Creating your Own “Access Groups” In Linux

Posted by Nessa | Posted in Uncategorized | Posted on 22-05-2007

0

We started cracking down a bit on system binaries being executeable by end users on our shared hosting servers, which consisted of chmod-ing things like ‘wget’ to 700 so only root users have access. If you’re on shared host, it’s likely that you’ve encountered this kind of restriction before, and if you’re a server admin you probably know why this is necessary.

A typical scenario I’ve seen in many cases is some user’s crappity software gets exploited and executes the ‘wget’ command to download hacks and warez onto the server. I’ve also seen typical Linux functions be abused by hack processes because the access was not being controlled — it’s only safe to say that certain system binaries should be restricted to only trusted users….programs that I find particularly pervious to hacks are those like wget, lynx, scp, sh, and exec.

The issue with this (and the point of this article) is that if you suddenly disable these functions you’ll probably find yourself with a dozen complaints from your users who were using them. I’m all about fairness, so I’m not about to tell someone to rewrite their scripts because of a server-side change. Instead, I created a group on the server and added those users to be able to have access to what they needed, and chgroup-ed the binaries to that group.

I’ll use the wget example first. Say you have ‘user1‘ and ‘user2‘ that both need to be able to use wget, which is currently set to root:root 700. You’ll need to first create a file called ‘addtogroup.sh’ and insert this script:

#!/bin/bash
if [ $# -ge 2 ]; then
if [ $UID == 0 ]; then
egrep ^$1 /etc/group > /dev/null
if [ $? == 0 ]; then
GROUPNAME=$1
shift
while [ $# -gt 0 ]; do
CURRENT=$1
echo $GROUPNAME `groups $CURRENT` |sed 's/.*: //g' | sed 's/ /,/g' | usermod -G `cat -`,$GROUPNAME $CUR$
shift
done
else
echo "the group $1 does not exist."
fi
else
echo "you must be ROOT to run this script."
fi
else
echo "usage: $0 grp usr1 [usr2 ... usrN]"
fi

I know, I know, you’re probably asking why I dont use useradd +G or something like that. I tried, but in this case those commands are not appropriate. Anyways, go ahead and create your group:

root@vps [~]# groupadd wgetters

Now, simply run the script and add your users to that group:

root@vps[~]# sh addtogroup.sh wgetters user1 user2

Run id user1 to make sure that user was added to the group — you should see something like this:

uid=32010(user1) gid=32012(user1) groups=32012(user1),32014(wgetters)

Now if you chown the wget binary to root:wgetters / 750 , then only the users in that group can use wget, and their actual group identity would be unaffected.

It wouldn’t hurt mentioning that wget is often unnecessary, as many scripts can be run other ways:

php -q scriptname.php

perl scriptname.cgi

python scriptname.py

lynx http://website.com/somefile.php (assuming that you have lynx enabled)

Preventing DOS Attacks with mod_evasive

Posted by Nessa | Posted in Uncategorized | Posted on 18-03-2007

2

I recently had to deal with a guy whos VPS was constantly being hit by the same IPs over and over until the server crapped out and refused to do anything…it was royally a pain in the ass because I literally had about 10 seconds between starting up the server and having it crash again. Needless to say that those 10 seconds were spent stopping Apache to give me enough time to do a netstat -n and block the assholes who were flooding the server. I then decided to installed mod_evasive, which is a simple Apache module that monitors the amount of connections from one IP and blocks any that reach a set limit. Here’s how you do it via SSH:


wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive_1.10.1
/usr/local/apache/bin/apxs -cia mod_evasive.c

Once the module is compiled, restart Apache and add this to your httpd.conf:


<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

DOSHashTableSize – Size of the hash table. The greater this setting, the more memory is required – faster

DOSPageCount – Max number of requests for the same page within the ‘DOSPageInterval’ interval

DOSSiteCount – Max number of requests for a given site, uses the ‘DOSSiteInterval’ interval.

DOSPageInterval - Interval for the ‘DOSPageCount’ threshold in second intervals.

DOSSiteInterval- Interval for the ‘DOSSiteCount’ threshold in second intervals.

DOSBlockingPeriod – Blocking period in seconds if any of the thresholds are met. The user will recieve a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.

A good supplementary script to mod_evasive is ddos, which will send you an email whenever an IP is blocked for too many connections. It also works as a backup in case Apache gets too hammered with connections. All you have to do is:


wget http://www.inetbase.com/scripts/ddos/install.sh
perl install.sh

Now you just edit /usr/local/ddos/ddos.conf .

Installing Ruby on cPanel

Posted by Nessa | Posted in Uncategorized | Posted on 15-01-2007

12

Here’s how to install Ruby on Rails on a cPanel system:

Update: These instructions were modified for Ruby 1.8.6, since 1.8.5 is no longer available!

First install Ruby:

wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6.tar.gz
tar -xvzf ruby-1.8.6.tar.gz
cd ruby-1.8.6
./configure
make
make install

Now, install the Gems and Rails:

wget http://rubyforge.org/frs/download.php/11289/rubygems-0.9.0.tgz
tar -xvzf rubygems-0.9.0.tgz
cd rubygems-0.9.0
ruby setup.rb
gem install rails

Install Fast CGI

wget fastcgi.com/dist/fcgi-2.4.0.tar.gz
tar -xvzf fcgi-2.4.0.tar.gz
cd fcgi-2.4.0
./configure
make
make install

wget fastcgi.com/dist/mod_fastcgi-2.4.2.tar.gz
tar -xvzf mod_fastcgi-2.4.2.tar.gz
cd mod_fastcgi-2.4.2
/usr/local/apache/bin/apxs -o mod_fastcgi.so -c *.c
/usr/local/apache/bin/apxs -i -a -n fastcgi mod_fastcgi.so
gem install fcgi

Edit the Apache config file and add the fcgi module:

pico /usr/local/apache/conf/httpd.conf

LoadModule fastcgi_module libexec/mod_fastcgi.so
FastCgiIpcDir /tmp/fcgi_ipc/
AddHandler fastcgi-script .fcgi
< /IfModule>

Then restart Apache

Install RMagick and GetText:

wget http://umn.dl.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-1.1.7.tar.gz
tar -xvzf GraphicsMagick-1.1.7.tar.gz
cd GraphicsMagick-1.1.7
./configure
make
make install

Install MySQL for Ruby:

gem install mysql

Now make the test Installation. To do this, log in as your user (not root)

su user
cd ~
rails test
cd public_html
ln -s ../test/public/ rails
cd ../test/
chmod -Rf 777 tmp/
cd public
chmod 755 dispatch.fcgi
pico .htaccess

Now, find the line in the .htaccess that looks something like this:

RewriteRule ^(.*)$ dispatch.cgi [QSA,L]

And change “dispatch.cgi” to “dispatch.fcgi”

To see if you’ve installed everything properly, just browse to the Rails folder:

http://yourdomain.com/rails/