Tag Archives: security

Apache2 cipher selection

This tutorial explains how to configure Apache2's cipher selection. It improves security by preferring forward-secret (PFS) cipher suites and disallowing known-insecure ones.
We start by editing the /etc/apache2/sites-available/002-ssl-www.rivy.org.conf from the previous post.

You can check the overall SSL/TLS settings of your webserver on SSL Labs, a free service from Qualys. Before applying the configuration below, the results for my webserver looked like this.

SSL Labs results before cipher selection

In the <VirtualHost> section, add the following lines. Please note that I used the settings from the fine folks at bettercrypto.org.

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # taken from https://bettercrypto.org
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
    +SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
    !ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

After saving the file and restarting Apache2, the results look better: all green. Note that this scan was done on Jan 31, 2015; newly discovered weaknesses in the selected ciphers can always change the rating later.

SSL Labs result after cipher selection
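Before running the SSL Labs scan you can check the directives locally. The following is an added example, not code from the original post or from bettercrypto.org: it pulls the SSL* directives out of a vhost block, joins the backslash-continued SSLCipherSuite the way Apache's config reader does, expands the cipher string through the OpenSSL build that Python's ssl module is linked against, and reports SSLv3 left enabled, a missing SSLHonorCipherOrder, non-forward-secret suites ranked above forward-secret ones, and RC4/DES/MD5/NULL suites. WEAK_VHOST is a constructed sample; HARDENED_VHOST is the post's configuration verbatim. The resolved suite list reflects the local OpenSSL build and security level, which need not match the Apache host.

```python
"""Offline audit of an Apache vhost's TLS directives (added example).

SSLCipherSuite is expanded through the OpenSSL build that Python's ssl module
is linked against, so the resolved suite list reflects that build and its
security level, not necessarily the one Apache on the target box uses."""
import re
import ssl

PFS_KX = {"kx-ecdhe", "kx-dhe"}  # ephemeral key exchange => forward secrecy

# Constructed sample: SSLv3 still allowed, client picks the suite, RSA key
# exchange listed first.
WEAK_VHOST = r"""<VirtualHost *:443>
    SSLEngine On
    SSLProtocol all
    SSLCipherSuite AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
"""

# The bettercrypto.org directives exactly as given in the post.
HARDENED_VHOST = r"""<VirtualHost *:443>
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
# taken from https://bettercrypto.org
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
    +SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
    !ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
</VirtualHost>
"""


def parse_ssl_directives(vhost_text):
    """Map SSL* directive -> value. Lines ending in a backslash are joined
    with the next one, as Apache's config reader does; other lines are ignored."""
    lines, pending = [], ""
    for raw in vhost_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    found = {}
    for line in lines:
        m = re.match(r"(SSL\w+)\s+(.+)", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("'\"")
    return found


def expand_cipher_string(cipher_string):
    """Resolve an OpenSSL cipher string into the suites it enables, in the
    order a server honouring its own preference would use them. TLS 1.3
    suites are configured separately in OpenSSL and are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(suites):
    """Findings for an expanded suite list (an empty list means clean)."""
    findings = []
    pfs = [i for i, c in enumerate(suites) if c["kea"] in PFS_KX]
    non_pfs = [i for i, c in enumerate(suites) if c["kea"] not in PFS_KX]
    if not pfs:
        findings.append("no forward-secret (ECDHE/DHE) suite enabled")
    elif non_pfs and min(non_pfs) < max(pfs):
        findings.append("non-forward-secret suite ranked above a forward-secret one")
    for c in suites:
        sym = (c["symmetric"] or "").lower()
        if "rc4" in sym or "des" in sym or "null" in sym:
            findings.append(f"weak cipher enabled: {c['name']}")
        elif (c["digest"] or "") == "md5" or c["auth"] == "auth-null" or c["strength_bits"] < 128:
            findings.append(f"weak suite enabled: {c['name']}")
    return findings


def audit_vhost(vhost_text):
    """Findings for the whole vhost: protocol versions, ordering, suites."""
    d = parse_ssl_directives(vhost_text)
    findings = []
    proto = d.get("SSLProtocol", "all").split()  # Apache's default is "all"
    if ("all" in proto and "-SSLv3" not in proto) or "SSLv3" in proto or "+SSLv3" in proto:
        findings.append("SSLProtocol leaves SSLv3 enabled")
    if "SSLv2" in proto or "+SSLv2" in proto:
        findings.append("SSLProtocol explicitly enables SSLv2")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on, so the client's preference wins")
    if "SSLCipherSuite" in d:
        try:
            findings += audit_cipher_list(expand_cipher_string(d["SSLCipherSuite"]))
        except ssl.SSLError:
            findings.append("SSLCipherSuite matches no suite in this OpenSSL build")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit_vhost(text) or ["clean"])
```

Run it as a script to see both verdicts, or feed `audit_vhost()` the text of your own 002-ssl-www.rivy.org.conf. The ordering check matters because SSLHonorCipherOrder only helps when the forward-secret suites are actually listed first.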

Migrate from http to https

This howto explains how you can easily migrate from http to https. This guide is written for Apache 2.4. It has been tested on Ubuntu 14.04.

Plaintext http vhost

Normally you start with a site config similar to this one. The Order/allow/deny lines are Apache 2.2 syntax; on 2.4 they only work because Ubuntu enables mod_access_compat by default, and the native equivalents are Require all denied and Require all granted.

<VirtualHost *:80>
   ServerName www.rivy.org
   ServerAdmin webmaster@rivy.org
   DocumentRoot /var/www/www.rivy.org/
   <Directory />
      Options FollowSymLinks
      AllowOverride None
      deny from all
   </Directory>
   <Directory /var/www/www.rivy.org/>
      Options FollowSymLinks MultiViews
      AllowOverride All
      Order allow,deny
      allow from all
   </Directory>
</VirtualHost>

Encrypted https vhost

Now let’s create an extra site configuration for the https website. Usually, the available sites are kept in /etc/apache2/sites-available.

# cp /etc/apache2/sites-available/001-www.rivy.org.conf /etc/apache2/sites-available/002-ssl-www.rivy.org.conf

Now edit the config for the new SSL-enabled site. I assume that you already have the certificate (crt) and key file available; adjust the paths as necessary, and keep the key file readable by root only, since Apache reads it at startup before dropping privileges. SSLCertificateChainFile is right for the Apache 2.4.7 shipped with Ubuntu 14.04; from Apache 2.4.8 on it is deprecated and the intermediate certificates can simply be appended to the file named in SSLCertificateFile.

<VirtualHost *:443>
   ServerName www.rivy.org
   ServerAdmin webmaster@rivy.org
   SSLEngine On
   SSLCertificateFile /path/to/www.rivy.org.crt
   SSLCertificateKeyFile /path/to/www.rivy.org.key
   SSLCertificateChainFile /etc/certs/chain.crt

   DocumentRoot /var/www/www.rivy.org/
   <Directory />
      Options FollowSymLinks
      AllowOverride None
      deny from all
   </Directory>
   <Directory /var/www/www.rivy.org/>
      Options FollowSymLinks MultiViews
      AllowOverride All
      Order allow,deny
      allow from all
   </Directory>
</VirtualHost>

After saving the file, enable mod_ssl (not enabled by default on Ubuntu) and the new site, then restart Apache2.

# a2enmod ssl
# a2ensite 002-ssl-www.rivy.org
# service apache2 restart

Make sure that none of these commands returns an error. You should now be able to open the https-enabled website in any browser.

https://www.rivy.org

Send all visitors to secure version

It’s probably a good idea to send all your visitors to the secure version of your website. This can be done transparently and without impact on the users: mod_alias appends the rest of the requested path and the query string to the target, so bookmarks and incoming hyperlinks keep working. Edit the 001-www.rivy.org.conf file like this.

<VirtualHost *:80>
   ServerName www.rivy.org
   ServerAdmin webmaster@rivy.org
   Redirect 301 / https://www.rivy.org/
</VirtualHost>

This creates a permanent (301) redirect to the secure version of your site. After saving and reloading or restarting Apache2 (see previous steps) you can visit the http:// version of your site and you’ll be redirected automatically to the secure version.
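As an added example that is not part of the original post, here is an offline check that the redirect does what the text promises. check_redirect() compares a response against the https twin of the request URL (same host, same path and query, status 301; a 302 is flagged because the vhost above configures a permanent redirect); probe() issues one HEAD request without following redirects, for use against a live server; SAMPLE_RESPONSES is constructed to mimic what mod_alias returns for the vhost above, with two deliberately wrong entries.

```python
"""Verify that plain-http URLs redirect permanently to their https twin,
with path and query string preserved (added example)."""
import http.client
from urllib.parse import urlsplit, urlunsplit


def https_twin(http_url):
    """The Location a site-wide `Redirect 301 / https://host/` must produce:
    same host, same path and query, scheme switched to https."""
    p = urlsplit(http_url)
    return urlunsplit(("https", p.netloc, p.path or "/", p.query, ""))


def check_redirect(http_url, status, location):
    """Judge one response to a plain-http request. Returns (ok, reason)."""
    if status != 301:
        return False, f"expected 301 (permanent), got {status}"
    if not location:
        return False, "redirect without Location header"
    expected = https_twin(http_url)
    if location != expected:
        return False, f"Location {location!r} differs from expected {expected!r}"
    return True, "ok"


def probe(http_url, timeout=5):
    """HEAD the URL once, without following the redirect, and return
    (status, Location). This is the only function that touches the network."""
    p = urlsplit(http_url)
    conn = http.client.HTTPConnection(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", urlunsplit(("", "", p.path or "/", p.query, "")))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def run_checks(urls, fetch=probe):
    """Return [(url, ok, reason), ...]; `fetch` can be swapped for a stub."""
    return [(u, *check_redirect(u, *fetch(u))) for u in urls]


# Constructed responses, modelled on what mod_alias produces for the vhost
# above (it appends the remaining path and the query string to the target).
# The last two are deliberately wrong.
SAMPLE_RESPONSES = {
    "http://www.rivy.org/": (301, "https://www.rivy.org/"),
    "http://www.rivy.org/blog/?p=42": (301, "https://www.rivy.org/blog/?p=42"),
    "http://www.rivy.org/old": (302, "https://www.rivy.org/old"),   # temporary
    "http://www.rivy.org/x": (301, "https://rivy.org/x"),           # host changed
}

if __name__ == "__main__":
    for url, ok, reason in run_checks(SAMPLE_RESPONSES, fetch=SAMPLE_RESPONSES.get):
        print("PASS" if ok else "FAIL", url, reason)
    # Against a live server (needs network): run_checks(["http://www.rivy.org/"])
```

Run it after the restart with your own list of deep links; any FAIL means a bookmark or inbound link would land somewhere other than its secure twin.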

Installing Snorby

This guide will help you install Snorby on a freshly installed Ubuntu 12.04 LTS server. We’ll be using the latest version from the Git repository.

Install required dependencies

Snorby depends on a number of libraries and tools; install them before installing Snorby itself.

# apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
# gem install rails
# gem update

Install snorby

We fetch the latest version of Snorby from its Git repository, over https so the clone cannot be tampered with in transit.

# git clone https://github.com/Snorby/snorby.git

Once Snorby is downloaded, install its Ruby gem dependencies with Bundler.

# cd snorby && bundle install

Create 2 config files

You have to create two files in the config/ directory. The first is called database.yml and has the following contents.

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

# Each environment pulls in the shared block above with the YAML merge key.
# "production" is the environment that "rails server -e production" uses.
development:
  database: snorby
  <<: *snorby

production:
  database: snorby
  <<: *snorby

The second file is snorby_config.yml.

production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'snorby@yourdomain.com'  # can be changed 
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database

Create database account

Before proceeding, create a database user that can connect from the Snorby machine to your MySQL server, create a new database, and grant that user full rights on that database only. Both the user and the database should be called “snorby”, and the password must be the same as the one used in “database.yml”.

Run the setup program for Snorby

This command finalizes the installation of Snorby on your system.

# bundle exec rake snorby:setup

Final step : run Snorby

This command starts Snorby in the foreground, without detaching from the console. It’s a good idea to use this the first time so you can see any errors it reports. The built-in Rails server speaks plain http (ssl: false above) and listens on all interfaces by default; add -b 127.0.0.1 if the machine is reachable from the network.

bundle exec rails server -e production

If you didn’t get any errors, you should be able to reach your Snorby installation at the following URL. This assumes you are running Snorby and your web browser on the same machine; adapt as necessary.

http://localhost:3000

The default login is ‘snorby@snorby.org’ with password ‘snorby’; change it right after the first login, since every Snorby install ships with the same pair. You’ll notice that the database is still empty: you need a tool like Barnyard2 to feed events from Snort into the Snorby database.

Configuring Barnyard2 event feed

This assumes you’ve installed Barnyard2 as described in this post. Add the following line to your /etc/snort/barnyard2.conf config file.

output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

Adapt the password and the host if necessary; they must match the database name, user and password used in database.yml. Both files hold the database password in clear text, so keep them readable only by the accounts that run barnyard2 and Snorby.
After restarting barnyard2, events will start to show up in the GUI.

Snorby Screenshot