ConvolutedTheory Nerdy. Deal with it. Or go away.

27 Feb 2010

Drupal and mod_security : Part 2

Hi all,

I've gotten quite a few emails about my last post on Drupal and mod_security, asking what the rules I'm removing actually do. Well, I'll explain.

First Rule: 960010
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"chain, t:lowercase, deny,log,auditlog,status:401,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"

This chain fires for any request whose method is not GET, HEAD, PROPFIND or OPTIONS (so POST, PUT and the rest; the method is lowercased before the match) and whose Content-Type header does not match one of the three forms the second rule allows: application/x-www-form-urlencoded, optionally with a charset parameter; multipart/form-data followed by its boundary parameter; or text/xml. Anything else, a JSON body for instance, is denied with a 401. Apparently, Drupal doesn't respect this rule in its POSTs.

Next, 960015
SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

This says that any request other than an OPTIONS request *must* carry an Accept header. The first pair uses &REQUEST_HEADERS:Accept, a count of matching headers, to catch the header being absent (a negated regex can't do that, because a variable that doesn't exist is never tested), and the skip:1 jumps over the second pair so the same request isn't flagged twice; the second pair catches an Accept header that is present but empty. As printed, neither pair carries a deny or status of its own, so whether they block or only log depends on the SecDefaultAction in force.

Next, 960032:
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,log,auditlog,status:401,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"

This denies any method other than GET, POST, OPTIONS or HEAD (with a 401, where a 405 would be the more accurate status). That is generally the right policy, and I don't know why Drupal occasionally hits this rule, but I remove it for completeness.

And Lastly,

Rule 950107:
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

This chain merely checks that percent-encoding is well formed. The first rule runs @validateUrlEncoding over the path, argument names and values, request headers (minus the Referer) and any XML body; the second then looks for a % that is not followed by two hex digits or a %uXXXX sequence (a trailing %, or a % before a space or punctuation, is ignored by that regex). Both halves must match for the chain to deny with a 400. Note that ARGS have already been URL-decoded when the rule sees them, so a literal % in a submitted value is tested as-is. I say merely, but this rule also matches almost _all of the time_.
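To make the semantics concrete, here is an added Python emulation of three of the rules discussed above (960010, 960032 and 950107). It is written for this page and is not code from ModSecurity or the Core Rule Set: it translates the regexes exactly as printed and re-implements @validateUrlEncoding from its documented behaviour. The sample header values and argument strings are constructed, and the assumption that no transformation inherited from SecDefaultAction lowercases the Content-Type header is marked in the comments.

```python
import re

# --- 960010: Content-Type allow list for methods that carry a body ---------
# The first SecRule applies t:lowercase to REQUEST_METHOD, so the method
# comparison is case-insensitive. Requests using one of these four methods
# are exempt from the Content-Type check entirely.
CT_EXEMPT_METHODS = {"get", "head", "propfind", "options"}

# The chained SecRule is a negated @rx: the request is denied when the header
# does NOT match. @rx is an unanchored search, so the anchors inside matter:
#   - application/x-www-form-urlencoded must be the whole header, except for
#     an optional ";charset=..." of up to 18 word characters or hyphens;
#   - multipart/form-data must start the header and be followed by ";" (the
#     boundary parameter);
#   - text/xml may appear anywhere in the header.
CT_ALLOWED = re.compile(
    r"(?:^(?:application/x-www-form-urlencoded"
    r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$"
    r"|multipart/form-data;)"
    r"|text/xml)"
)


def rule_960010_blocks(method, content_type):
    """True when the 960010 chain would deny the request."""
    if method.lower() in CT_EXEMPT_METHODS:
        return False
    if content_type is None:
        # With no Content-Type header there is no variable to test, so the
        # operator never runs and a negated match cannot fire. (960015 uses
        # &REQUEST_HEADERS:Accept, a count, for exactly this reason.)
        return False
    # Assumption: no transformation from SecDefaultAction lowercases the
    # header, so the comparison is case-sensitive as the regex is written.
    return CT_ALLOWED.search(content_type) is None


# --- 960032: HTTP method allow list ----------------------------------------
ALLOWED_METHODS = {"GET", "POST", "OPTIONS", "HEAD"}


def rule_960032_blocks(method):
    """True when 960032 would deny the request. Note that PROPFIND is exempt
    from the Content-Type check in 960010 but is still rejected here."""
    return method not in ALLOWED_METHODS


# --- 950107: URL encoding abuse ---------------------------------------------
HEX = set("0123456789abcdefABCDEF")


def validate_url_encoding(value):
    """Emulates @validateUrlEncoding: every '%' must be followed by exactly
    two hex digits. A trailing '%' or a '%u0041' style escape is invalid."""
    i, n = 0, len(value)
    while i < n:
        if value[i] == "%":
            if i + 2 >= n or value[i + 1] not in HEX or value[i + 2] not in HEX:
                return False
            i += 3
        else:
            i += 1
    return True


# The chained regex, as printed on the page: a '%' NOT followed by end of
# string, a non-word character, two hex digits, or a %uXXXX escape.
PCT_ABUSE = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def rule_950107_blocks(targets):
    """True when the 950107 chain would deny the request.

    `targets` stands for the variable list REQUEST_FILENAME|ARGS|ARGS_NAMES|
    REQUEST_HEADERS|XML:/* minus the Referer. Each link of a chain is evaluated
    over the whole list on its own, so the two halves need not match the same
    variable. ARGS reach the rule already percent-decoded, so a form field
    whose decoded text contains a literal '%' is what the rule sees.
    """
    encoding_invalid = any(not validate_url_encoding(t) for t in targets)
    regex_hit = any(PCT_ABUSE.search(t) for t in targets)
    return encoding_invalid and regex_hit


if __name__ == "__main__":
    # Constructed sample values; none of them come from a real Drupal request.
    for m, ct in [("POST", "application/x-www-form-urlencoded; charset=UTF-8"),
                  ("POST", "application/json"),
                  ("POST", "multipart/form-data"),
                  ("GET", "application/json")]:
        print(f"960010 {m} {ct!r}: {'DENY' if rule_960010_blocks(m, ct) else 'pass'}")
    for args in [["/node/1", "100%"], ["50% off"], ["100%sure"], ["%zz"], ["%u0041"]]:
        print(f"950107 {args}: {'DENY' if rule_950107_blocks(args) else 'pass'}")
```

The two details worth noticing are the ones that make these rules noisy on a CMS: 960010 rejects a multipart POST whose header lacks the boundary parameter and any body type outside the three listed, and 950107 fires on ordinary text such as "100%sure" in a decoded form field while letting a trailing "%" or "%u0041" through, because the chained regex, not @validateUrlEncoding alone, decides the match.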

I haven't actually gone through the Drupal code to figure out why removing these is necessary; however, I do know that it has fixed quite a few people's problems. One thing I'd suggest if you do this: put the SecRuleRemoveById lines inside a <Location> block for your Drupal path rather than removing the rules globally, so anything else served by the same Apache keeps them.

Anyway, hope that clarifies some things for people.

17 Apr 2009

My Daily “I just found this program and it owns so you should use it too” post.

The app of the day is... Max. What does Max do exactly? Well, it rips CDs into various audio formats on Mac (OS X). "But why don't you use iTunes? It's superior!", said the monkey. "Because iTunes is the devil, and it will eat your soul", I replied. And then the monkey ripped his Birthday Massacre CD using Max, and was astonished that he could specify simple things, like output directories and formats, and also that he could rip into FLAC. And the Monkey smiled, and there was great joy across the land. For the land was prosperous in its ripped music, because never again would it lose a CD to scratching, maiming, or iTunes DB corruption.

The End.

Wait, I think I lost the focus of what I was doing. Oh. Use Max. Doitnow.

13 Apr 2009

Lynis security scanner = Neat.

Just checked out lynis from rootkit.nl. Lynis is:

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

It's pretty cool, actually. I won't include all of the scanning output here, but I will show the results of a scan from a (somewhat) default CentOS 5 install. Take a look if all of this magic security stuff interests you.


================================================================================

-[ Lynis 1.2.6 Results ]-

Tests performed: 134
Warnings:
----------------------------
- [20:46:34] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
- [20:46:50] Warning: Couldn't find 2 responsive nameservers [test:NETW-2705] [impact:L]
- [20:46:55] Warning: No MySQL root password set [test:DBS-1816] [impact:H]
- [20:46:55] Warning: PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [test:PHP-2372] [impact:M]
- [20:47:00] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

Suggestions:
----------------------------
- [20:46:34] Suggestion: Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=: password --md5 [test:BOOT-5121]
- [20:46:49] Suggestion: Install package 'yum-utils' for better consistency checking of the package database [test:PKGS-7384]
- [20:46:50] Suggestion: Check your resolv.conf file and connectivity to your nameservers [test:NETW-2705]
- [20:46:55] Suggestion: Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD) [test:DBS-1816]
- [20:46:55] Suggestion: Change the expose_php line to: expose_php = Off [test:PHP-2372]
- [20:46:55] Suggestion: Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP [test:PHP-2374]
- [20:46:55] Suggestion: Change the allow_url_fopen line to: allow_url_fopen = no, to disable downloads via PHP [test:PHP-2376]
- [20:46:57] Suggestion: Enable logging to an external logging host for archiving purposes and additional protection [test:LOGG-2154]
- [20:47:00] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [20:47:02] Suggestion: Confirm that freshclam is properly configured and keeps updating the ClamAV database [test:MALW-3286]
- [20:47:02] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [49] [######### ]
================================================================================
Lynis 1.2.6
Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
================================================================================

11 Jan 2009

Linux tip of the day: Super fast SCP file copies.

SCP is a great way to copy files from somewhere to somewhere else, but as we all know it can be slower than (insert slow metaphor here). Here's a way you can get way speedier (really a word?) transfers using scp:

scp -c arcfour -C sourcefile desthost:

A caveat for anyone reading this later: arcfour is RC4, which is cryptographically broken, and OpenSSH dropped the arcfour ciphers entirely in 7.6, so current systems simply reject this option. On modern hardware the fast choice is an AES-GCM or ChaCha20 cipher, which the defaults already pick for you, and -C only helps for compressible data over a slow link; on a LAN it usually makes the copy slower.

Yay! I posted.

3 Jan 2009

Charging your Blackberry Pearl in Linux

Recently, I was looking for a way to charge my Pearl under Linux, and stumbled across this project: Barry. Well, that's nice and all (as a matter of fact I may install it when I get home to sync my BB), but right now, I just want to charge it! Barry has a small app included called bcharge that sets your USB port to 500mA (the power level that the BB expects when you plug it in).

I've repackaged the bcharge app and the headers, and you can get it here: bcharge.tgz

To compile, make sure you've got at least g++ and libusb installed, and then do:

tar xvzf bcharge.tgz
g++ -o bcharge bcharge.cc -lusb

And then just run bcharge à la ./bcharge, and your BlackBerry should be off and charging! (bcharge talks to the device through libusb, so it needs write access to the USB device node: run it as root, or add a udev rule that grants your user access.)

10 Dec 2008

VIMperator: To the EXTREME!

I've always wanted to use some sort of phrase that I would use if I were a sandy beach hobo, living in dirt on the beach of some continent somewhere. Did you see it? Wasn't it awesome? Well, in my own special crazy, it was. Anyway, on to the VIMPERATOR!

No, it's not some sort of weird kitchen appliance. And no, you won't find it shoved in the back of a drawer in your sister's bathroom when you were looking for "floss" (read: moisturizer).

VIMperator is this awesome Firefox plugin that makes Firefox act like every geek elite's favorite editor, vim. (Don't say emacs, I'll cut you).

From the website description: "Vimperator is a free browser add-on for Firefox, which makes it look and behave like the Vim text editor."

Well isn't that what I just said? Wait, it gets better.

"It has similar key bindings and you could call it a modal web browser, as key bindings differ according to which mode you are in."

LIKE OMFG. IT IS MODAL. IT HAS THE CHANGES MODE WHEN YOU PRESSES THE KEYS.

Seriously though, it is damn awesome. Do you hate the looks from people when you use your mouse to navigate the internet? Don't like being labelled a Windows user by people who can't see your screen? Using the ratpoison window manager? Then this plugin may be for you.

All in all, I liked it. But you have to be a hardcore vim lover to give this plugin the respect it deserves.

Vimperator can be found here.

18 Oct 2008

ESXi: Day 16

Well, I've had a functional ESXi server up and going for a little over two weeks now. No apparent stability problems to be reported. The kernel itself is a memory pig though, much larger than the licensed version of ESX Server. ESXi is ~700MB resident, while ESX is 200MB, ouch. So, I had to upgrade my RAM to 4GB. No big deal, RAM is cheap for that box anyway. At the peak of my testing, I had 10 Windows VMs running concurrently (Don't worry, I have collected that many XP licenses over the years. Sad, eh?). They had very little to no performance degradation when opening applications or doing interwebby type stuff, it was kinda nice. Yesterday I nuked all of the VMs, but just because no sane person would have that many Windows machines in their house, virtual or otherwise. Next up, I'll throw Gentoo and Rosetta@Home on there and see how ESXi holds up. That should be really interesting.

4 Oct 2008

Wow, never would’ve guessed this.

Never would have guessed that on-disk temporary tables are that bad for performance. Peter over at the MySQL Performance Blog shows otherwise.

2 Oct 2008

ESXi day one.

So, since I'm a total hardware monger and VMware just released the ESXi hypervisor for free, I thought I might give it a shot. This was two days ago. I have two boxes at the moment that were just sitting around, a SuperMicro 1U server with a P4 1.8 (yawn) and an HP Pavilion desktop with a dual core P4 in it. So, I gave the SuperMicro a shot. Apparently, to my dismay, the SuperMicro had ACPI problems, and ESXi barfed during the install. After that, I tried to install it on the HP, with more success. The only problem was that ESXi is very limited as to what kinds of network cards it will support (probably because engineers are lazy and don't like to port kernel modules to VMkernel, or because ESXi wasn't meant for a hobbyist market). I tried a Realtek 8139, 3Com 595C-TX, SMC, Via Rhine III, and a D-Link before I decided to drop into the tech support console and rummage through ESXi's dirty laundry. Apparently, instead of the service console, they have a stripped down BusyBox console. Which is fine, I guess. I like the RedHat SC, but people have to have some reason to upgrade to ESX Full aside from VMotion and DRS. Poking around under /mod, I found that there were only a handful of mostly on-board NICs supported (same driver names as Linux... that's... coincidental.). One I did find on there was an e100, which I knew I had lying around somewhere. I finally braved the horrors of The Closet and found one buried next to an old DEC 10/100 NIC. Awesome. Installed, rescanned the Management Network, and away I went.

Now, when I say this isn't a hobbyist's virtualization HV, I mean it. It has decent performance I guess for the particular hardware (it is a desktop, after all), and I'm mounting my VM store off of NFS, so that's going to slow it down a tad. Not to mention, that e100 has been around since before the world was created, so network performance is going to suffer a bit.

All in all, I like it. It's not Xen (it doesn't have the speed), but I guess it makes up for it with the Virtual Infrastructure Client. Eventually, I may try it on some enterprise class hardware. If I can ever find any OTC.

2 Oct 2008

Velocix content delivery network

For a while now, I've been using Velocix to accelerate my blog. Velocix is a sort of Content Delivery Network, much like Akamai and Limelight technologies. The difference between Velocix and the others is that the basic package is FREE. FREE as in "I just found a dollar in the street" FREE. Why use a CDN for a blog? Well, you never know, tomorrow I could have a stroke of genius and end up on Slashdot or Digg, and then my server would get hammered. Better to let Velocix take the load than my VPS, right? And besides, it's always nice to see a startup that has a fresh look at older ideas. I haven't done a whole lot of research on the subject, but as far as I know there aren't a whole lot of CDNs that use BitTorrent as a peer distribution protocol. That's Neat. Neat with a capital "N" Neat. The management portal is nice and speedy, and they have log file downloads in W3C format available in case you're a hit monger. One thing that would be a cool feature would be an FTP site where you could pick up your log files, and maybe, for the paying customer, scheduled automated log deliveries to FTP and SFTP sites. I'm not sure if any other CDN offers SFTP log delivery, but if there are any companies out there going for PCI compliance, it's a must (seeing as how FTP is a horribly insecure protocol). Well, I'll go for now, but I'll leave some screen caps of the Velocix portal to whet your whistle. Go over and sign up for the basic account. It can't hurt to try! (No, Velocix didn't give me any incentive to post this, either. It's unbiased.)
