mod_proxy_ajp declining URL

Many hours of searching and suffering were spent trying to resolve this ...

Apache-Error: [file "mod_proxy_ajp.c"] [line 743] [level 7] AH00894: declining URL fcgi://localhost/var/www/html/site/public/index.php

This is a Symfony application (Ibexa DXP, formerly eZ Platform, previously eZ Publish) on a CentOS 8 server with PHP 7.4, mod_security, SELinux enabled, etc.

The error was thrown on the GraphQL requests that support the sub-items display of the admin interface.

The root cause of the issue was an application error.

The message from Symfony

[2022-01-05T18:34:58.709826+00:00] request.CRITICAL: Uncaught PHP Exception Overblog\GraphQLBundle\Resolver\UnresolvableException: "Could not found type with alias "RepositoryLanguage". Do you forget to define it?" at /var/www/html/site/vendor/overblog/graphql-bundle/src/Resolver/TypeResolver.php line 72 {"exception":"[object] (Overblog\\GraphQLBundle\\Resolver\\UnresolvableException(code: 0): Could not found type with alias \"RepositoryLanguage\". Do you forget to define it? at /var/www/html/site/vendor/overblog/graphql-bundle/src/Resolver/TypeResolver.php:72)"} []

This also took me a long time to unravel - about an hour ... because I haven't worked with eZ in a while

The solution was to copy all of these files https://github.com/bgamrat/improved-journey/tree/main/config/graphql/types/ezplatform into the config.

Next, it was time to make this blog post with the goal of helping you!

I changed the username for security, to a word I rarely use. So of course I forgot it. As well as the password. Tried to email a password reset, but that failed too ... selinux, remember?

setsebool -P httpd_can_sendmail 1

I also tried to reset the password at the database level, but that looked like more effort.

So - it was a grand adventure, the installation works and I can go do other things.

Who is trying to log into my SSH?

grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f1 -d' ' | sort -u

and where are they coming from?

grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f2 -d' ' | sort -u
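
An added example (not part of the original post) that goes one step beyond the two one-liners above: it applies the same "from invalid user" filter and ranks each source address by number of attempts, with the usernames it tried. The sample log lines are constructed, and summarize is a name chosen for this example.

```python
import re
from collections import Counter, defaultdict

# Same message form the one-liners select:
#   "... from invalid user <name> <ip> port <n>"
INVALID = re.compile(r"from invalid user (?P<user>\S+) (?P<ip>\S+) port \d+",
                     re.IGNORECASE)

# Constructed sample lines in /var/log/secure format.
SAMPLE = """\
Jan  5 03:12:01 host sshd[2101]: Invalid user admin from 203.0.113.7 port 40112
Jan  5 03:12:02 host sshd[2101]: Disconnected from invalid user admin 203.0.113.7 port 40112 [preauth]
Jan  5 03:12:09 host sshd[2107]: Disconnected from invalid user oracle 203.0.113.7 port 40150 [preauth]
Jan  5 03:13:30 host sshd[2110]: Connection closed by invalid user admin 198.51.100.9 port 51200 [preauth]
Jan  5 03:14:44 host sshd[2115]: Disconnected from invalid user test 2001:db8::5 port 60022 [preauth]
Jan  5 03:15:00 host sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Jan  5 03:15:20 host sshd[2125]: Disconnected from invalid user admin 203.0.113.7 port 40190 [preauth]
"""


def summarize(log_text):
    """Return [(ip, attempts, sorted usernames)], busiest source first."""
    attempts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return [(ip, n, sorted(users[ip])) for ip, n in attempts.most_common()]


if __name__ == "__main__":
    for ip, n, names in summarize(SAMPLE):
        print(f"{ip:<16} {n:>3}  {', '.join(names)}")
```

Lines such as "Connection closed by invalid user ..." are not counted, because the filter from the one-liners does not select them either.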

Python3 - metadata extraction utilities

EXIF

pip install exifread

#!/usr/bin/python3 

import sys
import exifread

def main(argv):
	imagefile = ''
	if len(sys.argv) < 2:
		print('exif.py <imagefile>')
		sys.exit(1)

	imagefile = sys.argv[1]

	with open(imagefile,'rb') as imagefile:
		tags = exifread.process_file(imagefile)
		for key in tags:
			if key.find('Thumbnail') == -1:
				print(key,'->',tags[key])

main(sys.argv[1:])

.docx

pip install python-docx

#!/usr/bin/python3 

import sys
import docx

def main(argv):
	docxfile = ''
	if len(sys.argv) < 2:
		print('dcx.py <docxfile>')
		sys.exit(1)

	docxfile = sys.argv[1]
	doc = docx.Document(docxfile)

	props = doc.core_properties
	for p in dir(props):
		attr = getattr(props,p)
		if not p.startswith('_') and not callable(attr):
			print(p,':',attr)

main(sys.argv[1:])

PDF

pip install pdfminer

#!/usr/bin/python3

import sys
from pdfminer.pdfparser import PDFParser
from pdfminer.pdfdocument import PDFDocument

def main(argv):
	pdffile = ''
	if len(sys.argv) < 2:
		print('pdf.py <pdffile>')
		sys.exit(1)

	pdffile = sys.argv[1]

	# Keep the file open while PDFDocument reads from the parser, then close it
	with open(pdffile, 'rb') as fp:
		parser = PDFParser(fp)
		doc = PDFDocument(parser)

		# doc.info is a list of Info dictionaries; it is empty when the PDF has none
		for props in doc.info:
			for p in props:
				attr = props[p]
				if not p.startswith('_') and not callable(attr):
					print(p,':',attr)

main(sys.argv[1:])

Using bison and flex with CentOS 8

This isn't actually useful, it's here to remind me what I did ... if you use this, be sure to start with the github link. Also - I forgot about the installation. Install stuff.

Tools

  • Bison - Bison is a general-purpose parser generator that converts an annotated context-free grammar into a deterministic LR or generalized LR (GLR) parser employing LALR(1) parser tables. (Generates C++)
  • Flex - flex is a tool for generating scanners: programs which recognize lexical patterns in text. (Tokens).
  • gcc - The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, Go, and D, as well as libraries for these languages (libstdc++,...). GCC was originally written as the compiler for the GNU operating system. The GNU system was developed to be 100% free software, free in the sense that it respects the user's freedom.

First

Does everything you do work the first time? Probably not. Start with someone else's stuff.

https://github.com/meyerd/flex-bison-example 

$ bison -d calc.y
$ flex calc.l
$ gcc calc.tab.c lex.yy.c -o calc -lm
$ ./calc

Write a little bash script because you're going to have to run your stuff, over and over


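#!/bin/bash
# Build and run a bison/flex project: <name>.y and <name>.l -> ./<name>
if [ $# != 1 ];
then
    echo -e "\nUsage $0 <filename>\n\tExample: $0 one\n";
    exit 1;
fi;
# Stop at the first failing step instead of running a stale binary
set -e
bison -d "$1.y"
flex -l -o "$1.c" "$1.l"
# Libraries go after the sources that use them
gcc "$1.tab.c" "$1.c" -o "$1" -lm
"./$1"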

Files

The two files I created are attached, with .txt extensions.

The goal was to create a little assembler. In this case, the assembler supports three commands - LOAD, CLEAR and STORE. It's interactive, meaning it behaves as an interpreter, rather than creating 'machine' code.

It was a good exercise and I like the example.

  y.txt

  l.txt

CentOS 7 - Fail2Ban with Apache ModSecurity


One of the tools I am using to secure a server is Fail2ban. It was working well for SSH and I wanted to extend it to provide more protection for Apache.

I installed it and enabled it.

jail.d/apache-modsecurity.conf

[apache-modsecurity]
enabled = true
backend = auto
port = http,https
filter = apache-modsecurity
logpath = %(apache_error_log)s
bantime = 19200
maxretry = 2
findtime = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

filter.d/apache-modsecurity.conf 

# Fail2Ban apache-modsec filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s(?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$
ignoreregex =

# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
# Author: Daniel Black
# Sergey G. Brester aka sebres (review, optimization)



Helpful commands

  • firewall-cmd --permanent --zone=public --add-service=http - allow HTTP through (add https as well)
  • fail2ban-client reload apache-modsecurity - reload the Apache ModSecurity configuration
  • fail2ban-client status apache-modsecurity - check the status of Apache ModSecurity configuration
  • fail2ban-client get apache-modsecurity failregex - get the regex whose matches cause fail2ban to ban a client (once maxretry is reached)
  • fail2ban-regex /var/log/httpd/error_log '^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(:\d{1,5})?\](?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$' - check the regex
  • h-rules | grep http - list the current http (and https) - there's probably a better way to do this
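
An added example, not taken from the original post or from fail2ban itself: it applies the failregex above to constructed Apache 2.4 error_log lines and works out which clients the jail settings (maxretry = 2, findtime = 3600, ignoreip) would ban. It assumes an IPv4-only stand-in for fail2ban's <HOST> and captures the timestamp that fail2ban strips before matching; would_ban is a name chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings from jail.d/apache-modsecurity.conf above.
MAXRETRY, FINDTIME = 2, timedelta(seconds=3600)
IGNOREIP = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumptions: an IPv4-only stand-in for fail2ban's <HOST>, and a captured
# timestamp where fail2ban itself sees "[]" after stripping the date.
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s\[(?::?error|\S+:\S+)\](?: \[pid \d+(?::\S+ \d+)?\])?'
    r' \[client (?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?\]'
    r'(?: \[client [\d.:]+\])? ModSecurity:\s+'
    r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$')

# Constructed sample lines in Apache 2.4 error_log format.
SAMPLE = """\
[Wed Jan 05 18:00:00.000000 2022] [:error] [pid 1201:tid 140] [client 203.0.113.7:40112] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 18:10:00.000000 2022] [:error] [pid 1201:tid 140] [client 203.0.113.7:40150] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 18:00:00.000000 2022] [:error] [pid 1202:tid 141] [client 198.51.100.9:51200] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 20:00:00.000000 2022] [:error] [pid 1202:tid 141] [client 198.51.100.9:51260] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 18:01:00.000000 2022] [:error] [pid 1203:tid 142] [client 192.168.1.5:33000] [client 192.168.1.5] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 18:02:00.000000 2022] [:error] [pid 1203:tid 142] [client 192.168.1.5:33010] [client 192.168.1.5] ModSecurity: Access denied with code 403 (phase 2). [id "100001"]
[Wed Jan 05 18:03:00.000000 2022] [:error] [pid 1204:tid 143] [client 203.0.113.50:44000] [client 203.0.113.50] ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "100002"]
"""


def would_ban(log_text):
    """Return the client IPs this jail would ban for the given error_log text."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and not any(ipaddress.ip_address(m["host"]) in net for net in IGNOREIP):
            hits[m["host"]].append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"))
    banned = []
    for ip, times in hits.items():
        times.sort()
        # MAXRETRY matches that fit inside one FINDTIME window trigger the ban.
        if any(times[i + MAXRETRY - 1] - times[i] <= FINDTIME
               for i in range(len(times) - MAXRETRY + 1)):
            banned.append(ip)
    return sorted(banned)
```

In the sample, 198.51.100.9 escapes the ban because its two denials are two hours apart, 192.168.1.5 is covered by ignoreip, and the "Warning" line never matches the failregex.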