• FreeIPA User Account Locked

    When FreeIPA is used for authentication from Windows, users sometimes lock themselves out with repeated wrong passwords, yet the FreeIPA UI shows nothing wrong with the account. The lockout is not a flag on the user entry: the KDC enforces it from the failed-authentication counter kept in the Kerberos database, so that counter is what has to be reset. On the IPA server, as root, look the principal up with kadmin.local:

    # kadmin.local
    kadmin: getprinc mohan

    The output looks like this; the last line is the counter the KDC compares with the password policy's maximum number of failures:

    Principal: mohan@LOCALDOMAIN.INTERNAL

    Last successful authentication: [never]
    Last failed authentication: Thu Sep 03 11:30:33 IST 2014
    Failed password attempts: 4

    Reset the counter, which unlocks the principal immediately:

    kadmin: modprinc -unlock mohan

    Two things to keep in mind: FreeIPA does not replicate the failed-login counter between its servers by default, so run the unlock on the KDC the user actually authenticates against (or on each of them); and current FreeIPA releases expose the same reset as ipa user-unlock, which avoids kadmin.local altogether.
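    Added example, not part of the original post: a small Python sweep that parses the getprinc output shown above for every principal in the database, flags those whose failed-attempt counter has reached the policy maximum, and prints the matching modprinc -unlock command. The threshold DEFAULT_MAX_FAILURES is an assumption (FreeIPA's default policy allows 6; read yours from ipa pwpolicy-show), and SAMPLE_GETPRINC is constructed from the output above.

```python
"""Find principals the KDC has locked out and print the unlock command.

Added example, not from the original post. It parses the text that
``kadmin.local -q "getprinc NAME"`` prints (the fields shown above),
compares the failed-attempt counter with the policy's maximum, and emits
the ``modprinc -unlock`` command for each locked principal. The threshold
and the sample output are assumptions made for illustration.
"""
import re
import subprocess

# Assumed lockout threshold; FreeIPA's default password policy uses 6.
DEFAULT_MAX_FAILURES = 6

# Constructed sample modelled on the getprinc output in the post above.
SAMPLE_GETPRINC = """\
Principal: mohan@LOCALDOMAIN.INTERNAL
Expiration date: [never]
Last password change: Mon Aug 25 09:12:01 IST 2014
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Last successful authentication: [never]
Last failed authentication: Thu Sep 03 11:30:33 IST 2014
Failed password attempts: 4
Policy: [none]
"""

_FIELD = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_getprinc(text):
    """Map each 'Key: value' line of getprinc output to a dict entry.

    The key is everything before the first colon, so values that contain
    colons (timestamps) are kept intact. Lines without a colon are skipped.
    """
    info = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            info[m.group("key").strip()] = m.group("value").strip()
    return info


def failed_attempts(info):
    """Failed-password counter as an integer (0 if absent or unparsable)."""
    try:
        return int(info.get("Failed password attempts", "0"))
    except ValueError:
        return 0


def is_locked(info, max_failures=DEFAULT_MAX_FAILURES):
    """The KDC refuses the principal once the counter reaches the maximum."""
    return max_failures > 0 and failed_attempts(info) >= max_failures


def unlock_command(info):
    """The kadmin.local invocation that resets the counter (run as root)."""
    return 'kadmin.local -q "modprinc -unlock %s"' % info["Principal"]


def kadmin_query(query):
    """Run one kadmin.local query and return its stdout (needs root on the KDC)."""
    out = subprocess.run(["kadmin.local", "-q", query],
                         check=True, capture_output=True, text=True)
    return out.stdout


def locked_principals(max_failures=DEFAULT_MAX_FAILURES):
    """Sweep every principal in the KDB and yield the parsed info of locked ones."""
    for line in kadmin_query("listprincs").splitlines():
        name = line.strip()
        if not name or name.startswith("Authenticating"):
            continue  # skip the "Authenticating as principal ..." banner
        info = parse_getprinc(kadmin_query("getprinc " + name))
        if is_locked(info, max_failures):
            yield info


if __name__ == "__main__":
    for info in locked_principals():
        print(info["Principal"], "failed attempts:", failed_attempts(info))
        print("   ", unlock_command(info))
```

    Run it as root on the IPA server; with replication, run it on each KDC, since the counters are local. Only the parsing and decision helpers run without kadmin.local.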

  • selinuxApache

    Apache DocumentRoot must be directory

    You have created a separate partition for your htdocs directory and mounted it at /path/to/documentroot, but when you start Apache it fails with 'DocumentRoot must be a directory'.

    This is SELinux at work: the new filesystem carries a label (typically default_t or unlabeled_t) that httpd is not allowed to read, so it cannot even stat the directory. There are two ways to get Apache working:

    1. Crude way: disable SELinux altogether.
    2. Proper way: set the SELinux context on that directory.

    Crude way: disable SELinux altogether

    Follow these steps:

    vi /etc/selinux/config
    Change 'SELINUX=enforcing' to 'SELINUX=disabled'
    Restart your system

    This removes the policy for every service on the host, not just Apache, so treat it as a last resort rather than a fix.

    Proper way: set the SELinux context on that directory

    First check the current SELinux context of the directory:

    ls -laZ /path/to/documentroot

    The type in the context field should read httpd_sys_content_t; on a freshly mounted filesystem it usually shows default_t or unlabeled_t instead. Relabel the tree so httpd may serve it:

    chcon -R -h -t httpd_sys_content_t /path/to/documentroot

    Verify the SELinux context:

    ls -laZ /path/to/documentroot

    Restart Apache and it works :). Two caveats: chcon only changes the labels on disk, so a filesystem relabel (restorecon, or a relabel at boot) reverts them; the durable fix is to record the path in the file-context database with semanage fcontext and then apply it with restorecon. And if Apache must also write into the directory (uploads, caches), the type it needs is httpd_sys_rw_content_t, not httpd_sys_content_t.

    Hope this saves your time.


  • ASC

    Amazon VPC with OpenSwan and Cisco ASA Site-to-Site VPN


    Recently my company wanted to achieve PCI DSS compliance on Amazon. The standard requires that the database instance listen on a private IP only and not be reachable from the outside world on a public IP. That is not achievable with plain EC2, where every instance is assigned a public IP whether you want one or not. Once the database listens on a private address we also need VPN connectivity between Amazon and our own network, so I started looking into Amazon VPC. However, the VPC VPN option required BGP for a site-to-site VPN, and our Cisco ASA does not speak BGP, so that was out. I went looking for an alternative and found the TechSmog article "OpenSwan, Amazon VPC, and Cisco ASA. Putting it all together.", which helped me a lot.


    My requirements were as follows:

    1. Allow communication between my company's local network and the EC2 instances inside the VPC, and vice versa.
    2. Allow communication between EC2 instances in the VPC that sit on different subnets.
    3. Traffic between the two sites must be encrypted in transit.
    4. All instances must be able to route to the outside world, and a few need publicly accessible IPs.


    My office network:

    – and – the office local networks, 254 usable IP addresses each.
    – – the office ASA internal IP.
    – – the office ASA public IP.

    Amazon VPC:

    – – the /16 CIDR that forms the outer VPC layer.
    – and – the VPC subnets I will be working with.
    – – the internal private IP of the OpenSwan server.
    – – the elastic IP I allocated from Amazon VPC. It is bound to the OpenSwan instance and is the external address of our IPSec tunnel, more on that later. Just remember this is the external IP the ASA connects to.

    Amazon VPC getting started:
    First off we want to create our VPC via the Amazon AWS Management Console.

    I pretty much followed the guide here:

    1. Go to the VPC tab
    2. Find the Your Virtual Private Cloud area, and click Get started creating a VPC.
    3. I chose 'VPC with Public and Private Subnets', with the addressing listed above.
    4. Follow the steps to create the VPC.

    Adding the OpenSwan server into our VPC:

    1. First allocate a new Elastic IP in the VPC tab under Virtual Private Cloud -> Elastic IPs. This will be used for the OpenSwan server.
    2. Then go back to the EC2 tab and launch an instance. I used the basic 32-bit Amazon Linux AMI:
       1. m1.small as the instance type.
       2. Make sure to choose 'Launch Instances Into Your Virtual Private Cloud'.
       3. For instance details, assign it the private IP address listed above.
       4. Choose your keypair; I gave it a Name tag of 'openswankey'.
       5. For the firewall (security group), I allowed all traffic from my office public IP. The tunnel itself only needs UDP 500 and UDP 4500 (plus ESP, IP protocol 50, if NAT traversal is not in use) from the ASA's public address, and SSH for administration, so that is the tighter rule set to prefer.
       6. Associate the elastic IP with the running instance once it is up.

    I ssh'd into the instance using my key (ssh -i my-key.pem ec2-user@<elastic IP>) and was dropped at a shell, :yay:

    Configure the instance with OpenSwan:

    I followed the TechSmog article, which helped a lot, and made a few changes to suit my scenario.

    Here are the exact commands I ran after ssh'ing into the server. HOMEPUBLIC and HOMEPRIVATE must be set to your office ASA public IP and first office subnet, EC2PRIVATE to the VPC subnet the OpenSwan instance sits in, and OFFICESUB2/VPCSUB2 to the second subnet on each side:

    [bash]sudo yum update -y
    sudo yum -y install openswan openswan-doc ipsec-tools
    # Site-specific values (left blank here; fill them in for your networks):
    HOMEPUBLIC=        # office ASA public IP
    HOMEPRIVATE=       # first office subnet, CIDR notation
    OFFICESUB2=        # second office subnet, CIDR notation
    EC2PRIVATE=        # network address of the VPC subnet the OpenSwan instance is in
    VPCSUB2=           # second VPC subnet, CIDR notation
    EC2PUBLIC=`curl -s`    # instance metadata URL for the public IPv4 address goes here
    PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30`
    umask 077          # files holding the PSK are never group/world readable, even before the chmod below
    echo "conn home" > /tmp/home.conf
    echo "    left=%defaultroute" >> /tmp/home.conf
    echo "    leftsubnet=$EC2PRIVATE/24" >> /tmp/home.conf
    echo "    leftid=$EC2PUBLIC" >> /tmp/home.conf
    echo "    right=$HOMEPUBLIC" >> /tmp/home.conf
    echo "    rightid=$HOMEPUBLIC" >> /tmp/home.conf
    echo "    rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf
    echo "    authby=secret" >> /tmp/home.conf
    echo "    esp=3DES-MD5" >> /tmp/home.conf    # must match the ASA transform set; 3DES/MD5 is weak, use AES/SHA on both ends where the ASA allows
    echo "    keyingtries=3" >> /tmp/home.conf
    echo "    rekey=no" >> /tmp/home.conf
    echo "    keyexchange=ike" >> /tmp/home.conf
    echo "    ikelifetime=86400s" >> /tmp/home.conf
    echo "    pfs=yes" >> /tmp/home.conf
    echo "    forceencaps=no" >> /tmp/home.conf
    echo "    auto=start" >> /tmp/home.conf
    echo "" >> /tmp/home.conf
    echo "conn officesub2" >> /tmp/home.conf
    echo "    rightsubnet=$OFFICESUB2" >> /tmp/home.conf
    echo "    also=home" >> /tmp/home.conf
    echo "" >> /tmp/home.conf
    echo "conn vpcsub2" >> /tmp/home.conf
    echo "    leftsubnet=$VPCSUB2" >> /tmp/home.conf
    echo "    also=home" >> /tmp/home.conf
    echo "" >> /tmp/home.conf
    echo "conn officevpcsub2" >> /tmp/home.conf
    echo "    leftsubnet=$VPCSUB2" >> /tmp/home.conf
    echo "    also=officesub2" >> /tmp/home.conf
    # ipsec.secrets format: <left id> <right id>: PSK "<key>"
    echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets
    # Uncomment the include of /etc/ipsec.d/*.conf in the stock ipsec.conf
    sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
    sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
    sudo chown root:root /tmp/home.* /tmp/ipsec.conf
    sudo mv /tmp/home.* /etc/ipsec.d
    sudo mv /tmp/ipsec.conf /etc
    sudo chkconfig ipsec on
    sudo /etc/init.d/ipsec start[/bash]

    Now, still on the command line, masquerade traffic leaving the instance so that hosts in the private subnet can reach the internet through it (requirement 4):
    [bash]iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE[/bash]

    For that to actually work the instance must forward packets (net.ipv4.ip_forward=1 in sysctl), its EC2 source/destination check must be disabled, and the VPC route tables need routes for the office networks pointing at this instance (the private subnet's default route via this instance already covers it; the public subnet needs an explicit entry). The rule above is not persistent across reboots unless saved with the iptables service. And because the NETKEY IPsec stack runs POSTROUTING before encapsulation, the rule also rewrites tunnelled traffic: insert a rule ahead of it that accepts packets matching an outbound IPsec policy (iptables' policy match), otherwise the office side only ever sees the OpenSwan address as the source.

    At the end of this I had OpenSwan up and running, with /etc/ipsec.d/home.conf as the configuration and /etc/ipsec.d/home.secrets holding the pre-shared key. Awesome!
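    As an added example, not part of the original post or the TechSmog article, the generator below produces the same home.conf and home.secrets content in Python for any number of office and VPC subnets, instead of one hand-written conn per pair. It defaults esp to AES-128/SHA-1 rather than the listing's 3DES-MD5, so the ASA transform set would have to change to match; the addresses in demo() are constructed placeholders, and the files are created with mode 0600 before the key is ever written to them.

```python
"""Render Openswan conn sections and a secrets file for N office x M VPC subnets.

Added example, not from the original post or the TechSmog article. The
echo-based listing above hand-writes one conn per office/VPC subnet pair
(home, officesub2, vpcsub2, officevpcsub2); this generalises that to any
number of subnets on either side, draws the PSK from the OS CSPRNG, and
creates the secrets file 0600 before it contains the key. All addresses in
demo() are constructed placeholders.
"""
import os
import secrets
import string
import tempfile

PSK_ALPHABET = string.ascii_letters + string.digits + "_"


def generate_psk(length=30):
    """Random PSK over the same alphabet the post's tr|head pipeline used."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def render_conf(ec2_public, home_public, vpc_subnets, office_subnets,
                esp="aes128-sha1", ikelifetime="86400s"):
    """Return ipsec.conf text: a base conn plus one conn per subnet pair.

    The first pair lives in 'conn home'; every other pair overrides only its
    leftsubnet/rightsubnet and pulls the rest in with also=home, as the post
    does. esp defaults to AES/SHA-1 instead of the post's 3DES-MD5; whatever
    is chosen must match the ASA transform set.
    """
    if not vpc_subnets or not office_subnets:
        raise ValueError("need at least one subnet on each side")
    lines = [
        "conn home",
        "    left=%defaultroute",
        "    leftsubnet=%s" % vpc_subnets[0],
        "    leftid=%s" % ec2_public,
        "    right=%s" % home_public,
        "    rightid=%s" % home_public,
        "    rightsubnet=%s" % office_subnets[0],
        "    authby=secret",
        "    esp=%s" % esp,
        "    keyingtries=3",
        "    rekey=no",
        "    keyexchange=ike",
        "    ikelifetime=%s" % ikelifetime,
        "    pfs=yes",
        "    forceencaps=no",
        "    auto=start",
        "",
    ]
    for i, vpc in enumerate(vpc_subnets):
        for j, office in enumerate(office_subnets):
            if i == 0 and j == 0:
                continue  # already covered by conn home
            lines += [
                "conn vpc%doffice%d" % (i + 1, j + 1),
                "    leftsubnet=%s" % vpc,
                "    rightsubnet=%s" % office,
                "    also=home",
                "",
            ]
    return "\n".join(lines)


def render_secrets(ec2_public, home_public, psk):
    """One line in the ipsec.secrets format the post uses for home.secrets."""
    return '%s %s: PSK "%s"\n' % (ec2_public, home_public, psk)


def write_private(path, text):
    """Create the file 0600 from the start, so the PSK is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return os.stat(path).st_mode & 0o777


def conn_names(conf_text):
    """Names of the conn sections in rendered text (handy for status checks)."""
    return [l.split(None, 1)[1] for l in conf_text.splitlines()
            if l.startswith("conn ")]


def demo(directory=None):
    """Render both files into a scratch directory; return paths and secrets mode."""
    directory = directory or tempfile.mkdtemp(prefix="openswan-")
    psk = generate_psk()
    # Constructed placeholder addressing, not the post's real networks.
    conf = render_conf("203.0.113.10", "198.51.100.1",
                       ["10.0.1.0/24", "10.0.2.0/24"],
                       ["192.168.1.0/24", "192.168.2.0/24"])
    conf_path = os.path.join(directory, "home.conf")
    sec_path = os.path.join(directory, "home.secrets")
    write_private(conf_path, conf)
    mode = write_private(sec_path,
                         render_secrets("203.0.113.10", "198.51.100.1", psk))
    return conf_path, sec_path, mode


if __name__ == "__main__":
    print(render_conf("203.0.113.10", "198.51.100.1",
                      ["10.0.1.0/24", "10.0.2.0/24"],
                      ["192.168.1.0/24", "192.168.2.0/24"]))
```

    Move the rendered files into /etc/ipsec.d as root exactly as the listing does. If you keep the ASA on ESP-3DES-MD5, call render_conf with esp="3DES-MD5"; if you move to AES, change the ASA transform set to esp-aes with esp-sha-hmac so both ends agree.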

    Configuring the ASA:

    ASA configs: make sure to BACK UP before making these changes! The tunnel-group name and the crypto-map peer are the OpenSwan server's elastic IP, and the crypto ACL must permit traffic between each office subnet and each VPC subnet, one line per pair, mirroring the conn sections on the OpenSwan side. The transform set (3DES with MD5 HMAC) and 'set pfs' correspond to esp=3DES-MD5 and pfs=yes in home.conf; if you move to AES/SHA on one side, change both.

    Tunnel group:
    [bash]tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
    ! pre-shared-key (the key in /etc/ipsec.d/home.secrets on your openswan server)[/bash]

    Crypto map:
    [bash]crypto map outside_map 6 match address outside_cryptomap_6
    crypto map outside_map 6 set pfs
    crypto map outside_map 6 set peer
    crypto map outside_map 6 set transform-set ESP-3DES-MD5
    crypto ipsec transform-set ESP-3DES-MD5
    access-list outside_cryptomap_6 extended permit ip
    access-list outside_cryptomap_6 extended permit ip
    access-list outside_cryptomap_6 extended permit ip
    access-list outside_cryptomap_6 extended permit ip[/bash]

    Internal network groups (each holds the network-object entries for one office subnet):
    [bash]object-group myinternalnetwork1
    description My Internal Network that Will connect to EC2 VPC[/bash]

    [bash]object-group myinternalnetwork2
    description My Internal Network that Will connect to EC2 VPC[/bash]

    NAT exemption, so that traffic from the internal networks to the VPC is sent through the tunnel untranslated:
    [bash]access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1
    access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2[/bash]

    Restarting IPsec on the OpenSwan instance:
    1. Log back into your OpenSwan instance via ssh and issue sudo /etc/init.d/ipsec stop; sudo /etc/init.d/ipsec start.
    2. Check whether the tunnel is up with /etc/init.d/ipsec status, which reports each conn; on the ASA, show crypto isakmp sa and show crypto ipsec sa list the phase 1 and phase 2 SAs. Because home.conf sets rekey=no, OpenSwan will not renegotiate expiring SAs itself and relies on the ASA to do so; if the tunnel drops after the lifetime, that is the first setting to revisit.

    That's it, you should now be able to connect to your instances without any problems.

    Note: if you are using Windows instances you will need to reduce the MTU of the instance's interface from 1500 to 1200, else you won't be able to access your Windows instance. The ESP (and UDP encapsulation) overhead pushes full-size frames over the path MTU, and the resulting fragmentation or dropped do-not-fragment packets break TCP sessions; clamping the TCP MSS on the OpenSwan host is the alternative to touching every instance.

  • ssltermination

    Change / Update SSL certificate for Amazon Elastic Load Balancer

    This is in continuation of the Amazon ELB SSL Termination HowTo. Earlier we saw how to set up an Elastic Load Balancer with SSL termination on Amazon. Now we will see how to change the SSL certificate once it has been renewed, or replaced after a revocation (for example because the private key was exposed).

    To change the certificate used by an Elastic Load Balancer (ELB) we need the ELB and IAM command line tools (Java-based; they have since been superseded by the unified AWS CLI, but the steps below use them). Install them as follows:

    1. Download and install a Java JDK or JRE (minimum 1.6) from here.
    2. Set the JAVA_HOME environment variable.
    3. Download and install the IAM client tool from here.
    4. Download and install the ELB client tool from here.

    Installing the IAM tool

    Once you have downloaded IAMCli.zip, extract it and do the following:

    1. Create an environment variable AWS_IAM_HOME pointing to the IAM client folder: 'AWS_IAM_HOME=/path/to/iam/folder'.
    2. Add $AWS_IAM_HOME/bin to your PATH (on Windows: %AWS_IAM_HOME%\bin).
    3. Edit $AWS_IAM_HOME/aws-credential.template and set AWSAccessKeyId and AWSSecretKey to yours. This file now holds a secret, so restrict it to your own user (chmod 600).
    4. Create an environment variable AWS_CREDENTIAL_FILE pointing to that file: 'AWS_CREDENTIAL_FILE=$AWS_IAM_HOME/aws-credential.template' (on Windows 'AWS_CREDENTIAL_FILE=%AWS_IAM_HOME%\aws-credential.template').
    5. If you are behind a proxy, edit $AWS_IAM_HOME/client-config.template (it is self-explanatory).
    6. Create an environment variable CLIENT_CONFIG_FILE pointing to that file: 'CLIENT_CONFIG_FILE=$AWS_IAM_HOME/client-config.template' (on Windows 'CLIENT_CONFIG_FILE=%AWS_IAM_HOME%\client-config.template').

    Installing the ELB tool

    Once you have downloaded ElasticLoadBalancing.zip, extract it and do the following:

    1. Create an environment variable AWS_ELB_HOME pointing to the ELB client folder: 'AWS_ELB_HOME=/path/to/elb/folder'.
    2. Add $AWS_ELB_HOME/bin to your PATH (on Windows: %AWS_ELB_HOME%\bin).
    3. Log in to the AWS web console and create an X.509 signing certificate. You will be prompted to download the private key file; save it as my-pk.pem and keep it readable only by you.
    4. On the X.509 Certificates tab, download the certificate itself and save it as my-cert.pem.
    5. Create an environment variable EC2_CERT pointing to my-cert.pem: 'EC2_CERT=/path/to/my-cert.pem'.
    6. Create an environment variable EC2_PRIVATE_KEY pointing to my-pk.pem: 'EC2_PRIVATE_KEY=/path/to/my-pk.pem'.
    7. If you are behind a proxy, create an environment variable SERVICE_JVM_ARGS with the JVM proxy settings: 'SERVICE_JVM_ARGS="-Dhttp.proxyHost=my.pro.xy.ip -Dhttp.proxyPort=8080 -Dhttps.proxyHost=my.pro.xy.ip -Dhttps.proxyPort=8080"'.

    Now we are set to upload the new certificate to Amazon and apply it to the ELB. For the upload we need:

    1. The new certificate, PEM encoded.
    2. The private key that was used to generate the CSR, PEM encoded and unencrypted (IAM does not accept a passphrase-protected key).
    3. The intermediate chain certificate (optional as far as the tool is concerned, but without it clients that lack the intermediate cannot validate the chain).

    Uploading the certificate

    To upload the certificate to Amazon, issue the following on the command line (the name given with -s is the identifier the ELB step refers to later):

    iam-servercertupload -b domain_com.crt -c chain_cert.pem -k private.key -s NewCertificateName

    To verify that the certificate has been uploaded successfully, list the server certificates stored in IAM; the new name should appear and the listing ends with:

    IsTruncated: false

    Now it is time to apply the new certificate to the ELB. Issue the following on the command line, where the --cert-id ARN ends in the name you gave with -s:

    elb-set-lb-listener-ssl-cert --region eu-west-1 --lb mylb --lb-port 443 --cert-id arn:aws:iam::accountnumber:server-certificate/CertLBNEW

    Now open https://domain.com in your browser and verify that the new certificate is presented; checking with openssl s_client also shows whether the intermediate chain is being sent. The old certificate object stays in IAM until you delete it, so remove it once nothing references it, particularly if it was replaced because of a revocation.

  • apache

    Disable Trace/Track in Apache HTTPD


    Disabling TRACE and TRACK in Apache for PCI-related findings such as "Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability" is surprisingly easy. The main thing to understand is that if you are running Apache and this finding pops up in a scan, you can be reasonably certain that TRACE, not TRACK, is the problem.

    The HTTP TRACK method is something Microsoft cooked up for IIS. It does essentially the same thing as TRACE (echo the request back to the client), with the exception that it never got used, except by penetration testers, attackers, worms and vulnerability scanners. The reason scanners care is cross-site tracing: script that can make a browser issue TRACE gets the server to reflect the request headers, cookies and credentials included, back into content the script can read.
    Validation Steps

    If your web server is listening on port 80, by far the easiest (and universal) way to determine whether it is vulnerable is telnet. Open your telnet client and connect to your web server on port 80 (telnet <hostname_you_are_testing> 80). If you are using the Microsoft telnet client, be careful because it does not echo back what you type. Once connected, type the following:

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    VAR1: Test
    VAR2: Test2
    VAR3: Test3

    Press Enter twice. If TRACE is enabled and you are not using rewrite rules, you should see output similar to the following (the request, VAR headers included, is echoed back as the body):

    HTTP/1.1 200 OK
    Server: Apache
    Date: Fri, 30 Sep 2011 03:15:30 GMT
    Content-Type: message/http
    Content-Length: 76

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    VAR1: Test
    VAR2: Test2
    VAR3: Test3

    If you are using rewrite rules you should see output similar to the following:

    HTTP/1.1 301 Moved Permanently
    Date: Fri, 30 Sep 2011 03:15:30 GMT
    Server: Apache
    Location: http://<hostname_you_are_testing>405.shtml
    Content-Length: 243
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <title>301 Moved Permanently</title>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href=”http://<hostname_you_are_testing>405.shtml”>here</a>.</p>

    The request and response over telnet for the HTTP TRACK method are the same, for testing purposes, as for TRACE; simply substitute TRACK for TRACE. If you need to test a host that is listening on SSL port 443 (and does not have an HTTP port exposed), use openssl's s_client: type "openssl s_client -connect <hostname_you_are_testing>:443". Once connected, enter the request exactly as you would over telnet.
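    The probe below is an added example, not from the original article: it does in Python what the telnet and openssl s_client steps above do by hand, sending a TRACE or TRACK request over TCP or TLS and classifying the reply. The three embedded sample responses are constructed from the transcripts on this page and www.example.com is a placeholder host; probe() needs network access, everything else runs offline.

```python
"""Probe a web server for HTTP TRACE/TRACK and classify the answer.

Added example, not part of the original article. It sends the same raw
request the telnet/openssl steps above type by hand, over plain TCP or TLS,
and sorts the response into 'enabled' (the request is echoed back as
message/http), 'disabled' (403/405/501) or 'redirected' (a rewrite rule
answered with 3xx, so retest the Location). The sample responses are
constructed from the article's transcripts; the host name is a placeholder.
"""
import socket
import ssl

MARKER_HEADERS = ("VAR1: Test", "VAR2: Test2", "VAR3: Test3")


def build_request(host, method="TRACE", path="/"):
    """Raw HTTP/1.0 request with marker headers, as typed into telnet."""
    lines = ["%s %s HTTP/1.0" % (method, path), "Host: " + host]
    lines += MARKER_HEADERS
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify(raw):
    """Return (status_code, verdict) for a raw HTTP response."""
    text = raw.decode("iso-8859-1", "replace")
    head, _, body = text.partition("\r\n\r\n")
    parts = head.split(None, 2)
    if not head.startswith("HTTP/") or len(parts) < 2 or not parts[1].isdigit():
        return 0, "no-http-response"
    status = int(parts[1])
    headers = {}
    for line in head.split("\r\n")[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    # Apache marks a real TRACE echo as message/http; the marker headers
    # reappearing in the body is the fallback check.
    echoed = (headers.get("content-type", "").startswith("message/http")
              or all(m in body for m in MARKER_HEADERS))
    if status == 200 and echoed:
        return status, "enabled"
    if status in (403, 405, 501):
        return status, "disabled"
    if 300 <= status < 400:
        return status, "redirected"
    return status, "inconclusive"


def probe(host, port=80, use_tls=False, method="TRACE", timeout=5):
    """Send the request over TCP (or TLS on 443) and classify the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, method))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


# Constructed samples mirroring the article's three transcripts.
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                  b"Content-Type: message/http\r\nContent-Length: 76\r\n\r\n"
                  b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\n"
                  b"VAR1: Test\r\nVAR2: Test2\r\nVAR3: Test3\r\n")
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
                   b"Location: http://www.example.com/405.shtml\r\n"
                   b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                   b"<title>301 Moved Permanently</title>")
SAMPLE_FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n"
                    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
                    b"<title>403 Forbidden</title>")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for method in ("TRACE", "TRACK"):
            print(method, probe(sys.argv[1], 443, use_tls=True, method=method))
    else:
        for name, sample in (("enabled", SAMPLE_ENABLED),
                             ("redirect", SAMPLE_REDIRECT),
                             ("forbidden", SAMPLE_FORBIDDEN)):
            print(name, classify(sample))
```

    Run it with a hostname to probe a live server on 443 (TRACE, then TRACK), or with no argument to classify the samples. A 'redirected' verdict is not a pass: follow the Location and test that target, or check the configuration directly.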

    TRACE is enabled by default in an Apache installation. There are two ways to remediate. The first is available on Apache 1.3.34 and 2.0.55 or later, and any 2.2 release: add the TraceEnable directive to httpd.conf and set it to Off. It is a server-wide setting, which makes it the simpler and preferred fix where the version allows.

    The second mechanism is a mod_rewrite rule that rejects the methods, which is also popular and works with ANY version of Apache that supports mod_rewrite. The directives below assume this is the first use of mod_rewrite in the configuration.

    The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your Apache configuration but you have it installed (and your install location is /usr/local/apache), add the following to httpd.conf:

    LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"

    Then add the following to httpd.conf as well. The RewriteCond is what limits the rule to the two methods; without it the rule forbids every request:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    Rewrite directives placed in the main server configuration are not inherited by virtual hosts unless each one has RewriteEngine On and RewriteOptions Inherit, so either repeat them per vhost or enable inheritance.

    Restart Apache and re-run the steps in the Validation section. With the rewrite rule you receive an HTTP 403 Forbidden; with TraceEnable Off, Apache answers 405 Method Not Allowed instead. Either response means the method is disabled. The rewrite result looks like this:


    HTTP/1.1 403 Forbidden
    Date: Fri, 30 Sep 2011 03:23:47 GMT
    Server: Apache
    Content-Length: 202
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <title>403 Forbidden</title>

    You don’t have permission to access /
    on this server.</p>

    Congratulations, you have now disabled the TRACE and TRACK methods 🙂