How to fix SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam), 25 / tcp / smtp, CVE-2015-4000

This is a short version of the guide from here (https://weakdh.org/sysadmin.html).

Generate 2048-bit Diffie-Hellman parameters using openssl:

openssl dhparam -out dhparams.pem 2048

and then reconfigure Postfix.

Postfix SMTP

Both parameters should be set in /etc/postfix/main.cf.

Add

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

Add

smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

Reload configuration

sudo postfix reload

This will fix your Postfix installation and your server will be PCI compliant again.
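To check that a server actually carries the two settings above, here is an added example (my own, not part of the weakdh.org guide or of Postfix) that audits a main.cf for the DH parameter file and the EXPORT cipher exclusion, and reads the modulus size out of a dhparams file with openssl. The directive names and the cipher list are taken from the post; the main.cf fragments written by make_sample_cf are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of the weakdh.org guide or Postfix: audit a main.cf for
# the two Logjam settings and read the modulus size out of a dhparams file.
# Assumes the directive names and cipher list exactly as given in the post.

# check_postfix_dh MAIN_CF
# Exit 0 when MAIN_CF names a DH parameter file AND excludes EXPORT ciphers,
# 1 when smtpd_tls_dh1024_param_file is missing, 2 when EXPORT is not excluded.
check_postfix_dh() {
    cf="$1"
    grep -Eq '^[[:space:]]*smtpd_tls_dh1024_param_file[[:space:]]*=[[:space:]]*[^[:space:]]' "$cf" || return 1
    grep -Eq '^[[:space:]]*smtpd_tls_exclude_ciphers[[:space:]]*=.*[[:space:],]EXPORT([[:space:],]|$)' "$cf" || return 2
    return 0
}

# dh_param_bits DHPARAMS_PEM
# Print the DH modulus size in bits as reported by openssl; prints nothing on failure.
dh_param_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# weak_dh_file DHPARAMS_PEM: exit 0 when the modulus is 1024 bits or smaller
# (the size the scanner flags), 1 when it is larger or cannot be read.
weak_dh_file() {
    bits=$(dh_param_bits "$1")
    [ -n "$bits" ] && [ "$bits" -le 1024 ]
}

# make_sample_cf PATH fixed|vulnerable: write a constructed main.cf fragment.
make_sample_cf() {
    if [ "$2" = fixed ]; then
        cat > "$1" <<'EOF'
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem
EOF
    else
        cat > "$1" <<'EOF'
smtpd_tls_security_level = may
EOF
    fi
}

# Stand-alone run: audit the live configuration when present (read-only).
if [ -r /etc/postfix/main.cf ]; then
    if check_postfix_dh /etc/postfix/main.cf; then
        echo "main.cf: Logjam settings present"
    else
        echo "main.cf: Logjam settings missing (rc=$?)"
    fi
    if [ -r /etc/postfix/dhparams.pem ] && weak_dh_file /etc/postfix/dhparams.pem; then
        echo "dhparams.pem: modulus is 1024 bits or less, regenerate it with 2048"
    fi
fi
```

Run it after the postfix reload; the return code of check_postfix_dh tells you which of the two directives is still missing, and weak_dh_file catches the case where an old 1024-bit dhparams.pem was left in place.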

Linux lsof command. How to use it

lsof is a Linux command whose name stands for LiSt Open Files, and that is exactly what it does.

To get more information you can type

man lsof

info lsof

type lsof

These will give you information which I won't be explaining here, since the manuals cover it; use them!

The lsof program can be used to identify what files are open in a directory, find who’s accessing them, and so on.

As everything in Linux is a file, including network sockets, you can also use this command to display network connections.

The -i parameter selects the listing of all files whose Internet address matches the address specified. If no address is specified, this option selects the listing of all Internet files, i.e. all network connections.

ami@amios:~$ lsof -i
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
ruby    19379  ami    8u  IPv4 4682378      0t0  TCP localhost:45065 (LISTEN)

You can restrict the output of lsof by including an address after the -i option. The address takes the following form:

[46][protocol][@hostname|hostaddr][:service|port]

The digit 4 or 6 represents an IPv4 or IPv6 connection, the protocol is the protocol type (TCP or UDP), and the hostname or hostaddr is the hostname or IP address of the remote system.

ami@amios:~$ lsof -i :ftp

Nothing gets displayed as I am not running an FTP service on my testbed.

Alternatively, you can replace ftp with 21, because 21 is the port number associated with FTP.

ami@amios:~$ lsof -i | grep LISTEN
ruby    19379  ami    8u  IPv4 4682378      0t0  TCP localhost:45065 (LISTEN)

Paging through the raw output (without using grep to search for LISTEN) will provide you with a better idea of your system’s overall network use. You could conceivably spot something suspicious, such as an outgoing network connection to a sensitive computer that the client shouldn’t be contacting. This network activity may indicate active cracking attempts by a user of the client, intrusion by an outsider, or the work of an automated worm or Trojan horse program.

If you identify programs that shouldn’t be running, such as unnecessary servers, you can use the command name, PID, and other information to help shut them down. The preceding section “Disabling Unused Servers” describes how to do this in more detail.

Another use of lsof is in identifying who’s accessing files. This might be handy if you need to unmount a filesystem (including a network filesystem) but can’t because of in-use files, or if you suspect inappropriate activities involving file access.
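Paging through the raw output by hand does not scale, so here is an added example (my own, not part of the original post) that does the two reviews described above with awk: list the listening sockets, and list established connections whose peer is not on an allow-list. It assumes lsof was run as lsof -i -n -P so that addresses and ports are numeric; SAMPLE_LSOF is a constructed sample in that format, using private and documentation address ranges rather than real hosts.

```shell
#!/bin/sh
# Added example, not part of the original post: filter "lsof -i -n -P" output into
# listening sockets and outbound connections to peers outside an allow-list.
# SAMPLE_LSOF is constructed (numeric addresses, as -n -P prints them); the
# 10.0.0.x and 203.0.113.x addresses are private/documentation ranges, not real hosts.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
ruby    19379  ami    8u  IPv4 4682378      0t0  TCP 127.0.0.1:45065 (LISTEN)
sshd     1021 root    3u  IPv4   12345      0t0  TCP *:22 (LISTEN)
curl    20111  ami    5u  IPv4 4690001      0t0  TCP 10.0.0.5:51234->203.0.113.9:443 (ESTABLISHED)
nc      20222  ami    3u  IPv4 4690002      0t0  TCP 10.0.0.5:51300->10.0.0.1:25 (ESTABLISHED)
ntpd      900  ntp   16u  IPv4    9001      0t0  UDP *:123'

# listeners: read lsof output on stdin, print "COMMAND PID ADDRESS" per listening socket.
listeners() {
    awk '$NF == "(LISTEN)" { print $1, $2, $(NF-1) }'
}

# outbound_to_unlisted ALLOWED_IPS: read lsof output on stdin and print
# "COMMAND PID PEER" for every established connection whose peer IP is not in
# the space-separated ALLOWED_IPS; this is the "connection to a computer the
# client should not be contacting" case described above.
outbound_to_unlisted() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        $NF == "(ESTABLISHED)" {
            split($(NF-1), ends, "->")      # local -> peer
            peer = ends[2]
            sub(/:[0-9]+$/, "", peer)       # drop the port, keep the address
            if (!(peer in ok)) print $1, $2, ends[2]
        }'
}

# Stand-alone run: use live lsof when available, otherwise the constructed sample.
if command -v lsof >/dev/null 2>&1; then
    lsof -i -n -P 2>/dev/null | listeners
else
    printf '%s\n' "$SAMPLE_LSOF" | listeners
fi
```

Feed the allow-list from whatever your environment considers expected peers (mail relay, package mirror, monitoring host); anything printed by outbound_to_unlisted is what you would then look up by command name and PID, as the text above suggests.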

English Names for characters in keyboard

~ tilde (sounds like til-da); be prepared to explain to computer-illiterate people saying “you know, the wave-shaped thingy”
! exclamation; commonly read as bang in case of #!/bin/sh
@ at
# pound; but commonly read as shee in case of #!/bin/sh, not sure why
$ dollar
% percent
^ caret; not many people know this word so be prepared to say “no, not carrot; it’s the character above 6, an arrow pointing up”
& ampersand
* star; some read asterisk
( opening parenthesis (some may shorten it saying paren)
) closing parenthesis
_ underscore; once I heard people say underbar
+ plus
- minus; as a symbol before arguments in commands, some people including me read dash, easier to say as one syllable
= equals
` backtick or backquote
{ opening brace
} closing brace
[ opening bracket
] closing bracket
| pipe or vertical bar
\ backslash; be prepared to explain to some computer-illiterate people
: colon
; semicolon
" double quote
' single quote
< less than; some may read left angle bracket
> greater than
, comma
. dot; period if in English text
? question mark
/ slash or forward slash; some computer-illiterate people may be confused about / and \
space
(), [] and {} may also be called brackets in general. In that case, people specifically call [] square brackets and {} curly brackets. I never liked this. Opening and closing may also be called left and right.

Secure Server – Hardening Tips & Tricks. Make your server more secure.

Server Hardening Tips & Tricks:

Found it on the net but let’s make it better. Post your COMMENTS!


Is that really all?

Every security-conscious organization will have its own methods for maintaining adequate system and network security. Often you will find that server hardening consultants can bring your security efforts up a notch with their specialized expertise.

Some common server hardening tips & tricks include:

– Use Data Encryption for your Communications
– Avoid using insecure protocols that send your information or passwords in plain text.
– Minimize unnecessary software on your servers.
– Disable Unwanted SUID and SGID Binaries
– Keep your operating system up to date, especially security patches.
– Using security extensions is a plus.
– When using Linux, SELinux should be considered. Linux server hardening is a primary focus for the web hosting industry, however in web hosting SELinux is probably not a good option as it often causes issues when the server is used for web hosting purposes.
– User Accounts should have very strong passwords
– Change passwords on a regular basis and do not reuse them
– Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system.
– Do not permit empty passwords.
– SSH Hardening
— Change the port from default to a non standard one
— Disable direct root logins. Switch to root from a lower level account only when necessary.
– Unnecessary services should be disabled. Disable all instances of IRC – BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink.
– Securing /tmp /var/tmp /dev/shm
– Hide the BIND DNS server version and the Apache version
– Hardening sysctl.conf
– Server hardening by installing Rootkit Hunter (rkhunter) and chkrootkit.
– Minimize open network ports to be only what is needed for your specific circumstances.
– Configure the system firewall (iptables) or install software like CSF or APF. Proper setup of a firewall by itself can prevent many attacks.
– Consider also using a hardware firewall
– Separate partitions in ways that make your system more secure.
– Disable unwanted binaries
– Maintain server logs; mirror logs to a separate log server
– Install Logwatch and review logwatch emails daily. Investigate any suspicious activity on your server.
– Use brute force and intrusion detection systems
– Install Linux Socket Monitor – Detects/alerts when new sockets are created on your system, often revealing hacker activity
– Install Mod_security as Webserver Hardening
– Hardening the Php installation
– Limit user accounts to accessing only what they need. Increased access should only be on an as-needed basis.
– Maintain proper backups
– Don’t forget about physical server security
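Three of the items in that list (disable direct root logins over SSH, do not permit empty passwords, disable unwanted SUID/SGID binaries) are easy to turn into a repeatable audit. The script below is an added example of mine, not from the original list; each function takes a path so it runs on the constructed fixtures in the test as well as on the real /etc/ssh/sshd_config, /etc/shadow and /usr/bin (the last two need root).

```shell
#!/bin/sh
# Added example, not from the original list: three of the checks above as small
# audit functions (SSH root login, empty passwords, SUID/SGID binaries). Each takes
# a path so it can be run on constructed fixtures as well as on the real files.

# sshd_root_login_disabled SSHD_CONFIG: exit 0 only when the first uncommented
# PermitRootLogin directive says "no" (sshd honours the first occurrence).
sshd_root_login_disabled() {
    first=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$first" = "no" ]
}

# empty_password_accounts SHADOW: print account names whose password field is empty,
# i.e. accounts that can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# suid_sgid_files DIR: list regular files under DIR with the setuid or setgid bit;
# compare against a known-good baseline and strip the bit from anything unwanted.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Stand-alone run against the live system (read-only).
if [ -r /etc/ssh/sshd_config ]; then
    if sshd_root_login_disabled /etc/ssh/sshd_config; then
        echo "sshd: PermitRootLogin no"
    else
        echo "sshd: direct root login is not disabled"
    fi
fi
if [ -r /etc/shadow ]; then
    empty_password_accounts /etc/shadow | sed 's/^/empty password: /'
fi
echo "setuid/setgid files under /usr/bin:"
suid_sgid_files /usr/bin
```

Save the suid_sgid_files output from a freshly installed system as the baseline; a diff against it after each change window is the cheapest way to spot a new setuid binary.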

yum install error File "/usr/bin/yum", line 30 except KeyboardInterrupt on CentOS, Ubuntu, Linux Mint, Red Hat

This is a common problem if you updated your Python installation to Python 3, usually by installing Python from source.

Unfortunately yum still depends on Python 2.

What you need to do is:

$ which python

Then navigate normally to:

$ cd /usr/bin/

$ ls -l | grep python

and see what is happening:

lrwxrwxrwx    1 root root           9 Feb 22 17:10 python -> python2.6
lrwxrwxrwx    1 root root           6 Nov  9 12:04 python2 -> python
-rwxr-xr-x    1 root root        9032 Jul 10  2013 python2.6

In my case I have already fixed this problem, so you can see that my symlink is python -> python2.6.

If it points to something else, then you need to replace the link (-f overwrites the existing symlink, without it ln refuses because python already exists):

ln -sf python2.6 python

You can use any other version of Python you have installed, as long as it is a 2.x version.
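The same check and fix as a script, so it can be tried on a scratch directory before touching /usr/bin: an added example of mine, not from the original post. It resolves the python symlink through intermediate links (the listing above shows python2 -> python, so a single readlink is not enough), reports whether it ends at a python2.N executable, and repoints it only when the requested interpreter exists.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the "python" symlink in a
# bin directory and, if asked, repoint it at a Python 2.x interpreter for yum.
# Takes the directory as an argument so it can be tried on a scratch directory
# before running it against /usr/bin as root.

# resolve_link PATH: follow up to 8 symlink hops and print the final path.
resolve_link() {
    p="$1"; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 8 ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;
            *)  p="$(dirname "$p")/$t" ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# python_link_is_v2 DIR: exit 0 if DIR/python resolves to an executable named python2.N.
python_link_is_v2() {
    target=$(resolve_link "$1/python")
    [ -x "$target" ] && [ ! -L "$target" ] || return 1
    case "$(basename "$target")" in
        python2.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# fix_python_link DIR VERSION: point DIR/python at DIR/pythonVERSION (e.g. 2.6),
# replacing any existing link; the same as the "ln -sf" step above, with a check
# that the interpreter actually exists first.
fix_python_link() {
    [ -x "$1/python$2" ] || { echo "no executable $1/python$2" >&2; return 1; }
    ln -sf "python$2" "$1/python"
}

# Stand-alone run: report on /usr/bin without changing anything.
if python_link_is_v2 /usr/bin; then
    echo "/usr/bin/python -> $(resolve_link /usr/bin/python): fine for yum"
else
    echo "/usr/bin/python is not a link to a Python 2 interpreter; yum will not start"
fi
```

To apply the fix on the real system, run fix_python_link /usr/bin 2.6 (or whichever 2.x you have) as root, then python_link_is_v2 /usr/bin to confirm.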

Install rvm Ruby on Rails and Ruby on Kali Linux

It’s not as simple as described on the rvm website. For some reason it just does not work on Kali Linux.

1. Clean up your system first

$ apt-get autoremove

2. whereis ruby – we will install a new version over the existing one instead of removing it.

ruby: /usr/bin/ruby /usr/lib/ruby /usr/bin/X11/ruby /usr/share/man/man1/ruby.1.gz

If you still want to remove it for any reason, you can use these commands, but it’s not recommended ;). Try $ apt-get remove ruby

If Ruby was installed from source, you need to do the following to remove it.

rm -rf /usr/local/lib/ruby
rm -rf /usr/lib/ruby
rm -f /usr/local/bin/ruby
rm -f /usr/bin/ruby
rm -f /usr/local/bin/irb
rm -f /usr/bin/irb
rm -f /usr/local/bin/gem
rm -f /usr/bin/gem

3. apt-get install build-essential zlib1g zlib1g-dev libreadline6 libreadline6-dev libssl-dev

This is for a root user installation.

$ \curl -L https://get.rvm.io | bash -s -- --ignore-dotfiles --autolibs=0 --ruby

Searching for binary rubies, this might take some time.
No binary rubies available for: debian/Kali_Linux_1/x86_64/ruby-2.1.0.
Continuing with compilation. Please read 'rvm help mount' to get more information on binary rubies.
Installing Ruby from source to: /home/ami/.rvm/rubies/ruby-2.1.0, this may take a while depending on your cpu(s)...
ruby-2.1.0 - #downloading ruby-2.1.0, this may take a while depending on your connection...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11.4M  100 11.4M    0     0   397k      0  0:00:29  0:00:29 --:--:--  968k
ruby-2.1.0 - #extracting ruby-2.1.0 to /home/ami/.rvm/src/ruby-2.1.0.
ruby-2.1.0 - #applying patch /home/ami/.rvm/patches/ruby/2.1.0/changeset_r44327.diff.
ruby-2.1.0 - #applying patch /home/ami/.rvm/patches/ruby/GH-488.patch.
ruby-2.1.0 - #configuring......................................................
ruby-2.1.0 - #post-configuration.
ruby-2.1.0 - #compiling......................................................................................
ruby-2.1.0 - #installing...........................
ruby-2.1.0 - #making binaries executable.
ruby-2.1.0 - #downloading rubygems-2.2.2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  404k  100  404k    0     0   707k      0 --:--:-- --:--:-- --:--:--  884k
No checksum for downloaded archive, recording checksum in user configuration.
ruby-2.1.0 - #extracting rubygems-2.2.2.
ruby-2.1.0 - #removing old rubygems.
ruby-2.1.0 - #installing rubygems-2.2.2...............
ruby-2.1.0 - #gemset created /home/ami/.rvm/gems/ruby-2.1.0@global
ruby-2.1.0 - #importing gemset /home/ami/.rvm/gemsets/global.gems

This will install Ruby 2.1.0, the latest version at the time of writing this post.

root@amiOs:/home/ami# source /etc/profile.d/rvm.sh
root@amiOs:/home/ami# type rvm | head -n 1
rvm is a function

Yes it’s installed correctly!

This is quite important:

root@amiOs:/home/ami# ruby -v
ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-linux]

Ruby is now also installed at the correct version.

Now switch to global and update your gems.

root@amiOs:/home/ami# rvm gemset use global
Using ruby-2.1.0 with gemset global
root@amiOs:/home/ami# gem outdated
bigdecimal (1.2.3 < 1.2.5)
minitest (4.7.5 < 5.2.2)
psych (2.0.2 < 2.0.4)
rake (10.1.0 < 10.1.1)
rdoc (4.1.0 < 4.1.1)
test-unit (2.1.0.0 < 2.5.5)
root@amiOs:/home/ami# gem update

Updating installed gems
Updating installed gems
Updating bigdecimal
Fetching: bigdecimal-1.2.5.gem (100%)
Building native extensions.  This could take a while…
Successfully installed bigdecimal-1.2.5
Parsing documentation for bigdecimal-1.2.5
Installing ri documentation for bigdecimal-1.2.5
Installing darkfish documentation for bigdecimal-1.2.5
Done installing documentation for bigdecimal after 1 seconds
………….

$ echo "gem: --no-document" >> ~/.gemrc

This speeds up gem installation, as we don’t need the documentation files.

We will create a gemset now.

root@amios:/home/ami# rvm use ruby-2.1.0@rails4.0 --create (two dashes: this needs to be --create, not -create)

It’s time to install Rails

root@amiOs:/home/ami# gem install rails
Fetching: atomic-1.1.14.gem (100%)
Building native extensions.  This could take a while…
Successfully installed atomic-1.1.14
Fetching: thread_safe-0.1.3.gem (100%)
Successfully installed thread_safe-0.1.3
Fetching: tzinfo-0.3.38.gem (100%)
Successfully installed tzinfo-0.3.38
Fetching: multi_json-1.8.4.gem (100%)
Successfully installed multi_json-1.8.4
Fetching: i18n-0.6.9.gem (100%)
Successfully installed i18n-0.6.9
Fetching: activesupport-4.0.2.gem (100%)
Successfully installed activesupport-4.0.2
Fetching: erubis-2.7.0.gem (100%)
Successfully installed erubis-2.7.0
Fetching: rack-1.5.2.gem (100%)
Successfully installed rack-1.5.2
Fetching: rack-test-0.6.2.gem (100%)
Successfully installed rack-test-0.6.2
Fetching: builder-3.1.4.gem (100%)
Successfully installed builder-3.1.4
Fetching: actionpack-4.0.2.gem (100%)
Successfully installed actionpack-4.0.2
Fetching: activerecord-deprecated_finders-1.0.3.gem (100%)
Successfully installed activerecord-deprecated_finders-1.0.3
Fetching: arel-4.0.2.gem (100%)
Successfully installed arel-4.0.2

after 658 seconds
27 gems installed
root@amiOs:/home/ami# rails
Usage:
rails new APP_PATH [options]

root@amiOs:/home/ami# rvm gemset list

gemsets for ruby-2.1.0 (found in /home/ami/.rvm/gems/ruby-2.1.0)
(default)
global
=> rails4.0

root@amiOs:/home/ami# rvm gemset use rails4.0
Using ruby-2.1.0 with gemset rails4.0
root@amiOs:/home/ami#

Well done to you!

Think I can improve it? Post your comments!
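Because several of the steps above only worked after a retry, here is an added example of mine (not part of the post or of rvm) that scripts the three checks the post makes by hand: that rvm is loaded as a shell function, that ruby -v reports at least the target version, and that ~/.gemrc carries the gem: --no-document line. Version comparison is done in plain sh so it does not depend on sort -V; it assumes numeric dot-separated versions with an optional pNNN patch level as ruby -v prints them.

```shell
#!/bin/sh
# Added example, not part of the original post or of rvm: post-install checks for
# the steps above. Assumes only the commands the post uses (rvm, ruby -v, ~/.gemrc).

# version_at_least HAVE WANT: exit 0 if dotted version HAVE >= WANT. A trailing
# patch level such as the "p0" in "2.1.0p0" (as printed by "ruby -v") is ignored;
# components are compared numerically, so pre-release suffixes are not supported.
version_at_least() {
    have=$(printf '%s\n' "$1" | sed 's/p[0-9]*$//')
    want="$2"
    i=1
    while :; do
        h=$(printf '%s\n' "$have" | awk -F. -v i="$i" '{ print $i }')
        w=$(printf '%s\n' "$want" | awk -F. -v i="$i" '{ print $i }')
        [ -z "$h" ] && [ -z "$w" ] && return 0   # all components equal
        h=${h:-0}; w=${w:-0}                     # 2.1 is treated as 2.1.0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
}

# ruby_version: print the version from "ruby -v" (e.g. 2.1.0p0), or nothing if absent.
ruby_version() { ruby -v 2>/dev/null | awk '{ print $2 }'; }

# rvm_is_function: exit 0 when rvm is loaded as a shell function, which is what the
# "type rvm | head -n 1" check above confirms; a plain binary on PATH is not enough.
rvm_is_function() { type rvm 2>/dev/null | head -n 1 | grep -q 'function'; }

# gemrc_skips_docs GEMRC: exit 0 when GEMRC carries the "gem: --no-document" line.
gemrc_skips_docs() { grep -Eq '^[[:space:]]*gem:.*--no-document' "$1" 2>/dev/null; }

# Stand-alone run: report on the current shell.
if rvm_is_function; then
    echo "rvm: loaded as a function"
else
    echo "rvm: not loaded in this shell (source /etc/profile.d/rvm.sh)"
fi
v=$(ruby_version)
if [ -n "$v" ] && version_at_least "$v" 2.1.0; then
    echo "ruby $v: at least 2.1.0"
else
    echo "ruby: missing or older than 2.1.0"
fi
if gemrc_skips_docs "$HOME/.gemrc"; then
    echo "gemrc: documentation skipped"
else
    echo "gemrc: add the gem: --no-document line"
fi
```

Source the script from the same shell in which you sourced /etc/profile.d/rvm.sh; run from a fresh shell, rvm_is_function will correctly report that rvm is not loaded there.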
