
April 25, 2017

AH00072

Problem:
Previously working, but now
Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443

Probable Cause:
Any two or more .conf files have Listen 443 or <VirtualHost _default_:443> in them.

Tentative Solution:
Edit your /etc/httpd/httpd.conf or other /etc/httpd/conf.d/*.conf files making sure you don’t have two files requesting port 443. It seems recent Apache versions are more strict and will fail to run, whereas older versions did not complain. Technically, I just renamed /etc/httpd/conf.d/ssl.conf to /etc/httpd/conf.d/ssl.conf.OFF so that my actual /etc/httpd/conf.d/live_ssl.conf file was used.
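To find which files are competing for the port before renaming anything, the following added example (not part of the original post) scans a config tree for active Listen directives and reports every port requested more than once. The function name `dup_listen` is hypothetical, and it assumes that the same port on any address counts as a conflict, which is a simplification.

```shell
#!/bin/sh
# Added example: report ports that more than one Listen directive tries to bind.
# Usage: dup_listen /etc/httpd    (pass whatever directory your layout uses)
# Only *.conf files are read, so a file renamed to ssl.conf.OFF is skipped.
dup_listen() {
    dir=$1
    # Step 1: emit "port<TAB>file" for every uncommented Listen line.
    find "$dir" -type f -name '*.conf' -exec awk '
        tolower($1) == "listen" && NF >= 2 {
            port = $2
            sub(/^.*:/, "", port)      # "0.0.0.0:443" or "[::]:443" -> "443"
            print port "\t" FILENAME
        }' {} + |
    sort |
    # Step 2: group by port and keep ports that were requested more than once.
    awk -F '\t' '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p ":" files[p] }' |
    sort
}
```

Each output line has the form `443: /path/one.conf /path/two.conf`; no output means no port is requested twice.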
  

August 28, 2015

https SSL cipher remediation for webservers 2015


I don’t know jack! I am NOT a security professional by trade, but please at least be aware that simply installing an SSL certificate on your server does NOT make it secure.

Thanks to Qualys SSL Labs (https://www.ssllabs.com/ssltest/), testing your server for SSL security is dead simple. I recommend every public site you manage to be tested immediately!

Once you know your status, here are some invaluable information resources you will need for remediation:


Setup your [Windows] IIS for SSL Perfect Forward Secrecy and TLS 1.2 : https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Additionally I had one server that used stunnel (https://www.stunnel.org) on Windows. I found the following were good settings for C:\Program Files (x86)\stunnel\stunnel.conf:
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Again, I am NOT a security expert, so please do not blindly reconfigure your settings without fully understanding what you are doing. I do not think my advice is wrong, but there absolutely might be better settings available.
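In an OpenSSL cipher string, a `!` exclusion permanently removes the matching ciphers, even when another token in the same string names them. The following added example (not from the original post) lists the tokens of a cipher string that such an exclusion cancels, using the ciphers line above as input; `dead_cipher_tokens` and `PAGE_CIPHERS` are hypothetical names, and the check is a textual match on `+` components only, so it does not resolve overlapping aliases.

```shell
#!/bin/sh
# Added example: list tokens in an OpenSSL cipher string that are cancelled
# by a "!" exclusion elsewhere in the same string.
dead_cipher_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        /^!/ { banned[substr($0, 2)] = 1; next }   # "!RC4" -> banned["RC4"]
        NF   { tok[++n] = $0 }                     # keep every other token
        END {
            for (i = 1; i <= n; i++) {
                m = split(tok[i], part, "+")
                for (j = 1; j <= m; j++)
                    if (part[j] in banned) { print tok[i]; break }
            }
        }'
}

# The ciphers value from the stunnel.conf shown above.
PAGE_CIPHERS='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'

# dead_cipher_tokens "$PAGE_CIPHERS"
```

`openssl ciphers -v "$PAGE_CIPHERS"` prints the suites the local OpenSSL build actually enables for the string, which is the authoritative check.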

Here is a good Mozilla resource for Server Side TLS (https://wiki.mozilla.org/Security/Server_Side_TLS) including a link to Mozilla SSL Configuration Generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/)

As Always, Good Luck!



---

May 30, 2013

Install nfsight plugin for nfsen on CentOS 6


Install nfsight plugin for nfsen netflow/sflow collector/analyser on CentOS 6 (and probably RedHat 6)

This was done with nfsen 1.3.6p1 and nfdump 1.6.6 -- I have not yet upgraded to any newer versions which may be different.

This was one of the most difficult installations I've done to date.  I had attempted to do so at least twice if not thrice without success.  The key was to know about the chgrp command which I had not used before.  Also mysql was not something I was overly familiar with.  I attempted this task knowing I had failed in the past, but I also knew I had gained more Linux experience since those attempts.  I was very excited to succeed this time.

Here are my notes, because quite frankly I have not found any hints online other than the official installation guide which is bare minimum.

Please comment, especially if you find errors or know better solutions.  Enjoy.

Edit: newer nfsight version available: nfsight-beta-20140905.tgz ; just replace references.

######################################################
### Install nfsight plugin for nfsen on CentOS 6.4 ###
### http://sourceforge.net/p/nfsight/home/Nfsight/ ###
### Prerequisite: nfsen/nfdump already operational ###
######################################################

#################################################################
### Your nfsen and webserver directories may indeed be different.
### Apply settings as they pertain to your directory structure.
###
### My server's configuration:
### nfsen installed to /usr/local/nfsen
### nfsen website installed to /var/www/html/nfsen
### website owner=root, group=apache
###
### All commands performed as root.
#################################################################

### install prerequisites
yum install mysql mysql-server perl-DBI perl-DBD-MySQL php-mysql

### download and untar nfsight v.20130323
cd ~
### -O names the saved file; otherwise wget saves it as "download"
wget -O nfsight-beta-20130323.tgz http://sourceforge.net/projects/nfsight/files/nfsight-beta-20130323.tgz/download
tar xvfz nfsight-beta-20130323.tgz
cd ~/nfsight-beta-20130323

### following http://sourceforge.net/p/nfsight/wiki/Installation/

### copy nfsight.pm to plugins directory
cp ~/nfsight-beta-20130323/backend/nfsight.pm /usr/local/nfsen/plugins/

### make nfsight data directory and set rights
mkdir /var/www/html/nfsen/plugins/nfsight
chgrp -R apache /var/www/html/nfsen/plugins/nfsight

### make nfsight website directory
mkdir /var/www/html/nfsen/nfsight

### copy frontend to nfsight website directory
cp -R ~/nfsight-beta-20130323/frontend/* /var/www/html/nfsen/nfsight/

### set rights to nfsight website
chgrp -R apache /var/www/html/nfsen/nfsight/

### unsure if necessary - set write permissions for apache
chmod g+w /var/www/html/nfsen/nfsight/
chmod g+w /var/www/html/nfsen/plugins/nfsight
### if nothing else apache must write config.php
### touch /var/www/html/nfsen/nfsight/config.php
### chmod g+w /var/www/html/nfsen/nfsight/config.php

### install mysql service and start it 
yum install chkconfig 
chkconfig mysqld on
service mysqld start

### first time setup of mysql
/usr/bin/mysql_secure_installation


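#################################################################
### create nfsight database -- probably overkill but this worked
### replace 'password' with your own value and use the same value
### for sql_pass in nfsen.conf below
### root@'%' matches connections from any host; nfsen.conf below
### connects with sql_host => "localhost"
#################################################################
mysql -u root -p 
Enter password: 

mysql> CREATE DATABASE nfsight;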

mysql> GRANT ALL PRIVILEGES ON nfsight.* TO root@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on nfsight.* TO root@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON nfsight.* TO 'root'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye

#################################################################
### launch http://yourserver/nfsight/installer.php
### 
### setup as you desire including proper paths:
### URL = /nfsight/
### Path to data files = /var/www/html/nfsen/plugins/nfsight
#################################################################

#################################################################
### settings can be edited later without installer.php: 
### nano /var/www/html/nfsen/nfsight/config.php
### nano /var/www/html/nfsen/nfsight/detail.php
#################################################################

#################################################################
### edit detail.php to include proper paths:
### /bin/grep
### /bin/cat
### /usr/bin/pcv
#################################################################
nano /var/www/html/nfsen/nfsight/detail.php


#################################################################
### edit /usr/local/nfsen/etc/nfsen.conf
### add settings as output by installer.php
### 
### your setting may vary:
#################################################################
@plugins = (
[ '*', 'nfsight' ],
);

%PluginConf = (
        nfsight => {
                path => "/var/www/html/nfsen/plugins/nfsight",
                expiration => "180",
                processing_timer => "",
                network => {
                        "10.0.0.0" => "8",
                },
                scanner_limit => "5",
                bidirectional_via_nfdump => "",
                print_int_scanner => "1",
                print_ext_scanner => "1",
                print_int_client => "0",
                print_ext_client => "0",
                print_int_server => "1",
                print_ext_server => "0",
                print_int_invalid => "0",
                print_ext_invalid => "0",
                sql_host => "localhost",
                sql_port => "3306",
                sql_user => "root",
                sql_pass => "password",
                sql_db => "nfsight",
        },
);
#################################################################

### restart nfsen
/usr/local/nfsen/bin/nfsen stop
/usr/local/nfsen/bin/nfsen start
/usr/local/nfsen/bin/nfsen status

### edit cron jobs as described by installer.php
crontab -e
06 * * * *  /usr/bin/wget --no-check-certificate -q -O - http://management:aggregate@127.0.0.1/nfsight/aggregate.php


#################################################################
### optional: install picviz
#################################################################
### picviz 0.6-8 has only one dependency issue in CentOS 6.4
### picviz 0.6-8 requires libev available in the EPEL repository
### What is EPEL?: https://fedoraproject.org/wiki/EPEL
#################################################################

### Install the EPEL repository 
### This is the 64-bit version, you may need to locate the 32-bit version
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

### install picviz prerequisite libev from EPEL
yum install libev

### install picviz 0.6-8 64-bit
wget https://depots.global-sp.net/CentOS/6/x86_64/picviz-0.6-8.el6.x86_64.rpm
rpm -i picviz-0.6-8.el6.x86_64.rpm 
wget https://depots.global-sp.net/CentOS/6/x86_64/picviz-plugin-pngcairo-0.6-8.el6.x86_64.rpm
rpm -i picviz-plugin-pngcairo-0.6-8.el6.x86_64.rpm 

### fix errors described by nfsight regarding picviz
chmod g+w /var/www/html/nfsen/nfsight/cache
chmod g+x /var/www/html/nfsen/nfsight/bin/biflow2picviz.pl


January 15, 2013

Redirect http to https on Apache server (httpd)

After googling http to https redirect, I found several answers that simply did not work (for me).  Finally I came across one that did:

In the directory of your web-content, create the file .htaccess and fill it with these directives:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI}

That's it.

This worked on CentOS 6.3 and Apache 2.2.15

p.s. Don't forget your firewall settings.