Oct. 9th, 2009

What is SSL & how Verisign SSL certificate works

Secure Sockets Layer (SSL): How It Works

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
3. A Certificate Authority verifies the identity of the certificate owner when it is issued.


You need SSL if...

* you have an online store or accept online orders and credit cards
* you offer a login or sign in on your site
* you process sensitive data such as address, birth date, license, or ID numbers
* you need to comply with privacy and security requirements
* you value privacy and expect others to trust you.

How Encryption Works

Imagine sending mail through the postal system in a clear envelope. Anyone with access to it can see the data. If it looks valuable, they might take it or change it. An SSL Certificate establishes a private communication channel enabling encryption of the data during transmission. Encryption scrambles the data, essentially creating an envelope for message privacy.

Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a Secure Sockets Layer handshake authenticates the server (Web site) and the client (Web browser). An encryption method is established with a unique session key and secure transmission can begin. True 128-bit SSL Certificates enable every site visitor to experience the strongest SSL encryption available to them.

How Authentication Works

Imagine receiving an envelope with no return address and a form asking for your bank account number. Every VeriSign® SSL Certificate is created for a particular server in a specific domain for a verified business entity. When the SSL handshake occurs, the browser requires authentication information from the server. By clicking the closed padlock in the browser window or certain SSL trust marks (such as the VeriSign Secured® Seal), the Web site visitor sees the authenticated organization name. In high-security browsers, the authenticated organization name is prominently displayed and the address bar turns green when an Extended Validation SSL Certificate is detected. If the information does not match or the certificate has expired, the browser displays an error message or warning.


Why Authentication Matters

Like a passport or a driver’s license, an SSL Certificate is issued by a trusted source, known as the Certificate Authority (CA). Many CAs simply verify the domain name and issue the certificate. VeriSign verifies the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, a higher standard of authentication.

VeriSign Extended Validation (EV) SSL Certificates meet the highest standard in the Internet security industry for Web site authentication as required by CA/Browser Forum. EV SSL Certificates give high-security Web browsers information to clearly display a Web site’s organizational identity. The high-security Web browser’s address bar turns green and reveals the name of the organization that owns the SSL Certificate and the SSL Certificate Authority that issued it. Because VeriSign is the most recognized name in online security, VeriSign SSL Certificates with Extended Validation will give Web site visitors an easy and reliable way to establish trust online.

Oct. 8th, 2009

Join ASCL group (only ASCL students)



Jul. 11th, 2009

Compiling Apache, MySQL and PHP

# Compile and configure MySQL

First, download MySQL from the following link. Here we use MySQL 4.1.22, a stable version.
Link: http://linux.softpedia.com/get/Database/Database-Servers/MySQL-2323.shtml


After downloading it, copy it to /usr/local/src/. You may copy it to any convenient location you want; I have copied it here.

First, we create the group and user that "owns" MySQL. For security purposes, we don't want MySQL running as root on the system. To be able to easily identify MySQL processes in top or a ps list, we'll make a user and group named mysql:


groupadd mysql
useradd -g mysql -c "MySQL Server" mysql

If you get any messages about the group or user already existing, that's fine. The goal is just to make sure we have them on the system.
The useradd command creates a user mysql in the group mysql with the "name" of MySQL Server. This way, when it is shown in various user and process watching apps, you'll be able to tell what it is right away.


Now follow the steps below to compile MySQL.

1) Go to the source directory: cd /usr/local/src/mysql-4.1.22

2) chown -R root:root *

This changes the ownership of all files to root.

3) make clean

This deletes the old .config and Makefile, which removes the old configuration template.

4) ./configure --prefix=/usr/local/mysql --localstatedir=/usr/local/mysql/data \
           --disable-maintainer-mode --with-mysqld-user=mysql --with-unix-socket-path=/tmp/mysql.sock \
           --without-comment --without-debug --without-bench

Wait until this completes successfully, then proceed.

5) make && make install

This gives both the make and make install commands at once. make install runs only if make completes successfully.

6) make test

This is an additional step and takes some time to complete. Once it is done, the installation process is complete.

# Configuring MySQL

MySQL is "installed" but we have a few more steps until it's actually "done" and ready to start. First run the script which actually sets up MySQL's internal database (named mysql). 

1) ./scripts/mysql_install_db 

Then we want to set the proper ownership for the MySQL directories and data files, so that only MySQL (and root) can do anything with them.

2) chown -R root:mysql /usr/local/mysql

3) chown -R mysql:mysql /usr/local/mysql/data    

Copy the default configuration file for the expected size of the database (small, medium, large, huge)

cp support-files/my-medium.cnf /etc/my.cnf
chown root:sys /etc/my.cnf
chmod 644 /etc/my.cnf

If you get an error message about the data directory not existing, etc., something went wrong in the mysql_install_db step above. Go back and review that; make sure you didn't get some sort of error message when you ran it, etc.

Now we have to tell the system where to find some of the dynamic libraries that MySQL will need to run. We use dynamic libraries instead of static to keep the memory usage of the MySQL program itself to a minimum.

echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
ldconfig

Now create a startup script, which enables MySQL auto-start each time your server is rebooted.


cp ./support-files/mysql.server /etc/rc.d/init.d/mysql
chmod +x /etc/rc.d/init.d/mysql
chkconfig --add mysql
/sbin/chkconfig --level 3 mysql on

Then set up symlinks for all the MySQL binaries, so they can be run from anyplace without having to include/specify long paths, etc.


cd /usr/local/mysql/bin
for file in *; do ln -s "/usr/local/mysql/bin/$file" "/usr/bin/$file"; done

Now everything is done. Just start MySQL.

/etc/init.d/mysql start

Then connect to the database with the command below:

bash:# mysql

mysql> show databases;

This should show the output below.

mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| test     |
+----------+
2 rows in set (0.01 sec)

Try creating a test database.

mysql> create database foo;
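
chown changes owners but not mode bits, so the goal stated above ("only MySQL (and root) can do anything with them") also depends on permissions. The following is an added example, not part of the original post, that checks both for an install laid out as above; the function names and finding labels are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: audit what the chown steps left
# behind. Function names and the finding labels are illustrative.

# scan_mysql_tree BASEDIR DATADIR TREE_OWNER RUN_USER RUN_GROUP
# Prints one "LABEL path" line per finding.
scan_mysql_tree() {
    base=$1; data=$2; tree_owner=$3; run_user=$4; run_group=$5

    # Program tree (everything except DATADIR) should be TREE_OWNER:RUN_GROUP,
    # so the server account cannot replace its own binaries.
    find "$base" -path "$data" -prune -o \
        \( ! -user "$tree_owner" -o ! -group "$run_group" \) -print |
        sed 's/^/OWNER /'

    # DATADIR and everything in it should be RUN_USER:RUN_GROUP.
    find "$data" \( ! -user "$run_user" -o ! -group "$run_group" \) -print |
        sed 's/^/OWNER /'

    # chown leaves mode bits alone: a world-writable entry stays writable by
    # every local account no matter who owns it.
    find "$base" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

    # Table files hold the data itself; flag those that other users can read.
    find "$data" -type f -perm -0004 -print | sed 's/^/WORLD-READABLE /'
}

# audit_mysql_tree: same arguments; returns 0 when clean, 1 with findings printed.
audit_mysql_tree() {
    report=$(scan_mysql_tree "$@")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# With the paths and accounts used in this post:
# audit_mysql_tree /usr/local/mysql /usr/local/mysql/data root mysql mysql
```
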


MySQL is now installed and configured on the server. Now let's move on to compiling Apache and PHP.

# Compiling Apache

Download/unpack the Apache2 source from the Apache httpd server website, http://httpd.apache.org/
Go to the Apache source directory; for me it is /usr/local/src/httpd-2.0.40

1) make clean (to delete the old template .config file and Makefile)

./configure --prefix=/usr/local/apache --enable-so --enable-cgi    --enable-info --enable-rewrite \
            --enable-spelling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic

Make Apache from the just-created Makefile:


    make

 If make is successful, install Apache as root:

    make install

Apache is now installed on your server. Start it to verify that everything went correctly.

/usr/local/apache/bin/apachectl -k start

Check the Apache processes.

ps -ef | grep httpd


Now we have MySQL and Apache installed and configured on the server. All that remains is to compile PHP with Apache.

# Compiling PHP with Apache and MySQL

Download/unpack PHP source from the PHP website, http://www.php.net/
Pick the latest from the 4.x series or 5.x series.
The compilation procedure is the same as above. Go to the PHP directory, here it is /usr/local/src/php-version


make clean

./configure --with-apxs2=/usr/local/apache/bin/apxs --with-mysql --prefix=/usr/local/apache/php \
            --enable-force-cgi-redirect --disable-cgi --with-zlib --with-gettext --with-gdbm
          
You only need the --with-apxs2 and --prefix options. --with-mysql adds MySQL support (you need to specify the directory if it's in an unusual location, e.g., --with-mysql=/usr/local), --with-config-file-path moves the php.ini file location, and --disable-cgi disables the CGI version, which is not needed if you use Apache modules. It also enables and installs the command line interface (CLI) version. --with-zlib allows use of gzip-type compression, --with-gettext is for internationalization, and --with-gdbm allows access to GDBM databases. For more information, type ./configure --help and see the "Installation" chapter in the PHP Manual, http://www.php.net/docs.php

 Make PHP from the just-created Makefile:

    make

 If make is successful, type this as root to install PHP:

    make install

If you are not root (I do not perform makes while root, for security and safety reasons), become root and type the following:


    make install-su

If file /usr/local/apache/modules/libphp5.so does not exist or is an older version, type this (change this to libphp4.so for PHP 4):


    cp -p .libs/libphp5.so /usr/local/apache/modules

Install the php.ini file:


    cp -p php.ini-recommended /usr/local/apache/php/php.ini

Make sure these directives are in /usr/local/apache/conf/httpd.conf (if already there, verify they are correct):


    # Make sure there's only **1** line for each of these 2 directives:
    # Use for PHP 4.x:
    #LoadModule php4_module        modules/libphp4.so
    #AddHandler php-script   php

    # Use for PHP 5.x:
    LoadModule php5_module        modules/libphp5.so
    AddHandler php5-script php

    # Add index.php to your DirectoryIndex line:
    DirectoryIndex index.html index.php

    AddType text/html       php

    # PHP Syntax Coloring
    # (optional but useful for reading PHP source for debugging):
    AddType application/x-httpd-php-source phps

 You're now ready to try it out. Start Apache (httpd) as root:

    /usr/local/apache/bin/apachectl start

 Perform these sanity checks to verify your install went OK:


    $ /usr/local/apache/bin/httpd -t
    Syntax OK

    $ /usr/local/apache/bin/httpd -v
    Server version: Apache/2.2.2
    Server built:   May 29 2006 12:40:55


    $ /usr/local/apache/bin/httpd -V
    Server version: Apache/2.2.2
    Server built:   May 29 2006 12:40:55
    Server's Module Magic Number: 20051115:2
    Server loaded:  APR 1.2.7, APR-Util 1.2.7
    Compiled using: APR 1.2.7, APR-Util 1.2.7
    Architecture:   32-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT="/usr/local/apache"
     -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
     -D DEFAULT_PIDLOG="logs/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="logs/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"

    $ /usr/local/apache/bin/httpd -S
    VirtualHost configuration:
    . . .

    $ /usr/local/apache/bin/httpd -l
    Compiled in modules:
      core.c
      . . .
      mod_so.c

    $ /usr/local/apache/bin/httpd -M
    Loaded Modules:
    . . .
     php5_module (shared)
    Syntax OK

    (the above works for Apache 2.2.x and higher only)

    $ ps -ef |grep httpd
    root     24069     1  0 09:17 ?        00:00:08 /usr/local/apache/bin/httpd -k s
    apache   29917 24069  0 15:30 ?        00:00:00 /usr/local/apache/bin/httpd -k s
    . .

Access your webserver with telnet. Type HEAD / HTTP/1.0 followed by a blank line:

    $ telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Mon, 29 May 2006 23:28:18 GMT
    Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
    X-Powered-By: PHP/5.1.4
    Last-Modified: Wed, 15 Mar 2006 06:53:17 GMT
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=ISO-8859-1
    Content-Language: en
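
The response above tells every client the exact Apache, mod_ssl, OpenSSL and PHP versions in use. The following is an added example, not part of the original post, that pulls those product/version tokens out of a response and pairs each with the Apache or PHP setting that suppresses it; the function names are illustrative and the hardened sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# version_disclosure: read one HTTP response (status line + headers) on stdin
# and print every product/version token found in Server and X-Powered-By,
# followed by the setting that suppresses it (tab-separated).
version_disclosure() {
    tr -d '\r' | awk '
        /^$/ { exit }                       # blank line ends the header block
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "server")            fix = "httpd.conf: ServerTokens Prod"
            else if (name == "x-powered-by") fix = "php.ini: expose_php = Off"
            else next
            n = split(value, tok, " ")
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^[A-Za-z_-]+\/[0-9]/)   # e.g. Apache/2.2.2
                    printf "%s\t%s\t%s\n", name, tok[i], fix
        }'
}

# Response headers copied from the telnet session in this post.
page_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 29 May 2006 23:28:18 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Last-Modified: Wed, 15 Mar 2006 06:53:17 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
EOF
}

# Constructed sample: the same server after both settings are applied.
hardened_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
EOF
}

# page_headers | version_disclosure       -> five findings
# hardened_headers | version_disclosure   -> no output
```

Any saved response from your own server can be piped into version_disclosure in place of the embedded samples.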

Access your webserver with your favorite browser. The following is a good test page to use for PHP. Only the one line containing phpinfo() is needed to display PHP configuration information. Name the file anything you want, but it must end with .php, such as phpinfo.php, and move the file to your web server content directory (for me /usr/local/apache/htdocs), with read permission set:

    <html>
    <head>
        <title>PHP Test</title>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    </head>
    <body>
        <h1>PHP Test</h1>
        <p>
        <b>An Example of PHP in Action</b><br />
            <?php echo "The Current Date and Time is: <br>";
                echo date("g:i A l, F j Y.");?>
        </p>

        <h2>PHP Information</h2>
        <p>
            <?php phpinfo(); ?>
        </p>
    </body>
    </html>


Jun. 9th, 2009

An A-Z Index of the Bash command line for Linux


a
  alias    Create an alias
  apropos  Search Help manual pages (man -k)
  apt-get  Search for and install software packages (Debian)
  aspell   Spell Checker
  awk      Find and Replace text, database sort/validate/index
b
  bash     GNU Bourne-Again SHell 
  bc       Arbitrary precision calculator language 
  bg       Send to background
  break    Exit from a loop
  builtin  Run a shell builtin
  bzip2    Compress or decompress named file(s)
c
  cal      Display a calendar
  case     Conditionally perform a command
  cat      Display the contents of a file
  cd       Change Directory
  cfdisk   Partition table manipulator for Linux
  chgrp    Change group ownership
  chmod    Change access permissions
  chown    Change file owner and group
  chroot   Run a command with a different root directory
  chkconfig System services (runlevel)
  cksum    Print CRC checksum and byte counts
  clear    Clear terminal screen
  cmp      Compare two files
  comm     Compare two sorted files line by line
  command  Run a command - ignoring shell functions
  continue Resume the next iteration of a loop
  cp       Copy one or more files to another location
  cron     Daemon to execute scheduled commands
  crontab  Schedule a command to run at a later time
  csplit   Split a file into context-determined pieces
  cut      Divide a file into several parts
d
  date     Display or change the date & time
  dc       Desk Calculator
  dd       Convert and copy a file, write disk headers, boot records
  ddrescue Data recovery tool
  declare  Declare variables and give them attributes
  df       Display free disk space
  diff     Display the differences between two files
  diff3    Show differences among three files
  dig      DNS lookup
  dir      Briefly list directory contents
  dircolors Colour setup for `ls'
  dirname  Convert a full pathname to just a path
  dirs     Display list of remembered directories
  dmesg    Print kernel & driver messages 
  du       Estimate file space usage
e
  echo     Display message on screen
  egrep    Search file(s) for lines that match an extended expression
  eject    Eject removable media
  enable   Enable and disable builtin shell commands
  env      Environment variables
  ethtool  Ethernet card settings
  eval     Evaluate several commands/arguments
  exec     Execute a command
  exit     Exit the shell
  expect   Automate arbitrary applications accessed over a terminal
  expand   Convert tabs to spaces
  export   Set an environment variable
  expr     Evaluate expressions
f
  false    Do nothing, unsuccessfully
  fdformat Low-level format a floppy disk
  fdisk    Partition table manipulator for Linux
  fg       Send job to foreground 
  fgrep    Search file(s) for lines that match a fixed string
  file     Determine file type
  find     Search for files that meet a desired criteria
  fmt      Reformat paragraph text
  fold     Wrap text to fit a specified width.
  for      Expand words, and execute commands
  format   Format disks or tapes
  free     Display memory usage
  fsck     File system consistency check and repair
  ftp      File Transfer Protocol
  function Define Function Macros
  fuser    Identify/kill the process that is accessing a file
g
  gawk     Find and Replace text within file(s)
  getopts  Parse positional parameters
  grep     Search file(s) for lines that match a given pattern
  groups   Print group names a user is in
  gzip     Compress or decompress named file(s)
h
  hash     Remember the full pathname of a name argument
  head     Output the first part of file(s)
  history  Command History
  hostname Print or set system name
i
  id       Print user and group id's
  if       Conditionally perform a command
  ifconfig Configure a network interface
  ifdown   Stop a network interface 
  ifup     Start a network interface up
  import   Capture an X server screen and save the image to file
  install  Copy files and set attributes
j
  join     Join lines on a common field
k
  kill     Stop a process from running
  killall  Kill processes by name
l
  less     Display output one screen at a time
  let      Perform arithmetic on shell variables
  ln       Make links between files
  local    Create variables
  locate   Find files
  logname  Print current login name
  logout   Exit a login shell
  look     Display lines beginning with a given string
  lpc      Line printer control program
  lpr      Off line print
  lprint   Print a file
  lprintd  Abort a print job
  lprintq  List the print queue
  lprm     Remove jobs from the print queue
  ls       List information about file(s)
  lsof     List open files
m
  make     Recompile a group of programs
  man      Help manual
  mkdir    Create new folder(s)
  mkfifo   Make FIFOs (named pipes)
  mkisofs  Create an hybrid ISO9660/JOLIET/HFS filesystem
  mknod    Make block or character special files
  more     Display output one screen at a time
  mount    Mount a file system
  mtools   Manipulate MS-DOS files
  mv       Move or rename files or directories
  mmv      Mass Move and rename (files)
n
  netstat  Networking information
  nice     Set the priority of a command or job
  nl       Number lines and write files
  nohup    Run a command immune to hangups
  nslookup Query Internet name servers interactively
o
  open     Open a file in its default application
  op       Operator access 
p
  passwd   Modify a user password
  paste    Merge lines of files
  pathchk  Check file name portability
  ping     Test a network connection
  pkill    Stop processes from running
  popd     Restore the previous value of the current directory
  pr       Prepare files for printing
  printcap Printer capability database
  printenv Print environment variables
  printf   Format and print data
  ps       Process status
  pushd    Save and then change the current directory
  pwd      Print Working Directory
q
  quota    Display disk usage and limits
  quotacheck Scan a file system for disk usage
  quotactl Set disk quotas
r
  ram      ram disk device
  rcp      Copy files between two machines
  read     read a line from standard input
  readonly Mark variables/functions as readonly
  reboot   Reboot the system
  renice   Alter priority of running processes 
  remsync  Synchronize remote files via email
  return   Exit a shell function
  rev      Reverse lines of a file
  rm       Remove files
  rmdir    Remove folder(s)
  rsync    Remote file copy (Synchronize file trees)
s
  screen   Multiplex terminal, run remote shells via ssh
  scp      Secure copy (remote file copy)
  sdiff    Merge two files interactively
  sed      Stream Editor
  select   Accept keyboard input
  seq      Print numeric sequences
  set      Manipulate shell variables and functions
  sftp     Secure File Transfer Program
  shift    Shift positional parameters
  shopt    Shell Options
  shutdown Shutdown or restart linux
  sleep    Delay for a specified time
  slocate  Find files
  sort     Sort text files
  source   Run commands from a file `.'
  split    Split a file into fixed-size pieces
  ssh      Secure Shell client (remote login program)
  strace   Trace system calls and signals
  su       Substitute user identity
  sudo     Execute a command as another user
  sum      Print a checksum for a file
  symlink  Make a new name for a file
  sync     Synchronize data on disk with memory
t
  tail     Output the last part of files
  tar      Tape ARchiver
  tee      Redirect output to multiple files
  test     Evaluate a conditional expression
  time     Measure Program running time
  times    User and system times
  touch    Change file timestamps
  top      List processes running on the system
  traceroute Trace Route to Host
  trap     Run a command when a signal is set(bourne)
  tr       Translate, squeeze, and/or delete characters
  true     Do nothing, successfully
  tsort    Topological sort
  tty      Print filename of terminal on stdin
  type     Describe a command
u
  ulimit   Limit user resources
  umask    Users file creation mask
  umount   Unmount a device
  unalias  Remove an alias
  uname    Print system information
  unexpand Convert spaces to tabs
  uniq     Uniquify files
  units    Convert units from one scale to another
  unset    Remove variable or function names
  unshar   Unpack shell archive scripts
  until    Execute commands (until error)
  useradd  Create new user account
  usermod  Modify user account
  users    List users currently logged in
  uuencode Encode a binary file 
  uudecode Decode a file created by uuencode
v
  v        Verbosely list directory contents (`ls -l -b')
  vdir     Verbosely list directory contents (`ls -l -b')
  vi       Text Editor
  vmstat   Report virtual memory statistics
w
  watch    Execute/display a program periodically
  wc       Print byte, word, and line counts
  whereis  Report all known instances of a command    
  which    Locate a program file in the user's path. 
  while    Execute commands
  who      Print all usernames currently logged in
  whoami   Print the current user id and name (`id -un')
  Wget     Retrieve web pages or files via HTTP, HTTPS or FTP
  write    Send a message to another user 
x
  xargs    Execute utility, passing constructed argument list(s)
y
  yes      Print a string until interrupted
  .        Run a command script in the current shell
  ###      Comment / Remark

Jun. 30th, 2008

Denial-of-service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even DNS root servers.

One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the IAB's Internet proper use policy. They also commonly constitute violations of the laws of individual nations.[1]
