• What is LogJam Attack ?

    What is LogJam Attack ?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is Affected ?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk for the Logjam attack

    How we will prevent this on Application side ?
    Update your applications ssl.conf file with the updated SSLCipherSuite and restart the service .

    1) Apache
    Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order :
    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    2) Nginx
    ssl_prefer_server_ciphers on;
    3) Apache Tomcat  ( in server.xml)
    4) Postfix ( /etc/postfix/main.cf )
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )


    Reference : https://weakdh.org

  • New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

    Recently some folks reported an interesting and nasty bug with php which will allow an intruder to view the source code and access the file systems.

    As per the update from php ( http://php.net ) , this bug has gone unnoticed for at least past 8 years .

    # Who all are affected ?

    If you are using Apache mod_cgi to run PHP you may be vulnerable to this bug.

    # Are you safe ?

    Just pass the argument “ ?-s “ to any of  your php pages and see.  Are you shocked ???
    If you pass the following arguments in your site , say example.com :

    1 ) http://example.com/index.php?-s
    Will dump your source code of the file index.php ( in simple words it will display the content of the file index.php )

    2) http://example.com/index.php?-dauto_prepend_file%3d/etc/passwd+-n
    Will display your /etc/passwd file !!!!!!!

    # Which all php versions are affected ?

    The PHP Group – PHP 5.3.11,PHP 5.3.10, 5.4.0 and  5.4.1

    # How to fix ?

    To fix this, upgrade your php to PHP 5.3.12 or PHP 5.4.2.

    # Any Patch ?

    Yes , php has provided  a temporary work around . I have tested and confirmed ( in php 5.3.10 )that  this will close the loop hole .
    Apply the following rewrite rule in your sites DocumentRoot .htaccess file .

             RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
             RewriteRule ^(.*) $1? [L]


    # More Reference ?

  • Resin SSL configuration in five steps !!

    Resin is a powerful web server which will run smoothly with java and html ( it will  support php also ).  Its very tough to get details about resin except from the www.caucho.com   site.  Hope that this doc will be helpful for the System admins who are working with  resin .  Its a simple  5 steps doc to setup ssl certificate for resin.


    1)  Create Key

    openssl  genrsa  -des3  -out  www.adminlgos.info.key  2048

    2)  Create CSR

    openssl req -new -key www.adminlogs.info.key -out www.adminlogs.info.csr

    3) Purchase the SSL using the above csr

    4) SSL configuration for resin web server
    ( We should save the ssl key , chainfile ( CA bundle ) and certificate in ”  /usr/local/resin/keys  ” )

    # vi /usr/local/resin/resin.conf

    <server id=”adminlogs” address=”″>
    <http id=”adminlogs” address=”″ port=”8080″/>
    <http id=”adminlogs” address=”″ port=”8443″>

    Terms : –
    certificate-file  : SSL certificate location
    certificate-key-file : SSL key file location
    certificate-chain-file : chain file location
    chain file  contains both ca bundle and ssl certificate
    For example you should create the file as follows , certificate first and then ca bundle.
    cat adminlogs.crt >> admin-inter.txt
    cat intermediate.txt >> admin-inter.txt

    password : Password given at the time of SSL Key creation in first step

    5) Restart resin

    /usr/local/resin/bin/resin-servers.sh restart

  • Are you worried about ssl certificate expiry ?

    Are you worried about ssl certificate expiry  ?  I found a good solution for that 🙂 . This script will monitor the ssl certificate expiry and  will  provide e-mail notifications when a certificate is getting close to expire !!!

    1) Download and setup the script for execution

    wget http://prefetch.net/code/ssl-cert-check
    chmod 744 ssl-cert-check

    2) To find the ssl expiry details of a local certificate

    ./ssl-cert-check -c  /usr/local/sss/adminlogs.crt

    3) To find  the ssl expiry details of a remote domain

    ./ssl-cert-check -s www.adminlogs.info -p 443

    4) To find the ssl expiry details of a list of domains

    If you are managing a number of domains , you can place the domains in a file with port number as follows

    # vi  /home/domainlist
    www.adminlogs.info 443
    www.google.com  443
    www.yahoo.com  443

    Then save the file and execute the script with the option ” -f ”

    ./ssl-cert-check -f  /home/domainlist  ./ssl-cert-check -i -f domainlist

    here ”  i ” will give the details of ssl provider/issuer
    5)  Setup e-mail alerts if ssl expiry date is less than or equal to 20 days

    ssl-cert-check can provide e-mail notifications when a certificate is getting close to expiring. The expiration interval can be controlled with ssl-cert-check’s “-x” (expiration interval) option, and the e-mail address to send notifications can be passed as an argument to the “-e” (e-mail address to send alerts) option.

    ./ssl-cert-check -a  -f   /home/domainlist  -q -x 20 -e  [email protected]

    You can add the above command in cron and monitor your ssl certificate validity .

    You can find more ssl related stuffs here : most-common-openssl-commands

    Thank you prefetch.net for this excellent script !!!


  • Resin webserver setup with Java and mysql

    As per  caucho.com  , Resin provides a fast standalone web server. It serves static pages faster than Apache! .Resin will work well with php,java and mysql.

    We can compile resin in two ways, one as a module of apche and the second one as a standalone webserver.  Here i am discussing the installation and configuration of resin stand alone webserver with java and mysql.

    When running as a daemon (eg, resin.sh start) Resin Watchdog Manager is the watchdog and Resin is the actual Resin instance. When running Resin as a foreground process, the process list displays resin.jar, which acts as the watchdog.

    The Resin Watchdog Manager is the parent process, providing automatic restarting Resin in cases of failure, and providing a single point of control for the start, stop and restart of all Resin processes. It is responsible for launching Resin with the correct JVM arguments and environment options such as starting Resin as the specified user, e.g. for <user-name> on unix.

    Resin Watchdog Manager watches Resin via a Socket connection. When the watchdog socket closes, Resin shuts itself down gracefully. The watchdog closes the socket on a stop or restart or if the watchdog itself is killed. If Resin exits for any reason, the watchdog will automatically start a new Resin process. This socket connection approach avoids the need for any signals or actual killing of Resin from the watchdog, and also makes it easy to stop all the Resins if necessary by just killing the watchdog.

    The Resin Watchdog Manager doesn’t actually kill Resin or even check Resin’s status, it just checks to see if Resin is alive or not. So if the JVM were to completely lock up, the watchdog would still think Resin was okay and would take no action.

    Because the watchdog is always managing Resin processes, if you ever need to stop Resin with kill, you must kill the watchdog. Just killing the Resin process results in the watchdog restarting it automatically.

    The watchdog will log to log/watchdog-manager.log. The Resin standard out/err is log/jvm-servername.log. Resin Watchdog Manager is responsible for creating both of these log files, so jvm-servername.log is not really under the control of the Resin instance. This makes it somewhat more reliable in case of JVM deadlocks, etc.

    1) Install JAVA

    Download java
    wget http://download.oracle.com/otn-pub/java/jdk/6u26-b03/jdk-6u26-linux-x64.bin

    Make sure that execute permissions are set
    chmod +x  jdk-6u26-linux-x64.bin

    Run the self-extracting binary.

    Create softlink
    ln -s /usr/java/jdk-1_6_26_(version) /usr/java/jdk

    Add JAVA_HOME and set classpath

    vi /etc/profile
    (add the following after the line “export PATH LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC” )

    export JAVA_HOME=/usr/java/jdk
    export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/bin
    export CLASSPATH=$CLASSPATH:/usr/java/jdk/lib/tools.jar
    export CLASSPATH=$CLASSPATH:/usr/java/jdk/bin:/usr/java/jdk/jre/lib/rt.jar
    export PATH=$PATH:$JAVA_HOME/bin

    Check the java version

    #  java -version
    java version “1.6.26_00”

    2) Install Mysql

    You can refer the following lik to install mysql :  LAMP server setup


    3) Install Resin

    Resin is a fast JavaEE 6 web server. It is built on our distributed-agent technology for the elastic cloud. Our administration and health monitoring tools provide statistics, troubleshooting and application management. The resin cloud scales messaging, caching, load balancing and deployment services for new servers without a need for configuration. Resin runs on all major operating systems .Resin is coming with two version free and licensed version. Resinpro is the license version. Installation and setup is same for both the servers.

    # wget http://www.caucho.com/download/resin-pro-4.0.19.tar.gz
    # tar -vzxf resin-pro-4.0.19.tar.gz
    # cd resin-pro-4.x.x
    # ./configure –prefix=/usr/local/resin
    ( This will configure Resin to install in /usr/local/resin, with support for OpenSSL if it was detected )
    # make
    # make install
    # ln -s /usr/local/resin-pro-4.x.x  /usr/local/resin
    # vi /etc/profile
    ( add RESIN_HOME in  file )
    export RESIN_HOME

    4)  Configure app-default.xml ( you can use the default configuaration files in /usr/local/resin/conf/app-default.xml  directory after making necessary changes )

    Its a global configuration file to declare variable for all the hosts ( with different resin.conf )

    The <web-app-default> directive is a default configuration for all [web-apps|web-app] in a [host]. It can contain all the children of a <[web-app]> directive. It can be particularly useful with the <[web-app-deploy]> directive in combination with <[resin:import|resin import]>.

    Example configuration :-

    <compiling-loader path=”WEB-INF/classes”/>
    <library-loader path=”WEB-INF/lib”/>

    5)  Configure resin ( you can use the default configuaration files in /usr/local/resin/conf directory after making necessary changes )

    Resin uses a tag-based xml configuration file, usually as resin.conf . Default resin configuration will be in RESIN_HOME/conf/resin.conf .  We can give any name for the
    resin conf , for example we can give adminlogs.conf.

    Vi /usr/local/resin/conf/resin.conf
    – Management configuration
    – Remote management requires at least one enabled admin user.
    – Following section , whenever server load reaches 10 resin will restart the service automatically.
    <user name=”admin” password=”password==”/>
    <user name=”resin” password=”password==”/>

    – SMTP server for sending mail notifications
    <system-property mail.smtp.host=”″/>
    <system-property mail.smtp.port=”25″/>

    – Sets the default character encoding to utf-8

    – Configures the keepalive
    -Configure Memory and cache
    <cache path=”cache” memory-size=”512M” disk-size=”2048M”>

    – Check website status and restart the server if its not listening to port 8080
    -( Starts a thread that periodically makes a request to the server, and restarts Resin if it fails. This facility is used to increase server reliability – if there is a problem with the server (perhaps from a

    -deadlock or an exhaustion of resources), the server is restarted. A failure occurs if a request to the url returns an HTTP status that is not 200 )
    <!– a very busy server –>
    <!–mail notification when ping fails–>
    <mail-to>[email protected]</mail-to>
    <mail-from>[email protected]</mail-from>
    <mail-subject>Resin ping has failed for server ${server.name}</mail-subject>

    -VirtualHost Section

    <server id=”adminlogs” address=”″>
    <http id=”adminlogs” address=”″ port=”8080″/>
    <http id=”adminlogs” address=”″ port=”8443″>

    -SSL configuration starts here
    <protocol>-ALL +SSLv3 +TLSv1</protocol>
    </openssl> </http>

     <host id="">
     <access-log path="/usr/local/www/hosts/www.adminlogs.info/logs/access.log" format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"' rollover-period="1D"/>
     <stdout-log path="/usr/local/www/hosts/www.adminlogs.info/log/stdout.log" rollover-count='7' timestamp='%H:%M:%S: ' rollover-period='1D'/>
     <stderr-log path="/usr/local/www/hosts/www.adminlogs.info/log/stderr.log" rollover-count='4' timestamp='%d/%m/%y %H:%M:%S: ' rollover-period='1W'/>
     <web-app id='/'>
     <servlet-mapping url-pattern="/servlet/*" servlet-name="invoker"/>
     <compiling-loader path='corresponding class file location'/>
     <compiling-loader path='corresponding java core files'/>
     <library-loader path='corresponding lib path'/>
     -DATA BASE connection configuration 
     <driver type="org.gjt.mm.mysql.Driver">
     - DATABASE configuration ends here

    Once you complete the resin.conf setup , then you need to upload your files to your document root and setup web.xml in WEB-INF/web.xml


    6)  Setup web.xml

    vi /usr/local/www/hosts/www.adminlogs.info/webapps/ROOT/WEB-INF/web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
     <context-param><param-name>WebsiteName</param-name><param-value>Adminlogs Live</param-value></context-param>

    7) Configure resin startup script  to start/stop and restart

    vi /usr/local/resin/bin/resin-server.sh

    # resin         This shell script takes care of starting and stopping
    #               the Resin Webserver service.
    export JAVA_HOME
    export RESIN_HOME
    export SERVER_ROOT
    export PATH
    CURRENT_USER="`id | sed 's/uid=[0-9][0-9]*(\([^)]*\)).*/\1/'`"
    if [ $USER = $CURRENT_USER ] ; then
    $RESIN_HOME/bin/httpd.sh -server-root $SERVER_ROOT -conf $SERVER_ROOT/conf/resin.conf -server adminlogs $*
    su - $USER -c "$RESIN_HOME/bin/httpd.sh -server-root $SERVER_ROOT -conf $SERVER_ROOT/conf/resin.conf -server adminlogs $*"

    8 ) Setup IPTABLE rules for port forwarding.

    resin will listen on the ports 8080 and secure port 8443. We need to write our firewall rules to forward the communication from http port 80 to resin ports

     iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT --to-destination
     iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 443 -j DNAT --to-destination

    /etc/init.d/iptables save


    10 )  Start resin

    We can start resin as the user resin only , first we need to switch to resin user as follows  ( Also if you are using resin pro, then you should update the license file to ” /usr/local/resin/licenses/license-filename.license ” )

    # su resin –
    # /usr/local/resin/bin/resin-servers.sh start

    11) Logs

    As per the resin configuration , resin will write the logs for adminlogs.info in to the log directory of each host . If resin is not starting properly you need to check the following logs to find the cause.

    tail -f /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
    tail -f /usr/local/www/hosts/www.adminlogs.info/log/stderror.log


    Optional section : – Resin directives

    >>> Connection settings configuration

    keepalive-max : the maximum number of keepalive connections
    keepalive-timeout : the maximum time a connection is maintained in the keepalive state
    thread-max : maximum number of working threads
    spare-thread-min: minimum number of spare working threads

    >> ssl configuration

    certificate-file: the file containing the server’s certificate
    certificate-key-file : the file containing the server’s certificate key, if separate from certificate-file
    password: the certificate key password
    certificate-chain-file: A file containing an intermediate (untrusted) and root (trusted) certificate ( same as CA bundle )
    protocol: SSLProtocol
    cipher-suite :SSLCipherSuite

    >>> Server Status configuration

    Ping Starts a thread that periodically makes a request to the server, and restarts Resin if it fails. This facility is used to increase server reliability – if there is a problem with the server (perhaps from a deadlock or an exhaustion of resources), the server is restarted.A failure occurs if a request to the url returns an HTTP status that is not 200.

    url : A url to ping.
    sleep-time: Time to wait between pings. The first ping is always 15m after the server starts, this is for subsequent pings.
    try-count: If a ping fails, number of times to retry before giving up and restarting
    retry-time: time between retries
    socket-timeout :time to wait for server to satrt responding to the tcp connection before giving up
    stat-service:periodically checks the status of the server, and reports errors as necessary.
    cpu-load-exit-threshold : CPU load triggering a Resin exit (and restart)
    cpu-load-log-info-threshold: CPU load triggering a log message at the info level
    cpu-load-log-warning-threshold:CPU load triggering a log message at the warning level
    cpu-load-log-thread-dump-threshold: CPU load triggering thread dump to the log
    sample-period:how often to sample the statistics
    thread-dump-interval: minimum time between thread dumps

    >>> Memory Configuration

    Memory-free-min :   improves server reliability by detecting low-memory situations caused by memory leaks and forcing a clean server restart. Since Resin’s watchdog service reliably restarts the server, a website can improve stability by forcing a restart before memory becomes a major problem. The memory-free-min restart will also log a warning, notifying the developers that a potential memory leak needs to be resolved.

    The allocation of memory for the JVM is specified using -X options when starting Resin
    It is good practice with server-side Java applications like Resin to set the minimum -Xms and maximum -Xmx heap sizes to the same value.

    -Xms    initial java heap size
    -Xmx    maximum java heap size
    -Xmn    the size of the heap for the young generation

    As you know its a vast subject and not that much easy to document in a single post. I have tried my best to include all the necessary things to setup a website in resin . Hope this info will helps  🙂
    Reference : http://www.caucho.com/

  • Admin Tips 2 : Monitor linux services using bash script

    Scenario : –

    In one of my resin server,  resin service was crashing due to some resource usage.  It was happening at night time.

    I used the following script to monitor the status and restart resin if its not running .

    # vi /home/resin/check-resin.sh

    run=`ps ax | grep /usr/java/jdk1.6.0_14/bin/java | grep -v grep | cut -c1-5 | paste -s -`
    if [ "$run" ];
    echo "resin is running" > /home/resin/check_resin.log
    /usr/local/resin/bin/resin-servers.sh restart
    mail -s "resin server restarted by check-resin script " admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log

    Or the issue is only for a single website ( shared resin hosting ) , you can use the following script and restart the respective server only.

    # vi /home/resin/check-resin.sh

    cd /tmp
    wget www.adminlogs.info:8080
    if [ $? -gt 0 ]; then
    /usr/local/resin/bin/resin-adminlogs.sh restart
    mail -s "adminlogs resin server restarted by check-resin script "  admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log

    $? contains the return code of the last executed process. -gt means greater than. Usually programs return zero on success or something else on failure

    After  making the following small changes ( use appropriate daemon) you can use the above script to monitor other services like Apache, ftpd,mysql etc as follows :-

    For example :-

    #  Vi check_httpd.sh

    run=`ps ax | grep /usr/local/apache/bin/httpd  | grep -v grep | cut -c1-5 | paste -s -`
    if [ “$run” ];
    echo “apache is running” > /home/admin/check_httpd.log
    /usr/local/apache/bin/apachectl -k restart
    mail -s “Apache server restarted by check-httpd script ” admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log

    Or ( only for apache )

    # Vi check_httpd.sh

    cd /tmp
    wget adminlogs.info:80
    if [ $? -gt 0 ]; then
    /usr/local/apache/bin/apachectl -k restart
    mail -s “Apache server restarted by check-httpd script ” admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log

    Add the script to crontab ( It will check the status in every 5 minutes )

    */5 * * * * /bin/bash check_httpd.sh

    Its worked fine  and now I have no worry about that website and getting good sleep 🙂


  • ssl configuration for webservers

    Today more and more people are becoming aware of the hazards of insufficient online security measures. Its time to become smart and start taking online security seriously. The first step towards this is to have a padlock icon and the prefix  https in the address bar, to ensure the safety of your online information

    An SSL Certificate, also abbreviated as Secure Socket Layer, is a digital certificate which authenticates the identity of a Website. It also encrypts the information before sending it to the server. An SSL Certificate acts as an online digital passport that contains the credentials of the online business. When an Internet user tries to send confidential information over the internet to the server, the users browser accesses the server’s digital certificate and establishes a secure connection

    How to purchase a ssl certificate.

    1) create a CSR and private key for your domain

    2) contact the ssl providers like www.verisign.com or www.thawte.com with this CSR and purchase ssl certificate. There are different types of ssl certs like secure server, extended valid etc.  For multiple domains you can use wild card ssl certificates and this can be used with all the domains under *.adminlogs.info .

    3) You need to install the purchased SSL certificate in your webserver

    For generating CSR and Key refer : SSL commands

    $ Configure ssl for Apache

    You should use a dedicated IP to configure ssl for your domain.

    DocumentRoot /home/admin/public_html
    ServerName www.adminlogs.info

    SSLEngine on
    SSLCertificateFile /usr/local/ssl/www.adminlogs.crt
    SSLCertificateKeyFile /usr/local/ssl/www.adminlogs.key
    SSLCertificateChainFile /usr/local/ssl/www.adminlogs.ca

    Adjust the file names to match your certificate files:

    * SSLCertificateFile should be your purchased certificate file .
    * SSLCertificateKeyFile should be the key file generated when you created the CSR.
    * SSLCertificateChainFile should be the intermediate certificate file provided by the SSL provider

    If the SSLCertificateChainFile directive does not work, try using the SSLCACertificateFile directive instead.

    $ restart apache

    Configure ssl for Resin web server

    ssl key file location is :  /usr/local/resin/keys/

    $ vi /usr/local/resin/resin.conf

    <server id=”www.adminlogs” address=”″>
    <http id=”www.adminlogs” address=”″ port=”8080″/>
    <http id=”www.adminlogs” address=”″ port=”8443″>

    <protocol>-ALL +SSLv3 +TLSv1</protocol>

    Protocol & cipher-suite directives here used for disable sslv2 weak cipher suites.

    $ restart resin

    How to verify the installation

    You can check your ssl installation using the following url