Re: apache DOS tool

2009-06-22 Thread Aiko Barz
On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
 On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:

 Hi,

 Today some pages are publishing news about an Apache DOS tool, for
 example (http://isc.sans.org/diary.html?storyid=6601) and
 http://ha.ckers.org/blog/20090617/slowloris-http-dos/

 Does this apply to the OpenBSD Apache too?

 Peter


 Looks like it is old ...

 http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2

 And advice here ...

 http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos

 (Yes, I appreciate that it doesn't directly answer your question,
 but might help someone ...)

Nope, this does not help at all. Reducing the Timeout helps for a
second. But reducing the timeout in slowloris.pl too makes the Apache
unreachable within seconds again.

Haven't tested OpenBSD's Apache 1.3 so far. But the only thing that
helps currently, IMHO, is to limit the number of established connections
per IP. So one client is not able to block all the available Apache
processes (threads) anymore.

So long,
Aiko
-- 
:wq b  



Re: apache DOS tool

2009-06-22 Thread Aiko Barz
On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
 The solution, like the problem, lies in the network layer.  See iptables
 and similar network stack filters to provide protection against this  
 vector./unquote

 Seems like they (and you) are saying Apache is not the place for the
 fix?

The Apache would be the right place to fix the issue, IMHO, since other
webservers are not affected that much. Maybe something like not counting
an unfinished request as an active worker thread. But this is up to the
people who know the program internals, which I don't.

So long,
Aiko
-- 
:wq b  
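The mitigation Aiko lands on in both replies is a per-source cap on established connections. The script below is an added example, not something posted in the thread: it counts ESTABLISHED connections to a port per remote address from netstat(1)-style output and reports the sources above a limit, which is how a Slowloris-style client shows up before the Apache worker pool is exhausted. The sample lines are constructed here in OpenBSD "netstat -an" layout; the column positions ($4 local address, $5 foreign address, $6 state) are an assumption to verify against your own netstat output.

```shell
#!/bin/sh
# Added example (not from the thread): find remote addresses holding an
# unusual number of ESTABLISHED connections to a local port.

# Constructed sample in OpenBSD "netstat -an" layout; one address holds
# four connections to port 80, another holds one plus a TIME_WAIT and an
# SSH session that must not be counted.
SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.51235     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.51236     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.51237     ESTABLISHED
tcp          0      0  192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp          0      0  192.0.2.10.80          203.0.113.9.40002      TIME_WAIT
tcp          0      0  192.0.2.10.22          203.0.113.9.40003      ESTABLISHED
tcp          0      0  *.80                   *.*                    LISTEN'

# per_source PORT: read netstat output on stdin and print "count address"
# for every remote address with an ESTABLISHED connection to local PORT,
# busiest first. Assumed columns: $4 local, $5 foreign, $6 state.
per_source() {
    port=$1
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            n = split($5, f, ".")          # drop the trailing ".port"
            addr = f[1]
            for (i = 2; i < n; i++) addr = addr "." f[i]
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# hogs PORT LIMIT: print only the addresses holding more than LIMIT
# ESTABLISHED connections to PORT.
hogs() {
    per_source "$1" | awk -v limit="$2" '$1 > limit + 0 { print $2 }'
}

# Stand-alone demo over the constructed sample; on a live host replace
# the sample with:  netstat -an | hogs 80 20
printf '%s\n' "$SAMPLE" | hogs 80 3
```

The threshold is the interesting knob: Slowloris keeps each connection alive with partial headers, so a legitimate browser rarely needs more than a handful of parallel connections while the tool needs one per worker it wants to tie up. On OpenBSD the same cap can be enforced in the packet filter with the max-src-conn state option on the rule that passes port 80, overloading offenders into a table, which is the "limit the number of established connections per IP" approach Aiko describes without touching Apache.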



Re: ImageMagick and chroot

2007-05-17 Thread Aiko Barz
Marcos Laufer wrote:
 Hello ,
 
 Has anyone had luck in making ImageMagick work into the www chroot
 environment?

Yes, run the following script and you are done.

#!/bin/sh


CHROOT=/var/www


# Make dirs
[ ! -d $CHROOT/bin ]           && mkdir -p $CHROOT/bin
[ ! -d $CHROOT/usr/local/bin ] && mkdir -p $CHROOT/usr/local/bin
[ ! -d $CHROOT/usr/local/lib ] && mkdir -p $CHROOT/usr/local/lib
[ ! -d $CHROOT/usr/lib ]       && mkdir -p $CHROOT/usr/lib
[ ! -d $CHROOT/usr/X11R6/lib ] && mkdir -p $CHROOT/usr/X11R6/lib/
[ ! -d $CHROOT/usr/libexec ]   && mkdir -p $CHROOT/usr/libexec
[ ! -d $CHROOT/var/run ]       && mkdir -p $CHROOT/var/run


SH=/bin/sh
if [ -x $SH ]; then
    cp -f $SH $CHROOT/$SH
else
    echo "No shit. $SH not found! :)"
fi


LD_HINTS=/var/run/ld.so.hints
if [ -f $LD_HINTS ]; then
    cp $LD_HINTS $CHROOT/$LD_HINTS
else
    echo "$LD_HINTS not found. Still wondering though."
fi


# For each ImageMagick tool: copy the binary, then every shared library
# ldd(1) lists for it (column 3 is the type, column 7 the path in this
# ldd layout), creating the library directory in the chroot if needed.
CONVERT=$(which convert | awk '{print $1}')
if [ -n "$CONVERT" ] && [ -x $CONVERT ]; then
    cp -f $CONVERT $CHROOT/$CONVERT
    for i in $(ldd $CONVERT | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            mkdir -p $CHROOT$(dirname $i)
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo convert not found.
    exit 1
fi


COMPOSITE=$(which composite | awk '{print $1}')
if [ -n "$COMPOSITE" ] && [ -x $COMPOSITE ]; then
    cp -f $COMPOSITE $CHROOT/$COMPOSITE
    for i in $(ldd $COMPOSITE | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            mkdir -p $CHROOT$(dirname $i)
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo composite not found.
    exit 1
fi


IDENTIFY=$(which identify | awk '{print $1}')
if [ -n "$IDENTIFY" ] && [ -x $IDENTIFY ]; then
    cp -f $IDENTIFY $CHROOT/$IDENTIFY
    for i in $(ldd $IDENTIFY | awk '{if ($3 == "rlib") {print $7}}'); do
        if [ -f $i ]; then
            mkdir -p $CHROOT$(dirname $i)
            cp -f $i $CHROOT/$i
        fi
    done
else
    echo identify not found.
    exit 1
fi

HTH,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de



Secure Apache Webserver

2006-10-29 Thread Aiko Barz
Hello,

I already discussed this subject on the list. There were several
possible solutions for this subject and I have chosen one, which I would
like to present now.

The problem: I have several vhosts, which are used by several people.
The Apache is running with $UID 67. Users can access the system by using
scponly, which is jailed into /var/www. No problem here so far.
The issue was that all scripts must be readable or even writeable for
the Apache webserver. So one hacked page could damage other vhosts by
writing some PHP code to access the other vhosts within /var/www.

My solution:
1. I made SuExec work within the chroot environment.
   (http://www.openbsdsupport.org/ApacheSuexecChroot.html)
2. I wrote a patch for suexec.c to handle *.php correctly.
   (http://files.haeckser.net/haeckser.net/suexec.patch)
3. I compiled PHP myself with CGI support and moved the binary into
   the chroot.
4. I removed mod_php and mod_perl and set the Apache directives User,
   Group, AddHandler cgi-script and Options +ExecCGI.

Now every PHP script has the permissions 700 and gets executed with its
own $UID. I feel much better now. :)

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
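The model in this post only holds while every script really is mode 700 and owned by its vhost's user; a single file left group- or world-readable is back to the cross-vhost read the earlier post complained about, and suexec itself refuses to run a script or directory that is writable by others. The following is an added example, not part of the post: a small sh script that audits one vhost, or a whole htdocs tree, and prints every *.php file breaking the rule. The /var/www/htdocs layout and the user names in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit the "every PHP script is 700
# and owned by the vhost user" rule before handing scripts to suexec.

# check_vhost_perms DOCROOT OWNER: print every *.php under DOCROOT that is
# not owned by OWNER or carries any group/other permission bit (octal
# -perm tests are used because symbolic modes are not portable across
# find implementations). Returns 0 when clean, 1 when something is listed.
check_vhost_perms() {
    docroot=$1
    owner=$2
    bad=$(find "$docroot" -type f -name '*.php' \
        \( ! -user "$owner" \
           -o -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_all_vhosts HTDOCS: audit every HTDOCS/<vhost>/ directory, taking
# the directory's own owner as the expected script owner (the
# "theuser:www" ownership described in the earlier post). Returns 1 if
# any vhost failed. Owner is read with ls -ld because stat(1) flags
# differ between BSD and GNU.
check_all_vhosts() {
    htdocs=$1
    status=0
    for dir in "$htdocs"/*/; do
        [ -d "$dir" ] || continue
        owner=$(ls -ld "$dir" | awk '{ print $3 }')
        check_vhost_perms "${dir%/}" "$owner" || status=1
    done
    return $status
}

# Stand-alone use on the webserver (assumed layout):
#   check_all_vhosts /var/www/htdocs || echo "fix the files above"
```

Run it from cron and mail the output: once scripts execute under their own UID via suexec, the audit is what keeps that guarantee from quietly eroding as users upload new files.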



Secure Apache Webserver

2006-09-28 Thread Aiko Barz
Hi *,

I use OpenBSD+Apache+Chroot for my webservices. The users can access
their vhosts by using scponly, which is chrooted into /var/www as
well.
/htdocs/www.example.net belongs to theuser:www and has the 
permissions rwxr-x---. 

The issue: If my users start to install a php-Filebrowser, they are
able to access the other Webdirectories and could read config.php,
because they are doing it with the permissions of the webserver.
Write access would be possible as well, since some parts need to have
write access.

I started to patch suExec to make it handle *.php and to make it
chroot-ready, but I wasn't successful so far. suPHP seems to have
issues with 1.3.29, and ordering new IP addresses for having multiple
webserver instances seems to be difficult.

Any hints appreciated,
Aiko
-- 
:wq



Re: chrooted sftponly - how ?

2006-09-19 Thread Aiko Barz
On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
 Hello
 
 Is there any good way to setup chrooted sftp-server without shell access ?

I wrote a shell script for this kind of stuff. Maybe you can use it
for yourself. I keep my users within an OpenLDAP database and want to
enable some users to access the www directory on my OpenBSD webserver
by scponly. Maybe you can use some parts of it.


#!/bin/sh
#
# Written by Aiko Barz
#


altroot=/var/www
USERSHELL=/opt/sbin/scponlyc


function checkChroot
{
##
#  Hierachy
##
if [ ! -d $altroot ]; then
mkdir -p $altroot
chown root:daemon $altroot
fi
if [ ! -d $altroot/bin ]; then
mkdir -p $altroot/bin
chown root:daemon $altroot/bin
fi
if [ ! -d $altroot/etc ]; then
mkdir -p $altroot/etc
chown root:daemon $altroot/etc
fi
if [ ! -d $altroot/lib ]; then
mkdir -p $altroot/lib
chown root:daemon $altroot/lib
fi
if [ ! -d $altroot/usr ]; then
mkdir -p $altroot/usr
chown root:daemon $altroot/usr
fi
if [ ! -d $altroot/usr/bin ]; then
mkdir -p $altroot/usr/bin
chown root:daemon $altroot/usr/bin
fi
if [ ! -d $altroot/usr/sbin ]; then
mkdir -p $altroot/usr/sbin
chown root:daemon $altroot/usr/sbin
fi
if [ ! -d $altroot/usr/lib ]; then
mkdir -p $altroot/usr/lib
chown root:daemon $altroot/usr/lib
fi
if [ ! -d $altroot/usr/libexec ]; then
mkdir -p $altroot/usr/libexec
chown root:daemon $altroot/usr/libexec
fi
if [ ! -d $altroot/usr/libexec/openssh ]; then
mkdir -p $altroot/usr/libexec/openssh
chown root:daemon $altroot/usr/libexec/openssh
fi


##
#  Static commands
##
CHGRP=$(which chgrp)
if [ -x $CHGRP ]; then
cp $CHGRP $altroot/usr/sbin
fi
CHMOD=$(which chmod)
if [ -x $CHMOD ]; then
cp $CHMOD $altroot/$CHMOD
fi
CHOWN=$(which chown)
if [ -x $CHOWN ]; then
cp $CHOWN $altroot/usr/sbin
fi
LN=$(which ln)
if [ -x $LN ]; then
cp $LN $altroot/$LN
fi
LS=$(which ls)
if [ -x $LS ]; then
cp $LS $altroot/$LS
fi
MKDIR=$(which mkdir)
if [ -x $MKDIR ]; then
cp $MKDIR $altroot/$MKDIR
fi
MV=$(which mv)
if [ -x $MV ]; then
cp $MV $altroot/$MV
fi
RM=$(which rm)
if [ -x $RM ]; then
cp $RM $altroot/$RM
fi
RMDIR=$(which rmdir)
if [ -x $RMDIR ]; then
cp $RMDIR $altroot/$RMDIR
fi
ECHO=$(which echo)
if [ -x $ECHO ]; then
cp $ECHO $altroot/$ECHO
fi
PWD=$(which pwd)
if [ -x $PWD ]; then
cp $PWD $altroot/$PWD
fi
GROUPS=$(which groups)
if [ -x $GROUPS ]; then
cp $GROUPS $altroot/$GROUPS
fi


##
#  Dynamic commands
##
ID=$(which id)
if [ -x $ID ]; then
cp $ID $altroot/$ID
for lib in $(ldd $ID | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi
PASSWD=$(which passwd)
if [ -x $PASSWD ]; then
cp $PASSWD $altroot/$PASSWD
for lib in $(ldd $PASSWD | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi
QUOTA=$(which quota)
if [ -x $QUOTA ]; then
cp $QUOTA $altroot/$QUOTA
for lib in $(ldd $QUOTA | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi
SCP=$(which scp)
if [ -x $SCP ]; then
cp $SCP $altroot/$SCP
for lib in $(ldd $SCP | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi
RSYNC=$(which rsync)
if [ -x $RSYNC ]; then
cp $RSYNC $altroot/$RSYNC
for lib in $(ldd $RSYNC | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi
SFTP=/usr/libexec/sftp-server
if [ -x $SFTP ]; then
cp $SFTP $altroot/$SFTP
for lib in $(ldd $SFTP | awk '{if ($3 == "rlib"){print $5}}'); do
if [ -f $lib ]; then
cp -f $lib $altroot/$lib
fi
done
fi


##
#  ld.so
##
LD_SO=/usr/libexec/ld.so
if [ -f $LD_SO ]; then
cp -f $LD_SO $altroot/$LD_SO
fi
LD_SO_HINTS=/var/run/ld.so.hints
if [ -f $LD_SO_HINTS ]; then
cp -f $LD_SO_HINTS $altroot/$LD_SO_HINTS
fi


##
#  passwd
##
FILE=/etc/master.passwd
if [ ! -f $altroot/$FILE ]; then
touch $altroot/$FILE
fi
}


function addUser
{
if [ ! -z $1 ]; then
USERNAME=$1
useradd -d $altroot -s $USERSHELL -L ldap $USERNAME

i

Re: cgi with chroot

2006-05-31 Thread Aiko Barz
On Tue, 2006-05-30 at 15:34 -0700, prad wrote:
 I tried to get a ksh script to work after I copied the ksh into /var/www/bin.
 My understanding is that the chrooted environment doesn't give access to
 the /bin/ksh program.

/var/www/bin/sh is working for me.

 I tried the same thing with ruby (copied both ruby and erb into /var/www/bin)
 and got the same thing again.

Ruby is working for me too. Check this out:

#!/bin/sh
WWW=/var/www
# Path
[ ! -d $WWW/bin ]            && mkdir -p $WWW/bin
[ ! -d $WWW/usr/bin ]        && mkdir -p $WWW/usr/bin
[ ! -d $WWW/usr/local/bin ]  && mkdir -p $WWW/usr/local/bin
[ ! -d $WWW/usr/local/sbin ] && mkdir -p $WWW/usr/local/sbin
[ ! -d $WWW/usr/local/lib ]  && mkdir -p $WWW/usr/local/lib
[ ! -d $WWW/usr/lib ]        && mkdir -p $WWW/usr/lib
[ ! -d $WWW/var/run ]        && mkdir -p $WWW/var/run
# cp ruby
RUBY=$(which ruby)
cp -f $RUBY $WWW/$RUBY
# cp env
ENV=$(which env)
cp -f $ENV $WWW/$ENV
# Ruby stuff
rsync -va /usr/local/lib/ruby $WWW/usr/local/lib
# cp libs (column 3 is the ldd type, column 7 the library path)
for LIB in $(ldd $RUBY | awk '{if ($3 == "rlib") {print $7}}'); do
    cp -f $LIB $WWW/$LIB
done
# cp hints
cp -f /var/run/ld.so.hints $WWW/var/run/ld.so.hints


I have got one more script that fixes ImageMagick which is needed by
Typo3.

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
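The ruby script above, the ImageMagick script and the scponly script all repeat the same block: copy the program, then copy every "rlib" line that ldd(1) prints. The following is an added example, not one of the scripts posted in these threads, that folds that procedure into reusable functions. It assumes ldd prints one shared object per line with the type in column 3 and the path in the last column, which covers both OpenBSD layouts the posted scripts rely on ($5 on one release, $7 on another); the sample ldd output is constructed here for the demo and the paths in it are assumptions.

```shell
#!/bin/sh
# Added example (not posted in the threads): copy a binary and its
# shared-library dependencies into a chroot, generalising the repeated
# per-program blocks in the ImageMagick, scponly and ruby scripts.

# Constructed ldd output in OpenBSD layout, used only by the demo at the
# bottom; the file names are assumptions.
SAMPLE_LDD='Start    End      Type Open Ref GrpRef Name
0000a000 0003b000 exe  1    0   0      /usr/local/bin/convert
0003b000 00100000 rlib 0    1   0      /usr/local/lib/libMagick.so.10.0
00100000 00200000 rlib 0    2   0      /usr/lib/libc.so.39.3
00200000 00210000 rtld 0    1   0      /usr/libexec/ld.so'

# shared_libs: read ldd output on stdin and print the path of every rlib
# line. Using the last field instead of a fixed $5/$7 makes it work for
# both ldd layouts seen in the posted scripts.
shared_libs() {
    awk '$3 == "rlib" { print $NF }'
}

# install_into_chroot ROOT FILE...: copy each FILE to the same path under
# ROOT, creating parent directories as needed and preserving the mode.
# Only regular files (or symlinks to them) are copied; a dangling link or
# a device node is reported and skipped rather than dragged into the jail.
# Returns 1 if any copy failed.
install_into_chroot() {
    root=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f is not a regular file" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$f")" || rc=1
        cp -pf "$f" "$root$f" || rc=1
    done
    return $rc
}

# chroot_binary ROOT PROGRAM: copy PROGRAM plus every shared library ldd
# reports for it. Returns 1 when PROGRAM is missing, as the posted
# scripts do with "exit 1". Library paths are split on whitespace on
# purpose, as in the original for-loops.
chroot_binary() {
    root=$1
    bin=$2
    if [ ! -x "$bin" ]; then
        echo "$bin: not found or not executable" >&2
        return 1
    fi
    install_into_chroot "$root" "$bin" $(ldd "$bin" | shared_libs)
}

# Stand-alone demo over the constructed sample. On the webserver the
# real call would be, for example:
#   chroot_binary /var/www /usr/local/bin/convert
printf '%s\n' "$SAMPLE_LDD" | shared_libs
```

Note that ld.so itself and /var/run/ld.so.hints are not rlib lines, so they still have to be copied explicitly, exactly as the scponly script does in its "ld.so" section; and the hints file must be regenerated in the chroot whenever a library there changes.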



Re: [UPDATE] php5 to version 5.1.4 (IMPORTANT - ACK)

2006-05-10 Thread Aiko Barz
Tomasz Pajor wrote:
 Could you please attach a patch.

Would you trust me? :)

Simply use the patch from Robert Nagy. Look at Makefile.inc and change
V=  5.1.3
into
V=  5.1.4

Now you should correct or simply remove the distinfo file. Happy
updating. :)

Bye,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: [UPDATE] php5 to version 5.1.4 (IMPORTANT - ACK)

2006-05-08 Thread Aiko Barz
Robert Nagy wrote:
 Hi.
 
 5.0.3 is out so here is a new diff. Test it please.

I took your patch and changed 5.1.3 into 5.1.4. PHP5 is working again.
Thanks a lot.

Wordpress[1] and Squirrelmail[2] do NOT work with 5.0.5, repeat NOT
working. During the login process of wordpress I kept getting errors
like those ones:
[notice] child pid 24922 exit signal Segmentation fault (11)
[notice] child pid 9586 exit signal Bus error (10)
[notice] child pid 11501 exit signal Bus error (10)
[notice] child pid 9109 exit signal Bus error (10)
[notice] child pid 11810 exit signal Segmentation fault (11)

So, I would be really happy if your patch enters OPENBSD_3_9...

Bye,
Aiko

PS.: I tested the hardened PHP with the default apache webserver.

[1]: http://www.wordpress.org
[2]: http://www.squirrelmail.org
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: nsswitch

2005-11-14 Thread Aiko Barz
Spruell, Darren-Perot wrote:
 By each user having its own UID, you mean each is a local UNIX user account?

Yes and no. My users would have a unix-account if the ldap-accounts were
visible to OpenBSD. (Nevertheless they are not allowed to login.)

 You're not doing virtual user setup with qmail-ldap?

Nope.

 Assuming you were, you could use the deliveryProgramPath attribute, e.g.:
 
  deliveryProgramPath: /usr/local/bin/maildrop .mailfilter
 
 Works in my environment, but I'm using the virtual user setup with one UNIX
 user.

That's what most admins do because it's much easier to administrate. But
I like the idea of running each process with its own uid. I spent a lot
of time in making this work. CGIs and cron jobs are written in C, for example.

Currently, I'm figuring out if it is possible for me to write my own filter.

Bye,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de



Re: nsswitch

2005-11-14 Thread Aiko Barz
Adam wrote:
 What's wrong with just using maildrop's ldap support?

I use the current version of maildrop right now. The current version of
maildrop dropped the ldap-support in favour of courier-authlib. And
courier-authlib is not able to lookup a uid directly at this time. (I
checked the code.)

I didn't check older versions of maildrop. Maybe I could use the
ldap-port of maildrop but I'm completely on my own then. No more updates...

Bye,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de



nsswitch

2005-11-13 Thread Aiko Barz
I googled, but I couldn't figure out the current status.

My problem:
I tried to move my mailservers from Linux to OpenBSD. It's a qmail-ldap
system with its users stored in OpenLDAP. Each of my users has its own
UID. There is only one troublemaker: maildrop. It depends on getpwuid
and getpwnam. But OpenBSD doesn't know anything about my LDAP-users.

Solution:
There are some solutions. maildrop could look up the account data
directly before invoking getpwuid and getpwnam. (I prefer not to write
this patch. It ends up in courier-authlib and so on.) The dirty hack is
to use the environment variables which are provided by qmail-local
($USER, $HOME). (This is safe for me because chuid gets called before
executing maildrop. I'm not happy with this solution.)

Another solution would be something like nsswitch. Are there any plans
to implement something like this?

Bye,
Aiko
-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de