Wednesday Nov 18, 2009

More on Intrusion Detection

I found that the experimental Intrusion Detection module explained in my previous blog doesn't work as expected if an external plugin's AuthTrans SAF is added to the obj.conf request processing and that SAF returns REQ_PROCEED. This may rarely happen in customer deployments. I will try to fix it in the next update release or the next major release and will let you know when it is fixed.

My id.conf:

SecRuleEngine on 
SecRequestBodyAccess on
SecRule REQUEST_BODY "junk"

Case 1: I created a dummy plugin with an AuthTrans function myauth1 that just returns REQ_NOACTION; it works fine. (Look at <ws7-install-dir>/samples/nsapi/ for examples of how to create a plugin.)

    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */

    #include "nsapi.h"

    /* AuthTrans SAF that does nothing: REQ_NOACTION lets the remaining
       AuthTrans directives in obj.conf run. */
    extern "C"
    NSAPI_PUBLIC int myauth1(pblock *pb, Session *sn, Request *rq)
    {
        return REQ_NOACTION;
    }

Added in Magnus.conf

Init fn="load-modules" shlib="myauth.so" funcs="myauth1"

Error logs in that case show:

    ...
    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="myauth1" Directive="AuthTrans"
    ... func_exec reports: fn="myauth1" Directive="AuthTrans" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="magnus-internal/secrule-filters-insert"
    ... func_exec reports: fn="magnus-internal/secrule-filters-insert" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...
       

Case 2: When I change this AuthTrans SAF to return REQ_PROCEED, it doesn't work as expected:

    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */

    #include "nsapi.h"

    /* AuthTrans SAF that returns REQ_PROCEED: the AuthTrans stage ends here,
       so any AuthTrans directives after it are not executed. */
    extern "C"
    NSAPI_PUBLIC int myauth2(pblock *pb, Session *sn, Request *rq)
    {
        return REQ_PROCEED;
    }

Added in Magnus.conf

Init fn="load-modules" shlib="myauth.so" funcs="myauth2"

Error logs in that case show:

    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="myauth2" Directive="AuthTrans"
    ... func_exec reports: fn="myauth2" Directive="AuthTrans" returned 0 (REQ_PROCEED)

    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...
Note that fn="magnus-internal/secrule-filters-insert" is not executed here.

You can add the secrule-filters-insert SAF above your ExternalPluginAuthTransSAF function:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
AuthTrans fn="magnus-internal/secrule-filters-insert"
AuthTrans fn="ExternalPluginAuthTransSAF"
NameTrans fn="ntrans-j2ee" name="j2ee"
...
</Object>
This works fine when ExternalPluginAuthTransSAF returns REQ_PROCEED, but when it returns REQ_NOACTION these filters will be added twice.

To avoid that, you can build the myauth2 plugin as a dynamic library as shown above and put it below "ExternalPluginAuthTransSAF":
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
AuthTrans fn="magnus-internal/secrule-filters-insert"
AuthTrans fn="ExternalPluginAuthTransSAF"
AuthTrans fn="myauth2"
NameTrans fn="ntrans-j2ee" name="j2ee"
...
</Object>
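To make the stage semantics concrete, here is an added C model (not code from the post or from Web Server 7) of how the AuthTrans stage runs: SAFs execute in order until one returns REQ_PROCEED, and the server-appended secrule-filters-insert is modelled as the last AuthTrans directive, which is an assumption based on where it appears in the case 1 log. It counts how many times the id.conf filters get inserted for the three layouts discussed above.

```c
#include <string.h>

/* NSAPI SAF return codes, with the values printed in the error log above. */
#define REQ_PROCEED   0
#define REQ_NOACTION -2
#define SECRULE "magnus-internal/secrule-filters-insert"
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* One AuthTrans directive of obj.conf: SAF name and the code it returns. */
typedef struct { const char *fn; int rc; } saf_t;

/* Model of an obj.conf stage: directives run in order and the stage ends at the
 * first SAF returning REQ_PROCEED. Assumption: the server appends its own
 * secrule-filters-insert as the last AuthTrans directive (see the case 1 log).
 * Returns how many times that SAF ran, i.e. how often the filters were inserted. */
static int run_auth_trans(const saf_t *stage, int n) {
    int inserts = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(stage[i].fn, SECRULE) == 0)
            inserts++;
        if (stage[i].rc == REQ_PROCEED)
            break;  /* stage finished; the remaining directives are skipped */
    }
    return inserts;
}

/* Case 2: plugin returns REQ_PROCEED, appended copy never runs: 0 inserts. */
int inserts_case2(void) {
    static const saf_t stage[] = {{"match-browser", REQ_NOACTION},
        {"ExternalPluginAuthTransSAF", REQ_PROCEED}, {SECRULE, REQ_NOACTION}};
    return run_auth_trans(stage, COUNT(stage));
}

/* Workaround: explicit copy above a plugin returning REQ_NOACTION: 2 inserts. */
int inserts_workaround_noaction(void) {
    static const saf_t stage[] = {{"match-browser", REQ_NOACTION},
        {SECRULE, REQ_NOACTION}, {"ExternalPluginAuthTransSAF", REQ_NOACTION},
        {SECRULE, REQ_NOACTION}};
    return run_auth_trans(stage, COUNT(stage));
}

/* Final layout: myauth2 (always REQ_PROCEED) ends the stage before the
 * appended copy, so the filters are inserted exactly once: 1 insert. */
int inserts_fixed(void) {
    static const saf_t stage[] = {{"match-browser", REQ_NOACTION},
        {SECRULE, REQ_NOACTION}, {"ExternalPluginAuthTransSAF", REQ_NOACTION},
        {"myauth2", REQ_PROCEED}, {SECRULE, REQ_NOACTION}};
    return run_auth_trans(stage, COUNT(stage));
}
```

The same model explains case 1: with myauth1 returning REQ_NOACTION the stage runs to the end, so the appended copy executes once, as the case 1 log shows.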

Monday Jul 20, 2009

Running Open Web Server on FreeBSD


Downloaded FreeBSD from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.2/7.2-RELEASE-i386-dvd1.iso.gz and installed it.

For reference, see http://wikis.sun.com/display/wsFOSS/Checkout+and+Build+Instructions

To search for a package, I used cd /usr/ports; make search name="mercurial" and so on.

First make sure that you already have these components:

GNU make 3.81 /usr/local/bin/gmake
C/C++ Compiler 4.2.1 /usr/bin/g++ and gcc
Zlib  /usr/lib/libz.so already installed
Perl 5.8.9 /usr/bin/perl
CVS  1.11.22.1 /usr/bin/cvs

Install/Build these components

Mercurial
cd /usr/ports/devel/mercurial; make install

Java SE 5 or 6

Due to license problems I had to download the files manually and put them in /usr/ports/distfiles.
For JDK 5: cd /usr/ports/java/jdk15; make install, and download the following files into /usr/ports/distfiles

  • http://www.java.net/download/tiger/tiger_u16/jdk-1_5_0_16-fcs-bin-b02-jrl-28_may_2008.jar
  • http://www.java.net/download/tiger/tiger_u16/jdk-1_5_0_16-fcs-src-b02-jrl-28_may_2008.jar
  • tzupdater-1_3_12-2009a.zip from http://www.filewatcher.com/m/tzupdater-1_3_12-2009a.zip.261842.0.0.html
  • Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 - jce_policy-1_5_0.zip
  • http://www.eyesbeyond.com/freebsddom/java/jdk15.html - bsd-jdk15-patches-9.tar.bz2
For JDK 6: cd /usr/ports/java/diablo-jdk16; make install, and download the following files into /usr/ports/distfiles
  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 jce_policy-6.zip
  • Java SE Timezone Updater 1.3.15 - tzupdater-1_3_15-2009g.zip
  • http://www.freebsdfoundation.org/cgi-bin/download?download=diablo-caffe-freebsd7-i386-1.6.0_07-b02.tar.bz2
Ant  cd /usr/ports/devel/apache-ant; make install
NSPR cd /usr/ports/devel/nspr; make install
NSS cd /usr/ports/security/nss; make install

Xerces C++

cd /usr/ports/textproc/xerces-c2; make install
cd /usr/ports/textproc/xerces-c2-devel; make install
Selected the "Use ICU transcoder" option and "Build thread safe version of library".
I got an error:

"/usr/bin/ld: can not find -lgcc_pic"

To fix this, manually modify "files/filepatch-src-xercesc-Makefile.incl" and change "-lgcc_pic" to "-lgcc".

Xalan C++

cd /usr/ports/textproc/xalan; make install
Selected INMEN and TRANSCODER_ICU options.
PCRE
cd /usr/ports/devel/pcre; make install
ICU cd /usr/ports/devel/icu; make install
SASL cd /usr/ports/security/cyrus-sasl2; make install

Mozilla LDAP C SDK*


  • cd /usr/ports/converters/libiconv; make install
  • cd /usr/ports/converters/iconv; make install
  • cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -P -rLDAPCSDK_6_0_5_RTM DirectorySDKSourceC
  • cd mozilla
  • Add this patch
    Index: directory/c-sdk/configure
    ===================================================================
    RCS file: /cvsroot/mozilla/directory/c-sdk/configure,v
    retrieving revision 5.65
    diff -u -r5.65 configure
    --- directory/c-sdk/configure   17 Sep 2007 17:46:23 -0000      5.65
    +++ directory/c-sdk/configure   22 Jul 2009 07:27:11 -0000
    @@ -4362,12 +4362,7 @@
     EOF
         CFLAGS="$CFLAGS $(DSO_CFLAGS) -ansi -Wall"
    -    MOZ_OBJFORMAT=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
    -    if test "$MOZ_OBJFORMAT" = "elf"; then
    -        DLL_SUFFIX=so
    -    else
    -        DLL_SUFFIX=so.1.0
    -    fi
    +   DLL_SUFFIX=so
         DSO_CFLAGS=-fPIC
         DSO_LDOPTS=-Bshareable
         ;;
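Review bot: the added line `+   DLL_SUFFIX=so` is indented with three spaces while the neighbouring `CFLAGS=` and `DSO_CFLAGS=` lines use four, and the hunk removes the objformat probe without recording why. The removed code falls back to `echo aout`, and therefore to `DLL_SUFFIX=so.1.0`, whenever `/usr/bin/objformat` is not executable, which is the behaviour this patch is working around; a one-line comment above `DLL_SUFFIX=so` stating that the FreeBSD build is treated as ELF-only would make that intent clear to the next person who reads configure.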
    Index: directory/c-sdk/ldap/libraries/libldap/Makefile.in
    ===================================================================
    RCS file: /cvsroot/mozilla/directory/c-sdk/ldap/libraries/libldap/Makefile.in,v
    retrieving revision 5.23
    diff -u -r5.23 Makefile.in
    --- directory/c-sdk/ldap/libraries/libldap/Makefile.in  20 Jun 2007 17:57:11 -0000      5.23
    +++ directory/c-sdk/ldap/libraries/libldap/Makefile.in  22 Jul 2009 07:27:12 -0000
    @@ -267,6 +267,10 @@
     EXTRA_LIBS = -L$(dist_libdir) -l$(LBER_LIBNAME) -pthread
     endif
    +ifeq ($(OS_ARCH), FreeBSD)
    +EXTRA_LIBS += -L$(dist_libdir) -l$(LBER_LIBNAME) -L/usr/lib -lcompat
    +endif
    +
     ifeq ($(HAVE_SASL), 1)
     EXTRA_LIBS += $(SASL_LINK)
     endif
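Review bot: the new FreeBSD block repeats `-L$(dist_libdir) -l$(LBER_LIBNAME)`, which the `EXTRA_LIBS = -L$(dist_libdir) -l$(LBER_LIBNAME) -pthread` line just above already supplies when its enclosing `ifeq` is taken, so liblber ends up twice on the link line; `-L/usr/lib` is also the linker's default search path. The only genuinely new flag is `-lcompat`, so `EXTRA_LIBS += -lcompat` inside the `ifeq ($(OS_ARCH), FreeBSD)` guard expresses the same fix without the duplication.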
  • cd directory/c-sdk
  • ./configure --with-sasl-inc=/usr/local/include/sasl --with-sasl-lib=/usr/local/lib --with-nspr-lib=/usr/local/lib --with-nspr-inc=/usr/local/include/nspr/ --with-nspr --with-nss-lib=/usr/local/lib/nss --with-nss-inc=/usr/local/include/nss/nss/ --with-nss

  • gmake
  • cd ../../dist/
  • sudo mkdir /usr/local/include/mozldap /usr/local/lib/mozldap
  • sudo cp public/ldap/* /usr/local/include/mozldap/
  • sudo cp lib/* /usr/local/lib/mozldap/

*Note: There is a /usr/ports/net/ldapsdk port. It downloads and builds ldapsdk_12311998.tar.gz.

But I can see that this is now in the "ancient" directory on the Mozilla site, http://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/ancient/

So I built Mozilla C SDK myself.

Hack in NSPR

One manual hack you need to do in "/usr/local/include/prinet.h":

#if defined(FREEBSD) || defined(BSDI) || defined(QNX)
#include <rpc/types.h> /* the only place that defines INADDR_LOOPBACK */
#endif

replace it with

#ifndef INADDR_LOOPBACK
#define INADDR_LOOPBACK         (u_long)0x7F000001
#endif

Building Open Web Server

  • /usr/local/bin/hg clone ssh://anon@hg.opensolaris.org/hg/webstack/webserver
  • cd webserver
  • DOWNLOAD AND PATCH THESE DIFFS
  • gmake BUILD_VARIANT=OPTIMIZED
  • gmake BUILD_VARIANT=OPTIMIZED install

Go to the work/FreeBSD7.2-RELEASE_OPT.OBJ/https-test/bin/ directory and start the server instance using the startserv script.

For the last two gmake commands, you can add WS_INSTALL_ROOT=/opt/ws if you want the server instance to be installed in /opt/ws/https-test

Friday Jul 17, 2009

Running Open Web Server on MacOS


I tried to run Open Web Server on an iMac with Mac OS X 10.5.7 on it.

Install http://svn.macports.org/repository/macports/downloads/MacPorts-1.7.1/MacPorts-1.7.1-10.5-Leopard.dmg as per http://www.macports.org/install.php

Already existing Components

To build Open Web Server, we first need a few components. I already have /usr/bin/make, Java SE (/usr/bin/javac etc.), /usr/bin/ant, a C/C++ compiler (/usr/bin/gcc and /usr/bin/g++), /usr/bin/perl, /usr/bin/cvs, /usr/lib/libz.* and /usr/lib/libsasl2.* installed. Double check these component versions against the table given in http://wikis.sun.com/display/wsFOSS/Checkout+and+Build+Instructions#CheckoutandBuildInstructions-RequiredLibrariesandTools

Install Mercurial, NSS, NSPR, Xerces C++, Xalan C++, PCRE, ICU

sudo port install mercurial nspr nss pcre icu xercesc xalanc

Building and Installing Mozilla LDAP C SDK

  • cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -P -rLDAPCSDK_6_0_5_RTM DirectorySDKSourceC
  • cd mozilla/directory/c-sdk
  • ./configure --with-sasl --with-nspr-inc=/opt/local/include/nspr --with-nspr-lib=/opt/local/lib/nspr --with-nspr --with-nss-inc=/opt/local/include/nss --with-nss-lib=/opt/local/lib/nss --with-nss
  • make
  • cd ../../dist/
  • sudo mkdir /usr/local/include/mozldap /usr/local/lib/mozldap
  • sudo cp public/ldap/* /usr/local/include/mozldap/
  • sudo cp lib/* /usr/local/lib/mozldap/

Building Open Web Server

  • cd
  • hg clone ssh://anon@hg.opensolaris.org/hg/webstack/webserver
  • cd webserver
  • Download and apply this patch
  • make
  • make install
  • cd work/Darwin9.7.0_DBG.OBJ/https-test/bin
  • In the startserv script, manually substitute LD_LIBRARY_PATH with DYLD_LIBRARY_PATH before starting the server. Make the same change in all the other scripts, like stopserv.
  • ./startserv

As you can see the server starts up on port 8080.

Note that:

I am using "_xpatomic_locked.h" for now. Its performance needs to be optimized using the functions in /usr/include/libkern/OSAtomic.h.
NSPR's PR_GetLibraryFilePathname crashes if called with NULL as its first argument on Mac, so I added a hack of PR_GetLibraryFilePathname("ns-httpd40"..).
Some filenames are ugly, like defines___.mk; I will fix that later.

If you see entries in the error log like:

failure : HTTP3360: connection limit (1) exceeded.
PollManager::RequestReservation() keep-alive subsystem full

Run Web Server at the finest log level (set <log-level>finest</log-level> in server.xml) and look for messages like:
fine: operating system file descriptor limit is 256
fine: allocating 1 file descriptors to the connection queue, 1 file descriptors to keep-alive connections, and 1 file descriptors to the file cache

fine: 130 connection maximum (1 queued, 128 active, 1 keep-alive)
fine: HTTP3066: HTTP keep-alive subsystem will accomodate up to 1 connections

$ulimit -a
open files                      (-n) 256
...
Now I changed it to 1024:
$ulimit -n 1024

$./https-test/bin/startserv
fine: operating system file descriptor limit is 1024
fine: allocating 128 file descriptors to the connection queue, 128 file descriptors to keep-alive connections, and 8 file descriptors to the file cache
fine: 384 connection maximum (128 queued, 128 active, 128 keep-alive)
fine: HTTP3066: HTTP keep-alive subsystem will accomodate up to 128 connections

References

  1. Build instructions for Open Web Server
  2. https://bugzilla.mozilla.org/show_bug.cgi?id=504893
  3. http://developer.apple.com/documentation/Darwin/Reference/ManPages/man3/barrier.3.html
  4. http://devworld.apple.com/technotes/tn2002/tn2071.html
  5. http://lists.apple.com/archives/unix-porting/2002/Sep/msg00021.html
  6. http://dev.eclipse.org/newslists/news.eclipse.tools.cdt/msg16863.html
  7. http://blogs.sun.com/Janice/entry/http3360_connection_limit_1_exceeded

Friday Jul 10, 2009

Installing Sun Java System Web Server 7.0 on CentOS 5.3 or Fedora 10-11 or Ubuntu


In my free time, I tried out Sun Java System Web Server 7.0 update 5 on CentOS 5.3, Fedora 10 and 11, and Ubuntu. Joe Mccabe has also written a similar blog on this.

Download Sun Java System Web Server 7.0 for Linux and extract the contents of the tar.gz file:

$gunzip  sjsws-7_0u5-linux-i586.tar.gz; tar -xvf sjsws-7_0u5-linux-i586.tar

Run the installer; it will fail:

$./setup

error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

CentOS

To fix this problem, install the "compat-libstdc++-33" package as shown below:
$sudo yum -y install compat-libstdc++-33

Now run setup; it will work fine.

Fedora 10/11

Install the "compat-libstdc++-33" package as shown below:
$sudo yum -y install compat-libstdc++-33

There is one more problem in Fedora 11, but I heard it is fixed in 7.0 update 6 onwards.

If you get an error message like

lib/libfreebl3.so: version `NSSRAWHASH_3.12.3' not found (required by /lib64/libcrypt.so.1)

you need the workaround given in https://forums.oracle.com/forums/thread.jspa?threadID=2212337

Ubuntu

You need to install libstdc++5 as shown below:

$sudo apt-get install libstdc++5


If you get an error that says something like /bin/domainname not found, you need to install nis:

$sudo apt-get install nis

I have tested on Ubuntu 9.04.

*Note that Sun Java System Web Server 7.0 update 5 or 6 is not officially certified or supported on CentOS or Fedora or Ubuntu, but here's how you can make it work.


Thursday May 14, 2009

Installing Sun Java System Web Server 7.0 on Mandriva


If you are getting the error "The Runtime User ID does not exist. Specify a valid UNIX user." while installing Sun Java System Web Server on Mandriva, all you have to do is create a softlink as shown below. It's simple!

#ln -s /bin/id /usr/bin/id

You can also check whether /usr/bin/cat exists. If it doesn't, create a softlink as given below:

#ln -s /bin/cat /usr/bin/cat
  

*Note that Sun Java System Web Server is not officially certified or supported on Mandriva.

About

Meena Vyas
