Tag Archives: webserver

Enable SSL on Apache2


Apache Web Server works great out of the box, but in some cases you will want to secure your site with a certificate. This article walks you through enabling SSL and generating a self-signed certificate, step by step. The only downside of self-signed certificates is that they are not trusted on the public internet, so the customer will see a certificate warning. This doesn’t mean it’s not working; it just means that the certificate could not be verified. If you continue with the certificate, it still secures your connection.

Let’s get started and install Apache2. Enter:

sudo apt-get install apache2

Type in ps ax | grep apache and you should see something like this:

23783 ? Ss 0:00 /usr/sbin/apache2 -k start
23787 ? S 0:00 /usr/sbin/apache2 -k start
23788 ? Sl 0:00 /usr/sbin/apache2 -k start
23789 ? Sl 0:00 /usr/sbin/apache2 -k start

That means the installation worked and Apache is running. Now start Firefox and enter the address of your web server in the URL bar, and you should see this:



Great, everything works the way it should. Now let’s create a certificate. First of all, create a directory where we will place our certificate. Type in:

sudo mkdir /etc/apache2/ssl

Now create a certificate with the following command (it’s all on one line):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Now openssl will ask you a bunch of questions. Let’s go over those together:

Generating a 2048 bit RSA private key
writing new private key to '/etc/apache2/ssl/apache.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Mexico
Locality Name (eg, city) []:Albuquerque
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UbuntuVideoCast
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:www.ubuntuvideocast.com
Email Address []:mstjohn1974@gmail.com

The above should give you a good idea of what to fill in for those questions. Now that this is done, let’s prepare Apache to use it. Type in:

sudo nano /etc/apache2/sites-available/default-ssl

Now scroll down until you see the SSLEngine on directive. Below that you should see the following two directives:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

We have to change them to match our new certificate. They should look something like this:

SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Save it and enable SSL on Apache by issuing these commands:

sudo a2enmod ssl

sudo a2ensite default-ssl

And last but not least, restart Apache to load the new configuration. Type:

sudo service apache2 restart

Then try to reach it with your browser. If everything works you should see something like this:



This is the warning I was talking about earlier. Click on the link “I understand the risk” and you will see this:



Click on the button “Add Exception” and you will see this:



Click on the “View” button to verify it is really the certificate that we set up. You should see something like this:



Everything is there, great. Click on “Close”, and on the remaining screen click on “Confirm security exception”. We are done and should see this:



Cool, that’s it. I hope it helped you in getting an SSL certificate installed and running with your web server. Let me know if you have any further questions. Please comment on this article.
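The checks worth running on the pair generated above, as an added example that is not part of the original article: it confirms the key belongs to the certificate, that the key file is not readable by group or others, that the certificate is not about to expire, and prints the SHA-256 fingerprint to compare with the one Firefox shows under “View”. The function names and the www.example.test subject are assumptions, and the demo runs on a throwaway pair in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the article): post-install checks for a pair
# created with "openssl req -x509 ...". Function names are hypothetical.

# True only if the certificate carries the public half of this private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint, to compare with the one in the browser's "View" dialog.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True if neither group nor others have any permission bit on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate is still valid $2 days from now (-days 365 runs out).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks, print one line per result, return non-zero on any failure.
check_pair() {
    crt=$1 key=$2 rc=0
    cert_matches_key "$crt" "$key" || { echo "FAIL: key does not match cert"; rc=1; }
    key_is_private "$key"          || { echo "FAIL: key readable by group/others"; rc=1; }
    cert_valid_for_days "$crt" 30  || { echo "FAIL: expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $(cert_fingerprint "$crt")"
    return "$rc"
}

# Demo on a throwaway pair (constructed subject), so the real files stay untouched.
# On the server, call check_pair as root with /etc/apache2/ssl/apache.crt
# and /etc/apache2/ssl/apache.key instead.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=www.example.test" \
    -keyout "$DEMO_DIR/apache.key" -out "$DEMO_DIR/apache.crt" 2>/dev/null
chmod 600 "$DEMO_DIR/apache.key"
check_pair "$DEMO_DIR/apache.crt" "$DEMO_DIR/apache.key"
```

If the key check fails on the real file, `sudo chmod 600 /etc/apache2/ssl/apache.key` restricts it to root, which is all Apache needs since it reads the key before dropping privileges.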


Brute-Force Attacks for Security Checks in Your Network with Medusa

It’s good practice to question the security of your home network, and even more critical for your company network. The most obvious weakness is weak passwords, which ease unauthorized access to systems and data for hackers (to be more precise: crackers) and intruders. That could damage the systems or data, or lead to misuse of the system to damage or infiltrate other systems. Examples are administrative access to databases, e-mail servers or other critical infrastructure.

Authenticate your Linux with Active Directory

Imagine you are managing a network with 20 or more workstations running various operating systems like Windows, Mac and Linux, and that you have to manage or troubleshoot them one by one if you have authentication problems or just want to change passwords on those machines. This would be a lot of work, right? So what you need is centralized user/group management like OpenLDAP or Active Directory. Most businesses already utilize Microsoft’s Active Directory because the majority of their workstations run Microsoft Windows. Because of that I would like to talk about Active Directory authentication for non-Windows workstations and introduce you to several solutions that will help you do that.

The first solution is the fully hands-on one, which involves a lot of script modifications and the installation of additional libraries. The entire procedure is written down in the TechNet issue of December 2008 and available for download at Microsoft, so I am not going into detail on that one. Instead I would like to introduce you to three third-party applications that will do all that by just installing them and performing a few small configuration steps. Those three applications are Likewise, Quest Authentication Services and Centrify.

Likewise Solution:

Likewise offers basically two solutions. The first one is Likewise Open, which is free and just allows you to join workstations to your Active Directory, authenticate your users against Active Directory and manage group memberships on the Active Directory side. The second solution is Likewise Enterprise. Likewise Enterprise offers single sign-on for enterprise applications like Microsoft SharePoint and for other applications or services that can authenticate via directory services, such as Apache, JBoss, MySQL, WebSphere and other systems via SSH; without a directory service these would require separate user and password credentials. With Likewise Enterprise single sign-on, LDAP, Kerberos and applications or services tied to directory authentication, only one username and password has to be managed, centrally in the datacenter.

Likewise Enterprise also provides group policy tools to create granular access policies to ensure users have all the permissions they need to do their job and more. If you use Likewise Enterprise you can also produce reports of user activity, and with Likewise Enterprise and the Operations Dashboard administrators can see what’s going on with users in real time, which makes security and policy monitoring simple and effective. All the features described above make Likewise Enterprise compliant with SOX, PCI DSS, Basel II, HITECH and HIPAA. Likewise Enterprise also lets you add additional security with its optional smart card feature. If your organization still uses SUN’s Network Information Services (NIS), you should migrate to the more secure Active Directory from Microsoft, since NIS is not secure and no longer supported by SUN. Likewise Enterprise provides NIS migration tools which move user accounts and password files to Active Directory. Likewise Enterprise also provides hypervisor management tools, so users managing VMware vSphere and Citrix XenServer are authenticated against Microsoft Active Directory.

Likewise has binary packages available for Red Hat, SUSE, Fedora, CentOS, Debian, Ubuntu, Mac OS X, Solaris, HP-UX, AIX and FreeBSD for 32-bit and 64-bit architectures.

You can join your workstation to Active Directory with one command. For example, on Linux type: /opt/likewise/bin/domainjoin-cli join domainName ADjoinAccount and press Enter. To authenticate against Active Directory in the GUI use DOMAIN\username and on the CLI use DOMAIN\\username, and that is all you have to do.

Overall I think the Likewise solution is well built and should offer you solutions for most of your IT challenges.

Quest Authentication Services

Quest Authentication Services is a patented technology. Looking over the information about this solution, it appears that you need to install one part on the server itself and then the agent on the non-Windows clients. Quest claims to have 1000 customers with over 5 million installed seats. It supports Linux, Unix and Mac OS X clients. It also appears that Quest does not offer a free version to at least authenticate your non-Windows clients.

Quest extends the authentication, authorization and administration infrastructure of Active Directory to the rest of the enterprise, enabling Unix, Linux and Mac OS X systems to act as full citizens within Active Directory. It also enables audits and alerts and shows a detailed change history. This solution also enables a Group Policy framework which allows you to manage Linux and Mac clients through Microsoft’s Group Policy management. Access control capabilities are also extended to non-Windows clients. Single sign-on becomes available to non-Windows clients by enabling Kerberos and LDAP as on Windows clients, and you can authenticate to applications like SAP, Siebel and DB2. Quest provides migration tools to migrate from NIS to Active Directory.

Quest appears to provide all the necessary features to run your heterogeneous network and manage all user accounts through Active Directory. The only thing I would wish for is that Quest would offer a free agent; other than that I think it’s good.


Centrify offers its product in basically four editions: Express, Standard, Enterprise and Platinum. Let’s go over each edition and see what its features are.

Express Edition: Includes Centrify DirectControl Express and Centrify DirectManage Express plus Centrify-enabled open source tools.

Standard Edition: Includes Centrify DirectControl, Centrify DirectManage and DirectAuthorize plus Centrify-enabled open source tools.

Enterprise Edition: Includes everything in the Standard Edition plus Centrify DirectAudit.

Platinum Edition: Includes everything in the Enterprise Edition plus DirectSecure.

In addition, add-on modules are available for single sign-on to SAP, web applications for Apache and J2EE, and DB2.

So let’s have a look at the components of these editions and their features.

Centrify DirectControl (Express): Enables Active Directory-based single sign-on to Unix, Linux and Mac.

Centrify DirectManage (Express): Discovers non-Windows systems and joins them to Active Directory.

Centrify-Enabled Open Source Tools: Enhances productivity with painless remote access and Samba integration.

Centrify DirectAuthorize: Enables you to lock down sensitive systems and eliminate uncontrolled use of root permissions.

Centrify DirectAudit: Helps you to run detailed logging and spot suspicious activity by showing which user accesses which system, and allows you to monitor current user sessions.

Centrify DirectSecure: Can block untrusted systems from communicating with trusted systems and encrypt data in motion.

Centrify also offers Centrify-enabled components like Kerberos utilities, NIS services, OpenSSH, PuTTY and Samba. Centrify supports the following operating systems: Apple Mac OS X, CentOS, Citrix XenServer, Debian, HP-UX, IBM AIX, Mandriva, SUSE, Solaris, Red Hat, Fedora, IRIX, Ubuntu and VMware ESX Server, all in 32-bit and 64-bit. Centrify is also the only one that is Microsoft Certified, which means a lot for businesses that already use Microsoft and would like to integrate non-Windows clients. The only difference I found between Centrify Express and the other suites is that the Express Edition only offers community support, while the other editions offer 24/7 professional support.

My conclusion is that I like the Centrify Suite best, because you get the most features in the free edition compared to the other solutions and it supports the most operating systems. In second place is Likewise: it offers basic features for free to get you started and the ability to integrate your non-Windows clients, and if you want more you can upgrade and purchase one of the more advanced features. Last but not least is Quest Authentication Services, because I was not able to find a free client that at least enables you to authenticate your non-Windows clients against Active Directory; I think their package offers you the most important features, but not all the features that the other two offer. Overall I think any one of those solutions will get you where you want to be.

Please let me know if you know of any other solutions that might be better or at least worth mentioning here. Also let me know if I stated something wrong here, and I will be happy to correct it. I hope that this article helped you decide which product you would like to go with, or at least got you started with Active Directory authentication for non-Windows clients.
