Archive for category linux

mod_fcgid is crashing Apache on Windows and Linux

With Apache 2.3.15 I had pretty much the same issue with mod_fcgid on Ubuntu 8.04 as on Windows. With -k restart or -k graceful the server did not die like on Windows, but afterwards it delivered only a 200 OK response header and nothing more. Switching from the worker MPM to the event MPM seemed to solve this, but the server died later :-/

Since it has almost the same issues as on Windows, I could make a patch that fixes this. Grab the patch (against trunk) or the patch for 2.3.6.

Bug 50309 has now been listed for more than a year. Too bad nobody has applied it yet.


Secure Apache against CVE-2011-3389 aka the BEAST attack

During the summer rumours about a new attack against SSL started circulating (CVE-2011-3389).
As it turns out, the attack itself was conceived years ago, deemed impractical, but it was nevertheless fixed in TLS 1.1. The new attack technique introduced a few optimizations to make it practical.

In terms of mitigation, I expect this problem will be largely addressed on the client side, despite a potential compatibility problem that may cause some TLS sites to stop working.

With this configuration you can avoid that attack on the server side:

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
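The directives above work because SSLHonorCipherOrder makes the server pick the first suite in its own list that the client also offers, so a TLS 1.0 client (which has no AEAD or SHA-256 suites) is steered to a stream cipher instead of a CBC one. The script below is an added example, not from the post: it expands the post's SSLCipherSuite string with the OpenSSL that Python is linked against and reports which suite a TLS 1.0 client would end up with. The names `BLOG_CIPHER_STRING`, `classify_suite`, `expand_cipher_string`, `first_suite_for_tls10` and `beast_exposed` are mine. One caveat for anyone reading this today: RC4 is itself broken and prohibited for TLS (RFC 7465), and modern OpenSSL builds omit it, so on such a build the script will show a CBC suite first; the current fix is to disable TLS 1.0 and 1.1 rather than to prefer RC4.

```python
"""Expand an Apache SSLCipherSuite string and show what a TLS 1.0 client gets.

Added example (not from the original post). Uses only the standard-library
ssl module; the expansion reflects the local OpenSSL build, so RC4 suites
are absent on current builds.
"""
import ssl

# Cipher string copied from the post's SSLCipherSuite directive.
BLOG_CIPHER_STRING = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:"
    "!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL"
)

# Minimum-protocol tags OpenSSL reports for suites a TLS 1.0 client can use.
TLS10_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}


def classify_suite(name: str) -> str:
    """Rough cipher-mode classification from the OpenSSL suite name."""
    if "GCM" in name or "CHACHA20" in name or "CCM" in name:
        return "AEAD"      # TLS 1.2+ only, not affected by BEAST
    if "RC4" in name:
        return "stream"    # what the post's ordering relies on for TLS 1.0
    return "CBC"           # everything else in this string is AES/3DES-CBC


def expand_cipher_string(cipher_string: str) -> list:
    """Return [(suite_name, min_protocol), ...] in server-preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)        # raises SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def first_suite_for_tls10(cipher_string: str):
    """Suite a TLS 1.0 client offering everything would negotiate, or None."""
    for name, proto in expand_cipher_string(cipher_string):
        if proto in TLS10_PROTOCOLS:
            return name
    return None


def beast_exposed(cipher_string: str) -> bool:
    """True when the server would prefer a CBC suite for a TLS 1.0 client."""
    first = first_suite_for_tls10(cipher_string)
    return first is not None and classify_suite(first) == "CBC"


if __name__ == "__main__":
    for name, proto in expand_cipher_string(BLOG_CIPHER_STRING):
        print(f"{name:32} min={proto:8} mode={classify_suite(name)}")
    print("first TLS 1.0 suite:", first_suite_for_tls10(BLOG_CIPHER_STRING),
          "-> BEAST exposed:", beast_exposed(BLOG_CIPHER_STRING))
```

Run it on the server's own Python to see the list exactly as that OpenSSL will order it; `openssl ciphers -v '<string>'` gives the same expansion on the command line.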


vserver ubuntu IPv6 network

IPv6 has been available for my server for some days now, but I only noticed it today. Editing /etc/network/interfaces and adding a new virtual interface didn’t work at all: /etc/init.d/networking restart just showed errors, and ifconfig venet0 wasn’t satisfying either.

What works is just adding the loopback in /etc/network/interfaces:

iface lo inet6 loopback
        address ::1
        netmask 128
        gateway fe80::1

Now the trick is to edit /etc/rc.local and add this before the exit 0:

ip addr add 2a01:238:40ab:cd12:dead:beef:dead:beef/128 dev venet0
ip route add default via fe80::1 dev venet0

Then execute /etc/rc.local.
Wonder of wonders: ifconfig works, and so does ping6 ipv6.example.com.

Then I had to add the new IPv6 address to my Apache config:

Listen [2a01:238:40ab:cd12:dead:beef:dead:beef]:80

Don’t forget to create a symlink from rc.local to /etc/rc2.d/S21rc2.local.


Scroll console output on FreeBSD

People coming from Linux will find that they can’t scroll back through the console output the same way on FreeBSD.

In FreeBSD you need to press “Scroll Lock” and use the arrow keys, PageUp and PageDown to be able to scroll backwards and forwards the console output. To go back to the prompt press “Scroll Lock” again.


Configure Apache 2.3 build

./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-authn-dbd --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=worker --enable-rewrite --with-z=/home/mario/apache24/httpd-2.3.11-beta/srclib/zlib --enable-module=ssl --enable-fcgid

For mod_fcgid:

APXS=/opt/apache2/bin/apxs ./configure.apxs


sudo owns me!

Today I installed sudo on my FreeBSD test server. Typed a wrong password and got: “You type like i drive.” Owned! That is a difference between FreeBSD and Linux sudo.

sudo -s also works.

sudo also has an insults mode, which will question your intelligence if you enter a password wrong.


Fun with chmod

Fun thing to do as root, in root: chmod -R 666 * Just as bad as rm -rf *, but more fun. “The files are all there, but I can’t do anything with them!” And you can’t change permissions, since chmod isn’t executable either. :-)


Install TweetDeck on Ubuntu 10.04 64 bit

The worst thing about this is that there is only a 32-bit version of Adobe AIR, which is needed to run TweetDeck.

sudo apt-get install lib32asound2 lib32gcc1 lib32ncurses5 lib32stdc++6 lib32z1 libc6 libc6-i386 lib32nss-mdns
wget http://frozenfox.freehostia.com/cappy/getlibs-all.deb
sudo dpkg -i getlibs-all.deb
sudo getlibs -l libnss3.so.1d libnssutil3.so.1d libsmime3.so.1d libssl3.so.1d libnspr4.so.0d libplc4.so.0d \
libplds4.so.0d libgnome-keyring.so libgnome-keyring.so.0 libgnome-keyring.so.0.1.1
sudo ldconfig

Download AdobeAIRInstaller.bin from http://get.adobe.com/de/air/otherversions/

chmod +x ~/Desktop/AdobeAIRInstaller.bin
sudo ~/Desktop/AdobeAIRInstaller.bin

Keep the /opt folder.

Go to http://www.tweetdeck.com/desktop/


lynx

Right before Lynx.
I am Lynx-handed.
In the Wild West people got Lynxed.
My Lynx glands are swollen.
Are you Lynxing to me?

Anyone who can think of more lynx-y things is welcome to leave a comment. Spambots are excluded.


Woken up once again by the embedded Linux

Last night I was once again woken up by my embedded Linux, as happened once before. After the last attack I had installed fail2ban, which was surprisingly easy.

sudo apt-get install fail2ban
sudo nano /etc/fail2ban/jail.conf
sudo /etc/init.d/fail2ban restart

Done! That was all.

And yet the LED kept blinking incessantly through the night. Over 100 IP addresses that were hacking away until there was finally peace. All the other computers were switched off, so the other port-forwarded ports must at least have shown up as closed or filtered in the scan. So much energy because of one open SSH port on an IP that changes every 24 hours? I’m surprised the little NSLU2 didn’t give up under such a DDoS; after all, it takes 3.5 hours just to compile nmap ;-) Well, 266 MHz and 32 MB RAM aren’t exactly much, but as the entrance to my network it has always been enough for me. The only question is what I can do next against such an attack. Fail2ban doesn’t seem to be enough anymore. Ideas?
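What the jail.conf edit above switches on is a simple counting rule: an address that produces maxretry failed logins within findtime seconds (both real jail.conf settings) gets banned. The script below is an added example, not part of the post or of fail2ban itself; it runs that rule over constructed sshd log lines in the syslog format OpenSSH writes on Debian/Ubuntu, so the effect of the two settings on the post's "over 100 IP addresses" situation can be seen offline. `FAILED_RE`, `SAMPLE_LOG`, `parse_failures` and `offenders` are names I chose, and the addresses are documentation ranges.

```python
"""Count failed SSH logins per source address in a sliding window.

Added example reproducing the check fail2ban's sshd jail applies
(maxretry failures within findtime seconds). Not part of the post or
of fail2ban; the log lines below are constructed, not real captures.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog line as written by OpenSSH: "Mon DD HH:MM:SS host sshd[pid]: ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.a-fA-F:]+) port \d+"
)

# Constructed sample: one address hammers in a burst, a second one
# spreads its attempts out so that the findtime window matters.
SAMPLE_LOG = """\
Nov  3 02:14:01 slug sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  3 02:14:03 slug sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Nov  3 02:14:05 slug sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Nov  3 02:14:09 slug sshd[1207]: Accepted publickey for mario from 192.0.2.10 port 40000 ssh2
Nov  3 02:14:10 slug sshd[1209]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov  3 02:14:11 slug sshd[1211]: Failed password for root from 198.51.100.9 port 33001 ssh2
Nov  3 02:31:00 slug sshd[1301]: Failed password for root from 198.51.100.9 port 33002 ssh2
Nov  3 02:31:02 slug sshd[1303]: Failed password for root from 198.51.100.9 port 33003 ssh2
Nov  3 02:31:04 slug sshd[1305]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""


def parse_failures(log_text, year=2010):
    """Yield (timestamp, ip) for each failed-password line; other lines are skipped.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_trigger} for addresses that reach maxretry failures
    inside any findtime-second window. Mirrors fail2ban's jail settings."""
    windows = defaultdict(deque)   # per-IP timestamps inside the current window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue               # already decided, as a ban would stop further lines
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # drop attempts that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip:15} would be banned at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.7 trips the rule on its third attempt, while 198.51.100.9 only does so after its evening burst, because its first attempt has aged out of the 600-second window; raising findtime to an hour catches it one line earlier. That is the trade-off the post's question is about: a slow, distributed scan stays under any per-address threshold, which is why the count alone cannot see it.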
