To introduce this tip, let's sniff the HTTP traffic between a client machine and the Debian 8 server where we made the innocent mistake of logging in with the database root user's credentials in our last article: Change and Secure Default PhpMyAdmin Login URL.

As we mentioned in the previous tip, do not attempt to do this yet if you don't want to expose your credentials.

To begin sniffing traffic, we typed the following command and pressed Enter:

    # tcpdump port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --line-buffered -B20

It will not take us long to realize that the username and password have been sent over the wire in plain text, as you can see in the truncated output of tcpdump in the image below. Please note that we have hidden part of the root password with a blue mark over it:

[Image: Sniffing HTTP Traffic]

To avoid this, let's secure the login page with a certificate. To do this, install the mod_ssl package on CentOS based distributions.

    # yum install mod_ssl

Although we will use the Debian/Ubuntu path and names, the same procedure is valid for CentOS and RHEL if you replace the commands and paths below with the CentOS equivalents.

Create a directory to store the key and certificate:

    # mkdir /etc/apache2/ssl    [On Debian/Ubuntu based systems]
    # mkdir /etc/httpd/ssl      [On CentOS/RHEL based systems]

Create the key and certificate:

On Debian/Ubuntu based systems:

    # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

On CentOS/RHEL based systems:

    # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

    Writing new private key to '/etc/httpd/ssl/apache.key'
    You are about to be asked to enter information that will be incorporated
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    State or Province Name (full name) : Maharashtra
    Organization Name (eg, company) : TecMint
    Organizational Unit Name (eg, section) : TecMint
    Common Name (eg, your name or your server's hostname) : TecMint
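An added example, not part of the original article: the openssl req command from the text run non-interactively into a scratch directory, followed by checks that the key matches the certificate, that the certificate is still within its validity period, and that the unencrypted (-nodes) key is readable only by its owner. The function names, the -subj string built from the sample answers, and the host name server.example are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: function names, -subj string and host name are assumptions.

# make_cert DIR CN: the article's openssl req options, with -subj supplying
# the Distinguished Name so that no interactive prompts are needed.
make_cert() {
    mkdir -p "$1" || return 1
    (
        umask 077   # -nodes writes the key unencrypted: create it owner-only
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/ST=Maharashtra/O=TecMint/OU=TecMint/CN=$2" \
            -keyout "$1/apache.key" -out "$1/apache.crt" 2>/dev/null
    )
}

# key_matches_cert DIR: true when the certificate carries the public key
# derived from the private key (mod_ssl rejects a mismatched pair).
key_matches_cert() {
    from_crt=$(openssl x509 -in "$1/apache.crt" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$1/apache.key" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# cert_valid_for DIR SECONDS: true when the certificate will still be valid
# SECONDS from now (-checkend exits non-zero if it expires before then).
cert_valid_for() {
    openssl x509 -in "$1/apache.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# key_is_private DIR: true when group and others have no permission bits
# on the key file (columns 5-10 of the ls -l mode string).
key_is_private() {
    perms=$(ls -l "$1/apache.key" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demo in a scratch directory, so /etc/apache2/ssl is left untouched.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" "server.example" &&
    key_matches_cert "$demo_dir" &&
    cert_valid_for "$demo_dir" 86400 &&
    key_is_private "$demo_dir" &&
    echo "key and certificate check out"
rm -rf "$demo_dir"
```

The same three checks can be pointed at /etc/apache2/ssl or /etc/httpd/ssl after running the commands from the article as root.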