Archive for October, 2009

Re: SSH Brute Force Attempts…

Monday, October 26th, 2009

And they’re still at it:

Brute Force Attempts

Re: assertion failed: String.c:140: “s->buf” in lusca (LUSCA_HEAD-r13894)

Saturday, October 24th, 2009

This bug is also in Revision: 14342.

Apparently  abusing the String libraries is bad:

Heh, there’s a good reason why strdupC*() doesn’t allow NULL strings. :)

So, have a patch that patches accessLogCustom in src/access_log.c to handle being given StringNull from httpHeaderGetByName or httpHeaderGetByNameListMember.

Download lusca-src-access_log.c.patch.txt

--- lusca-cache-read-only/src/access_log.c	2009-10-24 15:51:04.000000000 +0100
+++ lusca-cache-read-only-andy/src/access_log.c	2009-10-24 16:01:45.000000000 +0100
@@ -544,32 +544,52 @@
 	case LFT_REQUEST_HEADER:
 	    if (al->request)
 		sb = httpHeaderGetByName(&al->request->header, fmt->data.header.header);
-	    out = stringDupToC(&sb);
-	    dofree = 1;
+	    if (sb.buf == NULL) {
+	        out = NULL;
+	        dofree = 0;
+	    } else {
+	        out = stringDupToC(&sb);
+	        dofree = 1;
+	    }
 	    quote = 1;
 	    break;

 	case LFT_REPLY_HEADER:
 	    if (al->reply)
 		sb = httpHeaderGetByName(&al->reply->header, fmt->data.header.header);
-	    out = stringDupToC(&sb);
-	    dofree = 1;
+	    if (sb.buf == NULL) {
+	        out = NULL;
+	        dofree = 0;
+	    } else {
+	        out = stringDupToC(&sb);
+	        dofree = 1;
+	    }
 	    quote = 1;
 	    break;

 	case LFT_REQUEST_HEADER_ELEM:
 	    if (al->request)
 		sb = httpHeaderGetByNameListMember(&al->request->header, fmt->data.header.header,
                                                                           fmt->data.header.element, fmt->data.header.separator);
-	    out = stringDupToC(&sb);
-	    dofree = 1;
+	    if (sb.buf == NULL) {
+	        out = NULL;
+	        dofree = 0;
+	    } else {
+	        out = stringDupToC(&sb);
+	        dofree = 1;
+	    }
 	    quote = 1;
 	    break;

 	case LFT_REPLY_HEADER_ELEM:
 	    if (al->reply)
 		sb = httpHeaderGetByNameListMember(&al->reply->header, fmt->data.header.header,
                                                                           fmt->data.header.element, fmt->data.header.separator);
-	    out = stringDupToC(&sb);
-	    dofree = 1;
+	    if (sb.buf == NULL) {
+	        out = NULL;
+	        dofree = 0;
+	    } else {
+	        out = stringDupToC(&sb);
+	        dofree = 1;
+	    }
 	    quote = 1;
 	    break;

assertion failed: String.c:140: “s->buf” in lusca (LUSCA_HEAD-r13894)

Friday, October 23rd, 2009

Lusca is a fork of the Squid Web Proxy maintained by Adrian Chadd.

Issue 72: http://code.google.com/p/lusca-cache/issues/detail?id=72

The assertion failure is caused by stringDupToCOffset in libmem\String.c not handling null strings. I can’t see any sensible reason for it not to handle a null string and return an empty one.

stringDupToCOffset:

/*
 * This routine REQUIRES the string to be something and not NULL
 * This copies -from- offset to the end of the string.
 */
char *
stringDupToCOffset(const String *s, int offset)
{
        char *d;
        assert(s->buf);
        assert(offset <= s->len);
        d = xmalloc(s->len + 1 - offset);
        memcpy(d, s->buf + offset, s->len - offset);
        d[s->len - offset] = '\0';
        return d;
}

The following patch fixes stringDupToCOffset to accept a null string and return an empty one:

--- libmem/String.c.o   2009-10-23 12:42:49.000000000 -0400
+++ libmem/String.c     2009-10-23 12:21:53.000000000 -0400
@@ -137,10 +137,10 @@
 stringDupToCOffset(const String *s, int offset)
 {
        char *d;
-       assert(s->buf);
+       /* assert(s->buf); */
        assert(offset <= s->len);
        d = xmalloc(s->len + 1 - offset);
-       memcpy(d, s->buf + offset, s->len - offset);
+       if (s->len > 0) memcpy(d, s->buf + offset, s->len - offset);
        d[s->len - offset] = '\0';
        return d;
 }

SSH Brute Force Attempts…

Friday, October 23rd, 2009

Seriously! Leave me alone!

Fortunately, you can see DenyHosts making a significant impact on the actual number of failed logins vs refused attempts.

Refused Login Attempts

Failed Login Attempts

They are, however, still going with significant force!

Debugging Apache child segmentation faults using mod_whatkilledus and mod_backtrace

Thursday, October 22nd, 2009

One of the annoying things about debugging Apache segmentation faults is that you cannot get an Apache Child to give you a core dump! This really makes your debugging a little blind.

Fear not! There is an answer!

mod_whatkilledus

mod_whatkilledus is an experimental module for Apache httpd 2.x which tracks the current request and logs a report of the active request when a child process crashes. You should verify that it works reasonably on your system before putting it in production.

Download: Author (Local)

[Mon Oct 19 17:18:42 2009] pid 9723 mod_whatkilledus sig 11 crash
[Mon Oct 19 17:18:42 2009] pid 9723 mod_whatkilledus active connection: 10.0.0.5:30311->10.0.0.1:80 (conn_rec 853b1b0)
[Mon Oct 19 17:18:42 2009] pid 9723 mod_whatkilledus active request (request_rec 85be720):
GET / HTTP/1.0|Host:example.com|User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-GB; rv%3a1.9.0.14) Gecko/2009090216 Ubuntu/8.10 (intrepid) Firefox/3.0.14|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-gb,en;q=0.5|Accept-Encoding:gzip,deflate|Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7|Cache-Control:max-age=259200|Connection:keep-alive
[Mon Oct 19 17:18:42 2009] pid 9723 mod_whatkilledus end of report

mod_backtrace

mod_backtrace is an experimental module for Apache httpd 2.x which collects backtraces when a child process crashes. Currently it is implemented only on Linux and FreeBSD, but other platforms could be supported in the future. You should verify that it works reasonably on your system before putting it in production.

Download: Author (Local)

[Mon Oct 19 17:18:42 2009] pid 9723 mod_backtrace backtrace for sig 11 (thread “pid” 9723)
[Mon Oct 19 17:18:42 2009] pid 9723 mod_backtrace main() is at 8068c3a
/usr/local/apache2/modules/mod_backtrace.so[0xb68baa2b]
/usr/local/apache2/bin/httpd(ap_run_fatal_exception+0x46)[0x8089d11]
/usr/local/apache2/bin/httpd[0x808b707]
/usr/local/apache2/bin/httpd[0x808b742]
/lib/libc.so.6[0xb7d5e5f8]
/usr/local/apache2/modules/libphp5.so[0xb75cc5d0]
/usr/local/apache2/modules/libphp5.so[0xb75d10e7]
/usr/local/apache2/modules/libphp5.so(zif_curl_setopt+0x189)[0xb75d2922]
/usr/local/apache2/modules/libphp5.so[0xb78a39ae]
/usr/local/apache2/modules/libphp5.so[0xb78a91f1]
/usr/local/apache2/modules/libphp5.so(execute+0x202)[0xb78a352e]
/usr/phpapache2/lib/php/20060613/eaccelerator.so[0xb65c6232]
/usr/local/apache2/modules/libphp5.so[0xb78a3b1d]
/usr/local/apache2/modules/libphp5.so[0xb78a4600]
/usr/local/apache2/modules/libphp5.so(execute+0x202)[0xb78a352e]
/usr/phpapache2/lib/php/20060613/eaccelerator.so[0xb65c6232]
/usr/local/apache2/modules/libphp5.so[0xb78a3b1d]
/usr/local/apache2/modules/libphp5.so[0xb78a4600]
/usr/local/apache2/modules/libphp5.so(execute+0x202)[0xb78a352e]
/usr/phpapache2/lib/php/20060613/eaccelerator.so[0xb65c6232]
[Mon Oct 19 17:18:42 2009] pid 9723 mod_backtrace end of backtrace

Parking in Covent Garden

Sunday, October 11th, 2009

Looks like someone doesn’t know how to park:

Parking in London