Re: apache DOS tool
On Mon, Jun 22, 2009 at 08:31:01PM +1200, Richard Toohey wrote:
> On 20/06/2009, at 8:24 AM, Peter van Oord van der Vlies wrote:
>> Hi,
>>
>> Today some pages are publishing news about an Apache DOS tool, for example
>> http://isc.sans.org/diary.html?storyid=6601 and
>> http://ha.ckers.org/blog/20090617/slowloris-http-dos/
>>
>> Does this apply to the OpenBSD Apache too?
>>
>> Peter
>
> Looks like it is old ...
>
> http://marc.info/?l=apache-httpd-bugs&m=124533720717343&w=2
>
> And advice here ...
>
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos
>
> (Yes, I appreciate that it doesn't directly answer your question, but might help someone ...)

Nope, this does not help at all. Reducing the Timeout helps for a second. But reducing the timeout in slowloris.pl too makes the Apache unreachable within seconds again.

Haven't tested OpenBSD's Apache-1.3 so far. But the only thing that helps currently, IMHO, is to limit the number of established connections per IP. So one client is not able to block all the available Apache processes (threads) anymore.

So long,
Aiko

-- 
:wq b
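The per-IP count of established connections that the reply proposes to cap is also the thing worth watching on a server under this kind of load. The script below is an added example, not part of the list post: it reads OpenBSD `netstat -an -p tcp` style output (addresses written as host.port, state in the last column) and reports the foreign hosts holding more than a chosen number of ESTABLISHED connections to one local port. The sample listing is constructed with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the list post): report clients holding many ESTABLISHED
# connections to one local port, the condition the post proposes limiting per IP.
# Input is OpenBSD "netstat -an -p tcp" style text on stdin: proto, recv-q, send-q,
# local, foreign, state, with addresses written as host.port. The listing below is
# constructed (RFC 5737 documentation addresses), not captured from a real host.

CONSTRUCTED_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.80          198.51.100.7.40001     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.40002     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.40003     ESTABLISHED
tcp          0      0  192.0.2.10.80          203.0.113.5.51000      ESTABLISHED
tcp          0      0  192.0.2.10.22          203.0.113.5.51001      ESTABLISHED
tcp          0      0  *.80                   *.*                    LISTEN'

# established_per_ip PORT: print "count ip" for every foreign host that has at
# least one ESTABLISHED connection to the local PORT, busiest host first.
established_per_ip() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ ("\\." port "$") {
            # the foreign address is host.port: drop the trailing port field
            n = split($5, a, ".")
            ip = a[1]
            for (i = 2; i < n; i++) ip = ip "." a[i]
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# over_limit PORT LIMIT: only the hosts above LIMIT concurrent connections, i.e.
# the ones a per-source connection cap would start refusing.
over_limit() {
    established_per_ip "$1" | awk -v lim="$2" '$1 > lim'
}

# Stand-alone demo on the constructed listing; on a live host feed it
# "netstat -an -p tcp" instead:  netstat -an -p tcp | over_limit 80 20
printf '%s\n' "$CONSTRUCTED_NETSTAT" | over_limit 80 2
```

The threshold is deliberately a parameter: a legitimate browser opens a handful of parallel connections, while a slow-header client needs one connection per Apache worker it wants to occupy, so the offending host stands out by count alone. On OpenBSD the same per-source cap can be enforced rather than only observed with pf's max-src-conn state option, which is the network-layer fix the thread's other reply points at.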
Re: apache DOS tool
On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
> The solution, like the problem, lies in the network layer. See iptables and similar network stack filters to provide protection against this vector. /unquote
>
> Seems like they (and you) are saying Apache is not the place for the fix?

The Apache would be the right place to fix the issue IMHO, since other webservers are not affected that much. Maybe something like not counting an unfinished request as an active worker thread. But this is up to the people who know the program internals, which I don't.

So long,
Aiko

-- 
:wq b
Re: ImageMagick and chroot
Marcos Laufer wrote:
> Hello,
>
> Has anyone had luck in making ImageMagick work into the www chroot environment?

Yes, run the following script and you are done.

#!/bin/sh

CHROOT=/var/www

# Make dirs (mkdir -p is idempotent, the guards only keep it quiet)
[ ! -d $CHROOT/bin ] && mkdir -p $CHROOT/bin
[ ! -d $CHROOT/usr/local/bin ] && mkdir -p $CHROOT/usr/local/bin
[ ! -d $CHROOT/usr/local/lib ] && mkdir -p $CHROOT/usr/local/lib
[ ! -d $CHROOT/usr/lib ] && mkdir -p $CHROOT/usr/lib
[ ! -d $CHROOT/usr/X11R6/lib ] && mkdir -p $CHROOT/usr/X11R6/lib/
[ ! -d $CHROOT/usr/libexec ] && mkdir -p $CHROOT/usr/libexec
[ ! -d $CHROOT/var/run ] && mkdir -p $CHROOT/var/run

# A shell inside the chroot
SH=/bin/sh
if [ -x $SH ]; then
    cp -f $SH $CHROOT/$SH
else
    echo "No shit. $SH not found! :)"
fi

# ld.so needs the hints file inside the chroot to locate the libraries
LD_HINTS=/var/run/ld.so.hints
if [ -f $LD_HINTS ]; then
    cp $LD_HINTS $CHROOT/$LD_HINTS
else
    echo "$LD_HINTS not found. Still wondering though."
fi

# Copy each ImageMagick tool plus the shared libraries ldd reports for it
# ("rlib" lines, path in column 7)
for TOOL in convert composite identify; do
    BIN=$(which $TOOL | awk '{print $1}')
    if [ -n "$BIN" ] && [ -x "$BIN" ]; then
        cp -f $BIN $CHROOT/$BIN
        for i in $(ldd $BIN | awk '{if ($3 == "rlib") {print $7}}'); do
            if [ -f $i ]; then
                cp -f $i $CHROOT/$i
            fi
        done
    else
        echo "$TOOL not found."
        exit 1
    fi
done

HTH,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
Secure Apache Webserver
Hello,

I already discussed this subject on the list. There were several possible solutions for this subject and I have chosen one, which I would like to present now.

The problem: I have several vhosts, which are used by several people. The Apache is running with $UID 67. Users can access the system by using scponly, which is jailed into /var/www. No problem here so far. The issue was that all scripts must be readable or even writeable for the Apache Webserver. So one hacked page could damage other vhosts by writing some PHP code to access the other vhosts within /var/www.

My solution:

1. I made SuExec working within the chroot environment.
   (http://www.openbsdsupport.org/ApacheSuexecChroot.html)
2. I wrote a patch for suexec.c to handle *.php correctly.
   (http://files.haeckser.net/haeckser.net/suexec.patch)
3. I compiled PHP on my own with CGI-support and moved the binary into the chroot.
4. I removed mod_php and mod_perl and set the Apache directives User, Group, AddHandler cgi-script and Options +ExecCGI.

Now, every PHP-script has the permissions 700 and gets executed with its own $UID. I feel much better now. :)

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
Secure Apache Webserver
Hi *,

I use OpenBSD+Apache+Chroot for my webservices. The users can access their vhosts by using scponly, which is chrooted into /var/www as well. /htdocs/www.example.net belongs to theuser:www and has the permissions rwxr-x---.

The issue: If my users start to install a php-Filebrowser, they are able to access the other web directories and could read config.php, because they are doing it with the permissions of the webserver. Write access would be possible as well, since some parts need to have write access.

I started to patch suExec to make it handle *.php and to make it chroot-ready, but I wasn't successful so far. suPHP seems to have issues with 1.3.29 and ordering new IP addresses for having multiple webserver instances seems to be difficult.

Any hints appreciated,
Aiko

-- 
:wq
Re: chrooted sftponly - how ?
On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
> Hello
>
> Is there any good way to setup chrooted sftp-server without shell access ?

I wrote a shell script for this kind of stuff. Maybe you can use it for yourself. I keep my users within an OpenLDAP database and want to enable some users to access the www directory on my OpenBSD webserver by scponly. Maybe you can use some parts of it.

#!/bin/sh
#
# Written by Aiko Barz
#

altroot=/var/www
USERSHELL=/opt/sbin/scponlyc

function checkChroot {
    ##
    # Hierarchy
    ##
    for DIR in "" /bin /etc /lib /usr /usr/bin /usr/sbin /usr/lib \
               /usr/libexec /usr/libexec/openssh; do
        if [ ! -d $altroot$DIR ]; then
            mkdir -p $altroot$DIR
            chown root:daemon $altroot$DIR
        fi
    done

    ##
    # Static commands
    ##
    # chgrp and chown go to /usr/sbin inside the chroot, the rest keep their path
    CHGRP=$(which chgrp)
    if [ -x $CHGRP ]; then
        cp $CHGRP $altroot/usr/sbin
    fi
    CHOWN=$(which chown)
    if [ -x $CHOWN ]; then
        cp $CHOWN $altroot/usr/sbin
    fi
    for CMD in chmod ln ls mkdir mv rm rmdir echo pwd groups; do
        BIN=$(which $CMD)
        if [ -x $BIN ]; then
            cp $BIN $altroot/$BIN
        fi
    done

    ##
    # Dynamic commands: the binary plus the shared libraries ldd reports
    # ("rlib" lines, path in column 5)
    ##
    for BIN in $(which id) $(which passwd) $(which quota) $(which scp) \
               $(which rsync) /usr/libexec/sftp-server; do
        if [ -x $BIN ]; then
            cp $BIN $altroot/$BIN
            for lib in $(ldd $BIN | awk '{if ($3 == "rlib"){print $5}}'); do
                if [ -f $lib ]; then
                    cp -f $lib $altroot/$lib
                fi
            done
        fi
    done

    ##
    # ld.so
    ##
    LD_SO=/usr/libexec/ld.so
    if [ -f $LD_SO ]; then
        cp -f $LD_SO $altroot/$LD_SO
    fi
    LD_SO_HINTS=/var/run/ld.so.hints
    if [ -f $LD_SO_HINTS ]; then
        cp -f $LD_SO_HINTS $altroot/$LD_SO_HINTS
    fi

    ##
    # passwd
    ##
    FILE=/etc/master.passwd
    if [ ! -f $altroot/$FILE ]; then
        touch $altroot/$FILE
    fi
}

function addUser {
    if [ ! -z $1 ]; then
        USERNAME=$1
        useradd -d $altroot -s $USERSHELL -L ldap $USERNAME i
Re: cgi with chroot
On Tue, 2006-05-30 at 15:34 -0700, prad wrote:
> I tried to get a ksh script to work after I copied the ksh into /var/www/bin.
> My understanding is that the chrooted environment doesn't give access to the
> /bin/ksh program.

/var/www/bin/sh is working for me.

> I tried the same thing with ruby (copied both ruby and erb into /var/www/bin)
> and got the same thing again.

Ruby is working for me too. Check this out:

#!/bin/sh

WWW=/var/www

# Path (mkdir -p is idempotent, the guards only keep it quiet)
[ ! -d $WWW/bin ] && mkdir -p $WWW/bin
[ ! -d $WWW/usr/bin ] && mkdir -p $WWW/usr/bin
[ ! -d $WWW/usr/local/bin ] && mkdir -p $WWW/usr/local/bin
[ ! -d $WWW/usr/local/sbin ] && mkdir -p $WWW/usr/local/sbin
[ ! -d $WWW/usr/local/lib ] && mkdir -p $WWW/usr/local/lib
[ ! -d $WWW/usr/lib ] && mkdir -p $WWW/usr/lib
[ ! -d $WWW/var/run ] && mkdir -p $WWW/var/run

# cp ruby
RUBY=$(which ruby)
cp -f $RUBY $WWW/$RUBY

# cp env
ENV=$(which env)
cp -f $ENV $WWW/$ENV

# Ruby stuff (the interpreter needs its library tree inside the chroot)
rsync -va /usr/local/lib/ruby $WWW/usr/local/lib

# cp libs ("rlib" lines of ldd, path in column 7)
for LIB in $(ldd $RUBY | awk '{if ($3 == "rlib") {print $7}}'); do
    cp -f $LIB $WWW/$LIB
done

# cp hints (ld.so needs it inside the chroot)
cp -f /var/run/ld.so.hints $WWW/var/run/ld.so.hints

I have got one more script that fixes ImageMagick which is needed by Typo3.

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
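The ImageMagick, scponly and Ruby scripts in these posts all repeat the same step for every binary: copy it, run ldd, copy the path from each "rlib" line. The script below is an added example, not code from any of the posts, that folds that step into one function and fails loudly when a binary is missing instead of copying nothing. It assumes OpenBSD-style ldd output (Start End Type Open Ref GrpRef Name, path in the last column, type rlib for a needed shared object) and also accepts the Linux "name => /path (0x...)" form; CONSTRUCTED_LDD is a made-up listing so the parser can be exercised without ldd, a chroot or root privileges.

```shell
#!/bin/sh
# Added example (not from the list posts): one generic helper replacing the
# per-binary copy blocks in the ImageMagick, scponly and Ruby chroot scripts.
# Assumes OpenBSD-style ldd output (path in the last column, type "rlib" for a
# needed shared object) and also understands the Linux "name => /path (0x...)"
# form. CONSTRUCTED_LDD is a made-up listing, not captured from a real system.

CONSTRUCTED_LDD='/usr/local/bin/convert:
        Start            End              Type  Open Ref GrpRef Name
        00000d6b9f900000 00000d6b9fb3c000 exe   2    0   0      /usr/local/bin/convert
        00000d6e2d4a0000 00000d6e2d7d2000 rlib  0    1   0      /usr/local/lib/libMagickCore.so.0.0
        00000d6e8a000000 00000d6e8a3e0000 rlib  0    2   0      /usr/lib/libc.so.0.0
        00000d6d7e700000 00000d6d7e75c000 rtld  0    1   0      /usr/libexec/ld.so'

# libs_from_ldd: read ldd output on stdin, print one shared-object path per line.
# The "exe" line and the run-time linker ("rtld") are skipped on purpose: ld.so and
# ld.so.hints are copied explicitly, as the original scripts do.
libs_from_ldd() {
    awk '
        $3 == "rlib" || $3 == "dlib" { print $NF; next }   # OpenBSD ldd
        $2 == "=>" && $3 ~ /^\//     { print $3;  next }   # Linux: name => /path
        $1 ~ /^\// && $2 ~ /^\(0x/   { print $1 }          # Linux: bare /lib64/ld-*.so line
    '
}

# copy_into_chroot ROOT SRC: copy SRC to ROOT/SRC, creating parent directories.
# mkdir -p is idempotent, so no "[ ! -d ... ] &&" guard is needed.
copy_into_chroot() {
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")"
    cp -f "$src" "$root$src"
}

# install_into_chroot ROOT BIN: copy BIN and every shared object ldd reports for
# it. A missing or non-executable BIN is an error, not a silent no-op.
install_into_chroot() {
    root=$1; bin=$2
    [ -x "$bin" ] || { echo "$bin: not found or not executable" >&2; return 1; }
    copy_into_chroot "$root" "$bin"
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        [ -f "$lib" ] && copy_into_chroot "$root" "$lib"
    done
}

# Demo that touches nothing on the real system: list what would be copied for
# the constructed sample. Real use, as root:
#   for b in convert composite identify; do
#       install_into_chroot /var/www "$(which $b)" || exit 1
#   done
printf '%s\n' "$CONSTRUCTED_LDD" | libs_from_ldd
```

Two details the one-liners in the posts gloss over: the column that carries the path changes between OpenBSD releases (the 2006 script prints $5, the 2009 ones $7), which is why the parser keys on the type column and takes the last field; and quoting the awk string literal matters, since an unquoted rlib in awk is an empty variable and the comparison silently matches nothing.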
Re: [UPDATE] php5 to version 5.1.4 (IMPORTANT - ACK)
Tomasz Pajor wrote:
> Could you please attach a patch.

Would you trust me? :)

Simply use the patch from Robert Nagy. Look at Makefile.inc and change V= 5.1.3 into V= 5.1.4. Now you should correct or simply remove the distinfo file.

Happy updating. :)

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
Re: [UPDATE] php5 to version 5.1.4 (IMPORTANT - ACK)
Robert Nagy wrote:
> Hi.
>
> 5.0.3 is out so here is a new diff. Test it please.

I took your patch and changed 5.1.3 into 5.1.4. PHP5 is working again. Thanks a lot.

Wordpress[1] and Squirrelmail[2] do NOT work with 5.0.5, repeat NOT working. During the login process of wordpress I kept getting errors like those ones:

[notice] child pid 24922 exit signal Segmentation fault (11)
[notice] child pid 9586 exit signal Bus error (10)
[notice] child pid 11501 exit signal Bus error (10)
[notice] child pid 9109 exit signal Bus error (10)
[notice] child pid 11810 exit signal Segmentation fault (11)

So, I would be really happy if your patch enters OPENBSD_3_9...

Bye,
Aiko

PS.: I tested the hardened PHP with the default apache webserver.

[1]: http://www.wordpress.org
[2]: http://www.squirrelmail.org

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
Re: nsswitch
Spruell, Darren-Perot wrote:
> By each user having its own UID, you mean each is a local UNIX user account?

Yes and no. My users would have a unix-account if the ldap-accounts were visible to OpenBSD. (Nevertheless they are not allowed to login.)

> You're not doing virtual user setup with qmail-ldap?

Nope.

> Assuming you were, you could use the deliveryProgramPath attribute, e.g.:
>
> deliveryProgramPath: /usr/local/bin/maildrop .mailfilter
>
> Works in my environment, but I'm using the virtual user setup with one UNIX user.

That's what most admins do because it's much easier to administrate. But I like the idea of running each process with its own uid. I spent a lot of time in making this work. cgis and cronjobs are written in C for example.

Currently, I'm figuring out if it is possible for me to write my own filter.

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
Re: nsswitch
Adam wrote:
> What's wrong with just using maildrop's ldap support?

I use the current version of maildrop right now. The current version of maildrop dropped the ldap-support in favour of courier-authlib. And courier-authlib is not able to lookup a uid directly at this time. (I checked the code.)

I didn't check older versions of maildrop. Maybe I could use the ldap-port of maildrop but I'm completely on my own then. No more updates...

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
nsswitch
I googled, but I couldn't figure out the current status.

My problem: I tried to move my mailservers from Linux to OpenBSD. It's a qmail-ldap system with its users stored in OpenLDAP. Each of my users has its own UID. There is only one troublemaker: maildrop. It depends on getpwuid and getpwnam. But OpenBSD doesn't know anything about my LDAP-users.

Solution: There are some solutions.

maildrop could lookup the account data directly before invoking getpwuid and getpwnam. (I prefer not to write this patch. It ends up in courier-authlib and so on.)

The dirty hack is to use the environment variables which are provided by qmail-local ($USER, $HOME). (This is safe for me because chuid gets called before executing maildrop. I'm not happy with this solution.)

Another solution would be something like nsswitch. Are there any plans to implement something like this?

Bye,
Aiko

-- 
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de