Ians Ramblings

If you, like me have fiddled with your MyBookLive to make it do alot more than it was designed to including updating the version of PHP, be aware if it throws a load of “cannot modify header” errors when launching the UI you just need to do the following: -

Edit your php.ini and ensure that error reporting goes to the apache error log not to the end user. The UI will now come up, the errors themselves are caused by the cake framework calling deprecated methods in the new version of PHP, clearly the better fix would be to upgrade the cake framework on the box but who knows what issues that could cause.

Just been looking into mod_security. It’s a fairly exhaustive security module for Apache. Hugely configurable and by the looks of it, extremely useful.

So far, I am just using it’s base rules but I also wanted to limit the number of allowed attempted login requests, I did this by creating a new config file in conf.d along with the existing initial config. You can call it what you want .conf then add contents such as:

[code]
SecDebugLog "/var/log/httpd/data/debug.log"
SecDebugLogLevel 2
SecDataDir "/var/log/httpd/data/data/"

SecServerSignature "AMIGA OS Apache/1.2"
#SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
SecRule RESPONSE_STATUS ^401$ "t:none,phase:5,nolog,setvar:ip.auth_attempt=+1,expirevar:ip.auth_attempt=60"
SecRule IP:AUTH_ATTEMPT "@gt 20" "log,drop,phase:1,msg:'Possible Brute Force Attack'
[/code]

Another cheeky thing just slipped in there is changing the server’s identification string, just to help stop potential attackers knowing which exact version of Apache you are running, and  on what platform

The config there, allows up to 20 logins before it starts dropping the connection to that IP. If the login attempts stop for more than a minute it will start allowing logins again from that IP.

Recently at work we have had some fairly nasty brute force attacks from over 200 unique IP addresses.

Been looking into a few options, but one fairly quick option to get set up is mod_evasive for Apache.

http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/

I am currently trialling it, so will post an update. I am also looking at mod_security.

This is far from comprehensive, but if you are getting an awful lot of HEAD requests in your Apache logs from odd user agents, such as the “Morpheus F’ing Scanner” or such, then the following ReWrite rules might be useful for black holing them.
[code]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
RewriteCond %{HTTP_USER_AGENT} ^.*DigiExt
RewriteRule ^.*$ - [F]
[/code]

Passing the spaces in a URL through to another URL using a proxy style re-write in Apache can be a slight pain because as standard it basically cuts off the URL at the first space.

The answer is rather easy once you know how: -

[sourcecode language="bash"]
RewriteEngine ON
RewriteMap escape int:escape
RewriteRule ^/search/([^/]+)/?$       http://%{HTTP_HOST}/index.php?action=search&search_txt=${escape:$1} [P]
[/sourcecode]

In this example index.php should then receive whatever is after /search/ on the url until the next optional /

This has been described many times and in many ways by so many sites, but usually the descriptions are long and tedious. If you simply want to know how to get your website’s pages to be compressed if the browser supports it, or not if the browser doesn’t add the following lines to your Apache configuration file: -

[sourcecode language="bash"]
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
[/sourcecode]

Basically compress anything that can be compressed using the gzip algorithm ignore images because they are already compressed.

I put these directives within my Virtualhost but they could be just used in an .htaccess file I believe.

To test it is working, install the firefox web developers plugin, open your page, click the information drop down and select the option to view the page headers you should see something like: -

[sourcecode language="bash"]
Date: Tue, 09 Mar 2010 10:42:56 GMT
Server: Apache/2.2.x (SGI)
X-Powered-By: PHP/5.1.xx
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 09 Mar 2010 10:42:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip —– This being the item of interest
Content-Length: 12115
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from conway
Connection: keep-alive
200 OK

[/sourcecode]