Linux Security Questions
What is a CSR?
A CSR, or Certificate Signing Request, is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate, such as the organization name, common name (domain name), locality, and country.
It also contains the public key that will be included in the certificate.
A private key is usually created at the same time that you create the CSR, making a key pair.
A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.
A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
ServerAdminz is a server support company specialized in Outsourced 24/7 Web Hosting Support, Remote Infrastructure Management, NOC, Cloud and Enterprise Security Services. With over 10+ years of experience in working with major Data Centers and ISPs, and with 130+ experienced technicians, we continue to manage more than 49,000 servers from 85+ countries and have bagged 5 international awards.
If you have any queries regarding server management services, share your thoughts and our representative will get back to you.
##################################################################################
Apache: Generate CSR (Certificate Signing Request)
Follow these instructions to generate a certificate signing request (CSR) for your Apache Web server. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.
To Generate a Certificate Signing Request for Apache 2.x
- Log in to your server's terminal (SSH).
- At the prompt, type the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Note: Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
- Enter the requested information:
- Common Name: The fully-qualified domain name, or URL, you're securing.
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
- Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
- Organization Unit: If applicable, enter the DBA (doing business as) name.
- City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
- State or Province: Name of the state or province where your organization is located. Do not abbreviate.
- Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
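The following script is an added example, not part of the original instructions. It answers the same questions from a small config file instead of interactive prompts, then checks what the CSR section above states: the request is self-signed, and it only pairs with the private key generated alongside it. The subject values, req.cnf and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. coolexample.com and the subject fields are sample values.

# make_csr DIR DOMAIN: write DIR/DOMAIN.key and DIR/DOMAIN.csr without prompts.
make_csr() {
    dir=$1 domain=$2
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C = US
ST = Arizona
L = Scottsdale
O = Cool Example LLC
CN = $domain
EOF
    # umask 077 in a subshell: the new private key is readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
          -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null )
}

# csr_is_valid CSR: true when the CSR's self-signature verifies.
# Matches the "verify OK" message instead of relying on the exit status.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# pubkey_of FILE KIND: print the PEM public key held in a key or a CSR.
pubkey_of() {
    case $2 in
        key) openssl pkey -in "$1" -pubout ;;
        csr) openssl req -in "$1" -noout -pubkey ;;
    esac 2>/dev/null
}

# csr_matches_key CSR KEY: true only when both carry the same public key.
csr_matches_key() {
    a=$(pubkey_of "$1" csr) && b=$(pubkey_of "$2" key) &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: a request for coolexample.com, then a key that was not generated with it.
work=$(mktemp -d)
make_csr "$work" coolexample.com
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
csr_is_valid "$work/coolexample.com.csr" && echo "CSR self-signature: OK"
csr_matches_key "$work/coolexample.com.csr" "$work/coolexample.com.key" &&
    echo "own key: match"
csr_matches_key "$work/coolexample.com.csr" "$work/other.key" ||
    echo "other key: no match"
openssl req -in "$work/coolexample.com.csr" -noout -subject
rm -rf "$work"
```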
PKI and Associated Concepts
Public Key Infrastructure (PKI) is the easiest and most efficient way to establish trust and security in computer networking. PKI is used to bind public keys to user attributes, which are then used in various applications and protocols for digital signature, authentication, non-repudiation and S/MIME.
PKI relies on two keys, known as the private and public keys. This combination of two keys is called a key pair. The private key belongs to the individual and should always be kept secure. The public key should be distributed to the participants in the communication. One key is used to encrypt, and the corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption. If the private key is used for encryption, the associated public key is used for decryption. For example, in S/MIME the private key is used to sign a document digitally so the author can be authenticated with the corresponding public key.
PKI and RSA (Rivest Shamir Adleman)
The most well-known algorithm used in PKI is RSA. The RSA algorithm supports key lengths from 512 bits to 16384 bits. Longer keys require more processing power. The standard for modern communication is RSA 2048 bits, and the same will be used in this article.
Security of RSA
Modern cryptography is mainly based on prime numbers. Similarly, an RSA key is composed of two prime numbers, which must be very large; otherwise the security of RSA is compromised.
Digital Certificate
The binding of a public key to a user along with personal details is called a digital certificate. A digital certificate is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner’s identity and associated permissions such as digital signature, non-repudiation, file system encryption, server authentication and client authentication, etc. Permissions define the usage for the certificate in operation.
A public-key certificate consists of a data part and a signature part. The data part consists of the name of an entity, the public key corresponding to that entity, and possibly additional relevant information (e.g., the entity’s Common Name, Organizational Unit, network address, a validity period for the public key, and various other attributes). The signature part consists of the signature of a certificate authority over the data part. A sample certificate with details is shown in figures 1 and 2.
Figure: 1 Details of Digital Certificate
Figure: 2 Details of Digital Certificate
Components of PKI
- Certificate Authorities (CA’s): These are responsible for issuing and revoking digital certificates to the users or subscribers.
- Registration Authorities (RA’s): These verify the binding between public keys and the identities of their holders. RAs conduct the initial verification of a potential subscriber’s/ user’s identity and/or attributes before a certificate is issued to the client.
- Subscribers/Users/Digital Certificate holders: People, computers, network devices or software agents that have been issued with certificates and can use them to sign digital documents. The standard currently in use for digital certificates is X.509 V3.
- Clients: These validate digital signatures and the certificates of the communicating parties. The clients may range from simple users to state of the art network devices.
Lab Environment Preparation for PKI
- Download ISO image file of Ubuntu 14 and install a copy of it in VMWare.
- Boot up Ubuntu with NAT Mode so that it shares the host’s IP address to access the internet.
Figure: 3 Network Mode Setting in VMWare.
- Ping the guest VM machine from the host machine to check the machine connectivity.
- Ping internet from the guest VM machine to check the internet connectivity in the VM.
- From the terminal of Ubuntu Linux, update the repositories with the command apt-get update.
- Type apt-get install apache2 to install apache server.
- Type apt-get install ssh to install OpenSSH server.
- Type apt-get install openssl to install OpenSSL.
- Type /etc/init.d/apache2 start to start the Apache server in the guest VM.
- Type /etc/init.d/ssh start to start the SSH server in the guest VM. SSH server is a service that has to be enabled on the Linux machine so that Windows clients can copy files to/from the Linux machine.
- Type apt-get install wireshark to install Wireshark.
- Add Apache to boot startup by typing the command update-rc.d apache2 enable
- Add SSH to boot startup by typing the command update-rc.d ssh enable
- The IP of VM being used in this document is 192.168.1.133, and host IP is 192.168.1.1.
- From host machine, type telnet 192.168.1.133 22 on command prompt to check the connectivity with SSH server.
- Download and install WinSCP. This tool is used on Windows to access the SSH server on the Linux machine and transfer files to/from the Linux machine.
- From host machine, start WinSCP. Click on New Site. Enter 192.168.1.132, Username & Password and click Connect.
- After successful connection, the file system of Linux machine will be explored.
Generate CA Key and Certificate
- Create a key for CA Certificate. Run openssl genrsa -out cakey.pem 2048
The 2048 Bit CA Key is stored in the file cakey.pem
Figure: 4 Generation of CA Private Key
- View the parameters of the CA private key. Run openssl rsa -in cakey.pem -noout -text
Figure: 5 Parameters of Private Key
- Create ca.cfg for the configuration of the CA.
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = Common Name
CN_default="Demo Certificate Authority"
policy = policy_supplied
[ policy_supplied ]
CN = supplied
- Create a self-signed CA Certificate. Run openssl req -config ca.cfg -extensions ext -days 3650 -new -x509 -key cakey.pem -out cacert.crt -set_serial 01 -batch -text
- Double click the cacert.crt file to view the certificate.
Figure: 6 Details of CA Certificate
Figure: 7 Details of CA Certificate
Generate SSL/TLS Server Certificate
- For the creation of key and certificates of TLS Server, create a file tls_server.cfg
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir
certificate = $dir/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/cakey.pem
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = default
preserve = yes
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
string_mask = nombstr
[ req_distinguished_name ]
CN = ABC
CN_default="192.168.1.133"
policy = policy_supplied
[ policy_supplied ]
commonName = supplied
[ req_ext ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
- Create a server private key. Run openssl genrsa -out server.key 2048
Figure: 8 Details of Server Private Key
- Create a CSR (Certificate Signing Request) for the server key that was generated in previous step. Run openssl req -config tls_server.cfg -out server.csr -key server.key -new -batch
- Sign the CSR to create server certificate. Run openssl x509 -req -extfile tls_server.cfg -extensions req_ext -in server.csr -CA cacert.crt -CAkey cakey.pem -out server.crt -days 720 -set_serial 2 -text
Figure: 9 Details of Server Certificate
Figure: 10 Details of Server Certificate
- Double click server.crt to view the server certificate.
Figure: 11 Details of Server Certificate
- Create a PKCS12/PFX bundle to encrypt the key and cert. It will ask for a password twice. Remember this password, because it will be required if this p12 file has to be used in Windows/Linux. Run openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
Figure: 12 Export Server Key and Certificate to P12 format
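The CA and server-certificate steps above, collected into one script with a verification step at the end. This is an added example and not the article's own code: the configs are shortened versions of ca.cfg and tls_server.cfg, and the function names, temporary directories and the "Unrelated CA" are constructed for the demonstration. It shows that server.crt verifies only against the CA that signed it, and that its basicConstraints stop it from acting as a CA.

```shell
#!/bin/sh
# Added example; names, CNs and paths are constructed for the demonstration.

# new_ca DIR CN: create DIR/cakey.pem and a self-signed DIR/cacert.crt.
new_ca() {
    cat > "$1/ca.cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $2
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null &&
    openssl req -config "$1/ca.cfg" -extensions ext -new -x509 -days 3650 \
        -set_serial 01 -key "$1/cakey.pem" -out "$1/cacert.crt" 2>/dev/null
}

# issue_server_cert DIR CN: server.key, server.csr and a CA-signed server.crt.
issue_server_cert() {
    cat > "$1/tls_server.cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = $2
[ req_ext ]
basicConstraints = critical,CA:false
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
EOF
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -config "$1/tls_server.cfg" -new -key "$1/server.key" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.crt" \
        -CAkey "$1/cakey.pem" -set_serial 2 -days 720 \
        -extfile "$1/tls_server.cfg" -extensions req_ext \
        -out "$1/server.crt" 2>/dev/null
}

# chain_ok CACERT CERT: true only if CERT chains to CACERT as a TLS server cert.
chain_ok() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca CERT: true if the certificate's basicConstraints marks it as a CA.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Demo: the issuing CA verifies the server certificate, an unrelated CA does not.
lab=$(mktemp -d); other=$(mktemp -d)
new_ca "$lab" "Demo Certificate Authority"
issue_server_cert "$lab" 192.168.1.133
new_ca "$other" "Unrelated CA"
chain_ok "$lab/cacert.crt" "$lab/server.crt" && echo "issued by lab CA: OK"
chain_ok "$other/cacert.crt" "$lab/server.crt" || echo "unrelated CA: rejected"
is_ca "$lab/server.crt" || echo "server.crt cannot act as a CA"
rm -rf "$lab" "$other"
```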
Setup a Basic/Plain Web Server
- Access the default Web Interface of Apache Server on Ubuntu Linux by typing http://192.168.1.133/
Figure: 13 Plain Web Server
- All this communication was in plain text and can be captured by any attacker.
- Open Wireshark and start capturing the traffic.
- Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The unencrypted/plain page is visible in the figure.
Figure: 14 Plain Communication captured through Wireshark
- We have to secure the above web server so that the contents are not visible to attackers and intruders.
Using the Certificates to Configure a Secure SSL/TLS Web Server
- Create directory by command mkdir /etc/apache2/certificates
- Go to certificates directory by cd /etc/apache2/certificates
- Login via WinSCP, copy cacert.crt, server.key and server.crt files to /etc/apache2/certificates by commands
- cp /home/maverick/cacert.crt /etc/apache2/certificates/
- cp /home/maverick/server.key /etc/apache2/certificates/
- cp /home/maverick/server.crt /etc/apache2/certificates/
- Go to the sites-enabled directory by cd /etc/apache2/sites-enabled
- Create file ssl.conf and add contents
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot /var/www/html/
ServerName 192.168.1.133
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/
ServerName 192.168.1.133
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/certificates/server.crt
SSLCertificateKeyFile /etc/apache2/certificates/server.key
SSLCACertificateFile /etc/apache2/certificates/cacert.crt
</VirtualHost>
- Enable SSL in Apache by running the command a2enmod ssl
- Restart apache server by /etc/init.d/apache2 restart
Using the Certificates on Client for SSL
The CA certificate must be imported into the web browser, otherwise the browser will generate security warnings.
Import Certificates in Internet Explorer
- Internet Explorer ->Tools ->Internet Options ->Content ->Certificates ->Trusted Root Certification Authorities ->Import->Browse (Select the cacert.crt file)->Import to Trusted Root Certification Authorities. Click Yes to the Security Warning.
Figure: 15 Add CA Certificate to Windows Store
- Double click the cacert.crt file to view the certificate.
Figure: 16 CA Certificate in MS Windows
Import Certificates in Mozilla Firefox
- Import CA Certificate in Mozilla Firefox ->Tools ->Options ->Advanced ->Encryption ->View Certificates ->Authorities ->Import ->Browse for cacert.crt ->Check all 3 options.
Figure: 17 Import CA Certificate in Mozilla Firefox Store
If we open the server certificate, then it opens correctly because we
have added its CA certificate in Windows store. The CA chain is
verified correctly as shown in the figure.
Figure: 18 Server Certificate Chain Verification
Verify Encrypted Web Server Traffic
- Access the default Web Interface of Apache Server on Ubuntu Linux by typing https://192.168.1.133/
Figure: 19 Secure Web Server on HTTPS
- All this communication was encrypted; an attacker can still capture the traffic, but cannot read its contents.
- Open Wireshark and start capturing the traffic. Access the web page again to generate the traffic.
- Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The encrypted traffic is visible in the figure.
Figure: 20 Encrypted Traffic captured in Wireshark
- Web server traffic has been secured from attackers and intruders.
- The ciphers being used for the communication are:
- Connection encrypted through AES Galois Counter Mode
- ECDHE_RSA was used as the secure key exchange mechanism between client and server.
Figure: 21 Details of Encryption Mechanisms on Web Server
Generate User Private/Public Key Pair
- Create a user private key. Run openssl genrsa -out UserAPrivate.key 2048
Figure: 22 Generate User Private Key
- Open the private key to verify that command was run successfully. Run vim UserAPrivate.key
Figure: 23 Check Private Key
- Generate corresponding public key. Run openssl rsa -in UserAPrivate.key -out UserAPublic.key -outform PEM -pubout
Figure: 24 Generate Public Key
- Open the public key to verify that command was run successfully. Run vim UserAPublic.key
Figure: 25 Verify Public Key
Confidentiality: Encryption with Public Key and Decryption with Private Key
As discussed earlier in the article, one key is used to encrypt, and the corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption, achieving confidentiality.
- Create a plain text file. Run echo "This file has some text. It will be used for Encryption and Decryption" > file.txt
Figure: 26 Create Plain text file
- Encrypt the plain text file with the public key. Run openssl rsautl -encrypt -inkey UserAPublic.key -pubin -in file.txt -out encfile.txt
Figure: 27 Encrypt with Public Key
- Open the encrypted file to view the contents. Run vim encfile.txt
Figure: 28 View Encrypted Text
- Decrypt the file with the private key. Run openssl rsautl -decrypt -inkey UserAPrivate.key -in encfile.txt -out fileDecrypted.txt
Figure: 29 Decrypt with Private Key
- View the decrypted file; the actual contents should have been decrypted successfully. Run cat fileDecrypted.txt
Figure: 30 Verify Decrypted Output
- The actual plain text has been recovered successfully.
Authentication: Encryption with Private Key and Decryption with Public Key
As discussed earlier in the article, one key is used to encrypt, and the corresponding/matching key is used to decrypt. If the private key is used for encryption, the associated public key is used for decryption, achieving authentication.
- Create a plain text file. Run echo "This file has some text. It will be used for Encryption and Decryption" > file.txt
Figure: 31 Create Plain text file
- Encrypt the plain text file with the private key. Run openssl rsautl -inkey UserAPrivate.key -sign -in file.txt -out fileSigned.txt
Figure: 32 Encrypt with Private Key
- Open the encrypted file to view the contents. Run vim fileSigned.txt
Figure: 33 View Signed File
- Decrypt the file with the public key. Run openssl rsautl -inkey UserAPublic.key -pubin -in fileSigned.txt
Figure: 34 Decrypt with Public Key
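The confidentiality and authentication walkthroughs above, as one added script that is not part of the original article. It swaps in openssl pkeyutl (with OAEP padding) and openssl dgst -sha256 -sign/-verify for the article's rsautl commands, and adds two checks the walkthrough does not show: a signature stops verifying once the file is modified, and RSA refuses input larger than the key allows. The function names, file.sig and big.bin are constructed for the example.

```shell
#!/bin/sh
# Added example; file names follow the walkthrough, contents are sample data.

# new_keypair PRIV PUB: 2048-bit RSA private key and its public half.
new_keypair() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Confidentiality: anyone with the public key can encrypt, only the holder
# of the private key can decrypt. OAEP padding is selected explicitly.
encrypt_for() {   # PUB IN OUT
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}
decrypt_with() {  # PRIV IN OUT
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null
}

# Authentication: sign a SHA-256 digest with the private key; anyone with the
# public key can check that the file is unchanged and came from the key holder.
sign_file() {     # PRIV FILE SIG
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {   # PUB FILE SIG
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" 2>/dev/null |
        grep -q 'Verified OK'
}

# Demo
w=$(mktemp -d)
new_keypair "$w/UserAPrivate.key" "$w/UserAPublic.key"
echo "This file has some text. It will be used for Encryption and Decryption" \
    > "$w/file.txt"
encrypt_for "$w/UserAPublic.key" "$w/file.txt" "$w/encfile.txt"
decrypt_with "$w/UserAPrivate.key" "$w/encfile.txt" "$w/fileDecrypted.txt"
cmp -s "$w/file.txt" "$w/fileDecrypted.txt" && echo "round trip: OK"

sign_file "$w/UserAPrivate.key" "$w/file.txt" "$w/file.sig"
verify_file "$w/UserAPublic.key" "$w/file.txt" "$w/file.sig" &&
    echo "signature: OK"
echo "tampered" >> "$w/file.txt"
verify_file "$w/UserAPublic.key" "$w/file.txt" "$w/file.sig" ||
    echo "signature after modification: rejected"

# RSA encrypts at most one block: 300 bytes do not fit a 2048-bit key.
dd if=/dev/zero of="$w/big.bin" bs=300 count=1 2>/dev/null
encrypt_for "$w/UserAPublic.key" "$w/big.bin" "$w/big.enc" ||
    echo "300-byte input: rejected"
rm -rf "$w"
```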
##################################################################################
Any enterprise basically faces the same
key issues while they set up and maintain server management solutions.
The whole process of server management would be too slow, too complex or
too expensive.
It is the responsibility of the IT department head or CIO to ensure that everyone accessing business applications from the server finds it reliable and stable to operate. To ensure this, the IT admins usually install a set of software including security tools such as anti-virus, backup applications, performance monitoring software, etc. They also need to ensure that all the management solutions are set up to meet the required corporate and regulatory policies. Otherwise, they may run into legal issues.
While it is relatively easy for the IT department to set up server management for 2-3 servers, imagine scaling it up to tens or hundreds of servers. It would be chaotic. They have to continuously monitor each server management solution’s life cycle, i.e. installation, monitoring, maintenance and updating.
So, why do such problems arise?
No Control & Visibility
The teams often do not have total
control or visibility over server management solutions. As these
solutions are running in different virtual, cloud and physical
environments, the lack of visibility and control affects server
management. IT admins are unable to upgrade existing solutions to
better, more stable versions with latest fixes and features. Instead,
they are forced to install new server management solutions.
Introduction of new solutions means
starting over from the initial phase of their life cycle. Thus, it
becomes a tiring and inconvenient option that takes time for updates.
Being difficult to introduce new updates, organizations will find it
difficult to make use of the best options available in the market.
Server Management Agents
They are the major culprits as agents
are required to be installed on each server. During deployment, this
tiresome, time consuming activity slows down the whole process. Also,
during installation of agents, there would be issues such as reboots,
which would affect stability, performance and user experience due to
server downtime.
In fact, business owners often have to wait for weeks for IT teams to complete various tasks. In an era where instant gratification is the watchword, it can be detrimental for IT teams if they are perceived to be working slowly.
Cloud Disruption
The introduction of cloud has drastically altered Enterprise IT processes in the recent past. The popularity of cloud has presented two major challenges to IT teams.
Increased complexity – The public cloud requires a different setup from the existing software used to manage the workloads of virtual and physical servers. Therefore, new solutions would be required. IT teams will have to learn the processes and adapt to them.
Scalability – The traditional server management software set up on location is limited and cannot meet the requirements of public cloud infrastructure. It cannot be scaled and is very slow and vulnerable to human errors.
To solve these issues, specialized
server management skills are required. These experts know how to weave
in through the server management web and find the right solution for
you.
ServerAdminz provides Outsourced 24/7 Technical Support, Remote
Server Administration, Server Security, Linux Server Management, Windows
Server Management and Helpdesk Management to Datacenters, Hosting
companies and ISPs around the world. We specialize in Extended Server
Security, Server Hardening, Support of Linux/UNIX/Windows servers,
products and services. If you are looking for a server management service provider, you can contact us on sales@serveradminz.com or +1 (845) 271 7172.
##################################################################################
Hi Gopi,
This is indeed great! But I think perhaps you are generally referring Linux Security Questions which is getting unsustainable.
I had used Linux until just over a year ago with a previous company but have not used it since because I was not given an opportunity and do not know what has happened in the community. I was using Fedora (possibly 5) and RHEL, but now I need to install a new server and need some advice.
The inode contains info about the file-size, its location, time of last access, time of last modification, permission and so on. Directories are also represented as files and have an associated inode.
Very useful article, if I run into challenges along the way, I will share them here.
Merci,
Kevin
Thank you Kevin.
Kindly share your challenges here, it might be helpful for others and for me as well.