Archive for the ‘Security’ Category
This article describes how to use an existing SSL for use with Stash. The process involves converting the certificate using OpenSSL, importing it into the Java keystore, and then updating the Stash configuration to utilize it.
1. First you will need to arrange your certificate in a .pem file. Open Notepad and copy/paste the certificate, key, intermediate certificate, and root certificate in the following format:
-----BEGIN RSA PRIVATE KEY-----
Private key for yourdomain.com
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SSL certificate for yourdomain.com
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate from the issuing authority
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate from the issuing authority
-----END CERTIFICATE-----
2. Save the file as “yourdomain.pem”.
3. Open a command prompt and navigate to where you saved the .pem file. Then run the following command:
openssl pkcs12 -export -in yourdomain.pem -out yourdomain.p12
Note: This requires OpenSSL to be installed. If necessary this can be downloaded here.
4. Copy the new .p12 file to the server if it is not already there. Then open a command prompt and run the following to import the certificate into the keystore:
keytool -importkeystore -srckeystore yourdomain.p12 -destkeystore server.jks -srcstoretype pkcs12
You will be prompted for two passwords. Make sure to enter the same password for both and make note of this for later. If keytool is not recognized as a valid command you will have to change directories to the Java JRE bin directory.
5. Edit the server.xml file located in the “conf” directory of your Stash installation. Anywhere before the closing </Service> tag, enter the following:
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" keystoreFile="C:\server.jks" keystorePass="MyPassword" sslProtocol="TLS" />
You may need to update the following values depending on your setup:
keystoreFile: This is the full path to the .jks keystore file.
keystorePass: This is the import password you used during step 4.
I did not do any tweaking of the values listed above. They were simply taken from Atlassian’s guide Securing Stash with Tomcat using SSL.
6. Restart the Stash service and test by navigating to the following URL:
1. Click “Install a SSL Certificate and Setup the Domain” under SSL/TLS on the left-hand side. Alternatively, you can use the find feature to locate “SSL”.
2. Paste the certificate details in the top text box and then click a blank area on the page. cPanel will auto-fill information based on the certificate text, such as the domain and username.
Note: If the IP address is shared by multiple domains you will need to set the username to “nobody”.
3. If the key field was auto-filled, delete its contents and paste the matching key.
4. Paste the intermediate or CA bundle in the last text box.
5. Finally, click the Submit button near the top of the page.
6. Test by navigating to the domain over HTTPS in a browser.
SSL failing after install?
Recently some SSL installs have been failing despite being installed correctly. If this seems to be the case, check the httpd.conf file for something similar to:
Comment out these lines, restart Apache, and test the SSL. If it now works, make sure to run the distiller so this change is not overwritten the next time cPanel is updated:
/usr/local/cpanel/bin/apache_conf_distiller --update --main
You can regenerate the httpd.conf file to verify this was distilled properly:
Sometimes you will need to install an SSL certificate and the person who ordered it sends in an encrypted key. Here is an example of an encrypted key:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
In a Linux environment, OpenSSL provides an easy way to decrypt it:
openssl rsa -in server.key.secure -out server.key
Make sure to replace “server.key.secure” with the filename of your encrypted key, and “server.key” with whatever you want the decrypted filename to be. If you are prompted for a passphrase, whoever made the key specified one. Unfortunately, you will not be able to decrypt the key without the correct passphrase.
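The following Python script is an added example, not code from the original posts. It parses a PEM bundle assembled as in step 1 of the Stash guide above and flags the mistakes that most often break the openssl pkcs12 step (key not first, missing chain) as well as a passphrase-protected key like the one described in this post. The sample bundles are constructed with placeholder base64, not real key or certificate material.

```python
import re

# Matches one PEM block; the label is captured so the END line must match the BEGIN line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem_blocks(text):
    """Return (label, body) pairs for every PEM block in the bundle, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def is_encrypted_key(label, body):
    """True for both forms of passphrase-protected key that openssl writes."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body

def check_bundle(text):
    """Return a list of problems with a key + chain bundle; an empty list means it looks usable."""
    blocks = parse_pem_blocks(text)
    keys = [(i, lab, body) for i, (lab, body) in enumerate(blocks) if lab.endswith("PRIVATE KEY")]
    certs = [i for i, (lab, _) in enumerate(blocks) if lab == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    elif keys[0][0] != 0:
        problems.append("private key should be the first block in the file")
    elif is_encrypted_key(keys[0][1], keys[0][2]):
        problems.append("private key is passphrase-protected; decrypt it with openssl rsa first")
    if len(certs) < 2:
        problems.append("expected the server certificate plus at least one CA certificate, found %d" % len(certs))
    if len(blocks) != len(keys) + len(certs):
        problems.append("bundle contains block types other than keys and certificates")
    return problems

def pem_block(label, body, headers=""):
    """Build a PEM block for the constructed samples below."""
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)

# Constructed placeholder body (not real key or certificate material).
FAKE_B64 = "MIIBOgIBAAJBAKfakefakefakefakefakefakefakefakefakefakefakefak="

# Bundle in the order the Stash guide asks for: key, server cert, intermediate, root.
GOOD_BUNDLE = pem_block("RSA PRIVATE KEY", FAKE_B64) + pem_block("CERTIFICATE", FAKE_B64) * 3
# Same blocks, but the key placed after the certificates.
WRONG_ORDER = pem_block("CERTIFICATE", FAKE_B64) * 3 + pem_block("RSA PRIVATE KEY", FAKE_B64)
# Passphrase-protected key as openssl's legacy format writes it (Proc-Type/DEK-Info headers).
ENCRYPTED_KEY = pem_block("RSA PRIVATE KEY", FAKE_B64,
                          "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
```

Run check_bundle() on your own yourdomain.pem before converting it; an empty result means the block order and chain look right and the key does not need decrypting first.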
So I set up a new WordPress blog and did everything I could to make sure it is secure. As my first post I will detail all the steps I took in the hope that it will help other WordPress users.
1. Security keys
Introduced in WordPress 2.7, these keys improve security by encrypting your WordPress cookies. There are four of them, and they are set in your wp-config.php file.
You can use the key generator tool provided by WordPress here:
2. Update table prefix from wp_ to something random
A lot of automated tools assume you are using the wp_ prefix and scan for it. Updating it to something random can help block this type of attack. The prefix can be changed to anything random as long as it is not “wp_”, for instance “Hng93m12”.
If your blog is already setup you can follow the steps here to update your table prefix:
3. Move the wp-config.php file out of the webroot
WordPress allows the wp-config.php file to be moved up one directory, outside of the web root. This is great for security since the main configuration file, which contains your database connection info, will not be accessible from the web.
Simply move the file up one directory. No extra configuration is needed.
4. Restrict access to wp-admin with .htaccess
If you only connect to your WP admin section from one or a few locations, you can limit which IPs can access this area. This prevents unwanted access to your admin section, which means attackers will not be able to brute-force your login.
Here is an example .htaccess file. Remember to replace 188.8.131.52 with your IP address(es):
# Apache 2.2 syntax; on Apache 2.4 use "Require ip 188.8.131.52" instead
Order Deny,Allow
Allow from 188.8.131.52
Deny from all
If your IP changes too often or you connect from various locations and this is not an option, consider password protecting the wp-admin directory. This gives you two sets of logins, which decreases the likelihood that someone guesses your login info.
5. Delete the admin User Account
Automated attacks and manual ones tend to assume the administrative user is “admin”. Creating an admin user with a different name will prevent this.
- Create another administrative user in your WP admin section
- Log out
- Log in as the new user
- Delete the old “admin” user
6. Create a robots.txt file to block indexing of certain WP files
Hackers sometimes use indexed information to attack your site. It is not necessary for search engines to index certain files such as the ones in wp-admin. To prevent this create a robots.txt file in the web root of your site and enter the following:
7. Use the WP Security plugin
This is a great plugin that automatically scans permissions and other security vulnerabilities and provides the recommended settings. You can download it here:
8. Keep WordPress and your plugins up to date
This is a big one that people tend to forget. If WP or your WP plugins are out of date, this creates an easy point of access for potential attackers.
9. Last and hopefully most obvious, use strong passwords
An easy way to create strong passwords is to use a password generator tool. There are many available but here is one I tend to use: