Showing posts with label Apache.

Apache Hardening: Limit Request Size


By default Apache puts no limit on the total size of an HTTP request, i.e. it is unlimited, and when a web server accepts arbitrarily large requests it can fall victim to denial of service attacks. The request body size can be limited with the Apache directive “LimitRequestBody”, placed inside a Directory container.

This is generally preferred for websites/blogs that offer an upload option over HTTP: an unlimited upload size can seriously affect the site, and attackers can use it to compromise the site with a DDoS.

The value is a number of bytes from 0 (unlimited) to 2147483647 (2 GB) that are allowed in a request body. Set the limit according to your site's needs.


In this example, my_uploads is a directory containing files uploaded by users. We will put a limit of 500K on it by adding the following to the Apache configuration file (httpd.conf):

<Directory "/var/www/mywebsite/my_uploads">
LimitRequestBody 512000
</Directory>
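To see which containers of a configuration are actually covered, here is an added audit script (not code from the original post) that reads httpd.conf text, collects the LimitRequestBody value per Directory/Location container, and flags containers that stay unlimited or exceed a ceiling you choose. The sample configuration inside it is constructed; only the my_uploads block comes from the post.

```python
"""Audit LimitRequestBody coverage in an Apache configuration.

Added example, not code from the original post. It walks <Directory> and
<Location> containers in httpd.conf text, records the LimitRequestBody set in
each, and flags containers that leave the body size unlimited (0 or absent at
every level) or above a chosen ceiling. Sizes are bytes, as the directive takes.
A container without its own directive inherits the server-wide value; .htaccess
overrides are not modelled.
"""
import re

OPEN = re.compile(r'^\s*<(Directory|Location|DirectoryMatch|LocationMatch)'
                  r'\s+"?([^">]+?)"?\s*>\s*$', re.I)
CLOSE = re.compile(r"^\s*</(Directory|Location|DirectoryMatch|LocationMatch)\s*>\s*$", re.I)
LIMIT = re.compile(r"^\s*LimitRequestBody\s+(\d+)\s*$", re.I)

# Constructed httpd.conf fragment; only the my_uploads block is from the post.
SAMPLE_CONF = """\
LimitRequestBody 10485760
<Directory "/var/www/mywebsite/my_uploads">
    LimitRequestBody 512000
</Directory>
<Location "/api/import">
    LimitRequestBody 0
</Location>
<Directory "/var/www/mywebsite/static">
    Options -Indexes
</Directory>
"""


def limits_by_container(config_text):
    """Map 'Directory /path' / 'Location /url' to its own limit; '*' is server-wide, None = absent."""
    limits = {"*": None}
    current = "*"
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # Apache comments occupy whole lines
        opened = OPEN.match(line)
        if opened:
            current = "%s %s" % (opened.group(1), opened.group(2))
            limits.setdefault(current, None)
        elif CLOSE.match(line):
            current = "*"
        else:
            found = LIMIT.match(line)
            if found:
                limits[current] = int(found.group(1))
    return limits


def audit_limits(config_text, ceiling):
    """Return [(container, effective_limit, verdict)], verdict in 'unlimited' | 'too large' | 'ok'."""
    limits = limits_by_container(config_text)
    server_wide = limits["*"] or 0        # absent and 0 both mean unlimited
    report = []
    for name, own in limits.items():
        effective = server_wide if own is None else own
        if effective == 0:
            verdict = "unlimited"
        elif effective > ceiling:
            verdict = "too large"
        else:
            verdict = "ok"
        report.append((name, effective, verdict))
    return report
```

Run `audit_limits(SAMPLE_CONF, 1048576)` for a 1 MiB ceiling; the static directory shows up as inheriting the 10 MB server-wide value, and the API location as unlimited.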



Installation of Apache Tomcat on Ubuntu





Steps:
  • Download and install the OpenJDK package for Java (mandatory)
  • Download the Tomcat tarball from the official Tomcat webpage
  • Untar / unzip the tarball
  • Make a directory specific for Tomcat and its relevant files
  • Move the Tomcat files to that directory
  • Locate the startup.sh and shutdown.sh files in order to start/stop Tomcat

Here we are about to download and install Tomcat 8 on CentOS 6.8

Install OpenJDK to fulfill java requirement.
## sudo apt-get install openjdk*
Make a directory specific for Tomcat.
## sudo mkdir /opt/tomcat
Download Apache Tomcat from the official website.

Move the downloaded tarball apache-tomcat-x.xx.x.tar.gz into /opt/tomcat

## sudo mv  apache-tomcat-8.5.13.tar.gz /opt/tomcat/
Extract the tarball inside /opt/tomcat
## cd /opt/tomcat
## tar -xvf apache-tomcat-8.5.13.tar.gz
After extracting the tarball there will be a folder named apache-tomcat-8.xx.xx

Change into the bin directory of the extracted folder

## cd /opt/tomcat/apache-tomcat-8.xx.xx/bin/
Look for file startup.sh and shutdown.sh

# Start tomcat using the startup script

## ./startup.sh
Stop it with the shutdown script.

## ./shutdown.sh

Once you are in the extracted Tomcat directory you will find the subdirectories below; each has a specific responsibility.
Let's go through the Apache Tomcat directories and see why each exists:


bin  ==> Contains all binary and script files for running Tomcat
lib  ==> Contains shared library files used by Tomcat
conf ==> Contains configuration files such as ports, directories etc.
logs ==> Contains the various log files related to Tomcat, e.g. catalina.out
temp ==> Contains temporary files associated with Tomcat
webapps ==> Important folder: application WAR files are deployed here
work ==> If an application contains JSPs, they are translated and compiled into servlets, which are stored here

Tomcat looks for several environment variables in order to run; they are listed below.
  • CATALINA_HOME
  • CATALINA_BASE
  • CATALINA_TMPDIR
  • JRE_HOME/JAVA_HOME
  • CLASSPATH
The mandatory environment variables that must be defined in order to run Tomcat:


CATALINA_HOME
  1. This is the most important environment variable; it must be defined in order to run multiple instances of Tomcat on the same host.
  2. The directory it points to must be the main Tomcat installation, which contains all the extracted binary data including the bin and lib directories.
  3. So CATALINA_HOME is where the lib and bin directories are taken from.
CATALINA_BASE
Based on this variable, the server locates the conf, logs, webapps and work folders.






How to fix : OpenSSL Sweet 32 Birthday attack Vulnerability






The Sweet32 birthday attack affects the triple-DES cipher. OpenSSL has rated the triple-DES vulnerability as low, but stated that “triple-DES should now be considered as ‘bad’ as RC4.”

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.


Fix:

Verify the cipher status with the commands below.

The openssl ciphers command lists the ciphers available to OpenSSL:




openssl ciphers

To check whether the server accepts DES and 3DES under each protocol version, the commands below will help.

 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl2
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2



Find your SSL config file (openssl.conf) and locate the SSLCipherSuite directive.

You will probably find a long list of ciphers, separated by colons, after SSLCipherSuite.

Add ! before DES and 3DES to disable those ciphers, appending them to the list with :

 ! -- means do not use this cipher
 : -- separates one cipher entry from the next
It should look like below, with your existing ciphers kept in front (a cipher string made only of ! exclusions selects no ciphers at all):

SSLCipherSuite <existing cipher list>:!3DES:!DES

Save and close the SSL config file and restart Apache to apply the changes.

On Ubuntu/Debian

systemctl restart apache2

On RHEL/CentOS

systemctl restart httpd
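To check a cipher string before restarting Apache, here is an added checker (not code from the original post) that applies the OpenSSL cipher-string rules to the DES and 3DES families and also catches the case where the string contains only exclusions. The keyword table it uses is an assumption, deliberately conservative, so a class such as HIGH or MEDIUM is treated as still containing 3DES.

```python
"""Audit an Apache SSLCipherSuite value for single-DES and triple-DES (Sweet32).

Added example, not code from the original post. It applies the OpenSSL
cipher-string rules to two cipher families only: entries are ':'-separated,
'!' kills a match permanently, '-' removes it (it may be re-added later),
'+' only reorders, and '@...' entries are modifiers. The keyword table is a
constructed, deliberately conservative assumption: any keyword that pulls in
a family in some OpenSSL release is treated as pulling it in.
"""

# 3DES sat in HIGH before OpenSSL 1.1.0 and in MEDIUM afterwards; single DES
# was LOW and is in ALL/DEFAULT only on pre-1.1.0 builds. Both are listed.
FAMILY_KEYWORDS = {
    "3DES": {"ALL", "DEFAULT", "HIGH", "MEDIUM", "3DES", "DES-CBC3-SHA"},
    "DES": {"ALL", "DEFAULT", "LOW", "DES", "DES-CBC-SHA"},
}


def _mentions(body, family):
    """True if any '+'-joined component of an entry names the family (over-approximates)."""
    return any(part.upper() in FAMILY_KEYWORDS[family] for part in body.split("+") if part)


def audit_cipher_suite(value):
    """Return {'positive_entries': n, '3DES': enabled?, 'DES': enabled?, 'errors': [...]}.

    A family is True when the server may still negotiate it after all rules apply.
    """
    enabled = {"3DES": False, "DES": False}
    killed = {"3DES": False, "DES": False}
    positive, errors = 0, []
    for raw in value.strip().split(":"):
        entry = raw.strip()
        if not entry or entry.startswith("@"):      # @STRENGTH, @SECLEVEL=n
            continue
        op = entry[0] if entry[0] in "!-+" else ""
        body = entry[len(op):]
        if op == "":
            positive += 1
        for fam in enabled:
            if not _mentions(body, fam):
                continue
            if op == "!":
                killed[fam], enabled[fam] = True, False
            elif op == "-":
                enabled[fam] = False
            elif op == "" and not killed[fam]:
                enabled[fam] = True
    if positive == 0:
        # e.g. 'SSLCipherSuite !3DES:!DES' on its own: only exclusions, nothing enabled
        errors.append("no positive entries: this cipher string enables nothing")
    return {"positive_entries": positive, "3DES": enabled["3DES"],
            "DES": enabled["DES"], "errors": errors}
```

Because the table over-approximates, a "3DES: True" result means "confirm with openssl ciphers -v on the server", while "False" after a ! rule is definitive.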

SOLVED: PHP installed but still “php: command not found”



I have encountered the problem while upgrading PHP version from 5.3 to 5.4 or 5.5

By default RHEL keeps its stable version of PHP on the system, even after the upgrade.
This is why it still shows the old default version even after upgrading.

cybeerkeeda@Linux-Maniac:~ php -v
PHP 5.3.3 (cli) (built: Nov 29 2012 14:12:23)
Copyright (c) 1997-2010 The PHP Group



But Wait... we know we have upgraded the version of PHP to 5.4

For some users, running the same command shows command not found:

cybeerkeeda@Linux-Maniac:~ php -v
bash: php: command not found


Fix: enable it by sourcing the path of the new version.

cybeerkeeda@Linux-Maniac:~ source /opt/rh/php54/enable
Run the php command again to verify
cybeerkeeda@Linux-Maniac:~ php -v

PHP 5.4.14 (cli) (built: May 23 2013 15:42:19)
Copyright (c) 1997-2013 The PHP Group




Hope it works for you too.





PHP: how to install, configure and enable the ZIP extension from source on CentOS / RHEL 6



Enabling ZIP in PHP 5.6 does not follow the common approach for enabling an extension, since it requires the libzip packages at version 0.11 or greater.

RHEL only ships a libzip newer than 0.9 with RHEL 7.3 or later, hence the approach for enabling this has to be slightly different.


To avoid these challenges, we must install the module using PECL.

Download Packages as required from --  http://pecl.php.net/package/zip

Here I have downloaded     zip-1.11.0.tgz

Now just execute the PECL command below (the uninstall form is shown for removing a package later).

# pecl install zip-1.11.0.tgz

# pecl uninstall XXXX

It will guide you through the rest of the work, but I still want to add this:

Locate your php.ini file and add "extension=zip.so" to it.

Once you are done, remember to reload/restart apache to apply the effect / changes.

Verify: you should see something like the below in your phpinfo.php page.







How to install the OCI8 extension within PHP and Apache



Necessity is the mother of Invention ( * googling ).

I got to know how to install oci8 from various blogs and forums, and have consolidated all the points from them here so that you don't have to look for them.

The Oracle extension depends on the Oracle Client packages.

Download the Oracle client packages from the official Oracle website.


I have downloaded the below mentioned packages

oracle-instantclient12.1-basic-12.1.0.2.0-1.x86_64.rpm
oracle-instantclient12.1-basiclite-12.1.0.2.0-1.x86_64.rpm
oracle-instantclient12.1-devel-12.1.0.2.0-1.x86_64.rpm
oracle-instantclient12.1-odbc-12.1.0.2.0-1.x86_64.rpm
oracle-instantclient12.1-sqlplus-12.1.0.2.0-1.x86_64.rpm

To ignore the package conflicts between old and new versions, use -U (upgrade) with rpm:

# rpm -Uvh oracle-instantclient12.1-basic-12.1.0.2.0-1.x86_64.rpm

Same way, install the remaining packages too.

Once done, confirm ORACLE_HOME, as it will be required for the oci8 installation:

# echo $ORACLE_HOME

If it shows the path of an older version (10.1, 9.01 or any other), then at least for the installation we have to set it temporarily to the location where the new Oracle client package exists.

Set the environment variable temporarily for the Oracle client 12 version:

# export ORACLE_HOME="/usr/lib/oracle/12.1/client64/"

Verify using command

# echo $ORACLE_HOME

It must show /usr/lib/oracle/12.1/client64/

* It might also be necessary to set LD_LIBRARY_PATH:

# export LD_LIBRARY_PATH=/usr/lib/oracle/12.1/client64/lib


*** Remember this is a temporary environment variable, not a permanent one: once the user exits the terminal, the permanent path will show again.

You can set the permanent path in bash environment files.

Installation of the oci8 package from PECL.
Now download the oci8 package from the official PECL website.


Remember, you must download the Linux package with a .tgz extension, otherwise pecl will not recognize the package given to it for installation.


Run the following command to install and enable the oci8 extension.
# pecl install  oci8-2.0.5.tgz 

If the installation completed successfully, locate your php.ini and add the following line.

extension=oci8.so

#locate php.ini

In my case I found it at /usr/local/lib/php.ini; run the command below to append the line above:

# echo "extension=oci8.so" >>  php.ini

That’s it!

But for me it was not even enough; during the installation I got some additional errors:

checking Oracle ORACLE_HOME install directory... /usr/lib/oracle/12.1/client64/lib/
checking ORACLE_HOME library validity... configure: error: Expected an ORACLE_HOME top level directory but /usr/lib/oracle/12.1/client64/lib/ appears to be an Instant Client directory. Try --with-oci8=instantclient,/usr/lib/oracle/12.1/client64/lib/
ERROR: `/var/tmp/oci8/configure --with-oci8=/usr/lib/oracle/12.1/client64/lib/' failed

Here is the fix for it, again a temporary path passed to PECL:

# echo "instantclient,/usr/lib/oracle/12.1/client64/lib" | pecl install oci8-2.0.5.tgz

Here I just passed what it was asking for :)

Confirm using the phpinfo.php page: you should see an oci8 section like the screenshot below.




How to enable the PHP LDAP module / extension in XAMPP



Before proceeding, check whether the LDAP module is enabled by default or not; you can verify this using a phpinfo.php page.

To check, create a PHP file named phpinfo.php within the htdocs folder:

create a notepad file and rename it phpinfo.php, then paste the code below into it and save it into the htdocs folder

<?php
        phpinfo();
?>


Open the browser and go to https://localhost/phpinfo.php

If you see the screenshot below, you don't need to do anything: the php_ldap module is already enabled in your XAMPP server.



If you can't find anything like that, just follow the steps below.


  • Change directory to C:\xampp\php
  • Find and copy the listed files:
  1.      libeay32.dll
  2.      libsasl.dll
  3.      ssleay32.dll
  • Copy them into C:\Windows\System32
  • Now change directory again to C:\xampp\php
  • Find and open the file named php.ini
  • Find the line below and uncomment it to enable the extension:
       ;extension=php_ldap.dll


Make it look like the screenshot below by removing the ; so that the line reads extension=php_ldap.dll


Now restart Apache from the XAMPP control panel.
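The php.ini edits in this post and in the zip and oci8 posts above are the same operation, so here is an added helper (not code from the original posts) that does both safely: it uncomments a disabled `;extension=...` line when one exists and otherwise appends the line once, so running it twice does not add a duplicate the way `echo ... >> php.ini` does. The function names and the sample php.ini fragment are constructed.

```python
"""Enable a PHP extension in php.ini without creating duplicates.

Added example, not code from the original posts. It handles both cases the
posts describe: a line that exists but is commented out (';extension=php_ldap.dll'
in XAMPP) is uncommented, and an extension with no line at all ('extension=oci8.so',
'extension=zip.so') is appended once. Unlike 'echo "extension=oci8.so" >> php.ini',
running it twice leaves the file unchanged the second time.
"""
import re


def _line_pattern(extension):
    # Matches 'extension=oci8.so', '; extension = php_ldap.dll', 'extension="zip.so"',
    # with or without a trailing ; comment. Group 'comment' is set when disabled.
    return re.compile(
        r"^(?P<comment>\s*;\s*)?extension\s*=\s*(?P<q>[\"']?)" + re.escape(extension)
        + r"(?P=q)\s*(;.*)?$", re.IGNORECASE)


def enable_extension(ini_text, extension):
    """Return (new_text, action); action is 'already', 'uncommented' or 'appended'."""
    pattern = _line_pattern(extension)
    lines = ini_text.splitlines()           # line endings are normalised to \n
    commented_at = None
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if m and m.group("comment") is None:
            return ini_text, "already"      # an active line exists: nothing to do
        if m and commented_at is None:
            commented_at = i                # remember the first disabled line
    if commented_at is not None:
        lines[commented_at] = lines[commented_at].lstrip().lstrip(";").lstrip()
        return "\n".join(lines) + "\n", "uncommented"
    sep = "" if not ini_text or ini_text.endswith("\n") else "\n"
    return ini_text + sep + "extension=" + extension + "\n", "appended"


def enable_extension_in_file(path, extension):
    """Apply enable_extension() to a php.ini on disk and return the action taken."""
    with open(path, "r", encoding="utf-8") as f:
        text = f.read()
    new_text, action = enable_extension(text, extension)
    if action != "already":
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return action


if __name__ == "__main__":
    # Constructed php.ini fragment: LDAP disabled, mysqli enabled, no oci8 line.
    sample = ";extension=php_ldap.dll\nextension=mysqli.so\n"
    for ext in ("php_ldap.dll", "oci8.so", "php_ldap.dll"):
        sample, action = enable_extension(sample, ext)
        print(ext, "->", action)
```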




PHP installed but the browser is not loading the PHP script, showing it as raw HTML text



So I encountered this problem while loading a PHP file with Apache.

I was expecting a page with PHP information, as I had uploaded phpinfo.php into /var/www/html and restarted Apache.

Instead I got just text when I opened it in the browser:

<?php
        phpinfo();
?>

If you are running into the same problem, the fix is below.

Open your httpd.conf file and append the lines below to it.

AddHandler php5-script .php

AddType text/html .php


Restart Apache and reload webpage again, the problem will be solved.



Install Apache 2.4 on Centos / RHEL 6 from Source Code



Apache 2.4 is not shipped with RHEL / CentOS 6.x, and it is not in RHN or the CentOS central repository either.

The best way is to download the tarball and compile it on your host, since if you are installing it for your firm you will probably not be allowed to download packages directly from the internet.


Requirement / Dependencies

Even installing Apache from the tarball needs the utilities below; make sure they are installed on your server/host before proceeding.

Apache Portable Runtime Packages.

  1. apr
  2. apr-util
  3. distcache
  4. distcache-devel
Download and install them one by one; as they are all dependencies of one another, take a chill pill and go ahead.

Download the APR packages from - http://apr.apache.org/
Download the distcache packages from their download link
Download the Apache tarball from Apache's official website

Build and install the APR packages

[root@localhost]# mkdir -p /usr/local/httpd-build
Move the APR tarballs into it (rpmbuild -tb builds straight from the tarball), then execute the commands below:
[root@localhost httpd-build]# rpmbuild -tb apr-1.5.1.tar.bz2
[root@localhost httpd-build]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/apr-1.5.1-1.x86_64.rpm /root/rpmbuild/RPMS/x86_64/apr-devel-1.5.1-1.x86_64.rpm
RPM packages are written to /root/rpmbuild/RPMS/ when built. We will only install the apr-util and apr-util-devel packages necessary for the Apache 2.4.9 build.
[root@localhost httpd-build]# rpmbuild -tb apr-util-1.5.3.tar.bz2
[root@localhost httpd-build]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/apr-util-1.5.3-1.x86_64.rpm /root/rpmbuild/RPMS/x86_64/apr-util-devel-1.5.3-1.x86_64.rpm
While installing the APR packages, if it complains about distcache dependencies, download and install the rpms provided in the link above.

Once the APR packages are installed, we can proceed with the installation of Apache 2.4.x.

Extract the Apache 2.4 tarball downloaded from the link above.

[root@localhost httpd-build]# tar -xvf httpd-2.4.xx
[root@localhost httpd-build]# cd httpd-2.4.xx

Configure.

[root@localhost httpd-build]# ./configure --prefix=PREFIX
If it shows an error, or you are not sure which prefix to use, go with the default configuration by dropping the prefix option:
[root@localhost httpd-build]# ./configure

Compile

[root@localhost httpd-build]# make

Install

[root@localhost httpd-build]# make install

If everything completed without any error, you are done with the installation.

Default directory

[root@localhost httpd-build]# cd /usr/local/apache2/

Customize

[root@localhost httpd-build]# vim /usr/local/apache2/conf/httpd.conf

Test

[root@localhost httpd-build]# sh /usr/local/apache2/bin/apachectl -k start
Go to your browser and open http://localhost or http://<your ip address>
If all is set you will get a page saying:

It Works !


Do comment in case you get any error while installing Apache 2.4. The next blog post will also be useful to you, as it builds on Apache 2.4:
Installation of PHP 5.6 on CentOS/RHEL 6


Configuring A High Availability Cluster (Heartbeat) On CentOS

This guide shows how you can set up a two node, high-availability HTTP cluster with heartbeat on CentOS. Both nodes use the Apache web server to serve the same content.

Pre-Configuration Requirements

1. Assign hostname node01 to the primary node, with IP address 10.64.61.80 on eth0.

2. Assign hostname node02 to the slave node, with IP address 10.64.61.81.

Run the commands now...

Note: on node01

#uname -n

must return node01.

On node02

#uname -n

must return node02.

10.64.61.82 is the virtual IP address that will be used for our Apache webserver (i.e., Apache will listen on that address).

Configuration

1. Download and install the heartbeat package. In our case we are using CentOS so we will install heartbeat with yum:

#yum install heartbeat

or download these packages:

heartbeat-2.08

heartbeat-pils-2.08

heartbeat-stonith-2.08

2. Now we have to configure heartbeat on our two node cluster. We will deal with three files. These are:

authkeys

ha.cf

haresources

3. Now on to our configuration. But there is one more thing to do first: copy these files to the /etc/ha.d directory. In our case we copy the files as given below:

#cp /usr/share/doc/heartbeat-2.1.2/authkeys /etc/ha.d/

#cp /usr/share/doc/heartbeat-2.1.2/ha.cf /etc/ha.d/

#cp /usr/share/doc/heartbeat-2.1.2/haresources /etc/ha.d/

4. Now let's start configuring heartbeat. First we will deal with the authkeys file; we will use authentication method 2 (sha1). For this, make the changes to the authkeys file shown below.


#vi /etc/ha.d/authkeys

Then add the following lines:

auth 2
2 sha1 test-ha

Change the permission of the authkeys file:

chmod 600 /etc/ha.d/authkeys

5. Moving to our second file (ha.cf) which is the most important. So edit the ha.cf file with vi:

#vi /etc/ha.d/ha.cf

Add the following lines in the ha.cf file:

logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 30
initdead 120
bcast eth0
udpport 694
auto_failback on
node node01
node node02

Note: node01 and node02 is the output generated by #uname -n

6. The final piece of work in our configuration is to edit the haresources file. This file contains the information about the resources we want to make highly available. In our case we want the webserver (httpd) highly available:


#vi /etc/ha.d/haresources

Add the following line:

node01 10.64.61.82 httpd

7. Copy the /etc/ha.d/ directory from node01 to node02:

#scp -r /etc/ha.d/ root@node02:/etc/

8. As we want httpd highly available, let's start configuring httpd:

#vi /etc/httpd/conf/httpd.conf

Add this line in httpd.conf:

Listen 10.64.61.82:80

9. Copy the /etc/httpd/conf/httpd.conf file to node02:

#scp /etc/httpd/conf/httpd.conf root@node02:/etc/httpd/conf/

10. Create the file index.html on both nodes (node01 & node02):

On node01:

echo "node01 apache test server" > /var/www/html/index.html

On node02:

echo "node02 apache test server" > /var/www/html/index.html


11. Now start heartbeat on the primary node01 and slave node02:

#/etc/init.d/heartbeat start

12. Open web-browser and type in the URL:

http://10.64.61.82

It will show node01 apache test server.

13. Now stop the heartbeat daemon on node01:

#/etc/init.d/heartbeat stop

In your browser type in the URL http://10.64.61.82 and press enter.

It will show node02 apache test server.

14. We don't need to create a virtual network interface and assign an IP address (10.64.61.82) to it. Heartbeat will do this for you, and start the service (httpd) itself. So don't worry about this.

Don't use the IP addresses 10.64.61.80 and 10.64.61.81 for services. These addresses are used by heartbeat for communication between node01 and node02. If either of them is used for services/resources, it will disturb heartbeat and will not work. Be careful!
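Most heartbeat start-up failures come from the three files disagreeing with each other or with `uname -n`, so here is an added pre-flight check (not part of the original guide) that re-verifies the guide's own rules offline: the authkeys selection and 0600 mode, the node names in ha.cf, the haresources owner, and that the service IP is not one of the heartbeat link addresses. The sample file contents are built from the guide's values; `check_heartbeat` and `NODES` are names chosen here.

```python
"""Sanity-check Heartbeat v2 files (authkeys, ha.cf, haresources) before starting it.

Added example, not part of the original guide. It re-checks the guide's own points
(sha1 key selected and file mode 0600, both 'uname -n' names listed, a heartbeat
link defined, the resource line owned by a listed node, and a service IP that is
not a node address) and runs offline on the samples below, built from the guide.
"""
import stat

AUTHKEYS = "auth 2\n2 sha1 test-ha\n"
HA_CF = ("logfile /var/log/ha-log\nlogfacility local0\nkeepalive 2\ndeadtime 30\n"
         "initdead 120\nbcast eth0\nudpport 694\nauto_failback on\nnode node01\nnode node02\n")
HARESOURCES = "node01 10.64.61.82 httpd\n"
NODES = {"node01": "10.64.61.80", "node02": "10.64.61.81"}   # uname -n -> eth0 address


def _directives(text):
    """Yield (keyword, rest) for every non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def _address(resource):
    """'10.64.61.82', '10.64.61.82/24' or 'IPaddr::10.64.61.82/24/eth0' -> '10.64.61.82'."""
    return resource.split("::")[-1].split("/")[0]


def check_heartbeat(authkeys, ha_cf, haresources, nodes, authkeys_mode):
    """Return a list of problems; an empty list means the files are consistent."""
    problems = []
    selected, keys = None, {}
    for head, rest in _directives(authkeys):
        if head == "auth":
            selected = rest
        elif head.isdigit():
            keys[head] = rest.split()          # [method, secret]
    if selected not in keys:
        problems.append("authkeys: 'auth N' does not select a defined key line")
    elif keys[selected][:1] == ["crc"]:
        problems.append("authkeys: crc is a checksum, not authentication; use sha1 or md5")
    if stat.S_IMODE(authkeys_mode) != 0o600:
        problems.append("authkeys: file mode must be 0600 (chmod 600 /etc/ha.d/authkeys)")
    conf, ha_nodes = {}, []
    for head, rest in _directives(ha_cf):
        if head == "node":
            ha_nodes.extend(rest.split())
        else:
            conf[head] = rest
    if set(ha_nodes) != set(nodes):
        problems.append("ha.cf: node list %s differs from uname -n names %s"
                        % (sorted(ha_nodes), sorted(nodes)))
    if not any(k in conf for k in ("bcast", "ucast", "mcast")):
        problems.append("ha.cf: no bcast/ucast/mcast link for heartbeat traffic")
    if int(conf.get("deadtime", 30)) <= int(conf.get("keepalive", 2)):
        problems.append("ha.cf: deadtime must be larger than keepalive")
    for head, rest in _directives(haresources):
        if head not in ha_nodes:
            problems.append("haresources: primary %r is not a node in ha.cf" % head)
        for res in rest.split():
            if _address(res) in nodes.values():
                problems.append("haresources: %s is a node address, use a separate virtual IP" % _address(res))
    return problems
```

On a real node, pass the file contents read from /etc/ha.d/ and `os.stat("/etc/ha.d/authkeys").st_mode` as the last argument.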


Fix Vulnerability -- Apache Web Server ETag Header Information Disclosure



To fix this finding, we simply have to update the Apache configuration file httpd.conf.

To remove the ETag header completely, use FileETag None
To hide only the inode information, use FileETag -INode

By removing the ETag header you stop caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires headers.
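To verify the fix from the client side, here is an added checker (not code from the original post) that parses a response header block and reports whether the ETag still carries the inode, and whether Cache-Control/Expires are present for the case where the ETag was removed entirely. It assumes Apache's inode-size-mtime hex format; the sample responses are constructed.

```python
"""Detect an inode-revealing Apache ETag in HTTP response headers.

Added example, not from the original post. With 'FileETag INode MTime Size'
(the old Apache default) the ETag is three '-'-separated hex fields,
inode-size-mtime, so the inode number is visible to every client;
'FileETag -INode' leaves two fields and 'FileETag None' drops the header.
Since a server without ETags relies on Cache-Control/Expires for freshness,
the check also reports whether those are present. Assumes the Apache format:
a three-field ETag from a different server would be a false positive.
"""
import re

APACHE_ETAG = re.compile(r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+){0,2})"$', re.I)


def parse_headers(raw):
    """Parse a raw response header block into a dict keyed by lowercase name."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(("HTTP/", " ", "\t")):
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def etag_findings(raw):
    """Describe ETag exposure for one response given its raw header block."""
    h = parse_headers(raw)
    etag = h.get("etag")
    result = {"etag": etag, "fields": 0, "inode_disclosed": False,
              "has_cache_headers": "cache-control" in h or "expires" in h}
    m = APACHE_ETAG.match(etag) if etag else None
    if m:
        fields = m.group(1).split("-")
        result["fields"] = len(fields)
        if len(fields) == 3:               # inode-size-mtime
            result["inode_disclosed"] = True
            result["inode"] = int(fields[0], 16)
    return result


# Constructed responses: default ETag, 'FileETag -INode', and 'FileETag None'.
LEAKY = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "2a-3c-5a1b2c3d4e5f6"\r\n\r\n'
TRIMMED = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "3c-5a1b2c3d4e5f6"\r\n\r\n'
NO_ETAG = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nCache-Control: max-age=3600\r\n\r\n'
```

Feed it the header block captured with `curl -sI` against a static file to confirm the server-side change took effect.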

Protect your website from DDOS attacks using apache modules ( mod_evasive )



The Apache module below is quite well known in terms of security:


mod_evasive


mod_evasive works very efficiently: it takes one request at a time and processes it well, which keeps a DDoS attack from doing as much damage. This is what lets it handle HTTP brute force and DoS/DDoS attacks. The module detects attacks in three ways:
  1. Many requests for the same page arriving within a few seconds.
  2. Any child process trying to make more than 50 concurrent requests.
  3. Any IP still trying to make new requests while it is temporarily blacklisted.
Find and uncomment the line below in your httpd.conf to make it read:
LoadModule evasive20_module modules/mod_evasive24.so


Protect website from brute force attacks using apache modules ( mod_security )



The Apache module below is quite well known in terms of security:

mod_security


  • It works as a firewall and is used to monitor real traffic
  • It protects websites from brute force attacks
Install on Red Hat/CentOS
       # yum install mod_security
       # service httpd restart

Find and uncomment the line below in your httpd.conf to make it read:

LoadModule security2_module modules/mod_security2.so

          

