How to install mod_security for Apache
What is mod_security?
ModSecurity is an open source intrusion detection and prevention engine for web applications. It runs embedded in the web server, acting as a protective layer between attackers and the applications behind it. ModSecurity supports both branches of the Apache web server (1.3.x and 2.x).
Rfx Networks Recommended:
"mod_security is great and I encourage it be used by everyone; it does have the potential to break some web applications but so far I've seen very few issues to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be set up to either deny or allow certain content. Overall mod_security is a needed addition to apache, providing a layer of security yet unseen for apache. I highly encourage you read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites."
Requirements:
Apache Web Server 1.3.x or 2.x
Note: We have confirmed this security add-on works with cPanel-based servers.
How to install?
1. Login to your server through SSH and su to the root user.
2. First, download mod_security (version 1.7.4 at the time of writing):
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz
3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/
4. Now change into the source directory for the Apache version you run:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/
5. Compile, install and activate the module (apxs -c compiles it, -i installs it into the modules directory, and -a adds the LoadModule line to httpd.conf):
/usr/local/apache/bin/apxs -cia mod_security.c
6. Now it is time to edit httpd.conf. First make a backup, just in case something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
7. Now that it is backed up, edit httpd.conf (replace pico with nano, depending on which editor you have):
pico /usr/local/apache/conf/httpd.conf
8. Find the place in the config where the rules will go: in pico, hold Ctrl and press W to search, and search for
9. Now add this (these are ModSecurity 1.x directives; the 2.x branch replaced SecFilter with SecRule and will not accept them):
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
# Reject a POST that carries no Content-Length, and any request that uses Transfer-Encoding
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# PHP session ids must be lowercase alphanumerics, whether passed as an argument or a cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Command strings typical of remote-include and shell-upload payloads in the request line
# (the trailing space inside each pattern is deliberate)
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection) - note this blocks ANY tag, so it breaks applications that accept HTML input
SecFilter "<(.|\n)+>"
10. Save the file with Ctrl+X, then Y.
11. Check the configuration syntax, then restart Apache:
/usr/local/apache/bin/apachectl configtest
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
You’ve successfully installed mod_security!
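Before relying on the rules above, it is worth seeing what they actually block, and what legitimate traffic they break. The following is an added example (not part of this page, and not ModSecurity's own code): a small stand-alone Python model of the SecFilter rules configured above, run over a handful of constructed requests. The real 1.x engine does more (full request normalisation, POST body scanning, per-Location overrides); this model only URL-decodes and applies the same regexes to the request line and body, with POSIX classes written as \s and case-insensitive matching, which is the 1.x engine's default. The sample request names and the helper functions are this example's own.

```python
import re
from urllib.parse import unquote, unquote_plus

# Added example, not part of the page or of ModSecurity: a stand-alone model of
# the SecFilter rules above, so you can see which requests they block and which
# legitimate ones they break before turning them on in front of a real app.
# POSIX classes ([[:space:]]) are written as \s for Python's re module.

# SecFilter rules: checked against the whole request (request line + body).
WHOLE_REQUEST_RULES = [
    ("path traversal", r"\.\./"),
    ("sql delete",     r"delete\s+from"),
    ("sql insert",     r"insert\s+into"),
    ("sql select",     r"select.+from"),
    ("script tag",     r"<\s*script"),
    ("any html tag",   r"<(.|\n)+>"),
]

# SecFilterSelective THE_REQUEST rules: checked against the request line only.
# A representative subset; the trailing space is part of each pattern.
REQUEST_LINE_RULES = [
    ("download tool",    r"(wget|curl|lynx|ftp|scp) "),
    ("cd into tmp",      r"cd /(var/)?tmp "),
    ("double traversal", r"/\.\./\.\./ "),
]

# ARG_PHPSESSID / COOKIE_PHPSESSID must be lowercase alphanumerics.
SESSION_ID = re.compile(r"^[0-9a-z]*$")


def parse_args(encoded):
    """Split a query string or urlencoded body into a dict, decoding %XX and +."""
    args = {}
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            args[unquote_plus(name)] = unquote_plus(value)
    return args


def check_request(method, uri, headers, body=""):
    """Return (action, rule) for the first rule that fires, ("allow", None) otherwise."""
    # The chained rule: a POST must carry a Content-Length ...
    if method == "POST" and "Content-Length" not in headers:
        return ("deny", "post without content-length")
    # ... and no request may use Transfer-Encoding (a chunked body sidesteps the length check).
    if "Transfer-Encoding" in headers:
        return ("deny", "transfer-encoding present")

    # Session id sanity check on both the query string and the body.
    args = parse_args(uri.partition("?")[2])
    args.update(parse_args(body))
    sid = args.get("PHPSESSID")
    if sid is not None and not SESSION_ID.match(sid):
        return ("deny", "malformed PHPSESSID")

    request_line = unquote(f"{method} {uri} HTTP/1.1")
    for name, pattern in REQUEST_LINE_RULES:
        if re.search(pattern, request_line, re.IGNORECASE):
            return ("deny", name)

    whole = request_line + "\n" + unquote_plus(body)
    for name, pattern in WHOLE_REQUEST_RULES:
        if re.search(pattern, whole, re.IGNORECASE):
            return ("deny", name)
    return ("allow", None)


def post(uri, body):
    """Build a well-formed POST sample with a correct Content-Length."""
    return ("POST", uri, {"Content-Length": str(len(body))}, body)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "traversal":  ("GET", "/view.php?file=../../../etc/passwd", {}, ""),
    "sqli":       ("GET", "/item.php?id=1%27%20UNION%20SELECT%20password%20FROM%20users--", {}, ""),
    "clean":      ("GET", "/index.php?PHPSESSID=1f3a9c", {}, ""),
    "bad_sid":    ("GET", "/index.php?PHPSESSID=../tmp/evil", {}, ""),
    "login":      post("/login.php", "user=alice&pass=s3cret"),
    "html_post":  post("/reply.php", "msg=%3Cb%3Ehello%3C%2Fb%3E"),                # legitimate markup
    "prose_post": post("/reply.php", "msg=please+select+two+items+from+the+list"),  # plain prose
    "chunked":    ("POST", "/upload.php", {"Transfer-Encoding": "chunked"}, ""),
}


def run_samples():
    return {name: check_request(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_samples().items():
        print(f"{name:11s} {action:5s} {rule or ''}")
```

The last two POST samples are the ones to notice: a forum reply containing nothing but `<b>hello</b>` is rejected by the catch-all tag filter, and an ordinary sentence with "select ... from" in it trips the crude SQL filter. That is exactly the breakage the quote at the top of the page warns about; if your application accepts HTML or free text, narrow those two SecFilter lines to the arguments that should never contain such input, or turn the engine off for that Location, rather than dropping the protection everywhere.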
How to install PRM (Process Resource Monitor)
PRM (Process Resource Monitor)
Introduction
PRM monitors the process table on a system and matches process IDs against the resource limits set in the config file or in per-process rules. Processes that meet or exceed the limits are logged and killed; it includes e-mail alerts, a kernel logging routine and more.
How it works?
PRM works on the basis that once a process ID is found to match the resource limits, a trigger value and a wait value come into play. The trigger value counts upward from zero (0) to the configured limit; between increments PRM pauses for the number of seconds defined as the wait value. After each pause the flagged PID is checked again; if it is still at or above the resource limits the trigger/wait cycle continues until the maximum trigger value is reached, at which point the process is logged and killed.
Together this means that applications with short bursts of resource use (e.g. apache, mysql) are not killed; only applications with prolonged resource consumption are. Using the rule system, you can define different wait/trigger/resource values for any application.
Installation
First we must fetch the package:
wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
And extract it:
tar xvfz prm-current.tar.gz
The current version of prm as of this writing is 0.3, so let's cd into the extracted 0.3 directory:
cd prm-0.3/
And finally run the enclosed install.sh script:
./install.sh
Configuration
The prm installation is located at '/usr/local/prm', and the configuration file is named 'conf.prm'.
Open the ‘/usr/local/prm/conf.prm’ file with your preferred editor. There is an array of options in this file but we will only be focusing on the main variables.
Let's skip down to the user e-mail alerts section and set the USR_ALERT value to '1', enabling alerts.
# enable user e-mail alerts [0=disabled,1=enabled]
USR_ALERT="1"
And configure our e-mail addresses for alerts:
# e-mail address for alerts
USR_ADDR="root, you@domain.com"
Choose which load average (5, 10 or 15 minute) is compared against the MIN_LOAD option below.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15]
LC="1"
PRM has an optional minimum load average for running. If the load is not equal to or greater than this value, PRM does not run. Setting this value to zero forces the script to always run, but this should not be needed.
# min load level required to run (decimal values unsupported)
MIN_LOAD="1"
This is the wait value described in the introduction, used for the pauses between trigger increments. The wait value multiplied by the kill_trig value gives the time before a process is killed (10 x 3 = 30 seconds).
# seconds to wait before rechecking a flagged pid (pid's noted resource
# intensive but not yet killed).
WAIT="10"
The trigger limit a process must reach before it is killed, described in detail in the 'wait' description above and in the introduction.
# counter limit that a process must reach prior to kill. The counter value
# increases for a process flagged resource intensive on rechecks.
KILL_TRIG="3"
The maximum percentage of CPU a process may use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported)
MAXCPU="35"
The maximum percentage of memory a process may use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported)
MAXMEM="15"
That is it. You should tune the MAXCPU/MAXMEM limits to your needs, but the defaults are fine for most systems.
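To reason about what WAIT, KILL_TRIG, MAXCPU and MAXMEM will do to a real process table before deploying them, here is an added example (not part of this page and not PRM's own code): a Python model of the trigger/wait cycle described in the introduction, run over a constructed process table. Two points the page does not spell out are assumed here and marked as such in the code: a flagged PID that has dropped back under both limits on a recheck is simply left alone, and an ignore string matches anywhere in the process's user or command text.

```python
# Added example, not part of PRM or of this page: a model of PRM's trigger/wait
# cycle so the WAIT / KILL_TRIG / MAXCPU / MAXMEM settings can be reasoned about.
# Assumptions (the page does not specify either): a flagged pid that is back
# under both limits on a recheck is left alone, and an ignore string matches
# as a substring of "<user> <command>".

WAIT = 10        # seconds between rechecks of a flagged pid
KILL_TRIG = 3    # rechecks a pid must stay over a limit before it is killed
MAXCPU = 35      # % of all CPU
MAXMEM = 15      # % of system memory
IGNORE = ("root", "named", "postgre")   # default contents of /usr/local/prm/ignore


def is_ignored(user, command, ignore=IGNORE):
    """True if any ignore string appears in the process's user or command line."""
    text = f"{user} {command}"
    return any(s in text for s in ignore)


def over_limit(cpu, mem, maxcpu=MAXCPU, maxmem=MAXMEM):
    """A process is flagged when it meets or exceeds either limit."""
    return cpu >= maxcpu or mem >= maxmem


def watch_pid(readings, wait=WAIT, kill_trig=KILL_TRIG, maxcpu=MAXCPU, maxmem=MAXMEM):
    """Run the trigger/wait cycle over successive (cpu%, mem%) readings of one pid.

    readings[0] is the sample that flagged the process; each later reading is
    taken `wait` seconds after the previous one and increments the trigger
    counter if the pid is still over a limit. Returns (verdict, seconds_elapsed).
    """
    trigger = 0
    elapsed = 0
    for i, (cpu, mem) in enumerate(readings):
        if not over_limit(cpu, mem, maxcpu, maxmem):
            return ("not flagged" if i == 0 else "left alone", elapsed)
        if i > 0:
            trigger += 1          # a recheck that still exceeds a limit counts up
        if trigger >= kill_trig:
            return ("killed", elapsed)
        elapsed += wait           # pause before the next recheck
    return ("still watching", elapsed)


def scan(process_table, **limits):
    """Apply the ignore list, then the trigger/wait cycle, to a table of
    {pid: (user, command, [(cpu, mem), ...])}. Returns {pid: (verdict, seconds)}."""
    verdicts = {}
    for pid, (user, command, readings) in process_table.items():
        if is_ignored(user, command):
            verdicts[pid] = ("ignored", 0)
        else:
            verdicts[pid] = watch_pid(readings, **limits)
    return verdicts


# Constructed sample process table (not a real ps listing); one reading per WAIT seconds.
SAMPLE_TABLE = {
    1201: ("mysql", "/usr/sbin/mysqld",             [(90, 8), (12, 8)]),                   # short burst
    2310: ("bob",   "perl ./udp.pl",                [(80, 2), (85, 2), (82, 2), (81, 2)]), # sustained CPU
    2412: ("alice", "php -q bigreport.php",         [(5, 40), (5, 41), (5, 42), (5, 44)]), # sustained memory
    1033: ("root",  "/usr/sbin/sshd",               [(99, 1), (99, 1), (99, 1), (99, 1)]), # on the ignore list
    3001: ("www",   "/usr/local/apache/bin/httpd",  [(20, 3)]),                            # under both limits
}


if __name__ == "__main__":
    for pid, (verdict, seconds) in scan(SAMPLE_TABLE).items():
        print(f"pid {pid}: {verdict} after {seconds}s")
```

With the defaults the sustained CPU and memory hogs are killed at 30 seconds (WAIT x KILL_TRIG, as the configuration section says), while the mysqld spike that is gone by the first recheck survives. Note that under the substring assumption an ignore string such as "root" also matches a user-owned command line that merely contains the word, so keep ignore entries specific.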
Usage
The executable program resides in ‘/usr/local/prm/prm’ and ‘/usr/local/sbin/prm’. The prm executable can receive one of two arguments:
-s Standard run
-q Quiet run
The log path for prm is ‘/usr/local/prm/prm_log’, as well pid specific logs are stored in ‘/usr/local/prm/killed/’.
A default cronjob for PRM is installed to ‘/etc/cron.d/prm’, and is configured to run once every 5 minutes.
An ignore file is provided to exclude processes based on string rules; it is located at '/usr/local/prm/ignore' and takes one ignore string per line. By default the strings 'root', 'named' and 'postgre' are ignored: PRM was not intended to monitor root processes but rather user-land tasks. It could watch root processes if the corresponding line were removed from the ignore file, but this is strongly discouraged.
Getting started with SSH Tutorial
Getting started with SSH Tutorial - Connecting to your server with SSH
Secure Shell (SSH), sometimes called Secure Socket Shell, is a protocol and command-line interface for securely accessing a remote computer over an untrusted network. It is widely used by administrators to manage web and other servers remotely. The classic SSH suite provides three utilities, slogin, ssh and scp, as secure replacements for the older UNIX utilities rlogin, rsh and rcp. The server authenticates itself to the client with its host key (the client shows the key's fingerprint the first time you connect, and you should verify it out of band), the client authenticates with a password or a public key, and everything after the key exchange, passwords included, travels encrypted. SSH uses public-key cryptography (RSA among other algorithms) to set up the session and to authenticate, and protects the bulk traffic with a negotiated symmetric cipher; the ciphers on offer depend on the implementation and its age (early SSH releases offered Blowfish, DES and IDEA, while current ones negotiate modern ciphers such as AES).
The server you are connecting to must be running SSH, and you must be running a secure shell client on your own machine as well, more details on getting a secure shell client are below.
Step 1) Download an SSH client on your local machine; we assume you are using Windows, so the client is PuTTY. Other PuTTY downloads, and the GnuPG signatures the PuTTY project publishes for each file, are listed here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html . Fetch the executable over HTTPS where possible and verify it against the published signature before running it: a tampered SSH client hands your server password to whoever modified it.
Windows PuTTY Download
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
Step 2) Save the file to your desktop and double click it.
Step 3) You should see a window asking what server you want to connect to.
Step 4) Enter your server's IP and click Open. On the first connection PuTTY shows the server's host key fingerprint and asks whether to trust it; compare it with the fingerprint your provider gave you (or that you read from the server console) before accepting, since this is what protects later connections from a man-in-the-middle.
Step 5) Enter your account’s username to connect then enter your password.
Step 6) Change to the root user: type su -
That’s it! You have now logged into your server using SSH.
Now get comfortable with it and learn some shell/SSH commands in the article listed below.
lingerd - Setup and Installation
WHAT IS LINGERD?
Under high load, a dynamic page server running Apache with mod_php spends a lot of its time doing an operation called "lingering close", which amounts to waiting a second or two on a connection just to make sure it gets closed properly.
Lingerd is a daemon (service) designed to take over this job. Unlike Apache, which uses one process per connection, lingerd can do thousands of lingers in parallel from a single process. The end result is that Apache needs far fewer running processes to handle the same load, which greatly increases its scalability and reduces the load on the server.
For technical reasons, lingerd is only effective on servers where keep-alives are disabled. To get the most out of your servers for a high-traffic site, serve the dynamic pages from one Apache server and the images and other static data from another. The dynamic page server can then use lingerd.
HOW STABLE IS IT?
Lingerd has been in production use for a few months, and has lingered nearly 2,000,000 connections with no errors, under Linux.
More testing is still needed under other platforms (eg BSD, Solaris). Lingerd is not portable to Windows.
WHERE DO I FIND IT?
The homepage for lingerd is at http://www.iagora.com/about/software/lingerd/
The daemon itself can be found at ftp://iagora.com/pub/software/lingerd/lingerd-0.94.tar.gz
HOW DO I USE IT?
Installing lingerd is fairly simple, but it does require recompiling Apache from source.
Here are quick installation instructions for Apache with mod_php and lingerd under Unix or Linux (see http://www.phpbuilder.com/manual/install-unix.php for more details):
1. tar zxvf apache_1.3.x.tar.gz
2. tar zxvf php-3.0.x.tar
3. tar zxvf lingerd-0.94.tar
4. cd lingerd-0.94
5. vi config.h
(set the right directories for SOCKPATH and PID_FILE; these directories
must be writeable by the userid that Apache runs as)
6. vi apache-1.3/ap_lingerd.h
(set SOCKPATH here too)
7. make ; make install
(also set the system up to start lingerd automatically, e.g by
adding the line “/usr/local/sbin/lingerd” to your
/etc/rc.d/rc.local file)
8. cp apache-1.3/ap_lingerd.* ../apache_1.3.x/src/main/
9. cd ../apache_1.3.x
10. patch -p0 -d src/ < ../lingerd-0.94/apache-1.3/aplinger.diff
11. ./configure --prefix=/www
12. cd ../php-3.0.x
13. ./configure --with-mysql --with-apache=../apache_1.3.x --enable-track-vars
14. make ; make install
15. cd ../apache_1.3.x
16. ./configure --prefix=/www --activate-module=src/modules/php3/libphp3.a
17. make ; make install
To see whether lingerd is running, and how many connections it has been handling, watch for its messages in /var/log/messages.
Lingerd is not tightly tied to the dynamic programming language, so it can be used with PHP3, PHP4, and also with other scripting engines like mod_perl, mod_snake or mod_dtcl.
You can find more information about lingerd in its homepage at http://www.iagora.com/about/software/lingerd/ , and in the documentation files included in the distribution.
Installing Pico on FreeBSD
Pico is a simple, display-oriented text editor based on the Pine message system composer. As with Pine, commands are displayed at the bottom of the screen, and context-sensitive help is provided. As characters are typed they are immediately inserted into the text.
Editing commands are entered using control-key combinations. As a work-around for communications programs that swallow certain control characters, you can emulate a control key by pressing ESCAPE twice, followed by the desired control character, e.g. “ESC ESC c” would be equivalent to entering a ctrl-c. The editor has five basic features: paragraph justification, searching, block cut/paste, a spelling checker, and a file browser.
Installing Pico
Log in over SSH as root.
Direct root login is sometimes disabled. If it is, log in as a normal user and do the following:
# su -
# password: [Enter your WHM root pass]
# [Hostname]: [Ready to work ]
To Download ports:
# /stand/sysinstall
- Go to Configure (post install)
- Go to Distributions
- Select ‘ports’
- Select ‘ok’
From there select FTP transfer (ftp.freebsd.org is fine) and it will download the ports tree into /usr/ports. This takes a while.
When it has finished, exit sysinstall and run the commands below:
# cd /usr/ports/editors/pico
# make install
This builds and installs Pico from the port, and you are finished.
Pico Commands
Options
+n
Causes pico to be started with the cursor located n lines into the file. (Note: no space between “+” sign and number)
-a
Display all files including those beginning with a period (.).
-b
Enable the option to Replace text matches found using the “Where is” command.
-d
Rebind the “delete” key so the character the cursor is on is rubbed out rather than the character to its left.
-e
Enable file name completion.
-f
Use function keys for commands. This option supported only in conjunction with UW Enhanced NCSA telnet.
-h
List valid command line options.
-j
Enable “Goto” command in the file browser. This enables the command to permit explicitly telling pilot which directory to visit.
-g
Enable “Show Cursor” mode in file browser. Cause cursor to be positioned before the current selection rather than placed at the lower left of the display.
-k
Causes “Cut Text” command to remove characters from the cursor position to the end of the line rather than remove the entire line.
-m
Enable mouse functionality. This only works when pico is run from within an X Window System “xterm” window.
-nn
The -nn option enables new mail notification. The n argument is optional, and specifies how often, in seconds, your mailbox is checked for new mail. For example, -n60 causes pico to check for new mail once every minute. The default interval is 180 seconds, while the minimum allowed is 30. (Note: no space between “n” and the number)
-o dir
Sets operating directory. Only files within this directory are accessible. Likewise, the file browser is limited to the specified directory subtree.
-rn
Sets column used to limit the “Justify” command’s right margin
-s speller
Specify an alternate program spell to use when spell checking.
-t
Enable “tool” mode. Intended for when pico is used as the editor within other tools (e.g., Elm, Pnews). Pico will not prompt for save on exit, and will not rename the buffer during the “Write Out” command.
-v
View the file only, disallowing any editing.
-version
Print Pico version and exit.
-w
Disable word wrap (thus allow editing of long lines).
-x
Disable keymenu at the bottom of the screen.
-z
Enable ^Z suspension of pico.
-q
Termcap or terminfo definition for input escape sequences are used in preference to sequences defined by default. This option is only available if pico was compiled with the TERMCAP_WINS define turned on.
Written by: Ibrahim Ezzy (ibrahim.Ezzy@Searchxs.com) and allera.