Category Archives: Security

Move to a WordPress https website from http

Google recently announced that it has started using HTTPS as a ranking signal. So to improve your SEO results you can choose to ONLY use HTTPS for your WordPress site. For this to work you have to have a valid certificate in place (obviously).

Setting up an “SSL only” blog takes two steps.

1. Update your .htaccess file

Go to your WordPress installation folder and edit the .htaccess file in there. Below the line

RewriteEngine On

add the following two lines:

RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

The two lines above take care of redirecting a visitor who arrives on the http site to the https site.

2. Update the WordPress blog settings

Go to the dashboard of your WordPress site and navigate to Settings -> General. Change the WordPress Address and Site Address to use the https URL.

Ok that is all. Your visitors will now always be redirected to the https version of your website.
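
The following shell functions are an added example (not part of the original post) for verifying that the two rewrite lines above really send plain-http visitors to the https version of the same page, and that the https page does not redirect again. They assume curl is installed; validate_redirect is kept separate from the network call so its logic can be checked on constructed values.

```shell
# validate_redirect CODE LOCATION HOST PATH
# Succeeds when CODE is a redirect status and LOCATION is exactly
# https://HOST + PATH, which is what the RewriteRule above should produce.
validate_redirect() {
  code=$1 location=$2 host=$3 path=$4
  case "$code" in
    301|302|307|308) ;;
    *) echo "FAIL: expected a redirect for http://$host$path, got HTTP $code"; return 1 ;;
  esac
  want="https://$host$path"
  if [ "$location" != "$want" ]; then
    echo "FAIL: redirected to '$location', expected '$want'"
    # The rule builds the target from %{SERVER_NAME}, so a mismatch here usually
    # means Apache's ServerName differs from the host name visitors type.
    return 1
  fi
  echo "OK: http://$host$path -> $location"
}

# check_redirect HOST [PATH]: request the http URL without following the
# redirect and validate the status code and Location that curl reports.
check_redirect() {
  host=$1 path=${2:-/}
  # %{http_code} and %{redirect_url} are standard curl --write-out variables.
  result=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host$path") || return 2
  validate_redirect "${result%% *}" "${result#* }" "$host" "$path"
}

# check_no_loop HOST [PATH]: the https URL itself must not redirect again.
# One common cause of a loop is a TLS-terminating proxy in front of Apache,
# in which case %{HTTPS} is never "on" and the rule fires on every request.
check_no_loop() {
  host=$1 path=${2:-/}
  code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$host$path") || return 2
  case "$code" in
    3??) echo "FAIL: https://$host$path redirects again (HTTP $code)"; return 1 ;;
    *)   echo "OK: https://$host$path is served directly (HTTP $code)" ;;
  esac
}
```

Run `check_redirect www.example.com /wp-admin/` (and the same with `check_no_loop`) against your own host name after editing .htaccess.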

Get certificate information with openssl

To display the information in a certificate, issue the command below:

openssl x509 -in certificate -text

Information about the certificate is displayed. Some important items are:

Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

The Issuer is the CA that signed this certificate.

Validity
            Not Before: Feb  6 00:00:00 2015 GMT
           Not After : Feb 26 23:59:59 2016 GMT

The validity period of the certificate. Remember to renew your certificate before it expires!

Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.bjdejong.nl

The subject of this certificate. The certificate can be used for a website with the given CN.
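
As an added example (not part of the original post), the functions below print only the issuer, subject and validity lines discussed above and turn "remember to renew" into a check that fails when the certificate expires within a given number of days. They assume the openssl CLI is installed; the file name is whatever you pass in.

```shell
# cert_summary FILE: issuer, subject and validity period without the full dump.
cert_summary() {
  openssl x509 -in "$1" -noout -issuer -subject -dates
}

# cert_expires_within FILE DAYS: true (0) if the certificate is already expired
# or will expire within DAYS days. openssl's -checkend exits 1 in that case.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_cert FILE [DAYS]: summary plus a renewal warning (default: 30 days ahead).
check_cert() {
  days=${2:-30}
  cert_summary "$1" || return 2
  if cert_expires_within "$1" "$days"; then
    echo "WARNING: $1 expires within $days days, renew it now"
    return 1
  fi
  echo "OK: $1 stays valid for more than $days days"
}
```

A cron job that runs `check_cert /path/to/certificate 30` and mails on a non-zero exit is enough to never be surprised by the Not After date again.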

Protect your server from the POODLE attack

You can protect your server from the POODLE attack, as described here, by disabling the SSLv3 protocol on your (Ubuntu) Apache webserver. This only takes a change to a single configuration file. Edit the file /etc/apache2/apache2.conf and search for the line containing SSLProtocol. Change this line from

SSLProtocol all -SSLv2

to

SSLProtocol all -SSLv2 -SSLv3

This disables SSLv3 connections to your server. Restart your apache webserver

sudo service apache2 restart

and then test whether the changes were successful:

1. Try to open an SSLv2 connection; this should give you an error:

openssl s_client -ssl2 -connect bjdejong.nl:443

CONNECTED(00000003)1255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s2_pkt.c:427:

2. Try to open an SSLv3 connection; this should give you an error:

openssl s_client -ssl3 -connect bjdejong.nl:443

CONNECTED(00000003)
1256:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:1143:SSL alert number 40
1256:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:564:

3. Try to open a TLS connection; this should give you no error:

openssl s_client -tls1 -connect bjdejong.nl:443

CONNECTED(00000003)
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify return:1
---
Certificate chain
0 s:/O=Landing page
bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
i:/O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE----
MIIDnzCCAoegAwIBAgIJAJl1fA2nG/6eMA0GCSqGSIb3DQEBBQUAMGYxITAfBgNV
......

If everything went ok you are protected against the POODLE attack.
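
The three manual s_client checks above, as an added example (not part of the original post) that loops over every protocol version openssl knows and classifies the outcome from the s_client output. It assumes the openssl CLI; a current build has SSLv2/SSLv3 compiled out (or refuses old versions at its default security level), and that is reported as client-unsupported rather than mistaken for a server rejection.

```shell
# classify_handshake OUTPUT -> accepted | rejected | client-unsupported | unreachable
# s_client prints the "Certificate chain" section only after a completed
# handshake; an alert or "handshake failure" means the server refused the version.
classify_handshake() {
  case "$1" in
    *"connect:errno"*)                              echo unreachable ;;
    *"nknown option"*|*"no protocols available"*)   echo client-unsupported ;;
    *"Certificate chain"*)                          echo accepted ;;
    *)                                              echo rejected ;;
  esac
}

# probe_protocols HOST [PORT]: one line per protocol version, e.g. "ssl3 rejected".
probe_protocols() {
  host=$1 port=${2:-443}
  for proto in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    # </dev/null makes s_client close the connection right after the handshake
    out=$(openssl s_client "-$proto" -connect "$host:$port" </dev/null 2>&1)
    echo "$proto $(classify_handshake "$out")"
  done
}

# poodle_check HOST [PORT]: exit 0 only when the server actively rejected SSLv3.
poodle_check() {
  case "$(probe_protocols "$1" "$2" | grep '^ssl3 ')" in
    "ssl3 rejected") echo "SSLv3 disabled on $1: protected against POODLE" ;;
    "ssl3 accepted") echo "SSLv3 still accepted on $1: add -SSLv3 to SSLProtocol"; return 1 ;;
    *) echo "this openssl cannot speak SSLv3 (or $1 is unreachable); test from a host with an older build"; return 2 ;;
  esac
}
```

`probe_protocols bjdejong.nl` also shows which TLS versions are still offered, which is useful once TLS 1.0 and 1.1 are on the list of things to disable as well.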

Setup Chroot SFTP in Ubuntu Linux

Chroot keeps the user in his login / home directory after logging in. This is not the default behavior: in the default SFTP setup a user can cd anywhere on the system!

1. Create a new group

groupadd sftpusers

2. Create users who want to SFTP

useradd -g sftpusers -s /usr/sbin/nologin guestuser
passwd guestuser

3. Modify the /etc/ssh/sshd_config file and comment out the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

4. Add the following line directly below the line you have commented out:

Subsystem sftp internal-sftp

5. Add the following lines at the end of /etc/ssh/sshd_config:

Match Group sftpusers
        ChrootDirectory /var/www/%u
        ForceCommand internal-sftp

6. Users start in the /var/www directory; this directory should be owned by root (see below) with chmod 755:

ll -ld /var/www
drwxr-xr-x 11 root root 4096 jun 30 13:39 /var/www/

7. Create a new directory with the same name as the username you just added:

mkdir /var/www/guestuser

8. Make sure that this new directory is also owned by root (see below):

ll -ld /var/www/guestuser
drwxr-xr-x 3 root www-data 4096 aug 14 18:18 /var/www/guestuser

9. Create a subfolder below /var/www/guestuser, for example www, and set the user owner to guestuser and the group owner to www-data. Set the access rights to 2755 (2 = set group id, 7 = rwx for the owner guestuser, 5 = rx for the group www-data, 5 = rx for world, which includes the Apache www-data user):

ll -ld /var/www/guestuser/www
drwxr-sr-x 2 guestuser www-data 4096 okt  1 17:02 /var/www/guestuser/www/

10. Restart the ssh server:

service sshd restart

If the directories do not have the correct ownership or modes, a message like this appears in /var/log/auth.log:

Aug 14 18:18:29 hostname sshd[24996]: fatal: bad ownership or modes for chroot directory "/var/www/guestuser"
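
As an added example (not part of the original post), the functions below apply the same test sshd applies to a ChrootDirectory, so you can find the offending component before the "bad ownership or modes" message above shows up: every directory from the jail up to / must be owned by root and must not be writable by group or others. They assume a POSIX `ls -n` (mode string and numeric uid); OWNER_UID defaults to 0 and is a parameter only so the check can be exercised on a scratch directory without root.

```shell
# check_component DIR [OWNER_UID]: test one directory, print each problem found.
check_component() {
  dir=$1 owner=${2:-0} crc=0
  info=$(ls -ldn -- "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 2; }
  set -- $info                       # $1 = mode string, $3 = numeric uid
  mode=$1 uid=$3
  case "$mode" in d*) ;; *) echo "$dir: not a directory"; crc=1 ;; esac
  [ "$uid" = "$owner" ] || { echo "$dir: owned by uid $uid, must be uid $owner"; crc=1; }
  # in "drwxr-xr-x" the 6th character is the group write bit, the 9th the world write bit
  case "$mode" in ?????w*)    echo "$dir: group-writable ($mode)"; crc=1 ;; esac
  case "$mode" in ????????w*) echo "$dir: world-writable ($mode)"; crc=1 ;; esac
  return $crc
}

# check_chroot_path DIR [OWNER_UID]: walk from DIR up to /, checking every component.
check_chroot_path() {
  case "$1" in /*) ;; *) echo "$1: ChrootDirectory must be an absolute path"; return 2 ;; esac
  p=${1%/}; [ -n "$p" ] || p=/
  prc=0
  while :; do
    check_component "$p" "$2" || prc=1
    [ "$p" = / ] && break
    p=$(dirname "$p")
  done
  return $prc
}
```

For the setup above run `check_chroot_path /var/www/guestuser`; the data directory /var/www/guestuser/www is below the jail and may be owned by guestuser, which is why step 9 is not a problem.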

 

Configure IIS Website with SSL

To secure your website you can use SSL and certificates. In this post I will explain in detail how to setup your site to use a certificate, including the details of installing your own Certification Authority. Finally I will show you some C# code to work with certificates.

Part 1 will show you how to install the Certificate Authority on a Windows 2003 machine, part 2 is about creating a new website, part 3 shows how to request a webserver certificate, part 4 shows you how to send the request to the Certification Authority, part 5 shows you how the CA processes the request, part 6 shows you how to download and install the certificate on the website, and part 7 shows you how to create a virtual folder. Part 8 shows you how to test the site, together with some coding examples in C#.

Code Access Security

There are three kinds of permissions, each with a specific purpose:

  1. Code access permissions, which represent access to a protected resource or the ability to perform a protected operation.
  2. Identity permissions, which indicate that code has credentials that support a particular kind of identity.
  3. Role-based security permissions, which provide a mechanism for discovering whether a user (or the agent acting on the user’s behalf) has a particular identity or is a member of a specified role.

PrincipalPermission is the only role-based security permission.

Applications that receive less than full trust by the runtime code access security system are not allowed to call shared managed libraries unless the library writer specifically allows them to through the use of the AllowPartiallyTrustedCallersAttribute Class.

AllowPartiallyTrustedCallersAttribute is only effective when applied by a strong-named assembly at the assembly level.

By default code executing from “Local Intranet” and “Internet” zone is partially trusted!

There is no programmatic way for partially trusted code to call a library that does not have the AllowPartiallyTrustedCallersAttribute attribute.

To view the list of fully trusted assemblies, use the following command:
caspol -listfulltrust

If you want to turn it off, you have to be an administrator. Use this command to turn it off:
caspol -s off

Reset security settings:
caspol -reset

XML files for storing configuration:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config

Encrypting / decrypting web.config sections

  1. Determine the identity of your ASP.NET application. In most situations this will be the “NT AUTHORITY\NETWORK SERVICE” account.
  2. Grant the account determined in step 1 access to the machine-level RSA key container:
    aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
  3. To encrypt your appSettings section execute the following command:
    aspnet_regiis -pe "appSettings" -app "/Site"
    appSettings is case-sensitive and /Site points to the virtual folder where your web.config is stored.
  4. To decrypt the web.config section execute the following command:
    aspnet_regiis -pd "appSettings" -app "/Site"
  5. Retrieving your encrypted settings can be done with the ConfigurationManager:
    string username = ConfigurationManager.AppSettings["username"].ToString();
Sign an MSI

Start a Visual Studio command prompt and create a test certificate with the command:

makecert -r -ss My -n "CN=Berend his Certificate" mycert.cer

-r   create a self-signed certificate. Such a certificate has no certification path, whereas a regular certificate points to a root certificate.
-ss  the certificate store to use (My is the Personal store)
-n   the common name

Sign your MSI with this certificate:

signtool sign /n "Berend his Certificate" .msi

Result from signtool is something like:

Done Adding Additional Store
Successfully signed: .msi

You can display information about this certificate by following the steps in this article.

You can even check the public key (in C# code) by following the steps in this article.

Type certmgr.msc in a command prompt (or the Run dialog) and the Certificate Manager snap-in opens. Navigate to “Personal –> Certificates”; the certificate created with MakeCert (command above) is listed there.
