If you are going to be using RT, you need to get the “RT Essentials” book written by Jesse Vincent, Robert Spier, Dave Rolsky, Darren Chamberlain, and Richard Foley. It is a good reference and a quick read. For up-to-date information, see the RT Wiki and the Best Practical Solutions blog site.

Prerequisites

To start, please review the following posts:

1. An Apache Implementation
2. Apache and OpenSSL
3. PHP Implementation
• PHP as a Module
• PHP as a CGI
• PHP Configuration Modifications
4. Introduction to MySQL
5. Setting Up and Securing MySQL: References
6. Implementing a Web Application Firewall with ModSecurity

Install Software

With Apache, MySQL, PHP, OpenSSL, and ModSecurity installed, we are now ready to focus on software packages required by RT.

1. Installing expat.

Different operating systems will vary on whether expat, the XML parser, is installed. Expat is needed to complete the cpan install for XML::RSS. Check your particular operating system.

 root# cd /usr/local/src
 /usr/local/src root# wget http://downloads.sourceforge.net/expat/expat-2.0.1.tar.gz
 /usr/local/src root# tar xzf expat-2.0.1.tar.gz
 /usr/local/src root# cd expat-2.0.1
 /usr/local/src/expat-2.0.1 root# ./configure
 /usr/local/src/expat-2.0.1 root# make
 /usr/local/src/expat-2.0.1 root# make check
 /usr/local/src/expat-2.0.1 root# make install

2. Install FastCGI

For RT, you can install mod_perl or mod_fastcgi. In this posting, we are going to walks through the installation of FastCGI. Information concerning mod_perl will be provided below so the reader can chose what fits best in their environment. FastCGI is much simpler to install and allows the core Apache process to stay small in size. With FastCGI, RT runs as a separate process from Apache allowing RT to be stopped and restarted without affecting the Apache server. In general, FastCGI programs are easier to manage.

The Apache module mod_fastcgi allows a web server to run CGI scripts via a separate, persistent program. PHP comes with FastCGI support compiled in by default, so nothing needs to be done to the PHP installation.

You can have the Apache program call FastCGI, and have it run as the same user as the Apache server or use suexec to have FastCGI switch to a different user. Under some operating systems, suexec may not get compiled and installed when installing Apache. Check if suexec is installed, and if not go back to the Apache source, compile it, and install it. Initially, we are not going to use the suexec program. Instead we will create the group “rt”, add user httpd to group rt, and set permissions that way. You may choose later to use suexec.

 root# ls -la /usr/local/apache/bin/suexec
ls: /usr/local/apache/bin/suexec: No such file or directory
 root# cd /usr/local/src/httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# make suexec
 /usr/local/src/httpd-2.2.8 root# cp ./support/suexec /usr/local/apache/bin/suexec

Now, we are ready to get mod_fastcgi installed.

 root# cd /usr/local/src
 /usr/local/src root# wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# tar xzf mod_fastcgi-2.4.6.tar.gz
 /usr/local/src root# cd mod_fastcgi-2.4.6
 /usr/local/src/mod_fastcgi-2.4.6 root# cp Makefile.AP2 Makefile
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache
 /usr/local/src/mod_fastcgi-2.4.6 root# make top_dir=/usr/local/apache install
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/mod_fastcgi-2.4.6 root# vi /usr/local/apache/conf/httpd.conf

Add the following lines to the Apache httpd.conf file:

# Load the mod_fastcgi module.
LoadModule fastcgi_module modules/mod_fastcgi.so

Check if installation and configuration is working.

 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/mod_fastcgi-2.4.6 root# /usr/local/apache/bin/apachectl start
 /usr/local/src/mod_fastcgi-2.4.6 root# cat /var/www/logs/error_log | grep -i fastcgi
[Fri Aug 01 12:17:22 2008] [notice] FastCGI: process manager initialized (pid 15221)
[Fri Aug 01 12:17:22 2008] [notice] Apache/2.2.8 (Unix) mod_ssl/2.2.8
OpenSSL/0.9.7a mod_fastcgi/2.4.6 configured -- resuming normal operations

For in depth coverage of mod_perl, Stas Bekman and Eric Cholet have written the book, “Practical mod_perl.” They have made the complete book available online in both HTML and PDF format under the Creative Commons Attributes Share-Alike License. Stas Bekman and Jim Brandt have also written the “mod_perl2 User’s Guide Book” where 50% of the book’s proceeds go to The Perl Foundation.

If you are installing under Mac OS X, mod_perl may complain about Perl 5.8.8 being built without threads and you will get a message about building perl with -Duserthreads. If you are determined to use mod_perl, consider dropping back to Apache 1.3.x and using mod_perl 1.x. While Apache 1.3.x is legacy code, and I tend to want to use the code that is being actively developed, there is an argument for using Apache 1.3.x. One major feature of Apache 2.x is threading. On Windows, where most basic libraries are and must be threadsafe, Apache 2 is really the only choice. Earlier Mac OS X releases did not include a completely thread-safe libc, so threading is still not fully supported in Perl. This is why the Perl version that comes with Mac OS X is not compiled to use threads. To use Apache2.x, Perl will need to be configured to use threads. The code is available from the Perl web site.

Rather than getting bogged down in compiling Perl to use thread, we will move ahead and use FastCGI. By the time this post, I will have worked on getting RT installed under Linux, Mac OS X, and FreeBSD. Figuring out what software works best in a multi OS environment can be challenging.

3. Configure RT

Let us start by adding the group RT. Under many operating systems, this would be done with the simple command “groupadd rt.” Things are always more interesting under Mac OS X, where you would have to first look at what group ids (gid), choose an unused gid, and then create the rt group using that gid. Under Mac OS X Leopard, group rt would be created with the commands:

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/rt gid gid-of-rt
 root# dscl . create /groups/rt passwd '*'
 root# dscl . read /groups/rt
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-rt
RecordName: rt
RecordType: dsRecTypeNative:groups

RT’s primary maintenance and documentation site is http://www.bestpractical.com. Documentation can be found at the Best Practical Solutions RT Wiki located at http://wiki.bestpractical.com/. The latest TAR/GZ is located at http://download.bestpractical.com/pub/rt/release/rt.tar.gz. The lack of any version numbers means the version can be updated at any time. The latest version, as of this writing, is 3.8.0.

The following are the steps for downloading and configuring RT:

 root# cd /usr/local/src
 /usr/local/src root# wget http://download.bestpractical.com/pub/rt/release/rt.tar.gz
 /usr/local/src root# tar xzf rt.tar.gz
 /usr/local/src root# cd rt-3.8.0
 /usr/local/src/rt-3.6.5 root# ./configure \
  --with-web-user="httpd" \
  --with-web-group="httpd" \
  --with-rt-user="httpd" \
  --with-rt-group="rt"

4. Install Apache::TEST

Perl module Apache::TEST will not allow you to run the test check as root. You can download the module separately as a non root user and after configuring, compiling, and testing the program, you install it as root.

 root# su - goofy
 ~$ cd src
 ~/src goofy$ wget http://search.cpan.org/CPAN/authors/id/P/PH/PHRED/Apache-Test-1.30.tar.gz
 ~/src goofy$ tar xzf Apache-Test-1.30.tar.gz
 ~/src goofy$ cd Apache-Test-1.30
 ~/src goofy$ perl Makefile.PL
 ~/src goofy$ make
 ~/src goofy$ make test
 ~/src goofy$ sudo su root
 root# make instal

5. Run fixdeps Command and Install Perl Modules

Now you are ready to utilize the fixedeps utility that comes with RT to install required Perl modules. There is also the testdeps utility to test if all dependencies are installed and RT is ready to be installed. You may need to run fixdeps multiple times before testdeps reports that you have all required software packages. The first time through, it can take awhile (depending on your installation). Be aware that some perl modules may need to be installed manually. It various depending on OS and your environment. You will be able to tell which modules need manual installation by the final message provided by the fixdeps program.

 root# cd /usr/local/src/rt-3.8.0
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make fixdeps
 /usr/local/src/rt-3.8.0 root# make testdeps

6. Install RT

The final installation of RT is the easy part.

 /usr/local/src/rt-3.8.0 root# make install

7. Configure RT_SiteConfig.pm

We now will configure /opt/rt3/etc/RT_SiteConfig.pm. In the next step a database user and a database will be setup. We are only adding those values to the configuration file in this step. I am going to set up a hostname (rt.securitymonks.com) for my current machine. Please do not copy blindly. Change this to your environment. We will create the hostname so it only exists locally by adding an entry into the machines /etc/hosts file. Right now, I am only going to access the Apache server from this machine. In other words, the client and server will be on the same box.

 /usr/local/src/rt-3.8.0 root# vi /etc/hosts

Add the following line, adapting it to your organization:

 /usr/local/src/rt-3.8.0 root# vi /etc/hosts
##
127.0.0.1       localhost
10.1.218.202   rt.securitymonks.com

We are now ready to modify the RT_SiteConfig.pm file.

 /usr/local/src/rt-3.8.0 root# vi /opt/rt3/etc/RT_SiteConfig.pm

At minimum, add the following linesto /opt/rt3/etc/RT_SiteConfig.pm:

Set($rtname, 'BRORT');
Set($Organization, 'securitymonks');

Set($CorrespondAddress , 'john@securitymonks.com');
Set($CommentAddress , 'john@securitymonks.com');

Set($Timezone , 'US/Eastern'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'secret');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , '');
Set($WebBaseURL , 'https://rt.securitymonks.com');

# Logging
Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/opt/rt3/var/log');
Set($LogToFileNamed, "rt.log");

8. Initialize the Database

RT needs to create the rtdb database, the rt db users, and initialize some tables. This can be done with the command initialize-database, which should be run only once.

 /usr/local/src/rt-3.8.0 root# make initialize-database
 /usr/local/bin/perl sbin/rt-setup-database --action init --dba root --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to your mysql
instance on localhost as root.  Please specify that user's database password below. If the
user has no database

password, just press return.

Password:
Working with:
Type:   mysql
Host:   localhost
Name:   rtdb
User:   rtuser
DBA:    root
Now creating a mysql database rtdb for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs
Granting access to rtuser@'localhost' on rtdb.
Done.
Now inserting RT core system objects
Done.
Now inserting data
Done inserting data
Done.

Check the MySQL database out.

 /usr/local/src/rt-3.8.0 root# mysql -u rtuser -p
mysql> use rtdb;

9. Modify Apache Configuration File

Edit the /usr/local/apache/conf/httpd.conf file.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl stop
 /usr/local/src/rt-3.8.0 root# vi /usr/local/apache/conf/httpd.conf

We are going to have the RT server run under our secure web server. Find the “<virtualhost _default_:443>” line, change it to “<virtualhost 10.1.218.202:443>“. Add the following lines to that section (adjusting to your environment):

   ServerName rt.securitymonks.com
   DocumentRoot /opt/rt3/share/html
   ErrorLog /usr/local/apache/logs/rt.error
   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   CustomLog /usr/local/apache/logs/rt.access_log combined
   AddHandler fastcgi-script fcgi
   ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/

Add the user the Apache server runs as (httpd by default), to the RT group. For non Mac OS X, modify group membership by editing the file /etc/group (vi /etc/group). Mac OS X users need to user the dscl command.

 root# dscl . append /groups/rt GroupMembership httpd
 root# dscl . read /groups/rt

Change the group and permission on the log area if you have told RT to log to /opt/rt3/var/log.

 root# chgrp rt /opt/rt3/var/log
 root# chmod g+w /opt/rt3/var/log

Test the configuration of the file, and if everything checks out start up Apache.

 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl configtest
Syntax OK
 /usr/local/src/rt-3.8.0 root# /usr/local/apache/bin/apachectl start

Remember there are now three files to check for problems with RT.

• /opt/rt3/var/log/rt.log
• /usr/local/apache/logs/rt.error
• /usr/local/apache/logs/rt.access_log

There are many configuration operations. The options chosen in this post represents only the minimal to get RT running. Please see the RT Wiki’s FastCGIConfiguration page for additional information.

10. Access RT and Change the Default Password

Now it is time to log in and change the default password. Using the entry we made in our /etc/hosts file, we can now access the site by going to https://rt.securitymonks.com. This URL should be different for your site. You will see a login screen similar to the image on the left.

Log in using the username “root” and password “password“. Once logged in, you will see the screen similar to the image below (click on the image if you need to enlarge):

Over on the left menu bar, select “Configuration.” That will bring you to the “RT Administration” screen:

Select, “Users.” That will bring you to the “Select a user” screen:

Select the user “root,” which will bring you to the “Modify the user root” screen. If you look at the lower left of the screen, there is a “Access Control area.” There is a place to enter “New Password.” Do so. The screen looks like:

Make sure to hit the “Save Changes” button at the bottom of the screen. With a working copy of RT, you are not ready to start adjusting configurations and working with the program. For additional information, Please check out the “RT Essentials” and the RT Wiki and the Best Practical Solutions blog site. Look for future posts to build upon the RT installation and database.

OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Hubert Seiwert, Internet Security Specialist at Westpoint Ltd., released debian_ssh_scan.py on May 16th. The code does remote check for weak Debian sshd host keys as identified in CVE-2008-0166. The fingerprints are taken from keys generated by HD Moore’s common and uncommon keys. Mr. Seiwert also used Justin Azoff’s multi-threading code. While it is not the only scanner, Mr. Seiwert did a very nice job.

For those who might be less familiar with Python, I thought I would walk through getting debian_ssh_scan.py installed. Most distributions of Linux and Unix have Python installed and with a few additional steps you will be ready to scan your hosts for vulnerabilities.

Set HTTP_PROXY

If you need to access the Internet through a proxy server, the HTTP_PROXY environment variables should be set. This will allow wget, Python’s urllib module, and other applications (yum, apt-get etc) to use this environment variable to access http/https through the proxy server.

# export HTTP_PROXY="http://<proxy-server-ip>:<port>"

Replace “<proxy-server-ip>” with your proxy server name/ip and “<port>” with the proxy’s port.

Install setuptools

The setuptools module is a way to allow developers an easy way to build and distribute Python packages in a single-file archive called an “egg.” The steps to get setuptools installed are:

1. Download the appropriate egg for your version of Python (e.g. setuptools-0.6c8-py2.3.egg). Do NOT rename it.
2. Run it. Setuptools will install itself using the matching version of Python (e.g. python2.3), and will place the easy_install executable in the default location for installing Python scripts (as determined by the standard distutils configuration files, or by the Python installation).

To install:

# cd /home/ger/software
# wget http://pypi.python.org/packages/2.3/s/setuptools/setuptools-0.6c8-py2.3.egg
# sh setuptools-0.6c8-py2.3.egg

Install paramiko

The python module paramiko implements SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Below, the easy_install executable is used. The Python module easy_install is bundled with setuptools and allows for automatically download, build, install, and management of Python packages.

# cd /home/ger/software
# wget http://www.lag.net/paramiko/download/paramiko-1.7.3.tar.gz
# tar xzf paramiko-1.7.3.tar.gz
# cd paramiko-1.7.3
# easy_install ./

Pull Down debian_ssh_scan_v4

The python script debian_ssh_scan_v4 can now be installed.

# cd /home/ger/software
# wget http://itsecurity.net/debian_ssh_scan_v4.tar.bz2
# bzip2 -cd debian_ssh_scan_v4.tar.bz2 | tar xvf -
 # cd debian_ssh_scan_v4

Start Scanning

You are now ready to start scanning. The below IP is used only for demonstration purposes. Use your own site’s IPs.

#  ./debian_ssh_scan_v4.py 127.0.0.1:22
201691 fingerprints loaded.
127.0.0.1:22 sshd fingerprint 97382c98fe3d45fa779abd34bb65fb73 VULNERABLE (RSA 2048 bit key, pid 5214)

Modify targets.txt, if you want to create a file of IPs. Run the file of IPs through the scan program using the command:

# cat targets.txt | ./debian_ssh_scan_v4.py

Final Words

Debian has issued an update for OpenSSL. For affected systems, the software packages need to be updated and all cryptographic key material must be recreated. Please see Security Focus references for more details.

If you are using Apache 2.x, which is what we installed in the previous post, Apache supports SSL already with the mod_ssl module. If you need to check if mod_ssl is part of your Apache configuration, do so with the command:

/usr/local/apache/bin/httpd -l

Having established that mod_ssl module is installed, we will now go through the steps of generating a certificate request, approving the certificate, and add to Apache configuration file required lines to create a SSL enabled Apache server.

Key Generation

We start off by generating a non password protected 1024 bit server private key using the RSA algorithm. We will have the key stored in the file server.key.

 root#  cd /usr/local/apache/conf
 /usr/local/apache/conf root# mkdir ssl
 /usr/local/apache/conf root# cd ssl
 /usr/local/apache/conf/ssl root# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................................................................++++++
....++++++
e is 65537 (0x10001)

 /usr/local/apache/conf/ssl root# cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDS1A7eGdTo39tnYdzYI3Ifl1/sA4ZiY7PzkDU68tZoA4WzJB9n
aSJHCbd0ESG0oPiyf/yqMyNR2ECwjLUFo1m1nrON2w3QdM5zFZZv6v7jDt40u3bT
95XwdFG4FYDw+gq6liuRAkAe2+B6WM1Qv5rN3IzhmZmPA8YjV/sbPzNmzIuNHrVw
FY0WkRzrEF6P36Z6RVJQSzgzx4pDeu5rRX88HxLdTm4Uz6maiwhLsxZv0QIDAQAB
hsqZuAY7esEvSlL9xxXHxHL9Ywl/EXnXSMcJ9ktSobs/T0favkQKulgq6ov9TzIQ
v2Z2vLEABQJBANeKaGm41GgDZp3yEIuNKUp0OjwnORpkuYf/DFA+ox1AAS2OPGjV
iua7aiHYPPF6O6Knb+6SiBRFVkjB6Pz1Fl0CQFs7mxCIHrvTjGN8EcHQ038IP/iu
AoGBAMLjcFLzghM7TDBHEMVkDs0RO4SKxaESFXkjZ3F0papFB0TQMY+AakVMwB80
7vlwjDVFhqU23IF97F7H01bA590DfIxg6c11w4PdlxHVb9Kv+K7P7mve3wbJEUV+
rYr8r+Hr25Fegzwg1tfgFLDDkDoeC3u1wbQNCmL/qksSrD6hAkEA+mc0g4S92Y6S
gDQ3JU/YLaYV4aw2Xk/v5RtNmk++73QtU++azuXSFeDbHHHsZdm2tXBOdRkCQQCv
vg68hRPLa1p0VjbfUk3kgzgoa+LHfnE4TeEAXNIqu1E6j8r5v4Pt9cnnpqSqT/vn
qzTyQmTBW621ioer5A4v2QocJ2R6XhgjDwFOmKTGs0mH
-----END RSA PRIVATE KEY-----
 /usr/local/apache/conf/ssl root# chmod 400 server.key

Certificate Signing Request (CSR)

The next step is to create a certificate-signing request (CSR), which is used as a message sent asking a certificate authority (CA) to sign a certificate. If you want a field to be empty, do not hit return. That would just select the default value. Instead, use “.”. Below, I have left my responses off. Enter your own appropriate values. The generated CSR will be the file server.csr.

 /usr/local/apache/conf/ssl root# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 /usr/local/apache/conf/ssl root#  cat server.csr

You can now send the CSR server.csr to your public CA. The CA will generate and sign the certificate. To make things more interesting, we are now going to sign our own CSR and generate a signed certificate server.crt. You can use the command “openssl x509″ to examine the certificate.

 /usr/local/apache/conf/ssl root# openssl x509 -req -days 365 -in server.csr \
-signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=New
 Jersey/L=Princetown/O=PU/OU=RS/CN=podus.pu.edu/emailAddress=jbond@pu.edu
Getting Private key
 /usr/local/apache/conf/ssl root# openssl x509 -text -in server.crt
 /usr/local/apache/conf/ssl root# chmod 400 server.crt

Configuration

Now we are going to enable SSL on our Apache server running the server off port 443. The server will use the certificate generated above. We are also going to disable SSLv2 since it has some problems and is disabled by default in Internet Explorer 7, Firefox 2, Opera 9, and Safari.

Modify the apache configuration file:

/usr/local/apache/conf/httpd.conf

adding the lines:

Listen 443
<virtualhost _default_:443>
#   SSL Engine Switch:
SSLEngine on
# Path to the server certificcate
SSLCertificateFile "/usr/local/apache/conf/ssl/server.crt"
# Path to the server private key
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/server.key"
# Allow SSLv3 only
SSLProtocol All -SSLv2
#   SSL Cipher Suite:
#   Disallow ciphers that are weak
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
# Make SSL work with Internet Explorer
SetEnvIf User-Agent ".*MSIE.*" \
              nokeepalive ssl-unclean-shutdown \
              downgrade-1.0 force-response-1.0
</virtualhost>

Depending on your requirements, you might want to run the server only over SSL. You can do this by stopping the server from listening on port 80. That would result in unable to connect message. Instead, it might be better to redirect traffic coming to http over to https. A great source of recipes for rewrite rule is the mod_rewrite Cookbook site.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

We will also add limitations to who can access the site by limiting who access the “/” directory. In the example below, we will limit it to 127.0.0.1. In the httpd.conf file, after the line “<Directory />” add the line:

SSLRequire  %{REMOTE_ADDR} =~ m/^127.0.0.1$/

Start Apache with the command:

/usr/local/apache/bin/apachectl start

You can try and access the web server with the URL:

http://yourhostname/

you will get the message:

Forbidden
You don't have permission to access / on this server.

Notice that the URL has changed from “http://yourhostname” to “https://yourhostname”. Now try and access the site using:

http://127.0.0.1/

You will get prompted whether to accept the certificate. Since you are accessing 127.0.0.1, it will complain about a domain name mismatch. The host you are trying to access needs to match the entry you provided for “Common Name” in the CSR, otherwise it will complain. If you accept the certificate, you can access the site.

Final Thoughts

At this point, we have secured communication between the client and the Apache web server. In my next post, we will discuss installing one more module, mod_security. Mod_security is a web application firewall and serves as another layer in our web defenses. It is not meant as a replacement for implementing good security in databases, web servers, or applications. That is why we have gone through all these additional steps first. Remember, once, SSLv2 was thought to be secure. Now we know otherwise. Vulnerabilities are continuously being discovered. Good security is about building up one’s defenses. It is a process, not a destination. Maybe one day some company will have a security solution that will defend systems against all threats. I know that is not today, no matter what sales folks might say. When that day comes, you can bet before that solution makes it to market, hackers will have found a way around it. So while we wait for the security rapture to take us to a secure promise land, implement security in layers. It is your best defense.