Resin | Adminlogs.info

What is LogJam Attack ?

May 21, 2015 Author: Admin

What is LogJam Attack ?

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

Who is Affected ?
Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk for the Logjam attack

How we will prevent this on Application side ?
Update your applications ssl.conf file with the updated SSLCipherSuite and restart the service .

1) Apache
Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order :
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

2) Nginx
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

3) Apache Tomcat  ( in server.xml)
<Connector
ciphers="ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA, DES-CBC3-SHA"
/>

4) Postfix ( /etc/postfix/main.cf )
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Reference : https://weakdh.org

New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

May 5, 2012 Author: Admin
No comment yet

Follow

Recently some folks reported an interesting and nasty bug with php which will allow an intruder to view the source code and access the file systems.

As per the update from php ( http://php.net ) , this bug has gone unnoticed for at least past 8 years .

# Who all are affected ?

If you are using Apache mod_cgi to run PHP you may be vulnerable to this bug.

# Are you safe ?

Just pass the argument “ ?-s “ to any of your php pages and see. Are you shocked ???
If you pass the following arguments in your site , say example.com :

1 ) http://example.com/index.php?-s
Will dump your source code of the file index.php ( in simple words it will display the content of the file index.php )

2) http://example.com/index.php?-dauto_prepend_file%3d/etc/passwd+-n
Will display your /etc/passwd file !!!!!!!

# Which all php versions are affected ?

The PHP Group – PHP 5.3.11,PHP 5.3.10, 5.4.0 and 5.4.1

# How to fix ?

To fix this, upgrade your php to PHP 5.3.12 or PHP 5.4.2.

# Any Patch ?

Yes , php has provided a temporary work around . I have tested and confirmed ( in php 5.3.10 )that this will close the loop hole .
Apply the following rewrite rule in your sites DocumentRoot .htaccess file .

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

# More Reference ?
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php.net/archive/2012.php#id2012-05-03-1

[Translate]
Resin SSL configuration in five steps !!

August 17, 2011 Author: Admin
No comment yet

Follow

Resin is a powerful web server which will run smoothly with java and html ( it will support php also ). Its very tough to get details about resin except from the www.caucho.com site. Hope that this doc will be helpful for the System admins who are working with resin . Its a simple 5 steps doc to setup ssl certificate for resin.

1) Create Key

openssl genrsa -des3 -out www.adminlgos.info.key 2048

2) Create CSR

openssl req -new -key www.adminlogs.info.key -out www.adminlogs.info.csr

3) Purchase the SSL using the above csr

4) SSL configuration for resin web server
( We should save the ssl key , chainfile ( CA bundle ) and certificate in ” /usr/local/resin/keys ” )

# vi /usr/local/resin/resin.conf

<server id=”adminlogs” address=”192.168.1.2″>
<http id=”adminlogs” address=”192.168.1.2″ port=”8080″/>
<http id=”adminlogs” address=”192.168.1.2″ port=”8443″>
<openssl>
<certificate-file>keys/adminlogs.crt</certificate-file>
<certificate-key-file>keys/adminlogs.key</certificate-key-file>
<certificate-chain-file>keys/admin-inter.txt</certificate-chain-file>
<password>password</password>
</openssl>
</http>
</server>

Terms : –
certificate-file : SSL certificate location
certificate-key-file : SSL key file location
certificate-chain-file : chain file location
chain file contains both ca bundle and ssl certificate
For example you should create the file as follows , certificate first and then ca bundle.
cat adminlogs.crt >> admin-inter.txt
cat intermediate.txt >> admin-inter.txt

password : Password given at the time of SSL Key creation in first step

5) Restart resin

/usr/local/resin/bin/resin-servers.sh restart

[Translate]
Are you worried about ssl certificate expiry ?

July 20, 2011 Author: Admin
3 Comments
Follow

Are you worried about ssl certificate expiry ? I found a good solution for that 🙂 . This script will monitor the ssl certificate expiry and will provide e-mail notifications when a certificate is getting close to expire !!!

1) Download and setup the script for execution
```
wget http://prefetch.net/code/ssl-cert-check
chmod 744 ssl-cert-check
```
2) To find the ssl expiry details of a local certificate
```
./ssl-cert-check -c  /usr/local/sss/adminlogs.crt
```
3) To find the ssl expiry details of a remote domain
```
./ssl-cert-check -s www.adminlogs.info -p 443
```
4) To find the ssl expiry details of a list of domains

If you are managing a number of domains , you can place the domains in a file with port number as follows

# vi /home/domainlist
www.adminlogs.info 443
www.google.com 443
www.yahoo.com 443

Then save the file and execute the script with the option ” -f ”
```
./ssl-cert-check -f  /home/domainlist  ./ssl-cert-check -i -f domainlist
```
here ” i ” will give the details of ssl provider/issuer
5) Setup e-mail alerts if ssl expiry date is less than or equal to 20 days

ssl-cert-check can provide e-mail notifications when a certificate is getting close to expiring. The expiration interval can be controlled with ssl-cert-check’s “-x” (expiration interval) option, and the e-mail address to send notifications can be passed as an argument to the “-e” (e-mail address to send alerts) option.
```
./ssl-cert-check -a  -f   /home/domainlist  -q -x 20 -e  [email protected]
```
You can add the above command in cron and monitor your ssl certificate validity .

You can find more ssl related stuffs here : most-common-openssl-commands

Thank you prefetch.net for this excellent script !!!
[Translate]
Resin webserver setup with Java and mysql

June 29, 2011 Author: Admin
2 Comments
Follow

As per caucho.com , Resin provides a fast standalone web server. It serves static pages faster than Apache! .Resin will work well with php,java and mysql.

We can compile resin in two ways, one as a module of apche and the second one as a standalone webserver. Here i am discussing the installation and configuration of resin stand alone webserver with java and mysql.

When running as a daemon (eg, resin.sh start) Resin Watchdog Manager is the watchdog and Resin is the actual Resin instance. When running Resin as a foreground process, the process list displays resin.jar, which acts as the watchdog.

The Resin Watchdog Manager is the parent process, providing automatic restarting Resin in cases of failure, and providing a single point of control for the start, stop and restart of all Resin processes. It is responsible for launching Resin with the correct JVM arguments and environment options such as starting Resin as the specified user, e.g. for <user-name> on unix.

Resin Watchdog Manager watches Resin via a Socket connection. When the watchdog socket closes, Resin shuts itself down gracefully. The watchdog closes the socket on a stop or restart or if the watchdog itself is killed. If Resin exits for any reason, the watchdog will automatically start a new Resin process. This socket connection approach avoids the need for any signals or actual killing of Resin from the watchdog, and also makes it easy to stop all the Resins if necessary by just killing the watchdog.

The Resin Watchdog Manager doesn’t actually kill Resin or even check Resin’s status, it just checks to see if Resin is alive or not. So if the JVM were to completely lock up, the watchdog would still think Resin was okay and would take no action.

Because the watchdog is always managing Resin processes, if you ever need to stop Resin with kill, you must kill the watchdog. Just killing the Resin process results in the watchdog restarting it automatically.

The watchdog will log to log/watchdog-manager.log. The Resin standard out/err is log/jvm-servername.log. Resin Watchdog Manager is responsible for creating both of these log files, so jvm-servername.log is not really under the control of the Resin instance. This makes it somewhat more reliable in case of JVM deadlocks, etc.

1) Install JAVA

Download java
# wget http://download.oracle.com/otn-pub/java/jdk/6u26-b03/jdk-6u26-linux-x64.bin

Make sure that execute permissions are set
# chmod +x jdk-6u26-linux-x64.bin

Run the self-extracting binary.
# ./jdk-1_6_26_<version>-linux-i586.bin

Create softlink
# ln -s /usr/java/jdk-1_6_26_(version) /usr/java/jdk

Add JAVA_HOME and set classpath

# vi /etc/profile
(add the following after the line “export PATH LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC” )

export JAVA_HOME=/usr/java/jdk
export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/bin
export CLASSPATH=$CLASSPATH:/usr/java/jdk/lib/tools.jar
export CLASSPATH=$CLASSPATH:/usr/java/jdk/bin:/usr/java/jdk/jre/lib/rt.jar
export PATH=$PATH:$JAVA_HOME/bin

Check the java version

# java -version
java version “1.6.26_00”

2) Install Mysql

You can refer the following lik to install mysql : LAMP server setup

3) Install Resin

Resin is a fast JavaEE 6 web server. It is built on our distributed-agent technology for the elastic cloud. Our administration and health monitoring tools provide statistics, troubleshooting and application management. The resin cloud scales messaging, caching, load balancing and deployment services for new servers without a need for configuration. Resin runs on all major operating systems .Resin is coming with two version free and licensed version. Resinpro is the license version. Installation and setup is same for both the servers.

# wget http://www.caucho.com/download/resin-pro-4.0.19.tar.gz
# tar -vzxf resin-pro-4.0.19.tar.gz
# cd resin-pro-4.x.x
# ./configure –prefix=/usr/local/resin
( This will configure Resin to install in /usr/local/resin, with support for OpenSSL if it was detected )
# make
# make install
# ln -s /usr/local/resin-pro-4.x.x /usr/local/resin
# vi /etc/profile
( add RESIN_HOME in file )
RESIN_HOME=/usr/local/resin
export RESIN_HOME

4) Configure app-default.xml ( you can use the default configuaration files in /usr/local/resin/conf/app-default.xml directory after making necessary changes )

Its a global configuration file to declare variable for all the hosts ( with different resin.conf )

The <web-app-default> directive is a default configuration for all [web-apps|web-app] in a [host]. It can contain all the children of a <[web-app]> directive. It can be particularly useful with the <[web-app-deploy]> directive in combination with <[resin:import|resin import]>.

Example configuration :-

<web-app-default>
<class-loader>
<compiling-loader path=”WEB-INF/classes”/>
<library-loader path=”WEB-INF/lib”/>
</class-loader>

5) Configure resin ( you can use the default configuaration files in /usr/local/resin/conf directory after making necessary changes )

Resin uses a tag-based xml configuration file, usually as resin.conf . Default resin configuration will be in RESIN_HOME/conf/resin.conf . We can give any name for the
resin conf , for example we can give adminlogs.conf.

Vi /usr/local/resin/conf/resin.conf
<!–
– Management configuration
– Remote management requires at least one enabled admin user.
– Following section , whenever server load reaches 10 resin will restart the service automatically.
–>
<management>
<user name=”admin” password=”password==”/>
<user name=”resin” password=”password==”/>
<deploy-service/>
<jmx-service/>
<log-service/>
<stat-service>
<cpu-load-exit-threshold>10.0</cpu-load-exit-threshold>
<cpu-load-log-info-threshold>3.0</cpu-load-log-info-threshold>
<cpu-load-log-warning-threshold>5.0</cpu-load-log-warning-threshold>
<cpu-load-thread-dump-threshold>8.0</cpu-load-thread-dump-threshold>
<sample-period>30s</sample-period>
<thread-dump-interval>60m</thread-dump-interval>
</stat-service>
<xa-log-service/>
</management>

<!–
– SMTP server for sending mail notifications
–>
<system-property mail.smtp.host=”127.0.0.1″/>
<system-property mail.smtp.port=”25″/>

<!–
– Sets the default character encoding to utf-8
–>
<character-encoding>utf-8</character-encoding>

<!–
– Configures the keepalive
–>
<keepalive-max>128</keepalive-max>
<keepalive-timeout>15s</keepalive-timeout>
<!–
-Configure Memory and cache
–>
<server-default>
<thread-max>1024</thread-max>
<jvm-arg>-Xmx1024M</jvm-arg>
<jvm-arg>-Xms1024M</jvm-arg>
<memory-free-min>5M</memory-free-min>
</server-default>
<cache path=”cache” memory-size=”512M” disk-size=”2048M”>

<!–
– Check website status and restart the server if its not listening to port 8080
-( Starts a thread that periodically makes a request to the server, and restarts Resin if it fails. This facility is used to increase server reliability – if there is a problem with the server (perhaps from a

-deadlock or an exhaustion of resources), the server is restarted. A failure occurs if a request to the url returns an HTTP status that is not 200 )
–>
<ping>
<url>http://www.adminlogs.info:8080/websiteup.jsp</url>
<sleep-time>1m</sleep-time>
<try-count>4</try-count>
<!– a very busy server –>
<socket-timeout>30s</socket-timeout>
<!–mail notification when ping fails–>
<mail-to>[email protected]</mail-to>
<mail-from>[email protected]</mail-from>
<mail-subject>Resin ping has failed for server ${server.name}</mail-subject>
</ping>

<!–
-VirtualHost Section
–>

<server id=”adminlogs” address=”192.168.0.2″>
<http id=”adminlogs” address=”192.168.0.2″ port=”8080″/>
<http id=”adminlogs” address=”192.168.0.2″ port=”8443″>

<!–
-SSL configuration starts here
–>
<openssl>
<certificate-file>keys/adminlogs.crt</certificate-file>
<certificate-key-file>keys/adminlogs.key</certificate-key-file>
<certificate-chain-file>keys/inter-chain.txt</certificate-chain-file>
<password>password</password>
<protocol>-ALL +SSLv3 +TLSv1</protocol>
<cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
</openssl> </http>
</server>
```
 <host id="">
 <root-directory>/usr/local/resin/webapps</root-directory>
 <document-directory>/usr/local/www/hosts/www.adminlogs.info/webapps/ROOT</document-directory>
 <access-log path="/usr/local/www/hosts/www.adminlogs.info/logs/access.log" format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"' rollover-period="1D"/>
 <stdout-log path="/usr/local/www/hosts/www.adminlogs.info/log/stdout.log" rollover-count='7' timestamp='%H:%M:%S: ' rollover-period='1D'/>
 <stderr-log path="/usr/local/www/hosts/www.adminlogs.info/log/stderr.log" rollover-count='4' timestamp='%d/%m/%y %H:%M:%S: ' rollover-period='1W'/>
 <web-app id='/'>
 <servlet-mapping url-pattern="/servlet/*" servlet-name="invoker"/>
 </web-app>
 <class-loader>
 <compiling-loader path='corresponding class file location'/>
 <compiling-loader path='corresponding java core files'/>
 <library-loader path='corresponding lib path'/>
 </class-loader>

 <database>
 <jndi-name>jdbc/mysql/dbPool</jndi-name>
 <prepared-statement-cache-size>8</prepared-statement-cache-size>
 <max-connections>100</max-connections>
 <max-idle-time>30s</max-idle-time>
 <driver type="org.gjt.mm.mysql.Driver">
 <url>jdbc:mysql://localhost:3306/DBNAME?autoReconnectForPool=true&amp;autoReconnect=true&amp;useUnicode=true&amp;characterEncoding=UTF-
8&amp;zeroDateTimeBehavior=convertToNull&amp;useOldAliasMetadataBehavior=true</url>
 <user>DBUSER-NAME</user>
 <password>DB-PASSWORD</password>
 </driver>
 </database>

 </host>
```
Once you complete the resin.conf setup , then you need to upload your files to your document root and setup web.xml in WEB-INF/web.xml

6) Setup web.xml

vi /usr/local/www/hosts/www.adminlogs.info/webapps/ROOT/WEB-INF/web.xml
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
 <context-param><param-name>WebsiteName</param-name><param-value>Adminlogs Live</param-value></context-param>
 <context-param><param-name>WebsiteType</param-name><param-value>Live</param-value></context-param>
 <context-param><param-name>ExternalHostName</param-name><param-value>www.adminlogs.info</param-value></context-param>
 <context-param><param-name>SecondaryHostNames</param-name><param-value>www2.adminlogs.info</param-value></context-param>
 <context-param><param-name>InternalHTTPPort</param-name><param-value>8080</param-value></context-param>

 <context-param><param-name>Database-jndi-name</param-name><param-value>jdbc/mysql/dbPool</param-value></context-param>
 <context-param><param-name>DbName</param-name><param-value>DB-NAME</param-value></context-param>
 <context-param><param-name>Replication</param-name><param-value>Yes</param-value></context-param>
 <context-param><param-name>UseNewComponentMethod</param-name><param-value>No</param-value></context-param>

 
```
7) Configure resin startup script to start/stop and restart

vi /usr/local/resin/bin/resin-server.sh
```
#!/bin/sh
#
# resin         This shell script takes care of starting and stopping
#               the Resin Webserver service.
#
JAVA_HOME=/usr/java/jdk
export JAVA_HOME
RESIN_HOME=/usr/local/resin
export RESIN_HOME
SERVER_ROOT=/usr/local/resin
export SERVER_ROOT
PATH=/bin:/usr/bin/:/usr/local/bin
export PATH
CURRENT_USER="`id | sed 's/uid=[0-9][0-9]*($[^)]*$).*/\1/'`"
USER=resin
if [ $USER = $CURRENT_USER ] ; then
$RESIN_HOME/bin/httpd.sh -server-root $SERVER_ROOT -conf $SERVER_ROOT/conf/resin.conf -server adminlogs $*
else
su - $USER -c "$RESIN_HOME/bin/httpd.sh -server-root $SERVER_ROOT -conf $SERVER_ROOT/conf/resin.conf -server adminlogs $*"
fi
 
```
8 ) Setup IPTABLE rules for port forwarding.

resin will listen on the ports 8080 and secure port 8443. We need to write our firewall rules to forward the communication from http port 80 to resin ports
```
#  iptables -t nat -A PREROUTING -d 192.168.0.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080
```
```
#  iptables -t nat -A PREROUTING -d 192.168.0.2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.2:8443
```
# /etc/init.d/iptables save

10 ) Start resin

We can start resin as the user resin only , first we need to switch to resin user as follows ( Also if you are using resin pro, then you should update the license file to ” /usr/local/resin/licenses/license-filename.license ” )

# su resin –
# /usr/local/resin/bin/resin-servers.sh start

11) Logs

As per the resin configuration , resin will write the logs for adminlogs.info in to the log directory of each host . If resin is not starting properly you need to check the following logs to find the cause.

tail -f /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
tail -f /usr/local/www/hosts/www.adminlogs.info/log/stderror.log

Optional section : – Resin directives

>>> Connection settings configuration

keepalive-max : the maximum number of keepalive connections
keepalive-timeout : the maximum time a connection is maintained in the keepalive state
thread-max : maximum number of working threads
spare-thread-min: minimum number of spare working threads

>> ssl configuration

certificate-file: the file containing the server’s certificate
certificate-key-file : the file containing the server’s certificate key, if separate from certificate-file
password: the certificate key password
certificate-chain-file: A file containing an intermediate (untrusted) and root (trusted) certificate ( same as CA bundle )
protocol: SSLProtocol
cipher-suite :SSLCipherSuite

>>> Server Status configuration

Ping Starts a thread that periodically makes a request to the server, and restarts Resin if it fails. This facility is used to increase server reliability – if there is a problem with the server (perhaps from a deadlock or an exhaustion of resources), the server is restarted.A failure occurs if a request to the url returns an HTTP status that is not 200.

url : A url to ping.
sleep-time: Time to wait between pings. The first ping is always 15m after the server starts, this is for subsequent pings.
try-count: If a ping fails, number of times to retry before giving up and restarting
retry-time: time between retries
socket-timeout :time to wait for server to satrt responding to the tcp connection before giving up
stat-service:periodically checks the status of the server, and reports errors as necessary.
cpu-load-exit-threshold : CPU load triggering a Resin exit (and restart)
cpu-load-log-info-threshold: CPU load triggering a log message at the info level
cpu-load-log-warning-threshold:CPU load triggering a log message at the warning level
cpu-load-log-thread-dump-threshold: CPU load triggering thread dump to the log
sample-period:how often to sample the statistics
thread-dump-interval: minimum time between thread dumps

>>> Memory Configuration

Memory-free-min :   improves server reliability by detecting low-memory situations caused by memory leaks and forcing a clean server restart. Since Resin’s watchdog service reliably restarts the server, a website can improve stability by forcing a restart before memory becomes a major problem. The memory-free-min restart will also log a warning, notifying the developers that a potential memory leak needs to be resolved.

The allocation of memory for the JVM is specified using -X options when starting Resin
It is good practice with server-side Java applications like Resin to set the minimum -Xms and maximum -Xmx heap sizes to the same value.

-Xms    initial java heap size
-Xmx    maximum java heap size
-Xmn    the size of the heap for the young generation

As you know its a vast subject and not that much easy to document in a single post. I have tried my best to include all the necessary things to setup a website in resin . Hope this info will helps 🙂
Reference : http://www.caucho.com/
[Translate]
Admin Tips 2 : Monitor linux services using bash script

June 20, 2011 Author: Admin
No comment yet
Follow

Scenario : –

In one of my resin server, resin service was crashing due to some resource usage. It was happening at night time.

I used the following script to monitor the status and restart resin if its not running .

# vi /home/resin/check-resin.sh
```
#!/bin/sh
run=`ps ax | grep /usr/java/jdk1.6.0_14/bin/java | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
then
echo "resin is running" > /home/resin/check_resin.log
else
/usr/local/resin/bin/resin-servers.sh restart
mail -s "resin server restarted by check-resin script " admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
fi
```
Or the issue is only for a single website ( shared resin hosting ) , you can use the following script and restart the respective server only.

# vi /home/resin/check-resin.sh
```
#!/bin/sh
cd /tmp
wget www.adminlogs.info:8080
if [ $? -gt 0 ]; then
/usr/local/resin/bin/resin-adminlogs.sh restart
mail -s "adminlogs resin server restarted by check-resin script "  admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
fi
```
$? contains the return code of the last executed process. -gt means greater than. Usually programs return zero on success or something else on failure

After making the following small changes ( use appropriate daemon) you can use the above script to monitor other services like Apache, ftpd,mysql etc as follows :-

For example :-

# Vi check_httpd.sh

#!/bin/sh
run=`ps ax | grep /usr/local/apache/bin/httpd | grep -v grep | cut -c1-5 | paste -s -`
if [ “$run” ];
then
echo “apache is running” > /home/admin/check_httpd.log
else
/usr/local/apache/bin/apachectl -k restart
mail -s “Apache server restarted by check-httpd script ” admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

Or ( only for apache )

# Vi check_httpd.sh

#!/bin/sh
cd /tmp
wget adminlogs.info:80
if [ $? -gt 0 ]; then
/usr/local/apache/bin/apachectl -k restart
mail -s “Apache server restarted by check-httpd script ” admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

Add the script to crontab ( It will check the status in every 5 minutes )

*/5 * * * * /bin/bash check_httpd.sh

Its worked fine and now I have no worry about that website and getting good sleep 🙂
[Translate]
ssl configuration for webservers

April 22, 2011 Author: Admin
No comment yet

Follow

Today more and more people are becoming aware of the hazards of insufficient online security measures. Its time to become smart and start taking online security seriously. The first step towards this is to have a padlock icon and the prefix https in the address bar, to ensure the safety of your online information

An SSL Certificate, also abbreviated as Secure Socket Layer, is a digital certificate which authenticates the identity of a Website. It also encrypts the information before sending it to the server. An SSL Certificate acts as an online digital passport that contains the credentials of the online business. When an Internet user tries to send confidential information over the internet to the server, the users browser accesses the server’s digital certificate and establishes a secure connection

How to purchase a ssl certificate.

1) create a CSR and private key for your domain

2) contact the ssl providers like www.verisign.com or www.thawte.com with this CSR and purchase ssl certificate. There are different types of ssl certs like secure server, extended valid etc. For multiple domains you can use wild card ssl certificates and this can be used with all the domains under *.adminlogs.info .

3) You need to install the purchased SSL certificate in your webserver

For generating CSR and Key refer : SSL commands

$ Configure ssl for Apache

You should use a dedicated IP to configure ssl for your domain.

<VirtualHost 192.168.0.10:443>
DocumentRoot /home/admin/public_html
ServerName www.adminlogs.info

SSLEngine on
SSLCertificateFile /usr/local/ssl/www.adminlogs.crt
SSLCertificateKeyFile /usr/local/ssl/www.adminlogs.key
SSLCertificateChainFile /usr/local/ssl/www.adminlogs.ca
</VirtualHost>

Adjust the file names to match your certificate files:

* SSLCertificateFile should be your purchased certificate file .
* SSLCertificateKeyFile should be the key file generated when you created the CSR.
* SSLCertificateChainFile should be the intermediate certificate file provided by the SSL provider

If the SSLCertificateChainFile directive does not work, try using the SSLCACertificateFile directive instead.

$ restart apache

Configure ssl for Resin web server

ssl key file location is : /usr/local/resin/keys/

$ vi /usr/local/resin/resin.conf

<server id=”www.adminlogs” address=”192.168.0.10″>
<http id=”www.adminlogs” address=”192.168.0.10″ port=”8080″/>
<http id=”www.adminlogs” address=”192.168.0.10″ port=”8443″>

<openssl>
<certificate-file>keys/www.adminlogs.crt</certificate-file>
<certificate-key-file>keys/www.adminlogs.key</certificate-key-file>
<certificate-chain-file>keys/inter-adminlogs.txt</certificate-chain-file>
<password>pass</password>
<protocol>-ALL +SSLv3 +TLSv1</protocol>
<cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
</openssl>
</http>
</server>

Protocol & cipher-suite directives here used for disable sslv2 weak cipher suites.

$ restart resin

How to verify the installation

You can check your ssl installation using the following url

http://www.digicert.com/help/

[Translate]

What is LogJam Attack ?

New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

Resin SSL configuration in five steps !!

Are you worried about ssl certificate expiry ?

Resin webserver setup with Java and mysql

Admin Tips 2 : Monitor linux services using bash script

ssl configuration for webservers

Subscribe Adminlogs

Random Posts

Recent Comments