
Posts

Showing posts from 2018

Generating an SSL Certificate with Namecheap and Assigning it to an ELB using ACM

First generate a private key for SSL (I am doing this from the web server):

# openssl genrsa -out gateway_key.pem 2048

Now generate a CSR using the above key:

root@ip-10-0-3-90:~# openssl req -new -sha256 -key gateway_key.pem -out gateway_key.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:XXXX
Locality Name (eg, city) []:XXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXX Co Ltd
Organizational Unit Name (eg, section) []:XXXX
Common Name (e.g. server FQDN or YOUR name) []:gateway.X-XXXX.net
Email Address []:admin@X-XXXX.net
Please enter the following 'extr

Setting up Additional IP address to an EC2 Instance.

Suppose you want to add an additional IP to your Ubuntu web server. The steps are as follows:

1) Make sure your EC2 instance type supports more than 2 network interfaces. If not, you have to upgrade your instance type.
2) Add a new network interface. Make sure you give it the same AZ, subnet and security group as the web server.
3) Now add an Elastic IP and associate this Elastic IP with the web server.
4) Now attach the new network interface to the web server. The final part is to create 2 route tables with default routes for each interface and use rules on inbound traffic to assign which table to use for the response traffic.
5) Here is a sample interface file that performs this:

root@webserver:~# cat /etc/network/interfaces.d/eth0.cfg
auto eth0
iface eth0 inet dhcp
post-up ip route add default via 10.0.1.1 dev eth0 tab 1
post-up ip rule add from 10.0.1.81 tab 1
pre-down ip rule del from 10.0.1.81 tab 1
pre-down ip route del default via 10.0.1.1 dev

Setting up Email Address in AWS - Workmail

Hi all, today I came across a situation where I needed to create an email address in AWS, and landed on AWS WorkMail.

Prerequisites: domain registrar login details for updating the NS or DNS records. If your registrar does not provide DNS management, use the AWS Route53 service for managing the DNS records.

In this service we need to set it up as below:

1) Create an organization. The web application URL will have a tail end like .awsapps.com/mail. If your organization is abc then the WorkMail web application URL will be https://abc.awsapps.com/mail
2) After creating the organization you need to click on it and create the domain for the email address.
3) Once you create the domain, it should be verified by adding the TXT DNS record and the remaining MX, CNAME and SPF records in the DNS management (Route53):
   > Verify domain ownership (required)
   > Finalize mail setup (required)
   > Increase security (recommended)
It will take 5 to 1

Restricting a user to view only specific S3 Buckets

Today I came across a situation where I needed to implement vooplayer along with an AWS S3 bucket for uploading videos to the bucket. The issue is that for integrating vooplayer the IAM user needs S3 admin permissions, as vooplayer itself will create an S3 bucket during the integration, with a name starting with "vooplayerv4-". The problem with this is that the user has access to all the buckets and their contents. So, to restrict access for this user only to the bucket which belongs to him, I have created a policy with the help of AWS support and am sharing the same below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::vooplayerv4-*",

Enabling Web Application Firewall (Modsecurity) along with NGINX

Initially remove the current nginx version using the below command, as NGINX 1.11.5 or later is required.

sudo apt-get purge nginx nginx-common

1 – Install NGINX

cd /tmp/ && wget http://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key
sudo sh -c "echo 'deb http://nginx.org/packages/mainline/ubuntu/ '$(lsb_release -cs)' nginx' > /etc/apt/sources.list.d/nginx.list"
sudo apt-get remove nginx
sudo apt-get update
sudo apt install nginx=1.13.1-1~xenial
nginx -V

2 – Install Prerequisite Packages

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

3 – Download and Compile the ModSecurity 3.0 Source Code

Clone the GitHub repository:

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

AWS Command line script for creating basic VPC environment.

#!/bin/bash
###################################
#Created on 27-Jun-2018
#Purpose : This script will Create a VPC/Subnet/Routetable/Internetgateway/Natgateway and associate them to the corresponding subnets
#Modified on : 13-Sep-2018
####################################
vpcName="My-VPC"
vpcCidrBlock="10.0.0.0/16"
PubsubNetCidrBlock="10.0.1.0/24"
PrvsubNetCidrBlock="10.0.2.0/24"
pubAvailabilityZone="ap-northeast-1a"
prvAvailabilityZone="ap-northeast-1c"
pubSubnetName="PublicSubnet-My"
prvSubnetName="PrivateSubnet-My"
PubRouteTableName="MyPublicRoute"
PrvRouteTableName="MyPrivateRoute"
destinationCidrBlock="0.0.0.0/0"

#Create a VPC with a 10.0.0.0/16 CIDR block.
aws_response=$(aws ec2 create-vpc --cidr-block "$vpcCidrBlock" --output json)
vpcId=$(echo -e "$aws_response" |  /usr/bin/jq '.Vpc.VpcId' | tr -d '"')
#nam

Sound issue after connecting Headset to your ubuntu Laptop

It was really annoying: we do whatever we can, alsamixer, rebooting the machine, and still you will not hear anything after connecting your headset. Just give the below command: alsactl restore

jino@ndz:~$ alsactl restore
alsactl: state_lock:125: file /var/lib/alsa/asound.state lock error: File exists
alsactl: load_state:1683: Cannot open /var/lib/alsa/asound.state for reading: File exists
Found hardware: "HDA-Intel" "Realtek ALC233" "HDA:10ec0235,1179f912,00100002 HDA:80862882,1179f91b,00100000" "0x1179" "0xf91b"
Hardware is initialized using a generic method

This immediately "restores" the headphones for me. Must be a bug in Ubuntu 16.04. Cheers.

How to give Internet Access to a Private Subnet EC2 Instance without a Public IP and without a NAT Instance.

In some cases you cannot use a public IP address, or even an Elastic IP, for your EC2 instance, for example in PCI audit related situations. But you still need to give internet access to your EC2 app servers to send notification or alert mails outside. In that case you can use a NAT Gateway for this.

1. First create a NAT Gateway in the VPC section. While creating the NAT Gateway, you should give the subnet as the public subnet whose route table target is an "Internet Gateway".
2. Now edit the route table associated with your private EC2's subnet and make the target the "NAT gateway ID".

That is all; now you will get internet access to your private EC2 instance, without a public IP or Elastic IP and having only a private IP in the instance description section.

MFA with Googleauthenticator for EC2 Instances.

First make sure that the server time and the mobile time are the same.

root@ip-xx-xx-xx-xx:~# apt-get update
root@ip-xx-xx-xx-xx:~# apt-get upgrade
ubuntu@ip-xx-xx-xx-xx:~$ sudo apt-get install libpam-google-authenticator
ubuntu@ip-xx-xx-xx-xx:~$ sudo vi /etc/pam.d/sshd

At the start of the file, add the following line, then save and exit.

auth required pam_google_authenticator.so nullok

This means that users who don't run the Google Authenticator initialization won't be asked for a second authentication.

ubuntu@ip-xx-xx-xx-xx:~$ sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
:wq!

ubuntu@ip-xx-xx-xx-xx:~$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y

This will give a link like this; you can scan the QR code with the mobile.
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ubuntu@xx.xx.xx.xx
Do you want me to update your "/home/ubuntu/.google_authenticato

Password reset too simplistic/systematic issue

Sometimes when we try to reset the password of a user in Linux it will complain that the password is too simplistic/systematic, as below:

BAD PASSWORD: it is too simplistic/systematic

No matter how hard a password you give, it will show the same.

Solution:
#########
Check if your password is OK with the below command:

jino@ndz~$ echo 'D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l' | cracklib-check
D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l: it is too simplistic/systematic

Now create a password with the below command:

jino@ndz~$ echo $(tr -dc '[:graph:]' 7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;

You can see that this password will be OK with cracklib-check.

jino@ndz~$ echo '7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;' | cracklib-check
7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;: OK

That's all, thanks.

HSTS disabling in Browsers.

HSTS stands for HTTP Strict Transport Security. Today I came across a situation where I needed to renew the SSL certificate in a Netgate pfSense firewall. When opening the URL in the browser I am getting the error SEC_ERROR_EXPIRED_CERTIFICATE and my browser will not show the unsafe link to the site. And I can only renew the certificate after getting to the web URL and logging in to the pfSense firewall. Like a deadlock situation. How I solved this issue is to disable the HSTS checking in the Chrome browser. Just open the URL chrome://net-internals/#hsts in your Chrome browser, give your SSL-expired domain in the "Delete domain security policies" section and click on "Delete". That is all; now you will get the "proceed with the unsafe" link and can log in and install the new SSL certificate for your pfSense firewall. Cheers.

Snort as NIDS. Installation and configuration Step by Step.

Install Required Dependencies
#############################
apt-get update -y
apt-get upgrade -y
apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && make install

Install Snort from Source:
##########################
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
tar -xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && make install
ldconfig
ln -s /usr/local/bin/snort /usr/sbin/snort
snort -V

Configure Snort
###############
mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch

How GPG key encryption works.

If someone wants to send you a confidential file:
########################################
1) Generate GPG keys on your local machine and provide them your public key.
2) They will then encrypt the file with the public key you provided via mail or chat.
3) After encryption they will send that encrypted file to you.
4) Now you can decrypt the file with the private key that resides on your local machine.

Useful commands.
###############
Generate a GPG key
# gpg --gen-key
Export a public key
# gpg --armor --export ramesh > ramesh-pub-asc.gpg
Import a public key
# gpg --import FileName

If you want to send a file:
#####################
1) Ask for his/her public key.
2) Import the public key.
3) Encrypt the file.
4) Send them the file.

That is all, thanks.

Install Free SSL for a domain using certbot (Ubuntu 16.04 / Apache / Nginx)

FOR APACHE

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

First I gave a command like this:

sudo certbot --apache -d cloud.xyz.com

If this gives an error like below:

Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Then give the below command and it works.

# certbot --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): cloud.xyz.com
Running pre-hook command: apachectl -k stop
Obtaining