Category: "LAMP"

Ibexa 4.6 on Rocky 9 - PHP packages

Apologies for the short post. I had trouble with GD - the issue was that I had php-gd instead of php82-gd.

php82-8.2-5.el9.remi.x86_64
php82-php-8.2.21-1.el9.remi.x86_64
php82-php-cli-8.2.21-1.el9.remi.x86_64
php82-php-common-8.2.21-1.el9.remi.x86_64
php82-php-fpm-8.2.21-1.el9.remi.x86_64
php82-php-gd-8.2.21-1.el9.remi.x86_64
php82-php-intl-8.2.21-1.el9.remi.x86_64
php82-php-mbstring-8.2.21-1.el9.remi.x86_64
php82-php-mysqlnd-8.2.21-1.el9.remi.x86_64
php82-php-opcache-8.2.21-1.el9.remi.x86_64
php82-php-pdo-8.2.21-1.el9.remi.x86_64
php82-php-sodium-8.2.21-1.el9.remi.x86_64
php82-php-xml-8.2.21-1.el9.remi.x86_64
php82-runtime-8.2-5.el9.remi.x86_64

Error messages:

[2024-07-13T20:46:04.111489+00:00] request.CRITICAL: Uncaught PHP Exception Symfony\Component\Validator\Exception\LogicException: "Corrupted images detection requires installed and enabled GD extension."
[2024-07-13T21:54:31.829868+00:00] request.CRITICAL: Gd driver not installed {"exception":"[object] (Imagine\\Exception\\NotSupportedException(code: 0): Gd driver not installed

Rocky Linux 9 - wkhtmltopdf

I kept getting a divide by zero error (Signal 8) with wkhtmltopdf under Rocky Linux.

RPM in use: wkhtmltox-0.12.6.1-2.almalinux9.x86_64.rpm (credit to: https://forums.rockylinux.org/t/need-to-install-wkhtmltopdf-for-rocky-linux-9-how/6758/2)

This was running under Ibexa, with Symfony.

I stripped it down to test with the output of the application on the command line and isolated the issue to a <link> tag for Bootstrap 4.3 by commenting out tags until I found which one was causing the issue.

I don't care what the issue was - upgrading Bootstrap to 4.6 worked.

I hope this helps someone - it was frustrating.

 

Who is trying to log into my SSH?

Who is trying to log into my SSH?

grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f1 -d' ' | sort -u

and where are they coming from?

grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f2 -d' ' | sort -u

CentOS 7 - Fail2Ban with Apache ModSecurity


One of the tools I am using to secure a server is Fail2ban. It was working well for SSH and I wanted to extend it to provide more protection for Apache.

I installed it and enabled it.

jail.d/apache-modsecurity.conf

[apache-modsecurity]
enabled = true
backend = auto
port = http,https
filter = apache-modsecurity
logpath = %(apache_error_log)s
bantime = 19200
maxretry = 2
findtime = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

filter.d/apache-modsecurity.conf 

# Fail2Ban apache-modsec filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s(?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$
ignoreregex =

# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
# Author: Daniel Black
# Sergey G. Brester aka sebres (review, optimization)



Helpful commands

  • firewall-cmd --permanent --zone=public --add-service=http - allow HTTP through (add https as well)
  • fail2ban-client reload apache-modsecurity - reload the Apache ModSecurity configuration
  • fail2ban-client status apache-modsecurity - check the status of Apache ModSecurity configuration
  • fail2ban-client get apache-modsecurity failregex - get the expanded regex whose matches count towards a ban (once maxretry is reached)
  • fail2ban-regex /var/log/httpd/error_log '^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(:\d{1,5})?\](?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$' - check the regex
  • h-rules | grep http - list the current http (and https) - there's probably a better way to do this
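
To see what this jail actually bans, here is an added example (not from the original post and not fail2ban's own code) that runs the expanded failregex over constructed error_log lines and applies the jail's maxretry, findtime and ignoreip values. It assumes IPv4 clients and Apache 2.4 timestamps, and approximates fail2ban's date handling by replacing the leading timestamp with [].

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Jail values from jail.d/apache-modsecurity.conf above.
MAXRETRY, FINDTIME = 2, timedelta(seconds=3600)
IGNOREIP = [ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Expanded failregex from the page, reduced to the IPv4 branch of <HOST>
# (assumption made here for brevity: IPv4 clients only).
FAILREGEX = re.compile(
    r'^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? '
    r'\[client (?P<ip4>(?:\d{1,3}\.){3}\d{1,3})(:\d{1,5})?\]'
    r'(?: \[client [\d\.:]+\])? ModSecurity:\s+'
    r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$')

# Constructed Apache 2.4 error_log lines (documentation address ranges).
SAMPLE_LOG = """\
[Sat Jul 13 18:00:00.000000 2024] [:error] [pid 1200] [client 198.51.100.20:40100] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/"]
[Sat Jul 13 20:46:04.111489 2024] [:error] [pid 1201] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/"]
[Sat Jul 13 20:50:10.000001 2024] [:error] [pid 1201] [client 198.51.100.9:40000] ModSecurity: Warning. Pattern match "select" at ARGS:q. [id "1000"] [uri "/search"]
[Sat Jul 13 21:10:00.500000 2024] [security2:error] [pid 1202:tid 140] [client 203.0.113.7:51301] ModSecurity: Access denied with code 403 (phase 2). [id "1001"] [uri "/"]
[Sat Jul 13 21:15:00.000000 2024] [:error] [pid 1202] [client 192.168.1.5:50000] ModSecurity: Access denied with code 403 (phase 1). [id "1002"] [uri "/admin"]
[Sat Jul 13 21:16:00.000000 2024] [:error] [pid 1202] [client 192.168.1.5:50001] ModSecurity: Access denied with code 403 (phase 1). [id "1002"] [uri "/admin"]
[Sat Jul 13 21:30:00.000000 2024] [:error] [pid 1203] [client 198.51.100.20:40200] ModSecurity: Access denied with code 403 (phase 2). [id "1000"] [uri "/"]
"""

def parse(line):
    """Return (timestamp, ip) for a ModSecurity denial line, else None."""
    pre = re.match(r'^\[([^\]]*)\](.*)$', line)
    # Approximation: fail2ban cuts the matched date out first, leaving "[]".
    m = pre and FAILREGEX.match("[]" + pre.group(2))
    if not m:
        return None
    return datetime.strptime(pre.group(1), "%a %b %d %H:%M:%S.%f %Y"), m.group("ip4")

def banned_hosts(log):
    """IPs with MAXRETRY denials inside FINDTIME, skipping ignoreip ranges."""
    hits, banned = {}, []
    for line in log.splitlines():
        hit = parse(line)
        if hit is None or any(ip_address(hit[1]) in net for net in IGNOREIP):
            continue
        when, ip = hit
        hits[ip] = [t for t in hits.get(ip, []) if when - t <= FINDTIME] + [when]
        if len(hits[ip]) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned
```

Only 203.0.113.7 is banned here: the "Warning." line (ModSecurity in detection-only mode) never matches the filter, 192.168.1.5 falls inside ignoreip, and the two denials for 198.51.100.20 are more than findtime apart.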

Find the PHP session files that are older than 24 minutes

sudo find /var/lib/php/session -mmin +24 -type f -exec ls -l {} \;

Yes, that's the whole post