Simple web application firewall using .htaccess

Apache provides a simple web application firewall by allowing for a “.htaccess” file with certain rules in it. This is a file you put in your document root and it may restrict or allow access from specific IP addresses. NB: These commands may also be put directly in the virtual host configuration file in “/etc/apache2/sites-available/”.

Use Case #1: Test environment

Sometimes you may want to lock down a site and only grant access from a limited set of IP addresses. The following example (for Apache 2.2) only allows access from the IP address “127.0.0.1” and blocks any other request:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

In Apache 2.4 the syntax has slightly changed:

Require all denied
Require ip 127.0.0.1

You can find your IP address on: whatismyipaddress.com

Use Case #2: Application level firewall

If you run a production server and somebody is abusing your system with a lot of requests then you may want to block a specific IP address. The following example (for Apache 2.2) only blocks access from the IP address “172.28.255.2” and allows any other request:

Order allow,deny
Allow from all
Deny from 172.28.255.2

In Apache 2.4 the syntax has slightly changed. Note that “Require not” can only deny, never grant, so the two lines must be wrapped in a “<RequireAll>” block; left bare they fall into an implicit “<RequireAny>”, where “Require all granted” wins for every client:

<RequireAll>
 Require all granted
 Require not ip 172.28.255.2
</RequireAll>

If you want to block an entire range you may also specify CIDR notation:

<RequireAll>
 Require all granted
 Require not ip 10.0.0.0/8
 Require not ip 172.16.0.0/12
 Require not ip 192.168.0.0/16
</RequireAll>

NB: Not only IPv4, but also IPv6 addresses may be used.
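To see how Apache 2.4 actually combines these rules, here is a small evaluator added for this page (a model of the documented mod_authz_core semantics, not Apache code; it understands full addresses and CIDR ranges only, not the partial-address form). It checks the allowlist from use case #1 and the blocklist from use case #2, and shows that a bare “Require not ip” under the implicit <RequireAny> blocks nothing, whereas the <RequireAll> form does:

```python
import ipaddress

# Model of the documented Apache 2.4 mod_authz_core semantics (added example, not
# Apache code). Each Require line yields one of three results:
#   Require all granted / denied  -> GRANTED / DENIED
#   Require ip <addr|cidr> ...    -> GRANTED on a match, else NEUTRAL
#   Require not ip <addr|cidr>... -> DENIED on a match, else NEUTRAL (it can never grant)
# Bare Require lines live in an implicit <RequireAny>; <RequireAll> must be explicit.
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def evaluate_require(line, client):
    words = line.split()
    negate = words[1] == "not"
    args = words[2:] if negate else words[1:]
    if args[0] == "all":
        return GRANTED if args[1] == "granted" else DENIED
    # Full IPv4/IPv6 addresses and CIDR ranges; a v4 client never matches a v6 network
    matched = any(client in ipaddress.ip_network(a, strict=False) for a in args[1:])
    if negate:
        return DENIED if matched else NEUTRAL
    return GRANTED if matched else NEUTRAL

def combine(container, results):
    if container == "RequireAny":      # one success grants; otherwise one failure denies
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    if DENIED in results:              # RequireAll: a single failure denies
        return DENIED
    return GRANTED if GRANTED in results else NEUTRAL

def is_allowed(snippet, client_ip):
    """True if a client with this address passes the .htaccess snippet."""
    client = ipaddress.ip_address(client_ip)
    container, results = "RequireAny", []
    for raw in snippet.splitlines():
        line = raw.strip()
        if line.startswith("<Require"):          # opening container tag
            container = line[1:-1]
        elif line.startswith("Require"):
            results.append(evaluate_require(line, client))
    return combine(container, results) == GRANTED

# Constructed snippets: the allowlist of use case #1 (with IPv6 loopback added) and
# the blocklist of use case #2, once bare and once wrapped in <RequireAll>.
ALLOWLIST = "Require all denied\nRequire ip 127.0.0.1 ::1"
BLOCKLIST_BARE = "Require all granted\nRequire not ip 172.28.255.2 10.0.0.0/8"
BLOCKLIST = "<RequireAll>\n" + BLOCKLIST_BARE + "\n</RequireAll>"
```

Calling is_allowed(BLOCKLIST_BARE, "172.28.255.2") returns True, which is exactly the misconfiguration the <RequireAll> wrapper prevents.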

RewriteCond and RewriteRule tricks for .htaccess

The Apache web server has a module called “mod_rewrite”. It allows for redirecting and modifying the requested URL. Below are some of the most popular modifications and redirects that can be executed. Put these commands in a “.htaccess” file in the document root of the web site. In order of popularity:

#1. Redirect everything to the www subdomain

With or without “www”? Not such a hard question considering that you can answer on both and redirect one. This snippet, which can be combined with the previous one, redirects all non-www requests to the www subdomain:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

Having your website on the “www” subdomain may be beneficial when dealing with CDN or security services.

#2. Redirect everything to HTTPS

There is hardly any reason not to run your website over SSL (HTTPS). Also it is very important that you answer to both HTTP and HTTPS. This snippet redirects all non-HTTPS traffic to HTTPS:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTPS} !on [NC]
 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

It is important to choose one true (canonical) URL for SEO reasons.

#3. PHP file to handle all non-static requests

Also known as the front controller pattern. This mechanism is the basis for any web framework. In PHP it allows you to read the actual requested path in the $_SERVER['REQUEST_URI'] global variable. The rewrite looks like this:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

Note that the PHP file is bypassed for existing files (static content).

#4. Rewrite GET parameter to URL part

If you have a URL that you should be calling with “GET /orders?id=13” and you want it to respond as if “GET /orders/13” was called, then you may use the following:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_URI} ^/orders [NC]
 RewriteCond %{QUERY_STRING} ^id=([0-9]+)$ [NC]
 RewriteRule ^(.*)$ %{REQUEST_URI}/%1\? [R,L]
</IfModule>

This is especially useful when migrating URL schemes and you need legacy support. Note how the escaped question mark at the end of the “RewriteRule” removes the GET parameter(s).
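The following added Python model (not mod_rewrite itself, and not from the original post) walks sample requests through the four snippets above, assuming they are listed in the order #1, #2, #4, #3 in a single .htaccess file; the host “www.example.com” and the file-existence flag are constructed inputs. It shows where the query string survives and where the trailing “\?” drops it:

```python
import re

# Added model of the four .htaccess snippets above; it is not mod_rewrite itself and
# assumes the rules are listed in the order #1, #2, #4, #3 in one .htaccess file.
# Modelled mod_rewrite behaviour: in per-directory context the pattern ^(.*)$ sees the
# path without its leading "/"; a substitution without "?" keeps the client's query
# string and one ending in "\?" drops it; [R] without a status code means 302; %1 is
# the capture of the last matched RewriteCond; [L] stops processing for that request.
def query_suffix(query):
    return f"?{query}" if query else ""

def apply_rules(host, https, path, query, exists):
    """Return ("redirect", status, location), ("rewrite", target) or ("pass", None).
    `exists` stands in for the -f/-d tests on REQUEST_FILENAME."""
    rel = path.lstrip("/")
    # #1  RewriteCond %{HTTP_HOST} !^www\. [NC]  ->  301 to the www host
    if not re.match(r"www\.", host, re.I):
        return ("redirect", 301, f"http://www.{host}/{rel}{query_suffix(query)}")
    # #2  RewriteCond %{HTTPS} !on  ->  301 to https on the same host
    if not https:
        return ("redirect", 301, f"https://{host}/{rel}{query_suffix(query)}")
    # #4  ^id=([0-9]+)$ only matches a lone id parameter; REQUEST_URI/%1\? builds the
    #     new path and the trailing "\?" erases the query string
    m = re.match(r"id=([0-9]+)$", query, re.I)
    if re.match(r"/orders", path, re.I) and m:
        return ("redirect", 302, f"https://{host}{path}/{m.group(1)}")
    # #3  front controller: anything that is not an existing file or directory goes to
    #     index.php, and [QSA] keeps the original query string for $_SERVER
    if not exists:
        return ("rewrite", "index.php" + query_suffix(query))
    return ("pass", None)
```

A request for http://example.com/orders?id=13 thus takes three hops (www, then https, then /orders/13) before the front controller ever sees it.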


Linux commands “astu” and “astsu” in Mr. Robot


People told me that the hacking in “Mr Robot” was pretty accurate. Mr Robot is a TV series about a hacker named “Elliot”. I had to see it, but until now I was lacking the time. Last Sunday was a perfect lazy day and I took the time to finally watch it. I must admit it was pretty amazing to see the inside of a data-center and all the geeky Linux command line screens in such a popular TV series.

Linux commands “astu” and “astsu”

When Elliot (the main character) is hacking he uses two Linux commands frequently: “astu” and “astsu”. The commands play a critical role in the series. I did not know what they did, so I wondered:

Did anyone figure out what the “astsu” command is supposed to be? Did he just type random characters or what? The other commands I noticed were all real.

On which some other user on the Cyberpunk and Science Fiction board replied:

It seems to be used like sudo (or ssh) would so I guess the idea was that the company that he works for has its own way to allow safe privilege escalation and this is the tool they install astsu = AllSafe Toolkit Super User (allsafe security being the company name).

You should read the Mr. Robot Episode 1 Analysis for more detail on the actual commands used during the hacking.

Things I liked

Some things were really spot on in the series and I liked them a lot:

  1. The correctness, detail and accuracy of the hacking that goes on.
  2. Elliot has some social challenges and thus feels like an outsider.
  3. Elliot is unhappy and this is his strength, as he has nothing to lose.

But not everything was good, there was also some stuff that bothered me in the series.

Things that bothered me

Here is a list of the most annoying things in the series:

  1. Elliot uses a smart-phone and he never switches SIM or phone.
  2. Elliot’s schizophrenia is making his conspiracy thinking less genuine.
  3. Computers and downers do not match. Caffeine on the other hand…

I feel the makers of Mr. Robot should have thought these things over better. Nevertheless they made an enjoyable TV series. Recommended!


3 popular GOTO conference talks

GOTO conferences are for developers by developers. On gotocon.com you find the upcoming conferences:

  • GOTO London: Sep. 14 – 18, 2015
  • GOTO Copenhagen: Oct. 5 – 8, 2015
  • GOTO Berlin: Dec. 2 – 4, 2015
  • GOTO Chicago: May 2016
  • GOTO Amsterdam: June 13 – 15, 2016

There have already been many GOTO conferences. Many of the past talks are available on YouTube. Below you find 3 interesting talks from the YouTube GOTO conference channel.

1) Introduction to NoSQL


A GOTO classic from the 2012 Aarhus conference. This is actually the most viewed talk on the YouTube GOTO conference channel. Martin Fowler explains what NoSQL is and when it needs to be applied. Like no other he explains the advantages of SQL and the circumstances under which choosing NoSQL may make sense. Apart from the NoSQL topics, his explanation of off-line locks and document based databases is so good that it is enough reason by itself to watch this video.

2) Challenges in implementing microservices


This video was recorded more recently (August 2015) in Amsterdam. Fred George explains how Web and SOA have led to new paradigms for structuring enterprise applications. Instead of a few business-related services, he developed systems made of many small short-lived services. This approach is called “microservices” and Fred George talks about his experience building applications in this paradigm.

3) How Go is making us faster


In July 2015 Wilfried Schobeiri explained at a GOTO conference in Chicago why Go is a good match for microservices. I’m not sure about the factual correctness of the speed comparisons with C++ and Java, but Go is definitely very fast. The thing to take away from this talk is that Go might be a great match for microservices, since it has a nice standard library/toolset, easy parallelism/concurrency and simple deployment.

How to run OSX in a VM on VirtualBox


Would it not be great to be able to run OSX on a virtual machine? Now you can*! All you need is a disk image of the retail DVD of “Apple Mac OSX Snow Leopard 10.6” and you can install it inside VirtualBox. Alternatively if you have a Mac (or know somebody who does) you can create a bootable image of (the free) “Apple Mac OSX Yosemite 10.10” and install that version. Instructions below.

Apple Mac OSX Snow Leopard 10.6

You need:

  1. VirtualBox 4
  2. ISO of retail DVD for “Apple Mac OSX Snow Leopard 10.6” (buy here)
  3. Follow instructions carefully

Open VirtualBox and create a virtual machine named “osx”. Then close the entire VirtualBox application and go to the command line. Run:

VBoxManage modifyvm osx --cpus 1
VBoxManage modifyvm osx --vram 128
VBoxManage setextradata osx VBoxInternal2/EfiGopMode 5
VBoxManage setextradata osx "VBoxInternal2/SmcDeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"

Open VirtualBox again and start the virtual machine. Mount “Apple Mac OSX 10.6 Snow Leopard Retail.iso” and install. After installation (30 minutes) the system will reboot and it is ready for use.

Apple Mac OSX Yosemite 10.10

You need:

  1. VirtualBox 4
  2. Bootable image of “Apple Mac OSX Yosemite 10.10” (using “iesd”)
  3. Follow instructions carefully

The latest version of Apple’s OSX can also be run under VirtualBox. Download it for free from the “Apple App Store”. You do need a Mac with a valid Apple-id for this. Make sure you have the “XCode Command-Line tools” installed on this Mac. Then run the following commands to convert the download into a bootable disk image:

gem install iesd
iesd -i /Applications/Install\ OS\ X\ Yosemite.app -o Desktop/yosemite.dmg -t BaseSystem

Move “yosemite.dmg” to your VirtualBox environment and use it instead of the Snow Leopard DVD image. Note that this image does support multiple CPUs, which will allow you to speed things up.

*) Known issues

Here are the issues on the various platforms:

  • OSX 10.6 [Linux] can only be used with a single CPU
  • OSX 10.6 [Linux] sound is not working properly
  • OSX 10.10 [Linux] cannot log in
  • OSX 10.10 [Linux] graphics are very slow
  • OSX 10.10 [Linux] sound is not working

Note that Apple only allows and supports running OSX in a VM on OSX. As you can see I only tested on Ubuntu 14.04 as a host (which is not supported). Let me know whether or not the above instructions work for you (on Windows or OSX).

Conclusion

It is not working very well (out-of-the-box), but it does work a little. Enough to get you started. With some serious tinkering you may even fix it to an acceptable level. If you do, please let me know!

Links

  1. http://virtualbox-snow-leopard.blogspot.de/
  2. http://engineering.bittorrent.com/2014/07/16/how-to-guide-for-mavericks-vm-on-mavericks/
  3. http://kernelpanik.net/running-mac-osx-yosemite-on-kvm-hypervisor/
  4. http://www.virtualbox.org/manual/ch08.html