How to find cause of heavy usage on your Apache webserver

Here’s a quick and dirty tip on how to find the cause of heavy CPU usage on your Apache webserver (especially when running PHP scripts).

First you need to locate the Apache 2 “access.log” file. By default in Ubuntu, this file is located in the “/var/log/apache2” directory.

Then run this command to find out which IP addresses access your website the most in a short time.
[code]
tail -n 10000 access.log | awk '{print $1}' | sort | uniq -c | sort -n
[/code]

The output of the command should contain a list of IP addresses along with the number of hits each made in the last 10,000 accesses of your website:
[code]
47 117.58.252.98
81 202.124.242.186
84 202.124.245.26
182 194.164.101.217
220 208.101.22.146
225 72.167.131.144
3946 93.135.xxx.xxx
[/code]

From here you can easily locate the offending IP address and proceed to block it from accessing your website further using an .htaccess file or another blocking method.

Here is an example that blocks a certain IP address from accessing your website using an .htaccess file:
[code]
order deny,allow
deny from 93.135.xxx.xxx
[/code]

Save the .htaccess file in the root directory of your web server (for example /var/www), and the IP address won’t be able to access your site again.
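The one-liner above ranks every client. As an added example (not part of the original post), the script below reports only the IPs responsible for more than a given share of recent requests and then shows which paths such an IP is hitting, which is usually what points to the expensive PHP script. The function names, thresholds and sample log lines are constructed for illustration, and the log is assumed to be in Apache's common/combined format.

```shell
#!/bin/sh
# Added example: find heavy hitters in an Apache access log.

# heavy_hitters LOGFILE [LINES] [PERCENT]
# Prints "count ip" for every IP above PERCENT of the last LINES requests.
heavy_hitters() {
    log=$1; lines=${2:-10000}; pct=${3:-20}
    tail -n "$lines" "$log" |
        awk -v pct="$pct" '
            { hits[$1]++; total++ }
            END {
                for (ip in hits)
                    if (hits[ip] * 100 > pct * total)
                        print hits[ip], ip
            }' | sort -rn
}

# top_paths LOGFILE IP [LINES]
# Prints the five most requested paths for one IP (field 7 is the URL).
top_paths() {
    log=$1; ip=$2; lines=${3:-10000}
    tail -n "$lines" "$log" |
        awk -v ip="$ip" '$1 == ip { print $7 }' |
        sort | uniq -c | sort -rn | head -n 5
}

# Constructed sample log using documentation-range addresses.
sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo '203.0.113.7 - - [10/Jul/2008:10:00:00 +0000] "GET /search.php?q=a HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    echo '198.51.100.4 - - [10/Jul/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024'
    echo '192.0.2.9 - - [10/Jul/2008:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 300'
}

# Demo on the constructed log.
tmp=$(mktemp)
sample_log > "$tmp"
heavy_hitters "$tmp" 10000 20
top_paths "$tmp" 203.0.113.7
rm -f "$tmp"
```

The `order`/`deny` directives shown above are Apache 2.2 syntax; on Apache 2.4 they work only through mod_access_compat, and the native form is `Require not ip` inside a `<RequireAll>` block.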

Hope that would help you!

Ubuntu Hardy Heron 8.04.1 LTS Bugfix release

The Ubuntu project has released Hardy Heron 8.04.1. As the release number implies, it is a bugfix release which contains all the security updates and bug fixes for the last 2 months since the first release of 8.04. The release can be downloaded from the Ubuntu Hardy download page in the form of ISO files.

Current users need not download the new CD, as they most likely have all the security patches applied via the built-in Automatic Update feature in Ubuntu.

As a bonus, the CD also includes the production release of Mozilla Firefox 3.0, compared to 3.0 Beta in 8.04.

ssh-vulnkey : How to test weak SSH keys on your server

This might be stale news to most security-alert people, but I felt compelled to write this post nevertheless. By this time most security-alert people have realised that a serious security vulnerability has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems, and a lot of sites have published information about it [1] [2] [3] [4] [5].

This vulnerability caused OpenSSL to generate “common” and predictable keys, which are easily cracked by brute force. In the extreme case, some keys were successfully cracked in 2 hours. Longer keys such as an 8192-bit RSA keyset might take as little as 129 days to generate, as opposed to hundreds of years if the keys were generated securely.

Which Ubuntu Linux systems are affected?
As the Ubuntu Linux operating system is based on Debian, it inherited Debian’s vulnerability. Users who generated keys on Ubuntu 7.04, Ubuntu 7.10 or Ubuntu 8.04 LTS before updating to the new OpenSSL package via automatic updates (that is, before May 13 2008) are all affected by this vulnerability.

Other systems which use keys generated by Debian and the above-mentioned Ubuntu systems are also affected, as the keys might allow a malicious third party to abuse the system. SSH logins which use these keys can no longer be considered secure, and their users are advised to update their SSH keys immediately.

How to check against weak SSH keys?
A system is only as strong as the security measures (in this case, the key) that protect it. By using ssh-vulnkey as detailed in Ubuntu Security Notice 612-2, you can detect weak keys in your system and update them accordingly.

Run the “sudo ssh-vulnkey -a” command to check for weak keys:

[code]
ssh-vulnkey -a
Not blacklisted: 2048 fa:2e:1d:a6:84:64:a1:80:c4:31:68:5a:b0:1a:cb:fe /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 f4:34:04:85:58:a0:6b:0a:a1:b9:2d:3b:e6:19:5a:76 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c /home/someuser/.ssh/authorized_keys
Not blacklisted: 2048 a7:b4:3e:41:18:cb:f7:68:5e:4f:ae:30:14:d2:17:fd /home/someuser/.ssh/authorized_keys
[/code]
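On a server with many accounts the listing gets long, and a single authorized_keys file can hold both good and weak keys, as in the output above. The following added example (not part of the original post or of ssh-vulnkey itself) summarises that output per file and extracts the fingerprints that must be removed. The function names are hypothetical, and it assumes only the two line formats shown above and paths without spaces.

```shell
#!/bin/sh
# Added example: summarise `ssh-vulnkey -a` output read from stdin.

# Print "<compromised> <total> <path>" for each file that holds at least
# one COMPROMISED key, so you know which files need editing.
vulnkey_report() {
    awk '
        /^(COMPROMISED|Not blacklisted):/ {
            path = $NF
            total[path]++
            if ($1 == "COMPROMISED:") bad[path]++
        }
        END { for (p in bad) print bad[p], total[p], p }
    ' | sort -k 3
}

# Print the fingerprint of every COMPROMISED key, one per line.
vulnkey_fingerprints() {
    awk '$1 == "COMPROMISED:" { print $(NF - 1) }'
}

# Sample input: the ssh-vulnkey output listed above.
sample_output() {
    cat <<'EOF'
Not blacklisted: 2048 fa:2e:1d:a6:84:64:a1:80:c4:31:68:5a:b0:1a:cb:fe /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 f4:34:04:85:58:a0:6b:0a:a1:b9:2d:3b:e6:19:5a:76 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c /home/someuser/.ssh/authorized_keys
Not blacklisted: 2048 a7:b4:3e:41:18:cb:f7:68:5e:4f:ae:30:14:d2:17:fd /home/someuser/.ssh/authorized_keys
EOF
}

# Demo: one of the two keys in someuser's authorized_keys is weak.
sample_output | vulnkey_report
sample_output | vulnkey_fingerprints
```

On a live system, pipe the real output in with `sudo ssh-vulnkey -a | vulnkey_report`.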

More information about OpenSSL in Debian / Ubuntu security vulnerability :

AVTech CCTV DVR Motion Detector Settings

A couple of days ago I was given the task of configuring a CCTV DVR device (AVTech 4 Channel MPEG 4 recorder). I prefer the embedded device approach as opposed to the cheap PC CCTV cards, as the latter require a full-blown PC and depend on the Windows operating system (which naturally incurs additional costs).

The AVTech CCTV DVR is priced slightly higher, but you get the perks of having a dedicated and compact device for your CCTV solution. It has a network interface which lets you configure and view your CCTV security camera over the internet.

Motion Detector Settings
Generally I’ve had no trouble at all using the AVTech; the only thing I’ve had a hard time figuring out is the motion detector settings, which allow the device to record video only if it detects movement on one of its cameras.

Fortunately I found a source which reveals the meaning of each configurable setting on the AVTech CCTV device:

Secure your WordPress installation now to avoid being compromised

Following the recent announcement from Technorati about a WordPress security vulnerability, and the fact that a lot of WordPress sites have been compromised, it is recommended that those who are running a WordPress blog upgrade and tighten their site security to prevent it from being injected with malicious or spammy code.

Here are a few pointers that might help you secure your WordPress installation to prevent it from being cracked into :

Remember, you will be responsible for all the damage caused by the crackers should your site be cracked into.

403 Forbidden during Ubuntu Gutsy Security Update

Some of you may encounter the message 403 Forbidden during an Ubuntu Gutsy security update, especially when you do your update using “sudo apt-get upgrade”.

The message was displayed because the Ubuntu team deliberately blocked security updates from the server side following reports that the updates were breaking the xorg-server package (this very same incident also happened last year, during the Dapper release).

Thankfully the issue has been handled by the Ubuntu team, and now you can continue updating your computer without any interruption or side effects from installing the security updates.

Was Ubuntu the only distro affected by this problem?
Credit to enforcer, now I know there are several other distros (OpenSuSE, Gentoo, Debian) besides Ubuntu that experienced this problem.

Should I install any security updates?
It is highly advisable to install security updates whenever they are available from the update server. Failing to do so may expose your system to various security holes and vulnerabilities, which can lead to your system being compromised by a malicious party.