
Apache

Debian PHP 5 Security Issues

The Debian 5 php5 package has serious security issues, as follows:

To prevent Denial of Service attacks by exhausting the number of available temporary file names, the max_file_uploads option introduced in PHP 5.3.1 has been backported.

A few days ago I noticed that NFS performance between a web server node and the NFS server went down by 50%. NFS was optimized and the only thing that was updated was the Red Hat kernel v5.2. I also noticed the same trend on CentOS 5.2 64 bit edition.

The NFS server crashed each and every time the web server node tried to store large files of 20-100 MB each. Read performance was fine but write performance went to hell. Finally, I had to roll back the updates. Recently, while reading the Red Hat site, I came across the solution.

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5:

* a 50-75% drop in NFS server rewrite performance, compared to Red Hat
Enterprise Linux 4.6, has been resolved.

After upgrading the kernel on both server and client, my issue was resolved:
# yum update

This is the 3rd and final installment of the Urchin 6 web analytics software series. Once Urchin is installed, you need to configure tracking on your website. You need to install Urchin sensors, a small piece of JavaScript tracking code, on each of your website's pages. Usually all large sites use some sort of templating (themes) system.

Step # 1: Copy UTM files to webroot

You need to copy or softlink the urchin.js and __utm.gif files to the webroot from the /usr/local/urchin/util/utm directory. If your webroot is set at /home/lighttpd/cyberciti.biz/, enter:
# cp -v /usr/local/urchin/util/utm/* /home/lighttpd/cyberciti.biz/
Set appropriate file permissions:
# chown apache:apache /home/lighttpd/cyberciti.biz/urchin.js
# chown apache:apache /home/lighttpd/cyberciti.biz/__utm.gif

Step # 2: Add tracking HTML JS code in the HEAD section

On each page of your website, place the following tracking code right after any META tags in the HEAD section:

<script src="/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
  _userv=0;
  urchinTracker();
</script>

Also make sure each website or profile is set to Urchin Traffic Monitor (UTM) as the visitor tracking method.

Step # 3: Make sure Apache logs data with cookies

You need to enable cookies in your Apache logging. Add the following code to your httpd.conf file:

LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" urchin

Find the <VirtualHost> entry for the domain for which you wish to enable this new logging format. Deactivate any existing TransferLog or CustomLog entries within that <VirtualHost>. Then insert the following new CustomLog entry, replacing the log path shown with the path to your own log location:
CustomLog /var/log/httpd/cyberciti.biz/access.log urchin

A note about lighttpd web server

If you are using Lighttpd, add the following code to your lighttpd.conf file:

accesslog.format = "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""

Save and close web server configuration file. Restart the server:
# service httpd restart
OR
# service lighttpd restart
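
Logging %{Cookie}i writes the whole Cookie request header to the access log, so any application session cookie sent with a request is stored next to the __utm values. The following Python filter is an added example, not part of the original tutorial or of Urchin: it parses the urchin LogFormat shown above and replaces the value of every cookie whose name does not start with __utm. The __utm prefix, the sample log lines and the function names are assumptions made for illustration.

```python
import re

# Page's LogFormat "urchin":
# %h %v %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i"
Q = r'"(?:[^"\\]|\\.)*"'  # one quoted field; Apache writes an embedded quote as \"
LINE_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q + r') '
    r'"(?P<cookie>(?:[^"\\]|\\.)*)"$'
)
KEEP_PREFIX = "__utm"  # assumption: the UTM sensor's cookies all use this prefix


def redact_cookies(cookie_field):
    """Keep __utm* pairs verbatim, blank the value of every other cookie."""
    if cookie_field in ("", "-"):  # "-" is what Apache logs when the header is absent
        return cookie_field, 0
    out, redacted = [], 0
    for pair in filter(None, (p.strip() for p in cookie_field.split(";"))):
        name = pair.split("=", 1)[0]
        if name.startswith(KEEP_PREFIX):
            out.append(pair)
        else:
            out.append(name + "=REDACTED")
            redacted += 1
    return "; ".join(out), redacted


def scrub_line(line):
    """Return (scrubbed_line, redacted_count), or (None, 0) if the line does
    not parse: fail closed rather than pass an unknown line through."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None, 0
    cookie, count = redact_cookies(m.group("cookie"))
    return '%s "%s"' % (m.group("head"), cookie), count


# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 www.example.com - [10/Oct/2008:13:55:36 +0000] '
    '"GET /index.html HTTP/1.1" 200 2326 "http://www.example.com/" "Mozilla/5.0 (constructed)" '
    '"__utma=1.2.3.4.5.6; PHPSESSID=constructedsessionvalue; __utmz=1.2.3.4.utmcsr=(direct)"',
    '203.0.113.8 www.example.com - [10/Oct/2008:13:55:40 +0000] '
    '"GET /urchin.js HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)" "-"',
    'truncated line "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(scrub_line(raw))
```

Whether Urchin needs anything beyond the __utm cookies is not covered by the tutorial, so try the filter on a copy of the log first.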

How do I view reports?

Login to your account by visiting urchin admin url:
https://your.server.com:9999/
Click the Go To Report button to the right of each Profile Name to launch the reporting window for that Profile. The reporting window will allow you to view all available reports for the Profile i.e. website. Here is a sample report:

Fig.01: Urchin 6 Sample Report

Conclusion

This series has shown you how to install and configure Google Urchin 6 under Red Hat Enterprise Linux 5.x. I suggest reading the following section for more information.

Further readings:

Exploring Urchin Web Analytics Software

By default Urchin 6 is installed at /usr/local/urchin directory. You can change directory by typing the following command:
# cd /usr/local/urchin

Use urchinctl to control Urchin web server / scheduler

You will find urchinctl inside the bin directory. It is used to control the Urchin web server listening on TCP port 9999.

To start the Urchin webserver, enter:

# /usr/local/urchin/bin/urchinctl start

To restart the Urchin webserver, enter:

# /usr/local/urchin/bin/urchinctl restart
The above command is useful if you change the Urchin port or other settings.

To view the Urchin webserver and scheduler status, enter:

# /usr/local/urchin/bin/urchinctl status
Sample output:

Urchin webserver is running
Urchin MASTER scheduler is running
Urchin SLAVE scheduler is running

To stop the Urchin webserver, enter:

# /usr/local/urchin/bin/urchinctl stop

/usr/local/urchin/util/utm directory

You need to use the urchin.js and __utm.gif files to track the statistics. These files are also known as the UTM Sensor, which is nothing but a small amount of JavaScript code that accomplishes various tracking methods.

Automatically start / stop Urchin after RHEL reboot

You need to copy /usr/local/urchin/util/urchin_daemons file to /etc/init.d/ directory:
# cp /usr/local/urchin/util/urchin_daemons /etc/init.d/urchin
Set permissions:
# chmod +x /etc/init.d/urchin
Use the chkconfig tool to enable the service at boot. chkconfig is a simple command-line tool for maintaining the /etc/rc[0-6].d directory hierarchy; it relieves system administrators of the task of directly manipulating the numerous symbolic links in those directories.
# chkconfig urchin on

Now you can start, stop or restart Urchin services automatically.

Linux: Install Urchin 6 Web Analytics Software

Web analytics is the study of online behaviour in order to improve it. There are two categories: off-site and on-site web analytics. Google's Urchin 6 can be installed under Linux kernel 2.6 or 2.4 for Apache web log analysis. Urchin 6 is just like Google Analytics, the most widely used hosted web analytics system. It is targeted at ecommerce or enterprise users:

Urchin Software from Google analyzes traffic for one or more websites and provides easy-to-understand reports on your visitors - where they come from, how they use your site, what converts them into customers, and much more. If you have content behind a security firewall or on an intranet or internal network that prevents you from using the Google Analytics service, Urchin Software from Google is for you.

In this small tutorial you will learn about installing Urchin 6 Web Analytics under Red Hat Enterprise Linux 5.x.

Step #1: Download Urchin 6

Visit the official site to grab the latest Urchin 6 for Linux kernel 2.6. You can also use the wget command as follows:
$ cd /tmp
$ wget http://dl.google.com/urchin/current_urchin6_linux2.6_kernel.zip

Step #2: Create MySQL database to store urchin data

First, connect to mysql server, enter:
$ mysql -h server-ip -u root -p
OR
$ mysql -u root -p
Once connected, type the following two commands to create the urchin database:
mysql> create database urchin character set utf8;
Create urchin user and grant all permissions:
mysql> GRANT ALL ON urchin.* to 'urchin'@'localhost' IDENTIFIED BY 'mySecreteUrchinPassword';
mysql> quit;

Step #3: Install Urchin

Untar urchin software:
$ unzip current_urchin6_linux2.6_kernel.zip
$ mkdir urchin
$ tar -zxvf urchin6402_linux2.6_kernel.tar.gz -C urchin

Install urchin software, enter:
$ cd urchin
$ ./install.sh

Follow the on-screen instructions. At the end you should see information as follows:

Installation Directory: /usr/local/urchin
Webserver Port: 9999
Webserver User: nobody
Webserver Group: nobody
SQL Server Type: mysql
SQL Server: 127.0.0.1
SQL Port: 3306
SQL Database: urchin
SQL User: urchin
SQL Password: (set but not displayed)
Initialize configuration database during install: Yes
Automatic monthly geodata updates: Yes
Start Webserver and Scheduler: Yes
Please select continue or exit [Default: 1]
   1. Continue
   2. Exit
Installing Urchin
Configuring Urchin to use existing SQL server
-- Initializing SQL database for Urchin
-- Configuring SQL parameters in urchin.conf
Creating webserver configuration
Setting file ownership and permission
Starting the Urchin webserver and scheduler daemon
Urchin webserver started on port 9999
Urchin SLAVE scheduler started
Urchin MASTER scheduler started
------------------------------------------------------------------------
-- Installation Complete
------------------------------------------------------------------------
The Urchin administrative interface should be ready to use at
   http://sun.simplyguide.org:9999/
To start or stop the Urchin webserver or scheduler, run 'urchinctl start'
or 'urchinctl stop' from the installation bin directory.
The administrative interface default username is admin and the password
is urchin.  A wizard will direct you through the process of licensing
the product and changing the default password.  We strongly recommend
that you change the default value to something more secure.

Configure Urchin

You need to open the default port using iptables. Here is a sample rule; adjust it according to your setup:
/sbin/iptables -A INPUT -i ${PUB_IF} -p tcp --destination-port 9999 -j ACCEPT
Next, type the following url to start the Urchin administrative interface:
http://your-server-ip.com:9999/
OR
https://your-server-ip.com:9999/

Fig.01: Urchin 6 Login Screen

The default username is admin and the password is urchin. A wizard will direct you through the process of licensing the product and changing the default password. You must obtain a license from Urchin software authorized consultants.

Microsoft Backs Apache and Open Source

In the past Microsoft has been hostile to the open source movement. But at OSCON, Microsoft announced their sponsorship of "The Apache Software Foundation", joining Google and Yahoo! at Platinum level. Microsoft donated US $100k (the minimum requirement; MS did not disclose how much money it had contributed) to the Apache foundation. This sponsorship will enable the ASF to pay administrators and other support staff so that ASF developers can focus on writing great software.

According to Sam Ramji:

It is not a move away from IIS as Microsoft’s strategic web server technology. We have invested significantly in refactoring and adding new, state-of-the-art features to IIS, including support for PHP. We will continue to invest in IIS for the long term and are currently under way with development of IIS 8.

It is a strong endorsement of The Apache Way, and opens a new chapter in our relationship with the ASF. We have worked with Apache POI, Apache Axis2, Jakarta, and other projects in the last year, and we will continue our technical support and interoperability testing work for this open source software.

If you notice a lot of extra "MSIE 6.0" agents in your Apache web server log, try the following .htaccess code (hat tip to pixelbeat):

RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]