Getting Started with Apache ModSecurity on Debian and Ubuntu

ModSecurityLogo.png

ModSecurity is a Web Application Firewall: a program that can be used to inspect information as it passes through your web server, intercepting malicious requests before they are processed by your web application.

This tutorial will show you how to install ModSecurity on Apache, and configure it with some sensible rules provided by the Open Web Application Security Project's Core Rule Set (OWASP CRS), which will help to protect your server against SQL injection, denial of service attacks, malformed requests, cross site scripting attacks, and more.

And yes, you can use this guide with your Raspberry Pi if you're running Raspbian, Ubuntu, or another Debian derivative on it.

MX Backup - Postfix Email Server

By far the most popular set of articles I have written is my Raspberry Pi Email Server tutorial. Clearly, there are plenty of people who don't like relying on freemail providers like Yahoo, Outlook and Gmail for a variety of privacy and security reasons.

However, there is one major drawback of hosting your own email server: if your server is taken offline for maintenance, or your internet connection is interrupted, then incoming email can not be delivered and may bounce.

This tutorial will describe how to set up another server to act as an MX backup. The backup server will be hosted on a separate internet connection with a different WAN IP address, and have a lower priority than your primary mail server in your Mail Exchanger (MX) DNS record. When your primary server is offline other MTAs will send email to the backup instead, and the backup will hold them until your primary mail server comes back online, and then deliver them. No more bounced emails.

The biggest challenge when setting up a backup MX is convincing a friend or family member to allow you to run a RasPi or some other server on their network; the rest of the setup is a breeze compared to the full mail server installation described in the main tutorial, because fewer components are required (just Postfix).

This guide is written for Debian and its derivatives (Raspbian, Ubuntu etc.) but since a basic postfix installation is more or less the same across different distributions you should be able to use it for any distro. My backup server runs openSUSE.

Connect Bose SoundTouch 10 to WiFi using Linux / Telnet

bose-soundtouch-10-telnet-interface.png

I recently received a Bose SoundTouch 10 speaker as a gift. The speaker itself is great, but I've found some of the features of the Android app don't work very well. Specifically, it seems to have trouble detecting the speaker and connecting to a new wifi network, endlessly looping instead.

I was convinced that there must be a way to connect to the device using Linux, and doing a little research online led me to this great post revealing that you can telnet to the Bose SoundTouch, and enable a shell.

What follows is instructions on how to connect to the SoundTouch manually using Linux (or Mac, or Windows box with PuTTY), and give it the username and password for a new wifi network so that you can start using the app again. Technically, it must be possible to add login details for a Bose account and change the hardware button presets from this interface too, but I'll leave that for you to experiment with.

Example Whitelisting Rules for Apache ModSecurity and the OWASP Core Rule Set

ModSecurityLogo.png

Recently, I've spent a lot of time tweaking my ModSecurity configuration to remove some false positives.

This tutorial will:

  • Explain the the various methods of altering ModSecurity rules starting with the crudest and working up to the more specific techniques
  • Give some varied examples of custom rules written for exception handling, with a particular focus on the rules distributed by the OWASP Core Rule Set team.

I am calling the process of removing false positives "whitelisting", but technically I should be calling it "exception handling". However, I think more people looking for this information will find it by searching for "whitelisting".

Local BIND9 Caching DNS Server

This tutorial will show you how to configure a caching BIND9 server on your local network, and configure an OpenWrt router to use it. This should result in slightly quicker DNS lookups, but to be honest, you may not notice a huge difference (my DNS lookups now take 30% less time, but I don't think this has made page loading noticeably faster). Here are a few situations where it could be particularly worthwhile:

  • You have a large LAN with lots of clients, and you want to take some load off your router
  • You are using something like modsecurity's real time RBL lookups and you want to reduce latency
  • Your ISP's nameservers are slow but you would still like to use them
  • You are a curious soul and you want to learn about DNS ;)

Whitelisting tools for Apache ModSecurity

auditlog2db-manual.png

I have written a CLI utility for Ubuntu to import ModSecurity's audit log file into an sqlite database, which should be a great help to people building whitelists to reduce false positives. This supersedes my previous efforts with BASH scripts. Packages are available for Ubuntu Trusty and Utopic (14.04 & 14.10) in my Personal Package Archive on Launchpad.

To create my app I had to learn about:

  • C++ development on Ubuntu including two third party libraries (Boost Regex and SQLite)
  • Version control using Git
  • The GNU build system "Autotools"
  • How to build .deb packages for Ubuntu and Debian
  • How to upload packages to a Personal Package Archive (PPA) on Launchpad

I plan on writing detailed tutorials for most of this, but there's quite a lot to get through so it could take a while!

DNS Basics for Websites and Email Servers

DNS-signpost.jpg

This article aims to explain what various DNS records are and how to use them. It is aimed at people hosting websites and email servers on a home server such as a raspberry pi.

How DNS Works

DNS stands for Domain Name System. In a nutshell, it's the system that we use to translate human readable domain names (e.g. samhobbs.co.uk) into the Internet Protocol (IP) addresses for those services (e.g. 195.166.151.235).

The DNS system has a strict hierarchy, and lookups are performed recursively using a client/server model. This means that when your computer asks for the IP address for "subdomain.example.com", the DNS resolver you are using starts at the top and works backwards to find the address. The servers at the top of the pyramid (root name servers) direct clients to the name servers reponsibe for Top Level Domains (TLD, e.g. .com), and that server in turn is able to tell the client which name server is authoritative for the second level domain (e.g. example.com), and so on. Usually for small sites, the DNS records for your domain are managed by your Domain Name Registrar.

The DNS resolver doesn't have to perform all these lookups every time, because each record has a Time To Live (TTL) in seconds, which tells the client how long they can cache the information for until it should be refreshed. That's Time To Live (live free), not Live (live electrical circuit), which is how I first read it!

There are loads of different types of DNS record, so I've picked the most important ones you might need or want to use. These are:

  1. DNS A - used to map a host name to an IP address
  2. Mail Exchanger (MX) - used to tell clients which hostnames are used for email services
  3. Sender Policy Framework (SPF) - used to define which servers are allowed to send email from your domain name
  4. Pointer (PTR) - the opposite of DNS A, this record maps an IP address to the hostname

For a website, you only need a DNS A record. For an email server, you need at least a DNS A record and an MX record; PTR and SPF records will help you get your email through spam filters.

I'll be illustrating how to set up the different types of record using Namecheap, my Domain Name Registrar, as an example. If you haven't registered a domain name yet, I'd recommend Namecheap -avoid GoDaddy if you can, since they have some pretty horrible pricing practices and consistently back the wrong side when it comes to internet censorship acts like SOPA and PIPA.

Dynamic DNS with ddclient on Raspberry Pi and Ubuntu

This tutorial will show you how to configure ddclient on Raspbian and Ubuntu. Many tutorials don't explain what to do if your server is behind a router, but this one will.

I recently set up a backup server on an internet connection that has a dynamic IP address. So far, I've been spoiled at home because my ISP (PlusNet) makes switching to a static IP address easy and cheap, so obviously I did that. This time though, I didn't have that option, and I didn't want to configure a dynamic dns client on that router either, so I had to set it up on the server itself.

Can't Connect to LuCi After OpenWrt Upgrade - Solution

openwrt-barrier-breaker.png

I just upgraded my OpenWrt router from Attitude Adjustment (12.09) to Barrier Breaker (14.07) on my TP-Link WDR3600. There are many methods of doing this, I chose the GUI way in the web interface LuCi. I downloaded the new firmware, uploaded it via LuCi, it flashed successfully and rebooted. My config files were preserved and all of my devices reconnected successfully. Great!

But wait... no LuCi! Whatever I tried, I couldn't get LuCi to connect. After tearing my hair out for a bit, I discovered what was wrong.

Private Internet Access OpenVPN in Kubuntu 14.04 (Trusty Tahr)

OpenVPN Logo

I recently purchased a VPN service from Private Internet Access (PIA), because I wanted to learn about openvpn and thought it would be a neat way to get an outside view of my network. At £25/year, I think PIA is great value.

PIA provides a shell script that you can run to set up the OpenVPN to connect to their servers, but I wanted to know how to do it manually. It took me a while to figure out exactly how to connect to it using Kubuntu's Network Management widget, so hopefully this will save you some trouble.

This method should be the same for any distribution using a recent version KDE's Plasma desktop.

Pages

Subscribe to samhobbs.co.uk RSS