3 posts categorized "ubuntu"


New Doc: How To Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04

A new HOWTO article detailing the changes needed to compile SSLv2 and TLSv1.2 client support into an Ubuntu 13.04 installation running OpenSSL 1.0.1c has been posted to the Techstacks HOW TO site: How To Enable SSLv2 and TLSv1.2 in OpenSSL 1.0.1c on Ubuntu 13.04. Note that SSLv2 is obsolete and insecure; building client support for it is useful for testing and auditing legacy servers, not for production use.


Mitigating the Apache Range Header DoS on Ubuntu Apache 2.2

If you are running Apache 2.2 (the current version in Ubuntu Server on my recently created VM being 2.2.17) and you wish to protect your web server against the Apache Range Header Denial of Service vulnerability (CVE-2011-3192) and the killapache exploit, below are the mitigation steps that worked best for me.

Ubuntu's Apache 2 packaging uses /etc/apache2/httpd.conf for user-specific server configuration changes. The mitigation suggestion from the Apache Software Foundation that had the most favorable impact was scrubbing the Range header when an incoming request contains more than 5 ranges (the pattern below fires on five or more commas, i.e. six or more range specifiers). The same advisory also recommends unconditionally unsetting the legacy Request-Range header (RequestHeader unset Request-Range), which the snippet below does not include. Please note that this workaround may not help with future variants of the exploit.

The workaround makes use of mod_headers, which, on a stock Ubuntu Server apache2 installation, is not enabled. You can enable it from the command line:

sudo a2enmod headers

Once that is complete, modify your server's httpd.conf and add the following directives:

# CVE-2011-3192: flag requests whose Range header holds more than 5 ranges
SetEnvIf Range (?:,.*?){5,5} bad-range=1
# ...and drop the Range header entirely for those requests
RequestHeader unset Range env=bad-range

If you want to log the hosts sending you those range requests, modify the configuration file for your virtual host rather than httpd.conf: a virtual host that defines its own log directives does not write to the server-level logs, so a CustomLog added to httpd.conf will create the file but nothing will get logged. For example, if you are using the default site, modify the /etc/apache2/sites-available/default configuration file and add the following line somewhere that makes sense:

CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range

That's all you need to do. It is a pretty straightforward workaround, but hopefully a more formal fix will be made available by the Ubuntu Server team soon.
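To see what the SetEnvIf pattern above actually matches, and to turn the range-CVE-2011-3192.log it produces into a per-host count, here is an added example (my own code, not part of the original post or of the Apache advisory). It re-implements the unanchored mod_setenvif regex in Python, builds a header shaped like the public killapache request ("bytes=0-" followed by many overlapping ",5-k" ranges; the 1299 count is the exploit's default as I recall it, and is only used as a sample here), and parses constructed common-format log lines; the sample addresses are documentation ranges, not real clients.

```python
import re
from collections import Counter

# Python equivalent of the mod_setenvif pattern used in the workaround:
#   SetEnvIf Range (?:,.*?){5,5} bad-range=1
# The pattern is unanchored, so it fires as soon as the header value
# contains at least five commas, i.e. six or more range specifiers.
BAD_RANGE = re.compile(r"(?:,.*?){5,5}")


def is_bad_range(range_value: str) -> bool:
    """True if mod_setenvif would set bad-range=1 for this Range value."""
    return BAD_RANGE.search(range_value) is not None


def count_ranges(range_value: str) -> int:
    """Count the range specifiers in a Range value such as bytes=0-1,2-3."""
    _, _, spec = range_value.partition("=")
    return len([s for s in spec.split(",") if s.strip()])


def killapache_style_header(n: int) -> str:
    """Constructed Range value shaped like the killapache exploit request:
    'bytes=0-' followed by n overlapping ',5-k' ranges (assumption: the
    exploit's default was 1299; any large n shows the same effect)."""
    return "bytes=0-" + "".join(f",5-{k}" for k in range(n))


# Common Log Format, as written by
#   CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def offending_hosts(log_text: str) -> Counter:
    """Per client address, count requests that landed in the bad-range log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2011:10:15:01 +0000] "HEAD / HTTP/1.1" 200 -
203.0.113.7 - - [24/Aug/2011:10:15:01 +0000] "HEAD / HTTP/1.1" 200 -
198.51.100.9 - - [24/Aug/2011:10:16:44 +0000] "GET /index.html HTTP/1.1" 200 177
"""

if __name__ == "__main__":
    for value in (
        "bytes=0-499",                               # 1 range, allowed
        "bytes=0-1,2-3,4-5,6-7,8-9",                 # 5 ranges, allowed
        "bytes=0-1,2-3,4-5,6-7,8-9,10-11",           # 6 ranges, scrubbed
        killapache_style_header(1299),               # 1300 ranges, scrubbed
    ):
        print(f"{count_ranges(value):5d} ranges -> bad-range={is_bad_range(value)}")
    for host, n in offending_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} flagged request(s)")
```

A request with exactly five ranges passes untouched, which is the intended behaviour of the advisory's pattern; a practitioner tuning the threshold should adjust the `{5,5}` count in both the Apache directive and the Python check together so the log review matches what the server actually scrubs.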


Tomcat 6 Directory Locations on Ubuntu Server 11.04

I started playing around with Ubuntu Server on a locally created VirtualBox virtual machine today and used aptitude to install Tomcat 6.0.28. Being used to the distribution one downloads directly from the Apache Software Foundation, quite a few minutes were spent figuring out where files were placed. Below are the locations for folks searching the web to find out things like where the webapps directory is on Ubuntu Server 11.04 or where the tomcat6 access logs might be located.

Default Installation Paths

Logs:  /var/log/tomcat6

Binaries and libs:  /usr/share/tomcat6 (although the libs are symlinked to /usr/share/java, and some jars inside the bin directory are symlinked to /usr/share/java as well)

System start/stop/status script: /etc/init.d/tomcat6.

CATALINA_HOME:  /usr/share/tomcat6

CATALINA_BASE:  /var/lib/tomcat6

The default webapps directory is /var/lib/tomcat6/webapps (i.e. under CATALINA_BASE)

Configuration files are under /etc/tomcat6/

I haven't given it a try yet, but I prefer storing Java options inside a setenv.sh script. The /etc/init.d/tomcat6 script doesn't have any reference to setenv.sh the way /usr/share/tomcat6/bin/catalina.sh does, so it will be interesting to see whether enabling JMX via setenv.sh will work or if I'll need to modify /etc/init.d/tomcat6.