Jun 152016
 

With advent of Letsencrypt service this may seem unnecessary. But sometimes you just need to quickly generate SSL certificate to secure internal/test service…

Install OpenSSL, Debian/Ubuntu

sudo apt-get -y install openssl

or Centos

yum install openssl

Create file

vim multidomains.conf

# openssl req -sha256 -config multidomains.conf -keyout server.key -out server.csr -new
[ req ]
default_bits = 4096 # avoid to specify a value under 1024...
prompt = no # if you want to type a lot of stuff, say Yes here
encrypt_key = no # see question in our FAQ to help you...
default_md = sha256
distinguished_name = dn
[ dn ]
C = PL
O = Cebula Computer Systems
0.CN = hostA.mielnet.pl
1.CN = aka.mielnet.pl
L = Kocborowo
OU = IT Services

 

Generate key and csr with

openssl req -sha256 -config multidomains.conf -keyout server.key -out server.csr -new
# you can display CSR with:
openssl req -text -noout -in server.csr
# pay attention to Signature Algorithm, we want sha256WithRSAEncryption

 

Finally generate certificate


openssl x509 -sha256 -days 3650 -req -in server.csr -signkey server.key > server.crt
# you can display certificate with:
openssl x509 -text -in server.crt 

# again, we want Signature Algorithm sha256WithRSAEncryption


 

Dec 172015
 

Come Back Later

These are just examples to pick your imagination, please do refrain from blindly coping and pasting as you can cut yourself off 😀

UFW quick setup (Debian/Ubuntu)

 

aptitude install ufw
ufw allow 22/tcp
ufw allow from 124.111.0.0/16 to any port 22
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow proto tcp from IP.ADD.Here to any port 3306
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow proto udp from IP.ADD.Here to any port 161
ufw allow from 10.10.1.0/24
# allow traffic on interface
ufw allow in on em3

ufw enable
ufw status
ufw status numbered
ufw delete 10
# ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. 
# ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.
ufw limit ssh
ufw logging off #once it working stop flooding logs!

# ufw on KVM server, edit /etc/ufw/sysctl.conf
# and make sure we don't filter packets to our libvirt guests
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

firewall-cmd quick setup (RedHat/CentOS 7)

firewall-cmd --get-services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# punch a hole for CIFS
firewall-cmd --permanent --add-service=samba

firewall-cmd --permanent --add-port 5989/tcp
firewall-cmd --list-all-zones
firewall-cmd --list-ports

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --remove-service=dhcpv6-client

firewall-cmd --zone=trusted --add-source=10.100.1.18 --permanent
firewall-cmd --reload

Some say firewalld is too complicated for most server type of use, who am I to judge? Alegedly firewalld also requires Network Manager so if Network Manager is disabled then we need to go back. If you want to replace firewalld with good ol’ iptables:

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables