• What is LogJam Attack ?

    What is LogJam Attack ?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is Affected ?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk from the Logjam attack.

    How to prevent this on the application side?
    Update your application's SSL configuration (ssl.conf) with an updated SSLCipherSuite that excludes export-grade ciphers, and restart the service.

    1) Apache
    Disable support for SSLv2 and SSLv3, enable TLS only, and explicitly allow/disallow specific ciphers in the given order:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on

    2) Nginx
    ssl_prefer_server_ciphers on;

    3) Apache Tomcat (in server.xml)

    4) Postfix (/etc/postfix/main.cf)
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

    5) Sendmail (LOCAL_CONFIG section of your /etc/mail/sendmail.mc)
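    A quick way to check that a configuration file actually matches the advice above, as an added example that is not part of the original post: it scans Apache, Nginx and Postfix directive lines for SSLv3 still being offered and for cipher lists that do not explicitly exclude export-grade suites. The sample configuration at the bottom is constructed; the functions only inspect the text and do not expand cipher strings the way "openssl ciphers -v" would, so a clean result means "follows the post's advice", not proof that no weak suite is negotiable.

```shell
#!/bin/sh
# Added example, not part of the original post: a conservative audit of the
# protocol and cipher directives the post tells you to change. It reads the
# configuration text only (Apache, Nginx and Postfix syntax).
set -f   # we word-split untrusted config text; never let the shell glob it

# Split one directive line into "name value value ..." tokens, treating
# "=", ":" and "," as separators so Postfix and cipher-string syntax line up
# with Apache/Nginx syntax.
tokens() { printf '%s' "$1" | tr ',=:' '   '; }

# Returns 0 if the protocol directive on the given line would still offer
# SSLv3, 1 otherwise. Apache's SSLProtocol is additive/subtractive with the
# last matching token winning; Nginx's ssl_protocols enumerates what is on;
# Postfix's smtpd_tls_mandatory_protocols is exclusive ("!SSLv3") unless a
# positive protocol name appears, in which case it is inclusive.
protocol_line_allows_sslv3() {
    set -- $(tokens "$1")
    directive=$1; shift
    allow=0
    case "$directive" in
        SSLProtocol)
            for tok in "$@"; do
                case "$tok" in
                    [Aa][Ll][Ll]|+[Aa][Ll][Ll]|SSLv3|+SSLv3) allow=1 ;;
                    -SSLv3) allow=0 ;;
                esac
            done ;;
        ssl_protocols)
            for tok in "$@"; do
                case "$tok" in SSLv3*) allow=1 ;; esac
            done ;;
        smtpd_tls_mandatory_protocols)
            positive=0; listed=0; excluded=0
            for tok in "$@"; do
                case "$tok" in
                    '!SSLv3') excluded=1 ;;
                    '!'*) ;;
                    SSLv3) positive=1; listed=1 ;;
                    *) positive=1 ;;
                esac
            done
            if [ "$positive" -eq 1 ]; then allow=$listed; else allow=$((1 - excluded)); fi ;;
    esac
    [ "$allow" -eq 1 ]
}

# Returns 0 if the cipher directive lacks an explicit exclusion of export
# suites (the post's Logjam fix), 1 if it excludes them.
cipher_line_keeps_export() {
    set -- $(tokens "$1")
    directive=$1; shift
    excluded=0
    for tok in "$@"; do
        case "$directive/$tok" in
            "SSLCipherSuite/!EXP"*|"ssl_ciphers/!EXP"*) excluded=1 ;;
            "smtpd_tls_mandatory_exclude_ciphers/EXP"*) excluded=1 ;;
        esac
    done
    [ "$excluded" -eq 0 ]
}

# Audit a whole file: prints one finding per offending directive and returns
# 0 when there are none. Comments and leading whitespace are stripped first.
tls_audit_file() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            SSLProtocol*|ssl_protocols*|smtpd_tls_mandatory_protocols*)
                if protocol_line_allows_sslv3 "$line"; then
                    echo "SSLv3 still offered: $line"; hits=$((hits + 1))
                fi ;;
            SSLCipherSuite*|ssl_ciphers*|smtpd_tls_mandatory_exclude_ciphers*)
                if cipher_line_keeps_export "$line"; then
                    echo "export ciphers not excluded: $line"; hits=$((hits + 1))
                fi ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1")
EOF
    [ "$hits" -eq 0 ]
}

# Constructed sample mixing good and bad settings; the two Apache lines are
# reported, the Nginx and Postfix lines pass.
demo_tls_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# apache (still allows SSLv3 and has no export exclusion)
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL
SSLHonorCipherOrder on
# nginx (fine)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!EXPORT;
# postfix (fine)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5
EOF
    tls_audit_file "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
demo_tls_audit || echo "findings above need attention"
```

    Run it against your real files with "tls_audit_file /etc/httpd/conf.d/ssl.conf" (or the Nginx/Postfix equivalent); a non-zero exit status makes it usable from a cron job or a deployment check.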


    Reference : https://weakdh.org

  • POODLE: SSLv3.0 vulnerability

    What is POODLE ?

    POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

    How to Fix ?

    At present there is no patch for this bug, so admins need to disable SSLv3 on their servers manually.

    Disable SSLv3 – Apache

    1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf

    2) Restart the apache service.

    Disable SSLv3 – Nginx

    1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.

    2) Restart the nginx service.

    Disable SSLv3 – Postfix

    1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"

    2) Restart the postfix server.

    Disable SSLv3 – Weblogic

    Start weblogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"

    How to Diagnose ?

    # openssl s_client -connect localhost:443 -ssl3

    ==> If you have already disabled SSLv3, the output will be as follows:

    20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    ==> If you have not disabled SSLv3 and you get the following output, your server is vulnerable to POODLE!!

    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
    verify return:1

    Certificate chain
     0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
       i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/[email protected]
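    The diagnosis above is done by eye; the following added example (not part of the original post) turns the "openssl s_client -ssl3" output into a verdict so the check can be scripted over many hosts. The sample outputs are constructed from the lines shown in the post; the third sample models a modern openssl that was built without SSLv3 support and rejects the -ssl3 option, which is the usual reason the probe cannot run today and must be reported as inconclusive rather than as "disabled".

```shell
#!/bin/sh
# Added example, not from the original post: classify "openssl s_client -ssl3"
# output. The samples at the bottom are constructed from the post's output.

# Reads s_client output on stdin, prints one word, and returns:
#   disabled     (0) - the server refused the SSLv3 handshake
#   vulnerable   (1) - the handshake completed and a certificate chain came back
#   inconclusive (2) - the local openssl cannot speak SSLv3, or the connection
#                      failed before any handshake; nothing was proven
sslv3_probe_verdict() {
    out=$(cat)
    case "$out" in
        *"Unknown option"*|*"unknown option"*)
            echo inconclusive; return 2 ;;
        *"Certificate chain"*|*"SSL-Session:"*)
            echo vulnerable; return 1 ;;
        *"alert handshake failure"*|*"alert number 40"*|*"alert protocol version"*|*"unsupported protocol"*)
            echo disabled; return 0 ;;
        *)
            echo inconclusive; return 2 ;;
    esac
}

# Probe one host. Usage: probe_sslv3 <host> [port]; exit status as above.
# </dev/null closes s_client's stdin so it does not sit waiting for input.
probe_sslv3() {
    openssl s_client -connect "$1:${2:-443}" -ssl3 </dev/null 2>&1 | sslv3_probe_verdict
}

# Classify a saved capture: verdict_for "$text"
verdict_for() { printf '%s\n' "$1" | sslv3_probe_verdict; }

# Constructed samples: trimmed copies of the post's two outputs plus the
# failure printed by an openssl built without SSLv3.
SAMPLE_REFUSED='20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'
SAMPLE_ACCEPTED='depth=0 /C=SomeCountry/ST=SomeState/O=Example Pte Ltd/CN=453232-example
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=SomeCountry/ST=SomeState/O=Example Pte Ltd/CN=453232-example
   i:/C=SomeCountry/ST=SomeState/O=Example Pte Ltd/CN=453232-example'
SAMPLE_NO_SSLV3='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'

for s in "$SAMPLE_REFUSED" "$SAMPLE_ACCEPTED" "$SAMPLE_NO_SSLV3"; do
    verdict_for "$s" || :
done
```

    For a fleet, loop "probe_sslv3 host 443" over your host list and treat only "disabled" as a pass; an "inconclusive" result means the probe itself needs an openssl build that still supports SSLv3.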

    Reference :-



  • CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

    After a couple of days of trouble, today we got a fix from CentOS for the famous bash security issue (for the known loopholes CVE-2014-6271 & CVE-2014-7169).

    CentOS 5 Fix :-

    * i386:
    (sha256sum) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 : bash-3.2-33.el5_10.4.i386.rpm

    * x86_64:
    (sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c : bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6 Fix :-

    * x86_64:

    * i386:

    Test Output :-

    [root@ ~]# rpm -qa | grep bash

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    [root@ ~]#

    * After updating to the latest bash rpm.

    [root@ ~]# rpm -qa | grep bash
    [root@ ~]#

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    [root@ ~]#
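    The two manual steps above, verifying the package against the published sha256sum and running the parser test, as an added example that is not part of the original post. Both are wrapped in functions that return a status rather than output you read by eye; the "hello" test file and the scratch directory are constructed for the demo, and the parser test is the exact command line shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: scripted versions of the
# checksum check and the CVE-2014-7169 parser test above.

# Compare a downloaded package against an expected SHA-256, e.g. the sums the
# post lists for the CentOS 5 rpms. Returns 0 on match, 1 on mismatch.
# Usage: sha256_matches <file> <expected-hex>
sha256_matches() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS/BSD fallback
    fi
    [ "$actual" = "$2" ]
}

# Run the post's CVE-2014-7169 test in a scratch directory. On a vulnerable
# bash the trailing backslash leaves the parser with a pending ">" redirection,
# so "echo date" is run as "date > echo" and a file named "echo" appears in
# the current directory; on a patched bash nothing is created.
# Prints vulnerable / patched / no-bash and returns 1 / 0 / 2.
shellshock_7169_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    scratch=$(mktemp -d) || { echo no-scratch; return 2; }
    ( cd "$scratch" && env X='() { (a)= >\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"; echo vulnerable; return 1
    fi
    rm -rf "$scratch"; echo patched; return 0
}

# Demo: verify a constructed file against its known sum, then run the test.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
# SHA-256 of the six bytes "hello\n"
if sha256_matches "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
    echo "checksum ok"
else
    echo "checksum MISMATCH"
fi
rm -f "$demo_file"
shellshock_7169_check || :
```

    Before installing the rpm, call "sha256_matches bash-3.2-33.el5_10.4.x86_64.rpm b1e14edd...642c" with the full sum from the list above; after installing, "shellshock_7169_check" should print "patched".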


    Reference :-


  • shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

    Today I saw an interesting error while restarting apache:
    ]# /etc/init.d/httpd restart
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    Stopping httpd: [ OK ]
    Starting httpd: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    [ OK ]
    Maybe you also face this, or have already faced it.
    Don't be surprised... just do a "cd /", or cd to any directory; it will fix the error!! 😉

    Why this error?
    Usually the current working directory (CWD) no longer exists (in my case I had deleted the folder from another shell and was trying to restart apache).

  • Moin Moin Wiki Active Directory Integration

    I was trying to set up AD integration for our MoinMoin wiki. Unfortunately I couldn't find much straightforward documentation on this. Here I am sharing my settings, which worked pretty well.

    I have created a user wiki.admin in the AD and used that to query the Active Directory.


    # Active Directory authentication starts here
    from MoinMoin.auth.ldap_login import LDAPAuth
    # The setting lines after several of the comments below were missing from
    # the post's copy; the keywords restored here are MoinMoin's documented
    # LDAPAuth options, and server_uri is a placeholder for your AD host.
    ldap_authenticator1 = LDAPAuth(
        server_uri = 'ldap://AD-SERVER-PLACEHOLDER',
        # the wiki.admin account created in AD, in UPN form (the post's copy had the address redacted)
        bind_dn = 'wiki.admin@adminlogs.info',
        bind_pw = 'password',
        base_dn = 'DC=adminlogs,DC=info',
        # LDAP REFERRALS (0 needed for AD)
        referrals_off = True,
        search_filter = '(sAMAccountName=%(username)s)',
        # often 'givenName' - ldap attribute we get the first name from
        givenname_attribute = 'givenName',
        # often 'sn' - ldap attribute we get the family name from
        surname_attribute = 'sn',
        # often 'displayName' - ldap attribute we get the aliasname from
        aliasname_attribute = 'displayName',
        coding = 'utf-8',
        timeout = 10,
        # set to True to automatically create/update user profiles
        autocreate = True,
        # whether to emit "invalid username or password" msg at login time or not
        report_invalid_credentials = True,
    )
    # this is a list, you may have multiple ldap authenticators as well as other authenticators
    auth = [ldap_authenticator1, ]
    # no anon user sessions, 1h session lifetime for logged-in users
    cookie_lifetime = (1, 1)
    # Active Directory authentication ends here


    Add the above to your wikiconfig.py file and restart apache. That's it!! You will be able to authenticate using Active Directory credentials 🙂

  • New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

    Recently some folks reported an interesting and nasty bug in PHP which allows an intruder to view source code and access the file system.

    As per the update from PHP (http://php.net), this bug went unnoticed for at least the past 8 years.

    # Who all are affected ?

    If you are using Apache mod_cgi to run PHP you may be vulnerable to this bug.

    # Are you safe ?

    Just pass the argument "?-s" to any of your PHP pages and see. Are you shocked???
    If you pass the following arguments to your site, say example.com:

    1) http://example.com/index.php?-s
    Will dump the source code of the file index.php (in simple words, it will display the contents of the file index.php).

    2) http://example.com/index.php?-dauto_prepend_file%3d/etc/passwd+-n
    Will display your /etc/passwd file!

    # Which all php versions are affected ?

    The PHP Group: PHP 5.3.10, 5.3.11, 5.4.0 and 5.4.1

    # How to fix ?

    To fix this, upgrade your php to PHP 5.3.12 or PHP 5.4.2.

    # Any Patch ?

    Yes, PHP has provided a temporary workaround. I have tested and confirmed (on PHP 5.3.10) that this closes the loophole.
    Apply the following rewrite rule in your site's DocumentRoot .htaccess file.

             # mod_rewrite must be switched on once in the .htaccess for the rules below to apply
             RewriteEngine On
             # a query string that starts with "-" (or %2d) and carries no "=" would reach
             # php-cgi as command-line options; drop the query string before that happens
             RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
             RewriteRule ^(.*) $1? [L]
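    Before deploying the rule it helps to see exactly which query strings it strips and why its regex is shaped the way it is; the following is an added example, not part of the original post. The query strings are constructed test inputs (two of them are the post's own examples). The function names query_becomes_argv, rewrite_rule_strips and rule_consistent are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate query strings against
# the .htaccess workaround above.

# RFC 3875 section 4.4: a CGI server passes the query string to the script as
# command-line arguments only when it contains no unencoded "=". That is why
# "?-s" reaches php-cgi as the option "-s" while "?page=1" never does, and
# why the rule only needs to match query strings without an "=".
# Returns 0 when php-cgi would receive the query string as argv.
query_becomes_argv() {
    case "$1" in
        '')  return 1 ;;   # empty: nothing to pass
        *=*) return 1 ;;   # has "=": stays in QUERY_STRING
        *)   return 0 ;;
    esac
}

# The post's RewriteCond: starts with "-" (or URL-encoded "%2d") and contains
# no "=". [NC] makes it case-insensitive, so "%2D" is covered too.
# Returns 0 when the rule would fire and strip the query string.
rewrite_rule_strips() {
    printf '%s' "$1" | grep -Eiq '^(%2d|-)[^=]+$'
}

# A query that php-cgi would turn into an option (argv, first word starting
# with "-" or "%2d") must be stripped; everything else should pass untouched.
# Returns 0 when the rule's behaviour on $1 is consistent with that.
rule_consistent() {
    if query_becomes_argv "$1" && printf '%s' "$1" | grep -Eiq '^(%2d|-)'; then
        rewrite_rule_strips "$1"
    else
        ! rewrite_rule_strips "$1"
    fi
}

# Print a table for the constructed inputs.
demo() {
    for q in '-s' '%2Ds' '-dauto_prepend_file%3d/etc/passwd+-n' 'page=1' '-d+foo=bar' 'a+b'; do
        if query_becomes_argv "$q"; then reach=argv; else reach=QUERY_STRING; fi
        if rewrite_rule_strips "$q"; then action=stripped; else action=passed; fi
        printf '%-12s %-9s ?%s\n' "$reach" "$action" "$q"
    done
}
demo
```

    The table shows the property that makes the rule safe to deploy: the only requests it touches are those php-cgi would have parsed as options, so ordinary "?key=value" pages are never affected.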


    # More Reference ?

  • STrace : Third Eye of a System Admin


    It was a Monday early morning; I got a call from my SL1 team offshore. It was regarding a unique issue with one application hosted on the Apache Tomcat platform. After the initial investigation, the team updated the following and escalated the ticket to my queue.

    1) Site was not loading / 500 Internal Server Error
    2) Apache error log was throwing "Premature End of Script"

    I started to work on the issue and found that the "php" processes for that site were hitting the maximum allowed connections in Apache. I couldn't find any more info in the Apache logs.

    For example, if adminlogs.info is the site and "admin" is the username, 50 is the maximum allowed number of connections.

    # ps aux | grep admin | wc -l

    I decided to kill all these processes and restart Apache. As expected, the site started to work as normal. But after a few minutes it again hit the limit of 50!!!! I felt something was stuck somewhere and the process cycle was not completing properly.

    And finally it was time to take a deeper look at the issue!!

    strace: strace is an excellent diagnostic tool for Linux admins which traces the system calls and signals of a process.

    I decided to use strace to dig into the above-mentioned process; for example, if the pid is "12345":

    1) [email protected]:~ # strace -f -p 12345
    Process 27776 attached – interrupt to quit
    select (1024, [13], [], NULL, NULL

    Here it clearly shows the system call is stuck in "select". Unfortunately, in the earlier stage of the investigation we were not able to find/understand file descriptor #13.

    (In the above strace output, the first argument (1024) is the max number of file descriptors in a set, the second ([13]) is the set of file descriptors polled for reading, and the third ([], an empty set) is the set of file descriptors polled for writing.)

    2) We can see the details of file descriptor 13 using the "lsof" command as follows:

    [email protected]:~ # lsof  -p 27776

    php-5.3.6 27009 dw02290c   13u IPv4 1612251401                 TCP server.web-global.com:49062->ldap-global4.com:ldap(ESTABLISHED)

    The above "lsof" output revealed that file descriptor "13u" is stuck in a connection to a remote/backend LDAP server. The process did not get any response from the remote LDAP server and hence became stuck/hung.

    3) I confirmed the above connection using the netstat command also:

    [email protected]:~ # netstat -a | grep  ldap-global4.com
    tcp        0      0 server.web-global.com:49062  ldap-global4.com:ldap  ESTABLISHED

    4) Then we advised the client to remove the problem LDAP server "ldap-global4.com" from the configured server pool of their application (the issue was present on the staging site also), and later deployed the change to the live site after testing on the staging server.
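    The strace-to-lsof correlation above was done by hand; the following added example (not part of the original post) automates it. It takes the fd a process is blocked on from a strace line and looks it up in "lsof -p" output to name the remote endpoint. The sample lines are copied from the post's output; the live wrapper at the end assumes strace, lsof and GNU timeout are installed and that you are allowed to attach to the process.

```shell
#!/bin/sh
# Added example, not from the original post: map a blocking syscall's fd to
# the lsof NAME column (for a socket, "local->remote (STATE)").

# Extract the fd from a blocking syscall line. Handles the select() form shown
# in the post (first fd of the read set), read/recv/recvfrom(fd, ...) and
# poll([{fd=N, ...}]). Prints nothing if the line is not recognised.
blocked_fd() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[^(]*select *([0-9]*, *\[\([0-9]*\).*/\1/p' \
        -e 's/^[^(]*read *(\([0-9]*\),.*/\1/p' \
        -e 's/^[^(]*recv *(\([0-9]*\),.*/\1/p' \
        -e 's/^[^(]*recvfrom *(\([0-9]*\),.*/\1/p' \
        -e 's/^[^(]*poll *(\[{fd=\([0-9]*\),.*/\1/p'
}

# Print the NAME column of the lsof -p line for fd $1 (lsof output on stdin).
# For sockets lsof prints the name after the TCP/UDP column; for files the
# name is the last field.
lsof_fd_name() {
    awk -v fd="$1" '
        $4 ~ ("^" fd "[rwu]$") {
            start = NF
            for (i = 5; i <= NF; i++) if ($i == "TCP" || $i == "UDP") { start = i + 1; break }
            out = ""
            for (i = start; i <= NF; i++) out = out (i > start ? " " : "") $i
            print out; exit
        }'
}

# Correlate captured text (works offline).
# Usage: explain_block <strace line> <lsof output>
explain_block() {
    fd=$(blocked_fd "$1")
    if [ -z "$fd" ]; then echo "no blocking fd recognised in: $1"; return 1; fi
    name=$(printf '%s\n' "$2" | lsof_fd_name "$fd")
    printf 'fd %s: %s\n' "$fd" "${name:-not found in lsof output}"
}

# Live version: attach for three seconds and take the first blocking call seen.
# Assumes GNU timeout and grep -m, strace, lsof, and ptrace permission.
explain_block_live() {
    line=$(timeout 3 strace -p "$1" 2>&1 | grep -m 1 -E 'select|poll|read|recv')
    explain_block "$line" "$(lsof -p "$1" 2>/dev/null)"
}

# Constructed from the post's strace and lsof output.
STRACE_LINE='select (1024, [13], [], NULL, NULL'
LSOF_SAMPLE='COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
php-5.3.6 27009 dw02290c  cwd    DIR        8,1     4096  123 /
php-5.3.6 27009 dw02290c   13u IPv4 1612251401                 TCP server.web-global.com:49062->ldap-global4.com:ldap(ESTABLISHED)'
explain_block "$STRACE_LINE" "$LSOF_SAMPLE"
```

    On the post's data this prints "fd 13: server.web-global.com:49062->ldap-global4.com:ldap(ESTABLISHED)", which is the answer the investigation took several steps to reach; with "explain_block_live <pid>" it is one command against a hung worker.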

    Hope this will be helpful to some of my friends facing such issues in the future.

  • 101 tricks to increase your Apache Web Server Performance

    There are no tricks or shortcuts to tune Apache for maximum performance. In my experience, it takes a minimum of 10 to 15 days of tweaking to get maximum performance out of the webserver. There are also other bottlenecks like bad coding, cross-over scripting, improperly indexed tables and hardware issues, so if your webserver is slow, check for those before blaming Apache.

    I would like to share some Apache performance tuning methods to boost your server performance by a minimum of 20 to 40%.

    A healthy body hosts a healthy life and mind: the first and most important thing is to select good hardware for your webserver.

    A webserver should have a strong CPU, a fast network card and plenty of RAM. As with other services, RAM is the most important spec; never force a webserver to swap. Selecting the above also depends on the number of websites hosted and the network traffic. If you are hosting a normal website with average traffic, I suggest at least 4 GB of RAM.

    Old is not always gold: if you need the fastest webserver, go for the latest software.

    Select the latest stable OS and software to set up a perfect web server. Most vendors introduce significant performance improvements in new versions.
    Also update all the 3rd-party software on your server to the latest version to avoid vulnerabilities.

    Load less and perform more: compile-time configuration options

    1) Load only the necessary modules :-

    Apache is a modular program, which gives admins great control over which modules to select at installation time or later.

    We can compile Apache in two ways, as a static binary or with Dynamic Shared Object (DSO) support. The advantage of DSO over static is that if we compile Apache with DSO (--enable-so), we can add or drop modules without disturbing the running Apache, using the "apxs" tool. With a static installation, you need to recompile the whole of Apache to include an additional module. For more details visit: LAMP server setup

    2) Select the appropriate MPM :-

    Apache comes with a list of Multi-Processing Modules (MPMs). The MPM is responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. We can choose the appropriate MPM as per our requirements. To know more about Apache MPM modules refer here:

    3) Process handling :-

    For example ,

    • StartServers 10
    • MinSpareServers 10
    • MaxSpareServers 25
    • ServerLimit 300
    • MaxClients 300
    • MaxRequestsPerChild 10000

    With the above configuration, we start with 10 processes, keep 10 to 25 spare, and set a top limit of 300. Anything above this number will cause serious swapping and thrashing under load.

    The StartServers directive sets the number of child server processes created on startup. As the number of processes is dynamically controlled depending on the load, there is usually little reason to adjust this parameter.

    The MinSpareServers directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer than MinSpareServers idle, then the parent process creates new children at a maximum rate of 1 per second.

    The MaxSpareServers directive sets the desired maximum number of idle child server processes. An idle process is one which is not handling a request. If there are more than MaxSpareServers idle, then the parent process will kill off the excess processes.

    Tuning of this parameter should only be necessary on very busy sites. Setting this parameter to a large number is almost always a bad idea. If you try to set the value lower than MinSpareServers, Apache will automatically adjust it to MinSpareServers + 1.

    The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire.

    Note that when more connections are attempted than there are workers, the connections are placed into a queue. The default queue size is 511 and can be adjusted with the ListenBackLog directive (the maximum length of the queue of pending connections). Generally no tuning is needed or desired; however, on some systems it is desirable to increase this when under a TCP SYN flood attack.
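    The warning that too high a MaxClients causes swapping is easy to state and easy to get wrong in practice, so here is a sizing check as an added example, not part of the original post. It derives the largest MaxClients that fits in RAM and then validates a candidate prefork block against the relationships described above (ServerLimit caps MaxClients; MaxSpareServers must exceed MinSpareServers or Apache raises it to MinSpareServers + 1). The memory figures are constructed inputs; measure your own resident size per httpd child with "ps -o rss= -C httpd" and allow for the database and OS. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: prefork sizing and sanity check.

# Largest MaxClients that still leaves <reserved_mb> for everything else.
# Usage: max_clients_for_ram <total_ram_mb> <reserved_mb> <avg_child_rss_mb>
max_clients_for_ram() {
    total=$1; reserved=$2; per_child=$3
    [ "$per_child" -gt 0 ] || return 1
    avail=$((total - reserved))
    if [ "$avail" -le 0 ]; then echo 0; else echo $((avail / per_child)); fi
}

# Validate a prefork block. Prints one line per problem and returns 0 when
# there is none.
# Usage: check_prefork <StartServers> <MinSpareServers> <MaxSpareServers> \
#                      <ServerLimit> <MaxClients> <max_clients_that_fit>
check_prefork() {
    start=$1; minspare=$2; maxspare=$3; limit=$4; clients=$5; fit=$6
    problems=0
    if [ "$clients" -gt "$limit" ]; then
        echo "MaxClients $clients exceeds ServerLimit $limit: Apache caps it at $limit"
        problems=$((problems + 1))
    fi
    if [ "$maxspare" -le "$minspare" ]; then
        echo "MaxSpareServers $maxspare is not above MinSpareServers $minspare: Apache uses $((minspare + 1))"
        problems=$((problems + 1))
    fi
    if [ "$start" -gt "$maxspare" ]; then
        echo "StartServers $start is above MaxSpareServers $maxspare: the idle extras are killed right after startup"
        problems=$((problems + 1))
    fi
    if [ "$clients" -gt "$fit" ]; then
        echo "MaxClients $clients does not fit in RAM: at most $fit children before the box swaps"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo with the post's values on a constructed 4 GB box: 512 MB reserved for
# the OS and database, 15 MB resident per httpd child.
fits=$(max_clients_for_ram 4096 512 15)      # 238
echo "children that fit: $fits"
check_prefork 10 10 25 300 300 "$fits" || echo "adjust the configuration above"
```

    On the constructed box the post's MaxClients 300 is flagged: only 238 children fit, so under full load the server would swap, which is exactly the failure the paragraph warns about.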

    Requests vs. Client Connections

    1) KeepAlive

    Enable HTTP persistent connections to improve latency times and reduce server load significantly [25% of original load is not uncommon].

    prefork MPM:

    KeepAlive On
    KeepAliveTimeout 2
    MaxKeepAliveRequests 80

    worker MPM:

    KeepAlive On
    KeepAliveTimeout 15
    MaxKeepAliveRequests 80

    With the prefork MPM, it is recommended to set ‘KeepAlive’ to ‘Off’. Otherwise, a client will tie up an entire process for that span of time. Though in my experience, it is more useful to simply set the ‘KeepAliveTimeout’ value to something very low [2 seconds seems to be the ideal value]. This is not a problem with the worker MPM [thread-based].

    With the worker, the default 15 second timeout is setup to keep the connection open for the next page request; to better handle a client going from link to link. Check logs to see how long a client remains on each page before moving on to another link. Set value appropriately [do not set higher than 60 seconds].

    2) Timeout

    Lower the amount of time the server will wait before failing a request.

    Other RunTime Configurations : –

    1) Hostname Lookups

    If you enable hostname lookups, Apache will try to log host names instead of IPs. This gives Apache a lot of additional work, because for every request a DNS lookup has to complete before the request is finished. The HostnameLookups directive has defaulted to Off since Apache 1.3. Leave it Off and use a post-processing program such as logresolve to resolve IP addresses in Apache's access log files. logresolve comes with Apache.

    2) FollowSymLinks and SymLinkIfOwnerMatch

    Wherever in your URL-space you do not have Options FollowSymLinks, or you do have Options SymLinksIfOwnerMatch, Apache will have to issue extra system calls to check up on symlinks: one extra call per filename component. For example, if you had:

    DocumentRoot /www/htdocs
    <Directory />
    Options SymLinksIfOwnerMatch
    </Directory>

    and a request is made for the URI /index.html, then Apache will perform lstat(2) on /www, /www/htdocs, and /www/htdocs/index.html. The results of these lstats are never cached, so they will occur on every single request. If you really desire the symlink security checking you can do something like this:

    DocumentRoot /www/htdocs
    <Directory />
    Options FollowSymLinks
    </Directory>

    <Directory /www/htdocs>
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    </Directory>

    This at least avoids the extra checks for the DocumentRoot path. Note that you'll need to add similar sections if you have any Alias or RewriteRule paths outside of your document root. For highest performance, and no symlink protection, set FollowSymLinks everywhere, and never set SymLinksIfOwnerMatch.

    3) AllowOverride

    If you keep AllowOverride enabled, Apache will search for a .htaccess file in each directory. For example:

    DocumentRoot /usr/local/apache/htdocs
    <Directory />
    AllowOverride All
    </Directory>

    If a request is made for the URI /index.html, then Apache will attempt to open /.htaccess, /usr/.htaccess, /usr/local/.htaccess, /usr/local/apache/.htaccess and /usr/local/apache/htdocs/.htaccess. These additional file system lookups add to the latency. If .htaccess is required for a particular directory, then enable it for that directory alone. If you don't want .htaccess at all, use "AllowOverride None".
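    Both of the last two sections describe the same per-component walk down the path; the following added example (not part of the original post) enumerates it for a given DocumentRoot and URI, so the cost of a placement of SymLinksIfOwnerMatch or AllowOverride can be seen before changing it. All paths are constructed and nothing on disk is touched; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: list the lstat(2) calls and the
# .htaccess opens Apache performs for a request, per the two sections above.
set -f   # paths are split on "/", so keep the shell from globbing them

# Print every path from the first component down to the file itself, one per
# line: the lstat(2) sequence Apache performs for <URI> when
# SymLinksIfOwnerMatch (or the absence of FollowSymLinks) applies to "/".
# Usage: lstat_sequence <DocumentRoot> <URI>
lstat_sequence() {
    full="${1%/}$2"
    acc=""
    old_ifs=$IFS; IFS=/
    for part in $full; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
    IFS=$old_ifs
}

# With "Options FollowSymLinks" on "/" and SymLinksIfOwnerMatch only inside
# the DocumentRoot (the compromise shown above), only components below the
# DocumentRoot are checked.
lstat_sequence_scoped() {
    lstat_sequence "$1" "$2" | awk -v root="${1%/}" 'index($0, root "/") == 1'
}

# The .htaccess files Apache tries to open for <URI> when "AllowOverride All"
# is set on <Directory />: one per directory from "/" down to the file's own.
# Usage: htaccess_probes <DocumentRoot> <URI>
htaccess_probes() {
    printf '/.htaccess\n'
    lstat_sequence "$1" "$2" | sed -e '$d' -e 's|$|/.htaccess|'
}

count() { wc -l | tr -d ' '; }

# Demo on the post's two examples.
echo "lstat calls for /index.html under /www/htdocs:"
lstat_sequence /www/htdocs /index.html
echo "with the check scoped to the DocumentRoot:"
lstat_sequence_scoped /www/htdocs /index.html
echo ".htaccess opens for /index.html under /usr/local/apache/htdocs: $(htaccess_probes /usr/local/apache/htdocs /index.html | count)"
```

    For the post's examples this reproduces the three lstat calls and the five .htaccess opens; try a deeper URI such as /blog/2012/post.html to see how the count grows with every directory level.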

    4) Negotiation

    If at all possible, avoid content-negotiation if you’re really interested in every last ounce of performance.

    Instead of using

    DirectoryIndex index

    Use a complete list of options:

    DirectoryIndex  index.cgi index.pl index.shtml index.html

    Also use the most common one as first value.

    You can read more about negotiation here : http://httpd.apache.org/docs/2.0/content-negotiation.html

    5) Extended Status

    If mod_status is included, make sure that the ExtendedStatus directive is set to Off. Otherwise, Apache will issue several extra time-related system calls on every request made.

    ExtendedStatus Off

    Performance Boosting Modules

    1) mod_expires

    Include mod_expires for the ability to set expiration dates for specific content; utilizing the ‘If-Modified-Since’ header cache control sent by the user’s browser/proxy. Will save bandwidth and drastically speed up your site for [repeat] visitors.
    Note that this can also be implemented with mod_headers.

    2) mod_deflate

    With mod_deflate, you can compress HTML, text or XML files to approx. 20 – 30% of their original sizes, thus saving you server traffic.

    LoadModule deflate_module modules/mod_deflate.so
    <Location />
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript
    </Location>

    Here I have discussed only basic performance tweaks; we need to work closely with a webserver to tune it for maximum performance. Achieving maximum performance also depends on a lot of other things, like how well your MySQL/DB server is tuned, how secure your server is, etc. I am expecting your suggestions and advice on this.

    Reference : –  http://httpd.apache.org/docs/2.0/misc/perf-tuning.html

  • Admin Tips 2 : Monitor linux services using bash script

    Scenario : –

    On one of my resin servers, the resin service was crashing due to some resource usage. It was happening at night time.

    I used the following script to monitor the status and restart resin if it is not running.

    # vi /home/resin/check-resin.sh

    #!/bin/bash
    # PIDs of the resin JVM; "grep -v grep" drops the grep command itself
    run=`ps ax | grep /usr/java/jdk1.6.0_14/bin/java | grep -v grep | cut -c1-5 | paste -s -`
    if [ "$run" ]; then
        echo "resin is running" > /home/resin/check_resin.log
    else
        /usr/local/resin/bin/resin-servers.sh restart
        mail -s "resin server restarted by check-resin script" admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
    fi

    Or, if the issue is only with a single website (shared resin hosting), you can use the following script and restart the respective server only.

    # vi /home/resin/check-resin.sh

    #!/bin/bash
    cd /tmp
    # -q: quiet; -O /dev/null: do not leave a downloaded copy in /tmp on every run
    wget -q -O /dev/null www.adminlogs.info:8080
    if [ $? -gt 0 ]; then
        /usr/local/resin/bin/resin-adminlogs.sh restart
        mail -s "adminlogs resin server restarted by check-resin script" admin[at]adminlogs[dot]info < /usr/local/www/hosts/www.adminlogs.info/log/stdout.log
    fi

    $? contains the return code of the last executed process; -gt means greater than. Usually programs return zero on success and something else on failure.

    After making the following small changes (use the appropriate daemon) you can use the above script to monitor other services like Apache, ftpd, mysql etc. as follows:

    For example :-

    # vi check_httpd.sh

    #!/bin/bash
    run=`ps ax | grep /usr/local/apache/bin/httpd | grep -v grep | cut -c1-5 | paste -s -`
    if [ "$run" ]; then
        echo "apache is running" > /home/admin/check_httpd.log
    else
        /usr/local/apache/bin/apachectl -k restart
        mail -s "Apache server restarted by check-httpd script" admin[at]adminlogs[dot]info < /usr/local/apache/logs/error.log
    fi

    Or (only for apache):

    # vi check_httpd.sh

    #!/bin/bash
    cd /tmp
    wget -q -O /dev/null adminlogs.info:80
    if [ $? -gt 0 ]; then
        /usr/local/apache/bin/apachectl -k restart
        mail -s "Apache server restarted by check-httpd script" admin[at]adminlogs[dot]info < /usr/local/apache/logs/error.log
    fi

    Add the script to crontab (it will check the status every 5 minutes):

    */5 * * * * /bin/bash check_httpd.sh

    It worked fine, and now I have no worry about that website and am getting good sleep 🙂
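    The scripts above do their job, but they will restart (and mail about) a service that keeps dying every five minutes, and two cron runs can overlap if a restart is slow. The following is an added example, not part of the original post, with those two safeguards: a mkdir lock and a minimum interval between restarts. STATE_DIR, the URL, the curl timeout and the restart command are assumptions for this demo; the interval logic is what the test exercises.

```shell
#!/bin/sh
# Added example, not from the original post: check-and-restart with a lock
# and a restart rate limit.

STATE_DIR=${STATE_DIR:-/tmp/svcmon}                   # timestamps and lock live here
MIN_RESTART_INTERVAL=${MIN_RESTART_INTERVAL:-1800}    # seconds between restarts

# Is the service answering? With -f curl fails on HTTP 4xx/5xx as well as on
# connection errors; --max-time keeps a hung server from hanging the monitor
# (the wget form above has no timeout, so a stalled backend stalls cron too).
http_up() {
    curl -fsS --max-time 10 -o /dev/null "$1"
}

# Decide whether a restart is allowed now and, if so, record it.
# Usage: restart_allowed <service> <now_epoch_seconds>
# Returns 0 if no restart was recorded within MIN_RESTART_INTERVAL, else 1.
restart_allowed() {
    svc=$1; now=$2
    mkdir -p "$STATE_DIR"
    stamp="$STATE_DIR/$svc.last"
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$MIN_RESTART_INTERVAL" ]; then
            return 1
        fi
    fi
    echo "$now" > "$stamp"
    return 0
}

# One monitoring pass. Usage: monitor <service> <url> <restart command...>
monitor() {
    svc=$1; url=$2; shift 2
    mkdir -p "$STATE_DIR"
    lock="$STATE_DIR/$svc.lock"
    # mkdir is atomic, so it works as a lock without flock(1)
    if ! mkdir "$lock" 2>/dev/null; then
        echo "$svc: previous check still running"; return 0
    fi
    if http_up "$url"; then
        echo "$svc is up"
    elif restart_allowed "$svc" "$(date +%s)"; then
        echo "$svc is down, restarting"
        "$@"
        # mail -s "$svc restarted by monitor" admin[at]adminlogs[dot]info < /var/log/"$svc".log
    else
        echo "$svc is down but was restarted less than ${MIN_RESTART_INTERVAL}s ago; leaving it alone"
    fi
    rmdir "$lock"
}

# Cron entry, every five minutes as in the post:
#   */5 * * * * /bin/sh /home/admin/monitor.sh
# where the script's last line is, for example:
#   monitor httpd http://adminlogs.info/ /usr/local/apache/bin/apachectl -k restart
```

    A service that is still down after the rate limit has blocked a second restart is a signal to investigate rather than to keep bouncing it, which is the case the original scripts would have hidden behind a stream of restart mails.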


  • Difference between Prefork and Worker apache modules.

    MPM stands for multi-processing module. We can see the compiled-in MPM using the command "httpd -l".

    Apache 2 mainly comes with the following MPMs:

    This Multi-Processing Module is optimized for Windows NT.
    Multi-Processing Module implementing an exclusively threaded web server optimized for Novell NetWare


    1) Prefork MPM

    The prefork MPM handles requests just like Apache 1.3. As the name implies, it pre-forks the necessary child processes while starting Apache. It is suitable for websites that avoid threading for compatibility with non-thread-safe libraries. It is also known as the best MPM for isolating each request.

    Working :-
    A single control process is responsible for launching child processes which listen for connections and serve them when they arrive. Apache always tries to maintain several spare or idle server processes, which stand ready to serve incoming requests. In this way, clients do not need to wait for new child processes to be forked before their requests can be served.
    We can adjust these spare processes through the Apache conf. A normal server handling 256 simultaneous connections can use the default prefork settings.

    Prefork is the default module shipped by Apache.

    # StartServers: number of server processes to start
    # MinSpareServers: minimum number of server processes which are kept spare
    # MaxSpareServers: maximum number of server processes which are kept spare
    # MaxClients: maximum number of server processes allowed to start
    # MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. If MaxRequestsPerChild is 0, then the process will never expire

    2) Worker MPM

    This Multi-Processing Module (MPM) implements a hybrid multi-process multi-threaded server. By using threads to serve requests, it is able to serve a large number of requests with fewer system resources than a process-based server.

    The most important directives used to control this MPM are ThreadsPerChild, which controls the number of threads deployed by each child process and MaxClients, which controls the maximum total number of threads that may be launched.

    Advantage      : Memory usage and performance wise it is better than prefork
    Disadvantage : worker will not work properly with languages like PHP

    Working : –

    A single control process (the parent) is responsible for launching child processes. Each child process creates a fixed number of server threads as specified in the ThreadsPerChild directive, as well as a listener thread which listens for connections and passes them to a server thread for processing when they arrive.

    Apache always tries to maintain a pool of spare or idle server threads, which stand ready to serve incoming requests. In this way, clients do not need to wait for new threads or processes to be created before their requests can be served. The number of processes that are initially launched is set by the StartServers directive. During operation, Apache assesses the total number of idle threads in all processes, and forks or kills processes to keep this number within the boundaries specified by MinSpareThreads and MaxSpareThreads. Since this process is very self-regulating, it is rarely necessary to modify these directives from their default values. The maximum number of clients that may be served simultaneously (i.e., the maximum total number of threads in all processes) is determined by the MaxClients directive. The maximum number of active child processes is determined by the MaxClients directive divided by the ThreadsPerChild directive.

    You can read more about these multiprocessing modules here: Apache Modules