|
APACHE web server and SSL authentication |
|
Author: Jaroslav Imrich
 This article describes configuration techniques of module mod_ssl, which extends a functionality of Apache HTTPD to support SSL protocol. The article will deal with authentication of server (One-way SSL authentication), as well as it will also include authentication of clients by using certificates (Two-way SSL authentication).
Introduction
If you have decided to enable a SSL ( Secure Sockets Layer ) protocol on your web server it may be because you would like to extend its functionality to achieve an integrity and confidentiality for a data transferred on unsecured networks. However, this protocol with the combination of PKI ( Public Key Infrastructure ) principles can also along the side of integrity and confidentiality provide authentication between both sides involved in the client-server communication.
One-way SSL authentication allows a SSL client to confirm an identity of SSL server. However, SSL server cannot confirm an identity of SSL client. This kind of SSL authentication is used by HTTPS protocol and many public servers around the world this way provides services such as webmail or Internet banking. The SSL client authentication is done on a “application layer” of OSI model by the client entering an authentication credentials such as username and password or by using a grid card.
Two-way SSL authentication also known as mutual SSL authentication allows SSL client to confirm an identity of SSL server and SSL server can also confirm an identity of the SSL client. This type of authentication is called client authentication because SSL client shows its identity to SSL server with a use of the client certificate. Client authentication with a certificate can add yet another layer of security or even completely replace authentication method such us user name and password.
In this document, we will discuss configuration of both types of SSL authentication one-way SSL authentication and two-way SSL authentication.
|
|
Read more...
|
|
Choosing the right Linux File System Layout using a Top-Bottom Process |
|
July 31, 2009
By Pierre Vignéras  More stories by this author:
As you may probably know, Linux supports various filesystems such as ext2, ext3, ext4, xfs, reiserfs, jfs among others. Few users really consider this part of a system, selecting default options of their distribution's installer. In this article, I will give some reasons for a better consideration of the file-system and of its layout. I will suggest a top-bottom process for the design of a ``smart'' layout that remains as stable as possible over time for a given computer usage.
Introduction
The first question that you may ask is why are there so many file-systems, and what are their differences if any? To make it short (see wikipedia for details):
- ext2: it is THE Linux fs, I mean, the one that was specifically designed for linux (influenced by ext and Berkeley FFS). Pro: fast; Cons: not journalized (long fsck).
- ext3: the natural ext2 extension. Pro: compatible with ext2, journalized; Cons: slower than ext2, as many competitors, obsolete today.
- ext4: the last extension of the ext family. Pro: ascending-compatibility with ext3, big size; good read performance; cons: a bit too recent to know?
- jfs: IBM AIX FS ported to Linux. Pro: mature, fast, light and reliable, big size; Cons: still developed?
- xfs: SGI IRIX FS ported to Linux. Pro: very mature and reliable, good average performance, big size, many tools (such as a defragmenter); Cons: none as far as I know.
- reiserfs: alternative to ext2/3 file-system on linux. Pro: fast for small files; Cons: still developed?
There are other file-systems, in particular new ones such as btrfs, zfs and nilfs2 that may sound very interesting too. We will deal with them later on in this article (see 5
).
So now the question is: which file-system is the most suitable for your particular situation? The answer is not simple. But if you don't really know, if you have any doubt, I would recommend XFS for various reasons:
|
|
Read more...
|
|
IPwatchD an IP conflict detection tool for Linux |
|
Project name: IPwatchD - IP conflict detection tool
Author: Jaroslav Imrich
Project's Home Page: IPwatchD
Introduction When using a GNU/Linux operating system, from time to time you may come across a situation where network connectivity was interrupted due to the IP conflict. An IP conflict event occurs when two or more hosts on the same network are configured with identical IP addresses. At the present, there appears to be no code in the Linux kernel to take care of this situation by means of appropriate Gratuitous ARP response . Very often a network administrator is left in the complete ignorance by the Linux kernel and needs to troubleshoot IP conflict the hard way.  Fortunately, there is a simple daemon called IPwatchD which main purpose is to catch and evaluate packets on the network and this way is able to prevent an IP conflict occurrence. This is done by help of libpcap library. IPwatchD daemon is written in C language and can run in passive or active modes. The difference between a passive and active mode is that in the passive mode IPwatchD only logs every IP conflict event by engaging syslog daemon, and in active mode IPwatchD takes one step further and responds to Gratuitous ARP request which is the main construction block when it comes to the IP conflict prevention. This article will explore this simple daemon in terms of installation, configuration and usage.Prerequisites Before we can install IPwatchD under the GNU/Linux operating system it is recommended to confirm that all prerequisites needed by IPwatchD are installed on the system. Here is a list of packages you would need to install on Ubuntu 8.10. * build-essential - C compiler and other development tools
* libpcap-dev - Network packet capture library
* libnet1-dev - Network packet construction library
* libnotify-dev - sends desktop notifications to a notification daemon On ubuntu or debian linux you can install those packages with a following command: # apt-get install build-essential libpcap-dev libnet1-dev libnotify-dev
|
|
Read more...
|
|
VPN - Virtual Private Network and OpenVPN |
Introduction
This article will describe a configuration of Virtual Private Network connection by using an OpenVPN application. Firstly, you will be exposed to some basic theory behind Virtual Private Networks. Then, the article will guide you with step-by-step instructions on how to setup a OpenVPN virtual private network by using Symmetric Key Encryption and Public Key Encryption. This article is meant for everybody who possesses a basic knowledge of linux administration and networking.
Why VPN
If you work in IT industry, it is very common that you do not use only a single computer sitting on your work desk, but you also utilize other systems connected to the same local area network. As long as you are sitting on your office chair this approach should not be a problem. However, this situation can become complicated once you are in hurry, and therefore, you need to take some of your work home. You are able to take you company laptop with you, but to fully utilize company resources you would also need to be connected to the company's local area network. The solution to this problem depends on what resources are needed to complete your job. If you need some shared files available on the company's network, you may just simply copy these file to your laptop's hard drive or to USB stick. In case you need to work on the system installed on your company's PC you can also use some virtualization tools such as VirtualBox or VMware. Soon enough you will realize that this approach is not as convenient as you would like it to be, and that you spent more time by copying files and synchronizing virtual systems than concentrating on your work. The ideal solution in this case should allow employees to access company's local resources from an external network. This can be done by forwarding ports of the local services via firewall. Exposing local ports to the Internet is not entirely the safest approach. The more ports are exposed from your local network to an external network such as the Internet, the more vulnerable your local system will become. The ideal approach in this situation could be a use of just single port for all services coupled with encryption and user authentication. This can be achieved, for example, by using a Virtual Private Network (VPN)
.
How does VPN works
VPN networks are often operated as client-server applications. Good example could be an implementation of MS Windows PPTP or OpenVPN on the Linux Platform. VPN server is directly running on a firewall, where it creates virtual network interface and additional virtual network subnet. VPN server is waiting for connections on the external network interface of the firewall where it performs authentication of a VPN client application. After successful VPN client authentication a VPN client is given an IP address from a virtual subnet. Consequently, an encrypted tunnel is created between VPN client and VPN server, which is used for safe transfer of packets between two distant networks via the Internet. Services, which a VPN client can connect to, can furthermore be defined by firewall rules. This way firewall ensures that VPN client can connect only to services it is allowed to connect. If the previous couple sentences looked to you little difficult to understand, do not despair! Everything will become clearer once we see how encrypted tunnel works in an example.
VPN Encrypted Tunnel Fundamentals
VPN tunnels are generally considered as something mysterious and everybody who mentions them, is "cool" :-) However, there is nothing to be afraid about, in the fact principle of Virtual Private Network is very simple. Data in IP networks are exchanged in packets. Information about destination and a source of the packet can be found in the packet's header. The actual user data are carried as a payload. Let’s imagine that ssh client wants to talk to ssh server over the Virtual Private Network. Packets leaving a host's network interface located on the local network are sent with a destination port number 22. When this packet reaches a VPN tunnel it is encapsulated into the VPN packet where original packet is now treated as a payload. If the VPN server listens on the port 443, the VPN packet will carry a destination port 443. 
When looking at the previous figure it is apparent that this kind of network data transfer over the VPN is a waste of transfer rate because original packet has a smaller payload space just because it needs to fit into the VPN tunnel packet. In VPN analogical sense this can be considered as a drawback.
|
|
Read more...
|
|
Did You Know..
that you can search for files created or changed within certain number of days? For example to search for files created or changed within 20 days in /usr/bin/ directory a find linux command can be used with following options:
ISSN 1836-5930
