Adminlogs

LibClamAV Error : Clamd restart issue

July 27, 2022 Author: Admin
No comment yet
Follow

What is the issue ?

Today my team reported that our mail relay server is not working and they are not able to sent e-mails via the test applications.
Whenever I check the mail server I found more than 1000 mails are in queue and mail server is failing to sent/deliver mails to recipients.
In a detailed check its found that clamd service is down and I was not able to restart clamd service. I was getting the following error
```
LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net
```
After some googling its found that the issue is with the version of clamd we were using in our mail server. And the golden words I got from the clamv forum was as follows
```
" ClamAV 0.97.x is no longer supported. The current release of ClamAV is 0.99.2 ".
```
How to fix this issue ??
```
 1.  Download the latest version (0.99.2) of clamd, clamav and clamav-db rpm's and update your mail server. (https://dl.fedoraproject.org/pub/epel/5/x86_64/)
 2.  Restart freshclam and clamd services
```
Reference:-
https://bugzilla.clamav.net/show_bug.cgi?id=11647
[Translate]

ImageMagick critical remote execution vulnerability – CVE-2016-3714

May 5, 2016 Author: Admin

What is ImageTragic !! (CVE-2016-3714 )

In a vulnerable environment , image magic commands will allow remote code execution during conversion of several file formats.

Which are the platforms affected ?

As per RedHat , RedHat 5 , 6 and 7 platforms are affected with this vulnerability.

How to check whether your platform is affected or not ?

Create a .mvg file with the following content and run the convert command as follows. If your platform is vulnerable then the convert command will be able to list the folder contents.

# vi exploit.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

[[email protected] config]# convert exploit.mvg out1.png
total 172
drwxr-xr-x 2 root root  4096 May  5 04:52 .
drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
-rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
-rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
-rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
-rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
-rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
-rw-r--r-- 1 root root   369 May  5 04:42 out1.png
-rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
-rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
-rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
-rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
[[email protected] config]

How to Fix this vulnerability ?

Upgrade your imagemagic packages to 6.9.3-10 or 7.0.1-1 ( As per imagemagic blog this bug patched and released in these versions : refer
Apply the manual patch via policy.xml file. Add additional policies for Imagemagic policy.xml file to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, and MSL commands within image files.

How to apply the manual patch via additional policies ?

Find policy.xml file on your distribution and add the following lines in <policymap> section of your policy.xml file.

# vi policy.xml
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

How to verify the fix ?

After updating the policy.xml file , re run the image magic convert command . If the bug fixed properly then convert command will fail to list the directories.

[[email protected] config]#  convert exploit.mvg out2.png
convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
[[email protected] config]#

References :-

https://access.redhat.com/security/vulnerabilities/2296071

https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594&hilit=CVE+2016+3714

What is LogJam Attack ?

May 21, 2015 Author: Admin

1 Comment

What is LogJam Attack ?

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

Who is Affected ?
Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk for the Logjam attack

How we will prevent this on Application side ?
Update your applications ssl.conf file with the updated SSLCipherSuite and restart the service .

1) Apache
Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order :
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

2) Nginx
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

3) Apache Tomcat  ( in server.xml)
<Connector
ciphers="ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA, DES-CBC3-SHA"
/>

4) Postfix ( /etc/postfix/main.cf )
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Reference : https://weakdh.org

glibc GHOST vulnerability ( CVE-2015-0235 )

January 28, 2015 Author: Admin
No comment yet
Follow

What is glibc ?
Gnu library C or glibc is an implementation of standard c library and its a core member of linux OS .

What is GHOST Vulnerability ?
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.And this bug is reported as CVE-2015-0235. Redhat and CentOS already ready with the fix and you can update your boxes to get the patched version.

Why it is called as GHOST ?
It is called as the GHOST vulnerability as it can be triggered by the GetHOST functions. ( gethostbyname*() set of functions )

Are you safe ?
As per redhat and qualys , most of the systems are vulnerable except those running with glibc-2.17 and glibc-2.18

How to confirm whether you are safe or not ?
qualys.com provided a vulnerability scanning script to check this

~]# rpm -qa | grep glibc
glibc-2.12-1.107.el6_4.2.x86_64
~]# rpm -qa | grep release
centos-release-6-4.el6.centos.10.x86_64

~]# /usr/bin/gcc ghost.c -o ghost
~]# ./ghost
vulnerable

After updating to patched version of glibc
~]# yum upgrade glibc
~]# rpm -qa | grep glibc
glibc-2.12-1.149.el6_6.5.x86_64
~]# ./ghost
not vulnerable
```
~]# cat ghost.c
 #include <netdb.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #define CANARY "in_the_coal_mine"
 struct {
 char buffer[1024];
 char canary[sizeof(CANARY)];
 } temp = { "buffer", CANARY };
 int main(void) {
 struct hostent resbuf;
 struct hostent *result;
 int herrno;
 int retval;
 /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
 size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
 char name[sizeof(temp.buffer)];
 memset(name, '0', len);
 name[len] = '\0';
 retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 if (strcmp(temp.canary, CANARY) != 0) {
 puts("vulnerable");
 exit(EXIT_SUCCESS);
 }
 if (retval == ERANGE) {
 puts("not vulnerable");
 exit(EXIT_SUCCESS);
 }
 puts("should not happen");
 exit(EXIT_FAILURE);
 }
```
References :-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
[Translate]
POODLE: SSLv3.0 vulnerability

October 15, 2014 Author: Admin
1 Comment

Follow

What is POODLE ?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

How to Fix ?

At present there is no working patch for this bug . So that Admin needs to manually disable SSLv3 on their servers .

Disable SSLv3 – Apache

1) Add ”   SSLProtocol All -SSLv2 -SSLv3 ” to httpd.conf

2) Restart apache service .

Disable SSLv3 – Nginx

1) Add   ” ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ” to nginx.conf under ssl section .

2) Restart nginx service .

Disable SSLv3 – PostFix

1) change smtpd_tls_mandatory_protocols to ” smtpd_tls_mandatory_protocols =!SSLv2,!SSLv3 ”

2) Restart postfix server .

Disable SSLv3 – Weblogic

Start weblogic with the following JVM option   ” -Dweblogic.security.SSL.protocolVersion=TLS1 ”

How to Diagnose ?

# openssl s_client -connect localhost:443 -ssl3

==> If you have already disabled sslv3 , then the output will be as follows

CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

==> If you are not disabled the sslv3 and you are getting the following output , then your server is vulnerable to POODLE !!.

CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
verify return:1
—
Certificate chain
0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
   i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]

Reference :-

https://www.openssl.org/~bodo/ssl-poodle.pdf

http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/ssl.html

[Translate]
CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

September 26, 2014 Author: Admin
2 Comments

Follow

After couple of days trouble today we got a fix from Centos for the so famous bash security issue ( For known loop holes
CVE-2014-6271 & CVE-2014-7169 )

CentOS 5 Fix :-

* i386:
( sha256sum ) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 : bash-3.2-33.el5_10.4.i386.rpm

* x86_64:
( sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c : bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6 Fix: –

* x86_64:

http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

* i386:

http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

Test Output : –

[[email protected] ~]# rpm -qa | grep bash
bash-3.2-32.el5

[[email protected] ~]# env X='() { (a)= >\’ bash -c “echo date”;
bash: X: line 0: syntax error near unexpected token `=’
bash: X: line 0: `X () { (a)= >\’
bash: error importing function definition for `X’
date
[[email protected] ~]#

* After updating to latest bash rpm.

[[email protected] ~]# rpm -qa | grep bash
bash-3.2-33.el5_10.4
[[email protected] ~]#

[[email protected] ~]# env X='() { (a)= >\’ bash -c “echo date”;
date
[[email protected] ~]#

Reference :-

http://lists.centos.org/pipermail/centos-announce/2014-September

[Translate]
Again Bash !!! ( CVE-2014-7169 )

September 25, 2014 Author: Admin
No comment yet

Follow

Note : CentOS Fix for CVE-2014-7169

Redhat announced that the fix for CVE-2014-6271 is incomplete and reporting new one CVE-2014-7169 .

As per the latest update they are working to patch this against CVE-2014-7169.

People are able to recreate the bug like the following

/]$ rpm -qa | grep bash

bash-4.1.2-15.el6_5.1.x86_64 ( patched version )

~]$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

/]$ env X='() { (a)= >\’ bash -c “echo date”; cat echo
bash: X: line 0: syntax error near unexpected token `=’
bash: X: line 0: `X () { (a)= >\’
bash: error importing function definition for `X’
date
cat: echo: No such file or directory

/]$ env X='() { (a)=>\’ bash -c “echo echo vuln”; [[ “$(cat echo)” == “vuln” ]] && echo “still vulnerable :(“
bash: X: line 1: syntax error near unexpected token `=’
bash: X: line 1: `’
bash: error importing function definition for `X’
bash: echo: Permission denied
cat: echo: No such file or directory

Waiting for the patch from Redhat .

Referrence : –

https://access.redhat.com/security/cve/CVE-2014-7169

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

[Translate]
Serious Bug with BASH ( CVE-2014-6271 )

September 25, 2014 Author: Admin
No comment yet

Follow

Note : Redhat updated this patch is incomplete and they are working with a new one at the moment ( CVE-2014-7169 ) , Refer for the details for CVE-2014-7169

Affected platforms :-

Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
CentOs 5/6/7

How to test if your version of Bash is vulnerable to this issue or not ?

[[email protected]]# env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
vulnerable
this is a test
[[email protected]]#

Resolution :-

This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

In order to avoid exploitation from CVE-2014-6271, ensure that your system is updated to at least versions of Bash.

# yum update bash

Fix for CentOs platforms

Centos 5

bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

Centos 6
bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

Note : Its always better to reboot your machine after upgrading to the latest bash package . If its a production critical machine and not able to do a quick reboot then please run ” /sbin/ldconfig “

How to make sure your machine/server is secure after the package update ?

Run the above command again

[[email protected]]# env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

Reference :-

https://access.redhat.com/security/cve/CVE-2014-6271

http://lists.centos.org/pipermail/centos/2014-September/146099.html

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

[Translate]
Serious bug with openssl : Heart Bleeding !!!

April 8, 2014 Author: Admin
No comment yet

Follow

Yesterday One of the Google Security Engineer ( Thanks for Neel Mehta of Google Security for discovering the bug) reported a serious bug with current openssl . ( TLS heartbeat read overrun (CVE-2014-0160) )

As per openssl , Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. And its advised to upgrade to OpenSSL 1.0.1g ( https://www.openssl.org/source/openssl-1.0.1g.tar.gz ) to fix this issue or recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

You may need to recompile other services which are associated with openssl like Apache , nginx , php etc . Also its better to renew your ssl cert’s to make sure everything is safe/fine.

How to Check Whether your server/website is affected or not ?

http://possible.lv/tools/hb

References :-

http://heartbleed.com/

https://rhn.redhat.com/errata/RHSA-2014-0376.html

http://www.spinics.net/lists/centos-announce/msg04911.html

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

[Translate]
MySql Replication over SSL

October 16, 2013 Author: Admin
No comment yet
Follow

Scenario : Setup mysql master slave replication over ssl

Master Server : 192.168.1.1

Slave Server   : 192.168.1.2

Confirm your mysql server is compiled/enabled to support ssl connections using the following command

# mysql -u root -p

mysql > show variables like ‘%ssl%’ ;

If you are getting an output some thing like as follows then you can confirm mysql is compiled to support ssl connections

mysql> show variables like ‘%ssl%’;

| have_openssl | DISABLED |

| have_ssl            | DISABLED |

The above shows that mysql is compiled with ssl support but it not enabled in the configuration .

Create Certificates

# cd /var/lib/mysql

# mkdir ssl

>>> Create CA Certificate
```
# openssl genrsa 2048 > ca-key.pem
```
```
# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
```
>>> Create Server Certificate
```
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
```
```
# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
```
>>> Create Client Sertificate .
```
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
```
```
# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
```
Copy the keys to Slave server

# scp ca-cert.pem client-cert.pem client-key.pem [email protected]:/var/lib/mysql/ssl

Master Side configuration

# vi /etc/my.cnf

#bind-address = 127.0.0.1
ssl
ssl-ca=/var/opt/mysql/ssl/ca-cert.pem
ssl-cert=/var/opt/mysql/ssl/server-cert.pem
ssl-key=/var/opt/mysql/ssl/server-key.pem
binlog-do-db=mydatabase
server-id = 1
log_bin = /var/lib/mysql/mysql-bin.log

Note that server id should be unique here for master its 1.

Restart mysql and confirm now ssl values are showing properly in ” mysql > show variables like ‘%ssl%’ ; ”

# mysql –u root –p
```
GRANT all privileges ON *.* TO [email protected]'192.168.1.2' IDENTIFIED BY 'password' REQUIRE SSL;
```
Slave Side Configuration

# vi /etc/my.cnf

bind-address = 0.0.0.0
server-id=2
master-host=192.168.1.1
master-connect-retry=60
replicate-do-db=mydatabase
replicate_ignore_db=dataold
replicate_ignore_db=data_duplicate
slave-skip-errors=all
relay-log=mysql-relay-bin.log

check master status on the master node

mysql > show master status ;

| File | Position | Binlog_do_db | Binlog_ignore_db | +

| mysql-bin.002 | 80600 | mydatabase | | +

Update the log location and Position on Slave

Msql > slave stop;
```
Mysql > CHANGE MASTER TO MASTER_HOST='192.168.1.1', MASTER_USER='replication', MASTER_PASSWORD='password', MASTER_LOG_FILE=' mysql-bin.002', MASTER_LOG_POS=80600, MASTER_SSL=1, MASTER_SSL_CA = '/var/opt/mysql/ssl/ca-cert.pem', MASTER_SSL_CERT = '/var/opt/mysql/ssl/client-cert.pem', MASTER_SSL_KEY = '/var/opt/mysql/ssl/client-key.pem';
```
Mysql > slave start ;

Mysql > show slave status \G ;

*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.1.1
Master_User: replication
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000003
Read_Master_Log_Pos: 12345100
Relay_Log_File: mysql-relay-bin.000002
Relay_Log_Pos: 11381900
Relay_Master_Log_File: mysql-bin.000003
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: mydatabase
Replicate_Ignore_DB:

The above lines which are marked in green shows that replication is working fine from master to slave.
[Translate]

Adminlogs.info

LibClamAV Error : Clamd restart issue

ImageMagick critical remote execution vulnerability – CVE-2016-3714

What is LogJam Attack ?

glibc GHOST vulnerability ( CVE-2015-0235 )

POODLE: SSLv3.0 vulnerability

CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

Again Bash !!! ( CVE-2014-7169 )

Serious Bug with BASH ( CVE-2014-6271 )

Serious bug with openssl : Heart Bleeding !!!

MySql Replication over SSL

Subscribe Adminlogs

Random Posts

Recent Comments