Still no third party modules

Started by Gregg, September 01, 2010, 05:44:17 PM


Gregg

Well, after reading about a new type of PHP injection attack, one thing mentioned was that it was noticed because mod_security was in use and the admin actively looked over his logs. Now I will not say I could live with no other modules but I would like at least mod_security to work.

Now I do not expect version 2.5.x of mod_security to work but I was hoping just a little that 2.6, since it is still in development and has not been released yet might. It will have to be made to work with Apache 2.3 at some point. I am hoping it is not after 2.3 goes GA as 2.4.

Well, that is not the case. Like all the other modules it builds against 2.3 without problem, but when you load it and start Apache, Apache crashes hard and shows a crash in libapr-1.dll. I found that a little odd cause it compiles with and runs on 2.2 with the exact same apr version.

I wish my C was better and my understanding of some things, I'd try and track down the problem. It's in Apache and not APR but I can not find a nice little list that says

ap_this_function(bla,bla,bla) is now ap_that_function(bla,blu,bla,bla) of all the things changed. My lack of some understanding keeps me from seeing the smaller details like same function names but it is fed differently. I blame my college that I took C in for a whole year. Many things were not covered that I think should have been, though I am not claiming I haven't forgotten some of it. So I'm looking for a more advanced class at the colleges here. Problem is, most are online and I do not learn well that way. I need interaction with others, I learned that in college way back when.

mario

Did you try something different than mod_sec? Which one did you try?

Gregg

antiloris <- will load, Apache starts, crashes on first request.
limitipconn <- will not load
geoip <- will not load

Granted I have not tried in a while.

I think the biggest thing is the new error logging api
however, I have had to build fcgid each new alpha cause they keep changing the mmn numbers and even tho the module would work, the mmn mismatch keeps Apache from starting.

Things that drive me nuts.
Always get two of these at startup
[Fri Aug 27 11:07:30.108400 2010] [warn] [pid 5964:tid 284] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Aug 27 11:07:30.547400 2010] [warn] [pid 5964:tid 284] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Personally, the server KNOWS it is SNI compatible, that message should not appear, and even if it should, one is enough. 2.2 does this also tho.


Gregg

mod_macro 1.1.11 works!

For me this is good news since I have lots of little vhost that are pretty much same config but for server name & doc root. I was hoping when switching in the future to use mod_macro. Looks like I can start ahead of time. Good time to clean out config of abandoned things as well.

mario

I tried mod_log_rotate and it works fine :-) With and without the signature patch I made.

Gregg

Interesting, due to the other post I went and looked at mine, I see I had set one to be compiled against 2.3, don't think I had ever done it tho. But if it works, guess it can be added in next go. Just one more project to add in.

Gregg

toss one more on the list .... mod_antiloris/0.4.1 ... well needs to be tested but you cannot really launch a decent slowloris attack from a Win box, not enough connections.

http://httpd.apache.org/docs/trunk/developer/new_api_2_4.html

That page sucks! I saw a rather long complaint about it on the dev list today (still Sunday here ... for another hour)
It's nice of them to say "ap_get_scoreboard_worker is gratuitously made non-back-compatible as an alternative version is introduced." but really nothing else. So ok, it changed, to what? How?

Since Apache crashes on first request with mod_antiloris, I figured it had to be something major. I finally just assumed by that crappy doc that it might be the scoreboard. Search the module for ap_get_scoreboard_worker and what do you know, one call to it.

Cool, doesn't mean I'll figure it out but I started having a look through the Greek in scoreboard.c. Search out the declare for ap_get_scoreboard_worker, find it, yep, much different, but right above it is


AP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int x, int y)
{
    if (((x < 0) || (x >= server_limit)) ||
        ((y < 0) || (y >= thread_limit))) {
        return(NULL); /* Out of range */
    }
    return &ap_scoreboard_image->servers[x][y];
}


The call in mod_antiloris;
ws_record = ap_get_scoreboard_worker(i, j);

Hmmmm, look at that, now look at ap_get_scoreboard_worker in 2.2.17


AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y)
{
    if (((x < 0) || (server_limit < x)) ||
        ((y < 0) || (thread_limit < y))) {
        return(NULL); /* Out of range */
    }
    return &ap_scoreboard_image->servers[x][y];
}


Why couldn't they have just said it changed to ap_get_scoreboard_worker_from_indexes?
Looks pretty backward compatible to me since it's verbatim. Besides that, the new ap_get_scoreboard_worker turns around and calls ap_get_scoreboard_worker_from_indexes *smh*

So anyway, make that change, add the per-module logging stuff (which thankfully is explained well on that page), compile, start Apache and I'll be danged, it Works! and logs as it should.
[Sun Nov 28 23:27:34.900000 2010] [antiloris:notice] [pid 1544:tid 324] mod_antiloris 0.4.1 started

That will be nice when running both limitipconn and antiloris since they both have the same exact error message.

____ Edit ____

I was able to set off mod_antiloris somehow;
[Tue Nov 30 00:12:46.481000 2010] [antiloris:warn] [pid 5208:tid 992] Rejected, too many connections in READ state from ::1

A correction to above: mod_limitipconn's error message is very similar, but not exact.
mod_limitipconn has been ported, it was a little more involved but not much.
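
Added example (not part of the original post and not httpd source): the two range checks quoted in the post above, run side by side against a stand-in scoreboard to show which index pairs each one accepts. The array sizes, the assumption that the scoreboard holds exactly server_limit by thread_limit slots, and the helper names in_range_22, in_range_23, get_worker_checked and count_overreach are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the scoreboard; assumes exactly
 * SERVER_LIMIT x THREAD_LIMIT worker slots exist. */
#define SERVER_LIMIT 4
#define THREAD_LIMIT 8

typedef struct { int status; } worker_score;

static worker_score slots[SERVER_LIMIT][THREAD_LIMIT];
static int server_limit = SERVER_LIMIT;
static int thread_limit = THREAD_LIMIT;

/* Range test as quoted from 2.2.17: rejects only index > limit. */
static int in_range_22(int x, int y)
{
    return !(((x < 0) || (server_limit < x)) ||
             ((y < 0) || (thread_limit < y)));
}

/* Range test as quoted from the 2.3 _from_indexes function. */
static int in_range_23(int x, int y)
{
    return !(((x < 0) || (x >= server_limit)) ||
             ((y < 0) || (y >= thread_limit)));
}

/* Hypothetical module-side wrapper: only hand out a slot when the
 * stricter test accepts the indexes. */
static worker_score *get_worker_checked(int x, int y)
{
    return in_range_23(x, y) ? &slots[x][y] : NULL;
}

/* Count index pairs the 2.2 test accepts that lie outside the array. */
static int count_overreach(void)
{
    int n = 0;
    for (int x = -1; x <= server_limit + 1; x++)
        for (int y = -1; y <= thread_limit + 1; y++)
            if (in_range_22(x, y) && !in_range_23(x, y))
                n++;
    return n;
}

int main(void)
{
    printf("accepted by 2.2 test but out of bounds: %d\n", count_overreach());
    printf("x == server_limit -> %s\n",
           get_worker_checked(server_limit, 0) ? "slot" : "NULL");
    return 0;
}
```

A module that loops with `i < server_limit` and `j < thread_limit` never reaches the extra pairs under either check.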


Gregg

Not claiming victory just yet but I do have mod_security loading, announcing and using Steffen's test, working with minimal rules.

I just put it live on the Atom so we will see what happens. If it lasts till Wednesday or Thursday, I'll throw the core rules at it.