Anyone have any idea how soon RHEL and CentOS will be releasing the patch package?
Excerpt: Computerworld - Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.
The tool, called "Apache Killer," showed up last Friday in a post to the "Full Disclosure" security mailing list.
Today, the Apache project acknowledged the vulnerability that the attack tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. --- end excerpt ---
http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool
mark
On 08/25/2011 05:33 PM, m.roth@5-cent.us wrote:
Anyone have any idea how soon RHEL and CentOS will be releasing the patch package?
keep an eye on this : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192#c5
- KB
I don't see any mention of this in the CentOS announcements forum. I'd consider dropping the mailing list and switching to forums if this kind of warning appeared there.
On Thursday 25 Aug 2011, m.roth@5-cent.us wrote:
Anyone have any idea how soon RHEL and CentOS will be releasing the patch package?
Excerpt: Computerworld - Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.
The tool, called "Apache Killer," showed up last Friday in a post to the "Full Disclosure" security mailing list.
Today, the Apache project acknowledged the vulnerability that the attack tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. --- end excerpt ---
http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm ins_of_DoS_attack_tool
There are some work-around suggestions here: http://lwn.net/Articles/456268/
On Thursday 25 Aug 2011, Colin Coles wrote:
There are some work-around suggestions here: http://lwn.net/Articles/456268/
This has now been updated as original work-around was incomplete:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html
On Thu, 2011-08-25 at 12:33 -0400, m.roth@5-cent.us wrote:
Anyone have any idea how soon RHEL and CentOS will be releasing the patch package?
Excerpt: Computerworld - Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.
<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm ins_of_DoS_attack_tool>
There are some work-around suggestions here: http://lwn.net/Articles/456268/
Thanks Mark for the warning and also to Colin. I am sure CENTOS users appreciate it. I certainly do.
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
# Drop the Range header when more than 5 ranges. # CVE-2011-3192 SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range
# optional logging. CustomLog logs/range-CVE-2011-3192.log common env=bad-range
I've done this on the Apache's main conf file and restarted it. httpd appear to be working normally on reliable Centos 5.6.
Its great having a Centos mailing list where concerned Centos users can post news about issues affecting other Centos users, even if the posting user accidentally forgets to mention which version of Centos is affected.
Have a nice day everyone.
Paul.
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
On Thu, 2011-08-25 at 13:31 -0700, Kenneth Porter wrote:
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
I have a different set-up but I believe your suggestion should work.
I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere.
#-------------- Section 2: 'Main' server configuration -------------
Include /data/config/apache/server.conf
#--------------- Section 3: Virtual Hosts -------------------------
include /data/config/apache/domain.*
#----------------------------------------------------------------------
Paul.
On Thu, 25 Aug 2011, Always Learning wrote:
To: CentOS mailing list centos@centos.org From: Always Learning centos@u61.u22.net Subject: Re: [CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 13:31 -0700, Kenneth Porter wrote:
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
I have a different set-up but I believe your suggestion should work.
I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere.
#-------------- Section 2: 'Main' server configuration -------------
Include /data/config/apache/server.conf
#--------------- Section 3: Virtual Hosts -------------------------
include /data/config/apache/domain.*
#----------------------------------------------------------------------
I've done something similar with the modules section, as that what appears to change the most between the default httpd.conf files :)
#----------------------------------------------------------- # Dynamic Shared Object (DSO) Support Include conf/dso-modules
# The php install script will look in this file # for 'LoadModule' directives. # # To keep the php installer happy, we load the libphp5.so # module here, in this file.
# LoadModule foo_module modules/mod_foo.so # LoadModule php5_module modules/libphp5.so LoadModule php5_module modules/libphp5.so
#-----------------------------------------------------------
Kind Regards,
Keith Roberts
----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
On 08/25/11 1:45 PM, Always Learning wrote:
I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere.
the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file.
On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote:
On 08/25/11 1:45 PM, Always Learning wrote:
I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere.
the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file.
Hi John,
No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments.
'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example
/data/config/apache/server.conf /data/config/apache/domain.*
means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files.
I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters.
As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability.
Anyone who has ever worked on the nightmare called Windoze will know that one tiny fault in the Registry can cause the entire operating system to malfunction. Spreading the risk with Apache configuration files is my chosen method to minimise potential disruption and it works very successfully for me on Centos 5.3, 5.4, 5.5, 5.6 and hopefully on 5.7 and 6.1 et al.
However you are entirely free to configure your servers as you wish. That same freedom extends to me too.
Best regards,
Paul.
On 8/26/11, Always Learning centos@u61.u22.net wrote:
On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote:
the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file.
Hi John,
No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments.
'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example
/data/config/apache/server.conf /data/config/apache/domain.*
means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files.
I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters.
As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability.
I think you're misunderstanding John there? Rather than suggesting using a single large httpd.conf file, he seems to be just pointing out that the default config already includes any *.conf files inside the conf.d directory so you could just add the additional/sub .conf files in there for consistency.
On 08/25/11 10:48 PM, Emmanuel Noobadmin wrote:
I think you're misunderstanding John there? Rather than suggesting using a single large httpd.conf file, he seems to be just pointing out that the default config already includes any *.conf files inside the conf.d directory so you could just add the additional/sub .conf files in there for consistency.
and modifying a config file thats part of the base RPM can easily cause issues downstream. if nothing else, an httpd update will leave a .rpmnew file there for you to puzzle over and match against your changes. by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications.
but AlwaysTalking seems to know better.
On Thu, 2011-08-25 at 22:56 -0700, John R Pierce wrote:
by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications.
That is exactly the flexibility I have when I put my site specific Apache stuff in /data/config/apache
Paul.
On 8/26/2011 7:27 AM, Always Learning wrote:
On Thu, 2011-08-25 at 22:56 -0700, John R Pierce wrote:
by putting all your site specific configurations in various .conf files in the conf.d directory, your stuff is portable, and can be rpm deployed on any el system without complications.
That is exactly the flexibility I have when I put my site specific Apache stuff in /data/config/apache
Paul.
I think the point is making use of what is by default built in to apache on our CentOS boxes. And this is and has been for some time making use of the include directed to look in /etc/httpd/conf.d directory and read in any *.conf files in that directory. So, why try to teach somebody to use another structure and customization?
And why is this a good idea? Well, it does add complication in having multiple files to deal with. But the upside to that is it does reduce the number of edits to the main conf file. What is useful about this? Well, I do remember one time editing httpd.conf in Vi and after I finished Apache wouldn't restart. Panic of course immediately sets in when a webserver is not running and I looked and looked and looked and looked and couldn't find any problem with what I had done. Finally, after what seemed like an eternity, I found that I must have accidentally hit the 'x' key just after opening the file and had deleted the first '#' from the first line.
I was working on a new virtual server during that edit and just knew I hadn't edited anywhere else... so had been totally concentrating on the end of the conf file instead of really looking at the top. If this had been in vhost.conf, I could have easily moved vhost.conf to vhost.conf.bak and immediately known that it was not the problem... and actually, wouldn't have had the main conf open to start with so would never have made that mistake.
So, argue all you want, but many programs 'by default' add their apache conf files into /etc/httpd/conf.d so why not follow conventions? If you die, the next admin should know to look there first. And, removing or doing a temp something.conf.bak file quickly takes potential errors out of the equation. To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices?
John Hinton
On Fri, 2011-08-26 at 10:59 -0400, John Hinton wrote:
.... To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices?
Unlike some other installations everything is documented, so everyone knows. Keeping information a secret from other workers is not practised here.
Apache creates a default set-up. Default for those who need something which 'works out of the box'. Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places).
Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them.
If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable.
An English saying is: "Rules were made for the guidance of wise men but for the obedience of fools". Naturally I am not implying, nor would I, that anyone on this list are in the latter category. However I believe that saying makes a valid point.
Once upon a time people were killed for believing the world was not flat and if one sailed far enough their ship would drop-off the edge of the world. Blind and unthinking obedience and the intellectual inability to question and experiment are not conducive to the successful development and using of computers.
Please note I do not teach on here. I've already got a large workload :-)
Best regards,
Paul.
On Fri, Aug 26, 2011 at 10:37 AM, Always Learning centos@u61.u22.net wrote:
Apache creates a default set-up. Default for those who need something which 'works out of the box'.
'Apache' is infinitely configurable. It is the upstream/Centos distribution that provides a working base configuration that is also the expected base for a large number of optional packages.
Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places).
That's kind of irrelevant. The thing that matters in a distribution managed by a package manager is that the base and optional components don't conflict with each other. In many places the distribution handles this by splitting what might be one big file into a directory of included components so each package can manage its own optional components. Apache is one of these. There are a number of web applications available in the base and 3rd party repos that drop snippets of apache config into /etc/httpd.conf.d and if you add your own packages you can do the same without conflict as long as you choose a different filename.
Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them.
Your are kind of missing the point there. Do you also think /home belongs to the OS and put your own files elsewhere?
If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable.
That's equivalent to saying you should always install programs from source tarballs with 'configure; make; make install'. You can do that across different platforms, but that's probably much less important to most people than having automatic updates available from packages already well tested on your distribution. Once in a while there is a good reason to do something that isn't pre-packaged, but even then you don't have to do it in a way that is incompatible with existing packages.
Les,
There are no /home directories on our servers.
Data we create which is NOT essential for the operating system to function is usually not in an operating system directory.
'yum update' still works successfully.
Paul.
On Fri, Aug 26, 2011 at 11:13 AM, Always Learning centos@u61.u22.net wrote:
Les,
There are no /home directories on our servers.
I thought you were trying to give general advice - or that what you posted might be taken that way.
Data we create which is NOT essential for the operating system to function is usually not in an operating system directory.
That's interesting, but not a necessary condition for anything.
'yum update' still works successfully.
But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup?
On Fri, 2011-08-26 at 11:22 -0500, Les Mikesell wrote:
But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup?
Definitely. That is essential. Non-operating system customisations go in /data
Paul.
On Fri, Aug 26, 2011 at 11:30 AM, Always Learning centos@u61.u22.net wrote:
But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup?
Definitely. That is essential. Non-operating system customisations go in /data
But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out.
On Fri, 2011-08-26 at 11:46 -0500, Les Mikesell wrote:
But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out.
As previously mentioned everything is documented, so too is the logic for the decisions.
We do not willingly add anything to /etc/httpd/conf.d or to /var/www/html. Our chosen operating system does not require it.
Paul.
Always Learning wrote:
On Fri, 2011-08-26 at 11:46 -0500, Les Mikesell wrote:
But there is nothing related in those two statements. It would be equally true if you put your customizations in differently named files under /etc/httpd/conf.d and in directories under /var/www/html. The difference is that anyone familiar with the standard layout could look at a system and understand it quickly where your non-standard locations would have to be carefully documented and a new admin would need to waste time figuring it out.
<snip>
We do not willingly add anything to /etc/httpd/conf.d or to /var/www/html. Our chosen operating system does not require it.
"Does not require"?
I dunno. My current job, and the last two - that goes back to '06 - *all* did minimal changes to /etc/httpd/conf/httpd.conf, and put *everything* else in /etc/httpd/conf.d, including ssl.conf. IIRC, in fact, the package install puts proxy_agp.conf there.
Also, it makes things a *lot* cleaner to have website1.conf, website2.conf, etc in conf.d, rather than in one huge httpd.conf.
mark
On 8/26/2011 12:30 PM, Always Learning wrote:
On Fri, 2011-08-26 at 11:22 -0500, Les Mikesell wrote:
But, can you still 'yum install' any/all of the large number of packaged web applications from the base and 3rd party repos that will drop additional files into conf.d and expect a certain base setup?
Definitely. That is essential. Non-operating system customisations go in /data
OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up? Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom?
John
On Fri, 2011-08-26 at 12:47 -0400, John Hinton wrote:
OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up?
We do not use Squirrelmail.
Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom?
/etc/httpd/conf/httpd.conf has:-
112: Include conf.d/*.conf
126: User apache 127: Group apache 128: 129: #------------ Section 2: 'Main' server configuration ------------ 130: 131: Include /data/config/apache/server.conf 132: 133: #------------- Section 3: Virtual Hosts --------------------------- 134: 135: include /data/config/apache/domain.* 136: 137: #------------------------------------------------------------------
Paul.
Always Learning wrote:
On Fri, 2011-08-26 at 12:47 -0400, John Hinton wrote:
OK, so if you do an install of squirrelmail from a repo, is that operating system or customization? Where does squirrelmail.conf wind up?
We do not use Squirrelmail.
Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot. <snip>
mark
On Fri, 2011-08-26 at 13:37 -0400, m.roth@5-cent.us wrote:
Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot.
Mark,
I don't know about your systems but on ours
php gcc tomcat5
do NOT require customisation. Apache does. For example:-
ServerAdmin ServerName DirectoryIndex DefaultLanguage LanguagePriority and all the other site options
Keeping the bits that remain static separate from the bits that change per server is our choice.
Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running. For us deleting a virtual host is deleting one named text file. Adding a virtual host means creating one text file. Changing a virtual host means changing one file. Moving a virtual host to a different server or even to a different operating system means moving one file. Of course it requires a
service httpd restart or reload
Meanwhile nothing else is disrupted, or at risk of disruption or inadvertently altered. We like quickness, simpleness and easiness. Keep it plain and simple is our motive.
Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file.
Paul.
On Fri, Aug 26, 2011 at 1:00 PM, Always Learning centos@u61.u22.net wrote:
Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running.
No one has suggested otherwise. The question is, what do you gain by putting this file in a place where no one but you would know to look for it instead of the place that is conveniently provided? And for the things that might be sensitive to loading order, how do you control that with different include locations?
On 08/26/11 11:00 AM, Always Learning wrote:
Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file.
which part of /etc/httpd/conf.d/*.conf are you missing? Each vhost gets its OWN conf file, ideally packaged with the vhost's application files and depedencies as an RPM, so it can be deployed/undeployed by a single command, or included in a kickstart, or whatever...
there should be NOTHING in the main httpd.conf that needs changing, I haven't had to touch that file in years on any of my EL4/5/6 systems. I put global stuff in a /etc/httpd/conf.d/00globalstuff.conf (the *.conf files are loaded in sort order so a 00something file will get loaded before any others).
Always Learning wrote:
On Fri, 2011-08-26 at 13:37 -0400, m.roth@5-cent.us wrote:
Paul, you've completely missed what John was asking: what qualifies as o/s, and what qualifies as third party, or whatever? Which is apache, or php, or gcc, or tomcat5? Certainly, tomcat and httpd get fired off by root at system boot.
I don't know about your systems but on ours
php gcc tomcat5
do NOT require customisation. Apache does. For example:-
ServerAdmin ServerName DirectoryIndex DefaultLanguage LanguagePriority and all the other site options
Keeping the bits that remain static separate from the bits that change per server is our choice.
<shakes head> Yeah, but that's a very non-standard concept. If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd/conf/httpd.conf.
Putting virtual hosts, including those with sub-domains, in a individual 'domain name' text file ensures for us smooth running. For us deleting a virtual host is deleting one named text file. Adding a virtual host
Missed that part, but that's what I said everybody seems to do... but they do it in /etc/httpd/conf.d <snip>
Those who like dumping everything in one large text file can. I was speaking to a sys admin this week who has only 1,200 virtual hosts in the main Apache file.
So, you were speaking to the guy who was at the bottom of their class? That's inane.
I stay with std. practice, as much as I can. It works, too. The first time I ever did system admin, back in the mid-nineties, I'd worked in Unix for about 4 years, but never done admin work. For the next 9 or 10 mos, along with my wife, I slept with Frisch's Essential Systems Administration. from O'Reilly. When the division had grown from 4 teams to 27, and the co. brought in a sysadmin team, they told me that my box was one of *two* that looked normal; everyone else was a disaster (everyone had root, and/or directories scattered all over, including in /...).
Leaving stuff in std. places is *not* security risk, it's making life easier. And remember, if you go on vacation, whoever has to take care of it will have to take the time to figure it out, rather than go to where everyone expects stuff.
Oh, and php *certainly* requires configuration.
mark
On Fri, 2011-08-26 at 14:19 -0400, m.roth@5-cent.us wrote:
If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd/conf/httpd.conf.
We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday.
I stay with std. practice, as much as I can.
I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files.
I slept with Frisch's Essential Systems Administration. from O'Reilly.
I'll have a look but I prefer to sleep with someone who is warm and cuddly. Not sure a book is an adequate substitute however interesting the text may be :-)
Oh, and php *certainly* requires configuration.
Can't remember what I changed in /etc if I changed it.
Paul.
On Friday, August 26, 2011 03:02:06 PM Always Learning wrote:
On Fri, 2011-08-26 at 14:19 -0400, m.roth@5-cent.us wrote:
And you *are* customizing /etc/httpd/conf/httpd.conf.
We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday.
I stay with std. practice, as much as I can.
I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files.
What can you do with this setup that you can't with the standard way of putting those files, including other includes, in the standard /etc/httpd/conf.d/ directory? As the stock httpd.conf is already set up to do those automatic includes out of /etc/httpd/conf.d/, no customization nor special documentation is required to handle essentially everything you've said on this topic. If you put those individual vhost files in the /etc/httpd/conf.d/ directory, you don't have to do anything at all extra, and you don't have to document it, since it's already the standard way, which saves you time and money. (Or, to paraphrase a common rejoinder in NANOG, 'I encourage my competitors to do it that way.')
You can have a single file per vhost, no problem, in /etc/httpd/conf.d/. You can back it up easily (/etc should be a stock part of everyone's backups, right?). You can subinclude, even making a subtree under the /etc/httpd/conf.d/ directory. And it's all already set up to just work with SELinux and the other RHEL (RHCE!) documented ways of doing things. And it IS the standard way of doing what you're saying is the way you do things.
Forget it. He won't listen and will continue to further his nonsensical methods of configuration with silly justifications that don't hold up. Please, just let him be "right" so he'll stop needing to get the last word in all the time and perhaps this thread can die.
John
On 8/26/2011 3:02 PM, Always Learning wrote:
Oh, and php *certainly* requires configuration.
Can't remember what I changed in /etc if I changed it.
It should be there in your documentation... ;) LOL!!! Me? My documentation is in my head... 'burned' into my brain, from following upstream's suggestions for the last 15 or more years. And yes that 'upstream book' has been revised over those years, but not everything.
John
On Fri, 2011-08-26 at 15:25 -0400, John Hinton wrote:
On 8/26/2011 3:02 PM, Always Learning wrote:
Oh, and php *certainly* requires configuration.
Can't remember what I changed in /etc if I changed it.
It should be there in your documentation... ;) LOL!!! Me? My documentation is in my head... 'burned' into my brain, from following upstream's suggestions for the last 15 or more years. And yes that 'upstream book' has been revised over those years, but not everything.
With so much valuable information in your head, don't let Mark take you out to lunch in case you get food poisoning, run-over or mugged by a group of old pensioners ;-)
I only wish I have come to Linux years ago. It is so refreshingly nice. Everything a real operating system should be and reminiscent of the once great Mainframes.
Paul.
Always Learning wrote:
On Fri, 2011-08-26 at 15:25 -0400, John Hinton wrote:
On 8/26/2011 3:02 PM, Always Learning wrote:
<snip>
I only wish I have come to Linux years ago. It is so refreshingly nice. Everything a real operating system should be and reminiscent of the once great Mainframes.
You don't think they're still great? Check IBM, who's sales of m'frames keep up, and grow. Y'know, 'bout 10 years ago, using their VM (that they've had since the seventies...), one of their engineers found that he could comfortably run 32000 instances of Linux on one big iron, and only maxed it out at over 48000 VMs....
And, of course, IBM really, *really wants folks to use Linux. I mean, if *you* were Big Blue, would you want to support, uh, sys38/4000/RISC6000/AIX/"DOS/VSE/SP/<whatever letters in the last 15 years)>/MVS/zOS... or just Linux? (You've grown your business, and need a bigger machine? Great! Here's the next large box, just throw it on, maybe just recompile, and no porting needed!)
mark
On 08/26/11 2:16 PM, m.roth@5-cent.us wrote:
And, of course, IBM really, *really wants folks to use Linux. I mean, if *you* were Big Blue, would you want to support, uh, sys38/4000/RISC6000/AIX/"DOS/VSE/SP/<whatever letters in the last 15 years)>/MVS/zOS... or just Linux? (You've grown your business, and need a bigger machine? Great! Here's the next large box, just throw it on, maybe just recompile, and no porting needed!)
they still push z/OS (the descendent of OS/370) as a primary mainframe OS for large scale database and batch processing, and AIX on Power servers for big database servers and such. Linux still has vertical scaling issues for larger workloads, and transaction processing doesn't scale well horizontally without massive complications.
System/38 long ago (late 1980s) gave way to AS/400 which is now IBM i (aka i5/OS), and runs on the same Power servers as AIX, either virtualized or whole-iron. RS/6000 long ago was renamed pSeries or Power, and is hardware, which runs AIX, i, and Linux.
but, i don't believe CentOS runs on Z (descendent of System/370) or Power (also known as PowerPC) architectures, so this is all off topic.
On 08/26/11 3:42 PM, Always Learning wrote:
they still push z/OS (the descendent of OS/370)
Whatever happened to IBM 360 and OS/360 ?
circa 1970, virtual memory hardware was added and it became the System/370, and the various flavors of OS/360 became OS/VS1, OS/VS2, which became MVS, which spawned an endless train of eTLA's leading up to today's z/OS. Amazingly enough, many programs written in the 1960s for the MFT and MVT flavors of OS/360 still run on today's z/OS without any modifications or even recompilation.
Always Learning wrote:
On Fri, 2011-08-26 at 14:19 -0400, m.roth@5-cent.us wrote:
If you and the rest of your team go out to lunch, and are killed by food poisoning, or an out-of-control senior citizen, anyone walking in will take a good bit longer to find where all versions of *Nix normally put their configuration files, ain't. And you *are* customizing /etc/httpd
/conf/httpd.conf.
We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go to lunch and go on holiday.
Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable.... http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc We'll ignore the old Dilbert where, was it Dogbert or Dilbert, who stood on a chair, with their head over the top of the cube farm, and yelled out, "HAS ANYONE RTFM?!", and got no answers....
I stay with std. practice, as much as I can.
I do too but where there are multiple servers using almost the same setup, the changeable bits are 'included' and kept in individual files.
I slept with Frisch's Essential Systems Administration. from O'Reilly.
I'll have a look but I prefer to sleep with someone who is warm and cuddly. Not sure a book is an adequate substitute however interesting the text may be :-)
I did say that was in addition to my ...late... wife.
Oh, and php *certainly* requires configuration.
Can't remember what I changed in /etc if I changed it.
Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php?
mark
On Fri, 2011-08-26 at 16:12 -0400, m.roth@5-cent.us wrote:
Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable....
I've always been praised for my good documentation.
http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc
404 Error File Not Found
http://24.5-cent.us/egoless_documentation.doc - was that an IQ test ?
I did say that was in addition to my ...late... wife.
Sorry to learn of your loss.
Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php?
Not there on Centos 5.6 and /usr/local is empty.
Paul.
Always Learning wrote:
On Fri, 2011-08-26 at 16:12 -0400, m.roth@5-cent.us wrote:
Right. And you have a 100% confidence level that it will a) *always* be up to date, b) available, and c) actually readable....
I've always been praised for my good documentation.
http://24.5-cent.us/http://24.5-cent.us/egoless_documentation.doc
404 Error File Not Found http://24.5-cent.us/egoless_documentation.doc - was that an IQ test ?
Sorry, typing too fast, had to go do actual work. <g> <snip>
Oh, no, it used to be worse - I'd have to edit the sucker down in, where was it, /usr/lib/php, or /usr/local/lib/php?
Not there on Centos 5.6 and /usr/local is empty.
php used to get installed in one of those, back in RHEL 3. Of course, where I was, we had to actually *build* the damn thing, since out of the box didn't support encryption.
mark
On 8/26/2011 1:18 PM, Always Learning wrote:
Are you running two include lines in httpd.conf? One for /data/apache/custom and one for /etc/httpd/conf.d? Or maybe doing a ln from conf.d to custom? /etc/httpd/conf/httpd.conf has:-
112: Include conf.d/*.conf
126: User apache 127: Group apache 128: 129: #------------ Section 2: 'Main' server configuration ------------ 130: 131: Include /data/config/apache/server.conf 132: 133: #------------- Section 3: Virtual Hosts --------------------------- 134: 135: include /data/config/apache/domain.* 136: 137: #------------------------------------------------------------------
OK, so you have just chosen to put your vhost confs in an alternate directory. There are sound reasons for doing that, like ease of backups and dumb minded restores that any low level tech could do. Me... I just do a single vhost.conf file for all virtual servers. Works fine for me thus far and there's less trash to look through when trying to find a conf file. All good. I backup all of /etc and am not worried as we have no dumb minded techs that would ever be doing a restore so don't need an easier solution. Doing what you are doing might be a simpler solution or a vastly more complex solution... all depending on the services running... upgrade frequency and how well everything works during those updates. It all depends on what the servers are doing. To suggest others follow in your footsteps however is very short sighted. Again, I would never tell you that you shouldn't do it your way. That would be very short sighted of me.
The two includes in httpd.conf allows both areas to load, but does break 'alternative' installs, such as squirrelmail as just one of many examples (assuming you got rid of the /etc/httpd/conf.d include). So, yum install squirrelmail would not work without customization on your system, along with a number of other system wide tools one might want to run under apache. Python, php, manual, welcome, webalizer, ssl, squid, proxy_ajp, perl, cacti are all examples.
Again though, adding in one new conf file for a temporary patch has nothing to do with how your servers are set up but how the vast majority of CentOS servers 'are' set up and to suggest an alternative area is just off the topic and potentially confusing to those that are trying to follow a step by step procedure down to the letter.
I'm done with this this part of this thread and hope it can get back to what it was intended to do and that was simply how to avoid this DoS attack... NOT how to relocate where files are stored. I do recognize the merits of what you are doing.
John Hinton
On Fri, 2011-08-26 at 14:34 -0400, John Hinton wrote:
OK, so you have just chosen to put your vhost confs in an alternate directory. There are sound reasons for doing that, like ease of backups and dumb minded restores that any low level tech could do.
Thank you.
To suggest others follow in your footsteps however is very short sighted.
I have never, not once, suggested others copy my layout.
The two includes in httpd.conf allows both areas to load, but does break 'alternative' installs, such as squirrelmail as just one of many examples (assuming you got rid of the /etc/httpd/conf.d include).
We have no intention of using Squirrel Mail.
So, yum install squirrelmail would not work without customization on your system, along with a number of other system wide tools one might want to run under apache. Python, php, manual, welcome, webalizer, ssl, squid, proxy_ajp, perl, cacti are all examples.
We have no problems running Apache with MySQL, PHP, SSL ...
.... to suggest an alternative area is just off the topic and potentially confusing to those that are trying to follow a step by step procedure down to the letter.
I have never, not once, suggested others copy my layout.
I do recognize the merits of what you are doing.
Thank you.
Paul.
On 8/26/2011 12:13 PM, Always Learning wrote:
Les,
There are no /home directories on our servers.
Data we create which is NOT essential for the operating system to function is usually not in an operating system directory.
'yum update' still works successfully.
Paul.
All good that you customize your servers and that shows the beauty of our chosen OS. However, posting non-standard configs on this list shows up in google searches all over the place and has a good potential to confuse those that need some help. That's my point. Obviously your point is you can put them anywhere and your company has decided that is a best practice. I would never argue against your decision to do that.
Meanwhile, the original 'good suggestion' to use the /etc/httpd/conf.d directory for adding the patches has been totally watered down by this blathering (me included) which would best be under a totally different thread about how you can put stuff any where you want. Or, 'the merits of using a data directory'.
You don't teach? If you post, you teach... like it or not.
John Hinton
On Aug 26, 2011, at 8:37 AM, Always Learning wrote:
On Fri, 2011-08-26 at 10:59 -0400, John Hinton wrote:
.... To me, the use of this includes directory is simply good practice for multiple reasons. On this list, teaching best 'standard' practices is a good idea. Who is going to think to tell someone to go look in /data/config/apache for a configuration two years from now when something breaks due to following non-standard practices?
Unlike some other installations everything is documented, so everyone knows. Keeping information a secret from other workers is not practised here.
Apache creates a default set-up. Default for those who need something which 'works out of the box'. Apache then gives the creative person the facilities to experiment and, as you illustrated, the ability to minimise collateral disruption when something goes wrong when changing files (like the mouse wheel button pasting copied text into unwanted places).
Everything in, for example /data, is entire operating system independent. Simple. The operating system dependant parts of Apache are in the /etc /usr and /var directories, so they can be updated with other operating system revisions. Remember the /etc /usr /var directories are operating system directories, so we keep non-operating system items out of them.
If I wanted to move everything to another operating system, for example Solaris or BCD, everything in /data will work on the new operating system without changes ! Just needs a few quick changes to the operating system configuration files. Simple, Easy and Reliable.
An English saying is: "Rules were made for the guidance of wise men but for the obedience of fools". Naturally I am not implying, nor would I, that anyone on this list are in the latter category. However I believe that saying makes a valid point.
Once upon a time people were killed for believing the world was not flat and if one sailed far enough their ship would drop-off the edge of the world. Blind and unthinking obedience and the intellectual inability to question and experiment are not conducive to the successful development and using of computers.
Please note I do not teach on here. I've already got a large workload :-)
Best regards,
---- oy - no wonder you turn off selinux - you are determined to re-engineer things that were designed with logic and intent.
Perhaps you should use some other non-redhat type of distribution (debian/ubuntu) to get a feel for the fact that there actually is intelligent ways to plan out configuration files and gasp, in /etc/
Craig
On 8/25/2011 7:05 PM, Always Learning wrote:
On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote:
On 08/25/11 1:45 PM, Always Learning wrote:
I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf) into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located elsewhere.
the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf and any changes are expected to be made there rather than editing the stock file.
Hi John,
No Centos updates are likely to interfere with my Apache server options and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and laborious to read and fully understand especially with so many useful comments.
'including' the parts that do change and are not operating system dependant, meaning putting them somewhere which has no connection to the operating system, for example
/data/config/apache/server.conf /data/config/apache/domain.*
means, I believe, that if a change to one small file goes wrong then there is absolutely no danger to 'damaging' any of the other files and the source of the problem is quick and easy to identify. Thus 'change damage' is strictly limited to one small self-contained file and can not affect any of the other files.
I have too much experience of so-called collateral damage inadvertently caused to other parts of a file being changed. It costs time and money to trace and diagnose problems, so economically it is a good idea to eliminate as much as possible non-involved configuration parameters.
As you will have noticed Apache actually offers the ability to fragment configuration parameters to other files by supplying - for the benefit of people like me - the 'include' facility. If Apache never wanted folks to use this useful facility, it would never have offered the 'include' ability.
Anyone who has ever worked on the nightmare called Windoze will know that one tiny fault in the Registry can cause the entire operating system to malfunction. Spreading the risk with Apache configuration files is my chosen method to minimise potential disruption and it works very successfully for me on Centos 5.3, 5.4, 5.5, 5.6 and hopefully on 5.7 and 6.1 et al.
Which is why all of my server's config files are version controlled (I use FSVS with a SVN back-end repository, but there are dozens of tools).
Being able to diff your config files when you mangle it to the breaking point is a wonderful thing.
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
Hi,
Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore.
Works for me, YMMW.
Simon
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
Hi,
Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore.
Works for me, YMMW.
Sorry, forgot to mention that this is for EL4.
Simon
--On Thursday, August 25, 2011 9:09 PM +0100 Always Learning centos@u61.u22.net wrote:
The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-
I try to minimize changes to main files. Presumably putting that code in a separate file (eg. conf.d/RangeVulnerabilityWorkaround.conf) should work equally well?
Hi,
Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore.
Works for me, YMMW.
Sorry, forgot to mention that this is for EL4.
And while looking into it again I realize that my "solution" is not really a solution...
Simon
On Fri, 2011-08-26 at 08:13 +0200, Simon Matter wrote:
Attached is what I've put into /etc/httpd/conf.d/CVE-2011-3192.conf and I'll just remove it after the coming update is done. At least killapache.pl doesn't kill anymore.
Works for me, YMMW.
<IfModule mod_setenvif.c> SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range </IfModule>
Very useful. Thanks Simon.
I found the Range temporary solution stopped the loading of a MySQL table vua PHPmyAdmin,
m.roth@5-cent.us said the following on 25/08/11 18:33:
Anyone have any idea how soon RHEL and CentOS will be releasing the patch package?
Apparently Apache just released a patch: https://www.apache.org/dist/httpd/Announcement2.2.html
Source: http://nakedsecurity.sophos.com/2011/08/31/apache-2-2-20-released-to-fix-dos...
Ciao, luigi
-
Always Learning -
Colin Coles -
Craig White -
Emmanuel Noobadmin -
John Hinton -
John R Pierce -
John R. Dennison -
Karanbir Singh -
Keith Roberts -
Kenneth Porter -
Lamar Owen -
Les Mikesell -
Luigi Rosa -
m.roth@5-cent.us -
Simon Matter -
Thomas Harold