Quick tip: VMware vSphere and USB, use xHCI

For a project i had to move quite a lot of data, which is used as an initial seed for replication, to a second location. The best device i could find quickly was a 1TB USB disk. OK, fine…

Copied all the data to the disk on my client and shipped the disk to the second location. There it was attached to a vSphere host directly. Never used USB device on a vSphere host directly before, but knew that it works.

So i added a “EHCI+UHCI” controller to the VM and attached the USB disk. Fine… Well… Not that fine. A transfer rate of 5-6MB/s isn’t fine at all. Even for a cheap USB disk.

Stopped the copy process, removed the device and controller from the VM and added an xHCI controller instead of the “EHCI+UHCI”. And now, 30MB/s. Much better!

Always use a xHCI USB controller if you have to attach a USB device to a VM which needs performance.

Posted in VMware | Tagged , , , , , , , , | Leave a comment

Quick tip: Download all pdf files on a website

After RedHat Enterprise Linux 7 was released this week, which has a bunch of very cool features by the way, I wanted to download all the new documentations as PDF to put them on my iPad.

But right-click each of the 30 links and click “save as” definitely wasn’t the way to go. Administrators are lazy guys…

URL of the documentation page: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/

NOTE: Little disadvantage on this particular page:
The URL contains the links to the documentations of all RHEL versions, from 2.1 to 7, but only shows the version which is selected on the left. Luckily, it starts to download the files from top to bottom, and RHEL 7 links are on the top. I just watched the downloaded files and hit Ctrl+C as soon all documents i need have been downloaded.

Using “wget”, this is a simple task:

wget -e robots=off -np -nd -A ".pdf" -r -l1 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/

Options used:

  • -e robots=off (Ignore robots.txt because some pages want to deny fetching the whole page)
  • -np (Don’t follow links to parent pages)
  • -nd (Save all files in the current directory instead of creating the whole hierarchy)
  • -A “.pdf” (Only download files with PDF extension)
  • -r (Recursive)
  • -l1 (Follow links one level)
Posted in Bash, CentOS, Linux, Mac, Quick tip | Tagged , | Leave a comment

Quick tip: Flush OS X Mavericks plist file cache

My finding of the day while I did a clean install on my MacBook Pro:
In OS X Mavericks, Apple started to cache plist files, which results in replacing a plist file manually has no effect until the cache is reloaded automatically. If you open the application which uses this plist file to early, it overwrites your copied file with the old/cached one.

Now you can reload the plist file manually:

defaults read [bundle identifier]
# f.ex. for Jitsi
defaults read org.jitsi.plist
# Full path works too
defaults read /Users/username/Library/Preferences/org.jitsi.plist

Or delete the cached one (Not tested myself!):

defaults delete org.jitsi.plist
Posted in Mac, Quick tip | Tagged , , , , , | 1 Comment

Increase SSL and TLS security on nginx and Apache by enabling PFS and HSTS

SSL Labs A+ Rating

The default configuration of SSL is fine on most Linux distributions (you will get an A-Rating at SSL Labs), but still could be done a lot better and more secure.

Goals we want to achieve:

  • Enable Perfect Forward Secrecy (PFS)
  • Enable HTTP Strict Transport Security (HSTS)
  • Disable SSLv2 and SSLv3
  • PCI compliant
  • FIPS-ready (optional)
  • Don’t break IE…

NOTE: the configuration below will break SSL/TLS communication with IE6 and Java6, because it’s simply not possible to have secure communication with them. This configuration is about security and not compatibility.

nginx on CentOS 6

In the default repositories nginx in version 1.0.15 is included, which should support PFS. But, it doesn’t. Why that? It’s because nginx is static linked to an older openssl library, and therefore doesn’t support required ciphers. ECC and ECDHE ciphers are supported in OpenSSL 1.0.1c+.

But luckily, nginx has an official repository which provides more recent versions for CentOS. To add their repo and install nginx execute these commands:

wget http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
rpm -ivh nginx-release-centos-6-0.el6.ngx.noarch.rpm

yum install nginx

Apache 2.2

Unfortunately Apache 2.2 doesn’t support PFS at all. The solution is to configure nginx as a reverse proxy because it supports everything we need, it’s done quickly, and we don’t really lose much performance. PFS is supported in Apache 2.4+.

Use more secure DH key exchange

To have a more secure DH key exchange we have to generate a DH parameter file with a size of 2048 or 4096 bits (this will take some time!):

openssl dhparam -out /etc/pki/tls/private/dhparam.pem 2048
chmod 600 /etc/pki/tls/private/dhparam.pem

Configuration of nginx

Global config for all sites (/etc/nginx/nginx.conf):

http {
    # Only allow save protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Prefer server side protocols for SSLv3 and TLSv1
    ssl_prefer_server_ciphers on;

    # PCI compilant ciphers

    # FIPS ready ciphers only

    # SSL session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # For Diffie Hellman Key Exchange:
    # Create dhparam.pem: openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/pki/tls/private/dhparam.pem;

Setting for HSTS has to be done in server section or it will not work (at least in my case):

server {
    # Enable HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

Now, if you use nginx only, configure your virtual hosts as usual.
If you’re using nginx as a reverse proxy for Apache, add the following config:
Site specific configuration (f.ex. /etc/nginx/conf.d/default.conf):

server {
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

    # Set headers
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Most PHP, Python, Rails, Java App can use these headers
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header Front-End-Https on;

    # Disbale redirect
    proxy_redirect off;

    # Depending on your configuration, you may want to place the location in separate files
    location / {

A bit off topic, but you definitely want to have compression enabled:
Global config for all sites (/etc/nginx/nginx.conf):

http {
 gzip on;
 gzip_disable "msie6";
 gzip_comp_level 6;
 gzip_min_length 1100;
 gzip_buffers 16 8k;
 gzip_proxied any;
 gzip_http_version 1.1;
 gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;

What about BEAST attacks?

BEAST is a purely client-side vulnerability. When this attack became public, there was the possibility to mitigate the attack on the server side. But in the meantime all common browser have fixed it and therefore it’s not needed to mitigate it on server-side anymore. Read more about BEAST attacks.

What key size should be used?

1024 bit keys are broken. If you sill use them somewhere, replace them by bigger ones as soon as possible.
2048 bit keys are still secure and it’s the minimum key length that should be used. Should be save for some more years.
4096 bit keys are the most secure option and should be secure for many more years. But also uses more CPU and decreases performance a bit.

I personally have started to use 4094 bit keys only since last quarter of 2013, but don’t replace smaller ones until i have to replace them anyway.

Some smartcards and other devices may not support 4096 yet. You can find some further informations here.

Test your configuration

Finally you have to check if everything was configured correctly.
Test your site at SSL Labs.

Posted in Apache, CentOS, Linux, nginx, Security | Tagged , , , , , , , , | 3 Comments

Change host name of Puppet client

Here are the steps i use to change the host name of a puppet client:

On the client side stop Puppet, remove old certificates and change host name:

service puppet stop
find /var/lib/puppet/ssl -type f -print | xargs rm -v

Change the host name in /etc/sysconfig/network and /etc/hosts, then reboot the client.

Remove the old certificate on the server:

puppet cert clean hostname.domain.tld

If you’re using Foreman, change the host name there too.

Finally, initialize a manual update on the client:

puppet agent --waitforcert 60 --test

and sign the new certificate as usual:

puppet cert list
puppet cert sign hostname.domain.tld
Posted in CentOS, Linux, Puppet | Tagged , , | Leave a comment