Friday, September 25, 2015

Dump Android APK version info

Use the Android SDK build-tools utility aapt.exe:


"C:\Program Files\Android sdk\build-tools\22.0.1\aapt.exe" dump badging myTest.apk

CentOS 7 + Apache 2.4 + WebDav (Not so secure)

1. Create the webdav directory

mkdir /var/www/webdav
chown apache:apache /var/www/webdav

2. Add a virtual host to the Apache server

vim /etc/httpd/conf/httpd.conf

NameVirtualHost *:8080

<VirtualHost *:8080>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/webdav/
        <Directory /var/www/webdav/>
                Options Indexes MultiViews
                AllowOverride None
                # Apache 2.2 access syntax; on 2.4 this only works because mod_access_compat
                # is loaded. The 2.4 form is "Require all granted".
                Order allow,deny
                allow from all
        </Directory>

        DavLockDB "/tmp/DavLock"
        Alias /webdav /var/www/webdav/

        <Location /webdav>
                DAV On
                AuthType Basic
                AuthName "webdav"
                # Note: this password file sits inside the DocumentRoot (and Indexes is on),
                # so it is served alongside the content; keeping it outside /var/www is safer.
                AuthUserFile /var/www/webdav/passwd.dav
                Require valid-user
                RewriteEngine off
        </Location>
</VirtualHost>

3. Create a webdav user

htpasswd -c /var/www/webdav/passwd.dav test

Use "-c" only the first time, to create the password file.
To add other users, omit the "-c" option (it would overwrite the existing file).


4. SELinux: make the webdav folder writable by httpd

grep denied /var/log/audit/audit.log | grep webdav

type=AVC msg=audit(1443167688.330:3067): avc:  denied  { write } for  pid=10689 comm="httpd" name="webdav" dev="dm-0" ino=770665 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

grep "Permission denied" /var/log/httpd/error_log

[Fri Sep 25 15:54:48.332239 2015] [dav:error] [pid 10689] (13)Permission denied: [client 192.168.1.195:45679] Could not open file for writing  [500, #0]

chcon -R -t httpd_sys_content_rw_t /var/www/webdav/
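As an added example (not from the original post), a small Python parser for AVC denial records like the one grepped above: it pulls out the source type, target type, object class and denied permissions, and for the single case this post covers (httpd_t denied write on httpd_sys_content_t) it emits the same chcon relabel used as the fix. The sample log text is constructed from the record above plus one non-AVC line, and the relabel table knows only that one type.

```python
import re

# Constructed sample: the AVC record from the audit.log grep above, plus one
# SYSCALL line that must be ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1443167688.330:3067): avc:  denied  { write } for  pid=10689 comm="httpd" name="webdav" dev="dm-0" ino=770665 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1443167688.330:3067): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Source/target contexts are user:role:type:level; we capture only the type field.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\S+:(?P<stype>\w+):\S+ tcontext=\S+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)


def parse_avc(log_text):
    """Return one dict per AVC denial: process, SELinux source/target types, class, permissions."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            denials.append(d)
    return denials


# Read-only web content type -> the writable type the post relabels to.
RW_TYPE = {"httpd_sys_content_t": "httpd_sys_content_rw_t"}


def suggest_fix(denial, path):
    """Suggest a relabel only for httpd needing write-type access to web content;
    any other denial returns None so it gets looked at by hand instead of auto-fixed."""
    if denial["stype"] != "httpd_t" or denial["ttype"] not in RW_TYPE:
        return None
    if not {"write", "add_name", "create", "remove_name"} & set(denial["perms"]):
        return None
    return "chcon -R -t %s %s" % (RW_TYPE[denial["ttype"]], path)


if __name__ == "__main__":
    for d in parse_avc(SAMPLE_AUDIT):
        print(d["comm"], d["stype"], "->", d["ttype"], d["tclass"], d["perms"])
        print("fix:", suggest_fix(d, "/var/www/webdav/"))
```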

5. Test webdav


yum install cadaver
cadaver http://192.168.1.195:8080/webdav/
Authentication required for webdav on server `192.168.1.195':
Username: test
Password:
dav:/webdav/> exit



Tuesday, September 22, 2015

CentOS 7 + Nginx 1.8.0 + PHP 5.6 + MariaDB 10.0 (LEMP) + SSL

1. Change ulimits

vim /etc/security/limits.conf

* soft nofile 65535
* hard nofile 65535

2. Install MariaDB

vim /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

yum install MariaDB-server MariaDB-client
chkconfig mysql on
mysql_secure_installation
Configure firewalld for MariaDB

3. Install Nginx

rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

yum install nginx
systemctl start nginx
systemctl enable nginx

Configure firewalld for nginx

4. Install PHP

https://webtatic.com/packages/php56/
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php56w php56w-fpm php56w-mysql

vim /etc/php.ini
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0

Reference : https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7

What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to "1" by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if a PHP file does not match exactly. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn't be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to "0" like this:



5. Edit /etc/php-fpm.d/www.conf


[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /var/log/httpd/php-fpm.log


[www]
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock

; 0666 makes the socket writable by every local user. Since nginx runs as the
; nginx user, "listen.owner = nginx" with "listen.mode = 0660" is the tighter choice.
listen.owner = nobody
listen.group = nobody
listen.mode = 0666

;user = apache
user = nginx
;group = apache
group = nginx

6. Edit /etc/nginx/conf.d/default.conf

    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }

    location ~ \.php$ {
        root   /usr/share/nginx/html;
        # "=404" must be written without a space: return 404 unless the requested
        # .php file really exists on disk, so it never reaches PHP-FPM otherwise.
        try_files $uri =404;
        fastcgi_pass  unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
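To make the cgi.fix_pathinfo warning in step 4 and the try_files line above concrete, here is an added Python model (not code from the original post, nor from nginx or PHP) of how each layer resolves a request: PHP's closest-existing-file fallback when cgi.fix_pathinfo=1, and nginx's =404 check that stops a request for a non-existent .php path before PHP-FPM ever sees it. The document root and the set of files that exist on the server are constructed.

```python
from pathlib import PurePosixPath

DOCROOT = "/usr/share/nginx/html"

# Constructed server filesystem: the only files present under the document root.
# avatar.jpg stands for any user-supplied file that must never be executed.
EXISTING_FILES = {
    DOCROOT + "/index.php",
    DOCROOT + "/info.php",
    DOCROOT + "/uploads/avatar.jpg",
}


def php_resolve_script(uri, fix_pathinfo):
    """Model of how PHP-FPM picks the script for SCRIPT_FILENAME=$document_root$uri.
    Returns (script_path_or_None, path_info)."""
    script = DOCROOT + uri
    if script in EXISTING_FILES:
        return script, ""
    if not fix_pathinfo:
        # cgi.fix_pathinfo=0: the path must exist exactly ("Primary script unknown" otherwise).
        return None, ""
    # cgi.fix_pathinfo=1: PHP walks back to the closest existing path component and runs
    # *that* file as PHP, treating the remainder as PATH_INFO. This is the behaviour the
    # tutorial text calls "extremely insecure": a non-PHP file can end up executed as PHP.
    for parent in PurePosixPath(script).parents:
        if str(parent) in EXISTING_FILES:
            return str(parent), script[len(str(parent)):]
    return None, ""


def nginx_route(uri):
    """Model of default.conf above: `location ~ \\.php$ { try_files $uri =404; ... }`.
    Only URIs ending in .php are handed to PHP-FPM, and only if that exact file exists."""
    if not uri.endswith(".php"):
        return "static"
    return "php-fpm" if DOCROOT + uri in EXISTING_FILES else "404"


if __name__ == "__main__":
    uri = "/uploads/avatar.jpg/x.php"
    print("fix_pathinfo=1 ->", php_resolve_script(uri, True))
    print("fix_pathinfo=0 ->", php_resolve_script(uri, False))
    print("nginx try_files  ->", nginx_route(uri))
```

With both settings in place the request is refused twice over: nginx answers 404 before proxying, and even a misrouted request would fail inside PHP because the exact script does not exist.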


7. Restart php-fpm and nginx

systemctl restart php-fpm
systemctl restart nginx

8. Test PHP

vim /usr/share/nginx/html/info.php

<?php phpinfo(); ?>

http://serverip/info.php

Remove info.php once the test passes; it exposes the full PHP configuration to anyone who can reach the server.


9. Create a self-signed cert

openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout cert.key -out cert.pem.csr -days 65536

Common Name (eg, your name or your server's hostname) []: mysite.example.com

With -x509 the output file is the self-signed certificate itself, not a CSR, despite the .csr suffix; nginx loads it as ssl_certificate below.

chmod 600 cert.key
chmod 600 cert.pem.csr
cp cert.key /etc/nginx
cp cert.pem.csr /etc/nginx

vim /etc/nginx/conf.d/my_host_ssl.conf

server {
    listen       443 ssl;
    server_name  mysite.example.com;

    ssl_certificate      /etc/nginx/cert.pem.csr;
    ssl_certificate_key  /etc/nginx/cert.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # set the ssl_ciphers to resolve chrome display "is encrypted with obsolete cryptography"
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers   on;
    ssl_protocols      TLSv1.2;

    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }
}
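An added example, not part of the original post: a Python audit of the ssl_ciphers string above. It separates explicit suites from OpenSSL group keywords (HIGH) and exclusions (!X), flags suites without forward secrecy or using 3DES, and shows that "!DES" removes only single-DES suites, so the DES-CBC3 entries stay unless "!3DES" is added. The cipher string is copied verbatim from the config.

```python
# The ssl_ciphers value from my_host_ssl.conf above, split only for readability.
NGINX_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)


def parse_cipher_string(s):
    """Split an OpenSSL cipher string into explicit suites, group keywords and exclusions."""
    suites, keywords, excludes = [], [], []
    for tok in s.split(":"):
        if tok.startswith("!"):
            excludes.append(tok[1:])
        elif "-" not in tok:          # HIGH, MEDIUM, ... have no hyphen; suite names do
            keywords.append(tok)
        else:
            suites.append(tok)
    return suites, keywords, excludes


def classify(suite):
    """Properties a browser judges: forward-secret key exchange and AEAD bulk cipher.
    With ssl_prefer_server_ciphers on, the first mutually supported suite here decides."""
    return {
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": "-GCM-" in suite,
        "triple_des": "DES-CBC3" in suite,
    }


def audit(s):
    suites, keywords, excludes = parse_cipher_string(s)
    info = {suite: classify(suite) for suite in suites}
    first = classify(suites[0])
    return {
        "explicit_suites": len(suites),
        "no_forward_secrecy": [x for x, c in info.items() if not c["forward_secrecy"]],
        "triple_des": [x for x, c in info.items() if c["triple_des"]],
        "modern_first": first["forward_secrecy"] and first["aead"],
        # "!DES" excludes single DES only; 3DES suites stay unless "!3DES" is present.
        "excludes_3des": "3DES" in excludes,
        "keywords": keywords,
    }


if __name__ == "__main__":
    for k, v in audit(NGINX_CIPHERS).items():
        print(k, "=", v)
```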







Friday, September 18, 2015

CentOS 7 command mapping

Ref:
http://note.tc.edu.tw/931.html
http://note.tc.edu.tw/932.html

  1. netstat

    ss
    ss -lt
    ss -t

  2. route

    ip route

  3. ifconfig

    ip addr
    ip -s link

  4. arp

    ip neigh

  5. ifconfig eth1 up / down

    ip link set eth1 up
    ip link set eth1 down

  6. traceroute

    tracepath 168.95.1.1

  7. service / chkconfig

    systemctl restart firewalld
    systemctl -l status mysql
    systemctl list-unit-files | grep nginx    # check whether the unit is enabled at boot, like chkconfig --list
    systemctl enable nginx

  8. iptables

    firewall-cmd --list-services
    firewall-cmd --get-zones
    firewall-cmd --list-all --permanent
    firewall-cmd --add-service=http
    firewall-cmd --zone=public --list-all
    firewall-cmd --zone=public --add-port=443/tcp
    firewall-cmd --zone=public --remove-port=443/tcp
    firewall-cmd --zone=public --add-source=192.168.1.0/24
    firewall-cmd --zone=public --remove-source=192.168.1.0/24
    firewall-cmd --zone=public --list-rich-rules
    firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="8080" protocol="tcp" accept'

    Without --permanent these commands change only the running firewall; the change is lost on reload or reboot.

    vim /etc/firewalld/zones/public.xml

Tuesday, September 8, 2015

SSL Certificate in Java

1. Use openssl to test the SSL connection

openssl s_client -connect IP:443

2. Import the CA into the Java keystore (keytool prompts for the keystore password; the JDK default for cacerts is "changeit")

keytool -import -alias TWCAroot -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts -trustcacerts -file root.cer

3. List the CAs in the keystore

keytool -list -v -keystore cacerts
keytool -list -v -keystore cacerts  -alias twcaroot

4. Delete a CA from the keystore

keytool -delete -alias aliasname  -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts

5. Test the CA

A. Save the SSLPoke.java file

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: " + SSLPoke.class.getName() + " <host> <port>");
            System.exit(1);
        }
        try {
            // Uses the JVM's default trust store (cacerts), so the handshake below
            // fails with "PKIX path building failed" until the CA is imported.
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}


B. javac SSLPoke.java

C. java SSLPoke  192.168.1.1 443
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
        at SSLPoke.main(SSLPoke.java:23)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
        ... 15 more


D. openssl s_client -connect 192.168.1.1:443

Save the certificate printed between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines into test.cer (include the BEGIN and END lines). Without -showcerts, s_client prints only the server's own certificate; add -showcerts to see the whole chain and import the issuing CA certificate rather than trusting a single server certificate.

E. Import the cert
keytool -import -alias TWCAroot -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts -trustcacerts -file test.cer

F. java SSLPoke  192.168.1.1 443
Successfully connected