated

# read assigns one field to each variable; the seventh (the shell) is tested.
# -r keeps backslashes in the input literal.
while read -r username password userid groupid comments homedir shell_avail
do
	if [[ $shell_avail == /bin/false ]]; then
		echo "$username has no shell"
	fi
done < /etc/passwd

IFS=$OIFS

In the above script each of the seven fields of an /etc/passwd line is assigned to one of the seven variables username, password, userid, groupid, comments, homedir and shell_avail by the read command. The if portion of the script compares the seventh variable, shell_avail, with /bin/false to pick out the matching usernames and prints them.

From now on you can use the IFS variable for all those files with spaces and extracting values separated by a special character.
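To make the effect of IFS measurable, the following script (an added example, not from the original post) counts how many words a constructed two-name list splits into under the default IFS and under a newline-only IFS, and then shows the read-based forms that avoid touching the global IFS at all: IFS= read -r for file names and IFS=: read -r for /etc/passwd-style lines. The passwd excerpt it parses is constructed, not taken from a real system.

```shell
#!/bin/bash
# Added example (not from the post): measure how IFS changes word splitting on a
# constructed list of file names, then show the read-based idiom that scopes the
# IFS change to the read command alone.

NL=$(printf '\nx'); NL=${NL%x}   # a bare newline (command substitution would strip it)
TAB=$(printf '\t')

# Print how many words "$2" splits into when IFS is "$1".
count_fields() {
    ifs=$1; text=$2
    OIFS=$IFS
    set -f                 # no pathname expansion while we split
    IFS=$ifs
    set -- $text           # unquoted expansion: this is where splitting happens
    IFS=$OIFS
    set +f
    echo "$#"
}

# Constructed sample: two file names, one containing a space, one per line.
SAMPLE_NAMES="My File.txt${NL}Other.txt"

default_split() { count_fields " ${TAB}${NL}" "$SAMPLE_NAMES"; }   # splits on the space too
newline_split() { count_fields "$NL" "$SAMPLE_NAMES"; }            # one name per line

# Safer than splitting a list at all: read one line per iteration. IFS= (empty)
# applies to read only, so leading/trailing blanks survive and nothing else changes.
print_names() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        printf '[%s]\n' "$name"
    done
}

# Constructed /etc/passwd excerpt (not a real system's file).
SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/bash${NL}daemon:x:1:1:daemon:/usr/sbin:/bin/false${NL}www:x:33:33:www:/var/www:/bin/false"

# Print the users whose seventh field (shell) is /bin/false; IFS=: is scoped to
# the read command, so no OIFS save/restore dance is needed.
users_without_shell() {
    printf '%s\n' "$1" | while IFS=: read -r user _ _ _ _ _ shell; do
        if [ "$shell" = /bin/false ]; then printf '%s\n' "$user"; fi
    done
}
```

To run it against the real file, replace the SAMPLE_PASSWD argument with "$(cat /etc/passwd)" or redirect the file into the loop as the post's script does.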


How to create an RPM from a source package (Creating a CSF RPM)

We create RPMs from the source of a package. As an initial step, compile and install the source using the normal procedure, just to confirm that all necessary libraries/dependencies are met.

Here I am explaining the whole process to create an RPM for CSF that could be  installed on cPanel servers.

Getting ready with the Source Files:

Download Latest CSF from here : http://www.configserver.com/free/csf.tgz

Extract the tarball.

[root@server new]# tar -xvf csf.tgz
[root@server new]# ls
csf  csf.tgz

Install to check all libraries/dependencies are met.

[root@server new]# cd csf
[root@server csf]# sh install.cpanel.sh
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Installation Completed

We have confirmed that all libraries/dependencies for installing CSF are met. Next we rename the extracted directory to carry a version number and re-create the tarball, so that the version can be used in the SPEC file.

[root@server csf]# cd ..
[root@server new]# ls
csf  csf.tgz
[root@server new]# mv csf csf-0.0.1
[root@server new]# tar -czvf csf-0.0.1.tar.gz csf-0.0.1

0.0.1 is the version (any value can be assigned). Now we have the source file for CSF, csf-0.0.1.tar.gz, from which the RPM can be generated.

Building the RPM:

Install RPMBUILD tool:

[root@server ~]# yum install rpm-build

We never build RPMs as root, only as a normal user. Because root can alter any file on the system, it is easy to inadvertently alter a running system by adding extraneous files or removing important files during interim builds of an RPM. Earlier, RPMs were built as root, but the RPM system was changed to allow any user to build RPMs in a home directory. Building an RPM without root privileges prevents changes to core system files, so we are on the safer side.

Initial Set-up:

We need to create a directory hierarchy for the rpmbuild tool to work with. To begin with, create a directory under your home directory which will act as the root directory for the build process. Let's make a directory 'csfrpm' under the home directory for this purpose.

[sage@server ~]$ mkdir -p /home/your_username/csfrpm
[sage@server ~]$ cd /home/your_username/csfrpm

Create five sub-directories under csfrpm:

[sage@server csfrpm]$ mkdir BUILD RPMS SOURCES SPECS SRPMS
[sage@server csfrpm]$ ls
BUILD  RPMS  SOURCES  SPECS  SRPMS

  • BUILD: the working space in which the software is compiled.
  • RPMS: the binary RPMs that rpmbuild produces.
  • SOURCES: the source tarballs.
  • SPECS: your spec file or files, one spec file per RPM you want to build.
  • SRPMS: the source RPMs built during the process.

Copy the source tarball we created (csf-0.0.1.tar.gz) to the SOURCES folder. Make sure that the owner of the source file is your_username.

[sage@server ~]$ cp csf-0.0.1.tar.gz /home/your_username/csfrpm/SOURCES/

Create the SPEC file:

The SPEC file is nothing but the configuration for the rpmbuild tool.

[sage@server csfrpm]$ vi SPECS/csf.spec

Contents of SPECS/csf.spec:

# This is a sample spec file for csf

%define _topdir         /home/your_username/csfrpm
%define name            csf
%define release         0
%define version         0.0.1
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Summary:                GNU csf
License:                GPL
Name:                   %{name}
Version:                %{version}
Release:                %{release}
Source:                 %{name}-%{version}.tar.gz
Group:                  Security/Tools

%description
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

%prep
%setup -q

%install
# Only files the install step places under the build root end up in the package.
./install.cpanel.sh prefix=$RPM_BUILD_ROOT/usr/local

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-,root,root,0755)
# List every file and directory the install step put under the build root here;
# with no entries below defattr, the resulting RPM contains no files.

Finally, build the RPM:

[sage@server csfrpm]$ rpmbuild -v -bb --clean SPECS/csf.spec

If everything went fine, the output ends like this:

Processing files: csf-0.0.1-0
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/csf-0.0.1-root
Wrote: /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/your_username/csfrpm/BUILD
+ cd csf-0.0.1
+ /bin/rm -rf /var/tmp/csf-0.0.1-root
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/your_username/csfrpm/BUILD
+ rm -rf csf-0.0.1
+ exit 0

The RPM is written to /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm
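Two things are easy to get wrong in the procedure above: the Source: tag must resolve to a tarball that actually exists under SOURCES/, and the files section must list what the install step put under the build root, otherwise rpmbuild happily writes an RPM that contains nothing. The shell functions below are an added example, not part of the original post; they run a pre-flight check over a spec file by expanding its own %define macros and counting the entries in the files section. The spec they write is an abridged, constructed copy of the one above.

```shell
#!/bin/bash
# Added example (not from the post): pre-flight checks on a spec file before
# rpmbuild. Resolves %define'd macros in the Source: tag and counts the entries
# in the files section, because an empty files section yields an empty package.

# Write an abridged copy of the post's spec (constructed sample) to "$1".
write_sample_spec() {
    cat > "$1" <<'EOF'
%define name            csf
%define release         0
%define version         0.0.1
Name:                   %{name}
Version:                %{version}
Release:                %{release}
Source:                 %{name}-%{version}.tar.gz
%prep
%setup -q
%install
./install.cpanel.sh prefix=$RPM_BUILD_ROOT/usr/local
%files
%defattr(-,root,root,0755)
EOF
}

# Print the value of tag "$2" in spec "$1" with %{macro} references expanded
# from the spec's own %define lines (nested definitions are expanded in turn).
spec_tag() {
    awk -v tag="$2" '
        /^%define[ \t]+/ { macro[$2] = $3 }
        $1 == (tag ":")  { val = $2 }
        END {
            while (match(val, /%[{][A-Za-z_]+[}]/)) {
                key = substr(val, RSTART + 2, RLENGTH - 3)
                val = substr(val, 1, RSTART - 1) macro[key] substr(val, RSTART + RLENGTH)
            }
            print val
        }' "$1"
}

# Count path entries in the files section; defattr sets modes and is not a file.
spec_files_count() {
    awk '
        /^%files/ { in_files = 1; next }
        /^%(prep|build|install|clean|check|changelog|pre|post|description)/ { in_files = 0 }
        in_files && NF && !/^%defattr/ { n++ }
        END { print n + 0 }' "$1"
}

# Return 1 when the tarball named by Source: is missing from SOURCES/ or when
# the files section is empty; "$1" = spec file, "$2" = rpmbuild top directory.
spec_preflight() {
    src=$(spec_tag "$1" Source)
    [ -f "$2/SOURCES/$src" ] || { echo "missing $2/SOURCES/$src"; return 1; }
    [ "$(spec_files_count "$1")" -gt 0 ] || { echo "files section is empty"; return 1; }
}
```

Run spec_preflight SPECS/csf.spec /home/your_username/csfrpm before rpmbuild; on the spec as written above it reports the empty files section.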

About this blog

This blog acts as an unofficial knowledge repository for the world. Anything we find interesting in the cyber world will go here. In most cases, this blog will reflect the happiness of our staff at reaching a successful solution to an issue (s)he worked on, and serve as a reference for other fellow SAGEs who come across similar issues later.