My Experiences with Databases

Oracle,MySQL,SQL SERVER,Python,Azure,AWS,Oracle Cloud,GCP Etc

  • Enter your email address to follow this blog and receive notifications of new posts by email.

  • Total Views

    • 315,906 hits
  • $riram $anka


    The experiences, Test cases, views, and opinions etc expressed in this website are my own and does not reflect the views or opinions of my employer. This site is independent of and does not represent Oracle Corporation in any way. Oracle does not officially sponsor, approve, or endorse this site or its content.Product and company names mentioned in this website may be the trademarks of their respective owners.

Archive for the ‘Security’ Category

Install & Configure SSL for Apache-Nginx using Lets Encrypt-CertBot.

Posted by Sriram Sanka on September 28, 2022


One can Install Apache and Nginx using YUM Or DNF in the Selected Unix flavor whereas by default it is a non-secure sub-domain when you access.

Lets encrypt offers free SSL which can be configured to get the SSL for your domain irrespective of Private Or Public Domains. In case of Private Domains , you just need to add a text Entry to Pass the Validations.

For this I am using Oracle Cloud Instance(Always Free).

Change the Host Name using hostnamectl as below

[root@certbot ~]# hostnamectl set-hostname certbot.ramoradba.com
[root@certbot ~]# hostname

As its the Initial Login after Instance provision , run the yum update and Install Apache and/or Nginx as per your choice.

Run Yum Update and make sure everything updated without any issues.

Install Apache-httpd using yum repo.

Try Access the IP/Hostname to see the Installed Apache Default Page.

Install Nginx using Yum

Try to Access Nginx from the Browser

Enable EPEL Repo to Configure Snap and Certbot

Enable the Socket and run the below to Install certbot ,

systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
snap install certbot --classic

Restart your session to get the Certbot ,You can Configure SSL for Nginx Or Apache as below, Add an Entry in you domain controller for your IP matching with the Host Name Configured.

Adding Domain Entry for the HostName

You can Either Configure SSL and Install Or Choose the certonly Option to Get the Certificates only, you can configure your SSL.conf as per your webserver configuration
Also In case , your System is not internet facing, You can choose the Preferred Challenges as either http or DNS You can review the Supported Challenged here https://letsencrypt.org/docs/challenge-types/

certbot --nginx -d <subdomain>.ramoradba.com
certbot --apache -d <subdomain>.ramoradba.com

Make Sure you have a Virtual_Host entry available with the domain you chose., Otherwise it will fail.

<VirtualHost *:80>
    ServerName certbot.ramoradba.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
certbot --apache -d certbot.ramoradba.com

Reload your browser session to see the Installed Certificate .

Apache with SSL Configured

Thanks for your visit, Hope you like it.

Posted in Apache, Installation, Linux, Nginx, Security, ssl | Tagged: , , , , , , | Leave a Comment »

Log4j Zero-Day RCE (CVE-2021-44228) Vulnerability

Posted by Sriram Sanka on December 11, 2021


I came to know about this Critical Vulnerability last night, and below is actual info same as the original content/Post by REDHAT https://access.redhat.com/security/cve/cve-2021-44228, Posting this as it is as I thought Its more clear in their Page on their words.

Description

A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 and before and including 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker’s JNDI LDAP server lookup.

Statement

This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

  • A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
  • A log statement in the endpoint that logs the attacker controlled data.

Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it is possible that log4j version 1.x is also affected by this vulnerability. The impact is still under investigation.

Mitigation

There are two possible mitigations for this flaw in versions from 2.10 to 2.14.1:
– Set the system property log4j2.formatMsgNoLookups to true, or
– Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`

Possible Workaround :

In order to mitigate vulnerabilities, users should switch log4j2.formatMsgNoLookups to true by adding:”‐Dlog4j2.formatMsgNoLookups=True” to the JVM command for starting the application.

Latest log4j API can be downloadable from https://logging.apache.org/log4j/2.x/download.html

Source :

https://access.redhat.com/security/cve/cve-2021-44228

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228

Posted in Security | Leave a Comment »

 
Tales From A Lazy Fat DBA

Its all about Databases & their performance, troubleshooting & much more .... ¯\_(ツ)_/¯

Thinking Out Loud

Michael T. Dinh, Oracle DBA

Notes On Oracle

by Mehmet Eser

Oracle Diagnostician

Performance troubleshooting as exact science

deveshdba

get sum oracle stuffs

Data Warehousing with Oracle

Dani Schnider's Blog

ORASteps

Oracle DBA's Daily Work

DBAspaceblog.com

Welcome everyone!! The idea of this blog is to help the DBA in their daily tasks. Enjoy.

Anand's Data Stories

Learn. Share. Repeat.

Tanel Poder's blog: Core IT for geeks and pros

Oracle Performance Tuning, Troubleshooting, Internals

Yet Another OCM

Journey as an Oracle Certified Master

DBAtricksWorld.com

Sharing Knowledge is ultimate key to Gaining knowledge...

Neil Chandler's DB Blog

A resource for Database Professionals

DBA Kevlar

Tips, tricks, (and maybe a few rants) so more DBA's become bulletproof!

OraExpert Academy

Consulting and Training

%d bloggers like this: