Re: [CentOS] Apache warns Web server admins of DoS attack tool
Thanks Tom, On 09/01/2011 02:05 AM, Tom Lanyon wrote: For EL 4, 5, 6: https://rhn.redhat.com/errata/RHSA-2011-1245.html rpms for C5 are pushed into the 5.6/cr/ repo; the c6 build is running now, we will have the cr stuff up for that today and get this into there as well. Unless Tru gets to it before me, I'll get the c4 builds out as well in a bit. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
m.r...@5-cent.us said the following on 25/08/11 18:33: Anyone have any idea how soon RHEL and CentOS will be releasing the patch package? Apparently Apache just released a patch: https://www.apache.org/dist/httpd/Announcement2.2.html Source: http://nakedsecurity.sophos.com/2011/08/31/apache-2-2-20-released-to-fix-dos-vulnerability/ Ciao, luigi -- / +--[Luigi Rosa]-- \ Sinclair: Good morning, Lieutenant Commander. Sleep well? Ivanova: Sleeping is not the problem. Waking up, that is a problem. I've always had a hard time getting up when it's dark outside. Sinclair: But in space it's always dark. Ivanova: I know. I know. --Signs and Portents ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/30/2011 11:33 PM, Thomas Harold wrote: Someday, perhaps we'll end up back on an authenticated version of NNTP, with support for bbcode, images, and the front end reader of your choice... Thats quite a good idea - and something that we explored at length when looking for a replacement software for the existing forums. And while that would be nice to have, reduce content duplication and assert some level of authority across venues etc, its still not really the master-solution. The bridge would be good to have, but there are lots of people who chose a venue to work with based on their own expectations, comfort level and media they prefer working with. In some cases, like the people here on the list - mailing lists are the way to go. Others prefer to use the forums. While plenty hang out on IRC. Lets not take the choice away from people. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
thus Karanbir Singh spake: On 08/30/2011 11:33 PM, Thomas Harold wrote: Someday, perhaps we'll end up back on an authenticated version of NNTP, with support for bbcode, images, and the front end reader of your choice... Thats quite a good idea - and something that we explored at length when looking for a replacement software for the existing forums. And while that would be nice to have, reduce content duplication and assert some level of authority across venues etc, its still not really the master-solution. The bridge would be good to have, but there are lots of people who chose a venue to work with based on their own expectations, comfort level and media they prefer working with. In some cases, like the people here on the list - mailing lists are the way to go. Others prefer to use the forums. While plenty hang out on IRC. Lets not take the choice away from people. - KB Just released: https://www.apache.org/dist/httpd/Announcement2.2.html ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Hi, On 08/31/2011 10:56 AM, Timo Schoeler wrote: Just released: https://www.apache.org/dist/httpd/Announcement2.2.html thanks. I guess we should wait on a fix from upstream, make sure its tested etc. If there is interest in doing a local fix/build for c4/5/6 testing repo's, please submit a patch and I can push it through the buildsys. For the main distro, lets wait on the upstream fix. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Wed, Aug 31, 2011 at 4:32 AM, Karanbir Singh mail-li...@karan.org wrote: On 08/30/2011 11:33 PM, Thomas Harold wrote: Someday, perhaps we'll end up back on an authenticated version of NNTP, with support for bbcode, images, and the front end reader of your choice... Thats quite a good idea - and something that we explored at length when looking for a replacement software for the existing forums. And while that would be nice to have, reduce content duplication and assert some level of authority across venues etc, its still not really the master-solution. Unless there are hub sites that aggregate all the feeds this sounds like it would require per-target, per-client, per-platform configuration to set up authenticated access, which would be fairly horrible for anyone who likes to use multiple programs on multiple devices to access a large number of sites. And inventing a new protocol for programs that don't exist to do something that many of us think is already handled correctly by email probably isn't a great idea. The bridge would be good to have, but there are lots of people who chose a venue to work with based on their own expectations, comfort level and media they prefer working with. In some cases, like the people here on the list - mailing lists are the way to go. Others prefer to use the forums. While plenty hang out on IRC. Lets not take the choice away from people. I still think rss could work with existing aggregators like google reader to make forum reading tolerable and clicking through to reply not too annoying, but the feed needs to include the whole posting or enough to catch most of them without having to click through. Is that something that can be configured? I tried to look on the xoops newbb site but their rss feed actually just gives an error which doesn't look promising. Also, it would be nice if the web side had a mobile view so you didn't have to zoom in to be able to read each article when you click through on a phone. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 31/08/2011, at 11:07 PM, Karanbir Singh wrote: On 08/31/2011 10:56 AM, Timo Schoeler wrote: Just released: https://www.apache.org/dist/httpd/Announcement2.2.html thanks. I guess we should wait on a fix from upstream, make sure its tested etc. If there is interest in doing a local fix/build for c4/5/6 testing repo's, please submit a patch and I can push it through the buildsys. For the main distro, lets wait on the upstream fix. For EL 4, 5, 6: https://rhn.redhat.com/errata/RHSA-2011-1245.html Tom ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Mon, Aug 29, 2011 at 6:38 PM, Scott Robbins scot...@nyc.rr.com wrote: The first look isn't promising - there is only a small amount of text displayed and clicking through to get the rest doesn't recognize mobile browsers so you always have to zoom in for a reasonable font size when using the phone app. And a large percent of the admittedly small sample looks more like spam or off-topic than what we see here. Is anyone interested in seeing things like: Atlantica online OG Realms Private Server or Does CentOS join Micorsoft strategy? One of those was probably fairly quickly removed as spam. The second one is really not typical of the forum. OK, but even ignoring the content, the rss experience is very bad - and it seems like the best hope to attract email users to reading the forum (short of a gateway that would likely propagate the worst features of both). Is there any way to add selective feeds for each section, get more content text included to make it less likely to have to click through, and perhaps have a mobile view available if you do click though on a mobile device? Is anyone else even trying to use rss regularly? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/28/2011 12:37 PM, Les Mikesell wrote: On Sun, Aug 28, 2011 at 10:20 AM, Keith Robertske...@karsites.net wrote: The CentOS Forums are a very very good resource for many people and the people spending time managing and posting there are doing a very good job. I'm guessing you were unable to get value from the forums since your expectations and forums deliverables dont match. That's fine, but it does not imply that the entire forums are 'useless'. I'd say the forums have ALOT of usefull info, but the main Centos activity is centered on IMHO this list - cannot speak for the other centos lists, as I'm ONLY on this one for now. The problem with forums is that if you have more than a couple of interests you kill the whole day bouncing around in a web browser logging into them and figuring out their user interface differences. Could the rss feed be made a little more obvious? It might work to plug it into google reader or other feed consolidator. Someday, perhaps we'll end up back on an authenticated version of NNTP, with support for bbcode, images, and the front end reader of your choice... Maybe a merger of some sort between forums / email discussion threads and NNTP. There are things that the web forum does well, things that NNTP does well and things that mailing lists do well. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/25/2011 7:05 PM, Always Learning wrote: On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote: On 08/25/11 1:45 PM, Always Learning wrote: I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere. the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file. Hi John, No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments. 'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example /data/config/apache/server.conf /data/config/apache/domain.* means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files. I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters. As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability. Anyone who has ever worked on the nightmare called Windoze will know that one tiny fault in the Registry can cause the entire operating system to malfunction. Spreading the risk with Apache configuration files is my chosen method to minimise potential disruption and it works very successfully for me on Centos 5.3, 5.4, 5.5, 5.6 and hopefully on 5.7 and 6.1 et al. Which is why all of my server's config files are version controlled (I use FSVS with a SVN back-end repository, but there are dozens of tools). Being able to diff your config files when you mangle it to the breaking point is a wonderful thing. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sunday, August 28, 2011 06:47:08 PM Les Mikesell wrote: So, if the forums provide a usable rss feed, reading them shouldn't be that bad, even though you have to follow the links to read longer messages and reply. If the forums have useful RSS feeds, yeah, that would work. I use Kontact; the default feed reader for Kontact is Akregator, which works reasonably well as long as the RSS feed is reasonable (that is, you can get all useful content without having to go to the forum website; if the forum RSS feed requires me to go to the website for essential things like subjects and thread starters, then it's unreasonable). Otherwise I find web forums require a complete change in workflow; that is, I have to go look at the website and navigate around, with different interfaces, logins, and paradigms. I like e-mail when done right (folderized, threaded, etc). When done wrong it's useless, too, for that matter. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Mon, Aug 29, 2011 at 10:21 AM, Lamar Owen lo...@pari.edu wrote: On Sunday, August 28, 2011 06:47:08 PM Les Mikesell wrote: So, if the forums provide a usable rss feed, reading them shouldn't be that bad, even though you have to follow the links to read longer messages and reply. If the forums have useful RSS feeds, yeah, that would work. I use Kontact; the default feed reader for Kontact is Akregator, which works reasonably well as long as the RSS feed is reasonable (that is, you can get all useful content without having to go to the forum website; if the forum RSS feed requires me to go to the website for essential things like subjects and thread starters, then it's unreasonable). Otherwise I find web forums require a complete change in workflow; that is, I have to go look at the website and navigate around, with different interfaces, logins, and paradigms. I like e-mail when done right (folderized, threaded, etc). When done wrong it's useless, too, for that matter. Not so sure about usability - it looks like the rss is all-or-nothing and I have no interest at all in CentOS4. I'll see how it shows up in google reader. The QA forum works fine that way to pick up the occasional announcement, though. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Mon, Aug 29, 2011 at 10:53 AM, Les Mikesell lesmikes...@gmail.com wrote: So, if the forums provide a usable rss feed, reading them shouldn't be that bad, even though you have to follow the links to read longer messages and reply. If the forums have useful RSS feeds, yeah, that would work. I use Kontact; the default feed reader for Kontact is Akregator, which works reasonably well as long as the RSS feed is reasonable (that is, you can get all useful content without having to go to the forum website; if the forum RSS feed requires me to go to the website for essential things like subjects and thread starters, then it's unreasonable). Otherwise I find web forums require a complete change in workflow; that is, I have to go look at the website and navigate around, with different interfaces, logins, and paradigms. I like e-mail when done right (folderized, threaded, etc). When done wrong it's useless, too, for that matter. Not so sure about usability - it looks like the rss is all-or-nothing and I have no interest at all in CentOS4. I'll see how it shows up in google reader. The QA forum works fine that way to pick up the occasional announcement, though. The first look isn't promising - there is only a small amount of text displayed and clicking through to get the rest doesn't recognize mobile browsers so you always have to zoom in for a reasonable font size when using the phone app. And a large percent of the admittedly small sample looks more like spam or off-topic than what we see here. Is anyone interested in seeing things like: Atlantica online OG Realms Private Server or Does CentOS join Micorsoft strategy? Clicking on the first one of those gave me a 'you do not have permission to access this forum' error, which might mean someone removed it after the rss entry was picked up, but still not a great user experience. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 29/08/11 21:11, Les Mikesell wrote: Clicking on the first one of those gave me a 'you do not have permission to access this forum' error, which might mean someone removed it after the rss entry was picked up, but still not a great user experience. Yes, that was spam and was removed by a moderator hence the permissions error you see. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Mon, Aug 29, 2011 at 03:11:31PM -0500, Les Mikesell wrote: On Mon, Aug 29, 2011 at 10:53 AM, Les Mikesell lesmikes...@gmail.com wrote: The first look isn't promising - there is only a small amount of text displayed and clicking through to get the rest doesn't recognize mobile browsers so you always have to zoom in for a reasonable font size when using the phone app. And a large percent of the admittedly small sample looks more like spam or off-topic than what we see here. Is anyone interested in seeing things like: Atlantica online OG Realms Private Server or Does CentOS join Micorsoft strategy? One of those was probably fairly quickly removed as spam. The second one is really not typical of the forum. -- Scott Robbins PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 ) gpg --keyserver pgp.mit.edu --recv-keys EB3467D6 Jonathon: You think I just want attention? Buffy: No, I think you're up here in a clock tower with a high-powered rifle because you want to blend in. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/26/2011 09:01 AM, Rudi Ahlers wrote: The CentOS forum is pretty useless IMO The CentOS Forums are a very very good resource for many people and the people spending time managing and posting there are doing a very good job. I'm guessing you were unable to get value from the forums since your expectations and forums deliverables dont match. That's fine, but it does not imply that the entire forums are 'useless'. - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sun, Aug 28, 2011 at 6:01 AM, Karanbir Singh mail-li...@karan.org wrote: On 08/26/2011 09:01 AM, Rudi Ahlers wrote: The CentOS forum is pretty useless IMO The CentOS Forums are a very very good resource for many people and the people spending time managing and posting there are doing a very good job. I'm guessing you were unable to get value from the forums since your expectations and forums deliverables dont match. That's fine, but it does not imply that the entire forums are 'useless'. Just to second KB's view ... Anyone who thinks the CentOS Forums are not a valuable source as one of the help venues CentOS offers is encouraged to try and make it better instead of expressing his/her opinion as 'useless'. Why this is important? Google knows: http://blog.toracat.org/2010/05/search-is-on-an-update/ Also ... if you value what ELRepo provides, you'd like to know that the ELRepo Project would not have been born without the Forums: http://blog.toracat.org/2009/06/elrepo-project/ Akemi -- done with enough adv of own blogs :-D ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sun, 28 Aug 2011, Karanbir Singh wrote: To: CentOS mailing list centos@centos.org From: Karanbir Singh mail-li...@karan.org Subject: Re: [CentOS] Apache warns Web server admins of DoS attack tool On 08/26/2011 09:01 AM, Rudi Ahlers wrote: The CentOS forum is pretty useless IMO The CentOS Forums are a very very good resource for many people and the people spending time managing and posting there are doing a very good job. I'm guessing you were unable to get value from the forums since your expectations and forums deliverables dont match. That's fine, but it does not imply that the entire forums are 'useless'. I'd say the forums have ALOT of usefull info, but the main Centos activity is centered on IMHO this list - cannot speak for the other centos lists, as I'm ONLY on this one for now. Personally, I prefer to participate in an active mailing list, where there are many others that usually reply in near-real time. Kind Regards, Keith - Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] - ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sun, Aug 28, 2011 at 10:20 AM, Keith Roberts ke...@karsites.net wrote: The CentOS Forums are a very very good resource for many people and the people spending time managing and posting there are doing a very good job. I'm guessing you were unable to get value from the forums since your expectations and forums deliverables dont match. That's fine, but it does not imply that the entire forums are 'useless'. I'd say the forums have ALOT of usefull info, but the main Centos activity is centered on IMHO this list - cannot speak for the other centos lists, as I'm ONLY on this one for now. The problem with forums is that if you have more than a couple of interests you kill the whole day bouncing around in a web browser logging into them and figuring out their user interface differences. Could the rss feed be made a little more obvious? It might work to plug it into google reader or other feed consolidator. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sun, 2011-08-28 at 11:37 -0500, Les Mikesell wrote: The problem with forums is that if you have more than a couple of interests you kill the whole day bouncing around in a web browser logging into them and figuring out their user interface differences. Could the rss feed be made a little more obvious? It might work to plug it into google reader or other feed consolidator. Forums = too slow = too much hard work for little gain Emails = instant = quick = easy -- With best regards, Paul. England, EU. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Sun, Aug 28, 2011 at 12:13 PM, Always Learning cen...@u61.u22.net wrote: On Sun, 2011-08-28 at 11:37 -0500, Les Mikesell wrote: The problem with forums is that if you have more than a couple of interests you kill the whole day bouncing around in a web browser logging into them and figuring out their user interface differences. Could the rss feed be made a little more obvious? It might work to plug it into google reader or other feed consolidator. Forums = too slow = too much hard work for little gain Emails = instant = quick = easy I agree in principle, but remember that you are really interacting with your own tools, so if they are slow or inconvenient you can use a different tool. There are some email readers (Apple's, at least) that handle rss feeds pretty much the same as email. Google reader or other feed aggregators make it easy to read a bunch from different sources all in one place with whatever groupings you like - and always maintain the same 'unread' view across different client browsers or phone apps. So, if the forums provide a usable rss feed, reading them shouldn't be that bad, even though you have to follow the links to read longer messages and reply. Seems to work fine for the QA forum, anyway. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? Hi, Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore. Works for me, YMMW. Simon CVE-2011-3192.conf Description: Binary data ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? Hi, Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore. Works for me, YMMW. Sorry, forgot to mention that this is for EL4. Simon ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
I don't see any mention of this in the CentOS announcements forum. I'd consider dropping the mailing list and switching to forums if this kind of warning appeared there. https://www.centos.org/modules/newbb/viewforum.php?forum=53 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 9:45 AM, Kenneth Porter sh...@sewingwitch.com wrote: I don't see any mention of this in the CentOS announcements forum. I'd consider dropping the mailing list and switching to forums if this kind of warning appeared there. https://www.centos.org/modules/newbb/viewforum.php?forum=53 ___ The CentOS forum is pretty useless IMO -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog: http://Blog.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 22:56 -0700, John R Pierce wrote: by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications. That is exactly the flexibility I have when I put my site specific Apache stuff in /data/config/apache Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 08:13 +0200, Simon Matter wrote:
Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and
I'll just remove it after the coming update is done.
At least killapache.pl doesn't kill anymore.
Works for me, YMMW.
IfModule mod_setenvif.c
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range
/IfModule
Very useful. Thanks Simon.
I found the Range temporary solution stopped the loading of a MySQL
table vua PHPmyAdmin,
--
With best regards,
Paul.
England,
EU.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool (temp fix update)
On Thursday 25 Aug 2011, Colin Coles wrote: There are some work-around suggestions here: http://lwn.net/Articles/456268/ This has now been updated as original work-around was incomplete: http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? Hi, Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore. Works for me, YMMW. Sorry, forgot to mention that this is for EL4. And while looking into it again I realize that my solution is not really a solution... Simon ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/2011 7:27 AM, Always Learning wrote: On Thu, 2011-08-25 at 22:56 -0700, John R Pierce wrote: by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications. That is exactly the flexibility I have when I put my site specific Apache stuff in /data/config/apache Paul. I think the point is making use of what is by default built in to apache on our CentOS boxes. And this is and has been for some time making use of the include directed to look in /etc/httpd/conf.d directory and read in any *.conf files in that directory. So, why try to teach somebody to use another structure and customization? And why is this a good idea? Well, it does add complication in having multiple files to deal with. But the upside to that is it does reduce the number of edits to the main conf file. What is useful about this? Well, I do remember one time editing httpd.conf in Vi and after I finished Apache wouldn't restart. Panic of course immediately sets in when a webserver is not running and I looked and looked and looked and looked and couldn't find any problem with what I had done. Finally, after what seemed like an eternity, I found that I must have accidentally hit the 'x' key just after opening the file and had deleted the first '#' from the first line. I was working on a new virtual server during that edit and just knew I hadn't edited anywhere else... so had been totally concentrating on the end of the conf file instead of really looking at the top. If this had been in vhost.conf, I could have easily moved vhost.conf to vhost.conf.bak and immediately known that it was not the problem... and actually, wouldn't have had the main conf open to start with so would never have made that mistake. So, argue all you want, but many programs 'by default' add their apache conf files into /etc/httpd/conf.d so why not follow conventions? If you die, the next admin should know to look there first. And, removing or doing a temp something.conf.bak file quickly takes potential errors out of the equation. To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices? John Hinton ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 10:59 -0400, John Hinton wrote: To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices? Unlike some other installations everything is documented, so everyone knows. Keeping information a secret from other workers is not practised here. Apache creates a default set-up. Default for those who need something which 'works out of the box'. Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places). Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them. If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable. An English saying is: Rules were made for the guidance of wise men but for the obedience of fools. Naturally I am not implying, nor would I, that anyone on this list are in the latter category. However I believe that saying makes a valid point. Once upon a time people were killed for believing the world was not flat and if one sailed far enough their ship would drop-off the edge of the world. Blind and unthinking obedience and the intellectual inability to question and experiment are not conducive to the successful development and using of computers. Please note I do not teach on here. I've already got a large workload :-) Best regards, Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 10:37 AM, Always Learning cen...@u61.u22.net wrote: Apache creates a default set-up. Default for those who need something which 'works out of the box'. 'Apache' is infinitely configurable. It is the upstream/Centos distribution that provides a working base configuration that is also the expected base for a large number of optional packages. Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places). That's kind of irrelevant. The thing that matters in a distribution managed by a package manager is that the base and optional components don't conflict with each other. In many places the distribution handles this by splitting what might be one big file into a directory of included components so each package can manage its own optional components. Apache is one of these. There are a number of web applications available in the base and 3rd party repos that drop snippets of apache config into /etc/httpd.conf.d and if you add your own packages you can do the same without conflict as long as you choose a different filename. Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them. Your are kind of missing the point there. Do you also think /home belongs to the OS and put your own files elsewhere? If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable. That's equivalent to saying you should always install programs from source tarballs with 'configure; make; make install'. You can do that across different platforms, but that's probably much less important to most people than having automatic updates available from packages already well tested on your distribution. Once in a while there is a good reason to do something that isn't pre-packaged, but even then you don't have to do it in a way that is incompatible with existing packages. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Les, There are no /home directories on our servers. Data we create which is NOT essential for the operating system to function is usually not in an operating system directory. 'yum update' still works successfully. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 11:13 AM, Always Learning cen...@u61.u22.net wrote: Les, There are no /home directories on our servers. I thought you were trying to give general advice - or that what you posted might be taken that way. Data we create which is NOT essential for the operating system to function is usually not in an operating system directory. That's interesting, but not a necessary condition for anything. 'yum update' still works successfully. But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup? -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 11:22 -0500, Les Mikesell wrote: But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup? Definitely. That is essential. Non-operating system customisations go in /data Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/2011 12:13 PM, Always Learning wrote: Les, There are no /home directories on our servers. Data we create which is NOT essential for the operating system to function is usually not in an operating system directory. 'yum update' still works successfully. Paul. All good that you customize your servers and that shows the beauty of our chosen OS. However, posting non-standard configs on this list shows up in google searches all over the place and has a good potential to confuse those that need some help. That's my point. Obviously your point is you can put them anywhere and your company has decided that is a best practice. I would never argue against your decision to do that. Meanwhile, the original 'good suggestion' to use the /etc/httpd/conf.d directory for adding the patches has been totally watered down by this blathering (me included) which would best be under a totally different thread about how you can put stuff any where you want. Or, 'the merits of using a data directory'. You don't teach? If you post, you teach... like it or not. John Hinton ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 11:30 AM, Always Learning cen...@u61.u22.net wrote: But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup? Definitely. That is essential. Non-operating system customisations go in /data But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/2011 12:30 PM, Always Learning wrote: On Fri, 2011-08-26 at 11:22 -0500, Les Mikesell wrote: But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup? Definitely. That is essential. Non-operating system customisations go in /data OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up? Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom? John ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 11:46 -0500, Les Mikesell wrote: But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out. As previously mentioned everything is documented, so too is the logic for the decisions. We do not willingly add anything to /etc/httpd/conf.d or to /var/www/html. Our chosen operating system does not require it. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Aug 26, 2011, at 8:37 AM, Always Learning wrote: On Fri, 2011-08-26 at 10:59 -0400, John Hinton wrote: To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices? Unlike some other installations everything is documented, so everyone knows. Keeping information a secret from other workers is not practised here. Apache creates a default set-up. Default for those who need something which 'works out of the box'. Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places). Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them. If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable. An English saying is: Rules were made for the guidance of wise men but for the obedience of fools. Naturally I am not implying, nor would I, that anyone on this list are in the latter category. However I believe that saying makes a valid point. Once upon a time people were killed for believing the world was not flat and if one sailed far enough their ship would drop-off the edge of the world. Blind and unthinking obedience and the intellectual inability to question and experiment are not conducive to the successful development and using of computers. Please note I do not teach on here. I've already got a large workload :-) Best regards, oy - no wonder you turn off selinux - you are determined to re-engineer things that were designed with logic and intent. Perhaps you should use some other non-redhat type of distribution (debian/ubuntu) to get a feel for the fact that there actually is intelligent ways to plan out configuration files and gasp, in /etc/ Craig ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 11:46 -0500, Les Mikesell wrote: But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out. snip We do not willingly add anything to /etc/httpd/conf.d or to /var/www/html. Our chosen operating system does not require it. Does not require? I dunno. My current job, and the last two - that goes back to '06 - *all* did minimal changes to /etc/httpd/conf/httpd.conf, and put *everything* else in /etc/httpd/conf.d, including ssl.conf. IIRC, in fact, the package install puts proxy_agp.conf there. Also, it makes things a *lot* cleaner to have website1.conf, website2.conf, etc in conf.d, rather than in one huge httpd.conf. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 12:47 -0400, John Hinton wrote: OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up? We do not use Squirrelmail. Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom? /etc/httpd/conf/httpd.conf has:- 112: Include conf.d/*.conf 126: User apache 127: Group apache 128: 129: # Section 2: 'Main' server configuration 130: 131: Include /data/config/apache/server.conf 132: 133: #- Section 3: Virtual Hosts --- 134: 135: include /data/config/apache/domain.* 136: 137: #-- Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 12:47 -0400, John Hinton wrote: OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up? We do not use Squirrelmail. Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot. snip mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 13:37 -0400, m.r...@5-cent.us wrote: Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot. Mark, I don't know about your systems but on ours php gcc tomcat5 do NOT require customisation. Apache does. For example:- ServerAdmin ServerName DirectoryIndex DefaultLanguage LanguagePriority and all the other site options Keeping the bits that remain static separate from the bits that change per server is our choice. Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running. For us deleting a virtual host is deleting one named text file. Adding a virtual host means creating one text file. Changing a virtual host means changing one file. Moving a virtual host to a different server or even to a different operating system means moving one file. Of course it requires a service httpd restart or reload Meanwhile nothing else is disrupted, or at risk of disruption or inadvertently altered. We like quickness, simpleness and easiness. Keep it plain and simple is our motive. Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 1:00 PM, Always Learning cen...@u61.u22.net wrote: Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running. No one has suggested otherwise. The question is, what do you gain by putting this file in a place where no one but you would know to look for it instead of the place that is conveniently provided? And for the things that might be sensitive to loading order, how do you control that with different include locations? -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/26/11 11:00 AM, Always Learning wrote: Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file. which part of /etc/httpd/conf.d/*.conf are you missing? Each vhost gets its OWN conf file, ideally packaged with the vhost's application files and depedencies as an RPM, so it can be deployed/undeployed by a single command, or included in a kickstart, or whatever... there should be NOTHING in the main httpd.conf that needs changing, I haven't had to touch that file in years on any of my EL4/5/6 systems. I put global stuff in a /etc/httpd/conf.d/00globalstuff.conf (the *.conf files are loaded in sort order so a 00something file will get loaded before any others). -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 13:37 -0400, m.r...@5-cent.us wrote: Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot. I don't know about your systems but on ours php gcc tomcat5 do NOT require customisation. Apache does. For example:- ServerAdmin ServerName DirectoryIndex DefaultLanguage LanguagePriority and all the other site options Keeping the bits that remain static separate from the bits that change per server is our choice. shakes head Yeah, but that's a very non-standard concept. If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd/conf/httpd.conf. Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running. For us deleting a virtual host is deleting one named text file. Adding a virtual host Missed that part, but that's what I said everybody seems to do... but they do it in /etc/httpd/conf.d snip Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file. So, you were speaking to the guy who was at the bottom of their class? That's inane. I stay with std. practice, as much as I can. It works, too. The first time I ever did system admin, back in the mid-nineties, I'd worked in Unix for about 4 years, but never done admin work. For the next 9 or 10 mos, along with my wife, I slept with Frisch's Essential Systems Administration. from O'Reilly. When the division had grown from 4 teams to 27, and the co. brought in a sysadmin team, they told me that my box was one of *two* that looked normal; everyone else was a disaster (everyone had root, and/or directories scattered all over, including in /...). Leaving stuff in std. places is *not* security risk, it's making life easier. And remember, if you go on vacation, whoever has to take care of it will have to take the time to figure it out, rather than go to where everyone expects stuff. Oh, and php *certainly* requires configuration. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/2011 1:18 PM, Always Learning wrote: Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom? /etc/httpd/conf/httpd.conf has:- 112: Include conf.d/*.conf 126: User apache 127: Group apache 128: 129: # Section 2: 'Main' server configuration 130: 131: Include /data/config/apache/server.conf 132: 133: #- Section 3: Virtual Hosts --- 134: 135: include /data/config/apache/domain.* 136: 137: #-- OK, so you have just chosen to put your vhost confs in an alternate directory. There are sound reasons for doing that, like ease of backups and dumb minded restores that any low level tech could do. Me... I just do a single vhost.conf file for all virtual servers. Works fine for me thus far and there's less trash to look through when trying to find a conf file. All good. I backup all of /etc and am not worried as we have no dumb minded techs that would ever be doing a restore so don't need an easier solution. Doing what you are doing might be a simpler solution or a vastly more complex solution... all depending on the services running... upgrade frequency and how well everything works during those updates. It all depends on what the servers are doing. To suggest others follow in your footsteps however is very short sighted. Again, I would never tell you that you shouldn't do it your way. That would be very short sighted of me. The two includes in httpd.conf allows both areas to load, but does break 'alternative' installs, such as squirrelmail as just one of many examples (assuming you got rid of the /etc/httpd/conf.d include). So, yum install squirrelmail would not work without customization on your system, along with a number of other system wide tools one might want to run under apache. Python, php, manual, welcome, webalizer, ssl, squid, proxy_ajp, perl, cacti are all examples. Again though, adding in one new conf file for a temporary patch has nothing to do with how your servers are set up but how the vast majority of CentOS servers 'are' set up and to suggest an alternative area is just off the topic and potentially confusing to those that are trying to follow a step by step procedure down to the letter. I'm done with this this part of this thread and hope it can get back to what it was intended to do and that was simply how to avoid this DoS attack... NOT how to relocate where files are stored. I do recognize the merits of what you are doing. John Hinton ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 14:34 -0400, John Hinton wrote: OK, so you have just chosen to put your vhost confs in an alternate directory. There are sound reasons for doing that, like ease of backups and dumb minded restores that any low level tech could do. Thank you. To suggest others follow in your footsteps however is very short sighted. I have never, not once, suggested others copy my layout. The two includes in httpd.conf allows both areas to load, but does break 'alternative' installs, such as squirrelmail as just one of many examples (assuming you got rid of the /etc/httpd/conf.d include). We have no intention of using Squirrel Mail. So, yum install squirrelmail would not work without customization on your system, along with a number of other system wide tools one might want to run under apache. Python, php, manual, welcome, webalizer, ssl, squid, proxy_ajp, perl, cacti are all examples. We have no problems running Apache with MySQL, PHP, SSL ... to suggest an alternative area is just off the topic and potentially confusing to those that are trying to follow a step by step procedure down to the letter. I have never, not once, suggested others copy my layout. I do recognize the merits of what you are doing. Thank you. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 14:19 -0400, m.r...@5-cent.us wrote: If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd/conf/httpd.conf. We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday. I stay with std. practice, as much as I can. I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files. I slept with Frisch's Essential Systems Administration. from O'Reilly. I'll have a look but I prefer to sleep with someone who is warm and cuddly. Not sure a book is an adequate substitute however interesting the text may be :-) Oh, and php *certainly* requires configuration. Can't remember what I changed in /etc if I changed it. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Friday, August 26, 2011 03:02:06 PM Always Learning wrote: On Fri, 2011-08-26 at 14:19 -0400, m.r...@5-cent.us wrote: And you *are* customizing /etc/httpd/conf/httpd.conf. We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday. I stay with std. practice, as much as I can. I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files. What can you do with this setup that you can't with the standard way of putting those files, including other includes, in the standard /etc/httpd/conf.d/ directory? As the stock httpd.conf is already set up to do those automatic includes out of /etc/httpd/conf.d/, no customization nor special documentation is required to handle essentially everything you've said on this topic. If you put those individual vhost files in the /etc/httpd/conf.d/ directory, you don't have to do anything at all extra, and you don't have to document it, since it's already the standard way, which saves you time and money. (Or, to paraphrase a common rejoinder in NANOG, 'I encourage my competitors to do it that way.') You can have a single file per vhost, no problem, in /etc/httpd/conf.d/. You can back it up easily (/etc should be a stock part of everyone's backups, right?). You can subinclude, even making a subtree under the /etc/httpd/conf.d/ directory. And it's all already set up to just work with SELinux and the other RHEL (RHCE!) documented ways of doing things. And it IS the standard way of doing what you're saying is the way you do things. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Forget it. He won't listen and will continue to further his nonsensical methods of configuration with silly justifications that don't hold up. Please, just let him be right so he'll stop needing to get the last word in all the time and perhaps this thread can die. John -- Those who know do not speak; those who speak do not know. -- Tao pgpAqbK9XtR38.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 15:13 -0400, Lamar Owen wrote: And it IS the standard way of doing what you're saying is the way you do things. Thanks. Have a nice weekend. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/2011 3:02 PM, Always Learning wrote: Oh, and php *certainly* requires configuration. Can't remember what I changed in /etc if I changed it. It should be there in your documentation... ;) LOL!!! Me? My documentation is in my head... 'burned' into my brain, from following upstream's suggestions for the last 15 or more years. And yes that 'upstream book' has been revised over those years, but not everything. John ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 15:25 -0400, John Hinton wrote: On 8/26/2011 3:02 PM, Always Learning wrote: Oh, and php *certainly* requires configuration. Can't remember what I changed in /etc if I changed it. It should be there in your documentation... ;) LOL!!! Me? My documentation is in my head... 'burned' into my brain, from following upstream's suggestions for the last 15 or more years. And yes that 'upstream book' has been revised over those years, but not everything. With so much valuable information in your head, don't let Mark take you out to lunch in case you get food poisoning, run-over or mugged by a group of old pensioners ;-) I only wish I have come to Linux years ago. It is so refreshingly nice. Everything a real operating system should be and reminiscent of the once great Mainframes. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 14:19 -0400, m.r...@5-cent.us wrote: If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd /conf/httpd.conf. We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday. Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc We'll ignore the old Dilbert where, was it Dogbert or Dilbert, who stood on a chair, with their head over the top of the cube farm, and yelled out, HAS ANYONE RTFM?!, and got no answers I stay with std. practice, as much as I can. I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files. I slept with Frisch's Essential Systems Administration. from O'Reilly. I'll have a look but I prefer to sleep with someone who is warm and cuddly. Not sure a book is an adequate substitute however interesting the text may be :-) I did say that was in addition to my ...late... wife. Oh, and php *certainly* requires configuration. Can't remember what I changed in /etc if I changed it. Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php? mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 16:12 -0400, m.r...@5-cent.us wrote: Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable I've always been praised for my good documentation. http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc 404 Error File Not Found http://24.5-cent.us/egoless_documentation.doc - was that an IQ test ? I did say that was in addition to my ...late... wife. Sorry to learn of your loss. Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php? Not there on Centos 5.6 and /usr/local is empty. Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 15:25 -0400, John Hinton wrote: On 8/26/2011 3:02 PM, Always Learning wrote: snip I only wish I have come to Linux years ago. It is so refreshingly nice. Everything a real operating system should be and reminiscent of the once great Mainframes. You don't think they're still great? Check IBM, who's sales of m'frames keep up, and grow. Y'know, 'bout 10 years ago, using their VM (that they've had since the seventies...), one of their engineers found that he could comfortably run 32000 instances of Linux on one big iron, and only maxed it out at over 48000 VMs And, of course, IBM really, *really wants folks to use Linux. I mean, if *you* were Big Blue, would you want to support, uh, sys38/4000/RISC6000/AIX/DOS/VSE/SP/whatever letters in the last 15 years)/MVS/zOS... or just Linux? (You've grown your business, and need a bigger machine? Great! Here's the next large box, just throw it on, maybe just recompile, and no porting needed!) mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
Always Learning wrote: On Fri, 2011-08-26 at 16:12 -0400, m.r...@5-cent.us wrote: Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable I've always been praised for my good documentation. http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc 404 Error File Not Found http://24.5-cent.us/egoless_documentation.doc - was that an IQ test ? Sorry, typing too fast, had to go do actual work. g snip Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php? Not there on Centos 5.6 and /usr/local is empty. php used to get installed in one of those, back in RHEL 3. Of course, where I was, we had to actually *build* the damn thing, since out of the box didn't support encryption. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/26/11 2:16 PM, m.r...@5-cent.us wrote: And, of course, IBM really, *really wants folks to use Linux. I mean, if *you* were Big Blue, would you want to support, uh, sys38/4000/RISC6000/AIX/DOS/VSE/SP/whatever letters in the last 15 years)/MVS/zOS... or just Linux? (You've grown your business, and need a bigger machine? Great! Here's the next large box, just throw it on, maybe just recompile, and no porting needed!) they still push z/OS (the descendent of OS/370) as a primary mainframe OS for large scale database and batch processing, and AIX on Power servers for big database servers and such.Linux still has vertical scaling issues for larger workloads, and transaction processing doesn't scale well horizontally without massive complications. System/38 long ago (late 1980s) gave way to AS/400 which is now IBM i (aka i5/OS), and runs on the same Power servers as AIX, either virtualized or whole-iron. RS/6000 long ago was renamed pSeries or Power, and is hardware, which runs AIX, i, and Linux. but, i don't believe CentOS runs on Z (descendent of System/370) or Power (also known as PowerPC) architectures, so this is all off topic. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Fri, 2011-08-26 at 15:38 -0700, John R Pierce wrote: they still push z/OS (the descendent of OS/370) Whatever happened to IBM 360 and OS/360 ? Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/26/11 3:42 PM, Always Learning wrote: they still push z/OS (the descendent of OS/370) Whatever happened to IBM 360 and OS/360 ? circa 1970, virtual memory hardware was added and it became the System/370, and the various flavors of OS/360 became OS/VS1, OS/VS2, which became MVS, which spawned an endless train of eTLA's leading up to today's z/OS. Amazingly enough, many programs written in the 1960s for the MFT and MVT flavors of OS/360 still run on today's z/OS without any modifications or even recompilation. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/25/2011 05:33 PM, m.r...@5-cent.us wrote: Anyone have any idea how soon RHEL and CentOS will be releasing the patch package? keep an eye on this : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192#c5 - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thursday 25 Aug 2011, m.r...@5-cent.us wrote: Anyone have any idea how soon RHEL and CentOS will be releasing the patch package? Excerpt: Computerworld - Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program. The tool, called Apache Killer, showed up last Friday in a post to the Full Disclosure security mailing list. Today, the Apache project acknowledged the vulnerability that the attack tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. --- end excerpt --- http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm ins_of_DoS_attack_tool There are some work-around suggestions here: http://lwn.net/Articles/456268/ ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 12:33 -0400, m.r...@5-cent.us wrote:
Anyone have any idea how soon RHEL and CentOS will be releasing the patch
package?
Excerpt:
Computerworld - Developers of the Apache open-source project today
warned users of the popular Web server software that a denial-of-service
(DoS) tool is circulating that exploits a bug in the program.
http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm
ins_of_DoS_attack_tool
There are some work-around suggestions here:
http://lwn.net/Articles/456268/
Thanks Mark for the warning and also to Colin. I am sure CENTOS users
appreciate it. I certainly do.
The temporary fix is shown on several web sites as this, shown below,
added to Apache's conf file:-
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
I've done this on the Apache's main conf file and restarted it. httpd
appear to be working normally on reliable Centos 5.6.
Its great having a Centos mailing list where concerned Centos users can
post news about issues affecting other Centos users, even if the posting
user accidentally forgets to mention which version of Centos is
affected.
Have a nice day everyone.
Paul.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 13:31 -0700, Kenneth Porter wrote: --On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? I have a different set-up but I believe your suggestion should work. I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere. #-- Section 2: 'Main' server configuration - Include /data/config/apache/server.conf #--- Section 3: Virtual Hosts - include /data/config/apache/domain.* #-- Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 25 Aug 2011, Always Learning wrote: To: CentOS mailing list centos@centos.org From: Always Learning cen...@u61.u22.net Subject: Re: [CentOS] Apache warns Web server admins of DoS attack tool On Thu, 2011-08-25 at 13:31 -0700, Kenneth Porter wrote: --On Thursday, August 25, 2011 9:09 PM +0100 Always Learning cen...@u61.u22.net wrote: The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:- I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well? I have a different set-up but I believe your suggestion should work. I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere. #-- Section 2: 'Main' server configuration - Include /data/config/apache/server.conf #--- Section 3: Virtual Hosts - include /data/config/apache/domain.* #-- I've done something similar with the modules section, as that what appears to change the most between the default httpd.conf files :) #--- # Dynamic Shared Object (DSO) Support Include conf/dso-modules # The php install script will look in this file # for 'LoadModule' directives. # # To keep the php installer happy, we load the libphp5.so # module here, in this file. # LoadModule foo_module modules/mod_foo.so # LoadModule php5_modulemodules/libphp5.so LoadModule php5_modulemodules/libphp5.so #--- Kind Regards, Keith Roberts - Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] - ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/25/11 1:45 PM, Always Learning wrote: I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere. the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote: On 08/25/11 1:45 PM, Always Learning wrote: I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere. the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file. Hi John, No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments. 'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example /data/config/apache/server.conf /data/config/apache/domain.* means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files. I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters. As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability. Anyone who has ever worked on the nightmare called Windoze will know that one tiny fault in the Registry can cause the entire operating system to malfunction. Spreading the risk with Apache configuration files is my chosen method to minimise potential disruption and it works very successfully for me on Centos 5.3, 5.4, 5.5, 5.6 and hopefully on 5.7 and 6.1 et al. However you are entirely free to configure your servers as you wish. That same freedom extends to me too. Best regards, Paul. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 8/26/11, Always Learning cen...@u61.u22.net wrote: On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote: the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file. Hi John, No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments. 'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example /data/config/apache/server.conf /data/config/apache/domain.* means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files. I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters. As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability. I think you're misunderstanding John there? Rather than suggesting using a single large httpd.conf file, he seems to be just pointing out that the default config already includes any *.conf files inside the conf.d directory so you could just add the additional/sub .conf files in there for consistency. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache warns Web server admins of DoS attack tool
On 08/25/11 10:48 PM, Emmanuel Noobadmin wrote: I think you're misunderstanding John there? Rather than suggesting using a single large httpd.conf file, he seems to be just pointing out that the default config already includes any *.conf files inside the conf.d directory so you could just add the additional/sub .conf files in there for consistency. and modifying a config file thats part of the base RPM can easily cause issues downstream. if nothing else, an httpd update will leave a .rpmnew file there for you to puzzle over and match against your changes. by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications. but AlwaysTalking seems to know better. -- john r pierceN 37, W 122 santa cruz ca mid-left coast ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
