Security

Query list of ciphers supported by a server

nmap --script ssl-enum-ciphers -p 443 example.com
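Added example, not part of the original notes: a shell triage of ssl-enum-ciphers output. The scan text embedded below is constructed in the script's output format (it is not a real scan), and the weak-cipher thresholds are this example's own. The last function splits a suite name into the algorithms a cipher suite is built from (key exchange, authentication, bulk cipher, hash), which the cipher-suite section at the end of these notes refers to.

```shell
#!/bin/sh
# Added example, not from the original notes. Triage `nmap --script
# ssl-enum-ciphers` output offline. SAMPLE_SCAN is constructed text in the
# script's output format, not a real scan result.

SAMPLE_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C'

# suites [FILE]: one "PROTOCOL SUITE GRADE" line per offered cipher,
# reading nmap output from FILE or stdin. Grades are nmap's letter scores.
suites() {
    awk '
        /^\|   (SSLv3|TLSv1\.[0-3]):/ { proto = $2; sub(/:$/, "", proto) }
        /^\|       TLS_/             { print proto, $2, $NF }
    ' "$@"
}

# weak_findings [FILE]: flag legacy protocol versions first, then any suite
# nmap graded below A, then suites built on primitives that should be gone
# (3DES, RC4, NULL, export grades, MD5). Thresholds are this example's own.
weak_findings() {
    suites "$@" | awk '
        $1 == "SSLv3" || $1 == "TLSv1.0" || $1 == "TLSv1.1" { print "legacy-protocol", $1, $2; next }
        $3 != "A"                                          { print "weak-grade-" $3, $1, $2; next }
        $2 ~ /3DES|RC4|NULL|EXPORT|_MD5/                   { print "weak-primitive", $1, $2 }
    '
}

# suite_parts NAME: split a suite name into the algorithms it is made of.
# TLS 1.2 names are TLS_<kx>_<auth>_WITH_<cipher>_<hash>; a bare "RSA"
# before WITH means RSA key transport and RSA authentication. TLS 1.3 names
# (TLS_AES_128_GCM_SHA256) carry only the AEAD cipher and the HKDF hash,
# because key exchange and signature algorithm are negotiated separately.
suite_parts() {
    name=$1
    case $name in
        *_WITH_*) kxauth=${name#TLS_}; kxauth=${kxauth%%_WITH_*}; rest=${name#*_WITH_} ;;
        *)        kxauth=TLS13; rest=${name#TLS_} ;;
    esac
    hash=${rest##*_}
    cipher=${rest%_*}
    case $kxauth in
        TLS13) kx=negotiated; auth=certificate ;;
        *_*)   kx=${kxauth%%_*}; auth=${kxauth#*_} ;;
        *)     kx=$kxauth; auth=$kxauth ;;
    esac
    echo "kx=$kx auth=$auth cipher=$cipher hash=$hash"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | weak_findings
```

Feed a real scan with `nmap --script ssl-enum-ciphers -p 443 host | weak_findings`; the protocol check fires before the grade check so a suite on TLS 1.0 is reported once, as a protocol problem.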

Things that go in a certificate

The Subject entries are attributes of the subject distinguished name (DN); the short names are the RFC 4514 ones (E is the older emailAddress attribute).

Subject: CN      the subject's common name (historically the hostname, but see the note on SAN below)
Subject: E       the subject's e-mail address
Subject: L       the subject's locality (city)
Subject: ST      the subject's state or province
Subject: O       the organization the subject belongs to
Subject: OU      the organizational unit within that organization
Subject: C       the subject's country (two-letter code)
Subject: STREET  the subject's street address
Subject: ALL     the subject's complete distinguished name
Serial           the serial number; unique for every certificate a given CA issues
SignatureAlg     the algorithm the CA used to sign the certificate, e.g. sha256WithRSAEncryption
BeginDate        notBefore: the date at which the certificate becomes valid
EndDate          notAfter: the date at which the certificate expires
PublicKey        the subject's public key
FriendlyName     a label the local certificate store attaches; it is not a field inside the certificate and is not covered by the signature

Not in that list, but the fields that actually get checked: the Issuer DN (who signed it), the Subject Alternative Name extension (the DNS names or IP addresses a TLS client matches the hostname against; modern browsers ignore the CN for hostname matching, see RFC 6125), and Key Usage / Extended Key Usage (what the key may be used for, e.g. serverAuth).
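Added example, not from the original notes: generate a throwaway self-signed certificate with a SAN and read the fields above back out with openssl. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); the subject values and hostnames are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Generate a throwaway
# self-signed certificate and read the fields above back out with openssl.
# Assumes OpenSSL 1.1.1 or newer (-addext, -ext); the subject values and
# hostnames are made up for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert: write key + cert into $WORK, print the cert path.
# -addext puts the hostnames into subjectAltName, which is what a TLS
# client actually matches against; the CN is informational.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=Ops/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# subject_attr CERT ATTR: one attribute (CN, O, OU, L, ST, C ...) of the subject DN.
# RFC2253 formatting gives "CN=...,OU=...,O=..."; a value containing an
# escaped comma would need a real parser, which is fine for this example.
subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# The algorithm the issuer signed with, e.g. sha256WithRSAEncryption.
cert_sigalg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'; }

# notBefore / notAfter, the BeginDate and EndDate above.
cert_dates() { openssl x509 -in "$1" -noout -dates; }

# DNS names from the subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tail -n +2 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_host CERT HOST: exit 0 if openssl's own hostname check
# (SAN first, CN only as a fallback) accepts HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match'
}

# Stand-alone run, skipped where openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    CERT=$(make_test_cert)
    echo "CN:      $(subject_attr "$CERT" CN)"
    echo "serial:  $(cert_serial "$CERT")"
    echo "sigalg:  $(cert_sigalg "$CERT")"
    cert_dates "$CERT"
    echo "SANs:    $(cert_sans "$CERT" | tr '\n' ' ')"
    cert_matches_host "$CERT" example.com && echo "example.com: matches"
fi
```

Point the same functions at a real certificate fetched with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` to check what a server actually presents.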

selinux example:

ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The context reads user:role:type:level. Under the targeted policy almost every rule is written against the type (user_home_t here), which is why the denials below are fixed by changing a type label or flipping a boolean.

also see /etc/selinux/targeted/contexts/users/

SELinux/Nginx error

sudo grep nginx /var/log/audit/audit.log | grep denied (or sudo ausearch -m avc -c nginx) shows something like this:

type=AVC msg=audit(1445306182.317:301): avc:  denied  { name_connect } for  pid=5939 comm="nginx" dest=4374 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Read it as: the source (nginx, which runs as httpd_t under the targeted policy) was denied name_connect on a tcp_socket whose port is typed unreserved_port_t, i.e. an outbound connection to port 4374. That is a network boolean problem, not a file-label problem.

Someone found that running the following commands fixed their issue:

sudo grep nginx /var/log/audit/audit.log | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp

This works because audit2allow writes a policy module (mynginx.te, compiled to mynginx.pp) that allows exactly the accesses that were denied. Read mynginx.te before loading it: it covers every denial the grep matched, including ones unrelated to the problem, and it is easy to end up with a rule far broader than the boolean you actually needed.

Or something like this:

chcon -Rt httpd_sys_content_t /srv/www/myapp/

..to change the security context of the directory recursively so nginx will be allowed to serve it. chcon only rewrites the label on disk; the next relabel (restorecon, or a touch /.autorelabel reboot) puts it back to whatever the file-context database says. For a permanent fix record the path with semanage fcontext -a -t httpd_sys_content_t and then run restorecon -R on it. Followed by:

setsebool -P httpd_can_network_connect 1

..which is the boolean the AVC above is asking for (-P makes it survive a reboot); it lets httpd_t open outbound TCP connections to any port. If nginx only proxies to local web or app ports, the narrower httpd_can_network_relay may be enough.
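Added example, not from the original notes: a small AVC parser that extracts the same fields audit2allow works from and prints the targeted fix (boolean or relabel) instead of a blanket allow. The two audit lines are constructed to mirror the nginx denial above plus a file-read denial; they are not a real log.

```shell
#!/bin/sh
# Added example, not from the original notes. Pull the fields out of AVC
# denials the way audit2allow reads them, and print a suggested fix instead
# of generating a blanket allow rule. SAMPLE_AUDIT is constructed to mirror
# the nginx denial above plus a file-read denial; it is not a real log.

SAMPLE_AUDIT='type=AVC msg=audit(1445306182.317:301): avc:  denied  { name_connect } for  pid=5939 comm="nginx" dest=4374 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1445306190.102:302): avc:  denied  { read open } for  pid=5939 comm="nginx" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1445306190.102:302): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"'

# avc_summary [FILE]: one "PERMS SOURCE_TYPE TARGET_TYPE CLASS" line per
# denial. The type is the third field of a context (user:role:type:level);
# several permissions inside { } are joined with "+".
avc_summary() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            perms = ""; stype = ""; ttype = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : "+") $j
                } else if (index($i, "scontext=") == 1) {
                    split(substr($i, 10), p, ":"); stype = p[3]
                } else if (index($i, "tcontext=") == 1) {
                    split(substr($i, 10), p, ":"); ttype = p[3]
                } else if (index($i, "tclass=") == 1) {
                    cls = substr($i, 8)
                }
            }
            print perms, stype, ttype, cls
        }
    ' "$@"
}

# suggest_fix [FILE]: map the common httpd_t denials to the targeted fix.
# A boolean or a relabel keeps the shipped policy intact; audit2allow is the
# last resort, and its .te file should be read before semodule -i.
suggest_fix() {
    avc_summary "$@" | while read -r perms stype ttype cls; do
        case "$stype $cls $ttype $perms" in
            "httpd_t tcp_socket "*"_port_t name_connect")
                echo "$stype -> $ttype ($perms): outbound connect; setsebool -P httpd_can_network_connect 1" ;;
            "httpd_t file "*|"httpd_t dir "*)
                echo "$stype -> $ttype ($perms): wrong file label; semanage fcontext -a -t httpd_sys_content_t 'PATH(/.*)?' then restorecon -Rv PATH" ;;
            *)
                echo "$stype -> $ttype ($perms): no canned fix, check the policy with sesearch before reaching for audit2allow" ;;
        esac
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | suggest_fix
```

Run it against the real log with `sudo suggest_fix /var/log/audit/audit.log`; the summary lines are also what to paste into a ticket, since they carry the source type, target type, class and permission without the per-process noise.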

SElinux Apache static html

sudo chcon -R -v -t httpd_sys_content_t index.html

httpd_sys_content_t is the read-only type for static content. httpd_sys_rw_content_t additionally lets Apache write to the file, which a static page should not need; keep it for upload or cache directories. -v prints each change, and the persistence caveat for chcon above applies here too.

Nmap one liners

nmap -sS -Pn -sV -O 192.168.0.58     # SYN scan, skip host discovery, service versions and OS guess; -sS and -O need root (-P0 is the old spelling of -Pn)
nmap -sn 192.168.0.*                 # host discovery only, no port scan (-sP is the old spelling of -sn)
nmap -sn 192.168.0.2-254
nmap -T4 -sn 192.168.0.0/24 && grep -E "00:00:00:00:00:00" /proc/net/arp   # after the sweep, ARP entries left with an all-zero MAC are addresses on the local subnet that never answered

Make a password hash in linux (without adding the user)

mkpasswd --method=SHA-512

mkpasswd comes from the whois package on Debian/Ubuntu. It prompts for the password and prints the $6$... crypt hash that goes into the second field of /etc/shadow (or is passed to useradd -p). --method=help lists what the local libcrypt supports; newer systems default to yescrypt. If mkpasswd is not installed, openssl passwd -6 produces the same SHA-512 crypt format.

IPtables port forwarding

Use case: tomcat runs as an unprivileged user on 8443 and should answer on 443 (binding a port below 1024 needs root).

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443

This redirects all traffic arriving on eth0 for port 443 to the tomcat listener on 8443; the same rule with 80 and 8080 does it for plain HTTP. REDIRECT in PREROUTING only sees packets that come in through an interface, so connections made on the host itself (curl https://localhost) are not redirected and must use 8443, or need a matching rule in the nat OUTPUT chain. The rule is also not persistent: save it with iptables-save or the distribution's persistence mechanism.

(picked from here: https://mihail.stoynov.com/2011/04/04/howto-start-tomcat-on-port-80-without-root-privileges/)

To view or flush it, the usual -L and -F only act on the filter table, so name the nat table:

iptables -t nat -L -n -v
iptables -t nat -F      # flushes every nat rule, including any MASQUERADE rules
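Added example, not from the original notes or the linked post: a generator for the redirect above in iptables-restore format. The interface and ports are parameters (eth0, 443 and 8443 are the values assumed from the use case); the OUTPUT-chain rule for locally generated connections is this example's addition, and -n keeps whatever nat rules already exist.

```shell
#!/bin/sh
# Added example, not from the original notes. Emit the nat rules for the
# redirect above in iptables-restore format and optionally apply them.
# Besides the PREROUTING rule, this also covers connections made on the box
# itself (curl https://localhost), which only traverse the OUTPUT chain.
# Interface and ports are parameters; eth0/443/8443 are the assumed values.

# redirect_rules IFACE PUBLIC_PORT BACKEND_PORT: print a nat table fragment.
redirect_rules() {
    iface=$1 pub=$2 backend=$3
    for p in "$pub" "$backend"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# traffic arriving on $iface for $pub goes to the unprivileged backend on $backend
-A PREROUTING -i $iface -p tcp --dport $pub -j REDIRECT --to-ports $backend
# same for connections this host makes to its own address
-A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $backend
COMMIT
EOF
}

# apply_redirect IFACE PUBLIC_PORT BACKEND_PORT: load the rules as root.
# iptables-restore -n (--noflush) adds to the nat table instead of replacing it.
apply_redirect() {
    redirect_rules "$@" | iptables-restore -n
}

# Stand-alone run: only print, applying needs root.
redirect_rules eth0 443 8443
```

Review the printed fragment, then `apply_redirect eth0 443 8443` as root; to keep it across reboots, write the output of `iptables-save` wherever the distribution loads rules from at boot.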

Open firewall ports with firewalld

firewall-cmd --permanent --add-port=5672/tcp
firewall-cmd --reload

Centos firewall commands

firewall-cmd --state
firewall-cmd --get-zones
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --list-services  # currently enabled in this zone
firewall-cmd --get-services   # all
firewall-cmd --add-service=https --permanent   # --permanent only edits the saved config;
firewall-cmd --add-service=http --permanent    # follow with firewall-cmd --reload (or repeat without --permanent) to change the running firewall

ssh-agent

eval $(ssh-agent -s)
ssh-add /home/test/.ssh/id_rsa

or, if your key is in the default location, you can just do:

ssh-add

or just put this in .bashrc:

if [ -z "$SSH_AUTH_SOCK" ] ; then
  eval $(ssh-agent -s)
  ssh-add
fi

This starts a fresh agent in every login shell that did not inherit one, and each of them keeps running after logout, so agents accumulate. It also prompts for the passphrase the first time it is invoked. One way around the prompt is expect:

#!/usr/bin/expect -f
# feeds the passphrase to ssh-add; the passphrase sits in this file in clear text
spawn ssh-add /home/user/.ssh/id_rsa
expect "Enter passphrase for /home/user/.ssh/id_rsa:"
send "passphrase\n"
interact

Be clear about what that buys: anyone who can read the script has the passphrase, so the key is protected no better than an unencrypted one, and the script must be mode 0600 at the very least. The usual alternative is to leave the key encrypted and put AddKeysToAgent yes in ~/.ssh/config, so ssh asks for the passphrase once on first use and loads the key into the agent for the rest of the session.
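Added example, not from the original notes: a replacement for the .bashrc snippet that reuses one agent per login session instead of starting a new one in every shell, and only prompts for the passphrase when the agent holds no key. The state-file path is an assumption; nothing about the passphrase is written to disk.

```shell
#!/bin/sh
# Added example, not from the original notes. Start ssh-agent only when no
# usable agent is reachable, and share it across shells through a small
# state file. The passphrase is typed once per session and never stored.
# The state-file location is an assumption for this example.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_state: keys | empty | none, from the exit status of ssh-add -l
# (0 = keys loaded, 1 = agent up but no keys, 2 = no agent reachable).
agent_state() {
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# ensure_agent: source the saved agent environment if there is one, start
# an agent only if that did not give us a live one, then load keys only
# when the agent has none (this is the one place a passphrase prompt appears).
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    if [ "$(agent_state)" = none ]; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        # subshell keeps the restrictive umask from leaking into the caller
        (umask 077; ssh-agent -s > "$AGENT_ENV")
        . "$AGENT_ENV" >/dev/null
    fi
    if [ "$(agent_state)" = empty ]; then
        ssh-add
    fi
    return 0
}

# Usage from .bashrc (path assumed):   . ~/.ssh/agent.sh && ensure_agent
```

A stale state file (agent gone after a reboot) is handled by the `none` branch: ssh-add cannot reach the old socket, so a new agent is started and the file overwritten.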

Apache redirect http to https

<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect permanent / https://mysite.example.com/
</VirtualHost>

Redirect permanent answers every request on port 80 with a 301 to the same path on https. On Apache 2.2 a NameVirtualHost *:80 line has to precede this block; on 2.4 it is a no-op that only logs a warning. The first request from a client still travels in clear text before the redirect, so once everything is served over TLS set Strict-Transport-Security on the https vhost.

Letsencrypt notes

Apache on a dnf-based system (Fedora/RHEL/CentOS); the certificate itself is issued and renewed by certbot, which replaced the old letsencrypt-auto wrapper script:

sudo dnf install httpd mod_ssl -y
sudo systemctl enable --now httpd
sudo cp /etc/letsencrypt/options-ssl-apache.conf /etc/httpd/conf.d   # certbot's TLS settings for Apache, if the vhost certbot wrote does not already Include them
sudo systemctl restart httpd
sudo certbot renew    # what letsencrypt-auto renew used to do; renews only certificates close to expiry

Components of a cipher suite

The algorithms that make up a typical cipher suite are the following: