Saturday, July 2, 2011

Disable sslv2 and weak ciphers for IHS 6


The method for disabling specific SSL cipher suites varies with the web server and the underlying operating system: for Microsoft Internet Information Services (IIS) it is done by editing the Windows registry, and for Apache 2 by using mod_ssl directives.

When an SSL connection is established, the client (Web browser) and the Web server negotiate the cipher to use for the connection. The Web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

Threat:
The Secure Sockets Layer (SSL) protocol allows for secure communication between a client and a server. SSL encryption ciphers are classified by encryption key length as follows:
HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt.
Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.


Solution: Disable support for LOW encryption ciphers.
Apache: Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

IBM HTTP Server (IHS): Change the list of supported ciphers, and add SSLProtocolDisable SSLv2.

The following configuration directs the server to prefer strong 128-bit RC4 ciphers first and will provide a significant performance improvement over the default configuration. 
This configuration does not support the weaker 40-bit, 56-bit, or NULL/Plaintext ciphers that security scanners might complain about.

The order of the SSLCipherSpec directives dictates the priority of the ciphers, so we order them in a way that will cause IBM HTTP Server to prefer less CPU intensive ciphers.


We can verify the result with the SSLDigger utility.
Download link: http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx



Refer to the sample httpd.conf below (tested with IHS 6.1).

--- Sample httpd.conf: configuration starts ---
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443

<VirtualHost YourServer:443>
ServerName YourServer
DocumentRoot "D:\IBM\HTTPServer\htdocs\en_US"
SSLEnable
Keyfile "D:\IBM\HTTPServer\ssl\temp\test_cert.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000


## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the
## presence of the SSLv3 configuration above disables
## SSLv2 support.

## SSLv2 128 bit Ciphers
SSLCipherSpec SSL_RC4_128_WITH_MD5
SSLCipherSpec SSL_RC4_128_WITH_SHA

## SSLv2 168 bit 3DES cipher
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
</VirtualHost>
SSLDisable

--- httpd.conf: configuration ends ---

Once the httpd configuration is done, the result can be tested with the tool THCSSLCheck.exe.
The attached result files show the scan before the configuration change and after the remediation for IHS 6.1.



The httpd.conf file is configured correctly when only the strong ciphers are listed, so the weak SSLv2 ciphers are disabled.
The configuration below disables the SSLv2 ciphers:
<VirtualHost *:443>
    SSLEnable

    ## Set strong ciphers
    SSLCipherSpec 3A
    SSLCipherSpec 34
    SSLCipherSpec 35

</VirtualHost>
Attached is the result file after enabling the strong ciphers as mentioned above.
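As an added check (not code from the post), the following Python script audits the SSLCipherSpec lines of an IHS httpd.conf for the SSLv2 suites and the export/NULL suites discussed above, handling both the long cipher names of the first sample and the 3A/34/35 short codes of the second. The before/after snippets inside it are constructed for the demo, and the short-code mapping is an assumption taken from the IHS cipher tables.

```python
# Added example (not from the original post): audit the SSLCipherSpec lines
# of an IHS 6 httpd.conf for the SSLv2-era and export/NULL suites discussed
# above. Cipher names are the ones from the post's samples; the 3A/34/35
# short-code mapping is an assumption taken from the IHS cipher tables.

# SSLv2 suite names: listing any of them keeps SSLv2 enabled. The last one
# is not in the post; its name is assumed from the IHS tables.
SSLV2_SUITES = {"SSL_RC4_128_WITH_MD5", "SSL_RC4_128_WITH_SHA",
                "SSL_DES_192_EDE3_CBC_WITH_MD5",
                "SSL_RC4_128_EXPORT40_WITH_MD5"}
# Substrings marking 40/56-bit, export or NULL suites that scanners flag.
WEAK_MARKERS = ("_40_", "EXPORT", "NULL", "DES_64", "_56_")
# IHS short codes used in the second sample (assumed mapping).
SHORT_CODES = {"3A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
               "34": "SSL_RSA_WITH_RC4_128_SHA",
               "35": "TLS_RSA_WITH_AES_256_CBC_SHA"}


def audit(conf):
    """Return (sslv2_disabled, sslv2_suites, weak_suites, all_suites)."""
    suites, protocol_disable = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop ## comment lines
        parts = line.split()
        if not parts:
            continue
        directive, args = parts[0].lower(), [p.upper() for p in parts[1:]]
        if directive == "sslcipherspec" and args:
            suites.append(SHORT_CODES.get(args[0], args[0]))
        elif directive == "sslprotocoldisable" and "SSLV2" in args:
            protocol_disable = True
    sslv2 = [s for s in suites if s in SSLV2_SUITES]
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    # SSLv2 is off when explicitly disabled, or when an explicit cipher list
    # exists that contains no SSLv2 suite (the "exclude the SSLv2 block" way).
    disabled = protocol_disable or (bool(suites) and not sslv2)
    return disabled, sslv2, weak, suites


# Constructed before/after snippets for the demo.
BEFORE = """\
SSLEnable
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
## SSLv2 128 bit Ciphers
SSLCipherSpec SSL_RC4_128_WITH_MD5
SSLCipherSpec SSL_RC4_128_EXPORT40_WITH_MD5
"""
AFTER = """\
SSLEnable
SSLProtocolDisable SSLv2
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
"""
```

The checker applies the post's 2011 criteria only; RC4 and 3DES, which it accepts, are themselves deprecated under current guidance.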

Wednesday, May 18, 2011

IHS SSL Configurations 6.1

IHS SSL Configurations 6.1 using IBM Key Management Utility


Start the Key Management Utility.
Create a new key database with password protection, as shown in the screens below.

4 files will be created

1) test_cert.kdb
2) test_cert.crl
3) test_cert.rdb
4) test_cert.sth

Now create / generate a certificate request.

Select Personal Certificate Requests, click New, complete the request in the ikeyman utility, and obtain the server certificate from an authorized CA.

Step 1) Personal Certificate Requests (create the CSR)
Step 2) Signer Certificates (get the CSR signed by an authorized CA and import the root CA)
Step 3) Personal Certificates (import the certificate received from the CA)

Important note: all the signer certificates must exist in the key database before completing the certificate request.

httpd modifications

# Enable (load) the module below
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so


Listen 443

<VirtualHost mytestserver.com:443>
ServerName mytestserver.com
DocumentRoot "D:\IBM\HTTPServer\htdocs\en_US"
SSLEnable
Keyfile "D:\IBM\HTTPServer\ssl\temp\test_cert.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
</VirtualHost>

SSLDisable


Restart the HTTP service and check https://mytestserver.com/

Saturday, May 14, 2011

a suitable jvm could not be found. please run the program again.

Getting an error while installing the plugins for IHS 6.1.

Error description:
A suitable JVM could not be found.
Please run the program again using the option -is:javahome <Java Home Dir>


Resolution
To resolve this, start the installation with the log option shown below; the log shows that the installer is searching for the folder PREREQ.JDK:

install -is:javahome D:\IBM\WebSphere\AppServer\java -is:log testlogs.txt

The PREREQ.JDK folder is missing from the plugin directory downloaded from the site. Download the required files from the IBM WebSphere site, place them in D:\IBM\WebSphere\plugin\repository, and then start the installation again.

Plugins for IBM HTTP Server 6.1

Step-by-step installation guide for the plugins for IHS 6.1

IBM Http Server 6.1 Installation Guide

Step by step installation guide for IHS 6.1

Sunday, May 1, 2011

Apache rewrite rule for Mobile Phones

Apache rewrite rules can be used to route users to the optimized version of a site for their device.

Here is my Apache rewrite rule that I use to check whether the client is a Symbian, Android or BlackBerry phone and redirect it to the optimized version (the .htaccess file needs to be updated with the rewrite code below).

RewriteEngine On
RewriteBase /

# Desktop version: user agent is not one of the listed mobile devices
# ([NC] makes the match case-insensitive, since agents report e.g. "Android")
RewriteCond %{HTTP_USER_AGENT} !(android|avantgo|blackberry|blazer|compal|symbian) [NC]
RewriteRule ^$ http://www.mydomain.com/desktop  [L,R]

# Mobile version: user agent is one of the listed mobile devices
RewriteCond %{HTTP_USER_AGENT} (android|avantgo|blackberry|blazer|compal|symbian) [NC]
RewriteRule ^$ http://www.mydomain.com/mobile  [L]

As the URLs indicate, the desktop link is for devices that are not Symbian, Android or BlackBerry, and the mobile link is for the listed devices.

Tuesday, April 26, 2011

commands in ms sql

select @@version
select @@servername
select serverproperty('productversion')
select serverproperty('productlevel')
select serverproperty('edition')
select getdate()            -- system date
select getdate()-30         -- date 30 days ago
select * into [dbName].[dbo].[tableName_new] from [dbName].[dbo].[tableName_old]
sp_helpdb 'databaseName'
sp_spaceused                -- check the free space in the mdf or ldf file
dbcc sqlperf(logspace)      -- percentage of log space used

-- Logins, and whether they are disabled or enabled, can be viewed from the sys.sql_logins catalog view.
select * from sys.sql_logins
select name, default_database_name, create_date, modify_date, is_disabled from sys.sql_logins
-- Unlock a user account with a password reset.
alter login rajesh with password = 'abc@123456' unlock;
-- If the account is disabled:
alter login [rajesh] enable;
-- Alter a login to set its default database.
use [master]
go
alter login [rajesh] with default_database=[testdb],
default_language=[us_english],
check_expiration=off,
check_policy=on
go
-- Change the owner of the database my_db_test_10 from rajesh to vijay.
use [my_db_test_10]
go
exec dbo.sp_changedbowner @loginame = N'vijay', @map = false
go
-- View the databases and schemas associated with a login (its dependencies).
sp_helplogins 'rajesh'
-- Drop the login named rajesh.
sp_droplogin 'rajesh'

Useful Commands in DB2

D:\>db2 connect to <databaseName> user db2admin using db2admin
db2 -tf <sample_sql_file.sql> -v
(The above command runs all the statements in sample_sql_file.sql against the connected database in one pass.)

table alteration
alter table tableName alter column columnName set data type VARCHAR(500)

Database export / import
db2move databaseName export -p db2admin -u db2admin

Database configuration Modification Command
db2 update db cfg for databaseName using LOGFILSIZ 5000

Catalog/Uncatalog
db2 catalog database TestDB as TstDB
db2 uncatalog database TstDB

Saturday, April 16, 2011

Call External Program from Database using Triggers

This is certainly possible. In MS SQL Server you can call xp_cmdshell, which invokes an external program, or use sp_oacreate and sp_oamethod, which let you manipulate COM objects. In Oracle we can use loadjava with functions. I think there are some limitations with MySQL; if somebody knows, please let me know.

It has been noted elsewhere that calling an external program from a trigger is not a good idea and is not recommended. A trigger holds open a transaction in your database. Any delay in releasing that transaction, or any failure to release it, can block other processes. Also, if your external program accesses the database in any way, there is the possibility of causing an undetectable deadlock.

It is better to poll the database to see whether the change has happened and then invoke your code as required. That way transaction performance is unaffected.

I would suggest creating a temp table and a trigger on the master table that dumps the changes to the temp table; then poll the temp table from an external Java program or anything else. This way the performance of the existing transactions on the master table is not impacted.
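The staging-table pattern suggested above, as an added example in Python that is not part of the original post. SQLite stands in for SQL Server so it runs offline; the orders/order_changes table names and columns are assumptions chosen for the demo.

```python
# Added example (not from the original post): a trigger dumps changes from
# the master table into a staging table, and an external program polls the
# staging table. SQLite stands in for SQL Server so the demo runs offline;
# table and column names are assumptions chosen for the demo.
import sqlite3

SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT NOT NULL);
-- Staging table: only the trigger writes here; the poller never touches orders.
CREATE TABLE order_changes (
    change_id INTEGER PRIMARY KEY AUTOINCREMENT,
    order_id  INTEGER NOT NULL,
    op        TEXT NOT NULL,
    processed INTEGER NOT NULL DEFAULT 0
);
CREATE TRIGGER orders_ins AFTER INSERT ON orders BEGIN
    INSERT INTO order_changes(order_id, op) VALUES (NEW.id, 'INSERT');
END;
CREATE TRIGGER orders_upd AFTER UPDATE ON orders BEGIN
    INSERT INTO order_changes(order_id, op) VALUES (NEW.id, 'UPDATE');
END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def poll_changes(conn, batch=100):
    """One polling pass of the external program: read a batch of unprocessed
    rows, mark them processed in a short transaction of its own, and return
    them. The trigger's transaction on orders is never held open while the
    external work runs, which is the point of the pattern."""
    with conn:  # commits on success, rolls back on error
        rows = conn.execute(
            "SELECT change_id, order_id, op FROM order_changes "
            "WHERE processed = 0 ORDER BY change_id LIMIT ?", (batch,)
        ).fetchall()
        conn.executemany(
            "UPDATE order_changes SET processed = 1 WHERE change_id = ?",
            [(r[0],) for r in rows],
        )
    return [(order_id, op) for _, order_id, op in rows]


def demo():
    conn = open_db()
    with conn:  # constructed activity on the master table
        conn.execute("INSERT INTO orders(id, status) VALUES (1, 'new')")
        conn.execute("INSERT INTO orders(id, status) VALUES (2, 'new')")
        conn.execute("UPDATE orders SET status = 'paid' WHERE id = 1")
    first = poll_changes(conn)   # the three queued changes
    second = poll_changes(conn)  # empty: everything was marked processed
    return first, second
```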

Calling Java Methods in Oracle Database

With the loadjava utility we can call Java methods from the Oracle database.

public class Hello
{
  public static String world()
  {
    return "Hello world";
  }
}
Save the file as Hello.java and compile it with the standard Java compiler (it is better to compile it with Oracle's own compiler).

If the class is not loaded successfully, calling the function gives this error:
ORA-29541: Class MYTEST.Hello could not be resolved.

Try Loading the class on the server using the loadjava tool. You must specify the user name and password. Run the loadjava tool as follows.

D:\oracle\ora92\jdk\bin>
loadjava -resolve -verbose -user mytestuser/mytestpasswd "Hello.class"

arguments: '-resolve' '-verbose' '-user' 'mytestuser/mytestpasswd' 'Hello.class'
creating : class Hello
loading  : class Hello
resolving: class Hello

The above output shows that the class was loaded successfully.

In SQL*Plus, connect to the database and define a top-level call specification for Hello.world() as follows:

SQL> CREATE OR REPLACE FUNCTION helloworld RETURN VARCHAR2 AS LANGUAGE JAVA NAME 'Hello.world () return java.lang.String';
     /
Function created

Call the stored procedure, as follows:

SQL> VARIABLE myString VARCHAR2(20);
SQL> CALL helloworld() INTO :myString;
Call completed.
SQL> PRINT myString

MYSTRING
---------------------------------------
Hello world

Sunday, April 3, 2011

TableSpace Check in Oracle

select file_name, bytes, autoextensible, maxbytes from dba_data_files;

SELECT tablespace_name FROM dba_tablespaces;

SELECT file_name, tablespace_name, bytes, blocks, autoextensible, increment_by FROM dba_data_files;

SELECT file_name, tablespace_name, bytes, blocks, autoextensible, increment_by FROM dba_temp_files;

SELECT tablespace_name, status FROM dba_tablespaces;

SELECT dd.tablespace_name tablespace_name, dd.file_name file_name, dd.bytes/1024 TABLESPACE_KB, SUM(fs.bytes)/1024 KBYTES_FREE, MAX(fs.bytes)/1024 NEXT_FREE
FROM sys.dba_free_space fs, sys.dba_data_files dd
WHERE dd.tablespace_name = fs.tablespace_name
AND dd.file_id = fs.file_id
GROUP BY dd.tablespace_name, dd.file_name, dd.bytes/1024
ORDER BY dd.tablespace_name, dd.file_name;

clear breaks
set linesize 132
set pagesize 60
break on tablespace_name skip 1
col tablespace_name format a15
col file_name format a50
col tablespace_kb heading 'TABLESPACE|TOTAL KB'
col kbytes_free heading 'TOTAL FREE|KBYTES'

SELECT dd.file_name file_name, dd.bytes/1024 TABLESPACE_KB, SUM(fs.bytes)/1024 KBYTES_FREE, MAX(fs.bytes)/1024 NEXT_FREE
FROM sys.dba_free_space fs, sys.dba_data_files dd
WHERE dd.tablespace_name = fs.tablespace_name
AND dd.file_id = fs.file_id
GROUP BY dd.tablespace_name, dd.file_name, dd.bytes/1024
ORDER BY dd.tablespace_name, dd.file_name;

clear breaks
set linesize 220
set pagesize 60
break on autoextensible skip 1
select tablespace_name as TablespaceName, bytes/1024/1024 as Allocated_Size_MB,
user_bytes/1024/1024 as Space_Used_MB,increment_by as Increment_By_Bytes
from dba_data_files;

For help and reference, see:
http://psoug.org/reference/tablespaces.html

Friday, April 1, 2011

Rotate Apache Tomcat std Logs using log4j

Apache Tomcat stdout logs can be rotated by file size using log4j, as shown below.

Modify log4j.properties

log4j.rootCategory=DEBUG,stdout, Sample

#### First appender writes to console
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# Pattern to output the caller's file name and line number.
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n

#### Second appender writes to a file
log4j.appender.Sample=org.apache.log4j.RollingFileAppender
log4j.appender.Sample.File=D:/ApacheSoftwareFoundation/Tomcat5.5/logs/SampleSiteLogs.txt
### Control the maximum log file size and archive old log files
### (MaxBackupIndex sets the maximum number of backup files to keep)
log4j.appender.Sample.MaxFileSize=100KB
log4j.appender.Sample.MaxBackupIndex=5
log4j.appender.Sample.layout=org.apache.log4j.PatternLayout
log4j.appender.Sample.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss,SSS} %p %t %c - %m%n

Friday, February 25, 2011

Oracle 11g DBConsole Creation

After installing Oracle 11g Database, the DBConsole can be configured manually.

Before configuring it, make sure it is not already configured: check the services list, run the command emctl dbconsole status, or open the URL https://ServerIP:1158/em or https://ServerIP:5500/em.

emca -config dbcontrol db -repos [create|recreate]
This command creates the DBConsole service. It prompts for parameters such as the hostname, ORACLE_HOME, the database name, the passwords for the SYS, SYSMAN and DBSNMP accounts, and the SMTP parameters.

Saturday, January 1, 2011

Installing PERL Script(Linux/Win) for Snort-MySQL Database Cleanup.

MySQL-Snort-Cleanup.pl is a very simple and useful Perl script for managing the cleanup of the Snort IDS database. It deletes the data from all the respective tables for the period given by its two command line arguments, StartDate and EndDate.

On Windows we need to install ActivePerl and the MySQL DB driver; once that is done we can run MySQL-Snort-Cleanup.pl to clean the database for a specific time frame. The database name, user name and password supplied to MySQL-Snort-Cleanup.pl can be modified with any text editor.

Script usage for Windows/Linux:
perl MySQL-Snort-Cleanup.pl "Start Time" "End Time"
e.g. perl MySQL-Snort-Cleanup.pl "2010-12-18 15:00:00" "2010-12-18 16:07:00"

The ActivePerl installation does not install the DB driver for MySQL by default, so it must be installed using the Perl Package Manager (PPM) as described below.

1) ActivePerl installation with the default settings on Windows (on Linux Perl is installed by default).
2) The MySQL driver can be installed on Windows using PPM as shown below.

ppm install DBD-mysql

Perl Script MySQL-Snort-Cleanup.pl

MySQL Database Exporting/Importing

We can use Perl scripts to automate MySQL database backups together with the mysqldump utility, especially for large databases.
mysqldump -u UserName -pPassword DBName | gzip > DBName.sql.gz
Once the DatabaseName.sql.gz file is complete, it can be imported into a newly created database, but the gz file needs to be decompressed first, as shown below.
gzip -d DatabaseName.sql.gz


Database restoring steps:
Create a new database
Connect to the newly created database
Import the decompressed/extracted file DatabaseName.sql using the source command
create database NewDBName;
connect NewDBName;
source D:\DatabaseName.sql


This imports the entire SQL dump file into the new database.