Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

Posted on in Categories Apache, Networking, News, PF Firewall, RedHat/Fedora Linux, Security Alert, UNIX, Windows server last updated June 19, 2009

Apache Security Update: a flaw in Apache can be used to carry out a DoS attack. Slowloris is a new Apache DoS tool that uses slow Internet links to bring down Apache servers, rather than flooding networks. Most DoS/DDoS tools require fast network connections, but this tool works with minimal bandwidth. It can cause a DoS on Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid, while MS IIS 6.0, IIS 7.0, and lighttpd are confirmed not vulnerable to this attack.

mod_compress: Lighttpd Gzip Compression To Improve Download and Browsing Speed

Posted on in Categories Apache, High performance computing, Howto, lighttpd, Linux, News, php, UNIX last updated April 26, 2008

Gzip compression reduces response times by reducing the size of the HTTP response. This document describes gzipping HTTP traffic, which can reduce the response size by about 70%. Approximately 90% of today’s Internet traffic travels through browsers that claim to support compression.

Download of the day: phpMyVisites free and open source websites statistics and analytics software

Posted on in Categories Apache, Download of the day, lighttpd, Linux, UNIX, Windows server last updated October 3, 2007

phpMyVisites is a free and powerful open source (GNU/GPL) package for website statistics and audience measurement. I’m currently using this software and it totally rocks. It gives out lots of information on website visitors, visited pages, and software/hardware utilization. The installation is entirely automated and very simple. I’m currently using the same software here. It is much better than the old AWstats package. Web analytics is the study of the behaviour of website visitors. In a commercial context, web analytics especially refers to the use of data collected from a web site to determine which aspects of the website work towards the business objectives; for example, which landing pages encourage people to make a purchase.

From the project home page:

phpMyVisites is web statistics software. It is also often called web analytics. phpMyVisites is open source and free. You can download it, install it on your webserver, and get your first statistics after 2 minutes! Then all these numbers may be very useful to improve your website results. If you understand how your visitors behave, if you try to analyse your audience and extract information from the web analytics reports, you can definitely boost your website!

Software features

  • A clean and user-friendly interface to present data and to aid in data analysis.
  • Clear and concise graphics presenting important information in an easy-to-understand format.
  • Free: phpMyVisites is completely free.
  • Precise visitor statistics over a period of time (day/week/month/year).
  • Visitor Frequency: new visitors, regular (known) visitors, and how often visitors view the web site.
  • Management of web site statistics and all file types (PDF, Image, etc.).
  • Web site page classification available (by groups, by subgroups, etc.).
  • Visitor Analysis: Statistics for pages where visitors leave the web site and for pages where the visitors enter the web site.
  • Geographical Statistics: Classification by continent/country (interactive world map).
  • Technical Configuration Statistics: Web browsers, resolution, managed plug-ins, etc.
  • Complete and clear statistics about web site discovery: How do visitors come to the web site?
  • Live Clearly Defined Web Site Discovery Tools: Search Engines, Web Sites, Partner Sites, Newsletters and Direct Access
  • Able to detect more than 300 internationally-used search engines and keyword associations.
  • Define web sites as partners and add an unlimited number of newsletters.
  • One software installation tracks all your websites.
  • Receive web site statistics every day by e-mail, by RSS feed, etc.
  • And much more...

You can see sample reports and screenshots here

Download phpMyVisites

You need a web server (such as Apache, Lighttpd, IIS, etc.) that supports the following:

  1. PHP > 4.3
  2. MySQL database
  3. GD library
  4. TTF support (FreeType), etc.

=> Visit official site to download phpMyVisites software.

Security breach: Facebook index.php source code leaked

Posted on in Categories Apache, Beyond nixCraft, Security last updated August 12, 2007

Facebook is one of the most famous web 2.0 portals, and its PHP source code was leaked on the Internet. This blog post has posted the index.php home page source code. According to Facebook:

Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way.

However, a misconfigured web server can easily hand out a PHP file to all end users.

Lighttpd web server setup custom PHP.INI file for each user or domain

Posted on in Categories Howto, lighttpd, Linux, RedHat/Fedora Linux, Ubuntu Linux, UNIX last updated July 16, 2007

You can give each user or domain its own php.ini file. There are two basic ways to do this:

a) Set up a chrooted jail for each domain; the user will get /etc/php.ini inside each jail
b) Set up an individual FastCGI instance for each domain along with its own php.ini

Let us say you have two domains as follows:

  1. theos.in: php.ini location /home/lighttpd/theos.in/php.ini
  2. cyberciti.biz: php.ini location /home/lighttpd/cyberciti.biz/php.ini
  3. /etc/php.ini: generic file for all other domains

You need to add the following directives to lighttpd.conf:

$HTTP["host"] =~ "(^|\.)theos\.in$" {
  server.document-root     = "/home/lighttpd/theos.in/http/"
  accesslog.filename       = "/var/log/lighttpd/theos.in/access.log"
  server.error-handler-404 = "/index.php?error=404"
  fastcgi.server = ( ".php" =>
    ((
      "bin-path" => "/usr/bin/php-cgi -c /home/lighttpd/theos.in/php.ini",
      "socket"   => "/home/lighttpd/theos.in/php-cgi.socket",
    ))
  )
}

$HTTP["host"] =~ "(^|\.)cyberciti\.biz$" {
  server.document-root     = "/home/lighttpd/cyberciti.biz/http/"
  accesslog.filename       = "/var/log/lighttpd/cyberciti.biz/access.log"
  server.error-handler-404 = "/index.php?error=404"
  fastcgi.server = ( ".php" =>
    ((
      "bin-path" => "/usr/bin/php-cgi -c /home/lighttpd/cyberciti.biz/php.ini",
      "socket"   => "/home/lighttpd/cyberciti.biz/php-cgi.socket",
    ))
  )
}

Note the option -c /path/to/my/custom/php.ini passed to /usr/bin/php-cgi. It forces PHP to look for php.ini in the directory path we specified instead of the system-wide /etc/php.ini.

Now end users can modify their own php.ini as per their requirements.

Pitfalls

  • Although a user can make changes to the php.ini file, you still need to restart the web server using root or equivalent privileges.
  • This may also open your box to new security issues, such as wrong php.ini settings, or a user loading arbitrary custom PHP modules.

You can apply the same approach to the Apache web server using a jail, or by using lighttpd FastCGI as a proxy.

Can someone steal my PHP script without hacking server?

Posted on in Categories Apache, Howto, lighttpd, Linux distribution, Networking, php, Security, Tips, Troubleshooting last updated May 2, 2007

Adarsh asks:

Can someone steal my PHP code or program without hacking my Linux box? Can someone snoop script over plain HTTP session?

The short answer is no. PHP is a server-side thing.

However, a misconfigured web server can easily hand out the PHP file to all end users. You need to make sure that mod_php / mod_fastcgi is loaded and the correct MIME type is set up. To avoid such problems, always test your server before moving to production. Most Linux distros configure both Apache and PHP out of the box.

How do I stop PHP source code from being downloaded?

The first step is to stop the web server.
# /etc/init.d/httpd stop
OR
# /etc/init.d/lighttpd stop

If you are using Lighttpd…

Next, bind the web server to 127.0.0.1 for testing purposes. Open the lighttpd web server config file and bind the server address to 127.0.0.1:
# vi /etc/lighttpd/lighttpd.conf
Bind to localhost/127.0.0.1:
server.bind = "127.0.0.1"
Start lighttpd:
# /etc/init.d/lighttpd start
Now follow these instructions to configure PHP as a FastCGI module. Then test your configuration using the URL http://127.0.0.1/test.php. PHP should work on the server. If it does not, refer to the server log file.

If you are using Apache…

Open httpd.conf and bind Apache to 127.0.0.1:
# vi httpd.conf
The Listen directive instructs Apache to listen on one or more IP addresses or ports; by default it responds to requests on all IP interfaces, but only on the port given by the Port directive.
Listen 127.0.0.1:80
Start apache:
# /etc/init.d/httpd start
Now make sure PHP is installed; use the rpm or dpkg command to verify:
# rpm -qa | grep -i php
OR
# dpkg --list | grep -i php
If PHP is not installed, follow these instructions to install PHP. Next, make sure httpd.conf or php.conf has the following directives:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

Note: the path may differ in your setup. Now restart httpd:
# /etc/init.d/httpd restart
A sample PHP page:

<HTML><HEAD><TITLE>PHP</TITLE></HEAD>
<BODY>
<?php phpinfo(); ?>
</BODY>
</HTML>

Finally, once PHP works properly, make sure you bind the server back from 127.0.0.1 to its public IP address.

Another option is to keep your source code outside the web root and serve all PHP requests from a PHP application server using mod_proxy and multiple back-end servers.
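The test above is done by hand by loading test.php in a browser. As an added example (not code from the original post), the Python script below does the same classification automatically: it decides from the Content-Type header and the body whether the .php page was executed or its source was handed back. The two sample responses are constructed; the live check assumes http://127.0.0.1/test.php from the procedure above and is only contacted when the file is run directly.

```python
# Classify a .php response: script executed, or source leaked (added example).
import urllib.error
import urllib.request

# Evidence the interpreter did not run: raw PHP tags in the body (an executed
# page that escapes them as &lt;?php will not match) or a PHP MIME type.
PHP_OPEN_TAGS = ("<?php", "<?=")
LEAK_MIME_TYPES = ("application/x-httpd-php", "application/x-php", "text/x-php")

def classify_response(status, content_type, body):
    """Return (verdict, reason) with verdict LEAK, OK or ERROR."""
    ctype = content_type.split(";")[0].strip().lower()
    if status >= 400:
        return "ERROR", "HTTP %d: handler not reached, check the server log" % status
    if ctype in LEAK_MIME_TYPES:
        return "LEAK", "file served with MIME type %s" % ctype
    if any(tag in body for tag in PHP_OPEN_TAGS):
        return "LEAK", "raw PHP tags present in the response body"
    return "OK", "no PHP source visible; the handler executed the script"

def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status, content_type, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip()
    return status, ctype, body.decode("utf-8", "replace")

def check_url(url="http://127.0.0.1/test.php"):
    """Fetch a live URL (assumed test page) and classify it; errors become ERROR."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.URLError as exc:
        return "ERROR", str(exc)

# Constructed sample responses: a misconfigured server handing back the source
# of the phpinfo() test page, and a correctly configured one that executed it.
LEAKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<HTML><BODY>\n<?php   phpinfo(); ?>\n</BODY></HTML>\n")
EXECUTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
            b"<html><body><h1>PHP Version 5.2.0</h1></body></html>\n")

if __name__ == "__main__":
    for raw in (LEAKED, EXECUTED):
        print(classify_response(*parse_raw_response(raw)))
    print(check_url())
```

Run it against the loopback-bound server before switching the bind address back to the public IP; a LEAK verdict means the AddType / FastCGI mapping is not in effect.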

How to optimize a web page for faster and better experience

Posted on in Categories Apache, High performance computing, Howto, lighttpd, Linux, Tips, Tuning, UNIX last updated March 21, 2007

You may have noticed that most of my web pages are loading a bit faster. Here is what I did:

a) Moved the CSS code to its own file and included it at the top of the page

b) Removed unnecessary (read as: fancy web 2.0 stupid stuff) external JavaScript snippets

c) Moved external JavaScript to the bottom of the page/template engine. For example, the Google Analytics JS code was moved to the bottom of the web page.

d) Turned on Apache gzip/mod_deflate compression

e) Turned on WordPress caching

f) Turned on PHP script caching (I’m using eAccelerator)

g) Tweaked MySQL for performance: turned on the query cache and other settings.

h) If possible, switch to lighttpd, or use squid / lighttpd as a caching server in front of good old Apache.

If you have tons of cash to burn (assuming that your web app demands performance):

  • Consider using a CDN (Content Delivery Network) such as Akamai or SAVVIS.
  • Server load balancing

However, there are some external JS script snippets, such as Google AdSense, which slow down the loading of a web page. In a few months I may roll out a new template, and I will try to fix this issue 🙂

I’m interested to know about other people’s experiences with web page optimization. Feel free to share your tips.