Archive | Apache

Prevent CGI execution in apache for better security

Why CGI execution is vulnerable on shared hosting

CGI scripts work directly with the operating system through the web server, which makes them a serious risk on a shared hosting server that allows CGI execution: with thousands of accounts hosted on it, even one of them running a vulnerable CGI script may be enough to bring down the server.

So it is a good idea to disable CGI scripts completely, since it is not common for people to run them on their websites. In this tutorial I will show you how to disable CGI in WHM/cPanel, which is the best hosting automation panel and the one most hosting providers use worldwide.

How to Disable CGI Execution

There are two parts to preventing CGI from running.

Log in to WHM,

then go to

Main >> Service Configuration >> Apache Configuration >> Global Configuration

In Global Configuration, scroll down a bit and you should see

Directory '/' Options

which has some options enabled.

Just make sure to disable

ExecCGI

Finally, click Save.

Now for part two of disabling CGI execution.

Go here:

Main >> Server Configuration >> Basic cPanel/WHM Setup

then scroll down to this setting:

CGI Script Alias * Automatically create a cgi-bin script alias. This setting can be individually overridden during account creation.

By default it has y assigned in the box in front of it.

Type n in that box instead.

You are now done, and you have completely disabled CGI execution on your server.
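
To check the result of both parts, the generated Apache configuration can be scanned for anything that still allows CGI. The script below is an added example, not part of the original post or of cPanel: the function name find_cgi_enablers, the sample configuration and the httpd.conf path in the last comment are assumptions, and the AllowOverride check goes one step beyond the two settings above, because an .htaccess file can set Options +ExecCGI again wherever overrides are allowed.

```sh
#!/bin/sh
# Added example: list Apache config lines that still allow CGI execution.

# CONSTRUCTED sample standing in for a generated httpd.conf.
sample_conf() {
cat <<'EOF'
<Directory "/">
    Options ExecCGI FollowSymLinks IncludesNOEXEC
    AllowOverride All
</Directory>
# Options +ExecCGI
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    ScriptAlias /cgi-bin/ /home/user1/public_html/cgi-bin/
    <Directory "/home/user1/public_html/tools">
        Options -ExecCGI Indexes
    </Directory>
</VirtualHost>
EOF
}

# find_cgi_enablers: read Apache config on stdin and print
# "line-number: reason: directive" for every line that permits CGI.
find_cgi_enablers() {
    awk '
    /^[ \t]*#/ { next }          # commented-out directives do not count
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = split(line, w, /[ \t]+/)
        d = tolower(w[1])
        why = ""
        for (i = 2; i <= n; i++) {
            o = tolower(w[i])
            # "Options All" includes ExecCGI; "-ExecCGI" is the safe form
            if (d == "options" && (o == "execcgi" || o == "+execcgi" || o == "all"))
                why = "ExecCGI enabled"
            # Simplified: the Options=... list form of AllowOverride is not parsed
            if (d == "allowoverride" && (o == "all" || o == "options"))
                why = ".htaccess may turn ExecCGI back on"
        }
        # A ScriptAlias target is treated as CGI even without Options ExecCGI
        if (d == "scriptalias" || d == "scriptaliasmatch")
            why = "cgi-bin script alias"
        if (why != "") printf "%d: %s: %s\n", NR, why, line
    }'
}

# Demo on the constructed sample. On a real server feed it the live config,
# e.g. find_cgi_enablers < /usr/local/apache/conf/httpd.conf (assumed path)
sample_conf | find_cgi_enablers
```

On the sample it reports lines 2, 3 and 8; an empty result means none of the three patterns is left in the file.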

Thanks

Posted in Apache | 0 Comments

How to fix an internal server error caused by .htaccess

There are times when, even right after uploading your script or after changing the Apache handler to suPHP, your site ends up with this error:

internal server error

When the Apache handler is suPHP you cannot use php_flag in .htaccess; you should use php.ini instead.

For example, if your intention is to turn register_globals On/Off, you should do it in php.ini, like this:

register_globals = On

Also, if you mistyped something in .htaccess, for example in a redirect, a rewrite or any other .htaccess directive, you may end up with the same internal server error message.

Posted in Apache | 0 Comments

A Few Tips for Protecting the Apache Web Server against DoS Attacks

Introduction to web server DoS attacks

When people talk about DDoS, they mainly mean a DoS attack against the web server, and this falls under Apache security.

The first thing to keep in mind is to update Apache to the latest version and keep the latest modules installed, so that you are not attacked through known exploits just because of being out of date.

You should also do a little optimization of Apache, which by default is configured to be able to run on any kind of server. I have also introduced some firewalls that can detect IP addresses that have too many connections and block them for the amount of time you configure.

Lower the Apache Timeout

The Timeout directive must be set lower than the predefined value of "300", either on the whole server or on the websites that are subject to DoS attacks.

Lower the Apache KeepAliveTimeout

The KeepAliveTimeout directive also has to be a lower number, on the sites that are subject to DoS attacks or on the whole server.

Turn Off Apache KeepAlive

For better performance if your server is not powerful, and also to defend Apache against DoS attacks, this can be set to Off.

Lower Apache MaxClients

If your server has little RAM, an attacker can consume all of it, resulting in a load so high that the only way out is a reboot; in that case you must lower MaxClients.

Install a Firewall

Install a firewall to limit the connections from each IP, let's say to 200; if one IP's connections exceed that number, that IP is banned for a period of time.

Install CSF (ConfigServer Security & Firewall) & LFD

For Linux servers, especially CentOS Linux servers, which I have personally tested and which were great servers, you can install CSF (ConfigServer Security & Firewall), then enable CT_LIMIT and configure it with the desired maximum number of connections that each IP can have open on your server.

Install DOS_DEFLATE

You can also install dos_deflate, which I do not recommend myself, because it counts the connections on all ports and will give false positives if a person uses FTP, which is connection-hungry. But you can tune it to count only port 80.
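
The per-IP limit and the all-ports false positive described above can be seen on a small sample. The script below is an added example, not code from CSF or dos_deflate: the function name over_limit, the "any" port keyword and the netstat-style sample are constructed, and a limit of 3 is used instead of 200 so that the short sample trips it.

```sh
#!/bin/sh
# Added example: count connections per remote IP, as a per-IP limit would.

# CONSTRUCTED `netstat -ntu` style sample (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address     Foreign Address      State
tcp        0      0 192.0.2.10:80     198.51.100.7:50001   ESTABLISHED
tcp        0      0 192.0.2.10:80     198.51.100.7:50002   ESTABLISHED
tcp        0      0 192.0.2.10:80     198.51.100.7:50003   TIME_WAIT
tcp        0      0 192.0.2.10:80     198.51.100.7:50004   SYN_RECV
tcp        0      0 192.0.2.10:80     203.0.113.5:41000    ESTABLISHED
tcp        0      0 192.0.2.10:21     203.0.113.5:41001    ESTABLISHED
tcp        0      0 192.0.2.10:30001  203.0.113.5:41002    ESTABLISHED
tcp        0      0 192.0.2.10:30002  203.0.113.5:41003    ESTABLISHED
tcp        0      0 192.0.2.10:30003  203.0.113.5:41004    ESTABLISHED
EOF
}

# over_limit PORT LIMIT: read netstat output on stdin and print "count ip"
# for each remote IP holding more than LIMIT TCP connections to local PORT.
# PORT "any" counts every port, which is where FTP users become false positives.
over_limit() {
    awk -v port="$1" -v limit="$2" '
    $1 ~ /^tcp/ {
        n = split($4, loc, ":")          # last piece is the local port
        if (port != "any" && loc[n] != port) next
        ip = $5
        sub(/:[0-9]+$/, "", ip)          # strip the remote port
        seen[ip]++
    }
    END { for (ip in seen) if (seen[ip] > limit) print seen[ip], ip }
    ' | sort -rn
}

echo "port 80 only:"; sample_netstat | over_limit 80 3
echo "all ports:";    sample_netstat | over_limit any 3
```

Counting port 80 only flags the one client with four web connections; counting all ports also flags the FTP user, who has a single web connection.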

Posted in Apache | 0 Comments

How to have custom VirtualHost configurations without them being overwritten by cPanel?

cPanel VirtualHost function

cPanel always creates the Apache configuration and virtual hosts from its own template. Every domain creation, suspension, termination or anything else related to the Apache virtual host configuration causes cPanel to recreate the Apache virtual host configuration, which overwrites any custom modified settings.

Solution for custom VirtualHost configuration

Since cPanel recreates each virtual host from its template, how can you keep a custom virtual host configuration for some domains?

The answer is to keep the modified configuration elsewhere and include it in that virtual host. But a question may come to mind: since cPanel recreates the virtual host from its template, won't the include be overwritten as well?

cPanel built-in script for including customized VirtualHost configuration

For this problem cPanel provides a ready-made script that verifies the configuration to be included:

/scripts/ensure_vhost_includes

The step-by-step procedure follows.

Creating a custom VirtualHost configuration step by step

1- Create the directory named in the commented-out Include line of the virtual host, such as this:

# Include "/usr/local/apache/conf/userdata/std/2/woshka/woshka.com/*.conf"

To create it, run

mkdir -p /usr/local/apache/conf/userdata/std/2/woshka/woshka.com/

2- Go to that directory

cd /usr/local/apache/conf/userdata/std/2/woshka/woshka.com/

3- Create a config file whose name ends with .conf

nano config.conf

4- Put your custom configuration in that file, config.conf

5- Run this

/scripts/ensure_vhost_includes --all-users

or for just that user

/scripts/ensure_vhost_includes username

You are now finished.

To confirm that everything is fine, open that virtual host and verify that the Include section is uncommented with that custom config name.

Hope you enjoyed this training.

have fun

voshka

Posted in Apache, cpanel | 0 Comments

How to redirect .php to .html in all page link URLs?

In some cases you may find that .php appearing at the end of your links is not appealing, and you want to change the appearance of your URLs.
Once you have your rewrite rules in place, you need to redirect all of the old URLs with the .php extension to .html, to avoid broken links and a lower SEO reputation.
You just need to add the following code to your .htaccess near the other rules.

RedirectMatch 301 (.*)\.php$ http://www.example.com$1.html

What this rule does is easy to understand: it begins with a redirect match rule and the number 301, which specifies a permanent redirect, and the rest is the rule to be applied, written as a regular expression.
It matches every link whose relative URL ends in .php, however the site was linked, with www. or without it, and redirects it to .html.
The example.com part will vary according to your domain name.

For the reverse action, redirecting .html to .php, just swap the positions of .html and .php in the rule,
like this:

RedirectMatch 301 (.*)\.html$ http://www.example.com$1.php

Posted in Apache | 0 Comments

Fixing an internal server error caused by the suPHP handler in Apache

You may often encounter this error on websites on your server:

HTTP Error 500 – Internal server error

It can appear right after transferring your site to a new web host, or after changing the handler to suPHP in your panel, let's say cPanel.

suPHP is sensitive to permissions: anything other than 755 for directories and 644 for files will result in an internal server error.

Also, all of an account's files and folders must be owned by the account's username. For example, a file owned by sam inside a directory of another user account, let's say peter, will also result in an internal server error.

To fix ownership or permissions on an account, modify the following commands with the desired username, then run them over SSH.

Correcting Directory Ownership

find /home/username/public_html -type d -exec chown username:username '{}' \;

Correcting File Ownership

find /home/username/public_html -type f -exec chown username:username '{}' \;

Correcting Directory Permissions

find /home/username/public_html -type d -exec chmod 755 '{}' \;

Correcting File Permissions

find /home/username/public_html -type f -exec chmod 644 '{}' \;
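
Before changing anything, it helps to list which entries actually break the 755/644 and ownership rules, since a world-writable file or a foreign owner is worth a look in its own right. The script below is an added example, not part of the original post: the function names audit_suphp_tree and make_sample_tree and the sample tree are constructed, and the audit only reads, it never modifies.

```sh
#!/bin/sh
# Added example: report what suPHP would reject, without changing anything.

# audit_suphp_tree DIR OWNER: print one line per problem found under DIR.
# OWNER may be a user name or a numeric uid.
audit_suphp_tree() {
    find "$1" -type d ! -perm 755 | sed 's/^/dir-mode /'
    find "$1" -type f ! -perm 644 | sed 's/^/file-mode /'
    find "$1" \( -type d -o -type f \) ! -user "$2" | sed 's/^/owner /'
}

# make_sample_tree: CONSTRUCTED tree with two deliberate mistakes.
make_sample_tree() {
    t=$(mktemp -d) && chmod 755 "$t"
    mkdir "$t/uploads" "$t/css"
    : > "$t/index.php"
    : > "$t/uploads/config.php"
    chmod 755 "$t/css"
    chmod 644 "$t/index.php"
    chmod 777 "$t/uploads"               # world-writable directory
    chmod 666 "$t/uploads/config.php"    # world-writable file
    echo "$t"
}

# Demo: audit the constructed tree as the current user, then clean up.
# On a server: audit_suphp_tree /home/username/public_html username
tree=$(make_sample_tree)
audit_suphp_tree "$tree" "$(id -u)"
rm -rf "$tree"
```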

voshka

thanks

Posted in Apache | 2 Comments

Mod_Evasive directives and an explanation of each one

DOSHashTableSize specifies the size of hash table
DOSPageCount sets the limit for the number of requests for the same page (or URI)
DOSSiteCount sets the limit for the total number of requests for any object by the same client on the same listener
DOSPageInterval sets the interval for the page count threshold
DOSSiteInterval sets the interval for the site count threshold
DOSBlockingPeriod sets the time that a client will be blocked for if they are added to the blocking list
DOSSystemCommand specifies the system command to be executed whenever an IP address becomes blacklisted
DOSCloseSocket closes network connection socket if the directive state is On

DOSHashTableSize

DOSHashTableSize directive defines the hash table size, i.e. the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but will consume more memory for table space. It is advisable to increase this parameter on heavy load web servers.
Syntax

DOSHashTableSize 1024|value

Example

#increase size of hash table for large servers
DOSHashTableSize 2048

DOSPageCount

DOSPageCount directive sets the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the client IP address is added to the blocking list.
Syntax

DOSPageCount value

Example

DOSPageCount 10

DOSSiteCount

DOSSiteCount directive sets the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the client IP address is added to the blocking list.
Syntax

DOSSiteCount value

Example

DOSSiteCount 150

DOSPageInterval

DOSPageInterval directive sets the interval for the page count threshold. The interval is specified in seconds and may be a real number.
Syntax

DOSPageInterval value

Example

DOSPageInterval 1.5

DOSSiteInterval

DOSSiteInterval directive sets the interval for the site count threshold. The interval is specified in seconds and may be a real number.
Syntax

DOSSiteInterval value

Example

DOSSiteInterval 1.5

DOSBlockingPeriod

DOSBlockingPeriod directive sets the amount of time that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in 403 (Forbidden) response and the timer will be reset (e.g. for another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset.

The interval is specified in seconds and may be a real number.
Syntax

DOSBlockingPeriod value

Example

DOSBlockingPeriod 10.7

DOSSystemCommand

DOSSystemCommand directive specifies the system command to be executed whenever an IP address becomes blacklisted.
Syntax

DOSSystemCommand value

Example

DOSSystemCommand "cscript addFirewallRuleByIP.vbs IP=%s"

DOSCloseSocket

DOSCloseSocket directive instructs mod_evasive to send 403 code and close connection socket. It means an attacker will have to create new connection and it’s pretty good for you as it takes some time.
Syntax

DOSCloseSocket On|Off

Example

DOSCloseSocket On
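
How DOSPageCount, DOSPageInterval and DOSBlockingPeriod interact, including the timer reset, is easiest to see on a request log. The script below is an added example and a simplified model of the behaviour described above, not mod_evasive source code: the function name evasive_model and the request log are constructed. In the sample the request at second 112 is still refused, 12 seconds after the client was blocked, because the refused request at second 105 restarted the 10-second timer.

```sh
#!/bin/sh
# Added example: simplified model of the page-count thresholds described above.
# It is not mod_evasive source code; it only mirrors the documented behaviour.

# CONSTRUCTED request log: "epoch-seconds client-ip uri"
sample_requests() {
cat <<'EOF'
100 198.51.100.7 /login.php
100 198.51.100.7 /login.php
100 198.51.100.7 /login.php
100 198.51.100.7 /login.php
100 203.0.113.5 /index.html
105 198.51.100.7 /login.php
112 198.51.100.7 /login.php
125 198.51.100.7 /login.php
EOF
}

# evasive_model PAGE_COUNT PAGE_INTERVAL BLOCKING_PERIOD
# Reads the log on stdin, prints "time ip uri status" for every request.
evasive_model() {
    awk -v pc="$1" -v pi="$2" -v bp="$3" '
    {
        t = $1; ip = $2; key = $2 " " $3
        # Blocked client: answer 403 and restart the blocking timer
        if ((ip in blocked) && t - blocked[ip] < bp) {
            blocked[ip] = t; print t, ip, $3, 403; next
        }
        # New page interval for this client and URI: restart the counter
        if (!(key in start) || t - start[key] >= pi) { start[key] = t; hits[key] = 0 }
        hits[key]++
        # Threshold exceeded inside the interval: put the client on the list
        if (hits[key] > pc) { blocked[ip] = t; print t, ip, $3, 403; next }
        print t, ip, $3, 200
    }'
}

# DOSPageCount 3, DOSPageInterval 1, DOSBlockingPeriod 10
sample_requests | evasive_model 3 1 10
```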

Posted in Apache | 1 Comment

Preventing DoS attacks with mod_evasive

This tool, an Apache module for preventing DoS attacks, is a very good tool, but I myself couldn't get much benefit from it.
It seems it has a little bug in preventing real DoS attacks, and it has not been updated for so long.
It can detect an attack but cannot prevent it efficiently; even its own Perl test script, which creates a virtual DDoS against your web server, indicates that it cannot really prevent those bad connections.

But I thought I may be wrong, and created this instruction on how to install mod_evasive on the Apache web server.
Maybe you can make the most of it.

cd /usr/local/src
wget http://woshka.com/opensource/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs -cia mod_evasive20.c

After successfully installing this module, it will add the following evasive directives to your httpd.conf, which you can edit to match your needs:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>

For a list of all mod_evasive directives and an explanation of each one, please follow this link:

http://woshka.com/blog/apache/mod_evasive-directives-and-explaination.html

Posted in Apache | 0 Comments

How to stream FLV with Apache and JW Player on a Linux server?

Today I want to show you how to enable streaming of FLV-encoded videos in JW Player on your own website.
First I need to tell you that you need root access to the server; this is not something that can be done with just your website.
You need to modify the web server (Apache) on your server, add an FLV handler to its configuration, and also modify jwplayer.php.
OK, let's get started.
SSH to your Linux server as root.

1- First we will modify the Apache web server by adding and compiling the mod_flvx module:

Download mod_flvx:

wget http://people.apache.org/~pquerna/modules/mod_flvx.c

Compile and install the module with your Apache web server:

apxs -i -a -c mod_flvx.c

The following should be added to httpd.conf automatically after compiling this module with Apache:

LoadModule flvx_module modules/mod_flvx.so

You should also add the following FLV handler to httpd.conf manually:

AddHandler flv-stream .flv

After that, restart Apache to make sure the changes take effect:

service httpd restart

2- Second, we will show you how to modify the Flash player to enable streaming for it (in this case JW Player):

Find /jw_player_5/jw_player5.php and open it.
In the lines containing the player parameters, in the if statement "if($vid_file)", just add the following inside its block of code in curly braces:

$swfobj->addVar('provider','http');

Then save the file and test your video.
You are finished.

Happy streaming ;)

Posted in Apache | 0 Comments

MaxClients in Apache

Explanation Of MaxClients Directive

MaxClients defines the maximum number of connections that can be open to the Apache web server. Any connections above that amount are queued until open connections are closed, and how long a queued connection request can wait depends on the value of the Timeout directive.

Why configure the MaxClients directive

If too many connections are waiting for a reply from Apache, Apache goes down, and if this continues, Apache goes down repeatedly. To your visitors it then seems that the server is not powerful, when really it is just a misconfiguration.

Module That Must Be Compiled With Apache

MaxClients is a directive of the mpm_worker and mpm_prefork Apache modules; one of them must be compiled and enabled with Apache for this directive to work.

Assigning MaxClients A Value

You can assign a value to MaxClients to change the connection limit, using this structure:

MaxClients number

You should define MaxClients in the Apache global configuration, that is httpd.conf, or in external text files that are included in httpd.conf, enclosed by the worker or prefork module definitions.

MaxClients 600

or

MaxClients 600

The MaxClients value must be lower than the ServerLimit directive value. ServerLimit should be defined above the MaxClients directive, enclosed by the mpm worker or prefork directives.

MaxClients default value and why Apache goes down repeatedly

The default value for MaxClients is 256. According to what was said earlier, if the number of requests to your web server is higher than 256, let's say 300, then 256 are served and the remaining 44 connections are queued, waiting for active connections to be served and closed. Let's say 10 connections have been served and closed; then 10 of those 44 queued connections connect to the web server, and there are now 34 queued connections. If the queued connections rise to, for example, 200, Apache goes down permanently.

MaxClients is only one of the directives that should be used for optimizing Apache performance; I have discussed them earlier in the following post:
how to optimize apache?

voshka

Posted in Apache | 2 Comments
