Tomcat 7 SSL – Swapping a Cert out in the keystore

Posted by & filed under Server Admin.

I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.

 

Need to know a few things beforehand:

  • Tomcat keyfile path
  • Source store password for the pfx file
  • Source alias for the pfx
  • Dest source passwd
  • Dest source alias

In order to get the source alias from the new pfx file:

If you need to get the alias from the existing Tomcat keystore:

Additionally, the above command can be used to verify the certificate, expiry date, etc.

Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, you may need to reset the keystore password:

Reset to the correct password as defined in the servver.xml keyStorePass parameter using the following command. You may need to adjust alias to your needs. You will be prompted for the new password, which should match the previously mentioned keyStorePass parameter.

You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…):

 

 

EDIT FROM THE FUTURE:

Additional note — when trying to run the import command I was getting the following error:

I ran the following to verify the alias is correct:

Key ID of 2 is displayed correctly here as well as a more verbose output also showed the same:

I then took the same .pfx file and checked it on a linux machine based on a hint from this stackoverflow on binary chars: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias

And lo’ and behold it shows the alias is actually 1!

 

..Back in Windows land:

It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-

 

 

 

 

Linux – Unable to boot due to missing drive in fstab

Posted by & filed under Linux, Server Admin.

I had a old server I brought up and it was unable to complete it’s boot due to a missing drive in fstab. Editing the fstab in recovery mode is not a option since the filesystem gets flagged as read only.

In order to make the FS writable and therefore be able to successfully edt the fstab, the following command will remount the FS in read/write mode:

 

Windows XP: Recovering The registry using Linux when windows won’t boot

Posted by & filed under Server Admin.

I recently had a Windows XP laptop crash. Windows would not boot to safe mode or anything, and just displayed the following error message:

I could not afford to simply wipe the laptop and reinstall windows as it had some old software that was no longer available.I located the following article which details a procedure to recover from this issue using the MS recovery console and using the System Restore: https://support.microsoft.com/en-us/kb/307545

As this laptop did not have a optical cd-rom, it was a difficult proposition to make a XP bootable USB stick to complete this procedure since I do not have the media handy. Additionally, it seemed like a pain to go thru all the steps when it could be simplified quite a bit with a functioning OS like linux. I decided to attempt to recover using a linux live cd:

  1. Create a bootable USB stick with Ubuntu on it using uNetBootin
  2. Boot to the USB stick.
  3. Make backups of any critical files (just in case)
  4. Backup registry files at C:\windows\system32\config to usb stick:
  5. Access the System Volume Information which should contain restore points for the system. See Part 2 Steps 7 through 10 in above MS article for details, but in a nutshell you want to access C:\System Volume Information. There will be one or more folders inside and their names will be similar to “_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}”. Inside these folders, look for RPx folders. There may be more than 1, and x would be a number. Look at the created dates of these folders to identify a fairly recent restore point. For example I found one that was two weeks old in RP47.
  6. Access the snapshot folder to retrieve registry backups. Example:
  7. Inside the snapshot directory, copy the registry files to a temp location, and make a backup of them:
  8. Copy the snapshots to C:\windows\system32\config.
  9. Delete the old crashed registry files:
  10. Rename the backup registry files to replace the ones you just deleted:
  11. Cross your fingers and reboot! If it does not work, and you still receive the same error message, you may need to try a older registry snapshot. Simply follow the above steps to try a different registry snapshot.

Good luck!

Slow DNS Resolution on Ubuntu Linux Server 14.05 LTS

Posted by & filed under Linux, Server Admin.

This all started with WordPress timeouts. I was trying to activate some premium plugins, and the license activation was timing out. I started doing some digging and found they use the WordPress core library WP_http which in turn uses curl to make the request. I wrote my own code to use WP_Http and it failed in the same way with a timeout. I added a timeout parameter to the wp_remote_get() call, and it was able to complete without a timeout. I then used a IP address in place of the domain name and it worked without the need for the timeout parameter.

With that info in hand, I decided it must be on the server. I started doing some tests:

I then did the same test from another server that uses the same DNS servers in resolv.conf:

After much googling, I found a few number of suggested solutions:

  • Disable IPv6
  • Ensure /etc/nsswitch.conf is set correctly (hosts: files dns)

Neither of these worked for me. Finally, I added the following directive into my resolv.conf and it fixed the issue!

Apparently, this is actually somewhat related to ipv6 — from the resolv.conf manpage:

Now, I get good response times when I curl:

Looks like the resolver sends parallel requests, fails to see the IPv6 response, waits 5 sec and sends sequential requests because it thinks the nameserver is broken. By adding the options single-request, glibc makes the requests sequentially be default and does not timeout.

I found some good info and hints on this issue here: https://bbs.archlinux.org/viewtopic.php?id=75770

Lastly, to bring this whole thing full circle, the WprdPress plugins now are able to get out and communicate successfully. Woohoo!

cPanel WHM – Wipe cpHulk Lockouts

Posted by & filed under Firewalls, Security, Server Admin.

cPanel WHM’s cpHulk system manages iptables blocks against IP addresses that fail to authenticate repeatedly. While the settings are fairly lenient and shouldn’t result in legitimate users being blacklisted, occasionally it can happen. The following command will reset the blocklist completely. While this is akin to using a shotgun when a scalpel is required, the blocks are time based and any malicious addresses would get quickly re-blocked.

 

There is a method to remove specific addresses, but I do not have the commands handy at present, and if I remember correctly it entails connecting to the mysql console, running a query to find the IP in the block table and issuing a drop query.

OpenSSL – Extracting a crt and key from a pkcs12 file

Posted by & filed under Linux, Server Admin.

Quick and dirty way to pull out the key and crt from a pkcs12 file:

If you are using this for Apache and need to strip the password out of the certificate so Apache does not ask for it each time it starts:

Scanning for web malware, back doors, spam scripts, etc on Linux based web servers

Posted by & filed under Security, Server Admin.

In the wake of the recent SoakSoak WordPress vulnerability, among others I have began searching for a better way to keep tabs on malicious code that may get uploaded to client’s hosting accounts.

Enter maldet.

Maldet uses a constantly updated database of malware hashes to identify and quarantine (if required) malicious files. Maldet can be set to run automatically via cron, watch newly updates files, and more.

 

 

Exim – Find a list of the most commonly used scripts

Posted by & filed under Server Admin.

I had to deal with a malicious script that was inserted into a website today and was sending out spam. Typically I have a few tools I run, but I couldn’t locate this particular infection. Time to take another angle, Exim logs. The following shows the most used script directories which will help narrow down the suspects substantially.

Exim – Purge Mail Queue

Posted by & filed under Server Admin.

A quick one-liner to purge the Exim mail queue:

 

Recursively finding strings in files

Posted by & filed under Linux, Server Admin.

For example, if you wanted to scan all files in the current directory, and all sub directories for any calls to base64_decode, you could do something like this:

find all files, then execute grep on them, printing out matching lines, filenames and line numbers, finally write output to resultb64.txt

Another twist on this is to filter the filetypes a bit:

Lastly, if we wanted to find and replace (with nothing) a string:

Apache Scalp fixed XML file

Posted by & filed under Server Admin.

Needed to audit some apache logs, installed scalp, grabbed the XML, and it promptly puked:

Seems there is some issue with the regex in the XML file. I found this handy thread which outlines the fixes: code.google.com/p/apache-scalp/issues/de… and another person posted a XML will all the fixes: pastebin.com/uDziqcD5

Backup of the XML is below just in case pastebin goes down: default_filter (rename to .xml)

BASH: Copy files recursively, excluding directories

Posted by & filed under Linux, Server Admin.

Scenario:

Folder /public_html looks like this:

I need to clone all the files and folders (with a couple of exceptions) in this directory into the /public_html/dev folder. We need to exclude the dev/ folder as it is the destination, and also want to exclude the dev2/ folder.

Rsync makes this easy:

In my scenario, something like the following gets the job done:

 

Apache key and cert generation

Posted by & filed under Server Admin.

Here’s a nice one liner to generate a private key and csr:

Generates the key and the csr in one shot.

Process Explorer 16 and VirusTotal integration

Posted by & filed under Server Admin.

I came across this today and had to share. The latest version of Process Explorer has native integration with VirusTotal This means you can have Process Explorer analyze the processes running and compare them with the VirusTotal database.

Process Explorer 16 w/ VirusTotal integration

Enable:

Usage:

  • Select options -> Check VirusTotal.com to initiate a scan of the processes. The VirusTotal column will populate with scores for the process.
  • Click a score to be taken to the detailed results on VirusTotal.
    procexp-vtuse-2

How It Works:

  • Creates a SHA256 hash of the file.
  • Submits to VirusTotal.
  • The hash of the process is then looked up in VirusTotal’s database, and the results are displayed in Process Explorer.