richardforth / Apache2buddy

Licence: apache-2.0
apache2buddy

execution

old method:

# curl -sL ***redacted*** | perl

** DOMAIN EXPIRY NOTICE **

There is no intention of renewing the domain:

    	apache2buddy.pl

Please use extreme caution! Running arbitrary
code as root is high risk and the domain
will not be associated with this code.

We took steps in 2018 to move the code to
github exclusively and have it run from
there directly with curl and perl.

new method:

# curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl

landing page

########### IMPORTANT SAFETY ANNOUNCEMENT #################

This is the NEW landing page for apache2buddy.pl

Please don't curl and perl the domain any more.

For security reasons, the following 
execution method will bring you to this page:

  # curl -sL ***redacted*** | perl

Instead please run / bookmark the following:

  # curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl
  
This method is much safer.

For more information on this change refer to the README.md:
https://github.com/richardforth/apache2buddy/blob/master/README.md

Pay specific attention to the "Security Concerns" and 
"Typocamping is a thing and why you should be concerned" 
sections.

If you still don't understand the dangers of typocamping, remember,
you just ran THIS script, on your server as root. Thankfully I am
a good guy.

The domain will slowly be phased out and will eventually be released.
This landing page marks the start of that process. 

############### END IMPORTANT SAFTEY ANNOUNCEMENT ##############

Best Practice

Best Practice is to check the code against either the md5sums or sha256sums (or both) before execution of the code.

Example:

--- a2bchk.sh ---
#!/bin/bash
# example of testing md5sums and sha256sums prior to execution
# the script is downloaded once, so the copy that is checked is the copy that is run

base=https://raw.githubusercontent.com/richardforth/apache2buddy/master
script=$(mktemp) || exit 1
trap 'rm -f "$script"' EXIT

# -f makes curl fail on an HTTP error instead of saving the error page
curl -sfL "$base/apache2buddy.pl" -o "$script" || { echo "Error: download failed, execution aborted."; exit 1; }

scriptmd5sum=$(md5sum "$script" | cut -d " " -f1)
originmd5sum=$(curl -sf "$base/md5sums.txt" | cut -d " " -f1)
echo "$scriptmd5sum"
echo "$originmd5sum"
# an empty published sum (failed download) must never count as a match
if [ -n "$originmd5sum" ] && [ "$scriptmd5sum" = "$originmd5sum" ]
then
        scriptsha256sum=$(sha256sum "$script" | cut -d " " -f1)
        originsha256sum=$(curl -sf "$base/sha256sums.txt" | cut -d " " -f1)
        echo "$scriptsha256sum"
        echo "$originsha256sum"
        if [ -n "$originsha256sum" ] && [ "$scriptsha256sum" = "$originsha256sum" ]
        then
                # both sums match the published ones, so execute the copy that was checked
                perl < "$script"
        else
                echo "Error: SHA256SUM mismatch, execution aborted."
                exit 1
        fi
else
        echo "Error: MD5SUM mismatch, execution aborted."
        exit 1
fi
--- end a2bchk.sh ---

If the md5sums or sha256sums do not match, then changes have been made and the code is untested, so do not proceed until they match.
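
The checksums in a2bchk.sh come from the same repository as the script, so they show that the script matches what was published, not that the published copy is one you have reviewed. The following is an added example, not part of the apache2buddy project: it checks the download against a SHA-256 digest you record yourself after reading a copy. The names verify_pinned and run_if_pinned and the PINNED_SHA256 placeholder are assumptions.

```sh
#!/bin/sh
# Added example: run the download only if it matches a digest you pinned
# yourself. Function names and PINNED_SHA256 are illustrative assumptions.

URL=https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl
# Placeholder: replace with the sha256sum of the copy you reviewed.
PINNED_SHA256="<sha256-of-reviewed-copy>"

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 when the pin or the file is unusable.
verify_pinned() {
    vp_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters. Reject anything else so
    # an empty, truncated or placeholder pin can never count as a match.
    case $vp_expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vp_expected}" -eq 64 ] || return 2
    # A missing or empty file means the download failed.
    [ -s "$1" ] || return 2
    vp_actual=$(sha256sum "$1" | cut -d " " -f1)
    [ "$vp_actual" = "$vp_expected" ]
}

# Download once, verify that copy, and feed the same copy to perl.
run_if_pinned() {
    rp_tmp=$(mktemp) || return 2
    if ! curl -sfL "$URL" -o "$rp_tmp"; then
        echo "Error: download failed, execution aborted." >&2
        rm -f "$rp_tmp"
        return 2
    fi
    rp_rc=0
    verify_pinned "$rp_tmp" "$PINNED_SHA256" || rp_rc=$?
    case $rp_rc in
        0) perl < "$rp_tmp" || rp_rc=$? ;;
        1) echo "Error: SHA256SUM differs from the pinned value, execution aborted." >&2 ;;
        *) echo "Error: pinned digest is missing or malformed, execution aborted." >&2 ;;
    esac
    rm -f "$rp_tmp"
    return "$rp_rc"
}

# Nothing is fetched unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    run_if_pinned
fi
```

A mismatch after an upstream update is expected: review the new copy, then update the pinned value.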

Risk Factors

  • Running arbitrary code as root (Dangerous)
  • Compromised script could result in root level compromise of your server
  • Runaway processes not doing what they are supposed to (this actually happened in testing, thankfully all of the known exceptions have been caught)

Security concerns

While I do everything I can to ensure the code is clean and free from harmful bugs, there is a risk of malware being run, for example "typocamping", therefore if you do curl and perl the domain, be sure to type it absolutely correctly.

In order to mitigate the risks I am now urging you to curl and perl directly from github, like so:

# curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl

This is a MUCH safer method than curling the domain, and making a typo and being left at the mercy of "typocampers".

Any attempts going forward to curl and perl the domain, will give you the landing page above.

typo squatting / camping is a thing, and why you should be concerned.

First of all I am just a dude, with a github account and enough money to keep one domain going. I don't have infinite wealth, so buying up all the different likely typo'ed versions of my domain is impossible. This is a concern if you are curling and perling a domain, as root. Can you see the problem if you ran "curl -sL redacted | perl"?

Typo campers COULD take advantage of this and register a domain that is close to mine, in the vague hope of a typo that results in you hitting their site instead of mine, and what if THAT site contained a very malicious perl script?

That's typocamping in a nutshell, and, for that reason, I want to stop using the domain, and phase it out.

Supporting links:

https://www.brandshield.com/typosquatting-ways-to-protect-your-brand/

https://arstechnica.com/security/2016/06/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution/

https://nakedsecurity.sophos.com/typosquatting/

Logging

On every execution, an entry is made in a log file: /var/log/apache2buddy.log on your server.

Example log line:

    2016/05/24 10:14:15 Model: "Prefork" Memory: "490 MB" Maxclients: "50" Recommended: "54" Smallest: "8.49 MB" Avg: "8.49 MB" Largest: "8.49 MB" Highest Pct Remaining RAM: "91.84%" (86.64% TOTAL RAM)

This is to help you get an idea of changes over time to your apache tuning requirements. Maybe this will help you decide when you need more RAM, or when you need to start streamlining your code, or help you track when performance started degrading.

Remember it only puts a new entry in the log file on each new execution. It's not designed to be run as a cron job or anything.

Log Rotation

Log rotation should not be necessary because this script is NOT designed to be run as a cron job, so it should never really fill your disks. If you ran this on your server a year or six months ago, maybe it's just nice to see what the results were from back then? You get the idea.
