Remove SSL certificate passphrase

A lot of people ask how they can remove the passphrase requirements from a private key so that Apache can be (re)started without the need to re-enter the key’s passphrase.

Security warning

Once you remove the passphrase requirement, the private key can be copied and used elsewhere, which raises the risk of it being abused. If you must remove the passphrase, protect the stored key file adequately: ensure that its permissions allow access only to those who need it.

Now that you have been warned about the risks, we can continue on to the options:

1) httpd has a directive you can use, SSLPassPhraseDialog.
2) You can use OpenSSL to remove the passphrase from the private key completely.

An example usage of SSLPassPhraseDialog:

SSLPassPhraseDialog exec:/path/to/script

N.B. 'SSLPassPhraseDialog' can only be used in the main server config, and must be outside of any <Directory> or <Location> blocks.

An example script (it is a shell script, not Perl):

#!/bin/sh
# httpd runs this program at startup and reads the passphrase from its standard output
echo "put the passphrase here"

After saving the passphrase script, make the file executable:

chmod +x /path/to/passphrase-script
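A safer variant of the exec script, as an added example that is not part of the original post: instead of embedding the passphrase in the script, it reads it from a file that must be owned by root and have mode 0600 or 0400, and refuses to print anything otherwise. httpd passes the vhost as servername:port and the key type as the two arguments; the secrets directory, the one-file-per-vhost naming and the SSL_PASS_OWNER_UID override are assumptions of this example.

```shell
#!/bin/sh
# Added example: passphrase provider for "SSLPassPhraseDialog exec:/path/to/script".
# httpd invokes it with two arguments, "servername:port" and the key type (e.g. RSA),
# and reads the passphrase from standard output. The passphrase lives in a separate
# file that must be owned by root (uid 0) and not readable by group or others.
# The directory and naming scheme below are assumptions of this example.
SECRETS_DIR="${SECRETS_DIR:-/etc/httpd/ssl-passphrases}"

# check_secret_perms FILE -> 0 only if FILE is a regular file, owned by the expected
# uid (0 by default, overridable via SSL_PASS_OWNER_UID) and mode 0600 or 0400
check_secret_perms() {
    f="$1"
    want_uid="${SSL_PASS_OWNER_UID:-0}"
    [ -f "$f" ] || return 1
    # "ls -ldn" prints "-rw------- 1 UID GID ..."; numeric ids avoid name lookups
    set -- $(ls -ldn "$f")
    perms="$1"
    uid="$3"
    [ "$uid" = "$want_uid" ] || return 1
    case "$perms" in
        -rw-------*|-r--------*) return 0 ;;   # trailing "." or "+" (SELinux/ACL) tolerated
        *) return 1 ;;
    esac
}

# passphrase_for SERVERPORT KEYTYPE -> prints the passphrase, or fails closed
passphrase_for() {
    # one secret per vhost: "www.example.com:443" -> www.example.com_443.pass
    name=$(printf '%s' "$1" | tr ':/' '__')
    f="$SECRETS_DIR/$name.pass"
    if ! check_secret_perms "$f"; then
        echo "refusing to release passphrase: $f missing or badly protected" >&2
        return 1
    fi
    head -n 1 "$f"
}

# httpd calls this script with the two arguments described above
if [ $# -ge 2 ]; then
    passphrase_for "$1" "$2"
fi
```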

How to strip a key with OpenSSL

With OpenSSL you can actually remove the passphrase from the SSL private key completely. This stops Apache from asking you for the passphrase every time it is started. To do this, go to the command line and type

/path/to/openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key

with the file names and paths appropriate for your environment.

[Solved] Instance Status Checks – Failed – AWS EC2 Ubuntu Redhat

1) Stop the Instance (Problem Instance)
2) Detach the Volume (Problem Volume)
3) Fire up another Instance (New Instance)
4) Attach the Problem Volume to the New Instance
5) Start the New Instance
6) Mount the Problem Volume to /ebs
sudo mount /dev/xvdf1 /ebs -t ext4
7) Edit /ebs/etc/fstab
8) Unmount the Problem Volume
sudo umount /ebs
9) Detach the Problem Volume from the New Instance
10) Stop the New Instance
11) Detach the Problem Volume from the New Instance
12) Attach the Problem Volume back to the Problem Instance
Device Name: /dev/sda1
13) Start the Problem Instance
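What to look for in step 7, as an added example that is not part of the original post: the post does not say what to change in fstab, and this example assumes the common cause of a failed status check, an fstab entry for a volume that is not attached at boot and lacks the nofail option, which stalls the boot. The functions below list such entries on the rescued volume and print a corrected copy; the /ebs mount point follows the post.

```shell
#!/bin/sh
# Added example: audit the fstab on a rescued volume mounted at /ebs (as in step 6).
# An entry for a filesystem whose device is absent at boot blocks the boot unless it
# carries the "nofail" mount option; the root filesystem and swap are left alone.

# fstab_risky_entries FILE -> prints "device mountpoint options" for each entry
# that would stall the boot if its device were missing
fstab_risky_entries() {
    awk '
    /^[[:space:]]*#/ || NF < 4 { next }          # comments and blank lines
    {
        dev = $1; mnt = $2; type = $3; opts = $4
        if (type == "swap") next                   # no block device required
        if (type ~ /^(proc|sysfs|tmpfs|devpts)$/) next
        if (mnt == "/") next                       # root must be present anyway
        if (("," opts ",") ~ /,nofail,/) next      # already safe
        print dev, mnt, opts
    }' "$1"
}

# fstab_with_nofail FILE -> prints FILE with ",nofail" appended to the options
# of every risky entry; all other lines are passed through unchanged
fstab_with_nofail() {
    awk '
    /^[[:space:]]*#/ || NF < 4 { print; next }
    {
        mnt = $2; type = $3; opts = $4
        if (type == "swap" || type ~ /^(proc|sysfs|tmpfs|devpts)$/ || mnt == "/" ||
            ("," opts ",") ~ /,nofail,/) { print; next }
        $4 = opts ",nofail"
        print
    }' "$1"
}

# Typical use on the rescue instance (keeps a backup of the original):
#   cp /ebs/etc/fstab /ebs/etc/fstab.bak
#   fstab_with_nofail /ebs/etc/fstab.bak > /ebs/etc/fstab
```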

Hope you have your instance rebooted :)

Check CPU Usage of Ubuntu Redhat Linux

The best way to get CPU usage is to read the /proc/stat file; see man 5 proc for details.

There is a useful script written by Paul Colby.

#!/bin/bash
# by Paul Colby (http://colby.id.au), no rights reserved ;)

PREV_TOTAL=0
PREV_IDLE=0

while true; do

    CPU=($(grep '^cpu ' /proc/stat)) # Get the total CPU statistics.
    unset CPU[0]                     # Discard the "cpu" prefix.
    IDLE=${CPU[4]}                   # Get the idle CPU time.

    # Calculate the total CPU time (user, nice, system and idle).
    TOTAL=0

    for VALUE in "${CPU[@]:0:4}"; do
        let "TOTAL=$TOTAL+$VALUE"
    done

    # Calculate the CPU usage since we last checked.
    let "DIFF_IDLE=$IDLE-$PREV_IDLE"
    let "DIFF_TOTAL=$TOTAL-$PREV_TOTAL"
    let "DIFF_USAGE=(1000*($DIFF_TOTAL-$DIFF_IDLE)/$DIFF_TOTAL+5)/10"
    echo -en "\rCPU: $DIFF_USAGE% \b\b"

    # Remember the total and idle CPU times for the next check.
    PREV_TOTAL="$TOTAL"
    PREV_IDLE="$IDLE"

    # Wait before checking again.
    sleep 1
done

Save it to ~/cpu_usage, add execute permission with sudo chmod +x ~/cpu_usage, and run:

~/cpu_usage

To stop the script, hit Ctrl + C
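The same calculation as an added example (not Paul Colby's script), generalised to all /proc/stat counters and written as a function that can be checked against two captured "cpu" lines; the sample lines in the comment are constructed.

```shell
#!/bin/sh
# Added example (not the script above): busy percentage from two "cpu" lines of
# /proc/stat. Fields after "cpu" are user nice system idle iowait irq softirq steal
# (guest and guest_nice are already included in user/nice, so they are skipped).
# Time the CPU spends idle or waiting for I/O counts as idle.

# cpu_busy_pct "PREV_LINE" "CUR_LINE" -> busy percentage with one decimal, e.g.
# cpu_busy_pct "cpu 100 0 100 700 50 0 0 0 0 0" "cpu 200 0 200 900 100 0 0 0 0 0"
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
    {
        total = 0
        for (i = 2; i <= 9 && i <= NF; i++) total += $i
        idle = $5 + $6
        if (NR == 1) { prev_total = total; prev_idle = idle; next }
        dt = total - prev_total
        di = idle - prev_idle
        # identical samples (or a counter reset) give 0% instead of dividing by zero
        if (dt <= 0) { print "0.0"; exit }
        printf "%.1f\n", 100 * (dt - di) / dt
    }'
}

# cpu_line -> the aggregate "cpu" line from /proc/stat (Linux only)
cpu_line() { grep '^cpu ' /proc/stat; }

# Run as "sh cpu_busy.sh sample" to print the usage once a second, like the script above.
if [ "${1:-}" = "sample" ]; then
    prev=$(cpu_line)
    while sleep 1; do
        cur=$(cpu_line)
        printf '\rCPU: %s%%  ' "$(cpu_busy_pct "$prev" "$cur")"
        prev=$cur
    done
fi
```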

Adding Timestamp Date Time while Saving a Log File from Crontab Cronjob Ubuntu Redhat Linux

This is just a quick solution to put a timestamp on each line of the output of some command on Ubuntu, Redhat or other *nix systems. It's a very simple thing; I thought I'd write it down here so it may help somebody some day.

I have a cron job running on my server. It's a high-frequency job, so I don't want to send email reports each time; I'm logging it to a file, but I want to log the timestamp of each run and of everything it writes to this file. I didn't want to change the code behind it to also print the timestamp with each write to its output, so I piped the command into a simple bash script that prepends the timestamp to each line of the output and writes the result to stdout again.

Here is the bash script; save it with sudo nano ~/timestamp.sh (and make it executable with chmod +x ~/timestamp.sh, since cron will run it directly):

#!/bin/bash
# Prefix every line read from stdin with the current date and time.
# "IFS= read -r" keeps leading whitespace and backslashes intact, and printf
# avoids the word splitting and glob expansion an unquoted "echo $x" would do.
while IFS= read -r line; do
    printf '%s %s\n' "$(date '+%d/%m/%Y %H:%M:%S')" "$line"
done

Then I edited the cron job line (crontab -e) to look like this:

* 9 * * 1-5 ~/my-cronjob-command.sh 2>&1 | ~/timestamp.sh >> /var/log/cron/my-cronjob-command.log

And you’re done!

Enjoy it.

Add Swap File on AWS EC2 Ubuntu Redhat Linux

Use the following commands to create a swap file on your system.

$ sudo dd if=/dev/zero of=/var/swapfile bs=1M count=2048

bs=1M count=2048 means it will create a 2 GB swap file; change it as per your needs. After enabling the swap we can confirm that the system has it enabled by running the "free -m" command.

To prevent the file from being world-readable, you should set up the correct permissions on the swap file:

$ sudo chown root:root /var/swapfile
$ sudo chmod 0600 /var/swapfile

Next, prepare the swap file by creating a Linux swap area on it.

$ sudo mkswap /var/swapfile

Finish up by activating the swap file.

$ sudo swapon /var/swapfile

You will then be able to see the new swap file when you view the swap summary.

$ sudo swapon -s

This file will last on the virtual private server until the machine reboots. You can ensure that the swap is permanent by adding it to the fstab file.

$ sudo nano /etc/fstab

Paste in the following line:

/var/swapfile swap swap defaults 0 0

Ubuntu comes with a default swappiness of 60, meaning that the swap file will be used fairly often once memory usage is around half of the RAM. You can check your own system's swappiness value by running:

$ cat /proc/sys/vm/swappiness

As I have 4 GB of RAM, I'd like to turn that down to 10 or 15. The swap file will then only be used when my RAM usage is around 80 or 90 percent. To change the swappiness value, open /etc/sysctl.conf as root, then change or add this line in the file:

vm.swappiness = 10

Reboot for the change to take effect.

You can also change the value while the system is running:

sysctl vm.swappiness=10

Skipping this step may cause poor performance.

You can also clear your swap by running

swapoff -a

And then

swapon -a

as root, instead of rebooting, to achieve the same effect.

Create Own Private PPTP VPN Server on AWS EC2 Ubuntu Redhat

For Ubuntu Server,

$ sudo apt-get install pptpd ufw

For 32 bit Redhat instances,

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/i386/pptpd-1.3.4-2.el6.i686.rpm
$ yum localinstall pptpd-1.3.4-2.el6.i686.rpm

For 64 bit Redhat instances,

$ wget http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.4.0-1.el6.x86_64.rpm
$ yum localinstall pptpd-1.4.0-1.el6.x86_64.rpm

If you are using ufw, allow ports 22 and 1723 and then enable UFW.
Warning: if you are connected over SSH on a port other than 22, adjust the first command accordingly so you don't get kicked off.

$ sudo ufw allow 22
$ sudo ufw allow 1723
$ sudo ufw enable

Edit “/etc/ppp/pptpd-options”
Comment out (by placing a “#” at the beginning of the line) the following lines in “/etc/ppp/pptpd-options”:

#refuse-pap
#refuse-chap
#refuse-mschap

If you don't want to require encryption, comment out "require-mppe-128" (it can be useful to disable it just for testing, but re-enable it afterwards so sessions are encrypted).

Add the following:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

*You can use any DNS servers you like, the two above are Google’s public DNS servers.

Edit “/etc/pptpd.conf”
At the end of the file “/etc/pptpd.conf”, add:

localip 172.16.0.5
remoteip 172.16.0.11-19


The localip field determines the IP address of your EC2 instance on the VPN, while remoteip field determines the IP address of connected clients. Because there may be potentially many clients connecting to this VPN, the remoteip is a range of 10 IP addresses.

In the same file, "/etc/pptpd.conf", comment out logwtmp by adding # at the beginning of the line:

#logwtmp

Edit “/etc/ppp/chap-secrets”
The format for “/etc/ppp/chap-secrets” is: [Username] [Service] [Password] [Allowed IP Address]
Add a line like this at the end (replacing sampleusername and samplepassword with your own values):

sampleusername pptpd samplepassword *
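Two sanity checks for the pptpd-options and chap-secrets edits above, as an added example that is not part of the original post or of pptpd: the first confirms that require-mppe-128 was re-enabled after testing and that an ms-dns line is present, the second flags malformed chap-secrets entries and the placeholder or very short passwords; the 12-character minimum is this example's choice.

```shell
#!/bin/sh
# Added example: sanity checks for the two files edited above before the VPN goes
# live. The checks are this example's, not part of pptpd; file paths follow the post.
#   check_pptpd_options /etc/ppp/pptpd-options
#   check_chap_secrets  /etc/ppp/chap-secrets

# option_active FILE NAME -> 0 if NAME appears on an uncommented line
option_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_pptpd_options FILE -> reports findings, returns 0 only if there are none
check_pptpd_options() {
    f="$1"; rc=0
    # require-mppe-128 is the line the post suggests disabling "just for testing"
    if ! option_active "$f" require-mppe-128; then
        echo "require-mppe-128 is commented out or missing: MPPE encryption is not required"
        rc=1
    fi
    if ! option_active "$f" ms-dns; then
        echo "no ms-dns line: clients will not receive a DNS server"
        rc=1
    fi
    return $rc
}

# check_chap_secrets FILE -> flags malformed entries and weak or placeholder passwords
# (the 12-character minimum is this example's choice, not a pptpd rule)
check_chap_secrets() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    NF != 4 { printf "line %d: expected 4 fields (user service secret ip)\n", NR; bad = 1; next }
    $3 == "samplepassword" { printf "line %d: placeholder password still in use\n", NR; bad = 1; next }
    length($3) < 12 { printf "line %d: password for %s is shorter than 12 characters\n", NR, $1; bad = 1 }
    END { exit bad }' "$1"
}
```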

Restart pptpd
Finally, restart the pptpd server with:

$ sudo /etc/init.d/pptpd restart

Edit “/etc/sysctl.conf”
Un-comment the following line in “/etc/sysctl.conf”:

net.ipv4.ip_forward=1

The following command reloads the configuration (you can also just reboot at the end of this guide):

$ sudo sysctl -p

We also need to enable the iptables NAT configuration:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To ensure the NAT rule is loaded when the machine boots, add the following command to your "/etc/rc.local":

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

OK, it's nearly finished! Start the pptpd service and set it to start automatically when the machine boots:

$ /sbin/service pptpd start
$ chkconfig pptpd on

ONE FINAL THING:
Be sure to open port 1723 in your EC2 instance's security group (PPTP also carries its tunnel traffic over GRE, IP protocol 47, which must be allowed as well), otherwise the firewall will prevent your VPN from working!