
Posts Tagged ‘security’

Apache Warns Web Server Admins of DoS Attack Tool

August 29th, 2011 Comments off

Apache, the most widely used web server software, has become the talking point.

It appears that a tool to DoS Apache is floating about. Developers of the Apache open-source project warned users of the Web server software last Wednesday that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.

The Apache project said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. All versions in the 1.3 and 2.0 lines are said to be vulnerable to attack. The group no longer supports the older Apache 1.3. ‘The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server,’ Apache said in an advisory. The bug is not new. Michal Zalewski, a security engineer who works for Google, pointed out that he had brought up the DoS exploitability of Apache more than four-and-a-half years ago. Until the fix is available, Apache offered steps administrators can take to defend their Web servers.

In the meantime:

Mitigation:
============

However, there are several immediate options to mitigate this issue until
a full fix is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.  CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such as complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short, it may break other headers,
such as sizeable cookies or security fields.

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.

See: http://httpd.apache.org/docs/2.2/mod…questfieldsize

3) Use mod_headers to completely disallow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients – such as those used for
e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

http://people.apache.org/~dirkx/mod_rangecnt.c

Precompiled binaries for some platforms are available at:

http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion – such as:

http://mail-archives.apache.org/mod_…
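To check how the two mitigation patterns above behave before deploying them, here is an added Python example (not from the advisory or the original post) that applies Option 1's SetEnvIf regex and Option 2's RewriteCond regex to constructed Range values, and counts client IPs in the optional range-CVE-2011-3192.log. It assumes Python's re module and Apache's PCRE agree on these particular patterns; the sample headers and log lines are constructed.

```python
import re
from collections import Counter

# Option 1 (SetEnvIf): matches when the Range value holds five or more
# commas, i.e. six or more range specs.
OPTION1_RE = re.compile(r"(,.*?){5,}")
# Option 2 (RewriteCond): the "!" in the config negates it, so a request is
# rejected when this does NOT match. It accepts one to five specs or an
# absent/empty header.
OPTION2_RE = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)")
# Common log format, as written by the advisory's optional CustomLog line.
COMMON_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')

def count_ranges(range_header: str) -> int:
    """Number of range specs in a Range header value ('' -> 0)."""
    _, _, specs = range_header.strip().partition("=")
    return sum(1 for spec in specs.split(",") if spec.strip())

def option1_drops_header(range_header: str) -> bool:
    """True when SetEnvIf sets bad-range=1 (Range unset, request still served)."""
    return OPTION1_RE.search(range_header) is not None

def option2_rejects_request(range_header: str) -> bool:
    """True when the negated RewriteCond fires and the request gets a 403."""
    return OPTION2_RE.search(range_header) is None

def top_offenders(log_lines, limit=3):
    """Client IPs with the most entries in range-CVE-2011-3192.log."""
    counts = Counter()
    for line in log_lines:
        match = COMMON_LOG_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts.most_common(limit)

# Constructed sample inputs, not captured traffic.
FIVE_RANGES = "bytes=" + ",".join(f"{i*10}-{i*10+9}" for i in range(5))
SIX_RANGES = "bytes=" + ",".join(f"{i*10}-{i*10+9}" for i in range(6))
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2011:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [29/Aug/2011:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Aug/2011:10:00:03 +0100] "GET /report.pdf HTTP/1.1" 206 1024',
]

if __name__ == "__main__":
    for header in ("", "bytes=0-99", FIVE_RANGES, SIX_RANGES):
        print(count_ranges(header), option1_drops_header(header),
              option2_rejects_request(header))
    print(top_offenders(SAMPLE_LOG))
```

Both options agree on the threshold: five ranges pass untouched, six trip the rule, and a missing Range header is never penalised.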


Blocking w00tw00t.at.ISC.SANS.DFind:)

September 13th, 2010 Comments off

Here’s a little how-to for dealing with “w00tw00t” scans on webservers. Laws Hosting already implements this procedure, but it’s nice to know.

You might see these scans in your logs as:

.. "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...

Using Iptables

The quickest method of making sure such a request never reaches your webserver (and thus never wastes resources such as CPU time or disk space for log files) is to use iptables, and it can be done with a one-liner like this:

iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to use this for a range of IPs (i.e., you’re using failover IPs to host web servers), simply replace the "-d xxx.xxx.xxx.xxx" portion with:

-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx

where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.

If you wish to have a fancier option, one where it will for example blacklist an IP for a certain period, etc., have a look at SpamCle@ner’s website.

They go deeper into this subject and have provided two scripts near the end of their article. Simply save one of these scripts in a file named, for example, /opt/blockw00t.sh and make it executable with:

chmod +x /opt/blockw00t.sh

You can run it manually by typing /opt/blockw00t.sh in the shell. To load it automatically at boot time, add it to your /etc/rc.local file, or on Debian/Ubuntu systems add it to your /etc/network/interfaces like so:

auto eth0
iface eth0 inet static
    [existing configuration that remains unaltered]
    # Load anti-w00t script:
    post-up /opt/blockw00t.sh

The Many Advantages of Linux Hosting

September 10th, 2010 Comments off

As you probably know, Laws Hosting is a Linux UK Web Hosting company. TheWHIR recently published an article entitled The Key Benefits of Linux Hosting. It’s kind of a lengthy article, so I thought we’d break down the main benefits into the short list found below. Voilà!

  • The most important feature of Linux hosting is its flexibility;
  • Cost effective;
  • Extensible;
  • Stability;
  • Takes less CPU power to operate functions;
  • Fast processing time.

Even if you don’t use Linux to run your desktop PC, you can certainly take advantage of Linux UK Web Hosting offered at Laws Hosting. The operating system that you use for your desktop PC should not impact your choice of web hosts. Linux web servers make hosting easy. The primary hosting tasks are almost identical for both Linux and Windows web servers, but the advantages found with Linux hosting are vast. Learn more about these advantages below.

A Brief Look at Linux

  • Linux is a free, UNIX-based operating system. Unix is a computer operating system that is powerful, designed for multitasking and built to be used by a number of people at once.
  • Linux is Open-Source. This pertains to a type of program whose source code is usually free and is readily available to anyone interested in using and/or working with the program.
  • The Linux operating system is specifically praised for its functionality, adaptability and robustness.

What Is Linux Hosting?

A simple explanation is “web hosting on a Linux-based server allowing developers to create their site within the Linux Operating System”. A Linux server enables web developers to use popular and powerful open-source programs like PHP, MySQL, PostgreSQL, Python, Ruby, SSH and many more to build their site.

Do I Need to Know How to Use Linux to Use Laws Hosting’s Servers?

No. A benefit of hosting your site at Laws Hosting is that you get to experience all of the advantages of Linux Hosting (explained below), but you don’t necessarily need to know how to use Linux thanks to the DirectAdmin control panel. All of our web hosting accounts are managed with this award-winning control panel. DirectAdmin makes web hosting account management a breeze even for those who are brand new to the Linux server hosting environment.

Main Advantages of Linux Hosting From Laws Hosting

Since a server’s operating system controls the basic, vital functions of the server, it is important to be aware of the advantages one will experience when choosing a Linux host.

  • In addition to the amazing hosting support that Laws Hosting customers receive from our staff, keep in mind that Linux has a huge, active network of helpful developers. Those hosting their sites in a Linux environment will have access to this invaluable support community. With such a large number of developers, Linux is a very progressive platform; new ideas emerge rapidly and more innovative work can be done within the community. The many advantages of Linux Hosting ultimately stem from this huge developer community.
  • A Linux host is perfect for those looking for a developer friendly environment. Laws Hosting offers our customers support for the open-source tools, like PHP and Perl scripting, that are needed to create their sites.
  • Linux hosting has a well earned reputation for stability and security. This can once again be attributed to the gigantic open-source community of developers, all of whom work tirelessly to find, patch and fix any bugs that are discovered.
  • Open Source software is generally free. This cost-effectiveness factor allows users to spend their available resources on activities like promoting their site or project instead of on costly software.
  • Those hosting their sites on the Linux platform experience faster page loads and better performance. The speed and performance of Linux can actually be attributed to another key benefit, its flexibility. Linux is flexible in the sense that it is highly suited for fine-tuned, task-specific system configurations. This gives system administrators the ability to configure Linux servers to perform at an optimal level.

Keep your phpMyAdmin installations up to date!

August 12th, 2010 Comments off

A phpMyAdmin exploit is doing the rounds and we have seen various blogs and hosts in panic; thankfully Laws Hosting wasn’t affected, as we take extra measures in the way we install phpMyAdmin on our servers.

What we heard is that the affected systems behaved completely normally, except that they were running SSH brute-force attacks against several randomly chosen remote servers. So what happened?

The attacker used a vulnerability in phpMyAdmin, which had once been installed, used once or twice, and then forgotten (version 2.10.xx or thereabouts). Sadly enough, whoever installed phpMyAdmin did not remove the setup.php file (which you are encouraged to do in the readme). This setup.php was the attacker’s starting point. He/she injected an SSH client running as root in /tmp/dd_ssh that started about 100 child processes.

The cleanup was as follows:

  • Removed phpMyAdmin
  • Removed all suspicious files in /tmp
  • Restarted the network interfaces
  • Changed all user passwords
  • Installed fail2ban
  • Changed /tmp to be non-executable

Suggestions for today:

  • Keep your phpMyAdmin up to date
  • Search for installations on all your servers NOW!
  • Do NOT install in a folder named “phpmyadmin”, “sqladmin” or similar. Use a non-guessable name.
  • Protect it at least with htaccess
  • Last but not least: if you can access your server via SSH, there’s no need for phpMyAdmin. Set up an SSH tunnel, use your favourite MySQL GUI, and bingo, you’re safe.

We advise our clients not to install their own phpMyAdmin on their domains, and to use the version we supply instead.


Creating Secure Passwords: Tips For Creating Strong Passwords You Can Remember

June 29th, 2010 Comments off

One of the problems we see with passwords is that users forget them. In an effort not to forget them, they use simple things like their dog’s name, their son’s first name and birthdate, the name of the current month, anything that will give them a clue to remember what their password is. This is very, very dangerous.

For the curious hacker who has somehow gained access to your computer system, this is the equivalent of locking your door and leaving the key under the doormat. Without even resorting to any specialised tools, a hacker can discover your basic personal information (name, children’s names, birthdate, pet names, etc.) and try all of those out as potential passwords.

To create a secure password that is easy for you to remember, follow these simple steps:

  1. Do not use personal information. You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet’s name, child’s birth date and other similar details.
  2. Do not use real words. There are tools available to help attackers guess your password. With today’s computing power, it doesn’t take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.
  3. Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as ‘&’ or ‘%’.
  4. Use a passphrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word. For example, rather than just having a password like ‘yr$1Hes’, you could take a sentence such as “I like to read about security” and convert it to a password like ‘!l2rAs’. By substituting the number ‘2’ for the word ‘to’ and using an exclamation point in place of the ‘I’, you can use a variety of character types and create a secure password that is hard to crack, but much easier for you to remember.
  5. Use a password management tool. Another way to store and remember passwords securely is to use some sort of password management tool. These tools maintain a list of usernames and passwords in encrypted form. Some will even automatically fill in the username and password information on sites and applications.

Using the tips above will help you create passwords that are more secure, but you should also follow these tips:

  • Use different passwords. You should use a different username & password for each login or application you are trying to protect. That way if one gets compromised the others are still safe. Another approach which is less secure, but provides a fair tradeoff between security and convenience, is to use one username and password for sites and applications that don’t need the extra security, but use unique usernames and more secure passwords on sites such as your bank or credit card companies.
  • Change your passwords. You should change your password at least every 30 to 60 days. You should also not re-use a password for at least a year.
  • Enforce stronger passwords: Rather than relying on every user of the computer to understand and follow the instructions above, you can configure Microsoft Windows password policies so that Windows will not accept passwords that don’t meet the minimum requirements.