
Thread: How-to Lighttpd, PHP, MySQL and Eaccelerator

  1. #136
    I observe similar queries in the logs of my web server too (I have lighttpd+mysql running a small forum on top of an RT-N16).

    Someone is scanning the internet looking for admin pages of typical services and other common vulnerabilities exposed to the internet. That's pretty common and there's no good way to block them (at least I don't know any).

    I wouldn't worry about them unless you find something relevant to your web site (like multiple strange requests to some script).

  2. #137
    It's hard to block scanners like that through iptables, you would need different software for that.

    What you can do is chroot your website directory, you have several how-to's on the internet for that sort of stuff.
    Even if they get in, they won't be able to access the router completely, just the webpages.

    I do agree that you have to watch out these days, so many pages are being injected with weird stuff... damn hackers with their botnets

  3. #138
    Quote (originally posted by reiten):
        Someone is scanning the internet looking for admin pages of typical services and other common vulnerabilities exposed to the internet. That's pretty common and there's no good way to block them (at least I don't know any).

    Yes. But if someone scans my router several times, I block them that way:
    Code:
    $ cat /tmp/local/sbin/post-firewall
    #!/bin/sh
    ...
    for banned_ip in `cat /tmp/local/sbin/banned_ips.txt`;
    do
        iptables -I INPUT -s $banned_ip -j DROP
    done
    Code:
    $ cat /tmp/local/sbin/banned_ips.txt
    109.230.220.35
    109.230.251.94
    109.236.81.56
    111.228.1.5
    116.255.163.100
    118.129.154.165
    119.188.7.161
    ...
    It's an ugly way, I know, but some scanners are really annoying.
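
A variant of the ban-list loader above, as an added example that is not the poster's script: it validates each entry, drops duplicates and rebuilds a dedicated chain, so repeated post-firewall runs do not stack identical rules and a typo in the list cannot become an unintended rule. The chain name BANNED and the sample addresses are assumptions; the function prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script. Chain name BANNED is hypothetical.
# Constructed sample list: a duplicate, a comment, a blank line and a typo (octet 300).
SAMPLE_BANS='192.0.2.15
198.51.100.23
# noisy scanner
192.0.2.15

203.0.113.300
203.0.113.77'

valid_ipv4() {
    # Succeeds only for a dotted quad whose four octets are each 0..255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

ban_rules() {
    # $1 = ban list file. Prints the commands (dry run); pipe to sh to apply.
    echo 'iptables -N BANNED 2>/dev/null'   # create the chain if it is missing
    echo 'iptables -F BANNED'               # start from an empty chain on every run
    LC_ALL=C sort -u "$1" | while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac     # skip blank lines and comments
        if valid_ipv4 "$ip"; then
            echo "iptables -A BANNED -s $ip -j DROP"
        else
            echo "skipped invalid entry: $ip" >&2
        fi
    done
    # Hook the chain into INPUT exactly once, however often this runs.
    echo 'iptables -D INPUT -j BANNED 2>/dev/null; iptables -I INPUT -j BANNED'
}

list=$(mktemp)
printf '%s\n' "$SAMPLE_BANS" > "$list"
ban_rules "$list"
rm -f "$list"
```
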

  4. #139
    Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

    And what is a good way to follow access and error.log files? I made them rotate like the system log, and sent to my email as text. But email breaks those access log lines, so it's hard to follow.

  5. #140
    Quote (originally posted by jeremees):
        Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

        And what is a good way to follow access and error.log files? I made them rotate like the system log, and sent to my email as text. But email breaks those access log lines, so it's hard to follow.

    iptables will block anything from that IP... it's on a low level, but yes, it will slow down your system slightly. Probably it won't be noticeable though.

    I'm actually working on getting snort installed and working: http://www.snort.org/
    not sure how fast it is so far... but I have the idea that it's too heavy
    snort is able to detect illegal attempts and able to block it

  6. #141
    Quote (originally posted by jeremees):
        Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

        And what is a good way to follow access and error.log files? I made them rotate like the system log, and sent to my email as text. But email breaks those access log lines, so it's hard to follow.

    Well, you can use my ban list as well as the script (iptables) from here: http://wl500g.info/showthread.php?t=27852
    it should be up to date....and I suggest to have a closer look to my avoid brute force script, scanners are detected and blocked for a complete day by iptables.
    I have not recognized that anything is slow on my rtn when using this blocklist.
    Further, there are several ways how I control my webserver.
    When needed, I can help you to adapt my avbf2_6 script for gateway-usage.
    Just translate by google - and no worry - someone will guide you when any problem occurs.
    HTH
    Have fun
    newbiefan

    EDIT:
    Ah, I forgot: a good starting point to block Scanners and Script-Kiddies is to use url.access-deny capabilities of your lighttpd. Configure your lighty.conf to block scanners like ZmEU or Morpheus fucking scanner or without any agent aso....
    Here you have a sample config to do so: http://pastebin.com/PQuMbF3Y
    Last edited by newbiefan; 15-01-2012 at 18:13.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lightthpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n
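
One way to follow the access log for the scanner traffic discussed in the posts above, as an added example that is not code from the thread: it lists client IPs that send a scanner user agent named in the thread, send no user agent, or collect several 404 answers. It assumes lighttpd's default access log layout; the function name, threshold and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes lighttpd's default access log layout:
#   ip host user [time] "request" status bytes "referer" "user-agent"
# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='192.0.2.10 example.org - [15/Jan/2012:18:01:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 example.org - [15/Jan/2012:18:01:05 +0100] "GET /admin/ HTTP/1.1" 404 345 "-" "ZmEU"
203.0.113.5 example.org - [15/Jan/2012:18:02:10 +0100] "GET /admin/login.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
203.0.113.5 example.org - [15/Jan/2012:18:02:11 +0100] "GET /old/admin/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"
203.0.113.5 example.org - [15/Jan/2012:18:02:12 +0100] "GET /setup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"
192.0.2.10 example.org - [15/Jan/2012:18:03:00 +0100] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0"
198.51.100.99 example.org - [15/Jan/2012:18:04:00 +0100] "GET / HTTP/1.0" 200 5120 "-" "-"'

find_scanners() {
    # $1 = access log, $2 = number of 404s from one IP that counts as a scan (default 3)
    awk -F'"' -v limit="${2:-3}" '
    {
        split($1, head, " "); ip = head[1]          # first word before the request
        split($3, tail, " "); status = tail[1]      # first word after the request
        agent = tolower($6)
        # Scanner names mentioned in the thread, or no user agent at all.
        if (agent == "" || agent == "-" || agent ~ /zmeu|morfeus|morpheus/) flagged[ip] = 1
        # Many 404 answers: a client probing for pages that do not exist.
        if (status == 404 && ++misses[ip] >= limit) flagged[ip] = 1
    }
    END { for (ip in flagged) print ip }' "$1" | LC_ALL=C sort
}

log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log"
find_scanners "$log" 3
rm -f "$log"
```

The printed addresses are candidates for review before they go into a ban list such as the banned_ips.txt shown earlier in the thread; a regular visitor with one broken link stays below the threshold.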

  7. #142
    Quote (originally posted by newbiefan):
        Ah, I forgot: a good starting point to block Scanners and Script-Kiddies is to use url.access-deny capabilities of your lighttpd. Configure your lighty.conf to block scanners like ZmEU or Morpheus fucking scanner or without any agent aso....

    Thanks for that idea!

  8. #143
    I have a problem with lighttpd. It didn't start automatically, so I tried forcing it to start, but it says that I haven't got a config file:
    [admin@WL-0026189D2E8C root]$ lighttpd
    2012-05-14 15:51:07: (server.c.595) No configuration available. Try using -f option.
    So I tried attaching it, but there is an error in my config...
    [admin@WL-0026189D2E8C root]$ lighttpd -f /opt/etc/lighttpd/lighttpd.conf
    2012-05-14 15:57:08: (configfile.c.943) source: /opt/etc/lighttpd/lighttpd.conf line: 97 pos: 19 parser failed somehow near here: (EOL)
    [admin@WL-0026189D2E8C root]$
    I attach my lighttpd.conf. Can someone help me with this? I have WL-500gp v2 and Olegs 1.9.2.7-10.
    lighttpd.conf.txt

  9. #144
    there are several line-breaks that weren't commented out (e.g. lines 92, 102, 127...)
    or is that a copy-paste fault?

    good luck
    RT-N66U TomatoUSB 1.28.0000 MIPSR2-135 K26AC USB AIO-64K running Entware-NG
    pyload 0.4.9
    minidlna 1.1.2
    samba 3.6.5
    openvpn 2.3.10
    ̶W̶L̶5̶0̶0̶g̶P̶ ̶1̶.̶9̶.̶2̶.̶7̶-̶r̶t̶n̶-̶r̶4̶7̶5̶0 retired

  10. #145
    You are right! I corrected it, assigned the config file, and I'm not sure if it is already working. I've got these processes:
    237 ? S 0:00 lighttpd -f /opt/etc/lighttpd/lighttpd.conf
    238 ? Ss 0:01 /opt/bin/php-fcgi
    240 ? S 0:00 /opt/bin/php-fcgi
    Is 237 lighttpd working or just the config file? Also, when I type my IP in the browser I should see my website, but it doesn't load. At http://192.168.1.1:8080/ I see some kind of php configuration.
    Now when I try to start lighttpd
    [admin@WL-0026189D2E8C root]$ /opt/etc/init.d/S80lighttpd start
    Starting web server: lighttpd :
    2012-05-14 18:55:06: (network.c.371) can't bind to port: 8080 Address already in use
    [admin@WL-0026189D2E8C root]$
    How do I make my website work? I attach my corrected lighttpd.conf_corrected.txt.

  11. #146
    Quote (originally posted by pawelgt):
        ..see some kind of php configuration.

    lighty is running

    I doubt you have some kind of phpinfo() stuff in your docroot (line 28: /tmp/mnt/disc0_3/www/)

    the server is delivering index files - just check the path

    ^of course you won't be able to start two lighttpd instances at the same port

  12. #147
    You're right again!
    It was my index.php
    <?php
    phpinfo();
    ?>

  13. #148

    Post still working on entware

    Last night, I reconstructed this how-to on my Entware device.

    Now I want to share my experiences.

    As lighttpd now is more modular you additionally have to
    Code:
    opkg install lighttpd-mod-fastcgi
    afterwards you need to modify lighttpd.conf:

    server.modules now needs to contain that mod_fastcgi:

    Code:
    server.modules = (
    #       "mod_rewrite",
    #       "mod_redirect",
    #       "mod_alias",
    #       "mod_auth",
    #       "mod_status",
    #       "mod_setenv",
            "mod_fastcgi"
    #       "mod_proxy",
    #       "mod_simple_vhost",
    #       "mod_cgi",
    #       "mod_ssi",
    #       "mod_usertrack",
    #       "mod_expire",
    #       "mod_webdav"
    )
    also uncomment that section about the module and keep an eye at the bin-path:

    Code:
    #### fastcgi module
    ## read fastcgi.txt for more info
    fastcgi.server = (
            ".php" => (
                    "localhost" => (
                            "socket" => "/opt/tmp/php-fastcgi.socket",
                            "bin-path" => "/opt/bin/php-fcgi"
                    )
            )
    )
    the php part of the howto is valid for entware, beside the new package-names (php -> php5.. etc) and a tiny typo in the eaccelator.ini:
    http://code.google.com/p/wl500g-repo...s/detail?id=15

    I did not install mysql, as I don't need it right now. I'm kind of sure that there is no problem.
    Have fun!

  14. #149
    wow good news gm!

    I've only shortly tried entware out a bit, but at that time it wasn't suitable for my needs
    it looks a lot better when it comes to the amount of packages, so I might give it a try again someday soon

  15. #150
    As I have a rather old version of the oleg-firmware, I updated my php, lighttpd installations.
    But now, the php is not able to connect to magickwand...

    It seems that the older version of php had the magickwand/imagemagick functions inbuilt and not dynamically linked.. (because the imagemagick doesn't provide any of the magickwand functions)

    Who is that person, who updates the packages here: http://ipkg.nslu2-linux.org/feeds/op.../cross/stable/
    Because now, it is UNUSABLE!!!!

    Even "phpinfo" is not working anymore... So thanks for updating the php and stuff and turning it into completely useless trash..


    You will get such wonderful entries in the log:
    2012-06-04 11:01:29: (mod_fastcgi.c.2676) FastCGI-stderr: PHP Fatal error: Call to undefined function NewMagickWand() in test.php on line 2
    And you see "503 - service not available" or "site not found" in the browser..


    When I added the extensions dir in the php.ini from the first post, I got these errors now (when calling phpinfo)
    2012-06-04 11:29:22: (mod_fastcgi.c.2543) unexpected end-of-file (perhaps the fastcgi process died): pid: 10344 socket: tcp:127.0.0.1:1025
    2012-06-04 11:29:22: (mod_fastcgi.c.3286) child signaled: 11
    2012-06-04 11:29:22: (mod_fastcgi.c.3329) response not received, request sent: 981 on socket: tcp:127.0.0.1:1025 for /test.php?, closing connection
    PS: I will never ever update anything again..

    Edit2:

    When I start php-fcgi in shell, I get this log:
    PHP Warning: PHP Startup: Unable to load dynamic library '/opt/lib/php/extensions/magickwand.so' - File not found in Unknown on line 0
    Which package delivers this extension?!?!
    Last edited by thE_29; 04-06-2012 at 12:04.
