Jaime Frutos Morales's blog

25/06/2009

Installation & configuration of mod_evasive in Ubuntu Server 9.04

Filed under: SysAdmin, Ubuntu — acidborg @ 14:44

From its README file:

“Mod_evasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack. It
is also designed to be a detection tool, and can be easily configured to talk
to ipchains, firewalls, routers, and etcetera.

Detection is performed by creating an internal dynamic hash table of IP
Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second.
  • Making more than 50 concurrent requests on the same child per second.
  • Making any requests while temporarily blacklisted (on a blocking list).”

Its installation is quite easy:

apt-get install libapache2-mod-evasive

To configure it, create a directory to place its log files:

mkdir /var/log/apache2/mod_evasive
chown www-data:www-data /var/log/apache2/mod_evasive

Afterwards, create its configuration file (for example /etc/apache2/conf.d/mod_evasive, a directory that apache2.conf includes automatically) with this default content:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSEmailNotify root@localhost
DOSWhitelist 127.0.0.1
</IfModule>

These values should be tuned to the traffic your server actually gets. Here are the parameters' descriptions:

  • DOSHashTableSize: Size of the hash table used to store the IPs and IP/URI pairs; a larger table means fewer collisions at the cost of some memory.
  • DOSPageCount: Number of requests for the same page (URI) one IP may make per DOSPageInterval before it is blocked.
  • DOSPageInterval: Time in seconds used by DOSPageCount.
  • DOSSiteCount: Number of requests for any object on the site one IP may make per DOSSiteInterval, counted per Apache child.
  • DOSSiteInterval: Time in seconds used by DOSSiteCount.
  • DOSBlockingPeriod: Time in seconds during which a blocked IP gets 403 Forbidden. Every request from a blocked IP within this period restarts it, so a client that keeps retrying stays blocked.
  • DOSLogDir: Optional. Directory where the module records blocked IPs (as files named dos-<IP>). If not specified, /tmp is used. It must be writable by the Apache user, hence the chown above.
  • DOSEmailNotify: Optional. Address the notifications are sent to; it needs a working local mailer.
  • DOSSystemCommand: Optional. Command to execute when an IP is blocked, with %s replaced by the offending IP. For example:

    DOSSystemCommand "/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP"

    The command runs as the Apache user (www-data), which cannot change iptables rules by itself, so a command like this one needs a sudo rule or a setuid helper, and the rule it inserts is never removed automatically.
  • DOSWhitelist: Optional. List of IPs which won't be blocked (wildcards such as 192.168.0.* are accepted).
To finish the configuration process, restart Apache and check that the module is loaded:

    /etc/init.d/apache2 restart
    apache2ctl -M | grep evasive

    You can test whether it works using a script included in the deb package, which sends a burst of requests to 127.0.0.1 and prints the status line of each reply (200 OK at first, 403 Forbidden once the module blocks):

    perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

    Note that 127.0.0.1 is in the DOSWhitelist of the configuration above, so with that file as it is the script only ever gets 200 OK: comment the DOSWhitelist line out and restart Apache while testing, then put it back.
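The parameters above interact in ways that are easier to see by replaying a request timeline than by reading their descriptions. The following Python model is an added example, not part of the original post and not the module's own code: it implements the counting the README describes (a per-URI and a per-site counter for each client IP, and a blocking period that restarts on every request from a blocked IP) with the values of the configuration above as defaults, and runs a constructed timeline through it. The IP addresses and URIs are made up for the example.

```python
"""Model of mod_evasive's per-IP counters, added here to try DOS* settings
against a request timeline before deploying them. It is not the module's
code; it follows the behaviour the README describes: a per-URI and a
per-site counter for each client IP, and a blocking period that restarts
on every request from a blocked IP. Time is counted in whole seconds, as in
the module, so an interval of 1 means "within the same second". A real
server keeps one such table per Apache child process."""


class EvasiveModel:
    """Counters one Apache child would keep; defaults match the configuration above."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=("127.0.0.1",)):
        self.page_count = page_count
        self.page_interval = page_interval
        self.site_count = site_count
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.counters = {}   # "ip_uri" and "ip_SITE" -> [hits, last_seen]
        self.blocked = {}    # ip -> time of its last request while blocked
        self.events = []     # (time, ip, reason) whenever a block starts

    def _hit(self, key, now, limit, interval):
        """Count one hit on key; True if the limit was already reached within interval."""
        entry = self.counters.get(key)
        if entry is None:
            self.counters[key] = [1, now]
            return False
        hits, last_seen = entry
        over = now - last_seen < interval and hits >= limit
        if now - last_seen >= interval:
            hits = 0                     # quiet for a whole interval: count afresh
        entry[0], entry[1] = hits + 1, now
        return over

    def request(self, ip, uri, now):
        """Return the status the module would answer: 200 (pass) or 403 (blocked)."""
        if ip in self.whitelist:
            return 200
        last = self.blocked.get(ip)
        if last is not None and now - last < self.blocking_period:
            self.blocked[ip] = now       # a hit while blocked restarts the period
            return 403
        reasons = []
        if self._hit(f"{ip}_{uri}", now, self.page_count, self.page_interval):
            reasons.append(f"same page {uri}")
        if self._hit(f"{ip}_SITE", now, self.site_count, self.site_interval):
            reasons.append("whole site")
        if reasons:
            self.blocked[ip] = now
            self.events.append((now, ip, ", ".join(reasons)))
            return 403
        return 200


def replay(model, timeline):
    """Feed (time, ip, uri) requests to the model; return the status of each."""
    return [model.request(ip, uri, when) for when, ip, uri in timeline]


# Constructed timeline (addresses from the documentation ranges): a page
# reloaded three times in one second, the same client retrying while blocked
# and again after the period has run out, the whitelisted loopback address,
# and a client fetching 51 distinct objects within one second.
DEMO_TIMELINE = (
    [(0, "198.51.100.7", "/index.html")] * 3
    + [(5, "198.51.100.7", "/about.html"),
       (12, "198.51.100.7", "/about.html"),
       (23, "198.51.100.7", "/about.html")]
    + [(0, "127.0.0.1", "/index.html")] * 3
    + [(30, "203.0.113.9", f"/img/{i}.png") for i in range(51)]
)


def demo():
    """Replay DEMO_TIMELINE with the configuration's defaults; return (statuses, events)."""
    model = EvasiveModel()
    return replay(model, DEMO_TIMELINE), model.events


if __name__ == "__main__":
    statuses, events = demo()
    for (when, ip, uri), status in zip(DEMO_TIMELINE, statuses):
        print(f"t={when:2d} {ip:14} {uri:14} -> {status}")
    for when, ip, reason in events:
        print(f"blocked {ip} at t={when}: {reason}")
```

Two things the replay makes visible. With DOSPageCount 2 and DOSPageInterval 1, the third request for the same URI within one second is refused, and the client stays blocked for DOSBlockingPeriod seconds after its last attempt: a user who hits reload twice in a second is locked out for at least 10 seconds, and one who keeps retrying never gets out. The whole-site counter only trips at the 51st object within one second, which a single page rarely reaches; bear in mind that the real module keeps one table per Apache child, so on a prefork server each child counts separately and the effective thresholds are higher than the configured ones.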

    23/06/2009

    How to install & use debtags

    Filed under: SysAdmin, Ubuntu — acidborg @ 14:13

    Debtags is a command line interface and maintenance tool for debtags’ information. It’s quite useful to search for deb packages with some specific tags.

    To install it, run the following command:

    apt-get install debtags

    Here are some useful options offered by debtags:

    • Update all packages’ tags:

      debtags update

    • Check debtags’ database:

      debtags selfcheck

    • Show tags’ vocabulary:

      debtags tagcat

    • Show all tags:

      debtags tagcat | grep '^Tag:' | awk '{print $2}'

    • Show info about a package:

      debtags show package

      Result for debtags show bash:

      Package: bash
      Essential: yes
      Priority: required
      Section: shells
      Installed-Size: 1344
      Maintainer: Ubuntu Core developers
      Original-Maintainer: Matthias Klose
      Architecture: amd64
      Version: 3.2-5ubuntu1
      Replaces: bash-completion (<< 20060301-0), bash-doc (<= 2.05-1)
      Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
      Pre-Depends: libc6 (>= 2.8), libncurses5 (>= 5.6+20071006-3)
      Recommends: bash-completion (>= 20060301-0)
      Suggests: bash-doc
      Conflicts: bash-completion (<< 20060301-0)
      Filename: pool/main/b/bash/bash_3.2-5ubuntu1_amd64.deb
      Size: 628764
      MD5sum: f71c09143a675a8daede1a668ee98941
      SHA1: 384ef13302e3f11d49399519fe7231c166d253fc
      SHA256: fe15a51dc70b4b0d5ed0556c670ffdf5b0297bb509480f22336684ee156b1d30
      Description: The GNU Bourne Again SHell
      Bash is an sh-compatible command language interpreter that executes
      commands read from the standard input or from a file. Bash also
      incorporates useful features from the Korn and C shells (ksh and csh).
      .
      Bash is ultimately intended to be a conformant implementation of the
      IEEE POSIX Shell and Tools specification (IEEE Working Group 1003.2).
      .
      The Programmable Completion Code, by Ian Macdonald, is now found in
      the bash-completion package.
      Bugs: https://bugs.launchpad.net/ubuntu/+filebug
      Origin: Ubuntu
      Task: minimal, mythbuntu-backend-master, mythbuntu-backend-slave, mythbuntu-desktop, mythbuntu-frontend

    • Show a package’s tags:

      debtags tag ls package

      Result for debtags tag ls bash

      implemented-in::c
      interface::shell
      role::program
      scope::utility
      suite::gnu
      uitoolkit::ncurses

    • Show packages similar or related to a given package:

      debtags related package -d 1

      Result for debtags related bash -d 1

      bash-minimal - The GNU Bourne Again SHell (minimal version)
      es - (short description not available)
      fish - a friendly interactive shell
      tcsh - TENEX C Shell, an enhanced version of Berkeley csh
      zsh-beta - A shell with lots of features (dev tree)

      More distant packages are listed if you increase the value of -d.

    • Show packages with a given tag:

      debtags search tag

      For example, to obtain IPv6 enabled packages: debtags search protocol::ipv6

    • Show packages with no tags:

      debtags todo

    • Show stats about packages’ tags:

      debtags stats

      Result for debtags stats in Ubuntu 9.04:

      Total count of packages: 34703
      Total count of packages (according to APT): 34703
      Total count of packages (according to Debtags): 32603
      Number of facets: 30
      Number of tags: 578
      Number of packages with tags, but no special::not-yet-tagged tags: 24547 (75.3%)
      Number of packages with special::not-yet-tagged tags: 8056 (24.7%)
      Number of packages with only special::not-yet-tagged tags: 2932 (9.0%)
      Number of packages with no tags: 0 (0.0%)


    12/06/2009

    Installing ModSecurity for Apache in Ubuntu Server 9.04

    Filed under: SysAdmin, Ubuntu — acidborg @ 09:41

    From its website: “ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.”

    Its installation is simple:

    apt-get install libapache-mod-security

    To enable ModSecurity in Apache, create the file /etc/apache2/conf.d/mod_security.conf.

    (The content of this file was posted as an image, because LiveJournal doesn’t allow XML code inside the posts, and is not reproduced here.)
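Since the original file is not readable here, the following is an added example of a minimal /etc/apache2/conf.d/mod_security.conf for the ModSecurity 2.5 package in Ubuntu 9.04; it is not the author's file. It assumes the log directory and rules directory created in the steps below, and starts the engine in DetectionOnly mode so that the Core Rule Set can be watched for false positives before it is allowed to block anything.

```apache
# Added example of /etc/apache2/conf.d/mod_security.conf for the ModSecurity
# 2.5 package in Ubuntu 9.04. It is not the author's file (that was posted as
# an image) and assumes the directories created in this post.
<IfModule security2_module>
    # Evaluate and log the rules without blocking anything yet. Change this
    # to "On" once the audit log shows no false positives for normal traffic.
    SecRuleEngine DetectionOnly

    # Inspect request bodies so that POST parameters are covered; leave
    # response bodies alone to keep the overhead down.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Working directories for uploads and persistent collections. /tmp works,
    # but a directory owned by www-data and not shared with other users is better.
    SecTmpDir /tmp
    SecDataDir /tmp

    # Audit only the transactions that matched a rule or ended in an error
    # (5xx, and 4xx other than 404), as one serial log in the directory made below.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/mod_security/modsec_audit.log
    SecDebugLog /var/log/apache2/mod_security/modsec_debug.log
    SecDebugLogLevel 0

    # No Include is needed for the rules: apache2.conf already includes
    # /etc/apache2/conf.d/ and Apache 2.2 reads its subdirectories too, so the
    # files under conf.d/mod_security/ are loaded in alphabetical order, which
    # puts modsecurity_crs_99_disabled_rules.conf after the rules it removes.
</IfModule>
```

Run apache2ctl configtest after writing it, and switch SecRuleEngine to On only once the audit log has stayed quiet for normal traffic. The Core Rule Set tarball's own modsecurity_crs_10_config.conf carries engine and logging directives of its own (its logs/ paths are what the symlink below is for); both files sit in the server context and the one loaded last wins, so keep the two consistent rather than relying on load order.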

    Then, make a directory to store the logs generated by ModSecurity and link it as /etc/apache2/logs; ModSecurity resolves relative log paths such as logs/modsec_audit.log (the ones the Core Rule Set's default configuration uses) against ServerRoot, which is /etc/apache2 on Ubuntu:

    mkdir /var/log/apache2/mod_security

    ln -s /var/log/apache2/mod_security /etc/apache2/logs

    After that, download the latest set of rules, the Core Rule Set, from the ModSecurity website (called modsecurity-core-rules*.tar.gz).

    Afterwards, configure the set of rules:

    mkdir /etc/apache2/conf.d/mod_security

    cp modsecurity-core-rules* /etc/apache2/conf.d/mod_security/

    cd /etc/apache2/conf.d/mod_security

    tar xvfz modsecurity-core-rules*

    rm CHANGELOG LICENSE README modsecurity-core-rules*.tar.gz

    If you want to disable any rule, just create the file /etc/apache2/conf.d/mod_security/modsecurity_crs_99_disabled_rules.conf and tell ModSecurity which rules on which locations you want to disable, using SecRuleRemoveById inside a <Location> or <LocationMatch> block for the affected path (the rule ids appear as [id "..."] in the ModSecurity log files in /var/log/apache2/mod_security). The 99 prefix makes the file load after the rule files, which is required for the removal to take effect. (The example that followed here in the original post is not reproduced.)

    To let logrotate do its job, replace the first line of /etc/logrotate.d/apache2 with this one:

    /var/log/apache2/*.log /var/log/apache2/mod_security/*.log {

    Finally, restart your Apache server:

    /etc/init.d/apache2 restart
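Once ModSecurity has been running for a while, the disabled-rules step above needs the ids of the rules that fired and the locations they fired on. The following Python script is an added example, not code from the post or from the ModSecurity project: it parses a serial audit log (constructed here; the rule ids and messages only illustrate the format) into path -> {rule id: message} and renders a draft modsecurity_crs_99_disabled_rules.conf from it. It assumes the layout of ModSecurity 2.x's Serial audit log: one transaction per --<id>-A-- ... --<id>-Z-- group, the request line in section B, and the Message: lines carrying [id "..."] and [msg "..."] in section H.

```python
"""Added example: extract the rule ids that fired from a ModSecurity 2.x
serial audit log and draft the per-location disabled-rules file. The log
excerpt is constructed for the example; ids and messages are illustrative."""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
--6f2a1c3b-A--
[12/Jun/2009:09:41:17 +0200] SjH9@X8AAQEAABcyE2kAAAAC 198.51.100.23 51722 192.0.2.10 80
--6f2a1c3b-B--
GET /search.php?q=1%20union%20select%20version() HTTP/1.1
Host: www.example.org
--6f2a1c3b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:union|select)" at ARGS:q. [file "/etc/apache2/conf.d/mod_security/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--6f2a1c3b-Z--

--7b9d0e4f-A--
[12/Jun/2009:09:42:03 +0200] SjH9@X8AAQEAABcyE2kAAAAD 203.0.113.5 49211 192.0.2.10 80
--7b9d0e4f-B--
POST /wiki/Edit HTTP/1.1
Host: www.example.org
--7b9d0e4f-H--
Message: Warning. Pattern match "(?:ls|cat) " at ARGS:text. [file "/etc/apache2/conf.d/mod_security/modsecurity_crs_40_generic_attacks.conf"] [line "51"] [id "950006"] [msg "System Command Injection"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/mod_security/modsecurity_crs_21_protocol_anomalies.conf"] [line "33"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--7b9d0e4f-Z--

--8c3e1f5a-A--
[12/Jun/2009:09:43:40 +0200] SjH9@X8AAQEAABcyE2kAAAAE 198.51.100.23 51730 192.0.2.10 80
--8c3e1f5a-B--
GET /search.php?q=select%20all HTTP/1.1
Host: www.example.org
--8c3e1f5a-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:union|select)" at ARGS:q. [file "/etc/apache2/conf.d/mod_security/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/mod_security/modsecurity_crs_21_protocol_anomalies.conf"] [line "33"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--8c3e1f5a-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$", re.MULTILINE)
RULE = re.compile(r'\[id "(\d+)"\](?:.*?\[msg "([^"]*)"\])?')


def transactions(audit_log):
    """Yield {section letter: text} for each transaction of a serial audit log."""
    pieces = BOUNDARY.split(audit_log)   # [preamble, id, letter, body, id, letter, body, ...]
    current, current_id = {}, None
    for i in range(1, len(pieces), 3):
        tx_id, letter, body = pieces[i], pieces[i + 1], pieces[i + 2]
        if tx_id != current_id:
            if current:
                yield current
            current, current_id = {}, tx_id
        current[letter] = body.strip()
    if current:
        yield current


def rules_by_path(audit_log):
    """Map each request path to {rule id: message} for the rules that fired on it."""
    result = defaultdict(dict)
    for tx in transactions(audit_log):
        parts = tx.get("B", "").split("\n", 1)[0].split()
        if len(parts) < 2:
            continue                      # no usable request line (truncated record)
        path = parts[1].split("?", 1)[0]  # drop the query string
        for rule_id, msg in RULE.findall(tx.get("H", "")):
            result[path][rule_id] = msg
    return dict(result)


def removal_config(audit_log):
    """Render a draft modsecurity_crs_99_disabled_rules.conf: one <LocationMatch>
    per path, each rule's message as a comment on its own line (Apache does
    not accept a comment after a directive on the same line)."""
    lines = ["# Draft generated from the audit log: review each entry before keeping it."]
    for path, rules in sorted(rules_by_path(audit_log).items()):
        anchored = "^" + re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", path) + "$"
        lines.append(f'<LocationMatch "{anchored}">')
        for rule_id, msg in sorted(rules.items()):
            lines.append(f"    # {msg}")
            lines.append(f"    SecRuleRemoveById {rule_id}")
        lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(removal_config(SAMPLE_AUDIT_LOG))
```

Treat the output as a worklist rather than a file to install: every SecRuleRemoveById switches a check off for that location for good, so confirm each hit is a false positive (the request in section B and the matched data in the message tell you) before keeping the line, and prefer removing a rule for one path over removing it site-wide.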

    08/06/2009

    Installing & using etckeeper in Ubuntu 9.04

    Filed under: SysAdmin, Ubuntu — acidborg @ 16:28

    Etckeeper is a collection of tools to store /etc in a version control system. It lets you read the changes that have been made to the files in /etc, document them, and recover a previous version of a modified file in case you made changes you don’t want to keep.

    Its installation is trivial:

    apt-get install etckeeper

    By default, the Bazaar distributed version control system is used, but you can use Git, Mercurial or Darcs instead. You just have to edit its configuration file (/etc/etckeeper/etckeeper.conf) and uncomment the line with your favorite DVCS (and comment out the line VCS="bzr" if you don’t want to use Bazaar).

    To initialize etckeeper use:

    etckeeper init

    To make your first commit to etckeeper use:

    etckeeper commit "Initial commit"

    Any time you make a change to any file in /etc and you want to document it, use the previous command with the corresponding explanation.

    Changes to /etc before installing new software using dpkg or apt are committed automatically by default. You can change this by editing its configuration file and uncommenting AVOID_COMMIT_BEFORE_INSTALL=1. Besides, etckeeper commits changes automatically every day, so if you want to avoid it, uncomment AVOID_DAILY_AUTOCOMMITS=1 in its configuration file. Since /etc holds files such as /etc/shadow and private keys, make sure the repository directory (/etc/.bzr) stays readable by root only, and keep that in mind before pushing the repository anywhere.

    Here are some useful commands to take advantage of etckeeper if you use Bazaar DVCS:

    • To show etckeeper’s history:

      bzr log --line /etc

    • To show differences between the last version and the current state of /etc:

      bzr diff /etc

    • To show changes in version X:

      bzr diff -cX /etc

    • To recover version X of a FILE:

      bzr revert -rX /etc/FILE

    04/06/2009

    Ubuntu man pages repository

    Filed under: SysAdmin, Ubuntu — acidborg @ 18:37

    Reading a lot of man pages and searching through them on a regular basis isn’t always easy. So, if you feel more comfortable using your web browser than your console, you can use the Ubuntu man pages repository.

    You can browse through all the man pages or just search for the command or config file you’re looking for, choosing the Ubuntu release you use. But the most useful option, IMHO, is the search plugin they provide, so that you can search from your browser’s bar without visiting the site whenever you want to look for a man page.

    Blog at WordPress.com.