A very current topic. As SSL 3.0 is now vulnerable, I will try not to use it in this assignment. If you have not yet disabled SSL 3.0 – check my last post and see how it’s done.


  • Goal: Virtual machine works as a CA. Create a server SSL -certificate and key. Configure Apache to use SSL – encryption.
  • Two virtual machines, one works as Apache -server and the other as a normal desktop.
  • Server machine: install OpenSSL. Create a certificate on the server and authenticate it.
    • PKCS -certificate – so that th browser can recognise you as the CA. || work in progress
    • Install ssl_mod, and configure the server
  • Test that https – connection works.

Step 1. Configuring OpenSSL

After the machines have been created, we can start installing and configuring OpenSSL.
First, we need to install the shared libraries for OpenSSL, there are a lot of options, you’ll notice:

apt-cache search libssl | grep SSL

We want to install the shared libraries, so go on and install:

libssl0.9.8 - SSL shared libraries ## 0.9.8 most recent @16.10.2014

You can also run sudo apt-get install openssl – this however, does not always guarantee the wanted results.

After installation you can check the version of OpenSSL with:

openssl version


Installation is done, now let’s create the CA.

Let’s start by making some directories for the certificates following the Ubuntu community guide.

cd && mkdir -p myCA/signedcerts && mkdir myCA/private


As  the Ubuntu community guide puts it:

  • ~/myCA : contains CA certificate, certificates database, generated certificates, keys, and requests

  • ~/myCA/signedcerts : contains copies of each signed certificate

  • ~/myCA/private : contains the private key

Next, create the initial DB in the  myCA/ subdir using this command:

echo '01' > serial  && touch index.txt

And then create the conf -file:

sudo nano ~/myCA/caconfig.cnf

Since I am using a text base Ubuntu Server, copy pasting the sample configuration file from Ubuntu community guide is challenging. I will instead use SSH to access the server machine from a desktop environment, to help out with the copy pasting. In order for this to work, set the virtual machines to “bridged” connection.

Now, copy pasta the conf -file found in Ubuntu community guide to the conf file you create.
Make sure to fix the <username> -tag in two locations:
conf1 conf2
This is a little less important, change root_ca_distinguished_name stuff, into something more suitable:


Then run the following commands:

export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825

Enter PEM password and now your CA -Certificate Authority has been configured.

Step 2. Server Certificate

Similar as above, create a new conf file to you ~/myCA/ – folder.

cd ~/myCA/ 
sudo nano servercert.cnf

Then copy pasta the example .conf from  Ubuntu community guide.
Fix the distinguished names and save. Run the commands:

export OPENSSL_CONF=~/myCA/servercert.cnf
openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

Enter PEM password again. After this copy the temporary private key into an unencrypted key with this command:

openssl rsa < tempkey.pem > server_key.pem

As prompted, give it the same passphrase as given above.

Now we can SIGN the certificate!! Run these commands:

export OPENSSL_CONF=~/myCA/caconfig.cnf

And then sign the certificate with this command:

openssl ca -in tempreq.pem -out server_crt.pem

Remove the temporary certificate:

rm -f tempkey.pem && rm -f tempreq.pem

And there you have it, a signed certificate!

Step 3. Apache HTTPS Configuration

OpenSSL is now properly set up on our server machine. Next let’s conf Apache to accept out lord and savior, SSL.

This is done really easily, just run the following commands:

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart



Vulnerability in SSL 3.0 has just been detected. A vulnerability that allows a third party to hijack the user’s browser.

For now, before hotfixes are out, it is somewhat recommended not to use SSL 3.0. For Firefox download this plugin in order to manage the SSL versions:

For Google Chrome, add this line to the start up properties and set a target: " --ssl-version-min=tls1".

This site will tell you whether you are safe or not, if the site does not open you’re safe, if it does – you’re not:




Workstation specs.


  • Install LAMP on a virtual machine
  • Install WordPress to the LAMP environment, change the theme. 

I’m installing a new virtual machine for this assignment. I’m going to use Mint 17 distribution.

Step 1. Apache

Let’s start with installing Apache web server to our fresh virtual machine.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install apache2

To check if installation was successful, we can type in “localhost” to our browser’s URL field.
Seems like everything worked out.

To create a website use this path:  /home/LAMP/public_html ##replace LAMP as your computer's name

Create a file called index.html into the public_html -file.
After this you’ll need to activate the userdir -module in order for your own site to work in browser:

sudo a2enmod userdir

After this restart Apache:

sudo service apache2 restart

Some security configurations might be necessary here. Apache needs to know what to do and what not to do. For this we can look into the configuration file again.  Located in /etc/apache2/apache2.conf

In here you can see a great deal of configuration possibilities in detail. I’m not going to go thorough all them here, but one configuration that is easy to do and improves security a lot is AllowOverride None -setting. This prevents the use of .htaccess files in all directories apart from those specifically enabled.

Add the following lines to the conf -file inside the directory tags.

AllowOverride None 

One more important security improving step is to setup permission for the ServerRoot directories. The commands vary depending on where you wish to setup ServerRoot, I chose to do as the good folk at Apache do it, and set it up in /usr/ -directory. In most cases, Apache is not started by the root user, so this sort of a solution works better in real life situations.

The commands needed are listed as follows:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

This will change the permissions settings in the files.

More info on the security tips for Apache can be found here:

Step 2. MySQL

The first two are somewhat setup now from the LAMP acronym. Linux and Apache. Next comes MySQL.

sudo apt-get install mysql-server

Typing out this command will also include necessary extra packages to the installation. I recommend using this, makes your life easier.
During the installation process, the installation wizard will ask for a MySQL root password.

Creating users in MySQL is done as follows. However, as a security tip, mind the permissions here as well.
To create a user, we first need to open up the software as root.

mysql -u root -p


Creating users is done by the CREATE USER -command. The first problem here is that plain text passwords are a big no-no. As is runnign MySQL as root, but eh.
So, create a user as you wish. For testing purposes I did not encrypt the pw, just went by:


Anyway, creating databases is done with:


After this, the database has been created. In order to use it we need to grant some permissions, this is done with the following command:

GRANT ALL PRIVILEGES ON testdb.* TO juho@localhost IDENTIFIED BY ‘password';

After this, logging in with the user “juho” should be possible:

mysql -u juho -p testdb;


And SHOW DATABASES; should list our testdb.

Step 3. PHP

Install Apache PHP-plugins:

sudo apt-get install libapache2-mod-php5filter
sudo apt-get install libapache2-mod-suphp

Your index.html -file should be renamed as index.php.
After this restart Apache again. The changes should now apply.

I created a small app for demonstration purposes. Here you can see the code:

And here you can see, how it looks like in the browser:

It also works btw:

LAMP is now successfully installed. However, all of the security configurations are not online here.

ERRORS – WORK IN PROGRESS || Installing software to LAMP -environment – WordPress

DigitalOcean has a nice guide on installing WordPress on Ubuntu:

I will follow the guide here and post what I did.

First, let’s login to our MySQL -client and make a database for WordPress:

mysql -u root -p


Let’s make a new account for WordPress:

CREATE USER juhowordpress@localhost IDENTIFIED BY 'password';


Aaaand grant privileges as done already above:

GRANT ALL PRIVILEGES ON wordpress.* TO juhowordpress@localhost;

Exit the MySQL -client and proceed to the next step.

Next we need to download WordPress. What I did was follow the instructions and use these commands:

cd ~
tar xzvf latest.tar.gz

WordPress directory will be created in your home directory. The instructions recommend downloading a few packages as well. We’ve downloaded a few php- packages while installing and setting up our LAMP -environment, so you may already have these:

sudo apt-get update
sudo apt-get install php5-gd libssh2-php

Configuring WordPress for MySQL 

Next, time to configure WordPress.  I will just faithfully follow the instructions here and turn the sample file into actual conf- file.

cd ~/wordpress
cp wp-config-sample.php wp-config.php

Then, open up a text editor, and make the following changes to you conf-file.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'juhowordpress');

/** MySQL database password */
define('DB_PASSWORD', 'password');

That should do it, next step!

Copying files to Document Root

Again, following the instructions. Transfer files for /wordpress/ to the /var/www/html/ using rsync.

sudo rsync -avP ~/wordpress/ /var/www/html/

Now if we navigate to the /html/ folder, we can see that the WordPress stuff has moved there:

Next, let’s change some permission settings:

sudo chown -R juho:www-data *

We will also need an uploads folder and set permissions to it as well, so run the commands as the instructions say:

mkdir /var/www/html/wp-content/uploads
sudo chown -R :www-data /var/www/html/wp-content/uploads





The platform for this assignment varies a little. It was started at the campus using a comp with these specs, and carried on with my home PC.
The virtual environment, i.e. the virtual machines were exported and imported to a USB-stick, which allowed the handy usage of the virtual machine(s).


  • Install a new machine, running Ubuntu Server, to the virtual environment. Install the Samba server and the SSH-server to this machine.
  • Install a new machine, running Windows 7, to the virtual environment.
    (unfortunately I was unable to transfer the Windows machine within the USB-stick, the time it took to export this machine was measured in hours, and I really did not have the time or the patience to wait for this.)
  • Using the Ubuntu Server Guide and the Samba-HOWTO-collection, test and configure the Samba server. Do not setup a printing server, only the file server.
  • Setup disk quotas for the users, i.e. give them Samba -server accounts.

Step 1. Installing the new machine

Firstly, I installed the new Ubuntu Server machine. During installation I selected the Samba server and Open-SSH server to be included in the installation. After the installation was completed I proceeded in configuring the Samba server.

I also installed a new Linux desktop to the environment, running Kubuntu 14.04 LTS, to kind of replace the Windows desktop.

Step 2. Configuring the Samba server

Telling Samba what to do is rather simple. The configurations will change during the setup progress, since I’m proceeding in a step by step manner.

First we need to edit some key/value pairs in the Samba-configuration file. It can be accessed using this command:

sudo nano /etc/samba/smb.conf

Here we will want to look into the [global] -section first. We will need to give our workgroup a name, and give a basic security declaration. My conf-file’s [global] looks like this: globalconf

Next I created a new section to the bottom of the conf-file called “[share]”. This section will define the sharing policies of the file server. You might want to add these lines to it:

comment = Samba File Server #just a friendly reminder
path = /srv/samba/share #we will create this later
browsable = yes
guest only = yes
read only = no
create mask = 0755

My section looks similar to the one above:

Now Samba is configured.

We will now need to create the shared directory, so run these command:

sudo mkdir -p /srv/samba/share
sudo chown exmpl.nogrp /srv/samba/share/

Samba needs to be restarted in order for the configurations to apply:

sudo restart smbd
sudo restart nmbd

You can also run a command “testparm” to check if the configuration file syntax is correct.


There you go. Local network configuration is done!
Your machines in your local network should now detect the Samba file server.

Step 2. Detecting the server

This really isn’t a step at all. Just log into one of your desktops, also connected to the internal network and go check the “Network” (if debian) folder.
In my Kubuntu, I could find the “Samba Shares” folder without any further configurations. Clicked it and:
I can find a few shared networks here, since other people were doing the same stuff in the same network. I could find my network “Example.lan” on the top.
Two folders here, “data” and “share”. We just created the “share” folder. And I also made a text-file there on the server machine, for testing purposes.
Looks like it works!

If you have problems accessing the folders, you might not have permission to them. Try checking the [share] settings. If that doesn’t work, try using chmod to see if the problem is there.

sudo chmod -c -rwxrwxrwx /share

This of course is not very good considering data security, but we just want to see if this is the problem.

Step 3. Users

Users need both accounts on the server and accounts in Samba. So create the users into your server machine. After that let’s make them in Samba as well.

Users are already created in the server, they are valid Samba users. So we only need to give them Samba specific passwords. That is done with the command:

sudo smbpasswd -a user

This how it will look in the terminal:
As we can see here, Samba really doesn’t appreciate my security settings. I also ran into this while checking the Samba status with:


Now this is how it looked. (the server is not working properly yet, we’re on it)

I brute forced this error out, no one likes error:
Messy work around, but it does the job for now. The status looks much better now too:

Let’s see if we can log into our Samba server.
Root login:

sudo smbclient //

If you want to log in with a account is is done with this command:

smbclient // U-usrname/pw


Server status

We can check the server status using this command:

smbclient -l samba -u%


Looks alright.

The users have now been created and the server configured. The next step is to mess around with disk quotas.

Step 4. Disk quotas

Let’s set up disk quotas for our users.  Install the software using this command:

sudo apt-get install quota

After installation take a copy of the conf -file located: /etc/fstab. After open the conf -file.

sudo nano /etc/fstab

By default the file looks as follows:
Add ,usrquota after the errors=remount,ro -part. Don’t remove anything. This file is extremely picky with the syntax.
The modified file will look something like this:

Run a remount to apply the settings:

sudo mount -o remount /

Now, be sure to have your quota turned off before running the check commands. Execute the commands as follows:

sudo quotaoff /
sudo quotacheck -cum /
sudo quotaon /

Now we can set quotas for our users using the sudo edquota

sudo edquota juhotest

We can set the usable disk space etc here. Like this:

After we’ve set quotas as wanted we can see if they are applying. Checking for user quotas can be done with the command:

quota userhere


And there we have it!




To change your IP form dynamic to static, we will need to look into the /etc/networks/interfaces -file.

sudo nano /etc/networks/interfaces

This will open up the configuration file in which you can tweak your IP setting. It will look a bit like this:
You will need to change a few lines in order to make your IP static. Add these changes into the file:

auto eth0
iface eth0 inet static

Depending on your needs, you can also configure netmask and other necessary configurations here.
# – means that the setting is commented out, and will not apply.

Your finished file will look like this:

Save the file and run these commands:

sudo ifdown eth0
sudo ifup eth0

This will apply the changes made and give you a new IP. Now if you run ifconfig your IP should display as – you now have a static IP.


So, my external hard drive is a brick. To summarise the problem; It just won’t boot. So I am will run this assignment on a Windows desktop, since my laptop is not strong enough to run so many virtual machines at once.

Windows 7 Enterprise 64-bit
Intel Core i5-2400 @ 3.10GHz
Some integrated Intel HD graphics GPU
8GB of RAM


Create four virtual machines:

## Machine A: Linux desktop, I’ll be using Mint 17. This machine will receive its network address from the DHCP -server.  Eth0 in the local network (intnet). ## Machine A not used in this post

Machine B: Master, running Ubuntu server. This machine will work as a DHCP – server. Static IP, Eth0 in local network.

Machine C: Bridge, running Ubuntu server. This machine works as a NAT -distributor (If it works..) between the local and public network. Static IP, Eth0 in public network (bridged), Eth1 in local network (intnet).

Machine D: Running Ubuntu server. Receives IP from the DHCP -server. Address reserved before hand using MAC -address. Eth0 in local network. Calling this machine ‘Aku’ on this post.

Step 1.

Creating and installing the virtual machines will be the first step. I begun with installing all the machines using Ubuntu server. I gave them all 512 MB of RAM and 8 GB of space on the hard drive, the desktop client gets a bit more RAM etc, but servers will manage with less.

During the installation, I also installed the OpenSSH -client. Machine B also got the DNS-server package during installation.

Bridged network setting is necessary here, since we still need to access public network, in order to make a few installations here.

Machine C – the bridge, will need two network adapters here. It will work as a gateway to the public network for the other machines. Set Eth0 to public network setting – Bridged, and Eth0 to internal network. Primary network adapter = Eth0.

After setting up Machine C – the bridge, run this command:
ls /sys/class/net/
This should list you the following adapters: eth0, eth1 and lo.

Step 1.2 DHCP-server installation

After the machines are setup, installing the DHCP -server on the master machine is necessary. It can be done with the following command:

sudo apt-get install isc-dhcp-server

Be sure to have bind9 installed before doing this. (sudo apt-get install bind9)

This will install and start the DHCP -server. However, it still needs go through the process of configuration.

After the installation is completed, everything that needs to be installed on this machine has been installed. Now we can change the IP to a static IP.

sudo nano /etc/networks/interfaces

This will open up the configuration file in which you can tweak your IP setting. It will look a bit like this:
You will need to change a few lines in order to make your IP static. Add these changes into the file:

auto eth0
iface eth0 inet static

For now, leave the dns-nameservers commented out.

Save the file and run these commands:

sudo ifdown eth0
sudo ifup eth0

This will apply the changes made and give you a new IP. Now if you run ifconfig your IP should display as – you now have a static IP.

Configuring the /etc/hosts -file might not be necesary, but I’d say do it just to be sure. Capture
We will want to change the IP here to our own static IP and fill in the host’s name – master.

Step 1.2 Gateway//Bridge

Before testing, make sure all your other machines have also got the appropriate IP settings in /etc/network/interfaces:
On the bridge machine, we will want to leave the eth0 -setting untouched and make a similar configuration for the eth1 -adapter.
Eth1 – adapter is in the internal network, so we will want to give it static IP and other configurations as seen above.

Remember, for the settings to apply, you will need to run ifdown and ifup -commands.

Step 2. Testing the work done so far

At this point we can test if that the machines can find each other using SSH.
We can start by trying to connect from MASTER —> BRIDGE

ssh juho@

You should get similar results:

Step 3. Configuring the DHCP -Server

Configuration here is done in a similar way to the prior part of the assignment. You will need to access the .conf file and tweak it a bit.

sudo nano /etc/dhcp/dhcpd.conf

This is how it will look by default:

You will need to add these lines into the .conf -file:

subnet netmask {
option domain-name-servers,; 
## is google's name server, which work as a backup here
option domain-name "yournetwork'snamehere.example";
option broadcast-address;
#option routers #if you need this 

After adding this to the file, it should look a bit like this:

Depending on how you want to build your network, you might want to set fixed addresses to your machines. This is done using MAC-addresses and the configuration is done to the same file we’re in now. Here’s how you’ll do it.

 host hostname {
      hardware ethernet 08:00:27:ff:03:57; 
      } #remember to close the script

“hardware ethernet” is the mac-address of the machine whose IP you want to set as fixed. It can be found in ifconfig.
“fixed-address” is the IP you want to set. Preferably set it outside the range set above, to avoid overlaps.

My conf-file looks like this:
I gave all my machines fixed-addresses.

Now we need to restart the DHCP -server. It is done with this command:

sudo /etc/init.d/isc-dhcp-server restart

You should get similar results:
Now the DHCP -server has been configured.

Now the other machines should receive a fixed address, if their network is set to internal. Let’s test this. Machine D, aka Aku, let’s refresh the connection with ifdown and up, and see what kind of IP will we get. It’s supposed to be
Looks like it worked!  We can also see from the messages on the terminal, that the DHCP-server is working properly.

Next step is to configure the server so, that the machines in internal network can also access public network. That will be done in the next post.


Time to play around with SSH, again!

Assignment II:

Specs of the workstation here: specs

– Install Wireshark
– Create the needed keys to establish secure and automated connection
– Use Wireshark to monitor network traffic
– Create an SSH connection and perform some simple commands via SSH
– Terminate the connection, analyze the network traffic on Wireshark

– Install Munin


Step 1.

Installing Wireshark is done with the following command:
sudo apt-get install wireshark

Running Wireshark for the first time needs to be done using sudo -rights. Otherwise tracking won’t work. Here’s a picture of a fully set up Wireshark, displaying TCP -connections only.


Step 1.1

Creating keys for SSH is ez. Done like this:

After the command, give the desired location for the keys when prompted.
After giving the location, the program will ask for a pass phrase, this will be needed later when establishing the automated connection.

Step 1.2

Copying the public keys between the client and the server will be done as follows:
ssh-copy-id USER@IP

If you are performing this between two virtual machines, remember to set the connection as “bridged”. Otherwise the virtual machines will receive the same IP, resulting in this method not working.

After copying the key, try to login to the desired workstation, using SSH. The program will ask you to repeat the password/pass phrase once more, and after this the login will be automated.

Here I am connecting to my Ubuntu Server virtual machine from my Linux Mint virtual machine, after copying the keys.

Step 1.3

After setting up Wireshark, and performing the steps above, the steps are seen on Wireshark like this:
We can see that the steps we made previously are seen as  “Encrypted requests – and responses” and steps prior to that “new keys” etc are not encrypted.


Step 2: Munin

The installation of Munin here is done by following the steps provided by Ubuntu.

At this point I was unable to access my workstation, I believe the external hard drive I’m using is some what broken. So I will attempt the installation on my laptop.
Specs of the laptop used here: laptopspecs.

Before installing Munin, Apache -web server needs to be installed and set up. Before attempting this, be sure to do so.

As Mint uses same package repository as Ubuntu, the commands provided by Ubuntu will work here as well.

Installing Munin can be done with a few commands:
installing server01 – sudo apt-get install munin
installing server02 – sudo apt-get install munin-node

On server01, we will have to do a few modifications in order to make the program work properly.  Go to /etc/munin/using cd – command and make the following modifications:

We will need to modify the .conf file, in order to do so, use this command:
sudo nano munin.conf


## This here will be our normal host
## Add this text into the file 
       address localhost

Replace the address and [localhost] into your server’s address. If you only want to do this locally, you can use localhost.

Next we will modify munin-node.conf -file the same way.

## add this into the munin-node-conf -file
## replace localhost with your own IP
allow ^localhost$

In order for these changes to apply, we need to restart the munin server.
sudo /etc/init.d/munin-node restart


  • Copying and modifying this and all the other documents in this blog is allowed according to the GNU General Public License (versio 2 or newer).