Monday, January 10, 2011

Apache Upgrade Woes affecting Compress::Zlib perl libraries

In this post I will sink deep on a problem I had when I upgraded my CentOS 5.3 to the latest 5.5 release.  The problem surfaced when I started working on apache for some changes.  Here is the haunting log of that problem.

[Mon Jan 10 17:34:29 2011] [error] Can't load Perl module Compress::Zlib for server, exiting...
[Mon Jan 10 17:34:46 2011] [error] dualvar is only available with the XS version of Scalar::Util at /usr/lib/perl5/site_perl/5.8.8/Compress/ line 8\nBEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/Compress/ line 8.\nCompilation failed in require at (eval 7) line 3.\n

For the untrained eye this is a major disaster. Issuing the command $sudo package-clean --problem; $rpm -Va --nofiles --nodigest doesnt solve the problem worst you are even thinking of reverting back (rollback) changes to its original configuration.  Which is bad since you loose the availability of moving your box to a patch and security fixed version.

To solve the issue I did a "Hack" to the actual library that is causing the problem.

$sudo vi /usr/lib/perl5/site_perl/5.8.8/Compress/  and checked on the problematic line (8)

1. Remove the qw(dualvar) entry on that line. Which looks like this:  use Scalar::Util qw(dualvar);

2. Save the file

3. Re-start apache:  service httpd restart

Viola!  Problem Fixed.

Hardening Apache on CentOS 5 with mod_security

Apache can be configured to use "mod_security".  Installing it can be quite a daunting task if you are new to apache or to a certain extent has been working on apache but has used only firewall systems to secure it.  What better way to have it work with mod_security as an added defense.

By default especially on modern CentOS systems 5.  mod_security is not included in the repos, you will have to enable the EPEL (Extra Packages for Enterprise Linux) to install mod_security.


1.  Install the EPEL repos base
 # rpm -Uvh
2. Install the package
# yum install mod_security

3. Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

4. Make sure SecRuleEngine set to "On" to protect webserver for the attacks:
SecRuleEngine On
5. Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart

6. Make sure everything is working:
# tail -f /var/log/httpd/error_log

[Thu Mar 31 03:27:07 2011] [notice] Digest: done
[Thu Mar 31 03:27:08 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Mar 31 03:27:08 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Thu Mar 31 04:10:17 2011] [notice] caught SIGTERM, shutting down
[Thu Mar 31 04:10:18 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Mar 31 04:10:19 2011] [notice] ModSecurity for Apache/2.5.12 ( configured.
[Thu Mar 31 04:10:19 2011] [notice] Digest: generating secret for digest authentication ...
[Thu Mar 31 04:10:19 2011] [notice] Digest: done
[Thu Mar 31 04:10:20 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Mar 31 04:10:20 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

This tutorial is not limited to CentOS only distributions for Debian systems you can use apt-get to intall mod_security or check the site documentation for procedures.