Tuesday 25 August 2015

cURL support for CloudFlare-enabled websites (Zabbix with SSL sites enabled in CloudFlare)

Original post: https://luxing.im/curl-support-for-cloudflare-enabled-websites/

On Debian 7 it works as described in the post, not only on Fedora!

On CentOS, curl -v --ciphers ecdhe_ecdsa_aes_128_sha URL works; put the cipher in .curlrc.

cURL support for CloudFlare-enabled websites


CloudFlare provides nice protection from DDoS and other hacking activities; last year they even added a free Universal SSL package for all users. The problem began with the cURL ciphers on CloudFlare-enabled websites: cURL does not successfully handshake with CloudFlare servers using its default encryption algorithms.
I tested my website using openssl s_client:
openssl s_client -connect luxing.im:443
and saw the following output:

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...
OK, so it is using the ECDHE-RSA-AES128-GCM-SHA256 cipher to connect to my website.
Well, let’s try this:
curl https://luxing.im --cipher ecdhe_rsa_aes_128_gcm_sha_256
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
Huh. Strange, isn’t it? After a LOT of searching, I finally found an answer here and added the suggested line to .curlrc in my home directory:
ciphers="rsa_aes_256_sha,rsa_aes_128_sha,dhe_rsa_aes_256_cbc_sha,dhe_rsa_aes_128_cbc_sha,rsa_aes_256_cbc_sha_256,rsa_aes_128_cbc_sha_256,dhe_rsa_aes_256_cbc_sha_256,dhe_rsa_aes_128_cbc_sha_256,rsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_gcm_sha_256"
Then try:
curl -v https://luxing.im
Yes, now my curl is working. Let’s see the output:

...
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...
OK. It is actually using the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 algorithm, so forcing the cipher to use ecdhe_ecdsa_aes_128_gcm_sha_256 works.
My curl is:

curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.4 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink

And I am on Fedora 20+.
Note:
1. The Debian/RHEL/CentOS series do not support this algorithm. You’ll have to open a ticket with CloudFlare support to discuss it with them.
2. According to this, git uses cURL to access https repositories, but this workaround won’t help. Too bad.
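
The two transcripts above show openssl s_client negotiating an RSA-authenticated suite while NSS-based curl, once given a cipher name it understands, negotiates the ECDSA one. The following Python is an added example (not part of the original post) that pulls the negotiated suite out of either kind of output, normalises the OpenSSL and IANA spellings to one representation, and reports whether the suite offers forward secrecy and AEAD; the transcripts embedded in it are constructed from the lines quoted above, and no network connection is made.

```python
"""Extract the cipher suite negotiated in openssl s_client / curl -v output and
classify it; accepts IANA names (NSS-based curl) and OpenSSL names (s_client)."""
import re
from dataclasses import dataclass

# Constructed transcripts, modelled on the two quoted in the post.
S_CLIENT_OUT = """SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
CURL_NSS_OUT = "* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n"

IANA_RE = re.compile(r"TLS_(?:(ECDHE|DHE)_)?(RSA|ECDSA)_WITH_(.+)_(SHA\d*)")
OPENSSL_RE = re.compile(r"(?:(ECDHE|DHE)-)?(?:(RSA|ECDSA)-)?(.+)-(SHA\d*)")

@dataclass(frozen=True)
class Suite:
    kx: str      # key exchange: ECDHE, DHE or RSA (static RSA: no forward secrecy)
    auth: str    # server authentication: RSA or ECDSA
    cipher: str  # bulk cipher in IANA spelling, e.g. AES_128_GCM or AES_256_CBC
    mac: str     # SHA, SHA256 or SHA384 (the PRF hash for AEAD suites)

    def forward_secrecy(self) -> bool:
        return self.kx in ("ECDHE", "DHE")

    def aead(self) -> bool:
        return any(m in self.cipher for m in ("GCM", "CCM", "CHACHA20"))

def parse_suite(name: str) -> Suite:
    """TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or ECDHE-RSA-AES128-GCM-SHA256."""
    m = (IANA_RE if name.startswith("TLS_") else OPENSSL_RE).fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, cipher, mac = m.groups()
    cipher = re.sub(r"AES(\d+)", r"AES_\1", cipher).replace("-", "_")
    if cipher.startswith("AES") and not any(x in cipher for x in ("GCM", "CCM", "CBC")):
        cipher += "_CBC"  # OpenSSL names omit the mode for CBC suites
    return Suite(kx or "RSA", auth or "RSA", cipher, mac)  # OpenSSL also omits RSA for static-RSA kx

def negotiated(transcript: str) -> Suite:
    """s_client: 'Cipher : X'; curl -v: 'SSL connection using [TLSv1.2 / ]X'."""
    m = re.search(r"Cipher\s*:\s*(\S+)|SSL connection using (?:TLSv[\d.]+ / )?(\S+)", transcript)
    if not m:
        raise ValueError("no negotiated cipher suite in transcript")
    return parse_suite(m.group(1) or m.group(2))

def report(s: Suite) -> str:
    fs = "forward secrecy" if s.forward_secrecy() else "NO forward secrecy"
    mode = "AEAD" if s.aead() else "CBC, MAC-then-encrypt"
    return f"{s.kx} key exchange, {s.auth} auth, {s.cipher}: {fs}, {mode}"
```

Feeding it a real `curl -v` or `openssl s_client` capture works the same way; the legacy names (AES256-SHA and friends) from the .curlrc list above come out flagged as lacking forward secrecy.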

Install Java 8 (both JDK8 and JRE8) in Debian

Original post: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer

#There is a package in our repository that automatically sets the Java 8 environment variables and sets JDK8 as the default JDK

sudo apt-get install oracle-java8-set-default

#to check
java -version

#java version "1.8.0_60"
#Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
#Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

javac -version
#javac 1.8.0_60



How to accept the Oracle JDK8 license automatically

You can use the following command:
echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | sudo /usr/bin/debconf-set-selections

Saturday 15 August 2015

Upload SSH key from Windows to Linux

mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && cat >> ~/.ssh/authorized_keys

Ctrl-C the public key text on Windows, Ctrl-V it into the ssh command prompt, then press Enter.
Ctrl-D to finish.
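
The one-liner above appends whatever is pasted, so a stray line or a key pasted twice ends up in authorized_keys. The following Python is an added example (not from the original post) of a stricter replacement: it accepts only a single well-formed OpenSSH public-key line, checks that the base64 blob really encodes the declared key type, skips duplicates and enforces the 700/600 permissions; the sample key it uses is constructed and is not a real key.

```python
"""Safer stand-in for 'cat >> ~/.ssh/authorized_keys': one validated key, no duplicates, 700/600 perms."""
import base64
import re
import struct
import tempfile
from pathlib import Path

KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+=*)(?: (.*))?$")

def parse_public_key(line: str) -> tuple[str, str]:
    """Return (type, base64 blob); the blob's leading length-prefixed type string must match the prefix."""
    m = KEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a single OpenSSH public-key line")
    ktype, blob, _comment = m.groups()
    raw = base64.b64decode(blob, validate=True)
    (n,) = struct.unpack("!I", raw[:4])  # OpenSSH wire format: uint32 length, then the type string
    if raw[4:4 + n] != ktype.encode():
        raise ValueError("key blob does not match the declared type")
    return ktype, blob

def add_authorized_key(ssh_dir: Path, line: str) -> str:
    """Append unless the same type+blob is already present (comments ignored); returns 'added' or 'duplicate'."""
    ident = parse_public_key(line)
    ssh_dir.mkdir(parents=True, exist_ok=True)
    ssh_dir.chmod(0o700)
    ak = ssh_dir / "authorized_keys"
    ak.touch()
    ak.chmod(0o600)
    for existing in ak.read_text().splitlines():
        try:
            if parse_public_key(existing) == ident:
                return "duplicate"
        except ValueError:
            continue  # lines with options or free text are left untouched
    with ak.open("a") as f:
        f.write(line.strip() + "\n")
    return "added"

def constructed_key(comment: str) -> str:
    """Constructed ed25519-shaped public key: valid structure, not a real key."""
    raw = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(raw).decode()} {comment}"

def demo() -> tuple[list[str], int, int]:
    # Run the flow in a scratch directory: (statuses, keys on file, directory mode)
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".ssh"
        statuses = [add_authorized_key(d, constructed_key(c)) for c in ("alice@laptop", "alice@desktop")]
        count = len((d / "authorized_keys").read_text().splitlines())
        return statuses, count, d.stat().st_mode & 0o777
```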

Install FreeRADIUS v3 on Centos 7

Install packages

yum install mariadb-server mariadb freeradius freeradius-mysql freeradius-utils -y
sudo chkconfig --levels 235 radiusd on
sudo chkconfig --levels 235 mariadb on

Populate the MySQL database

mysql -uroot -p

CREATE DATABASE radius;

GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "YOUR PASS";

SOURCE /etc/raddb/mods-config/sql/main/mysql/schema.sql

Configure RADIUS

ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled

Edit radiusd.conf

modules {
    $INCLUDE mods-enabled/
}
policy {
    $INCLUDE sites-enabled/
}

Enable the sql module in each section of the default enabled site /etc/freeradius/sites-available/default:

authorize {
    sql
}
accounting {
    sql
}
session {
    sql
}
post-auth {
    sql
}
Post-Auth-Type REJECT {
    sql
}

Configure the SQL module /raddb/mods-available/sql and change the database connection parameters to suit your environment:

sql {
    driver = "rlm_sql_mysql"
    server = "192.168.1.1"
    port = 3306
    login = "radius"
    password = "radiuspwd"

    # Database table configuration for everything except Oracle
    radius_db = "radius"
    }

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"

Test whether FreeRADIUS works by issuing the following command. It starts FreeRADIUS in debug mode (Ctrl+C to stop it):

radiusd -X

Install daloradius

Download daloradius and the updated SQL schema

yum install php-mysql php php-pear php-gd php-pear-DB -y
cd /tmp
wget http://sourceforge.net/projects/daloradius/files/latest/download?source=files
tar zxvf download?source=files
mysql -uradius -p radius < daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

Configure the daloradius SQL connection

nano daloradius-0.9-9/library/daloradius.conf.php

$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '3';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radius@123';
$configValues['CONFIG_DB_NAME'] = 'radius';

Configure Apache

nano /etc/httpd/conf/httpd.conf

Append the following to the end of /etc/httpd/conf/httpd.conf (customize it to your liking):
Alias /myradius "/var/www/daloradius/"
<Directory /var/www/daloradius/>
Options None
order deny,allow
deny from all
allow from 127.0.0.1
allow from <my management system's ip which has a web-browser>
</Directory>