DNSSEC with BIND 9.10 and native PKCS#11

DNSSEC with BIND and native PKCS#11 support (BIND & SoftHSM)

BIND 9.10.0-P1 and later can be built with native PKCS#11 support, which talks to the token through the PKCS#11 provider library directly instead of going through the OpenSSL-based PKCS#11 engine. Either build it yourself with

./configure --enable-native-pkcs11 --with-pkcs11=provider-library-path

(where provider-library-path is the PKCS#11 module; for SoftHSM 2 on Fedora that is /usr/lib64/pkcs11/libsofthsm2.so) or install the prebuilt packages.

At the time of writing, Fedora 23 ships bind-9.10.3-7.P2 (the native PKCS#11 build lives in the separate bind-pkcs11 package) and SoftHSM 2 (a software-based HSM).

SoftHSM is a software implementation of a cryptographic token accessible through a PKCS#11 interface. It keeps the keys in files on the local disk, so it gives you the PKCS#11 workflow (private keys never leave the provider, signing happens inside it) but none of the tamper resistance of a real HSM; the BIND configuration below moves unchanged to a hardware token later.

Install the required packages

# dnf install bind-chroot bind-pkcs11 softhsm bind-pkcs11-utils

bind-chroot-32:9.10.3-7.P2.fc23.x86_64
bind-pkcs11-9.10.3-7.P2.fc23.x86_64
softhsm-2.0.0rc1-3.fc23.x86_64
bind-pkcs11-utils-9.10.3-7.P2.fc23.x86_64

Initialize a SoftHSM token
# softhsm2-util --init-token --slot 0 --label softhsm
Enter the SO (security officer) PIN and the user PIN when prompted. The user PIN is the one BIND will use for signing; the SO PIN is only needed to re-initialize the token.

Generate the keys (Key Signing Key and Zone Signing Key)

Choose the algorithm and key size according to your requirements; the examples below use RSASHA256 with 2048-bit keys.
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_ksk
Enter Pin:
# pkcs11-keygen -a RSASHA256 -b 2048 -l sample_zsk
Enter Pin:

# pkcs11-list
Enter Pin:
object[0]: handle 2 class 2 label[12] 'sample_ksk' id[0]
object[1]: handle 3 class 3 label[12] 'sample_ksk' id[0]
object[2]: handle 4 class 2 label[12] 'sample_zsk' id[0]
object[3]: handle 5 class 3 label[12] 'sample_zsk' id[0]

Each label shows two objects: class 2 is the public key object (CKO_PUBLIC_KEY) and class 3 the private key object (CKO_PRIVATE_KEY). Only the public half can be exported; the private key stays in the token.

Create a pair of BIND9 key files with the dnssec-keyfromlabel-pkcs11 utility. Because the private key lives in the PKCS#11 token, the label is given as a PKCS#11 URI naming the object, and pin-source points at a text file holding the user PIN: the tools read the PIN from that file rather than prompting for it. Storing a PIN on the file system is not ideal, so keep the file to the minimum: mode 0600, owned by the user who runs the signing, and outside any directory the web server or zone transfers can reach. In the offline signing setup shown here only dnssec-signzone needs the PIN; named merely serves the signed zone file and never opens the token. (If you later let named sign the zone itself with inline-signing, the PIN file must also be readable inside the bind-chroot jail.)

# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -f KSK -l 'pkcs11:object=sample_ksk;pin-source=/etc/token_pin' example.com
Kexample.com.+008+46938.key
# dnssec-keyfromlabel-pkcs11 -a RSASHA256 -l 'pkcs11:object=sample_zsk;pin-source=/etc/token_pin' example.com
Kexample.com.+008+46939.key

The 008 in the file name is the DNSSEC algorithm number of RSASHA256 (005 would be RSASHA1) and the last number is the key tag; -f KSK sets the SEP flag (flags value 257) on the key-signing key.

The resulting files can be used to sign the zone. As the BIND documentation puts it: "Unlike the normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an identifier for the private key which remains stored within the HSM. Signing with the private key takes place inside the HSM."

Include the keys in the zone file (here the zone file is named example.com, so dnssec-signzone takes the origin from the file name; otherwise pass -o) or point named at them from its configuration. Use single quotes: inside double quotes the shell would expand $INCLUDE as an empty variable and write a bare key file name into the zone.

echo '$INCLUDE Kexample.com.+008+46938.key' >> example.com
echo '$INCLUDE Kexample.com.+008+46939.key' >> example.com

Signing the zone
# dnssec-signzone-pkcs11 example.com
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked

# head example.com.signed
; File written on Mon Jan 18 16:02:19 2016
; dnssec_signzone version 9.10.3-P2-RedHat-9.10.3-7.P2.fc23
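Two checks are worth running before the signed zone goes live: dnssec-verify on the signed file confirms that every RRset carries a valid signature using only the public keys (no HSM access needed), and dnssec-dsfromkey on the KSK's .key file produces the DS record the parent zone needs. The following added example (not from the original post, and not BIND's code) shows what those two tools compute: it parses the DNSKEY line that dnssec-keyfromlabel wrote into the .key file, recomputes the key tag that appears in the file name (RFC 4034 Appendix B) and derives the DS record (RFC 4034 section 5.1.4). The key material in it is a constructed placeholder with a 16-byte dummy modulus, not a real RSA key, so the numbers only exercise the arithmetic; point parse_dnskey_line at the line from your own Kexample.com.+008+NNNNN.key file to check the real one.

```python
"""Key tag and DS record for a DNSKEY, as dnssec-dsfromkey computes them.

Added example, not from the original post or from BIND. It works on the public
DNSKEY line that dnssec-keyfromlabel writes into the K<zone>.+<alg>+<tag>.key
file, which is the only key material that ever leaves the HSM.
"""
import base64
import hashlib

# IANA DNSSEC algorithm numbers and DS digest types used below.
RSASHA1 = 5
RSASHA256 = 8
DS_SHA1 = 1
DS_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rsa_pubkey_wire(exponent: int, modulus: bytes) -> bytes:
    """RFC 3110 public key field: exponent length (1 byte for lengths < 256), exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) >= 256:
        raise ValueError("exponent needs the 3-byte length form, not handled here")
    return bytes([len(exp)]) + exp + modulus


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK with SEP bit, 256 = ZSK), protocol 3, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in.

    This is the number in the K*.key file name. It is a locator, not a hash:
    two different keys can share a tag, which is why a validator tries all of them."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...'; text after ';' is a comment.

    Returns (owner, rdata)."""
    tokens = line.split(";", 1)[0].split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], dnskey_rdata(flags, proto, alg, pubkey)


def key_file_name(owner: str, rdata: bytes) -> str:
    """BIND's naming: K<owner>+<alg, 3 digits>+<tag, 5 digits>.key."""
    return f"K{owner}+{rdata[3]:03d}+{key_tag(rdata):05d}.key"


def ds_record(owner: str, rdata: bytes, digest_type: int = DS_SHA256) -> str:
    """DS RR in presentation form: digest over canonical owner name followed by the DNSKEY RDATA."""
    hasher = {DS_SHA1: hashlib.sha1, DS_SHA256: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


# Constructed sample (assumption, not a real key): exponent 65537 and a 16-byte
# dummy modulus, flagged as a KSK using RSASHA256.
SAMPLE_PUBKEY = rsa_pubkey_wire(65537, bytes.fromhex("deadbeef") * 4)
SAMPLE_RDATA = dnskey_rdata(257, 3, RSASHA256, SAMPLE_PUBKEY)
SAMPLE_DNSKEY_LINE = (
    "example.com. IN DNSKEY 257 3 8 "
    + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
    + "  ; constructed KSK for the example"
)

if __name__ == "__main__":
    owner, rdata = parse_dnskey_line(SAMPLE_DNSKEY_LINE)
    print(key_file_name(owner, rdata))
    print(ds_record(owner, rdata))
```

The DS digest covers the owner name in canonical (lowercase, wire) form plus the full RDATA, so a DS published at the parent commits to the exact flags and algorithm as well as the key bytes; changing any of them at the KSK means re-submitting the DS.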

Reference: BIND 9 Administrator Reference Manual
https://ftp.isc.org/isc/bind/cur/9.10/doc/arm/Bv9ARM.ch04.html
SoftHSM documentation

Monitor VMware ESXi hardware without root (Nagios)

Download and configure the plugin: http://exchange.nagios.org/directory/Plugins/Operating-Systems/*-Virtual-Environments/VMWare/check_esxi_hardware-2Epy/

– Create a new user on the ESXi host (the example below calls it nagios) with the "No access" role. You need to log in to the ESXi host directly to do that, not through vCenter.

– Enable SSH and add the nagios user to the root group. The plugin talks to the host's CIM server on port 5989, and the hardware CIM queries on ESXi only succeed for members of that group; the "No access" role still keeps the account out of the vSphere API, which is as little privilege as this check can run with:
# vi /etc/group
root:x:0:root,nagios

– Check from the command line that it works:
./check_esxi_hardware.py --host https://esxihost:5989 --user file:credentials.txt --pass file:credentials.txt
OK - Server: Cisco Systems Inc.....

– Put the nagios user's credentials in credentials.txt. The file: prefix makes the plugin read them from the file rather than from the command line, where they would be visible in ps output; keep the file readable only by the account that runs the Nagios checks.

Setup GeoIP (PECL) for piwik geolocation and updating old visits

GeoIP is the recommended way to determine a visitor's location accurately; the default geolocation provider, which guesses the country from the browser language, gives inaccurate results.

To enable GeoIP (PECL) on Red Hat/CentOS machines:
# yum install php-pecl-geoip
# apachectl restart
# php -m | grep -i geo
geoip

From Piwik, Settings –> Geolocation –> GeoIP (PECL)

To reindex the old visits, run the updater from the Piwik installation directory (it rewrites the location columns of existing rows, so take a database backup first and run it while traffic is low):
# cd misc/others
# php ./geoipUpdateRows.php
[note] Found working provider: geoip_pecl
90094 rows to process in piwik_log_visit and piwik_log_conversion....
.
.
.
100% done!

Send attachments from command line with mutt

To send e-mails from the command line with attachments using mutt:

EMAIL= – sets the From address (mutt reads this environment variable when no from is configured)
-s – subject
-a – attachment file (may be given several times; it must be the last option and the list is closed with -- before the recipients)
recipient address
-c – CC
-b – BCC
The body is read from standard input, so put it in a text file (eg: /tmp/testmessage).

EMAIL="foo@bar" mutt -s "Subject" -c foo2@bar -a test.doc -- foo1@bar < /tmp/testmessage

Create bootable USB on OSX

– Identify the device node of the USB disk you inserted; usually you can tell it from the "Name" and "Size" fields. In the example below the 4.1 GB USB stick shows up as disk2. Check this carefully before going on: dd writes to whatever device you name, and pointing it at the wrong identifier wipes that disk.
Open Terminal and execute the following commands:

sh-3.2$ diskutil list
/dev/disk0
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *120.0 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_CoreStorage 119.0 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Macintosh HD *118.7 GB disk1
/dev/disk2
#: TYPE NAME SIZE IDENTIFIER
0: UNTITLED *4.1 GB disk2

– Unmount the disk (unmount, not eject: the device node has to stay present for dd)
sh-3.2$ diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful

– Write the ISO file to the USB disk using dd (writing to the raw device /dev/rdisk2 instead of /dev/disk2 is noticeably faster)
sh-3.2$ sudo dd if=Downloads/ubuntu-12.04.3-desktop-i386.iso of=/dev/disk2 bs=1m
Password:
707+0 records in
707+0 records out
741343232 bytes transferred in 139.059398 secs (5331126 bytes/sec)

– Eject the disk
sh-3.2$ diskutil eject /dev/disk2
Disk /dev/disk2 ejected

Configure apache solr with tomcat

Install tomcat

$ sudo yum install tomcat6

Download and extract apache solr : http://lucene.apache.org/solr/

$ cp apache-solr-3.6.2.war /var/lib/tomcat6/webapps/solr.war
$ cp -r /data/apache-solr-3.6.2/example/solr /var/lib/tomcat6/

Create the context descriptor /etc/tomcat6/Catalina/localhost/solr.xml so that its solr/home environment entry points at the copied example directory (/var/lib/tomcat6/solr), then fix the ownership and restart Tomcat:

$ cat /etc/tomcat6/Catalina/localhost/solr.xml
$ chown -R tomcat: /var/lib/tomcat6/solr/
$ sudo service tomcat6 restart

Access url : http://<server_name/ip>:8080/solr/admin

Solr 3.x has no authentication on the admin interface and Tomcat listens on all interfaces by default, so restrict port 8080 to the hosts that need it before exposing this.

Virus scanning for file uploads with clamav/php

Download and install the following packages; if your distribution's repository already has them, just use the package manager.

Ubuntu/Debian/Mint (the Debian package names differ from the RPM ones)

# apt-get install clamav clamav-daemon libclamav-dev php5-dev

Redhat

# yum install php-devel
# wget http://pkgs.repoforge.org/clamav/clamav-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamav-db-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamd-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamav-devel-0.97.7-1.el5.rf.i386.rpm
# rpm -Uvh clam*
# freshclam
# service clamd start

Configure php-clamav

Download php-clamav from sf.net

# wget http://downloads.sourceforge.net/project/php-clamav/0.15/php-clamav_0.15.7.tar.gz
# tar xvzf php-clamav_0.15.7.tar.gz
# cd php-clamav-0.15.7/
# phpize
# ./configure --with-clamav
# make
# cp modules/clamav.so /usr/lib/php/modules/

(/usr/lib/php/modules/ is the extension directory on 32-bit RHEL/CentOS; on other builds use the directory that php-config --extension-dir prints.)

Add the modules to php.ini if required.

extension=clamav.so

Make sure the module is loaded

# php -i | grep -i clam
clamav

In case you see the following error, the signature database is not where libclamav expects it; create a symlink so that /var/lib/clamav points at the directory the packages actually use (here /var/clamav):
LibClamAV Error: cl_load(): Can't get status of /var/lib/clamav

# ln -s /var/clamav /var/lib/clamav

Test script
Get the EICAR test file from http://www.eicar.org/86-0-Intended-use.html and save it as a file (eg: /tmp/virus.txt). It is harmless; every scanner detects it by agreement, which makes it the right thing to test with.

Create a php script:
cat > check_virus.php

<?php
// Path of the file to scan. In an upload handler use $_FILES['name']['tmp_name']
// and scan it before calling move_uploaded_file().
$file = '/tmp/virus.txt';
$virusname = '';
$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS) {
    echo "Virus found name : " . $virusname . "\n";
} else {
    // CL_CLEAN means clean; any other code is a scanner error, so when gating
    // an upload accept it only on CL_CLEAN, never on "not CL_VIRUS".
    echo cl_pretcode($retcode) . "\n";
}
?>

$ php check_virus.php
Virus found name : Eicar-Test-Signature
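php-clamav links libclamav into the PHP process and loads the whole signature database into every web worker. The alternative most deployments use is to hand the uploaded bytes to the already running clamd (started above with service clamd start) over its socket with the INSTREAM command, so the web process stays small and the daemon owns the signatures. The following added example, not from the original post and not php-clamav's code, implements that exchange in Python: the framing clamd expects, a reply parser, and a fail-closed decision in which only an explicit OK accepts the upload. The socket path is an assumption (it is whatever LocalSocket is set to in clamd.conf); the framing and reply parsing run offline, the live scan needs a clamd.

```python
"""Scan an upload with clamd over its socket (INSTREAM), failing closed.

Added example, not from the original post and not php-clamav's code.
Protocol, from clamd(8): the client sends "zINSTREAM\\0", then the data as
chunks of a 4-byte big-endian length followed by that many bytes, then a
zero-length chunk. clamd answers with a single line such as "stream: OK",
"stream: Eicar-Test-Signature FOUND" or "... ERROR", NUL-terminated because
the command was sent with the z prefix.
"""
import socket

# Standard EICAR test string (the same content as the page's /tmp/virus.txt).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"   # assumption: LocalSocket in clamd.conf
CHUNK_SIZE = 4096


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Yield the exact byte sequence INSTREAM expects, chunk by chunk."""
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        part = data[offset:offset + chunk_size]
        yield len(part).to_bytes(4, "big") + part
    yield b"\0\0\0\0"          # zero-length chunk ends the stream


def parse_reply(reply: bytes):
    """Map clamd's reply line to (status, detail); status is 'OK', 'FOUND' or 'ERROR'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    prefix, sep, rest = text.partition(": ")
    rest = rest if sep else prefix         # some error lines carry no "stream: " prefix
    if rest == "OK":
        return "OK", ""
    if rest.endswith(" FOUND"):
        return "FOUND", rest[: -len(" FOUND")]
    # Anything else (StreamMaxLength exceeded, malformed stream, daemon trouble)
    # is an error: an upload that was not scanned must not be accepted as clean.
    return "ERROR", rest


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 60.0):
    """Stream data to clamd and return parse_reply() of its answer.

    Socket problems are reported as ('ERROR', message) rather than raised, so
    the caller's decision stays a single comparison against 'OK'."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(sock_path)
            for frame in instream_frames(data):
                sock.sendall(frame)
            reply = b""
            while not reply.endswith(b"\0"):      # z-prefixed commands get a NUL-terminated reply
                buf = sock.recv(4096)
                if not buf:
                    break
                reply += buf
    except OSError as exc:
        return "ERROR", f"clamd unreachable: {exc}"
    return parse_reply(reply)


def upload_is_clean(data: bytes, sock_path: str = CLAMD_SOCKET) -> bool:
    """Accept an upload only on an explicit OK; FOUND and every kind of error reject it."""
    status, _ = scan_bytes(data, sock_path)
    return status == "OK"


if __name__ == "__main__":
    # Against a live clamd this prints ('FOUND', 'Eicar-Test-Signature').
    print(scan_bytes(EICAR))
```

Two settings in clamd.conf matter for this path: StreamMaxLength caps what INSTREAM will accept (larger uploads come back as an ERROR reply, which the code above rejects rather than waves through), and the socket must be writable by the web server's user.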

./arun

Create CSR and implement in apache

These steps generate a private key and a CSR to get the certificate signed by a CA (Verisign in the original example). The file names are just examples, but the directory matters: keep the key and the CSR outside the web root, because everything under it is served to clients and a downloadable private key defeats the whole exercise. On RHEL/CentOS the conventional places are /etc/pki/tls/private for the key and /etc/pki/tls/certs for the certificates.

$ /usr/bin/openssl genrsa -out /etc/pki/tls/private/domain_name.key 2048
$ chmod 600 /etc/pki/tls/private/domain_name.key
$ /usr/bin/openssl req -new -sha256 -key /etc/pki/tls/private/domain_name.key -out /etc/pki/tls/certs/domain_name.csr

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<must match exactly the host name clients will use>
Email Address []:

(openssl genrsa seeds itself from the kernel's random source, so the -rand option is not needed; leave the challenge password empty.)

Generate the key without a passphrase if you do not want to be prompted for it at every web server restart; the 0600 mode and root ownership are then the only protection it has.

Upload the CSR to the Certificate Authority, get the signed certificate back and save it as domain_name.crt. If it comes from Verisign, also fetch both intermediate certificates and concatenate them into one file (eg: intermediate.ca.crt); without them clients see an incomplete chain.

In the virtual host configuration:

SSLEngine on

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXP
SSLHonorCipherOrder on

SSLCertificateFile /etc/pki/tls/certs/domain_name.crt

SSLCertificateKeyFile /etc/pki/tls/private/domain_name.key

SSLCertificateChainFile /etc/pki/tls/certs/intermediate.ca.crt

The cipher list originally given here enabled RC4 and export-grade suites and was missing the colons between its last entries; the one above keeps only strong suites and lets the server pick the order. SSLCertificateChainFile is the directive for the intermediates: SSLCACertificateFile is for verifying client certificates and does not send the chain to browsers. (Apache 2.4.8 and later also accept the intermediates appended to the SSLCertificateFile.)

Restart the web service and verify the certificate. The Verisign certificate checker (https://ssl-tools.verisign.com/#certChecker) will do, but also check from outside with openssl s_client, with -servername set, that the server sends the leaf together with the intermediates and that the name matches.
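The verification step above is the one most often skipped, and the two failures it catches (a missing intermediate, a Common Name that does not match the host name) are invisible from the server itself. The following added example, not from the original post, is a Python check that connects the way a browser does: SNI sent, chain validated against the system CA store, host name matched. The hostname and expiry helpers are pure functions, so they are exercised offline on a constructed certificate dictionary (an assumption mirroring what ssl.getpeercert() returns); check_endpoint needs network access to the host under test.

```python
"""Post-deployment TLS check for the virtual host configured above.

Added example, not from the original post. ssl.create_default_context()
already enforces chain and hostname validation, so a server that omits
SSLCertificateChainFile fails here with a verification error; the helpers
below add the expiry check and make the name-matching rule explicit.
"""
import socket
import ssl
from datetime import datetime, timezone


def hostname_matches(hostname: str, names) -> bool:
    """RFC 6125-style comparison: exact match, or a single leading '*' that covers
    exactly one left-most label (so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[1:]:
            suffix = name[1:]                   # ".example.com"
            head = host[:-len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def names_from_cert(cert: dict) -> list:
    """DNS names the certificate is valid for, from the dict form ssl.getpeercert() returns.

    Browsers consult subjectAltName only; the commonName fallback is kept for old
    certificates without a SAN, which modern clients reject outright."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def days_until_expiry(cert: dict, now: float = None) -> float:
    """Days left; cert['notAfter'] uses the 'Jun  1 12:00:00 2025 GMT' form."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (not_after - now) / 86400


def check_endpoint(hostname: str, port: int = 443, timeout: float = 10.0, min_days: int = 30):
    """Return (ok, detail) for a live server; any handshake failure is reported, not raised."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake failed: {exc}"
    if not hostname_matches(hostname, names_from_cert(cert)):
        return False, f"certificate names {names_from_cert(cert)} do not cover {hostname}"
    days = days_until_expiry(cert)
    if days < min_days:
        return False, f"certificate expires in {days:.0f} days"
    return True, f"{version}, {days:.0f} days until expiry"


# Constructed certificate dictionary (assumption, mirrors ssl.getpeercert() output).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    import sys
    print(check_endpoint(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from a machine that is not the web server, with the name users will type; a certificate issued for example.com alone does not cover www.example.com, which is exactly the "matches exactly" warning at the Common Name prompt.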

Install rich text editor in mediawiki

The WYSIWYG extension enables more intuitive editing of pages on a MediaWiki-based site.

Download the package suitable for your MediaWiki version:

http://www.mediawiki.org/wiki/Extension:WYSIWYG#Download

$ unzip WYSIWYG.zip

$ cp -prf WYSIWYG $media_wiki/extensions/

$ vi LocalSettings.php and add:

require_once("$IP/extensions/WYSIWYG/WYSIWYG.php");

$wgGroupPermissions['*']['wysiwyg'] = true;

$wgGroupPermissions['registered_users']['wysiwyg'] = true;

Define the permissions as per your requirements: the '*' group is everyone, anonymous visitors included, and the second line only has an effect if you have defined a registered_users group yourself (MediaWiki's built-in group for logged-in users is 'user').