To list Iptables rules as commands ready to be entered, use the -S iptables option:

List iptables forward rules as commands

List iptables NAT rules as commands

Find php scripts that use mail() function to spam in your Linux server

Every shared web hosting provider runs into this issue at least monthly when a customer experiments with or leaves unattended a php script that is either designed for testing purpopses or designed to serve the contact / feedback page of his website and accepts HTTP GET or POST data as input data for mail function in PHP.
The worst case is when ...

How to copy x509 extensions from CSR to signed PEM with OpenSSL

Edit openssl.cnf, go to the authority section, my case "" and uncomment the following line:


This is often required for x509 extension Subject Alternative Name. SubjectAltName is a x509 extension that permits various literal values to be included in the signed certificate. It is used for ipsec VPNs, more ...

OpenSSL CSR signing error: The countryName field needed to be the same in the CA certificate and the request



This is a generic OpenSSL error that occurs when the certificate signing request ...

So today I finally allocated some time to enable IPv6 for the forum. I did this via HE tunnel broker free service (IPv6 /64 in ipv4 tunnel).

Since I chose to enable IPv6 in packet-mode on the SRX (packets are forwarded without security inspection), the server needed some security hardening: disable all daemons on IPv6, except for web server.

Few useful notes:
1. Use following lsof commands to check your IPv6 running daemons:
- lsof ...

This is not recommended if SElinux is a requirement. Using it only for test:

When accessing an URL that is protected and intended for authenticated users, the browsers authenticates to the server with a cookie (PHPSESSID or whatever else). Based on that cookie, the server does internal checks to see if the user is authenticated or not.

If you have access to that URL and you want to test it from CLI, here is how to test it with CURL.

First, I'll test this such resource with curl without ...

Some free Certificate Authorities on the internet are not root CAs, but are intermediate level. This means that they will sign one's SSL certificate, but they are not recognized by the browser because most of the browsers only recognize root CAs.

How to see certificate chain of a HTTPS website:
# openssl s_client -connect ivorde.ro:443 -tls1
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
--- ...

You can download Nemesis tool from http://nemesis.sourceforge.net/ and libnet library from http://code.google.com/p/ips-builder/downloads/detail?name=libnet-1.0.2a.tar.gz&can=2&q=

Untar Libnet first and enter the directory:


make sure your PATH variable contains the directory where libnet-config is. (after installing libnet, it should be in /usr/lib)
Install nemesis:


Now Nemesis is ready to use.

How to disable ssh daemon reverse lookups for clients IP addresses.

What are IP reverse lookups

It is the DNS PTR (Pointer) query that maps an IP address to a fully qualified domain name or hostname. IP reverse lookups can be manually resolved with dig or nslookup commands:

SSH reverse lookups

According to man sshd_config SSH daemon will do a reverse lookup of incoming connection source IP and then ...