UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Posts for tag 'solaris 10'

Installing mod_evasive with Sun’s Webstack

Looking for UNIX and IT expertise? Why not get in touch and see how we can help?

I’ve been running Webstack builds on some of my servers for a while now, and have been pretty happy with the performance and the ease of configuration. One of my webhosts deals with some pretty high traffic, and odds are that such a visible machine will sooner or later come under a DoS attack.

mod_evasive is an Apache module specifically designed to deal with this. From the author’s site:

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

So this is how you go about installing mod_evasive when using Sun’s Webstack build of Apache. Apache’s extension tool (apxs) makes this a quick and simple task, but bear in mind that you will need the Sun Studio compiler installed on your build box. Because you’re not throwing this together on a live webserver, right?

Just to provide the numbers for the build environment I’ve used in this example – I’ve got Sun Studio 12 Update 1 installed, and the box is running Solaris 10 10/09, with Webstack 1.5, which gives me Apache 2.2.11. However there’s nothing too specific, version wise, in any of this, and the process should be pretty much the same for different versions of Webstack and Solaris 10.

First of all, head on over to Jonathan Zdziarski’s site to download the latest version (1.10.1 as of writing this). It comes down over plain HTTP with nothing to verify it against, so do the download on the build box and keep the exact tarball you built from, so that whatever ends up on the production server can be reproduced later.

bash-3.00# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
--09:29:02--  http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
           => `mod_evasive_1.10.1.tar.gz'
Resolving www.zdziarski.com... 209.51.159.242
Connecting to www.zdziarski.com|209.51.159.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,454 (20K) [application/x-tar]

100%[====================================>] 20,454        62.37K/s            

09:29:03 (62.25 KB/s) - `mod_evasive_1.10.1.tar.gz' saved [20454/20454]

Then uncompress the archive and extract the files:

bash-3.00# gzcat mod_evasive_1.10.1.tar.gz | tar -xvf -
x mod_evasive, 0 bytes, 0 tape blocks
x mod_evasive/.cvsignore, 26 bytes, 1 tape blocks
x mod_evasive/LICENSE, 18103 bytes, 36 tape blocks
x mod_evasive/Makefile.tmpl, 470 bytes, 1 tape blocks
x mod_evasive/README, 14269 bytes, 28 tape blocks
x mod_evasive/mod_evasive.c, 19395 bytes, 38 tape blocks
x mod_evasive/mod_evasive20.c, 18242 bytes, 36 tape blocks
x mod_evasive/mod_evasiveNSAPI.c, 15621 bytes, 31 tape blocks
x mod_evasive/test.pl, 406 bytes, 1 tape blocks
x mod_evasive/CHANGELOG, 1373 bytes, 3 tape blocks

With Webstack, apxs can be found at /opt/webstack/apache2/2.2/bin/apxs

Important point here – if you expect this to work, you’ll need at least the following setup before you call apxs, so that it can find the Sun Studio compiler and the SVR4 linker and ar in /usr/ccs/bin:

bash-3.00# export PATH=/usr/ccs/bin:/opt/sunstudio12.1/bin:$PATH

Then, from inside the extracted mod_evasive directory, simply call apxs and get it to compile (-c), install (-i) and activate (-a) the Apache 2.x version of the module, mod_evasive20.c. The other two sources in the tarball are not what you want here: mod_evasive.c is the Apache 1.3 version and mod_evasiveNSAPI.c is for NSAPI servers such as Sun Java System Web Server.

bash-3.00# /opt/webstack/apache2/2.2/bin/apxs -cia mod_evasive20.c

apxs will compile the module, copy it into place, and finish with this message:

[activating module `evasive20' in /etc/opt/webstack/apache2/2.2/conf.d/modules-32.load]

And sure enough, the module is now listed in the 32-bit module list (that is what the -32 suffix means, so check that this is the httpd build you actually run):

bash-3.00# grep evasive /etc/opt/webstack/apache2/2.2/conf.d/modules-32.load
LoadModule evasive20_module   /var/opt/webstack/apache2/2.2/libexec/mod_evasive20.so

Looking good so far, but we have a final chunk of configuration to put into place. mod_evasive needs a few tunables added to control how it responds to traffic; with Webstack the natural place for them is a new .conf file in /etc/opt/webstack/apache2/2.2/conf.d/, next to the module list apxs just edited. These are sensible defaults which I’d recommend trying out initially:

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

What these do: DOSPageCount and DOSPageInterval bound how often one client address may request the same URI within an interval, DOSSiteCount and DOSSiteInterval do the same for requests to any URI on the site, and a client that trips either limit gets a 403 for every request for DOSBlockingPeriod seconds, with that period restarting on each request it makes while blocked, so a client that keeps hammering stays blocked until it backs off. DOSHashTableSize just sizes the lookup table, and 3097 is the built-in default.

Two things to bear in mind before you rely on this. The hit table lives in each httpd child process separately, not in shared memory, so with a prefork httpd the thresholds are effectively per child and a client whose connections are spread across many children will get further than these numbers suggest. And the module keys everything on the client address as Apache sees it, so a reverse proxy or load balancer in front of the server makes all of its traffic look like one address, and users behind a busy NAT gateway get blocked as a group. Put your monitoring hosts, and anything else that legitimately hammers the server, in a DOSWhitelist line.

I highly recommend reading through the README that came with the source, and then keeping a sharp eye on what your webserver does, to see if you need to tweak any defaults. I’d also suggest adding the email alerting option inside the IfModule configuration:

DOSEmailNotify    [email protected]

The notification is handed to /bin/mail, so the box needs working local mail. Note also that when the module blocks an address it drops a lock file named dos-<address> in DOSLogDir (/tmp unless you set it), and it won’t log, mail or run DOSSystemCommand for that address again while the file exists. Set DOSLogDir to a directory only the httpd user can write to (a world-writable /tmp lets any local user pre-create those files and silence the alerts), and have a cron job clear old lock files out, otherwise you get exactly one alert per address, ever.
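To see how those tunables interact before putting them on a server, here is an added example, not code from this page or from mod_evasive itself: a Python re-implementation of the decision logic in the access checker of mod_evasive20.c, with the page’s recommended values as defaults. It simplifies two things: DOSWhitelist is reduced to an exact-address match (the module also accepts trailing-wildcard patterns), and there is one table here where the real module has one per httpd child. The client addresses are constructed from the TEST-NET-1 range.

```python
"""Offline model of mod_evasive's per-client blocking decision.

Added example: re-implements the decision logic of the access checker in
mod_evasive20.c so the tunables can be tried without a web server.
Simplifications: exact-match whitelist only, and a single hit table
(the real one is private to each httpd child). Addresses are constructed.
"""


class EvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10, whitelist=()):
        # Defaults are the values recommended on this page.
        self.page_count = page_count
        self.site_count = site_count
        self.page_interval = page_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        # key -> [last_seen, count]; keys are "<ip>" (on hold),
        # "<ip>_<uri>" (per page) and "<ip>_SITE" (whole site).
        self.table = {}
        # Addresses that tripped a block, recorded once each, like the
        # dos-<ip> lock files that gate the module's syslog/email alert.
        self.blacklisted = []

    def _hit(self, key, now, interval, limit):
        """Count one hit on `key`; True if `limit` hits were already counted
        within `interval` seconds of the previous hit. A hit arriving after
        the interval has lapsed restarts the count."""
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [now, 0]
            return False
        last, count = entry
        tripped = (now - last) < interval and count >= limit
        if (now - last) >= interval:
            count = 0
        self.table[key] = [now, count + 1]
        return tripped

    def request(self, ip, uri, now):
        """Status code (200 or 403) for one request at time `now` (seconds)."""
        if ip in self.whitelist:
            return 200
        hold = self.table.get(ip)
        if hold is not None and (now - hold[0]) < self.blocking_period:
            # Already on hold: refuse, and restart the blocking period.
            hold[0] = now
            return 403
        # Both counters are updated on every request, not just until one trips.
        page_tripped = self._hit(ip + "_" + uri, now, self.page_interval, self.page_count)
        site_tripped = self._hit(ip + "_SITE", now, self.site_interval, self.site_count)
        if not (page_tripped or site_tripped):
            return 200
        self.table[ip] = [now, 0]          # put the address on hold
        if ip not in self.blacklisted:
            self.blacklisted.append(ip)
        return 403


def burst_demo():
    """Status codes, in order, for one client under the page's settings:
    four hits on one page in the same second, two retries while on hold,
    then one request after a full blocking period of quiet."""
    m = EvasiveModel()
    ip = "192.0.2.10"
    codes = [m.request(ip, "/index.html", 0) for _ in range(4)]
    codes.append(m.request(ip, "/index.html", 5))   # hold restarted at t=5
    codes.append(m.request(ip, "/other", 14))       # 9 s later: still held
    codes.append(m.request(ip, "/index.html", 24))  # 10 s of quiet: let in
    return codes


def site_limit_demo():
    """Distinct URIs from one client in the same second: the 1-based number
    of the first request refused under DOSSiteCount 50."""
    m = EvasiveModel()
    for i in range(1, 200):
        if m.request("192.0.2.20", "/page%d" % i, 0) == 403:
            return i
    return None


if __name__ == "__main__":
    print("burst:", burst_demo())                   # [200, 200, 200, 403, 403, 403, 200]
    print("first site-limit 403 at request", site_limit_demo())   # 52
```

Two things the run makes visible that the numbers alone don’t: the first 403 arrives at DOSPageCount + 2 requests (the fourth hit on a page with DOSPageCount 2, the 52nd distinct URI with DOSSiteCount 50), because the first request only creates the counter and the check runs before the increment; and retries at t=5 and t=14 keep a client blocked well past the ten seconds of DOSBlockingPeriod, while ten quiet seconds are enough to be let back in.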

Now you just need to restart Apache:

bash-3.00# svcadm restart sun-apache22
bash-3.00# svcs sun-apache22
STATE          STIME    FMRI
online          9:56:05 svc:/network/http:sun-apache22

mod_evasive comes with a test script – test.pl – and I’d recommend running that in your test/build environment, to check that everything works as it should. It hard-codes 127.0.0.1 port 80, so run it on the web server itself: it opens a fresh connection for each of a hundred-odd quick GETs for / and prints the status line it gets back. With the settings above the first few should come back 200 OK and the rest 403 Forbidden (exactly how many get through depends on how the connections are spread across httpd children), and you should find a matching “client denied by server configuration” entry in Apache’s error_log and a “Blacklisting address 127.0.0.1” alert from mod_evasive in syslog. Afterwards, delete the dos-127.0.0.1 lock file from DOSLogDir, otherwise you’ll never get another notification for that address.

Hopefully this has shown how easy it is to build mod_evasive DoS protection into Sun’s Webstack build of Apache running on Solaris 10.

Free Solaris 10 security training

Over on his blog at Sun, Glenn Brunette has announced he’s published a new version of the Solaris 10 Security Deep Dive training. He’s updated it to cover new features and tools available in the latest 10/09 release of Solaris 10.

The updated Deep Dive includes things like nss_ldap support for the shadowAccount object class, ZFS quotas, and an example of using Solaris Trusted Extensions. As usual it’s well written and aims to expose a huge amount of technology very quickly – so grab a copy and have a read through.

You can grab the PDF here or the OpenOffice version here.

Glenn’s blog at Sun is well worth subscribing to if you want to keep on top of general security issues and discussions, and if you like the latest Deep Dive update be sure to drop him a line.

Finding the WWN in Solaris followup – making it easier

In the previous post I listed the ‘long way round’ to find out the WWN from active HBA links in Solaris. The commands I listed before will work on all recent releases of Solaris. If you’re able to migrate to Solaris 10, you can make things easier for yourself.

cfgadm will take a verbose flag, which will print out a listing that includes the full device path. This will definitely work on Solaris 9 and 10 – I’m afraid I don’t have an 8 box to test though.

bash-3.00# cfgadm -lv 
Ap_Id                          Receptacle   Occupant     Condition  Information
When         Type         Busy     Phys_Id
c0                             connected    configured   unknown
unavailable  scsi-bus     n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:scsi
c1                             connected    configured   unknown
unavailable  scsi-bus     n        /devices/[email protected]/[email protected]/[email protected]/[email protected],2/LSILogic,[email protected]:scsi
c2                             connected    configured   unknown
unavailable  fc-private   n        /devices/[email protected]/[email protected]/[email protected]/SUNW,[email protected]/[email protected],0:fc
c3                             connected    unconfigured unknown
unavailable  fc           n        /devices/[email protected]/[email protected]/[email protected]/SUNW,[email protected],1/[email protected],0:fc
c4                             connected    configured   unknown
unavailable  fc-private   n        /devices/[email protected]/[email protected]/[email protected]/SUNW,[email protected]/[email protected],0:fc
c5                             connected    unconfigured unknown
unavailable  fc           n        /devices/[email protected]/[email protected]/[email protected]/SUNW,[email protected],1/[email protected],0:fc
usb0/1                         empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:1
usb0/2                         empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:2
usb1/1.1                       empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:1.1
usb1/1.2                       empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:1.2
usb1/1.3                       empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:1.3
usb1/1.4                       empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:1.4
usb1/2                         empty        unconfigured ok
unavailable  unknown      n        /devices/[email protected]/[email protected]/[email protected]/[email protected]/[email protected]:2

If you have Solaris 10 8/07 or later, then you’ll find that the dump_map option to luxadm will also accept the short controller name that cfgadm uses, via /dev/cfg/cN, so you don’t have to type out the full device path:

bash-3.00# luxadm -e dump_map /dev/cfg/c2
Pos AL_PA ID Hard_Addr Port WWN         Node WWN         Type
0     1   7d    0      210000e08b86f840 200000e08b86f840 0x1f (Unknown Type,Host Bus Adapter)
1     ad  23    ad     50060e8014118960 50060e8014118960 0x0  (Disk device)

Again, this all works only if the HBA has a live link – it needs some cable plugged in, and you need to have something listening at the other end. I’ll be exploring how to find the WWN of your HBAs – even if they’re not plugged in – soon, using some other features of Solaris.
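Putting the two commands together, here is an added example (not from the post) that picks the fibre-channel controllers out of cfgadm and pulls the HBA’s port and node WWN out of luxadm -e dump_map. The parsing functions work on captured text, so they can be exercised offline: DUMP_MAP_C2 is the luxadm output shown above, while CFGADM_L is a constructed cfgadm -l listing (Ap_Id, Type, Receptacle, Occupant, Condition) for the same controllers. The live_report() helper that actually runs the commands assumes the Solaris 10 8/07 or later behaviour described above and is only meant to be called on such a box.

```python
"""Pick the fc controllers out of cfgadm and read their WWNs from luxadm.

Added example, not from the page. Parsers run on captured text so they can
be tried offline; DUMP_MAP_C2 is the luxadm output shown on the page,
CFGADM_L is a constructed `cfgadm -l` listing for the same controllers.
"""
import os
import re
import subprocess

CFGADM_L = """\
Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c1                             scsi-bus     connected    configured   unknown
c2                             fc-private   connected    configured   unknown
c3                             fc           connected    unconfigured unknown
c4                             fc-private   connected    configured   unknown
c5                             fc           connected    unconfigured unknown
usb0/1                         unknown      empty        unconfigured ok
"""

DUMP_MAP_C2 = """\
Pos AL_PA ID Hard_Addr Port WWN         Node WWN         Type
0     1   7d    0      210000e08b86f840 200000e08b86f840 0x1f (Unknown Type,Host Bus Adapter)
1     ad  23    ad     50060e8014118960 50060e8014118960 0x0  (Disk device)
"""

WWN_RE = re.compile(r"^[0-9a-fA-F]{16}$")


def fc_controllers(cfgadm_l_output):
    """Ap_Ids whose Type column starts with 'fc' (fc, fc-private,
    fc-fabric): the ones luxadm dump_map can be pointed at as /dev/cfg/<id>."""
    ids = []
    for line in cfgadm_l_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("fc"):
            ids.append(fields[0])
    return ids


def parse_dump_map(text):
    """One dict per loop/fabric position. The header has two-word column
    names ('Port WWN', 'Node WWN'), so rows are split positionally:
    Pos AL_PA ID Hard_Addr PortWWN NodeWWN TypeCode Description."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)
        if len(fields) < 7 or not WWN_RE.match(fields[4]):
            continue
        entries.append({
            "pos": int(fields[0]),
            "port_wwn": fields[4].lower(),
            "node_wwn": fields[5].lower(),
            "type": fields[6],
            "desc": fields[7] if len(fields) > 7 else "",
        })
    return entries


def hba_wwn(text):
    """(port WWN, node WWN) of the HBA itself, the entry luxadm labels
    'Host Bus Adapter'. None when the map is empty, which is what a port
    with no live link gives you."""
    for e in parse_dump_map(text):
        if "Host Bus Adapter" in e["desc"]:
            return e["port_wwn"], e["node_wwn"]
    return None


def target_wwns(text):
    """Port WWNs of everything else luxadm saw on that port."""
    return [e["port_wwn"] for e in parse_dump_map(text)
            if "Host Bus Adapter" not in e["desc"]]


def _run(cmd):
    out = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE).communicate()[0]
    return out.decode("ascii", "replace") if isinstance(out, bytes) else out


def live_report():
    """Run cfgadm and luxadm on this host: {controller: (port, node) or None}."""
    report = {}
    for ctrl in fc_controllers(_run(["/usr/sbin/cfgadm", "-l"])):
        report[ctrl] = hba_wwn(_run(["/usr/sbin/luxadm", "-e", "dump_map",
                                     "/dev/cfg/" + ctrl]))
    return report


if __name__ == "__main__":
    print(fc_controllers(CFGADM_L))
    print(hba_wwn(DUMP_MAP_C2), target_wwns(DUMP_MAP_C2))
    if os.path.exists("/usr/sbin/luxadm"):
        print(live_report())
```

On a real box, controllers with no link (c3 and c5 in the listing above) come back as None from live_report(), which is the same limitation the post describes: dump_map only has something to show when the port is logged in to something.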
