Posts Tagged ‘apache’

Check and detect Linux/CDorked.A infections

Wednesday, May 8th, 2013

We’ve been reading a lot about a Linux exploit targeting webservers and since we manage quite a lot of webservers, we’re keeping a close eye on it. We recently deployed a check for rogue Apache modules (since we mainly use Apache), but now we’ve also created a check from the code provided by ESET on their security blog describing the Linux/CDorked.A exploit. All it does is check shared memory for a segment of a specific size, but it’s still better than nothing.

As usual, the Icinga check can be found in our GitHub repository and if you’re on Debian, you can find the nagios-plugins-kumina package in our repository. This check needs to be run on the local machine, so you need to set up NRPE or SSH access from Icinga for that.

Let us know if this helps you or if we should improve on it! All kudos to ESET, since they provided the actual script (and research!) for this check.

Checking for rogue Apache modules

Wednesday, April 3rd, 2013

We’ve read a lot recently about attacks in which an attacker loads a modified module into Apache to insert iframes in outgoing data. Pretty scary, especially since nobody really seems to know how the hacks are performed. Recently, Sucuri wrote a blog article about how to check for rogue Apache modules on Debian. We’ve decided to implement this into an Icinga/Nagios check.

You can find the source for the plugin here. We also publish all our plugins via the ‘nagios-plugins-kumina’ package, provided by our apt repository.

Hope this helps!

Update: I packaged and pushed the wrong version of the script… Silly me. Fixed now!

Check SSL certificates

Wednesday, August 24th, 2011

This post is mostly a collection of commands to check SSL certificates and make sure they are what you think they are. Especially when things do not go as expected, these commands are handy to have around. First, some definitions. We call the signed certificate cert.crt, the private key server.key, the certificate signing request cert.csr and any intermediate/chain certificates chain.pem. Substitute your own file names in the commands below. It’s assumed you have all these certificates in the PEM format, for easy use with Apache’s mod_ssl.

Checking if the CSR actually contains the public key from your server key

You need to check the modulus of the private key and the certificate signing request. The output of these two commands should be the same if the CSR was made with this server key.

$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate is actually created from the CSR that you created

You need to check the modulus of both files. The output of the two commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate actually contains the public key from your server key

This should be obvious if you read the two items above. The output of both commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

Checking if the chain file actually applies to the signed certificate

$ openssl verify -CAfile chain.pem -verbose cert.crt

Output the details from a certificate signing request

$ openssl req -text -in cert.csr

Output the details from a signed certificate

$ openssl x509 -text -in cert.crt
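
The three matching checks above can be combined into one script. This is an added example, not part of the original post: it goes beyond the modulus comparison by hashing the whole public key, so it also works for non-RSA keys (the -modulus option only applies to RSA). The function names pubkey_fp and check_cert_set are made up for this example, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: confirm that a private key, a CSR and a signed certificate
# all carry the same public key. Function names are hypothetical.

# Print the SHA-256 fingerprint of the public key found in a PEM file.
# $1 = kind of file (key|csr|crt), $2 = path
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 1 ;;
    esac
    # An unreadable file must never hash to the same value as another
    # unreadable file, so refuse empty output instead of hashing it.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = server.key, $2 = cert.csr, $3 = cert.crt
# Returns 0 if all three match, 1 on a mismatch, 2 if a file cannot be parsed.
check_cert_set() {
    key_fp=$(pubkey_fp key "$1") || { echo "cannot read key: $1" >&2; return 2; }
    csr_fp=$(pubkey_fp csr "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    crt_fp=$(pubkey_fp crt "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    rc=0
    [ "$key_fp" = "$csr_fp" ] || {
        echo "MISMATCH: CSR was not made with this key" >&2; rc=1; }
    [ "$key_fp" = "$crt_fp" ] || {
        echo "MISMATCH: certificate does not belong to this key" >&2; rc=1; }
    return "$rc"
}

# Stand-alone use: ./check.sh server.key cert.csr cert.crt
if [ "$#" -eq 3 ]; then
    check_cert_set "$1" "$2" "$3" && echo "OK: key, CSR and certificate match"
fi
```

The exit codes are distinct on purpose, so a monitoring wrapper can tell a real mismatch (1) from a file it could not parse (2).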

Another job opening

Tuesday, June 7th, 2011

Kumina is again looking for a new full-time junior systems administrator per July or August 2011. Are you the person we’re looking for?

We’re looking for someone who…

  • … doesn’t quit when the going gets tough
  • … has an interest in system maintenance
  • … is comfortable with responsibility
  • … wants to go the extra mile if that results in higher quality of the end-product
  • … is versatile and wants to learn new things all the time
  • … can work with a team, but not necessarily in a team

Linux knowledge is not necessarily required, if you’re willing to learn fast. You can find info about what we do on our website. Some keywords:

We’re looking for a full-time employee starting July or August 2011. Interested? Send your resumé and an introductory letter to jobs@kumina.nl!