Getting anaconda log and traceback manually without scp

June 15, 2012, 5:04 pm

≫ Next: hydra is now available in fedora

If you’re testing anaconda and you want to get log and traceback manually but you don’t have ssh server to scp, you can try:


Switch to virtual terminal: ctl-alt-F2
Run cd /tmp ; python -m SimpleHTTPServer
Browse $IP:8000

↧

hydra is now available in fedora

June 15, 2012, 5:05 pm

≫ Next: Greybird theme for Fedora

≪ Previous: Getting anaconda log and traceback manually without scp

I've packaged hydra (currently 7.3) for fedora 16 and 17+, you can install it using:

su -c 'yum install hydra hydra-frontend'

↧

Greybird theme for Fedora

June 17, 2012, 7:44 am

≫ Next: CentOS 6.3 released

≪ Previous: hydra is now available in fedora

Just to let you know that I've packaged Greybird theme (an Xfce theme from Shimmer project) for fedora 17+, after the installation and activation your Xfce desktop should look to something like this screenshot (from Xfce.org):

Installation:

yum install greybird-*

Edit:

Here's an actual screenshot of Fedora 17 Xfce with Greybird theme and elementary Dark icons:

↧

CentOS 6.3 released

July 9, 2012, 2:25 pm

≫ Next: How to add nginx logs to logwatch reports

≪ Previous: Greybird theme for Fedora

CentOS 6.3 for i386 and x86_64 architectures has been released.

Announcement: http://lists.centos.org/pipermail/centos-announce/2012-July/018706.html
Release notes: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.3

↧

How to add nginx logs to logwatch reports

August 19, 2012, 3:10 am

≫ Next: mod_security 2.6.7 for el5/el6 (RHEL, CentOS)

≪ Previous: CentOS 6.3 released

If you're using nginx package from EPEL6 (uses the same log format as Apache httpd by default) and you want to have a daily report of nginx logs with logwatch, here's a way to do it (there's multiples):

Create the following files:

/etc/logwatch/conf/logfiles/nginx.conf:


LogFile = nginx/*access.log
LogFile = nginx/*access.log.1

Archive = nginx/*access.log.*.gz

# Expand the repeats (actually just removes them now)
*ExpandRepeats

# Keep only the lines in the proper date range...
*ApplyhttpDate

/etc/logwatch/conf/services/http.conf:


###########################################################################
# Configuration file for http filter 
###########################################################################

Title = "nginx"

# Which logfile group...
LogFile = nginx

# Define the log file format
#
# This is now the same as the LogFormat parameter in the configuration file
# for httpd.  Multiple instances of declared LogFormats in the httpd
# configuration file can be declared here by concatenating them with the
# '|' character.  The default, shown below, includes the Combined Log Format,
# the Common Log Format, and the default SSL log format.
#$LogFormat = "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"|%h %l %u %t \"%r\" %>s %b|%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# The following is supported for backwards compatibility, but deprecated:
# Define the log file format
#
#   the only currently supported fields are:
#   client_ip
#   request
#   http_rc
#   bytes_transfered
#   agent
#
#$HTTP_FIELDS = "client_ip ident userid timestamp request http_rc bytes_transfered referrer agent"
#$HTTP_FORMAT = "space     space space    brace    quote   space        space       quote   quote" 
# Define the field formats
#
#   the only currently supported formats are:
#   space = space delimited field
#   quote = quoted ("..") space delimited field
#   brace = braced ([..]) space delimited field

# Flag to ignore 4xx and 5xx error messages as possible hack attempts
#
# Set flag to 1 to enable ignore
# or set to 0 to disable
$HTTP_IGNORE_ERROR_HACKS = 0

# Ignore requests
# Note - will not do ANY processing, counts, etc... just skip it and go to
# the next entry in the log file. 
# Examples:
# 1. Ignore all URLs starting with /model/ and ending with 1 to 10 digits
#   $HTTP_IGNORE_URLS = ^/model/\d{1,10}$
#
# 2. Ignore all URLs starting with /model/ and ending with 1 to 10 digits and
#   all URLS starting with /photographer and ending with 1 to 10 digits
#   $HTTP_IGNORE_URLS = ^/model/\d{1,10}$|^/photographer/\d{1,10}$
#   or simply:
#   $HTTP_IGNORE_URLS = ^/(model|photographer)/\d{1,10}$

# To ignore a range of IP addresses completely from the log analysis,
# set $HTTP_IGNORE_IPS. For example, to ignore all local IP addresses:
#
#   $HTTP_IGNORE_IPS = ^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.|^127\.
#

# The variable $HTTP_USER_DISPLAY defines which user accesses are displayed.
# The default is not to display user accesses:
$HTTP_USER_DISPLAY = 0
# To display access failures:
# $HTTP_USER_DISPLAY = "$field{http_rc} >= 400"
# To display all user accesses except "Unauthorized":
# $HTTP_USER_DISPLAY = "$field{http_rc} != 401"


# vi: shiftwidth=3 tabstop=3 et

↧

mod_security 2.6.7 for el5/el6 (RHEL, CentOS)

August 25, 2012, 9:55 am

≫ Next: mod_security core rules package for EPEL (RHEL/CentOS)

≪ Previous: How to add nginx logs to logwatch reports

mod_security 2.6.7 for el5/el6 (RHEL, CentOS) will be in epel-testing [1][2], core rules packages will follow soon (waiting for epel branches [3]).

EPEL devel list post: https://www.redhat.com/archives/epel-devel-list/2012-August/msg00068.html

↧

mod_security core rules package for EPEL (RHEL/CentOS)

August 28, 2012, 11:30 am

≫ Next: Some Openbox tips

≪ Previous: mod_security 2.6.7 for el5/el6 (RHEL, CentOS)

mod_security core rules packages are in EPEL testing

↧

Some Openbox tips

September 12, 2012, 1:33 am

≫ Next: The new fedora pastebin service is in staging

≪ Previous: mod_security core rules package for EPEL (RHEL/CentOS)

1. Add shutdown and reboot to openbox menu

Add the following lines to ~/.config/openbox/menu.xml

<item label="Restart">
<action name="Execute">
<prompt>
  Are you sure you want to reboot ?
</prompt>
<command>dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart</command>
</action>
</item>
<item label="Shutdown">
<action name="Execute">
<prompt>
  Are you sure you want to shutdown ?
</prompt>
<command>dbus-send --system --print-reply --dest="org.freedesktop.ConsoleKit" /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Stop</command>
</action>
</item>

2. Auto-move window to a specific desktop

Add the following lines to ~/.config/openbox/rc.xml in applications section, you can get app/window proprieties using obxprop utility (included in openbox package).

<application name="App_Name">
<desktop>2</desktop>
</application>

3.Window snapping (like in Gnome 3)

Win-Up: Maximize window
Win-Down: Minimize window
Win-Left: Snap window to the left side
Win-Right: Snap window to the right side

Add the following lines to ~/.config/openbox/rc.xml in keyboard section

<keybind key="W-Up">
<action name="ToggleMaximize"/>
</keybind>
<keybind key="W-Down">
<action name="ToggleMaximize"/>
</keybind>
<keybind key="W-Left">
<action name="UnmaximizeFull"/>
<action name="MoveResizeTo">
<x>0</x>
<y>0</y>
<width>50%</width>
<height>100%</height>
</action>
<action name="ToggleMaximizeVert"/>
</keybind>
<keybind key="W-Right">
<action name="UnmaximizeFull"/>
<action name="MoveResizeTo">
<x>50%</x>
<y>0</y>
<width>50%</width>
<height>100%</height>
</action>
<action name="ToggleMaximizeVert"/>
</keybind>

↧

The new fedora pastebin service is in staging

October 19, 2012, 9:44 pm

≫ Next: New mod_security and mod_security_crs packages

≪ Previous: Some Openbox tips

The new fedora pastebin service is in staging:

http://paste.stg.fedoraproject.org/

Please test and report any issues via email (athmane AT fedoraproject.org) or IRC (athmane in #fedora-admin)

↧

New mod_security and mod_security_crs packages

November 15, 2012, 2:59 am

≫ Next: HEADS-UP: mod_security packages security update

≪ Previous: The new fedora pastebin service is in staging

I just pushed security/bugfix updates for mod_security 2.7.1-3 and mod_security_crs 2.2.6-3 packages, if you are using them please test and provide karma in bodhi.

Note: there's no packages for EPEL5 because of the old libxml2 in RHEL5/CentOS5.

Update: I've pushed an update with backported fixes (from 2.7) in EPEL5, please test. https://admin.fedoraproject.org/updates/mod_security-2.6.8-2.el5

Details:

Update to 2.7.1
Update Core rules set to 2.2.6
Fix build against libxml2 >= 2.9 (upstreamed)
Add some missing directives RHBZ #569360
Fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)

↧

HEADS-UP: mod_security packages security update

April 9, 2013, 8:27 am

≫ Next: HEADS-UP: Fedora/EPEL mod_security packages security update

≪ Previous: New mod_security and mod_security_crs packages

I recently pushed a security update for mod_security for CVE-2013-1915 mod_security: Vulnerable to XXE attacks.

If you're using this package, please test and provide karma.

↧

HEADS-UP: Fedora/EPEL mod_security packages security update

May 28, 2013, 12:50 pm

≫ Next: Nginx with mod_security support repo for Fedora 20 and EPEL 6 (RHEL 6 / CentOS 6)

≪ Previous: HEADS-UP: mod_security packages security update

I've pushed a mod_security update for CVE-2013-2765: NULL pointer dereference (DoS, crash) when forceRequestBodyVariable action triggered and unknown Content-Type was used.

↧

Nginx with mod_security support repo for Fedora 20 and EPEL 6 (RHEL 6 / CentOS 6)

December 20, 2013, 5:56 am

≫ Next: Getting started with ModSecurity for Nginx

≪ Previous: HEADS-UP: Fedora/EPEL mod_security packages security update

ModSecurity for Nginx is a web server module for nginx, because of nginx extensibility model (does not use dynamically loaded modules), I can't just build mod_security like the one for Apache HTTPd, nginx module must be added at compile time.

So I made a repo of a modified Nginx with mod_security support, currently only available for Fedora 20 and EPEL 6 (RHEL 6 / CentOS 6) (can extend it latter - just ask).

I'll try to track the main package version, if you have issues with this repo, email me at athmane (AT) fedora domain or ping me on IRC (athmane)

http://repos.fedorapeople.org/repos/athmane/nginx-mod_security/

Next blog post we'll see how to use Core rules set with Nginx

Edit: http://blog.madjoudj.com/2013/12/getting-started-with-modsecurity-for.html

Edit 2: I forgot to specify that ModSecurity for Nginx is a BETA quality and you should not use it in production (for instance large POST requests to backend may timeout).

↧

Getting started with ModSecurity for Nginx

December 20, 2013, 7:01 am

≫ Next: Some tricks for using i3: tiling window manager

≪ Previous: Nginx with mod_security support repo for Fedora 20 and EPEL 6 (RHEL 6 / CentOS 6)

This is a quick guide on how to install nginx with mod_security and enable core rules set, this setup can also be used to protect your backend servers by running nginx as reverse proxy and achieve both greater performance and security.

The initial setup:

On Fedora:


# cd /etc/yum.repo.d/
# curl -O 'http://repos.fedorapeople.org/repos/athmane/nginx-mod_security/fedora-nginx-mod_security.repo'

On EL6:


# cd /etc/yum.repo.d/
# curl -O 'http://repos.fedorapeople.org/repos/athmane/nginx-mod_security/epel-nginx-mod_security.repo'

Install the packages:


# yum install nginx mod_security_crs

Make sure you get the version of nginx with mod_security (it has modsec_VERSION in release tag).

Generate mod_security rules:


# cp  /etc/nginx/mod_security.conf  /etc/nginx/mod_security.conf.default
# cat /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf \
/etc/httpd/modsecurity.d/activated_rules/modsecurity_*.conf >> /etc/nginx/mod_security.conf
# cp /etc/httpd/modsecurity.d/activated_rules/modsecurity_*.data /etc/nginx/

NB. I'll think of a better way to handle Core rules set in nginx.

Start nginx:
On Fedora:


# systemctl start nginx

On EL6:


# service nginx start

Quick test:

Let's try to simulate an LFI (Local file inclusion) by injecting '?../../../../etc/passwd' in the URL , normally you'll get nginx default page or your site/webapp, but with this setup, we get 403 forbidden, you can now tweak the rules or disable some as you'd do with mod_security for Apache.

You can check the logs, and as you can see the attack was tagged as FILE INJECTION :


# tail /var/log/nginx/error.log
2013/12/20 15:42:33 [error] 935#0: [client 192.168.NNN.NNN] ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)
\\b|\\/etc\\/)" at ARGS_NAMES:../../../../etc/passwd. [file "/etc/nginx/mod_security.conf"] [line "1514"] [id 
"950005"] [rev "3"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS_NAMES:../../../..
/etc/passwd: ../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] 
[tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] 
[hostname ""] [uri "/"] [unique_id "AcjjArAc9cAcAcAcqcAcAcAc"]

↧

Some tricks for using i3: tiling window manager

December 23, 2013, 12:37 am

≫ Next: Official blog about CentOS 7 (news, views and reports)

≪ Previous: Getting started with ModSecurity for Nginx

A couple months ago, I switched from traditional desktops to i3 tiling window manager, mainly because of my workflow.

In this post, I'll try to share some tricks and config that helped me to use i3 and replace a desktop

Installation


# Base i3wm
yum install i3 i3lock dmenu 

# Other stuff we need later
yum install feh scrot dunst network-manager-applet polkit-gnome

i3 config file is located in: ~/.i3/config (the system wide config is: /etc/i3/config)

Font

The default font is a bitmap x11 font '-misc-fixed-...' which can be problematic if you have application title with utf-8 and right-to-left languages, luckily i3 does support freetype fonts.


font pango:Sans 10

Status bar

The status bar can be placed on top and extended to display additional information, by default the output of i3status is displayed in i3 bar and configured via '~/.i3status.conf' ('man i3status' for more details)


bar {
        status_command i3status
        position top
}

Screen locking

i3lock does a great job, here's an example of binding Ctrl+Alt+l to lock the screen:


bindsym Control+Mod1+l exec --no-startup-id i3lock -c 000000 -d

Autostarting applications

I use autostarting feature to get some of desktop experience, like forcing settings, running applications and services.


exec --no-startup-id xset r rate 300 32 
exec --no-startup-id synclient TapButton1=1
exec --no-startup-id nm-applet &
exec --no-startup-id /usr/libexec/polkit-gnome-authentication-agent-1 &
exec --no-startup-id sh -c 'source ~/.fehbg'&

xset r rate 300 32 set keyboard autorepeat, makes typing faster.
synclient TapButton1=1 enable clicking when tapping laptop touchpad.
nm-applet & starts NetworkManager applets
... polkit-gnome-authentication-agent-1 starts PolicyKit agent, eg: virt-manager requires this
sh -c 'source ~/.fehbg' use feh to set background, basically you only need to run feh, right-click and select 'File > Background > Set (Tiled|Centered|...)'

Audio volume, brightness control and print screen keys

This will assign the extra keyboard keys (aka multimedia keys) to their functionality, I see a lot of people running other desktop settings daemon to get this eg: gnome-settings-daemon (which is no longer provided by Gnome)

XF86Audio*: for controlling the audio volume.
XF86MonBrightness*: for controlling screen/display brightness.
Print: take a screenshot using scrot (lightweight cli app)


bindsym XF86AudioLowerVolume exec --no-startup-id /usr/bin/pactl set-sink-volume 0 -- -5% && killall -SIGUSR1 i3status
bindsym XF86AudioRaiseVolume exec --no-startup-id /usr/bin/pactl set-sink-volume 0 -- +5% && killall -SIGUSR1 i3status
bindsym XF86AudioMute exec --no-startup-id /usr/bin/pactl set-sink-volume 0 0  && killall -SIGUSR1 i3status
bindsym XF86MonBrightnessUp exec --no-startup-id /usr/bin/xbacklight -inc 5
bindsym XF86MonBrightnessDown exec --no-startup-id /usr/bin/xbacklight -dec 5
bindsym Print exec --no-startup-id scrot

Enable floating for some applications

It is possible to force certain application to run in floating instead of the default tilling, this may include your media player (it minimizes in the tray) or a buggy application, use xprop to get x11 client name (or the application name).


for_window [class="Audacious"] floating enable

Desktop notification

dunst is lightweight notification-daemon which works perfectly with i3wm, you only need to install it.

Launching application on a specific workspace

i3wm has the ability to launch an application on a specific workspace, eg:


set $2 2:web
...
...
...
assign [class="^Firefox.*$"] $2

↧

Official blog about CentOS 7 (news, views and reports)

December 31, 2013, 1:52 am

≫ Next: New nginx with mod_security module builds

≪ Previous: Some tricks for using i3: tiling window manager

Check the new official blog about CentOS 7, if you're looking get more information about CentOS 7 build progress, tools and tests suite update or just random thoughts about CentOS 7 and RHEL7 beta

http://seven.centos.org/

↧

New nginx with mod_security module builds

February 24, 2014, 7:51 am

≫ Next: ModSecurity 2.8.0 RC1 for Apache / Nginx packages

≪ Previous: Official blog about CentOS 7 (news, views and reports)

I've built new nginx packages with mod_security module for Fedora 20/19 and EPEL6 (tested on CentOS 6).

Those packages are in COPR instead of fedora people repos:

http://copr-fe.cloud.fedoraproject.org/coprs/athmane/nginx-mod_security/

Please note that mod_security for nginx is still considered a beta quality, so don't use it in your production boxes.

↧

ModSecurity 2.8.0 RC1 for Apache / Nginx packages

April 3, 2014, 6:49 am

≫ Next: HEADS-UP: EPEL5 mod_security-2.6.8-5 security update is broken

≪ Previous: New nginx with mod_security module builds

I've built ModSecurity 2.8.0 RC1 for Apache / Nginx in Fedora COPR, I'll update Rawhide branch once 2.8.0 is officially released.

The packages are for Fedora 20 and Rawhide, EPEL 6 and 7 (CentOS 6.x, RHEL 6.x and 7beta)

Feel free to email me or comment here, if you encounter bugs

mod_security module for Apache httpd: http://copr.fedoraproject.org/coprs/athmane/mod_security/
Nginx+mod_security built-in/bundle: http://copr.fedoraproject.org/coprs/athmane/nginx-mod_security/

↧

HEADS-UP: EPEL5 mod_security-2.6.8-5 security update is broken

April 18, 2014, 1:00 pm

≫ Next: HEADS-UP: mod_qos Update

≪ Previous: ModSecurity 2.8.0 RC1 for Apache / Nginx packages

While ago, I pushed a mod_security security update (one line patch for CVE-2013-5705) without testing it thoroughly on EL5, which turns out to be broken(httpd does not start) [1].

I usually test all packages before pushing updates, but at that time I didn't have access to my build box (which has all my test VMs)

If you're going to update mod_security on EL5 box, you should get the one from epel5-testing:
https://admin.fedoraproject.org/updates/mod_security-2.6.8-6.el5

Sorry for any inconvenience caused.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1089343

↧

HEADS-UP: mod_qos Update

October 12, 2014, 9:31 am

≫ Next: Newer mod_security packages for EPEL (CentOS/RHEL)

≪ Previous: HEADS-UP: EPEL5 mod_security-2.6.8-5 security update is broken

I've pushed mod_qos-11.5 into testing, I didn't want to keep 10.x because it does not support IPv6 properly.

If you happen to use mod_qos, I'd really appreciate your feedback either in Bugzilla, Bodhi, email or irc

EPEL6 (Tested on CentOS 6): https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3260/mod_qos-11.5-1.el6
Fedora 20: https://admin.fedoraproject.org/updates/FEDORA-2014-12653/mod_qos-11.5-1.fc20
Fedora 21: https://admin.fedoraproject.org/updates/FEDORA-2014-12643/mod_qos-11.5-1.fc21
EPEL7: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3436/mod_qos-11.5-1.el7

EDIT: EPEL7 package

↧