Tagged: security

  • Elmer Masters 3:10 pm on July 19, 2016
    Tags: security

    Helping Dan bang out the kinks in deploying SSL for the main website. Reminding me that our site is a bit on the complex side.

  • Elmer Masters 9:16 pm on July 12, 2016
    Tags: security

    Looks like tomorrow will be a fun day for Drupal admins.

    > From: security-news@drupal.org
    > Date: July 12, 2016 at 12:37:55 PM CDT
    > To: security-news@drupal.org
    > Subject: [Security-news] Drupal contrib – Highly Critical – Remote code execution PSA-2016-001
    > Reply-To: noreply@drupal.org
    >
    > View online: https://www.drupal.org/node/2764899
    >
    > * Advisory ID: DRUPAL-PSA-2016-001
    > * Project: Drupal contributed modules
    > * Version: 7.x
    > * Date: 2016-July-12
    > * Security risk: 22/25 ( Highly Critical)
    > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [1]
    > * Vulnerability: Arbitrary PHP code execution
    >
    > -------- DESCRIPTION
    > ---------------------------------------------------------
    >
    > There will be multiple releases of Drupal contributed modules on Wednesday
    > July 13th 2016 16:00 UTC that will fix highly critical remote code execution
    > vulnerabilities (risk scores up to 22/25 [2]). The Drupal Security Team urges
    > you to reserve time for module updates at that time because exploits are
    > expected to be developed within hours/days. Release announcements will appear
    > at the standard announcement locations. [3]
    >
    > Drupal core is not affected. Not all sites will be affected. You should
    > review the published advisories on July 13th 2016 to see if any modules you
    > use are affected.
    > -------- CONTACT AND MORE INFORMATION
    > ----------------------------------------
    >
    > The Drupal security team can be reached at security at drupal.org or via the
    > contact form at https://www.drupal.org/contact [4].
    >
    > Learn more about the Drupal Security team and their policies [5], writing
    > secure code for Drupal [6], and securing your site [7].
    >
    > Follow the Drupal Security Team on Twitter at
    > https://twitter.com/drupalsecurity [8]
    >
    >
    > [1] https://www.drupal.org/security-team/risk-levels
    > [2] https://www.drupal.org/security-team/risk-levels
    > [3] https://www.drupal.org/security/contrib
    > [4] https://www.drupal.org/contact
    > [5] https://www.drupal.org/security-team
    > [6] https://www.drupal.org/writing-secure-code
    > [7] https://www.drupal.org/security/secure-configuration
    > [8] https://twitter.com/drupalsecurity
    >
    > _______________________________________________
    > Security-news mailing list
    > Security-news@drupal.org
    > Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • Elmer Masters 4:01 pm on October 15, 2015
    Tags: security

    Setting up Apache 2.4 to use https only

    With a free SSL certificate in hand from StartSSL we need to configure Apache to use the certificate and serve up all content using HTTPS. The examples below are for Apache 2.4.x. Older versions will require some slight adjustments.

    Start by moving the necessary keys and certificates to the server. I use SFTP to do this sort of thing, transferring the contents of the folder I saved the files in when generating the certificate. Create a directory for the files on the server, such as /etc/apache2/ssl/. Make note of what you called the directory; you’ll need that path later.

    With the files in place it’s time to move on to configuring Apache. Apache needs some modules to deal with SSL and other security settings. Make sure that the ssl, rewrite, headers, and env modules are enabled in your Apache config. Restart Apache to get the new modules running.

    I recommend using the Mozilla SSL Configuration Generator to generate a skeleton virtual host config file. You tell it what version of Apache you have and it gives you a block of text that will get you started. Add the copied text to the default.conf file in Apache; this adds the SSL virtual host to the default configuration of the web server. Yes, the file will have 2 virtual hosts in it, one listening on port 80 and one on port 443. That’s ok. Edit the pasted text to point to the files you uploaded to the server. Add the same path and directory information you have in the port 80 virtual host into the 443 virtual host. This ensures that both virtual hosts are looking in the same spot for the same things. Save the file and restart Apache for it to take effect.

    At this point you should be able to access the same content at either http:// or https://. The final step is to redirect all http:// traffic to https:// so only encrypted traffic is served. This requires editing the default.conf file one more time. This time you’ll make changes to the port 80 virtual host by commenting out all of the lines that follow the ServerName and ServerAdmin directives. Then add the line Redirect permanent / https://site.name/ to that virtual host and save the file. Restart Apache one more time. Now accessing http:// will redirect you right to https://, so you have only secure access to your site.
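    The two virtual hosts described above, rendered by a small shell helper so the site name and certificate directory can be swapped in. This is an added example, not the author's config: the file names ssl.cert and ssl.key.d follow the certificate post on this page, the chain file name chain.pem and the TLS settings are assumed placeholders, and the default.conf path is the one the post names.

```shell
#!/bin/sh
# Added example: render the port-80 redirect host and the port-443 SSL host
# for Apache 2.4. Parameters: site name (e.g. site.name) and the directory
# the certificate files were uploaded to (e.g. /etc/apache2/ssl).
render_vhosts() {
    site="$1"
    ssl_dir="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${site}
    ServerAdmin webmaster@${site}
    # Everything else in the port-80 host is left commented out:
    # this host exists only to send clients to the encrypted site.
    Redirect permanent / https://${site}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${site}
    ServerAdmin webmaster@${site}
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile      ${ssl_dir}/ssl.cert
    SSLCertificateKeyFile   ${ssl_dir}/ssl.key.d
    SSLCertificateChainFile ${ssl_dir}/chain.pem
    # Skeleton protocol settings in the style of the Mozilla generator
    # (assumed values; paste the generator's own cipher list here).
    SSLProtocol             all -SSLv3
    SSLHonorCipherOrder     on
    # HSTS (needs mod_headers): browsers that have seen this header
    # will refuse plain http for the site for max-age seconds.
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
EOF
}

# Write the rendered config to the file the post edits and check the
# syntax before restarting Apache (run as root on the server).
install_vhosts() {
    render_vhosts "$1" "$2" > /etc/apache2/sites-available/default.conf \
        && apachectl configtest
}
```

    Run `install_vhosts site.name /etc/apache2/ssl` and restart Apache only after configtest reports Syntax OK.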

  • Elmer Masters 7:20 pm on October 14, 2015
    Tags: security

    Getting a free SSL certificate from StartSSL

    StartSSL provides free SSL certificates that are good for one year and require that you verify your email address and control over the domain. This is a big money saver if you want to bring https to your website.

    First verify your email account and generate a client certificate for your browser. This is the lowest level of verification but it is sufficient and pretty straightforward. You can use this identity to generate any number of certificates for the next 30 days. After that you’ll need to verify your email again.

    Once you have this set up and are logged in to the site you’ll need to verify the domain you want to generate the certificate for. Hit the validations wizard tab and enter the domain name. Only top-level domains work, not subdomains. Next you’re presented with a list of email addresses to use for domain verification. Select one that you can access right away. Click continue and await the arrival of the verification email.

    Grab the verification code in the email that was sent and enter it in the verification code box on the complete validation page and click on continue. You should see the validation success message. Once a domain is validated you can use the validation for 30 days to generate certificates. Click finish to close the process.

    Now we’re ready to generate a certificate. Hit the certificates wizard tab to get started. Select Web Server SSL/TLS Certificate from the dropdown and hit continue. The first step here is to generate the private key for your certificate. Please note that if you created your own private key and certificate request (CSR), you can skip this step. Otherwise enter a key password twice and hit continue.

    Please note that you need to keep this password somewhere or you won’t be able to decrypt the key you’re about to generate. I highly recommend that you use a password manager like KeePass to generate and store a strong password for this.

    StartSSL will present you with a private key. Copy the text, being careful not to add any spaces or lines to it. Use a simple text editor to save the private key as ssl.key. I like to create a folder with the domain name to save this and the other files needed to get SSL going on the web server.

    At this point the key is encrypted and you’ll need the password to decrypt it for use with the web server. For me the easiest way to do this is to go to the folder where you saved ssl.key and decrypt the private key with the OpenSSL utility: openssl rsa -in ssl.key -out ssl.key.d. This works well on Linux and OSX. StartSSL also provides a tool for decrypting the key but I’ve had mixed results with it.

    Once you’ve decrypted the key hit continue to add a domain and generate the actual certificate. Just select your domain and hit continue. You will be prompted to add the subdomain for the certificate. In most cases that will be www. Hitting continue shows you the information gathered so far and prompts for one more click on continue to generate the certificate.

    Finally we get to the SSL certificate! As with the private key you’ll need to copy the text carefully and use a text editor to save the file as ssl.cert. In addition you need to save the intermediate and root CA certificates for the installation at your server using Save As… in your browser.

    With everything saved you can hit the finalize button to finish up. Now you have all you need to get SSL up and running on your web server. Coming next are instructions on getting it all working on Apache 2.4.
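    Because the key and certificate are both copied by hand out of a browser, it is worth confirming that the decrypted key and the saved certificate belong together before uploading them. This added helper is not part of the original post or of StartSSL; it assumes OpenSSL on the PATH and the file names ssl.key, ssl.key.d and ssl.cert used above.

```shell
#!/bin/sh
# Added example: decrypt the StartSSL private key (the "openssl rsa" step
# above), keep the plaintext key readable only by its owner, and check that
# the key and the pasted certificate carry the same public key.

# Print the public key derived from a private key or from a certificate,
# so the two can be compared byte for byte.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Returns 0 when the key and certificate match, 1 otherwise (including
# when either file is unreadable or not valid PEM, e.g. a bad paste).
key_matches_cert() {
    k=$(pubkey_of_key "$1")  || return 1
    c=$(pubkey_of_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Decrypt ssl.key to ssl.key.d (openssl prompts for the key password),
# create it with mode 600, then verify it against ssl.cert.
prepare_key() {
    key="$1"; cert="$2"; out="${key}.d"
    (umask 077 && openssl rsa -in "$key" -out "$out") || return 1
    if key_matches_cert "$out" "$cert"; then
        echo "OK: $out matches $cert"
    else
        echo "MISMATCH: re-copy the key or certificate text" >&2
        return 1
    fi
}
```

    Run `prepare_key ssl.key ssl.cert` in the folder where you saved the files; a MISMATCH means one of the two pastes went wrong, not that the server is misconfigured.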
