This question already has answers here:
Apache 2.4.x ip blacklist
(2 answers)
Closed 2 years ago.
Hello I'd like to permenently ban anything requesting the directory "/backups/" now how can I do that using a PHP script or mod_security?
I want to do this in a similar manner as iptables does this if possible.
I figured out how to do this on my own.
create a script in /bin called "blockip" containing the following
if [ -z "$1" ]
then
echo "No argument supplied"
exit 1
fi
echo "Blocking IP address $1"
iptables -A INPUT -s $1 -j DROP
then
chmod +x /bin/blockip
and now run
sudo visudo
add this:
nobody ALL = NOPASSWD: /your/script
make sure it is chmod 755
and add this code to index.php in the directory.
exec("sudo blockip ".escapeshellcmd($_SERVER['REMOTE_ADDR']));
Related
We are attempting to set up Apache Mod Evasion to prevent future DOS attacks on one of our servers. Everything seems to be working well outside of email notifications. The stack is running PHP 7.1 and Apache2.4 on Ubuntu Server 16.04.
Email works fine via a test command:
sudo su - www-data -s /bin/bash -c 'echo "this is the body" | mail -s "Subject" webdev#domain.edu webdev#domain.edu'
Here is the mod evasion.conf:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 1
DOSSiteCount 1
DOSPageInterval 10
DOSSiteInterval 10
DOSBlockingPeriod 10
DOSEmailNotify root
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
Here is the ssmtp.conf file:
root=webdev#domain.edu
FromLineOverride=YES
Debug=YES
UseSTARTTLS=YES
UseTLS=YES
mailhub=email-smtp.us-east-1.amazonaws.com:465
AuthUser=#######
AuthPass=#######
AuthMethod=LOGIN
Here is the revaliases file:
root:noreply#domain.edu:email-smtp.us-east-1.amazonaws.com:25
www-data:noreply#domain.edu:email-smtp.us-east-1.amazonaws.com:25
mod_evasive has a hard-coded command of the mailer invocation, defined as MAILER inside the source-code and also mentioned in e.g. this bug report.
#define MAILER "/bin/mail %s"
%s is substituted by the value of directive DOSEmailNotify when sending mails. However, nowadays on most systems /bin/main is not used and you might want to use sendmail instead. What you could do, is to create a wrapper script as /bin/mail (assumed that this binary does not exist at all or is not used).
#!/bin/bash
if [ "$1" != "" ]
then
/usr/sbin/sendmail -t "$1"
fi
Adjust the path to your sendmail binary and finally make the script executable using chmod 0755 /bin/mail.
System: Ubuntu 14.04 LAMP running on Parallels VM set up with Vagrant
I'm writing my first non-trivial shell script to add new web projects to a dev VM on my Mac laptop.
Create a default folder structure in /var/www/
Add a .conf vhost file to /etc/apache2/sites-available with the new domain replacing placeholders via sed
Enable the new site and restart apache
I've got the folders and files copying over and sed seems happy customizing my index.html and .conf vhost file, but a2ensite doesn't seem to see the .conf file in /etc/apache2/sites-available/
I test for its existence and even print a debug listing: ls -al /etc/apache2/sites-available/ | grep $CONFFILE before attempting to enable the site.
I've read here and elsewhere about the importance of having the .conf extension since Ubuntu 13 (or 14) which seems to be a very common issue. My vhost file has the .conf extension so this seems like a different issue.
Can anyone point me in the right direction? I haven't been able to find other postings with this particular problem.
My feeling is that I've got an error in my $CONFFILE variable expansion in the a2ensite command because the error does not show the .conf extension even though the directory listing does:
ERROR: Site /etc/apache2/sites-available/example-com-80 does not exist!
Edit:
After running a2ensite from the command line per Micheal's suggestion below, it seemed to parse fine, but still doesn't show the extension:
$ sudo a2ensite example-com-80.conf
Enabling site example-com-80.
To activate the new configuration, you need to run:
service apache2 reload
End Edit
Edit: Found answer
After searching with broader terms, a2ensite instead of Ubuntu 14.04 Vagrant etc, I found a two year old question where #raina77ow points out that a2ensite just wants the site name, not the whole path. Changing sudo a2ensite /etc/apache2/sites-available/$CONFFILE to sudo a2ensite $CONFFILE
makes the script work as intended. This also explains why my previous attempts to run a2ensite from the command line failed; I was running it from inside /var/www/templates/ and passing in the whole path to the .conf file.
Now, a stackoverflow question, how best should I indicate this is the solution with the limited reputation that I have? And give credit properly?
See edit above for solution
Console output with example.com:
$ ./newvhost
New Server Name with Top Level Domain: example.com
Validating: example.com
New DocumentRoot created: /var/www/example
Copying template structure
Creating: example-com-80.conf
-rw-r--r-- 1 root root 811 Feb 17 15:11 example-com-80.conf
Enabling site
ERROR: Site /etc/apache2/sites-available/example-com-80 does not exist!
newvhost script:
OLDIFS=$IFS
IFS="."
printf "New Server Name with Top Level Domain: "
read NEW_SUBDOMAIN NEW_TLD
IFS=$OLDIFS
NEW_FULL_NAME="$NEW_SUBDOMAIN.$NEW_TLD"
echo "Validating: $NEW_FULL_NAME"
if [[ "$NEW_TLD" != "com" && "$NEW_TLD" != "dev" ]] ; then
echo -e "\E[31;1mTLD must be com or dev! \033[0m"
exit 1
fi
if [ -d "/var/www/$NEW_SUBDOMAIN" ]; then
echo -e "\E[31;1mRoot directory /var/www/$NEW_SUBDOMAIN already exists!\033[0m"
exit 1
fi
mkdir /var/www/$NEW_SUBDOMAIN
if [ -d "/var/www/$NEW_SUBDOMAIN" ]; then
echo "New DocumentRoot created: /var/www/$NEW_SUBDOMAIN"
else
echo -e "\E[31;1mUnable to make directory\033[0m"
exit 1
fi
echo "Copying template structure"
cp /var/www/templates/structure/. /var/www/$NEW_SUBDOMAIN/ -R
sed -i "s/TEMPLATE/$NEW_FULL_NAME/g" /var/www/$NEW_SUBDOMAIN/index.html
CONFFILE="$NEW_SUBDOMAIN-$NEW_TLD-80.conf"
echo "Creating: $CONFFILE"
sudo cp /var/www/templates/vhost_template.conf /etc/apache2/sites-available/$CONFFILE
sudo sed -i "s/FULLNAME/$NEW_FULL_NAME/g" /etc/apache2/sites-available/$CONFFILE
sudo sed -i "s/DOMAINNAME/$NEW_SUBDOMAIN/g" /etc/apache2/sites-available/$CONFFILE
if [ -e "/etc/apache2/sites-available/$CONFFILE" ]; then
ls -al /etc/apache2/sites-available/ | grep $CONFFILE # DEGBUG Listing to doubly confirm $CONFFILE exists
echo "Enabling site"
sudo a2ensite /etc/apache2/sites-available/$CONFFILE
sudo apache2ctl graceful
fi
Thanks,
Any other suggestions for improving the script are very welcome as long as that doesn't run afoul with the terms of StackOverflow.
The answer, in short, is that a2ensite just wants the name of the site.conf and not the whole path to the file.
So sudo a2ensite example-com-80.conf
I found this in an earlier answer by #raina77ow.
I have an automatic script which works, only it just never makes a home directory. The data is extracted from a database.
Heres the script:
$SQL -s -e "SELECT uid, password FROM registrations WHERE processed = 0" \
| while read A B; do
sudo useradd $A -p $B -m /home/
as you can see the -m is there, but it seems to ignore it and never make a home directory and I have no idea why. I must be missing something but i've no idea what
If you run man useradd you'll see that the -m does not expect a parameter.
Running it this way should do the trick (or at least it just did on my Debian Squeeze):
useradd $A -p $B -m
In the man pages you'll also find other useful options such as: -d or -b
This question already has answers here:
Why does sudo change the PATH? [closed]
(18 answers)
Closed 3 years ago.
I'm trying to execute a script from a different server using ssh
Here's the command I'm using from server 1 to launch a query on server 2:
ssh -t user#xxx.xxx.xxx.xx "cd /var/www/vhosts/xxxxx/subdomains/preprod/; sudo ./replace.sh";
but the problem is that when I do sudo the $home = /root while the script is under: /var/www/vhosts/xxxxx/subdomains/preprod/
How can i tell sudo to preserve the environment?
I tried sudo -P - , sudo -H, without any luck.
That's what I got from the man page.
sudo -E
-E The -E (preserve environment) option will override the env_reset
option in sudoers(5)). It is only
available when either the matching
command has the SETENV tag or the
setenv option is set in sudoers(5).
I am using Mac OSX 10.6 and doing web development on it. I know a small amount about writing shell scripts, but I am not really versed in them as of yet.
What I would like to do is to write a shell script that will simply ask for a local site alias and the document directory and it will then append the new alias onto hosts with something like "127.0.0.1 mysite.local" on a new line at the bottom of etc/hosts.
Then the script would append Apache's httpd-vhosts.conf file with something like this:
<VirtualHost *:80>
DocumentRoot "/Repositories/myproject/mysite.com/trunk/htdocs"
ServerName mysite.local
ServerAlias mysite.localhost
</VirtualHost>
Then it would finally run the command to restart my Apache server. Now I know the terminal command to restart Apache, that is simple enough. I also know how to read in the site name and path from the user running the script. Such as below:
#!/bin/bash
read -p "New local site name: " site
read -p "Site path (ex:/Repositories/myproject/mysite.com/trunk/htdocs): " sitepath
What I don't know how to do is to append text to a file from terminal.
Any thoughts or helpful ideas?
Thanks,
Patrick
Untested, but it should work:
#!/bin/bash
read -p "New local site name: " SITE
read -p "Site path (ex:/Repositories/myproject/mysite.com/trunk/htdocs): " SITEPATH
#/etc/hosts
cp /etc/hosts /etc/hosts.original
echo -e "127.0.0.1\t${SITE}.local" >> /etc/hosts
#httpd-vhosts.conf
VHOSTSFILE="/etc/apache2/httpd-vhosts.conf"
cp $VHOSTSFILE ${VHOSTSFILE}.original
echo "<VirtualHost *:80>" >> $VHOSTSFILE
echo -e "\tDocumentRoot \"${SITEPATH}\"" >> $VHOSTSFILE
echo -e "\tServerName ${SITE}.local" >> $VHOSTSFILE
echo -e "\tServerAlias ${SITE}.localhost" >> $VHOSTSFILE
echo '</VirtualHost>' >> $VHOSTSFILE
#restart apache
>> redirects the output to the given file, appending the contents to the file. I’m also using -e to allow \t to be expanded to a tab character.
Note that you need to run this script with sudo. I've also included commands to backup the original files before modifying them, just in case.
I made some tweaks and did some extra stuff in the above answer, because this didn't work for me but it helped me to come up with another solution. This answer is only for Mac users.
First go in your /etc/apache2/httpd.conf and uncomment virtual host reference, which is this line Include /private/etc/apache2/extra/httpd-vhosts.conf
Now create a bash file I did that in my user’s home named as imran, you need to replace it with your username.
I placed it inside /Users/imran named as create_new_site.sh. I gave it executeable permissions, so it can be easily executed using chmod +x create_new_site.sh
Code for the script is as below:
#!/bin/bash
read -p "New local site name (prefix to .local): " SITE
SITEPATH=$SITE
sudo chmod -R a+w /Users/imran/Sites/web
SITEPATH="/Users/imran/Sites/web/${SITEPATH}"
mkdir -p $SITEPATH
#/etc/hosts
cp /etc/hosts /etc/hosts.original
echo -e "127.0.0.1\t${SITE}.local" >> /etc/hosts
#httpd-vhosts.conf
VHOSTSFILE="/etc/apache2/extra/httpd-vhosts.conf"
cp $VHOSTSFILE ${VHOSTSFILE}.original
echo "<VirtualHost *:80>" >> $VHOSTSFILE
echo -e "\tDocumentRoot \"${SITEPATH}\"" >> $VHOSTSFILE
echo -e "\tServerName ${SITE}.local" >> $VHOSTSFILE
echo '</VirtualHost>' >> $VHOSTSFILE
echo '<?php phpinfo();' > "${SITEPATH}/phpinfo.php"
sudo chmod -R a+w $SITEPATH
#restart apache
sudo apachectl restart
echo "All done! visit, let's visit http://${SITE}.local/phpinfo.php"
Once that is done you can start creating new sites using sudo ./create_new_site.sh. Remember that you need to be in your home directory, which you can go via cd ~ command. Now let's suppose you created a site with name test. You should be able to visit http://test.local/phpinfo.php to see your vhost working.