Archive for December, 2006
Compile php 4.4.1 from source
cd /usr/local/src/
wget http://ve.php.net/get/php-4.4.1.tar.gz/from/us2.php.net/mirror
tar -zxf php-4.4.1.tar.gz
cd php-4.4.1
up2date libpng-devel libjpeg-devel freetype-devel freetype libjpeg libpng
ln -s /usr/lib/libjpeg.so.62 /usr/lib/libjpeg.so
ln -s /usr/lib/libpng.so.3.1.2.2 /usr/lib/libpng.so
‘./configure’ ‘–host=i386-redhat-linux’ ‘–build=i386-redhat-linux’ ‘–target=i386-redhat-linux-gnu’ ‘–program-prefix=’ ‘–prefix=/usr’ ‘–exec-prefix=/usr’ ‘–bindir=/usr/bin’ ‘–sbindir=/usr/sbin’ ‘–sysconfdir=/etc’ ‘–datadir=/usr/share’ ‘–includedir=/usr/include’ ‘–libdir=/usr/lib’ ‘–libexecdir=/usr/libexec’ ‘–localstatedir=/var’ ‘–sharedstatedir=/usr/com’ ‘–mandir=/usr/share/man’ ‘–infodir=/usr/share/info’ ‘–cache-file=../config.cache’ ‘–with-config-file-path=/etc’ ‘–with-config-file-scan-dir=/etc/php.d’ ‘–enable-force-cgi-redirect’ ‘–disable-debug’ ‘–enable-pic’ ‘–disable-rpath’ ‘–enable-inline-optimization’ ‘–with-bz2′ ‘–with-db4=/usr’ ‘–with-curl=/usr’ ‘–with-dom=/usr’ ‘–with-exec-dir=/usr/bin’ ‘–with-png-dir=/usr’ ‘–with-gd’ ‘–enable-gd-native-ttf’ ‘–with-ttf’ ‘–with-gettext’ ‘–with-ncurses’ ‘–with-gmp’ ‘–with-iconv’ ‘–with-jpeg-dir=/usr’ ‘–with-openssl’ ‘–with-png’ ‘–with-pspell’ ‘–with-regex=system’ ‘–with-xml’ ‘–with-expat-dir=/usr’ ‘–with-zlib’ ‘–with-layout=GNU’ ‘–enable-bcmath’ ‘–enable-exif’ ‘–enable-ftp’ ‘–enable-magic-quotes’ ‘–enable-safe-mode’ ‘–enable-sockets’ ‘–enable-sysvsem’ ‘–enable-sysvshm’ ‘–enable-discard-path’ ‘–enable-track-vars’ ‘–enable-trans-sid’ ‘–enable-yp’ ‘–enable-wddx’ ‘–enable-mbstring’ ‘–enable-mbstr-enc-trans’ ‘–enable-mbregex’ ‘–without-oci8′ ‘–with-pear=/usr/share/pear’ ‘–with-kerberos=/usr/kerberos’ ‘–with-ldap=shared’ ‘–with-mysql=shared’ ‘–enable-memory-limit’ ‘–enable-bcmath’ ‘–enable-shmop’ ‘–enable-versioning’ ‘–enable-calendar’ ‘–enable-dbx’ ‘–enable-dio’ ‘–enable-mcal’ ‘–with-apxs2filter=/usr/sbin/apxs’
make
make install
No commentshow to install apache Mod_evasive
One way to stop one of the more basic attacks on a server is mod_evasive.This how-to will walk though the process of installing and configuring mod_evasive. This apache module will help protect against people sending too many requests to the webserver in an attempt to flood it. If it detects too many connections the offending ip will be blocked from the accessing apache for This is especially useful when the server is continuously getting attacked. With this default configuration it will block the offending ip for 10 minutes. If it continues to try and flood mod_evasive will automatically add more time to this.
*Update* Feb 1 2005 - Now links to the latest version of mod_evasive from the old name of mod_dosevasive.
**NOTE** This module has been known to cause problems with frontpage server extensions. If you them you should not install this module or just be aware of the fact it might break them.
Follow this section for Apache 1.3.x.
—–command—–
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/local/apache/bin/apxs -cia mod_evasive.c
—–command—–
Follow this section for Apache 2.0.x.
—–command—–
up2date -i httpd-devel
cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
—–command—–
If you are adding the is module to apache 1.3.x the following lines need to be added to the httpd.conf below the AddModule section.
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
If you are using apache 2.0.x you need to scroll to below the LoadModule section in the httpd.conf and add the following:
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600
Exit and save out of the httpd.conf
Now it should be ready to go. Exit out of pico and restart apache.
—–command—–
service httpd restart
—–command—–
For now I have removed the mailing feature from my configuration. If you would like it you need to add “DOSEmailNotify root” in the IfModule section of your httpd.conf. If you are having trouble with mod_evasive emailing you then you probably need to make sure that the mail configuration is correct. By default the it is set to /bin/mail which you may have to sym-link to the correct mail binary. You can also edit the line containing the following: “#define MAILER “/bin/mail -t %s” in the source code to change which it is pointing to.
No commentsApache 2 Install and Upgrade Guide
Apache 2 Install and Upgrade Guide
Apache 2 upgrade - Apache 2 installation
Note: This how-to has worked fine on plesk and cpanel servers and numerous tests. I cannot guarentee it will work on yours and cannot take responsibility for the outcome. I do not recommend running this how-to on an ensim server.
Note: Text in green are commands that should be run from the root shell
FRESH INSTALL - Apache 2 installation
This part of the how-to is for a clean install only, for upgrades please scroll down.
Make a copy of your current httpd.conf incase you need to roll-back
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf_back
Download The Apache Tar.Gz File
wget http://www.tux.org/pub/net/apache/d…d-2.0.47.tar.gz
Extract The File To Your Server
tar -xz -f httpd*
Move Into The Extracted Folder
cd httpd*
Run The Configuration File, (The bits following ./configure were custom wrote by me, you may customise these how you wish)
./configure –prefix=/usr/local/apache –with-php –with-mysql –with-susexec –enable-mods-shared=all –disable-info
Run The Make File
make
Run The Install Make File
make install
Apache 2.0 is now installed on your system
The four lines below are certain security measures that can be taken to hide the identity of apache. *These are optional*
Edit The http.conf File
pico -w /usr/local/apache/conf/httpd.conf
Disable Apache Signatures (Security)
Locate ServerSignature and change to off
Add the line below, after ServerSignature off
ServerTokens ProductOnly
Save httpd.conf
CTRL + X then “Y” then “enter” without the “’s
Start Your New Apache
/usr/local/apache/bin/apachectl start
Your sites should now be working.
Please scroll down to the bottom of the page, after performing the commands above
Apache 2 Upgrade - Upgrading Apache
Make a copy of your current httpd.conf incase you need to roll-back
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf_back
Download The Apache Tar.Gz File
wget http://www.tux.org/pub/net/apache/d…d-2.0.47.tar.gz
Extract The File To Your Server
tar -xz -f httpd*
Move Into The Extracted Folder
cd httpd*
Run The Configuration File
./config.nice
Run The Make File
make
Run The Install Make File
make install
Start Apache
/usr/local/apache/bin/apachectl restart
All done, you should now have a successfully upgraded/installed apache configuration.
No commentsHow to install mod_security for Apache
How to install mod_security for Apache
What is mod_security?
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.
Rfx Networks Recommended:
“mod_security is great and I encourage it be used by everyone; it does have the potential to break some web applications but so far iv seen very few issues to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be setup to either deny or allow certain content. Overall mod_security is a needed addition to apache, providing a layer of security yet unseen for apache. I highly encourage you read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites.”
Requirements:
Apache Web Server 1.3x or 2.x
Note: We have confirmed this security addon works with Cpanel based servers.
How to install?
1. Login to your server through SSH and su to the root user.
2. First your going to start out by grabbing the latest version of mod_security
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz
3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/
4. Now you need to determine which version of apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/
5. Lets Compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c
6. Ok, now its time to edit the httpd conf file. First we will make a backup just incase something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have
pico /usr/local/apache/conf/httpd.conf
8. Lets look for something in the config, do this by holding control and pressing W and you are going to search for
9. Now add this
SecFilterEngine On
SecServerSignature “Apache”
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction “deny,log,status:403″
SecFilterSelective REQUEST_METHOD “^POST$” chain
SecFilterSelective HTTP_Content-Length “^$”
SecFilterSelective HTTP_Transfer-Encoding “!^$”
SecFilterSelective ARG_PHPSESSID “!^[0-9a-z]*$”
SecFilterSelective COOKIE_PHPSESSID “!^[0-9a-z]*$”
SecFilter “../”
SecFilter “viewtopic\.php\?” chain
SecFilter “chr\(([0-9]{1,3})\)” “deny,log”
SecFilterSelective THE_REQUEST “wget ”
SecFilterSelective THE_REQUEST “lynx ”
SecFilterSelective THE_REQUEST “scp ”
SecFilterSelective THE_REQUEST “ftp ”
SecFilterSelective THE_REQUEST “cvs ”
SecFilterSelective THE_REQUEST “rcp ”
SecFilterSelective THE_REQUEST “curl ”
SecFilterSelective THE_REQUEST “telnet ”
SecFilterSelective THE_REQUEST “ssh ”
SecFilterSelective THE_REQUEST “echo ”
SecFilterSelective THE_REQUEST “links -dump ”
SecFilterSelective THE_REQUEST “links -dump-charset ”
SecFilterSelective THE_REQUEST “links -dump-width ”
SecFilterSelective THE_REQUEST “links http:// ”
SecFilterSelective THE_REQUEST “links ftp:// ”
SecFilterSelective THE_REQUEST “links -source ”
SecFilterSelective THE_REQUEST “mkdir ”
SecFilterSelective THE_REQUEST “cd /tmp ”
SecFilterSelective THE_REQUEST “cd /var/tmp ”
SecFilterSelective THE_REQUEST “cd /etc/httpd/proxy ”
SecFilterSelective THE_REQUEST “/config.php?v=1&DIR ”
SecFilterSelective THE_REQUEST “/../../ ”
SecFilterSelective THE_REQUEST “&highlight=%2527%252E ”
SecFilterSelective THE_REQUEST “changedir=%2Ftmp%2F.php ”
# Very crude filters to prevent SQL injection attacks
SecFilter “delete[[:space:]]+from”
SecFilter “insert[[:space:]]+into”
SecFilter “select.+from”
# Weaker XSS protection but allows common HTML tags
SecFilter “<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter “<(.|n)+>”
10. Save the file Ctrl + X then Y
11. Restart Apache
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
You’ve successfully installed mod_security!
No commentsHow to install PRM (Process Resource Monitor)
How to install PRM (Process Resource Monitor)
PRM (Process Resource Monitor)
Introduction
PRM monitors the process table on a given system and matches process id’s with set resource limits in the config file or per-process based rules. Process id’s that match or exceed the set limits are logged and killed; includes e-mail alerts, kernel logging routine and more…
How it works?
PRM works on the basis that once a process id is found matching resource limits; there is a corresponding trigger and wait value. The trigger value increments upwards from zero (0) to the defined value, pausing the duration of seconds defined as wait value. There after the status of the flagged pid is checked again, if still above or equal to resource limits the trigger/wait cycle begins again till the max trigger value is reached. When this trigger value is reached the given process is logged/killed.
This all together has the effect that applications with short burst resource spikes (e.g: apache, mysql etc..) are not killed; but rather on applications with prolonged resource consumption. Using the rule system, you can define different wait/trigger/resource values for any application.
Installation
First we must fetch the package:
wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
And extract it:
tar xvfz prm-current.tar.gz
The current version of prm as of this writing is 0.3, so lets cd to the 0.3 extracted path:
cd prm-0.3/
And finally run the enclosed install.sh script:
./install.sh
Configuration
The prm installation is located at ‘/usr/local/prm’, and the configuration file is labeled ‘conf.prm’.
Open the ‘/usr/local/prm/conf.prm’ file with your preferred editor. There is an array of options in this file but we will only be focusing on the main variables.
Lets skip down to the user e-mail alert’s section and set the USR_ALERT value to ‘1′; enabling alerts.
# enable user e-mail alerts [0=disabled,1=enabled] USR_ALERT=”1″
And configure our e-mail addresses for alerts:
# e-mail address for alerts USR_ADDR=”root, you@domain.com”
Check the 5,10, or 15 minute load average; relative to the later option below for min. load level.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15] LC=”1″
PRM optionally has a required load average for running. If the load is not equal to or greater than this value; PRM will not run. Setting this value to zero will force the script to always run but this should not be needed.
# min load level required to run (decimal values unsupported) MIN_LOAD=”1″
This is the introduction described wait value, used for pauses between trigger increments. The value of wait multiplied by the value of kill_trig equal the duration of time before a process is killed (10×3=30seconds).
# seconds to wait before rechecking a flagged pid (pid’s noted resource # intensive but not yet killed). WAIT=”10″
The trigger limit before processes are killed, described in detail in the above ‘wait’ description and introduction.
# counter limit that a process must reach prior to kill. The counter value # increases for a process flagged resource intensive on rechecks. KILL_TRIG=”3″
The max percentage of CPU a process should be allowed to use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported) MAXCPU=”35″
The max percentage of MEM a process should be allowed to use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported) MAXMEM=”15″
That is it; you should tweak the MAXCPU/MAXMEM limits to your desired needs but the defaults should be fine for most.
Usage
The executable program resides in ‘/usr/local/prm/prm’ and ‘/usr/local/sbin/prm’. The prm executable can receive one of two arguments:
-s Standard run
-q Quiet run
The log path for prm is ‘/usr/local/prm/prm_log’, as well pid specific logs are stored in ‘/usr/local/prm/killed/’.
A default cronjob for PRM is installed to ‘/etc/cron.d/prm’, and is configured to run once every 5 minutes.
There is a provided ignore file, to ignore processes based on string rules. The ignore file is located at ‘/usr/local/prm/ignore’. This file supports line separated ignore strings. As a default the strings ‘root, named and postgre’ are ignored by PRM; this script was not intended to monitor root processes but rather user land tasks. It could easily watch root processes by removing the given line in the ignore file but this is strongly discouraged.
No comments