Monday, October 1, 2012

SSL certificates commands and tips


Verify an SSL certificate

  1. By SSL verification web site: https://www.ssllabs.com/ssltest/index.html
  2. By openssl:
$ openssl s_client -showcerts -connect test.domain.net:443

How to create a pfx file that includes the private key, the certificate and the certification chain?

$ openssl pkcs12 -export -out test.domain.net_2012.pfx -inkey test.domain.net_2012.key -in test.domain.net_2012.crt -certfile thawtesecca.crt -certfile thawteprimca.crt

How to see the information inside a CSR?

Normally a CSR looks like this:
$ cat test.domain.net_2012.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
But if you run:
$ openssl req -in test.domain.net_2012.csr -noout -text

Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=CA, ST=Quebec, L=Montreal, O=USer Inc., OU=SOC, CN=test.domain.net/emailAddress=soc@test.domain.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1:
                   47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55:
                   a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68:
                   a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c:
                   
                   8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e:
                   bd:dd
               Exponent: 65537 (0x10001)
       Attributes:
           a0:00
   Signature Algorithm: sha1WithRSAEncryption
       7a:90:48:34:cb:70:47:af:54:a2:c2:f4:5e:5a:4c:57:a3:44:
       9b:6d:04:ec:b8:11:59:fb:32:c9:86:f4:a4:2f:5c:ad:df:cb:

       9d:48:08:1d:60:5c:17:fc:f0:9a:13:ed:cd:9b:80:95:85:49:
       6a:4b:54:75
This shows the full contents of the CSR you are going to send for signing.

Check whether the CSR corresponds to the private key

$ diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl req -in test.domain.net_2012.csr -noout -modulus) 
If the diff prints nothing, the moduli are identical and everything is OK.

Check what is inside the certificate you got from the CA (certificate authority)

$ openssl x509 -in test.domain.net_2012.crt -noout -text

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           73:68:b7:62:11:51
       Signature Algorithm: sha1WithRSAEncryption
       Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA
       Validity
           Not Before: Aug 20 00:00:00 2012 GMT
           Not After : Oct 19 23:59:59 2014 GMT
       Subject: C=CA, ST=Quebec, L=Montreal, O=User Inc., CN=test.domain.net
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:a5:83:4e:65:96:36:b6:84:87:85:e0:c3:12:d1:
                   47:21:30:45:b3:d1:be:7e:38:be:8b:41:ab:4b:55:
                   a6:45:85:06:09:e2:35:fb:9f:b8:f2:4e:ab:20:68:
                   a6:d9:6c:1c:c5:87:c1:a1:f5:60:65:44:9a:15:3c:

                   8b:53:3f:6b:64:7e:2e:50:ec:35:1c:71:0f:42:4e:
                   bd:dd
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Alternative Name: 
               DNS test.domain.net
           X509v3 Basic Constraints: 
               CA:FALSE
           X509v3 Certificate Policies: 
               Policy: 2.16.840.1.113733.1.7.54
                 CPS: https://www.thawte.com/cps/
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Authority Key Identifier: 
               keyid:A7:A2:83:BB:34:45:40:3D:A1:01:9F:F6:DB
           X509v3 CRL Distribution Points: 
               Full Name:
                 URI:http://svr-ov-crl.thawte.com/ThawteOV.crl
           X509v3 Extended Key Usage: 
               TLS Web Server Authentication, TLS Web Client Authentication
           Authority Information Access: 
               OCSP - URI:http://ocsp.thawte.com
               CA Issuers - URI:http://svr-ov-aia.thawte.com/ThawteOV.cer
   Signature Algorithm: sha1WithRSAEncryption
       34:3f:66:4f:7b:3e:44:f6:88:d8:de:62:3f:93:34:55:fd:7e:

       20:94:60:f8:6e:99:88:73:8f:86:6b:55:38:31:a1:0a:e2:c0:
       f9:22:0f:e7

Verify that the certificate you got corresponds to the right private key

$ diff <(openssl rsa -in test.domain.net_2012.key -modulus -noout) <(openssl x509 -in test.domain.net_2012.crt -noout -modulus)
If the diff prints nothing, the moduli are identical and everything is OK.
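The two diff commands above compare RSA moduli by hand. The following added example (not from the original post) wraps the same check in a function that detects whether the second file is a CSR or a certificate and compares the public key rather than the modulus, which also covers non-RSA keys. It assumes the openssl CLI is on PATH; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example: does a private key belong to a CSR or certificate?
# Generalises the "openssl ... -modulus | diff" check from the post by comparing
# the SubjectPublicKeyInfo, so it works for RSA and EC keys alike.

pubkey_of() {
    # Print the PEM public key of a private key, CSR or certificate given in $1.
    # An encrypted private key would prompt for its passphrase (add -passin).
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        openssl pkey -in "$1" -pubout
    elif grep -q -e '-----BEGIN .*CERTIFICATE REQUEST-----' "$1"; then
        openssl req -in "$1" -noout -pubkey
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    else
        echo "$1: not a PEM private key, CSR or certificate" >&2
        return 1
    fi
}

key_matches() {
    # $1: private key, $2: CSR or certificate.
    # Exit 0 when the public keys are identical, 1 when they differ,
    # 2 when one of the files could not be read or parsed.
    a=$(pubkey_of "$1") || return 2
    b=$(pubkey_of "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: ./keycheck.sh test.domain.net_2012.key test.domain.net_2012.crt
if [ "$#" -eq 2 ]; then
    if key_matches "$1" "$2"; then echo "MATCH"; else echo "MISMATCH (rc=$?)"; fi
fi
```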

Friday, March 23, 2012

Checking amount of packets dropped by iptables using zabbix

I really love zabbix and I use it for monitoring almost everything. Below I describe how to use it for checking the number of packets dropped by iptables.

Why is it nice to monitor the number of dropped packets? It shows you how much traffic the host firewall blocks, and anomalies in that traffic tell you about an attack (DDoS) or a firewall misconfiguration.
Sure, you can log all dropped packets and analyze the packet log with your SIEM solution.
I propose a simple way to get quick results and improve system protection without a significant investment of money or your time.

1. Get the dropped-packet counters from iptables:
       - if you use the default policy DROP for INPUT (on the "Chain INPUT" line field 5 is the packet counter; field 7 is the byte counter):
         iptables -L -n -v -x | grep "Chain INPUT" | awk '{print $5}'

       - if you use DROP rules (field 1 of a rule line is the packet counter; summing gives one value even with several DROP rules):
         iptables -L -n -v -x | awk '$3 == "DROP" {sum += $1} END {print sum + 0}'

2. Running iptables requires root privileges, so the zabbix agent (which normally runs under the "zabbix" user account) can't do it without the following trick.

Instead of setting the SUID flag on iptables itself (a very bad idea), I propose a small C program that carries the SUID flag and can do only one thing: return the dropped-packet counter:

# vi /usr/bin/iptables_drop.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Minimal SUID helper: the only thing it can do is print the packet counter
 * of the INPUT chain's DROP policy (field 5 of the "Chain INPUT" line). */
int main(void)
{
    /* The SUID bit gives us euid 0; setuid(0) also makes the real uid 0,
     * otherwise the shell started by system() drops the privileges again. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Start from an empty, fixed environment so the caller cannot influence
     * PATH, IFS or similar for the shell that system() spawns. */
    if (clearenv() != 0 || setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1) != 0)
        return 1;
    return system("/sbin/iptables -L -n -v -x | grep 'Chain INPUT' | awk '{print $5}'") == 0 ? 0 : 1;
}

compile:
# gcc iptables_drop.c -o /usr/bin/iptables_drop

change permissions (SUID root, executable by everyone, readable by nobody):
# chmod 4111 /usr/bin/iptables_drop

3. Now let's add a zabbix custom parameter in /etc/zabbix/zabbix_agentd.conf:

UserParameter=iptables.block,/usr/bin/iptables_drop

4. Now add the corresponding item to the zabbix checks list:
The trick here: change the "Store value" parameter to "Delta (simple change)". Zabbix then stores the difference between successive counter readings, i.e. the traffic dropped during each update interval.

Use this new item to build a Graph and stay informed!
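As an added example (not code from the original post), the parsing that step 1 does with grep and awk, written as a function that reads "iptables -L -n -v -x" output, picks the packet counter (not the byte counter) of one chain's DROP policy plus every DROP rule in that chain, and a helper that computes the "simple change" between two readings while treating a counter reset as zero. The iptables output below is constructed sample data.

```shell
#!/bin/sh
# Added example: turn "iptables -L -n -v -x" output into the single number a
# zabbix UserParameter should return. Sample output is constructed.

SAMPLE='Chain INPUT (policy DROP 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10      1200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      42      3360 DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:23
       8       640 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161

Chain FORWARD (policy DROP 5 packets, 300 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 999 packets, 88888 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3       180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25'

dropped_packets() {
    # $1: chain name (e.g. INPUT); iptables -L -n -v -x output comes on stdin.
    # Policy line:  Chain INPUT (policy DROP <pkts> packets, <bytes> bytes)
    #               -> $4 is the policy, $5 the packet counter ($7 would be bytes).
    # Rule line:    <pkts> <bytes> <target> ...  -> $1 packets, $3 target.
    awk -v chain="$1" '
        /^Chain / { cur = $2; if (cur == chain && $4 == "DROP") total += $5; next }
        cur == chain && $3 == "DROP" { total += $1 }
        END { print total + 0 }'
}

counter_delta() {
    # $1: previous reading, $2: current reading. Prints the simple change.
    # A current value below the previous one means the counters were reset
    # (iptables -Z, reboot, rule reload); report 0 instead of a negative number.
    if [ "$2" -lt "$1" ]; then echo 0; else echo $(( $2 - $1 )); fi
}

printf '%s\n' "$SAMPLE" | dropped_packets INPUT   # prints 1284
```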