Remove SSL certificate passphrase

A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key’s passphrase.

Security warning

Once you remove the requirement for the passphrase, the certificate can be easily copied and used elsewhere, thus raising the risk of it being abused. If you must remove the passphrase then you must take adequate protection in the storage of the file. Ensure that the permissions are set to only allow access to those who need it.

Now that you have been warned about the risks, we can continue onto the options

1) httpd has a directive you can use, SSLPassPhraseDialog.
2) You can use OpenSSL to remove the passphrase from the certificate completely.

An example usage of SSLPassPhraseDialog :

SSLPassPhraseDialog exec:/path/to/script

N.B. 'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks.

Inside an example perl script:

#!/bin/sh
echo "put the passphrase here"

After saving the passphrase script, set the file executable

chmod +x /path/to/passphrase-script

How to strip a key with OpenSSL

With OpenSSL you can actually remove the passphrase from the SSL key completely. This will avoid Apache asking you to enter the passphrase every time it is started. To do this go to the command line and type

/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key

with the file names and paths appropriate for your environment.

[Solved] Instance Status Checks – Failed – AWS EC2 Ubuntu Redhat

1) Stop the Instance (Problem Instance)
2) Detach the Volume (Problem Volume)
3) Fire up another Instance (New Instance)
4) Attach the Problem Volume to the New Instance
5) Start the New Instance
6) Mount the Problem Volume to /ebs
sudo mount /dev/xvdf1 /ebs -t ext4
7) Edit /ebs/etc/fstab
8) Unmount the Problem Volume
sudo umount /ebs
9) Detach the Problem Volume from the New Instance
10) Stop the New Instance
11) Detach the Problem Volume from the New Instance
12) Attach the Problem Volume back to the Problem Instance
Device Name: /dev/sda1
13) Start the Problem Instance

Hope you have your instance rebooted 🙂

Perfect Linux Ubuntu (Apache2, PHP, MySQL) Server on AWS EC2

Firstly, change the hostname

$ sudo echo server1.example.com > /etc/hostname 
$ sudo service hostname restart

Afterwards, run

$ hostname 
$ hostname -f

Both should show server1.example.com now.

Update the apt package database.

$ sudo apt-get update

Install the latest updates (if there are any).

$ sudo apt-get upgrade

If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:

$ sudo reboot

Disable AppArmor.

$ sudo service apparmor stop 
$ sudo update-rc.d -f apparmor remove 
$ sudo apt-get remove apparmor apparmor-utils

Check Date and Time.

$ date
Wed Jul 16 22:52:47 EDT 2014

Check the Timezone.

$ cat /etc/timezone
America/New_York

To change and update Timezone.

$ sudo dpkg-reconfigure tzdata
$ sudo service cron stop && service cron start

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

$ sudo apt-get install ntp ntpdate

and your system time will always be in sync.

Run locale to list what locales currently defined for the current user account:

$ sudo locale

Then generate the missing locale:

$ sudo locale-gen "en_US" "en_US.UTF-8"

Reconfigure locales to take notice

$ sudo dpkg-reconfigure locales

For Ubuntu Server 12.04 LTS, add following lines to /etc/environment

LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8

The default settings are stored in the /etc/default/locale file.

$ sudo cat /etc/default/locale
LANG=en_US.UTF-8

This file can either be adjusted manually or updated using the tool, update-locale.

$ sudo update-locale LANG=en_US.UTF-8

Install MySQL.

$ sudo apt-get install mysql-client mysql-server

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword 
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

$ sudo nano /etc/mysql/my.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1

Then we restart MySQL:

$ sudo service mysql restart

Now check that networking is enabled. Run

$ sudo netstat -tap | grep mysql

Install Apache2, PHP5, FCGI, suExec, Pear, and mcrypt.

Apache2, PHP5, FCGI, suExec, Pear, and mcrypt can be installed as follows:

$ sudo apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp

The PHP5 mcrypt module has to be enabled manually:

$ sudo php5enmod mcrypt

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions:

$ sudo a2enmod suexec rewrite ssl actions include cgi

Next open /etc/apache2/mods-available/suphp.conf

$ sudo nano /etc/apache2/mods-available/suphp.conf

Comment out the <FilesMatch “\.ph(p3?|tml)$”> section and add the line AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml – otherwise all PHP files will be run by SuPHP:

<IfModule mod_suphp.c>
 #<FilesMatch "\.ph(p3?|tml)$">
 # SetHandler application/x-httpd-suphp
 #</FilesMatch>
 suPHP_AddHandler application/x-httpd-suphp
 AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml

<Directory />
 suPHP_Engine on
 </Directory>

# By default, disable suPHP for debian packaged web applications as files
 # are owned by root and cannot be executed by suPHP because of min_uid.

 <Directory /usr/share>
 suPHP_Engine off
 </Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
 # suPHP_ConfigPath /etc/php5/cgi/suphp/
 # # Tells mod_suphp NOT to handle requests with the type <mime-type>.
 # suPHP_RemoveHandler <mime-type>
</IfModule>

Restart Apache afterwards:

$ sudo service apache2 restart

If you want to host Ruby files with the extension .rb on your web sites created, you must comment out the line application/x-ruby rb in /etc/mime.types:

$ sudo /etc/mime.types
#application/x-ruby rb

(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

$ sudo service apache2 restart

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It’s similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.

Xcache can be installed as follows:

$ sudo apt-get install php5-xcache

Now restart Apache:

$ sudo service apache2 restart

The Perfect Ubuntu Server is now ready.

Add Swap File on AWS EC2 Ubuntu Redhat Linux

Use following commands to create swap file on your system.

$ sudo dd if=/dev/zero of=/var/swapfile bs=1M count=2048

bs=1M count=2048 means it will create 2GB of swap file, You may change as per you need. After enabling swap we can see that our system has swap enabled by running “free -m” command.

To prevent the file from being world-readable, you should set up the correct permissions on the swap file:

$ sudo chown root:root /var/swapfile
$ sudo chmod 0600 /var/swapfile

Subsequently we are going to prepare the swap file by creating a linux swap area.

$ sudo mkswap /var/swapfile

Finish up by activating the swap file.

$ sudo swapon /var/swapfile

You will then be able to see the new swap file when you view the swap summary.

$ sudo swapon -s

This file will last on the virtual private server until the machine reboots. You can ensure that the swap is permanent by adding it to the fstab file.

$ sudo nano /etc/fstab

Paste in the following line:

/var/swapfile swap swap defaults 0 0

Ubuntu system comes with a default of 60, meaning that the swap file will be used fairly often if the memory usage is around half of my RAM. You can check your own system’s swappiness value by running:

$ cat /proc/sys/vm/swappiness

As I have 4 GB of RAM, so I’d like to turn that down to 10 or 15. The swap file will then only be used when my RAM usage is around 80 or 90 percent. To change the system swappiness value, open /etc/sysctl.conf as root. Then, change or add this line to the file:

vm.swappiness = 10

Reboot for the change to take effect.

You can also change the value while your system is still running

sysctl vm.swappiness=10

Skipping this step may cause both poor performance.

You can also clear your swap by running

swapoff -a

And then

swapon -a

As root instead of rebooting to achieve the same effect.

Create Own Private PPTP VPN Server on AWS EC2 Ubuntu Redhat

For Ubuntu Server,

$ sudo apt-get install pptpd ufw

For 32 bit Redhat instances,

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
$ yum localinstall pptpd-1.3.4-2.el6.i686.rpm

For 64 bit Redhat instances,

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
$ yum localinstall pptpd-1.4.0-1.el6.x86_64.rpm

If you are using uwf, please allow Ports 22 and 1723 on UFW and Enable UFW
Warning: if you are connected to SSH on a port other than 22, please adjust the first command accordingly so you don’t get kicked off.

$ sudo ufw allow 22
$ sudo ufw allow 1723
$ sudo ufw enable

Edit “/etc/ppp/pptpd-options”
Comment out (by placing a “#” at the beginning of the line) the following lines in “/etc/ppp/pptpd-options”:

#refuse-pap
#refuse-chap
#refuse-mschap

If you don’t want to require encryption, comment out “require-mppe-128” (might be good to disable it just for testing and re-enable it later)

Add the following:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

*You can use any DNS servers you like, the two above are Google’s public DNS servers.

Edit “/etc/pptpd.conf”
At the end of the file “/etc/pptpd.conf”, add:

localip 172.16.0.5
remoteip 172.16.0.11-19

 

The localip field determines the IP address of your EC2 instance on the VPN, while remoteip field determines the IP address of connected clients. Because there may be potentially many clients connecting to this VPN, the remoteip is a range of 10 IP addresses.

Same edit “/etc/pptpd.conf”, Comment out logwtmp by adding # at the beginning of the line

#logwtmp

Edit “/etc/ppp/chap-secrets”
The format for “/etc/ppp/chap-secrets” is: [Username] [Service] [Password] [Allowed IP Address]
Add something like this to the end (replacing sampleusername and samplepassword with whatever you want):

sampleusername pptpd samplepassword *

Reboot pptpd
Finally, you can reboot the pptpd server with:

$ sudo /etc/init.d/pptpd restart

Edit “/etc/sysctl.conf”
Un-comment the following line in “/etc/sysctl.conf”:

net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):

$ sudo sysctl -p

And we also need to enable iptables NAT configuration:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To ensure the NAT configuration be loaded when the machine boots, it might be a good idea to add in your “/etc/rc.local” the command:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

OK, it’s nearly finished! You need to start the pptpd service, and set it to automatically start when the machine boots:

$ /sbin/service pptpd start
$ chkconfig pptpd on

ONE FINAL THING:
Be sure to enable port 1723 of your EC2 instance, otherwise the firewall will prevent your VPN from working!