Sunday, May 25, 2008

MySQL Replication with SSL

Server Spec:
Box 1 : Ubuntu Hardy 8.04 server edition (Master)
Box 2 : Ubuntu Hardy 8.04 desktop edition (Slave)

Prerequisites:


Make sure your MySQL was compiled with OpenSSL support (the --with-openssl configure option). To check whether SSL support is already enabled, type this from your mysql console:

SHOW VARIABLES LIKE 'have_openssl';

The results will show you something like this:
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+

The value can be DISABLED, YES or NO. If the value is NO, your MySQL server does not support OpenSSL and you must reinstall MySQL with OpenSSL enabled. If the value is DISABLED, your MySQL server supports OpenSSL but it has not been configured yet.

Creating Keys, Certificates and other fun SSL Stuff

Create your own Certification Authority (CA)

Change to the mysql ssl directory (you may need to create it)

mkdir /etc/mysql/ssl
cd /etc/mysql/ssl/
Create your own Certification Authority (CA) if you do not already have one (e.g. for signing web or mail server certificates)
openssl req -x509 -new -days 9999 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca-cert.pem
Create a server certificate
Create the server certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem
(optional) Remove the passphrase from the key
openssl rsa -in server-key.pem -out server-key.pem

Sign this server request with the CA key to make a proper server certificate.
openssl x509 -req -days 9999 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -CAserial ca-srl.txt -in server-csr.pem -out server-cert.pem
Adjust the following lines (such as the paths) in /etc/mysql/my.cnf as necessary (note to self: the server keys go in the [mysqld] section, the client keys go in the [client] section):
[mysqld]
ssl-key=/etc/mysql/ssl/server-key.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-ca=/etc/mysql/ssl/ca-cert.pem
Create the client certificates
Create the client certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem
(OPTIONAL) Remove a passphrase from the key
openssl rsa -in client-key.pem -out client-key.pem
Sign this client request with the CA key to make a proper client certificate
openssl x509 -req -days 9999 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -CAserial ca-srl.txt -in client-csr.pem -out client-cert.pem
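The steps above are typed interactively and prompt for the subject fields each time. The script below is an added example, not part of the original post: it runs the same CA, server and client steps non-interactively with -subj, and then checks each certificate against the CA with openssl verify before anything is copied to the slave. SSL_DIR, the CN values and the scratch-directory default are assumptions of the example; set SSL_DIR to /etc/mysql/ssl for the real thing.

```shell
#!/bin/sh
# Added example (not from the original post): run the CA/server/client steps
# above non-interactively and verify each certificate against the CA before
# copying anything to the slave. Assumes openssl on PATH. SSL_DIR defaults to
# a scratch directory so this can be tried as a dry run; set SSL_DIR to
# /etc/mysql/ssl for a real deployment. The CN values are assumptions.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
DAYS=9999   # the post's value; shorter lifetimes are more common in practice

# make_signed_cert PREFIX CN: key + CSR for PREFIX, then sign the CSR with the CA
make_signed_cert() {
    prefix="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$SSL_DIR/$prefix-key.pem" -out "$SSL_DIR/$prefix-csr.pem" 2>/dev/null
    openssl x509 -req -days "$DAYS" -CA "$SSL_DIR/ca-cert.pem" -CAkey "$SSL_DIR/ca-key.pem" \
        -CAcreateserial -CAserial "$SSL_DIR/ca-srl.txt" \
        -in "$SSL_DIR/$prefix-csr.pem" -out "$SSL_DIR/$prefix-cert.pem" 2>/dev/null
    chmod 600 "$SSL_DIR/$prefix-key.pem"   # private keys must not be world-readable
}

# build_pki: self-signed CA, then a server cert for the master and a client cert for the slave
build_pki() {
    openssl req -x509 -new -days "$DAYS" -newkey rsa:2048 -nodes -subj "/CN=MySQL-Replication-CA" \
        -keyout "$SSL_DIR/ca-key.pem" -out "$SSL_DIR/ca-cert.pem" 2>/dev/null
    chmod 600 "$SSL_DIR/ca-key.pem"
    make_signed_cert server mysql-master
    make_signed_cert client mysql-slave
}

# verify_cert PREFIX: returns 0 only if PREFIX-cert.pem chains to ca-cert.pem
verify_cert() {
    openssl verify -CAfile "$SSL_DIR/ca-cert.pem" "$SSL_DIR/$1-cert.pem" >/dev/null 2>&1
}

build_pki
verify_cert server && verify_cert client \
    && echo "server and client certificates verify against $SSL_DIR/ca-cert.pem"
```

Only ca-cert.pem and the per-host key and certificate need to leave this directory: the master gets server-key.pem and server-cert.pem, the slave gets client-key.pem and client-cert.pem, and ca-key.pem stays off both servers. Whatever user mysqld runs as must be able to read its key, so chown the copied files to it rather than loosening the mode.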
Copy the client files client-key.pem, client-cert.pem and ca-cert.pem to /etc/mysql/ssl on the slave machine and adjust its /etc/mysql/my.cnf. The master_ssl options are read by the slave's mysqld (they configure its connection to the master), so they go in the [mysqld] section:
[mysqld]
master_ssl = 1
master_ssl_capath = /etc/mysql/ssl/
master_ssl_ca = /etc/mysql/ssl/ca-cert.pem
master_ssl_key = /etc/mysql/ssl/client-key.pem
master_ssl_cert = /etc/mysql/ssl/client-cert.pem

If you ever need to swap slave/master
Configure SSL Login User
Example:
mysql> grant replication slave on *.* to 'replicate'@'%' identified by 'password' require SSL;
mysql> flush privileges;

Replication Settings in my.cnf
Master ([mysqld] section):
server-id = 1
log-bin = /var/log/mysql/mysql-bin.log
Slave ([mysqld] section):
server-id = 2
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
# This is an example; you can list other databases to exclude from replication here.
replicate-ignore-db = mysql
# master-host takes either a hostname or an IP address
master-host = 10.0.0.1
master-port = 3306
# must match the user created with GRANT ... REQUIRE SSL above
master-user = replicate
master-password = password
master-connect-retry = 60
Before you restart the mysql service, back up all data on the master and load it onto the slave.
After you have dumped all data from the master to the slave, restart both servers to reload the new settings (my.cnf).
root# /etc/init.d/mysql restart
ISSUES:
In Ubuntu Hardy, AppArmor prevents MySQL from running over SSL. You must change the AppArmor profile or stop the service before you can run MySQL replication over SSL.

How to start replication:
Master>
mysql > reset master;

Slave>
mysql> start slave;
mysql> show slave status\G
Your slave status should look like this:
mysql> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 10.0.0.1
Master_User: replicate
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000001
Read_Master_Log_Pos: 98
Relay_Log_File: mysqld-relay-bin.000001
Relay_Log_Pos: 235
Relay_Master_Log_File: mysql-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB: mysql
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 98
Relay_Log_Space: 235
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/ssl/ca-cert.pem
Master_SSL_CA_Path: /etc/mysql/ssl/
Master_SSL_Cert: /etc/mysql/ssl/client-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/ssl/client-key.pem
Seconds_Behind_Master: 0
1 row in set (0.00 sec)
Make sure these three values are Yes:
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Master_SSL_Allowed: Yes
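Checking those three fields by eye works once; for a slave you want to keep an eye on, the check below does it mechanically. It is an added example, not from the original post: it parses "show slave status\G" output saved to a file and fails when any of the three fields is not Yes. The two status files are constructed samples modelled on the output above; in use you would feed real output, e.g. mysql -e 'show slave status\G' > /tmp/slave.txt.

```shell
#!/bin/sh
# Added example, not from the original post: verify the three fields the post
# says must be Yes, reading "show slave status\G" output from a file.

# slave_field FILE KEY: print the value of one "Key: value" line from \G-style output
slave_field() {
    awk -v key="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        index(line, key ": ") == 1 { print substr(line, length(key) + 3); exit }
        line == key ":"            { print ""; exit }
    ' "$1"
}

# check_slave_status FILE: 0 only when IO thread, SQL thread and SSL are all Yes
check_slave_status() {
    rc=0
    for key in Slave_IO_Running Slave_SQL_Running Master_SSL_Allowed; do
        val="$(slave_field "$1" "$key")"
        if [ "$val" = "Yes" ]; then
            echo "ok   $key: Yes"
        else
            echo "FAIL $key: ${val:-<missing>}" >&2
            rc=1
        fi
    done
    # When the SQL thread is stopped, Last_Error usually says why.
    [ "$rc" -eq 0 ] || echo "Last_Error: $(slave_field "$1" Last_Error)" >&2
    return "$rc"
}

# Constructed samples (abridged from the output shown in the post).
GOOD_STATUS="$(mktemp)"; BAD_STATUS="$(mktemp)"
cat > "$GOOD_STATUS" <<'EOF'
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 10.0.0.1
                Master_User: replicate
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
                 Last_Error: 
         Master_SSL_Allowed: Yes
      Seconds_Behind_Master: 0
EOF
cat > "$BAD_STATUS" <<'EOF'
*************************** 1. row ***************************
           Slave_IO_Running: Yes
          Slave_SQL_Running: No
                 Last_Error: constructed sample error
         Master_SSL_Allowed: No
EOF

check_slave_status "$GOOD_STATUS"
check_slave_status "$BAD_STATUS" || echo "replication or SSL problem on this slave"
```

Master_SSL_Allowed: Yes only records that the slave was configured to request SSL. What makes the master refuse a plaintext login for that account is the REQUIRE SSL clause on the GRANT above, so keep both in place.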

Thursday, May 22, 2008

Intrusion detection system with OSSEC-HIDS and Ubuntu Hardy

This HOWTO will walk you through the very simple installation of the OSSEC-HIDS application. Before we continue, let's make sure everybody is on the same sheet of music.

1. OSSEC-HIDS is a host based intrusion detection system. It is a very flexible system that will allow you to achieve the following.
  • rootkit detection
  • file system integrity
  • log file analysis
  • time based alerting
  • active responses
Taken from the ossec-hids FAQ
"OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response"

2. This howto is based on the following assumptions
  • You are running an up to date installation of Dapper
  • You are performing a "local" installation (i.e. a single host)
3. The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HIDS, which is a very easy to follow manual. If you run into trouble please look at the manual first, as it will always have the most up to date information.

OK, now that we are all together, let's proceed. As mentioned above, this HOWTO only covers a local installation. ossec-hids can monitor multiple hosts all using the same ruleset: you install the ossec-hids server on one machine and then do an agent installation on every other machine you wish to protect. The agents communicate with the server over a secure connection. If you need this type of setup please take a look at the manual; the installation is not very different (about the only difference is the options available in your conf file). The other nice thing is that the agent portion of the application will also run on a Windows host. This allows those of you that have to and/or want to run a Windows box to secure that as well (install the server on your /flamebait/ superior /flamebait/ Linux box and the agent on your Windows box).

Now the first thing we need to do is grab the latest sources. For this HOWTO we will be installing 0.8; however, feel free to get the latest copy available from their site. We also need to install some packages so we can compile it later.
Code:
sudo apt-get install build-essential [NOT build-essentials]
cd ~
mkdir src
cd src
wget http://www.ossec.net/files/ossec-hids-1.5.tar.gz
wget http://www.ossec.net/files/ossec-hids-1.5_checksum.txt
Before we go ahead and extract this, let's make sure we got what we think we got. Verify that the checksums in the .txt file match what the commands below output. THIS IS IMPORTANT -- DON'T SKIP IT --
Code:
cat ossec-hids-1.5_checksum.txt
md5sum ossec-hids-1.5.tar.gz
sha1sum ossec-hids-1.5.tar.gz
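Comparing two 40-character strings by eye is where this step usually goes wrong. The function below is an added example, not from the original post: it computes both digests, compares them to the published values and fails closed, so extraction can be made to depend on its exit status. It assumes md5sum and sha1sum from coreutils; the stand-in file and its digests are constructed for the example, and the real values must come from the downloaded checksum file.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded tarball
# against its published MD5 and SHA1 before extracting it.
# Assumes md5sum/sha1sum (coreutils).

# digest TOOL FILE: print just the hex digest produced by TOOL
digest() { "$1" "$2" | awk '{ print $1 }'; }

# verify_download FILE EXPECTED_MD5 EXPECTED_SHA1: 0 only if both digests match
verify_download() {
    file="$1"; want_md5="$2"; want_sha1="$3"
    got_md5="$(digest md5sum "$file")"
    got_sha1="$(digest sha1sum "$file")"
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch for $file: got $got_sha1, expected $want_sha1" >&2
        return 1
    fi
    echo "checksums OK for $file"
}

# Constructed sample: a stand-in "tarball" with known digests (not the real OSSEC file).
WORK="$(mktemp -d)"
SAMPLE="$WORK/sample.tar.gz"
printf 'hello world\n' > "$SAMPLE"
SAMPLE_MD5=6f5902ac237024bdd0c176cb93063dc4
SAMPLE_SHA1=22596363b3de40b06f981fb85d82312e8c0ed511

verify_download "$SAMPLE" "$SAMPLE_MD5" "$SAMPLE_SHA1"
# A wrong SHA1 is rejected even though the MD5 still matches.
verify_download "$SAMPLE" "$SAMPLE_MD5" 0000000000000000000000000000000000000000 \
    || echo "refusing to extract $SAMPLE"
```

For the real download, chain it as verify_download ossec-hids-1.5.tar.gz "$MD5" "$SHA1" && tar -zxvf ossec-hids-1.5.tar.gz, with the two values copied from ossec-hids-1.5_checksum.txt.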
Well now, after verifying you have legit files (you did do that, didn't you?) let's extract this bugger
Code:
tar -zxvf ossec-hids-1.5.tar.gz
cd ossec-hids-1.5
Now the fun and easy part. We are going to run the installation script and let it do all the hard work. Note: here I enter a root shell for the sake of simplicity. If you don't want to do this, simply prefix the following commands with "sudo".
Code:
sudo -s
./install.sh
Go ahead and pick the language you want to read everything in and hit enter
Code:
** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalować w języku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en
Next it is going to warn us that we need a C compiler on the machine (you did install build-essential, didn't you?) and give you some general information about your computer (kernel version, user and host). Go ahead and hit enter like it says.
Code:
OSSEC HIDS 1.5 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux diana 2.6.15-25-k7
- User: root
- Host: diana


-- Press ENTER to continue or Ctrl-C to abort. --
Next select a local install
Code:
1- What kind of installation do you want (server, agent, local or help)? local  
Now choose where you want to install it. This HOWTO will choose the default
Code:
- Choose where to install the OSSEC HIDS [/var/ossec]:   
Now select your notification options. You can choose my answers or different ones. I would recommend setting "Y" to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certain things it finds on your system.
Code:
3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? youremail@yourdomain.com
- What's your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .


--- Press ENTER to continue ---
Now it will compile everything. This shouldn't take too long to complete. It only took around 1-2 minutes for my boxes. After it is completed press enter to finish.
Code:
- Unknown system. No init script added.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information bellow). ---
Now let's crank her up and make sure everything works
Code:
/etc/init.d/ossec start
If you get something like this, you should be in good shape.
Code:
Starting OSSEC HIDS v1.5 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
Now you can go on to customize the setup. Chances are you're going to want it to ignore certain directories and create your own rules. Please check out the manual for excellent instructions on doing so.

Monday, May 12, 2008

Secure your Apache Web Server with Mod-Security

This article shows how to install and configure mod_security. mod_security is an Apache module (for Apache 1 and 2) that provides intrusion detection and prevention for web applications. It aims at shielding web applications from known and unknown attacks, such as SQL injection attacks, cross-site scripting, path traversal attacks, etc.

OS: Ubuntu Dapper 6.06
Apache Version: Apache 2.0

How to install mod-security?
1. You can install from repositories
2. Download binary file from http://www.modsecurity.org and install it manually

In this session I will install mod-security from the repositories.
- Install mod-security module ( root shell )
# apt-get install libapache2-mod-security

- Enable mod-security module
# a2enmod mod-security

After finishing the mod-security installation, you will find the module in /usr/lib/apache2/modules and the /etc/apache2/mods-enabled/mod-security.load file.

Edit your httpd.conf

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/apache2/audit_log
# Debug level set to a minimum
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
</IfModule>
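Two of the directives above are easy to misjudge. SecFilterCheckURLEncoding rejects a request whose percent-encoding is malformed (a % not followed by two hex digits), and SecFilterForceByteRange rejects a request containing any byte outside the given range; since bytes only go from 0 to 255, the range 0 255 in this config rejects nothing. The shell functions below are an added illustration of what those two checks test for, written for this page and not mod_security's own code, run over constructed request strings. They show that a tighter range such as 32 126 catches a control character the 0 255 setting lets through.

```shell
#!/bin/sh
# Added illustration, not mod_security's own code: what the two input checks
# in the config above test for, run over constructed request strings.

# valid_url_encoding STRING: 0 when every '%' is followed by two hex digits,
# the condition SecFilterCheckURLEncoding enforces; 1 otherwise.
valid_url_encoding() {
    if printf '%s' "$1" | grep -Eq '%([^0-9A-Fa-f]|[0-9A-Fa-f][^0-9A-Fa-f]|$|[0-9A-Fa-f]$)'; then
        return 1
    fi
    return 0
}

# bytes_outside_range STRING LO HI: print how many bytes fall outside [LO,HI].
# SecFilterForceByteRange LO HI rejects the request when this is greater than 0.
# (A NUL byte cannot be held in a shell string, so the sample uses \001.)
bytes_outside_range() {
    printf '%s' "$1" | od -An -v -tu1 | tr -s ' ' '\n' \
        | awk -v lo="$2" -v hi="$3" 'NF && ($1 < lo || $1 > hi) { n++ } END { print n + 0 }'
}

# Constructed sample requests: one well-formed, two with broken encoding.
for req in '/search?q=caf%C3%A9' '/search?q=100%zz' '/search?q=100%'; do
    if valid_url_encoding "$req"; then
        echo "encoding ok:  $req"
    else
        echo "encoding BAD: $req"
    fi
done

# Constructed request carrying a control byte (0x01) in a parameter.
ctrl="$(printf '/download?name=report\001.pdf')"
echo "bytes outside 0..255:  $(bytes_outside_range "$ctrl" 0 255)"    # 0: the range in the config rejects nothing
echo "bytes outside 32..126: $(bytes_outside_range "$ctrl" 32 126)"   # 1: the control byte is caught
```

If the applications behind this server only take printable ASCII, SecFilterForceByteRange 32 126 is the setting that actually enforces it; keep 0 255 only where binary or non-ASCII request bodies are legitimate. Likewise, status:500 in SecFilterDefaultAction makes blocked requests look like server faults in the logs; 403 is the more common choice so that denials are distinguishable from real errors.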


Detailed configuration documentation can be read here