A quick test if the webserver on my debian VPS is also vulnerable was successful.

But the proposed workaround works quite well for me.
Here are the steps, that I did to prevent my own apache webserver from being exploited (default apache2 installation debian squeeze):

Testresults:
Before:

After:

GREAT! Simply trick, but works fine.

The needed tasks to install this system are the following:

- Download and install Ubuntu (the “Gnome Edition”) with all updates (there should be tons of howtos for this in the net)

- During the installation create a user that will be automatically logged in.

- Disable all keyboard-shortcuts in the system-settings dialogue.

- Install the following two addons in Firefox: BlockSite and OpenKiosk
In the OpenKiosk Adminscreen (can be started directly from Firefox) you can customize your “hardened” Firefox. I personally set fullscreen mode, increased the reset interval to 3 minutes, enabled a 30 seconds warning before the reset and removed the Print button and zoom controls.

- Configure Firefox to start automatically when the user logs in.

- Create the file /etc/X11/xorg.conf with the following content. This disables the Ctrl+Alt+F1,Ctrl+Alt+F2, etc. shortcuts for switching through the gettys.

- Mount the root Filesystem readonly with the aufs Filesystem. This ensures that a reboot of the Surfstation/Terminal resets everything to default settings (although there shouldn’t be many changes besides the browser history) Here is a great Tutorial for that.

Yesterday I stumbled upon some problems in our virtual infrastructure regarding the Debian Linux Servers. For several reasons (most important is a dedicated network for NFS) i needed to add another virtual network card to those servers. I also removed the existing card, because the type of that card was still “Flexible” and I wanted to change that to “E1000″ anyway.

So in short: 1 card (Flexible) was removed, 2 cards (E1000) were added. Sounds easy, but it wasn’t!

The interfaces don’t come up and i had no idea why!

After some investigation this issue seemed to be related to udev. The MAC address of the old NIC was still in the file /etc/udev/rules.d/z25_persistent-net.rules, but of course the MAC has changed after migrating to the new E1000 card.

The solution is to edit the above mentioned file and replace the wrong MAC address value(s) with the new ones.

After that the appropriate servies need to be restarted:

or in short:

That’s it!

1. File => Open
2. Image => Mode => Grayscale
3. Edit => Copy
4. Edit => Undo
5. Layer => New => Transparency => ok
6. Edit => Paste
7. Layer => Anchor Layer
8. Layer => Mask => Add Layer Mask => White (full opacitiy) => Add
9. Now use the Paintbrush-Tool to (re)color the parts of the image you like

Here’s a sample image:

Colorkey image made with GIMP

From the project-website you can quickly see, that it already has a vast feature list and doesn’t need to hide after phpmyadmin.
My first impression is absolutely great and i think this tool can drain off phpmyadmin one day, but that’s of course a very subjective opinion.

More screenshots can be found here: http://www.chive-project.com/Screenshots

And here we go:
LAMP (Linux, Apache, MySQL and PHP) is quite common and i also used this setup (Apache with mod_php) for hosting some small websites on my old server. The planned migration made me think about alternatives and I crawled through many blogposts about NGINX – a webserver which gains more and more popularity in our days (see this survey for more details).
Therefor i decided to give it a try and that’s where LEMP comes from (NGINX is pronounced as Engine-X)

Another new thing i wanted to try out is the integration of PHP in a different way. A project called PHP-FPM (FastCGI Process Manager) adds some new features to the ‘normal’ FastCGI implementation. It’s more or less a patch for the PHP sourcecode and it seems like it will go directly to the PHP core with PHP version 5.3.3.

After a bit of compilation and writing some scripts to automate this for future use all the websites (mostly WordPress) run on my LEMP setup. To get SEO-friendly URLs with WordPress on nginx is a bit more tricky than before, because .htaccess files are not beeing parsed by nginx, but the effort is really worth it.

Here is a related snippet from my nginx configuration file for this blog (slightly modified):

And this is the content from /etc/nginx/wordpress_params.regular:

To be honest, I didn’t measure the differences between the performances of both setups, but I can really feel, that the webpages are being loaded much faster than before and also the memory consumption of nginx is absolutly awesome. So I’m quite happy with this new setup, but sometimes there are still some pitfalls to deal with.

1. Stop the running database (if it isn’t stopped already)

2. Start the database with the ‘skip-grant-tables’ option

3. Open the mysql console

4. Set a new password for root (replace yournewpassword with a password of your choice)

5. Make the changes work immediately

6. Stop the database again

7. Start it up again the usual way

That’s it

So here we go…

1. Installation of FreeTDS:
- Get the latest release of FreeTDS from here: http://freetds.org/ (the time i write this it’s 0.82)
- Extract and compile it:

- Edit /opt/freetds/etc/freetds.conf and add your MSSQL server like this:

MSSQLserver is used in your php code afterwards, so it might be a good idea to think of an appropriate name.

2. Installation of PHP
- Get the latest release of PHP from here: http://www.php.net/downloads.php
- Extract and compile it:

This is a very limited version of PHP just to show the required options in order to get PHP to work with MSSQL. If you have additional requirements like mysql-support or gd processing stuff you need to add those options to the configure call.

After that you need to tell Apache to load the appropriate module (libphp5.so). Add the following line to your httpd.conf file:

The location of the module may vary.

If everything went fine, you can now start to ‘CRUD’ your MSSQL data. Have fun…

All the necessary requirements such as the bonding module and stuff are available in the debain standard kernel (the time i wrote this: 2.6.26-2-amd64)

What’s still left to do is to install the ifenslave package:

and to modify some configuration files
/etc/modprobe.d/arch/i386 or /etc/modprobe.d/arch/i386 (depending on your architecture):

Mode 1 (also called: active-backup) means, that only one interface is active. The other one comes only into play, when the first (active) card fails. So this mode is only for fault tolerance and not for loadbalancing, but the configuration of this mode is very simple, because it doesn’t require additional switch configuration.

Edit /etc/network/interfaces and configure the bond0 interface:

Don’t configure any additional network settings for eth0 and eth1!

For testing purposes you can now load the bonding module (will also be done automatically when the servers boots):

and restart your network:

Now you should be able to ping the server from another host and plug/unplug the cables of the two integrated NICs while the server always answers the ping requests.