This looks like a GREAT post. I'm gonna wipe out the node, and start from scratch using this tutorial probably early next week.

The only thing extra I need is MySQL. How would I go about setting that up in this tutorial? As in at what steps would I type what?

Thanks!

-Kevin

apt-get install mysql
To configure see the MySQL site.

Sorry, Mysql is not one of my strong subjects.

@chapterthree:

The only thing extra I need is MySQL. How would I go about setting that up in this tutorial? As in at what steps would I type what?

Just do this, any time after upgrading:

apt-get install mysql-server

In fact, I installed MySQL at the same time as Apache and PHP:

apt-get install apache2 php4 mysql-server

-Mike

Oops, you probably want PHP4 and MySQL to actually work with Apache 2 and each other! You need a couple more modules to hook them all up.

Here's the whole thing:

apt-get install apache2 mysql-server php4 libapache2-MOD-php4 php4-mysql

Fantastic tutorial! Thanks!

I think step 3 can be skipped entirely. There is no need to install ee editor because nano is already installed by default.

You are right step three can be skipped, nano will work however I like EE better :)

You may also consider changing 'testing' in sources.list to 'sarge'. That way when (some would say if) Sarge becomes stable, you can continue running it with no changes. This assumes that you want to continue running Sarge of course.

I am close to what I want with the following– but it still needs some work.

This goes from the standard linode debian 6 squeeze 32-bit install to debian wheezy-testing at the time I wrote it.

I would happily accept suggestions on improvements (like adding suexec, better virtual host stuff, and better permission suggestions) or things I can read to be a better admin.

Thanks,

-Brad

Many thanks to the patient souls in #debian and #apache on Freenode

Many commands and much info stolen from these locations:

http://www.rackaid.com/resources/linux- … nd-how-to/">http://www.rackaid.com/resources/linux-screen-tutorial-and-how-to/

http://www.debian.org/releases/testing/ … #newkernel">http://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#newkernel

https://sites.google.com/site/mydebiansourceslist/

http://linux.justinhartman.com/SettingupaLAMPServer

http://www.debian-administration.org/articles/349

http://www.lavluda.com/2008/02/02/insta … tu-server/">http://www.lavluda.com/2008/02/02/install-imagemagick-support-to-your-debianubuntu-server/

http://php.net/manual/en/imagick.setup.php

http://www.lavluda.com/2007/07/15/how-t … 22-debian/">http://www.lavluda.com/2007/07/15/how-to-enable-mod_rewrite-in-apache22-debian/

http://www.debian-administration.org/articles/284

http://openvpn.net/archive/openvpn-user … 00355.html">http://openvpn.net/archive/openvpn-users/2004-05/msg00355.html

http://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

http://httpd.apache.org/docs/2.2/vhosts/examples.html

Base debian 6 32-bit linode.com Virtual Private Server install

login via ssh as root

get the screen program

apt-get install screen

start the screen window program

screen

Basic screen command line commands

start the screen window program

screen

see running screen windows

screen -ls

reattach to a screen window

screen -r (your pid.connection.hostname will vary)

Basic screen keybindings

create an additional window in screen

CTRL+a+c

switch to the next window in the forward direction

CTRL+a+n

switch to the next window in the forward direction

CTRL+a+p

see a list of windows

CTRL+a+w

switch to a specific window

CTRL+a+"

(" = SHIFT+')

kill the current window

CTRL+a+k

(if it is the last window, screen will close and return you to the command line)

detatch from all windows leaving screen running and return to the command line

CTRL+a+d

once screen is up update and upgrade the system

apt-get update

apt-get upgrade

install the kernel metapackage

apt-get install linux-image-2.6.32-5-686

verify everything is in good order (no output is what you want)

dpkg --audit

aptitude search "~ahold"

apt-get clean

test that the new kernel metapackage is installed (pray you see output)

dpkg -l "linux-image*" | grep ^ii

reboot

edit /etc/apt/sources.list

vi /etc/apt/sources.list

My sources is as follows:

#

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb http://ftp.us.debian.org/debian/ squeeze main

deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main

deb-src http://security.debian.org/ squeeze/updates main

squeeze-updates, previously known as 'volatile'

deb http://ftp.us.debian.org/debian/ squeeze-updates main

deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

#

Debian Testing

#

Testing

deb http://ftp.debian.org/debian/ testing main contrib non-free

deb-src http://ftp.debian.org/debian/ testing main contrib non-free

Testing Security http://secure-testing-master.debian.net/

deb http://security.debian.org wheezy/updates main contrib non-free

deb-src http://security.debian.org wheezy/updates main contrib non-free

update the system

apt-get update

run a distribution upgrade

apt-get dist-upgrade

you will be presented with distribution upgrade notes:

q (will exit the less program)

You will be presented with a choice of automatically restarting services

│ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, │

│ and libssl, are upgraded. Since these restarts may cause interruptions of service for the system, you will normally be │

│ prompted on each upgrade for the list of services you wish to restart. You can choose this option to avoid being │

│ prompted; instead, all necessary restarts will be done for you automatically so you can avoid being asked questions on │

│ each library upgrade. │

│ │

│ Restart services during package upgrades without asking? │

│ │

│ I chose yes and hit Configuration file `/etc/default/rc'

==> File on system created by you or by a script.

==> File also in package provided by package maintainer.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** rcS (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

│ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, │

│ CD-ROM, and tape devices may change. │

│ │

│ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than │

│ by device name, which will work with both old and new kernel versions. │

│ │

│ If you choose to not update the system configuration automatically, you must update device IDs yourself before the │

│ next system reboot or the system may become unbootable. │

│ │

│ Update disk device IDs in system configuration? │

│ │

│ │

│ │

I chose Yes and hit │ │

│ Boot loader configuration check needed │

│ │

│ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be │

│ updated: │

│ │

│ * The root device ID passed as a kernel parameter; │

│ * The boot device ID used to install and update the boot loader. │

│ │

│ │

│ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be │

│ identified by name. │

│ │

│ │

│ │

I hit to choose Ok and continue

Configuration file `/etc/dhcp/dhclient.conf'

==> Modified (by you or by a script) since installation.

==> Package distributor has shipped an updated version.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** dhclient.conf (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

reboot

Start building the web server

apt-get install apache2 php5 php5-fpm fcgid

a2enmod cgid rewrite ssl

apt-get install php-pear imagemagick re2c libmagickwand-dev php5-dev make

pear config-set preferred_state beta

pecl install Imagick

vi /etc/php5/apache2/php.ini

(at line 213 for me)

shortopentag = Off

(at line 674 for me)

postmaxsize = 12M

(at line 802 for me)

uploadmaxfilesize = 12M

(at line 865 for me)

extension = imagick.so

(at line 1360 for me)

session.cookie_secure = 1

(at line 1391 for me)

session.cookie_httponly = 1

service apache2 restart

vi /etc/apache2/ports.conf

we need to ensure

my /etc/apache2/ports.conf reads as follows:

If you just change the port or add more ports here, you will likely also

have to change the VirtualHost statement in

/etc/apache2/sites-enabled/000-default

This is also true if you have upgraded from before 2.2.9-3 (i.e. from

Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and

README.Debian.gz

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

NameVirtualHost *:443

Listen 443

NameVirtualHost *:443

Listen 443

//UPDATE THESE

set up the default virtual host configurations

specifictally the virtualhosts for the default & default-ssl virtualhosts, the webroot locations, the log locations, and the ssl settings.

vi /etc/apache2/sites-available/default

my /etc/apache2/sites-available/default reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/http

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/default-ssl

my /etc/apache2/sites-available/default-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/https

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /var/www/default/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /var/www/default/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /var/www/default/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /var/www/default/certs/

SSLCACertificateFile /var/www/default/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /var/www/default/certs/

SSLCARevocationFile /var/www/default/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

create the file system directory structure specified in the configuration files

mkdir /var/www/default

mkdir /var/www/default/http

mkdir /var/www/default/https

mkdir /var/www/default/certs

mkdir /var/www/default/logs

cd /var/www

chown -R root:www-data *

chmod -R 774 *

chmod -R u+s *

chmod -R g+s *

optionally move or delete the default web page created upon installation

mv /var/www/index.html /var/www/default/http

make a backup of the default openssl settings

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf~

edit the /etc/ssl/openssl.cnf

vi /etc/ssl/openssl.cnf

(line 73)

default_days = 3650 # how long to certify for

(line 74)

defaultcrldays= 3650 # how long before next CRL

(line 129)

countryName_default = US

(line 133)

stateOrProvinceName_default = Ohio

(line 139)

0.organizationName_default = Rust Belt Rebellion

(line 146)

organizationalUnitName_default = Web Hosting

my /etc/ssl/openssl.cnf looks like this:

#

OpenSSL example configuration file.

This is mostly being used for generation of certificate requests.

#

This definition stops the following lines choking if HOME isn't

defined.

HOME = .

RANDFILE = $ENV::HOME/.rnd

Extra OBJECT IDENTIFIER info:

oid_file = $ENV::HOME/.oid

oidsection = newoids

To use this configuration file with the "-extfile" option of the

"openssl x509" utility, name here the section containing the

X.509v3 extensions to use:

extensions =

(Alternatively, use a configuration file that has only

X.509v3 extensions in its main [= default] section.)

[ new_oids ]

We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

Add a simple OID like this:

testoid1=1.2.3.4

Or use config file substitution like this:

testoid2=${testoid1}.5.6

Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

#

[ ca ]

defaultca = CAdefault # The default ca section

#

[ CA_default ]

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

database = $dir/index.txt # database index file.

unique_subject = no # Set to 'no' to allow creation of

several ctificates with same subject.

newcertsdir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate

serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

x509extensions = usrcert # The extentions to add to the cert

Comment out the following two lines for the "traditional"

(and highly broken) format.

nameopt = cadefault # Subject Name options

certopt = cadefault # Certificate field options

Extension copying option: use with caution.

copy_extensions = copy

Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

so this is commented out by default to leave a V1 CRL.

crlnumber must also be commented out to leave a V1 CRL.

crlextensions = crlext

default_days = 3650 # how long to certify for

defaultcrldays= 3650 # how long before next CRL

default_md = default # use public key default MD

preserve = no # keep passed DN ordering

A few difference way of specifying how similar the request should look

For type CA, the listed attributes must be the same, and the optional

and supplied fields are just that :-)

policy = policy_match

For the CA policy

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

For the 'anything' policy

At this point in time, you must list all acceptable 'object'

types.

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

#

[ req ]

default_bits = 2048

default_keyfile = privkey.pem

distinguishedname = reqdistinguished_name

attributes = req_attributes

x509extensions = v3ca # The extentions to add to the self signed cert

Passwords for private keys if not present they will be prompted for

input_password = secret

output_password = secret

This sets a mask for permitted string types. There are several options.

default: PrintableString, T61String, BMPString.

pkix : PrintableString, BMPString (PKIX recommendation before 2004)

utf8only: only UTF8Strings (PKIX recommendation after 2004).

nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

MASK:XXXX a literal mask value.

WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

reqextensions = v3req # The extensions to add to a certificate request

[ reqdistinguishedname ]

countryName = Country Name (2 letter code)

countryName_default = US

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Ohio

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Rust Belt Rebellion

we can do this but it is not needed normally :-)

1.organizationName = Second Organization Name (eg, company)

1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)

organizationalUnitName_default = Web Hosting

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

emailAddress = Email Address

emailAddress_max = 64

SET-ex3 = SET extension number 3

[ req_attributes ]

challengePassword = A challenge password

challengePassword_min = 4

challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

These extensions are added when 'ca' signs a request.

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping

[ v3_req ]

Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

Extensions for a typical CA

PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

This is what PKIX recommends but some broken software chokes on critical

extensions.

basicConstraints = critical,CA:true

So we do this instead.

basicConstraints = CA:true

Key usage: this is typical for a CA certificate. However since it will

prevent it being used as an test self-signed certificate it is best

left out by default.

keyUsage = cRLSign, keyCertSign

Some might want this also

nsCertType = sslCA, emailCA

Include email address in subject alt name: another PKIX recommendation

subjectAltName=email:copy

Copy issuer details

issuerAltName=issuer:copy

DER hex encoding of an extension: beware experts only!

obj=DER:02:03

Where 'obj' is a standard or added object

You can even override a supported extension:

basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

CRL extensions.

Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ proxycertext ]

These extensions should be added when creating a proxy certificate

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

#

[ tsa ]

defaulttsa = tsaconfig1 # the default TSA section

[ tsa_config1 ]

These are used by the TSA reply generation only.

dir = ./demoCA # TSA root directory

serial = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem # The TSA signing certificate

(optional)

certs = $dir/cacert.pem # Certificate chain to include in reply

(optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

defaultpolicy = tsapolicy1 # Policy if request did not specify it

(optional)

otherpolicies = tsapolicy2, tsa_policy3 # acceptable policies (optional)

digests = md5, sha1 # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clockprecisiondigits = 0 # number of digits after dot. (optional)

ordering = yes # Is ordering defined for timestamps?

(optional, default: no)

tsa_name = yes # Must the TSA name be included in the reply?

(optional, default: no)

esscertid_chain = no # Must the ESS cert id chain be included?

(optional, default: no)

cd /var/www/default/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a 2048 bit RSA private key

……………………………………………………….+++

……………………………………………+++

writing new private key to 'ssl-cert-snakeoil.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

---

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

---

Country Name (2 letter code) [US]:

State or Province Name (full name) [Ohio]:

Locality Name (eg, city) []:Eastlake

Organization Name (eg, company) [Rust Belt Rebellion]:

Organizational Unit Name (eg, section) []:Web Hosting

Common Name (e.g. server FQDN or YOUR name) []:rustbeltrebellion.com

Email Address []:bradchesney79@gmail.com

a2ensite default-ssl

enter the pass phrase

passphrase remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

restart apache, not reload

service apache2 restart

apt-get install mysql-server mysql-client php5-mysql

a dialog pops up for you to set a password on the root mysql user

a second dialog will pop up to confirm there were no typos or identical typos entered

mysql -uroot -p

USE mysql

select host,user,password from user;

delete from user where user='';

select host,user,password from user;

GRANT ALL PRIVILEGES ON . TO "admin"@"%" IDENTIFIED BY "password";

CREATE DATABASE username;

GRANT ALL PRIVILEGES ON username.* TO "username"@"localhost" IDENTIFIED BY "password";

GRANT ALL PRIVILEGES ON username.* TO "username"@"YOU.R H.OST.IP" IDENTIFIED BY "password";

GRANT ALL PRIVILEGES ON username.* TO "username"@"127.0.0.1" IDENTIFIED BY "password";

FLUSH PRIVILEGES;

DELETE FROM user WHERE user='root';

FLUSH PRIVILEGES;

EXIT

–-At this point, the base configuration is complete---

add a user

adduser username

Password

Password

Fullname

Room Number

Work Phone

Home Phone

Other

Is the information correct

using sftponly shell

vi /etc/passwd

change /bin/bash to /usr/lib/sftp-server

set up directory structure

cd /home/username

mkdir hostname.tld

cd hostname.tld

mkdir http

mkdir https

mkdir certs

mkdir logs

change the ownership and access permissions

cd ..

chown -R username:www-data *

chmod -R 775 *

add sticky bits

chmod -R u+s *

chmod -R g+s *

create sites available for the new websites

vi /etc/apache2/sites-available/hostname.tld

my /etc/apache2/sites-available/hostname.tld reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/http

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/hostname.tld-ssl

my /etc/apache2/sites-available/hostname.tld-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/https

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /home/username/hostname.tld/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /home/username/hostname.tld/certs/

SSLCACertificateFile /home/username/hostname.tld/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /home/username/hostname.tld/certs/

SSLCARevocationFile /home/username/hostname.tld/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

enable the website

a2ensite hostname.tld

create self-signed certificate

cd /home/username/hostname/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

a2ensite hostname.tld-ssl

I want to say thank you to rnowak from the IRC channel for pointing me in the direction of php-fpm pools (instead of suexec which will not help me in the way I though it would because of php-fpm). While there, I also was clued in on looking at full-disclosure for 0 day MySQL exploits. I will be back when I make the necessary improvements to the tutorial.

I have moved on to streamlining and hardening the stock MySQL 5.5 package installation by paring down the access of the debian-sys-maintenance user, removing the mysqlcheck command from the /etc/mysql/debian-start script, and combating the known 0 day exploits.

My updated notes follow:

Many thanks to the patient souls in #debian and #apache on Freenode

Many commands and much info stolen from these locations:

http://www.rackaid.com/resources/linux- … nd-how-to/">http://www.rackaid.com/resources/linux-screen-tutorial-and-how-to/

http://www.debian.org/releases/testing/ … #newkernel">http://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#newkernel

https://sites.google.com/site/mydebiansourceslist/

http://linux.justinhartman.com/SettingupaLAMPServer

http://www.debian-administration.org/articles/349

http://www.lavluda.com/2008/02/02/insta … tu-server/">http://www.lavluda.com/2008/02/02/install-imagemagick-support-to-your-debianubuntu-server/

http://php.net/manual/en/imagick.setup.php

http://www.lavluda.com/2007/07/15/how-t … 22-debian/">http://www.lavluda.com/2007/07/15/how-to-enable-mod_rewrite-in-apache22-debian/

http://www.debian-administration.org/articles/284

http://openvpn.net/archive/openvpn-user … 00355.html">http://openvpn.net/archive/openvpn-users/2004-05/msg00355.html

http://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

http://httpd.apache.org/docs/2.2/vhosts/examples.html

Base debian 6 32-bit linode.com Virtual Private Server install

(On linode build images, the ssh package is preinstalled for you.

apt-get install ssh

on the server for everyone else without it.

ifconfig

to get your IP address. ~192.168.100.23~

You may only have access via the local network at that address. Google "NAT")

login via ssh as root

ssh root@012.345.678.910

get the screen program

apt-get install screen

start the screen window program

screen

Basic screen command line commands

start the screen window program

screen

see running screen windows

screen -ls

reattach to a screen window

screen -r (your pid.connection.hostname will vary)

Basic screen keybindings

create an additional window in screen

CTRL+a+c

switch to the next window in the forward direction

CTRL+a+n

switch to the next window in the forward direction

CTRL+a+p

see a list of windows

CTRL+a+w

switch to a specific window

CTRL+a+"

(" = SHIFT+')

kill the current window

CTRL+a+k

(if it is the last window, screen will close and return you to the command line)

detatch from all windows leaving screen running and return to the command line

CTRL+a+d

once screen is up update and upgrade the system

apt-get update

apt-get upgrade

install the kernel metapackage

apt-get install linux-image-2.6.32-5-686

(apt-get install linux-image-2.6.32-5-amd64 for AMD64 based 64-bit machines)

test that the new kernel metapackage is installed (pray you see output)

dpkg -l "linux-image*" | grep ^ii

I get one line that starts with "ii" followed by the package name, the dotted numeric version, and a short text description.

verify everything is in good order (no output is what you want)

dpkg --audit

aptitude search "~ahold"

apt-get clean

reboot

edit /etc/apt/sources.list

vi /etc/apt/sources.list

My sources is as follows:

#

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb http://ftp.us.debian.org/debian/ squeeze main

deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main

deb-src http://security.debian.org/ squeeze/updates main

squeeze-updates, previously known as 'volatile'

deb http://ftp.us.debian.org/debian/ squeeze-updates main

deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

#

Debian Testing

#

Testing

deb http://ftp.debian.org/debian/ testing main contrib non-free

deb-src http://ftp.debian.org/debian/ testing main contrib non-free

Testing Security http://secure-testing-master.debian.net/

deb http://security.debian.org wheezy/updates main contrib non-free

deb-src http://security.debian.org wheezy/updates main contrib non-free

update the system

apt-get update

run a distribution upgrade

apt-get dist-upgrade

you will be presented with distribution upgrade notes:

q (will exit the less program)

You will be presented with a choice of automatically restarting services

│ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, │

│ and libssl, are upgraded. Since these restarts may cause interruptions of service for the system, you will normally be │

│ prompted on each upgrade for the list of services you wish to restart. You can choose this option to avoid being │

│ prompted; instead, all necessary restarts will be done for you automatically so you can avoid being asked questions on │

│ each library upgrade. │

│ │

│ Restart services during package upgrades without asking? │

│ │

│ I chose yes and hit Configuration file `/etc/default/rc'

==> File on system created by you or by a script.

==> File also in package provided by package maintainer.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** rcS (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

│ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, │

│ CD-ROM, and tape devices may change. │

│ │

│ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than │

│ by device name, which will work with both old and new kernel versions. │

│ │

│ If you choose to not update the system configuration automatically, you must update device IDs yourself before the │

│ next system reboot or the system may become unbootable. │

│ │

│ Update disk device IDs in system configuration? │

│ │

│ │

│ │

I chose Yes and hit │ │

│ Boot loader configuration check needed │

│ │

│ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be │

│ updated: │

│ │

│ * The root device ID passed as a kernel parameter; │

│ * The boot device ID used to install and update the boot loader. │

│ │

│ │

│ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be │

│ identified by name. │

│ │

│ │

│ │

I hit to choose Ok and continue

Configuration file `/etc/dhcp/dhclient.conf'

==> Modified (by you or by a script) since installation.

==> Package distributor has shipped an updated version.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** dhclient.conf (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

reboot

Start building the web server

apt-get install apache2 php5 php5-fpm libapache2-mod-fcgid

a2enmod fcgid rewrite ssl

apt-get install php-pear imagemagick re2c libmagickwand-dev php5-dev make

pear config-set preferred_state beta

pecl install Imagick

vi /etc/php5/apache2/php.ini

(maybe

vi /etc/php5/fpm/php.ini

)

(at line 213 for me)

shortopentag = Off

(at line 674 for me)

postmaxsize = 12M

(at line 802 for me)

uploadmaxfilesize = 12M

(at line 865 for me)

extension = imagick.so

(at line 1360 for me)

session.cookie_secure = 1

(at line 1391 for me)

session.cookie_httponly = 1

service apache2 restart

vi /etc/apache2/ports.conf

we need to ensure

my /etc/apache2/ports.conf reads as follows:

If you just change the port or add more ports here, you will likely also

have to change the VirtualHost statement in

/etc/apache2/sites-enabled/000-default

This is also true if you have upgraded from before 2.2.9-3 (i.e. from

Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and

README.Debian.gz

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

NameVirtualHost *:443

Listen 443

NameVirtualHost *:443

Listen 443

//UPDATE THESE

set up the default virtual host configurations

specifictally the virtualhosts for the default & default-ssl virtualhosts, the webroot locations, the log locations, and the ssl settings.

vi /etc/apache2/sites-available/default

my /etc/apache2/sites-available/default reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/http

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/default-ssl

my /etc/apache2/sites-available/default-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/https

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /var/www/default/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /var/www/default/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /var/www/default/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /var/www/default/certs/

SSLCACertificateFile /var/www/default/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /var/www/default/certs/

SSLCARevocationFile /var/www/default/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

create the file system directory structure specified in the configuration files

mkdir /var/www/default

mkdir /var/www/default/http

mkdir /var/www/default/https

mkdir /var/www/default/certs

mkdir /var/www/default/logs

cd /var/www

chown -R root:www-data *

chmod -R 770 *

chmod -R u+s *

chmod -R g+s *

optionally move or delete the default web page created upon installation

mv /var/www/index.html /var/www/default/http

make a backup of the default openssl settings

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf~

edit the /etc/ssl/openssl.cnf

vi /etc/ssl/openssl.cnf

(line 73)

default_days = 3650 # how long to certify for

(line 74)

defaultcrldays= 3650 # how long before next CRL

(line 129)

countryName_default = US

(line 133)

stateOrProvinceName_default = Ohio

(line 139)

0.organizationName_default = Rust Belt Rebellion

(line 146)

organizationalUnitName_default = Web Hosting

my /etc/ssl/openssl.cnf looks like this:

#

OpenSSL example configuration file.

This is mostly being used for generation of certificate requests.

#

This definition stops the following lines choking if HOME isn't

defined.

HOME = .

RANDFILE = $ENV::HOME/.rnd

Extra OBJECT IDENTIFIER info:

oid_file = $ENV::HOME/.oid

oidsection = newoids

To use this configuration file with the "-extfile" option of the

"openssl x509" utility, name here the section containing the

X.509v3 extensions to use:

extensions =

(Alternatively, use a configuration file that has only

X.509v3 extensions in its main [= default] section.)

[ new_oids ]

We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

Add a simple OID like this:

testoid1=1.2.3.4

Or use config file substitution like this:

testoid2=${testoid1}.5.6

Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

#

[ ca ]

defaultca = CAdefault # The default ca section

#

[ CA_default ]

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

database = $dir/index.txt # database index file.

unique_subject = no # Set to 'no' to allow creation of

several ctificates with same subject.

newcertsdir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate

serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

x509extensions = usrcert # The extentions to add to the cert

Comment out the following two lines for the "traditional"

(and highly broken) format.

nameopt = cadefault # Subject Name options

certopt = cadefault # Certificate field options

Extension copying option: use with caution.

copy_extensions = copy

Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

so this is commented out by default to leave a V1 CRL.

crlnumber must also be commented out to leave a V1 CRL.

crlextensions = crlext

default_days = 3650 # how long to certify for

defaultcrldays= 3650 # how long before next CRL

default_md = default # use public key default MD

preserve = no # keep passed DN ordering

A few difference way of specifying how similar the request should look

For type CA, the listed attributes must be the same, and the optional

and supplied fields are just that :-)

policy = policy_match

For the CA policy

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

For the 'anything' policy

At this point in time, you must list all acceptable 'object'

types.

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

#

[ req ]

default_bits = 2048

default_keyfile = privkey.pem

distinguishedname = reqdistinguished_name

attributes = req_attributes

x509extensions = v3ca # The extentions to add to the self signed cert

Passwords for private keys if not present they will be prompted for

input_password = secret

output_password = secret

This sets a mask for permitted string types. There are several options.

default: PrintableString, T61String, BMPString.

pkix : PrintableString, BMPString (PKIX recommendation before 2004)

utf8only: only UTF8Strings (PKIX recommendation after 2004).

nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

MASK:XXXX a literal mask value.

WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

reqextensions = v3req # The extensions to add to a certificate request

[ reqdistinguishedname ]

countryName = Country Name (2 letter code)

countryName_default = US

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Ohio

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Rust Belt Rebellion

we can do this but it is not needed normally :-)

1.organizationName = Second Organization Name (eg, company)

1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)

organizationalUnitName_default = Web Hosting

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

emailAddress = Email Address

emailAddress_max = 64

SET-ex3 = SET extension number 3

[ req_attributes ]

challengePassword = A challenge password

challengePassword_min = 4

challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

These extensions are added when 'ca' signs a request.

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping

[ v3_req ]

Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

Extensions for a typical CA

PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

This is what PKIX recommends but some broken software chokes on critical

extensions.

basicConstraints = critical,CA:true

So we do this instead.

basicConstraints = CA:true

Key usage: this is typical for a CA certificate. However since it will

prevent it being used as an test self-signed certificate it is best

left out by default.

keyUsage = cRLSign, keyCertSign

Some might want this also

nsCertType = sslCA, emailCA

Include email address in subject alt name: another PKIX recommendation

subjectAltName=email:copy

Copy issuer details

issuerAltName=issuer:copy

DER hex encoding of an extension: beware experts only!

obj=DER:02:03

Where 'obj' is a standard or added object

You can even override a supported extension:

basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

CRL extensions.

Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ proxycertext ]

These extensions should be added when creating a proxy certificate

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

#

[ tsa ]

defaulttsa = tsaconfig1 # the default TSA section

[ tsa_config1 ]

These are used by the TSA reply generation only.

dir = ./demoCA # TSA root directory

serial = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem # The TSA signing certificate

(optional)

certs = $dir/cacert.pem # Certificate chain to include in reply

(optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

defaultpolicy = tsapolicy1 # Policy if request did not specify it

(optional)

otherpolicies = tsapolicy2, tsa_policy3 # acceptable policies (optional)

digests = md5, sha1 # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clockprecisiondigits = 0 # number of digits after dot. (optional)

ordering = yes # Is ordering defined for timestamps?

(optional, default: no)

tsa_name = yes # Must the TSA name be included in the reply?

(optional, default: no)

esscertid_chain = no # Must the ESS cert id chain be included?

(optional, default: no)

cd /var/www/default/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a 2048 bit RSA private key

……………………………………………………….+++

……………………………………………+++

writing new private key to 'ssl-cert-snakeoil.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

---

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

---

Country Name (2 letter code) [US]:

State or Province Name (full name) [Ohio]:

Locality Name (eg, city) []:Eastlake

Organization Name (eg, company) [Rust Belt Rebellion]:

Organizational Unit Name (eg, section) []:Web Hosting

Common Name (e.g. server FQDN or YOUR name) []:rustbeltrebellion.com

Email Address []:bradchesney79@gmail.com

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

enter the pass phrase

passphrase restart apache, not reload

a2ensite default-ssl

service apache2 restart

apt-get install mysql-server mysql-client php5-mysql

a dialog pops up for you to set a password on the root mysql user

a second dialog will pop up to confirm there were no typos or identical typos entered

mysqlsecureinstallation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current

password for the root user. If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n

… skipping.

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them. This is intended only for testing, and to make the installation

go a bit smoother. You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] Y

… Success!

Normally, root should only be allowed to connect from 'localhost'. This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y

… Success!

By default, MySQL comes with a database named 'test' that anyone can

access. This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] Y

• Dropping test database…

… Success!

• Removing privileges on test database…

… Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] Y

… Success!

Cleaning up…

All done! If you've completed all of the above steps, your MySQL

installation should now be secure.

Thanks for using MySQL!

Note the password (they are both the same)… We will need it in just a bit.

tail /etc/mysql/debian.cnf

~End Plan A~

mysql -uroot -p

USE mysql

~Plan B~

DELETE FROM user WHERE user='';

~End Plan B~

A common vector is to attack the MySQL root user since it is the default omipotent user put on almost all MySQL installs.

So, give your 'root' user a different name. (Is admin more secure than root, meh. Yeah, I guess.)

INSERT INTO user VALUES ('localhost','admin',password('password'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL);

INSERT INTO user VALUES ('127.0.0.1','admin',password('password'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL);

GRANT ALL PRIVILEGES ON * TO "admin"@"%" IDENTIFIED BY "pwork" WITH GRANT OPTION;

DELETE FROM user WHERE user='root';

DELETE FROM user WHERE user='debian-sys-maint';

The debian-sys-maint user starts and stops the database as well as is tied into the script that rotates the logs.

The script it is tied to also has some features that may impact the performance of your database. You can google on that later.

GRANT ALL PRIVILEGES ON * TO "debian-sys-maint"@"localhost" IDENTIFIED BY PASSWORD "gNtdj7ZOroAU6Isy";

~List the commands to pare back the permissions, here~

FLUSH PRIVILEGES;

Then keep this set of commands handy for when you create a new user.

CREATE DATABASE username;

~Plan A~

Give your user access via both of the most common ways to log in to the database for a logged in user

GRANT ALL PRIVILEGES ON username.* TO "username"@"localhost" IDENTIFIED BY "password";

GRANT ALL PRIVILEGES ON username.* TO "username"@"127.0.0.1" IDENTIFIED BY "password";

Assuming your host has a fixed IP, also give access for that

GRANT ALL PRIVILEGES ON username.* TO "username"@"YOU.R H.OST.IP" IDENTIFIED BY "password";

~End Plan A~

~Plan B~

GRANT ALL PRIVILEGES ON username.* TO "username"@"%" IDENTIFIED BY "password";

~End Plan B~

FLUSH PRIVILEGES;

EXIT

---At this point, the base configuration is complete---

add a user

adduser username

Password

Password

Fullname

Room Number

Work Phone

Home Phone

Other

Is the information correct

using sftponly shell

vi /etc/passwd

change /bin/bash to /usr/lib/sftp-server

set up directory structure

cd /home/username

mkdir hostname.tld

cd hostname.tld

mkdir http

mkdir https

mkdir certs

mkdir logs

change the ownership and access permissions

cd ..

chown -R username:www-data *

chmod -R 775 *

add sticky bits

chmod -R u+s *

chmod -R g+s *

create sites available for the new websites

vi /etc/apache2/sites-available/hostname.tld

my /etc/apache2/sites-available/hostname.tld reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/http

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/hostname.tld-ssl

my /etc/apache2/sites-available/hostname.tld-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/https

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /home/username/hostname.tld/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /home/username/hostname.tld/certs/

SSLCACertificateFile /home/username/hostname.tld/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /home/username/hostname.tld/certs/

SSLCARevocationFile /home/username/hostname.tld/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

enable the website

a2ensite hostname.tld

create self-signed certificate

cd /home/username/hostname/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

a2ensite hostname.tld-ssl

///MySQL Suggested Packages

The following extra packages will be installed:

libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18

libnet-daemon-perl libplrpc-perl mysql-client-5.5 mysql-common mysql-server-5.5

mysql-server-core-5.5

Suggested packages:

libipc-sharedcache-perl libterm-readkey-perl tinyca

look at libapache2-mod-evasive

Hit the character limit– This is the top half for 2012-12-18

I have moved on to streamlining and hardening the stock MySQL 5.5 package installation by paring down the access of the debian-sys-maintenance user, removing the mysqlcheck command from the /etc/mysql/debian-start script, and combating the known 0 day exploits.

My updated notes follow:

Many thanks to the patient souls in #debian and #apache on Freenode

Many commands and much info stolen from these locations:

http://www.rackaid.com/resources/linux- … nd-how-to/">http://www.rackaid.com/resources/linux-screen-tutorial-and-how-to/

http://www.debian.org/releases/testing/ … #newkernel">http://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#newkernel

https://sites.google.com/site/mydebiansourceslist/

http://linux.justinhartman.com/SettingupaLAMPServer

http://www.debian-administration.org/articles/349

http://www.lavluda.com/2008/02/02/insta … tu-server/">http://www.lavluda.com/2008/02/02/install-imagemagick-support-to-your-debianubuntu-server/

http://php.net/manual/en/imagick.setup.php

http://www.lavluda.com/2007/07/15/how-t … 22-debian/">http://www.lavluda.com/2007/07/15/how-to-enable-mod_rewrite-in-apache22-debian/

http://www.debian-administration.org/articles/284

http://openvpn.net/archive/openvpn-user … 00355.html">http://openvpn.net/archive/openvpn-users/2004-05/msg00355.html

http://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

http://httpd.apache.org/docs/2.2/vhosts/examples.html

http://www.youtube.com/watch?v=dtclmj3H7ZU

http://www.youtube.com/watch?v=FLPx7HLLteI

http://wiki.debian.org/SELinux/Setup#St … up_SELinux">http://wiki.debian.org/SELinux/Setup#Stepstosetup_SELinux

Base debian 6 32-bit linode.com Virtual Private Server install

(On linode build images, the ssh package is preinstalled for you.

apt-get install ssh

on the server for everyone else without it.

ifconfig

to get your IP address. ~192.168.100.23~

You may only have access via the local network at that address. Google "NAT")

login via ssh as root

ssh root@012.345.678.910

get the screen program

apt-get install screen

start the screen window program

screen

Basic screen command line commands

start the screen window program

screen

see running screen windows

screen -ls

reattach to a screen window

screen -r (your pid.connection.hostname will vary)

Basic screen keybindings

create an additional window in screen

CTRL+a+c

switch to the next window in the forward direction

CTRL+a+n

switch to the next window in the forward direction

CTRL+a+p

see a list of windows

CTRL+a+w

switch to a specific window

CTRL+a+"

(" = SHIFT+')

kill the current window

CTRL+a+k

(if it is the last window, screen will close and return you to the command line)

detatch from all windows leaving screen running and return to the command line

CTRL+a+d

once screen is up update and upgrade the system

apt-get update

apt-get upgrade

install the kernel metapackage

apt-get install linux-image-2.6.32-5-686

(apt-get install linux-image-2.6.32-5-amd64 for AMD64 based 64-bit machines)

test that the new kernel metapackage is installed (pray you see output)

dpkg -l "linux-image*" | grep ^ii

I get one line that starts with "ii" followed by the package name, the dotted numeric version, and a short text description.

verify everything is in good order (no output is what you want)

dpkg --audit

aptitude search "~ahold"

apt-get clean

reboot

edit /etc/apt/sources.list

vi /etc/apt/sources.list

My sources is as follows:

#

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb http://ftp.us.debian.org/debian/ squeeze main

deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main

deb-src http://security.debian.org/ squeeze/updates main

squeeze-updates, previously known as 'volatile'

deb http://ftp.us.debian.org/debian/ squeeze-updates main

deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

#

Debian Testing

#

Testing

deb http://ftp.debian.org/debian/ testing main contrib non-free

deb-src http://ftp.debian.org/debian/ testing main contrib non-free

#

Debian Wheezy

#

deb http://ftp.debian.org/debian/ wheezy main contrib non-free

deb-src http://ftp.debian.org/debian/ wheezy main contrib non-free

Testing Security http://secure-testing-master.debian.net/

deb http://security.debian.org wheezy/updates main contrib non-free

deb-src http://security.debian.org wheezy/updates main contrib non-free

update the system

apt-get update

run a distribution upgrade

apt-get dist-upgrade

you will be presented with distribution upgrade notes:

q (will exit the less program)

You will be presented with a choice of automatically restarting services

│ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, │

│ and libssl, are upgraded. Since these restarts may cause interruptions of service for the system, you will normally be │

│ prompted on each upgrade for the list of services you wish to restart. You can choose this option to avoid being │

│ prompted; instead, all necessary restarts will be done for you automatically so you can avoid being asked questions on │

│ each library upgrade. │

│ │

│ Restart services during package upgrades without asking? │

│ │

│ I chose yes and hit Configuration file `/etc/default/rc'

==> File on system created by you or by a script.

==> File also in package provided by package maintainer.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** rcS (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

│ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, │

│ CD-ROM, and tape devices may change. │

│ │

│ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than │

│ by device name, which will work with both old and new kernel versions. │

│ │

│ If you choose to not update the system configuration automatically, you must update device IDs yourself before the │

│ next system reboot or the system may become unbootable. │

│ │

│ Update disk device IDs in system configuration? │

│ │

│ │

│ │

I chose Yes and hit │ │

│ Boot loader configuration check needed │

│ │

│ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be │

│ updated: │

│ │

│ * The root device ID passed as a kernel parameter; │

│ * The boot device ID used to install and update the boot loader. │

│ │

│ │

│ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be │

│ identified by name. │

│ │

│ │

│ │

I hit to choose Ok and continue

Configuration file `/etc/dhcp/dhclient.conf'

==> Modified (by you or by a script) since installation.

==> Package distributor has shipped an updated version.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** dhclient.conf (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

reboot

Start building the web server

apt-get install apache2 php5 php5-fpm libapache2-mod-fcgid

a2enmod fcgid rewrite ssl

apt-get install php-pear imagemagick re2c libmagickwand-dev php5-dev make

pear config-set preferred_state beta

pecl install Imagick

vi /etc/php5/apache2/php.ini

(maybe

vi /etc/php5/fpm/php.ini

)

(at line 213 for me)

shortopentag = Off

(at line 674 for me)

postmaxsize = 12M

(at line 802 for me)

uploadmaxfilesize = 12M

(at line 865 for me)

extension = imagick.so

(at line 1360 for me)

session.cookie_secure = 1

(at line 1391 for me)

session.cookie_httponly = 1

service apache2 restart

vi /etc/apache2/ports.conf

we need to ensure

my /etc/apache2/ports.conf reads as follows:

If you just change the port or add more ports here, you will likely also

have to change the VirtualHost statement in

/etc/apache2/sites-enabled/000-default

This is also true if you have upgraded from before 2.2.9-3 (i.e. from

Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and

README.Debian.gz

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

NameVirtualHost *:443

Listen 443

NameVirtualHost *:443

Listen 443

//UPDATE THESE

set up the default virtual host configurations

specifictally the virtualhosts for the default & default-ssl virtualhosts, the webroot locations, the log locations, and the ssl settings.

vi /etc/apache2/sites-available/default

my /etc/apache2/sites-available/default reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/http

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/default-ssl

my /etc/apache2/sites-available/default-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/https

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /var/www/default/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /var/www/default/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /var/www/default/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /var/www/default/certs/

SSLCACertificateFile /var/www/default/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /var/www/default/certs/

SSLCARevocationFile /var/www/default/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

create the file system directory structure specified in the configuration files

mkdir /var/www/default

mkdir /var/www/default/http

mkdir /var/www/default/https

mkdir /var/www/default/certs

mkdir /var/www/default/logs

cd /var/www

chown -R root:www-data *

chmod -R 770 *

chmod -R u+s *

chmod -R g+s *

optionally move or delete the default web page created upon installation

mv /var/www/index.html /var/www/default/http

make a backup of the default openssl settings

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf~

edit the /etc/ssl/openssl.cnf

vi /etc/ssl/openssl.cnf

(line 73)

default_days = 3650 # how long to certify for

(line 74)

defaultcrldays= 3650 # how long before next CRL

(line 129)

countryName_default = US

(line 133)

stateOrProvinceName_default = Ohio

(line 139)

0.organizationName_default = Rust Belt Rebellion

(line 146)

organizationalUnitName_default = Web Hosting

my /etc/ssl/openssl.cnf looks like this:

#

OpenSSL example configuration file.

This is mostly being used for generation of certificate requests.

#

This definition stops the following lines choking if HOME isn't

defined.

HOME = .

RANDFILE = $ENV::HOME/.rnd

Extra OBJECT IDENTIFIER info:

oid_file = $ENV::HOME/.oid

oidsection = newoids

To use this configuration file with the "-extfile" option of the

"openssl x509" utility, name here the section containing the

X.509v3 extensions to use:

extensions =

(Alternatively, use a configuration file that has only

X.509v3 extensions in its main [= default] section.)

[ new_oids ]

We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

Add a simple OID like this:

testoid1=1.2.3.4

Or use config file substitution like this:

testoid2=${testoid1}.5.6

Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

#

[ ca ]

defaultca = CAdefault # The default ca section

#

[ CA_default ]

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

database = $dir/index.txt # database index file.

unique_subject = no # Set to 'no' to allow creation of

several ctificates with same subject.

newcertsdir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate

serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

x509extensions = usrcert # The extentions to add to the cert

Comment out the following two lines for the "traditional"

(and highly broken) format.

nameopt = cadefault # Subject Name options

certopt = cadefault # Certificate field options

Extension copying option: use with caution.

copy_extensions = copy

Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

so this is commented out by default to leave a V1 CRL.

crlnumber must also be commented out to leave a V1 CRL.

crlextensions = crlext

default_days = 3650 # how long to certify for

defaultcrldays= 3650 # how long before next CRL

default_md = default # use public key default MD

preserve = no # keep passed DN ordering

A few difference way of specifying how similar the request should look

For type CA, the listed attributes must be the same, and the optional

and supplied fields are just that :-)

policy = policy_match

For the CA policy

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

For the 'anything' policy

At this point in time, you must list all acceptable 'object'

types.

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

#

[ req ]

default_bits = 2048

default_keyfile = privkey.pem

distinguishedname = reqdistinguished_name

attributes = req_attributes

x509extensions = v3ca # The extentions to add to the self signed cert

Passwords for private keys if not present they will be prompted for

input_password = secret

output_password = secret

This sets a mask for permitted string types. There are several options.

default: PrintableString, T61String, BMPString.

pkix : PrintableString, BMPString (PKIX recommendation before 2004)

utf8only: only UTF8Strings (PKIX recommendation after 2004).

nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

MASK:XXXX a literal mask value.

WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

reqextensions = v3req # The extensions to add to a certificate request

[ reqdistinguishedname ]

countryName = Country Name (2 letter code)

countryName_default = US

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Ohio

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Rust Belt Rebellion

we can do this but it is not needed normally :-)

1.organizationName = Second Organization Name (eg, company)

1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)

organizationalUnitName_default = Web Hosting

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

emailAddress = Email Address

emailAddress_max = 64

SET-ex3 = SET extension number 3

[ req_attributes ]

challengePassword = A challenge password

challengePassword_min = 4

challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

These extensions are added when 'ca' signs a request.

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping

[ v3_req ]

Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

Extensions for a typical CA

PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

This is what PKIX recommends but some broken software chokes on critical

extensions.

basicConstraints = critical,CA:true

So we do this instead.

basicConstraints = CA:true

Key usage: this is typical for a CA certificate. However since it will

prevent it being used as an test self-signed certificate it is best

left out by default.

keyUsage = cRLSign, keyCertSign

Some might want this also

nsCertType = sslCA, emailCA

Include email address in subject alt name: another PKIX recommendation

subjectAltName=email:copy

Copy issuer details

issuerAltName=issuer:copy

DER hex encoding of an extension: beware experts only!

obj=DER:02:03

Where 'obj' is a standard or added object

You can even override a supported extension:

basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

CRL extensions.

Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ proxycertext ]

These extensions should be added when creating a proxy certificate

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

#

[ tsa ]

defaulttsa = tsaconfig1 # the default TSA section

[ tsa_config1 ]

These are used by the TSA reply generation only.

dir = ./demoCA # TSA root directory

serial = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem # The TSA signing certificate

(optional)

certs = $dir/cacert.pem # Certificate chain to include in reply

(optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

defaultpolicy = tsapolicy1 # Policy if request did not specify it

(optional)

otherpolicies = tsapolicy2, tsa_policy3 # acceptable policies (optional)

digests = md5, sha1 # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clockprecisiondigits = 0 # number of digits after dot. (optional)

ordering = yes # Is ordering defined for timestamps?

(optional, default: no)

tsa_name = yes # Must the TSA name be included in the reply?

(optional, default: no)

esscertid_chain = no # Must the ESS cert id chain be included?

(optional, default: no)

cd /var/www/default/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a 2048 bit RSA private key

……………………………………………………….+++

……………………………………………+++

writing new private key to 'ssl-cert-snakeoil.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

---

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

---

Country Name (2 letter code) [US]:

State or Province Name (full name) [Ohio]:

Locality Name (eg, city) []:Eastlake

Organization Name (eg, company) [Rust Belt Rebellion]:

Organizational Unit Name (eg, section) []:Web Hosting

Common Name (e.g. server FQDN or YOUR name) []:rustbeltrebellion.com

Email Address []:bradchesney79@gmail.com

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

enter the pass phrase

passphrase restart apache, not reload

a2ensite default-ssl

service apache2 restart

apt-get install mysql-server mysql-client php5-mysql

a dialog pops up for you to set a password on the root mysql user

a second dialog will pop up to confirm there were no typos or identical typos entered

~Plan A~

mysqlsecureinstallation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current

password for the root user. If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n

… skipping.

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them. This is intended only for testing, and to make the installation

go a bit smoother. You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] Y

… Success!

Normally, root should only be allowed to connect from 'localhost'. This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y

… Success!

By default, MySQL comes with a database named 'test' that anyone can

access. This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] Y

• Dropping test database…

… Success!

• Removing privileges on test database…

… Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] Y

… Success!

Cleaning up…

All done! If you've completed all of the above steps, your MySQL

installation should now be secure.

Thanks for using MySQL!

Note the password (they are both the same)… We will need it in just a bit.

tail /etc/mysql/debian.cnf

~End Plan A~

mysql -uroot -p

USE mysql

~Plan B~

DELETE FROM user WHERE user='';

~End Plan B~

A common vector is to attack the MySQL root user since it is the default omipotent user put on almost all MySQL installs.

So, give your 'root' user a different name. (Is admin more secure than root, meh. Yeah, I guess.)

~Plan A~

GRANT ALL PRIVILEGES ON * TO 'admin'@'localhost' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON * TO 'admin'@'127.0.0.1' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

~End Plan A~

~Plan B~

INSERT INTO user VALUES ('localhost','admin',password('pwork'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL);

INSERT INTO user VALUES ('127.0.0.1','admin',password('pwork'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'',NULL);

~End Plan B~

CREATE USER 'backup'@'localhost' IDENTIFIED BY 'password';

GRANT SELECT, SHOW VIEW, RELOAD, REPLICATION CLIENT, EVENT, TRIGGER ON . TO 'backup'@'localhost';

DELETE FROM user WHERE user='root';

~Plan A~

So, the debian-sys-maint user is used by a lot of stuff. And it would serve to break more than I can justify it saves. I fundamentally disagree with the debian-sys-maint user, but that is the mumblings of a first class nobody-significant.

DELETE FROM user WHERE user='debian-sys-maint';

The debian-sys-maint user starts and stops the database as well as is tied into the script that rotates the logs.

The script it is tied to also has some features that may impact the performance of your database. You can google on that later.

~Plan A~

REVOKE ALL PRIVILEGES ON . FROM 'debian-sys-maint'@'localhost';

~End Plan A~

~Plan B~

CREATE USER 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD 'gNtdj7ZOroAU6Isy';

CREATE USER 'debian-sys-maint'@'127.0.0.1' IDENTIFIED BY PASSWORD 'gNtdj7ZOroAU6Isy';

~End Plan B~

UPDATE mysql.user SET Createviewpriv = 'Y', Showviewpriv = 'Y', Createroutinepriv = 'Y', Alterroutinepriv = 'Y', Createuserpriv = 'Y' WHERE User = 'debian-sys-maint';

GRANT SHUTDOWN ON . TO 'debian-sys-maint'@'localhost';

GRANT SHUTDOWN ON . TO 'debian-sys-maint'@'127.0.0.1';

~Starts fine at boot~~~

~Cannot use "service mysql stop|restart|start"~

~Needs more privileges~

Undo:

REVOKE ALL PRIVILEGES ON * FROM 'debian-sys-maint'@'localhost';

REVOKE ALL PRIVILEGES ON . FROM 'debian-sys-maint';

GRANT ALL PRIVILEGES ON * TO 'debian-sys-maint'@'localhost IDENTIFIED BY PASSWORD 'your password' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON * TO 'debian-sys-maint'@'localhost' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON . TO 'debian-sys-maint'@'localhost' WITH GRANT OPTION;

~End Plan A~

~Plan B~

Do nothing with the debian-sys-maint user. :(

~End Plan B~

FLUSH PRIVILEGES;

This is my /etc/mysql/debian-start file

!/bin/bash

#

This script is executed by "/etc/init.d/mysql" on every (re)start.

#

Changes to this file will be preserved when updating the Debian package.

#

source /usr/share/mysql/debian-start.inc.sh

MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf"

MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"

MYUPGRADE="/usr/bin/mysql_upgrade --defaults-extra-file=/etc/mysql/debian.cnf"

MYCHECK="/usr/bin/mysqlcheck --defaults-file=/etc/mysql/debian.cnf"

MYCHECK_SUBJECT="WARNING: mysqlcheck has found corrupt tables"

MYCHECK_PARAMS="--all-databases --fast --silent"

MYCHECK_RCPT="root"

The following commands should be run when the server is up but in background

where they do not block the server start and in one shell instance so that

they run sequentially. They are supposed not to echo anything to stdout.

If you want to disable the check for crashed tables comment

"checkforcrashed_tables" out.

(There may be no output to stdout inside the background process!)

echo "Checking for tables which need an upgrade, are corrupt or were "

echo "not closed cleanly."

(

upgradesystemtablesifnecessary;

checkrootaccounts;

checkforcrashed_tables;

) >&2 &

exit 0

install and configure selinux (the same level of security DoD requires for many government machines)

apt-get install selinux-basics

set FIXFSCK in /etc/default/rcS

vi /etc/default/rcS

---

#

/etc/default/rcS

#

Default settings for the scripts in /etc/rcS.d/

#

For information about these variables see the rcS(5) manual page.

#

This file belongs to the "initscripts" package.

delete files in /tmp during boot older than x days.

'0' means always, -1 or 'infinite' disables the feature

TMPTIME=0

spawn sulogin during boot, continue normal boot if not used in 30 seconds

SULOGIN=no

do not allow users to log in until the boot has completed

DELAYLOGIN=no

be more verbose during the boot process

VERBOSE=no

automatically repair filesystems with inconsistencies during boot

FSCKFIX=yes

---

Fix the domain of PID 1 error lines

vi /etc/udev/udev.config

---

The initial syslog(3) priority: "err", "info", "debug" or its

numerical equivalent. For runtime debugging, the daemons internal

state can be changed with: "udevadm control --log-priority=".

#

udevd is started in the initramfs, so when this file is modified the

initramfs should be rebuilt.

udev_log="err"

nostaticdev="1"

---

selinux-activate

~Plan B~

cd /usr/share/initramfs-tools/scripts/init-bottom/

vi loadselinux_policy

The file's contents are as follows because a wget for the file didn't work:

---

! /bin/sh

set -e

PREREQ="framebuffer console_setup"

prereqs () {

echo "$PREREQ"

}

case $1 in

prereqs)

prereqs

exit 0

;;

esac

. /scripts/functions

Mount the selinux directory in both the ramdisk's root as well as in

the real root directory.

mkdir -p /selinux

mkdir -p ${rootmnt}/selinux

Temporarily pivot to the real root directory, loading the policy

from that disk. Normally this process will occur by init, but kinit

is not compiled against libselinux. Therefore use load_policy to

perform the same initialization.

set +e

chroot ${rootmnt} /sbin/load_policy -i

RET=$?

if [ $RET -eq 3 ]; then

panic "SELinux policy load failed and enforcing mode requested, halting now"

kill -INT 1

elif [ $RET -ne 0 ]; then

logwarningmsg "SELinux policy load failed, continuing"

else

logsuccessmsg "SELinux policy was loaded"

fi

This is unnecessary and confuses the selinux-basic init script

mount -t selinuxfs none /selinux || \

logwarningmsg "Unable to mount /selinux"

exit 0

–--------

~For whatever reason~

Sadness

wget http://wiki.debian.org/SELinux/Setup?ac … nux_policy">http://wiki.debian.org/SELinux/Setup?action=AttachFile&do=view&target=loadselinux_policy

~End~

chmod 770 loadselinux_policy

~End Plan B~

~Plan C !!!Note First Run, Verify Previous Steps in Plan A Do Not Require These Commands to be Run~

my /etc/pam.d/login file needed an edit on line 42 for me

This is the block I changed

SELinux needs to be the first session rule. This ensures that any

lingering context has been cleared. Without out this it is possible

that a module could execute code in the wrong domain.

When the module is present, "required" would be sufficient (When SELinux

is disabled, this returns success.)

session [success=ok ignore=ignore moduleunknown=ignore default=bad] required pamselinux.so close

required was added between ] and pam_selinux.so .

The full file is as follows:

The PAM configuration file for the Shadow `login' service

#

Enforce a minimal delay in case of failure (in microseconds).

(Replaces the `FAIL_DELAY' setting from login.defs)

Note that other modules may require another minimal delay. (for example,

to disable any delay, you should add the nodelay option to pam_unix)

auth optional pam_faildelay.so delay=3000000

Outputs an issue file prior to each login prompt (Replaces the

ISSUE_FILE option from login.defs). Uncomment for use

auth required pam_issue.so issue=/etc/issue

Disallows root logins except on tty's listed in /etc/securetty

(Replaces the `CONSOLE' setting from login.defs)

#

With the default control of this module:

[success=ok newauthtokreqd=ok ignore=ignore user_unknown=bad default=die]

root will not be prompted for a password on insecure lines.

if an invalid username is entered, a password is prompted (but login

will eventually be rejected)

#

You can change it to a "requisite" module if you think root may mis-type

her login and should not be prompted for a password in that case. But

this will leave the system as vulnerable to user enumeration attacks.

#

You can change it to a "required" module if you think it permits to

guess valid user names of your system (invalid user names are considered

as possibly being root on insecure lines), but root passwords may be

communicated over insecure lines.

auth [success=ok newauthtokreqd=ok ignore=ignore userunknown=bad default=die] pamsecuretty.so

Disallows other than root logins when /etc/nologin exists

(Replaces the `NOLOGINS_FILE' option from login.defs)

auth requisite pam_nologin.so

SELinux needs to be the first session rule. This ensures that any

lingering context has been cleared. Without out this it is possible

that a module could execute code in the wrong domain.

When the module is present, "required" would be sufficient (When SELinux

is disabled, this returns success.)

session [success=ok ignore=ignore moduleunknown=ignore default=bad] required pamselinux.so close

This module parses environment configuration file(s)

and also allows you to use an extended config

file /etc/security/pam_env.conf.

#

parsing /etc/environment needs "readenv=1"

session required pam_env.so readenv=1

locale variables are also kept into /etc/default/locale in etch

reading this file in addition to /etc/environment does not hurt

session required pam_env.so readenv=1 envfile=/etc/default/locale

Standard Un*x authentication.

@include common-auth

This allows certain extra groups to be granted to a user

based on things like time of day, tty, service, and user.

Please edit /etc/security/group.conf to fit your needs

(Replaces the `CONSOLE_GROUPS' option in login.defs)

auth optional pam_group.so

Uncomment and edit /etc/security/time.conf if you need to set

time restrainst on logins.

(Replaces the `PORTTIMECHECKSENAB' option from login.defs

as well as /etc/porttime)

account requisite pam_time.so

Uncomment and edit /etc/security/access.conf if you need to

set access limits.

(Replaces /etc/login.access file)

account required pam_access.so

Sets up user limits according to /etc/security/limits.conf

(Replaces the use of /etc/limits in old login)

session required pam_limits.so

Prints the last login info upon succesful login

(Replaces the `LASTLOG_ENAB' option from login.defs)

session optional pam_lastlog.so

Prints the message of the day upon succesful login.

(Replaces the `MOTD_FILE' option in login.defs)

This includes a dynamically generated part from /run/motd.dynamic

and a static (admin-editable) part from /etc/motd.

session optional pam_motd.so motd=/run/motd.dynamic

session optional pam_motd.so

Prints the status of the user's mailbox upon succesful login

(Replaces the `MAILCHECKENAB' option from login.defs).

#

This also defines the MAIL environment variable

However, userdel also needs MAILDIR and MAILFILE variables

in /etc/login.defs to make sure that removing a user

also removes the user's mail spool file.

See comments in /etc/login.defs

session optional pam_mail.so standard

Standard Un*x account and session

@include common-account

@include common-session

@include common-password

SELinux needs to intervene at login time to ensure that the process

starts in the proper default security context. Only sessions which are

intended to run in the user's context should be run after this.

session [success=ok ignore=ignore moduleunknown=ignore default=bad] pamselinux.so open

When the module is present, "required" would be sufficient (When SELinux

is disabled, this returns success.)

~End Plan B~

–-At this point, the base configuration is complete---

add a user

adduser username

Password

Password

Fullname

Room Number

Work Phone

Home Phone

Other

Is the information correct

~Plan A~

using sftponly shell

vi /etc/passwd

change /bin/bash to /usr/lib/sftp-server

~End Plan A~

set up directory structure

cd /home/username

mkdir hostname.tld

cd hostname.tld

mkdir http

mkdir https

mkdir certs

mkdir logs

change the ownership and access permissions

cd ..

chown -R username:www-data *

chmod -R 775 *

add sticky bits

chmod -R u+s *

chmod -R g+s *

create sites available for the new websites

vi /etc/apache2/sites-available/hostname.tld

my /etc/apache2/sites-available/hostname.tld reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/http

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/hostname.tld-ssl

my /etc/apache2/sites-available/hostname.tld-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/https

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /home/username/hostname.tld/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /home/username/hostname.tld/certs/

SSLCACertificateFile /home/username/hostname.tld/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /home/username/hostname.tld/certs/

SSLCARevocationFile /home/username/hostname.tld/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

enable the website

a2ensite hostname.tld

create self-signed certificate

cd /home/username/hostname/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

a2ensite hostname.tld-ssl

mysql -uadmin -p

CREATE DATABASE username;

~Plan A~

Give your user access via both of the most common ways to log in to the database for a logged in user

GRANT ALL PRIVILEGES ON username.* TO 'username'@'localhost' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON username.* TO 'username'@'127.0.0.1' IDENTIFIED BY 'password';

Assuming your host has a fixed IP, you may also give access for that

GRANT ALL PRIVILEGES ON username.* TO 'username'@'YOU.R H.OST.IP' IDENTIFIED BY 'password';

~End Plan A~

~Plan B~

GRANT ALL PRIVILEGES ON username.* TO 'username'@'%' IDENTIFIED BY 'password';

~End Plan B~

FLUSH PRIVILEGES;

EXIT

///MySQL Suggested Packages

The following extra packages will be installed:

libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18

libnet-daemon-perl libplrpc-perl mysql-client-5.5 mysql-common mysql-server-5.5

mysql-server-core-5.5

Suggested packages:

libipc-sharedcache-perl libterm-readkey-perl tinyca

look at libapache2-mod-evasive

Working on mitigating the known mysql 5.5 0 day exploits.

My updated notes follow:

Many thanks to the patient souls in #debian and #apache on Freenode

Many commands and much info stolen from these locations:

http://www.rackaid.com/resources/linux- … nd-how-to/">http://www.rackaid.com/resources/linux-screen-tutorial-and-how-to/

http://www.debian.org/releases/testing/ … #newkernel">http://www.debian.org/releases/testing/amd64/release-notes/ch-upgrading.en.html#newkernel

https://sites.google.com/site/mydebiansourceslist/

http://linux.justinhartman.com/SettingupaLAMPServer

http://www.debian-administration.org/articles/349

http://www.lavluda.com/2008/02/02/insta … tu-server/">http://www.lavluda.com/2008/02/02/install-imagemagick-support-to-your-debianubuntu-server/

http://php.net/manual/en/imagick.setup.php

http://www.lavluda.com/2007/07/15/how-t … 22-debian/">http://www.lavluda.com/2007/07/15/how-to-enable-mod_rewrite-in-apache22-debian/

http://www.debian-administration.org/articles/284

http://openvpn.net/archive/openvpn-user … 00355.html">http://openvpn.net/archive/openvpn-users/2004-05/msg00355.html

http://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

http://httpd.apache.org/docs/2.2/vhosts/examples.html

http://www.youtube.com/watch?v=dtclmj3H7ZU

http://www.youtube.com/watch?v=FLPx7HLLteI

http://wiki.debian.org/SELinux/Setup#St … up_SELinux">http://wiki.debian.org/SELinux/Setup#Stepstosetup_SELinux

Base debian 6 32-bit linode.com Virtual Private Server install

(On linode build images, the ssh package is preinstalled for you.

apt-get install ssh

on the server for everyone else without it.

ifconfig

to get your IP address. ~192.168.100.23~

You may only have access via the local network at that address. Google "NAT")

login via ssh as root

ssh root@012.345.678.910

get the screen program

apt-get install screen

start the screen window program

screen

Basic screen command line commands

start the screen window program

screen

see running screen windows

screen -ls

reattach to a screen window

screen -r (your pid.connection.hostname will vary)

Basic screen keybindings

create an additional window in screen

CTRL+a+c

switch to the next window in the forward direction

CTRL+a+n

switch to the next window in the forward direction

CTRL+a+p

see a list of windows

CTRL+a+w

switch to a specific window

CTRL+a+"

(" = SHIFT+')

kill the current window

CTRL+a+k

(if it is the last window, screen will close and return you to the command line)

detatch from all windows leaving screen running and return to the command line

CTRL+a+d

once screen is up update and upgrade the system

apt-get update

apt-get upgrade

install the kernel metapackage

apt-get install linux-image-2.6.32-5-686

(apt-get install linux-image-2.6.32-5-amd64 for AMD64 based 64-bit machines)

test that the new kernel metapackage is installed (pray you see output)

dpkg -l "linux-image*" | grep ^ii

I get one line that starts with "ii" followed by the package name, the dotted numeric version, and a short text description.

verify everything is in good order (no output is what you want)

dpkg --audit

aptitude search "~ahold"

apt-get clean

reboot

edit /etc/apt/sources.list

vi /etc/apt/sources.list

My sources is as follows:

#

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb cdrom:[Debian GNU/Linux 6.0.3 Squeeze - Official i386 NETINST Binary-1 20111008-19:55]/ squeeze main

deb http://ftp.us.debian.org/debian/ squeeze main

deb-src http://ftp.us.debian.org/debian/ squeeze main

deb http://security.debian.org/ squeeze/updates main

deb-src http://security.debian.org/ squeeze/updates main

squeeze-updates, previously known as 'volatile'

deb http://ftp.us.debian.org/debian/ squeeze-updates main

deb-src http://ftp.us.debian.org/debian/ squeeze-updates main

#

Debian Testing

#

Testing

deb http://ftp.debian.org/debian/ testing main contrib non-free

deb-src http://ftp.debian.org/debian/ testing main contrib non-free

#

Debian Wheezy

#

deb http://ftp.debian.org/debian/ wheezy main contrib non-free

deb-src http://ftp.debian.org/debian/ wheezy main contrib non-free

Testing Security http://secure-testing-master.debian.net/

deb http://security.debian.org wheezy/updates main contrib non-free

deb-src http://security.debian.org wheezy/updates main contrib non-free

update the system

apt-get update

apt-get upgrade

run a distribution upgrade

apt-get dist-upgrade

you will be presented with distribution upgrade notes:

q (will exit the less program)

You will be presented with a choice of automatically restarting services

│ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, │

│ and libssl, are upgraded. Since these restarts may cause interruptions of service for the system, you will normally be │

│ prompted on each upgrade for the list of services you wish to restart. You can choose this option to avoid being │

│ prompted; instead, all necessary restarts will be done for you automatically so you can avoid being asked questions on │

│ each library upgrade. │

│ │

│ Restart services during package upgrades without asking? │

│ │

│ I chose yes and hit Configuration file `/etc/default/rc'

==> File on system created by you or by a script.

==> File also in package provided by package maintainer.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** rcS (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

│ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, │

│ CD-ROM, and tape devices may change. │

│ │

│ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than │

│ by device name, which will work with both old and new kernel versions. │

│ │

│ If you choose to not update the system configuration automatically, you must update device IDs yourself before the │

│ next system reboot or the system may become unbootable. │

│ │

│ Update disk device IDs in system configuration? │

│ │

│ │

│ │

I chose Yes and hit │ │

│ Boot loader configuration check needed │

│ │

│ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be │

│ updated: │

│ │

│ * The root device ID passed as a kernel parameter; │

│ * The boot device ID used to install and update the boot loader. │

│ │

│ │

│ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be │

│ identified by name. │

│ │

│ │

│ │

I hit to choose Ok and continue

Configuration file `/etc/dhcp/dhclient.conf'

==> Modified (by you or by a script) since installation.

==> Package distributor has shipped an updated version.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : start a shell to examine the situation

The default action is to keep your current version.

*** dhclient.conf (Y/I/N/O/D/Z) [default=N] ?

I hit to choose the default

reboot

Start building the web server

apt-get install apache2 php5 php5-fpm libapache2-mod-fcgid

a2enmod fcgid rewrite ssl

apt-get install php-pear imagemagick re2c libmagickwand-dev php5-dev make

pear config-set preferred_state beta

pecl install Imagick

vi /etc/php5/apache2/php.ini

(maybe

vi /etc/php5/fpm/php.ini

)

(at line 213 for me)

shortopentag = Off

(at line 674 for me)

postmaxsize = 12M

(at line 802 for me)

uploadmaxfilesize = 12M

(at line 865 for me)

extension = imagick.so

(at line 1360 for me)

session.cookie_secure = 1

(at line 1391 for me)

session.cookie_httponly = 1

service apache2 restart

vi /etc/apache2/ports.conf

we need to ensure

my /etc/apache2/ports.conf reads as follows:

If you just change the port or add more ports here, you will likely also

have to change the VirtualHost statement in

/etc/apache2/sites-enabled/000-default

This is also true if you have upgraded from before 2.2.9-3 (i.e. from

Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and

README.Debian.gz

NameVirtualHost *:80

Listen 80

# If you add NameVirtualHost *:443 here, you will also have to change

the VirtualHost statement in /etc/apache2/sites-available/default-ssl

to # Server Name Indication for SSL named virtual hosts is currently not

supported by MSIE on Windows XP.

NameVirtualHost *:443

Listen 443

NameVirtualHost *:443

Listen 443

//UPDATE THESE

set up the default virtual host configurations

specifictally the virtualhosts for the default & default-ssl virtualhosts, the webroot locations, the log locations, and the ssl settings.

vi /etc/apache2/sites-available/default

my /etc/apache2/sites-available/default reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/http

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/default-ssl

my /etc/apache2/sites-available/default-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/default/https

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /var/www/default/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /var/www/default/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /var/www/default/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /var/www/default/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /var/www/default/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /var/www/default/certs/

SSLCACertificateFile /var/www/default/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /var/www/default/certs/

SSLCARevocationFile /var/www/default/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

create the file system directory structure specified in the configuration files

mkdir /var/www/default

mkdir /var/www/default/http

mkdir /var/www/default/https

mkdir /var/www/default/certs

mkdir /var/www/default/logs

cd /var/www

chown -R root:www-data *

chmod -R 770 *

chmod -R u+s *

chmod -R g+s *

optionally move or delete the default web page created upon installation

mv /var/www/index.html /var/www/default/http

make a backup of the default openssl settings

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf~

edit the /etc/ssl/openssl.cnf

vi /etc/ssl/openssl.cnf

(line 73)

default_days = 3650 # how long to certify for

(line 74)

defaultcrldays= 3650 # how long before next CRL

(line 129)

countryName_default = US

(line 133)

stateOrProvinceName_default = Ohio

(line 139)

0.organizationName_default = Rust Belt Rebellion

(line 146)

organizationalUnitName_default = Web Hosting

my /etc/ssl/openssl.cnf looks like this:

#

OpenSSL example configuration file.

This is mostly being used for generation of certificate requests.

#

This definition stops the following lines choking if HOME isn't

defined.

HOME = .

RANDFILE = $ENV::HOME/.rnd

Extra OBJECT IDENTIFIER info:

oid_file = $ENV::HOME/.oid

oidsection = newoids

To use this configuration file with the "-extfile" option of the

"openssl x509" utility, name here the section containing the

X.509v3 extensions to use:

extensions =

(Alternatively, use a configuration file that has only

X.509v3 extensions in its main [= default] section.)

[ new_oids ]

We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

Add a simple OID like this:

testoid1=1.2.3.4

Or use config file substitution like this:

testoid2=${testoid1}.5.6

Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

#

[ ca ]

defaultca = CAdefault # The default ca section

#

[ CA_default ]

dir = ./demoCA # Where everything is kept

certs = $dir/certs # Where the issued certs are kept

crl_dir = $dir/crl # Where the issued crl are kept

database = $dir/index.txt # database index file.

unique_subject = no # Set to 'no' to allow creation of

several ctificates with same subject.

newcertsdir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate

serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

x509extensions = usrcert # The extentions to add to the cert

Comment out the following two lines for the "traditional"

(and highly broken) format.

nameopt = cadefault # Subject Name options

certopt = cadefault # Certificate field options

Extension copying option: use with caution.

copy_extensions = copy

Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

so this is commented out by default to leave a V1 CRL.

crlnumber must also be commented out to leave a V1 CRL.

crlextensions = crlext

default_days = 3650 # how long to certify for

defaultcrldays= 3650 # how long before next CRL

default_md = default # use public key default MD

preserve = no # keep passed DN ordering

A few difference way of specifying how similar the request should look

For type CA, the listed attributes must be the same, and the optional

and supplied fields are just that :-)

policy = policy_match

For the CA policy

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

For the 'anything' policy

At this point in time, you must list all acceptable 'object'

types.

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

#

[ req ]

default_bits = 2048

default_keyfile = privkey.pem

distinguishedname = reqdistinguished_name

attributes = req_attributes

x509extensions = v3ca # The extentions to add to the self signed cert

Passwords for private keys if not present they will be prompted for

input_password = secret

output_password = secret

This sets a mask for permitted string types. There are several options.

default: PrintableString, T61String, BMPString.

pkix : PrintableString, BMPString (PKIX recommendation before 2004)

utf8only: only UTF8Strings (PKIX recommendation after 2004).

nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

MASK:XXXX a literal mask value.

WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

reqextensions = v3req # The extensions to add to a certificate request

[ reqdistinguishedname ]

countryName = Country Name (2 letter code)

countryName_default = US

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Ohio

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Rust Belt Rebellion

we can do this but it is not needed normally :-)

1.organizationName = Second Organization Name (eg, company)

1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)

organizationalUnitName_default = Web Hosting

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

emailAddress = Email Address

emailAddress_max = 64

SET-ex3 = SET extension number 3

[ req_attributes ]

challengePassword = A challenge password

challengePassword_min = 4

challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

These extensions are added when 'ca' signs a request.

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping

[ v3_req ]

Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

Extensions for a typical CA

PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

This is what PKIX recommends but some broken software chokes on critical

extensions.

basicConstraints = critical,CA:true

So we do this instead.

basicConstraints = CA:true

Key usage: this is typical for a CA certificate. However since it will

prevent it being used as an test self-signed certificate it is best

left out by default.

keyUsage = cRLSign, keyCertSign

Some might want this also

nsCertType = sslCA, emailCA

Include email address in subject alt name: another PKIX recommendation

subjectAltName=email:copy

Copy issuer details

issuerAltName=issuer:copy

DER hex encoding of an extension: beware experts only!

obj=DER:02:03

Where 'obj' is a standard or added object

You can even override a supported extension:

basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

CRL extensions.

Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

[ proxycertext ]

These extensions should be added when creating a proxy certificate

This goes against PKIX guidelines but some CAs do it and some software

requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

Here are some examples of the usage of nsCertType. If it is omitted

the certificate can be used for anything except object signing.

This is OK for an SSL server.

nsCertType = server

For an object signing certificate this would be used.

nsCertType = objsign

For normal client use this is typical

nsCertType = client, email

and for everything including object signing:

nsCertType = client, email, objsign

This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

This will be displayed in Netscape's comment listbox.

nsComment = "OpenSSL Generated Certificate"

PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

This stuff is for subjectAltName and issuerAltname.

Import the email address.

subjectAltName=email:copy

An alternative to produce certificates that aren't

deprecated according to PKIX.

subjectAltName=email:move

Copy subject details

issuerAltName=issuer:copy

nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem

nsBaseUrl

nsRevocationUrl

nsRenewalUrl

nsCaPolicyUrl

nsSslServerName

This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

#

[ tsa ]

defaulttsa = tsaconfig1 # the default TSA section

[ tsa_config1 ]

These are used by the TSA reply generation only.

dir = ./demoCA # TSA root directory

serial = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem # The TSA signing certificate

(optional)

certs = $dir/cacert.pem # Certificate chain to include in reply

(optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

defaultpolicy = tsapolicy1 # Policy if request did not specify it

(optional)

otherpolicies = tsapolicy2, tsa_policy3 # acceptable policies (optional)

digests = md5, sha1 # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clockprecisiondigits = 0 # number of digits after dot. (optional)

ordering = yes # Is ordering defined for timestamps?

(optional, default: no)

tsa_name = yes # Must the TSA name be included in the reply?

(optional, default: no)

esscertid_chain = no # Must the ESS cert id chain be included?

(optional, default: no)

cd /var/www/default/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a 2048 bit RSA private key

……………………………………………………….+++

……………………………………………+++

writing new private key to 'ssl-cert-snakeoil.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

---

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

---

Country Name (2 letter code) [US]:

State or Province Name (full name) [Ohio]:

Locality Name (eg, city) []:Eastlake

Organization Name (eg, company) [Rust Belt Rebellion]:

Organizational Unit Name (eg, section) []:Web Hosting

Common Name (e.g. server FQDN or YOUR name) []:rustbeltrebellion.com

Email Address []:bradchesney79@gmail.com

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

enter the pass phrase

passphrase restart apache, not reload

a2ensite default-ssl

service apache2 restart

~2012-12-19~

apt-get install mysql-server mysql-client php5-mysql

a dialog pops up for you to set a password on the root mysql user

a second dialog will pop up to confirm there were no typos or give you the opportunity to enter identical typos which is another way to look at it.

mysqlsecureinstallation

–--------

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL

SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current

password for the root user. If you've just installed MySQL, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.

Enter current password for root (enter for none):

OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL

root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n

… skipping.

By default, a MySQL installation has an anonymous user, allowing anyone

to log into MySQL without having to have a user account created for

them. This is intended only for testing, and to make the installation

go a bit smoother. You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] Y

… Success!

Normally, root should only be allowed to connect from 'localhost'. This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y

… Success!

By default, MySQL comes with a database named 'test' that anyone can

access. This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] Y

• Dropping test database…

… Success!

• Removing privileges on test database…

… Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] Y

… Success!

Cleaning up…

All done! If you've completed all of the above steps, your MySQL

installation should now be secure.

Thanks for using MySQL!

---

mysql -uroot -p

USE mysql

A common vector is to attack the MySQL root user since it is the default omipotent user put on almost all MySQL installs.

So, give your 'root' user a different name. (Is admin more secure than root, meh. Yeah, I guess.)

GRANT ALL PRIVILEGES ON . TO 'admin'@'localhost' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON . TO 'admin'@'127.0.0.1' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON . TO 'admin'@'::1' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON * TO 'admin'@'localhost' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON * TO 'admin'@'127.0.0.1' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON * TO 'admin'@'::1' IDENTIFIED BY 'pwork' WITH GRANT OPTION;

DELETE FROM user WHERE User='root';

CREATE USER 'backup'@'localhost' IDENTIFIED BY 'password';

GRANT SELECT, SHOW VIEW, RELOAD, REPLICATION CLIENT, EVENT, TRIGGER ON . TO 'backup'@'localhost';

So, the debian-sys-maint user is used by a lot of stuff. And it would serve to break more than I can justify it saves. I fundamentally disagree with the debian-sys-maint user, but that is the mumblings of a first class nobody-significant.

Do nothing with the debian-sys-maint user. :(

FLUSH PRIVILEGES;

This is my /etc/mysql/debian-start file

vi /etc/mysql/debian-start

---

!/bin/bash

#

This script is executed by "/etc/init.d/mysql" on every (re)start.

#

Changes to this file will be preserved when updating the Debian package.

#

source /usr/share/mysql/debian-start.inc.sh

MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf"

MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"

MYUPGRADE="/usr/bin/mysql_upgrade --defaults-extra-file=/etc/mysql/debian.cnf"

MYCHECK="/usr/bin/mysqlcheck --defaults-file=/etc/mysql/debian.cnf"

MYCHECK_SUBJECT="WARNING: mysqlcheck has found corrupt tables"

MYCHECK_PARAMS="--all-databases --fast --silent"

MYCHECK_RCPT="root"

The following commands should be run when the server is up but in background

where they do not block the server start and in one shell instance so that

they run sequentially. They are supposed not to echo anything to stdout.

If you want to disable the check for crashed tables comment

"checkforcrashed_tables" out.

(There may be no output to stdout inside the background process!)

echo "Checking for tables which need an upgrade, are corrupt or were "

echo "not closed cleanly."

(

upgradesystemtablesifnecessary;

checkrootaccounts;

checkforcrashed_tables;

) >&2 &

exit 0

---

install git version control

apt-get install git

install and set the access rights for the restricted shell for users

apt-get install rssh

vi /etc/rssh.conf

---

This is the default rssh config file

set the log facility. "LOG_USER" and "user" are equivalent.

logfacility = LOG_USER

Leave these all commented out to make the default action for rssh to lock

users out completely…

allowscp

allowsftp # Uncomment to allow SFTP

allowcvs

allowrdist

allowrsync

allowsvnserve

set the default umask

umask = 022

If you want to chroot users, use this to set the directory where the root of

the chroot jail will be located.

#

if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.

chrootpath = /usr/local/chroot

You can quote anywhere, but quotes not required unless the path contains a

space… as in this example.

chrootpath = "/usr/local/my chroot"

#

EXAMPLES of configuring per-user options

user=rudy:077:000100: # the path can simply be left out to not chroot

user=rudy:077:000100 # the ending colon is optional

user=rudy:011:001000: # cvs, with no chroot

user=rudy:011:010000: # rdist, with no chroot

user=rudy:011:100000: # rsync, with no chroot

user=rudy:011:000001: # svnserve, with no chroot

user="rudy:011:000010:/usr/local/chroot" # whole user string can be quoted

user=rudy:01"1:000010:/usr/local/chroot" # or somewhere in the middle, freak!

user=rudy:'011:000010:/usr/local/chroot' # single quotes too

if your chroot_path contains spaces, it must be quoted…

In the following examples, the chroot_path is "/usr/local/my chroot"

user=rudy:011:000100:"/usr/local/my chroot" # sftp with chroot

user=rudy:011:000110:"/usr/local/my chroot" # both with chroot

Spaces before or after the '=' are fine, but spaces in chrootpath need

quotes.

user = "rudy:011:000010:/usr/local/my chroot"

user = "rudy:011:000010:/usr/local/my chroot" # neither do comments at line end

---

install better system administration auditing tools

apt-get install auditd

install and configure selinux (the same level of security DoD requires for many government machines)

apt-get install selinux-basics

---

root@wheezy:~# apt-get install selinux-basics

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following packages were automatically installed and are no longer required:

cpp-4.4 cups-driver-gutenprint foomatic-filters-ppds libbluetooth3 libfont-freetype-perl

libgmp3c2 libgs8 libjpeg62 libnl1 libpoppler5 libsysfs2 libxcb-render-util0 libxfont1

min12xxw pnm2ppa xfonts-encodings xfonts-utils xli

Use 'apt-get autoremove' to remove them.

The following extra packages will be installed:

bwidget checkpolicy libapol4 libaudit0 libdrm-intel1 libdrm-nouveau1a libdrm-radeon1

libdrm2 libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libqpol1 libsetools-tcl libutempter0

libx11-xcb1 libxcb-glx0 libxcb-shape0 libxss1 libxtst6 libxv1 libxxf86dga1 policycoreutils

python-ipy python-selinux python-semanage python-sepolgen python-setools

selinux-policy-default selinux-utils setools tcl tcl8.5 tk tk8.5 x11-utils xbitmaps xterm

Suggested packages:

libglide3 selinux-policy-dev logcheck syslog-summary tcl-tclreadline mesa-utils

xfonts-cyrillic

The following NEW packages will be installed:

bwidget checkpolicy libapol4 libaudit0 libdrm-intel1 libdrm-nouveau1a libdrm-radeon1

libdrm2 libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libqpol1 libsetools-tcl libutempter0

libx11-xcb1 libxcb-glx0 libxcb-shape0 libxss1 libxtst6 libxv1 libxxf86dga1 policycoreutils

python-ipy python-selinux python-semanage python-sepolgen python-setools selinux-basics

selinux-policy-default selinux-utils setools tcl tcl8.5 tk tk8.5 x11-utils xbitmaps xterm

0 upgraded, 38 newly installed, 0 to remove and 0 not upgraded.

Need to get 36.9 MB of archives.

After this operation, 171 MB of additional disk space will be used.

Do you want to continue [Y/n]? y

Get:1 http://ftp.debian.org/debian/ testing/main libqpol1 amd64 3.3.7-3 [222 kB]

Get:2 http://ftp.debian.org/debian/ testing/main libapol4 amd64 3.3.7-3 [113 kB]

Get:3 http://ftp.debian.org/debian/ testing/main libdrm2 amd64 2.4.33-3 [444 kB]

Get:4 http://ftp.debian.org/debian/ testing/main libdrm-intel1 amd64 2.4.33-3 [478 kB]

Get:5 http://ftp.debian.org/debian/ testing/main libdrm-nouveau1a amd64 2.4.33-3 [433 kB]

Get:6 http://ftp.debian.org/debian/ testing/main libdrm-radeon1 amd64 2.4.33-3 [440 kB]

Get:7 http://ftp.debian.org/debian/ testing/main libglapi-mesa amd64 8.0.5-3 [46.6 kB]

Get:8 http://ftp.debian.org/debian/ testing/main libx11-xcb1 amd64 2:1.5.0-1 [139 kB]

Get:9 http://ftp.debian.org/debian/ testing/main libxcb-glx0 amd64 1.8.1-2 [32.1 kB]

Get:10 http://ftp.debian.org/debian/ testing/main libgl1-mesa-glx amd64 8.0.5-3 [134 kB]

Get:11 http://ftp.debian.org/debian/ testing/main libxcb-shape0 amd64 1.8.1-2 [11.0 kB]

Get:12 http://ftp.debian.org/debian/ testing/main libxss1 amd64 1:1.2.2-1 [17.5 kB]

Get:13 http://ftp.debian.org/debian/ testing/main libxtst6 amd64 2:1.2.1-1 [26.6 kB]

Get:14 http://ftp.debian.org/debian/ testing/main libxv1 amd64 2:1.0.7-1 [21.6 kB]

Get:15 http://ftp.debian.org/debian/ testing/main libxxf86dga1 amd64 2:1.1.3-2 [22.6 kB]

Get:16 http://ftp.debian.org/debian/ testing/main python-ipy all 1:0.75-1 [31.4 kB]

Get:17 http://ftp.debian.org/debian/ testing/main python-selinux amd64 2.1.9-5 [365 kB]

Get:18 http://ftp.debian.org/debian/ testing/main python-semanage amd64 2.1.6-6 [128 kB]

Get:19 http://ftp.debian.org/debian/ testing/main python-setools amd64 3.3.7-3 [511 kB]

Get:20 http://ftp.debian.org/debian/ testing/main python-sepolgen all 1.1.5-3 [77.0 kB]

Get:21 http://ftp.debian.org/debian/ testing/main libaudit0 amd64 1:1.7.18-1.1 [68.2 kB]

Get:22 http://ftp.debian.org/debian/ testing/main policycoreutils amd64 2.1.10-9 [614 kB]

Get:23 http://ftp.debian.org/debian/ testing/main tcl8.5 amd64 8.5.11-2 [1,627 kB]

Get:24 http://ftp.debian.org/debian/ testing/main tk8.5 amd64 8.5.11-2 [1,189 kB]

Get:25 http://ftp.debian.org/debian/ testing/main tcl all 8.5.0-2 [4,636 B]

Get:26 http://ftp.debian.org/debian/ testing/main tk all 8.5.0-2 [4,674 B]

Get:27 http://ftp.debian.org/debian/ testing/main bwidget all 1.9.5-1 [240 kB]

Get:28 http://ftp.debian.org/debian/ testing/main checkpolicy amd64 2.1.8-2 [287 kB]

Get:29 http://ftp.debian.org/debian/ testing/main libgl1-mesa-dri amd64 8.0.5-3 [21.8 MB]

Get:30 http://ftp.debian.org/debian/ testing/main libsetools-tcl amd64 3.3.7-3 [638 kB]

Get:31 http://ftp.debian.org/debian/ testing/main libutempter0 amd64 1.1.5-4 [8,020 B]

Get:32 http://ftp.debian.org/debian/ testing/main selinux-utils amd64 2.1.9-5 [87.3 kB]

Get:33 http://ftp.debian.org/debian/ testing/main selinux-basics all 0.5.0 [15.5 kB]

Get:34 http://ftp.debian.org/debian/ testing/main selinux-policy-default all 2:2.20110726-12 [4,302 kB]

Get:35 http://ftp.debian.org/debian/ testing/main setools amd64 3.3.7-3 [1,418 kB]

Get:36 http://ftp.debian.org/debian/ testing/main x11-utils amd64 7.7~1 [233 kB]

Get:37 http://ftp.debian.org/debian/ testing/main xbitmaps all 1.1.1-1 [31.8 kB]

Get:38 http://ftp.debian.org/debian/ testing/main xterm amd64 278-4 [613 kB]

Fetched 36.9 MB in 19s (1,855 kB/s)

Extracting templates from packages: 100%

Selecting previously unselected package libqpol1:amd64.

(Reading database … 55095 files and directories currently installed.)

Unpacking libqpol1:amd64 (from …/libqpol13.3.7-3amd64.deb) …

Selecting previously unselected package libapol4:amd64.

Unpacking libapol4:amd64 (from …/libapol43.3.7-3amd64.deb) …

Selecting previously unselected package libdrm2:amd64.

Unpacking libdrm2:amd64 (from …/libdrm22.4.33-3amd64.deb) …

Selecting previously unselected package libdrm-intel1:amd64.

Unpacking libdrm-intel1:amd64 (from …/libdrm-intel12.4.33-3amd64.deb) …

Selecting previously unselected package libdrm-nouveau1a:amd64.

Unpacking libdrm-nouveau1a:amd64 (from …/libdrm-nouveau1a2.4.33-3amd64.deb) …

Selecting previously unselected package libdrm-radeon1:amd64.

Unpacking libdrm-radeon1:amd64 (from …/libdrm-radeon12.4.33-3amd64.deb) …

Selecting previously unselected package libglapi-mesa:amd64.

Unpacking libglapi-mesa:amd64 (from …/libglapi-mesa8.0.5-3amd64.deb) …

Selecting previously unselected package libx11-xcb1:amd64.

Unpacking libx11-xcb1:amd64 (from …/libx11-xcb12%3a1.5.0-1amd64.deb) …

Selecting previously unselected package libxcb-glx0:amd64.

Unpacking libxcb-glx0:amd64 (from …/libxcb-glx01.8.1-2amd64.deb) …

Selecting previously unselected package libgl1-mesa-glx:amd64.

Unpacking libgl1-mesa-glx:amd64 (from …/libgl1-mesa-glx8.0.5-3amd64.deb) …

Selecting previously unselected package libxcb-shape0:amd64.

Unpacking libxcb-shape0:amd64 (from …/libxcb-shape01.8.1-2amd64.deb) …

Selecting previously unselected package libxss1:amd64.

Unpacking libxss1:amd64 (from …/libxss11%3a1.2.2-1amd64.deb) …

Selecting previously unselected package libxtst6:amd64.

Unpacking libxtst6:amd64 (from …/libxtst62%3a1.2.1-1amd64.deb) …

Selecting previously unselected package libxv1:amd64.

Unpacking libxv1:amd64 (from …/libxv12%3a1.0.7-1amd64.deb) …

Selecting previously unselected package libxxf86dga1:amd64.

Unpacking libxxf86dga1:amd64 (from …/libxxf86dga12%3a1.1.3-2amd64.deb) …

Selecting previously unselected package python-ipy.

Unpacking python-ipy (from …/python-ipy1%3a0.75-1all.deb) …

Selecting previously unselected package python-selinux.

Unpacking python-selinux (from …/python-selinux2.1.9-5amd64.deb) …

Selecting previously unselected package python-semanage.

Unpacking python-semanage (from …/python-semanage2.1.6-6amd64.deb) …

Selecting previously unselected package python-setools.

Unpacking python-setools (from …/python-setools3.3.7-3amd64.deb) …

Selecting previously unselected package python-sepolgen.

Unpacking python-sepolgen (from …/python-sepolgen1.1.5-3all.deb) …

Selecting previously unselected package libaudit0.

Unpacking libaudit0 (from …/libaudit01%3a1.7.18-1.1amd64.deb) …

Selecting previously unselected package policycoreutils.

Unpacking policycoreutils (from …/policycoreutils2.1.10-9amd64.deb) …

Selecting previously unselected package tcl8.5.

Unpacking tcl8.5 (from …/tcl8.58.5.11-2amd64.deb) …

Selecting previously unselected package tk8.5.

Unpacking tk8.5 (from …/tk8.58.5.11-2amd64.deb) …

Selecting previously unselected package tcl.

Unpacking tcl (from …/archives/tcl8.5.0-2all.deb) …

Selecting previously unselected package tk.

Unpacking tk (from …/archives/tk8.5.0-2all.deb) …

Selecting previously unselected package bwidget.

Unpacking bwidget (from …/bwidget1.9.5-1all.deb) …

Selecting previously unselected package checkpolicy.

Unpacking checkpolicy (from …/checkpolicy2.1.8-2amd64.deb) …

Selecting previously unselected package libgl1-mesa-dri:amd64.

Unpacking libgl1-mesa-dri:amd64 (from …/libgl1-mesa-dri8.0.5-3amd64.deb) …

Selecting previously unselected package libsetools-tcl.

Unpacking libsetools-tcl (from …/libsetools-tcl3.3.7-3amd64.deb) …

Selecting previously unselected package libutempter0.

Unpacking libutempter0 (from …/libutempter01.1.5-4amd64.deb) …

Selecting previously unselected package selinux-utils.

Unpacking selinux-utils (from …/selinux-utils2.1.9-5amd64.deb) …

Selecting previously unselected package selinux-basics.

Unpacking selinux-basics (from …/selinux-basics0.5.0all.deb) …

Selecting previously unselected package selinux-policy-default.

Unpacking selinux-policy-default (from …/selinux-policy-default2%3a2.20110726-12all.deb) …

Selecting previously unselected package setools.

Unpacking setools (from …/setools3.3.7-3amd64.deb) …

Selecting previously unselected package x11-utils.

Unpacking x11-utils (from …/x11-utils7.7~1amd64.deb) …

Selecting previously unselected package xbitmaps.

Unpacking xbitmaps (from …/xbitmaps1.1.1-1all.deb) …

Selecting previously unselected package xterm.

Unpacking xterm (from …/archives/xterm278-4amd64.deb) …

Processing triggers for man-db …

Setting up libqpol1:amd64 (3.3.7-3) …

Setting up libapol4:amd64 (3.3.7-3) …

Setting up libdrm2:amd64 (2.4.33-3) …

Setting up libdrm-intel1:amd64 (2.4.33-3) …

Setting up libdrm-nouveau1a:amd64 (2.4.33-3) …

Setting up libdrm-radeon1:amd64 (2.4.33-3) …

Setting up libglapi-mesa:amd64 (8.0.5-3) …

Setting up libx11-xcb1:amd64 (2:1.5.0-1) …

Setting up libxcb-glx0:amd64 (1.8.1-2) …

Setting up libgl1-mesa-glx:amd64 (8.0.5-3) …

Setting up libxcb-shape0:amd64 (1.8.1-2) …

Setting up libxss1:amd64 (1:1.2.2-1) …

Setting up libxtst6:amd64 (2:1.2.1-1) …

Setting up libxv1:amd64 (2:1.0.7-1) …

Setting up libxxf86dga1:amd64 (2:1.1.3-2) …

Setting up python-ipy (1:0.75-1) …

Setting up python-selinux (2.1.9-5) …

Setting up python-semanage (2.1.6-6) …

Setting up python-setools (3.3.7-3) …

Setting up python-sepolgen (1.1.5-3) …

Setting up libaudit0 (1:1.7.18-1.1) …

Setting up policycoreutils (2.1.10-9) …

Setting up tcl8.5 (8.5.11-2) …

update-alternatives: using /usr/bin/tclsh8.5 to provide /usr/bin/tclsh (tclsh) in auto mode

Setting up tk8.5 (8.5.11-2) …

update-alternatives: using /usr/bin/wish8.5 to provide /usr/bin/wish (wish) in auto mode

Setting up tcl (8.5.0-2) …

update-alternatives: using /usr/bin/tclsh-default to provide /usr/bin/tclsh (tclsh) in auto mode

Setting up tk (8.5.0-2) …

update-alternatives: using /usr/bin/wish-default to provide /usr/bin/wish (wish) in auto mode

Setting up bwidget (1.9.5-1) …

Setting up checkpolicy (2.1.8-2) …

Setting up libgl1-mesa-dri:amd64 (8.0.5-3) …

Setting up libsetools-tcl (3.3.7-3) …

Setting up libutempter0 (1.1.5-4) …

Creating utempter group…

Setting up selinux-utils (2.1.9-5) …

Setting up selinux-basics (0.5.0) …

Generating grub.cfg …

Found linux image: /boot/vmlinuz-3.2.0-4-amd64

Found initrd image: /boot/initrd.img-3.2.0-4-amd64

Found linux image: /boot/vmlinuz-2.6.32-5-amd64

Found initrd image: /boot/initrd.img-2.6.32-5-amd64

done

Setting up selinux-policy-default (2:2.20110726-12) …

Notice: Trying to link (but not load) a default policy.

This process may fail -- you should check the results, and

you need to switch to this policy yourself anyway.

Locating modules

Ordering modules based on dependencies

Selecting modules based on installed packages

Loaded modules apache dbus netutils ssh devicekit lpd cups remotelogin telnet xserver xscreensaver exim apm avahi cpufreqselector pythonsupport rpc dmidecode mysql policykit portmap vbetool tcpd ftp screen dhcp consolekit lvm lda tzdata rpcbind bluetooth gpg ptchown usbmodules java pcmcia

Setting up setools (3.3.7-3) …

Setting up x11-utils (7.7~1) …

Setting up xbitmaps (1.1.1-1) …

Setting up xterm (278-4) …

update-alternatives: using /usr/bin/xterm to provide /usr/bin/x-terminal-emulator (x-terminal-emulator) in auto mode

update-alternatives: using /usr/bin/uxterm to provide /usr/bin/x-terminal-emulator (x-terminal-emulator) in auto mode

update-alternatives: using /usr/bin/lxterm to provide /usr/bin/x-terminal-emulator (x-terminal-emulator) in auto mode

---

selinux-activate

Fix the domain of PID 1 error lines

vi /etc/udev/udev.conf

---

The initial syslog(3) priority: "err", "info", "debug" or its

numerical equivalent. For runtime debugging, the daemons internal

state can be changed with: "udevadm control --log-priority=".

#

udevd is started in the initramfs, so when this file is modified the

initramfs should be rebuilt.

udev_log="err"

nostaticdev="1"

---

update-initramfs -k all -u

set FIXFSCK in /etc/default/rcS

vi /etc/default/rcS

---

#

/etc/default/rcS

#

Default settings for the scripts in /etc/rcS.d/

#

For information about these variables see the rcS(5) manual page.

#

This file belongs to the "initscripts" package.

delete files in /tmp during boot older than x days.

'0' means always, -1 or 'infinite' disables the feature

TMPTIME=0

spawn sulogin during boot, continue normal boot if not used in 30 seconds

SULOGIN=no

do not allow users to log in until the boot has completed

DELAYLOGIN=no

be more verbose during the boot process

VERBOSE=no

automatically repair filesystems with inconsistencies during boot

FSCKFIX=yes

---

reboot

~Automatic reboot~

~Note: the /etc/pam.d/login error is due to an error in the check-selinux-installation script~

~Add PHPMyAdmin to default-ssl~

---At this point, the base configuration is complete---

add a user

adduser username

Password

Password

Fullname

Room Number

Work Phone

Home Phone

Other

Is the information correct

~Plan A~

give user restricted shell access

usermod -s /usr/bin/rssh username

chroot the user

vi /etc/rssh.conf

–--------

---

~End Plan A~

~Plan B~

give user restricted shell access

usermod -s /usr/bin/rssh username

chroot the user

give mkdir, rmdir, mv, cp, and rm

give mysql and git

~End Plan B~

~Plan C~

using sftponly shell

vi /etc/passwd

change /bin/bash to /usr/lib/sftp-server

~End Plan C~

set up directory structure

cd /home/username

mkdir hostname.tld

cd hostname.tld

mkdir http

mkdir https

mkdir certs

mkdir logs

change the ownership and access permissions

cd ..

chown -R username:www-data *

chmod -R 775 *

add sticky bits

chmod -R u+s *

chmod -R g+s *

create sites available for the new websites

vi /etc/apache2/sites-available/hostname.tld

my /etc/apache2/sites-available/hostname.tld reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/http

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/error_log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/access_log combined

likewise modify your default-ssl virtual host configuration

vi /etc/apache2/sites-available/hostname.tld-ssl

my /etc/apache2/sites-available/hostname.tld-ssl reads as follows:

ServerAdmin webmaster@localhost

DocumentRoot /home/username/hostname.tld/https

ServerName hostname.tld

Options FollowSymLinks

AllowOverride All

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog /home/username/hostname.tld/logs/sslerrorlog

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog /home/username/hostname.tld/logs/sslaccesslog combined

SSL Engine Switch:

Enable/Disable SSL for this virtual host.

SSLEngine on

A self-signed (snakeoil) certificate can be created by installing

the ssl-cert package. See

/usr/share/doc/apache2.2-common/README.Debian.gz for more info.

If both key and certificate are stored in the same file, only the

SSLCertificateFile directive is needed.

SSLCertificateFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /home/username/hostname.tld/certs/ssl-cert-snakeoil.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

SSLCertificateChainFile /home/username/hostname.tld/certs/server-ca.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

Note: Inside SSLCACertificatePath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCACertificatePath /home/username/hostname.tld/certs/

SSLCACertificateFile /home/username/hostname.tld/certs/ca-bundle.crt

Certificate Revocation Lists (CRL):

Set the CA revocation path where to find CA CRLs for client

authentication or alternatively one huge file containing all

of them (file must be PEM encoded)

Note: Inside SSLCARevocationPath you need hash symlinks

to point to the certificate files. Use the provided

Makefile to update the hash symlinks after changes.

SSLCARevocationPath /home/username/hostname.tld/certs/

SSLCARevocationFile /home/username/hostname.tld/certs/ca-bundle.crl

Client Authentication (Type):

Client certificate verification type and depth. Types are

none, optional, require and optionalnoca. Depth is a

number which specifies how deeply to verify the certificate

issuer chain before deciding the certificate is not valid.

SSLVerifyClient require

SSLVerifyDepth 10

Access Control:

With SSLRequire you can do per-directory access control based

on arbitrary complex boolean expressions containing server

variable checks and other lookup directives. The syntax is a

mixture between C and Perl. See the mod_ssl documentation

for more details.

#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

and %{SSLCLIENTSDNO} eq "Snake Oil, Ltd." \

and %{SSLCLIENTSDNOU} in {"Staff", "CA", "Dev"} \

and %{TIMEWDAY} >= 1 and %{TIMEWDAY} <= 5 \

and %{TIMEHOUR} >= 8 and %{TIMEHOUR} <= 20 ) \

or %{REMOTE_ADDR} =~ m/^192.76.162.[0-9]+$/

SSL Engine Options:

Set various options for the SSL engine.

o FakeBasicAuth:

Translate the client X.509 into a Basic Authorisation. This means that

the standard Auth/DBMAuth methods can be used for access control. The

user name is the `one line' version of the client's X.509 certificate.

Note that no password is obtained from the user. Every entry in the user

file needs this password: `xxj31ZMTZzkVA'.

o ExportCertData:

This exports two additional environment variables: SSLCLIENTCERT and

SSLSERVERCERT. These contain the PEM-encoded certificates of the

server (always existing) and the client (only existing when client

authentication is used). This can be used to import the certificates

into CGI scripts.

o StdEnvVars:

This exports the standard SSL/TLS related `SSL_*' environment variables.

Per default this exportation is switched off for performance reasons,

because the extraction step is an expensive operation and is usually

useless for serving static content. So one usually enables the

exportation for CGI and SSI requests only.

o StrictRequire:

This denies access when "SSLRequireSSL" or "SSLRequire" applied even

under a "Satisfy any" situation, i.e. when it applies access is denied

and no other module can change it.

o OptRenegotiate:

This enables optimized SSL connection renegotiation handling when SSL

directives are used in per-directory context.

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SSL Protocol Adjustments:

The safe and default but still SSL/TLS standard compliant shutdown

approach is that mod_ssl sends the close notify alert but doesn't wait for

the close notify alert from client. When you need a different shutdown

approach you can use one of the following variables:

o ssl-unclean-shutdown:

This forces an unclean shutdown when the connection is closed, i.e. no

SSL close notify alert is send or allowed to received. This violates

the SSL/TLS standard but is needed for some brain-dead browsers. Use

this when you receive I/O errors because of the standard approach where

mod_ssl sends the close notify alert.

o ssl-accurate-shutdown:

This forces an accurate shutdown when the connection is closed, i.e. a

SSL close notify alert is send and mod_ssl waits for the close notify

alert of the client. This is 100% SSL/TLS standard compliant, but in

practice often causes hanging connections with brain-dead browsers. Use

this only for browsers where you know that their SSL implementation

works correctly.

Notice: Most problems of broken clients are also related to the HTTP

keep-alive facility, so you usually additionally want to disable

keep-alive for those clients, too. Use variable "nokeepalive" for this.

Similarly, one has to force some clients to use HTTP/1.0 to workaround

their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

"force-response-1.0" for this.

BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

MSIE 7 and newer should be able to use keepalive

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

enable the website

a2ensite hostname.tld

create self-signed certificate

cd /home/username/hostname/certs

openssl req -new -x509 -extensions v3_ca -keyout ssl-cert-snakeoil.key -out ssl-cert-snakeoil.pem -days 3650 -config /etc/ssl/openssl.cnf

remove the passphrase

mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key~

openssl rsa -in ssl-cert-snakeoil.key~ -out ssl-cert-snakeoil.key

a2ensite hostname.tld-ssl

mysql -uadmin -p

CREATE DATABASE username;

~Plan A~

Give your user access via both of the most common ways to log in to the database for a logged in user

GRANT ALL PRIVILEGES ON username.* TO 'username'@'localhost' IDENTIFIED BY 'password';

GRANT ALL PRIVILEGES ON username.* TO 'username'@'127.0.0.1' IDENTIFIED BY 'password';

Assuming your host has a fixed IP, you may also give access for that

GRANT ALL PRIVILEGES ON username.* TO 'username'@'YOU.R H.OST.IP' IDENTIFIED BY 'password';

~End Plan A~

~Plan B~

GRANT ALL PRIVILEGES ON username.* TO 'username'@'%' IDENTIFIED BY 'password';

~End Plan B~

FLUSH PRIVILEGES;

EXIT

mpm-itk

///MySQL Suggested Packages

The following extra packages will be installed:

libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18

libnet-daemon-perl libplrpc-perl mysql-client-5.5 mysql-common mysql-server-5.5

mysql-server-core-5.5

Suggested packages:

libipc-sharedcache-perl libterm-readkey-perl tinyca

look at libapache2-mod-evasive