vennedey.net

Generate exceptions for mod_security from log messages

On Fri, 14 Sep 2018 21:39:31 +0200 by Falco Nordmann

I recently helped a customer deploy a TYPO3 installation on an Apache web server running with mod_security2 enabled. Since the module blocked many of the application's requests, I needed to define a bunch of exceptions in the client's vHost configuration. To make this easier in the future I came up with this little piece of bash that generates the exceptions directly from the messages in the Apache error log.

root@webhost:~# grep ModSecurity /var/log/apache2/error.log \
    | grep -P '\[id "\d+"\]' | grep -P '\[uri ".*?"\]' \
    | grep -Po '\[id "\d+"\]|\[uri ".*?"\]' | cut -d'"' -f2 \
    | xargs -n2 echo | while read id url; do echo "$url|$id"; done | sort -u \
    | { last_url=""; while IFS='|' read url id; do
          [ -n "$last_url" ] && [ "$url" != "$last_url" ] && printf '\t</IfModule>\n</Location>\n'
          [ "$url" != "$last_url" ] && printf '<Location "%s">\n\t<IfModule mod_security2.c>\n' "$url"
          printf '\t\tSecRuleRemoveById %s\n' "$id"
          last_url="$url"
        done; printf '\t</IfModule>\n</Location>\n'; }

Running this produces one Location block for every URL the module blocked, containing an exception for each rule that was triggered there. The output can be included in the vHost configuration as is.

<Location "/typo3/ajax.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/alt_doc.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/mod.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/sysext/install/Start/Install.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 930120
                SecRuleRemoveById 942100
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>

Review the generated blocks before including them. The error log also contains requests that were blocked for good reason, and the script turns those rule hits into exceptions just the same, so check each rule id against the request that triggered it (the audit log shows the matched data) and drop anything that came from attack traffic rather than from the application. Where only a single parameter trips a rule, SecRuleUpdateTargetById with a negated target for that parameter is a narrower fix than removing the rule for the whole path. Note also that with OWASP CRS 3 the ids 949110 and 980130 appear in every block above: they are the anomaly-score blocking rule and the correlation rule, which log with the same uri as the detection rules but detect nothing themselves. Removing 949110 for a path switches blocking off for that path entirely, so leave those two ids out of the exceptions.
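The same idea as a small POSIX shell script, added here as an example and not the one-liner from this post: it reads the error log on stdin, pairs each message's rule id with its uri, de-duplicates, and prints the Location blocks. Unlike the one-liner it assumes OWASP CRS 3 is in use (the post does not say which rule set) and therefore never emits exceptions for 949110 and 980130. The log lines embedded in it are constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# Added example, not the original post's one-liner: build per-Location
# SecRuleRemoveById exceptions from ModSecurity 2 error-log lines on stdin.
# Assumption not made by the post: OWASP CRS 3.x is in use, so the ids of its
# blocking-evaluation rule (949110) and correlation rule (980130) are skipped.
# They log with the same [uri] as the detection rules but detect nothing, and
# removing 949110 for a path turns blocking off for that path entirely.
SKIP_IDS="949110 980130"

# Constructed sample of error_log lines (not a real capture): two XSS rules,
# the blocking rule and the correlation rule for /typo3/ajax.php, one
# duplicate hit, one LFI rule for the install tool, and one unrelated Apache
# error that must be ignored.
SAMPLE_LOG='[Fri Sep 14 21:39:31.104512 2018] [:error] [pid 4711:tid 139710364579584] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "36"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.com"] [uri "/typo3/ajax.php"] [unique_id "W5v3A3N@Ow8AABJnCvgAAAAC"]
[Fri Sep 14 21:39:31.104701 2018] [:error] [pid 4711:tid 139710364579584] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:data. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "146"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.com"] [uri "/typo3/ajax.php"] [unique_id "W5v3A3N@Ow8AABJnCvgAAAAC"]
[Fri Sep 14 21:39:31.104890 2018] [:error] [pid 4711:tid 139710364579584] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/typo3/ajax.php"] [unique_id "W5v3A3N@Ow8AABJnCvgAAAAC"]
[Fri Sep 14 21:39:31.105002 2018] [:error] [pid 4711:tid 139710364579584] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [hostname "www.example.com"] [uri "/typo3/ajax.php"] [unique_id "W5v3A3N@Ow8AABJnCvgAAAAC"]
[Fri Sep 14 21:41:08.330417 2018] [:error] [pid 4712:tid 139710364579584] [client 203.0.113.5:51240] [client 203.0.113.5] ModSecurity: Warning. Matched phrase "/etc/passwd" at ARGS:install[values][0]. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "96"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/typo3/sysext/install/Start/Install.php"] [unique_id "W5v3fHN@Ow8AABJoCxMAAAAD"]
[Fri Sep 14 21:41:09.001200 2018] [:error] [pid 4711:tid 139710364579584] [client 203.0.113.5:51241] [client 203.0.113.5] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "36"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.com"] [uri "/typo3/ajax.php"] [unique_id "W5v3fXN@Ow8AABJnCvkAAAAE"]
[Fri Sep 14 21:42:00.000000 2018] [core:error] [pid 4711:tid 139710364579584] [client 198.51.100.7:40022] AH00126: Invalid URI in request GET ../../ HTTP/1.1'

# extract_pairs: stdin = error log; stdout = unique "uri id" lines, one per
# ModSecurity message that carries both [id "..."] and [uri "..."]. A request
# URI cannot contain a space (it comes from the request line), so a space is
# a safe separator. Sorting groups the ids of one uri together.
extract_pairs() {
    grep 'ModSecurity' \
    | sed -n -E 's/.*\[id "([0-9]+)"\].*\[uri "([^"]*)"\].*/\2 \1/p' \
    | sort -u
}

# keep_rule ID: exit 0 unless ID is one of the rules listed in SKIP_IDS.
keep_rule() {
    case " $SKIP_IDS " in
        *" $1 "*) return 1 ;;
    esac
    return 0
}

# emit_config: stdin = sorted "uri id" lines; stdout = Apache Location blocks,
# one per uri, closing the previous block whenever the uri changes.
emit_config() {
    last_uri=""
    while read -r uri id; do
        keep_rule "$id" || continue
        if [ "$uri" != "$last_uri" ]; then
            [ -n "$last_uri" ] && printf '\t</IfModule>\n</Location>\n'
            printf '<Location "%s">\n\t<IfModule mod_security2.c>\n' "$uri"
            last_uri=$uri
        fi
        printf '\t\tSecRuleRemoveById %s\n' "$id"
    done
    [ -n "$last_uri" ] && printf '\t</IfModule>\n</Location>\n'
    return 0
}

# generate_exceptions: the full pipeline, for real use e.g.
#   generate_exceptions < /var/log/apache2/error.log > modsec-exceptions.conf
generate_exceptions() {
    extract_pairs | emit_config
}

# demo: run the pipeline over the constructed sample log.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | generate_exceptions
}

demo
```

On the sample this prints one block for /typo3/ajax.php with 941100 and 941160 and one for the install tool with 930120; the 949110 and 980130 hits and the duplicate line are dropped. Review the result exactly as described above before including it.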

Jailspaces update for Debian Stretch

On Fri, 24 Aug 2018 17:02:19 +0200 by Falco Nordmann

Today Jailspaces was upgraded, along with my article about chrooted php-fpm webspaces with nginx and all the small helper tools mentioned in it, to work on the current Debian release, stretch. Since some bugs have been fixed in Debian within the last two years, I could remove some ugly workarounds from the tools that were needed in the past to make everything work smoothly. The Docker image is no longer supported and was not upgraded, since it was used very rarely. I hope you enjoy the update.

I am in Berlin for the Nextcloud Conference over the next few days, so if you want to meet up, drop me an e-mail.

Build & install ceph-deploy RPM package on CentOS 7

On Tue, 03 Jan 2017 12:44:02 +0100 by Falco Nordmann

Over the last few weeks I have spent some time testing OpenStack and setting up an OpenStack cluster, using Ansible for deployment and configuration management. Now I would like to take a closer look at Ceph, since it can be used as a backend for Cinder, Glance and Swift. But when following the instructions for CentOS 7 as outlined in the docs and trying to install ceph-deploy from the repository, I ran into a dependency problem:

[root@host ~]# yum install ceph-deploy
...
Error: Package: ceph-deploy-1.5.36-0.noarch (ceph-noarch)
           Requires: python-distribute
           Available: python-setuptools-0.9.8-4.el7.noarch (base)
               python-distribute = 0.9.8-4.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Other people have had the same problem, and a patch is available. Since the patch came without any further instructions, I needed to figure out how to apply it. I used a fresh CentOS 7 Docker image to set up the build environment. This also works without Docker, but if you just need a quick throwaway environment it is a handy tool. Note that the patch is fetched over plain HTTP in the steps below, so read it before applying it.

root@workstation:~# docker run -it --name=ceph-deploy centos:7

[root@cc9153b3d205 /]# cd
[root@cc9153b3d205 ~]# yum install git python-virtualenv curl gnupg redhat-lsb-core createrepo which rpm-build rpm-sign epel-release
[root@cc9153b3d205 ~]# git clone https://github.com/ceph/ceph-deploy.git
[root@cc9153b3d205 ~]# cd ceph-deploy/
[root@cc9153b3d205 ceph-deploy]# ./bootstrap
[root@cc9153b3d205 ceph-deploy]# curl -L -O http://tracker.ceph.com/attachments/download/2389/ceph-deploy.spec.patch
[root@cc9153b3d205 ceph-deploy]# patch ceph-deploy.spec < ceph-deploy.spec.patch
[root@cc9153b3d205 ceph-deploy]# yum install python-mock python-tox pytest

The build script needs a local GnuPG key to sign the resulting RPM package. To generate a new one, run:

[root@cc9153b3d205 ceph-deploy]# gpg --gen-key

If your terminal is garbled after key generation (this happens inside Docker), run reset to restore it.

Now you need to find out the ID of the freshly generated key.

[root@cc9153b3d205 ceph-deploy]# gpg --list-keys

The ID is the 8-digit hex number on the pub line (the short key ID). Newer GnuPG versions print the full fingerprint instead; with those, use gpg --list-keys --keyid-format long. Once you have the ID, you are ready to build the package.

[root@cc9153b3d205 ceph-deploy]# export KEYID=8D42C98B; scripts/build-rpm.sh

The package can now be found at /root/ceph-deploy/rpmbuild/RPMS/noarch/ceph-deploy-1.5.36-0.noarch.rpm and installed on the target system using yum. The target does not know the key you just generated, so the install below skips the signature check; if the package travels further than your own machines, export the public key with gpg --armor --export, import it on the target with rpm --import and drop --nogpgcheck instead:

[root@host ~]# yum --nogpgcheck localinstall ceph-deploy-1.5.36-0.noarch.rpm

If you used Docker to set up the build environment, exit the container and remove it:

[root@cc9153b3d205 ~]# exit
root@workstation:~# docker rm ceph-deploy

Virtualmin: Break sharing SSL certificates

On Mon, 19 Dec 2016 19:31:54 +0100 by Falco Nordmann

I recently ran into a problem trying to activate https for some virtual servers in Virtualmin. After enabling SSL for the virtual server foo.bar.example.com and clicking Manage SSL Certificate, I got the message

This virtual server shares its SSL certificate with baz.example.com, so it cannot be edited on this page. Use its Manage SSL Certificate page to change SSL settings.

Since baz.example.com has a wildcard certificate for *.example.com, Virtualmin apparently tries to be smart and reuses that certificate for foo.bar.example.com. That cannot work: a wildcard covers exactly one DNS label, so *.example.com matches baz.example.com but not foo.bar.example.com, and browsers will reject the certificate for the latter.
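To see the one-label rule in action, here is an added example (not part of the original post) that creates a throwaway self-signed certificate for *.example.com and runs OpenSSL's own hostname check against it, which is the same check an HTTPS client performs. It needs OpenSSL 1.1.1 or newer for -addext; the host names are the ones from this post and the certificate is generated on the fly.

```shell
#!/bin/sh
# Added example, not from the original post: demonstrate that a certificate
# for *.example.com is accepted for baz.example.com but rejected for
# foo.bar.example.com (two labels) and for example.com itself (zero labels).
# The certificate is a throwaway self-signed one created just for this run.

# make_wildcard_cert DIR: write DIR/key.pem and DIR/cert.pem for *.example.com.
# The name goes into the subjectAltName as well as the CN, because clients
# (and openssl -checkhost) use the SAN when one is present.
make_wildcard_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.example.com' \
        -addext 'subjectAltName=DNS:*.example.com' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_matches_host CERT HOST: exit 0 only if OpenSSL accepts HOST for CERT.
# openssl x509 -checkhost prints "Hostname X does match certificate" or
# "Hostname X does NOT match certificate" and exits 0 either way, so the
# verdict text is what has to be inspected.
cert_matches_host() {
    verdict=$(openssl x509 -noout -in "$1" -checkhost "$2")
    case "$verdict" in
        *" does match "*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: build the certificate in a temporary directory and report the
# verdict for the three names discussed in the post.
demo() {
    tmp=$(mktemp -d)
    make_wildcard_cert "$tmp"
    for host in baz.example.com foo.bar.example.com example.com; do
        if cert_matches_host "$tmp/cert.pem" "$host"; then
            printf '%-22s matches *.example.com\n' "$host"
        else
            printf '%-22s does NOT match *.example.com\n' "$host"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Running it prints a match only for baz.example.com. The same -checkhost call against the real certificate files Virtualmin is sharing is a quick way to confirm which virtual server can actually use them before editing the configuration by hand.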

To get around this and allow a separate SSL configuration for foo.bar.example.com, one needs to break the link between the two virtual servers' SSL configurations. To do so, first find the Virtualmin configuration file for the virtual server in question:

root@host:~# cd /etc/webmin/virtual-server/domains
root@host:/etc/webmin/virtual-server/domains# grep -rFx 'dom=foo.bar.example.com' .
./145382287315480:dom=foo.bar.example.com

Open the file and point the ssl_cert, ssl_key and ssl_chain directives to a location that belongs to this virtual server alone. Do not use a location served by the Apache web server, or the private key becomes downloadable!

/etc/webmin/virtual-server/domains/145382287315480
ssl_cert  = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.cert
ssl_key   = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.key
ssl_chain = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.ca

Now delete the ssl_same=… line from the file. This isolates the SSL configuration of this virtual server from the one of baz.example.com.

Save the file, then click Manage SSL Certificate again in Virtualmin. You can now change the SSL settings for this virtual server.