Multiple SSL certificates on single IP address

Multiple SSL certificates on single IP address

Create the virtual host ssl inside the sites-available

#cd /etc/apache2/sites-available/
#cp default-ssl.conf web1.com-ssl.conf
#cp default-ssl.conf web2.com-ssl.conf

Make sure link on the /etc/apache2/sites-enable exist, the origin from the sites-available

#cd /etc/apache2/sites-enable
#ln -s /etc/apache2/sites-available/web1.com-ssl.conf
#ln -s /etc/apache2/sites-available/web2.com-ssl.conf
#ls -la /etc/apache2/sites-enabled
total 8
drwxr-xr-x 2 root root 4096 Apr 13 18:49 .
drwxr-xr-x 9 root root 4096 Apr 13 18:39 ..
lrwxrwxrwx 1 root root 35 Feb 15 09:57 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 58 Apr 13 18:48 web1.com-ssl.conf -> /etc/apache2/sites-available/web1.com-ssl.conf
lrwxrwxrwx 1 root root 54 Apr 13 18:49 web2.com-ssl.conf -> /etc/apache2/sites-available/web2.com-ssl.conf

Set up iptables On Debian 8

Faster way paste this on console

/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

IP-Tables are not persistent On Debian 8, save permanent the new rules to the master iptables file:

#iptables-save > /etc/iptables.up.rules

Make sure the iptables rules are started on a reboot we’ll create a new file:

#nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

#chmod +x /etc/network/if-pre-up.d/iptables
#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

 

Sudo user in Debian

Install the “sudo” Command
You need to run this command as root user:

user@debian:~$ su -
Password:
root@debian:~ # apt-get install sudo

Create a new user account.

#/usr/sbin/adduser admin

Add the user to the sudo group; By default on Debian systems, members of the group sudo are granted with sudo access. To add a user to the sudo group use the usermod command:

#usermod -aG sudo admin

Check the sudo access

#id admin
uid=1001(admin) gid=1001(admin) groups=1001(admin),27(sudo)

The user admin a member of sudo group now and to work as a root, every command must start with sudo (sudo reboot, sudo vim, sudo del, sudo mkdir, sudo……)

Error and solutions

admin@debian9:~$ sudo ifconfig
sudo: unable to resolve host (none)

Solutions

Insert hostname to /etc/hostname and /etc/hosts something like:

127.0.0.1    localhost.localdomain localhost
127.0.1.1    debian9

SSL test on Qualys SSL Labs Rating A Configuration

Minimal Debian * Jessie and Apache V 2.4.10

Fix DNS CAA No to Yes by add CAA record on DNS Server

Clouddns: Add CAA Record, select the Provider (If available : Comodo, Digicert, etc), if manual insert field Answer with 0 (Number 0 -255), Tag with issue and Value with comodoca.com (if Comodo SSL),, letsencrypt.org (If Lets Encrypt SLL) then Save All Changes, wait 1 hour to complete.  Then check CAA status at https://caatest.co.uk

Incorrect SNI alerts

Insert below within section VirtualHost conf then #service apache2 restart

nano /etc/apache2/sites-available/default-ssl.conf

Insert at the bottom before closed tag of the VirtualHost “</VirtualHost>”

ServerName example.com
ServerAlias www.example.com example.com

Enable Apache OCSPStapling

Specify cached response location (outside <VirtualHost>, before <VirtualHost _default_:443>

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

The placed must before the following text:

## SSL Virtual Host Context
<VirtualHost _default_:443>

Below the configuration on /etc/apache2/sites-enable/default-ssl.conf

** activate Header first in with command #a2enmod headers

SSLEngine on

SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"

# This TLSv1.2 only
SSLProtocol TLSv1.2
# To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read note above.
#SSLProtocol +TLSv1.2 +TLSv1.3

#enable of OCSP stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

#if you want to add DHE (Diffie-Hellman key exchange), HTTPD 2.4.8 later, run openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 uncomment below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle

#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" activate first in with command #a2enmod headers
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Enable Headers

#a2enmod headers

Enable SSL

#a2enmod ssl

Apply SSL Module to Site

#a2ensite default-ssl

To activate the new configuration, you need to run:

#service apache2 reload

Other SSL / TLS Settings on /etc/apache2/mods-enabled/ssl.conf

#Turn of SSL Compression & Ensure Ciphers are used in order

SSLCompression off
SSLHonorCipherOrder on

Enable SSL log by add script below the ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog 

ErrorLog ${APACHE_LOG_DIR}/ssl_engine.log
LogLevel debug

Sometimes error occurred, example log below

[Mon Nov 25 09:54:07.361518 2019] [ssl:error] [pid 5035] (70007)The timeout specified has expired: [client 84.240.234.36:32844] AH01985: error reading response from OCSP server

Solution

SSLStaplingResponderTimeout 3

When Sectigo’s OCSP Responder servers did not respond fast enough, the OSCP requests failed and the errors noted on this thread were logged to the Apache error log. Disable OCSP Stapling:

SSLUseStapling off

Or, instead of disabling OCSP Stapling, we could increase the default timeout value (11 seconds appeared to be suitable for yesterday’s issue):

SSLStaplingResponderTimeout 11