apache forward vhost to local service / protect with htpasswd htaccess

So we have the following situation. We have a service that provides a web interface through something not based on Apache, so it runs standalone. Since many of these third-party web interfaces contain security vulnerabilities, I like to put them behind htaccess/htpasswd. Keep in mind that Basic authentication only base64-encodes the credentials, it does not encrypt them, so this is only reasonably secure if the vhost is served over HTTPS.

So we already have a service running on localhost on a specific port. For me it is the Deluge web interface, a pretty awesome torrent client/server setup.

The server I was configuring was running Plesk 11, but without Plesk it is even easier. First we need to enable the following Apache modules:

a2enmod proxy_http
a2enmod proxy

Next, we need to set up a domain/subdomain that forwards to our local service. In the vhost configuration for that domain we add the following:

<Proxy *>
    # Basic auth in front of everything that is proxied
    AuthType Basic
    AuthName "Hello, please log in"
    AuthUserFile /var/www/vhosts/DOMAIN/conf/.htpasswd
    Require user USERNAME
</Proxy>

ProxyPreserveHost On
# Off = reverse proxy only, never an open forward proxy
ProxyRequests Off
ProxyPass / http://localhost:1234/
ProxyPassReverse / http://localhost:1234/

In my situation with Plesk 11, this goes into the vhost.conf file in the conf folder of that specific domain. After that we have to run:

/opt/psa/admin/sbin/httpdmng --reconfigure-all

to include the changes made in vhost.conf. Restart Apache and everything should be fine. Oh yes, you have to create the htpasswd file /var/www/vhosts/DOMAIN/conf/.htpasswd (the htpasswd tool that ships with Apache does that)! Also make sure the service itself only listens on 127.0.0.1, or firewall its port; otherwise anyone can connect to port 1234 directly and bypass the password prompt entirely.
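A complete vhost for this setup, as an added example and not from the original post: it forces HTTPS so the Basic auth credentials are not sent in the clear, keeps forward proxying off, and points at the loopback address explicitly. The hostname deluge.example.com, the certificate paths and the backend port are assumptions; the password file path and USERNAME are the ones used above.

```apache
# Enable the needed modules first: a2enmod proxy proxy_http ssl
<VirtualHost *:80>
    ServerName deluge.example.com
    # Never serve the login prompt over plain HTTP
    Redirect permanent / https://deluge.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName deluge.example.com
    SSLEngine on
    # Assumed certificate locations
    SSLCertificateFile    /etc/ssl/certs/deluge.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/deluge.example.com.key

    # Reverse proxy only; ProxyRequests On would turn this into an open proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # Password-protect every path before it is handed to the backend
    <Location />
        AuthType Basic
        AuthName "Hello, please log in"
        AuthUserFile /var/www/vhosts/DOMAIN/conf/.htpasswd
        Require user USERNAME
    </Location>

    # Explicit loopback address; the backend itself must listen only here
    ProxyPass        / http://127.0.0.1:1234/
    ProxyPassReverse / http://127.0.0.1:1234/
</VirtualHost>
```

Create the password file with `htpasswd -c /var/www/vhosts/DOMAIN/conf/.htpasswd USERNAME`, then check two things from outside the box: a request to https://deluge.example.com/ gets a 401 until you supply the credentials, and a request straight to port 1234 on the server's public address is refused, because otherwise the auth is simply walked around.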

:)

And all is awesome: our domain forwards to the local web interface and protects it with htpasswd!

http://stackoverflow.com/questions/8541182/apache-redirect-to-another-port

http://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication

http://dev.deluge-torrent.org/wiki/UserGuide/ThinClient

htaccess htpasswd / howto log login attempts with mod_security

Hello to everyone out there wearing a tin-foil hat. Today we want to log authentication attempts to a log file so that we can process them with OSSEC or another logwatch-style tool. First let's install mod_security; here is how it's done on Debian:

apt-get install libapache-mod-security mod-security-common

The package mod-security-common contains a set of useful common rules (the OWASP Core Rule Set)! After installation the rules can be found here:

/usr/share/doc/mod-security-common/examples/rules/

Now we create a default config for our beautiful new modsec module. Create the file /etc/apache2/conf.d/mod-security.conf with the following content:

<IfModule security2_module>
    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
 
    Include /usr/share/doc/mod-security-common/examples/rules/*conf
    Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*conf
</IfModule>

This enables the audit log, sets its path and loads all the common rules. Now let's enable the module:

a2enmod mod-security

And restart Apache:

/etc/init.d/apache2 restart

Check that it is really loaded:

apache2ctl -M

Check that the module is enabled persistently:

ls -lh /etc/apache2/mods-enabled | grep mod-security

To test that the module is loaded and the common rules are active, request any domain on your server with "?cd/" appended. This request should be blocked!

The rule that matches this lives in modsecurity_crs_40_generic_attacks.conf. The log entry below explains the reason: the pattern \bcd\b\W*?[\/] is a generic heuristic for shell command injection (cd followed by a slash), and the request gets tagged WEB_ATTACK/COMMAND_INJECTION.

So in your log file you should see something like this:

Message: Pattern match "\bcd\b\W*?[\/]" at ARGS_NAMES:cd/etc. [file "/usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "396"] [id "958821"] [rev "2.0.5"] [msg "System Command Injection"] [data "cd/"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]

Very well. Now for logging htaccess/htpasswd login attempts: this works as well. In my logs after a failed login, for example:

Apache-Error: [file "/build/buildd-apache2_2.2.16-6+.../mod_auth_basic.c"] [line 264] [level 3] user test2 not found: /folder/testl

With that we can write a beautiful OSSEC or fail2ban rule to actually block these clients :) Note that the Apache-Error line itself carries no client address; take it from the header (section A) of the same audit-log entry, or match the same message in Apache's own error log, where it is prefixed with [client IP].

http://blog.bertelsen.co/2011/11/modsecurity2-on-debian-wheezy.html

http://www.fbis.ch/index-de.php?page=11&frameset=4 (German)

This would be interesting as well, as a follow-up:

http://snippets.aktagon.com/snippets/563-Brute-Force-Authentication-Protection-with-ModSecurity

Amazon AWS – change key pair when the private key is lost

I don't know how that can happen to anyone, but yes, it is possible to lose a private key. In the old days you would just boot the locked-out system from USB/CD-ROM, mount the filesystem and change the password/SSH key. In the modern days of Amazon AWS it is still the same! :) Awesome tutorials/information for doing so:

http://alestic.com/2011/02/ec2-fix-ebs-root

http://stackoverflow.com/questions/7881469/change-key-pair-for-ec2-instance

http://seabourneinc.com/2011/01/19/change-key-pairs-on-aws-ec2-instance/

After you have attached the volume to another instance, just run "fdisk -l" to look up the device name. It was /dev/xvdg for me rather than the chosen /dev/sdg (on Xen-based instances the guest kernel names the disks xvd* even if you attached them as sd*).

Cheers!

Wamp WordPress Error 101

OK, that was a weird one. I was setting up a local copy of this website on my Windows 7 WAMP installation to do some theme changes, and I ran into an error 101:

(screenshot of the error 101 page)

The error occurs: (screenshot)

The error does not occur: (screenshot)

Latest WordPress version 3.5.1.

Latest Wamp.

I have already spent too much time on this error to investigate further why. I think it is just my local WAMP installation. I'll have a look whether I have the same problem with other WordPress installations.

Cheers.

SASL filter for fail2ban not working. Or is it?

Over the last few weeks I got warnings from my good friend OSSEC about SASL LOGIN authentication failures. I use OSSEC for monitoring and fail2ban for banning; this combination has a long tradition here!

Feb 19 00:39:29 server postfix/smtpd[24297]: warning: d5152EB84.static.telenet.be[81.82.235.132]: SASL LOGIN authentication failed: authentication failure

You can easily check one of the regular expressions that fail2ban runs over the log files by using fail2ban-regex:

fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/sasl.conf

This run is successful, so why is fail2ban not banning those? Actually, as 'iptables -L' shows me, it is dropping those packets:

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
DROP       all  --  d51530E0B.static.telenet.be  anywhere
RETURN     all  --  anywhere             anywhere

And the fail2ban log also shows that it is banning SASL offenders as it should:

server:~# cat /var/log/fail2ban.log | grep sasl
2013-02-17 12:17:46,434 fail2ban.actions: WARNING [sasl] Ban 81.136.192.131
2013-02-17 12:17:47,528 fail2ban.actions: WARNING [sasl] 81.136.192.131 already banned
2013-02-17 13:32:57,983 fail2ban.actions: WARNING [sasl] Ban 71.119.68.210
2013-02-17 15:17:46,581 fail2ban.actions: WARNING [sasl] Unban 81.136.192.131
2013-02-17 16:32:58,078 fail2ban.actions: WARNING [sasl] Unban 71.119.68.210
2013-02-18 02:16:27,047 fail2ban.actions: WARNING [sasl] Ban 81.82.235.132
2013-02-18 02:16:27,136 fail2ban.actions: WARNING [sasl] 81.82.235.132 already banned
2013-02-18 05:16:27,541 fail2ban.actions: WARNING [sasl] Unban 81.82.235.132
2013-02-18 09:11:09,116 fail2ban.actions: WARNING [sasl] Ban 81.82.255.140
2013-02-18 12:11:09,759 fail2ban.actions: WARNING [sasl] Unban 81.82.255.140
2013-02-19 00:39:30,165 fail2ban.actions: WARNING [sasl] Ban 81.82.235.132
2013-02-19 03:39:30,972 fail2ban.actions: WARNING [sasl] Unban 81.82.235.132
2013-02-19 09:15:32,387 fail2ban.actions: WARNING [sasl] Ban 81.83.14.11

Actually I feel more and more like an idiot, because while writing this post I checked my mail and saw that I do get notifications from fail2ban about every new sasl ban, just as it should be :)

I was just wondering because OSSEC was showing me more than 3 failed log entries (the maxretry limit in fail2ban) and I thought fail2ban was not working. The log above explains it: a ban lasts three hours (see the Ban/Unban pairs), after which the same address can come back and fail again (81.82.235.132 is banned twice), and failures that arrive between fail2ban's log polls and the actual ban are counted as well (the "already banned" lines).

Calm down, guys! All good.
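The same check in code, as an added example that is not part of either post: a small fail2ban-style detector that runs over constructed log lines of both kinds discussed on this page, the mod_auth_basic failures from the mod_security post above (matched in Apache's own error log, which carries the client address) and the Postfix SASL failures from this post, and reports which addresses would be banned with maxretry=3 inside a findtime window. The sample lines, the RFC 5737 addresses and the year 2013 (syslog lines carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failed Basic-auth attempts as mod_auth_basic (Apache 2.2) writes them to the
# error log. ModSecurity copies the same message into its audit log as
# "Apache-Error:", but only the error log line carries the [client IP] prefix.
APACHE_AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] user (?P<user>\S+)"
    r"(?: not found: \S+|: authentication failure for \"[^\"]*\": Password Mismatch)"
)

# Postfix smtpd SASL failures as they appear in /var/log/syslog.
SASL_AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failure(line, year=2013):
    """Return (timestamp, ip, jail) for a failed-login line, else None.

    Syslog lines have no year, so the caller supplies one (assumed 2013 here,
    matching the constructed sample below).
    """
    m = APACHE_AUTH_FAIL.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        return ts, m.group("ip"), "apache-basic"
    m = SASL_AUTH_FAIL.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        return ts, m.group("ip"), "postfix-sasl"
    return None


def find_offenders(lines, maxretry=3, findtime=600, year=2013):
    """Return {ip: jail} for addresses with maxretry failures inside findtime
    seconds: the sliding-window rule fail2ban applies separately per jail."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed:
            ts, ip, jail = parsed
            hits[(ip, jail)].append(ts)
    banned = {}
    for (ip, jail), stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned[ip] = jail
                break
    return banned


# Constructed sample: three quick failures from 198.51.100.7 (ban), a single
# failure from 203.0.113.5 (no ban), four SASL failures from 192.0.2.44 spread
# over an hour (no ban within 10 minutes), three quick ones from 198.51.100.200
# (ban) and one unrelated smtpd line that must be ignored.
SAMPLE_LOG = """\
[Tue Feb 19 00:39:29 2013] [error] [client 198.51.100.7] user test2 not found: /folder/test
[Tue Feb 19 00:39:41 2013] [error] [client 198.51.100.7] user admin: authentication failure for "/folder": Password Mismatch
[Tue Feb 19 00:40:02 2013] [error] [client 203.0.113.5] user bob not found: /folder/test
[Tue Feb 19 00:41:15 2013] [error] [client 198.51.100.7] user root not found: /folder/test
Feb 19 00:39:29 server postfix/smtpd[24297]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Feb 19 00:55:10 server postfix/smtpd[24301]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Feb 19 01:20:33 server postfix/smtpd[24377]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Feb 19 01:37:00 server postfix/smtpd[24390]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Feb 19 02:10:01 server postfix/smtpd[24402]: warning: mail.example.net[198.51.100.200]: SASL LOGIN authentication failed: authentication failure
Feb 19 02:10:05 server postfix/smtpd[24402]: warning: mail.example.net[198.51.100.200]: SASL LOGIN authentication failed: authentication failure
Feb 19 02:11:40 server postfix/smtpd[24404]: warning: mail.example.net[198.51.100.200]: SASL LOGIN authentication failed: authentication failure
Feb 19 02:12:00 server postfix/smtpd[24405]: connect from mail.example.net[198.51.100.200]
"""

if __name__ == "__main__":
    for ip, jail in sorted(find_offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"ban {ip} ({jail})")
```

The window matters: 192.0.2.44 fails four times but never three times within ten minutes, so with the default findtime it is not banned, which is exactly the kind of slow, spread-out attempt that shows up in OSSEC's counts without ever tripping fail2ban. Lengthening findtime catches it, at the cost of more false positives from users who simply forget their password.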

Symfony 2.1: boolean attribute is not comparable with getUnitOfWork

I ran into this error (or maybe it's me doing something wrong^^) because I want to check whether an Entity has changed before updating the database; if there are no changes I don't update the db.

I have a boolean attribute in my Entity:

/**
 * @var boolean $showAddress
 *
 * @ORM\Column(name="show_address", type="boolean", nullable=false)
 */
private $showAddress;

I create a choice field for it in my form builder:

    $builder->add('show_address', 'choice', array(
        'choices'   => array('False', 'True')
        ));

Before persisting to the database I check in my Controller whether the Entity has changed:

$unitOfWork = $em->getUnitOfWork();
$unitOfWork->computeChangeSets();
$changes = $unitOfWork->getEntityChangeSet($ENTITY);

Even if there HAVEN'T been any changes to the boolean field, getEntityChangeSet shows differences anyway, because the old value is always a boolean (true or false) while the new value is always an integer (0 or 1), which is the array index the choice field submits:

array (size=1)
  'showAddress' => 
    array (size=2)
      0 => boolean true
      1 => int 1

Is that an error or am I doing something wrong?

A small workaround that works for me is casting the value on the Entity to boolean before checking for changes:

$ENTITY->setShowAddress((bool)$ENTITY->getShowAddress());

EDIT 11.10.2012

The problem can be solved by using a ChoiceList! I almost knew it was something I did wrong ;)

use Symfony\Component\Form\Extension\Core\ChoiceList\ChoiceList;

$builder->add('show_address', 'choice', array(
    // real booleans as the submitted values, labels as the second argument
    'choice_list' => new ChoiceList(array(true, false), array('True', 'False')),
));

Symfony2 – Validation not working for embedded Form Type

A few days ago I described a problem regarding validation of embedded forms: symfony-2-form-username-password-individual-error-message/. If you want to know what kind of form we are talking about, have a look there, as it's the example I used!

I updated from Symfony 2.0 to 2.1, which was actually not too bad, but it did take me about 2 hours. OK, but that's another story! We can now solve the problem using the "cascade_validation" option when building our form, like this:

$form = $this->createForm(new RegistrationType(), new Registration(), array(
            'cascade_validation' => true
            ));

And the whole error validation works fine! :)

how to add HTML5 placeholders to Symfony Form Element

HTML5 placeholders are just awesome; if you don't know what I mean, have a look at this small example here:

If you don't see anything written inside the textbox you might be browsing with a non-HTML5 browser! There is a nice jQuery plugin, placeholder, that lets you use placeholders without any changes in older browser environments! Anyway, how can you add these placeholders to a Symfony 2 form?

So we have already generated our form inside our controller. Inside our Twig template we have one field for a username:

<form action="ACTION" method="post" {{ form_enctype(form) }}>
{{ form_widget(form.user.username) }}
</form>

To add a placeholder to it just use the following:

<form action="ACTION" method="post" {{ form_enctype(form) }}>
{{ form_widget(form.user.username, { 'attr': {'placeholder': 'choose a username!' } }) }}
</form>

And if you want to translate the placeholder-text, here we go:

<form action="ACTION" method="post" {{ form_enctype(form) }}>
{{ form_widget(form.user.username, { 'attr': {'placeholder': 'user.form.placeholder.username'|trans } }) }}
</form>

That’s it, easy and nice!

Symfony 2 – form username password individual error message

There is a bug in Symfony 2.0 in the way it handles error messages when you use a confirmation of an entry (for example confirming the password when a new user registers). You can catch the error message if both passwords don't match, but you can't get the validation error if one password field doesn't meet the validation constraints (like max length etc.).

I spent quite a bit of time on solving that problem; the good news is that it should be fixed in the now released Symfony 2.1! I'll check it out in the next few days...

Here are a few links that helped me get further information.

https://github.com/symfony/symfony/issues/1971
https://github.com/symfony/symfony/issues/3969

suspected malware on wordpress

I received some questions about that problem from a friend of mine. As many people use WordPress, there is big interest in finding security problems in current and older versions, so we should always keep our WordPress version AND plugin versions up to date. Helpful for me, as I host many WordPress installations, is the following plugin:

http://wordpress.org/extend/plugins/wp-updates-notifier/

It notifies you when a new core, plugin or theme version is available. I'm also trying the WordPress Wordfence plugin now:

http://wordpress.org/extend/plugins/wordfence/

Just have a look through the features and decide whether it is something for your needs as well. I really like the comparison of all WordPress files against the repository for unwanted changes. But if you use WordPress in another language it might give you false warnings, as it only checks against the English WordPress version! The integrated diff tool, however, quickly shows whether a warning is real or can be ignored because of language differences.

Any more suggestions besides using good file permissions?
