« Previous

0-Day Exploit “Apache-Killer”

Published at: Thursday, 25. August 2011

Today I read about a 0-day exploit for the apache webserver on golem.de.

A quick test if the webserver on my debian VPS is also vulnerable was successful. :-(

But the proposed workaround works quite well for me.
Here are the steps, that I did to prevent my own apache webserver from being exploited (default apache2 installation debian squeeze):

#edit /etc/apache2/conf.d/security and add the following line (e.g. at the end of the file):
RequestHeader unset Range
#reload apache
/etc/init.d/apache2 reload

Testresults:
Before:

perl apachekiller.pl 62.75.151.120 50
host seems vuln
ATTACKING 62.75.151.120 [using 50 forks]

After:

perl apachekiller.pl 62.75.151.120 50
Host does not seem vulnerable

GREAT! :-) Simply trick, but works fine.

1 Comment

Ubuntu Surfstation

Published at: Friday, 05. August 2011

For a public surfstation available for free we needed to have a system, that just simply always works. No user should be able to reset any configuration-settins, change the wallpaper, modify favorites or anything like that. The decision of the operating system was easy: Linux! :-)

The needed tasks to install this system are the following:

- Download and install Ubuntu (the “Gnome Edition”) with all updates (there should be tons of howtos for this in the net)

- During the installation create a user that will be automatically logged in.

- Disable all keyboard-shortcuts in the system-settings dialogue.

- Install the following two addons in Firefox: BlockSite and OpenKiosk
In the OpenKiosk Adminscreen (can be started directly from Firefox) you can customize your “hardened” Firefox. I personally set fullscreen mode, increased the reset interval to 3 minutes, enabled a 30 seconds warning before the reset and removed the Print button and zoom controls.

- Configure Firefox to start automatically when the user logs in.

- Create the file /etc/X11/xorg.conf with the following content. This disables the Ctrl+Alt+F1,Ctrl+Alt+F2, etc. shortcuts for switching through the gettys.

Section "ServerFlags"
 Option "DontVTSwitch" "true"
EndSection

- Mount the root Filesystem readonly with the aufs Filesystem. This ensures that a reboot of the Surfstation/Terminal resets everything to default settings (although there shouldn’t be many changes besides the browser history) Here is a great Tutorial for that.

No Comments , , , ,

VMWare: Debian NICs don’t come up after removing and adding virtual network card

Published at: Friday, 29. July 2011

A long time has passed after the last post to this blog. But I’m still alive and today there will be another. ;-)

Yesterday I stumbled upon some problems in our virtual infrastructure regarding the Debian Linux Servers. For several reasons (most important is a dedicated network for NFS) i needed to add another virtual network card to those servers. I also removed the existing card, because the type of that card was still “Flexible” and I wanted to change that to “E1000″ anyway.

So in short: 1 card (Flexible) was removed, 2 cards (E1000) were added. Sounds easy, but it wasn’t! :-(

SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
SIOCSIFADDR: No such device
SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
eth0: ERROR while getting interface flags: No such device

The interfaces don’t come up and i had no idea why!

After some investigation this issue seemed to be related to udev. The MAC address of the old NIC was still in the file /etc/udev/rules.d/z25_persistent-net.rules, but of course the MAC has changed after migrating to the new E1000 card.

The solution is to edit the above mentioned file and replace the wrong MAC address value(s) with the new ones.

After that the appropriate servies need to be restarted:

/etc/init.d/udev restart
/etc/init.d/networking restart

or in short:

reboot

That’s it! :-)

No Comments , ,

Klar, ich hab ja auch sonst nichts zu tun…

Published at: Tuesday, 02. November 2010

No Comments

How to create Colorkey images with GIMP

Published at: Tuesday, 27. April 2010

Note to myself:

1. File => Open
2. Image => Mode => Grayscale
3. Edit => Copy
4. Edit => Undo
5. Layer => New => Transparency => ok
6. Edit => Paste
7. Layer => Anchor Layer
8. Layer => Mask => Add Layer Mask => White (full opacitiy) => Add
9. Now use the Paintbrush-Tool to (re)color the parts of the image you like

Here’s a sample image:

Colorkey image made with GIMP

Colorkey image made with GIMP

3 Comments ,

Chive as an alternative to phpMyAdmin

Published at: Monday, 22. March 2010

Most of the mysql-admins out there will know phpmyadmin as a very helpful and reliable database administration tool. It’s available in most linux distros, can easily be installed and is for sure a very nice tool. Today I stumbled upon an alternative mysql administration-tool driven by php called chive.

From the project-website you can quickly see, that it already has a vast feature list and doesn’t need to hide after phpmyadmin.
My first impression is absolutely great and i think this tool can drain off phpmyadmin one day, but that’s of course a very subjective opinion.

More screenshots can be found here: http://www.chive-project.com/Screenshots

No Comments , , ,

Switching to nginx and php-fpm, so LAMP becomes LEMP

Published at: Wednesday, 20. January 2010

About two and a half years ago i ordered a virtual server for private purposes at Server4you. That was quite a long time ago and in the meantime you can get the same server for less money or a better server for the same price ;-)
As migrating from an old productline to a new one isn’t possible at Server4you I decided to order a new server and migrate all my services to it so that i can quit the old machine afterwards.

And here we go:
LAMP (Linux, Apache, MySQL and PHP) is quite common and i also used this setup (Apache with mod_php) for hosting some small websites on my old server. The planned migration made me think about alternatives and I crawled through many blogposts about NGINX – a webserver which gains more and more popularity in our days (see this survey for more details).
Therefor i decided to give it a try and that’s where LEMP comes from (NGINX is pronounced as Engine-X)

Another new thing i wanted to try out is the integration of PHP in a different way. A project called PHP-FPM (FastCGI Process Manager) adds some new features to the ‘normal’ FastCGI implementation. It’s more or less a patch for the PHP sourcecode and it seems like it will go directly to the PHP core with PHP version 5.3.3.

After a bit of compilation and writing some scripts to automate this for future use all the websites (mostly WordPress) run on my LEMP setup. To get SEO-friendly URLs with WordPress on nginx is a bit more tricky than before, because .htaccess files are not beeing parsed by nginx, but the effort is really worth it.

Here is a related snippet from my nginx configuration file for this blog (slightly modified):

server {
            listen   80;
            server_name www.schmalenegger.com;

            access_log /logs/schmalenegger.com_access.log;
            error_log /logs/schmalenegger.com_error.log;

            location / {

                        root   /var/www/schmalenegger.com/;
                        index  index.php index.html;

                        # Basic version of Wordpress parameters, supporting nice permalinks.
                        include /etc/nginx/wordpress_params.regular;
                        }

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9999;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
            include /etc/nginx/fastcgi_params.default;
            fastcgi_param SCRIPT_FILENAME /var/www/schmalenegger.com/$fastcgi_script_name;
            }
      }

And this is the content from /etc/nginx/wordpress_params.regular:

# WordPress pretty URLs:
if (-f $request_filename) {
break;
}
if (-d $request_filename) {
break;
}
rewrite ^(.+)$ /index.php?q=$1 last;

To be honest, I didn’t measure the differences between the performances of both setups, but I can really feel, that the webpages are being loaded much faster than before and also the memory consumption of nginx is absolutly awesome. So I’m quite happy with this new setup, but sometimes there are still some pitfalls to deal with.

1 Comment , , , , ,

Recovering a lost root password for MySQL

Published at: Monday, 28. December 2009

Once in a while (hopefully not to often) you need to recover the root password of a mysql database. Here is a quick guide how I do this normally:

1. Stop the running database (if it isn’t stopped already)

/etc/init.d/mysql stop

2. Start the database with the ‘skip-grant-tables’ option

mysqld_safe –skip-grant-tables &

3. Open the mysql console

mysql -u root

4. Set a new password for root (replace yournewpassword with a password of your choice)

mysql> UPDATE user SET Password=PASSWORD('yournewpassword') WHERE user = 'root';

5. Make the changes work immediately

mysql> FLUSH PRIVILEGES;

6. Stop the database again

kill `/path/to/mysql.pid` || killall mysqld

7. Start it up again the usual way

/etc/init.d/mysql start

That’s it :-)

No Comments ,

Connecting to MSSQL databases with PHP from Linux

Published at: Thursday, 22. October 2009

I needed to get some data from existing MSSQL databases with PHP. Connecting to such servers is a bit more tricky than mysql, because the mssql extension from php needs also a correctly configured TDS installation. But we’re lucky, there is an opensource implementation of the tds protocoll called FreeTDS. If you don’t want to use tds you can also try to get it to work with ODBC, but ODBC is very slow and that’s why it’s also not part of this blog post.

So here we go…

1. Installation of FreeTDS:
- Get the latest release of FreeTDS from here: http://freetds.org/ (the time i write this it’s 0.82)
- Extract and compile it:

tar xzvf freetds-stable.tgz
cd freetds-0.82/
./configure --prefix=/opt/freetds --with-tdsver=8.0
make
make install

- Edit /opt/freetds/etc/freetds.conf and add your MSSQL server like this:

[MSSQLserver]
host = hostname or ip
port = 1433
tds version = 8.0

MSSQLserver is used in your php code afterwards, so it might be a good idea to think of an appropriate name.

2. Installation of PHP
- Get the latest release of PHP from here: http://www.php.net/downloads.php
- Extract and compile it:

tar xjvf php-5.3.0.tar.bz2
cd php-5.3.0/
./configure --prefix=/opt/php --with-apxs2 --with-mssql=/opt/freetds
make
make install

This is a very limited version of PHP just to show the required options in order to get PHP to work with MSSQL. If you have additional requirements like mysql-support or gd processing stuff you need to add those options to the configure call.

After that you need to tell Apache to load the appropriate module (libphp5.so). Add the following line to your httpd.conf file:

LoadModule php5_module        /usr/lib/httpd/modules/libphp5.so

The location of the module may vary.

If everything went fine, you can now start to ‘CRUD’ your MSSQL data. Have fun…

1 Comment , , ,

NIC bonding (aka NIC teaming) with Debian Lenny

Published at: Monday, 05. October 2009

In order to move our Nagios installation from a virtual server to a dedicated hardware machine i installed Debian Lenny on a HP Proliant DL 380 G5. This server has two integrated NICs which can easily be used together as a network bond. So if one way to or from the server failes, the machine is still available through the other card.

All the necessary requirements such as the bonding module and stuff are available in the debain standard kernel (the time i wrote this: 2.6.26-2-amd64)

What’s still left to do is to install the ifenslave package:

 apt-get install ifenslave-2.6

and to modify some configuration files
/etc/modprobe.d/arch/i386 or /etc/modprobe.d/arch/i386 (depending on your architecture):

alias bond0 bonding
options bonding mode=1 miimon=100 downdelay=200 updelay=200

Mode 1 (also called: active-backup) means, that only one interface is active. The other one comes only into play, when the first (active) card fails. So this mode is only for fault tolerance and not for loadbalancing, but the configuration of this mode is very simple, because it doesn’t require additional switch configuration.

Edit /etc/network/interfaces and configure the bond0 interface:

auto bond0
iface bond0 inet static
   address 10.10.0.25
   netmask 255.255.255.0
   gateway 10.10.0.1
   up /sbin/ifenslave bond0 eth0 eth1
   down /sbin/ifenslave -d bond0 eth0 eth1

Don’t configure any additional network settings for eth0 and eth1!

For testing purposes you can now load the bonding module (will also be done automatically when the servers boots):

modprobe bonding

and restart your network:

/etc/init.d/networking restart

Now you should be able to ping the server from another host and plug/unplug the cables of the two integrated NICs while the server always answers the ping requests.

3 Comments ,
« Previous