Showing posts with label debian. Show all posts

Root CA and Wildcard Certificate Generation in CentOS/RHEL 6&7

     Hi folks! This is one of the simplest ways to run your own root CA server and issue your own wildcard certificates. The biggest advantage of this method is that it makes no system-level changes: everything is stored in the files named in the commands, so if something goes wrong at any stage, delete the files and perform the steps again.

There are two sections:

1. RootCA server: needs to be performed only once.

2. Generating wildcard certificates for the xyz.com domain: performed once per domain to create a wildcard certificate, or once per site per domain to create individual per-site certificates.


RootCA Server
============
1. Install required packages.

# yum install openssl -y

2. Generate XYZRootCA certificates

# mkdir /opt/XYZRootCA
# cd /opt/XYZRootCA
# openssl genrsa -out XYZRootCA.key 2048
# openssl req -x509 -new -nodes -key XYZRootCA.key -sha256 -days 10950 -out XYZRootCA.pem

# Provide information as given below

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:XYZ Solutions Pvt. Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:XYZRootCA
Email Address []:info@xyz.com

3. Convert .pem to .crt

# openssl x509 -outform der -in XYZRootCA.pem -out XYZRootCA.crt



Generating wildcard certificates for xyz.com domain
===========================================
1. Generate CSR for *.xyz.com

# openssl genrsa -out XYZWildcard.key 2048
# openssl req -new -key XYZWildcard.key -out XYZWildcard.csr

# Provide information as given below

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:XYZ Solutions Pvt. Ltd
Organizational Unit Name (eg, section) []:Infra Support
Common Name (eg, your name or your server's hostname) []:*.xyz.com
Email Address []:infrasupport@xyz.com

2. Using the CSR generated in step 1, generate the wildcard certificate for *.xyz.com and get it signed by XYZRootCA.

# openssl x509 -req -in XYZWildcard.csr -CA XYZRootCA.pem -CAkey XYZRootCA.key -CAcreateserial -out XYZWildcard.crt -days 3650 -sha256

3. Import XYZRootCA.crt to trusted root certificates

# yum install ca-certificates
# update-ca-trust force-enable
# cp XYZRootCA.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
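As an added example (not part of the original post), the whole procedure as one shell function under an assumed domain and directory: it issues the wildcard certificate with a subjectAltName, which modern browsers require in place of a wildcard CN, and verifies the chain before the certificate is deployed. It uses an -extfile rather than -addext so it also runs on the OpenSSL 1.0.x shipped with CentOS/RHEL 6 and 7.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway root CA plus a
# *.DOMAIN wildcard leaf that also carries a subjectAltName, checked with
# `openssl verify`. Extensions come from an -extfile, which also works on the
# OpenSSL 1.0.x shipped with CentOS/RHEL 6 and 7.
set -eu

# make_wildcard_cert DOMAIN DIR: writes RootCA.{key,pem} and Wildcard.{key,csr,crt}
# into DIR and prints the leaf's Subject Alternative Name. Runs in a subshell
# so the caller's working directory and umask are left untouched.
make_wildcard_cert() (
    domain="$1"; dir="$2"
    mkdir -p "$dir" && cd "$dir"
    umask 077    # private keys are created readable by the owner only

    # Root CA: self-signed; the default openssl.cnf marks it CA:TRUE
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/C=IN/O=Example CA/CN=ExampleRootCA" \
        -keyout RootCA.key -out RootCA.pem 2>/dev/null

    # Leaf CSR for *.domain; a wildcard in CN alone is ignored by modern clients
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=IN/O=Example/CN=*.$domain" \
        -keyout Wildcard.key -out Wildcard.csr 2>/dev/null

    # Extensions applied at signing time: SAN for wildcard and apex, no CA bit
    cat > leaf.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.$domain,DNS:$domain
EOF
    openssl x509 -req -in Wildcard.csr -CA RootCA.pem -CAkey RootCA.key \
        -CAcreateserial -days 825 -sha256 -extfile leaf.ext \
        -out Wildcard.crt 2>/dev/null

    # Chain check: fails unless Wildcard.crt was issued by RootCA.pem
    openssl verify -CAfile RootCA.pem Wildcard.crt >/dev/null
    openssl x509 -in Wildcard.crt -noout -text | grep -A1 'Subject Alternative Name'
)
```

Copy RootCA.pem (not RootCA.key) into /etc/pki/ca-trust/source/anchors/ as in step 3 above; the CA key never needs to leave the CA directory.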






Linux: full path of a file

Hello,

Sometimes we need the full (absolute) path of a file, and most of the time we build it by hand from pwd plus the filename.

But with a Google search I came across a command named readlink.


readlink -f filename.txt

It prints the complete path of the file, with the filename appended to it.

linuxmen@linuxmen-fresh:~/test/test1$ readlink -f ex4.js
/home/linuxmen/test/test1/ex4.js
linuxmen@linuxmen-fresh:~/test/test1$  

Note: make sure you are in the same directory as the file; otherwise give the relative path to the file.

Hope it helps

Suspended Jobs vs Running jobs in Linux

Background job: a job running in the background in the same shell. You can use the bg command to see any background jobs.
Foreground job: a job running in the same shell, right in front of your eyes.
Suspended job: a stopped/paused job that you can resume.
Let me explain very clearly with an example:
virt00# sleep 180
^Z
zsh: suspended  sleep 180
virt00# jobs
[1]  + suspended  sleep 180
virt00# bg
[1]  + continued  sleep 180
virt00# fg
[1]  + running    sleep 180
^Z
zsh: suspended  sleep 180
virt00# jobs
[1]  + suspended  sleep 180
virt00#
I started a job named sleep 180, then stopped it with CTRL+Z. Right now my job is in suspended mode.
I can see it by typing the jobs command. Now I want to resume it in the background, so I typed the bg command; it moves from the suspended state to the running state, but runs in the background.
Now I typed the fg command to bring it to the foreground; the job won't get stopped, but it will be pulled from the background jobs queue and pushed into the foreground jobs queue.
So yes, background jobs and foreground jobs are always in the running state.

Deny SSH access to particular users

We all know SSH is the most popular and the best service for remote access.

Today I am going to show how to block, or allow only, particular users or groups for SSH access.

Open the sshd_config file for your environment;

on Debian:

vim /etc/ssh/sshd_config


Then add the line below to allow access only for the listed users:

AllowUsers username1 username2


To deny access only for the listed users, add a line such as:

DenyUsers username1 username2


In the same way, for groups:

AllowGroups group1 group2


and to deny groups:

DenyGroups group1 group2


But there is something very important you have to follow here: the order in which they are mentioned.

From the sshd_config man page:

    The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

So mention DenyUsers first and then AllowUsers; only then will it work, and the same goes for DenyGroups and AllowGroups.
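Added example, not from the original post: a shell model of the evaluation order quoted above, with constructed directive values, so the effect of a proposed AllowUsers/DenyUsers/AllowGroups/DenyGroups set can be checked for a given user before it is deployed. sshd applies this order to the directives however they are placed in the file; user@host patterns are not modelled here.

```shell
#!/bin/sh
# Added example, not from the original post: a small shell model of how sshd
# evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups, in that order,
# so a proposed config can be reasoned about before it is deployed. Patterns
# use * and ? as in sshd_config; user@host forms are not modelled.
set -euf    # -f: keep patterns such as guest* from expanding against the cwd

# The four directives, using constructed sample values
DenyUsers="baduser guest*"
AllowUsers="alice bob ops-*"
DenyGroups="contractors"
AllowGroups="wheel ops"

# matches NAME "PATTERN LIST": 0 if any pattern in the list matches NAME
matches() {
    name="$1"
    for pat in $2; do
        case "$name" in $pat) return 0 ;; esac
    done
    return 1
}

# any_group "GROUP LIST" "PATTERN LIST": 0 if any group matches any pattern
any_group() {
    for g in $1; do
        matches "$g" "$2" && return 0
    done
    return 1
}

# ssh_access USER "GROUP LIST": prints allow or deny and returns 0 or 1.
# Each step mirrors sshd: a Deny match refuses; a non-empty Allow list with
# no match refuses; only then are the group directives consulted.
ssh_access() {
    user="$1"; groups="$2"
    if [ -n "$DenyUsers" ] && matches "$user" "$DenyUsers"; then
        echo deny; return 1
    elif [ -n "$AllowUsers" ] && ! matches "$user" "$AllowUsers"; then
        echo deny; return 1
    elif [ -n "$DenyGroups" ] && any_group "$groups" "$DenyGroups"; then
        echo deny; return 1
    elif [ -n "$AllowGroups" ] && ! any_group "$groups" "$AllowGroups"; then
        echo deny; return 1
    fi
    echo allow
}
```

With these values a user in the wheel group who is not listed in AllowUsers is still refused, which is the lockout to watch for when AllowUsers and AllowGroups are combined.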

Hope it helps.



grep: unknown device method

Today while using the grep command via Rundeck I ran into the error grep: unknown device method.

The reason I hit this error is that I had a '-' in my search pattern.

I mean the search included:

grep "-search.this" /path/to/file


Then you may get this error from grep. So remove the '-' from the pattern and repeat your search:

grep "search.this" /path/to/file
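Added example (not from the original post), using a constructed input file: the pattern can keep its leading '-' if it is passed with -e or after --, and dropping the dash as above changes what the search matches.

```shell
#!/bin/sh
# Added example, not from the original post: a pattern that starts with '-'
# is read by grep as an option. Passing it with -e (or after --) keeps the
# dash in the pattern, whereas dropping the dash, as the post suggests,
# changes what is matched. The input file is constructed here.
set -eu

SAMPLE=$(mktemp)
printf '%s\n' 'id=7 -search.this hit' 'plain search.this line' 'nothing here' > "$SAMPLE"

# count_with_dash: lines containing the literal text "-search.this"
count_with_dash() {
    grep -c -e '-search.this' "$SAMPLE"
}

# count_without_dash: the post's workaround (pattern given after --);
# it also matches the second line, which has no dash
count_without_dash() {
    grep -c -- 'search.this' "$SAMPLE"
}
```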


Hope that helps.





Extract log efficiently by using sed

Modifying the log-pulling command that uses sed.

Old command that I used for log extraction:

sed -nre '/12:23:12/,/12:24:12/ p' logfile > /tmp/somelog.txt

But this matches the two given timestamps anywhere in the log file, sometimes in the middle of a line, which obviously gives log output that is not what I need.

So now we modify the sed command to look only at lines starting with the timestamp.
It pulls the log lines if the timestamp is at the beginning of the line; otherwise it won't pull any.

sed -nre '/^12:23:12/,/^12:24:12/ p' logfile > /tmp/somelog.txt

Note: if you want to check whether the given timestamp exists at the start of a line,
you can use

grep -m 5 '^12:23:12' server.log

The command above stops after the first 5 matches, so you can confirm the presence of the
given timestamp in the log file.
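Added example, not from the original post: a constructed log in which an earlier line mentions 12:23:12 mid-line, showing how many lines each form of the sed range returns, plus the line-start check from the note above.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed log in which one
# earlier line mentions 12:23:12 mid-line, to show why the ^ anchors matter,
# plus a check that the start stamp really opens a line. Without that check
# an absent start stamp prints nothing and an absent end stamp prints to EOF.
set -eu

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
12:20:00 INFO  job scheduled for 12:23:12
12:22:59 INFO  still waiting
12:23:12 INFO  job started
12:23:40 WARN  retrying
12:24:12 INFO  job finished
12:25:00 INFO  idle
EOF

# The post's old command: the range opens at the first line that contains
# the stamp anywhere, here the "scheduled for" line, so two extra lines leak in
extract_unanchored() { sed -n '/12:23:12/,/12:24:12/p' "$LOG"; }

# The fixed command: only a line that begins with the stamp opens or closes it
extract_anchored() { sed -n '/^12:23:12/,/^12:24:12/p' "$LOG"; }

# stamp_starts_line HH:MM:SS: 0 if some line begins with that stamp
stamp_starts_line() { grep -q -m 1 "^$1" "$LOG"; }

# line counts for both variants (5 vs 3 for the constructed log above)
lines_unanchored() { extract_unanchored | wc -l | tr -d ' '; }
lines_anchored() { extract_anchored | wc -l | tr -d ' '; }
```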

For more information, please refer to the sed man page.

Hope it will help you.


Fix conky hiding

I installed and got a conky script, but after the system starts it hides automatically, and the only time I can see it is while shutting down.

So I googled and found a solution that fixed my problem.

Open your conkyrc file, a hidden file in your home directory, with

$ vim  .conkyrc

or

$ vim ~/.conkyrc

Find the area with the lines below and set the configuration as shown.

own_window yes
own_window_class Conky
own_window_type normal
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager 
own_window_transparent yes


Then save and exit from your conkyrc file.

Then we have to reload conky with the updated configuration, so all you have to do is kill conky and start it again.

So in your terminal, as the root user, run

# killall conky & conky

or

$ su -c " killall conky & conky"

 
I hope that will help you.







Use Wget for downloading from FTP with username and Password

Hi, we all know we can use wget to download files from the command line.

Downloading files from FTP works too, but to find the username and password options you have to scroll through the man page a lot.


wget --user <username> --password <password> ftp://xxx.xxx.xxx.xxx/dir/file/download


To resume a partial download:

wget -c --user <username> --password <password> ftp://xxx.xxx.xxx.xxx/dir/file/download

How to Download Total website by using Wget



If you would like to download the pages of a whole website, you can do it with wget.
wget is a command-line download manager, installed by default on almost all Linux operating systems.
Syntax

wget -rkp -l3 -np -nH --cut-dirs=1 [URL]



Example

wget -rkp -l3 -np -nH --cut-dirs=1 http://ss64.com/bash/aspell.html

DD Command Usage



*Example use of the dd command to create an ISO disk image from a CD-ROM:
dd if=/dev/cdrom of=/home/sam/myCD.iso bs=2048 conv=sync

*Using dd to wipe an entire disk with random data:
dd if=/dev/urandom of=/dev/hda

*Using dd to clone a hard disk to another hard disk:
dd if=/dev/ad0 of=/dev/ad1 bs=1M conv=noerror

*Duplicate a disk partition as a disk image file on a remote machine over a secure ssh connection:
dd if=/dev/sdb2 | ssh user@host "dd of=/home/user/partition.image"

*Overwrite the first 512 bytes of a file with null bytes:
dd if=/dev/zero of=path/to/file bs=512 count=1 conv=notrunc

*To duplicate a disk partition as a disk image file on a different partition:
dd if=/dev/sdb2 of=/home/sam/partition.image bs=4096 conv=noerror

*Create a 1 GiB file containing only zeros (bs=blocksize, count=number of blocks):
dd if=/dev/zero of=file1G.tmp bs=1M count=1024

*To zero out a drive:
dd if=/dev/zero of=/dev/sda

*To make sure that the drive is really zeroed out:
dd if=/dev/sda | hexdump -C | head

*To duplicate the first 2 sectors of the floppy:
dd if=/dev/fd0 of=/home/sam/MBRboot.image bs=512 count=2

*To create an image of the entire master boot record (including the partition table):
dd if=/dev/sda of=/home/sam/MBR.image bs=512 count=1

*To create an image of only the boot code of the master boot record (without the partition table):
dd if=/dev/sda of=/home/sam/MBR_boot.image bs=446 count=1

*To run a drive benchmark and analyze read and write performance:
dd if=/dev/zero bs=1024 count=1000000 of=/home/sam/1Gb.file
dd if=/home/sam/1Gb.file bs=64k | dd of=/dev/null

*To make a file of 100 random bytes:
dd if=/dev/urandom of=/home/sam/myrandom bs=100 count=1

*To convert a file to uppercase (write to a new file: using the same name for if= and of= truncates the input before it is read):
dd if=filename of=filename.upper conv=ucase

*To search the system memory:
dd if=/dev/mem | hexdump -C | grep 'some-string-of-words-in-the-file-you-forgot-to-save-before-you-hit-the-close-button'

*Image a partition to another machine:
On the source machine: dd if=/dev/hda bs=16065b | netcat <target-host> 1234
On the target machine: netcat -l -p 1234 | dd of=/dev/hdc bs=16065b

*Create a 1 GiB sparse file or resize an existing file to 1 GiB without overwriting:
dd if=/dev/zero of=mytestfile.out bs=1 count=0 seek=1G

*To copy the MBR
MBR total size: 446 + 64 + 2 = 512 bytes, where
446 bytes - bootstrap code
64 bytes - partition table
2 bytes - signature (magic number)
*Type the dd command as follows:
dd if=/dev/sda of=/dev/sdb bs=512 count=1

*dd command for two disks with different-size partitions (back up the MBR of sda):
# dd if=/dev/sda of=/tmp/mbrsda.bak bs=512 count=1

*Now to restore the image to any sdb:
# dd if=/tmp/mbrsda.bak of=/dev/sdb bs=446 count=1

*Linux sfdisk Command Example
The Linux sfdisk command can make a backup of the primary and extended partition table as follows.
It creates a file that can be read in a text editor, or that sfdisk can use to restore the primary/extended partition table.
To back up the partition table of /dev/sda, enter:
# sfdisk -d /dev/sda > /tmp/sda.bak

*To restore, enter:
# sfdisk /dev/sda < /tmp/sda.bak

*Task: Restore MBR and Extended Partitions Schema
To restore the MBR and the extended partitions, copy the backup files from the backup media and enter:
# dd if=backup-sda.mbr of=/dev/sda
# sfdisk /dev/sda < backup-sda.sfdisk
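Added example, not from the original post: the 446 + 64 + 2 layout above applied with dd's bs/skip/count on a constructed 512-byte image, with a check of the 0x55AA boot signature that is worth running on any MBR backup before it is written back with dd.

```shell
#!/bin/sh
# Added example, not from the original post: uses dd's bs/skip/count to split
# a 512-byte MBR image into the three regions listed above (446-byte boot
# code, 64-byte partition table, 2-byte signature) and checks the 0x55AA
# signature before such a backup is ever written back with dd. The image is
# constructed here; no real disk is read.
set -eu

IMG=$(mktemp)
dd if=/dev/zero of="$IMG" bs=510 count=1 2>/dev/null   # 446 + 64 zero bytes
printf '\125\252' >> "$IMG"                             # 0x55 0xAA signature

# region_bytes boot|table|sig: size of the region dd extracts with bs=1
region_bytes() {
    case "$1" in
        boot)  skip=0;   count=446 ;;
        table) skip=446; count=64 ;;
        sig)   skip=510; count=2 ;;
        *)     echo "unknown region: $1" >&2; return 1 ;;
    esac
    dd if="$IMG" bs=1 skip="$skip" count="$count" 2>/dev/null | wc -c | tr -d ' '
}

# signature_hex: the last two bytes as lowercase hex, "55aa" for a valid MBR
signature_hex() {
    dd if="$IMG" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# mbr_is_valid: 0 when the image is exactly 512 bytes and ends in 55aa
mbr_is_valid() {
    [ "$(wc -c < "$IMG" | tr -d ' ')" -eq 512 ] && [ "$(signature_hex)" = 55aa ]
}
```

Point IMG at a real backup such as /tmp/mbrsda.bak to run the same checks on it; a file that is not 512 bytes or lacks 55aa is not an MBR image and should not be restored with count=1 bs=512.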

*Example 1. Backup Entire Harddisk
To back up an entire hard disk to another hard disk connected to the same system, execute the dd command as shown below.
In this dd command example, the device name of the source hard disk is /dev/sda, and the device name of the target hard disk is /dev/sdb.
# dd if=/dev/sda of=/dev/sdb
"if" represents the input file, and "of" represents the output file. So an exact copy of /dev/sda will be available on /dev/sdb.
If there are any read errors, the above command will fail. If you give the parameter "conv=noerror", it will continue to copy despite read errors.
The input file and output file should be specified very carefully: if you put the source device in the target and vice versa, you may lose all your data.
In the hard-disk-to-hard-disk copy below, the sync option allows you to copy everything using synchronized I/O.
# dd if=/dev/sda of=/dev/sdb conv=noerror,sync

*Example 2. Create an Image of a Hard Disk
Instead of taking a backup of the hard disk onto another disk, you can create an image file of the hard disk and save it on other storage devices.
There are many advantages to backing up your data to a disk image, one being ease of use.
This method is typically faster than other types of backup, enabling you to quickly restore data after an unexpected catastrophe.
# dd if=/dev/hda of=~/hdadisk.img
The above creates an image of the hard disk /dev/hda. Refer to our earlier article "How to view initrd.image" for more details.

*Example 3. Restore using Hard Disk Image
To restore a hard disk from the image file of another hard disk, use the following dd command example.
# dd if=hdadisk.img of=/dev/hdb
The file hdadisk.img is the image of /dev/hda, so the above command restores the image of /dev/hda to /dev/hdb.

*Example 4. Creating a Floppy Image
Using the dd command, you can create a copy of a floppy very quickly. For the input file, give the floppy device location, and for the output file, give the name of your floppy image file as shown below.
# dd if=/dev/fd0 of=myfloppy.img
*Example 5. Backup a Partition
You can use the device name of a partition as the input file, and as the output you can specify either a target device or an image file, as shown in the dd command example below.
# dd if=/dev/hda1 of=~/partition1.img

*Example 6. CDROM Backup
The dd command allows you to create an ISO file from a source device. So we can insert the CD and run dd to create an ISO file of the CD's content.
# dd if=/dev/cdrom of=tgsservice.iso bs=2048
dd reads one block of input, processes it and writes it to the output file. You can specify the block size for the input and output files. In the dd command above, the parameter "bs" specifies the block size for both the input and the output, so dd uses 2048 bytes as the block size.
Note: if the CD is auto-mounted, it is always good to unmount the CD device before creating an ISO image with dd, to avoid any unnecessary access to the CD-ROM.

I/O Redirection in Linux

Three types of I/O redirection in Linux:

1. stdin         <
2. stdout       >
3. stderr       2>

Examples: 

1. # date > file1.txt
    Redirects the output of the date command to the file file1.txt.

2. # cal >> file1.txt
    Redirects the output of the cal command to file1.txt. Note that the output of cal is appended to file1.txt: > replaces the content, whereas >> appends to it.

3. # tr '[a-z]' '[A-Z]' < file1.txt
    Translates all lowercase letters in file1.txt to uppercase. Here we give file1.txt as input to the command using <; tr reads only from stdin, so the file is not passed as an argument.

4. $ find / -name linux 2> out_error.txt
    Here a normal user is trying to find a file or folder named "linux" under the root file system (/). A normal user doesn't have permission for every location under /, so the command above prints the found results as well as some errors.
    We can redirect the error messages to the file out_error.txt so that only the found results are displayed.
    We can instead use > out_results.txt to capture only the found results in a file and leave the errors displayed on the screen.

5. $ find / -name linux > out_all.txt 2>&1
     The construct "2>1" redirects the stderr messages as stdout (but not to a file). The construct "2>&1" does the same, but the & indicates the output will be stored in a file. So both the found results and the error messages are stored in the file out_all.txt.
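Added example, not from the original post: a constructed command that writes to both stdout and stderr, run under the redirection forms from examples 1, 4 and 5 above, and also under "2>&1 > file" to show that the order of the two redirections changes what reaches the file.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed command that writes
# one line to stdout and one to stderr, run under each redirection form from
# the list above, to show what ends up in the file. It also shows that
# "2>&1 > file" is not the same as "> file 2>&1": redirections apply left to
# right, so stderr must be pointed at the file *after* stdout is.
set -eu

# both_streams: "out" on stdout, "err" on stderr
both_streams() { echo out; echo err >&2; }

# captured MODE: runs both_streams under one redirection form and returns the
# lines that landed in the file, joined by spaces
captured() {
    f=$(mktemp)
    case "$1" in
        stdout_only) both_streams  > "$f" 2>/dev/null ;;         # example 1
        stderr_only) both_streams 2> "$f" >/dev/null ;;          # example 4
        both)        both_streams  > "$f" 2>&1 ;;                # example 5
        wrong_order) { both_streams 2>&1 > "$f"; } >/dev/null ;; # stderr misses the file
        *)           echo "unknown mode: $1" >&2; return 1 ;;
    esac
    paste -s -d ' ' "$f"
    rm -f "$f"
}
```

In the wrong_order case "err" goes wherever stdout pointed at that moment (here /dev/null), so a log captured with "2>&1 > file" silently loses its error lines.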