FreeBSD Server Administration


June 25, 2005

Known Vulnerabilities in Ruby-1.8.2_3

Portaudit reported a known vulnerability in the ruby-1.8.2_3 package (lang/ruby18), but the ports tree hasn't released a fixed version yet.

Affected package: ruby-1.8.2_3
Type of problem: ruby -- arbitrary command execution on XMLRPC server.


Information for ruby-1.8.2_3:



Category : Security

Posted by FreeBSD Newbie at 11:54 PM | Comments (0)

June 24, 2005

Execute Commands in PHP

Sometimes I log in to the server only to run a simple command, such as uptime. It can be more convenient to do this with a simple PHP page; for example, the following code will display the output of the uptime command:

<?php passthru("uptime"); ?>

For more details about how to execute Unix/Linux commands in PHP, please refer to the PHP online manual.
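The page above is safe only because the command is a fixed string; the moment request data is concatenated into it, the page becomes a remote command runner for anyone who can reach it. The following is an added example (my code, not from the post) of keeping that property while offering several commands: the request selects a name from a hardcoded allowlist, and the command names and the cmd parameter are my assumptions.

```php
<?php
// Added example: a small status page that runs only fixed, pre-approved
// commands. The request chooses a *name*; the command string itself never
// contains request data, so there is nothing for a client to inject.
// The names below and the "cmd" parameter are assumptions, not from the post.
$allowed = [
    'uptime' => 'uptime',
    'disk'   => 'df -h',
    'load'   => 'sysctl -n vm.loadavg',
];

// Returns the command output, or null if the name is not on the allowlist
// or the command failed. Nothing is executed for an unknown name.
function run_allowed(array $allowed, string $name): ?string
{
    if (!array_key_exists($name, $allowed)) {
        return null;
    }
    $lines = [];
    $rc = 0;
    exec($allowed[$name] . ' 2>&1', $lines, $rc);   // fixed string only
    return $rc === 0 ? implode("\n", $lines) . "\n" : null;
}

// The pattern to avoid: concatenating request data into the command string.
// Shell metacharacters in $_GET['host'] would turn the page into arbitrary
// command execution on the server:
//   passthru("ping -c 1 " . $_GET['host']);
// If an argument really must come from the request, validate it against a
// strict pattern and wrap it with escapeshellarg() before use.

header('Content-Type: text/plain; charset=utf-8');
$name = $_GET['cmd'] ?? 'uptime';
$out = run_allowed($allowed, $name);
echo $out ?? "unknown command\n";   // never echo the request value back
```

Put the page behind HTTP authentication or restrict it to your own address; even fixed commands disclose host information.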


Category : PHP

Posted by FreeBSD Newbie at 11:59 PM | Comments (0)

June 22, 2005

sysctl.conf Sample

Here is a sysctl.conf sample which changes many kernel variables, such as kern.ipc.somaxconn, net.inet.tcp.blackhole and net.inet.udp.blackhole; it also uses net.inet.tcp.drop_synfin, net.inet.ip.rtexpire and net.inet.ip.rtminexpire.

net.inet.tcp.drop_synfin
This variable is similar to net.inet.tcp.blackhole and will cause the kernel to drop all TCP packets that have both the SYN and FIN bits set. It's not enough to change it with the sysctl command or add it to the sysctl.conf file; the kernel has to be recompiled with the TCP_DROP_SYNFIN option. On my FreeBSD 5.3, I got the following error, probably because it's a default kernel.
% sysctl net.inet.tcp.drop_synfin
sysctl: unknown oid 'net.inet.tcp.drop_synfin'

net.inet.ip.rtexpire and net.inet.ip.rtminexpire are explained in detail in the handbook.

The file is appended here as a backup, from http://www.thern.org/projects/sysctl.conf



Category : Security

Posted by FreeBSD Newbie at 06:40 PM | Comments (1)

June 21, 2005

Reduce Server Visibility

Learnt a tip from the book "Mastering FreeBSD and OpenBSD Security". Servers connected to the Internet receive lots of network probes (automated scans). When a probe connects to a TCP or UDP port where no process is listening, the default kernel composes a TCP reset packet or an ICMP port unreachable message and sends it as a response.

This is bad both for security and for system resources. Two related sysctl variables change the default kernel behaviour; add the following two lines to /etc/sysctl.conf and the system will silently drop these kinds of packets instead:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

To make them take effect immediately without a reboot, run:
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1

By searching for "net.inet.tcp.blackhole" with Google, I found a good article, Preventing Denial of Service Attacks, which coincidentally (or inevitably) uses these two parameters and kern.ipc.somaxconn as important measures. Making a system more robust surely helps in fighting DoS attacks, and vice versa.


Category : Security

Posted by FreeBSD Newbie at 08:37 PM | Comments (0)

June 20, 2005

FreeBSD Reviews

Today I read two articles, along with their comments, about FreeBSD: Review: FreeBSD 5.4 and Linus compares Linux and BSDs. I think they can be summarized in one sentence: FreeBSD is not for general-purpose use and doesn't work well as a workstation. Although I love FreeBSD, I think their opinions are quite true. I never installed FreeBSD, and never read anything about installation, X Windows, printing, i.e. almost everything I don't need to manage a remote dedicated server, but from my limited experience I can expect difficulties using FreeBSD on a desktop computer. But I couldn't care less about desktop usage; I'm very happy with FreeBSD on the server side, and I hope the FreeBSD team won't tailor FreeBSD for everything, like Linux, in the future.

To me, FreeBSD's efficiency, stability, usability and security as a server are great. If there were more documents and tutorials for the popular software, it would be even better.



Category : FreeBSD General

Posted by FreeBSD Newbie at 07:00 PM | Comments (0)

June 19, 2005

AllowUsers

Currently every website corresponds to one shell account on my servers. I have always felt it's insecure to have more than a dozen accounts, but I never took a minute to think about how to change it.

The AllowUsers parameter in sshd is just for this. To allow only one account to log in with ssh, add the following line to /etc/sshd_config:

AllowUsers account_name

If you log in from a static IP address, you can tighten it further, for example:

AllowUsers account_name@192.168.1.32

Restart sshd after the file is modified:

# /etc/rc.d/sshd reload

For detailed information, please refer to the handbook.

Note: you should test the login before closing all terminals; a spelling error can lock you out of the server.

Update: Using a static IP address for login is strongly recommended; it's much more important than limiting the number of accounts.


Category : Security

Posted by FreeBSD Newbie at 07:10 PM | Comments (0)

June 18, 2005

Portaudit Follow-up

Portaudit not only makes security checking much easier, but also automates it. The daily security run fetches the latest portaudit database (#portaudit -F) and checks all installed packages (%portaudit -a). Now I learn about the latest known vulnerabilities in installed packages just by reading email. There is also a dedicated entry in the handbook for this tool.

The usability of FreeBSD is amazing: if you manage the server in the right way, almost everything is taken care of very well.


Category : Security

Posted by FreeBSD Newbie at 04:59 PM | Comments (0)

Performance Tuning

I have been considering upgrading my 10 MB uplink, but after reading the system tuning section in the handbook, I realized something else was more important than the bandwidth limit, especially kern.ipc.somaxconn:

The default value 128 is typically too low for robust handling of new connections in a heavily loaded web server environment. For such environments, it is recommended to increase this value to 1024 or higher.

I raised kern.ipc.somaxconn to 1024 with the sysctl command:
# sysctl kern.ipc.somaxconn=1024

To avoid running this command every time the server reboots, I also added the following line to /etc/sysctl.conf:
kern.ipc.somaxconn=1024

Apache could be a bottleneck too. I also modified the Apache configuration and did a graceful restart:
MaxKeepAliveRequests 200 (from 100)
MaxClients 300 (from 150)


Category : Apache

Posted by FreeBSD Newbie at 01:56 AM | Comments (1)

June 15, 2005

10MB or 100MB Uplink?

Very occasionally my websites are inaccessible for several seconds, then back to normal, then soon inaccessible again. The uptime is very good, so it's unlikely to be a performance problem; the only reason I can think of is network congestion. Currently I'm using a 10 MB uplink, and I have been wondering whether a 100 MB uplink is only for heavy servers or whether most servers can benefit from it as well.
I monitored the bandwidth usage for two days with the netstat command, but I'm still not sure about it. I plan to upgrade if I see the problem again.

# netstat -b -w 60 > /var/log/netstat.log &



Category : FreeBSD General

Posted by FreeBSD Newbie at 10:08 PM | Comments (0)

June 12, 2005

portaudit

After the email server problem, I started to pay close attention to ports updates; the lesson taught me it's ultra important to keep all packages up to date. Actually, all the information about how to handle ports is in the handbook; read it carefully if you haven't, it's only a few small pages.

Besides CVSup, which keeps your ports tree up to date, another very important program is portaudit; it's an extremely convenient way to monitor all installed packages.

portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories.

Two simple commands get everything done:

1. Fetch the current database of known vulnerabilities from the FreeBSD servers. It's recommended to run this command before you install any new ports; you will be warned if you are installing a package with known vulnerabilities.
# portaudit -F

2. Print a vulnerability report for all installed packages; can you find any easier way? ;-)
% portaudit -a (Here I use % to indicate that the command doesn't need root privilege, this rule applies to all new blog entries).

Portaudit follow-up

I ran "portaudit -a" on my server and got the following report, then updated all packages except MySQL, which I just can't start, with no error messages. (Update: this is due to changes in the mysql start script.)



Category : Security

Posted by FreeBSD Newbie at 02:06 AM | Comments (0)

June 11, 2005

FreeBSD Resource

FreeBSD Resource Collections

FreeBSD Handbook
FreeBSD Hypertext Man Pages
FreeBSD Security Alert

FreeBSD Diary
BSD Forums

FreeBSD articles on ONLamp.com

I'll keep adding new websites, please let me know if you know any other websites which should be listed here.


Category : FreeBSD General

Posted by FreeBSD Newbie at 05:34 AM | Comments (0)

June 10, 2005

Move Apache Log Files

When I checked email with Outlook Express today, all POP3 accounts on my two servers gave me the error message "Invalid username or password", which really freaked me out. Later I found it was because the /var file system had filled up again. My ISP assigned 4GB to /var by default; I thought that was enough after I linked /var/db to another place, but obviously I underestimated the Apache log files, which can consume 4GB in a couple of weeks. To avoid any other strange errors, and also to keep /var/log cleaner (I had placed the Apache log files under /var/log/), I decided to move the Apache log files out too.

This is quite simple: make a folder /home/apachelog/ and link it to /var/log/www. To keep it more flexible, I didn't use /home/apachelog/ directly in the httpd.conf file.

Detailed Steps
1. # mkdir /home/apachelog
2. # ln -s /home/apachelog /var/log/www
3. Make a global replace in Apache configuration file.
vi command: :%s/\/var\/log/\/var\/log\/www/g
4. Restart Apache
5. Modify Awstats configuration files for every domain.


By the way, I'm reading the book "Mastering FreeBSD and OpenBSD Security". I've only finished a small part so far, but I find it's a great book, and I hope I can learn some practical tips soon.


Category : Apache

Posted by FreeBSD Newbie at 11:15 PM | Comments (0)

June 03, 2005

Great FreeBSD Security Page

Just found a great security alert website for FreeBSD on the ports help page; this will make things much easier. Bookmark it.

http://www.vuxml.org/freebsd/


Category : Security

Posted by FreeBSD Newbie at 12:20 AM | Comments (0)

June 01, 2005

More About Apache Log File Rotation

As I wrote earlier, I remove old Apache log files by deleting all of them and doing a graceful restart, which is also what the Apache documentation suggests. Everything works well except that Apache doesn't release the disk space used by the deleted log files. As a result, the "du" command shows that /var was using 100% of its disk space, but if I run "df -ma" under /var, it's only using 23 MB. Postfix couldn't receive any emails since the disk space was used up, giving an error message like "Out: 452 Insufficient system storage". A non-graceful Apache restart solved the problem.

In Summary
"apachectl graceful" doesn't work 100% correctly; it holds on to the disk space used by deleted log files. I didn't test how it behaves if the new log file uses a different file name.
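The mechanism behind the held space is Unix file semantics: a deleted file's blocks are released only when its last open descriptor is closed, so a daemon that keeps writing to a deleted log keeps the space allocated (and invisible to a directory walk) until it closes or reopens the file. The following PHP reproduces that in a temporary file; it is an added example, not from the post, with a constructed file name and log lines.

```php
<?php
// Added example: show that deleting a log file does not free its blocks
// while some process (here this script, standing in for httpd) still has
// it open. The file name and the log lines are constructed for the demo.
function held_bytes_after_unlink(): array
{
    $log = tempnam(sys_get_temp_dir(), 'httpd-access-');
    $fp = fopen($log, 'w+');               // httpd opens its log once, at start
    $line = "127.0.0.1 - - [01/Jun/2005:05:34:00 +0000] \"GET / HTTP/1.0\" 200 1234\n";
    for ($i = 0; $i < 1000; $i++) {
        fwrite($fp, $line);                // keep "logging" into the open file
    }
    fflush($fp);
    $written = 1000 * strlen($line);

    unlink($log);                          // the rotation step from the post
    clearstatcache();

    $st = fstat($fp);                      // stat through the open descriptor
    $result = [
        'name_gone'  => !file_exists($log),  // the directory entry is gone...
        'links_left' => $st['nlink'],        // ...and the inode has no names left
        'bytes_held' => $st['size'],         // but its blocks are still allocated
        'expected'   => $written,            // same value as bytes_held
    ];

    // Still writable: httpd would keep appending to this now-invisible file,
    // so the held space keeps growing rather than shrinking.
    fwrite($fp, $line);
    fflush($fp);
    $result['bytes_held_after_more'] = fstat($fp)['size'];

    fclose($fp);                           // only now are the blocks released
    return $result;
}

print_r(held_bytes_after_unlink());
```

The same holds for every httpd process that inherited the descriptor, which is why the space only comes back once all of them have closed or reopened the log.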


Category : Apache

Posted by FreeBSD Newbie at 05:34 AM | Comments (0)