JMC's questions

Goal: Reduce Server Load from Malicious Requests

Sometimes servers receive a large number of requests for pages that dont exist. Usually the requests are malicious in nature because the attacker is looking for an admin panel or other files using brute force.

These requests can severely degrade server performance because Apache spins up so many connections. When tools such as Fail2ban aren't able to stop them (i.e. attacks using multiple subnets instead of single ips) what are the options?

Is there a way to configure Apache or another add-on tool to override the web application and return a non load intensive 404 page (static .html, etc)?

I'm working with an apache 2.2 server that is receiving lots of requests for content that does not exist on the server (edit: the specific content request changes frequently). It appears to be an attack from someone with access to a large number of hacked websites, because the requests are from vastly different sources and they all started at one time. They are also probing the server for common vulnerabilities like /admin.php etc peppered throughout the attack.

Example from the access logs:

"Get /picofperson.jpg HTTP/1.1" 404 201 "http://www.somerealwebsiteaddress.com/regular/13/3.html" "Mozilla/3.0 (Windows NT 6.3; WOW)"

Question: What is a good way to mitigate this type of attack and does this type of attack have a formal name besides ddos?

I'm currently blocking unusual user agents and requests from specific referrers, but the attack continues to morph.

After updating PAM secure log started showing:

su: PAM unable to dlopen(/lib64/security/pam_rootok.so): /lib64/security/pam_rootok.so: undefined symbol: selinux_check_access
su: PAM adding faulty module: /lib64/security/pam_rootok.so

Given the name of the file this seems like a serious concern, but I can't find any information about the error. I don't let anyone log onto this server so I'm not trying to protect against local users, but I still want PAM to work properly against anyone who has gained unauthorized access.

Edit: pam_rootok.so does exist and its permissions are the same as the other files under /lib64/security. Also su seems to work since I can still move from non-root users to root.

On CentOS linux, I just deleted a large log file over 3gb on XFS file system. After deleting the file, the available file space did not return to the drive seen via df -h. Is there anything I can do to find the missing free space?

I'm looking at a server that might be misconfigured to handle Denial of Service. The database was knocked offline after the attack, and was unable to restart itself after it failed to restart when the attack subsided.

Details of the Attack:

The Attacker either intentionally or unintentionally sent 1000's of search queries using the applications search query url within a couple of seconds. It looks like the server was overwhelmed and it caused the database to log this message:

121118 20:28:55 InnoDB: Initializing buffer pool, size = 512.0M
InnoDB: mmap(549453824 bytes) failed; errno 12

Server Specs: 1.5GB of dedicated memory

Are there any obvious mis-configurations here that I'm missing?

**mysql.log**
121118 20:28:54 mysqld_safe Number of processes running now: 0
121118 20:28:54 mysqld_safe mysqld restarted
121118 20:28:55 [Warning] option 'slow_query_log': boolean value '/var/log/mysqld.slow.log' wasn't recognized. Set to OFF.
121118 20:28:55 [Note] Plugin 'FEDERATED' is disabled.
121118 20:28:55 InnoDB: The InnoDB memory heap is disabled
121118 20:28:55 InnoDB: Mutexes and rw_locks use GCC atomic builtins
121118 20:28:55 InnoDB: Compressed tables use zlib 1.2.3
121118 20:28:55 InnoDB: Using Linux native AIO
121118 20:28:55 InnoDB: Initializing buffer pool, size = 512.0M
InnoDB: mmap(549453824 bytes) failed; errno 12
121118 20:28:55 InnoDB: Completed initialization of buffer pool
121118 20:28:55 InnoDB: Fatal error: cannot allocate memory for the buffer pool
121118 20:28:55 [ERROR] Plugin 'InnoDB' init function returned error.
121118 20:28:55 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
121118 20:28:55 [ERROR] Unknown/unsupported storage engine: InnoDB
121118 20:28:55 [ERROR] Aborting

**ulimit -a**
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 13089
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 1024
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

**httpd.conf**
StartServers 10
MinSpareServers 8
MaxSpareServers 12
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000

**my.cnf**
innodb_buffer_pool_size=512M
# Increase Innodb Thread Concurrency = 2 * [numberofCPUs] + 2
innodb_thread_concurrency=4
# Set Table Cache
table_cache=512
# Set Query Cache_Size
query_cache_size=64M
query_cache_limit=2M
# A sort buffer is used for optimizing sorting
sort_buffer_size=8M
# Log slow queries
slow_query_log=/var/log/mysqld.slow.log
long_query_time=2
#performance_tweak
join_buffer_size=2M

**php.ini**
memory_limit = 128M
post_max_size = 8M

I've noticed there are a large number of servers running Magento Commerce that will return a fatal error showing the system path:

Fatal error: Uncaught exception 'Exception' with message 'File '/usr/local/www/magento/data1702/media/css' does not exists.' in /usr/local/www/magento/data1702/lib/Varien/File/Transfer/Adapter/Http.php:96 Stack trace: #0 /usr/local/www/magento/data1702/get.php(205): Varien_File_Transfer_Adapter_Http->send('/usr/local/www/...') #1 /usr/local/www/magento/data1702/get.php(165): sendFile('/usr/local/www/...') #2 {main} thrown in /usr/local/www/magento/data1702/lib/Varien/File/Transfer/Adapter/Http.php on line 96

Magento as an application is generally good about supressing error messages. How can a linux server running apache be configured to avoid returning this error message since the app has problems suppressing it.

Running yum --security check-update returns this message:

Security: kernel-3.x.x-x.63 is an installed security update 
Security: kernel-3.x.x-x.29 is the currently running version

I already ran the yum security update on the kernel, but it looks like it didn't change the version running on the system. What needs to be done to make it run the new kernel? Are there any concerns about why it didn't change during the installation process? The yum log just shows installed for the new kernel no error messages.

I have a server that no longer lists the current security relevant updates when using:

yum list-security or yum --security check-updates

At one point yum tried to update a package and couldn't figure out how to resolve the dependencies. Since that time, new security updates aren't showing (I know there are some because I run other server with similar software packages). Yum shows that the only security relevant package is the one that failed. What steps can I take to get yum working again?

yum update still works on any package I manually tell it to update.

I have a CentOS "development / testing" server that runs extremely slowly. It's running Apache and Mysql using PHP. Top reports that 98% of the CPU utilization is frequently spent on "st" - Steal Time. What could cause a server to spend so much CPU on steal time, and how can I diagnose the problem? I didn't notice the problem until after I granted a third party developer root access (for all I know it has a root kit running, though unlikely).

OS: CentOs

Whenever apache (apache2) creates a file or directory it automatically sets the permissions to 777. I want it's directories to be 775 and files 664. How can I fix this?

I'm working with a dedicated CentOS server where the base exposed webdirectory is /var/www/html

For security, who should own the html directory "root" or "apache"?

The perms are drwxrwxr-x (are those optimal?)

Are there any IP address blacklisting programs for Linux servers that allow the administrator to specify certain conditions that trigger an iptables blacklist on IP addresses scanning for vulnerabilities?

Example:

An IP address scans my web server for every default URL of phpMyAdmin. That's obviously a bot I don't want to be communicating with my server, so I'd like to blacklist its IP address for a day.

What options do I have for stopping those bots?

I'm having trouble redirecting urls that include cgi-bin in the path

Example:

http://website.com/cgi-bin/pc.storefront/en/product/product.aspx?iid=123

.htaccess
redirect 301 /cgi-bin/pc.storefront/en/product/product.aspx?iid=123 http://website.com/homepage.html

With that redirect the server returns: /cgi-bin/pc.storefront/en/product/product.aspx does not exist on this server error messaging.

However, if keeping everything the same and removing cgi-bin from the equation then the redirect works perfectly.

The server is apache2 using mod_rewrite. cgi is also disabled in httpd.conf. Are the any concerns related to redirecting cgi-bin?

I want to connect to a Linux Database Server on a private subnet through a Linux SSH Bastion Server situated on a public subnet. I also want to create a tunnel to port 3306.

When I attempt to create the SSH connection from the Bastion server, I receive "Permission Denied (publickey)." message.

ssh -L 10.0.0.10:22:10.0.1.10:22 [email protected]

Here's the debug output where it fails:

> debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

The correct Public key is already on DB Server, so I think I need to enter the private RSA key somewhere. Where do I enter the private key? Also are there any sshd config changes required to create the tunnel on 3306?

I want to improve the performance of a web application running on Apache, so I created a Raid Array on /dev/md0.

Now I need to figure out how to move the application to the array and make sure that Apache will still serve it when someone accesses my domain.

Web application is in the directory: /var/www/html - Raid Array device is: /dev/md0

How do I make the application run on the array?

Cross Posted at: https://unix.stackexchange.com/questions/21713/move-web-directory-to-raid-array

I'm trying to find documentation that discusses a secure way to create a permanent connection between an Apache Webserver and a separate MySQL database server. I'm not having a lot of luck finding the standard process to connect the two securely. How is this typically done?

Back story: I was cleaning up hacked web space on a shared host the other day, and found a script in the web directory that allows the attacker to inject code into all php and html files in the web directory. It had access to everything in the web directory, but I'm not sure which user permissions the file had.

Question: I think it would be difficult to prevent a php script running on a shared web host from having access to other web files (php, html, etc), due to lack of server configuration options. Is there a way to configure a linux apache http server (where you have full root access) so that even if the attacker was able to upload a script like that to the web directory, it wouldn't have access to modify other files on the server?

How do I kill the process running php scripts on a linux box? I'm using Debian with php5.

Sometimes during development a php script will continue to interact with a 3rd party webserver even after I've hit stop on the browser that I was testing it in. If I accidentally write an infinite loop, then it can get pretty annoying for the 3rd party. I can stop my local webserver, but the script usually continues where it left off once I restart the local server. What can I do to stop the script until I run it again?

I'm running a Cent OS Linux apache web server, and its primary function is to serve the content in an iframe to one specific ip address. I want to see all ip addresses that have accessed the web server over the last month. Is there generally a log I can view with that information on apache web servers? I haven't installed any extra logging, it's a basic apache install. I understand that all configurations are different.

I tried to create a development server by copying a website from one host to a second different host, but the servers seem to handle virtual paths differently.

On the main server this works:

<link href="/styles/styles.css" rel="stylesheet" type="text/css">

On the dev server the same path would need to be written as (without the first slash):

<link href="styles/styles.css" rel="stylesheet" type="text/css">

How can I make the dev server work with the main servers files without rewritting the paths? Is this something I can do from .htaccess with mod rewrite?