[OpenSSL] Generate a self-signed SSL certificate

First, let's generate an RSA key for the server:

openssl genrsa -out server.key 2048

Next, for a “true” (CA-issued) certificate, we would have to generate a certificate signing request (CSR) and send it to the CA.
But for a self-signed certificate, we can generate the certificate directly like this:

openssl req -new -x509 -days 3650 -key server.key -out server.crt

Here we generate an X.509 certificate valid for ten years (without -x509, openssl req would only produce a CSR and ignore -days). You don’t have to answer any question besides “Common Name (eg, YOUR name)”. The correct value is the domain name you are going to use the certificate for.
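As an added example (not part of the original note), the same two steps run from Python without prompts, followed by the checks I would do on the result: that the subject CN is what was asked for, that the certificate really is self-signed, and that it matches the key. It assumes openssl is on PATH; www.example.test is a constructed name.

```python
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args: str) -> str:
    """Run an openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def gen_selfsigned(outdir: Path, cn: str, days: int = 3650):
    """Generate server.key and a self-signed server.crt, like the note above."""
    key, crt = outdir / "server.key", outdir / "server.crt"
    _openssl("genrsa", "-out", str(key), "2048")
    # -x509 makes req emit a certificate instead of a CSR; -subj skips the prompts
    _openssl("req", "-new", "-x509", "-days", str(days), "-key", str(key),
             "-subj", f"/CN={cn}", "-out", str(crt))
    return key, crt


def cert_subject_cn(crt: Path) -> str:
    """Extract the CN; handles 'subject=CN = x' (1.1+/3.x) and 'subject= /CN=x' (1.0)."""
    subj = _openssl("x509", "-in", str(crt), "-noout", "-subject").strip()
    return subj.split("CN")[-1].lstrip(" =").split(",")[0].split("/")[0].strip()


def is_self_signed(crt: Path) -> bool:
    """A self-signed certificate must validate with itself as the only trust anchor."""
    r = subprocess.run(["openssl", "verify", "-CAfile", str(crt), str(crt)],
                       capture_output=True)
    return r.returncode == 0


def key_matches_cert(key: Path, crt: Path) -> bool:
    """Compare the public key inside the private key file with the one in the cert."""
    from_key = _openssl("pkey", "-in", str(key), "-pubout")
    from_crt = _openssl("x509", "-in", str(crt), "-noout", "-pubkey")
    return from_key == from_crt


def demo() -> dict:
    """Generate into a temporary directory and report the three checks."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = gen_selfsigned(Path(d), "www.example.test")
        return {"cn": cert_subject_cn(crt),
                "self_signed": is_self_signed(crt),
                "key_matches": key_matches_cert(key, crt)}


if __name__ == "__main__":
    print(demo())
```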

HTTP return codes

  • 200 : request completed
  • 201 : object created, reason = new URI
  • 202 : async completion (TBS)
  • 203 : partial completion
  • 204 : no info to return
  • 205 : request completed, but clear form
  • 206 : partial GET fulfilled
  • 300 : server couldn’t decide what to return
  • 301 : object permanently moved
  • 302 : object temporarily moved
  • 303 : redirection w/ new access method
  • 304 : if-modified-since was not modified
  • 305 : redirection to proxy, location header specifies proxy to use
  • 307 : HTTP/1.1: keep same verb
  • 400 : invalid syntax
  • 401 : access denied
  • 402 : payment required
  • 403 : request forbidden
  • 404 : object not found
  • 405 : method is not allowed
  • 406 : no response acceptable to client found
  • 407 : proxy authentication required
  • 408 : server timed out waiting for request
  • 409 : user should resubmit with more info
  • 410 : the resource is no longer available
  • 411 : the server refused to accept request w/o a length
  • 412 : precondition given in request failed
  • 413 : request entity was too large
  • 414 : request URI too long
  • 415 : unsupported media type
  • 500 : internal server error
  • 501 : required functionality not supported
  • 502 : error response received from gateway
  • 503 : temporarily overloaded
  • 504 : timed out waiting for gateway
  • 505 : HTTP version not supported

[Cisco] IOS – “Diff” running-config

Sometimes people make changes on switches and forget to use the write command. Then you log in, make your changes, and before running wr type the following:

show archive config differences nvram:startup-config system:running-config

Because you’re a conscientious admin 😉
Lines preceded with “+” are only found in the running-config. Lines preceded with “-” are in the startup-config but absent from the running-config.

[DRAC] Access through an SSH tunnel

In order to access all DRAC features through an SSH tunnel, you need to forward TCP ports 443, 5900 and 5901:

# sudo ssh -L 443:10.10.22.167:443 -L 5900:10.10.22.167:5900 -L 5901:10.10.22.167:5901 root@foobar_vm.foo.fr

[Apache] LogFormat with X-Forwarded-For

If you run Apache behind a reverse proxy, %h only ever logs the proxy’s address, so you need to modify the combined log format to use the X-Forwarded-For header. Simply replace:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

by

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
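As an added example (not from the original note), a parser for lines written by the modified format above, whose first field is the raw X-Forwarded-For header. The header is a comma-separated chain to which each proxy appends the address it saw, so the client can plant arbitrary values at its left end; the example walks the chain from the right, skipping our own proxies, to find the real client. It assumes the reverse proxies live in 10.0.0.0/8; the log lines are constructed.

```python
import ipaddress
import re
from typing import Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed proxy range

# Same field order as the LogFormat above; %t is logged inside [ ].
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: line 2 carries a spoofed 198.51.100.9 sent by the client,
# then the real client 203.0.113.7 appended by the first proxy, then that
# proxy's address appended by the second one.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.9, 203.0.113.7, 10.0.0.2 - alice [10/Oct/2008:13:55:37 +0200] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.19"
not-an-ip - - [10/Oct/2008:13:55:38 +0200] "GET / HTTP/1.1" 200 12 "-" "-"
"""


def client_ip(xff: str) -> Optional[str]:
    """Right to left, drop our own proxies; the first other address is the client.
    Anything further left was supplied by the client itself and is untrusted."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None                      # not an address: injected garbage
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None                              # only our own proxies in the chain


def parse_log(text: str) -> list:
    """Parse every well-formed line into a dict and add the derived client address."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # malformed line; worth counting in real use
        rec = m.groupdict()
        rec["client"] = client_ip(rec["xff"])
        records.append(rec)
    return records
```

Because %h is gone from this format, the connecting proxy's own address is no longer recorded; keeping %h as an extra field lets you confirm the peer really was one of your proxies before trusting the header at all.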

How to add/remove/change route

The route command is used to show and manipulate the IP routing table. It is primarily used to set up static routes to specific hosts or networks via an interface.

Display existing routes

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.2.8.1        0.0.0.0         UG    0      0        0 eth0
10.2.8.0        *               255.255.252.0   U     0      0        0 eth0
10.10.16.0      10.10.32.53     255.255.240.0   UG    0      0        0 tun0

Change default gateway

# route del default
route add default gw 10.2.0.4

Add a route for a given network

route add -net 172.17.255.0/24 gw 195.54.62.1

Remove a route for a given network

route del -net 172.17.255.0/24 gw 195.54.62.1

Reject routing for a given network

route add -net 192.168.1.0/24 reject

[Debian] Installing APC

APC is a PHP accelerator (like eAccelerator or XCache) dedicated to PHP5. It can reduce PHP script runtime by a factor of 5 to 10. Unfortunately it’s not packaged in Debian Etch, but you can still install it easily from PEAR’s repositories.

Install PEAR

aptitude install php-pear
aptitude install php5-dev apache2-prefork-dev build-essential

Install APC module

pecl install apc

PEAR configuration

vi /etc/php5/conf.d/apc.ini
extension=apc.so
apc.enabled=1
apc.shm_size=30

Adapt the values to your applications’ requirements, then restart Apache. You can check that APC is correctly loaded by creating a page containing a phpinfo(); call.

[Debian] Error: subprocess post-removal script returned error exit status xx

This error message may appear if you are unlucky enough to install a damaged or badly designed package and then try to remove it. Now that your package manager is “stuck”, you must fix the situation by hand.

Go to the directory /var/lib/dpkg/info and list every script related to the faulty package: ls <package_name>.*

Depending on the precise error, modify the appropriate script (prerm or postrm). Sometimes changing /bin/sh -e to /bin/sh is enough. Other times you must comment out the ‘faulty’ line. Worst case, place an exit 0 on the second line.

Debian OpenSSL vulnerability

In May 2008 a bug was discovered in the Debian OpenSSL package which affected the seeding of the random number generator. Any SSH keys generated on affected systems should be considered “insecure”. That doesn’t mean an attacker could immediately guess your private key, but because there was significantly less entropy during key generation, the key space was significantly reduced, making a brute-force attack feasible.

ssh-vulnkey

A new tool was added to OpenSSH after this event: ssh-vulnkey. It checks whether a key belongs to the reduced “key pool”. If the result is positive you must immediately regenerate a new key on an up-to-date server. Note also that security updates for all distributions have been released to blacklist the vulnerable keys.
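As an added illustration of the principle behind such a check (this is not the ssh-vulnkey source), the public-key blob from an id_rsa.pub line is decoded, fingerprinted with MD5, and looked up in a set of known-weak fingerprints. The keys and the blacklist are constructed toy values; storing the last 20 hex digits of the MD5 fingerprint is an assumption modelled on the openssh-blacklist files.

```python
import base64
import hashlib
import struct
from typing import Dict, Iterable, Set


def _string(s: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def _mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian with a leading 0x00 when the top bit is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' public-key line from toy (e, n) values."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def key_blob(line: str) -> bytes:
    """Decode the base64 blob of an id_rsa.pub / authorized_keys line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != b"ssh-rsa":          # type inside the blob must agree
        raise ValueError("key type inside blob does not match")
    return blob


def md5_fingerprint(blob: bytes) -> str:
    """The MD5-of-blob fingerprint ssh-keygen -l showed at the time."""
    return hashlib.md5(blob).hexdigest()


def is_blacklisted(line: str, blacklist: Set[str]) -> bool:
    """Assumed blacklist entry format: last 20 hex digits (80 bits) of the fingerprint."""
    return md5_fingerprint(key_blob(line))[-20:] in blacklist


def check_keys(lines: Iterable[str], blacklist: Set[str]) -> Dict[str, str]:
    """Map each key's comment field to a verdict."""
    return {l.split()[-1]: ("COMPROMISED" if is_blacklisted(l, blacklist)
                            else "Not blacklisted") for l in lines}
```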

Further Reading and sources

[Gnome] Enable metacity compositing

Metacity, the official GNOME window manager, has limited compositing support. You can activate it like this:

gconftool-2 -s '/apps/metacity/general/compositing_manager' --type bool true

This is very useful if you want to use a dock like AWN without switching to something more eye-candy and resource-hungry like Beryl.