DPB

2012-06-27T22:56:41Z

Dburdick: Created page with "Dennis Burdick's Work page."

Dennis Burdick's Work page.

Creating server certificate

2010-07-16T17:15:01Z

Dburdick: /* Create openssl config file */

=== Create openssl config file ===

Here is an example of server.cnf

<pre>
[ req ]
default_bits = 2048
default_md = sha1
distinguished_name = req_dn
req_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=Missouri

# Locality Name (eg. city)
L=St. Louis

# Organization (eg. company)
O=IVK/VVC

# Organizational Unit Name (eg. section)
OU=VPS1 server

# Common Name (*.example.com is also possible)
CN=vps1.chepkov.com

# E-mail contact
emailAddress=root@ivk.com.au

[ cert_type ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:209.20.74.232,DNS:vps1.chepkov.com,DNS:ivk.com.au
</pre>
*Note: Using a file like this with ''subjectAltName'' is the only way to generate a request that will result in a certificate that is valid for more than one ''name''.

=== Generate server private key ===
openssl genrsa -out server.key 2048

=== Generate certificate request ===
openssl req -new -key server.key -out server.csr -config server.cnf

Now you need to send your request to a certificate authority or if you have your own, sign the request (see [[Managing_Certificate_Authority#Signing_Certificate_Request|example]])
You will get server certificate server.crt
[[Category:OpenSSL]]

Dburdick

2009-07-09T15:15:06Z

Dburdick: Created page with '=just a place for dennis to put crap= Using Squid As A Proxy'

=just a place for dennis to put crap=

[[Using Squid As A Proxy]]

Encrypt Fedora

2009-02-06T20:44:48Z

Dburdick: /* Create backup */

This article will help you to encrypt your existing Fedora 10 installation
=== Where we begin ===
We have the following disk configuration:
<pre>
# fdisk -l /dev/sda

Disk /dev/sda: 40.0 GB, 40000000000 bytes
255 heads, 63 sectors/track, 4863 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000e6cc7

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 4863 38957625 8e Linux LVM
</pre>

* '''/dev/sda1''' is our '''/boot''' partition
* '''/dev/sda2''' is physical volume for existing volume group '''vg0'''

<pre>
# cat /etc/fstab
/dev/vg0/root / ext3 noatime 1 1
/dev/vg0/tmp /tmp ext2 noatime 1 2
/dev/vg0/home /home ext3 noatime 1 2
/dev/vg0/var /var ext3 noatime 1 2
/dev/vg0/usr /usr ext3 noatime 1 2
LABEL=boot /boot ext2 noatime 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/vg0/swap swap swap defaults 0 0
</pre>

=== Install required packages ===
* dump
* plymouth-system-plugin
* cryptsetup-luks

yum install dump plymouth-system-plugin cryptsetup-luks

=== Create backup ===
Mount your external USB disk, for example, to /mnt and use dump to backup your current installation.
Make two copies, on two different disks, to be sure, '''this is the most important step'''
<pre>
dump -0 -f /mnt/root.dump /
dump -0 -f /mnt/usr.dump /usr
dump -0 -f /mnt/var.dump /var
dump -0 -f /mnt/home.dump /home
</pre>

=== Boot in rescue mode ===
Skip mounting existing installation, we are going to destroy it in the next step
* Make the existing data unrecoverable
shred -v -n 1 -z /dev/sda2

* Create new encrypted physical volume
cryptsetup --verify-passphrase luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sda2
cryptsetup --verbose luksOpen /dev/sda2 cryptpv

* recreate volume group and logical volumes
<pre>
lvm pvcreate /dev/mapper/cryptpv
lvm vgcreate -s 32M vg0 /dev/mapper/cryptpv
lvm lvcreate --size 512 --name root vg0
lvm lvcreate --size 2G --name swap vg0
lvm lvcreate --size 4G --name usr vg0
lvm lvcreate --size 1G --name var vg0
lvm lvcreate --size 1G --name home vg0
lvm lvcreate --size 256 --name tmp vg0
mke2fs -j -L root /dev/vg0/root
mkswap -L swap /dev/vg0/swap
mke2fs -j -L usr /dev/vg0/usr
mke2fs -j -L var /dev/vg0/var
mke2fs -j -L home /dev/vg0/home
mke2fs -L tmp /dev/vg0/tmp
</pre>

* remount backup and root
<pre>
mkdir /tmp/root
mkdir /tmp/mnt
mount /dev/sdb1 /tmp/mnt
mount -t ext3 /dev/vg0/root /tmp/root
</pre>

* restore root
<pre>
cd /tmp/root
restore -r -f /tmp/mnt/root.dump
rm restoresymtable
</pre>

* mount and restore remaining file systems
<pre>
mount -t ext3 -o noatime /dev/vg0/usr /tmp/root/usr
cd /tmp/root/usr
restore -r -f /tmp/mnt/usr.dump
rm restoresymtable
mount -t ext3 -o noatime /dev/vg0/var /tmp/root/var
cd /tmp/root/var
restore -r -f /tmp/mnt/var.dump
rm restoresymtable
mount -t ext3 -o noatime /dev/vg0/home /tmp/root/home
cd /tmp/root/home
restore -r -f /tmp/mnt/home.dump
rm restoresymtable
mount -t ext2 -o noatime /dev/vg0/tmp /tmp/root/tmp
chmod 1777 /tmp/root/tmp
</pre>

* unmount backup, create all device nodes for chrooted environment
<pre>
umount /tmp/mnt
cp -ax /dev/* /tmp/root/dev
mkdir /tmp/root/dev/shm
mount -t proc proc /tmp/root/proc
mount -t sysfs sysfs /tmp/root/sys
</pre>

* chroot into restored system
<pre>
chroot /tmp/root
mount -a
swapon -a
vgcfgbackup
</pre>

* recreate initrd image
cd /boot
mkinitrd -v -f `ls initrd*` `ls /lib/modules`

* force fsck check and selinux relabeling of the new system
touch /.autofsck /.autorelabel

=== You are done ===
exit
reboot

[[Category:Linux]]

File:SSHTunnel.png

2008-12-26T17:54:13Z

Dburdick:

VVCWiki - User contributions [en]

DPB

Creating server certificate

Dburdick

Encrypt Fedora

File:SSHTunnel.png