Friday, September 25, 2009

mod_security subversion conflict

SkyHi @ Friday, September 25, 2009
Trying to check out an SVN repository is answered with a '400 Bad Request':

Error: PROPFIND request failed on '/repos/myproject/!svn/vcc/default'
Error: PROPFIND of '/repos/myproject/!svn/vcc/default':
400 Bad Request (https://name.ofmyserver.com)


http://troublesdeath.blogspot.com/

mod_evasive

SkyHi @ Friday, September 25, 2009
On CentOS/Fedora:

yum install mod_evasive

Edit the configuration file /etc/httpd/conf.d/mod_evasive.conf and configure it as follows:

vi /etc/httpd/conf.d/mod_evasive.conf
DOSHashTableSize 3097
DOSPageCount 3
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSEmailNotify votreemail@votredomaine.com
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

DOSSystemCommand "/bin/echo %s >> /var/log/mod_evasive/dos_evasive.log && /bin/date >> /var/log/mod_evasive/dos_evasive.log"
DOSLogDir "/var/log/mod_evasive/"
DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
DOSWhiteList 66.249.67.*
DOSWhiteList 66.249.71.*
DOSWhiteList 66.249.66.*
DOSWhiteList 66.249.72.*
DOSWhiteList 66.249.65.*
DOSWhiteList 66.249.65.*
DOSWhiteList 66.249.66.*
DOSWhiteList 66.249.71.*

DOSPageCount: Maximum number of requests a source IP address may make for the same resource (same URL) within one time interval without being added to the blacklist.

DOSSiteCount: Maximum number of requests a source IP address may make to the same child process within one time interval without being added to the blacklist.

DOSPageInterval: The time interval referred to by the DOSPageCount directive (in seconds).

DOSSiteInterval: The time interval referred to by the DOSSiteCount directive (in seconds).

DOSBlockingPeriod: How long all requests from a blacklisted IP address are refused with a 403 error. There is no need to set a large value, since the IP stays blacklisted for as long as it keeps flooding.

DOSEmailNotify: Email address to notify when an IP is caught.

DOSSystemCommand: Command to execute. For example, block the address with iptables, add the IP address to the router's blacklist, log the IP...

DOSWhiteList: IP addresses that must never be blacklisted. It is a good idea to add the GoogleBot IP addresses.

Then create the log directory and set its ownership so that Apache can write to it:

mkdir /var/log/mod_evasive/
chown -R apache.apache /var/log/mod_evasive

It is not recommended to block IPs directly with iptables from mod_evasive, because in that case the apache user has to be allowed to run iptables, and that becomes very dangerous in terms of security.

Still, for those who want to do it, edit the file /etc/sudoers and add the line: apache ALL=NOPASSWD:/sbin/iptables (the bothersome part is precisely the NOPASSWD......)

Reference: http://blog.apyka.com/index.php/tag/flood/

regrex ip address pattern match

SkyHi @ Friday, September 25, 2009

#!/bin/sh
# Match a dotted-quad IPv4 address whose octets are 0-255; the leading
# (^|[^.0-9]) and trailing ([^\.]|$) groups stop it from matching inside a
# longer dotted number such as 1.2.3.4.5.
masq='(^|[^.0-9])((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])([^\.]|$)'
# Keep only the lines of badip2.txt that contain such an address.
egrep "$masq" badip2.txt > badip3.txt
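The same octet grammar used from Python, as an added example that is not from the unix.com thread: it extracts every address from a line instead of only keeping the line, and it tightens the boundary test to lookarounds so that two addresses separated by one space are both found (the egrep form consumes the boundary character, which would hide the second one).

```python
# Added example (not from the referenced thread): extract IPv4 addresses with
# the octet grammar of the egrep pattern above, using lookarounds as the
# boundary test so adjacent addresses are all found.
import re

OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
IPV4 = re.compile(
    r"(?<![.0-9])"                        # not preceded by a digit or a dot
    r"((?:" + OCTET + r"\.){3}" + OCTET + r")"  # four octets, captured whole
    r"(?![.0-9])"                         # not followed by a digit or a dot
)
# Caveat shared with the egrep pattern: leading zeros (01.2.3.4) are accepted.


def extract_ips(text: str) -> list:
    """Return the IPv4 addresses found in text, in order of appearance."""
    return [m.group(1) for m in IPV4.finditer(text)]


def filter_lines(lines) -> list:
    """Equivalent of the egrep step: keep only lines that contain an address."""
    return [line for line in lines if IPV4.search(line)]


if __name__ == "__main__":
    # Constructed sample of the kind of messy input badip2.txt might hold.
    sample = [
        "blocked 10.0.0.1 and 192.168.1.254, not 256.1.1.1 or 1.2.3.4.5",
        "adjacent 203.0.113.9 198.51.100.2",
        "version 1.2.3 is not an address",
    ]
    for line in filter_lines(sample):
        print(extract_ips(line))
```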




Reference: http://www.unix.com/shell-programming-scripting/66386-problem-regexp-ip-adress-pattern.html

Thursday, September 24, 2009

How to monitor which domain burst CPU in Apache (Linux)

SkyHi @ Thursday, September 24, 2009
Thinking about monitoring the CPU usage of each domain running on the same server (virtual hosts), everybody would say the apache-status module is one of the best choices available (for free). Unfortunately, CPU usage seems confusing here. I expected CPU usage similar to the value shown by the top command. But the value shown here is the accumulated number of seconds that the worker thread has used the CPU, not a single snapshot like the top command shows.

A better solution is using apache-top (http://swik.net/apache-top). It's similar to the top command, but again the CPU usage displayed here is not what I want, as it's the same thing shown in apache-status. Any way out? To achieve what I want, I will show you a way (quick and dirty... and maybe silly) to use top and apache-top together. Surprisingly, it works fine. I finally found the domain which loads the CPU heavily.

Step 1: Install apache-top

Make sure that you have

* python 2.4
* Apache 2.0 webserver with mod_status and the ExtendedStatus directive activated. You will also need to be allowed to access it from your IP address.

Download apache-top from here
(See more detail in http://www.fr3nd.net/projects/apache-top/)

Step 2: Run both top and apache-top

$ top
$ ./apache-top.py -u

In this step you have to be quick enough to see the top screen, find the PID of the process loading the CPU heavily, and then look at the apache-top screen to see which domain is running on that particular PID. Not easy, huh... If you're not fast enough, the PID may already have changed.

Step 3: Sync both screens

In the top screen

* display only Apache's processes by pressing "u" and entering Apache's username (my server uses www-data)
* display only PID and %CPU by pressing "f" and then toggling fields via their field letters
* sort by PID by pressing "F" and then selecting the sort field via its field letter.

In the apache-top screen

* display all processes by pressing "a"
* sort by PID (to have the same sequence as the top screen) by pressing "P"

Then move the windows to align both screens side by side.

For now, I can see PIDs 31610 and 31601, which belong to xxx.com (hidden), loading the CPU heavily.

By PHUPHA.

Reference: http://www.abzolutetech.com/wordpress/2009/04/how-to-monitor-which-domain-load-cpu-in-apache-linux/68.html

linux top

SkyHi @ Thursday, September 24, 2009
[root@home]# top -c
12:21:51 up 19 min, 1 user, load average: 0.01, 0.03, 0.04
69 processes: 68 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: 2.5% user 0.9% system 0.0% nice 0.0% iowait 96.4% idle
Mem: 904396k av, 256240k used, 648156k free, 0k shrd, 14196k buff
45880k active, 188816k inactive
Swap: 1020116k av, 0k used, 1020116k free 147884k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2175 root 0 0 9232 9232 9020 S 0.9 1.0 0:15 0 /usr/local/apache/bin/httpd
1 root 8 0 504 504 456 S 0.0 0.0 0:04 0 init [3]
2 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 keventd
3 root 19 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd_CPU0
4 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 kswapd
5 root 9 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush




The top 10 CPU-monopolizing processes are better listed by sorting on a numeric key:


ps -eo pcpu,pid,user,args | sort -k 1 -r -n | head -10

Wednesday, September 23, 2009

linux memory infomation

SkyHi @ Wednesday, September 23, 2009
[home]# dmidecode
# dmidecode 2.7
SMBIOS 2.31 present.
57 structures occupying 2076 bytes.
Table at 0x000EF7D0.

Handle 0x0000, DMI type 0, 20 bytes.
BIOS Information
Vendor: IBM
Version: 2AKT48AUS
Release Date: 01/18/2005
Address: 0xE4540
Runtime Size: 113344 bytes
ROM Size: 512 kB
Characteristics:
PCI is supported
PNP is supported
APM is supported
BIOS is upgradeable
BIOS shadowing is allowed
ESCD support is available
Boot from CD is supported
EDD is supported
ACPI is supported
USB legacy is supported
AGP is supported
LS-120 boot is supported
Smart battery is supported
BIOS boot specification is supported

Handle 0x0001, DMI type 1, 25 bytes.
System Information
Manufacturer: IBM
Product Name: 8187WHA
Version: Not Specified
Serial Number: KCRA3YX
UUID: 1A89BEAD-5181-3409-AED7-587B543F988D
Wake-up Type: Power Switch

Handle 0x0002, DMI type 2, 8 bytes.
Base Board Information
Manufacturer: IBM
Product Name: IBM
Version: Not Specified
Serial Number: Not Specified

Handle 0x0003, DMI type 3, 17 bytes.
Chassis Information
Manufacturer: IBM
Type: Desktop
Lock: Not Present
Version: Not Specified
Serial Number: Not Specified
Asset Tag: .........................
Boot-up State: Safe
Power Supply State: Safe
Thermal State: Safe
Security Status: None
OEM Information: 0x00000000

Handle 0x0004, DMI type 4, 35 bytes.
Processor Information
Socket Designation: WMT478/NWD
Type: Central Processor
Family: Unknown
Manufacturer: GenuineIntel
ID: 41 0F 00 00 FF FB EB BF
Version: Intel(R) Pentium(R) 4 CPU 2.80GHz
Voltage: 1.8 V
External Clock: 133 MHz
Max Speed: 3400 MHz
Current Speed: 2800 MHz
Status: Populated, Enabled
Upgrade: Socket 478
L1 Cache Handle: 0x0005
L2 Cache Handle: 0x0006
L3 Cache Handle: Not Provided
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified

Handle 0x0005, DMI type 7, 19 bytes.
Cache Information
Socket Designation: L1 Cache
Configuration: Enabled, Socketed, Level 1
Operational Mode: Write Back
Location: Internal
Installed Size: 0 KB
Maximum Size: 256 KB
Supported SRAM Types:
Burst
Pipeline Burst
Asynchronous
Installed SRAM Type: Asynchronous
Speed: Unknown
Error Correction Type: Unknown
System Type: Data
Associativity: Unknown

Handle 0x0006, DMI type 7, 19 bytes.
Cache Information
Socket Designation: L2 Cache
Configuration: Enabled, Socketed, Level 2
Operational Mode: Write Back
Location: Internal
Installed Size: 1024 KB
Maximum Size: 512 KB
Supported SRAM Types:
Burst
Pipeline Burst
Asynchronous
Installed SRAM Type: Burst
Speed: Unknown
Error Correction Type: Unknown
System Type: Unknown
Associativity: Unknown

Handle 0x0007, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: J6
Internal Connector Type: 9 Pin Dual Inline (pin 10 cut)
External Reference Designator: COM 1
External Connector Type: DB-9 male
Port Type: Serial Port 16550A Compatible

Handle 0x0008, DMI type 126, 9 bytes.
Inactive

Handle 0x0009, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: J20
Internal Connector Type: 25 Pin Dual Inline (pin 26 cut)
External Reference Designator: Parallel
External Connector Type: DB-25 female
Port Type: Parallel Port ECP/EPP

Handle 0x000A, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: J1M1
Internal Connector Type: None
External Reference Designator: Keyboard
External Connector Type: Circular DIN-8 male
Port Type: Keyboard Port

Handle 0x000B, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: J1M1
Internal Connector Type: None
External Reference Designator: PS/2 Mouse
External Connector Type: Circular DIN-8 male
Port Type: Keyboard Port

Handle 0x000C, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 4REARUSB/BOT
Internal Connector Type: None
External Reference Designator: USB 1
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x000D, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 4REARUSB/MIDL
Internal Connector Type: None
External Reference Designator: USB 2
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x000E, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 4REARUSB/MIDH
Internal Connector Type: None
External Reference Designator: USB 3
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x000F, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 4REARUSB/TOP
Internal Connector Type: None
External Reference Designator: USB 4
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x0010, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 2REARUSB/BOT
Internal Connector Type: None
External Reference Designator: USB 5
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x0011, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: 2REARUSB/TOP
Internal Connector Type: None
External Reference Designator: USB 6
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x0012, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: FRONTUSB/BOT
Internal Connector Type: None
External Reference Designator: USB 7
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x0013, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: FRONTUSB/TOP
Internal Connector Type: None
External Reference Designator: USB 8
External Connector Type: Access Bus (USB)
Port Type: USB

Handle 0x0014, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: Not Specified
Internal Connector Type: None
External Reference Designator: Audio Line In
External Connector Type: Mini Jack (headphones)
Port Type: Audio Port

Handle 0x0015, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: Not Specified
Internal Connector Type: None
External Reference Designator: Audio Line Out
External Connector Type: Mini Jack (headphones)
Port Type: Audio Port

Handle 0x0016, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: Not Specified
Internal Connector Type: None
External Reference Designator: Microphone
External Connector Type: Mini Jack (headphones)
Port Type: Audio Port

Handle 0x0017, DMI type 8, 9 bytes.
Port Connector Information
Internal Reference Designator: J12
Internal Connector Type: None
External Reference Designator: Network
External Connector Type: RJ-45
Port Type: Network Port

Handle 0x0018, DMI type 9, 13 bytes.
System Slot Information
Designation: AGP
Type: 32-bit AGP
Current Usage: Available
Length: Long
ID: 10
Characteristics:
3.3 V is provided

Handle 0x0019, DMI type 9, 13 bytes.
System Slot Information
Designation: PCI Slot #1 - J1001I
Type: 32-bit PCI
Current Usage: Available
Length: Long
ID: 1
Characteristics:
3.3 V is provided

Handle 0x001A, DMI type 9, 13 bytes.
System Slot Information
Designation: PCI Slot #2 - J901I
Type: 32-bit PCI
Current Usage: Available
Length: Long
ID: 2
Characteristics:
3.3 V is provided

Handle 0x001B, DMI type 9, 13 bytes.
System Slot Information
Designation: PCI Slot #3 - J901I
Type: 32-bit PCI
Current Usage: Available
Length: Long
ID: 3
Characteristics:
3.3 V is provided

Handle 0x001C, DMI type 10, 6 bytes.
On Board Device Information
Type: Other
Status: Disabled
Description: IBM Embedded Security Hardware Type 0

Handle 0x001D, DMI type 10, 6 bytes.
On Board Device Information
Type: Sound
Status: Enabled
Description: AD1981

Handle 0x001E, DMI type 11, 5 bytes.
OEM Strings
String 1: BB:2A48A

Handle 0x001F, DMI type 12, 5 bytes.
System Configuration Options
Option 1: JP 7: 1-2 Normal, 2-3 Clear CMOS/Boot Block Recovery

Handle 0x0020, DMI type 13, 22 bytes.
BIOS Language Information
Installable Languages: 1
enUS
Currently Installed Language: enUS

Handle 0x0021, DMI type 15, 29 bytes.
System Event Log
Area Length: 112 bytes
Header Start Offset: 0x0000
Header Length: 16 bytes
Data Start Offset: 0x0010
Access Method: General-purpose non-volatile data functions
Access Address: 0x0000
Status: Valid, Not Full
Change Token: 0x00000008
Header Format: Type 1
Supported Log Type Descriptors: 3
Descriptor 1: POST error
Data Format 1: POST results bitmap
Descriptor 2: Single-bit ECC memory error
Data Format 2: Multiple-event
Descriptor 3: Multi-bit ECC memory error
Data Format 3: Multiple-event

Handle 0x0022, DMI type 16, 15 bytes.
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: None
Maximum Capacity: 4 GB
Error Information Handle: Not Provided
Number Of Devices: 4

Handle 0x0023, DMI type 17, 27 bytes.
Memory Device
Array Handle: 0x0022
Error Information Handle: No Error
Total Width: 64 bits
Data Width: 64 bits
Size: 512 MB
Form Factor: DIMM
Set: 1
Locator: J4
Bank Locator: CH_A_DIMM0
Type: DDR
Type Detail: Synchronous
Speed: Unknown
Manufacturer: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified

Handle 0x0024, DMI type 17, 27 bytes.
Memory Device
Array Handle: 0x0022
Error Information Handle: No Error
Total Width: Unknown
Data Width: Unknown
Size: No Module Installed
Form Factor: DIMM
Set: 1
Locator: J5
Bank Locator: CH_A_DIMM1
Type: DDR
Type Detail: Synchronous
Speed: Unknown
Manufacturer: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified

Handle 0x0025, DMI type 17, 27 bytes.
Memory Device
Array Handle: 0x0022
Error Information Handle: No Error
Total Width: Unknown
Data Width: Unknown
Size: No Module Installed
Form Factor: DIMM
Set: 1
Locator: J15
Bank Locator: CH_B_DIMM0
Type: DDR
Type Detail: Synchronous
Speed: Unknown
Manufacturer: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified

Handle 0x0026, DMI type 17, 27 bytes.
Memory Device
Array Handle: 0x0022
Error Information Handle: No Error
Total Width: Unknown
Data Width: Unknown
Size: No Module Installed
Form Factor: DIMM
Set: 1
Locator: J16
Bank Locator: CH_B_DIMM1
Type: DDR
Type Detail: Synchronous
Speed: Unknown
Manufacturer: Not Specified
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified

Handle 0x0027, DMI type 19, 15 bytes.
Memory Array Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0001FFFFFFF
Range Size: 512 MB
Physical Array Handle: 0x0022
Partition Width: 0

Handle 0x0028, DMI type 20, 19 bytes.
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0001FFFFFFF
Range Size: 512 MB
Physical Device Handle: 0x0023
Memory Array Mapped Address Handle: 0x0027
Partition Row Position: Unknown
Interleave Position: Unknown
Interleaved Data Depth: Unknown

Handle 0x0029, DMI type 20, 19 bytes.
Memory Device Mapped Address
Starting Address: 0x0001FFFFC00
Ending Address: 0x0001FFFFFFF
Range Size: 1 kB
Physical Device Handle: 0x0024
Memory Array Mapped Address Handle: 0x0027
Partition Row Position: Unknown
Interleave Position: Unknown
Interleaved Data Depth: Unknown

Handle 0x002A, DMI type 20, 19 bytes.
Memory Device Mapped Address
Starting Address: 0x0001FFFFC00
Ending Address: 0x0001FFFFFFF
Range Size: 1 kB
Physical Device Handle: 0x0025
Memory Array Mapped Address Handle: 0x0027
Partition Row Position: Unknown
Interleave Position: Unknown
Interleaved Data Depth: Unknown

Handle 0x002B, DMI type 20, 19 bytes.
Memory Device Mapped Address
Starting Address: 0x0001FFFFC00
Ending Address: 0x0001FFFFFFF
Range Size: 1 kB
Physical Device Handle: 0x0026
Memory Array Mapped Address Handle: 0x0027
Partition Row Position: Unknown
Interleave Position: Unknown
Interleaved Data Depth: Unknown

Handle 0x002C, DMI type 23, 13 bytes.
System Reset
Status: Enabled
Watchdog Timer: Present
Boot Option: Do Not Reboot
Boot Option On Limit: Do Not Reboot
Reset Count: Unknown
Reset Limit: Unknown
Timer Interval: Unknown
Timeout: Unknown

Handle 0x002D, DMI type 24, 5 bytes.
Hardware Security
Power-On Password Status: Disabled
Keyboard Password Status: Enabled
Administrator Password Status: Disabled
Front Panel Reset Status: Not Implemented

Handle 0x002E, DMI type 25, 9 bytes.
System Power Controls
Next Scheduled Power-on: 12-31 23:59:59

Handle 0x002F, DMI type 26, 20 bytes.
Voltage Probe
Description: Voltage Probe
Location: Processor
Status: OK
Maximum Value: Unknown
Minimum Value: Unknown
Resolution: Unknown
Tolerance: Unknown
Accuracy: Unknown
OEM-specific Information: 0x00000000

Handle 0x0030, DMI type 27, 12 bytes.
Cooling Device
Temperature Probe Handle: 0x0031
Type: Fan
Status: OK
OEM-specific Information: 0x00000000

Handle 0x0031, DMI type 28, 20 bytes.
Temperature Probe
Description: Temperature Probe
Location: Processor
Status: OK
Maximum Value: Unknown
Minimum Value Unknown
Resolution: Unknown
Tolerance: Unknown
Accuracy: Unknown
OEM-specific Information: 0x00000000

Handle 0x0032, DMI type 29, 20 bytes.
Electrical Current Probe
Description: Electrical Current Probe
Location: Processor
Status: OK
Maximum Value: Unknown
Minimum Value: Unknown
Resolution: Unknown
Tolerance: Unknown
Accuracy: Unknown
OEM-specific Information: 0x00000000

Handle 0x0033, DMI type 30, 6 bytes.
Out-of-band Remote Access
Manufacturer Name: Intel
Inbound Connection: Enabled
Outbound Connection: Disabled

Handle 0x0034, DMI type 32, 20 bytes.
System Boot Information
Status:

Handle 0x0035, DMI type 126, 5 bytes.
Inactive

Handle 0x0036, DMI type 126, 4 bytes.
Inactive

Handle 0x0037, DMI type 127, 4 bytes.
End Of Table

Handle 0x0038, DMI type 127, 4 bytes.
End Of Table


[home]#lshw
*-memory
description: System Memory
physical id: 1000
slot: System board or motherboard
size: 768MB
capacity: 1GB
*-bank:0
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
physical id: 0
slot: DIMM_A
size: 512MB
width: 64 bits
clock: 266MHz (3.8ns)
*-bank:1
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
physical id: 1
slot: DIMM_B
size: 256MB
width: 64 bits
clock: 266MHz (3.8ns)

server kernel: __alloc_pages: 0-order allocation failed

SkyHi @ Wednesday, September 23, 2009
Jun 19 23:00:08 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
Jun 19 23:00:11 server kernel: __alloc_pages: 2-order allocation failed (gfp=0x1f0/0)
Jun 19 23:00:11 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
Jun 19 23:00:11 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1f0/0)
Jun 19 23:00:12 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
Jun 19 23:00:12 server kernel: __alloc_pages: 2-order allocation failed (gfp=0x1f0/0)
Jun 19 23:00:13 server syslogd: /var/log/messages: Cannot allocate memory
Jun 19 23:00:13 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1f0/0)
Jun 19 23:00:13 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
Jun 19 23:00:13 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1d2/0)
Jun 19 23:00:13 server kernel: VM: killing process fetchnews
Jun 19 23:00:15 server kernel: __alloc_pages: 0-order allocation failed (gfp=0x1f0/0)


VM = Virtual Memory. The kernel ran out of REAL and virtual memory, and
processes were still demanding more.

To survive this, the kernel goes into lifesaver mode and begins "reaping"
processes somewhat randomly in order to free memory so that it won't crash.
(I think the only process safe from reaping is probably init).

How to fix it?
1> Don't run more on your system than memory will allow.
2> find the software with the memory leak, kill it, and upgrade to a version
without that leak...
3> Buy more memory or add another swap partition.

Reference: http://aplawrence.com/Bofcusm/518.html

Mod_Security whitelist ip

SkyHi @ Wednesday, September 23, 2009
Mod_security white list:

You can also add a whitelist to this module. For this you need to add the following lines to modsecurity_crs_10_config.conf:



#Whitelist Apache logs


SecRule REMOTE_ADDR "^192\.2\.1\.1$" "phase:1,nolog,allow,ctl:ruleEngine=Off"




#SecResponseBodyLimit

You can increase SecResponseBodyLimit if you get a message like:

"ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified)".

Have a look into modsecurity_crs_10_config.conf file and modify on the last line the "524288" value to "2097152" :


SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2097152


Reference: http://www.starhost.ro/Linux-Tutorials/modsecurity-install.html


OR

Change 524288 to a larger value, or change the option 'SecResponseBodyAccess' to Off, save, and restart Apache:

apachectl restart


Reference: http://www.honyi.tw/hy-bb3/viewtopic.php?f=10&t=75

#cat modsecurity_crs_10_config.conf

# Set web server identification string
#
# TODO In case you use Apache, you may want specify a simple server signature
# instead of the detailed Apache default signature that list most modules
# used on the specific Apache deployment:
# "Apache/2.2.0 (Fedora)"
# For this directive to work, you need to set Apache ServerTokens
# to Full (this is the default option)
#SecServerSignature "Apache/2.2.0 (Fedora)"

vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
SecRequestBodyAccess On
#SecResponseBodyAccess Off
SecResponseBodyLimit 2097152

Tuesday, September 22, 2009

etc/shadow

SkyHi @ Tuesday, September 22, 2009
Because the /etc/passwd file must be world-readable (the main reason being that this file is used to perform the translation from UID to username), there is a risk involved in storing everyone's password in /etc/passwd. True, the passwords are encrypted. However, it is possible to perform attacks against passwords if the encrypted password is available.

If a copy of /etc/passwd can be obtained by an attacker, an attack that can be carried out in secret becomes possible. Instead of risking detection by having to attempt an actual login with every potential password generated by password-cracker, an attacker can use a password cracker in the following manner:

* A password-cracker generates potential passwords
* Each potential password is then encrypted using the same algorithm as the system
* The encrypted potential password is then compared against the encrypted passwords in /etc/passwd

The most dangerous aspect of this attack is that it can take place on a system far-removed from your organization. Because of this, the attacker can use the highest-performance hardware available, making it possible to go through massive numbers of passwords very quickly.

Therefore, the /etc/shadow file is readable only by the root user and contains password (and optional password aging information) for each user. As in the /etc/passwd file, each user's information is on a separate line. Each of these lines is a colon delimited list including the following information:

* Username — The name the user types when logging into the system. This allows the login application to retrieve the user's password (and related information).
* Encrypted password — The 13 to 24 character password. The password is encrypted using either the crypt(3) library function or the md5 hash algorithm. In this field, values other than a validly-formatted encrypted or hashed password are used to control user logins and to show the password status. For example, if the value is ! or *, the account is locked and the user is not allowed to log in. If the value is !! a password has never been set before (and the user, not having set a password, will not be able to log in).
* Date password last changed — The number of days since January 1, 1970 (also called the epoch) that the password was last changed. This information is used in conjunction with the password aging fields that follow.
* Number of days before password can be changed — The minimum number of days that must pass before the password can be changed.
* Number of days before a password change is required — The number of days that must pass before the password must be changed.
* Number of days warning before password change — The number of days before password expiration during which the user is warned of the impending expiration.
* Number of days before the account is disabled — The number of days after a password expires before the account will be disabled.
* Date since the account has been disabled — The date (stored as the number of days since the epoch) since the user account has been disabled.
* A reserved field — A field that is ignored in Red Hat Enterprise Linux.

Here is an example line from /etc/shadow:

juan:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:12825:0:90:5:30:13096:

This line shows the following information for user juan:

* The password was last changed February 11, 2005
* There is no minimum amount of time required before the password can be changed
* The password must be changed every 90 days
* The user will get a warning five days before the password must be changed
* The account will be disabled 30 days after the password expires if no login attempt is made
* The account will expire on November 9, 2005

For more information on the /etc/shadow file, see the shadow(5) man page.
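The field layout above, worked through in code as an added example (not from the Red Hat manual): a parser for /etc/shadow lines that splits the nine fields, converts the epoch-day values to dates (reproducing the February 11, 2005 and November 9, 2005 dates for user juan), and reports the account state implied by the special password values listed in the text.

```python
# Added example (not from the Red Hat manual quoted above): parse /etc/shadow
# lines into the nine fields described in the text, decode the epoch-day
# dates, and derive the account status from the password field.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)


def _days(field: str) -> Optional[date]:
    """Epoch-day field (days since 1970-01-01) -> date; empty field -> None."""
    return EPOCH + timedelta(days=int(field)) if field else None


def _int(field: str) -> Optional[int]:
    return int(field) if field else None


@dataclass
class ShadowEntry:
    username: str
    password: str
    last_change: Optional[date]    # date the password was last changed
    min_days: Optional[int]        # days before the password may be changed again
    max_days: Optional[int]        # days before a password change is required
    warn_days: Optional[int]       # days of warning before expiry
    inactive_days: Optional[int]   # days after expiry until the account is disabled
    expire: Optional[date]         # date the account is disabled
    reserved: str

    @property
    def status(self) -> str:
        """Account state encoded in the password field, as the text describes."""
        if self.password == "!!":
            return "password never set"
        if self.password.startswith(("!", "*")):
            return "locked"
        if self.password == "":
            return "no password"   # empty field: login needs no password
        return "active"

    @property
    def algorithm(self) -> str:
        if self.password.startswith("$1$"):
            return "md5"
        if len(self.password) == 13:
            return "crypt(3) DES"
        return "unknown"

    @property
    def must_change_by(self) -> Optional[date]:
        """Deadline for the next password change: last change + max days."""
        if self.last_change is None or self.max_days is None:
            return None
        return self.last_change + timedelta(days=self.max_days)


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(
        username=fields[0], password=fields[1],
        last_change=_days(fields[2]),
        min_days=_int(fields[3]), max_days=_int(fields[4]),
        warn_days=_int(fields[5]), inactive_days=_int(fields[6]),
        expire=_days(fields[7]), reserved=fields[8],
    )


if __name__ == "__main__":
    # The example line from the text, plus two constructed lines.
    for line in (
        "juan:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:12825:0:90:5:30:13096:",
        "svc:!!:12825::::::",
        "old:*:12825:0:99999:7:::",
    ):
        e = parse_shadow_line(line)
        print(e.username, e.status, e.algorithm, e.last_change, e.must_change_by, e.expire)
```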


Reference: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Introduction_To_System_Administration_/s3-acctsgrps-shadow.html

Monday, September 21, 2009

Centos clamav

SkyHi @ Monday, September 21, 2009
sudo rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm


sudo yum --enablerepo=rpmforge install clamd
Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
clamd i386 0.95.2-4.el5.rf rpmforge 213 k
Installing for dependencies:
clamav i386 0.95.2-4.el5.rf rpmforge 2.7 M
clamav-db i386 0.95.2-4.el5.rf rpmforge 21 M

Transaction Summary
=============================================================================
Install 3 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 24 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): clamd-0.95.2-4.el5 100% |=========================| 213 kB 00:01
(2/3): clamav-0.95.2-4.el 100% |=========================| 2.7 MB 00:04
(3/3): clamav-db-0.95.2-4 100% |=========================| 21 MB 00:26


sudo /sbin/chkconfig clamd on

sudo /sbin/service clamd start


sudo freshclam


0 2 * * * /usr/bin/freshclam --quiet
#0 3 * * * clamscan -r /var/www/html

Reference: http://d.hatena.ne.jp/littlebuddha/20080430/1209543993