Jul 9, 2013

How To Generate A CSR in Linux Using OpenSSL

[Image: Cryptographically secure pseudorandom number g... (Photo credit: Wikipedia)]
One of the main points of Bauer-Power is that it is my own personal knowledge base. I can't remember everything, so I will often write up a how-to here on Bauer-Power so I can easily go back later and look it up in one place. That is what this post is about.

I occasionally have to use SSL on Apache web servers in Linux, but I don't do it often enough that I remember all of the OpenSSL commands that I need to get things done. For instance, the command needed to generate a Certificate Signing Request (CSR) that I can use to obtain an SSL certificate from a third party certificate authority (CA).

That command is:
openssl req -nodes -newkey rsa:4096 -keyout SSL.key -out SSL.csr
That will start off some prompts that you can fill out to generate your private key file, as well as the CSR you will need to get a certificate from your third party SSL provider.

Note, you can change the bits number to 2048 or 1024 if you want; I prefer a stronger RSA key though. You can also change the names of the key and CSR file to whatever you want.
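The same command run non-interactively, plus the checks worth doing before the CSR goes to a CA. This is an added example, not code from the original post: the subject fields, the host name and the csr.cnf file name are placeholders to replace, and the key and CSR file names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key and CSR from the
# post without prompts, then verify the result before sending it to the CA.
# Subject fields, host name and the csr.cnf file name are assumed placeholders.
set -eu

gen_csr() {
    host="$1"; outdir="$2"; bits="${3:-4096}"
    # prompt = no makes openssl read the subject from this file instead of asking;
    # req_extensions adds a subjectAltName, which browsers require alongside the CN
    cat > "$outdir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
ST = California
L = San Diego
O = Example Org
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    # -nodes leaves the private key unencrypted on disk, so restrict its mode to 0600
    ( umask 077 && openssl req -nodes -newkey "rsa:$bits" -sha256 \
        -config "$outdir/csr.cnf" \
        -keyout "$outdir/SSL.key" -out "$outdir/SSL.csr" 2>/dev/null )
}

verify_csr() {
    # the CSR is self-signed with the new key; a failed check means a corrupt file
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

key_matches_csr() {
    # a certificate issued from this CSR only works with the key that produced it,
    # so compare the RSA modulus of the kept key ($1) with the one in the CSR ($2)
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

csr_subject() {
    # print the subject the CA will see, to eyeball before submitting
    openssl req -in "$1" -noout -subject
}

# usage: gen_csr www.example.test /etc/ssl/private && verify_csr /etc/ssl/private/SSL.csr
```

The key stays on the server; only SSL.csr is sent to the CA. Generating a 4096-bit key takes a few seconds, which is why the bit size is a parameter.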

Anyway, if you already knew how to do this, awesome! Like I said, this post is mainly for me :-P

Jul 8, 2013

Fix Untrusted Chain Issue With Firefox and GnuTLS

I have GnuTLS set up on numerous Apache web servers. It's just better than OpenSSL because with GnuTLS I can use the more secure TLSv1.1 or TLSv1.2. The only problem I've had with it, until now, is that it's trusted by every browser I've used with the exception of Firefox.

When I browse to one of my GnuTLS enabled sites in Firefox I get an error saying "The certificate is not trusted because no issuer chain was provided."


In the Apache config files using OpenSSL it's easy: you can specify a chain file, but in GnuTLS you can't. There is a way of making it work though.

Just open your server certificate with your favorite text editor, and open the intermediate certificate in another text editor, then copy the contents of the intermediate certificate to the end of your server certificate and save it. Restart Apache and you should be right as rain now!

If you are doing this on your server, you can append the intermediate cert to the end of your server cert by running the following command:
cat intermediate.crt >> server.crt
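The one thing a bare cat >> gets wrong is a server certificate file without a trailing newline: the END marker of the first block and the BEGIN marker of the second fuse onto one line, and GnuTLS will not parse the second certificate. The following added example (not from the original post) builds the combined file into a new file so the original is kept, keeps the order the post describes (server cert first, then its issuer) and checks the result; the file names are assumed, and verify_chain assumes you also have the CA's root certificate on disk.

```shell
#!/bin/sh
# Added example (not from the original post): combine server and intermediate
# certificates the way the post describes, guarding against a missing trailing
# newline, and sanity-check the result. File names are assumed placeholders.
set -eu

cert_count() {
    # number of PEM certificate blocks in a file (0 if none)
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

append_chain() {
    server="$1"; intermediate="$2"; out="$3"
    # order matters: the server certificate must come first, its issuer after it
    cp "$server" "$out"
    # if the server cert has no final newline, add one so the markers stay on separate lines
    if [ -n "$(tail -c 1 "$out")" ]; then
        printf '\n' >> "$out"
    fi
    cat "$intermediate" >> "$out"
    # exactly two blocks expected, and no END/BEGIN markers fused onto one line
    [ "$(cert_count "$out")" -eq 2 ] || return 1
    if grep -q 'CERTIFICATE----------BEGIN' "$out"; then
        return 1
    fi
}

verify_chain() {
    # with the CA's root certificate ($1) at hand, confirm the combined file ($2)
    # really chains up to it; -untrusted supplies the intermediate from the same file
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# usage: append_chain server.crt intermediate.crt server-chained.crt
#        verify_chain root.crt server-chained.crt
```

Point the GnuTLS certificate directive at the combined file and restart Apache, as the post says; re-run append_chain whenever the server certificate is renewed, since the renewal overwrites the combined file's first block.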
If you have any questions, let me know. For some reason there isn't a lot of documentation out there for GnuTLS yet.


Jul 5, 2013

Manage Amavis Spam/AV Quarantine For Free in iRedMail With Amacube

This may very well be my final post about my new anti-NSA Linux email server I set up on an Ubuntu VPS using iRedMail... No seriously, I think this should cover it.

iRedMail is a free Linux package you can use to stand up a really awesome email server that combines Roundcube, Postfix, Dovecot, SpamAssassin, ClamAV, Amavis and others in a matter of minutes. The problem with the free version is that it doesn't allow you to easily manage your spam quarantine. For that, they want you to spend upwards of $600 for iRedMail Pro.

Well if you are on a budget like me, $600 is too much, but I found a free alternative that is pretty easy to use. It takes advantage of the fact that the webmail interface iRedMail uses is Roundcube, which is fairly popular and has many different plugins you can add.

One of those plugins, Amacube, lets users manage their own email spam/virus quarantines!

After it's installed, it puts a little quarantine button in the upper right corner of the Roundcube interface:


Inside the quarantine you can see any messages that have been quarantined and the user can then delete, or release them if they want. I would show you a screen shot, but I deleted the quarantine before I wrote this up.

Anyway, if you want to manage your spam quarantine easily with Roundcube in iRedMail, you don't need to spend $600. Just get the Amacube plugin.

Jul 4, 2013

Get Rid Of The Stupid Landscape Advertisement In Ubuntu Server

I am one of the few people in this world who like to add a little something to my motd in Ubuntu so when I ssh into one of my servers it's a little less boring. I love putting ASCII art in my motd.tail file so I have something fun to look at when I log in.

In fact, here is what it looks like when you login to my email server:



One of the things I don't like is the annoying advertisement for Canonical's Landscape. You know, the string that says, "Graph this data and manage this system at https://landscape.canonical.com/".

I have never used it, and will likely never use it, so stop bugging me about it!

Well, to turn it off without losing the other useful system information, all you need to do is create a client.conf file in /etc/landscape with the following information:
[sysinfo]
exclude_sysinfo_plugins=LandscapeLink
Now with that there, you will get everything you want, and none of the Landscape crap you don't!

[Via Kember]

Jul 3, 2013

Get Off The Free Teat of Gmail, Hotmail and Yahoo by Setting Up Your Own Linux Email Server Using iRedMail



In this final episode of Tech Chop, I talked about how I decided to give up my free Google Apps email account and set up my own email server on an Ubuntu Linux VPS using iRedMail.

As you can see in the video, iRedMail is probably the easiest email server you will ever set up. You basically stand up a plain Ubuntu server with no other applications, then you run the install script from iRedMail, which installs just about everything you need.

I am personally doing this to avoid the NSA's PRISM program, as well as to stop giving Google unfettered access to my private email information that they can then turn over to the feds, or sell to marketers.

Jul 2, 2013

Android Users: Get The NSA Out Of Your Text Messages With TextSecure

Last week I wrote about a really great app for your Android or iPhone that allows you to encrypt phone conversations so the NSA and the other federal alphabet soup guys can't snoop on your conversations. That app was called RedPhone.

Well the makers of RedPhone, WhisperSystems, have another app for Android that does something similar for text messages. It's called TextSecure!

From their Google Play Page:
Like privacy? Secure your SMS/MMS communication with TextSecure. It's that simple.
TextSecure encrypts your text messages over the air and on your phone. It's almost identical to the normal text messaging application, and is just as easy to use.
TextSecure Provides:
  • A secure and private replacement for the default text messaging app.
  • All messages are encrypted locally, so if your phone is lost or stolen, your messages will be safe.
  • Messages to other TextSecure users are encrypted over the air, protecting your communication in transit.
  • TextSecure is Free and Open Source, enabling anyone to verify its security by auditing the code.
TextSecure is the only Android private SMS/MMS messenger replacement that uses open source peer-reviewed cryptographic protocols to keep your messages safe. Rather than simply pretending to hide your texts by putting them in another place, TextSecure uses cryptography to ensure that they remain truly secure.
Up until now I have been using Google Voice for everything, especially since they have Sprint integration. Well, I ended that last week and switched over to TextSecure. Now Google, who has given backdoor access to the NSA through PRISM, doesn't have unfettered access to my text message archive. At the very least, now Google can't sell information found in my text messages to marketers.

If I'm texting others with TextSecure, my messages are stored encrypted, and sent encrypted so the NSA can't snoop the content of our conversation.

If I am texting those who don't value their rights, sure the NSA can snoop that off the wire, but at least my messages are stored using encryption on my phone. I guess you can't win them all.

So far this app is only available on Android. If you know of another application that has an iPhone counterpart, or one that is compatible with TextSecure, let me know in the comments.

Jul 1, 2013

Configure Postfix and Dovecot SSL Settings For PCI Compliance

Yes, this is yet another post on my Linux email server that I am using to get off of Google's teat, and of course avoid the NSA's PRISM program.

As a part of setting up my email server I wanted to lock it down well enough that it would pass a Payment Card Industry (PCI) security scan from a PCI authorized auditor like Comodo's HackerGuardian. My reasoning is that if I can pass a scan that banks and credit card companies use to evaluate their security against hackers, it's probably the best one can do against the NSA.

I am very familiar with locking down regular websites. After all, it's a part of what I do for my day job. I've even written about how to configure SSL on Apache for PCI compliance, as well as Windows 2008R2 and Windows 2003.

Well, with my email server I also had to configure SSL encryption for SMTP and IMAP using Postfix and Dovecot respectively. It took a while because I didn't see a lot of documentation online on how to do it, but I finally figured it out.

For Postfix (/etc/postfix/main.cf), use these settings for SSL/TLS:
smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file = /etc/path/to/private.key
smtpd_tls_CAfile = /etc/path/to/ca-bundle.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext

For Dovecot (/etc/dovecot/dovecot.conf), use these settings for SSL/TLS:
ssl = required
verbose_ssl = no
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_ca = </etc/path/to/ca-bundle.crt
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
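A small lint for the Postfix and Dovecot TLS settings above, as an added example that is not from the original post. It reads the "key = value" syntax both daemons use and reports the settings a PCI scan fails on, which is useful to run before paying for a scan. One caveat it encodes: PCI DSS has not accepted SSLv3 since POODLE (2014), so the 2013 value SSLv3 in smtpd_tls_protocols is reported as a finding today. The file paths and the FAIL/WARN wording are my own.

```shell
#!/bin/sh
# Added example (not from the original post): lint Postfix main.cf and Dovecot
# dovecot.conf TLS settings for the things a PCI scan checks first.
# File paths and the FAIL/WARN message wording are assumptions of this script.
set -eu

conf_value() {
    # print the value of key $2 in file $1 (last definition wins, "" if absent);
    # handles both "key = value" and "key=value", skips comment lines
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            }
        }
        END { print v }' "$1"
}

lint_postfix_tls() {
    f="$1"
    [ "$(conf_value "$f" smtpd_use_tls)" = "yes" ] || echo "FAIL smtpd_use_tls is not yes"
    [ -n "$(conf_value "$f" smtpd_tls_key_file)" ] || echo "FAIL smtpd_tls_key_file not set"
    # Postfix either lists the allowed protocols or excludes some with a leading "!";
    # a bare SSLv2/SSLv3 token means the protocol is enabled
    for tok in $(conf_value "$f" smtpd_tls_protocols | tr ',' ' '); do
        case "$tok" in
            SSLv2|SSLv3) echo "FAIL smtpd_tls_protocols enables $tok" ;;
        esac
    done
    # anonymous (unauthenticated) cipher suites must be excluded explicitly
    case ",$(conf_value "$f" smtpd_tls_exclude_ciphers | tr -d ' ')," in
        *,aNULL,*) ;;
        *) echo "FAIL aNULL not in smtpd_tls_exclude_ciphers" ;;
    esac
    [ "$(conf_value "$f" smtpd_sasl_security_options)" = "noplaintext" ] || echo "FAIL plaintext SASL allowed"
}

lint_dovecot_tls() {
    f="$1"
    [ "$(conf_value "$f" ssl)" = "required" ] || echo "FAIL ssl is not 'required'"
    case ":$(conf_value "$f" ssl_cipher_list):" in
        *:!aNULL:*) ;;
        *) echo "FAIL !aNULL missing from ssl_cipher_list" ;;
    esac
    # protocol control is ssl_protocols (Dovecot 2.1/2.2) or ssl_min_protocol (2.3+);
    # ssl_cipher_list only orders cipher suites and does not disable SSLv3 itself
    for tok in $(conf_value "$f" ssl_protocols); do
        case "$tok" in
            SSLv2|SSLv3) echo "FAIL ssl_protocols enables $tok" ;;
        esac
    done
    if [ -z "$(conf_value "$f" ssl_protocols)" ] && [ -z "$(conf_value "$f" ssl_min_protocol)" ]; then
        echo "WARN neither ssl_protocols nor ssl_min_protocol is set; the protocol floor is the build default"
    fi
}

# usage: lint_postfix_tls /etc/postfix/main.cf; lint_dovecot_tls /etc/dovecot/dovecot.conf
```

Run against the two files from the post, the Postfix check reports the SSLv3 token and the Dovecot check warns that no protocol floor is set; the other settings shown (ssl = required, noplaintext, aNULL excluded) pass.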
That's it! After I made those settings I was able to pass my PCI scan from HackerGuardian:


That's not the only thing you have to worry about, of course. You have to do stuff like hide your PHP version and Apache version as well, but the SSL stuff is usually the hardest to deal with in PCI.

Did this help you out? If so, let us know in the comments.