
Securing Apache and PHP in Ubuntu

Many of us know that Linux is a very secure system and that Ubuntu is nowadays one of the options most chosen by system administrators. However, a basic installation is not always perfect and we need to “touch things” to make it as good as possible.

The problem, especially in Ubuntu 12.04, is that a basic installation of Apache 2 and PHP leaves a lot of clues about what we are actually running, so ideally we should hide that information: we do not want to make an external attack easier by announcing, for example, the PHP version the system is using. Imagine that tomorrow somebody discovers a vulnerability in our PHP version while our server’s headers announce to everyone that this is the version we use. That could be used by hackers to attack our systems.

As an example, run the following command against the IP address of a plain Ubuntu installation with just Apache and PHP (the -I option asks only for the response headers):

curl -I https://direcciondelservidor

you would probably get something like this:

Date: Fri, 19 Sep 2014 13:09:20 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11

Obviously we are giving “too much” information to any potential attacker, so we need to remove it. The steps are the following:

Edit the file /etc/php5/apache2/php.ini and add or modify the following lines:

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off

Next, edit the file /etc/php5/apache2/conf.d/security and do the same with the following lines:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None

Finally we need to edit the Apache configuration file where your website is defined. If you have not changed the default one it should be /etc/apache2/sites-available/default, and as before we need to add or edit some lines. These go inside your VirtualHost block:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

These lines require Apache’s mod_rewrite module to be enabled, so to make sure it is, run:

sudo a2enmod rewrite

And finally…

sudo service apache2 restart

If everything went fine we can run the curl command against our server again and we will see something similar to this:

Date: Fri, 19 Sep 2014 13:17:29 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN

Much better now, isn’t it?
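To check a server for the same leaks after applying the steps above, here is a small POSIX shell audit function. It is an added example, not part of the original post: it reads a header dump (for instance the output of curl -I) from standard input, flags the Server, X-Powered-By and ETag headers that the configuration above removes, and returns non-zero when anything leaks. The two sample responses embedded in it are the header dumps shown in this post, and direcciondelservidor is the same placeholder host name used above.

```shell
#!/bin/sh
# Added example (not from the original post): audit an HTTP header dump for
# the product/version information that the configuration in the post removes.
# Reads headers on stdin, prints one line per leaky header and returns
# 0 when the response is clean, 1 when at least one header leaks.
audit_headers() {
  leaks=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')   # curl output uses CRLF line endings
    case "$line" in
      [Ss]erver:*[0-9]*)
        echo "LEAK $line  -> Server header carries a version: ServerTokens Prod"
        leaks=$((leaks + 1)) ;;
      [Xx]-[Pp]owered-[Bb]y:*)
        echo "LEAK $line  -> PHP announces itself: expose_php = Off"
        leaks=$((leaks + 1)) ;;
      [Ee][Tt]ag:*)
        echo "LEAK $line  -> ETag built from file metadata: Header unset ETag / FileETag None"
        leaks=$((leaks + 1)) ;;
    esac
  done
  [ "$leaks" -eq 0 ]
}

# Constructed sample input: the "before" and "after" header dumps from the post.
BEFORE_HEADERS='Date: Fri, 19 Sep 2014 13:09:20 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11'

AFTER_HEADERS='Date: Fri, 19 Sep 2014 13:17:29 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN'

# Feed one of the samples (or any header dump held in a variable) to the audit.
# Returns 0 if clean, 1 if it leaks.
check_sample() {
  printf '%s\n' "$1" | audit_headers
}

# Against a live server (placeholder host name from the post):
#   curl -sI https://direcciondelservidor | audit_headers && echo clean
```

If the ETag line is still reported after the restart, check that mod_headers is enabled (sudo a2enmod headers), because the Header directive does nothing without it. Note also that register_globals and magic_quotes_gpc were removed in PHP 5.4, so on newer releases those two php.ini lines are ignored; the rest of the settings still apply.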


Fixing Shellshock vulnerability in Ubuntu

These days we have all heard about the Shellshock vulnerability, which affects many Unix-based operating systems. Of course Linux is among them, so it is affected.

The first step is to check whether your Linux (Ubuntu) version is affected. For a quick test open a terminal and run the following three commands:

1)

env X='() { :;}; echo' /bin/cat /etc/passwd; echo 'Welcome to the Simple ShellShock Tester By Svieg';echo 'Your infos are at risk';

2)

env x='() { :;}; echo Your system is vulnerable update ASAP' bash -c "echo Visit svieg.wordpress.com for update info"

3)

env X='() { (a)=>\' bash -c "echo date"; cat echo

If any of the commands prints the text saying that the computer is vulnerable, or the third one gives you the date instead of an error message, then your computer is at risk.

Ubuntu published the fix on the 25th of September, so the usual update should solve it:

sudo apt-get update; sudo apt-get upgrade
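To turn the manual tests above into one repeatable check, here is an added POSIX shell function; it is not from the original post or from the Svieg tester it quotes. It runs two probes non-interactively: the first shows whether bash executes the code appended to an environment-variable function definition (the post's second command), and the second (the post's third command) runs in a scratch directory and looks for the file named echo that a vulnerable bash writes there. It returns 0 when the host is vulnerable, 1 when it is patched, and 2 when bash is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): Shellshock self-check with a
# clear exit status, suitable for a cron job or a configuration audit.
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "bash is not installed; nothing to check"
    return 2
  fi
  status=1   # assume patched until a probe proves otherwise

  # Probe 1: code placed after a function body in an environment variable
  # must not run. A patched bash only prints "probe".
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "VULNERABLE: bash runs code appended to an exported function"; status=0 ;;
    *)            echo "ok: trailing code in exported functions is ignored" ;;
  esac

  # Probe 2: the parser bug turns "echo date" into a redirection that writes
  # the date into a file named "echo", so run it in a scratch directory and
  # check whether that file appeared. A patched bash just prints "date".
  tmp=$(mktemp -d) || return 2
  ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
  if [ -f "$tmp/echo" ]; then
    echo "VULNERABLE: the parser bug wrote $(cat "$tmp/echo") into a file"
    status=0
  else
    echo "ok: the parser bug did not trigger"
  fi
  rm -rf "$tmp"

  if [ "$status" -eq 0 ]; then
    echo "Run: sudo apt-get update; sudo apt-get upgrade"
  fi
  return $status
}

# Usage: shellshock_check; echo "exit status: $?"
```

The exit status is the point of the wrapper: 0 means bash is still vulnerable and the apt upgrade from the post is needed, so the function can be dropped into a monitoring script that alerts on a zero return.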

Don't be fooled by phone companies when you go out

Nowadays it is really simple, and cheap, to travel outside your country and be abroad in just a couple of hours. I think almost everybody reading this post has thought at least once “What will we do with our mobile when we arrive in …?” Of course, mobile companies give you the chance to use “roaming services”, so you don’t lose your phone number while you are abroad and you can stay in touch.. the problem is when you begin making or receiving calls!! Yes, when you make a call using roaming you pay an extra cost, usually the cost of an international call, but the same happens when you receive a call!! Amazing, isn’t it? Really… if you are in Germany but your SIM card is from the UK and you get a call from the UK, you pay an extra cost, even for SMS messages…

But the “extra cost” doesn’t stop there. What about Internet? Wow! If you feel extremely generous you can activate data and, in some situations, pay 1€ per 1MB… so if you receive an e-mail with a 3MB photo inside you are paying 3€…. errmm…. yes, you are right, it’s reeeeeeeeealllly expensive.

After two trips to the UK I investigated how much money I would have to invest in a SIM card for my “one week stay” and I was really surprised: it was much cheaper to buy a SIM card for one week than to use roaming services. The only problem: you lose your number while you are in the destination country, but.. what the hell!! You can still use WhatsApp, email, Skype, Viber…. are you sure you are disconnected? What I did was the following…

  • Unlocking Service: 13€
  • SIM card with Internet: 15 GBP (18€), but there are some from 10€
  • Skype Direct Spanish Number: 5€

So .. why a Skype Direct Spanish Number? Because with it I can give a telephone number to my Spanish contacts, so they can still call me when I am abroad. The only thing is that I receive the call through Skype, but if you have Wifi or a decent 3G signal it won’t be a problem. So I’ve invested 36€, but on my next trip I’ll only need a 15GBP top-up for a one week stay….

What would have happened if I had used the roaming services instead of this?

  • Making a call with my current company: add 0.36€ per minute to what I pay for a call
  • Receiving a call: 0.11€ per minute.
  • Internet: 10€ per 10Mb, in blocks of 10Mb.

I used about 50Mb of data this week…. so without even counting the calls I would have spent 50€ just on Internet, versus the 36€ I paid for everything.

Without doubt I have saved money!!!


Life is easier with TinyMCE

As you all probably know I work as a System Administrator at a company that has a newspaper. Several months ago somebody asked something like: “When will we have a way to put bold, italic and colours inside the articles on the web?” I knew there were libraries and plugins to do that, but until today I didn’t have the time for such experiments… However, the day has arrived..

After “webbing” a little I found a couple of “wysiwyg html editors” to put inside an HTML/PHP document, but nothing that made me say “WOWWW!!” until I found TinyMCE… yes, I said “WOOW!”, not because it’s great but because it’s tiny!!! Yes, as its own name says, this little, tiny, ridiculous library lets you convert an HTML textarea into a full word processor… What do you need? JavaScript!! Nothing more.. so let’s activate some “boxes” with editors inside…

First of all, go to www.tinymce.com and download the package. As you can see there are several versions, even one which works fine on top of jQuery, but that is not our case. Unpack the archive and upload the content of the tinymce directory inside your web folder. After that create an html document and put this inside it…

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "https://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" dir="ltr">
<head>
  <title>TinyMCE Test</title>
  <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
  <!-- the library uploaded from the tinymce package -->
  <script type="text/javascript" src="tiny_mce/tiny_mce.js"></script>
  <script type="text/javascript">
    // turn every textarea in the page into an editor
    tinyMCE.init({
      mode : "textareas"
    });
  </script>
</head>
<body>
  <textarea name="content" cols="50" rows="15">This will be inside your box.</textarea>
</body>
</html>

Point your browser at the place where your document is saved and… yes! you’ll see a wonderful “textarea box” where you can put your text in bold and do many other things…

Downloading from FTP servers in Java

Some months ago I needed a program which did the following:

– Connects to an FTP host

– Check everything inside the remote folder

– Download all the files

– Delete all the files

– Wait a minute until the next connection

I found a very tiny program which did it, but it had a problem: it was always hanging and the information I had to receive was not properly updated, so I decided to write a program myself to do the same. The decision to use Java as the programming language was easy, but my Java skills were not as good as a year ago.

Luckily I found a great class called JvFTP (Yes! You have guessed: Java FTP) that works. After some tries this was the result:

import cz.dhl.io.*;
import cz.dhl.ftp.*;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public class FTPClass {
    public static final int BUFFER_SIZE = 10240;

    public static void ftpdownload(String host, String user, String pass) {
        /*
         * Creates the connection to the FTP server using the given parameters
         */
        FtpConnect cn = FtpConnect.newConnect("ftp://" + host);
        cn.setUserName(user);
        cn.setPassWord(pass);
        Ftp cl = new Ftp();

        try {
            /*
             * Connects to the host
             */
            cl.connect(cn);

            /*
             * Gets the current path
             */
            CoFile dir = new FtpFile(cl.pwd(), cl);

            /*
             * Gets the list of files inside the directory
             */
            CoFile fls[] = dir.listCoFiles();
            if (fls != null)
                for (int n = 0; n < fls.length; n++) {
                    /*
                     * Prints the name of the entry. If it's a directory it is discarded
                     */
                    System.out.println(
                        fls[n].getName() + (fls[n].isDirectory() ? "/" : ""));
                    if (fls[n].isDirectory())
                        continue;
                    String pathFile = fls[n].getName();
                    /*
                     * Creates the InputStream from the FTP connection
                     */
                    FtpFile file = new FtpFile(pathFile, cl);
                    InputStream in = file.getInputStream();
                    /*
                     * Creates the OutputStream to the file on the local disk
                     */
                    OutputStream out = new FileOutputStream(fls[n].getName());
                    byte[] buffer = new byte[BUFFER_SIZE];
                    /*
                     * Reads and writes until the remote file is exhausted
                     */
                    while (true) {
                        int k = in.read(buffer);
                        if (k < 0)
                            break;
                        out.write(buffer, 0, k);
                    }
                    in.close();
                    out.close();
                }

        } catch (IOException e) {
            System.out.println(e);
        } finally {
            /*
             * Disconnects from the server; this must always run
             */
            cl.disconnect();
        }
    }

    public static void main(String args[]) {
        ftpdownload("myhost", "myuser", "mypass");
    }
}

Microsoft and the updates… They did it again

I’ve spent all this week trying to get comfortable with Windows 2008 Server. Yes, I know this system came out 4 years ago, but until TODAY I hadn’t felt the need to change.

Anyway, the first steps have gone very well, perhaps better than I thought at the beginning. Windows 2008 is fast, really fast when you have multicore processors; the problem is the huge amount of memory it likes to eat. Yes, at least 4GB is more than recommended, especially if you are dealing with the 64 bit version, which is, in my honest opinion, the best choice you can make.

For my testing purposes I am using a brand new HP Proliant DL120 server. The installation took about 1 hour. After that I could install the Hyper-V role WITH NO PROBLEMS and run a virtual machine with Windows 2003, because there are still some programs we need which refuse to work in Windows 2008.

Everything went fine until I had to install the Service Pack and a lot of KB updates. After that, my “beloved” RDP service (Terminal Server), which I use to control the server remotely, stopped working… HOW? WHAT? Yes, after the reboot needed to complete the installation of the updates, RDP stopped working, and that is obviously a problem for a System Administrator like me, who likes to control everything from a desk and not have to walk to the room where all the servers are. Luckily I found the solution… and yes, as always, a mistake from Microsoft: KB2667402.

What happened is that this KB must never be installed before Service Pack 1, but the installer did exactly that: it installed the KB first and then the Service Pack. The solution is to uninstall the KB from the command line and then let Windows Update find it again. The command from a shell is:

wusa /uninstall /kb:2667402

Voila!!! The server will reboot and Terminal Server will work again.