With CVE-2014-8730 the POODLE attack is back. However, with the right config it is not an issue. https://mariobrandt.de/archives/apache/current-2013-bullet-proof-ssl-config-779/ is still the right config for this :) Make sure that your server is bullet proof, too.
nano goto line number
It is well hidden how to jump to a line number in the Linux nano editor:
- Ctrl + W
- Ctrl + T
- enter the line number
Apache 2.4 global IP blocking list for all vhosts
It is a pain in the ass to set a bunch of IP addresses in each vhost or wherever else you need them. But with Apache 2.4 it is quite easy to keep one global list and use it anywhere in your config.
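Apache matches Require ip arguments by address prefix, so a two-octet entry such as 188.40 rejects all of 188.40.0.0/16. The following is an added example, not code from the post: it reimplements that IPv4 matching in Python so you can check which clients a BADIPS list like the one in the config rejects, and how many addresses each entry covers, before you deploy it (IPv6 entries are deliberately left out).

```python
import ipaddress

# Constructed copy of the BADIPS Define from the post, used here as sample input.
BADIPS = "188.40 46.4 176.9 46.166 46.21 78.46 91.207.7.21 0.0.0.0 91.207.7.182"

def require_ip_to_network(entry: str) -> ipaddress.IPv4Network:
    """Translate one 'Require ip' argument into the IPv4 network Apache tests against.
    Accepted here: a.b.c.d (full, /32), a.b[.c] (partial, /8 /16 /24),
    a.b.c.d/nn (CIDR) and a.b.c.d/w.x.y.z (dotted netmask). IPv6 is left out."""
    addr, sep, mask = entry.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {entry!r}")
    # Missing trailing octets are zero; without an explicit mask the prefix
    # length follows from how many octets were written (188.40 -> /16).
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    prefix = mask if sep else str(8 * len(octets))
    return ipaddress.IPv4Network(f"{padded}/{prefix}", strict=False)

def parse_blocklist(define_value: str) -> list:
    """Split the Define value the way ${BADIPS} expands inside 'Require not ip'."""
    return [require_ip_to_network(tok) for tok in define_value.split()]

def is_blocked(client_ip: str, blocklist) -> bool:
    """True when the RequireAll block in the post would reject this client."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in blocklist)

def coverage(define_value: str) -> dict:
    """Addresses each entry covers; a two-octet entry quietly blocks a whole /16."""
    return {tok: require_ip_to_network(tok).num_addresses for tok in define_value.split()}

if __name__ == "__main__":
    nets = parse_blocklist(BADIPS)
    for client in ("188.40.12.34", "91.207.7.21", "91.207.7.22", "8.8.8.8"):
        print(client, "blocked" if is_blocked(client, nets) else "allowed")
    for entry, n in coverage(BADIPS).items():
        print(f"{entry:>14} covers {n} address(es)")
```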
Define BADIPS "188.40 46.4 176.9 46.166 46.21 78.46 91.207.7.21 0.0.0.0 91.207.7.182"
<VirtualHost *:80>
    ServerName mariobrandt.de
    ServerAlias www.mariobrandt.de
    DocumentRoot /var/www/
    FileETag MTime Size
    <Directory /var/www/>
        Options Indexes FollowSymLinks Multiviews ExecCGI
        AllowOverride None
        <RequireAll>
            Require all granted
            Require not ip ${BADIPS}
        </RequireAll>
        AddHandler fcgid-script .php
        FCGIWrapper /usr/bin/php5-cgi .php
    </Directory>
    ErrorLog /var/log/apache2/mario_error.log
    LogLevel warn
    CustomLog /var/log/apache2/mario_access.log combined
</VirtualHost>
virtualbox not identified network
When you install VirtualBox on Windows Vista or Windows 7 it installs an additional virtual network adapter on the host system. This “VirtualBox Host-Only Adapter” causes the Windows network detection to show an additional “unidentified” network, and while this “unidentified” network is present the Windows firewall profile stays on “Public”. This is undesirable because you want to be able to switch your firewall settings based on your location (home/work/public).
The solution: edit the registry and mark that adapter with an *NdisDeviceType. Open regedit and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Browse through the subkeys (named 0000, 0001, etc.) until you find the one for the VirtualBox network adapter; it is the subkey whose “DriverDesc” value is “VirtualBox Host-Only Ethernet Adapter”. Add a new DWORD value named “*NdisDeviceType” with the value “1”, then disable and re-enable the VirtualBox host-only network adapter.
Why does that work? From http://msdn.microsoft.com/en-us/library/bb201634.aspx:
*NdisDeviceType: The type of the device. The default value is zero, which indicates a standard networking device that connects to a network. Set *NdisDeviceType to NDIS_DEVICE_TYPE_ENDPOINT (1) if this device is an endpoint device and is not a true network interface that connects to a network. For example, you must specify NDIS_DEVICE_TYPE_ENDPOINT for devices such as smart phones that use a networking infrastructure to communicate to the local computer system but do not provide connectivity to an external network.
mod_fcgid is polluting my error log on windows
Well, I really like mod_fcgid with PHP on my Apaches on Windows. But every time a PHP process gets its signal to die, mod_fcgid writes an entry to the error log on Windows because the graceful stop always fails there.
There is a patch for that! I made a bug report (54597), but it hasn't gone into the code yet. If you want to patch it yourself, here it is.
--- modules/fcgid/fcgid_pm_main.c (revision 1448988)
+++ modules/fcgid/fcgid_pm_main.c (working copy)
@@ -333,10 +333,17 @@
current_node->proc_pool);
}
else {
+#ifndef WIN32
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, main_server,
"mod_fcgid: process %" APR_PID_T_FMT
" graceful kill fail, sending SIGKILL",
current_node->proc_id.pid);
+#else
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, main_server,
+ "mod_fcgid: process %" APR_PID_T_FMT
+ " graceful kill fail, sending SIGKILL",
+ current_node->proc_id.pid);
+#endif
proc_kill_force(current_node, main_server);
}
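Review bot: the two ap_log_error calls in this hunk differ only in the log level, so the #ifndef WIN32 / #else split duplicates the format string and the arguments; select the level once (for example an apr_int32_t level set to APLOG_DEBUG under #ifdef WIN32 and APLOG_WARNING otherwise, or a small macro near the top of the file) and keep a single call, so that later edits to the message cannot drift between the two branches. The WIN32 branch also still logs "graceful kill fail, sending SIGKILL" even though the reason for the patch is that graceful termination never succeeds there; either word the message around what proc_kill_force actually does on that platform or drop the "graceful kill fail" part, otherwise the DEBUG entry still reads like an error whenever debug logging is on.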
}
apache HTTP Strict Transport Security with long duration
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header. Once a supported browser receives this header, it will refuse to send any communication over plain HTTP to the specified domain and will use HTTPS instead. It also prevents HTTPS click-through prompts in browsers.
How to get Apache with a bullet proof SSL config and HTTP Strict Transport Security (HSTS) with long duration? Here it goes:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000; includeSubDomains"
</IfModule>
SSLUseStapling on
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
This gives an A+ at the Qualys SSL Labs SSL Test.
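Browsers only honour this header when its value parses under RFC 6797, so it is worth checking the exact value the Header directive emits. The following is an added example, not code from the post: it parses a Strict-Transport-Security value the way a conforming user agent does and reports whether it is a long-duration policy. The 180-day threshold is an assumption, chosen because max-age=15553000 is about 180 days.

```python
import re

SAMPLE_HEADER = "max-age=15553000; includeSubDomains"  # constructed: the value the Header line above sets
LONG_DURATION_SECONDS = 180 * 24 * 3600  # assumed threshold for "long": 180 days, about max-age=15553000

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# directive-name [ "=" directive-value ], then ";" or the end of the field value
_DIRECTIVE = re.compile(r"\s*(" + _TOKEN + r")\s*(?:=\s*(" + _QUOTED + "|" + _TOKEN + r"))?\s*(?:;|$)")

def _directives(value):
    """Yield (name, raw_value) pairs; raise on anything the RFC 6797 grammar rejects."""
    pos = 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m:
            yield m.group(1), m.group(2)
            pos = m.end()
        elif value[pos] in " \t;":
            pos += 1  # optional whitespace, or an empty element between two ';'
        else:
            raise ValueError(f"malformed directive near {value[pos:]!r}")

def parse_hsts(value: str) -> dict:
    """Parse an STS value as a conforming UA does: names are case-insensitive, unknown
    directives are ignored, a duplicate or missing/invalid max-age invalidates the header."""
    seen = {}
    for name, raw in _directives(value):
        name = name.lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unquote and resolve quoted-pairs
        seen[name] = raw
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def assess(value: str) -> str:
    """Classify a policy the way a reviewer of the Apache config above would."""
    p = parse_hsts(value)
    if p["max_age"] == 0:
        return "policy removal (max-age=0)"
    if p["max_age"] < LONG_DURATION_SECONDS:
        return "short duration"
    return "long duration" + (" with includeSubDomains" if p["include_subdomains"] else "")
```

Running assess(SAMPLE_HEADER) on the value from the config reports a long-duration policy with includeSubDomains; feed it the value you see in an actual response to confirm the header survived any proxy in front of Apache.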
Find the largest files on your linux system
cd /
du -k | sort -n | perl -ne 'if ( /^(\d+)\s+(.*$)/){$l=log($1+.1);$m=int($l/log(1024)); printf ("%6.1f\t%s\t%25s %s\n",($1/(2**(10*$m))),(("K","M","G","T","P")[$m]),"*"x (1.5*$l),$2);}'
current 2013 bullet proof SSL config
As of December 2013, this is the best available SSL config for a 4096 bit RSA key on Apache httpd 2.4.7 with OpenSSL/1.0.1e.
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
Yes, Windows XP is no longer supported with this config. But for me there is no more need to support it.
The SSL Labs test shows a very good result: the cipher strength is at 100%, so any browser will use a 256 bit encrypted connection to that server.
For female geeks
Good bye spam!
Since the spam increased that much, up to 10k spam comments each week, I searched for a solution. It turned out that the combination of Akismet and the Stop Spammer Registrations plugin makes it possible to have only 1 or 2 spam comments in the queue. I love it!
Good bye de@r spam!

