Monday, 31 January 2011

Creating server and user certificates

I went through Hell to find out how to create server and especially proper client certificates that would work correctly with all browsers, svn and https on Apache2. I went through the Apache site, OpenSSL documentation, Google; nowhere did I find exactly what I was looking for, and even the man pages had errors. I hope there's a better way to do that, but if not, here you are for all those who are looking to do the same thing:

Create a server certificate
(for use with your HTTPS server, for example):
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

Just make sure to use a password everywhere it asks for one. This seems to be necessary at least for the client certificate we'll create below if you use it on OS X.

Create the server key:
sudo openssl genrsa -out server.key 2048

Create the server's certificate request. You would send this to an official Certificate Authority (CA) if you wanted to have an official certificate instead of the self-signed certificate that we will generate here.
sudo openssl req -new -key server.key -out server.csr

Create the server certificate itself. You can use this one for your HTTPS site.
sudo openssl x509 -req -days 3652 -in server.csr -signkey server.key -out server.crt

Create a 'CA' certificate. We'll need this one to create a properly signed client certificate. Give it an explicit -days value: openssl x509 defaults to 30 days, and the client certificates we sign with it below would stop validating as soon as their issuer expired.
sudo openssl x509 -req -days 3652 -in server.csr -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey server.key -out CAserver.crt

Create a client certificate
Create the client key:
sudo openssl genrsa -out user.key 2048

Create the client's certificate request.
sudo openssl req -new -key user.key -out user.csr

Create the client certificate signed with the 'CA' certificate we created above.
sudo openssl x509 -req -days 3652 -in user.csr -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA CAserver.crt -CAkey server.key -CAcreateserial -out user.crt

Create a PKCS#12 bundle of the client certificate and its private key for use on the user's system.
sudo openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12

Just import this p12 file in your certificate manager (Keychain Access on OS X).
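As an added example (not part of the original post), here is a small sh script that runs the same openssl steps against a throwaway CA and client certificate, then checks the result the way an admin should before deploying it: the client certificate must chain to the CA, the CA must actually carry CA:TRUE, the client certificate must be marked for client authentication, and the private key must match the certificate. It writes its own v3_ca and usr_cert extension sections instead of reading /etc/ssl/openssl.cnf, uses -subj to skip the prompts, gives the CA an explicit -days so it outlives the client certificates, and assumes only the openssl CLI; the names demo-ca and demo-user are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA and client
# certificate with the same openssl steps the post uses, then check the result
# before trusting it. Needs only the openssl CLI; nothing touches /etc.

# Build server/CA key, CA cert and CA-signed client cert under directory $1.
# -subj replaces the interactive prompts; the extension sections are written
# here instead of read from /etc/ssl/openssl.cnf so the run is self-contained.
make_demo_pki() {
    dir="$1"
    cat > "$dir/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=demo-ca" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -days 3652 -in "$dir/server.csr" -extfile "$dir/ext.cnf" \
        -extensions v3_ca -signkey "$dir/server.key" -out "$dir/CAserver.crt" 2>/dev/null &&
    openssl genrsa -out "$dir/user.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/user.key" -subj "/CN=demo-user" \
        -out "$dir/user.csr" 2>/dev/null &&
    openssl x509 -req -days 3652 -in "$dir/user.csr" -extfile "$dir/ext.cnf" \
        -extensions usr_cert -CA "$dir/CAserver.crt" -CAkey "$dir/server.key" \
        -CAcreateserial -out "$dir/user.crt" 2>/dev/null
}

# Return 0 when client cert $2 chains to CA cert $1, the CA really is a CA
# (basicConstraints CA:TRUE), the client cert is marked for clientAuth, and
# private key $3 matches the certificate's public key. Otherwise return 1.
verify_client_cert() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}
```

Source the file, run make_demo_pki on a scratch directory, then run verify_client_cert on the CAserver.crt, user.crt and user.key it produced; it returns 0 only when every check passes.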

Saturday, 15 January 2011

Get rid of the startup sound of your Mac

I love Macs, but the startup sound when you open the computer, and especially the fact that you can't turn it off, just looks so 1990… and it drives me crazy. The sound comes from the internal speaker so there's nothing you can do to minimize the volume or shut it down.

My office is in the corner of our bedroom so if I decide to work after my wife is already asleep, sure thing the startup sound will wake her up.

Gladly I found this little utility that lets you control that. I now install it as one of the first add-ons on my Macs.

And it's free!

Basic iptables

Here are the basics of using iptables on your system:

Create /etc/iptables.new.rules with the following content:

(You can use sudo nano /etc/iptables.new.rules.)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Reject anything aimed at the loopback range that did not arrive on lo
# ("! -i lo" is the current iptables syntax; the older "-i ! lo" form is deprecated)
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# For SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# For SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# For HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# For HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
Add/delete ports depending on your own server setup.

Just to be on the safe side, let's back up the old rules before loading the new ones:
sudo -i
iptables-save > /etc/iptables.old.rules
iptables-restore < /etc/iptables.new.rules

Check it:
iptables -L

If all is good, put it in a file for next time the server starts:
iptables-save > /etc/iptables.up.rules

Make sure these rules will get loaded again if you reboot the server:
nano /etc/network/interfaces

Add the iptables-restore line below (the last line) to the loopback interface stanza:
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules

Important note: If you access your server remotely, make sure to keep the current session open and try your new rules by opening a new connection to your server. If you can't connect, go back to your first connection and do:
sudo iptables-restore < /etc/iptables.old.rules
You should be good until you figure out your problem.
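Added example, not from the original post: a sh/awk pre-flight check for a rules file in the iptables-restore format used above, to run before iptables-restore and without root. It flags the lockout the note above warns about, an INPUT chain whose catch-all REJECT/DROP comes before the SSH port (or any port you pass, say one you open for another service) and RELATED,ESTABLISHED are accepted. The two sample rule files it writes are constructed here; good.rules mirrors the post's ruleset.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an
# iptables-restore file such as /etc/iptables.new.rules. Catches the lockout
# the post warns about (catch-all REJECT/DROP ahead of the SSH and
# RELATED,ESTABLISHED accepts) without root or iptables: plain sh + awk.

# Return 0 if FILE's INPUT chain accepts tcp/PORT (default 22) and
# RELATED,ESTABLISHED before its first catch-all REJECT/DROP, else 1.
check_input_rules() {
    file="$1"; port="${2:-22}"
    awk -v port="$port" '
        /^\*filter/ { in_filter = 1 }
        /^COMMIT/   { in_filter = 0 }
        in_filter && /^-A INPUT/ && !catchall {
            if ($0 ~ ("--dport " port "( |$)") && /-j ACCEPT/) ok_port = 1
            if (/--state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/) ok_est = 1
            # a deny rule with no match clause (-p/-m/-i/-s/-d/!) is the catch-all
            if (/-j (REJECT|DROP)/ && !/(-p|-m|-i|-s|-d|!) /) catchall = 1
        }
        END {
            if (!catchall) msg = "no catch-all INPUT REJECT/DROP: chain is open"
            else if (!ok_port) msg = "tcp/" port " is not accepted before the catch-all"
            else if (!ok_est) msg = "RELATED,ESTABLISHED is not accepted before the catch-all"
            if (msg) { print "check_input_rules: " msg > "/dev/stderr"; exit 1 }
        }' "$file"
}

# Constructed sample rule files for the check above: good.rules mirrors the
# post's ruleset, bad.rules has the final REJECT placed above the SSH rule.
write_samples() {
    cat > "$1/good.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    cat > "$1/bad.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

Run check_input_rules on your rules file (with the port you reach the server on) before iptables-restore; a non-zero exit means the file would cut you off.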

Convert AVI to DVD on OS X

One of the beauties of OS X is that it offers a plethora of tools to do almost everything you could want. Here's another great example: by using the tools that come out of the box (or almost) with OS X you can convert an AVI movie file to a DVD to watch on your TV.

1) Open the AVI with QuickTime Player. If you can't open it, you may need additional codecs. I suggest you get Perian, which includes almost every codec you may ever need. (That's the only extra piece you'll need.)

2) From QuickTime, save the movie in .mov format.

3) Copy the .mov file to your iTunes Library. Open iTunes and just drag the files to the Library section.

4) Open iDVD, (you can create your DVD in multiple ways but here's one). Choose Magic iDVD, in the right pane, choose the Films tab, choose iTunes and select/drag the film in the left pane. Click the Burn icon on the bottom right corner. You'll probably need to adapt the Project/Properties and voilà! Pop in a blank DVD and have a good movie night.

Friday, 14 January 2011

Accessing MySQL from another server

On Debian (and possibly other OSes) the default MySQL installation will not allow connections from any IP other than the local one (127.0.0.1). This is a good security measure, but if you really need access from outside, follow these steps:

1) Make sure the port (the default MySQL port is 3306) is open in your firewall (iptables). Add the following line to your iptables rules:

-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

2) Edit /etc/mysql/my.cnf. Comment out the following line:

bind-address = 127.0.0.1

3) You’ll also need to use a login that can connect from any server.

*EDIT: You have a much more detailed walkthrough here.