Confirm that a certificate matches a private key with OpenSSL

To prepare for a maintenance window to address Heartbleed, I wanted to confirm that a new certificate matched the new private key I received from my developers.
You can do this easily with two openssl commands:


$ openssl x509 -noout -modulus -in server.crt | openssl md5
c73310ec894a2518a153144e7abb3c19

Now do the same for the private key

$ openssl rsa -noout -modulus -in server.key | openssl md5
c73310ec894a2518a153144e7abb3c19

If the two hashes match, the certificate and key belong together (md5 here only shortens the modulus for eyeballing; it is not a security measure). Note that -modulus only applies to RSA: for an EC key, compare the public key printed by 'openssl x509 -noout -pubkey' with the output of 'openssl pkey -pubout' instead.
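As an added example (not from the original post), the same check as a reusable script that compares the public key embedded in the certificate with the public key derived from the private key. It goes slightly beyond the RSA-only modulus trick above: comparing the SubjectPublicKeyInfo works for RSA, ECDSA and Ed25519 keys alike and also catches a mismatched RSA exponent. File names and the example subject are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Compares the public key inside a certificate with the public key derived
# from a private key; works for RSA and EC keys, unlike the -modulus trick.

# SHA-256 fingerprint of the public key in either a PEM certificate or a PEM
# private key. Prints the hex digest; returns 2 if OpenSSL cannot parse the file.
pubkey_fingerprint() {
    file=$1
    if grep -q 'BEGIN CERTIFICATE' "$file"; then
        pem=$(openssl x509 -in "$file" -noout -pubkey) || return 2
    else
        pem=$(openssl pkey -in "$file" -pubout) || return 2
    fi
    # Hash the DER form so PEM line wrapping can never cause a false mismatch.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate and private key belong together,
# 1 when they do not, 2 when either file could not be parsed.
cert_matches_key() {
    cert_fp=$(pubkey_fingerprint "$1") || return 2
    key_fp=$(pubkey_fingerprint "$2") || return 2
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Usage: ./certcheck.sh server.crt server.key   (assumed file names)
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "MATCH: $1 and $2 share a public key ($(pubkey_fingerprint "$1"))"
    else
        echo "MISMATCH: $1 does not belong to $2" >&2
        exit 1
    fi
fi
```

Because the comparison is on the DER-encoded public key, the same two functions work unchanged when the key and certificate use different PEM encodings (for example a "BEGIN RSA PRIVATE KEY" key and a PKCS#8 key).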

Mac OSX one-liners to get specific IP Info

I needed to let users print very specific networking information with ease.
A typical user doesn't want to decipher all of the extra output and steps that ifconfig or a similar command brings.
While building this script, I ended up with quite a few one-liners that can be useful for everyday admin tasks.

Print ONLY the IP address (en0 is the Wi-Fi interface on most Macs; adjust if yours differs)
ipconfig getifaddr en0

Print ONLY the gateway
route -n get default | awk '/gateway: / {print $2;} '

Print ONLY the network mask for the Wi-Fi connection
networksetup -getinfo "Wi-Fi" | awk '/Subnet mask:/ {print $3;} '

Print ONLY the network address (bitwise AND of each address octet with the matching mask octet)
ip=$(ipconfig getifaddr en0) && nm=$(networksetup -getinfo "Wi-Fi" | awk '/Subnet mask:/ {print $3;} ') && IFS=. read -r i1 i2 i3 i4 <<< "$ip" && IFS=. read -r m1 m2 m3 m4 <<< "$nm" && printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"

Print all DNS servers on one line (on newer macOS versions /etc/resolv.conf may not reflect the resolvers actually in use; 'scutil --dns' shows the full picture)
awk '/nameserver / {print $2;} ' /etc/resolv.conf | tr "\n" " "
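As an added example (not from the original post), the network-address one-liner above generalised into a POSIX shell function that takes the address and mask as arguments instead of reading them from the Mac-specific tools, so it runs on any system. It also validates both inputs (non-numeric or out-of-range octets, non-contiguous masks) and prints the broadcast address and prefix length alongside the network address. The sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Usage: net_info 192.168.1.37 255.255.255.0
# Output: <network> <broadcast> <prefix-length>, e.g. 192.168.1.0 192.168.1.255 24
net_info() {
    ip=$1
    mask=$2
    all=4294967295   # 0xFFFFFFFF, keeps the shell's 64-bit arithmetic within 32 bits

    # Split both dotted quads into eight positional parameters.
    set -- $(printf '%s.%s' "$ip" "$mask" | tr '.' ' ')
    [ $# -eq 8 ] || { echo "malformed address or mask" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) echo "non-numeric octet: $octet" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "octet out of range: $octet" >&2; return 1; }
    done

    ipn=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mn=$(( ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 ))

    # A valid mask is a run of 1s followed by 0s; OR-ing it with (mask - 1)
    # then yields all ones. 255.0.255.0 fails this check, 255.255.248.0 passes.
    [ $(( (mn | ((mn - 1) & all)) & all )) -eq "$all" ] \
        || { echo "non-contiguous mask: $mask" >&2; return 1; }

    net=$(( ipn & mn ))                      # same AND as the one-liner, on 32 bits
    bcast=$(( (ipn | (~mn & all)) & all ))   # host bits all set
    prefix=0
    x=$mn
    while [ "$x" -ne 0 ]; do                 # count the 1 bits of the mask
        prefix=$(( prefix + (x & 1) ))
        x=$(( x >> 1 ))
    done

    printf '%d.%d.%d.%d %d.%d.%d.%d %d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 )) \
        $(( (bcast >> 24) & 255 )) $(( (bcast >> 16) & 255 )) $(( (bcast >> 8) & 255 )) $(( bcast & 255 )) \
        "$prefix"
}

# Constructed sample input; on a Mac you would pass the output of
# "ipconfig getifaddr en0" and the subnet mask from "networksetup -getinfo".
net_info 192.168.1.37 255.255.255.0
```

The function returns a non-zero status on bad input, so it is safe to use in the `cmd && cmd` chains the one-liners above rely on.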

Delete .DS_Store files

OSX Finder automatically creates .DS_Store files when you browse to a directory. The .DS_Store file contains information about custom attributes of a folder, such as the position of icons or the choice of a background image. Uploading it along with other files risks giving outside users information about your computer, or simply creates unneeded clutter.

Often when I want to FTP-upload a directory it has a .DS_Store file at the root of each folder.
I of course don't want this uploaded with my FTP transfer.
Execute this command in the folder you want to delete all .DS_Store files from (sudo is only needed if some of the files are not owned by you):

sudo find . -name ".DS_Store" -depth -exec rm {} \;

PHP file_get_contents fails silently on files greater than 2Gb

Trying to run a script using file_get_contents on a file larger than 2 GB kept failing silently.
To fix this, I had to recompile my PHP with "-D_FILE_OFFSET_BITS=64",
e.g.:
CFLAGS="-D_FILE_OFFSET_BITS=64" ./configure

From the PHP manual (http://www.php.net/manual/en/intro.filesystem.php):

No external libraries are needed to build this extension, but if you want PHP to support LFS (large files) on Linux, then you need to have a recent glibc and you need compile PHP with the following compiler flags: -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64.

Bash script to find empty folders recursively

I was recently tasked with determining whether a folder contained no files at all, other than more empty folders.

The one exception was hidden files, which we can ignore. In this case these were all .DS_Store files and ".rsrc" folders.

This script reports each top-level sub-folder as empty only when neither it nor any folder inside it contains a (non-hidden) file.

#!/bin/bash
# Report, for each top-level sub-folder of the target directory, whether it
# is "empty": no regular files at any depth, ignoring hidden files and
# folders such as .DS_Store and .rsrc.

# Use the first argument as the target, or the current directory if none given.
mydir="${1:-$(pwd)}"

# The find calls below are relative to ".", so move into the target first;
# this also keeps the printed paths ($mydir plus the part after ".") correct.
cd "$mydir" || { echo "cannot access $mydir" >&2; exit 1; }

echo "Searching folder: $mydir"

echo "Empty folders found:"
findempty() {
    # Immediate, non-hidden sub-folders of $1 (default ".")
    find "${1:-.}" -mindepth 1 -maxdepth 1 -type d -not -path '*/\.*' | while read -r dir
    do
        # Keep only the slashes of the path: exactly one means a top-level sub-folder
        dirlevel="${dir//[^\/]/}"
        # Empty if no non-hidden regular file exists anywhere beneath it
        if [[ -z "$(find "$dir" -mindepth 1 -type f -not -path '*/\.*')" ]]
        then
            if [[ ${#dirlevel} == 1 ]]
            then
                echo "empty: $mydir${dir:1}"
            fi
        else
            if [[ ${#dirlevel} == 1 ]]
            then
                echo "not empty: $mydir${dir:1}"
            fi
        fi
    done
}

findempty

Viewing or Recovering Pre-Shared Keys (PSK) in plain text on a Cisco ASA

About 4 months ago I began taking a deep dive into Cisco networking at my new job. Since then, I have obtained my Cisco Certified Systems Engineer certification, the first of many planned Cisco certifications for me. It's been a ton of fun, but I'm always learning new commands to use on these devices. I'll try to share the most useful uncommon ones with you.

One command that has been extremely helpful when setting up and troubleshooting VPNs is 'more system:running-config'.

You probably already know that simply using the 'show run' command displays the PSK as asterisks (****). Running the 'more system:running-config' command displays the running configuration with unencrypted passwords, including the PSK. If the PSK wasn't documented or you just need to verify it, this can prove very useful! Because the output contains cleartext secrets, treat it like the key material itself: view it only on a trusted terminal and keep it out of tickets, chat logs and session recordings.

Another handy command when troubleshooting a problematic VPN is to turn on debug mode for the VPN.

debug crypto ca 20

If you’re not at the console, you will need to use the ‘terminal monitor’ (or simply ‘term mon’) command to see the output. Don’t forget to turn debug off when you are finished!

Install missing libmhash and libmcrypt on CentOS 6 or RHEL 6

I recently began making the migration to RHEL 6. So far so good, except for a few unexpected hurdles. One of these was installing PHP on my web servers. The issue is that libmcrypt and libmhash cannot be found in the default repositories. When I attempted to build PHP, I received the following error:

configure: error: mcrypt.h not found. Please reinstall libmcrypt

Attempting to install libmcrypt-devel with only the default repositories installed will lead to a frustrating ‘nothing to do’ result from yum.

The only solution that I have found, short of compiling libmcrypt from source, is to install the EPEL repositories. EPEL to the rescue!

rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Once installed, ‘yum install libmcrypt-devel’ will work as expected and you can continue with your configuration.

Changing the Time Zone in CentOS and RHEL

I recently checked the time on one of my servers and realized that the time was WAY off. NTP was running and forcing an NTP update with “ntpdate -u ” only corrected the time by nanoseconds. I read the date and time again, this time a little closer. It turns out that the clock was set to a European time zone for some reason.

So how do you change the time zone on a Linux server? Baffled that I had never done this before, I wanted to share with you how I did this.

All options for time zones are listed throughout /usr/share/zoneinfo. You will need to browse this folder to find the time zone appropriate for your server. For me, it was “US/Central” but I could have also chosen “America/Chicago”.

Now that we know the location of the appropriate time zone file, we need to create a symlink to it at /etc/localtime (or simply replace the existing file there with a copy). I prefer a symlink to avoid duplicate files whenever possible. A symbolic link also ensures that time zone rule changes shipped in tzdata updates (such as the change to Daylight Saving Time that happened in the US in 2007) take effect correctly. Save yourself the trouble and just create a symlink :)

In my example, I will create a symbolic link for US Central time using the America/Chicago zone file (equivalent to US/Central). Change "America/Chicago" to your appropriate time zone. Create a backup of localtime first if you wish...

rm /etc/localtime
ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime

Ta-da, your time zone is now changed. You can verify this in a variety of ways, but the easiest is to simply type 'date' at your command prompt. On RHEL and CentOS 6, also set ZONE="America/Chicago" in /etc/sysconfig/clock so the system's recorded zone agrees with the link; on RHEL 7 and later, 'timedatectl set-timezone America/Chicago' does both steps for you.
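As an added example (not from the original post), the steps above wrapped in a script that validates the zone name against the zoneinfo tree, backs up the current /etc/localtime, creates the symlink, and reports which zone the link now points at. The optional root-prefix argument is an assumption added so the functions can be exercised in a scratch directory; leave it out on a real system and run the script as root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Usage: set_timezone America/Chicago            (real system, run as root)
#        set_timezone America/Chicago /tmp/root  (assumed prefix, for testing)

set_timezone() {
    zone=$1
    root=${2:-}
    zonefile="$root/usr/share/zoneinfo/$zone"
    target="$root/etc/localtime"

    # Only accept a relative name inside the zoneinfo tree that actually exists,
    # so a typo or a ".." component can never link /etc/localtime elsewhere.
    case $zone in
        ''|/*|*..*) echo "invalid zone name: $zone" >&2; return 1 ;;
    esac
    [ -f "$zonefile" ] || { echo "no such zone: $zone" >&2; return 1; }

    # Keep the previous file or link so the change can be reverted.
    if [ -e "$target" ] || [ -L "$target" ]; then
        mv -f "$target" "$target.bak" || return 1
    fi
    # Link rather than copy, so tzdata package updates are picked up automatically.
    ln -sf "$zonefile" "$target"
}

# Print the zone name /etc/localtime currently links to; fails if it is a plain copy.
current_zone() {
    root=${1:-}
    link=$(readlink "$root/etc/localtime") || return 1
    printf '%s\n' "${link##*/zoneinfo/}"
}

if [ "$#" -ge 1 ]; then
    set_timezone "$@" && echo "time zone is now $(current_zone "${2:-}")"
fi
```

`current_zone` is the quick check the post suggests with `date`, but it reads the link target directly, which is handy in a configuration audit script where the shell's TZ environment might mask the system setting.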