Turning SSLv3 off on Apache Server to mitigate "POODLE" attack (CVE-2014-3566) 
Thursday, 16 October 2014, 10:22 - Apache Stuff, OpenSSL
Posted by Administrator
Add the following to your SSL configuration section:

# Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
SSLProtocol All -SSLv2 -SSLv3

Note to insert this to all VirtualHost sections where SSL is enabled!

Check your config:
apachectl configtest

Then restart apache server:
sudo service apache2 restart

To check if SSLv3 is turned off:
openssl s_client -connect server.domain.tld:443 -ssl3

Then you shold see a message like this:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40

To disable SSLv3 within other services:
see this post
add comment ( 1426 views )   |  permalink   |  related link   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 2372 )
Check certificate on a server 
Wednesday, 4 June 2014, 18:26 - Knowledge, OpenSSL
Posted by Administrator
Issue the following command:
openssl s_client -CApath /etc/ssl/certs/ -connect <host.domian.tld>:993


There should be stated quite at end of command output:
    Verify return code: 0 (ok)

before an eventual greeting message of the server.

A bit above, you can check the certificate chain completeness:
Certificate chain
0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

The last i(ssuer) is the root cert that most client will trust.
add comment ( 1608 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 1252 )
Postfix Mail Queue Cleaner 
Monday, 14 April 2014, 12:17 - Tools & more, Knowledge, Postfix Stuff
Posted by Administrator
This small shell script removes all messages originating from a certain sender address out of the postfix mail queue.


#! /bin/bash
if [ "$1" == "" ]; then
echo "please give e-mail address"
exit 1
else
emailaddr=$1
fi
for id in `mailq | egrep "[0-9A-F]{10} " | grep "$emailaddr" | cut -d " " -f 1`
do
echo $id
postsuper -d $id
done


add comment ( 1831 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 2527 )
Detect and block abuse of (cracked) e-mail account 
Friday, 28 February 2014, 10:45 - Postfix Stuff, Mail stuff
Posted by Administrator
To avoid bad things(TM) caused by a cracked e-mail account on our postfix mailserver, I used the script Check Auth Log to detect abnormal high numbers of logins or logins from many different IP addresses within a certain time onto a certain account. Then the script will lock out the account. This, together with per-session limits within postfix configuration (smtpd_client_message_rate_limit, smtpd_client_recipient_rate_limit), should help to avoid or at least mitigate the damage caused by cracked accounts, i.e. SMTP server being blacklisted.

add comment ( 1698 views )   |  permalink   |  related link   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 2486 )
DNS Tools 
Tuesday, 22 October 2013, 23:00 - Tools & more
Posted by Administrator
Web Interface for DNS Queries.

Download


Download the tarball

Prerequisites


The "dig" tool must be installed on your system, and be allowed to be executed from php. If it doesn't work, e.g. if using safe_mode and/or open_basedir restrictions, add the path where dig is located to the two php options:
open_basedir /usr/bin/dig
safe_mode_exec_dir /usr/bin/
Within a VirtualHost, set with php_admin_value <option>.

In addition, TCP port 43 and UDP port 53 need to be open outbound.

Installation


Extract the content of the archive within your web root of the webserver, e.g.
cd <webroot>
tar xvzf dnstools.tar.gz

Usage


Navigate your web-browser to http://<your_host_name>/dnstools/ and enter either the appropriate form.

add comment ( 2100 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 873 )

<Back | 1 | 2 | 3 | 4 | 5 | 6 | Next> Last>>