Linux: March 2012 Archives

ISC DHCPD on commit


ISC DHCP's "on commit" event can run a specific script/program after a client obtains an IP lease.

Add the following to /etc/dhcpd.conf (it can go inside a subnet block or at global scope):
on commit {
   # leased-address is 4 raw bytes; render it as dotted decimal
   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
   # hardware is the type byte followed by the MAC, so skip byte 0 and take the 6 address bytes
   set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
   execute("/usr/local/bin/dhcpd_on_commit", ClientIP, ClientMac);
}

ClientIP and ClientMac are passed to the script/program as arguments $1 and $2.

If the log shows "execute: no such function.", the feature is not supported by that build; it seems to exist only in 4.x, where it is enabled by default:
./configure
--enable-execute enable support for execute() in config (default is yes)
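Below is an added example of what /usr/local/bin/dhcpd_on_commit could look like; it is not from the original post. Because $1 and $2 are derived from the lease (and the MAC is ultimately supplied by the client), the handler validates both before writing anything. The log path and environment variable name are assumptions.

```shell
#!/bin/sh
# Added example handler for the execute() hook above; not from the original post.
# dhcpd invokes it as:  /usr/local/bin/dhcpd_on_commit <ClientIP> <ClientMac>
# Both values are derived from the lease (the MAC is client-supplied), so they are
# validated before being written anywhere. The log path is an assumption.

LOGFILE=${DHCPD_COMMIT_LOG:-/var/log/dhcpd_commits.log}

# Accept only a dotted-quad IPv4 address, as binary-to-ascii(10, 8, ".", ...) emits.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only colon-separated hex bytes. binary-to-ascii(16, 8, ":", ...) does not
# zero-pad, so "0:1a:2b:3c:4d:5e" is a legitimate value: each group is 1-2 hex digits.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
}

# Append "<UTC timestamp> <ip> <mac>" to the log; returns 2/3 on a rejected argument.
record_commit() {
    _ip=$1; _mac=$2; _log=${3:-$LOGFILE}
    valid_ipv4 "$_ip" || return 2
    valid_mac "$_mac" || return 3
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_ip" "$_mac" >> "$_log"
}

# When dhcpd runs this script, $1 and $2 are set; when sourced for testing they are not.
if [ $# -ge 2 ]; then
    record_commit "$1" "$2"
fi
```

The script must be executable by the user dhcpd runs as, and it should not echo the arguments into another shell command or SQL string without the same kind of validation, since a crafted hardware address would otherwise reach that command unchanged.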

Build Apache 2.4.x


To build Apache 2.4.x you first need the libtool package, APR, APR-util and PCRE installed.

# APR
URL=`wget -qO- http://apr.apache.org/download.cgi | awk -F\" '/apr.*bz2/ {print $2}' | head -1`
wget $URL
FILE=${URL##*/}            # tarball name, e.g. apr-1.x.y.tar.bz2
tar jxf $FILE
cd ${FILE%.tar.bz2}        # cd into the extracted directory, not the tarball
./configure                # installs under /usr/local/apr by default
make
make install
cd ..

# APR Util
URL=`wget -qO- http://apr.apache.org/download.cgi | awk -F\" '/apr-util.*bz2/ {print $2}' | head -1`
wget $URL
FILE=${URL##*/}
tar jxf $FILE
cd ${FILE%.tar.bz2}
./configure --with-apr=/usr/local/apr
make
make install
cd ..

# PCRE
URL=ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.bz2
wget $URL
FILE=${URL##*/}
tar jxf $FILE
cd ${FILE%.tar.bz2}
./configure
make
make install
cd ..

# Apache
URL=`wget -qO- http://httpd.apache.org/download.cgi | awk -F\" '/httpd.*bz2/ {print $2}' | head -1`
wget $URL
FILE=${URL##*/}
tar jxf $FILE
cd ${FILE%.tar.bz2}
./configure --prefix=/usr/local/apache --sysconfdir=/usr/local/apache/conf \
--enable-ssl --enable-rewrite --enable-proxy --enable-expires --enable-headers \
--enable-reqtimeout --enable-deflate --with-apr=/usr/local/apr
make
make install
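The script above fetches whatever tarball link it scrapes first from a plain-HTTP download page and unpacks it unverified. The following is an added example, not part of the original post, of a fetch step that also downloads the published SHA-256 checksum and refuses to unpack on a mismatch. It assumes the mirror publishes "<tarball>.sha256" next to the tarball (the Apache download areas do this for httpd, apr and apr-util); the URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: download a release tarball together with its published SHA-256
# checksum and refuse to unpack it unless they match. Not part of the original
# post. Assumes "<tarball>.sha256" is published beside the tarball; the usage
# URL at the bottom is a placeholder.

# Print the hex SHA-256 digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Pull the digest out of a checksum file. Apache checksum files come in two
# layouts, "<hex>  <file>" / "<hex> *<file>" (sha256sum style) and
# "<file>: <hex grouped in fours>" (gpg --print-md style); in both, the digest
# is the first run of 64 hex digits once whitespace is removed.
expected_digest() {
    tr -d ' \t\r\n' < "$1" | grep -oE '[0-9a-fA-F]{64}' | head -1 | tr 'A-F' 'a-f'
}

# Returns 0 only when the file's digest equals the one in the checksum file.
verify_sha256() {
    _actual=$(sha256_of "$1")
    _expected=$(expected_digest "$2")
    [ -n "$_expected" ] && [ "$_actual" = "$_expected" ]
}

# Download <url> and <url>.sha256, verify, then unpack. Nothing is extracted on
# a mismatch, and the bad tarball is removed so a later glob cannot pick it up.
fetch_verify_unpack() {
    _url=$1
    _file=${_url##*/}
    wget -q "$_url" "$_url.sha256" || return 1
    if verify_sha256 "$_file" "$_file.sha256"; then
        tar jxf "$_file"
    else
        echo "checksum mismatch for $_file, not unpacking" >&2
        rm -f "$_file"
        return 2
    fi
}

# Usage (placeholder URL; substitute the tarball URL taken from download.cgi):
# fetch_verify_unpack http://archive.apache.org/dist/httpd/httpd-2.4.X.tar.bz2
```

A checksum fetched from the same mirror over the same unauthenticated channel only catches corruption and casual tampering; for a trust decision, the detached .asc signature checked against the project's KEYS file is the stronger control, and the same verify-before-unpack structure applies.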

Note: Apache 2.4.x must be paired with PHP 5.3.x or later; PHP 5.2.x is no longer supported (it produces errors).

Slowloris HTTP DoS


Slowloris HTTP DoS is a low-bandwidth HTTP denial-of-service attack.
AFFECTS
Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others...?

NOT AFFECTED
IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others...?

It works by sending incomplete HTTP requests and then trickling further header lines so the connection is never closed; the server's connection slots fill up quickly and the web server can no longer serve legitimate users. A single machine with very little bandwidth, a few hundred Kbps or even a few tens of Kbps, is enough.

I tested several Apache servers and none could withstand it; they went down on the first run. Having mod_limitipconn installed didn't help either,
because the request never reaches the stage where the module is run, and the server writes no log at all.

The only thing I've thought of so far is a per-host rate limiter that calls iptables to block.
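Below is an added example of the per-host limiter idea, not part of the original post. It counts established connections to the web port per peer address from the output of ss and prints an iptables rule for every peer above a threshold, so an operator can review the rules before running them. The sample ss output is constructed from documentation address ranges so the script can be exercised offline; the threshold, the port and the rule itself are assumptions to tune for a given server.

```shell
#!/bin/sh
# Added example of the per-host limiter the post describes; not part of the
# original post. Input is the output of
#     ss -Htn state established '( sport = :80 )'
# (-H drops the header on current iproute2; older versions can use tail -n +2
# instead, and the header line is skipped below anyway).

# Constructed sample in the column layout ss prints with a state filter:
# Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT='0      0      10.0.0.5:80          203.0.113.7:51001
0      0      10.0.0.5:80          203.0.113.7:51002
0      0      10.0.0.5:80          198.51.100.2:40210
0      0      10.0.0.5:80          203.0.113.7:51003
0      0      10.0.0.5:80          203.0.113.7:51004
0      0      10.0.0.5:80          198.51.100.2:40211'

# Read ss lines on stdin, print each peer address holding >= $1 connections.
# The port is stripped from the trailing ":<digits>", which also works for
# bracketed IPv6 peers such as [2001:db8::1]:5555 (those need ip6tables).
flag_hosts() {
    awk -v limit="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            peer = $4
            sub(/:[0-9]+$/, "", peer)
            gsub(/[][]/, "", peer)
            count[peer]++
        }
        END { for (p in count) if (count[p] >= limit) print p }
    ' | sort
}

# Turn the flagged list (stdin) into iptables commands on stdout. They are
# printed rather than executed so an operator can review them first:
#     ss -Htn state established '( sport = :80 )' | flag_hosts 50 | block_rules | sh
block_rules() {
    while read -r peer; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$peer"
    done
}

# Demonstration on the constructed sample with a threshold of 3.
demo() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_hosts 3
}
```

Run from cron or a loop, this only reacts after the slots are already occupied, so the threshold has to sit well below MaxClients/MaxRequestWorkers, and clients behind a shared NAT will share one count. Since the build above enables mod_reqtimeout, its RequestReadTimeout directive (which drops connections whose headers arrive too slowly) is the complementary in-server control.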

2012-03-22 Update:
A reader replied that mod_antiloris can block it, and after testing it does:
/usr/local/apache/bin/apxs -i -c mod_antiloris.c

Add the following to httpd.conf and restart:
LoadModule antiloris_module modules/mod_antiloris.so

IPReadLimit 10

About this Archive

This page is an archive of entries in the Linux category from March 2012.