Posts Tagged ‘hash’

OSCommerce how to change / reset lost admin password

Monday, October 16th, 2017

reset-forgotten-lost-oscommerce-password-howto-Os_commerce-logo.svg

How to change / reset OSCommerce lost / forgotten admin password?

The password in OSCommerce is kept in table "admin", so to reset password connect to MySQL with mysql cli client.

First thing to do is to generate the new hash string, you can do that with a simple php script using the md5(); function

 

root@pcfreak:/var/www/files# cat 1.php
<?
$pass=md5('password');
echo $pass;
?>

 

root@pcfreak:/var/www/files# php 1.php
5f4dcc3b5aa765d61d8327deb882cf99
root@pcfreak:/var/www/files#

 

Our just generated string (for text password password) is hash: 5f4dcc3b5aa765d61d8327deb882cf99

Next to update the new hash string into SQL, we connect to MySQL:

 

$ mysql -u root -p

 


And issue following command to modify the encrypted hash string:

 

UPDATE `DB`.`admin` SET `admin_password` = '5f4dcc3b5aa765d61d8327deb882cf99' WHERE `admin`.`admin_id` = 6;

Secure Apache webserver against basic Denial of Service attacks with mod_evasive on Debian Linux

Wednesday, September 7th, 2011

Secure Apache against basic Denial of Service attacks with mod evasive, how webserver DDoS works

One good module that helps in mitigating, very basic Denial of Service attacks against Apache 1.3.x 2.0.x and 2.2.x webserver is mod_evasive

I’ve noticed however many Apache administrators out there does forget to install it on new Apache installations or even some of them haven’t heard about of it.
Therefore I wrote this small article to create some more awareness of the existence of the anti DoS module and hopefully thorugh it help some of my readers to strengthen their server security.

Here is a description on what exactly mod-evasive module does:

debian:~# apt-cache show libapache2-mod-evasive | grep -i description -A 7

Description: evasive module to minimize HTTP DoS or brute force attacks
mod_evasive is an evasive maneuvers module for Apache to provide some
protection in the event of an HTTP DoS or DDoS attack or brute force attack.
.
It is also designed to be a detection tool, and can be easily configured to
talk to ipchains, firewalls, routers, and etcetera.
.
This module only works on Apache 2.x servers

How does mod-evasive anti DoS module works?

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address which matches the criterias:

  • Requesting the same page more than number of times per second
  • Making more than N (number) of concurrent requests on the same child per second
  • Making requests to Apache during the IP is temporarily blacklisted (in a blocking list – IP blacklist is removed after a time period))

These anti DDoS and DoS attack protection decreases the possibility that Apache gets DoSed by ana amateur DoS attack, however it still opens doors for attacks who has a large bot-nets of zoombie hosts (let’s say 10000) which will simultaneously request a page from the Apache server. The result in a scenario with a infected botnet running a DoS tool in most of the cases will be a quick exhaustion of system resources available (bandwidth, server memory and processor consumption).
Thus mod-evasive just grants a DoS and DDoS security only on a basic, level where someone tries to DoS a webserver with only possessing access to few hosts.
mod-evasive however in many cases mesaure to protect against DoS and does a great job if combined with Apache mod-security module discussed in one of my previous blog posts – Tightening PHP Security on Debian with Apache 2.2 with ModSecurity2
1. Install mod-evasive

Installing mod-evasive on Debian Lenny, Squeeze and even Wheezy is done in identical way straight using apt-get:

deiban:~# apt-get install libapache2-mod-evasive
...

2. Enable mod-evasive in Apache

debian:~# ln -sf /etc/apache2/mods-available/mod-evasive.load /etc/apache2/mods-enabled/mod-evasive.load

3. Configure the way mod-evasive deals with potential DoS attacks

Open /etc/apache2/apache2.conf, go down to the end of the file and paste inside, below three mod-evasive configuration directives:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097DOS
PageCount 30
DOSSiteCount 40
DOSPageInterval 2
DOSSiteInterval 1
DOSBlockingPeriod 120
#DOSEmailNotify hipo@mymailserver.com
</IfModule>

In case of the above configuration criterias are matched, mod-evasive instructs Apache to return a 403 (Forbidden by default) error page which will conserve bandwidth and system resources in case of DoS attack attempt, especially if the DoS attack targets multiple requests to let’s say a large downloadable file or a PHP,Perl,Python script which does a lot of computation and thus consumes large portion of server CPU time.

The meaning of the above three mod-evasive config vars are as follows:

DOSHashTableSize 3097 – Increasing the DoSHashTableSize will increase performance of mod-evasive but will consume more server memory, on a busy webserver this value however should be increased
DOSPageCount 30 – Add IP in evasive temporary blacklist if a request for any IP that hits the same page 30 consequential times.
DOSSiteCount 40 – Add IP to be be blacklisted if 40 requests are made to a one and the same URL location in 1 second time
DOSBlockingPeriod 120 – Instructs the time in seconds for which an IP will get blacklisted (e.g. will get returned the 403 foribden page), this settings instructs mod-evasive to block every intruder which matches DOSPageCount 30 or DOSSiteCount 40 for 2 minutes time.
DOSPageInterval 2 – Interval of 2 seconds for which DOSPageCount can be reached.
DOSSiteInterval 1 – Interval of 1 second in which if DOSSiteCount of 40 is matched the matched IP will be blacklisted for configured period of time.

mod-evasive also supports IP whitelisting with its option DOSWhitelist , handy in cases if for example, you should allow access to a single webpage from office env consisting of hundred computers behind a NAT.
Another handy configuration option is the module capability to notify, if a DoS is originating from a number of IP addresses using the option DOSEmailNotify
Using the DOSSystemCommand in relation with iptables, could be configured to filter out any IP addresses which are found to be matching the configured mod-evasive rules.
The module also supports custom logging, if you want to keep track on IPs which are found to be trying a DoS attack against the server place in above shown configuration DOSLogDir “/var/log/apache2/evasive” and create the /var/log/apache2/evasive directory, with:
debian:~# mkdir /var/log/apache2/evasive

I decided not to log mod-evasive DoS IP matches as this will just add some extra load on the server, however in debugging some mistakenly blacklisted IPs logging is sure a must.

4. Restart Apache to load up mod-evasive debian:~# /etc/init.d/apache2 restart
...

Finally a very good reading which sheds more light on how exactly mod-evasive works and some extra module configuration options are located in the documentation bundled with the deb package to read it, issue:

debian:~# zless /usr/share/doc/libapache2-mod-evasive/README.gz

How to fix postfix mail server error ‘relay access denied’ on FreeBSD

Wednesday, January 30th, 2013

If you're running a newly configured Postfix SMTP server and you get in /var/log/maillog errors like:

Relay access denied

i.e. in log whenever you try to deliver a mail to the mail server you get something like:

Jan 29 10:05:04 600h postfix/smtpd[4624]: NOQUEUE: reject: RCPT from mxtb-pws3.mxtoolbox.com[64.20.227.133]: 554 5.7.1 <test@example.com>: Relay access denied; from=<supertool@mxtoolbox.com> to=<test@example.com> proto=ESMTP helo=<please-read-policy.mxtoolbox.com>

This is to because the virtualdomain to which postfix is trying to deliver is not added among the domains for which relaying is allowed.

To fix it edit /etc/postfix/main.cf ; find line

relay_domains = $mydestination

and add all domains, for which relaying should be allowed. Let's say you have virtual domains example.com and example1.com to enable relaying, add to conf:

relay_domains = $mydestination example.com example1.com

Also whether, virtual domain names are read from a separate configured hashed .db file like /etc/postfix/virtual.db

Usually done via /etc/postfix/main.cf via vars:

virtual_mailbox_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

Its necessery to run cmd;

postmap virtual
# ls -al /etc/postfix/virtual*
-rwxrwxrwx  1 root  wheel      45 Jan 29 05:27 /etc/postfix/virtual
-rwxrwxrwx  1 root  wheel  131072 Jan 29 10:58 /etc/postfix/virtual.db

This command re-builds virtual.db including all newly input domains in /etc/postfix/virtual

Finally to load new configs its necessary to restart postfix;

This particular Postfix is running on FreeBSD so to restart it;

# /etc/rc.d/postfix restart
....

 

 

Enable Apache libphp extension to interpret PHP scripts on FreeBSD 9.1

Saturday, January 12th, 2013

Enable php scripts to be interpreted / executed by PHP on freebsd
First you have to have installed and properly set up Apache from port, in my case this is Apache:

 

freebsd# pkg_info | grep -i apache
ap22-mod_fastcgi-2.4.6_3 A fast-cgi module for Apache
apache22-2.2.23_4   Version 2.2.x of Apache web server with prefork MPM.
apr-1.4.6.1.4.1_3   Apache Portability Library

I've installed it from source port /usr/ports/www/apache22, with:

freebsd# cd /usr/ports/www/apache22;
freebsd# make install clean
.....
Then to be able to start Apache from init script and make it run automatically on FBSD system reboot:

 

echo 'apache22_enable="YES"' >> /etc/rc.conf

I've also installed php5-extensions port;

freebsd# cd /usr/ports/lang/php5-extensions/
freebsd# make install clean
....
freebsd# cp -rpf /usr/local/etc/php.ini-production /usr/local/etc/php.ini

I had to select the exact Apache PHP library extensions I need, after selecting and installing, here is the list of PHP extensions installed on system:

freebsd# pkg_info | grep -i php5
php5-5.4.10         PHP Scripting Language
php5-bz2-5.4.10     The bz2 shared extension for php
php5-ctype-5.4.10   The ctype shared extension for php
php5-dom-5.4.10     The dom shared extension for php
php5-filter-5.4.10  The filter shared extension for php
php5-gd-5.4.10      The gd shared extension for php
php5-gettext-5.4.10 The gettext shared extension for php
php5-hash-5.4.10    The hash shared extension for php
php5-iconv-5.4.10   The iconv shared extension for php
php5-json-5.4.10    The json shared extension for php
php5-mbstring-5.4.10 The mbstring shared extension for php
php5-mcrypt-5.4.10  The mcrypt shared extension for php
php5-mysql-5.4.10   The mysql shared extension for php
php5-pdo-5.4.10     The pdo shared extension for php
php5-pdo_sqlite-5.4.10 The pdo_sqlite shared extension for php
php5-phar-5.4.10    The phar shared extension for php
php5-posix-5.4.10   The posix shared extension for php
php5-session-5.4.10 The session shared extension for php
php5-simplexml-5.4.10 The simplexml shared extension for php
php5-sqlite3-5.4.10 The sqlite3 shared extension for php
php5-tokenizer-5.4.10 The tokenizer shared extension for php
php5-xml-5.4.10     The xml shared extension for php
php5-xmlreader-5.4.10 The xmlreader shared extension for php
php5-xmlwriter-5.4.10 The xmlwriter shared extension for php
php5-zip-5.4.10     The zip shared extension for php
php5-zlib-5.4.10    The zlib shared extension for php

By default DirectoryIndex is not set to process index.php and .php, file extensions will not be interpreted by libphp, instead requests to .php, just opens them as plain text files.

In Apache config httpd.conf, libphp5 module should be displaying as loaded, like so:

freebsd# grep -i php5 /usr/local/etc/apache22/httpd.conf
LoadModule php5_module        libexec/apache22/libphp5.so

Next step find in /usr/local/etc/apache22/httpd.conf lines:

<IfModule dir_module>

DirectoryIndex index.html

Change

DirectoryIndex index.html

to

DirectoryIndex index.php index.html

(If you would like index.php to be processed as primary whether an Apache directory contains both .php and .html files.

After DirectoryIndex index.php, paste following;

<IfModule mod_dir.c>
    <IfModule mod_php3.c>
        <IfModule mod_php5.c>
            DirectoryIndex index.php index.php3 index.html
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.php3 index.html
        </IfModule>
    </IfModule>
    <IfModule !mod_php3.c>
        <IfModule mod_php5.c>
            DirectoryIndex index.php index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.html
        </IfModule>
    </IfModule>
</IfModule>

Open /usr/local/etc/apache22/httpd.conf. I use vim so:

vim /usr/local/etc/apache22/httpd.conf

and press CTRL+g to go to last line of file. Last line is:

Include etc/apache22/Includes/*.conf

I press I to insert text and paste before the line:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phpS

AddType application/x-httpd-php .php .htm .html

And save with the usual vim esc+ :x! (exit, save and overwrite changes command).

Then restart Apache to load new settings, after testing Apache config is okay;

freebsd# apache2ctl -t
Syntax OK
freebsd# /usr/local/sbin/apachectl -k restart

To test php conduct the usual test if php is interpretting code with phpinfo(); by creating  file php_info.php and pasting inside:

<?php
phpinfo();
?>

One important note, to make here is if you try to use phpinfo(); test code like:

<?
phpinfo();
?>

You will get in your browser empty pages content – which usually appear only, if PHP execution fails. Even if you try to enable PHP errors to be displayed in browser by setting

display_errors = On in /usr/local/etc/php.ini, or configuring a separate php error_log file with setting variable error_log, i.e.:

error_log = /var/log/php_error.log

No error or warning is to be both displayed in browser or recorded in log. After consulting in irc.freenode.net #php, I was pointed out by nezZario that this unusual behavior is normal for PHP 5.4, as well as explained this behavior is controlled by var called:

Short Open Tags

To enable Short Open Tags to interpret PHP code inside <? set in /usr/local/etc/php.ini

short_open_tag = On