OpenSSL – List Trusted Certificate Authorities

Unlike Microsoft Windows, which provides a Trusted Root Certification Authorities certificate store you can browse, Red Hat and CentOS distributions do not provide a straightforward way to check quickly whether a Certificate Authority is included in the system Certificate Authority bundle (CA bundle).

During a recent project engagement I came across a simple CLI command which parses the CA bundle and lists every CA it contains:

[m@srv /home/user]# awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt

Alternatively the same command can be run and piped through grep to find a specific CA, for example “Entrust” –

[m@srv /home/user]# awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt | grep Entrust

Whilst not complicated, this simple syntax saves a substantial amount of time compared with searching a CA bundle manually in a text editor. Two things to keep in mind: the grep only matches the subject line, so add -issuer or -fingerprint to the openssl options if you want to match on those instead, and on Red Hat-style systems /etc/ssl/certs is a symlink to /etc/pki/tls/certs, so either path reaches the same bundle.
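The one-liner above, extended as an added example (this is not code from the original post): it counts the certificates in a bundle without needing openssl, splits the bundle into one file per CA so a single certificate can be inspected or exported, and prints the subject, expiry and SHA-256 fingerprint of every CA on one line each, so a grep for a CA name also shows when it expires. The bundle path is assumed to be the one used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: inventory a PEM CA bundle.
# Assumed bundle path is the one used in the post; on Red Hat-style systems
# /etc/ssl/certs is a symlink to /etc/pki/tls/certs, so both reach this file.
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"

# Count certificate blocks; needs no openssl. Newer ca-certificates packages
# also ship "BEGIN TRUSTED CERTIFICATE" blocks, which openssl x509 reads too.
count_certs() {
    grep -c -E '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$1"
}

# Split bundle $1 into $2/ca-001.pem, $2/ca-002.pem, ... in one awk pass,
# so a single CA can be examined with `openssl x509 -text -in` or exported.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN/ { n++; out = sprintf("%s/ca-%03d.pem", dir, n) }
        n > 0         { print > out }
        /^-----END/   { close(out) }
    ' "$1"
}

# One line per CA: file, subject, expiry and SHA-256 fingerprint.
list_cas() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for f in "$dir"/ca-*.pem; do
        printf '%s: ' "$(basename "$f")"
        openssl x509 -noout -subject -enddate -fingerprint -sha256 -in "$f" |
            paste -s -d '|' -
    done
    rm -rf "$dir"
}

# Case-insensitive search, e.g. find_ca "$BUNDLE" entrust
find_ca() {
    list_cas "$1" | grep -i -- "$2"
}

case "${1:-}" in
    --count) count_certs "$BUNDLE" ;;
    --list)  list_cas "$BUNDLE" ;;
    --find)  find_ca "$BUNDLE" "$2" ;;
esac
```

Run it as `sh ca-inventory.sh --find entrust` to get the same answer as the grep in the post plus the expiry date and fingerprint of each match; `--list` redirected to a file gives a baseline you can diff after the next ca-certificates update to see which roots were added or removed.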

Critical OpenSSL security exploit (aka Heartbleed)

Important: Critical OpenSSL security exploit

A serious vulnerability (CVE-2014-0160, known as Heartbleed) has been discovered in OpenSSL, the TLS library used by most Linux-based servers. It affects OpenSSL 1.0.1 through 1.0.1f and lets an unauthenticated remote party read up to 64 KB of the server's (or client's) process memory per request, which can include private keys, session cookies and other data that SSL/TLS was supposed to protect.

If you have a virtual server (VPS) or dedicated server you urgently need to apply the latest OpenSSL patches, then restart every service that links against OpenSSL (or reboot), since a running process keeps the old library mapped until it restarts. Instructions below –

cPanel/WHM:

  1. Login to WebHostManager
  2. Go to cPanel in the left hand menu
  3. Click Upgrade to Latest Version
  4. Follow upgrade instructions
  5. Go to Software in the left hand menu
  6. Click Update System Software
  7. Follow upgrade instructions

SW-Soft Plesk

  1. Login to the Plesk Control Panel
  2. Go to Settings
  3. Run the Plesk Updater

For the CentOS operating system:

  1. SSH in as root
  2. Run the command ‘yum update’ from the command line
  3. Yum will update the at-risk packages; confirm with ‘rpm -q --changelog openssl | grep CVE-2014-0160’, because Red Hat backported the fix and the version string stays 1.0.1e

For Ubuntu or Debian operating system:

  1. SSH in as root
  2. Run the command ‘apt-get update && apt-get upgrade’
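The patching steps above, complemented by an added check (this is not code from the original post): a small script that tells whether the host's OpenSSL still falls in the vulnerable range, whether the installed package already carries the backported fix, and which running processes still have the old library mapped and therefore need a restart. It assumes rpm and lsof (Red Hat/CentOS) or dpkg (Debian/Ubuntu) are installed; the Debian changelog path is an assumption for the libssl1.0.0 package of that era.

```shell
#!/bin/sh
# Added example, not part of the original advisory: check whether this host's
# OpenSSL is still exposed to Heartbleed (CVE-2014-0160) and list the services
# that must be restarted after the package update. Assumes rpm/lsof (RHEL,
# CentOS) or dpkg (Debian, Ubuntu) are present.

# Upstream OpenSSL 1.0.1 through 1.0.1f are vulnerable; 1.0.1g fixed it and the
# 1.0.0 and 0.9.8 branches never had the heartbeat code. Returns 0 (true) when
# the version string looks vulnerable. Distributions backport the fix without
# bumping this string (RHEL stays at 1.0.1e), so "vulnerable" here means
# "check the package changelog", not "definitely exposed".
version_looks_vulnerable() {
    # $1 is a line such as "OpenSSL 1.0.1e-fips 11 Feb 2013"
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Package-level check. RHEL/CentOS record fixed CVEs in the rpm changelog;
# Debian/Ubuntu in the libssl package changelog (assumed path for libssl1.0.0).
package_patched() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | grep -q 'CVE-2014-0160'
    elif command -v dpkg >/dev/null 2>&1; then
        zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz 2>/dev/null | grep -q 'CVE-2014-0160'
    else
        return 2
    fi
}

# Long-running services keep the old, now-deleted libssl mapped until they
# restart; lsof marks such mappings as DEL or "(deleted)".
needs_restart() {
    lsof -n 2>/dev/null | awk '/libssl/ && (/DEL/ || /\(deleted\)/) { print $1, $2 }' | sort -u
}

main() {
    ver=$(openssl version)
    printf 'Installed: %s\n' "$ver"
    if version_looks_vulnerable "$ver"; then
        if package_patched; then
            echo "Version string is in the vulnerable range, but the package carries the CVE-2014-0160 fix."
        else
            echo "VULNERABLE: update openssl now (yum update / apt-get update && apt-get upgrade)."
        fi
    else
        echo "Version string is outside the vulnerable 1.0.1-1.0.1f range."
    fi
    echo "Processes still using a pre-update libssl (restart these, or reboot):"
    needs_restart
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh heartbleed-check.sh --run`. A clean result from the version check alone is not enough: Red Hat shipped the fix as openssl-1.0.1e-16.el6_5.7, so the version string stays 1.0.1e and only the package check tells the truth. And because the bug lets an attacker read the private key out of memory, patching alone does not close the incident: reissue certificates, revoke the old ones, and rotate session secrets and passwords that passed through the vulnerable server.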

If you need assistance patching your systems consider contacting a technical services company such as Aorta Consulting.

Sysdig – Linux System Troubleshooting Tool

Sysdig is an open source Linux system troubleshooting tool which captures system state and activity from a running Linux instance and lets you save, filter and analyze it. It combines functionality from strace, tcpdump, lsof and a number of other utilities in one Swiss-army-knife style tool.

Sysdig is designed to simplify system-level troubleshooting, in particular in distributed, virtualized and cloud-based environments. It captures system calls and other system-level events with a Linux kernel facility called tracepoints, which costs much less overhead than strace's ptrace-based approach. It then “packetizes” the events so that you can save them to trace files and filter them, much as you would with tcpdump, which makes it very flexible for exploring what processes are doing.


Caching Name Server for CentOS 6.x

A caching-only DNS server stores the answers to the queries it resolves. Each cached answer is kept for a period set by the record's TTL (time-to-live), after which it is discarded and looked up afresh. The first lookup of a name still goes out to the authoritative servers, but repeat lookups are answered locally, which shortens the waiting time noticeably, especially on a slow connection.

Step 1: Install the BIND Packages using Yum

Install the BIND packages with the command below. In CentOS 6 the former caching-nameserver package has been folded into the bind package, so nothing else is needed for a caching-only setup.

# yum install bind bind-chroot

Step 2: Copy default bind configuration File

Copy the configuration files from the BIND sample files with the commands below. The sample directory is named after the installed version, so adjust the path accordingly (ls /usr/share/doc/bind-*/sample/etc/ shows the right one).

cd /var/named/chroot/etc
cp /usr/share/doc/bind-9.9.2/sample/etc/named.conf  .
cp /usr/share/doc/bind-9.9.2/sample/etc/named.rfc1912.zones  .

Step 3: Make changes in Configuration File

Edit the configuration file in your favourite editor and make the necessary changes as per the settings below, or use the configuration as-is. One caveat: “any” in listen-on makes named accept queries on every interface, so if the server has a public address, restrict allow-query and allow-recursion to localhost and your own networks; an open recursive resolver will be found and abused for DNS amplification attacks.

// /var/named/chroot/etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
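A complete caching-only named.conf for this setup, as an added example (not the configuration from the original post): it serves recursion only to localhost and one trusted network instead of listening on every interface without restrictions, validates answers with DNSSEC, and is written into the chroot and syntax-checked with named-checkconf. The LAN CIDR and the server's own address are placeholders to replace with your values.

```shell
#!/bin/sh
# Added example, not from the original post: generate a complete caching-only
# named.conf for BIND 9 on CentOS 6 that serves recursion only to localhost
# and one trusted network. Both arguments are placeholders to replace:
#   $1 = trusted LAN in CIDR form, $2 = the server's own LAN address.
gen_named_conf() {
    lan="${1:-192.168.1.0/24}"
    listen_ip="${2:-192.168.1.10}"
    cat <<EOF
// /var/named/chroot/etc/named.conf  (caching-only resolver)
acl "trusted" { localhost; ${lan}; };

options {
        listen-on port 53 { 127.0.0.1; ${listen_ip}; };
        listen-on-v6 port 53 { ::1; };
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Recursion for our own clients only: not an open resolver.
        recursion yes;
        allow-query       { trusted; };
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };
        allow-transfer    { none; };

        // Validate upstream answers (needs a writable managed-keys dir).
        dnssec-enable yes;
        dnssec-validation auto;
        managed-keys-directory "/var/named/dynamic";

        // Optional: forward to upstream resolvers instead of walking from root.
        // forwarders { 192.168.1.1; };
        // forward only;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints; named.ca ships with the bind package.
zone "." IN {
        type hint;
        file "named.ca";
};

// localhost forward/reverse zones from the sample file copied in step 2.
include "/etc/named.rfc1912.zones";
EOF
}

# Write the file into the chroot and syntax-check it when the tools exist.
install_named_conf() {
    chroot_dir="${3:-/var/named/chroot}"
    gen_named_conf "$1" "$2" > "${chroot_dir}/etc/named.conf"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$chroot_dir" /etc/named.conf
    fi
}

case "${1:-}" in
    --print)   gen_named_conf "$2" "$3" ;;
    --install) install_named_conf "$2" "$3" ;;
esac
```

After `service named restart`, verify both halves of the policy: from a host on the trusted network `dig @192.168.1.10 example.com` should return an answer with the ra flag set, and from outside that network the same query should come back REFUSED; if it answers, the ACL is wrong and the box is an open resolver.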

Install Dell OpenManage on CentOS 6.4x

I have updated my Dell OpenManage installer script to address several compatibility issues with Dell PowerEdge G12+ systems. The following Dell OpenManage Server Administrator (OMSA) installation script is suitable for RedHat 6.4x and CentOS 6.4x systems.

1. Login to your server via SSH.
2. Change directories to your source store:

# cd /usr/src

3. Create the install script:

# nano -w dominstaller.sh

4. Cut and paste the following text:

#!/bin/bash
#
# Dell OpenManage Installer (DOMI)
# Revision: June 25th 2013 md3v.com
#
HOST=$(hostname)
D=$(date '+%d%m%y')
echo
echo "Dell OpenIPMI & OpenManage Automatic Installer"
echo "Revision: July 25th 2013 md3v.com"
echo
read -p "Press [Enter] key to begin the installation or [CTRL+C] to exit."
echo
echo "Installing OpenIPMI..."
echo
yum -y install OpenIPMI
echo