Linux Security Questions

What is CSR ?

A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country.

It also contains the public key that will be included in the certificate.
A private key is usually created at the same time that you create the CSR, making a key pair.
A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

Apache: Generate CSR (Certificate Signing Request)

Follow these instructions to generate a certificate signing request (CSR) for your Apache Web server. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

To Generate a Certificate Signing Request for Apache 2.x

1. Log in to your server's terminal (SSH).
2. At the prompt, type the following command:
   
   openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
   Note: Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
3. Enter the requested information:
   
   • Common Name: The fully-qualified domain name, or URL, you're securing.
     If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
   • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
   • Organization Unit: If applicable, enter the DBA (doing business as) name.
   • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
   • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
   • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered
    #############################################################################
   
   

   PKI and Associated Concepts

   Public Key Infrastructure (PKI) is the easiest and most efficient way to establish trust and security in computer networking. PKI is used bind public keys to user attributes that are used in various applications and protocols for digital signature, authentication, non-repudiation and S/MIME.
   PKI consist of two keys known as private and public keys. This combination of 2 keys is called a key pair. Private Key belongs to the individual security and should always be kept secure. The public key should be distributed to the participants of communication. One key is used to encrypt, and a corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption. If the private key is used for encryption, the associated public key is used for decryption.For example in S/MIME, the private key is used to sign a document digitally so the author can be authenticated from the corresponding public key.
   

   PKI and RSA (Rivest Shamir Adleman)

   The most well-known algorithm being used on PKI is RSA. RSA algorithm supports key lengths from 512 bits to 16384 bits. When the high key length is used, it requires high processing speed. The standard for modern communication is RSA 2048 bits, and the same will be used in this article.
   

   Security of RSA

   Modern cryptography is mainly based on prime numbers. Similarly, an RSA key is composed of two prime numbers that should be very large otherwise it will compromise the RSA security.
   

   Digital Certificate

   The binding of a public key to a user along with personal details is called digital certificate. A digital certificate is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner’s identity and associated permissions such as digital signature, non-repudiation, file system encryption, server authentication and client authentication, etc. Permissions define the usage for the certificate in operation.
   A public-key certificate consists of a data part and a signature part. The data part consists of the name of an entity, the public key corresponding to that entity, possibly additional relevant information (e.g., the entity’s Common Name, Organizational Unit, network address, a validity period for the public key, and various other attributes). The signature part consists of the signature of a certificate authority over the data part. A sample certificate with details is being shown in figures 1 and 2.
   
   
   
   Figure: 1 Details of Digital Certificate
   
   
   Figure: 2 Details of Digital Certificate

   Components of PKI

4. Certificate Authorities (CA’s): These are responsible for issuing and revoking digital certificates to the users or subscribers.
5. Registration Authorities (RA’s): These verify the binding between public keys and the identities of their holders. RAs conduct the initial verification of a potential subscriber’s/ user’s identity and/or attributes before a certificate is issued to the client.
6. Subscribers/Users/Digital Certificate holders: People, computers, network devices or software agents that have been issued with certificates and can use them to sign digital documents. The standard currently in use for digital certificates is X.509 V3.
7. Clients: These validate digital signatures and the certificates of the communicating parties. The clients may range from simple users to state of the art network devices.

Lab Environment Preparation for PKI

1. Download ISO image file of Ubuntu 14 and install a copy of it in VMWare.
2. Boot up Ubuntu with NAT Mode so that it shares the host’s IP address to access the internet.

Figure: 3 Network Mode Setting in VMWare.

1. Ping the guest VM machine from the host machine to check the machine connectivity.
2. Ping internet from the guest VM machine to check the internet connectivity in the VM.
3. From the terminal of Ubuntu Linux, Update the repositories by the following command apt-get update.
4. Type apt-get install apache2 to install apache server.
5. Type apt-get install ssh to install OpenSSH server.
6. Type apt-get install openssl to install OpenSSL.
7. Type /etc/init.d/apache2 start to start the Apache server in the guest VM.
8. Type /etc/init.d/ssh start to start the SSH server in the guest VM. SSH server is a service that has to be enabled on the Linux machine so that Windows clients can copy files to/from the Linux machine.
9. Type apt-get install wireshark to install Wireshark.
10. Add Apache to boot startup by typing the command update-rc.d apache2 enable
11. Add Apache to boot startup by typing the command update-rc.d ssh enable
12. The IP of VM being used in this document is 192.168.1.133, and host IP is 192.168.1.1.
13. From host machine, type telnet 192.168.1.133 22 on command prompt to check the connectivity with SSH server.
14. Download and install WinSCP. This tool is used on windows to access the SSH server on the Linux machine and transfer the files to/from Linux machine.
15. From host machine, start WinSCP. Click on New Site. Enter 192.168.1.132, Username & Password and click Connect.
16. After successful connection, the file system of Linux machine will be explored.

Generate CA Key and Certificate

1. Create a key for CA Certificate. Run openssl genrsa -out cakey.pem 2048
   2048 Bit CA Key is stored into the file cakey.pem

Figure: 4 Generation of CA Private Key

1. Create a key for CA Certificate. Run openssl genrsa -in cakey.pem -noout -text

Figure: 5 Parameters of Private Key

1. Createca.cfgfor the configuration of the CA.

[ ext ] keyUsage = critical, cRLSign, keyCertSign basicConstraints = critical,CA:true subjectKeyIdentifier = hash [ req ] distinguished_name    = req_distinguished_name [ req_distinguished_name ] CN = Common Name CN_default=”Demo Certificate Authority” policy = policy_supplied [ policy_supplied ] CN = supplied

1. Create self-signed CA Certificate. Run openssl req -config ca.cfg -extensions ext -days 3650 -new -x509 -key cakey.pem -out cacert.crt -set_serial 01 -batch-text
2. Double click the cacert.crt file to view the certificate.

Figure: 6 Details of CA Certificate

Figure: 7 Details of CA Certificate

Generate SSL/TLSServer Certificate

1. For the creation of key and certificates of TLS Server, create a file tls_server.cfg

HOME            = . RANDFILE        = $ENV::HOME/.rnd [ ca ] default_ca    = CA_default [ CA_default ] dir        = . certs        = $dir crl_dir        = $dir/crl database    = $dir/index.txt unique_subject    = no new_certs_dir    = $dir certificate    = $dir/cacert.crt serial        = $dir/serial crlnumber    = $dir/crlnumber crl        = $dir/crl.pem private_key    = $dir/cakey.pem RANDFILE    = $dir/.rand name_opt     = ca_default cert_opt     = ca_default default_days    = 365 default_crl_days= 30 default_md    = default preserve    = yes [ req ] distinguished_name    = req_distinguished_name req_extensions = req_ext string_mask = nombstr [ req_distinguished_name ] CN = ABC CN_default=”192.168.1.133″ policy = policy_supplied [ policy_supplied ] commonName = supplied [ req_ext] basicConstraints = critical,CA:false subjectKeyIdentifier = hash keyUsage = critical,digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2

1. Create a server private key. Run openssl genrsa -out server.key 2048

Figure: 8 Details of Server Private Key

1. Create a CSR (Certificate Signing Request) for the server key that was generated in previous step. Run openssl req -config tls_server.cfg -out server.csr -key server.key -new -batch
2. Sign the CSR to create server certificate. Run openssl x509 -req -extfile tls_server.cfg -extensions req_ext -in server.csr -CA cacert.crt -CAkey cakey.pem -out server.crt -days 720 -set_serial 2 -text

Figure: 9 Details of Server Certificate

Figure: 10 Details of Server Certificate

1. Double click server.crt to view the server certificate.
   

Figure: 11 Details of Server Certificate

1. Create PKCS12/PFX bundle to encrypt the key and cert. It will input password two times. Remember this password because if this p12 file has to be used in Windows/Linux, then this password will be required.Runopenssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
   

Figure: 12 Export Server Key and Certificate to P12 format

Setup a Basic/Plain Web Server

1. Access the default Web Interface of Apache Server on Ubuntu Linux by typing http://192.168.1.133/

Figure: 13 Plain Web Server

1. All this communication was in plain and can be captured by any attacker.
2. Open Wireshark and start capturing the traffic.
3. Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The unencrypted/plain page is visible in the figure.

Figure: 14 Plain Communication captured through Wireshark

1. We have to secure the above web server so that the contents are not visible to attackers and intruders.
   

Using the Certificates to Configure a Secure SSL/TLS Web Server

1. Create directory by command mkdir /etc/apache2/certificates
2. Go to certificates directory by cd /etc/apache2/certificates
3. Login via WinSCP, copy cacert.crt, server.key and server.crt files to /etc/apache2/certificatesby commands

• cp /home/maverick/cacert.crt /etc/apache2/certificates/
  
• cp /home/maverick/server.key /etc/apache2/certificates/
  
• cp /home/maverick/server.crt /etc/apache2/certificates/
  

1. Go to certificates directory by cd /etc/apache2/sites-enabled
2. Create file ssl.conf and add contents

NameVirtualHost *:80 NameVirtualHost *:443 <VirtualHost *:80> DocumentRoot /var/www/html/ ServerName 192.168.1.133 </VirtualHost> <VirtualHost *:443> DocumentRoot /var/www/html/ ServerName 192.168.1.133 SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/certificates/server.crt SSLCertificateKeyFile /etc/apache2/certificates/server.key SSLCACertificateFile /etc/apache2/certificates/cacert.crt </VirtualHost>

1. Run command to enable ssl in Apache a2enmod ssl
2. Restart apache server by /etc/init.d/apache2 restart

Using the Certificates on Client for SSL

CA certificate must be imported in the web browser else it will generate security warnings.
Ethical Hacking Training – Resources (InfoSec)

Import Certificates in Internet Explorer

1. Internet Explorer ->Tools ->Internet Options ->Content ->Certificates ->Trusted Root Certification Authorities ->Import->Browse (Select the cacert.crt file)->Import to Trusted Root Certification Authorities. Click Yes to the Security Warning.

Figure: 15 Add CA Certificate to Windows Store

1. Double click the cacert.crt file to view the certificate.

Figure: 16 CA Certificate in MS Windows

Import Certificates in Mozilla Firefox

1. Import CA Certificate in Mozilla Firefox ->Tools ->Options ->Advanced ->Encryption ->View Certificates ->Authorities ->Import ->Browser for cacert.crt ->Check all 3 options.

Figure: 17 Import CA Certificate in Mozilla Firefox Store

If we open the server certificate, then it opens correctly because we have added its CA certificate in Windows store. The CA chain is verified correctly as shown in the figure.

Figure: 18 Server Certificate Chain Verification

Verify Encrypted Web Server Traffic

1. Access the default Web Interface of Apache Server on Ubuntu Linux by typing https://192.168.1.133/

Figure: 19 Secure Web Server on HTTPS

1. All this communication was encrypted and cannot be captured by any attacker.
2. Open Wireshark and start capturing the traffic. Access the web page again to generate the traffic.
3. Analyze the traffic between client and server by typing “ip.addr == 192.168.1.1 && ip.addr == 192.168.1.133” in the filter textbox. The encrypted traffic is visible in the figure.

Figure: 20 Encrypted Traffic captured in Wireshark

1. Web server traffic has been secured from attackers and intruders.
2. The ciphers being used for the communication are:
   1. Connection encrypted through AES Galois Counter Mode
   2. ECDHE_RSA was used as the secure key exchange mechanism between client and server.

Figure: 21 Details of Encryption Mechanisms on Web Server

1. Web server traffic has been secured from attackers and intruders.

Generate User Private/Public Key Pair

1. Create a user private key. Run openssl genrsa -out UserAPrivate.key 2048

Figure: 22Generate User Private Key

1. Open the private key to verify that command was run successfully. Run vim UserAPrivate.key

Figure: 23Check Private Key

1. Generate corresponding public key. Run openssl rsa -in UserAPrivate.key -out UserAPublic.key -outform PEM -pubout

Figure: 24Generate Public Key

1. Open the public key to verify that command was run successfully. Run vim UserAPublic.key

Figure: 25Verify Public Key

Confidentiality: Encryption with Public Key and Decryption with PrivateKey

As it was discussed before in the article that one key is used to encrypt, and a corresponding/matching key is used to decrypt. If the public key is used for encryption, the associated private key is used for decryption achieving confidentiality.

1. Create a plain text file. Run echo “This file has some text. It will be used for Encryption and Decryption” > file.txt
   

Figure: 26Create Plain text file

1. Encrypt the plain text file with the public key. Run openssl rsautl -encrypt -inkey UserAPublic.key -pubin -in file.txt -out encfile.txt

Figure: 27Encrypt with Public Key

1. Open the encrypted file to view the contents. Run vim encfile.txt

Figure: 28View Encrypted Text

1. Decrypt the file with the private key. Run openssl rsautl -decrypt -inkey UserAPrivate.key -in encfile.txt -out fileDecrypted.txt

Figure: 29Decrypt with Private Key

1. View the decrypted file; actual contents have to be decrypted successfully. Run cat fileDecrypted.txt

Figure: 30Verify Decrypted Output

1. The actual plain text has been recovered successfully.
   

Authentication: Encryption with Private Key and Decryption with Public Key

As it was discussed before in the article that one key is used to encrypt, and a corresponding/matching key is used to decrypt. If the private key is used for encryption, the associated public key is used for decryption achieving authentication.

1. Create a plain text file. Run echo “This file has some text. It will be used for Encryption and Decryption” > file.txt

Figure: 31 Create Plain text file

1. Encrypt the plain text file with the private key. Run openssl rsautl -inkey UserAPrivate.key -sign -in file.txt -out fileSigned.txt

Figure: 32 Encrypt with Private Key

1. Open the encrypted file to view the contents. Run vim fileSigned.txt

Figure: 33 View Signed File

1. Decrypt the file with the public key. Run openssl rsautl -inkey UserAPublic.key -pubin -in fileSigned.txt

Figure: 34 Decrypt with Public Key
 

##################################################################################

Any enterprise basically faces the same key issues while they set up and maintain server management solutions. The whole process of server management would be too slow, too complex or too expensive.

It is the responsibility of the IT department head or CIO to ensure that everyone accessing business applications from the server find it reliable and stable to operate. To ensure this, the IT admins usually install a set of software including security tools such as anti-virus, backup applications, performance monitoring software, etc. They also need to ensure that all the management solutions are set up meeting the required corporate and regulatory policies. Otherwise, they may run into legal issues.

While it is relatively easy for the IT department to set up server management for 2-3 servers, imagine scaling it up to tens or hundreds of servers. It would be chaotic. They have to continuously monitor each server management solution’s life cycle i.e installation, monitoring, maintenance and updation.

So, why do such problems arise?

No Control & Visibility

The teams often do not have total control or visibility over server management solutions. As these solutions are running in different virtual, cloud and physical environments, the lack of visibility and control affects server management. IT admins are unable to upgrade existing solutions to better, more stable versions with latest fixes and features. Instead, they are forced to install new server management solutions.

Introduction of new solutions means starting over from the initial phase of their life cycle. Thus, it becomes a tiring and inconvenient option that takes time for updates. Being difficult to introduce new updates, organizations will find it difficult to make use of the best options available in the market.

Server Management Agents

They are the major culprits as agents are required to be installed on each server. During deployment, this tiresome, time consuming activity slows down the whole process. Also, during installation of agents, there would be issues such as reboots, which would affect stability, performance and user experience due to server downtime.

In fact, many-a-times, business owners will have to wait for weeks at times for IT teams to complete various tasks. In an era where instant gratification is the watchword, it can be detrimental for IT teams if they are perceived to be working slowly.

Cloud Disruption

The introduction of cloud has drastically altered Enterprise IT processes in the near past. The popularity of cloud has presented two major challenges to IT teams.

Increased complexity – The public cloud requires a different set up to the existing software used to manage the workloads of virtual and physical servers. Therefore, new solutions would be required. IT teams will have to learn the processes and adapt to them.

Scalability –The traditional server management software setup on location are limited and cannot meet the requirements of public cloud infrastructure.  It cannot be scaled and is very slow and vulnerable to human errors.

To solve these issues, specialized server management skills are required. These experts know how to weave in through the server management web and find the right solution for you.

ServerAdminz provides Outsourced 24/7 Technical Support, Remote Server Administration, Server Security, Linux Server Management, Windows Server Management and Helpdesk Management to Datacenters, Hosting companies and ISPs around the world. We specialize in Extended Server Security, Server Hardening, Support of Linux/UNIX/Windows servers, products and services.If you are looking for a server management service provider, you can contact us on sales@serveradminz.com or +1 (845) 271 7172.
ServerAdminz is a server support company specialized in Outsourced 24/7 Web Hosting Support, Remote Infrastructure Management, NOC, Cloud and Enterprise Security Services. With over 10+ of years of experience in working with major Data Centers and ISPs with 130+ experienced technicians, we continue to manage more than 49,000 servers from 85+ countries and has bagged 5 international awards.
If you have any queries regarding server management services, share your thoughts and our representative will get back to you.
##################################################################################