Let’s encrypt the web – renewal

So easy!


Since I ran letsencrypt-auto last time, I did the same again:

  • sudo systemctl stop nginx
  • cd letsencrypt
  • git pull
  • ./letsencrypt-auto
  • enter enter etc
  • sudo apache2ctl stop # .. why did it start apache2 automatically?
  • sudo systemctl start nginx


Since letsencrypt-auto version 0.5.0 it’s:

  • sudo systemctl stop nginx
  • cd letsencrypt
  • git pull
  • ./letsencrypt-auto --standalone --domains "my.example.com,2.example.com"
  • sudo systemctl restart nginx

Since certbot-auto (renamed from letsencrypt):

  • sudo systemctl stop nginx
  • ./certbot-auto renew
  • sudo systemctl start nginx
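An added example, not from the original post: the same stop, renew, start sequence as a script that starts nginx again even when certbot-auto fails, so a failed renewal does not also leave the site down. The three commands are the ones from the list above; STOP_CMD, RENEW_CMD and START_CMD are my variable names and exist so the commands can be swapped (for apache, or for a dry run without root).

```shell
#!/bin/sh
# Added example, not from the original post: stop nginx, renew, and make
# sure nginx is started again even when the renewal fails.
# The commands default to the ones in the post; override them (for apache,
# or to exercise the script without root) through these variables.
: "${STOP_CMD:=sudo systemctl stop nginx}"
: "${RENEW_CMD:=./certbot-auto renew}"
: "${START_CMD:=sudo systemctl start nginx}"

renew_with_restart() {
    # If the web server cannot be stopped, port 80 is still busy and a
    # standalone renewal cannot work, so give up before touching anything.
    eval "$STOP_CMD" || { echo "could not stop web server" >&2; return 1; }
    rc=0
    eval "$RENEW_CMD" || rc=$?      # remember certbot's result, but keep going
    eval "$START_CMD" || { echo "web server did NOT come back, check it now" >&2; return 1; }
    if [ "$rc" -eq 0 ]; then
        echo "renewal ok, web server restarted" >&2
    else
        echo "renewal FAILED (exit $rc), web server restarted anyway" >&2
    fi
    return "$rc"
}

# Usage: sh renew.sh run
case "${1:-}" in run) renew_with_restart ;; esac
```

The exit status is certbot's, so a cron job or monitoring still sees a failed renewal even though the site is back. certbot itself can do the same through certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx", and those hooks only run when a certificate is actually due for renewal, so the site is not stopped on every cron run.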


Red Hat Certification – RHCE – Course Outline


In case you saw my previous posts, I've been prepping for an RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I've missed something or not gone deep enough into some subjects, and for the record, some subjects I decided to skip.

I'm taking the course over at Tieturi here in Helsinki, and they have published the schedule for the course with a quite detailed outline.

This course outline is useful for checking whether you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn


-IPv6: Dynamic Interface Configuration
-IPv6: Static Interface Configuration
-IPv6: Routing Configuration

You can add IPv6-specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network
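As an added example (constructed for this post, not taken from the course material), a static IPv6 setup for eth0 in ifcfg syntax, with the lines for the dynamic variants in comments, plus the global switches for /etc/sysconfig/network. The 2001:db8::/32 prefix is the IPv6 documentation range, so substitute your own. ifcfg files are shell key=value assignments, which is why the block is tagged as shell.

```shell
# /etc/sysconfig/network-scripts/ifcfg-eth0 (constructed example)
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=yes                 # enable IPv6 on this interface at all
IPV6_AUTOCONF=no             # static: ignore addresses offered by router advertisements
IPV6ADDR=2001:db8:1::10/64   # the interface address with prefix length
IPV6_DEFAULTGW=2001:db8:1::1 # default route for IPv6
# Dynamic instead of static: drop IPV6ADDR and IPV6_DEFAULTGW and use one of
#   IPV6_AUTOCONF=yes        # SLAAC, address derived from router advertisements
#   DHCPV6C=yes              # address handed out by a DHCPv6 server

# /etc/sysconfig/network (global settings)
NETWORKING_IPV6=yes
IPV6FORWARDING=no            # a plain host should not route packets between networks
```

Static routes beyond the default gateway go in /etc/sysconfig/network-scripts/route6-eth0, one per line in the form 2001:db8:2::/64 via 2001:db8:1::2. After editing, ifdown eth0; ifup eth0 and check with ip -6 addr and ip -6 route.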


Netfilter Overview
-Rules: General Considerations
-Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables


Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place (the placeholder is the network your clients are on):
acl localnet src <client-network>/<prefix>
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is insecure. Very insecure. You should at least set a password for the proxy, change the default port and keep the firewall rules as tight as possible.
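An added example rather than something from the post: a small shell audit that flags, in a squid.conf, exactly the weaknesses the warning above lists (anyone allowed through, the well-known default port, no authentication, no final deny). It is run against two constructed sample configurations, an open one and a hardened one. The function names and the samples are mine; the auth helper path in the hardened sample is the usual one on RHEL but varies between squid versions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a squid.conf for the
# weaknesses the text warns about. Usage: audit_squid_conf /etc/squid/squid.conf
# Exit status is the number of findings, so 0 means nothing was flagged.

# Print directives only (comments and blank lines stripped).
squid_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

audit_squid_conf() {
    conf="$1"
    findings=0
    d=$(squid_directives "$conf")

    if printf '%s\n' "$d" | grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo "OPEN PROXY: 'http_access allow all' lets anyone relay through this host"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$d" | grep -Eq '^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src[[:space:]]+(all|0\.0\.0\.0/0|::/0)([[:space:]]|$)'; then
        echo "ACL: localnet matches every source address"
        findings=$((findings + 1))
    fi
    # Squid uses the first matching http_access line; the last one should catch the rest.
    last=$(printf '%s\n' "$d" | grep -E '^[[:space:]]*http_access' | tail -n 1)
    if ! printf '%s\n' "$last" | grep -Eq 'deny[[:space:]]+all([[:space:]]|$)'; then
        echo "DEFAULT: last http_access rule is not 'deny all' (got: ${last:-none})"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$d" | grep -Eq '^[[:space:]]*http_port[[:space:]]+(.*:)?3128([[:space:]]|$)'; then
        echo "PORT: listening on the well-known default 3128"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$d" | grep -Eq '^[[:space:]]*auth_param'; then
        echo "AUTH: no auth_param configured, clients are not authenticated"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Two constructed sample files: what the quick setup above tends to end up as,
# and a version with the fixes the warning asks for.
write_sample_confs() {   # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
http_port 3128
acl localnet src all
http_access allow all
EOF
    cat > "$1/hardened.conf" <<'EOF'
http_port 8080
# basic auth against an htpasswd-style file; helper path is the usual one on RHEL
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authusers proxy_auth REQUIRED
acl localnet src 192.0.2.0/24
http_access allow localnet authusers
http_access deny all
EOF
}

if [ $# -gt 0 ]; then audit_squid_conf "$1"; fi
```

The checks are deliberately simple pattern matches on the directive lines, enough to catch the shape of the quick setup above; the authoritative test is still to run the curl command from a host outside your network and confirm it is refused.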

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation


Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default)
--force-mdc == if you don't have this you'll get "message was not integrity protected"

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message


-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# encrypting to a public key asks for no password; this creates /tmp/file.gpg
gpg --decrypt /tmp/file.gpg
# enter password (the passphrase protecting labber's private key)

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?
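An added example, not from the original post, that works through that question: two separate GnuPG keyrings stand in for two people, Bob exports only his public key, Alice imports it, checks the fingerprint and encrypts to him, and only Bob's private key can decrypt. "alice", "bob", their addresses and the function names are made up; it needs GnuPG 2.1 or newer, and it creates the keys without a passphrase only so that it can run unattended.

```shell
#!/bin/sh
# Added example, not from the original post: encrypting a file to somebody
# else's public key. Two throwaway keyrings (GNUPGHOME) stand in for two
# people. Names are made up. Needs GnuPG 2.1+ (quick-generate-key, loopback).

gpg_b() {   # $1 = keyring dir, rest = gpg arguments; unattended, empty passphrase (demo only)
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

make_party() {   # $1 = keyring dir, $2 = user id; generates that party's key pair
    mkdir -p "$1" && chmod 700 "$1"
    gpg_b "$1" --quiet --quick-generate-key "$2" default default never >/dev/null 2>&1
}

pgp_exchange() {   # $1 = scratch dir; prints the text Bob recovers
    work="$1"
    alice="$work/alice"; bob="$work/bob"
    make_party "$alice" "Alice <alice@example.com>"
    make_party "$bob"   "Bob <bob@example.com>"

    # Bob hands out only his PUBLIC key (ASCII armored, safe to mail or publish).
    gpg_b "$bob" --armor --export bob@example.com > "$work/bob.pub"
    # Alice imports it. Importing proves nothing about who owns the key, so she
    # compares this fingerprint with the one Bob gives her over another channel.
    gpg_b "$alice" --import "$work/bob.pub" >/dev/null 2>&1
    gpg_b "$alice" --fingerprint bob@example.com >&2

    printf 'hello bob, from alice\n' > "$work/note.txt"
    # --trust-model always skips the trust check for the demo; after verifying the
    # fingerprint the proper step is 'gpg --lsign-key bob@example.com' instead.
    gpg_b "$alice" --trust-model always --recipient bob@example.com \
        --output "$work/note.txt.gpg" --encrypt "$work/note.txt"

    # Alice has no private key for Bob, so only Bob's keyring can decrypt this.
    gpg_b "$bob" --output "$work/note.dec" --decrypt "$work/note.txt.gpg" 2>/dev/null
    cat "$work/note.dec"

    # Stop the agents gpg started for the throwaway keyrings.
    for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
}

# Usage: sh pgp_exchange.sh run
case "${1:-}" in run) d=$(mktemp -d); pgp_exchange "$d"; rm -rf "$d" ;; esac
```

With a real correspondent the steps are the same: gpg --import their-key.asc, compare gpg --fingerprint with what they tell you in person or by phone, gpg --lsign-key to record that you checked, and then gpg -e -r their@address file works exactly like the labber example above, except that only they can open the result.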

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certificates
  • RA – registration authority – verifies the identity of a user requesting a certificate from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.
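An added example, not part of the course outline or the post, that shows the pieces from the two lists above with openssl: a CA with a self-signed certificate, a user key pair and a request carrying the user's details and public key, the CA signing that request, and anyone holding the CA certificate verifying the result. The names (Example Lab CA, labber, the scratch directory) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal PKI with openssl.
# Names are made up. Each function prints nothing on success except where noted.

make_ca() {   # $1 = dir; creates ca.key (private, keep it offline) and self-signed ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Lab CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = dir, $2 = name, $3 = subject; the CA never sees the user's private key
    # The user makes a key pair and a request (CSR) holding the subject and the public key.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # The RA step belongs here: confirm the requester really is "$3" before signing.
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 90 -out "$1/$2.crt" 2>/dev/null
}

verify_cert() {   # $1 = CA cert, $2 = cert to check; exit 0 only if it chains to that CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_subject() {   # print the user details embedded in a certificate
    openssl x509 -in "$1" -noout -subject
}

demo_pki() {   # $1 = scratch dir
    make_ca "$1"
    issue_cert "$1" labber "/CN=labber/emailAddress=labber@example.com"
    cert_subject "$1/labber.crt"
    openssl x509 -in "$1/labber.crt" -noout -pubkey   # the public key travels inside the cert
    verify_cert "$1/ca.crt" "$1/labber.crt" && echo "labber.crt verifies against Example Lab CA"
}

# Usage: sh mini_pki.sh run
case "${1:-}" in run) d=$(mktemp -d); demo_pki "$d"; rm -rf "$d" ;; esac
```

The verify step is the whole point of the central directory in the list above: a client only needs the CA certificate, not every user's key, and a certificate signed by some other CA fails the check even when its subject line claims to be the same user.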

Account Management

-Account Management
-Account Information (Name Service)
-Name Service Switch (NSS)
-Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication



Basically a way to authenticate users. You can put different authentication back-ends behind PAM, so that a piece of software only needs to know how to authenticate through PAM and PAM takes care of the behind-the-scenes work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig



Reading encrypted/password protected pdf on Linux


The problematic PDF

The CFP300 material on http://community.brocade.com/docs/DOC-2041 is encrypted so that it cannot be printed/re-edited without a password.

If you try to open this with evince (default .pdf viewer in Gnome) it will ask for a password.
pdftotext (part of the poppler suite) says:

Error: Weird encryption info
Error: Incorrect password

It's only the material starting with M0* that has this issue; it has also been seen with other documents. Maybe this is because they were created with a too-new version of Adobe Acrobat that evince/pdftotext doesn't support.
The rest of the material is going to be public, and they are user/admin guides anyway. But the M0* files are from the actual course material for the 16G, so that is why.

The solution on RHEL6 x64: install FoxitReader. Download the .rpm, then run 'rpm -Uvh FoxitReader-1.1-0.fc9.i386.rpm' and it will be installed. To start it just run 'FoxitReader'.

Anyway, I think it's nice of Brocade to pre-release the course material for those doing the beta test. If you want the real material the cheapest option is $650, and then you get the material, narration of the PDFs (usually good quality, not just reading off the presentations) and a few quite good lab exercises.

The Studying

Just plodding along here with the material, slowly but steadily.
I'm starting with the NPIV / Access Gateway stuff. It's a bit more complicated than just a switch that isn't its own domain: it also maps the virtual WWNs to the N_ports (a switch in AG mode has N_ports that connect to F_ports in another switch). Usually the N_ports are the ports on hosts and targets, and the switches have the F_ports.