Creating a self-signed cert

If you need to serve your website over SSL, but only for personal purposes such as webmail, you’ve probably run into the problem of creating your own server certificate.

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

If so, run the following to create a self-signed cert:

1.   Via a terminal window, run these commands in sequence:

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key -out signingkey.key
openssl x509 -in server.csr -out selfsigned_digicert.crt -req -signkey signingkey.key -days 3650
chmod 600 server.key
chmod 600 selfsigned_digicert.crt
mkdir -p /etc/pki/tls/private
mkdir -p /etc/pki/tls/certs
cp server.key /etc/pki/tls/private/localhost.key
cp selfsigned_digicert.crt /etc/pki/tls/certs/localhost.crt

2.   Restart HTTP (I run FC6), like so:

service httpd restart

That’s it!  You can now serve your website via SSL…Don’t forget to open up your firewall to accept HTTPS connections (TCP port 443).
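As an added example that is not from the original post, here is a POSIX sh version of the same procedure that generates the key and certificate in a single openssl call and then checks the result before it is copied into /etc/pki/tls. It assumes OpenSSL 1.1.1 or newer (for -addext) and uses 2048-bit RSA instead of the 1024-bit key above; the output directory and hostname are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: create a self-signed cert in one
# openssl call and verify the key/cert pair before copying it into place.
# Assumes OpenSSL 1.1.1 or newer (for -addext). Uses 2048-bit RSA; the post's
# 1024-bit key is below current minimums.

# make_selfsigned <outdir> <hostname> [days]
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # -x509 writes the certificate directly, so no separate CSR/signing step;
    # -nodes leaves the key unencrypted so httpd can start unattended.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$cn.key" -out "$dir/$cn.crt" -days "$days" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/$cn.key"   # the private key must not be world-readable
}

# key_matches_cert <key> <crt>: 0 when the cert carries this key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# has_san <crt> <hostname>: browsers match the SAN, not the CN.
has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# A self-signed cert is its own trust anchor: verification fails against the
# system store and succeeds only when the cert itself is pinned as the CA.
trusted_by_system()   { openssl verify "$1" >/dev/null 2>&1; }
trusted_when_pinned() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# cert_valid_for <crt> <seconds>: 0 if the cert does not expire within <seconds>.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

if [ "${1:-}" = "demo" ]; then
    make_selfsigned ./tls localhost 3650 \
        && key_matches_cert ./tls/localhost.key ./tls/localhost.crt \
        && has_san ./tls/localhost.crt localhost \
        && echo "ok: ./tls/localhost.key and ./tls/localhost.crt"
fi
```

Run it with `demo` as the first argument to produce the pair in ./tls; clients will only trust the result once this certificate is installed in their own trust store.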

Bad-Behavior MediaWiki Plugin Fix

If you use MediaWiki to power your wiki, you’ve probably heard of the Bad-Behavior plugin to help fight spam.

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however. Bad Behavior is available for several PHP-based software packages, and also can be integrated in seconds into any PHP script.

I was all for it after I read the description as well as the functions it adds to one’s wiki.  So, I did the following:

1.   Downloaded it like so:

wget http://www.bad-behavior.ioerror.us/download/bad-be…

2.   Unzipped it with the -a option (for ASCII mode):

unzip -a bad-behavior-2.0.10.zip

3.   Copied the whole folder to /path-to-wiki/extensions:

cp -R Bad-Behavior /path-to-wiki/extensions

4.   Edited LocalSettings.php and added the following line at the end of the file:

include( './extensions/Bad-Behavior/bad-behavior-mediawiki.php' );

The include statement above should’ve worked and added a new table to my MediaWiki DB, but this did not happen; when clicking on any link, I would just get a blank page.

My HTTPD logs also showed “undefined variable” errors, so after searching for fixes, I found that the following line had to be added just below the require_once("includes/DefaultSettings.php") line to resolve the issues.

Apparently, you’ll need this if you’re using a certain combination of Apache-PHP-MediaWiki versions:

require_once( "includes/DatabaseFunctions.php" );

I restarted Apache and all worked fine.  You can also add the Bad-Behavior 2 Extended extension if you’d like, which I did.

Use another SMTP server with Postfix

Over the weekend, I finally installed and configured my own e-mail server. What a challenge that was!

I’m successfully running Postfix, Dovecot, Spamassassin, Amavisd-new, ClamAV, SQLgrey, and Squirrelmail. I, however, encountered problems sending to Gmail.

It returned with the following message:

host gmail-smtp-in.l.google.com[64.233.163.27] said:
550-5.7.1 [76.170.212.236] Our system has detected an unusual amount of unsolicited 550-5.7.1 mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been 550-5.7.1 rejected. Please visit 550-5.7.1
http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines. 39si20019987nzk (in reply to end of DATA command)

Rejected? Huh? Apparently, my IP address has been blacklisted because Google couldn’t identify my server; also because I don’t have a static IP.

They said:

To ensure that Gmail can identify you:

  • Use a consistent IP address to send bulk mail.
  • Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.
  • Use the same address in the ‘From:’ header on every bulk mail you send.

We also recommend publishing an SPF record, and signing with DomainKeys.

At this point, I don’t really want to run and maintain my own DNS server nor obtain a static IP (everything works fine and it’s cheaper!), so I found a way around it: Set Postfix to use another SMTP server.

Here’s how:

1. Edit /etc/postfix/main.cf, and add or edit this line:

relayhost = smtp.servertouse.com

2. Restart the Postfix service (I run FC6), so:

sudo service postfix restart

That’s it! Your server will now hand mail to the SMTP server specified above instead of delivering directly to the destination, so it will no longer be “rejected” by Gmail or the like. ;0)
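As an added example that is not from the original post, this POSIX sh helper applies step 1 idempotently (it replaces an existing or commented-out setting rather than appending a duplicate) and, as a practitioner would, points Postfix at the relay's authenticated submission port over TLS instead of a bare hostname. The relay name, port and the sasl_passwd map path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: configure Postfix to relay through
# an upstream SMTP server. Each setting is added or replaced in main.cf, so
# re-running is safe. Relay host, port and map path below are placeholders.

# set_param <main.cf> <name> <value>: replace an existing "name = ..." line
# (active or commented out) or append one, leaving every other line untouched.
set_param() {
    cf=$1; name=$2; value=$3
    tmp="$cf.tmp.$$"
    awk -v n="$name" -v v="$value" '
        $0 ~ ("^[# \t]*" n "[ \t]*=") { if (!done) print n " = " v; done = 1; next }
        { print }
        END { if (!done) print n " = " v }
    ' "$cf" > "$tmp" && mv "$tmp" "$cf"
}

# get_param <main.cf> <name>: print the active value of a setting.
get_param() { awk -F' *= *' -v n="$2" '$1 == n { print $2 }' "$1"; }

# configure_relay <main.cf> <relay-host> [port]
configure_relay() {
    cf=$1; host=$2; port=${3:-587}
    # Square brackets stop Postfix from doing an MX lookup on the relay name;
    # 587 is the authenticated submission port rather than plain port 25.
    set_param "$cf" relayhost "[$host]:$port"
    # Authenticate to the relay: an upstream that relayed for anyone on a
    # dynamic IP would itself be an open relay and end up on the same lists.
    set_param "$cf" smtp_sasl_auth_enable yes
    set_param "$cf" smtp_sasl_password_maps hash:/etc/postfix/sasl_passwd
    set_param "$cf" smtp_sasl_security_options noanonymous
    # Require TLS so the relay credentials never cross the wire in clear text.
    set_param "$cf" smtp_tls_security_level encrypt
}

if [ "${1:-}" = "apply" ]; then
    configure_relay /etc/postfix/main.cf smtp.servertouse.com 587 \
        && echo "relayhost is now: $(get_param /etc/postfix/main.cf relayhost)"
fi
```

Run with `apply` as the first argument (as root) and then restart Postfix as in step 2; the sasl_passwd map itself still has to be created with postmap.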

Yoggie, a miniature security firewall appliance solution

A friend and coworker of mine, Arthur Freyman, told me about a miniature device that provides all the security you’ll ever need out-of-the-box. It’s called Yoggie.

The specs and the services it provides read pretty well so far – and, not surprisingly, it runs Linux under the covers.

Just think how cool it would be taking this device/gadget along with you when you’re on a road trip or working/surfing at a Starbucks…I think it’s an excellent idea and product from a bird’s eye view. Unfortunately, neither of us has tried it yet, but one of us will soon.

Here’s a screenshot of the architecture.

If you have one, let me know, and watch out for a future blog post on this in the not so distant future. =0)

Memorable and reliable DNS servers you can use

My area is “owned” by Comcast, now Time Warner, when it comes to cable TV and Internet services.  Unfortunately, their DNS servers have become unreliable numerous times over the years.

With that in mind, I’d like to share the memorable IP addresses of the DNS servers I use, which I have found to be very reliable.  Thanks to Level 3 for letting the public use them.

They are:

  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

You can definitely make use of them for all your DNS queries/needs.  In fact, running a simple ICMP ping test resulted in Level 3’s DNS servers out-performing Comcast/Time Warner’s DNS servers.

Comcast/Time Warner

C:\>ping 68.87.66.196

Pinging 68.87.66.196 with 32 bytes of data:

Reply from 68.87.66.196: bytes=32 time=82ms TTL=45
Reply from 68.87.66.196: bytes=32 time=48ms TTL=45
Reply from 68.87.66.196: bytes=32 time=52ms TTL=45
Reply from 68.87.66.196: bytes=32 time=51ms TTL=45

Ping statistics for 68.87.66.196:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 48ms, Maximum = 82ms, Average = 58ms

Level 3

C:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:

Reply from 4.2.2.2: bytes=32 time=37ms TTL=246
Reply from 4.2.2.2: bytes=32 time=16ms TTL=246
Reply from 4.2.2.2: bytes=32 time=12ms TTL=246
Reply from 4.2.2.2: bytes=32 time=15ms TTL=246

Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 37ms, Average = 20ms

So use them!  Enjoy.  =0)