Category: "LAMP"

Who is trying to log into my SSH?
Dec 17th
Who is trying to log into my SSH?
grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f1 -d' ' | sort -u
and where are they coming from?
grep -i 'from invalid user' secure | sed "s/.* invalid user \([^ ]\+ [^ ]\+\) port .*/\1/i" | cut -f2 -d' ' | sort -u

CentOS 7 - Fail2Ban with Apache ModSecurity
Oct 16th
One of the tools I am using to secure a server is Fail2ban. It was working well for SSH and I wanted to extend it to provide more protection for Apache.
I installed it and enabled it.
jail.d/apache-modsecurity.conf
[apache-modsecurity]
enabled = true
backend = auto
port = http,https
filter = apache-modsecurity
logpath = %(apache_error_log)s
bantime = 19200
maxretry = 2
findtime = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
filter.d/apache-modsecurity.conf
# Fail2Ban apache-modsec filter
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s(?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$
ignoreregex =
# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
# Author: Daniel Black
# Sergey G. Brester aka sebres (review, optimization)
Helpful commands
- firewall-cmd --permanent --zone=public --add-service=http - allow HTTP through (add https as well)
- fail2ban-client reload apache-modsecurity - reload the Apache ModSecurity configuration
- fail2ban-client status apache-modsecurity - check the status of Apache ModSecurity configuration
- fail2ban-client get apache-modsecurity failregex - get the regex whose matches fail2ban counts toward a ban (once maxretry is reached)
- fail2ban-regex /var/log/httpd/error_log '^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(:\d{1,5})?\](?: \[client [\d\.:]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$' - check the regex
- h-rules | grep http - list the current http (and https) - there's probably a better way to do this
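To see how the filter and the jail settings above work together, here is an added Python sketch (not part of the original post and not fail2ban's own code) that applies the expanded failregex to Apache error log lines and reports which clients reach maxretry = 2 within findtime = 3600. The log lines are constructed, <HOST> is narrowed to IPv4, and the window handling only approximates what fail2ban does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY, FINDTIME = 2, timedelta(seconds=3600)  # maxretry / findtime from the jail
# failregex from the filter with %(_apache_error_client)s written out;
# <HOST> is narrowed to IPv4 (assumption made to keep this sketch short).
FAILREGEX = re.compile(
    r'^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? '
    r'\[client (?P<ip4>(?:\d{1,3}\.){3}\d{1,3})(:\d{1,5})?\]'
    r'(?: \[client [\d\.:]+\])? ModSecurity:\s+'
    r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*'
    r'Access denied with code [45]\d\d (?:.*)$')
# Leading Apache 2.4 timestamp, e.g. [Wed Oct 16 10:15:02.123456 2019]
TIMESTAMP = re.compile(r'^\[(\w{3} \w{3} \d{2} [\d:]{8})\.\d+ (\d{4})\]')

def parse(line):
    """Return (time, ip) if the line is a ModSecurity denial, else None."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    # fail2ban cuts the recognised date out of the line, hence the leading "[]".
    hit = FAILREGEX.match('[]' + line[ts.end():])
    if not hit:
        return None
    when = datetime.strptime(f'{ts[1]} {ts[2]}', '%a %b %d %H:%M:%S %Y')
    return when, hit['ip4']

def bans(lines):
    """Map each IP to the time it reached MAXRETRY hits inside FINDTIME."""
    recent, banned = defaultdict(list), {}
    for when, ip in filter(None, map(parse, lines)):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if when - t < FINDTIME] + [when]
        if len(recent[ip]) >= MAXRETRY:
            banned[ip] = when
    return banned

SAMPLE_LOG = [  # constructed for this example, not taken from a real server
    '[Wed Oct 16 10:15:02.100000 2019] [:error] [pid 1234] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [uri "/index.php"]',
    '[Wed Oct 16 10:15:09.100000 2019] [authz_core:error] [pid 1234] [client 198.51.100.20:40000] AH01630: client denied by server configuration: /var/www/html/.git',
    '[Wed Oct 16 10:40:30.100000 2019] [:error] [pid 1234] [client 203.0.113.7:51301] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "941100"] [uri "/search.php"]',
    '[Wed Oct 16 10:41:00.100000 2019] [:error] [pid 1234] [client 198.51.100.20:40010] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [uri "/login.php"]',
    '[Wed Oct 16 12:05:00.100000 2019] [:error] [pid 1234] [client 198.51.100.20:40022] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [uri "/login.php"]',
]

if __name__ == '__main__':
    print(bans(SAMPLE_LOG))
```

Only 203.0.113.7 is reported: the authz_core line is not a ModSecurity denial, and the two denials from 198.51.100.20 are more than findtime apart.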

Find the PHP session files that are older than 24 minutes
Jul 21st
sudo find /var/lib/php/session -mmin +24 -type f -exec ls -l {} \;
Yes, that's the whole post

Apache 2.4 virtual host specific PHP-FPM error logs
Jul 13th
If you are using PHP-FPM with Apache and you would like to separate the error logging by user, directory or virtual host, you can use the ProxyFCGISetEnvIf directive.
In a server level Apache .conf file
<Directory /home/user/public_html>
ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "error_log=/var/log/php-fpm/user/error.log"
</Directory>
In this case, the error log for user would be
/var/log/php-fpm/user/error.log
Set up the ACL (AMI 2 Linux)
setfacl -m u:user:x /var/log/php-fpm
setfacl -m u:user:rx /var/log/php-fpm/user
setfacl -d -m u:user:r /var/log/php-fpm/user
Test it with
sudo su user
more /var/log/php-fpm/user/error.log
Credit to:
https://www.php.net/manual/en/install.fpm.configuration.php#123335

AMI - upgrade PHP from 7.1 to 7.3
Oct 17th
Don't do this on a production system
I ran this on an Amazon Linux AMI - it's probably fine on CentOS, etc.
Get all the PHP 7.1 packages and make a file called php. You might have to change the .x86_64 to .i386/.i686
sudo yum list installed 'php71*' | grep php | cut -f1 -d' ' | sed 's/\.x86_64$//' | tr "\n" ' ' | sed "s/71/73/g" > php
Remove PHP 7.1 (remember I said not to do this on a production machine)
sudo yum remove php71*
Now edit your php file and add
sudo yum install at the beginning of the list of packages
It should look something like this
sudo yum install php73 php73-cli php73-common php73-gd php73-imap php73-intl php73-json php73-mbstring php73-mysqlnd php73-opcache php73-pdo php73-pecl-apcu php73-pecl-igbinary php73-pecl-memcached php73-pgsql php73-process php73-soap php73-xml
Run the php file with
source php
And, if you are using memcached, run this too
sudo yum install php7-pear php73-devel
sudo pecl7 install memcached
sudo pecl7 update-channels
Add this into php.ini somewhere ...
extension=memcached.so
Restart Apache
sudo apachectl restart
Bask in the glory