LiteSpeed Technologies
LiteSpeed Support Forums > LiteSpeed Web Server > General > DDoS Question

#11  06-26-2009, 04:15 PM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)

Just a word of caution: the user agent can easily be spoofed; many botnets do this.
#12  06-28-2009, 07:20 PM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)

Sasha, good mod_security rules will help with a large percentage of what you are getting hit with and reduce the load on your server quite a bit. Due to the size of the forums you're running, you'd be better off with:

Static req/sec: 15
Dynamic req/sec: 5
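The per-client budgets above only help if you can see who is over them. The following is an added example written for this page, not code from LiteSpeed or from the poster: it reads combined-format access log lines, splits requests into static and dynamic by file extension (an assumption of the example; LSWS decides by handler), counts requests per client IP per second, and reports clients that exceed the 15 static / 5 dynamic limits suggested above. It deliberately never looks at the User-Agent, for the reason given in post #11, and the constructed sample traffic includes a flood that claims to be Googlebot. The IP addresses, paths and log lines are all constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Budgets from the post above: per client, per second.
STATIC_LIMIT = 15
DYNAMIC_LIMIT = 5
# What counts as static is an assumption of this example; adjust to the site.
STATIC_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico')


def is_static(path):
    """Rough stand-in for the server's static/dynamic split: classify by extension."""
    return path.split('?', 1)[0].lower().endswith(STATIC_EXT)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the timezone offset; one-second buckets are what req/sec limits act on.
    rec['second'] = rec['time'].split()[0]
    return rec


def counts_per_client_second(lines):
    """{(ip, second): {'static': n, 'dynamic': n}}; the User-Agent is deliberately ignored."""
    counts = defaultdict(lambda: {'static': 0, 'dynamic': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = 'static' if is_static(rec['path']) else 'dynamic'
        counts[(rec['ip'], rec['second'])][kind] += 1
    return counts


def offenders(lines, static_limit=STATIC_LIMIT, dynamic_limit=DYNAMIC_LIMIT):
    """IPs that exceeded either budget in at least one second -> (peak static, peak dynamic)."""
    peaks = {}
    for (ip, _second), c in counts_per_client_second(lines).items():
        if c['static'] > static_limit or c['dynamic'] > dynamic_limit:
            s, d = peaks.get(ip, (0, 0))
            peaks[ip] = (max(s, c['static']), max(d, c['dynamic']))
    return peaks


# --- Constructed sample log (not real traffic): three clients in the same second ---
def _line(ip, path, ua, stamp='30/Jun/2009:00:16:25 -0700'):
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (ip, stamp, path, ua)

SAMPLE_LOG = (
    # a flood of dynamic requests that claims to be Googlebot: the UA proves nothing
    [_line('203.0.113.7', '/forum/showthread.php?t=2982', 'Googlebot/2.1')] * 8
    # a normal visitor: one page plus its assets, under both budgets
    + [_line('198.51.100.4', '/forum/index.php', 'Mozilla/5.0')]
    + [_line('198.51.100.4', '/forum/images/%d.png' % n, 'Mozilla/5.0') for n in range(6)]
    # a static-file flood
    + [_line('192.0.2.9', '/forum/images/smilies/%d.gif' % n, 'Mozilla/5.0') for n in range(20)]
)

if __name__ == '__main__':
    for ip, (s, d) in sorted(offenders(SAMPLE_LOG).items()):
        print('%-15s peak static %2d/s  peak dynamic %2d/s' % (ip, s, d))
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the one-second buckets match how a req/sec limit is enforced, so a client that is quiet on average but bursts in a single second still shows up.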
#13  06-29-2009, 10:33 PM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

Thank you all for your responses. Ty Ant.

I have installed ClamAV and ModClamAV on my DA.

Also installed Mod Security2 and have put in the rules given by Ant on the other thread.

http://www.litespeedtech.com/support...ead.php?t=2982

When I restart httpd I get this error...
In LiteSpeed Administrator I get these in the Error Log..

Code:
2009-06-30 00:16:25.543	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: XML:/*
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_BODY
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_HEADERS:Content-Encoding
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: GLOBAL:alerted_960903_compression
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_STATUS
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: WEBSERVER_ERROR_LOG
2009-06-30 00:16:25.545	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: Transfer-Encoding)/'
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQBODY_PROCESSOR_ERROR
2009-06-30 00:16:25.546	ERROR	[[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_URI_RAW
UPDATED

Last edited by -KaaL-; 06-30-2009 at 12:19 AM.. Reason: fix some errors.. but some are still there..
#14  06-30-2009, 12:03 PM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)

Quote:
Originally Posted by -KaaL-
When I restart httpd I get this error... In LiteSpeed Administrator I get these in the Error Log.. [the "unknown server variable" log lines quoted from post #13 above]
I get some of the same errors, and I asked about them in an email to LS Support, and they responded that they don't mean anything, because if you wait a few minutes and refresh the page the errors are all gone. They are mod_security alerts, so technically you could go through the mod_security log and find out what is triggering it, but I never have and everything works fine.

Last edited by grniyce; 06-30-2009 at 12:05 PM..
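The suggestion in the post above, finding out which rules trigger those errors, can be done offline. Each error line names a variable the LSWS .htaccess parser did not recognise. The following is an added example written for this page, not code from the thread or from LiteSpeed: it collects those names from the log lines posted in #13 and matches them against the variable part of every SecRule in a rule file, joining backslash-continued lines, so the rules to drop or rewrite can be located by line number. The rule file in the block is constructed for the example and is not the rule set from the linked thread. One of the rejected "variables", Transfer-Encoding)/', is a fragment of a regex operator that the parser mis-tokenised; it matches no rule and is reported as unmatched.

```python
import re

# The error lines posted above (LSWS .htaccess parser rejecting ModSecurity variables).
ERROR_LOG = """\
2009-06-30 00:16:25.543 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: XML:/*
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_BODY
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_HEADERS:Content-Encoding
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: GLOBAL:alerted_960903_compression
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_PROTOCOL
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: RESPONSE_STATUS
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: WEBSERVER_ERROR_LOG
2009-06-30 00:16:25.545 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: Transfer-Encoding)/'
2009-06-30 00:16:25.546 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: REQBODY_PROCESSOR_ERROR
2009-06-30 00:16:25.546 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: REQUEST_URI_RAW
"""

# Constructed rule file for this example; NOT the rules from the linked thread.
RULES = r"""SecRule REQUEST_URI_RAW "\.\./" "deny,status:403,id:900001"
SecRule ARGS|ARGS_NAMES "(?i:union\s+select)" "deny,status:403,id:900002"
SecRule RESPONSE_BODY "@contains Fatal error" "phase:4,deny,id:900003"
SecRule REQUEST_HEADERS:User-Agent "^$" "deny,status:403,id:900004"
SecRule RESPONSE_HEADERS:Content-Encoding "!^identity$" \
    "phase:3,t:none,pass,nolog,setvar:global.alerted_960903_compression=1,id:900005"
SecRule GLOBAL:alerted_960903_compression "@eq 1" "phase:5,pass,id:900006"
"""

UNKNOWN_RE = re.compile(r'unknown server variable while parsing: (\S+)')


def unknown_variables(error_log):
    """Variable names LSWS rejected, verbatim (order kept, duplicates dropped)."""
    seen = []
    for m in UNKNOWN_RE.finditer(error_log):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def parse_rules(text):
    """(start_line, [variables], full_text) per SecRule, joining backslash-continued lines."""
    rules, buf, start = [], '', None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.lstrip().startswith('SecRule'):
                continue            # comments, SecAction, blank lines, etc.
            start = no
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        parts = buf.split(None, 2)  # SecRule VARIABLES OPERATOR [ACTIONS]
        if len(parts) >= 2:
            # '!' negates and '&' counts a collection; neither changes the variable name
            variables = [v.lstrip('!&') for v in parts[1].split('|')]
            rules.append((start, variables, buf.strip()))
        buf, start = '', None
    return rules


def offending_rules(error_log, rules_text):
    """Return (hits, unmatched): rules using a rejected variable, and rejected names
    that matched no rule (e.g. operator fragments the LSWS parser mis-read)."""
    unknown = set(unknown_variables(error_log))
    hits, matched = [], set()
    for start, variables, text in parse_rules(rules_text):
        bad = [v for v in variables if v in unknown]
        if bad:
            hits.append((start, bad, text))
            matched.update(bad)
    return hits, sorted(unknown - matched)


if __name__ == '__main__':
    hits, unmatched = offending_rules(ERROR_LOG, RULES)
    for start, bad, text in hits:
        print('line %d uses %s:\n    %s' % (start, ', '.join(bad), text))
    print('rejected names with no matching rule: %s' % ', '.join(unmatched))
```

Point RULES at the real rule file and ERROR_LOG at the server's error log; anything left in the unmatched list after that is either a parser artifact like the Transfer-Encoding fragment or a variable used somewhere other than a SecRule's variable list (for example inside setvar actions), which this simple matcher does not inspect.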
#15  06-30-2009, 12:08 PM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)

Another good tool to install and configure is MailScanner. You can protect yourself from the HTML:Iframe injections, and it works perfectly with ClamAV. Just configure everything, start it, and it scans incoming and outgoing mail for spam to protect your server from rogue spam scripts, as well as from people trying to use your server as a mail bomber / spammer / etc.

http://www.mailscanner.info/

Make sure you have all the php.ini disable_functions set in the default /usr/local/lib/php.ini.
Make sure you have safe mode CGI so CGI scripts CANNOT override the default php.ini permissions (as that is what the latest crackers are using to root boxes).

I have SuPHP, Suhosin, Safe Mode, Safe CGI Mode, mod_perl, mod_security, mod_bandwidth, and when setting up packages choose for users NOT to have CGI access unless you know that person and can trust them. It's what puts you at risk for more SQL injections and so forth.

I learned the hard way. Then, once all that is recompiled, build a matching PHP in LSWS.

Last edited by grniyce; 06-30-2009 at 12:14 PM..
#16  06-30-2009, 02:05 PM
anewday (Senior Member; Join Date: Nov 2007; Location: New York; Posts: 723)

Quote:
Originally Posted by grniyce
Make sure you have safe mode cgi so cgi scripts CANNOT override the default php.ini permissions (as that is what the latest crackers are using to root boxes)
How to do this?
#17  06-30-2009, 05:33 PM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)

I don't give anyone CGI access unless they request it for special reasons.

Note: A common misbelief is that VPSes already have CGI safe-moded, but in reality it depends upon the actual setup they have. Most can be circumvented and end up rooting the entire box, hence wiping out your VPS and the rest of the RAID storage, thus putting you at financial responsibility for the damage caused if it happens. You can Google 'safe mode cgi' and see the supply of workarounds.

Now as far as the protection part, well, I can only offer enough knowledge to show what I did, and I use WHM/cPanel. So here are the steps I took, which I assume should exist in other admin panels.

Click Basic cPanel/WHM Setup and scroll to the CGI Access option and put an n there instead of a y.

Now whenever you create any new packages the CGI Access option will be unselected automatically; however, if you have already created some packages, you should edit each package and unselect CGI Access.

Now when I built Apache I chose these options by doing the exhaustive list of options and selecting all of the below. You will see the option for Safe PHP CGI.

I have also attached my default build to this post, as you can use that too, but be prepared to make some Suhosin edits in the php.ini if you run certain content. Usually just having this pasted at the bottom of the php.ini once everything is built will solve any issues associated with running Suhosin in environments such as bulletin boards.

Code:
[suhosin]
suhosin.post.max_vars = 2048
suhosin.request.max_vars = 10000
suhosin.cookie.encrypt = Off
suhosin.session.encrypt = Off
suhosin.log.sapi = 511
suhosin.get.max_value_length = 1024
extension="ixed.5.2.lin"
Attached Files
File Type: zip _main.zip (1.5 KB, 3 views)

Last edited by grniyce; 06-30-2009 at 05:36 PM..
#18  06-30-2009, 06:08 PM
grniyce (Senior Member; Join Date: Jan 2009; Posts: 52)

Sasha, a few other things you should do are these:

In your /usr/local/lib/php.ini put these where it says disable_functions:

Code:
disable_functions = "fpassthru, crack_check, crack_closedict, crack_getlastmessage, crack_opendict, psockopen, php_ini_scanned_files, system, dl, ctrl_dir, phpini, tmp, safe_mode, systemroot, server_software, get_current_user, HTTP_HOST, php_uname, ini_restore, popen, pclose, exec, shell_exec, suExec, passthru, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_setegid, posix_seteuid, posix_setgid, posix_times, posix_ttyname, posix_uname, posix_access, posix_get_last_error, posix_mknod, posix_strerror, posix_initgroups, posix_setsid, posix_setuid, show_source, apache_setenv, define_syslog_variables, eval, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, inject_code, openlog, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, syslog, xmlrpc_entity_decode, ini_set"
Now in /etc/my.cnf (this is just mine, which is on a dual Xeon 3.0GHz with 4GB RAM). Raghav or whoever may need to tweak yours for your specific hardware, but even applying this if you have nothing in your my.cnf will help reduce load averages and (D)DoS effects.

Code:
[mysqld]
datadir=/var/lib/mysql
local-infile = 0
skip-locking
skip-innodb
skip-bdb
safe-show-database
max_connections = 800
key_buffer = 64M
myisam_sort_buffer_size = 64M
join_buffer_size = 1M
read_buffer_size = 2M
sort_buffer_size = 2M
read_rnd_buffer_size = 2M
table_cache = 1024
record_buffer = 1M
thread_cache_size = 128
wait_timeout = 30
connect_timeout = 10
interactive_timeout = 10
tmp_table_size = 64M
max_heap_table_size = 64M
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 64M
query_cache_type = 1
thread_concurrency = 4
default-storage-engine = MyISAM

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 100M

[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M
Also, in LSWS Admin / Configuration, change the Keep-Alive requests to something like 100 and make the timeout 3 seconds.

As for CSF, after many, many attempts to get the configuration set appropriately, I found these settings work best:

Config Server CSF Settings Word Document

Last edited by grniyce; 06-30-2009 at 06:11 PM..
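Posts #15 and #18 both lean on php.ini's disable_functions. A practitioner's caveat there: PHP looks each listed name up in its function table as written and silently ignores names it cannot find, so a misspelled entry (something like `hell-exec`), two names run together without a comma, or a word that is not a function at all (`tmp`, `HTTP_HOST`) disable nothing and produce no warning at startup; and `eval` is a language construct, which disable_functions cannot block at all. The following added example, written for this page and not code from the thread or from PHP, parses the directive and reports those cases plus any dangerous functions left enabled. The KNOWN_FUNCTIONS and SHOULD_DISABLE sets are small constructed subsets chosen for the demo, not PHP's full function table, and the php.ini excerpt is constructed.

```python
import re

# Constructed subset of real PHP function names; enough for this demo, not PHP's full table.
KNOWN_FUNCTIONS = {
    'exec', 'system', 'passthru', 'shell_exec', 'popen', 'pclose', 'proc_open', 'proc_close',
    'pcntl_exec', 'dl', 'show_source', 'highlight_file', 'ini_set', 'ini_alter', 'ini_restore',
    'php_uname', 'posix_setsid', 'posix_setuid', 'posix_kill', 'posix_mkfifo', 'fpassthru',
    'escapeshellcmd', 'escapeshellarg', 'symlink', 'link', 'apache_setenv', 'putenv',
}
# eval, include, require etc. are language constructs: disable_functions cannot turn them off.
LANGUAGE_CONSTRUCTS = {'eval', 'include', 'include_once', 'require', 'require_once', 'exit', 'die'}
# Functions a locked-down shared host would normally disable (assumption of this example).
SHOULD_DISABLE = {'exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open',
                  'pcntl_exec', 'dl', 'show_source', 'symlink'}

DIRECTIVE_RE = re.compile(r'^disable_functions\s*=\s*(.*)$')


def parse_disable_functions(ini_text):
    """Names listed in disable_functions; the last directive wins, as in php.ini itself."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):        # ';' starts a php.ini comment
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"\'')
    if not value:
        return []
    return [n.strip() for n in value.split(',') if n.strip()]


def split_merged(name):
    """'posix_setsidposix_setuid' -> ('posix_setsid', 'posix_setuid') when two known names were run together."""
    for head in KNOWN_FUNCTIONS:
        tail = name[len(head):]
        if name.startswith(head) and tail in KNOWN_FUNCTIONS:
            return (head, tail)
    return None


def audit(ini_text):
    """Report entries that do nothing and dangerous functions left enabled."""
    names = parse_disable_functions(ini_text)
    present = set(names)
    constructs = [n for n in names if n in LANGUAGE_CONSTRUCTS]
    unknown = [n for n in names if n not in KNOWN_FUNCTIONS and n not in LANGUAGE_CONSTRUCTS]
    return {
        'count': len(names),
        'constructs': constructs,                     # listed, but never disabled by PHP
        'unknown': unknown,                           # typos / non-functions: silently ignored
        'merged': {n: split_merged(n) for n in unknown if split_merged(n)},
        'missing': sorted(SHOULD_DISABLE - present),  # dangerous functions still callable
    }


# Constructed php.ini excerpt with the kinds of mistakes a long hand-maintained list picks up.
SAMPLE_INI = """\
; php.ini excerpt (constructed for this example)
safe_mode = Off
disable_functions = "exec, hell-exec, system, passthru, posix_setsidposix_setuid, tmp, eval, dl, popen"
"""

if __name__ == '__main__':
    for key, val in audit(SAMPLE_INI).items():
        print('%-10s %s' % (key, val))
```

To use it on a real server, read /usr/local/lib/php.ini (or whatever `php --ini` reports) into `ini_text`, and extend KNOWN_FUNCTIONS from `php -r 'print_r(get_defined_functions()["internal"]);'` on that same build so the check reflects the functions that PHP actually has.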
#19  06-30-2009, 11:01 PM
Cyber-DL (Member; Join Date: Jan 2009; Posts: 40)

Quote:
Originally Posted by -KaaL-
Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But I would just like to make sure it would be worth the price.

I am currently using the Trial Version..
Linux CentOS 32bit with DA

I just want to get the right settings..
I have followed most of the threads, including http://www.litespeedtech.com/how-tos.html#qa_dos

But I just didn't know how to mitigate attacks from different IPs.

I read the last point there about General Context, but I didn't understand that part..

I have posted an image of a log of an attack I experienced..

Thank you,
Arvind.

Wow KaaL, amazing log. I'm using DA; how can I access this log for my server?!
#20  06-30-2009, 11:57 PM
-KaaL- (Member; Join Date: Jun 2009; Posts: 26)

I have done all that has been said by Ant. Appreciate it.
But the Mod Security rules you posted on the other thread forbid members from posting a reply or a new thread... I think some settings have to be lowered..

Thank you again..

Quote:
Originally Posted by Cyber-DL
Wow KaaL, amazing log. I'm using DA; how can I access this log for my server?!
APACHE 1.x
http://httpd.apache.org/docs/1.3/mod/mod_status.html

APACHE 2.x
http://httpd.apache.org/docs/2.2/mod/mod_status.html
© Copyright 2003-2011 LiteSpeed Technologies, Inc. All rights reserved. Privacy Policy.