Monitoring SSL certificate expiration with Nagios

Hi Lads,

This is a post for nerds so I’m writing it in English. If you don’t understand English or technical stuff please close this page 😀
I’m at work and I’ve just finished writing a Nagios script to monitor the expiration date of an SSL certificate.

I wanna share it with you.

To have the script working properly you just need to install OpenSSL and make sure the openssl
command is in your PATH.

This is the usage:

Usage:
check_ssl_cert.sh hostname port [warningdays]

The warning threshold defaults to 30 days.

Some examples:

[afailla@terminus ~]$  /usr/local/nagios/bin/check_ssl_cert.sh google.com 443
OK: Certificate is valid for 289 days expires on May  2 17:02:55 2009 GMT

[afailla@terminus ~]$  /usr/local/nagios/bin/check_ssl_cert.sh google.com 443 400
CRITICAL: Certificate will expire in 289 days on May  2 17:02:55 2009 GMT

Download the script here and enjoy it.
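For readers who can no longer reach the download link, here is an added example of a check in the same spirit as check_ssl_cert.sh (this is not the original script). It assumes GNU date for parsing the notAfter line, sends SNI so virtual-hosted servers return the right certificate, and, unlike the post’s output, reports WARNING when the threshold is crossed and reserves CRITICAL for an already-expired certificate.

```shell
#!/bin/sh
# Added example: a minimal Nagios-style certificate expiry check, not the
# original check_ssl_cert.sh. Assumes GNU date (-d) and openssl in PATH.

# Days until expiry, from an openssl "notAfter=..." line and a reference epoch.
# Kept free of network access so the arithmetic can be checked offline.
days_left() {
    # $1: e.g. "notAfter=May  2 17:02:55 2009 GMT"   $2: "now" as epoch seconds
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 1
    echo $(( (end_epoch - $2) / 86400 ))
}

# Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# "Expires soon" is WARNING; "already expired" is CRITICAL.
check_status() {
    # $1: days left   $2: warning threshold in days   $3: human-readable notAfter
    if [ "$1" -lt 0 ]; then
        echo "CRITICAL: Certificate expired $(( 0 - $1 )) days ago on $3"; return 2
    elif [ "$1" -lt "$2" ]; then
        echo "WARNING: Certificate will expire in $1 days on $3"; return 1
    fi
    echo "OK: Certificate is valid for $1 days, expires on $3"; return 0
}

# Fetch the leaf certificate's notAfter line. -servername sends SNI so a
# virtual-hosted server returns the right certificate; stdin from /dev/null
# makes s_client exit instead of waiting for input.
fetch_not_after() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

main() {
    [ $# -ge 2 ] || { echo "Usage: $0 hostname port [warningdays]"; exit 3; }
    warn=${3:-30}
    not_after=$(fetch_not_after "$1" "$2")
    [ -n "$not_after" ] || { echo "UNKNOWN: no certificate from $1:$2"; exit 3; }
    days=$(days_left "$not_after" "$(date -u +%s)") \
        || { echo "UNKNOWN: cannot parse '$not_after'"; exit 3; }
    check_status "$days" "$warn" "${not_after#notAfter=}"
}

# Only run the check when invoked with arguments, so the functions above can
# also be sourced by a test harness.
if [ $# -gt 0 ]; then main "$@"; fi
```

The exit status of the script is the Nagios state, so it can be dropped into a `check_command` definition as-is; the UNKNOWN path keeps connection failures from being mistaken for a healthy certificate.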

Congratulations Debian. Every man for himself!

DAMN DEBIAN! This time they really screwed up!

Do you have Debian servers installed from 2006 onwards? UPDATE OPENSSL IMMEDIATELY AND REGENERATE ALL YOUR CAs, PEM CERTIFICATES, AND CLIENT AND SERVER SSH KEYS.

Read this:

http://www.debian.org/security/2008/dsa-1571

And this too:

http://wiki.debian.org/SSLkeys (there’s a tool that should help you work out which SSH servers are vulnerable and which aren’t… although it may well produce false positives/negatives).

“Luciano Bello discovered that the random number generator in Debian’s openssl
package is predictable. This is caused by an incorrect Debian-specific change
to the openssl package (CVE-2008-0166). As a result, cryptographic key
material may be guessable.”

“Well, it looks like it’s more toward the minutes or seconds range, because dowkd.pl contains a simple list of around 260,000 fingerprints for these vulnerable keys… that is, if you’re vulnerable, I can look your SSH server’s host key fingerprint up in a rather small database to find your private key. Yikes.”

“It was a modification from the Debian package maintainers that has caused the issue. In short they disabled the random portion of the encryption process, also known as the IV, salt, seed. Which basically means all the keys are predictable, because the randomness has been removed. This in turn creates weak keys, and a target for brute force and man in the middle attacks. The bug is limited to Debian systems, and its clones, since it was introduced by the Debian maintainers.”

Modifying the code of a critical package like OpenSSL, the product of long mathematical study of cryptography, and screwing it up like this. Congratulations!!!!

It seems the rotten patch dates back to 2 May 2006. A full 2 years. Do you realize how many servers all over the world could be vulnerable?!!!?!

We’re in for hours in front of the computer updating heaps of machines. CONGRATULATIONS!

Update:

For sshd these commands are enough:

# apt-get update
# apt-get install libssl-dev openssl
# rm /etc/ssh/ssh_host*
# dpkg-reconfigure openssh-server

Obviously your ssh server’s fingerprint will change.

Update 2:

Obviously, if you use SSH RSA keys to log in to servers without a password (or even with a password) you have to regenerate them with ssh-keygen and update authorized_keys on every machine you have access to. WHAT A PAIN!

Obviously all this advice applies only if your server was installed after 2006 or your RSA key was created after 2006.

Update 3: