Simple Method for Checking for Order With Behat

While needing to write a test to check the order of 2 items (within a given CSS query) in Behat, I did a little googling and came across this website here.

The tutorial is great and i just wanted to give a shout out to the author for their great content. I also made a slight change to include testing for the existing of the 2 items.

Here is my slightly updated version:

    /**
     * 
     * @Then /^"([^"]*)" should precede "([^"]*)" for the query "([^"]*)"$/
     */
    public function shouldPrecedeForTheQuery($textBefore, $textAfter, $cssQuery)
    {
		// http://neverstopbuilding.net/simple-method-for-checking-for-order-with-behat/
        $items = array_map(
            function ($element) {
                return $element->getText();
            },
            $this->getPage()->findAll('css', $cssQuery)
        );

		WebTestCase::assertTrue(in_array($textBefore, $items), 'The before text was not found!');
		WebTestCase::assertTrue(in_array($textAfter,  $items), 'The after text was not found!');
			
        WebTestCase::assertGreaterThan(
            array_search($textBefore, $items),
            array_search($textAfter, $items),
            "$textBefore does not proceed $textAfter"
        );
    }

/**

* @Then /^"([^"]*)" should precede "([^"]*)" for the query "([^"]*)"$/

public function shouldPrecedeForTheQuery($textBefore, $textAfter, $cssQuery)

{

// http://neverstopbuilding.net/simple-method-for-checking-for-order-with-behat/

$items = array_map(

function ($element) {

return $element->getText();

$this->getPage()->findAll('css', $cssQuery)

);

WebTestCase::assertTrue(in_array($textBefore, $items), 'The before text was not found!');

WebTestCase::assertTrue(in_array($textAfter, $items), 'The after text was not found!');

WebTestCase::assertGreaterThan(

array_search($textBefore, $items),

array_search($textAfter, $items),

"$textBefore does not proceed $textAfter"

);

}

You can see an example of the test i wrote using this method here.

Hardening LAMP / Plesk VPS / DDoS Mitigation.

If you want to harden the security of your Plesk VPS, there are a couple of things you can do from disabling non-essential apache modules to reduce attack vectors and from adding/activating some apache modules that can help in the department of security. In this article i will share with you what i have found after a couple of days of research and give you some practical tips, apache modules to install/enable/disable and some 3rd party services i have found to be of use.

What we will cover:
1) Disclaimer.
2) DNS / Proxy services (like CloudFlare).
3) Installing mod_evasive.
4) Installing mod_security.
5) Adding a rule set to mod_security courtesy of OWASP.
6) Enabling/Disabling useful Apache Modules.
7) Plesk Firewall Changes.
8) Configuring ‘httpd.conf’.
9) Disabling Directory Browsing.
10) Prevent PHP exposing itself in HTTP Headers.
11) Further Reading.

Disclaimer.

I am not a security expert by any measure, and make no guarantees that any of this will work for you! Please test your setup on a test bed before deploying and backing up your server (scripts/assets/database/configs etc) should be standard practice as i cannot be held responsible for any damages caused.

Further more, i use yum on CentOS and will not translate these instructions for use on other platforms or other package managers. If you are using apt-get, rpm, dpkg or anything else you will need to go to the original sites; the links for which i have provided and find alternative install instructions there.

CloudFlare and CDN’s.

Where DDoS attacks are concerned, there are some things you can do to help mitigate the attack but overall your options will be severely limited on any VPS. VPS’s generally mean you are already sharing your hardware with several other virtual servers, which could scale in any quantity depending on your provider and their policies.

The more virtual machines running side by side with your own VPS on the same hardware the lesser chance of successfully mitigating a DDoS attack. This is due to the limitations of bandwidth from the switch to that hardware combined with how much traffic your site and the other VPS’s on the same hardware are using.

Further more, the switch itself could have already peaked its limit, meaning nothing you do on your server will help to mitigate the attack.

If that is the case, then you have 2 options:
1) Migrate your DNS to CloudFlare or any other DNS/proxy/CDN services out there (there are lots to choose from, though CloudFlare is one of the most up and coming out there).
2) Contact your VPS provider and enquire as to any DDoS protection they are using at the switch/router level and wether they have any additional more dedicated filters that can be used. If they do provide such a service though it will likely come at a premium. Some ISPs/hosting companies will allow you to use your own hardware if you own it to filter out such attacks though will still likely charge you to use it (for the electricity and rack-space being used). Even then, such filtering boxes can be fallible.

From my own experience so far, i highly recommend trying out CloudFlare

Also, once setup on CloudFlare, considering installing their apache module from the downloads section mod_cloudflare.

Note that using CloudFlare comes with some added advantages, being a CDN, scripts/css/images and so fourth are cached, and further more, additional features can be enabled for blocking scrapers and spambots. Lastly as a really nice addition are the statistics that CloudFlare provide for you on bandwidth, and hits/visitors etc.

Now moving on to some more important tricks we can use to help mitigate weaker attacks on our system such as single DoS scripts and content scrapers etc.

Apache Modules.

Before we go ahead and do anything here, i highly recommend you back up your entire system setup, including your site contents and database and keep a copy of the backup on your local machine. I cannot be held responsible for data loss because something went wrong, so please, just backup your stuff, ok?

For this we will want 2 apache modules, mod_evasive and mod_security.

Mod_evasive will attempt to monitor connections looking for excessive repeat requests to the same resources from the same source and block out what it deems to be either DoS, DDoS, content scrapers or some other brute force attack. You can read more about that here.

Mod_security will employ a number of tactics to cover a large range of security implications from brute force attacks, xss attacks and also work to patch exploits in the OS once discovered by the community prior to the release of updates from the software providers. This is a much more sophisticated module and the original site for the project can do its description much greater justice than i can, so you can read more about it here. Though i will provide you with an extract from the site:

Real-Time Monitoring and Attack Detection

In addition to providing logging facilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.

Attack Prevention and Just-in-time Patching

ModSecurity can also act immediately to prevent attacks from reaching your web applications. There are three commonly used approaches:

Negative security model. Negative security model monitors requests for anomalies, unusual behaviour, and common web application attacks. It keeps anomaly scores for each request, IP addresses, application sessions, and user accounts. Requests with high anomaly scores are either logged or rejected altogether.
Known weaknesses and vulnerabilities. Its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity. Time needed to patch application vulnerabilities often runs to weeks in many organisations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), making your systems secure until a proper patch is produced.
Positive security model. When positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.

Real-Time Monitoring and Attack Detection

In addition to providing logging facilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.

Attack Prevention and Just-in-time Patching

ModSecurity can also act immediately to prevent attacks from reaching your web applications. There are three commonly used approaches:

Negative security model. Negative security model monitors requests for anomalies, unusual behaviour, and common web application attacks. It keeps anomaly scores for each request, IP addresses, application sessions, and user accounts. Requests with high anomaly scores are either logged or rejected altogether.

Known weaknesses and vulnerabilities. Its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity. Time needed to patch application vulnerabilities often runs to weeks in many organisations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), making your systems secure until a proper patch is produced.

Positive security model. When positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.

Just as a note here, i am using Plesk 11, HTTPD 2.2 on a CentOS setup. You may wish to tweak the install steps according to your own setup. If you do not have/use yum, you may want to use apt-get instead which is fine.

Apache Module mod_evasive.

$ cd /usr/src/
$ wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
$ mkdir mod_evasive/
$ tar xvzf mod_evasive_1.10.1.tar.gz mod_evasive/
$ cd mod_evasive/
$ ls -al
$ /usr/sbin/apxs -i -a -c /usr/src/mod_evasive/mod_evasive20.c

$ cd /usr/src/

$ wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz

$ mkdir mod_evasive/

$ tar xvzf mod_evasive_1.10.1.tar.gz mod_evasive/

$ cd mod_evasive/

$ ls -al

$ /usr/sbin/apxs -i -a -c /usr/src/mod_evasive/mod_evasive20.c

Some of the older install instructions use the wrong download link which is no longer active, i have provided the more up to date link in the instructions for you. You will also need wget, which if you do not have on your Plesk install i suggest you install.

That should be mod_evasive installed. It is best to ensure you have not broken anything so do a restart of the HTTP Daemon.

$ service httpd restart

1	$ service httpd restart

Apache Module mod_security.

Next up, in order to install Mod_Security we need to ensure we have the following dependencies:

$ yum install libxml2
$ yum install libxml2-devel
$ yum install libcurl
$ yum install libcurl-devel

$ yum install libxml2

$ yum install libxml2-devel

$ yum install libcurl

$ yum install libcurl-devel

I am using mod_security_2.6.7 (there was a 2.7.0 prelease candidate but i don’t recommend using pre-release candidates as they may have bugs etc and 2.6.7 is considered stable).

$ cd /usr/src/
$ mkdir mod_security/
$ wget http://www.modsecurity.org/download/modsecurity-apache_2.6.7.tar.gz
$ tar xvzf modsecurity-apache_2.6.7.tar.gz
$ cd /modsecurity-apache_2.6.7
$ ./configure
$ ./configure --with-apxs=/usr/sbin/apxs
$ make
$ make mlogc
$ make install

$ cd /usr/src/

$ mkdir mod_security/

$ wget http://www.modsecurity.org/download/modsecurity-apache_2.6.7.tar.gz

$ tar xvzf modsecurity-apache_2.6.7.tar.gz

$ cd /modsecurity-apache_2.6.7

$ ./configure

$ ./configure --with-apxs=/usr/sbin/apxs

$ make

$ make mlogc

$ make install

I am also using apxs, which if you do not have/use, you may want to consult the original install instructions.

Before we can use this however, we have to edit the httpd.conf file to ensure that it is including the libxml and lua libs, use your preferred text editor to add the following at the top of the list of LoadModule section labelled (Dynamic Shared Object (DSO) Support).

#LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib64/libxml2.so.2
#LoadFile /usr/lib/liblua5.1.so
LoadFile /usr/lib64/liblua-5.1.so

LoadModule security2_module modules/mod_security2.so

#LoadFile /usr/lib/libxml2.so

LoadFile /usr/lib64/libxml2.so.2

#LoadFile /usr/lib/liblua5.1.so

LoadFile /usr/lib64/liblua-5.1.so

LoadModule security2_module modules/mod_security2.so

If the server fails to load the httpd server, then swap the commented out LoadFile lines with the uncommented ones.

As before, it is best to ensure you have not broken anything so do a restart of the HTTP Daemon.

$ service httpd restart

1	$ service httpd restart

Adding the OWASP Rule Set.

The Open Web Application Security Project (OWASP) is a set of predefined rules to harden your mod_security setup. According to OWASP, mod_security does not do a great deal on its own, while it will by default add some protection, it will need a decent rule set to really put this thing to task. Many of the rule sets are commercial and will cost you money, however OWASP provide a nice set of rules for free to harden any server.

You can check out the project on their homepage.

Installation was a little tricky as their docs seems slightly inconsistent and poorly explained a few things. However assuming you are running Plesk 11, i will run you through the necessary steps to get this setup easily.

One of the things in the official docs was that the install directories were all wrong, or at least wrong for Apache 2.2 on a Plesk 11 setup. If this does not work for you then go ahead and follow the original docs, otherwise give this a go.

$ cd /etc/httpd/conf/
$ wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
$ mv master owasp.tar.gz
$ tar xvzf owasp.tar.gz
$ mv SpiderLabs-owasp-modsecurity-crs-618ff50/ crs/

$ cd /etc/httpd/conf/

$ wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

$ mv master owasp.tar.gz

$ tar xvzf owasp.tar.gz

$ mv SpiderLabs-owasp-modsecurity-crs-618ff50/ crs/

The filename extracted from the tarball may be different depending on the build/revision from the git repository.

Also, in this next section, i tried the newer 2.2.6 configuration but it seemed incompatible with the current stable build of mod_security, i could not find very good documentation explaining all the necessary steps or the difference, but my guess is that 2.2.6 is meant for the new mod_security 2.7.0 pre-release. So i went with 2.2.5 which worked. Version 2.2.6 will give you issues! (namely the httpd won’t start due to misconfigurations).

$ cd 2.2.5/
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

1 2	$ cd 2.2.5/ $ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

In that last step not only do we need to rename the copy to remove the “.example”, but also to change “_setup” to “_config”, this is an issue as the docs only say to remove example, and cite a wrongly named file. Just an error in their docs which i am sure will be addressed at some point but don’t let that trip you up.

Next up we need to make some changes to the file, we need to change the deny option on secDefaultAction to pass, according to the doc, (which actually will cause an error).

What they meant to say was set it the following:

SecDefaultAction "phase:2,deny,log"

1	SecDefaultAction "phase:2,deny,log"

To look like:

SecDefaultAction "phase:2,pass"

1	SecDefaultAction "phase:2,pass"

Use whatever text editor you prefer. I used vi, but feel free to use nano or pico etc.

Next up, we want to set up all the symlinks, linking the rules we wish to use into the ‘activated_rules’ directory.

I have corrected the following again from the docs to match the directories that are being used for httpd configurations in Plesk 11, which were invalid in the original docs but thats fixed in the steps i have given you below:

$ sudo ln -s /etc/httpd/conf/crs/2.2.5/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
$ for f in `ls base_rules/` ; do sudo ln -s /etc/httpd/conf/crs/2.2.5/base_rules/$f activated_rules/$f ; done
$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /etc/httpd/conf/crs/2.2.5/optional_rules/$f activated_rules/$f ; done

$ sudo ln -s /etc/httpd/conf/crs/2.2.5/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf

$ for f in `ls base_rules/` ; do sudo ln -s /etc/httpd/conf/crs/2.2.5/base_rules/$f activated_rules/$f ; done

$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /etc/httpd/conf/crs/2.2.5/optional_rules/$f activated_rules/$f ; done

Now, if we peak inside the activated_rules, what we should have is a list of symlinks:

$ ls -al activated_rules/
total 112K
drwxr-xr-x 2 root root 4.0K Sep 19 13:27 .
drwxr-xr-x 9 root root 4.0K Sep 19 13:25 ..
lrwxrwxrwx 1 root root   67 Sep 19 13:26 modsecurity_35_bad_robots.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx 1 root root   65 Sep 19 13:26 modsecurity_35_scanners.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_35_scanners.data
lrwxrwxrwx 1 root root   72 Sep 19 13:26 modsecurity_40_generic_attacks.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx 1 root root   78 Sep 19 13:26 modsecurity_41_sql_injection_attacks.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_41_sql_injection_attacks.data
lrwxrwxrwx 1 root root   73 Sep 19 13:27 modsecurity_42_comment_spam.data -> /etc/httpd/conf/crs/2.2.5/optional_rules/modsecurity_42_comment_spam.data
lrwxrwxrwx 1 root root   65 Sep 19 13:26 modsecurity_50_outbound.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_50_outbound.data
lrwxrwxrwx 1 root root   73 Sep 19 13:26 modsecurity_50_outbound_malware.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx 1 root root   56 Sep 19 13:26 modsecurity_crs_10_config.conf -> /etc/httpd/conf/crs/2.2.5/modsecurity_crs_10_config.conf
lrwxrwxrwx 1 root root   80 Sep 19 13:26 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx 1 root root   79 Sep 19 13:26 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx 1 root root   75 Sep 19 13:26 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx 1 root root   72 Sep 19 13:26 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx 1 root root   71 Sep 19 13:26 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx 1 root root   76 Sep 19 13:26 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx 1 root root   82 Sep 19 13:26 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx 1 root root   72 Sep 19 13:26 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx 1 root root   77 Sep 19 13:27 modsecurity_crs_42_comment_spam.conf -> /etc/httpd/conf/crs/2.2.5/optional_rules/modsecurity_crs_42_comment_spam.conf
lrwxrwxrwx 1 root root   75 Sep 19 13:26 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx 1 root root   68 Sep 19 13:26 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx 1 root root   78 Sep 19 13:26 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx 1 root root   85 Sep 19 13:26 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx 1 root root   77 Sep 19 13:26 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx 1 root root   69 Sep 19 13:26 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx 1 root root   78 Sep 19 13:26 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx 1 root root   72 Sep 19 13:26 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_60_correlation.conf

$ ls -al activated_rules/

total 112K

drwxr-xr-x 2 root root 4.0K Sep 19 13:27 .

drwxr-xr-x 9 root root 4.0K Sep 19 13:25 ..

lrwxrwxrwx 1 root root 67 Sep 19 13:26 modsecurity_35_bad_robots.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_35_bad_robots.data

lrwxrwxrwx 1 root root 65 Sep 19 13:26 modsecurity_35_scanners.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_35_scanners.data

lrwxrwxrwx 1 root root 72 Sep 19 13:26 modsecurity_40_generic_attacks.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_40_generic_attacks.data

lrwxrwxrwx 1 root root 78 Sep 19 13:26 modsecurity_41_sql_injection_attacks.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_41_sql_injection_attacks.data

lrwxrwxrwx 1 root root 73 Sep 19 13:27 modsecurity_42_comment_spam.data -> /etc/httpd/conf/crs/2.2.5/optional_rules/modsecurity_42_comment_spam.data

lrwxrwxrwx 1 root root 65 Sep 19 13:26 modsecurity_50_outbound.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_50_outbound.data

lrwxrwxrwx 1 root root 73 Sep 19 13:26 modsecurity_50_outbound_malware.data -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_50_outbound_malware.data

lrwxrwxrwx 1 root root 56 Sep 19 13:26 modsecurity_crs_10_config.conf -> /etc/httpd/conf/crs/2.2.5/modsecurity_crs_10_config.conf

lrwxrwxrwx 1 root root 80 Sep 19 13:26 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_20_protocol_violations.conf

lrwxrwxrwx 1 root root 79 Sep 19 13:26 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_21_protocol_anomalies.conf

lrwxrwxrwx 1 root root 75 Sep 19 13:26 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_23_request_limits.conf

lrwxrwxrwx 1 root root 72 Sep 19 13:26 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_30_http_policy.conf

lrwxrwxrwx 1 root root 71 Sep 19 13:26 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_35_bad_robots.conf

lrwxrwxrwx 1 root root 76 Sep 19 13:26 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_40_generic_attacks.conf

lrwxrwxrwx 1 root root 82 Sep 19 13:26 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

lrwxrwxrwx 1 root root 72 Sep 19 13:26 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_41_xss_attacks.conf

lrwxrwxrwx 1 root root 77 Sep 19 13:27 modsecurity_crs_42_comment_spam.conf -> /etc/httpd/conf/crs/2.2.5/optional_rules/modsecurity_crs_42_comment_spam.conf

lrwxrwxrwx 1 root root 75 Sep 19 13:26 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_42_tight_security.conf

lrwxrwxrwx 1 root root 68 Sep 19 13:26 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_45_trojans.conf

lrwxrwxrwx 1 root root 78 Sep 19 13:26 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_47_common_exceptions.conf

lrwxrwxrwx 1 root root 85 Sep 19 13:26 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_48_local_exceptions.conf.example

lrwxrwxrwx 1 root root 77 Sep 19 13:26 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_49_inbound_blocking.conf

lrwxrwxrwx 1 root root 69 Sep 19 13:26 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_50_outbound.conf

lrwxrwxrwx 1 root root 78 Sep 19 13:26 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_59_outbound_blocking.conf

lrwxrwxrwx 1 root root 72 Sep 19 13:26 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf/crs/2.2.5/base_rules/modsecurity_crs_60_correlation.conf

If you have something similar to that, then you are good so far.

Next up we need to edit our httpd.conf file to include the rules. This is what i added, and i added mine below the ‘extendedStatus on’ section which is only a bit below the LoadModule section. I would recommend doing the same so that it follows after the loading of mod_security.

#
# mod_security setup
#
<IfModule security2_module>
    Include conf/crs/2.2.5/modsecurity_crs_10_config.conf
    Include conf/crs/2.2.5/activated_rules/*.conf
</IfModule>

# mod_security setup

Include conf/crs/2.2.5/modsecurity_crs_10_config.conf

Include conf/crs/2.2.5/activated_rules/*.conf

</IfModule>

That should load all the symlinked rule files into mod_security, and thus you should be done.

Now to restart the httpd server once again and check that everything is ok.

$ service httpd restart

1	$ service httpd restart

Enabling/Disabling Apache Modules.

With a complex server that is exposing itself in so many ways to the outside world, the least number of modules you can have running will help in reducing possible attack vectors that can be exploited by malicious hackers. Plesk makes enabling and disabling apache_modules super easy so we should not need to fire up the CLI/SSH any further at this point. Log into your Plesk panel and go to the “Tools & Settings” tab. There click on ‘Apache Modules’ which should be under ‘General Settings’ group.

Please check carefully the function of each apache module before turning it off, although i do not need them myself, you may depending on what your doing with your server. I have gone and made it easy by grouping them into some useful groups to explain what they are roughly about, and also provided a link for each module so you can get the official story on what its about before you go ahead and turn it off.

Here are a list of modules you should turn ON:

mod_cloudflare
evasive20
security2
mod_expires
mod_headers (necessary if we want to later add some restrictions on revealing server setup host/OS etc).
mod_reqtimeout
mod_unique_id
mod_cache (necessary for mod_disk_cache).
mod_disk_cache (Will improve performance of URI lookups).
mod_rewrite (You will want this if you need access to rewrite rules in your .htaccess files).

So, the evasive20 and the security2 modules correspond to the modules we installed earlier, if they are not on already turn them on now!

If you are running Plesk and not something else like CPanel, you will still need to be running mod_perl and mod_python even if you do not use perl or python scripts yourself on your server Plesk depends on these scripting engines (sucks i know, would love to disable them both, i just don’t use them).

Here are some modules you should turn OFF:

Filtering and substitution modules you likely will never use. (each one refiltering the same content and with potentially multiple rules being applied to each. Madness!)

Modules for remote management of database, mostly using really peculiar and obscure methods not suitable for average Plesk VPS users.

Chances are you won’t be using LDAP.

Mostly things you won’t need or care about.

With regards to deflate, please bear in mind that firstly, most browsers will cache images, css and scripts, so deflating them is pointless. Secondly as for html output, use a decent framework with template optimisation and caching for your code. For example, in php there is the Symfony framework which automatically optimises your html (strips whitespace from your html [to some limited extent, but can be optimised further with some understanding of the template engine]). Also, minify your assets manually prior to upload or during the process of building a local cache for your sites assets, this will have the same affect as using deflate except it only need be done once, where as deflate does it every single request (not good for performance!). You get extra points for using CloudFlare which acts as a CDN and will cache all your assets for you.

Next up, if you are not using SHTML SSI, CGI scripts, Tomcat/Server side Java Applets, then disable all of the following:

These are mostly tracking and logging, from a security stand point that can be a good thing, however chances are most of these logs won’t ever be checked, and all bloat your servers load time. If you need them, just pick a few but don’t enable them all. Remember that CloudFlare will block some of the damage and also log a lot of the activity for you, further more mod_evasive and mod_security will also block quite a lot of varying attacks now. I would only be activating them if i have an issue that needs a closer look, otherwise its just more crud running in the background.

You likely won’t need rpaf, if you don’t know what it is, you likely do not need it, same for mod_aclr for nginx.

Chances are you can also disable most of the authn_ and authz_ modules, unless you have specific use cases for them. The same also applies to all the proxy modules.

By disabling most/all of the above not only do we reduce the number of attack vectors but actually save a lot of memory and your website will generally load much faster. Since making these changes i have noticed nearly more than half the load time on my site. Thats nearly twice as fast. (site being CodeConsortium).

Sometimes performance is a benefit when mitigating DDoS (depending on the level of the attack), where if your site is being reduced to a crawl, at least if the content is served a bit quicker and the assets are cached on some CDN, the site may still be usable (potentially).

There may be more modules you can disable, however it is your responsibility to work that out for yourself, see what you need and don’t need. Also try them out few at a time rather than doing all of them and then finding you broke something, much easier to eliminate the potential causes from the list if you only do a few or 1 at a time.

If you want to know what modules are loaded, try ‘$ httpd -M’ to list them.

Plesk Firewall Changes.

By default, plesk leaves quite a few services exposed that you probably won’t need access to from the outside, particularly when access is already being provided through an html interface via the Plesk Panel.

Change the following to “deny incoming from all” for the following at your own discretion:

MySQL Server (this can be administrated through PHPMyAdmin, no need to allow direct access to this).
PostGreSQL Server (same as above).
Tomcat Administrative Interface (if your not using java on the server that is, otherwise you *might* need it).
Samba (Just not likely to need it, FTP will do fine).
Ping Service

With regard to the ping service, i choose to deny all traffic for the simple reason that, if your using CloudFlare, then your servers original IP address should be hidden behind CloudFlare. However if some malicious hacker does find your IP address, they should not be able to view the website as the traffic did not originate from cloudflare (thanks to the mod_cloudflare) so there browser should not receive any html or valid responses. So the last thing we want to do is validate their suspicions that the IP they have uncovered is legit by returning a ping request. In-fact what we want is to tell any potential hackers the least amount of useful information we can get away with; without crippling our own network.

The other thing to remember is, some of the older attacks still use ping for DDoS, denying inbound ping requests will lighten the load on the server if an attacker should choose to use this method. That said, the switch, router and even servers NIC can still be overloaded if the packet size and quantity is very large, and while we cannot really stop inbound ping based DoS attacks, at least we are not wasting outbound traffic by responding to it.

Configuring ‘httpd.conf’.

We can add some more fine grain refinements to our httpd.conf file for a little bit extra security.

1) Set, ServerSignature to Off. This will reveal less info in the http headers about your server setup.
2) Set ServerTokens to Prod. Also works to reveal less info in the http headers.
3) Add Header unset X-Powered-By.
4) Limit request body.
5) Limit XML request body.
6) Lower the timeout to 45 seconds.

I recommend only setting 1 or 2 of these at a time and then testing them before changing more. You can do this incrementally by testing each config by running ‘httpd -t’ on the CLI.

# Disable features with known stability issues.
EnableMMAP Off
EnableSendfile Off

# Reduce exposure.
ServerSignature to Off
ServerTokens to Prod
Header unset X-Powered-By

# Impose limits on Request/Responses.
LimitInternalRecursion 5
LimitRequestBody 5242880
LimitXMLRequestBody 5242880
LimitRequestFields 50

Timeout 45

KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 45

# Disable features with known stability issues.

EnableMMAP Off

EnableSendfile Off

# Reduce exposure.

ServerSignature to Off

ServerTokens to Prod

Header unset X-Powered-By

# Impose limits on Request/Responses.

LimitInternalRecursion 5

LimitRequestBody 5242880

LimitXMLRequestBody 5242880

LimitRequestFields 50

Timeout 45

KeepAlive On

KeepAliveTimeout 15

MaxKeepAliveRequests 45

If you have already setup your CloudFlare, or any other CDN for that matter, and are using some tool to monitor your HTTP Headers. Then you may notice that most of the resources still say X-Powered-By etc while the main page html does not. This is because you need to log into your CloudFlare/CDN and purge your cache after you have saved the above settings and restarted your HTTPD server. After restarting your server and purging your CDN cache, you will notice the X-Powered-By header strings disappear.

Disabling NMAP and SendFile, is more for the instability issues that can occur. Both are designed to allegedly improve performance of serving static content, however i did not notice any decrease in performance by disabling them. This is likely because my site is entirely dynamic with the exception of assets that are already being cached on the CDN. Therefor if you use a CDN and most of your site is dynamically generated via PHP, Ruby or likewise then just turn these both off as they won’t do much for improving performance but could reduce stability issues for your OS (which is good).

Setup a sensible default for public directories that apache has access to.

# Limit access to default directories, block altogether if possible.
# If you do not use them, just deny from all!
<Directory />
    Options -Indexes +FollowSymLinks -ExecCGI -Includes
    AllowOverride None
</Directory>

# Limit access to default directories, block altogether if possible.

# If you do not use them, just deny from all!

Options -Indexes +FollowSymLinks -ExecCGI -Includes

AllowOverride None

</Directory>

<Directory "/var/www/html">
    #Options -Indexes +FollowSymLinks -ExecCGI -Includes
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

#Options -Indexes +FollowSymLinks -ExecCGI -Includes

Options None

AllowOverride None

Order allow,deny

Allow from all

</Directory>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    #Options -MultiViews -Indexes -FollowSymlinks -SymLinksIfOwnerMatch -IncludesNoExec -Includes -ExecCGI
    Options None
    <Limit GET POST OPTIONS>
        Order allow,deny
        #Allow from all
        Deny from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

AllowOverride FileInfo AuthConfig Limit

#Options -MultiViews -Indexes -FollowSymlinks -SymLinksIfOwnerMatch -IncludesNoExec -Includes -ExecCGI

Options None

Order allow,deny

#Allow from all

Deny from all

</Limit>

Order deny,allow

Deny from all

</LimitExcept>

</Directory>

Any other instances for the setup of vhosts/alias and directories etc, use -Indexes to prevent browsing of directories everywhere.

Some default apache/Plesk installs will setup an alias to /icons/, make sure that you disable this by commenting out the alias line. You can also keep the remaining setup for this by once again negating the Indexes and lastly, change the last bit to ‘Deny from all’.

#Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    #Options -Indexes -MultiViews -FollowSymLinks -ExecCGI -Includes
    Options None
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

#Alias /icons/ "/var/www/icons/"

#Options -Indexes -MultiViews -FollowSymLinks -ExecCGI -Includes

Options None

AllowOverride None

Order allow,deny

Deny from all

</Directory>

Do the same again for the CGI scripts directory.

#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Deny from all
</Directory>

#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased

# CGI directory exists, if you have that configured.

AllowOverride None

Options None

Order allow,deny

Deny from all

</Directory>

Though i added the header unset directive for the X-Powered-By, the same does not work for MS-Authored-By header string, in order to remove this, comment out the LoadModule lines for:

#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_module modules/mod_dav.so

Some of the above tricks were found here.

Disabling Directory Browsing.

Also, you can edit your vhost.conf so that the line for Options disables indexes and allows symlinks. By doing this symlinks being active means the OS treats symlinks like regularly directories and takes less time to by passing checks on wether the folder is a symlink or not and checking if the directory it points to exists or not. This way we don’t check if it exists before trying to follow it, so it speeds things up a little. Disabling indexes will turn off directory browsing, which just adds a little extra onto our security.

Options -Indexes +FollowSymLinks

1	Options -Indexes +FollowSymLinks

Prevent PHP exposing itself in HTTP Headers.

In your php.ini turn expose_php to Off.

Remember, you will likely have quite a few versions of php.ini all over your file system, you have the default one, then sometimes another default for the CLI (which can differ), also you may have one for the Plesk system, and again another for each individual vhost.

Here is a nice script to tell you which php.ini files are exposing your server.

$ for f in `locate php.ini` ; do echo $f; cat $f | grep expose_ ; done

1	$ for f in `locate php.ini` ; do echo $f; cat $f \| grep expose_ ; done

Output should be something like:

/etc/php.ini
expose_php = Off
/etc/php.ini.saved_by_psa
expose_php = On
/etc/php.ini.saved_by_psa.07.07;04:13
expose_php = Off
/usr/local/psa/admin/conf/php.ini
expose_php = Off
/usr/share/doc/php-common-5.3.3/php.ini-development
expose_php = On
/usr/share/doc/php-common-5.3.3/php.ini-production
expose_php = Off

/etc/php.ini

expose_php = Off

/etc/php.ini.saved_by_psa

expose_php = On

/etc/php.ini.saved_by_psa.07.07;04:13

expose_php = Off

/usr/local/psa/admin/conf/php.ini

expose_php = Off

/usr/share/doc/php-common-5.3.3/php.ini-development

expose_php = On

/usr/share/doc/php-common-5.3.3/php.ini-production

expose_php = Off

If you have a very short list, or none at all, then you may need to update your locate database.

$ updatedb

1	$ updatedb

Summary.

These are the steps i have taken so far, though i am continuing the search to harden the Plesk / LAMP stack. As i find new techniques that are particularly profound i will follow up with more articles. If you have any suggestions, please leave a comment below or head over to the forum. Some of the links below in the further reading section cover topics i am yet to fully investigate, and i will write more articles about other new techniques soon.

Setting up LAMP and PHPUnit on CentOS for staging.

I needing to setup a staging environment that more or less emulates the platform of your deployment system, i needed to setup a LAMP stack with PHPUnit for testing on the target platform.

Using CentOS and help from my good friend Cordoval (you can check out his cutting edge blog at http://www.craftitonline.com) we setup using Apache, PHP and MySQL.

We used the yum package manager to get things up and running:

First we needed to setup php :

$ yum install php

1	$ yum install php

$ yum install php-dom

1	$ yum install php-dom

and mysql:

$ yum install mysql

1	$ yum install mysql

$ yum install mysql-server

1	$ yum install mysql-server

$ yum install mysql-devel

1	$ yum install mysql-devel

$ chgrp -R mysql /var/lib/mysql

1	$ chgrp -R mysql /var/lib/mysql

$ chmod -R 770 /var/lib/mysql

1	$ chmod -R 770 /var/lib/mysql

$ service mysqld start

1	$ service mysqld start

With that done, we needed to then setup PEAR:

$ yum install php-pear

1	$ yum install php-pear

Then i followed the guides found here: (http://ulaptech.blogspot.co.uk/2011/07/install-phpunit-in-rhel-centos-or.html)

I will copy the instructions but all credit goes to the link above:

1. Make sure that you’re PEAR is version 1.9.2 or above.

$ pear upgrade pear

1	$ pear upgrade pear

2. Discover all channels required.

$ pear channel-discover pear.phpunit.de

1	$ pear channel-discover pear.phpunit.de

$ pear channel-discover pear.symfony-project.com

1	$ pear channel-discover pear.symfony-project.com

$ pear channel-discover components.ez.no

1	$ pear channel-discover components.ez.no

3. Install PHPUnit with all the dependencies

$ pear install --force --alldeps channel://pear.php.net/HTTP_Request2-2.0.0RC1

1	$ pear install --force --alldeps channel://pear.php.net/HTTP_Request2-2.0.0RC1

<–

optional, at the time of writing this is beta so I had to force install it

$ pear install --alldeps phpunit/PHPUnit

1	$ pear install --alldeps phpunit/PHPUnit

4. Done. Test PHPUNIT.

$ phpunit

$ phpunit

Symfony2 CLI does not connect to MySQL while browser works fine.

So i had an issue that i am still somewhat unsure of the cause, though i suspect the culprit was an upgrade to a newer version of MAMP.

So when using the Symfony2 project in the browser, everything works fine, however on the CLI i get the following:

[PDOException]
SQLSTATE[HY000] [2002] No such file or directory

[ErrorException]
Warning: PDO::__construct(): [2002] No such file or directory (trying to connect via unix:///var/mysql/mysql.sock) in …htdocs/Symfony/vendor/doctrine-dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php line 36

So i thought it was pretty odd that the CLI would not connect when the browser did just fine. I tried adding this to my parameters.ini:

database_socket= "/Applications/MAMP/tmp/mysql/mysql.sock"

1	database_socket= "/Applications/MAMP/tmp/mysql/mysql.sock"

Though this seems to have made no difference what so ever. It seems SF2 CLI would ignore the sock file location and was only interested in the sock file located in the /private/var/mysql directory. So the solution is to make a symlink to the sock file thus resolving the issue. Do the following to resolve it:

$ sudo mkdir /private/var/mysql/

1	$ sudo mkdir /private/var/mysql/

$ sudo ln -s /Applications/MAMP/tmp/mysql/mysql.sock /private/var/mysql/mysql.sock

1	$ sudo ln -s /Applications/MAMP/tmp/mysql/mysql.sock /private/var/mysql/mysql.sock

This should resolve the issue.

Redirecting on login/logout in Symfony2 using LoginHandlers.

Using login handlers or even logout handlers, we can do a number of last minute things before the user is redirected to where they need to go. Being able to intercept the redirect at the last minute and make the user get redirected elsewhere is relatively simple.

Firstly though, i notice a lot of people now who are using Symfony 2 are cheating somewhat by using an EventListener and registering it with the security.interactive_login event listener. This is not the best way to go about this, namely because this event listener is not intended for this purpose. Sometimes event listeners are not the best way to go because they were defined for a specific purpose other than your intention and using them may have undesirable side effects you may not notice right away. Using handlers however allows a little more flexibility in that in all likelihood regardless of changes to Symfony in future revisions, they should still work and were designed specifically for the purposes we will need them for.

Firstly, we need to define our services, personally, i am a fan of YAML, so i define my services as such but feel free to do the same in XML:

parameters:
    ccdn_user_security.component.authentication.handler.login_failure_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LoginFailureHandler
    ccdn_user_security.component.authentication.handler.logout_success_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LogoutSuccessHandler
    
services:
    ccdn_user_security.component.authentication.handler.login_failure_handler:
        class:  %ccdn_user_security.component.authentication.handler.login_failure_handler.class%
        arguments:  [@service_container, @router, @security.context]
        tags:
            - { name: 'monolog.logger', channel: 'security' } 
    ccdn_user_security.component.authentication.handler.logout_success_handler:
        class:  %ccdn_user_security.component.authentication.handler.logout_success_handler.class%
        arguments:  [@service_container, @router]
        tags:
            - { name: 'monolog.logger', channel: 'security' }

parameters:

ccdn_user_security.component.authentication.handler.login_failure_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LoginFailureHandler

ccdn_user_security.component.authentication.handler.logout_success_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LogoutSuccessHandler

services:

ccdn_user_security.component.authentication.handler.login_failure_handler:

class: %ccdn_user_security.component.authentication.handler.login_failure_handler.class%

arguments: [@service_container, @router, @security.context]

tags:

- { name: 'monolog.logger', channel: 'security' }

ccdn_user_security.component.authentication.handler.logout_success_handler:

class: %ccdn_user_security.component.authentication.handler.logout_success_handler.class%

arguments: [@service_container, @router]

tags:

- { name: 'monolog.logger', channel: 'security' }

Now our services are defined, we need to define the handlers themselves. I like to create a directory named Services in my user bundle for this purpose, then create 2 files. The first file is LoginSuccessHandler, the second is LogoutSuccessHandler. Our handlers will implement the appropriate interface for either our login or logout handlers, which require usually only one method in these instances.

Here is what the login handler should look like:

<?php

namespace CCDNUser\SecurityBundle\Component\Authentication\Handler;

use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\SecurityContext;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Routing\Router;

class LoginSuccessHandler implements AuthenticationSuccessHandlerInterface
{
	
	protected $router;
	protected $security;
	
	public function __construct(Router $router, SecurityContext $security)
	{
		$this->router = $router;
		$this->security = $security;
	}
	
	public function onAuthenticationSuccess(Request $request, TokenInterface $token)
	{
		
		if ($this->security->isGranted('ROLE_SUPER_ADMIN'))
		{
			$response = new RedirectResponse($this->router->generate('category_index'));			
		}
		elseif ($this->security->isGranted('ROLE_ADMIN'))
		{
			$response = new RedirectResponse($this->router->generate('category_index'));
		} 
		elseif ($this->security->isGranted('ROLE_USER'))
		{
			// redirect the user to where they were before the login process begun.
			$referer_url = $request->headers->get('referer');
						
			$response = new RedirectResponse($referer_url);
		}
			
		return $response;
	}
	
}

<?php

namespace CCDNUser\SecurityBundle\Component\Authentication\Handler;

use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

use Symfony\Component\Security\Core\SecurityContext;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpFoundation\RedirectResponse;

use Symfony\Component\Routing\Router;

class LoginSuccessHandler implements AuthenticationSuccessHandlerInterface

{

protected $router;

protected $security;

public function __construct(Router $router, SecurityContext $security)

{

$this->router = $router;

$this->security = $security;

}

public function onAuthenticationSuccess(Request $request, TokenInterface $token)

{

if ($this->security->isGranted('ROLE_SUPER_ADMIN'))

{

$response = new RedirectResponse($this->router->generate('category_index'));

}

elseif ($this->security->isGranted('ROLE_ADMIN'))

{

$response = new RedirectResponse($this->router->generate('category_index'));

}

elseif ($this->security->isGranted('ROLE_USER'))

{

// redirect the user to where they were before the login process begun.

$referer_url = $request->headers->get('referer');

$response = new RedirectResponse($referer_url);

}

return $response;

}

Note my namespace is CCDNUser, and my bundle is called SecurityBundle, so our service is named ccdn_user_security.component.authentication.handler.login_failure_handler. Change this to your own namespace and bundle name accordingly but ensure to use the same format as used here, underscore your namespace and append the bundle name with an additional underscore without the term ‘bundle’ in it. Failure to get this part correct will mean your namespace will not be loaded and you will get problems later on in this tutorial as exceptions will be thrown regarding the service not existing.

Here is what the logout handler should look like:

<?php

namespace CCDNUser\SecurityBundle\Component\Authentication\Handler;

use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Bundle\FrameworkBundle\Routing\Router;

class LogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
	
	protected $router;
	
	public function __construct(Router $router)
	{
		$this->router = $router;
	}
	
	public function onLogoutSuccess(Request $request)
	{
		// redirect the user to where they were before the login process begun.
		$referer_url = $request->headers->get('referer');
					
		$response = new RedirectResponse($referer_url);		
		return $response;
	}
	
}

<?php

namespace CCDNUser\SecurityBundle\Component\Authentication\Handler;

use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpFoundation\RedirectResponse;

use Symfony\Bundle\FrameworkBundle\Routing\Router;

class LogoutSuccessHandler implements LogoutSuccessHandlerInterface

{

protected $router;

public function __construct(Router $router)

{

$this->router = $router;

}

public function onLogoutSuccess(Request $request)

{

// redirect the user to where they were before the login process begun.

$referer_url = $request->headers->get('referer');

$response = new RedirectResponse($referer_url);

return $response;

}

Our service definitions inject some of the classes we need to make use of our handlers, namely a Router object and the SecurityContext object, we can store these in member variables for later use. Then we wait for the onAuthenticationSuccess method to be called in our LoginSuccessHandler, once this has happened, we have a request and token interface object at our disposal. Using the security context object we can determine what role they have (i.e; ROLE_USER, ROLE_ADMIN etc) and appropriately redirect them as needed.

I like to redirect members of ROLE_USER role to where they came from prior to logging in. This is achieved by passing the ‘referer’ header into the redirect response object we return. I took this step both in the login and logout handlers.

Last thing we now need to do, is inform our security config that it needs to use these handlers by doing the following:

# App/config/security.yml
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager

    firewalls:
        main:
            #pattern:    .*
            form_login:
                provider:       fos_userbundle
                login_path:     /login
                use_forward:    false
                check_path:     /login_check
                success_handler: ccdn_user_security.component.authentication.handler.login_success_handler
                failure_path:   null
            logout:
                path:   /logout
                target: /
                success_handler: ccdn_user_security.component.authentication.handler.logout_success_handler
            anonymous:  true

# App/config/security.yml

security:

providers:

fos_userbundle:

id: fos_user.user_manager

firewalls:

main:

#pattern: .*

form_login:

provider: fos_userbundle

login_path: /login

use_forward: false

check_path: /login_check

success_handler: ccdn_user_security.component.authentication.handler.login_success_handler

failure_path: null

logout:

path: /logout

target: /

success_handler: ccdn_user_security.component.authentication.handler.logout_success_handler

anonymous: true

In this instance i am using FOSUserBundle and extending it in my own UserBundle, though this code is contained in the SecurityBundle. Which is probably the best way to do this. As the handlers used here work in any bundle because they plugin to Symfony2 core and implement their login handlers, and should not be dependant on any user bundle.

You can see a complete implementation of this in my security bundle found on github

Once this is implemented your on your way to a better login/logout system. Enjoy.

Symfony Embedded Forms ‘take 2′

Learnt some new things while working with symfony’s embedded forms, as we know, when they are have relations in the entities that the form is modelled after you want to ensure that when including the other form type that you create an instance of the formType representing the many in the manyToOne relationship. For example in the forum i am working on (which you can find on github here though currently still in development as of the date of this blog entry) a Topic has MANY Posts, as a result, we build our form by instantiating the PostType first and then adding the TopicType to it as a field because the PostType has a related Topic in the database schema.

But following up from the last post, what about when we have unique use cases for our form Types? What if we want to use a PostType without including the TopicType or we wish to conditionally decide wether for the purposes of editing we need to populate the form before presenting it?

To make this easier, in my FormHandlers what i choose to do is pass an array with some options we can use, namely a mode key specifies wether we are to ‘insert’ or ‘update’ an entity, and other keys for holding the entity to populate the form if mode is ‘update’

Here is an example from the top half of my TopicFormHandler:

class TopicFormHandler
{
	protected $factory;
	protected $request;
	protected $options;
	protected $form;

	public function __construct($factory, Request $request, array $options = null )
	{
		$this->factory = $factory;
		$this->request = $request;
		$this->options = $options;
		
		if ($this->options['mode'] == 'update')
		{
			$this->form = $factory->create(new PostType(), $this->options['post']);
			$this->form->add($factory->create(new TopicType(), $this->options['post']->getTopic()));
		}
		else
		{
			$this->form = $factory->create(new PostType());
			$this->form->add($factory->create(new TopicType()));
		}
	}
}

class TopicFormHandler

{

protected $factory;

protected $request;

protected $options;

protected $form;

public function __construct($factory, Request $request, array $options = null )

{

$this->factory = $factory;

$this->request = $request;

$this->options = $options;

if ($this->options['mode'] == 'update')

{

$this->form = $factory->create(new PostType(), $this->options['post']);

$this->form->add($factory->create(new TopicType(), $this->options['post']->getTopic()));

}

else

{

$this->form = $factory->create(new PostType());

$this->form->add($factory->create(new TopicType()));

}

To view the full source in greater context, explore the source on github here.

‘cd ..’, ‘cd ./‘ when updating directories in Max OS X.

So a strange thing happened while doing some coding in symfony2. At first i thought it was symfony2, but realised i was using the wrong version, so no problem. I got the latest version, renamed the old one by appending an underscore and put the updated one in the same place with the name of the old directory.

So ‘symfony’ became ‘symfony_’ then the new folder could be called ‘symfony’ without getting an error about trying to name a directory the same as an existing one. This part was done in the finder.

No problem’o, now when i try to use the command line, which might i mention was already being used prior to shuffling the directories and i try to do ‘pwd’ it tells me i am in ‘symfony’. Great, however i still get the same errors as before, which i thought odd. When i did ‘cd ..’ then ‘cd symfony’, it fixed it, even though prior to that ‘pwd’ told me i was in the symfony folder, in reality, the command line thought i was in the now defunct directory ‘symfony_’.

So it seems when renaming a directory to put another of the same name in its place, if the command line was already ‘cd’d’ in there, then it will still point to the old directory regardless of the change of name. And to resolve this, you need to cd back then forward again.

I am just guessing here, but perhaps the cmd points to nodes on the filesystem and thusly does not care much about the directory name.

Not sure if this is a mac issue or a inherent problem with the unix/posix standard. Interesting and annoying though non-the-less.

HP Pavilion dv6-3119sa Entertainment Notebook PC (XU644EA) Review

New laptop! YAY. So i decided i wanted a new machine to run linux on as its a bit tiresome running Linux in a VM, and on my Macbook Pro the EFI is often problematic for linux installs; that said there are work arounds but i preferred to avoid that grief and go for the simpler option. So i bought a new laptop for my Linux installs so i could take it out and share what i am working on with friends with anything *nix related.

I had planned in the future to learn a bit about hypervisors and how to effectively run and manage linux machines on a hypervisor and this is great for that. Now i can take it out and work with friends in person with it.

So for the review; i had looked around pretty hard to find a decent laptop that wouldn’t break the bank but that also had good hardware and a design that does not compromise. Which incidently is very difficult to find. Most laptops out there in my humble opinion are just ugly; though for those of us who prefer something with a bit more taste the HP Pavilion DV6-4119SA is a beautiful machine. If your a fan of Mac’s; much like myself, then you will love this machine for running Windows. The typical install of Windows it ships with (Windows 7) works great on the Core i5 processor in it, though like most new machines you will need to decrapify it (URL: http://www.pcdecrapifier.com/) to make it run at its best.

The streamline shape and slim profile along with its black chick keys and multi touch trackpad this machine is quite reminiscent of the aluminium Macbook’s. Of course this is discounting the fact that the case design is not a unibody design and it comes with a drive trey instead of slot loading optical drive. That said overall its a really nice machine, specially for windows users who desire a better looking machine that delivers results.

Things of note however are that you don’t get a recovery dvd as seems to be customary in so many modern PC manufacturers these days and that for running Linux you may encounter a few hick-ups.

I find the trackpad to be somewhat annoying in Linux distro’s, namely because HP decided to emulate the Macbook to the degree that the trackpad has only one click button under its surface which maps wether you have a right or left click on the basis of which side of the touchpad your finger is pressed on. This is very annoying on the typical Linux desktop environment because Synaptic’s don’t seem to offer any linux drivers or software to support this; or least not that i have found yet and so i am left without a right click option as a result because Linux considers clicking anywhere a left click even on the right hand portion of the trackpad.

Also in my experience thus far i find the Wireless to be sketchy but this may not be the fault of the machine or Linux. To clarify on this Windows 7 runs on Wifi just fine with no problems; setup was quick and pane-less and i was on the web in no time. In Linux however it has been a different story, Linux Mint 10 LXDE and XFCE seem to connect to the wireless router just fine, though Mint 10 KDE and Gnome seem to not want to connect at all and i have tried playing around with the settings but am yet to find the problem, it could be a configuration issue. Xubuntu is also facing similar problems. Kubuntu and Ubuntu are yet to be tested on this issue.

On the plus side however i consider the boot up of most Linux distro’s on this machine to be very fast.

In terms of price, i find ordering directly from HP to offer the best price on this laptop and was not able to find it cheaper elsewhere so i would recommend buying direct. I did do a froogle search and also checked amazon and ebuyer directly but they could not beat HP’s own price.

http://h40059.www4.hp.com/uk/homelaptops/product.php?id=XU644EA&experience=direct

In conclusion i highly recommend this laptop from my usage of it thus far, it has great design, works well, boots fast and looks great.

Reece Fowells Blog

The home of a lot of crapola…

Tag: technology

Simple Method for Checking for Order With Behat

Hardening LAMP / Plesk VPS / DDoS Mitigation.

Disclaimer.

CloudFlare and CDN’s.

Apache Modules.

Apache Module mod_evasive.

Apache Module mod_security.

Adding the OWASP Rule Set.

Enabling/Disabling Apache Modules.

Here are a list of modules you should turn ON:

Here are some modules you should turn OFF:

Plesk Firewall Changes.

Configuring ‘httpd.conf’.

Disabling Directory Browsing.

Prevent PHP exposing itself in HTTP Headers.

Summary.

Further Reading.

Setting up LAMP and PHPUnit on CentOS for staging.

Symfony2 CLI does not connect to MySQL while browser works fine.

Redirecting on login/logout in Symfony2 using LoginHandlers.

Symfony Embedded Forms ‘take 2′

‘cd ..’, ‘cd ./‘ when updating directories in Max OS X.

HP Pavilion dv6-3119sa Entertainment Notebook PC (XU644EA) Review