David Fletcher | 1 Dec 2004 01:08

Re: Chroot, piped logging & failure to restart child process

Hi Ivan & everyone,

I think I have found a fix for this problem, which can be applied to any
piped logging process in the chroot, including rotatelogs. It
makes use of the Monit server monitoring package
(www.tildeslash.com/monit) which can take action from outside the chroot
when the piped logging process dies. This solution isn't as nice as getting
everything to 'just work', but I think it is the best I can do for piped
logging from the chroot.

Monit can easily restart apache, therefore restarting any failed piped
logging process. However, Monit has to know that something is wrong, and it
is nice if it can find this out *before* the web server begins to lock up.

When apache tries to re-start the piped logging process it looks for the
binary it was previously running, but on the inside of the chroot. Actually
putting a copy of the binary there is a nuisance, and in any case the log
files would start going inside the chroot rather than the normal
place, which is messy. Much better is to put a simple statically linked
binary as a 'fake' rotatelogs on the inside of the chroot. When apache runs
this fake rotatelogs, this binary updates a status file (e.g.
/tmp/log_fail.txt), which Monit notices by a timestamp change, and the
server is automatically re-started.

Code for the fake fakerotatelogs.c:
-----------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
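The stand-in logger described in the message above, sketched as an added example (this is not David Fletcher's fakerotatelogs.c, which is cut off in this archive). The status-file path comes from the post; the function names, the message format and the choice to drain stdin are assumptions of this example.

```c
/* Added example: a stand-in "rotatelogs" to place inside the chroot jail.
 * Only the status-file path comes from the post; everything else is assumed. */
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define STATUS_FILE "/tmp/log_fail.txt"  /* as seen from inside the jail */

/* Append a timestamped line so the file's mtime changes on every respawn.
 * Returns 0 on success, -1 on any failure. */
int record_log_failure(const char *path)
{
    char line[96];
    int fd, len;
    ssize_t written;

    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    len = snprintf(line, sizeof line, "%ld piped logger respawned, pid %ld\n",
                   (long)time(NULL), (long)getpid());
    written = write(fd, line, (size_t)len);
    if (close(fd) != 0 || written != (ssize_t)len)
        return -1;
    return 0;
}

/* Read and discard log data until EOF so Apache's children never block on a
 * full pipe. Returns the number of bytes discarded, or -1 on a read error. */
long drain(int fd)
{
    char buf[4096];
    long total = 0;
    ssize_t n;

    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return n < 0 ? -1 : total;
}

int main(void)
{
    /* Signal the monitor first, then keep the pipe flowing until restart. */
    if (record_log_failure(STATUS_FILE) != 0)
        return 1;
    return drain(STDIN_FILENO) < 0 ? 1 : 0;
}
```

Build it with a static link (for example `cc -static`) so it needs no libraries inside the jail. Log lines that arrive between the respawn and the Monit-triggered restart are discarded.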

Rudi Starcevic | 6 Dec 2004 02:53

Error: apache-monitor.pl

Hi,

This email is with regard to the apache-monitor.pl found at 
http://www.apachesecurity.net.

I found the link via modsecurity.org and I believe the author is the same.

Sorry if this is off-topic and/or not appropriate but I didn't know 
where else to ask.

I've installed the required Perl modules and got the script to execute OK 
but there is no data.

First I kept getting this error:

./apache-monitor.pl /root/scripts/httpd/me http://xxx.xxxxxxx.xxx/server-status
Illegal division by zero at ./apache-monitor.pl line 170.

After I hacked the script a little I got it to work but no data.
For example:

RRDupdate(/root/scripts/httpd/me.rrd)=1102232242:::::0:0:0::::::::::::
RRDupdate(/root/scripts/httpd/me.rrd)=1102232547:::::0:0:0::::::::::::
RRDupdate(/root/scripts/httpd/me.rrd)=1102232659:::::0:0:0::::::::::::
RRDupdate(/root/scripts/httpd/me.rrd)=1102232670:::::0:0:0::::::::::::
RRDupdate(/root/scripts/httpd/me.rrd)=1102232672:::::0:0:0::::::::::::

Seems like it's always ::::0:0:0:::::::


Ivan Ristic | 6 Dec 2004 16:47

Re: Error: apache-monitor.pl


> This email is with regard to the apache-monitor.pl found at 
> http://www.apachesecurity.net.
> 
> I found the link via modsecurity.org and I believe the author is the same.

   Yep, that's me.

> Sorry if this is off-topic and/or not appropriate but I didn't know 
> where else to ask.

   You are right, the subject is slightly off-topic. Let's move to
   private communication after this.

> I've installed the required Perl modules and got the script to execute OK 
> but there is no data.
> 
> First I kept getting this error:
> 
> ./apache-monitor.pl /root/scripts/httpd/me http://xxx.xxxxxxx.xxx/server-status
> Illegal division by zero at ./apache-monitor.pl line 170.

   The script has very little error handling at the moment. After I add
   error handling (soon) I will make an official release.

   In my experiments the message above appears if you omit to append
   "?auto" to the URL. It should work properly if you execute it like
   this:


Raphael Koifman | 12 Dec 2004 16:44

problems with apache2 + chroot + httpd.pid

Hello,

First of all, thank you Ivan for this software.

I have a small problem setting up chroot for Apache2.0.52. 

The setup is as follows:

- apache2 is located at /usr/local/sbin/apache2.0.52/
- the jail is at /chroot/ust/local/sbin/apache2.0.52/logs

in httpd.conf:
- the pid location is PidFile /usr/local/sbin/apache2.0.52/logs/httpd.pid
- chroot is SecChrootDir /chroot

1) First case
If I use this configuration, Apache2 starts well and chroot is setup
[taken from error.log]

[Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot checkpoint #1 (pid=18071 ppid=18069)
[Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot checkpoint #2 (pid=18072ppid=18071)
[Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot successful, path=/chroot
[Sun Dec 12 16:05:57 2004] [notice] Apache configured -- resuming normal operations

however, when I try to stop apache (bin/apachectl stop), I get the following error:
httpd (no pid file) not running

2) Second case

Ivan Ristic | 13 Dec 2004 13:18

Re: problems with apache2 + chroot + httpd.pid

Raphael Koifman wrote:
> Hello,
> The setup is as follows:
> 
> - apache2 is located at /usr/local/sbin/apache2.0.52/
> - the jail is at /chroot/ust/local/sbin/apache2.0.52/logs

   I think you should have a symbolic link from
   /usr/local/sbin/apache2.0.52/ to /chroot/usr/local/sbin/apache2.0.52/


> in httpd.conf:
> - the pid location is PidFile /usr/local/sbin/apache2.0.52/logs/httpd.pid
> - chroot is SecChrootDir /chroot
> 
> 1) First case
> If I use this configuration, Apache2 starts well and chroot is setup
> [taken from error.log]
> 
> [Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot checkpoint #1 (pid=18071 ppid=18069)
> [Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot checkpoint #2 (pid=18072ppid=18071)
> [Sun Dec 12 16:05:57 2004] [notice] mod_security: chroot successful, path=/chroot
> [Sun Dec 12 16:05:57 2004] [notice] Apache configured -- resuming normal operations
> 
> however, when I try to stop apache (bin/apachectl stop), I get the following error:
> httpd (no pid file) not running

   In this case, the pidfile is created at the correct location, at

David Fletcher | 14 Dec 2004 11:26

Re: problems with apache2 + chroot + httpd.pid

Hi Raphael and everyone,

I had the same issue with the pid file, but I solved it by making a change to
the etc/rc.d/httpd file which starts and stops Apache. The change makes this
script aware of the chroot, and also adds code to check that the pid
does point to a running httpd process. This covers the case where Apache dies,
or power is cut etc, leaving a pid which might point to a running process other
than Apache when the server is restarted.

The entire script is below. You can compare to the standard one that comes with
Apache to see the changes.

Regards,

David.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/etc/rc.d/httpd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh

ARGV="$@"
#
# |||||||||||||||||||| START CONFIGURATION SECTION  ||||||||||||||||||||
# --------------------                              --------------------
# 
# the path to your PID file, prior to chroot set-up, if any
PIDFILE=/usr/local/apache/logs/httpd.pid
# the path to your httpd binary, including options if necessary
HTTPD='/usr/local/apache/bin/httpd'

David Fletcher | 14 Dec 2004 11:36

Re: Chroot, piped logging & failure to restart child process

Hi all,

Just a quick follow up on the problem I found with logging reliability when
using the chroot feature of mod_security. I suggested a fix on here before, but
it was rather clumsy.

I have been writing an additional test called "apache-status" for the Monit
project at http://www.tildeslash.com/monit/ which can check the mod_status
output of Apache. It's very configurable, and can take action if it spots that
(for example) more than 50% of Apache processes are logging, or over 25% of
processes are stuck doing DNS lookups. Actions can include restarting the
server, or simply sending an email to warn of problems.

The apache-status test is currently in the CVS version of Monit.

Regards,

David.

-- 
---------------------------------------
Email david <at> megapico.co.uk
---------------------------------------

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/

Support | 22 Dec 2004 00:33

Santy worm

Has anyone found a way to block the Santy worm with mod_security?

http://www.f-secure.com/v-descs/santy_a.shtml

Ivan Ristic | 22 Dec 2004 01:09

Re: Santy worm

Support wrote:
> Has anyone found a way to block the Santy worm with mod_security?
> 
> http://www.f-secure.com/v-descs/santy_a.shtml

   After looking at the information available online I think the
   following may work:

   SecFilterSelective ARG_highlight %27

   Assuming the worm attempts to exploit the PHPBB highlight problem. But
   I don't have a working (and vulnerable) copy of PHPBB installed so
   don't take my word for it. If you find the source code of the worm
   send it my way and I'll craft a rule to stop it.

-- 
Ivan Ristic (http://www.modsecurity.org)


Re: Santy worm


Ye we already had some site being defaced. But I made a good filter I think:

SecFilterSelective ARGS "fwrite"
SecFilterSelective ARGS "fopen"
SecFilterSelective ARGS "chr\("
SecFilterSelective ARGS "echr\("
SecFilterSelective ARGS "system\("

Support wrote:
| Has anyone found a way to block the Santy worm with mod_security?
|
| http://www.f-secure.com/v-descs/santy_a.shtml
| _______________________________________________
| mod-security-users mailing list
| mod-security-users <at> lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/mod-security-users
