Spiga

Apache Timeout : Optimizations by limiting stale processes

Timeout is another keyword provided by Apache; it limits stale use of the server under three conditions:

1. The time an Apache process waits to receive a complete HTTP GET request.

2. The time it waits between TCP packets on a PUT or POST request.

3. The time it waits between ACKs while sending a response.

The default timer setting is 1200 seconds, but this can be altered based on the incoming requests to the server. A value of

Timeout 60

should be ideal for an active server.

RLimitCPU : CPU limiting for apache.

Another useful directive available with Apache: it limits the CPU time that processes forked by Apache may consume. The values are given in seconds, or as 'max', which uses the maximum the operating system allows. The directive takes one or two arguments: the first sets the soft limit, the optional second sets the hard (maximum) limit.

CPU resource limits are expressed in seconds per process.

Again, this applies to the processes forked from the Apache children (CGI scripts, SSI exec commands), not to the Apache server processes themselves.

RLimitCPU 60 120

should be ideal for normal and heavy PHP requests served by the server. You can also use the max value as required; the hard limit set by the operating system can only be raised when Apache is started as root.

Apache Optimization : Simple techniques

With the increase in the number of clients using the webserver it becomes an important step to optimize the normal webserver to its best to gain performance and to make efficient use of the resources. By default Apache does provide you with a few keywords which when used to its best can yield maximum usage of resources.

1. RLimitMEM

Normally the Apache server uses the memory limits specified by the operating system, although you will sometimes find them comparatively small or, on other occasions, very large. The RLimitMEM directive sets the memory that processes forked by the Apache server on a particular machine may use. The directive has been available since Apache 1.2 and is most useful when you find Apache using more server resources than it should.

RLimitMEM takes up to two arguments: the soft resource limit and the maximum (hard) resource limit. Values are in bytes, or you can use the keyword 'max' to allow the maximum memory the operating system permits.

RLimitMEM 1048576 2097152

should be ideal for a large server. Please note that once the hard limit is set to max and you wish to change it, you need to be root (or change the limit during the startup phase).

Again, the limit applies to all processes forked from the main process, which includes CGI and SSI exec programs, but not to the Apache server processes themselves, such as those doing logging.

Networking Tools on Windows

These are a set of command-line tools available on Windows for checking connectivity and modifying network details.

Display Connection Configuration: ipconfig /all

Display DNS Cache Info Configuration: ipconfig /displaydns

Clear DNS Cache: ipconfig /flushdns

Release All IP Address Connections: ipconfig /release

Renew All IP Address Connections: ipconfig /renew

Re-Register the DNS connections: ipconfig /registerdns

Change/Modify DHCP Class ID: ipconfig /setclassid


Network Connections: control netconnections

Network Setup Wizard: netsetup.cpl

Test Connectivity: ping www.whatismyip.com

Trace IP address Route: tracert

Displays the TCP/IP protocol sessions: netstat

Display Local Route: route

Display Resolved MAC Addresses: arp

Display Name of Computer Currently on: hostname

Display DHCP Class Information: ipconfig /showclassid

These can be used when instructing clients, or to check connectivity to the server.

Apache Mod_Rewrite: Basics & rule writing

The rewrite module is one of the most powerful tools available with Apache: it lets you reshape requests without touching the main server configuration and have sites behave the way you want. Here are the basics.

Regular-expression elements in use:

^ matches the start of the string, as in other Linux programs.

$ matches the end of the string.

. matches any single character.

(a|b) matches either a or b (alternation).

(abc) groups a section so it can be referenced later (as $1, $2, ... in the rule).

[abc] matches one character from the set a, b or c.

[^abc] matches one character NOT in the set a, b or c.

a? matches zero or one 'a'.

a* matches zero or more of a.

a+ matches one or more of a.

a{3} matches exactly 3 of a.

a{3,6} matches between 3 and 6 of a.

!pattern (a leading !) negates the pattern: the condition holds when the pattern does NOT match.


Redirection Header Code

Here are the HTTP status codes normally used in .htaccess redirection rules to produce the required result:

301 redirect permanently
302 redirect temporarily (the default when the R flag carries no code)
403 forbidden
404 not found
410 gone

Rewrite Rule Flags
The following flags are used when defining rules via .htaccess.

R[=code] redirect to a URL, with an optional status code (302 if omitted).
F sends a 403 Forbidden response.
G sends a 410 Gone ("no longer exists") response.
P passes the request to the proxy module (mod_proxy).
L last rule: stop processing the rule set.
N next round: restart the rules from the beginning with the rewritten URL.
C chain this rule with the next one.
T=mime-type forces the MIME type of the result.
NS skip the rule if the request is an internal sub-request.
NC case-insensitive matching (no case).
QSA append the original query string to the new URL.
NE do not escape the output.
PT pass through: hand the rewritten URI to the next handler.
S=x skip the next x rules.
E=var:value set an environment variable.

Condition Flags (RewriteCond)
NC - case-insensitive comparison.
OR - combine this condition with the next one as an alternative, instead of requiring both to hold.

Format of variables used
Here is the format of the variables available.

%{name of the variable}

The common list of variables in use are:

HTTP_USER_AGENT
HTTP_REFERER
HTTP_COOKIE
HTTP_FORWARDED
HTTP_HOST
HTTP_PROXY_CONNECTION
HTTP_ACCEPT

The details of requests in use are:

REMOTE_ADDR
REMOTE_HOST
REMOTE_USER
REMOTE_IDENT
REQUEST_METHOD
SCRIPT_FILENAME
PATH_INFO
QUERY_STRING
AUTH_TYPE

Server variables available are:

DOCUMENT_ROOT
SERVER_ADMIN
SERVER_NAME
SERVER_ADDR
SERVER_PORT
SERVER_PROTOCOL
SERVER_SOFTWARE

Time variables available are:

TIME_YEAR
TIME_MON
TIME_DAY
TIME_HOUR
TIME_MIN
TIME_SEC
TIME_WDAY
TIME

Special variables in use are:

API_VERSION
THE_REQUEST
REQUEST_URI
REQUEST_FILENAME
IS_SUBREQ

Directives in use are:

RewriteEngine
RewriteOptions
RewriteLog
RewriteLogLevel
RewriteLock
RewriteMap
RewriteBase
RewriteCond
RewriteRule

These are the main variables and details used for defining rules with Apache mod_rewrite to carry out modifications to a site without accessing or modifying the main Apache configuration.

Here are some common rules showing how the variables are used with RewriteRule:

1. When the site is permanently redirected to a different URL (the dots are escaped so they match literally):

RewriteCond %{HTTP_HOST} ^www\.domainname\.com$ [NC]
RewriteRule ^(.*)$ http://www.newdomainname/$1 [R=301,L]

2. When a page has moved temporarily (R without a code sends a 302; flags are separated by commas with no spaces):

RewriteRule ^page\.htm$ new_page [R,NC,L]
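As an added example, not from the original post, here is a .htaccess that puts the variables and flags listed above together; the host name example.com and the "BadBot" user-agent string are placeholders:

```apache
RewriteEngine On

# 1. Refuse HTTP methods the site never uses. F answers 403 Forbidden and L
#    stops further rule processing; "-" as the substitution leaves the URL alone.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F,L]

# 2. Block requests with an empty User-Agent OR a known-bad one. The [OR]
#    flag joins the two conditions; without it both would have to hold.
#    "BadBot" is a constructed placeholder, not a real scanner signature.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^BadBot [NC]
RewriteRule .* - [F,L]

# 3. Canonical host name: anything not already on www.example.com gets a 301
#    to it. NC makes the host comparison case-insensitive, QSA keeps the query
#    string, and the dots are escaped because an unescaped "." matches anything.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,QSA,L]

# 4. Stop other sites from embedding our images. Both conditions must hold
#    (no [OR]): a Referer is present AND it is not our own host.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# 5. Page moved temporarily: R alone sends 302; the old query string is kept.
RewriteRule ^old-page\.htm$ /new-page.htm [R,NC,L,QSA]
```

Rule order matters: the blocking rules come first so a forbidden request never reaches the redirects.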





Adding Mod_security with apache

ModSecurity is one of the most powerful tools in use for security maintenance on Apache servers; it is the most widely used and has one of the simplest installations.

Visit the url:

https://bsn.breach.com/account/login.php

use the username: Prasul
password : Prasul2004

>> Downloads section you should find the list of softwares available, check the

modsecurity-apache/

directory to find the list of software available, which includes the latest version as well as the previous 1.9.x versions. Once you have selected one, copy the link location and type the following command on the shell (without the quotes):

wget --no-check-certificate "the URL you copied"

here is what I have done:

cd /usr/local/src

wget --no-check-certificate https://bsn.breach.com/downloads/t=e75bb42feca2d6c5ef356f122d408872/modsecurity-apache/modsecurity-apache_2.1.3.tar.gz

This got me the file named modsecurity-apache_2.1.3.tar.gz, which I untarred using:

tar -xzvf modsecurity-apache_2.1.3.tar.gz
cd modsecurity-apache_2.1.3/

Here you will find two directories:

apache1 and apache2

Choose the folder based on the configuration and software in use. I am proceeding with apache2 since I have it running.

cd apache2/

Once you have this in place, check that the module unique_id is installed. The module is turned on in a default installation; if not, uncomment its entry in your httpd.conf file to enable the module and restart your Apache server.

Now you will need to use the command:

which libxml2

or

locate libxml2 (if you have updatedb running).

Otherwise, look for the headers under the /usr/include directory.
<<====== LibXML2 installation
If it is missing you can install it using the following simple steps:

cd /usr/local/src
wget http://xmlsoft.org/sources/libxml2-2.6.29.tar.gz
wget http://xmlsoft.org/sources/libxslt-1.1.21.tar.gz

tar -xzvf libxml2-2.6.29.tar.gz
cd libxml2-2.6.29/
./configure --prefix=/usr && make
make test
make install
cd ..
tar -xzvf libxslt-1.1.21.tar.gz
cd libxslt-1.1.21/
./configure --prefix=/usr && make
make install


You can run make test before make install to verify the build, but in most cases the above steps should be enough.

========>>

Now that you know the path to libxml2, enter the modsecurity directory and move to the apache2 directory there:

cd /usr/local/src/modsecurity-apache_2.1.3/apache2/
pico Makefile

Search for the INCLUDES line and update the location of libxml2 there:

INCLUDES=-I/usr/include/libxml2

Once this is done, save and exit the file and run the commands

make
/usr/local/apache2/bin/apachectl stop
make install

pico /usr/local/apache2/conf/httpd.conf

add the entry :

LoadModule security2_module modules/mod_security2.so

or can use:

LoadModule security_module /usr/lib/httpd/modules/mod_security.so

save and exit the file and start apache.

/usr/local/apache2/bin/apachectl start

Now you should have Apache up with ModSecurity loaded.
Make sure you keep a good copy of httpd.conf before adding the rules. The following are the basic rules; for further filtering I will add to this. Here is what is basically done:

Use an IfModule mod_security.c section, or use the Include clause, to pull the rules in:

cd /etc/modsecurity/
touch rules.conf
pico /usr/local/apache2/conf/httpd.conf

add the line:

Include /etc/modsecurity/rules.conf

or

Include conf.d/*.conf

Save and exit the file, then restart Apache. This should help you work out the configuration in a smooth way. To start with you can use the following set of rules:

pico /etc/modsecurity/rules.conf

Add the following entries:
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

"
"

This should be the basic setup for the module. I will add a few more rules for work.

< "IfModule" >

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

#And now, the rules
#Remove any of these Include lines you do not use or have rules for.

#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf

#Application protection rules
Include /etc/modsecurity/rules.conf

#Comment spam rules
Include /etc/modsecurity/blacklist.conf

#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf

#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf

#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf

#Signatures to prevent proxying through your server
#only use these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf

#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>

You can also check on the rulesets available at:
http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz

these should work perfectly with apache2.
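A caveat for the 2.1.3 build installed above: mod_security2 does not accept the 1.x SecFilter* directives used in the rule files (Apache refuses to start with an invalid-command error), so those rules only work with the 1.x mod_security.so. The following is an added example, not from the original post, of the same baseline written in 2.x syntax; the rule ids and log file names are my own choices.

```apache
<IfModule mod_security2.c>
    # Engine on; inspect request bodies (the 1.x SecFilterEngine /
    # SecFilterScanPOST switches). Response bodies are left alone.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # What a matching rule does unless it says otherwise: block, log, 403.
    # Phase 2 runs after the request body has been read.
    SecDefaultAction "phase:2,deny,log,status:403"

    # In 2.x the encoding and byte-range checks are ordinary rules, not
    # global switches like SecFilterCheckURLEncoding / SecFilterForceByteRange.
    # The ids are arbitrary values chosen for this example.
    SecRule ARGS "@validateUrlEncoding" \
        "id:900001,phase:2,t:none,msg:'Invalid URL encoding in arguments'"
    SecRule ARGS|REQUEST_HEADERS "@validateByteRange 1-255" \
        "id:900002,phase:2,t:none,msg:'Byte outside 1-255'"

    # Refuse methods the application never uses, as early as possible (phase 1).
    SecRule REQUEST_METHOD "^(?:TRACE|TRACK)$" \
        "id:900003,phase:1,t:none,deny,status:405,msg:'Method not allowed'"

    # Audit only transactions that were blocked or produced an error, and keep
    # the debug log quiet in production.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0

    # Banner masking; only takes effect if httpd.conf has "ServerTokens Full".
    SecServerSignature "NOYB"
</IfModule>
```

Test with "apachectl configtest" before restarting; a typo in a SecRule keeps the whole server from starting.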

Apache 2.2.6 Review

Apache Web Server- Introduction


The word Apache entered English via Spanish, but its ultimate origin is uncertain. The Apache project was responsible for producing the most reliable and efficient of the free web servers currently available. Because of its simplicity of use and the effectiveness of its configuration, the Apache HTTP server has been able to cover up to 50% of the total active web servers in the world.

The project is currently active under the Apache Software Foundation, which is responsible for the development, support and maintenance of the software. The software has been a success in large numbers and evolved into its next stage as version 2 of the basic software. Apache version 2, or apache2, will be the main point of discussion here. Going back to the history, the project name was chosen because Apache is the name of the American tribe best known for their extensive skills in warfare and endurance; for Apache, endurance has always been the active point of discussion. The project started with the codebase of NCSA HTTPd (the National Center for Supercomputing Applications web server, one of the earliest web servers, developed by a group of programmers led by Mr. Robert McCool). The NCSA project was later suspended in 1998, and since then the Apache foundation has removed the relevant code from the Apache web server. Apache server developers have not restricted themselves to one OS platform and have developed the software to its best functionality on UNIX, Linux, Solaris and Mac OS X. These have equal functionality and procedures available, which helps the user cover most cross-platform troubles. The Apache Software Foundation, aiming to achieve the best of development, has made the software an Open Source program, thus providing the software for free while still maintaining the best of reputations.

Mr. Robert McCool was responsible for the development of the first version of the software. He left the NCSA in mid-1994 and the code was available to the public. At a later stage, new patches and updates for the software were circulated via email. Apache underwent an overhaul in later development starting from 1995; with a significant effort from Mr. Rob Hartill and crew, new features like pre-forked child processes were developed, and later features like an API for better extensibility, pool-based memory allocation and an adaptive pre-forking process model were added, thus making it the best available. After beta testing and the addition of standard modules, Apache 1.0 was launched on December 1, 1995.

1.1 Evolution of the server

Development has continued up to the release of Apache 2.2, which includes the most changes and updates. Mailing lists remain the main source for updates and developments on the project, although the core members of the foundation still give their best to it. Apache 2.2 has made considerable changes to both the core program and the list of modules available for the software. Major features:

==>Bundled authentication and authorization modules have been updated. mod_authn_alias configurations should provide the best options for the new authentication.

==>Modules like cache, disk_cache and mem_cache have been updated, and the new htcacheclean tool is available for the new version of Apache.

==>Configuration files are now categorized. You now have separate configuration files rather than the single httpd.conf file that was the central point in earlier versions.

==>The GracefulShutdownTimeout directive has been added to the server to specify the timeout allowed for a graceful shutdown or restart.

==>A couple more features like proxies and the regular expression library have been updated.

==>The smart filter module is another important update; it allows the filter chain to be configured with rules that select filters based on a response header or environment variable. It now covers the dependencies with respect to the earlier release, apache2.0.

==>Apache can now go past the 2GB file limit it had in previous versions. Normally the service would stop at that point, but the latest release can serve files above the limit.

==>The Event MPM creates a separate thread for handling KeepAlive requests and accepting connections. This helps prevent timeout delays when accepting new connections.

==>It also introduces the new APR 1.0 API.


httpd -M

This option is quite remarkable: it lists the modules loaded into the current configuration. It has been very helpful in troubleshooting most of the Apache errors you will encounter during a run.


1.2 Installation


Installation instructions for the software will be simple and quite neat.


cd /usr/local/src
wget http://www.uniontransit.com/apache/httpd/httpd-2.2.6.tar.gz
tar -xzvf httpd-2.2.6.tar.gz
cd httpd-2.2.6
./configure --prefix=/usr/local/apache2
make
make install


The compile and installation should be as simple as that, although you will probably want additional configure options such as:

--enable-rewrite=shared   enables mod_rewrite as a shared module
--enable-speling=shared   enables mod_speling (URL spelling correction)
--enable-so               enables loading of .so (DSO) modules
--enable-cgi              enables CGI
--enable-usertrack        enables mod_usertrack (user tracking)
--enable-deflate          enables mod_deflate (output compression)
--enable-ssl              enables mod_ssl
--enable-mime-magic       enables mod_mime_magic




1.3 Configuration

Apache2 presents a modularized configuration of sites and functions which should keep the main configuration file clean and neat. You can add the virtual host entries to a different file without altering the main httpd.conf file. The location of the old settings does not change; you will still find the Apache configuration file at:
pico /usr/local/apache2/conf/httpd.conf

The attributes are similar to the old versions, and in addition you have a few more directives which should make the job easier. So the decentralization of the configuration has really helped. The module settings are the same as in previous versions: you use

LoadModule

or the traditional

AddModule, ClearModuleList

As you will be familiar you will find the following directives still active on the server and you will be able to configure it as per requirements:

  • Directory
  • DirectoryMatch
  • Files
  • FilesMatch
  • Location
  • LocationMatch
  • VirtualHost

Again you can use directives like

· AccessFileName

· AllowOverride

As for AllowOverride, whose function is often confused, please make sure it is placed inside <Directory> sections so that it takes full effect. You can still get the details of usage at:

http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Since these directives are already used with older versions of Apache, you should find them quite familiar.

"<" VirtualHost [2001:db8::a00:20ff:fea7:ccea]">"
ServerAdmin webmaster@host.example.com
DocumentRoot /www/docs/host.example.com
ServerName host.example.com
ErrorLog logs/host.example.com-error_log
TransferLog logs/host.example.com-access_log
"<"/VirtualHost">"


This will be an addition as it presents to you with the ipv6 format for address based addition of websites.

These are quite noticeable changes, although the review is only complete for the time being;
I am still working with the servers for details. Now for the exact review of the software: the installation worked fine and no errors were seen. I had installed this on the machine upgraded from Apache 1.3, so there was nothing to be added. I will have to try installing on a fresh machine to check this; meanwhile, if you do have trouble with these, please add comments so that I can keep the records updated.

The con of the software is its first-hand look when going from 1.3 to 2: when you view the details you may find it troublesome getting to the configuration files. You should find them in /usr/local/apache2/conf/sites/
and there are noticeable configuration updates there.

As for the security side, with respect to Secunia, the release is one of the most stable and most secure of the available configurations. Currently no hacks have been found against the software, and it also has the effective fix for the apache2 DDoS vulnerability. These are the merits of Apache 2.2. I will be constantly updating the thread with the issues I face. Hopefully at the end of the day we have a perfect fix, or maybe a new release.