Pedro's blog: db2, mysql, php, linux and performance


Protecting .svn folders with htaccess
09/04/2010, 21:01
Filed under: Apache, GNU/Linux, Security

After configuring a Subversion server for web projects you should take care of the .svn directories and files: how can I keep them out of reach of the open Internet? I found an easy way to do it with the .htaccess file:

RewriteEngine on
RewriteRule .*\.svn/.* - [F]

Don't forget to enable mod_rewrite. If you already use a catch-all rule such as

RewriteRule ^.*$

make sure the new rule is written first, so the .svn check runs before the catch-all:

RewriteRule .*\.svn/.* - [F]

RewriteRule ^.*$

Source: http://forum.webfaction.com/viewtopic.php?id=1069





phpMyAdmin and mod_security
15/03/2010, 21:08
Filed under: Apache, GNU/Linux, Security

Sometimes a high level of security on a website can be painful. In my case, I lost some phpMyAdmin functionality because of mod_security. The /var/log/httpd/modsec_debug.log said:

[15/Mar/2010:20:31:42 +0100] [thesite.com/sid#80082db8][rid#80643ac0][/phpMyAdmin/import.php][2] Warning. Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? …" at ARGS:prev_sql_query. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select * from `users`"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

[15/Mar/2010:20:31:42 +0100] [thesite.com/sid#80082db8][rid#80643ac0][/phpMyAdmin/import.php][2] Warning. Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? …" at ARGS:sql_query. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select * from `users` where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

[15/Mar/2010:20:31:42 +0100] [thesite.com/sid#80082db8][rid#80643ac0][/phpMyAdmin/import.php][1] Access denied with code 400 (phase 2). Pattern match "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:sql_query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "64"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

So I had to add some local rules to /etc/httpd/modsecurity.d/modsecurity_localrules.conf, removing exactly the two rule ids from the log, and only for the script that tripped them:

<LocationMatch "/phpMyAdmin/import.php">
    SecRuleRemoveById 950107
    SecRuleRemoveById 950001
</LocationMatch>
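The manual step above (read modsec_debug.log, note the rule ids and the request URI, write a LocationMatch block that removes only those ids for that URI) can be scripted. This is an added example, not code from the original post: it parses a constructed sample modelled on the log entries quoted above (patterns shortened, third entry invented for an unrelated URI) and renders the exception block for one URI only.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the modsec_debug.log entries quoted in the post.
# Patterns are shortened; the third entry is invented to show a hit on another URI.
SAMPLE_LOG = r"""
[15/Mar/2010:20:31:42 +0100] [thesite.com/sid#80082db8][rid#80643ac0][/phpMyAdmin/import.php][2] Warning. Pattern match "(?:\b(?:(?:s(?:elect ..." at ARGS:prev_sql_query. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select * from `users`"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
[15/Mar/2010:20:31:42 +0100] [thesite.com/sid#80082db8][rid#80643ac0][/phpMyAdmin/import.php][1] Access denied with code 400 (phase 2). Pattern match "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:sql_query. [file "/etc/httpd/conf/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "64"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
[15/Mar/2010:20:40:01 +0100] [thesite.com/sid#80082db8][rid#80643bb0][/index.php][1] Access denied with code 403 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect ..." at ARGS:q. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select 1 from dual"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
"""

# The request URI is the bracket group just before the "[level]" marker.
URI_RE = re.compile(r'\]\[(/[^\]]*)\]\[\d+\] ')
# id/msg/data are rendered as [name "value"] fields at the end of the entry.
FIELD_RE = re.compile(r'\[(id|msg|data) "([^"]*)"\]')


def parse_hits(text):
    """Return one dict per log entry that names a rule id (others are skipped)."""
    hits = []
    for line in text.splitlines():
        uri = URI_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if not uri or "id" not in fields:
            continue
        hits.append({"uri": uri.group(1), "rule_id": fields["id"],
                     "msg": fields.get("msg", ""), "data": fields.get("data")})
    return hits


def hits_by_uri(hits):
    """Map each request URI to the sorted list of rule ids it tripped."""
    by_uri = defaultdict(set)
    for h in hits:
        by_uri[h["uri"]].add(h["rule_id"])
    return {uri: sorted(ids) for uri, ids in by_uri.items()}


def exceptions_for(hits, uri):
    """Render a LocationMatch block that removes, for `uri` only, the rules it tripped.

    Returns "" when the log shows no hits for that URI, so nothing is exempted by accident.
    """
    ids = hits_by_uri(hits).get(uri)
    if not ids:
        return ""
    lines = ['<LocationMatch "^%s$">' % re.escape(uri)]   # anchored regex, dot escaped
    lines += ["    SecRuleRemoveById %s" % rid for rid in ids]
    lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(exceptions_for(parse_hits(SAMPLE_LOG), "/phpMyAdmin/import.php"))
```

Feeding the real log in place of SAMPLE_LOG gives the block to paste into modsecurity_localrules.conf; hits on other URIs (here /index.php) stay enforced.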

I restarted Apache and everything worked again!

Updated (16/03/2010):

I still ran into trouble, so I decided to disable mod_security entirely for the phpMyAdmin directory with this line in /etc/httpd/modsecurity.d/modsecurity_localrules.conf:

SecRule REQUEST_URI "^/phpMyAdmin" "phase:1,allow,ctl:ruleEngine=off"

The rule matches in phase 1 (request headers) and switches the rule engine off for that request, so none of the CRS rules are evaluated for anything under /phpMyAdmin.

Cheers!



Disable log on htaccess
30/01/2010, 9:45
Filed under: General, PHP, Security

How do you stop Apache from logging requests to one specific PHP script from the .htaccess file? Mark matching requests with an environment variable:

SetEnvIf Request_URI "^/yourdir/yourfile\.php$" dontlog

This only takes effect when the CustomLog directive in the server configuration is conditioned on that variable (env=!dontlog); the .htaccess line on its own just sets the variable.



Halt permission on Linux
11/12/2009, 14:58
Filed under: General, GNU/Linux, Security

Hey folks!

I had to give halt and reboot permissions to a Linux user, so let's talk about it:

Log in as root and run:

# visudo

This opens /etc/sudoers; add the following line:

%users YOURHOSTHERE = /sbin/halt, /sbin/reboot

And if you don't want to have to type a password each time, use this line instead:

%users YOURHOSTHERE = NOPASSWD: /sbin/halt, /sbin/reboot

Save and close the file.

Now every user in the users group (see /etc/group) can run the halt and reboot commands:

$ sudo /sbin/halt

$ sudo /sbin/reboot

If you don't want to type the sudo command every time, add these lines to the ~/.bash_profile of every user:

alias halt='sudo /sbin/halt'
alias reboot='sudo /sbin/reboot'

Done!

Source: https://www.linuxquestions.org/questions/slackware-14/halt-or-poweroff-permission-for-users-173360/