John's Wiki - User contributions [en]

FreeIPA - Identity Management

2025-10-25T19:25:49Z

Admin:

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<syntaxhighlight lang="bash" line>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /etc/pki/ca-trust/source/anchors ]]; then
mkdir -p /etc/pki/ca-trust/source/anchors
fi

wget -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /etc/pki/ca-trust/source/anchors/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /etc/pki/ca-trust/source/anchors/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /etc/pki/ca-trust/source/anchors/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /etc/pki/ca-trust/source/anchors/e7.crt https://letsencrypt.org/certs/2024/e7.pem
wget -O /etc/pki/ca-trust/source/anchors/e8.crt https://letsencrypt.org/certs/2024/e8.pem
wget -O /etc/pki/ca-trust/source/anchors/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/pki/ca-trust/source/anchors/r11.crt https://letsencrypt.org/certs/2024/r11.pem
wget -O /etc/pki/ca-trust/source/anchors/r12.crt https://letsencrypt.org/certs/2024/r12.pem
wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem

# Update at os level
update-ca-trust

# Update certs for ipa
ipa-certupdate

# List em cause why not
ipa-cacert-manage list

</syntaxhighlight>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have to prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

== Additional ==

Check currently installed certs on Fedora with:

trust list --filter=ca-anchors

See only Let's Encrypt and ISGR certs:

trust list --filter=ca-anchors | grep -E 'Let.s Encrypt|Internet Security Research' -i -A 2 -B 3

FreeIPA - Identity Management

2025-10-25T19:19:21Z

Admin:

FreeIPA - Identity Management

2025-10-25T19:17:21Z

Admin:

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<syntaxhighlight lang="bash" line>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /etc/pki/ca-trust/source/anchors ]]; then
mkdir -p /etc/pki/ca-trust/source/anchors
fi

wget -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /etc/pki/ca-trust/source/anchors/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /etc/pki/ca-trust/source/anchors/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /etc/pki/ca-trust/source/anchors/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /etc/pki/ca-trust/source/anchors/e7.crt https://letsencrypt.org/certs/2024/e7.pem
wget -O /etc/pki/ca-trust/source/anchors/e8.crt https://letsencrypt.org/certs/2024/e8.pem
wget -O /etc/pki/ca-trust/source/anchors/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/pki/ca-trust/source/anchors/r11.crt https://letsencrypt.org/certs/2024/r11.pem
wget -O /etc/pki/ca-trust/source/anchors/r12.crt https://letsencrypt.org/certs/2024/r12.pem
wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem

# Update as os level
update-ca-trust

# Update certs for ipa
ipa-certupdate

# List em cause why not
ipa-cacert-manage list

</syntaxhighlight>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have to prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

FreeIPA - Identity Management

2025-10-25T19:16:24Z

Admin:

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<syntaxhighlight lang="bash" line>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /etc/pki/ca-trust/source/anchors/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /etc/pki/ca-trust/source/anchors/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /etc/pki/ca-trust/source/anchors/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /etc/pki/ca-trust/source/anchors/e7.crt https://letsencrypt.org/certs/2024/e7.pem
wget -O /etc/pki/ca-trust/source/anchors/e8.crt https://letsencrypt.org/certs/2024/e8.pem
wget -O /etc/pki/ca-trust/source/anchors/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/pki/ca-trust/source/anchors/r11.crt https://letsencrypt.org/certs/2024/r11.pem
wget -O /etc/pki/ca-trust/source/anchors/r12.crt https://letsencrypt.org/certs/2024/r12.pem
wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem

# Update as os level
update-ca-trust

# Update certs for ipa
ipa-certupdate

# List em cause why not
ipa-cacert-manage list

</syntaxhighlight>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have to prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

Virsh list all in json

2025-01-16T18:44:45Z

Admin:

The following <code>bash</code> command will list all virsh guests in json.

<syntaxhighlight lang="bash">
echo "[ $(virsh list --all|grep -Ev 'Id|----'|awk '{print "{ \"id\": \""$1"\", \"name\": \""$2"\", \"state\": \""$3 $4"\"}," }'|head -n -1) {} ]"|jq -r
</syntaxhighlight>

Output example:

<syntaxhighlight lang="json" line>
[
{
"id": "38",
"name": "Mac",
"state": "running"
},
{
"id": "39",
"name": "Dennis",
"state": "running"
},
{
"id": "40",
"name": "Charlie",
"state": "running"
},
...
</syntaxhighlight>

# TODO: Come back and redo this using the <code>columns</code> utility.
https://www.youtube.com/watch?v=uL7KvRskeog

FreeIPA - Identity Management

2024-11-28T22:09:36Z

Admin:

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<syntaxhighlight lang="bash" line>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /usr/local/share/ca-certificates/extra/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/extra/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /usr/local/share/ca-certificates/extra/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /usr/local/share/ca-certificates/extra/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /usr/local/share/ca-certificates/extra/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /usr/local/share/ca-certificates/extra/r11.crt https://letsencrypt.org/certs/2024/r11.pem

update-ca-certificates
</syntaxhighlight>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have to prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

Virsh list all in json

2024-11-28T21:44:44Z

Admin:

Virsh list all in json

2024-11-28T21:42:00Z

Admin:

The following <code>bash</code> command will list all virsh guests in json.

<syntaxhighlight lang="bash" line>
echo "[ $(virsh list --all|grep -Ev 'Id|----'|awk '{print "{ \"id\": \""$1"\", \"name\": \""$2"\", \"state\": \""$3 $4"\"}," }'|head -n -1) {} ]"|jq -r
</syntaxhighlight>

Output example:

<syntaxhighlight lang="json" line>
[
{
"id": "38",
"name": "Mac",
"state": "running"
},
{
"id": "39",
"name": "Dennis",
"state": "running"
},
{
"id": "40",
"name": "Charlie",
"state": "running"
},
...
</syntaxhighlight>

Sending an Email with Python3 via smtplib

2024-11-28T21:40:33Z

Admin:

It possible to use the module [https://docs.python.org/3/library/smtplib.html <code>smtplib</code>] to send an Email with python3.

<syntaxhighlight lang="python" line>
#!/usr/bin/env python3

import smtplib
from email.message import EmailMessage

to_addr = 'to@example.com'
from_addr = 'from@example.com'
mail_server = 'mail.example.com'
passwd = 'YOUR_MAILBOX_PASSWORD'

message = EmailMessage()
message["To"] = to_addr
message["From"] = from_addr
message["Subject"] = 'Sent with Python & Smtplib'
message.set_payload('This is a test message!')

s = smtplib.SMTP_SSL(mail_server, 465)
s.login(to_addr, passwd)
s.sendmail(to_addr, from_addr, message.as_string())
s.quit()
</syntaxhighlight>

[[Category: Sending an Email with...]]

Bats - Bash Automated Testing System

2024-11-28T21:39:39Z

Admin:

= Bash Automated Testing System =

== Overview ==

Bats is a [https://testanything.org/ TAP-compliant] testing framework for Bash. It provides a simple way to verify that the UNIX programs you write behave as expected.

A Bats test file is a Bash script with special syntax for defining test cases. Under the hood, each test case is just a function with a description.

<syntaxhighlight lang="bash" line>
#!/usr/bin/env bats

@test "addition using bc" {
result="$(echo 2+2 | bc)"
[ "$result" -eq 4 ]
}
</syntaxhighlight>

(The above overview section was stolen verbatim from [https://github.com/sstephenson/bats the main projects README]).

== Install ==

=== Installing Locally ===

The steps below are to install bats at a user level (ie. ~/bin ~/.local/lib). However, Bats can also be installed at a system level (ie. root install, /usr/local) or as a [https://opensource.com/article/19/2/testing-bash-bats submodule of a pre-existing git repository] for CI purposes.

Run the commands below to install bats as well as the bats-assert helper library.

<pre>mkdir $HOME/.local/lib/bats
git clone https://github.com/ztombol/bats-support $HOME/.local/lib/bats/batscore
git clone https://github.com/ztombol/bats-assert $HOME/.local/lib/bats/batsassert
git clone --depth 1 https://github.com/sstephenson/bats $HOME/bats
cd $HOME/bats && ./install.sh $HOME/ && cd .. && rm -rf bats</pre>
== First Tests ==

The examples below are two very simple bats test cases. They test whether or not the script's own file name exists and if the file name is 'test.bats' (two tests it should always pass).

<code>test.bats</code>

<syntaxhighlight lang="bash" line>
#!/usr/bin/env bats

setup() {
# Import core and assert modules.
load $HOME/.local/lib/bats/batscore/load.bash
load $HOME/.local/lib/bats/batsassert/load.bash
}

@test "I exist," {
[ -e $BATS_TEST_FILENAME ]
}

@test 'Therefore I am!' {
assert_equal "$(basename $BATS_TEST_FILENAME)" 'test.bats'
}
</syntaxhighlight>

=== Running the First Tests ===

<pre>
./test.bats
✓ I exist!
✓ Therefore I am!

2 tests, 0 failures
</pre>

== Continued Documentation ==

This project is documented pretty well in the following locations. The below docs are also responsible for a lot of the content presented above.

Pick up where this note leaves off by [https://bats-core.readthedocs.io/en/stable/tutorial.html#your-first-test Reading the Docs on Bats].

[https://github.com/sstephenson/bats/blob/master/README.md Main / Original Project README]

[https://github.com/ztombol/bats-assert/blob/master/README.md Bats Assert README]

[https://github.com/ztombol/bats-support/blob/master/README.md Current / Bats Support Project Readme]

FreeIPA - Identity Management

2024-11-28T21:38:28Z

Admin:

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<syntaxhighlight lang="bash" line>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /usr/local/share/ca-certificates/extra/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/extra/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /usr/local/share/ca-certificates/extra/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /usr/local/share/ca-certificates/extra/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /usr/local/share/ca-certificates/extra/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /usr/local/share/ca-certificates/extra/r11.crt https://letsencrypt.org/certs/2024/r11.pem

update-ca-certificates
</syntaxhighlight>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

Encode.php

2024-11-28T21:36:30Z

Admin:

Encodes a file as base64 gzip compressed payload file.

<syntaxhighlight lang="php" line>
<?php
$input_file = 'info.php';
$output_file = 'x.php';

function removePhpTags($content) {
$content = preg_replace('/^<\?php\s*/', '', $content);
$content = preg_replace('/\s*\?>$/', '', $content);
return $content;
}

$file_content = file_get_contents($input_file);
$file_content = removePhpTags($file_content);

$encoded = base64_encode(gzcompress($file_content));
$payload = "<?php eval(gzuncompress(base64_decode('$encoded')));?>";
file_put_contents($output_file, $payload);
?>
</syntaxhighlight>

Japh

2024-11-28T21:35:53Z

Admin:

A perl japh is an obfuscated perl program that prints out the message <code>Just another Perl Hacker</code> or <code>Just another Perl Programmer</code>.

Here's my first ever attempt at creating a japh.

<syntaxhighlight lang="perl" line>
#!/usr/bin/env perl
# John's first japh!
use MIME::Base64;use Compress::Zlib;$s='blue23';$p='japh';@k=split
'',crypt($p,$s);%h=('1'=>'CEgt','Y'=>'CNk=','0'=>'UUjM','Q'=>'Ti0C
','w'=>'SEzO','l'=>'Ki0u','2'=>'SC1S','3'=>'yy/J','U'=>undef,'7'=>
undef,'x'=>'ylHw','N'=>'AG8p','b'=>'eJzz');$japh;foreach (@k){next
unless $h{$_};$japh.=$h{$_};};print uncompress(decode_base64($japh
))."\n";
</syntaxhighlight>

When run it output:
./japh.pl
Just another Perl Hacker

[https://www.perlmonks.org/?node_id=412464 More info]

Loris.php

2024-11-28T21:35:01Z

Admin:

Useful little PHP script for holding a connection open for testing.

<syntaxhighlight lang="php" line>
<?php
// John testing holding a connection open, will clean up. Although I guess if
// you're reading this that was a lie, sorry...
/* Debug
*/
ini_set('display_errors','1');
ini_set('display_startup_errors','1');
error_reporting (E_ALL);

echo "Randomness Begin...";

function random_string($length) {
$str = random_bytes($length);
$str = base64_encode($str);
$str = str_replace(["+", "/", "="], "", $str);
$str = substr($str, 0, $length);
return $str;
}

while (True) {
echo random_string(32) ."\n<br>\n";
}
?>
</syntaxhighlight>

How to Setup a Python Virtual Environment

2024-11-28T21:04:24Z

Admin:

<h2>What is a Virtual Environment?</h2>

Python, just like any programming language, has modules (aka, extensions, imports, includes, libraries, dependencies). These modules are just pre-written pieces of code, like functions and objects, that you can import into your project and use to extend the functionality and ease of use of the base language. Normally on your own computer you'd install modules globally at a system-wide level. The problem with depending on globally installed modules is that it makes code less portable. For example, if script.py is moved from 'system A' to 'system B', then the person doing the move must install both script.py and any dependent modules on 'system B.' This can be a problem if you don't have administrative access to 'system B.' Likewise, globally installed modules can cause problems if two pieces of software depend on different versions of the same module.

To help remedy these issues, Python has <b><u>Virtual Environments</u></b>. Virtual Environments are used to install all of your Python modules inside of a local folder that often lives inside of your project directory and is specific to it. Now, if script.py depends on <i>moduleName</i> and 'system B' lacks or has a different globally installed version of <i>moduleName</i>, then its no big deal. Along side our project we can just spin up a new python virtual env and install those required modules using a [https://notes.johnlradford.io/index.php?title=How_to_Setup_a_Python_Virtual_Environment#Requirements.txt requirements.txt] file.

<h2>Setting Up a Python Virtualenv</h2>

<h4>1) Initialize a new virtual environment:</h4>

python3 -m venv venv

That will create a directory called venv, where your locally installed modules will live.

<h4>2) Activate your virtual env:</h4>

source venv/bin/activate

That will drop you into a modified shell. Now, any modules installed using [https://pypi.org/project/pip/ pip] will automatically be installed into the venv dir.

<h4>3) Install a module locally:</h4>

pip3 install requests

<h4>4) Run some python code with your newly installed module:</h4>

python3 -c "import requests; print(requests.get('https://johnlradford.io/'))"

<h4>5) Exit your virtual env when you're done installing modules and testing your code:</h4>

deactivate

<h2>Extras:</h2>

<h3>* Requirements.txt</h3>

It is customary to include a <code>requirements.txt</code> file in your project directory for use in listing out the modules needed to re-assemble your project. Normally you'd use [https://pip.pypa.io/en/stable/cli/pip_freeze/ pip freeze] to generate a requirements.txt file. But that doesn't seem to work with python virtual envs. So instead I've used <code>pipreqs</code> to get a requirements.txt file. You can install <code>pipreqs</code> with <code>pip3</code> and then just point the tool at a dir containing a python script. It will look at the import lines from the scripts in that dir and print out a list of the required modules.

<pre>
blue@server:$app> pipreqs app/
INFO: Successfully saved requirements file in app/requirements.txt
blue@server:$app> cat app/requirements.txt
Flask==2.0.1
requests==2.22.0
beautifulsoup4==4.9.3
</pre>

<h3>* Venv Persistence / Python Sub Shells</h3>

Note, if you're testing an app you will need to be inside of the virtual env to have access to the modules the app needs. From my testing, it seems the virtual environment will remain set if you drop down into a python shell and pop back up. Likewise, it seems to remain set if you run python with the -c option like used in the example above. This all seems to be maintained via the <code>VIRTUAL_ENV</code> shell environment variable (idk just sorta spit balling there). For example,

<pre>
(venv) blue@server:$app> python3
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
>>> import os
>>> os.environ['VIRTUAL_ENV']
'/var/www/html/FlaskApp/venv'
>>> quit()
(venv) blue@server:$app> echo $VIRTUAL_ENV
/var/www/html/FlaskApp/venv
(venv) blue@server:$app> deactivate
blue@server:$app> [[ -z $VIRTUAL_ENV ]] && echo "...nada..."
...nada...
</pre>

[[Category: Python]]

FreeIPA - Identity Management

2024-11-28T20:59:38Z

Admin: Created page with "== Overview == https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world. == How it Works == Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface. Access to hosts on the network are controlled via Host B..."

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<pre>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /usr/local/share/ca-certificates/extra/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/extra/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /usr/local/share/ca-certificates/extra/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /usr/local/share/ca-certificates/extra/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /usr/local/share/ca-certificates/extra/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /usr/local/share/ca-certificates/extra/r11.crt https://letsencrypt.org/certs/2024/r11.pem

update-ca-certificates
</pre>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.

GPG Encryption

2024-09-23T16:56:22Z

Admin:

= GPG - GNU Privacy Guard =

== Overview ==

GPG is an alternative implementation of the OpenPGP standard. GPG/PGP uses [[Encoding_vs_Encryption_vs_Hashing#Symmetric_vs_Asymmetric_Encryption|asymmetric encryption]] to generate a public / private key pair. With asymmetric encryption, any data encrypted by the public key can only be decrypted by the private key and vice versa.

The intention is to make your public key known and freely available while keeping your private key secret. Other’s can then use your public key to encrypt some data and send it to you, knowing that only you can decrypt it with your private key.

== Common Commands ==

Note: We'll be using email@example.com as a stand in for a key's identifier. The GPG tool will let you use a few different things in place of email@example.com to work as a key's identifier.

To create a new key pair run the command below and follow the dialogue options.

gpg --full-generate-key

After generating your keys you can list them with the command below.

gpg --list-keys

You can list the secret keys you have with the command below.

gpg --list-secret-keys

Immediately after creating a new keypair you’ll want to sign your own key.

gpg --sign-key email@example.com

From there you’re ready to export your public key and give it to others.

gpg --output ~/gpg_key.pub --armor --export email@example.com

Once your friend has your public gpg key they can import it using the command below.

gpg --import ~/gpg_key.pub

Then to encrypt something with your public key your friend can run the below with your public key.

gpg --encrypt --sign --armor -r email@example.com file.txt

That will generate a file.txt.gpg which is the encrypted copy of the message.

Once your friend sends you the encrypted file.txt.gpg back you can verify its authenticity by running the commmand below.

gpg --always-trust --verify file.txt.gpg

Finally you can decrypt it with the below command.

gpg --decrypt file.txt.gpg

Here are some additional commands.

To delete someone else's public key from your keychain.

gpg --delete-key email@example.com

To delete your own secret key.

gpg --delete-secret-key email@example.com && gpg --delete-key email@example.com

To see how much GPG clout a particular key has check the number of signatures.

gpg --list-sig email@example.com

To list the longform keyid format ([https://phar.io/howto/uploading-public-keys.html#:~:text=Alternate%20way%20to%20submit%20your%20public%20key%20to%20the%20key%20servers%20using%20the%20CLI needed to get sub fingerprint for later upload]).

gpg --keyid-format LONG --list-keys email@example.com

To send a key to the three major key stores out there.

gpg --send-keys 156DF784C8EACD80 # OpenPGP
gpg --keyserver keys.openpgp.org --send-keys 156DF784C8EACD80 # OpenGPG
gpg --keyserver keyserver.ubuntu.com --send-keys 156DF784C8EACD80 # Ubuntu

Search a keystore for a persons key.

gpg --keyserver keys.openpgp.org --search-keys email@example.com

== Signing & Encrypting ==

GPG offers the ability to sign data and to encrypt data. Message signing ensures data integrity (aka the message has not been changed) and message authenticity (aka the message came from where it says it came from). Where as encryption ensure confidentiality (aka that the data cannot be read in transit).

In reality, signing is just encrypting a message using the private key. Then it can only be decrypted by the corresponding public key. Anyone can with the public key can decrypt and read a signed message. They know since they used the public key to decrypt it that it must have been encrypted (aka signed) with the private key and therefore must have come from the private key holder.

Signing and encryption are not mutually exclusive. With GPG its possible for data to be, encrypted and signed; encrypted and not signed; and signed but not encrypted.

The most secure method is to first encrypt a message with the recipient’s public key and then sign the message using your private key before sending it. That way on the receiving side anyone can verify that the message came from you because it can only be decrypted with your public key. Likewise, they can know that the message has not been altered in transit because again the signed file could only have been created by your private key.

The signature on a message becomes invalid if the message is altered, even if the message is sent in plain text. If someone changed the message the signature file would also need changed and the only person who can change the signature file is the private key holder.

Finally once the recipient receives the message and verifies its authenticity they can then decrypt it using their private key.

== Sources ==

https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84

https://www.digitalocean.com/community/tutorials/how-to-use-gpg-to-encrypt-and-sign-messages

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:32:46Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, we're going to be compiling the first two from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build these packages.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

<span style="color:orange"><b><i>NOTE</i></b></span>: The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> built and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:31:05Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, we're going to be compiling the first two from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build these packages.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

<span style="color:orange"><b><i>NOTE</i></b></span>: The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:29:55Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, we're going to be compiling the first two from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build these packages.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:29:02Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, we're going to be compiling the first two from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build this package.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:28:23Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, the first two have to be compiled from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build this package.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:27:08Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate this further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, these have to be compiled from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build this package.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:25:51Z

Admin:

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is a complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, these have to be compiled from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build this package.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx

2024-07-26T19:22:20Z

Admin: Created page with "= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx = Logos == Background Info == Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here]. This transfer of stewardship means continued development of [https://github.c..."

= Setting Up Libmodsecurity3, Nginx Connector, & OWASP Ruleset on Nginx =

[[File:logos.png|thumb|none|alt=Logos|Logos]]

== Background Info ==

Okay so tldr the modsecurity project recently back in January of 2024 switched hands from Trustwave SpiderLabs to the OWASP Foundation. [https://coreruleset.org/20240115/welcome-the-newest-addition-to-the-owasp-family-modsecurity/ More info here].

This transfer of stewardship means continued development of [https://github.com/owasp-modsecurity/ModSecurity libmodsecurity3], is now under OWASP’s control. The new <code>libmodsecurity3</code> is complete rewrite, allowing them to make it platform independent (not dependant on Apache). Tldr, [https://github.com/owasp-modsecurity/ModSecurity?tab=readme-ov-file#it-is-no-longer-just-a-module it is no longer just a module], it is its own library now, with the “Connectors” broken out into their own separate github repos.

[https://github.com/owasp-modsecurity/ModSecurity-nginx Nginx ModSecurity Connector]

Another thing, even though Nginx does have a connector and can use libmodsecurity3, the version of the package in apt its several years old already (default version in apt is v3.0.6 from 2021) and lack support for the newest features.

All of the guides I’ve found and even [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-Installation_for_NGINX the official install docs] say to just build the latest releases of the lib and connector from source. Trust me, its really not that hard.

== Nginx ModSecurity ==

I’m installing this on a burner VM running Ubuntu 22.04 and Nginx 1.18.0, just to learn and document the process before trying to integrate further into my own systems.

[[File:fastfetch.png|thumb|none|alt=Fastfetch Img|Fastfetch Img]]

=== Overview ===

The server and Nginx are already setup stock with one Server Block (aka vhost) defined. I’m using the stock version of Nginx from apt.

What all needs setup?

* [https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.12 libmodsecurity3 - v3.0.12]
* [https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/tag/v1.0.3 ModSecurity Nginx Connector - v1.0.3]
* [https://owasp.org/www-project-modsecurity-core-rule-set/ OWASP ModSec CSR - v4.0.0]

As mentioned previously, these have to be compiled from source.

Mostly following their [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-2210 official docs]. I know that’s for 22.10 but I they don’t have one for 22.04 yet so assuming those are mostly the same apt reqs. Except our version of nginx needs to use libpcre3.

=== Apt Requirements ===

There are some requirements to build this package.

<pre>sudo apt-get install git g++ apt-utils autoconf automake build-essential libcurl4-openssl-dev libgeoip-dev liblmdb-dev libtool libxml2-dev libyajl-dev pkgconf zlib1g-dev libpcre3 libpcre3-dev</pre>
=== Building Libmodsecurity v3.0.12 from Source ===

Pretty straight forward, just clone the repo (master is v3.0.12) then update the git submodules and build with normal make cmds.

<pre>sudo su
cd /opt
git clone https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity/
git submodule init
git submodule update
sh build.sh
./configure --with-pcre
make
make install</pre>
=== Building Nginx Connector Module v1.0.3 ===

After installing the library you can build the connector.

'''NOTE''': The connector module has to be compiled against the source code version of Nginx you have installed.

Check Nginx version and build flags:

<pre>root@server:/opt# nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-zctdR4/nginx-1.18.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module</pre>
To quote [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ the guide I’m following].

<blockquote>We need to compile Nginx with ModSecurity module. We will not compile/install Nginx itself but compile the Nginx module only. For this, make sure that your Nginx package is compiled with “–with-compat” flag. The –with-compat flag will make the module binary-compatible with your existing Nginx binary.
</blockquote>
First clone the source for the version of nginx you’re running. In our case, <code>nginx/1.18.0</code>.

<pre>sudo su
cd /opt
wget http://nginx.org/download/nginx-1.18.0.tar.gz
tar -xzf nginx-1.18.0.tar.gz</pre>
Then clone the latest connector module repo. After that build the modules for Nginx and copy the .so file into <code>/usr/share/nginx/modules/</code>.

<pre>git clone https://github.com/owasp-modsecurity/ModSecurity-nginx
cd nginx-1.18.0
./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-compat
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/</pre>
=== Configuring Nginx ===

Cool, so now we’ve got <code>libmodsecurity3</code> build and installed, we’ve got the nginx connector module built and installed, and we just have to setup Nginx to work with them.

==== Installing OWASP CSR v4 ====

First we’ll install core ruleset version 4. These instructions are basically exactly the same as for Apache, just pulling in the ruleset files really.

To install the core ruleset version v4.0.0 (latest stable) you can pull them from github.

<pre>sudo su
cd /opt
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc</pre>
Then you can add their pgp key and verify the signature with it.

<pre># gpg --keyserver keys.openpgp.org --recv 0x38EEACA1AB8A6E72
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 38EEACA1AB8A6E72: public key "OWASP Core Rule Set <security@coreruleset.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

# gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
gpg: Signature made Wed 14 Feb 2024 05:48:48 PM UTC
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: issuer "security@coreruleset.org"
gpg: Good signature from "OWASP Core Rule Set <security@coreruleset.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72</pre>
Once you’ve verified the fingerprint is legit you’re all good to extract the ruleset.

<pre>mkdir /opt/crs4
tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /opt/crs4</pre>
Lastly, copy the example crs-conf file into place.

<pre>cd /opt/crs4
mv crs-setup.conf.example crs-setup.conf</pre>
==== Setting Up Module & Nginx Conf ====

Add the <code>load_module</code> line to <code>50-mod-http-modsecurity.conf</code> and then create a symlink to enable the module.

<pre>echo 'load_module modules/ngx_http_modsecurity_module.so;' > /usr/share/nginx/modules-available/mod-http-modsecurity.conf
ln -s /usr/share/nginx/modules-available/mod-http-modsecurity.conf /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf</pre>
Then copy the recommended mod sec conf into place. There’s also a <code>unicode.mapping</code> that should be copied over too.

<pre>mkdir /etc/nginx/modsec/
cp /opt/ModSecurity-nginx/.github/nginx/modsecurity.conf /etc/nginx/modsec/
cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec</pre>
Now we can create our main ModSec conf: <code>/etc/nginx/modsec/main.conf</code>.

Add these lines:

<pre>Include /etc/nginx/modsec/modsecurity.conf
Include /opt/crs4/crs-setup.conf
Include /opt/crs4/rules/*.conf</pre>
Finally, in our main site’s server block we can enable mod security for our site.

<pre>vim /etc/nginx/sites-available/example.com</pre>
Add these contents to the server block.

<pre>modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;</pre>
Finally, restart Nginx and enjoy the protections of libmodsecurity3 + the OWASP ruleset!

<pre>systemctl restart nginx</pre>
You can test your new mod security setup is working correctly by visiting <code>https://yourdomain.com/?test=/etc/passwd</code> in a browser. If everything is setup correctly you should now be greeted with a 403 forbidden.

[[File:testing_modsec.png|thumb|none|alt=testing mod security|testing mod security]]

=== Sources ===

* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-Installation_for_NGINX Official ModSecurity Lib Install Docs]
* [https://github.com/owasp-modsecurity/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1804 Official Compilation recipes for libmodsecurity v3.x]
* [https://www.webhi.com/how-to/how-to-install-modsecurity-in-nginx-on-ubuntu-18-04-20-4-22-04-debian/ Dev Blog on Compiling ModSecurity lib & connector module]
* [https://nagekar.com/2022/07/setting-modsecurity-core-rule-set.html Dev Blog on Setting Up OWASP CRS on Nginx]

File:Testing modsec.png

2024-07-26T19:22:09Z

Admin: testing mod security is configured properly and working by entering the query string ?test=/etc/passwd, should return a 403 if working!

== Summary ==
testing mod security is configured properly and working by entering the query string ?test=/etc/passwd, should return a 403 if working!

File:Fastfetch.png

2024-07-26T19:20:39Z

Admin: Image of neofetch (aka now fastfetch) out for burner vm for mod sec on nginx post. Might be useful to someone to see kernel version or something :shrug:

== Summary ==
Image of neofetch (aka now fastfetch) out for burner vm for mod sec on nginx post. Might be useful to someone to see kernel version or something :shrug:

File:Logos.png

2024-07-26T19:19:33Z

Admin: Image of mod security, OWASP, and Nginx Logos all together.

== Summary ==
Image of mod security, OWASP, and Nginx Logos all together.

MediaWiki:Citizen-footer-tagline

2024-07-26T19:16:25Z

Admin: Created page with " Don't forget your towel! "

Don't forget your towel!

MediaWiki:Citizen-footer-desc

2024-07-26T19:14:42Z

Admin: Created page with "A place for lost lovers... "

A place for lost lovers...

Apache2 Mod Security v2.9.7 Compilation Instructions

2024-07-17T21:45:10Z

Admin:

== Overview ==

Going to be compiling <code>mod_security2</code> (v2.9.7) for Apache2 on Ubuntu 22.04. This module is pretty straight forward to compile. However, there are some dependencies.

<pre>sudo apt install apache2-dev gcc libxml2 libxml2-dev libpcre3-dev</pre>

If you already have <code>libapache2-mod-security2</code> installed via apt then disable and uninstall it.

<pre>
sudo a2dismod security2
sudo apt purge libapache2-mod-security2
</pre>

Then fetch the latest tarball from their github releases page and compile it using normal make cmds. Finally, make sure to enable the module and restart Apache.

https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7

<pre>sudo su
cd /opt
wget https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
tar -xzvf modsecurity-2.9.7.tar.gz
cd modsecurity-2.9.7
./configure --with-apxs=/usr/bin/apxs
make
make install
echo 'LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so' > /etc/apache2/mods-available/security2.load
a2enmod security2
systemctl restart apache2</pre>
Then you should be able to see mod security enabled and working in the Apache error logs.

<pre>[Wed Jul 17 19:25:21.038359 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Wed Jul 17 19:25:21.038434 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Wed Jul 17 19:25:21.038447 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Wed Jul 17 19:25:21.038449 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: LIBXML compiled version="2.9.13"
[Wed Jul 17 19:25:21.038549 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: StatusEngine call: "2.9.7,Apache/2.4.52 (Ubuntu),1.7.0/1.7.0,8.39/8.39 2016-06-14,(null),2.9.13,e013612419474187e43b03a4f546e0736dc12934"</pre>
== Additional Resources ==

Please see their official handbook for more details on compiling this module.

[https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#installation-steps Reference-Manual-v2.x]

Also be sure to run <code>./configure --help</code> for more information about how to compile this for your system.

Apache2 Mod Security v2.9.7 Compilation Instructions

2024-07-17T21:43:30Z

Admin:

== Overview ==

Going to be compiling <code>mod_security2</code> (v2.9.7) for Apache2 on Ubuntu 22.04. This module is pretty straight forward to compile. However, there are some dependencies.

<pre>sudo apt install apache2-dev gcc libxml2 libxml2-dev libpcre3-dev</pre>

If you already have <code>libapache2-mod-security2</code> installed via apt then disable and uninstall it.

<pre>
sudo a2dismod security2
sudo apt purge libapache2-mod-security2
</pre>

Then fetch the latest tarball from their github releases page. Then compile it using normal make cmds.

https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7

<pre>sudo su
cd /opt
wget https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
tar -xzvf modsecurity-2.9.7.tar.gz
cd modsecurity-2.9.7
./configure --with-apxs=/usr/bin/apxs
make
make install
echo 'LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so' > /etc/apache2/mods-available/security2.load
a2enmod security2
systemctl restart apache2</pre>
Then you should be able to see mod security enabled and working in the Apache error logs.

<pre>[Wed Jul 17 19:25:21.038359 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Wed Jul 17 19:25:21.038434 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Wed Jul 17 19:25:21.038447 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Wed Jul 17 19:25:21.038449 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: LIBXML compiled version="2.9.13"
[Wed Jul 17 19:25:21.038549 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: StatusEngine call: "2.9.7,Apache/2.4.52 (Ubuntu),1.7.0/1.7.0,8.39/8.39 2016-06-14,(null),2.9.13,e013612419474187e43b03a4f546e0736dc12934"</pre>
== Additional Resources ==

Please see their official handbook for more details on compiling this module.

[https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#installation-steps Reference-Manual-v2.x]

Also be sure to run <code>./configure --help</code> for more information about how to compile this for your system.

Apache2 Mod Security v2.9.7 Compilation Instructions

2024-07-17T19:55:08Z

Admin:

== Overview ==

Going to be compiling <code>mod_security2</code> (v2.9.7) for Apache2 on Ubuntu 22.04. This module is pretty straight forward to compile. However, there are some dependencies.

<pre>sudo apt install apache2-dev gcc libxml2 libxml2-dev libpcre3-dev</pre>
Fetch the tarball from their github releases page. Then compile it using normal make cmds.

https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7

<pre>sudo su
cd /opt
wget https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
tar -xzvf modsecurity-2.9.7.tar.gz
cd modsecurity-2.9.7
./configure --with-apxs=/usr/bin/apxs
make
make install
echo 'LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so' > /etc/apache2/mods-available/security2.load
a2enmod security2
systemctl restart apache2</pre>
Then you should be able to see mod security enabled and working in the Apache error logs.

<pre>[Wed Jul 17 19:25:21.038359 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Wed Jul 17 19:25:21.038434 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Wed Jul 17 19:25:21.038447 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Wed Jul 17 19:25:21.038449 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: LIBXML compiled version="2.9.13"
[Wed Jul 17 19:25:21.038549 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: StatusEngine call: "2.9.7,Apache/2.4.52 (Ubuntu),1.7.0/1.7.0,8.39/8.39 2016-06-14,(null),2.9.13,e013612419474187e43b03a4f546e0736dc12934"</pre>
== Additional Resources ==

Please see their official handbook for more details on compiling this module.

[https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#installation-steps Reference-Manual-v2.x]

Also be sure to run <code>./configure --help</code> for more information about how to compile this for your system.

Apache2 Mod Security v2.9.7 Compilation Instructions

2024-07-17T19:52:37Z

Admin: Created page with "== Overview == Going to be compiling <code>mod_security2</code> (v2.9.7) for Apache2 on Ubuntu 22.04. This module is pretty straight forward to compile. However, there are some dependencies. <pre>sudo apt install apache2-dev gcc libxml2 libxml2-dev libpcre3-dev</pre> Fetch the tarball from their github releases page. https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7 <pre>sudo su cd /opt wget https://github.com/owasp-modsecurity/ModSecurity/releases..."

== Overview ==

Going to be compiling <code>mod_security2</code> (v2.9.7) for Apache2 on Ubuntu 22.04. This module is pretty straight forward to compile. However, there are some dependencies.

<pre>sudo apt install apache2-dev gcc libxml2 libxml2-dev libpcre3-dev</pre>
Fetch the tarball from their github releases page.

https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7

<pre>sudo su
cd /opt
wget https://github.com/owasp-modsecurity/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
tar -xzvf modsecurity-2.9.7.tar.gz
cd modsecurity-2.9.7
./configure --with-apxs=/usr/bin/apxs
make
make install
echo 'LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so' > /etc/apache2/mods-available/security2.load
a2enmod security2
systemctl restart apache2</pre>
Then you should be able to see mod security enabled and working in the Apache error logs.

<pre>[Wed Jul 17 19:25:21.038359 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
[Wed Jul 17 19:25:21.038434 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Wed Jul 17 19:25:21.038447 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Wed Jul 17 19:25:21.038449 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: LIBXML compiled version="2.9.13"
[Wed Jul 17 19:25:21.038549 2024] [security2:notice] [pid 1929:tid 140275463350144] ModSecurity: StatusEngine call: "2.9.7,Apache/2.4.52 (Ubuntu),1.7.0/1.7.0,8.39/8.39 2016-06-14,(null),2.9.13,e013612419474187e43b03a4f546e0736dc12934"</pre>
== Additional Resources ==

Please see their official handbook for more details on compiling this module.

[https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#installation-steps Reference-Manual-v2.x]

Also be sure to run <code>./configure --help</code> for more information about how to compile this for your system.

Using Iperf3 for Speed Testing

2024-05-18T21:11:17Z

Admin:

Just found out about a cool little utility called <code>iperf3</code> for testing upload/download speeds between two hosts.

On the server make sure to open the testing port on your firewall. Then run the following iperf3 command to start the server in your terminal.

iperf3 -s -p 4000

I'm running it on port 4000.

Then from the client machine you can run the following to test upload speeds.

iperf3 -c SERVER_IP -p 4000 -t 10

If you stick a <code>-R</code> on there to reverse the direction (aka test download speeds).

iperf3 -c SERVER_IP -p 4000 -t 10 -R

Here's some example output:

<pre>
» iperf3 -c REDACTED -p 4000 -t 10 -R
Connecting to host REDACTED, port 4000
Reverse mode, remote host REDACTED is sending
[ 5] local 192.168.1.179 port 60750 connected to REDACTED port 4000
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.00 sec 33.7 MBytes 283 Mbits/sec
[ 5] 1.00-2.00 sec 31.3 MBytes 263 Mbits/sec
[ 5] 2.00-3.00 sec 35.9 MBytes 301 Mbits/sec
[ 5] 3.00-4.00 sec 32.1 MBytes 269 Mbits/sec
[ 5] 4.00-5.00 sec 31.6 MBytes 265 Mbits/sec
[ 5] 5.00-6.00 sec 30.3 MBytes 254 Mbits/sec
[ 5] 6.00-7.00 sec 37.3 MBytes 313 Mbits/sec
[ 5] 7.00-8.00 sec 34.0 MBytes 285 Mbits/sec
[ 5] 8.00-9.00 sec 28.5 MBytes 239 Mbits/sec
[ 5] 9.00-10.00 sec 29.1 MBytes 244 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.04 sec 326 MBytes 272 Mbits/sec 649 sender
[ 5] 0.00-10.00 sec 324 MBytes 272 Mbits/sec receiver

iperf Done.
</pre>

== Sources ==

[https://docs.oracle.com/cd/E88353_01/html/E37839/iperf3-1.html man iperf3 (1)]

Using Iperf3 for Speed Testing

2024-05-18T21:08:16Z

Admin: Created page with "Just found out about a cool little utility called <code>iperf3</code> for testing upload/download speeds between two hosts. On the server make sure to open the testing port on your firewall. Then run the following iperf3 command to start the server in your terminal. iperf3 -s -p 4000 I'm running it on port 4000. Then from the client machine you can run the following to test upload speeds. iperf3 -c SERVER_IP -p 4000 -t 10 If you stick a <code>-R</code> on there t..."

Keeping Sensitive Data Out of Your Shells History File

2024-05-17T17:40:15Z

Admin:

We've all been there before. <code>some_command</code> takes a flag for --password or --api_key. The lazy thing to do is just supply the password as part of your command. But there are two big downsides of doing that. First, it goes into your shell's history file and if you just leave it there someone could find it and use it to steal your bits! Second it goes into the process list and is potentially visible to other users on the system who are just viewing the process tree.

Luckily, there's a simple way to solve both of these problems and its called <code>read</code>. Technically, read is not a stand alone executable, but rather a bash builtin. But all the shell's have it or an equivalent. Bash, zsh, fish all have <code>read</code>. Csh/tcsh has <code>$<</code> (works basically the same).

Bash/Zsh Example:

read mypass
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
mypass="" # Reset value after use or just logout

Csh/Tcsh Example:

setenv mypass $<
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
setenv mypass "" # Reset value after use or just logout

With bash read you can even run <code>read -s mypass</code> to be extra super duper secure and hide your password when entering it.

Maybe people know about using read in a script but you can just use it on the CLI too to keep your sensitive credentials or other info out of your bash history & system process list.

Thanks for reading!

Keeping Sensitive Data Out of Your Shells History File

2024-05-17T17:37:45Z

Admin:

We've all been there before. <code>some_command</code> takes a flag for --password or --api_key. The lazy thing to do is just supply the password as part of your command. But there are two big downsides of doing that. First, it goes into your shell's history file and if you just leave it there someone could find it and use it to steal your bits! Second it goes into the process list and is potentially visible to other users on the system who are just viewing the process tree.

Luckily, there's a simple way to solve both of these problems and its called <code>read</code>. Technically, read is not a stand alone executable, but rather a bash builtin. But all the shell's have it or an equivalent. Bash, zsh, fish all have <code>read</code>. Csh/tcsh has <code>$<</code> (works basically the same).

Bash/Zsh Example:

read mypass
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
mypass="" # Reset value after use or just logout

Csh/Tcsh Example:

setenv mypass $<
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
setenv fart "" # Reset value after use or just logout

With bash read you can even run <code>read -s mypass</code> to be extra super duper secure and hide your password when entering it.

Maybe people know about using read in a script but you can just use it on the CLI too to keep your sensitive credentials or other info out of your bash history & system process list.

Thanks for reading!

Keeping Sensitive Data Out of Your Shells History File

2024-05-17T17:37:20Z

Admin:

We've all been there before. <code>some_command</code> takes a flag for --password or --api_key. The lazy thing to do is just supply the password as part of your command. But there are two big downsides of doing that. First, it goes into your shell's history file and if you just leave it there someone could find it and use it to steal your bits! Second it goes into the process list and is potentially visible to other users on the system who are just viewing the process tree.

Luckily, there's a simple way to solve both of these problems and its called <code>read</code>. Technically, read is not a stand alone executable, but rather a bash builtin. But all the shell's have it or an equivalent. Bash, zsh, fish all have <code>read</code>. Csh/tcsh has <code>$<</code> (works basically the same).

Bash/Zsh Example:

read mypass
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
mypass='' # Reset value after use or just logout

Csh/Tcsh Example:

setenv mypass $<
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"
setenv fart '' # Reset value after use or just logout

With bash read you can even run <code>read -s mypass</code> to be extra super duper secure and hide your password when entering it.

Maybe people know about using read in a script but you can just use it on the CLI too to keep your sensitive credentials or other info out of your bash history & system process list.

Thanks for reading!

Keeping Sensitive Data Out of Your Shells History File

2024-05-17T17:31:51Z

Admin: Created page with "We've all been there before. <code>some_command</code> takes a flag for --password or --api_key. The lazy thing to do is just supply the password as part of your command. But there are two big downsides of doing that. First, it goes into your shell's history file and if you just leave it there someone could find it and use it to steal your bits! Second it goes into the process list and is potentially visible to other users on the system who are just viewing the process t..."

We've all been there before. <code>some_command</code> takes a flag for --password or --api_key. The lazy thing to do is just supply the password as part of your command. But there are two big downsides of doing that. First, it goes into your shell's history file and if you just leave it there someone could find it and use it to steal your bits! Second it goes into the process list and is potentially visible to other users on the system who are just viewing the process tree.

Luckily, there's a simple way to solve both of these problems and its called <code>read</code>. Technically, read is not a stand alone executable, but rather a bash builtin. But all the shell's have it or an equivalent. Bash, zsh, fish all have <code>read</code>. Csh/tcsh has <code>$<</code> (works basically the same).

Bash/Zsh Example:

read mypass
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"

Csh/Tcsh Example:

setenv mypass $<
TYPE_SOME_PASSWORD_HERE
some_command --user username --password "$mypass"

With bash read you can even run <code>read -s mypass</code> to be extra super duper secure and hide your password when entering it.

Maybe people know about using read in a script but you can just use it on the CLI too to keep your sensitive credentials or other info out of your bash history & system process list.

Thanks for reading!

Do cmd X times without a forloop

2024-04-30T01:09:31Z

Admin: Created page with "Say you're in a weird shell and you don't know how to do a forloop. No worries! You can use seq | xargs to run some command any number of times. seq 5 | xargs -I {} echo fart"

Say you're in a weird shell and you don't know how to do a forloop. No worries! You can use seq | xargs to run some command any number of times.

seq 5 | xargs -I {} echo fart

Japh

2024-04-13T10:41:33Z

Admin: Created page with "A perl japh is an obfuscated perl program that prints out the message <code>Just another Perl Hacker</code> or <code>Just another Perl Programmer</code>. Here's my first ever attempt at creating a japh. <pre> #!/usr/bin/env perl # John's first japh! use MIME::Base64;use Compress::Zlib;$s='blue23';$p='japh';@k=split '',crypt($p,$s);%h=('1'=>'CEgt','Y'=>'CNk=','0'=>'UUjM','Q'=>'Ti0C ','w'=>'SEzO','l'=>'Ki0u','2'=>'SC1S','3'=>'yy/J','U'=>undef,'7'=> undef,'x'=>'ylHw','N'..."

A perl japh is an obfuscated perl program that prints out the message <code>Just another Perl Hacker</code> or <code>Just another Perl Programmer</code>.

Here's my first ever attempt at creating a japh.

<pre>
#!/usr/bin/env perl
# John's first japh!
use MIME::Base64;use Compress::Zlib;$s='blue23';$p='japh';@k=split
'',crypt($p,$s);%h=('1'=>'CEgt','Y'=>'CNk=','0'=>'UUjM','Q'=>'Ti0C
','w'=>'SEzO','l'=>'Ki0u','2'=>'SC1S','3'=>'yy/J','U'=>undef,'7'=>
undef,'x'=>'ylHw','N'=>'AG8p','b'=>'eJzz');$japh;foreach (@k){next
unless $h{$_};$japh.=$h{$_};};print uncompress(decode_base64($japh
))."\n";
</pre>

When run it output:
./japh.pl
Just another Perl Hacker

[https://www.perlmonks.org/?node_id=412464 More info]

Encode.php

2024-04-11T04:08:12Z

Admin: Created page with "Encodes a file as base64 gzip compressed payload file. <pre> <?php $input_file = 'info.php'; $output_file = 'x.php'; function removePhpTags($content) { $content = preg_replace('/^<\?php\s*/', '', $content); $content = preg_replace('/\s*\?>$/', '', $content); return $content; } $file_content = file_get_contents($input_file); $file_content = removePhpTags($file_content); $encoded = base64_encode(gzcompress($file_content)); $payload = "<?php eval(gzuncompress(base..."

Encodes a file as base64 gzip compressed payload file.

<pre>
<?php
$input_file = 'info.php';
$output_file = 'x.php';

function removePhpTags($content) {
$content = preg_replace('/^<\?php\s*/', '', $content);
$content = preg_replace('/\s*\?>$/', '', $content);
return $content;
}

$file_content = file_get_contents($input_file);
$file_content = removePhpTags($file_content);

$encoded = base64_encode(gzcompress($file_content));
$payload = "<?php eval(gzuncompress(base64_decode('$encoded')));?>";
file_put_contents($output_file, $payload);
?>
</pre>

Virsh list all in json

2023-12-31T03:14:26Z

Admin: Created page with "The following <code>bash</code> command will list all virsh guests in json. echo "[ $(virsh list --all|grep -Ev 'Id|----'|awk '{print "{ \"id\": \""$1"\", \"name\": \""$2"\", \"state\": \""$3 $4"\"}," }'|head -n -1) {} ]"|jq -r Output example: <pre> [ { "id": "38", "name": "Mac", "state": "running" }, { "id": "39", "name": "Dennis", "state": "running" }, { "id": "40", "name": "Charlie", "state": "running" }, ... </pre>"

The following <code>bash</code> command will list all virsh guests in json.

echo "[ $(virsh list --all|grep -Ev 'Id|----'|awk '{print "{ \"id\": \""$1"\", \"name\": \""$2"\", \"state\": \""$3 $4"\"}," }'|head -n -1) {} ]"|jq -r

Output example:

<pre>
[
{
"id": "38",
"name": "Mac",
"state": "running"
},
{
"id": "39",
"name": "Dennis",
"state": "running"
},
{
"id": "40",
"name": "Charlie",
"state": "running"
},
...
</pre>

Loris.php

2023-12-14T04:00:31Z

Admin: Created page with "Useful little PHP script for holding a connection open for testing. <pre> <?php // John testing holding a connection open, will clean up. Although I guess if // you're reading this that was a lie, sorry... /* Debug */ ini_set('display_errors','1'); ini_set('display_startup_errors','1'); error_reporting (E_ALL); echo "Randomness Begin..."; function random_string($length) { $str = random_bytes($length); $str = base64_encode($str); $str = str_replace(["+", "/..."

Useful little PHP script for holding a connection open for testing.

<pre>
<?php
// John testing holding a connection open, will clean up. Although I guess if
// you're reading this that was a lie, sorry...
/* Debug
*/
ini_set('display_errors','1');
ini_set('display_startup_errors','1');
error_reporting (E_ALL);

echo "Randomness Begin...";

function random_string($length) {
$str = random_bytes($length);
$str = base64_encode($str);
$str = str_replace(["+", "/", "="], "", $str);
$str = substr($str, 0, $length);
return $str;
}

while (True) {
echo random_string(32) ."\n<br>\n";
}
?>
</pre>

Inotifywait Shenanigans

2023-12-02T05:34:11Z

Admin: /* Exec on Cat */

== Inotifywait ==

=== Description ===

From the [https://linux.die.net/man/1/inotifywait man page].

<pre>
NAME
inotifywait, fsnotifywait - wait for changes to files using inotify or fanotify

DESCRIPTION
inotifywait efficiently waits for changes to files using Linux's inotify(7) interface. It is
suitable for waiting for changes to files from shell scripts. It can either exit once an
event occurs, or continually execute and output events as they occur.
</pre>

== Examples ==

=== Cat on Write ===

* Term 1: inotifywait listener

» notifywait -qqe close_write fart.txt && cat fart.txt

Args are:

<pre>
-e <event>, --event <event>
Listen for specific event(s) only. The events which can be listened for are listed in
the EVENTS section. This option can be specified more than once. If omitted, all
events are listened for.

-q, --quiet
If specified once, the program will be less verbose. Specifically, it will not state
when it has completed establishing all inotify watches.

If specified twice, the program will output nothing at all, except in the case of fatal
errors.
</pre>

[https://linux.die.net/man/1/inotifywait Man inotifywait]

* Term 2: Write to fart.txt

» echo fart fart fart > fart.txt

* Term 1: fart.txt catt'ed

» notifywait -qqe close_write fart.txt && cat fart.txt
fart fart fart

Well now you might say "interesting but what good is that?" Well with a slight modification we can set a bit of a trap.

=== Exec on Cat 👨‍💼/🐱 ===

* Term 1: Set Tripwire

» inotifywait -qqe open fart.txt && ./run_hax.sh

* Term 2: Harmlessly Cat a File
» cat fart.txt

* Term 1: Hax Triggered!
» inotifywait -qqe open fart.txt && ./run_hax.sh
Running Hax...

== Sources ==

https://superuser.com/questions/181517/how-to-execute-a-command-whenever-a-file-changes

https://linux.die.net/man/1/inotifywait

Inotifywait Shenanigans

2023-12-02T03:06:09Z

Admin:

== Inotifywait ==

=== Description ===

From the [https://linux.die.net/man/1/inotifywait man page].

<pre>
NAME
inotifywait, fsnotifywait - wait for changes to files using inotify or fanotify

DESCRIPTION
inotifywait efficiently waits for changes to files using Linux's inotify(7) interface. It is
suitable for waiting for changes to files from shell scripts. It can either exit once an
event occurs, or continually execute and output events as they occur.
</pre>

== Examples ==

=== Cat on Write ===

* Term 1: inotifywait listener

» notifywait -qqe close_write fart.txt && cat fart.txt

Args are:

<pre>
-e <event>, --event <event>
Listen for specific event(s) only. The events which can be listened for are listed in
the EVENTS section. This option can be specified more than once. If omitted, all
events are listened for.

-q, --quiet
If specified once, the program will be less verbose. Specifically, it will not state
when it has completed establishing all inotify watches.

If specified twice, the program will output nothing at all, except in the case of fatal
errors.
</pre>

[https://linux.die.net/man/1/inotifywait Man inotifywait]

* Term 2: Write to fart.txt

» echo fart fart fart > fart.txt

* Term 1: fart.txt catt'ed

» notifywait -qqe close_write fart.txt && cat fart.txt
fart fart fart

Well now you might say "interesting but what good is that?" Well with a slight modification we can set a bit of a trap.

=== Exec on Cat ===

* Term 1: Set Tripwire

» inotifywait -qqe open fart.txt && ./run_hax.sh

* Term 2: Harmlessly Cat a File
» cat fart.txt

* Term 1: Hax Triggered!
» inotifywait -qqe open fart.txt && ./run_hax.sh
Running Hax...

== Sources ==

https://superuser.com/questions/181517/how-to-execute-a-command-whenever-a-file-changes

https://linux.die.net/man/1/inotifywait

Inotifywait Shenanigans

2023-12-02T03:04:39Z

Admin: Created page with "== Inotifywait == === Description === From the [https://linux.die.net/man/1/inotifywait man page]. <pre> NAME inotifywait, fsnotifywait - wait for changes to files using inotify or fanotify DESCRIPTION inotifywait efficiently waits for changes to files using Linux's inotify(7) interface. It is suitable for waiting for changes to files from shell scripts. It can either exit once an event occurs, or continually execute and output eve..."

== Inotifywait ==

=== Description ===

From the [https://linux.die.net/man/1/inotifywait man page].

<pre>
NAME
inotifywait, fsnotifywait - wait for changes to files using inotify or fanotify

DESCRIPTION
inotifywait efficiently waits for changes to files using Linux's inotify(7) interface. It is
suitable for waiting for changes to files from shell scripts. It can either exit once an
event occurs, or continually execute and output events as they occur.
</pre>

== Examples ==

=== Cat on Write ===

* Term 1: inotifywait listener

» notifywait -qqe close_write fart.txt && cat fart.txt

Args are:

<pre>
-e <event>, --event <event>
Listen for specific event(s) only. The events which can be listened for are listed in
the EVENTS section. This option can be specified more than once. If omitted, all
events are listened for.

-q, --quiet
If specified once, the program will be less verbose. Specifically, it will not state
when it has completed establishing all inotify watches.

If specified twice, the program will output nothing at all, except in the case of fatal
errors.
</pre>

[https://linux.die.net/man/1/inotifywait Man inotifywait]

* Term 2: Write to fart.txt

» echo fart fart fart > fart.txt

* Term 1: fart.txt catt'ed

» notifywait -qqe close_write fart.txt && cat fart.txt
fart fart fart

Well now you might say "interesting but what good is that?" Well with a slight modification we can set a bit of a trap.

=== Exec on Cat ===

* Term 1: Set Tripwire

» inotifywait -qqe open fart.txt

* Term 2: Harmlessly Cat a File
» cat fart.txt

* Term 1: Hax Triggered!
» inotifywait -qqe open fart.txt && ./run_hax.sh
Running Hax...

== Sources ==

https://superuser.com/questions/181517/how-to-execute-a-command-whenever-a-file-changes

https://linux.die.net/man/1/inotifywait

Using the FTP CLI Utility

2023-10-19T19:32:29Z

Admin:

To use the FTP command line utility run the command below.

ftp example.com

<pre>
Connected to example.com.
220 ProFTPD Server (example.com FTP server)
Name (example.com): YOUR_USERNAME
331 Password required for YOUR_USERNAME
Password:
230 User YOUR_USERNAME logged in
Remote system type is UNIX.
Using binary mode to transfer files.
</pre>

* Then enable passive mode:

<pre>
ftp> passive
Passive mode on.
</pre>

* You can list files with <code>ls</code> or <code>dir</code>:

<pre>ftp> ls
227 Entering Passive Mode.
150 Opening BINARY mode data connection for file list
app.js bin public_ftp
backup public_html www_logs
226 Transfer complete</pre>

* Pull a file down from the server with the <code>get</code> command:

<pre>ftp> get app.js
local: app.js remote: app.js
227 Entering Passive Mode (66,39,65,154,129,77).
150 Opening BINARY mode data connection for app.js (338 bytes)
226 Transfer complete
338 bytes received in 0.00 secs (1.2446 MB/s)</pre>

* Then disconnect and you can see you have the file on your client machine:

<pre>ftp> exit
221 Goodbye.

blue@Home:$~> cat app.js
const http = require('http');

const hostname = '127.0.0.1';
const port = 3000;
...</pre>

* You run commands on your local machine through the ftp shell by prefixing a ! char:

<pre>ftp> !cat blah.txt
blah blah blah</pre>

* To upload a file to a server use the <code>put</code> command:

<pre>ftp> put blah.txt
local: blah.txt remote: blah.txt
227 Entering Passive Mode (66,39,65,154,129,91).
150 Opening BINARY mode data connection for blah.txt
226 Transfer complete
5 bytes sent in 0.00 secs (256.9901 kB/s)</pre>

* And then if we check on the remote machine via ftp we can see:

<pre>john@server:$~> cat blah.txt
fart</pre>

* To see a help menu for ftp run help:

<pre>
ftp> help
Commands may be abbreviated. Commands are:

! edit lpage nlist rcvbuf struct
$ epsv lpwd nmap recv sunique
account epsv4 ls ntrans reget system
append epsv6 macdef open remopts tenex
ascii exit mdelete page rename throttle
bell features mdir passive reset trace
binary fget mget pdir restart type
bye form mkdir pls rhelp umask
case ftp mls pmlsd rmdir unset
cd gate mlsd preserve rstatus usage
cdup get mlst progress runique user
chmod glob mode prompt send verbose
close hash modtime proxy sendport xferbuf
cr help more put set ?
debug idle mput pwd site
delete image mreget quit size
dir lcd msend quote sndbuf
disconnect less newer rate status
</pre>

* Help for specific command:

<pre>ftp> help lcd
lcd change local working directory</pre>

Editing Bats - Bash Automated Testing System

2023-10-07T11:11:24Z

Admin: Admin moved page Editing Bats - Bash Automated Testing System to Bats - Bash Automated Testing System: Misspelled title: Goofed when copying source from og wiki.

#REDIRECT [[Bats - Bash Automated Testing System]]