Sunday, 2 January 2011

Print out MySQL root password

If you have forgotten your MySQL root password but you are running ispCP, you are in luck: ispCP keeps the password it uses for its own database connection encrypted in its configuration, and the engine library it ships can decrypt it. Create the following Perl script in the folder /var/www/ispcp/engine

#!/usr/bin/perl
# Prints the database password that ispCP stores encrypted in its own
# configuration. The script must live in /var/www/ispcp/engine so that the
# require below finds ispcp_common_code.pl, which provides %main::cfg and
# decrypt_db_password().

use strict;
use warnings;

use FindBin;
use lib "$FindBin::Bin/";
require 'ispcp_common_code.pl';

# The encrypted value from the ispCP configuration, if one is set
my $current_db_pass = '';

if (exists $main::cfg{'DATABASE_PASSWORD'} && $main::cfg{'DATABASE_PASSWORD'}) {
    $current_db_pass = $main::cfg{'DATABASE_PASSWORD'};
}

# decrypt_db_password() returns a status code (0 on success) and the
# clear-text password
my ($rs, $plain_db_pass) = decrypt_db_password($current_db_pass);
die "decrypt_db_password() failed with status $rs\n" if $rs;

print STDOUT "$plain_db_pass\n";

Make the file executable and run it as root. It prints the password ispCP itself uses to connect to MySQL, which is the root password in a default ispCP setup. Please note that this only prints the password stored encrypted in the ispCP settings; if you changed the password in MySQL afterwards without updating ispCP, the output is stale. Since the encryption is reversible for anyone who can read the engine's configuration, keep those files readable by root only and delete the script once you have what you need.

WordPress installation

WordPress is a very comfortable, powerful and user-friendly blog system. It’s currently the best IMHO. Here are some recommendations for making the basic installation even more powerful with plugins.

Embedding Flash Videos

Flash videos can be embedded with the Flash Video Player plugin, which is based on the well-known JWPlayer. To embed a video in your article, just insert

[flashvideo file=video/video.flv /]

Securing your Blog

Force Login

If you don’t want all blog posts to be public, the following plugins are for you. A fully private blog needs the Force User Login plugin. It shows the login dialog as soon as you enter the blog; users need to register in order to see anything. The plugin consists of a single PHP file, which can be edited to define the landing page after a successful login. Keep in mind that if registration is open to everyone, anybody can create an account and read everything, so combine it with restricted registration or with the permission plugins below.

Content Control

If you want full control, install Social Privacy for WordPress. It comes with a set of plugins to

  • restrict users to seeing only defined article categories
  • support permission-based RSS feeds
  • send out e-mail notifications to subscribers based on their permissions

It gives you fine-grained control so that users read only the posts they are meant to see.

Single Sign On with OpenID

Some users might be annoyed by having to create a new account on your blog. The OpenID plugin helps: users can log in to your blog using any OpenID provider, for example Google Mail, Yahoo, MySpace and many more. After you have installed the plugin, your login dialog is extended by an OpenID field.

An OpenID is a URL. If you want to log in with your GMail account, for example, put the following URL in the field

www.google.com/accounts/o8/id

During the login process, you are redirected to the Google login page and asked for confirmation. (Google retired its OpenID 2.0 endpoint in 2015, so this particular identifier no longer works with current Google accounts.)

Image Gallery

NextGEN Gallery is a great image gallery plugin. You can create galleries by uploading zip files or bulk-uploading images via the Flash uploader. It automatically creates thumbnails and resizes the images if needed. Slideshows, albums and image lists are easily included in your posts. Absolutely hassle-free.

Sending Welcome Emails

The SB Welcome Email Editor allows you to change the ugly default mail that WordPress sends out when a new user registers.

Wednesday, 29 December 2010

Using SSL with virtual hosts

SSL with virtual hosts

The first important thing to know is that name-based virtual hosting and SSL do not combine well. With name-based hosting Apache picks the site from the Host header, but that header is inside the encrypted request, so the server has to choose a certificate before it knows which name the client wants. If you host multiple domains on one server, the reliable way is a separate public IP address for every domain that should support SSL. (Apache 2.2.12 and later, built against an OpenSSL with TLS extensions enabled, support SNI, where the client sends the host name in the handshake; older clients such as Internet Explorer on Windows XP do not send it and would always get the first certificate on that address.)

Reconfiguring non-SSL Virtual Hosts

As mentioned above, every SSL domain needs its own IP address. The first thing to change is your name server: point each such domain to its own IP. Secondly, edit the existing VirtualHost entries of the respective domains so that they listen on the new IP address only; otherwise the plain-HTTP site stays on the old address while DNS already points elsewhere.

Example: You are running example.com, example1.com and example2.com on your server with IP 1.2.3.4. The configuration so far looks like this.

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example2.com

</VirtualHost>

All virtual hosts use the same IP address. Now you want example2.com to support SSL and you have an additional IP, 1.2.3.10. Change your name server to map example2.com to 1.2.3.10 and modify the existing configuration to

<VirtualHost 1.2.3.4:80>
ServerName example.com

</VirtualHost>

<VirtualHost 1.2.3.4:80>
ServerName example1.com

</VirtualHost>

<VirtualHost 1.2.3.10:80>
ServerName example2.com

</VirtualHost>

Configuring SSL Virtual Hosts

For the new SSL websites, I created a new site configuration file in the Apache sites-available directory which holds the configuration for all SSL domains. I named it ssl-sites. Start the file by naming all IP addresses that should run an SSL-enabled domain. In our example, this is only 1.2.3.10. Apache does not accept a comment after a directive on the same line, so put it on a line of its own:

# for example2.com
NameVirtualHost 1.2.3.10:443

NameVirtualHost only matters when more than one VirtualHost shares that address and port; with one IP per SSL domain it is harmless, and Apache 2.4 ignores the directive altogether.

Then the VirtualHost definitions follow. You can copy the VirtualHost definition for example2.com from your existing configuration and modify it to listen on port 443.

<VirtualHost 1.2.3.10:443>
ServerName example2.com

</VirtualHost>

Additionally, you need to add the SSL configuration, in particular the certificate and key files.

<VirtualHost 1.2.3.10:443>
ServerName example2.com
# SSL directives
SSLEngine On
# HIGH:MEDIUM was the usual choice in 2010; MEDIUM still admits RC4,
# so prefer HIGH alone on a current server
SSLCipherSuite HIGH:MEDIUM
# server certificate and its private key (keep the key readable by root only)
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
# intermediate certificate(s) sent to the client so it can build the chain
SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
# CA bundle for verifying client certificates; only needed with SSLVerifyClient
SSLCACertificateFile /etc/apache2/ssl/ca.pem
...
</VirtualHost>

Enable the site

If you did it like I did, you only need to enable the new configuration file, check the syntax and restart Apache:

a2ensite ssl-sites
apache2ctl configtest
/etc/init.d/apache2 restart

Done! Now you can reach your domain via SSL. To check which certificate the new address actually serves, ask it from the command line:

openssl s_client -connect 1.2.3.10:443 </dev/null | openssl x509 -noout -subject -issuer

The subject should be example2.com and the issuer the CA that signed it; if a different site shows up, the address is still shared with another VirtualHost.
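As an added check, here is a small Python script written for this page (it is not part of the original post and not an Apache tool) that reads Apache VirtualHost blocks and flags the two mistakes the procedure above guards against: an address:443 shared by several sites, which without SNI means only the first certificate is ever served, and a ServerName whose port-80 and port-443 hosts sit on different addresses, which DNS cannot satisfy. The sample configurations inside it are constructed from the example.com/example2.com layout used above, and the parser assumes one address per VirtualHost line, as in the post.

```python
"""Lint an Apache configuration for the one-IP-per-SSL-domain rule.

Added example, not taken from the original post or from Apache itself.
Assumes one address:port per <VirtualHost ...> line, as in the post.
"""
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)",
                           re.IGNORECASE | re.MULTILINE)


def strip_comments(config):
    """Apache only knows whole-line comments, so drop lines starting with '#'."""
    return "\n".join(line for line in config.splitlines()
                     if not line.lstrip().startswith("#"))


def parse_vhosts(config):
    """Return [(address, port, servername), ...] in file order.

    A VirtualHost without an explicit port binds to every Listen port;
    that is recorded as port '*'.
    """
    hosts = []
    for addr_port, body in VHOST_RE.findall(strip_comments(config)):
        addr, sep, port = addr_port.rpartition(":")
        if not sep:                      # no port given
            addr, port = addr_port, "*"
        match = SERVERNAME_RE.search(body)
        hosts.append((addr, port, match.group(1) if match else None))
    return hosts


def check_ssl_layout(config):
    """Return a list of problems; an empty list means the layout is sound."""
    problems = []
    names_on_443 = defaultdict(list)     # address -> [ServerName, ...]
    addr_by_name = defaultdict(dict)     # ServerName -> {port: address}
    for addr, port, name in parse_vhosts(config):
        if port == "443":
            names_on_443[addr].append(name)
        if name:
            addr_by_name[name][port] = addr

    # Several SSL hosts on one address: without SNI the client never says
    # which name it wants, so Apache always answers with the first one.
    for addr, names in names_on_443.items():
        if len(names) > 1:
            problems.append(
                f"{addr}:443 is shared by {', '.join(names)}; non-SNI clients "
                f"always get the certificate of {names[0]}")

    # A name whose HTTP and HTTPS hosts live on different addresses: DNS can
    # only point the name at one of them, so one of the two is unreachable.
    for name, ports in addr_by_name.items():
        if "80" in ports and "443" in ports and ports["80"] != ports["443"]:
            problems.append(
                f"{name} is on {ports['80']}:80 but on {ports['443']}:443; "
                f"move the port-80 host to {ports['443']} and update DNS")
    return problems


# Constructed sample: the post's layout after ssl-sites was written but
# before example2.com's port-80 host was moved, plus a second SSL host
# wrongly squeezed onto the same address.
BEFORE = """
<VirtualHost 1.2.3.4:80>
ServerName example.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName example1.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName example2.com
</VirtualHost>
# ssl-sites
NameVirtualHost 1.2.3.10:443
<VirtualHost 1.2.3.10:443>
ServerName example2.com
SSLEngine On
</VirtualHost>
<VirtualHost 1.2.3.10:443>
ServerName example1.com
SSLEngine On
</VirtualHost>
"""

# Constructed sample: the corrected layout from the post, one SSL domain
# on its own address for both ports.
AFTER = """
<VirtualHost 1.2.3.4:80>
ServerName example.com
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName example1.com
</VirtualHost>
<VirtualHost 1.2.3.10:80>
ServerName example2.com
</VirtualHost>
<VirtualHost 1.2.3.10:443>
ServerName example2.com
SSLEngine On
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label + ":")
        for problem in check_ssl_layout(cfg) or ["ok"]:
            print("  " + problem)
```

Run against the real file (for example by reading /etc/apache2/sites-enabled/* into one string) after editing and before the restart; a clean result means every SSL domain has an address of its own and DNS has a single address to point to. With SNI in use the first check is only a warning for the oldest clients, but the second check applies regardless.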

Using .NET SmartCard with TrueCrypt

This post is about using the .NET SmartCard with TrueCrypt. You might want to read Installing and configuring a .NET Smartcard first.

Consideration

It is possible to use the SmartCard with TrueCrypt, but it does not provide the level of security the card could offer. TrueCrypt cannot use the certificates and keys stored on the card. The strong security of the card rests on the fact that the private key belonging to a certificate never leaves the card and therefore cannot be copied. TrueCrypt only supports security-token keyfiles, which are plain data objects stored on the card: any application that is given the card's PIN can read them, and thus copy them.
Still, a keyfile on the card is much safer than a password alone, because an attacker needs the card and its PIN (plus the volume password, if you set one) instead of just something you typed.

Configuring the security device

Open TrueCrypt and go to Settings –> Security Tokens.

Select the Gemalto PKCS#11 Library. Mine was located at
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards\gtop11dotnet.dll

Set the checkmark for “Close token session (log out) after a volume is successfully mounted”, so that the card is not left unlocked for other applications after the mount.

Loading a token onto the card

Go to Settings –> Default Keyfiles.

Press Generate Random Keyfile… and save the generated keyfile.

Press Add Token Files… and add the generated keyfile to the card via Import Keyfile To Token…

Make sure you securely delete the generated keyfile from your hard disk now! Decide beforehand whether you want an offline backup of it on an encrypted medium: once the file is gone, the copy on the card is the only one, and a lost or broken card means the volumes using it can no longer be mounted.

Done! Now you can use the keyfile on the SmartCard for container creation and for mounting the volumes.

Using a .NET SmartCard in Thunderbird for S/MIME Mail

This post is about the usage of the .NET SmartCard in Thunderbird. You might want to read Installing and configuring a .NET Smartcard first.

Go to Tools –> Options and press Security Devices –> Load.

Browse for the PKCS#11 DLL file, which on my PC is located at
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards\gtop11dotnet.dll

Go back to the options menu and press “View Certificates”. Thunderbird asks you for the SmartCard PIN and then shows the certificates contained on your card.

That’s it! You can now use Thunderbird with S/MIME. When you write an e-mail, just select Options –> “Digitally Sign This Message”; Thunderbird prompts for the PIN because the signing operation happens on the card.
The signature carries your certificate, so once the receiver has your signed mail, his client knows your public key and he can reply with an encrypted mail.

Installing and configuring a .NET Smartcard

A SmartCard is very handy when it comes to security. It can
  • hold your S/MIME certificate for secure e-mail communication
  • be used to sign in to your Windows PC
  • hold security tokens for hard drive encryption
  • … much more

This post explains how to set up a Gemalto .NET SmartCard on your PC. You could use any SmartCard with PKCS#11 support, but this post covers the .NET card specifically.

Buy the equipment

The first thing you need is the SmartCard itself. I bought my “Gemalto .NET IM V2+” SmartCard at the CryptoShop for about 20€.
Additionally, you need a card reader. Any home-banking card reader will work just fine. If you don’t have one, get one starting from 10€ on eBay or Amazon. I got the SCR 3310 for my home PC and the OmniKey 4040 for my laptop, both from eBay.

Install the Windows drivers

For applications to access the card and its content, you need the so-called PKCS#11 library installed. It is a DLL that can be loaded into various applications like Firefox, Thunderbird etc.
Download the .NET PKCS#11 Libraries for Windows OS from gemalto.com.
Run the installer and walk through the wizard; there is not much to select.
The setup creates a folder in your program files which contains the PKCS#11 library. For me, it was located in
C:\Program Files (x86)\Gemalto\PKCS11 for .NET V2 smart cards

Import certificates to the smartcard

The SmartCard you receive from the store is empty; you need to load a certificate onto it. Open the browser-based Gemalto certificate manager with Firefox. The first time you do that, you need to install a Firefox add-on called SConnect, which is the interface to your SmartCard. Restart Firefox afterwards.
Insert your smartcard and enter the certificate manager again. When asked, allow the Gemalto website to access your smartcard.
Press “Import P12 Cert” and select the certificate to import to the card. If you don't have a certificate yet, here's how to create one.
During the import you need the default PIN, which is 0000.
After the import is complete, change the PIN to something more secure; the factory PIN is the same on every card.
Done! Your certificate is now stored on the SmartCard. Keep in mind that the private key was generated outside the card and imported, so the .p12 file is a complete copy of it: the card protects against further copies, not against that file. Keep it only as a backup, on an external drive in a secure location, and protect it with a strong export password.

See my other posts to find out how to get a certificate and how to use the smartcard with your applications

Saturday, 16 October 2010

Secure Surfing

When you are in a hotel using an unencrypted wireless network, this is pretty insecure. There are several VPN solutions to encrypt your traffic, such as Comodo WiFi Security or OpenVPN. However, one problem remains: as soon as you are connected to the network, several programs start sending data, mostly signing in, and this may happen before your VPN tunnel is up.

There is a simple solution using the Windows 7 firewall. Configure your WiFi or untrusted LAN connection as "Public". In the Public profile, set the default action for outbound connections to Block, so that everything not explicitly allowed is blocked (whitelist mode). Define a rule which allows only the VPN client to connect. Put your VPN adapter in a trusted profile. Additionally, create a rule to allow any traffic from your VPN IP address. That's it! No surfing is possible unless you are connected to your VPN tunnel. Keep in mind what has to happen before the tunnel exists: the machine must obtain a DHCP lease and, if your VPN gateway is configured by name, resolve it via DNS, so those have to stay allowed (or put the gateway's IP address in the VPN configuration). Test the setup by disconnecting the VPN and confirming that a browser really gets nothing through.