You are not logged in.

#26 2005-06-26 18:54:12

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

The overhead you would get from a lo socket, vs a file socket, would probably not be that great. The added complexity (and security issues) would likely outweigh the potential speed benefit.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#27 2005-06-28 17:43:52

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now I backed a bit from chrooting and got into logging - it is very important to have proper "eyes" to see what is happening at the server. I would like to have the ability to read apache logs in more clear way than just grep -ir'ing through raw files. So I need to have logs copied (or piped) directly to database. It must also be clear how should logging happen with chrooting of apache. There is nice white paper written by Antony Shearer about this logging to database - topic.

I would also like to see the nice diagrams of server's statistic - these pages could be sent automatically to my e-mail - a daily action report smile

As as solution I found these: Iptables log analyzer (and installation guide) and fwanalog that uses great webstats engine analog. Then there is also Logrep that seems to support many common log formats. php-syslog-ng is for going through system logs.

EDIT: 03.07.05: ACID could be used in conjuction with logsnorter that would extract logs information from iptables logs.

Offline

#28 2005-06-29 18:59:16

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I am trying at first to get iptables analyzer to work  - got database created easily and copied php scripts to their place. From browser everything seemed ok - and then realized why all seemed so empty - the data needs to be inserted to database somehow and analyzer has a Perl script and daemon for this.

I started to look more carefully at the start-up and update scripts. update_db.pl seems to need DBI.pm module for Perl in order to insert the data to the database. I installed perl-dbi package but now mysql module seems to be missing (DBD/mysql.pm).

The iptablelog - start up script is very odd - probably for somekind of generic sys v - system. Start-up section looks like this:

start)
      echo -n "Starting $LONGNAME: ";
      start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- --background
      echo $NAME;
        ;;

So this needs to be completely rewritten for Arch.

Offline

#29 2005-07-04 11:42:38

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I got the Iptables Analyzer to work. Now I'll try to make a package (at least partly ready) so that installation would be easier.

EDIT: I made the package usable with default apache installation, but in production environment it is important to protect the iptables logging properly.
All the restricted stuff could be put in a certain virtualhost - there could be for example phpmyadmin, too.

Like this:

<VirtualHost *:80>
    ServerName localhost
    ServerAdmin celeon@gmail.com
    ScriptAlias /cgi-bin/ /home/httpd/clients/local/cgi-bin/
    DocumentRoot /home/httpd/clients/local
    SuexecUserGroup "local" "clients"
    <Directory /home/httpd/clients/local>
          Options -Indexes -FollowSymLinks ExecCGI
          AllowOverride none
          Order deny,allow
          Deny from all
          Allow from 127.0.0.1
    </Directory>
</VirtualHost>

In a production environment, ssl should used when logging in to sites (I'll try to find out how to implement that for certain virtual hosts) and also  restrict the ip addresses that can access those login pages. As a third (and outmost) layer of protection, you could only allow certain ip addresses to connect to certain registered subhost . For example mysecrets.com should point to /home/httpd/clients/local and connection to mysecrets.com is allowed only for certain ip.

Offline

#30 2005-07-06 13:34:07

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

IPtables log analyzer is now added to AUR, under name iptlogger. Now I'll try to  get fwanalog to work. Can't wait to see the diagrams smile

EDIT: a new version of the log analyzer package is out now - no manual editing of configuration files is required now. Just edit the firewall file's LOG rules and start the daemon after running the installation script.

Offline

#31 2005-07-09 11:14:51

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I got analog and fwanalog ready now smile
Then let's see how good those other things are - I'll see how logrep and acid are working.

Offline

#32 2005-07-09 15:50:27

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

I wouldn't put analog on a webhost machine. Go with webalizer. Analog has far more security issues on a regular basis than does webalizer.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#33 2005-07-10 08:22:18

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Doesn't seem too good to have any of these perl scripts available online,I think. I would use them merely via cron. I don't want to have apache too bloated with modules - more stuff - more things to keep an eye on. Then there is also awstats. That seems to be even better than webalizer and analog.

EDIT: found something interesting: apache:logmonster for multiple hosts logs analysis

Offline

#34 2005-07-10 17:46:47

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now I am implementing more security-related packages - mod_dosevasive and mod_throttle. I also found a very interesting forums discussion about the use of both of them and mod_security.

The interesting mod_dosevasive ability is to execute a command on a possible dos event. Like this:

DOSSystemCommand "iptables -I INPUT -s %s -j DROP"

One of the discussers on that forum has implemented a script that does  automatic ip address blocking for certain minutes using iptables: http://xrl.us/esjt

EDIT: mod_dosevasive is now ready at AUR.
I've  found an interestng site with guides on how to act on dos attack or when server is under too heavy load. There are also some more security-related guides in there. Article on how to secure /tmp seems very useful - in Arch it is not that secure as default.

EDIT (11.07.05): mod_throttle doesn't exist for Apache 2 and also it has a reputation of being troublesome. There are these two then: mod_bwshare (seems be pretty similar to mod_throttle) and mod_watch that can generate nice reports on how much load a vrtual host has on system.

For monitoring a DOS attack there is mod_status:
Add these to global cope:

LoadModule status_module        lib/apache/mod_status.so

<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Location>

ExtendedStatus On

And go to http://localhost/server-status. It is good to use Lynx for it if you have a server machine with no screen attached to it.

EDIT: mod_watch author has disabled all downloads - and so it might be a security risk to use it, because no one has not taken over the developement. Oh well.... Then got to make just mod_bwshare ready.

Offline

#35 2005-07-12 21:18:46

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

mod_bwshare is now ready - default configuration seems to be agressive so it needs to be set carefully for certain needs.

The module also has some bugs - for example when compiled as DSO module, reverse DNS lookups are always on (that makes server a bit slower). Another problem is that configure parameters don't always take effect. More...

It is interesting to combine mod_dosevasive and then mod_bwshare. mod_dosevasive protects against fast hammering attacks while mod_dosevasive against slower spiders and other automatic downloaders.

Offline

#36 2005-07-13 06:02:34

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Found a Gentoo ebuild that would automatically put  apache to chroot I think in Arch the same kind of package should be made for improved security.

Offline

#37 2005-07-24 11:46:39

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I think I finally found an answer to my needs and this whole topic smile I found a story on slashdot about isolating apache virtual hosts

Also check these: intro to vservers
linux-vserver
vserver admin's guide

I have been bugged by the fact that although I can improve the security of apache and all the users by 1)creating chroot for apache and mysql indepndently 2)using suexec to prevent users from seeing/editing each other's files, I started to think of how to allow users to use only a certain amount of mysql space (by creating soft links from /var/lib/mysql to user's homedirs?) and how to make it more simple to administer this all.

A virtualization would be the answer! I have ruled out the real emulators (like quem) since they are using too much resources during the emulation process. Then I am left with kernel mode virtual machines that are working more closely with kernel. There are two of them known to me now - xen and linux-vserver. Of those two, xen is a resources hog because it needs certain amount of memory reserved for it and also all the stuff needs to be copied to each virtual machine - like kernel and libraries. In vserver I can just make immutable hard links.

I can assing local ip addresses to each virtual server so it is kind of running  a NAT on the kernel side. Now I must think more carefully of logging stuff. Firewall will be still at the "host" server side, but mod_security and mod_dosevasive will be at each virtual servers - perhaps I could make syslog-ng on each virtual server to send their logs directly to the host server.

For being more paranoid - I hope to be able to chroot apache/php and mysql processes in each virtual server smile

EDIT: there are also per vserver quota tools

Offline

#38 2005-07-27 16:27:53

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I got the ACID thing ready now. Found out that the developement of ACID was taken over by BASE project and used this instead. It is in AUR now. It is a lot better than that previous iptlogger with more possibilities of tracking down possible crackers.

Offline

#39 2005-08-17 09:22:22

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Progress in vserver - someone has made a page about arch and vserver to vserver's wiki. Had some problems with the PKGBUILD in there: there was a missing iproute package dependency and the 0.30.207 (alpha) version did not compile cleanly. I set the version to the latest and compilation finished.

Offline

#40 2005-08-17 17:24:11

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

xen should be more performant than vserver, or user-mod-linux.
One of these days when I have some time, I am going to take a crack at getting Xen working on Arch.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#41 2005-08-17 18:00:39

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I still believe vserver is faster (according to that article at FSM) because it can use the same resources as the "real thing" and you can set hard links to stuff. Xen and UML seem more like emulators, they have real kernels of their own and use more disk space. Their security is better, though.
It would be great to test all those three against the "real server".

I still haven't got my vserver working though.  It seems I get it running but on that instant I lose keyboard control and have to reboot. I'll try with another computer.

EDIT: I discussed with people at #vserver in irc.oftc.net and immediately got good advice smile I had to remove /dev/console from guest and then also set kernel.vshelper = /usr/lib/util-vserver/vshelper to /etc/sysctl.conf and then did sysctl -p. Now I could get the vserver guest to start without losing keyboard on host. Now lets see how to get in...

EDIT: entering was easy, just typed "vserver test enter" to enter my test guest. The next thing is to try to build a network between host and guest - a "virtual lan".

EDIT: some ideas are here at these sites and also some more tips:
Debian Grimoire tips
Gentoo howto

Offline

#42 2005-08-25 10:27:08

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I finally got networking to work, with the help of Bertl (the vserver developer) at #vserver. He took me through the configuring of NAT between vserver guest and host. One iptables line did it finally:

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to 85.x.x.x

where 85.x.x.x is my public ip address and I am using addresses like 192.168.10x for my vserver guests.

Now I already got new ideas what could be done next. I want to be able to use Apache's nice modules to improve security and my users' privacy (like mod_security) to prevent spammers and crackers enterting via open web port.  I'd like to use Apache on host only and then perhaps use mod_proxy somehow in the middle and then lighttpd instances on each of the guests. Having many Apache instances for my users doesn't seem too good because of resource usage.

EDIT: checked Apache's mod_proxy pages - seems like I need to implement a reverse proxy that appears to the client just like an ordinary web server.

Offline

#43 2005-08-26 11:07:16

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

That all was very easy. I got lighttpd and php working and I am using apache in an umbrella-like role now with mod_security. Feels like birthday big_smile

First created localhost for vserver guest. I wrote about it to Arch wiki at vserver wiki site.

Then I set up lighttpd in guest by following cactus's guide. Only trouble was that his repo is not active now (Fix it, please smile ) - luckily I had the old PKGBUILDS from the time I tried lighttpd in May. I watched how the php-fastcgi instances started up.

I recompiled apache and made it to have a config option of --enable-mods-shared=all  instead of --enable-mods-shared=most. I activated the two needed modules like this:

Loadmodule proxy_module         lib/apache/mod_proxy.so
Loadmodule proxy_http_module    lib/apache/mod_proxy_http.so

Then added this to virtual host:

ProxyRequests Off
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>
    ProxyPass /mini http://192.168.0.104:412/
    ProxyPassReverse /mini http://192.168.0.104:412/

Then I just made some dummy php test pages, added links to them in guest's lighttpd index.html page. Typed /mini/ after the url of my apache virtual host's address and there was the page via proxy. I also did a mod_security test, like copied ohbehave.php (that was described earlier in this thread) to guest and activated mod_security under virtual host like this:

    SecFilterEngine DynamicOnly
    SecFilterSelective "POST_PAYLOAD" "testime" "redirect:http://apublicaddress/mini/ohbehave.php"

and it worked,too. There are some small problems,though - no images get transferred through proxy (they are not visible on php info page for example) and if you try to use /mini, without trailing slash,then urls at hyperlinks won't get rewritten properly by proxy_http_module - for example http://myaddress/mini/page.html becomes http://myaddress/page.html.

EDIT: image problem doesn't exist, it was only somehow php info-related problem. gd works fine and generates images.

Offline

#44 2005-08-26 15:30:17

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

lighttpd is in extra now, so you dont need to get it from my repo. Likewise, I put php-cgi into the aur, and then moved it to [community]. So you can get a good binary package of it out of there.

My repo will be back in a bit, but in my webhost move, I had to rework my dns a bit...
that lighttpd guide needs an update too, since 1.4 has changed a few things in lighttpd land.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#45 2005-09-11 18:24:14

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

Now the company behind Virtuozzo is backing the new open source project - Open Virtuozzo. According to the article on their site, the Open Virtuozzo is on the same abstraction level as Linux Vserver - virtualization on OS level. Some more news on the same topic.Would be cool to test virtuozzo and compare the two.

My project with vserver has been a bit on hold, I wanted to have some more protection and so saw that I could use the grsecurity patch. The problem was that the latest patch is for kernel version 2.6.11.12 and I I tried to get earlier version of vserver, too. I found the appropriate older vserver patch from the experimental section of the vserver site but patching the kernel with both of them did not work, I got errors.

Luckily there are ready-made vserver-grsecurity patches that can be applied to older kernels.
the most recent one - for 2.6.11.9
some others,on vserver site

My first test with grsecurity did not work at all because I had all the security options on. Even SSH daemon did not start up because I had the non-executable stack option turned on. I had to turn that option off. According to discussion at Fulldisclosure, setting non-executable stacks on doesn't add any security. Found also a Gentoo wiki page about setting up a usable grsecurity system.

EDIT: Virtuozzo seems to be for RedHat and Fedora - so user space tools must probably be modded to be able to use them on Arch. After a glance to Open Virtuozzo manual, all the operations seem to be quite similar to those of vserver.

Offline

#46 2005-09-28 13:49:14

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

The next important step for me has been to be able to make new vservers fast while using the vserver's ability to save disk space by using hard,immutable links instead of copying the same stuff all over again. For this I've found the vskel script.

Basic test with the Arch base install went very well. I made a new proto vserver, set up the Arch base system in there and then exited and chrooted into it. This was needed because some vserver's security measures prevented perl from working properly in there for some reason. Then after chrooted in, I was able to use vskel to make the skeleton of this basic system and finally exited from chroot and copied the skeleton over to the host. Making a new vserver took just one command and I was able to enter the new vserver and start to operate with it.

Then I'll to try to make a skeleton of full system consisting of mysql, lighttpd and php. I also must try two other important vskel operations - like turning skeleton into temporary vserver for package maintenance and then back to skeleton.

EDIT: worked also well, only had to manually copy a .conf file in /etc/vservers to tmp_skel_myskel.conf, then I was able to enter the temporary vserver, tmp_skel_myskel. I removed some packages and then exited and issued the --split-skel command and the skeleton was updated. After I generated a new vserver using that new skeleton, I saw that those removed packages were not present in there, just like they should.

Offline

#47 2005-10-01 10:19:55

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

After some more testing, I found out that the legacy configuration system the vskel uses seems harder to use than the newer one. Last time the vskel script was updated was 2003. For example on vserver start, no daemons are started inside vserver. So I am now making a bash script that will make use of vskel for vserver generation and then will change the config from the legacy one to the newer one.

Offline

#48 2005-10-01 15:45:44

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Making Arch suitable for hosting with secure php support

good work on all this sven.
smile


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#49 2005-10-01 18:43:50

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

It has been like a long but very rewarding journey smile
When I started with this in June, I did not know it would take so long - but it was then when I got myself that Hacking Linux - book and got paranoid enough and wanted do things right, if I would like to host some people's CMSs on my server.

Big lines seem to be on the right track for me now. When I'll get that script ready, I have grsecurity and selinux to learn. And then I still have to set up mod_security rules, made of snort rules, and logging to another server.

EDIT: I found a wiki page about implementing vserver per context quotas - this is important because I would not want any one user to use up all the disk space in his vserver guest.

Offline

#50 2005-10-04 15:36:20

sven
Member
Registered: 2005-02-01
Posts: 311

Re: Making Arch suitable for hosting with secure php support

I made many scripts - like one for a new vserver creation, one for deletion and still got to do a script for apache, that will enable automatic removal and adding a new vserver. I tried to take a modular approach instead of making a one giant script.

Now I got stuck with that quota part because hard links are still counted as "whole files" and are making a new vserver seem very big, like 800 MB to standard tools, like du. And so vdlimit fails when I try to use a smaller quota, like 250 MB.

I discussed a bit on vserver channel at IRC and the solution is a better command for vdlimit and to patch coreutils package using this patch and another one. Let's try them out...

EDIT: along the way found something else interesting - how to make df command to work. The guy who made the previous patches told me to use this: ln -sf /proc/mounts /etc/mtab inside a guest in order to get df to work.

Offline

Board footer

Powered by FluxBB