How to check if a SSL Certificate is expired

Have you ever wondered how you can check the validity of a certain SSL certificate from shell / SSH? There is an useful script that we typically use on our end. If the location provided below is no longer available, please feel free to contact us as we have a copy.

wget http://prefetch.net/code/ssl-cert-check -O /PATH/TO/SAVE/FILE

Replace “/PATH/TO/SAVE/FILE” wieth your own preferred path of choice e.g. “/usr/local/src/ssl-cert-check”. We will now use this path in our example.

cd /usr/local/src/
chmod +x ssl-cert-check
./ssl-cert-check -c /PATH/TO/SSL/YOURDOMAIN.CRT

The script will output whether the certificate is still valid. Enjoy.

How to secure SSH

In our work with clients, we do a lot of server management and security hardening on the servers before it’s released to the clients. One of the first things we typically work on is to ensure SSHd is secured. The reason is that any kernel root exploit will be made easier with shell access.

This tutorial is not meant to be all encompassing, although we will cover a few key areas. We will use Redhat / CentOS Linux distribution as an example and file paths will vary depending on the distribution. We will also use “nano” as the text editor in the examples.

Change the SSH port

While security by obscurity is heavily criticized in some quarters, the truth is due to the time taken to scan all the ports, unless it’s a targeted attack, this step should immediately stop scanners dead in their tracks.

nano /etc/ssh/sshd_config

Change:

#Port 22

to (Replace “NEW_PORT” with your port of choice)

Port <NEW_PORT>

Allow only strong protocols

Version 1 of the SSH protocol has many weaknesses, of which it’s out of scope of this article to discuss. But we will be disabling it.
Change:

#Protocol 2,1"

to

Protocol 2

Allow only strong protocols

Version 1 of the SSH protocol has many weaknesses, of which it’s out of scope of this article to discuss. But we will be disabling it.
Change:

#Protocol 2,1"

to

Protocol 2

Disable Password Authentication

We advise that you consider using only key authentication with your server. This means that even if someone someone get your password, your server will continue to be secure. If you are unsure about how to generate a SSH keypair, do refer to our quick tip here.

Change:

#PasswordAuthentication yes

to

PasswordAuthentication no

On top of that, you would need to disable direct root login:

Change:

#PermitRootLogin yes

to

PermitRootLogin without-password

 

Restart SSHd:

/etc/init.d/sshd restart

Enjoy better SSH security!

How to generate SSH keypairs

We will be using Redhat / CentOS conventions in our examples in terms of the file paths.

Generate the Key Pair

ssh-keygen -t rsa -b 2048

This should generate the files in ~/.ssh/, “id_rsa” and “id_rsa.pub”

id_rsa is your private key and should NEVER be given out. id_rsa.pub is your public key which can be freely shared.

Enjoy better security!

Reclaiming space from PHP error logs

If you ever have a Cpanel server running after a while, you would notice invariably that most of the accounts or users will have accumulated error logs within their home directories. When you have a running server for a while, this can take up many GB. Here’s a quick way to reclaim some space:

find /home/ -name error_log  -exec rm -rf {} \;

Enjoy some extra space!