Posts Tagged ‘freebsd’

« Older Entries
Newer Entries »

How to Secure Apache on FreeBSD against Range header DoS vulnerability (affecting Apache 1.3/2.x)

Tuesday, August 30th, 2011

How to Secure Apache webserver on FreeBSD and CentOS against Range: header Denial of Service attack

Recently has become publicly known for the serious hole found in all Apache webserver versions 1.3.x and 2.0.x and 2.2.x. The info is to be found inside the security CVE-2011-3192 https://issues.apache.org/bugzilla/show_bug.cgi?id=51714

Apache remote denial of service is already publicly cirtuculating, since about a week and is probably to be used even more heavily in the 3 months to come. The exploit can be obtained from exploit-db.com a mirror copy of #Apache httpd Remote Denial of Service (memory exhaustion) is for download here

The DoS script is known in the wild under the name killapache.pl
killapache.pl PoC depends on perl ForkManager and thus in order to be properly run on FreeBSD, its necessery to install p5-Parallel-ForkManager bsd port :


freebsd# cd /usr/ports/devel/p5-Parallel-ForkManager
freebsd# make install && make install clean
...

Here is an example of the exploit running against an Apache webserver host.


freebsd# perl httpd_dos.pl www.targethost.com 50
host seems vuln
ATTACKING www.targethost.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING www.targethost.com [using 50 forks]
:pPpPpppPpPPppPpppPp
...

In about 30 seconds to 1 minute time the DoS attack with only 50 simultaneous connections is capable of overloading any vulnerable Apache server.

It causes the webserver to consume all the machine memory and memory swap and consequently makes the server to crash in most cases.
During the Denial of Service attack is in action access the websites hosted on the webserver becomes either hell slow or completely absent.

The DoS attack is quite a shock as it is based on an Apache range problem which started in year 2007.

Today, Debian has issued a new versions of Apache deb package for Debian 5 Lenny and Debian 6, the new packages are said to have fixed the issue.

I assume that Ubuntu and most of the rest Debian distrubtions will have the apache’s range header DoS patched versions either today or in the coming few days.
Therefore work around the issue on debian based servers can easily be done with the usual apt-get update && apt-get upgrade

On other Linux systems as well as FreeBSD there are work arounds pointed out, which can be implemented to close temporary the Apache DoS hole.

1. Limiting large number of range requests

The first suggested solution is to limit the lenght of range header requests Apache can serve. To implement this work raround its necessery to put at the end of httpd.conf config:


# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range

2. Reject Range requests for more than 5 ranges in Range: header

Once again to implement this work around paste in Apache config file:

This DoS solution is not recommended (in my view), as it uses mod_rewrite to implement th efix and might be additionally another open window for DoS attack as mod_rewrite is generally CPU consuming.


# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

3. Limit the size of Range request fields to few hundreds
To do so put in httpd.conf:


LimitRequestFieldSize 200

4. Dis-allow completely Range headers: via mod_headers Apache module

In httpd.conf put:


RequestHeader unset Range
RequestHeader unset Request-Range

This work around could create problems on some websites, which are made in a way that the Request-Range is used.

5. Deploy a tiny Apache module to count the number of Range Requests and drop connections in case of high number of Range: requests

This solution in my view is the best one, I’ve tested it and I can confirm on FreeBSD works like a charm.
To secure FreeBSD host Apache, against the Range Request: DoS using mod_rangecnt, one can literally follow the methodology explained in mod_rangecnt.c header:


freebsd# wget http://people.apache.org/~dirkx/mod_rangecnt.c
..
# compile the mod_rangecnt module
freebsd# /usr/local/sbin/apxs -c mod_rangecnt.c
...
# install mod_rangecnt module to Apache
freebsd# /usr/local/sbin/apxs -i -a mod_rangecnt.la
...

Finally to load the newly installed mod_rangecnt, Apache restart is required:


freebsd# /usr/local/etc/rc.d/apache2 restart
...

I’ve tested the module on i386 FreeBSD install, so I can’t confirm this steps works fine on 64 bit FreeBSD install, I would be glad if I can hear from someone if mod_rangecnt is properly compiled and installed fine also on 6 bit BSD arch.

Deploying the mod_rangecnt.c Range: Header to prevent against the Apache DoS on 64 bit x86_amd64 CentOS 5.6 Final is also done without any pitfalls.


[root@centos ~]# uname -a;
Linux centos 2.6.18-194.11.3.el5 #1 SMP Mon Aug 30 16:19:16 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@centos ~]# /usr/sbin/apxs -c mod_rangecnt.c
...
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_rangecnt.la -rpath /usr/lib64/httpd/modules -module -avoid-version mod_rangecnt.lo
[root@centos ~]# /usr/sbin/apxs -i -a mod_rangecnt.la
...
Libraries have been installed in:
/usr/lib64/httpd/modules
...
[root@centos ~]# /etc/init.d/httpd configtest
Syntax OK
[root@centos ~]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

After applying the mod_rangecnt patch if all is fine the memory exhaustion perl DoS script‘s output should be like so:


freebsd# perl httpd_dos.pl www.patched-apache-host.com 50
Host does not seem vulnerable

All of the above pointed work-arounds are only a temporary solution to these Grave Apache DoS byterange vulnerability , a few days after the original vulnerability emerged and some of the up-pointed work arounds were pointed. There was information, that still, there are ways that the vulnerability can be exploited.
Hopefully in the coming few weeks Apache dev team should be ready with rock solid work around to the severe problem.

In 2 years duration these is the second serious Apache Denial of Service vulnerability after before a one and a half year the so called Slowloris Denial of Service attack was capable to DoS most of the Apache installations on the Net.

Slowloris, has never received the publicity of the Range Header DoS as it was not that critical as the mod_range, however this is a good indicator that the code quality of Apache is slowly decreasing and might need a serious security evaluation.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Computer Security, FreeBSD, Linux, System Administration, Web and CMS | No Comments »

How to block IP address with pf on FreeBSD, NetBSD and OpenBSD

Wednesday, July 27th, 2011

Pf Firewall BSD logo

I’ve noticed some IPs which had a kind of too agressive behaviour towards my Apache webserver and thus decided to filter them out with the Firewall.
As the server is running FreeBSD and my firewall choise is bsd’s pf I added the following lines to my /etc/pf.conf to filter up the abiser IP:

table persist file "/etc/pf.blocked.ip.conf"
EXT_NIC="ml0" # interface connected to internet
block drop in log (all) quick on $EXT_NIC from to any
 echo '123.123.123.123' >> /etc/pf.blocked.ip.conf

As you see I’m adding the malicious IP to /etc/pf.blocked.ip.conf, if I later decide to filter some other IPs I can add them up there and they will be loaded and filtered by pf on next pf restart.

Next I restarted my pf firewall definitions to make the newly added rules in pf.conf to load up.

freebsd# pfctl -d
freebsd# pfctl -e -f /etc/pf.conf

To show all IPs which will be inside the blockips filtering tables, later on I used:

pfctl -t blockips -T show

I can also later use pf to add later on new IPs to be blocked without bothering to restart the firewall with cmd:

freebsd# pfctl -t blockedips -T add 111.222.333.444

Deleting an IP is analogous and can be achieved with:

freebsd# pfctl -t blockedips -T delete 111.222.333.444

There are also logs stored about pf IP blocking as well as the other configured firewall rules in /var/log/pflog file.
Hope this is helpful to somebody.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in FreeBSD, System Administration | 2 Comments »

Few sshd server Security Tips that will improve your server security

Monday, May 2nd, 2011

On each and every newly installed Linux or FreeBSD server. I’m always very cautious about three configuration directives for the ssh server.
This are X11Forwarding , Protocol and PermitRootLogin

One needs to be very watchful about this three ones, as tuning the right values surely prevents the server from many of the security issues that might rise up with the SSH server.

Many Linuxes like Debian and Ubuntu comes with X11Forwarding yes e.g. (X11Forwarding) enabled by default, this is an useless option in most of the cases as the servers I do administrate does not run a X environment.

Some older Linux distributions I have dealt with has the ssh Protocol 1 enabled by default and therefore, whether I do inherit an old server I have to start administrating the first thing I do is to check if the /etc/ssh/sshd_config‘s Protocol 1 option is enabled and if it is enabled I disable it.

PermitRootLogin is also an option which I often turn off as logging in via remote ssh is potentially dangerous as root password might get sniffed.

In overall the 3 sshd option’s I do check out in /etc/sshd/sshd_config on each newly installed Linux server are:

X11Forwarding yes
PermitRootLogin yes
Protocol 1

I always change this three options in my /etc/sshd/sshd_config
to:

X11Forwarding no
PermitRootLogin no
Protocol 2

One other options sshd server options which is good to be tuned is:

LoginGraceTime 120

Decreasing it to:

LoginGraceTime 60

is generally a good idea.

Of course after the changes I do restart the ssh daemon in order for the new configuration to take place:

linux:~# /etc/init.d/sshd restart
...

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in FreeBSD, Linux, System Administration | No Comments »

“named: the working directory is not writable” message on FreeBSD

Friday, November 26th, 2010

Recently I’ve noticed in my FreeBSD router in /var/log/messages the following messages;

Nov 25 15:23:47 pcfreak named[11339]: starting BIND 9.4.3-P2 -t /var/named -u bind
Nov 25 15:23:47 pcfreak named[11339]: command channel listening on 127.0.0.1#953
Nov 25 15:23:47 pcfreak named[11339]: command channel listening on ::1#953
Nov 25 15:23:47 pcfreak named[11339]: the working directory is not writable

My first reaction was that the BIND server is not working so I checked to resolve a couple of the domains which I’ve addedto my slave named server.

It appears each of the domains were resolving perfectly fine. However when I tried to resolve from the Internet I found it quite strangebecause I couldn’t resolve.

After a quick look up on the Internet about the same Issue I came to the following thread in freebsd.forums.org where the same problem was explained and an explanation on how to fix the error is explained there.

Anyways it seems the named[11339]: the working directory is not writable is not a crucial message and it’s just a warning

Thus you can safely ignore the message and continue on. I guess my problems with domains resolving from the Internet are caused because my ISP is filtering some UDP ports or something so I’ll contact them right away and check if this is the problem.

Tags: , , , , ,
Posted in FreeBSD | No Comments »

Howto delete multiple files in Linux and FreeBSD / How to deal with “Argument list too long” error while deleting many files in directory

Wednesday, April 7th, 2010

Linux has some Limitations on the number of files you can delete within a directory, therefore if you try to delete let’s say 100000 files with a quarantine mails from spamassassin.
In that case you are about to face an error Argument list too long . The amount of files you can delete in Linux is tied with something specified by a file:
/usr/include/linux/limits.h
This limitation is a limitation caused by kernel_limits. In order to check the limitation on your Linux distribution, you have to execute the command:

egrep ARG_MAX /usr/include/linux/limits.h

You should receive a result on most Linux distrubutions similar to:
#define ARG_MAX 131072 /* # bytes of args + environ for exec() */

The 131072 is actually a default limitation on Debian GNU/Linux as well.The reason for the error is that the the maximum number (in bytes) of the arguments to a command could be equal max to the ARG_MAX defined in the limits.h.
For instance rm -f * in a directory with 40000 fileswould be evaluted as rm -f file1 file2 file3 … file40000. Therefore at a certain point the maximum limitation of 131072 bytes long for arguments or 128KB is about to be reached and then the command let’s say ls * would refuse to list the files in the directory showing up the annoying Argument list too long error.
There are a couple of ways to deal with that unpleasant situation.

1. You can use the linux find command to delete the files, you have to execute after changing dir (cd) to the directory where the multiple files are located:
find . -exec rm -fr {} ; 2. Second approach to the problem is passing the xargs command to find .
For instance execute the command:

find . -name "*" -print | xargs rm

3. In FreeBSD to get around the “Argument list too long” problem”, in bash shell you have to execute:

for files in *.*; do rm -f $files; done

4. Another possible way is to increase the ARG_MAX value in limits.h though this approach in my personal belief could have a negative impact on some productive servers, therefore it’s not a recommended.
Yet if you desire to do so simply edit /usr/include/linux/limits.h and change the ARG_MAX to your value of choice.

Tags: , , , , ,
Posted in FreeBSD, System Administration | 3 Comments »

Disable DNS recursion and AXFR requests in BIND on Debian Linux and FreeBSD / How to test a nameserver if AXFR requests are allowed with dig command

Monday, March 15th, 2010

I am playing with bind on a newly configured server and therefore doing my best to configure the nameserver in a good manner. In that manner of thoughts I remembered about the good old “recursion” which could pose a security hole in your DNS systems. I won’t buffle on how bad it is for a BIND domain resolver to have Domain recursion switched on, there is plenty of information you can read further online. Anyways here is a brief overview on recursion:
Recursive DNS is essentially the opposite of Custom DNS. Custom DNS is an authoritative DNS service that allows others to find your domain, and Recursive DNS allows you to resolve other people’s domains.

So considering the above definition if you decide to leave the default behaviour of the Bind nameserver (which by the way is also default behaviour of many other DNS servers including Microsoft DNS), this would mean that your DNS will be left open for the whole world to be able to serve resolve requests for any domain name requested by end users. In other words somebody out there might decide to use your nameserver to resolve all internet domains, like: google.com, yahoo.co.uk etc.

It is wise to enable recursion only for localhost on your bind name server, So to achieve that on Debian:
Open /etc/bind/named.conf.options and insert into it
Right before the options {

acl recurseallow { 1.2.3.4; 127.0.0.1; };

Also in the options {} include the following lines:

allow-recursion { recurseallow; };recursion yes;

On FreeBSD you need to include the same in /var/named/etc/namedb/named.conf by default or any other location if you have some specific named.conf file location.

Another truly Vital things to include in /etc/bind/named.conf.options on Debian Lenny among options {} is:

auth-nxdomain no;

Including this in the options {} configuration block would completely disable AXFR transfer requests on your nameserver on FreeBSD the procedure is absolutely analogous, just open /var/named/etc/namedb/named.conf and include the auth-nxdomain no; in the options configuration block.

To stress out the importance of disable AXFR it’s important to know that if you don’t disable the AXFR which is enabled by default in many nameservers out there you’re risking that a malicious person could list the whole zone files for each and every of the configured domains in the DNS server and consequently the attacker can learn a lot about the DNS topology of your network etc.
So to complete the article I’m gonna give an example on how the dig command can be used in order to check a certain DNS server if it has enabled the AXFR requests (e.g. if it’s vulnerable to this type of DNS information leak).

dig @somenameserver.net somedomainname.net axfr

In the above example somenameserver.net = is a random name server hosting a specific DNS domain
somedomainname.net = is the DNS domain name / (a.k.a. zone file) hosted on somenameserver.net

If everything is configured properly in your the namesever you’re running the axfr test against you should see something like:

; <<>> DiG 9.6.1-P1 <<>> @somenameserver.net somedomainname.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

Tags: , , , , ,
Posted in Computer Security, System Administration | 2 Comments »

FreeBSD 7 Installation and setup for tightened security / Multiple IPs in Jail problems

Wednesday, February 20th, 2008

In Saturday I went to Bergon. To help with the install and configuration of a FreeBSD 7 system to Static and Kiril(e.g. Arkadietz).The install went smoothly. Then I csupped following the handbook canonical way for rebuild world and kernel and stuff.Also I get to know personally the Bergon’s ISP owner and administrator Drago btw he looks like really good man.We spoke about the GDBOP actions when some times ago GDBOP agents break into a server room next to the office and tookBergon’s storage servers for users http://free-zone.cc (An FTP for Users). He said the GDBOP IT specialists doesn’t know evenelementary unix commands like “df” and “du” and he had to tell them what to type. We walked through the server’s room.He had some interesting servers I also observed the fiber optics and stuff. After setupping the newly installed serverto the server room. We went to the place “Seasons” and we drinked “Stolichno Tymno” and we ate Pizza on drago’s account.The idea of this FreeBSD installation was to make the machine hera.bergon.net a freeshell machine for local Bergon users assecure as possible. To achieve that I have set this sysctl settings:security.bsd.see_other_uids=0security.bsd.see_other_gids=0net.inet.tcp.msl=7500net.inet.tcp.blackhole=2net.inet.udp.blackhole=1net.inet.icmp.icmplim=50kern.ipc.somaxconn=32768Also I have installed AIDA . Also I have setupped jail with the ideato add the users into jail unfortunately. After running the jail I experienced problems with setupping multiple ips into thejail so I asked for help in ##freebsd in freenode it turned out that by default FreeBSD jail doesn’t support virtual IPs but thereis a patch to enable that unfortunately the patch is for still for FreeBSD 5,6 or 6.2 none available for 7. After somediscussion in ##freebsd I found out there is something that would do the work but it’s not still stable enough it’s calledVIMAGE, VIMAGE looks promising but will be ready maybe in FreeBSD 8 check it out here .The only think which left from the FreeBSD configuration is to setup firewall I intend to make a firewall based on “PF” but I have to spend some time reading for PF. Also I’ve upgraded the kernel at home to:FreeBSD jericho.pcfreak 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #0: Mon Feb 18 14:12:03 EET 2008 hipo@jericho.pcfreak:/usr/obj/usr/src/sys/GENERIC i386Apart from the geek stuff, yesterday I was to the fountain with Narf, today I had a walk in the Central park with Damqncho. Yesterday and today were quiet days thanks ofcourse to God almighty 🙂 Also Our Heavenly Father gives me peace through our Lord and Saviour Jesus Christ day after day through the Power of the Holy spirit 🙂 Unfortunately still I’m not too much of a healthy. But I still say The Lord is my rock I won’t be in use! Today in the college we had a business Meeting on the topic of “A New Product” I was the Personnel Manager, the last time meeting I wasa head of sales. After school and going out for a walk I went to my grandma and grandpa Georgi and Dimitrichka, after that I went to see my other grandma which is so a cool grandma (I love her much). Another good news even though they’re old ones are that my grandmother decided to give me 150$ more for buying the laptop. The only thing left is to choose the right laptop :). In USA thinkpads T series are so cheap starting from (around 950$), a good model costs something like 1150$ the same models here cost almost 1800$ pff… To end this post I would say I thank The Lord for giving me quiteful and peaceful days and blessing me in my work and in my studies. Hope he will continue to bless me in the future too.END—–

Tags: , , , , ,
Posted in Computer Security, FreeBSD | 1 Comment »

Linux / FreeBSD Text Based Gallery Generator (llgal, igal, igal2, bbgallery)

Monday, September 14th, 2009

Recently I was looking for a handy way to generate nice html or php like gallery.After some asking in freenode and some help provided by some guys from #debian chanas well as some personal research. I came across 4 handy progs that works like a charm.Here is a list of the generators:
1. llgal (llgal is an easy and fast on-line gallery generator based on iGal)
2. igal1 and igal2 (igal is a quick and easy program for placing your images online.)
3. bbgallery (small perl script generating the galleries)
.All of this gives you a way to modify the default templates according to your willings.
Be aware that bbgallery requires perl html compatability.
A small example of what you can expect from the newly generated gallery can be seen here generated with llgal and some more here generated with igal .
I personally liked more the generated default galleries with igal because they looked a bit more fancy although that llgal includes a way more advanced possibilities and options.
One of the main things that could lead you into using llgal instead of igal is that llgal supports generation of galleries from directories and subdirectories in a recursive manner, where the end generated output lists you all your pictures from directories and it’s sublinks into a common gallery right into the root directory it was executed.
One more helpful tip in case if you decide to include all subdirectories in a unique gallery use:
llgal –Pall .
llgal comes with a handy howto that describes many of the fancy llgal features.
Hope you have some fun with this three.
END—–

Tags: , , , , ,
Posted in Linux and FreeBSD Desktop, System Administration | 4 Comments »

Linux / FreeBSD Color Selector and picker

Wednesday, September 23rd, 2009

Today I spend my day partly playing with the GIMP. This days I have the enthusiasm,to start learning this nice linux design software.
I have to solve a task where I wanted to change the background of a picture with an existing color
in the header of a website.
Therefore I needed some kind of color picker which is able to pick up
colors directly from any running application on the screen. Luckily I found the solution quickly,
with the help by a guy in #debian in irc.freenode.net. I was suggested to look for color picker via
$ apt-cache search color picker . The first thing that popped up was exactly what I was looking for. It’scalled GCOLOR2. Hope this post will help to somebody out there looking for a color picker for Linux, FreeBSD.
END—–

Tags: , , , ,
Posted in Linux and FreeBSD Desktop | No Comments »

A fix for problem with FreeBSD php pcre & qmail installation

Wednesday, July 22nd, 2009

Few weeks ago I came around a problem with the php installed on my FreeBSD box seems like a shitty error occured when I tried to install squirrelmail as well as joomla. The following Warning message showed up every time I tried to access some of the scripts of the aforementioned ones.
“[Thu Jun 11 20:39:15 2009] [error] [client xxx.xxx.xxx.xxx] PHP Warning: preg_replace() [function.preg-replace]: Internal pcre_fullinfo() error -3 in somefile.php on line 169[Thu Jun 11 20:39:15 2009] [error] [client xxx.xxx.xxx.xxx] PHP Warning: preg_match() [function.preg-replace]: Internal pcre_fullinfo() error -3 in somefile.php on line 275″
I looked for a solution and it seemed the solution was as simple as adding “-with-pcre-regex=yes” to the Makefile of /usr/ports/lang/php5 a recompile and hooray pcre works correctly! Another problem I faced was with a qmail+vpopmail installation which seemed not to recognize the existence of some email addresses in the vpopmail installation. The cause for that was that my /var/qmail/control/locals was containing the name contained also in /var/qmail/control/virtualdomains. Simply removing the domain from locals and restarting qmail did the trick.Apart from all that I remembered an interesting website which you might find interesting to visit, a video from it was suggested by Sha’nar (Hope he had a safe journey to God). Here is thewebsiteisdown itself. Yes this days I’m mostly bored and in a spiritual roaming … Anyways thanks and glory be to God for his mercies on me.END—–

Tags: , , ,
Posted in FreeBSD | 2 Comments »

« Older Entries
Newer Entries »