0-Day Exploit “Apache-Killer”

Today I read about a 0-day exploit for the apache webserver on golem.de.

A quick test if the webserver on my debian VPS is also vulnerable was successful. :-(

But the proposed workaround works quite well for me.
Here are the steps, that I did to prevent my own apache webserver from being exploited (default apache2 installation debian squeeze):

#edit /etc/apache2/conf.d/security and add the following line (e.g. at the end of the file):
RequestHeader unset Range
#reload apache
/etc/init.d/apache2 reload

Testresults:
Before:

perl apachekiller.pl 62.75.151.120 50
host seems vuln
ATTACKING 62.75.151.120 [using 50 forks]

After:

perl apachekiller.pl 62.75.151.120 50
Host does not seem vulnerable

GREAT! :-) Simply trick, but works fine.

Ubuntu Surfstation

For a public surfstation available for free we needed to have a system, that just simply always works. No user should be able to reset any configuration-settins, change the wallpaper, modify favorites or anything like that. The decision of the operating system was easy: Linux! :-)

The needed tasks to install this system are the following:

– Download and install Ubuntu (the “Gnome Edition”) with all updates (there should be tons of howtos for this in the net)

– During the installation create a user that will be automatically logged in.

– Disable all keyboard-shortcuts in the system-settings dialogue.

– Install the following two addons in Firefox: BlockSite and OpenKiosk
In the OpenKiosk Adminscreen (can be started directly from Firefox) you can customize your “hardened” Firefox. I personally set fullscreen mode, increased the reset interval to 3 minutes, enabled a 30 seconds warning before the reset and removed the Print button and zoom controls.

– Configure Firefox to start automatically when the user logs in.

– Create the file /etc/X11/xorg.conf with the following content. This disables the Ctrl+Alt+F1,Ctrl+Alt+F2, etc. shortcuts for switching through the gettys.

Section "ServerFlags"
 Option "DontVTSwitch" "true"
EndSection

– Mount the root Filesystem readonly with the aufs Filesystem. This ensures that a reboot of the Surfstation/Terminal resets everything to default settings (although there shouldn’t be many changes besides the browser history) Here is a great Tutorial for that.

VMWare: Debian NICs don’t come up after removing and adding virtual network card

A long time has passed after the last post to this blog. But I’m still alive and today there will be another. ;-)

Yesterday I stumbled upon some problems in our virtual infrastructure regarding the Debian Linux Servers. For several reasons (most important is a dedicated network for NFS) i needed to add another virtual network card to those servers. I also removed the existing card, because the type of that card was still “Flexible” and I wanted to change that to “E1000″ anyway.

So in short: 1 card (Flexible) was removed, 2 cards (E1000) were added. Sounds easy, but it wasn’t! :-(

SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
SIOCSIFADDR: No such device
SIOCSIFADDR: No such device
eth0: ERROR while getting interface flags: No such device
eth0: ERROR while getting interface flags: No such device

The interfaces don’t come up and i had no idea why!

After some investigation this issue seemed to be related to udev. The MAC address of the old NIC was still in the file /etc/udev/rules.d/z25_persistent-net.rules, but of course the MAC has changed after migrating to the new E1000 card.

The solution is to edit the above mentioned file and replace the wrong MAC address value(s) with the new ones.

After that the appropriate servies need to be restarted:

/etc/init.d/udev restart
/etc/init.d/networking restart

or in short:

reboot

That’s it! :-)

How to create Colorkey images with GIMP

Note to myself:

1. File => Open
2. Image => Mode => Grayscale
3. Edit => Copy
4. Edit => Undo
5. Layer => New => Transparency => ok
6. Edit => Paste
7. Layer => Anchor Layer
8. Layer => Mask => Add Layer Mask => White (full opacitiy) => Add
9. Now use the Paintbrush-Tool to (re)color the parts of the image you like

Here’s a sample image:

Colorkey image made with GIMP
Colorkey image made with GIMP

Chive as an alternative to phpMyAdmin

Most of the mysql-admins out there will know phpmyadmin as a very helpful and reliable database administration tool. It’s available in most linux distros, can easily be installed and is for sure a very nice tool. Today I stumbled upon an alternative mysql administration-tool driven by php called chive.

From the project-website you can quickly see, that it already has a vast feature list and doesn’t need to hide after phpmyadmin.
My first impression is absolutely great and i think this tool can drain off phpmyadmin one day, but that’s of course a very subjective opinion.

More screenshots can be found here: http://www.chive-project.com/Screenshots

Switching to nginx and php-fpm, so LAMP becomes LEMP

About two and a half years ago i ordered a virtual server for private purposes at Server4you. That was quite a long time ago and in the meantime you can get the same server for less money or a better server for the same price ;-)
As migrating from an old productline to a new one isn’t possible at Server4you I decided to order a new server and migrate all my services to it so that i can quit the old machine afterwards.

And here we go:
LAMP (Linux, Apache, MySQL and PHP) is quite common and i also used this setup (Apache with mod_php) for hosting some small websites on my old server. The planned migration made me think about alternatives and I crawled through many blogposts about NGINX – a webserver which gains more and more popularity in our days (see this survey for more details).
Therefor i decided to give it a try and that’s where LEMP comes from (NGINX is pronounced as Engine-X)

Another new thing i wanted to try out is the integration of PHP in a different way. A project called PHP-FPM (FastCGI Process Manager) adds some new features to the ‘normal’ FastCGI implementation. It’s more or less a patch for the PHP sourcecode and it seems like it will go directly to the PHP core with PHP version 5.3.3.

After a bit of compilation and writing some scripts to automate this for future use all the websites (mostly WordPress) run on my LEMP setup. To get SEO-friendly URLs with WordPress on nginx is a bit more tricky than before, because .htaccess files are not beeing parsed by nginx, but the effort is really worth it.

Here is a related snippet from my nginx configuration file for this blog (slightly modified):

server {
            listen   80;
            server_name www.schmalenegger.com;

            access_log /logs/schmalenegger.com_access.log;
            error_log /logs/schmalenegger.com_error.log;

            location / {

                        root   /var/www/schmalenegger.com/;
                        index  index.php index.html;

                        # Basic version of Wordpress parameters, supporting nice permalinks.
                        include /etc/nginx/wordpress_params.regular;
                        }

            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9999;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
            include /etc/nginx/fastcgi_params.default;
            fastcgi_param SCRIPT_FILENAME /var/www/schmalenegger.com/$fastcgi_script_name;
            }
      }

And this is the content from /etc/nginx/wordpress_params.regular:

# WordPress pretty URLs:
if (-f $request_filename) {
break;
}
if (-d $request_filename) {
break;
}
rewrite ^(.+)$ /index.php?q=$1 last;

To be honest, I didn’t measure the differences between the performances of both setups, but I can really feel, that the webpages are being loaded much faster than before and also the memory consumption of nginx is absolutly awesome. So I’m quite happy with this new setup, but sometimes there are still some pitfalls to deal with.

Recovering a lost root password for MySQL

Once in a while (hopefully not to often) you need to recover the root password of a mysql database. Here is a quick guide how I do this normally:

1. Stop the running database (if it isn’t stopped already)

/etc/init.d/mysql stop

2. Start the database with the ‘skip-grant-tables’ option

mysqld_safe –skip-grant-tables &

3. Open the mysql console

mysql -u root

4. Set a new password for root (replace yournewpassword with a password of your choice)

mysql> UPDATE user SET Password=PASSWORD('yournewpassword') WHERE user = 'root';

5. Make the changes work immediately

mysql> FLUSH PRIVILEGES;

6. Stop the database again

kill `/path/to/mysql.pid` || killall mysqld

7. Start it up again the usual way

/etc/init.d/mysql start

That’s it :-)