SSL Certificate signed by own CA

There are a lot of how-tos on the Internet explaining the setup procedure. This is mainly a copy/paste example for those in a hurry :)

How to setup your own CA

Generate a key for the CA

openssl genrsa -aes256 -out myCA.key 4096

Pick a password and remember it!

Generate a self-signed SSL certificate for the CA

openssl req -new -x509 -days 3650 -key myCA.key -out myCA.crt

How to create a new SSL certificate signed by your own CA

Generate a new key for the domain you want to secure

openssl genrsa -aes256 -out MyServerName.key 2048

Pick a password and remember it!

Create a CSR, signed with the key created in the previous step

openssl req -new -key MyServerName.key -out MyServerName.csr

Issue the SSL certificate by signing the CSR with the CA

openssl x509 -req -in MyServerName.csr -out MyServerName.crt -sha1 -CA myCA.crt -CAkey myCA.key -CAcreateserial -days 720

(Optional for Linux) Secure the key on the server

chmod 0400 *.key

To have SSL working you need to copy the following to the server side:
– MyServerName.key
– MyServerName.crt
– myCA.crt (that’s the CA certificate)

How to view a certificate

openssl x509 -in MyServerName.crt -text -noout

How to check whether a private key matches a certificate, or whether the certificate matches the certificate signing request (CSR): each command below prints the MD5 of the RSA modulus, and the three hashes are identical when key, CSR and certificate belong together

openssl x509 -noout -modulus -in MyServerName.crt | openssl md5
openssl rsa -noout -modulus -in MyServerName.key | openssl md5
openssl req -noout -modulus -in MyServerName.csr | openssl md5
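The whole procedure above, from CA key to signed server certificate together with the chain and modulus checks, as an added shell script that is not part of the original post. It assumes a POSIX shell and OpenSSL on the PATH; it signs with SHA-256 instead of the `-sha1` shown above (SHA-1 signatures are refused by current browsers and OpenSSL releases), adds a subjectAltName because modern clients ignore the CN alone, and leaves the server key unencrypted so a service can start unattended; the names and CA passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's own script): CA setup, server certificate
# issuance and the two checks from the post in one place. Names and the CA
# passphrase are constructed; the server name is passed in by the caller.
set -eu

# issue_cert <workdir> <server-name> <ca-passphrase>
issue_cert() {
    dir="$1"; name="$2"; capass="$3"
    mkdir -p "$dir"
    # CA key (AES-256 encrypted, as in the post) and self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$capass" -out "$dir/myCA.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -subj "/CN=My Private CA" \
        -key "$dir/myCA.key" -passin "pass:$capass" -out "$dir/myCA.crt"
    # Server key and CSR; the key is left unencrypted so a service can start unattended
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    # Sign the CSR with the CA: SHA-256 replaces the post's -sha1, and a
    # subjectAltName is added because browsers no longer accept the CN on its own
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 720 \
        -CA "$dir/myCA.crt" -CAkey "$dir/myCA.key" -passin "pass:$capass" \
        -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 0400 "$dir"/*.key
}

# Returns 0 when the server certificate chains to the CA certificate
verify_chain() {
    openssl verify -CAfile "$1/myCA.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Returns 0 when key, CSR and certificate share one RSA modulus (the post's md5 check)
moduli_match() {
    k=$(openssl rsa -noout -modulus -in "$1/$2.key" | openssl md5)
    r=$(openssl req -noout -modulus -in "$1/$2.csr" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$1/$2.crt" | openssl md5)
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Dump the issued certificate in readable form, as in the post
show_cert() {
    openssl x509 -in "$1/$2.crt" -text -noout
}
```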

Does anybody know a simple script that can offer the above functionality from a web interface? I have been looking around for a while now, but they are either enterprise-complex or do not work. Let me know in the comments if you have a good suggestion.

Thanks!

GNS3 1.2.1 installation on Ubuntu 14.04

As mentioned in an earlier post, GNS3 is moving ahead fast. Currently at version 1.2.1, GNS3 is looking great. Compared with the 1.0 Beta 1 which I had installed, 1.2.1 is not only more stable, but its menu is also cleaner and more compact. For example, there is now only one Preferences menu where you can adjust all your settings.

During the installation of 1.0 Beta 1 I made some notes in Evernote, and they proved very useful as the installation was pretty messy. With 1.2.1 I did the same thing, but the installation was very smooth. Still, I thought that since I had made those notes, I should share them for those interested in a quick installation. A more complete guide can be found on the GNS3 Community.

1. Download GNS3 1.2.1

Head over to http://www.gns3.com/, create an account and download the bundle archive for Linux.

If for some reason you don’t want to create an account, you may download each package individually from https://github.com/GNS3

The following lines will assume that you have the bundle archive.

2. Install Ubuntu 14.04 dependencies

$ sudo apt-get install libpcap-dev uuid-dev libelf-dev cmake
$ sudo apt-get install python3-setuptools python3-pyqt4 python3-ws4py python3-netifaces python3-zmq python3-tornado
$ sudo apt-get install unzip 

3. Unzip the bundle archive

$ unzip GNS3-1.2.1.source.zip

You should see 5 packages in GNS3-1.2.1 folder:
dynamips-0.2.14.zip
gns3-server-1.2.1.zip
gns3-gui-1.2.1.zip
iouyap-0.95.zip
vpcs-0.6.zip

4. Install Dynamips

$ unzip dynamips-0.2.14.zip
$ cd dynamips-0.2.14
$ mkdir build
$ cd build
$ cmake ..
$ make
$ sudo make install

To check that the correct version is installed:

$ dynamips | grep version

You should see 0.2.14 in the output.

5. Install GNS3 Server

$ unzip gns3-server-1.2.1.zip
$ cd gns3-server-1.2.1
$ sudo python3 setup.py install

To check if the GNS3 Server is installed correctly:

$ gns3server

If you see output other than an error, then you’re fine.

6. Install GNS3 GUI

$ unzip gns3-gui-1.2.1.zip
$ cd gns3-gui-1.2.1
$ sudo python3 setup.py install

To test if the installation is working:

$ gns3

You should see a graphical interface of GNS3 launched.

At this moment you have a working GNS3 environment if you only want to test Cisco hardware emulators. I strongly recommend continuing and installing the rest of the components as well. Who knows when you’ll need them.

7. Install IOUyap (Optional, if you will use IOU images)

$ unzip iouyap-0.95.zip
$ cd iouyap-0.95
$ make
$ sudo make install

To test the installation:

$ iouyap -h

If you encounter an error, please check the [Update 1] section at the bottom of this article.

8. Install VPCS (Optional, if you want to use VirtualPC)

$ unzip vpcs-0.6.zip
$ cd vpcs-0.6/src
$ ./mk.sh 64
$ sudo cp vpcs /usr/bin/

On the third line, the 64 stands for 64-bit, as my Ubuntu 14.04 is built for 64-bit.
The values can be:
– 32 or i386 for a 32-bit OS
– 64 or amd64 for a 64-bit OS

Please be sure to use the correct one for your OS.

To test the VPCS:

$ vpcs

You should see a Virtual PC being launched. Leave the console with letter q.

9. Install VirtualBox (Optional, if you want to launch VMs)

Download the correct version for your system from https://www.virtualbox.org/wiki/Linux_Downloads. The following lines will assume an Ubuntu 14.04 64bit OS.

$ sudo apt-get install dkms
$ sudo dpkg -i virtualbox-4.3_4.3.20-96996~Ubuntu~raring_amd64.deb

You can also use the instructions at https://www.virtualbox.org/wiki/Linux_Downloads and go for an APT installation. The choice is yours.

10. Install Qemu (Optional, if you want to use qemu images)

$ sudo apt-get install qemu

11. Install IOU (Optional, if you want to use IOU images)

I’m not a legal expert, and the usage of IOU is sort of a grey area. Because of this, I’m not going to cover this chapter.

You’re ready to go. Start the GNS3 GUI:

$ gns3
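A post-install check covering the components from steps 4 to 10, added here as example shell code that is not from the post or the GNS3 project. It assumes the default install locations the post uses; the dynamips banner line quoted in the comment is constructed from the form the tool prints.

```shell
#!/bin/sh
# Added example, not from the post: verify the GNS3 1.2.1 components built in
# steps 4-10 are on the PATH and that dynamips reports the expected version.
# Also provides the 32/64 mapping that ./mk.sh in step 8 needs.

# Map `uname -m` output to the argument ./mk.sh expects (step 8)
vpcs_arch() {
    case "$1" in
        x86_64|amd64)        echo 64 ;;
        i386|i486|i586|i686) echo 32 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Extract "0.2.14" from a banner line of the (constructed) form
# "Cisco Router Simulation Platform (version 0.2.14-amd64/Linux stable)"
dynamips_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*(version \([0-9.]*\).*/\1/p'
}

# Report each required and optional tool; return 1 if a required one is missing
# or dynamips is not the version shipped in the bundle
check_gns3_install() {
    status=0
    for tool in dynamips gns3server gns3; do
        if command -v "$tool" >/dev/null 2>&1; then echo "ok       $tool"
        else echo "MISSING  $tool"; status=1; fi
    done
    for tool in iouyap vpcs qemu-system-x86_64 VBoxManage; do
        if command -v "$tool" >/dev/null 2>&1; then echo "ok       $tool (optional)"
        else echo "absent   $tool (optional)"; fi
    done
    if command -v dynamips >/dev/null 2>&1; then
        # dynamips prints its banner when run without arguments (step 4 check)
        v=$(dynamips_version_of "$(dynamips 2>&1 | grep version)")
        [ "$v" = "0.2.14" ] || { echo "dynamips is '$v', expected 0.2.14"; status=1; }
    fi
    echo "vpcs build argument for this host: $(vpcs_arch "$(uname -m)")"
    return $status
}
```

Run `check_gns3_install` after step 10; a non-zero exit means one of the required binaries or the expected dynamips version is missing.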

Some things to check before going live:

  • check Edit > Preferences to set your desired paths (in the General section) and to check the paths for the binaries (dynamips, vpcs, iou, virtualbox…)
  • add the IOS, VirtualBox VM and IOU images
  • in the case of Cisco hardware emulators, don’t forget to find the IdlePC value (when you add the IOS image, or later when you first start a router with a certain image); otherwise your CPUs will cry.

If something does not work as described or you need help, please let me know in the comments.

[Update 1]

If you get the following error during installation of iouyap:

GNS3-1.2.2.source/iouyap-0.95 $ make
gcc -g -DDEBUG -Wall -c -o iouyap.o iouyap.c
iouyap.c:40:23: fatal error: iniparser.h: No such file or directory
 #include <iniparser.h>
                       ^
compilation terminated.
make: *** [iouyap.o] Error 1

Try installing iniparser as follows:

sudo apt-get install flex bison

then

cd /tmp
curl -L https://github.com/ndevilla/iniparser/archive/master.tar.gz | tar -xz
cd iniparser*
make

and finally build iouyap

cd /tmp
curl -L https://github.com/GNS3/iouyap/archive/master.tar.gz | tar -xz
cd iouyap*
bison -ydv netmap_parse.y
flex netmap_scan.l
gcc -Wall *.c -I /tmp/iniparser*/src -L /tmp/iniparser* -o iouyap -liniparser -lpthread
strip --strip-unneeded iouyap
sudo mv iouyap /usr/local/bin

Thanks to mweisel @ forum.gns3.net for this update!

Troubleshooting with Wireshark [Riverbed lab kit]

A while ago I attended a Wireshark webinar from Riverbed in which they presented the tool, some troubleshooting scenarios for beginner and intermediate users, and a lab kit.

Now I got an e-mail saying they have made it available for download at http://www.riverbed.com/wireshark-virtual-tour

Part of this lab kit was available in the Virtual World Tour 2014 webinar on Troubleshooting with Wireshark, held by Laura Chappell and Gerald Combs.

The kit is a free collection of Wireshark training, trace files and tips and tricks for troubleshooting your network. It contains the following:

  • Nine Network Analysis Training videos
  • Troubleshooting Checklist
  • Sample Network Analysis Report
  • Practice Trace Files
  • Laura’s Wireshark Troubleshooting Profile
  • Chapter Excerpts from Laura Chappell’s new book “Troubleshooting with Wireshark Locate the Source of Performance Problems”

If you are interested in troubleshooting with Wireshark, I think this would be a nice place to start. The presentation page of the Wireshark Virtual Tour looks a little bit like comic-style marketing, but the materials are pretty good.

Live digital threats

I wanted to bring these free tools to my blog to keep track of them, as most probably I will forget about them, and to share them with anybody interested in gathering information in the security area.

The first tool was revealed to me in a tweet from Greg Ferro:

https://twitter.com/etherealmind/status/392606499044098049

As I usually trust his words, I decided to give it a try. I can tell that this tool is very interesting. According to the explanation found on http://www.digitalattackmap.com/faq/ :

The Digital Attack Map presents data gathered and published by Arbor Networks ATLAS® global threat intelligence system. ATLAS sources its data worldwide from 270+ ISP customers who have agreed to share anonymous network traffic and attack statistics. Data is updated hourly and can also be found in Arbor’s ATLAS Threat Portal.

Below is an embedded version of this map, but it is better to access the Digital Attack Map website directly.

The second tool caught my attention from the Digital Attack Map explanation, and it’s called Arbor’s ATLAS Threat Portal.

ATLAS Threat Portal

This tool is explained as:

The ATLAS portal today is a public resource that delivers a sub-set of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation, security events, vulnerability disclosures and dynamic botnet and phishing infrastructures.

While the first tool is focused on network attacks, the second one covers more topics, such as botnets, phishing, scans and more.
You can access Arbor’s ATLAS Threat Portal here.

Packet header graphic representation

I was surfing the Internet in search of some good drawings representing packet headers and I came across five excellent diagrams, large enough (1050px wide) to use digitally but also for printing. The person behind these excellent drawings is Matt Baxter, but his site (fatpipe.org) is not accessible anymore. I found these documents on the Internet and I thought to add them here together.

You will find a link at the bottom of this post where you can download them all together.

Disclaimer: These drawings are not mine and I don’t claim any rights on them. My thanks and all copyrights go to Matt Baxter.
Matt, if you come across this blog and you find sharing to be inappropriate, please contact me.

IPv4 Header

IPv6 Header

TCP Header

UDP Header

ICMP Header

Download all drawings here:

Packet header representation