Topics - MRatWork

Pages: 1 [2] 3 4 5
16
There is a lot of information about 'Kloxo-MR 6.5.0 - CSRF Vulnerability'. One of the reports is http://www.exploit-db.com/exploits/32666/.

The question is: real or 'false positive'?

In my test (using Kloxo-MR 6.5.1.b-2014041104):

1. Open Firefox and then log in as the admin user
2. Open a new tab and then execute their code --> success
3. Open Chrome and then execute their code --> fail, and the page redirects to the login page

Conclusion:
1. Their code does not work without login (or remote execution will fail and automatically redirect to the login page)
2. With login, the page for their code will have the same session.
3. Not tested for 6.5.0.f, but I think it is the same situation

Action:
1. The above facts are still important as a security issue
2. Since 6.5.0.f and 6.5.1.b 2014041602, 'csrf token' validation is added.
3. Effect of #2: every process via 'post' (like add domain) is always verified with the 'csrf token', with/without login
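The check described in the post above (a 'csrf token' that every POST must carry, so that having a logged-in session cookie alone is no longer enough), as an added example. This is not Kloxo-MR code and is written in Python rather than the panel's PHP; the function names, the hidden field name csrf_token, the /add-domain action and the scenario values are assumptions.

```python
import hmac
import html
import secrets

# Added example, not Kloxo-MR code. A per-session CSRF token: minted server-side,
# rendered into the panel's own forms, required on every POST. The names used
# here (issue_csrf_token, validate_post, TOKEN_FIELD, /add-domain) are assumptions.

TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Return this session's CSRF token, minting one on first use.

    The token lives only in the server-side session and in pages the panel
    itself renders. A page on another origin cannot read it, even though the
    browser will still attach the session cookie to a POST that page sends.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_hex(32)
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str = "/add-domain") -> str:
    """Render a minimal 'add domain' form carrying the hidden token field."""
    token = html.escape(issue_csrf_token(session), quote=True)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <input type="text" name="domain">\n'
        '  <input type="submit" value="Add">\n'
        '</form>'
    )


def validate_post(session: dict, form: dict) -> bool:
    """Accept a POST only if it carries the token stored in this session.

    Being logged in (having the cookie) is exactly the state the exploit relied
    on, so the cookie proves nothing here. The comparison is constant-time so
    response timing does not leak the token byte by byte.
    """
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not isinstance(supplied, str) or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_add_domain(session: dict, form: dict) -> str:
    """Outcome of an 'add domain' POST: no session -> login page (the post's
    Chrome case); session but no valid token -> rejected (the fixed Firefox
    case); valid token -> the operation runs."""
    if not session.get("user"):
        return "redirect:/login"
    if not validate_post(session, form):
        return "rejected: csrf token missing or invalid"
    return f"added {form.get('domain', '')}"


if __name__ == "__main__":
    # Constructed scenario mirroring the post's test: admin is logged in, so a
    # cross-site POST carries the cookie, but it cannot carry the token.
    admin = {"user": "admin"}
    legit = {"domain": "example.com", TOKEN_FIELD: issue_csrf_token(admin)}
    cross_site = {"domain": "evil.example"}   # attacker page: cookie yes, token no
    print(handle_add_domain(admin, legit))
    print(handle_add_domain(admin, cross_site))
    print(handle_add_domain({}, cross_site))
```

The token is tied to the session rather than to one form, which is enough for the post's case; rotating it per request would also break legitimate multi-tab use of the panel.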

17
Kloxo-MR Releases / [UPDATE] PHP issues.
« on: 2014-04-10, 13:43:24 »
There are many issues related to php52s (in Kloxo-MR 6.5.0.f) and php53s (in Kloxo-MR 6.5.1.b).

To fix these issues:

1. For Kloxo-MR 6.5.0.f
Code:
cd /
rm -f *.rpm
yum replace mysql --replace-with=mysql55
chkconfig mysqld on
yum clean all
yum update php52s
sh /script/restart

2. For Kloxo-MR 6.5.1.b
Code:
cd /
rm -f *.rpm
yum clean all
yum replace mratwork-release --replace-with=mratwork-testing
yum update kloxomr
sh /script/php53s-installer
sh /script/fixlxphpexe php53s
sh /script/restart

sh /script/cleanup
and then go to 'switch program' to re-update the web server and go to 'webserver configure' to re-update the php-type.

18
Kloxo-MR Releases / [UPDATE] Kloxo 6.5.1.b to 2014040601
« on: 2014-04-06, 16:22:30 »
Kloxo-MR 6.5.1.b-2014040601 is already released. Fixes and features:

1. Back to using multiple declared httpd modules --> need fixweb if changing php-type manually
2. Fix permalink issue in httpd --> because no 'directory' was declared, related to no. 1
3. Fix mod_fcgid --> issue related to php code appearing
4. Add validation in 'Server Alias'
5. Implement protection against 'remote post' --> will be changed to a CSRF mechanism
6. Fix hiawatha related to directory protection
7. etcetera

And then, how to update?

Run 'yum update' and if that does not work try 'yum update --enablerepo=mratwork-testing*'.

19
Kloxo-MR Releases / [UPDATE] Kloxo 6.5.1.b to 2014040405
« on: 2014-04-04, 20:48:41 »
I have had trouble for a couple of days related to uploading the update since release 2014040201. Some trouble with github itself, besides something wrong with the repo itself. To fix this issue, I had to re-create the branch and submit/upload rpms of around 2GB at a speed of 20kBps.

To fix the issue from the previous update:
Code:
yum clean all
## will include Kloxo-MR 6.5.1.b-2014040405
yum update
## need to convert to the 'new' php53s
sh /script/php53s-installer
## must run cleanup, because cleanup-simple may not work
sh /script/cleanup

Depending on the CentOS version (5 or 6), you can install other versions of the phpXYm series like php52m, php53m, php54m and php55m (only ready for CentOS 6). This phpXYm series is for the upcoming 'multiple php', but we can use it for 'single php'.

Example: our system already has php53u but we want to use php54 without changing the php-branch from the panel or 'yum replace'; then run:
Code:
## install php54m
sh /script/php54m-install
## switch php for the website to php54m; only works for php-fpm
sh /script/switch-php-fpm php54m

If you still find errors when running 'yum update', modify '/etc/yum.repos.d/mratwork.repo':

from:
Code:
[mratwork-release-neutral-arch]
name=MRatWork - release-neutral-arch
baseurl=https://github.com/mustafaramadhan/kloxo/raw/rpms/release/neutral/$basearch/
#mirrorlist=http://rpms.mratwork.com/repo/mirrors/mratwork-release-neutral-$basearch-mirrors.txt
enabled=1
gpgcheck=0

[mratwork-release-version-noarch]
name=MRatWork - release-version-noarch
baseurl=https://github.com/mustafaramadhan/kloxo/raw/rpms/release/centos$releasever/noarch/
#mirrorlist=http://rpms.mratwork.com/repo/mirrors/mratwork-release-centos$releasever-noarch-mirrors.txt
enabled=1
gpgcheck=0

to:
Code:
[mratwork-release-neutral-arch]
name=MRatWork - release-neutral-arch
baseurl=https://github.com/mustafaramadhan/kloxo/raw/rpms/release/neutral/$basearch/
#mirrorlist=http://rpms.mratwork.com/repo/mirrors/mratwork-release-neutral-$basearch-mirrors.txt
enabled=0
gpgcheck=0

[mratwork-release-version-noarch]
name=MRatWork - release-version-noarch
baseurl=https://github.com/mustafaramadhan/kloxo/raw/rpms/release/centos$releasever/noarch/
#mirrorlist=http://rpms.mratwork.com/repo/mirrors/mratwork-release-centos$releasever-noarch-mirrors.txt
enabled=0
gpgcheck=0

and then run 'yum clean all; yum update kloxomr --enablerepo=mratwork-testing-*'

20
There are changes between 2014032301 and the previous release.

In 2014032301, php can be set per-user. That means you cannot see 'php configure' in domain, but in client.

With user-level php, we can set 'pm.max_children' (how many php threads are allocated per-user) in 'Limit' (see 'Number Of FastCGI Children'). If it shows 'Unlimited', Kloxo-MR will treat it as 'default' (6; six) threads.

If you find an error after the update, follow these steps:

1. Run 'sh /script/fixlxphpexe php53s' and check with 'lxphp -v'
2. If you find an error, run 'sh /script/fixlxphpexe php52s' and check with 'lxphp -v'
3. And then run 'sh /script/restart; sh /script/cleanup'

NOTE:
- We can see many scripts like 'php53s-installer' in the /script directory
- The purpose of the many php branch installers is 'multi-php' (not ready yet)

21
There is trouble if someone updates to 6.5.1.b-201403160x.

To fix this issue, run from ssh:
Code:
cd /
yum clean all
yum update
yum remove php53s*
rpm -e php53s-fpm --noscripts
sh /script/php53s-installer
sh /script/fixlxphpexe

and then, better:
Code:
sh /script/cleanup
reboot

22
Many people still use IPTables or CSF as a firewall on their Kloxo-MR server. Is it needed?

Look at the facts:

1. Try running 'nmap YOURPUBLICIP' or 'nmap localhost' (need to install nmap with 'yum install nmap'). Possibly we will see:
Code:
[root@dev /]# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-03-12 03:34 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1666 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
7777/tcp  open  cbt
7778/tcp  open  interwise


Nmap finished: 1 IP address (1 host up) scanned in 0.256 seconds

2. Explanation:
  • Ports 21/22 are already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
  • Ports 25/110/143/465/587/993/995 are not open ports (need login) and are used/handled by qmail-toaster
  • Port 53 is the DNS port and is used/handled by the DNS server
  • Ports 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (that means including their -proxy) have a 'ban' mechanism to prevent DDOS attacks. Apache alone needs mod_security (or similar modules; need to remove/disable if using nginx-/hiawatha-proxy)
  • Port 3306 is the mysql port; better to disable networking by adding 'skip-networking' or to point to a certain IP with 'bind-address = 127.0.0.1'
  • Ports 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not open ports (need login). Because they run using hiawatha, they also have the 'ban' mechanism

3. My decision:
  • Always disable IPtables (except for routing purposes)
  • Do not install another firewall (like CSF)
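Whatever one decides about a firewall, the post's own reasoning rests on two things that can be checked rather than assumed: which ports actually listen on a non-loopback address, and whether mysql is really bound to 127.0.0.1 (or off the network with 'skip-networking'). The following is an added example, not part of the post or of Kloxo-MR: it parses 'ss -lnt'-style output and a my.cnf fragment. The sample output and config text are constructed, and the sets of "explained" ports and "must stay local" ports are assumptions taken from the post's list.

```python
# Added example (not Kloxo-MR code): review listening sockets and mysql's
# network setting against the post's explanation. Sample data is constructed;
# AUTHENTICATED and LOCAL_ONLY are assumptions drawn from the post's port list.

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_ONLY = {3306}   # the post: mysql should be on 127.0.0.1 or skip-networking
AUTHENTICATED = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 7777, 7778}

# Constructed 'ss -lnt' output: mysql on all addresses, plus an unexplained 8080.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7777       0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
"""

# Constructed my.cnf fragments: the default (no bind-address) and the fix the post suggests.
SAMPLE_MY_CNF_WEAK = "[mysqld]\ndatadir=/var/lib/mysql\nsocket=/var/lib/mysql/mysql.sock\n"
SAMPLE_MY_CNF_FIXED = SAMPLE_MY_CNF_WEAK + "bind-address = 127.0.0.1\n"


def parse_listeners(ss_output: str):
    """Return (address, port) for every LISTEN line of 'ss -lnt' output.
    Handles '0.0.0.0:22', '*:80', '127.0.0.1:3306' and '[::]:443'."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                      # header or unrelated line
        addr, _, port = parts[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def review_listeners(ss_output: str, expected=AUTHENTICATED, local_only=LOCAL_ONLY):
    """Classify network-reachable listeners.

    'exposed_local_only': ports the post wants on loopback that listen on a
                          non-loopback address (mysql on 0.0.0.0).
    'unexpected':         network listeners the post's list does not explain;
                          worth a look before deciding no firewall is needed.
    """
    exposed, unexpected = set(), set()
    for addr, port in parse_listeners(ss_output):
        if addr in LOOPBACK:
            continue                      # not reachable from the network
        if port in local_only:
            exposed.add(port)
        elif port not in expected:
            unexpected.add(port)
    return {"exposed_local_only": sorted(exposed), "unexpected": sorted(unexpected)}


def mysql_network_setting(my_cnf: str) -> str:
    """Report how [mysqld] handles the network: 'disabled' for skip-networking,
    else the bind-address value, else '0.0.0.0' (MySQL 5.x listens on all
    addresses when nothing is set). Comments and other sections are ignored."""
    section, bind = None, None
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        if key == "skip-networking":
            return "disabled"
        if key == "bind-address":
            bind = value.strip()
    return bind or "0.0.0.0"


if __name__ == "__main__":
    print(review_listeners(SAMPLE_SS))
    print("mysql (default):", mysql_network_setting(SAMPLE_MY_CNF_WEAK))
    print("mysql (fixed):  ", mysql_network_setting(SAMPLE_MY_CNF_FIXED))
```

On a live server feed it the real output (`ss -lnt`, or `netstat -lnt` reformatted on CentOS 5) and /etc/my.cnf; an empty result for both findings is what the post's argument assumes.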

23
Versions qmail-toaster-1.03-1.3.36 and .37 have a big problem. Need to update to .38.

Steps for the update:
Code:
cd /
yum clean all
yum update
sh /script/fixmail-all
sh /script/restart-mail

24
The latest centalt.repo (taken by Kloxo-MR and declared inside mratwork.repo) includes php55 for replacing php. Because of it, we have trouble when running 'yum update' because of a conflict between centalt's php55 and the php installed on the server.

To handle this issue, update mratwork.repo with 'yum clean all; yum update mratwork-release'. With this update, php55 will be 'excluded' from the centalt repo.

25
There is still a problem with kloxomr-webmail-roundcube-1.0.rc. So, this version has been removed and changed to 0.9.5.

To downgrade:

1. Check the version with:
Code:
yum list installed kloxomr-webmail-roundcube
2. If you see Version 1.0.rc, downgrade with:
Code:
yum clean all
yum downgrade kloxomr-webmail-roundcube
sh /script/fixwebmail

26
If you find trouble when running 'yum update':
Code:
Error: Package: webalizer-2.23_05-5.mr.el6.x86_64 (@mratwork-release-version-arch)
           Requires: libgd.so.2()(64bit)
           Removing: gd-2.0.35-11.el6.x86_64 (@base)
               libgd.so.2()(64bit)
           Updated By: gd-2.1.0-1.el6.x86_64 (mratwork-centalt)
               Not found
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

follow these steps:
Code:
rpm -e gd --nodeps
yum install gd
yum update

27
At this moment, the mysql database name is no more than 16 chars with the format AAA_BBB (AAA = client name, no more than 12 chars; BBB = additional chars, no more than 3 chars). The database username is the same as the database name (if the database name is tester_wp, the username is tester_wp too).

The facts related to mysql naming:
1. database name possible UP TO 64 chars
2. database username limited to 16 chars

Proposal for mysql database name and username:
1. Database name possible up to 64 chars (lowercase alphanumeric and '_') with the format CCC_BBB (CCC = 4 random lowercase alphanumeric chars; example: a1sd; BBB = lowercase alphanumeric; example: wordpress or wp123)
2. Database username the same as the client name -> all databases under the 'tester' client always use the 'tester' database username.
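The two naming rules from the post above (the current AAA_BBB scheme squeezed into 16 characters, and the proposed CCC_BBB scheme with the username decoupled to the client name), as an added example in Python. This is not Kloxo-MR code: the function names are assumptions, the random prefix can be fixed for testing, and BBB is taken to be lowercase alphanumerics only, as in the post's examples 'wordpress' and 'wp123'. The 16- and 64-character limits are the ones the post states.

```python
import re
import secrets
import string

# Added example, not Kloxo-MR code: checks and a generator for the current and the
# proposed database naming schemes. Names are assumptions; limits come from the post.

ALNUM_LOWER = string.ascii_lowercase + string.digits
MYSQL_USER_MAX = 16      # post: "database username limited to 16 chars"
MYSQL_DB_MAX = 64        # post: "database name possible up to 64 chars"

LEGACY_RE = re.compile(r"^[a-z0-9]{1,12}_[a-z0-9]{1,3}$")   # AAA_BBB, <= 16 chars in total
PROPOSED_RE = re.compile(r"^[a-z0-9]{4}_[a-z0-9]+$")        # CCC_BBB


def legacy_db_name(client: str, suffix: str) -> str:
    """Current scheme: '<client>_<suffix>', client <= 12 and suffix <= 3 chars, so the
    whole name, which also serves as the username, fits the 16-char username limit."""
    name = f"{client}_{suffix}"
    if not LEGACY_RE.match(name):
        raise ValueError(f"not a valid AAA_BBB name: {name!r}")
    return name


def is_valid_proposed(name: str) -> bool:
    """Proposed scheme: 4 lowercase alphanumerics, '_', lowercase alphanumerics; <= 64 chars."""
    return len(name) <= MYSQL_DB_MAX and PROPOSED_RE.match(name) is not None


def proposed_db_name(label: str, prefix: str = "") -> str:
    """Build a CCC_BBB name. The prefix is random (like the post's 'a1sd') unless one
    is supplied, which keeps the function testable. The label is e.g. 'wordpress'."""
    if not prefix:
        prefix = "".join(secrets.choice(ALNUM_LOWER) for _ in range(4))
    name = f"{prefix}_{label}"
    if not is_valid_proposed(name):
        raise ValueError(f"not a valid CCC_BBB name: {name!r}")
    return name


def proposed_db_user(client: str) -> str:
    """Proposed scheme: the username is the client name itself, shared by all of that
    client's databases, so it is the only part that has to respect the 16-char limit."""
    if not re.fullmatch(r"[a-z0-9_]{1,16}", client):
        raise ValueError(f"username {client!r} must be 1-{MYSQL_USER_MAX} lowercase alnum/_ chars")
    return client


if __name__ == "__main__":
    print(legacy_db_name("tester", "wp"))                  # tester_wp
    print(proposed_db_name("wordpress", prefix="a1sd"))    # a1sd_wordpress
    print(proposed_db_name("wp123"), proposed_db_user("tester"))
```

The point the checks make concrete: under the current scheme the 16-char username limit caps the database name too, while under the proposal only the client name is bound by it and the database name can use the full 64 characters.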

28
Kloxo-MR Development / [TEST] PHP53s for Kloxo-MR panel
« on: 2014-02-15, 04:54:18 »
As we know, Kloxo-MR still uses php52s (special php 5.2) for running its panel.

Since Kloxo-MR 6.5.1.a-2014021501, we are able to use php53s (special php 5.3) for running the panel.

Actions needed to enable it:

1. Update Kloxo-MR with 'yum clean all; yum update'
2. Run cleanup with 'sh /script/cleanup'
3. Install php53s with 'sh /script/php53s-install'
4. Stop the kloxo service with 'killall -u lxlabs'
5. Start the kloxo service with 'sh /script/restart' or 'service kloxo restart'

To go back to using php52s, just change step 1 to 'yum remove php53s*'.

Yes, different from the Kloxo official (6.1.15) approach, Kloxo-MR is still 'dual-php' compatible. Many reasons for using this approach:

1. Php53s is still in testing and needs reports from users on whether this php has a problem or not
2. Still found 'memory leaks' when installing Kloxo-MR using php53s. Looks like the code needs optimizing
3. Php53s uses php-fpm (with 'ondemand' pm) instead of spawn-fcgi for php and makes for less memory usage, especially in idle situations.

Besides implementing php53s, other changes/features:
1. Add '+SymLinksIfOwnerMatch' in apache/httpd and similar functions for other webservers. Again, it makes Kloxo-MR more secure than Kloxo official
2. Use 'ondemand' instead of 'dynamic' for php-fpm. It makes for more efficient memory usage (but a little bit slower). In many cases, less memory usage when the website/panel is idle.

NOTE:
- For a fresh install, just follow steps 3-5

29
Kloxo-MR Development / [INFO] Jailkit for Kloxo-MR
« on: 2014-02-03, 06:26:33 »
To make Kloxo-MR very secure, it is possible to implement Jailkit in Kloxo-MR.

Two options for Jailkit:

1. Always use Jailkit, or
2. Jailkit as an option - enable/disable in the panel

Implementing Jailkit will be ready in the next release and I will inform you in this thread when it is ready.

I hope it will be ready in 2-3 days!

Because it is very important, other options/bugfixes are temporarily pending.

30
There is a problem with fresh installs of Kloxo-MR with timestamp 2013013001. When installing Kloxo-MR, the kloxo database or php52s (symlink to lxphp) may not be created and installed. It is related to mysql. FIXED IN 2014020201

At this moment, until the bugfix release, install on CentOS 5 does not work.

Install on CentOS 6 works if you follow these steps:

Code:
    yum clean all
    yum update

    cd /tmp
    wget https://github.com/mustafaramadhan/kloxo/raw/rpms/release/neutral/noarch/mratwork-release-0.0.1-1.noarch.rpm --no-check-certificate
    rpm -ivh mratwork-release-0.0.1-1.noarch.rpm
    yum update mratwork-release -y

    # use mariadb instead mysql
    sed -i 's|exclude\=openssh\* perl\* mariadb\*|exclude\=openssh\* perl\*|g' /etc/yum.repos.d/mratwork.repo

    yum clean all

    # install (and then run 'setup.sh')
    yum install kloxomr -y
