Posts Tagged ‘check’

Icinga check for Linux.Fokirtor

Friday, November 15th, 2013

We were notified this morning of the specifics of the attack that struck Hetzner at the start of this year, or rather, of the backdoor software that was used to provide access to the machines. The notification does not detail what vulnerability was exploited to actually install the Trojan, but it’s still a good idea to make sure your current processes are not infected.

So we went ahead and created a check that can detect Linux.Fokirtor, based on the information provided by Hetzner and Symantec.

Check SSL certificates

Wednesday, August 24th, 2011

This post is mostly a collection of commands to check SSL certificates and make sure they are what you think they are. Especially when things do not go as expected, these commands are handy to have around. First, some definitions. We call the signed certificate cert.crt, the private key server.key, the certificate signing request cert.csr and any intermediate/chain certificates chain.pem. Substitute your own files in the commands below. It’s assumed you have all these certificates in the PEM format, for easy use with Apache’s mod_ssl.

Checking if the CSR actually contains the public key from your server key

You need to compare the modulus of the private key with that of the certificate signing request. The output of these two commands should be the same if the CSR was made with this server key.

$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate is actually created from the CSR that you created

You need to compare the modulus of both files. The output of the two commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl req -noout -modulus -in cert.csr | openssl md5

Checking if a signed certificate actually contains the public key from your server key

This should be obvious if you read the two items above. The output of both commands should be the same.

$ openssl x509 -noout -modulus -in cert.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
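The three modulus comparisons above only work for RSA keys. The script below is an added example, not code from the original post: it generalizes the same check to any key type (EC included) by hashing the public key extracted from each file. The function names pubkey_hash, same_pubkey and make_samples are invented for this example, and the sample files are generated on the fly.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# the function names are invented for this example.

# Print the SHA-256 of the DER-encoded public key held in a PEM file.
# $1 = kind of file (key, csr or crt), $2 = path
pubkey_hash() {
    # An unreadable or wrong-type file must fail, not hash empty input.
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if all kind:path arguments carry the same public key.
same_pubkey() {
    ref=
    for pair in "$@"; do
        h=$(pubkey_hash "${pair%%:*}" "${pair#*:}") || return 1
        if [ -z "$ref" ]; then ref=$h; fi
        [ "$h" = "$ref" ] || return 1
    done
}

# Constructed sample data in directory $1: an EC key with its CSR and a
# self-signed certificate, plus an unrelated RSA key that must not match.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=example.test" \
        -out "$1/cert.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/cert.csr" -signkey "$1/server.key" -days 1 \
        -out "$1/cert.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Demo run on the constructed files.
dir=$(mktemp -d) && make_samples "$dir" &&
same_pubkey "key:$dir/server.key" "csr:$dir/cert.csr" "crt:$dir/cert.crt" &&
echo "key, CSR and certificate match"
same_pubkey "key:$dir/other.key" "crt:$dir/cert.crt" ||
echo "other.key does not belong to cert.crt"
rm -rf "$dir"
```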

Checking if the chain file actually applies to the signed certificate

$ openssl verify -CAfile chain.pem -verbose cert.crt

Output the details from a certificate signing request

$ openssl req -text -in cert.csr

Output the details from a signed certificate

$ openssl x509 -text -in cert.crt