Linux

All blog posts related to LINUX

Securing Apache with SSL on Ubuntu 14

Prerequisites
$ sudo apt-get update
$ sudo apt-get install apache2
Activate the SSL Module
$ sudo a2enmod ssl
$ sudo service apache2 restart
Create a Self Signed SSL Certificate
You are required to create a self-signed certificate and point the Apache SSL configuration at it. The key and certificate may live at any preferred location; here they are placed in a new directory, /etc/apache2/ssl, which has to exist before openssl writes into it.
$ sudo mkdir -p /etc/apache2/ssl
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Configure Apache to use SSL
Edit /etc/apache2/sites-available/default-ssl.conf, the file that contains the default SSL virtual host configuration, so that SSLCertificateFile and SSLCertificateKeyFile point at the certificate and key just created:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
Activate the SSL Virtual Host

$ sudo a2ensite default-ssl.conf
$ sudo service apache2 restart

Test the Virtual Host with SSL
Now open https://<your-domain> in a browser; the site should be served over SSL.

Tomcat Startup Script – Ubuntu 14.04 LTS

Environment : Ubuntu 14.04 LTS

Prerequisites: Java and Tomcat installed in your machine/instance. JAVA_HOME should be set already before start.

Step 1: Create a file called “tomcat” under the /etc/init.d folder with the contents below (adjust TOMCAT_DIR to your own Tomcat installation).

#!/bin/bash
#
# tomcat
#
# chkconfig:
# description:  Start up the Tomcat servlet engine.
#
# LSB header so that update-rc.d can register the script without
# "missing LSB information" warnings (run levels match Step 4).
### BEGIN INIT INFO
# Provides:          tomcat
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start up the Tomcat servlet engine.
### END INIT INFO

# Location of the Tomcat installation; adjust to match your machine.
TOMCAT_DIR=/home/crishantha/lib/apache-tomcat-7.0.63

case "$1" in
 start)
   "$TOMCAT_DIR/bin/startup.sh"
   ;;
 stop)
   "$TOMCAT_DIR/bin/shutdown.sh"
   sleep 10      # give Tomcat time to shut down cleanly
   ;;
 restart)
   "$TOMCAT_DIR/bin/shutdown.sh"
   sleep 20      # wait for the old JVM to exit before starting a new one
   "$TOMCAT_DIR/bin/startup.sh"
   ;;
 *)
   echo "Usage: tomcat {start|stop|restart}" >&2
   exit 3
   ;;
esac

Step 2: Make the script executable

sudo chmod a+x tomcat

Step 3: Test the above script by executing the commands below

sudo ./tomcat start
sudo ./tomcat stop

Step 4: Register the above script as an init script. The following makes the system execute “start” or “stop” at the appropriate run levels. By default, start happens on run levels 2, 3, 4 and 5, and stop happens on run levels 0, 1 and 6.

sudo update-rc.d tomcat defaults

Step 5: Now reboot the machine/instance and verify that Tomcat comes up on its own.


Creating LXC instances on Ubuntu 14 LTS

Hypervisor Virtualization Vs OS level / Container Virtualization

Unlike hypervisor virtualization, where one or more independent machines run virtually on physical hardware via an intermediation layer, containers instead run user space on top of an operating system’s kernel. As a result, container virtualization is often called operating system-level virtualization.

Container/OS-level virtualization provides multiple isolated Linux environments on a single Linux host. Containers share the host OS kernel and use the guest's own system libraries to provide the required OS capabilities. This gives containers a very low overhead and a much faster startup time compared to VMs.

As a limitation, containers are also considered less secure than hypervisor virtualization. The counter-argument is that containers present a smaller attack surface than the full operating systems deployed under hypervisor virtualization.

Well-known OS-level virtualization/container technologies include OpenVZ, Oracle Solaris Zones and Linux LXC.

LXC Containers

Linux Containers (LXC) is a fast, lightweight, OS-level virtualization technology that allows us to host multiple isolated Linux systems on a single host.

Installing LXC on Ubuntu 14 LTS

LXC is available on Ubuntu default repositories. Simply type the following for a complete installation.

sudo apt-get install lxc lxctl lxc-templates

To check the successful completion, type

sudo lxc-checkconfig

If everything is fine, it will show something similar to the following

Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.13.0-32-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Creating LXC
sudo lxc-create -n <container-name> -t <template>

The available values for <template> can be found in the /usr/share/lxc/templates/ folder.

For example, if you need to create an Ubuntu container, you may execute,

sudo lxc-create -n ubuntu01 -t ubuntu

If you want to create an OpenSUSE container you may execute,

sudo lxc-create -n opensuse1 -t opensuse

If you want to create a Centos container, you may execute,

sudo apt-get install yum   # required as a prerequisite for the centos template
sudo lxc-create -n centos01 -t centos

Once created you should be able to list all the LXCs created.

sudo lxc-ls

To list down the complete container information,

sudo lxc-info -n ubuntu01
Starting LXC

Execute following command to start the created containers.

sudo lxc-start -n ubuntu01 -d

Now use the following to log in to the started containers.

sudo lxc-console -n ubuntu01

The default userid/password is ubuntu/ubuntu.

[To exit from the console, press “Ctrl+a” followed by the letter “a”.]

If you need to see the assigned IP address and the state of any created instance,

sudo lxc-ls --fancy ubuntu01
Stopping LXC
sudo lxc-stop -n ubuntu01
Cloning LXC
sudo lxc-stop -n ubuntu01
sudo lxc-clone ubuntu01 ubuntu02
sudo lxc-start -n ubuntu02
Deleting LXC

sudo lxc-destroy -n ubuntu01

Managing LXC using a Web Console
sudo wget http://lxc-webpanel.github.io/tools/install.sh -O - | bash

Then, access the LXC web panel using URL: http://<ip-address>:5000. The default username/password is admin/admin

References:

1. Setting up Multiple Linux System Containers using Ubuntu 14 LTS - http://www.unixmen.com/setting-multiple-isolated-linux-systems-containers-using-lxc-ubuntu-14-04/

2. LXC Complete Guide - https://help.ubuntu.com/12.04/serverguide/lxc.html

3. The Evolution of Linux Containers and Future - https://dzone.com/articles/evolution-of-linux-containers-future

4. Can containers really ship software - https://dzone.com/articles/can-containers-really-ship-software


Generating public-private key pairs with ssh-keygen

If you are into enterprise application development, you must have come across the requirement of generating public-private key pairs. The purpose can vary; mostly you need this in order to authenticate a desired client.

Usually, for this task you tend to fall back on tools like keytool or OpenSSL. However, these tools do much more than create public-private key pairs: they are built to manage generated keys and certificates in production systems.

If you have a simple authentication requirement, the above tools may not be the ideal choice, because there are other tools which can just generate public-private key pairs without much hassle. One of the popular choices is the ssh-keygen tool, which is available on Unix/Linux distributions.

For example, if you want to authenticate yourself to a remote server with something other than username-password authentication, you need a public-private key pair to authenticate between the two entities (authenticating an AWS user to an EC2 instance is a good example). In these scenarios, ssh-keygen is very handy. After creating the key pair, send the public key to the party who is willing to authenticate your machine; that party adds your public key to the server instance (on Unix-like systems, by appending it to the authorized_keys file in the .ssh directory of the account's home folder). Thereafter, just ssh to the remote server/instance, specifying the private key as an argument. That's it!

On Windows systems, however, puttygen is the tool widely used. The public keys exported by this tool will not work as-is for user authentication, because they are in a different format. The workaround is to convert the public key to the format expected in authorized_keys.

For example, the initial public key generated by puttygen can be in the following format,

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20110829"
AAAAB3NzaFDFDFDGEEABJQAAAIEAknX1EwDVO826fSyAxVOkruwwG8AWNjsw4FXz
XrN6FClXU7BegOziTlDFDFDGDGGDFGD9ciJkE7LN55CEr9eOcNh16jSd/6a9J38R
MQwWUn3UvsrHKMu6qetf1kbP0b77Md4DFDFDFGDFGDyVYZrt7Nw/Q0MtObYdqFVS
/4kdfdffS=
---- END SSH2 PUBLIC KEY ----

In this example, remove the BEGIN/END lines and the Comment header, join the base64 lines into a single line (no line breaks), prefix it with the string “ssh-rsa ” (followed by a space), and optionally add a comment such as your user name at the end.

ssh-rsa AB3NzaC1yc2EAAAABJQAAAIEAknX1EwDVO826fSyAxVOkruwwG8AWNjsw4FXzXrN6FClXU7BegOziTlL1jG0oPOHMrxx9ciJ38RMQwWUn3UvsrHKMu6qetf1kbP0b77Md4fJvxgPnxAM6yVYZrt7Nw/Q0MtObYdqFVS/4kx+JM= <user-name>

This eliminates the authentication issue you probably had.
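The conversion described above, done programmatically. This is an added example, not code from the original post: a small Python script that parses an RFC 4716 (SSH2) public key of the kind puttygen exports, rewrites it as a single OpenSSH authorized_keys line, and verifies that the base64 blob really encodes an RSA key of the type named in the prefix (a mangled paste is the usual reason such a key is rejected). The sample key is constructed inside the script from made-up public numbers and is not a real key; all function names are my own.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH 'mpint' (leading 0x00 when the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_ssh_string(blob: bytes, offset: int = 0):
    """Read one SSH 'string' from blob; returns (value, offset_after_it)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a key blob the way puttygen does: header, Comment line, 64-char base64 lines."""
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "{comment}"\n{wrapped}\n{END}\n'


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public key to one OpenSSH '<type> <base64> <comment>' line."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key")
    comment, b64_parts, continued = "", [], False
    for line in lines[1:-1]:
        if continued:                       # continuation of a header ending in '\'
            continued = line.endswith("\\")
            continue
        if ":" in line:                     # header line; base64 never contains ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continued = line.endswith("\\")
            continue
        b64_parts.append(line.strip())
    blob = base64.b64decode("".join(b64_parts), validate=True)
    key_type, _ = read_ssh_string(blob)     # the type is embedded in the blob itself
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()


def decode_openssh_line(line: str):
    """Parse an authorized_keys line; returns (type, blob, comment) or raises ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, _ = read_ssh_string(blob)
    if key_type.decode() != parts[0]:
        raise ValueError("key type prefix does not match the encoded blob")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""


def rsa_public_numbers(blob: bytes):
    """Extract (e, n) from an ssh-rsa blob, rejecting anything that is not a clean RSA key."""
    key_type, off = read_ssh_string(blob)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an RSA key: {key_type!r}")
    e_bytes, off = read_ssh_string(blob, off)
    n_bytes, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


if __name__ == "__main__":
    # Constructed demo key: made-up public numbers, NOT a real key.
    demo_blob = build_rsa_blob(65537, (1 << 1023) + 12345)
    ssh2_text = to_rfc4716(demo_blob, "rsa-key-20110829")
    print(ssh2_text)
    line = rfc4716_to_openssh(ssh2_text)
    print(line)
    print("RSA e,n bits:", rsa_public_numbers(decode_openssh_line(line)[1])[1].bit_length())
```

Running the script prints the puttygen-style block, the single authorized_keys line derived from it, and the modulus size recovered from that line. The validating parse is the useful part: if a pasted key was damaged (a dropped character, a stray line break inside the base64), decoding or the type check fails here rather than silently producing a line the server will reject.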


Using the Linux “screen” command

If you have a remote Linux machine with ssh access and if you want to run a job that takes a longer period of time, most of the time the ssh session will time out. That means you need a way to execute that job in the background even if your session times out. To facilitate this feature, Linux has the screen command.

How to activate a screen session?

>> screen -a

Then, if you want to run the background job, just execute it inside the screen session and press Ctrl+A followed by D to detach and get back to your main prompt.

How to check the number of screen sessions available?

>> screen -ls

The answer would be like,

There is a screen on:
10707.pts-0.linuxmachine    (Detached)
1 Socket in /var/run/screen/S-root.

How do we go back to a screen session that is already detached by the user?

>> screen -r 10707

(Here “10707” refers to the particular screen session ID shown by screen -ls.)

Once you are back in the particular screen session, you can return to the default command prompt by simply typing exit.

Reference: http://www.linuxjournal.com/article/6340?page=0,1
