Forum

Correct way to call toolkit

Fred
5 April 2015, 23:26
Hi Hugo,

I use the following toolkit to protect the server again remote exploit vulnerability
UrlToolkit {
	ToolkitID = scannerblocker
	Header User-Agent ^w3af.sourceforge.net DenyAccess
	Header User-Agent ^dirbuster DenyAccess
	Header User-Agent ^nikto DenyAccess
	Header User-Agent ^sqlmap DenyAccess
	Header User-Agent ^fimap DenyAccess
	Header User-Agent ^nessus DenyAccess
	Header User-Agent ^whatweb DenyAccess
	Header User-Agent ^Openvas DenyAccess
	Header User-Agent ^jbrofuzz DenyAccess
	Header User-Agent ^libwhisker DenyAccess
	Header User-Agent ^webshag DenyAccess
	Header User-Agent ^WVS DenyAccess
	Header User-Agent ^Morfeus DenyAccess
	Header User-Agent ^Fucking DenyAccess
	Header User-Agent ^Scanner DenyAccess
	Header User-Agent ^Aboundex DenyAccess
	Header User-Agent ^AlphaServer DenyAccess
	Header User-Agent ^Indy DenyAccess
	Header User-Agent ^ZmEu DenyAccess
	Header User-Agent ^social DenyAccess
	Header User-Agent ^Zollard DenyAccess
	Header User-Agent ^CLR DenyAccess
	Header User-Agent ^Camino DenyAccess
	Header User-Agent ^Nmap DenyAccess
	Header HTTP:Acunetix-Product ^WVS DenyAccess
}


My question what this the correct way to call this toolkit inside my wordpress toolkit block
Should I be using Call <toolkit_id> or UseToolkit = <toolkit_id>
UrlToolkit {
	ToolkitID = wordpress
	#Call scannerblocker
	#or 
	#UseToolkit = scannerblocker
	RequestURI exists Return
	Match .*\?(.*) Rewrite /index.php?$1
	Match .* Rewrite /index.php
}


Hiawatha version: 9.12
Operating System: FreeBSD 10
Hugo Leisink
6 April 2015, 08:34
The answer is in the manual page. You could also try them both and see if you get an error message for one of them.
Fred
6 April 2015, 21:41
Hi Hugo,

Believe me I am trying to understand as much as the manual as I can...
I have tried both way before posted this tread and I get an error message in both cases.
sudo service hiawatha start
Starting hiawatha.
Syntax error in hiawatha.conf on line 112.


All I have in the system.log is:
Sat 04 Apr 2015 21:55:42 +0100|Hiawatha v9.12 stopped.
Sat 04 Apr 2015 21:55:46 +0100|Hiawatha v9.12 started.
91.195.122.75|Sat 04 Apr 2015 21:56:46 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:46 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:09 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:09 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:24 +0100|Maximum request size reached
91.195.122.75|Sat 04 Apr 2015 21:57:43 +0100|Maximum request size reached
91.195.122.75|Sat 04 Apr 2015 21:57:47 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:58:18 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:58:29 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:29 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked

# GENERAL SETTINGS
#
ServerId = www
ConnectionsTotal = 1000
ConnectionsPerIP = 10 
SystemLogfile  = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log
MonitorServer = 192.168.1.125
LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/local/sbin/cgi-wrapper

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
	Port = 80
	Interface = 192.168.1.125
	MaxKeepAlive = 30
	TimeForRequest = 3,20
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:15
BanOnInvalidURL = 300
BanOnWrongPassword = 3:300
BanlistMask = deny 91.195.122.75, deny 273.126.109.264, deny 192.168.1.0/24, deny 127.0.0.1
ReconnectDelay = 3

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/local/bin/php-cgi:php

FastCGIserver {
	FastCGIid = php5-fpm 
    ConnectTo = /var/run/php-fpm.sock
	Extension = php
	SessionTimeout = 30
}

UrlToolkit {
	ToolkitID = scannerblocker
        Header User-Agent ^w3af.sourceforge.net DenyAccess
        Header User-Agent ^dirbuster DenyAccess
        Header User-Agent ^nikto DenyAccess
        Header User-Agent ^sqlmap DenyAccess
        Header User-Agent ^fimap DenyAccess
        Header User-Agent ^nessus DenyAccess
        Header User-Agent ^whatweb DenyAccess
        Header User-Agent ^Openvas DenyAccess
        Header User-Agent ^jbrofuzz DenyAccess
        Header User-Agent ^libwhisker DenyAccess
        Header User-Agent ^webshag DenyAccess
        Header User-Agent ^WVS DenyAccess
        Header User-Agent ^Morfeus DenyAccess
        Header User-Agent ^Fucking DenyAccess
        Header User-Agent ^Scanner DenyAccess
        Header User-Agent ^Aboundex DenyAccess
        Header User-Agent ^AlphaServer DenyAccess
        Header User-Agent ^Indy DenyAccess
        Header User-Agent ^ZmEu DenyAccess
        Header User-Agent ^social DenyAccess
        Header User-Agent ^Zollard DenyAccess
        Header User-Agent ^CLR DenyAccess
        Header User-Agent ^Camino DenyAccess
        Header User-Agent ^Nmap DenyAccess
        Header HTTP:Acunetix-Product ^WVS DenyAccess
}

UrlToolkit {
	ToolkitID = monitor
    Call scannerblocker
	RequestURI isfile Return
	Match ^/(css|images|js)/ Return
	Match ^/(favicon.ico|robots.txt)$ Return
    Match .*\?(.*) Rewrite /index.php?$1
	Match .* Rewrite /index.php
}

UrlToolkit {
	ToolkitID = wordpress
	#Call scannerblocker
	#UseToolkit = scannerblocker
    RequestURI exists Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}

# DEFAULT WEBSITE
Hostname = 192.1xx.1.1xx
WebsiteRoot = /usr/local/www/webs/default
StartFile = index.html
AccessLogfile = /var/log/hiawatha/default.access.log
ErrorLogfile = /var/log/hiawatha/default.error.log

Include enable-sites/*.sites


This is mydomain.site
VirtualHost {
   Hostname = www.mydomain.co.uk, mydomain.co.uk 
   WebsiteRoot = /usr/local/www/webs/mydomain/httpdocs
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/bollenbergLive.access.log
   ErrorLogfile = /var/log/hiawatha/bollenbergLive.error.log
   TimeForCGI = 15
   UseFastCGI = php5-fpm
   UseToolkit = wordpress
}



This problem only started when I moved from Hiawatha v9.8 to v9.12

I also have problem to start the server if I leave the following setting uncommented
MonitorServer = 192.168.1.125


Fred
Hugo Leisink
6 April 2015, 22:16
The error is at line 112: Include enable-sites/*.sites

Use a file name or a directory name only:
Include enable-sites


About the error for MonitorServer, did you include support for the Hiawatha Monitor? What is the output of 'hiawatha -v'?
Fred
6 April 2015, 22:33
Hi Hugo,

I just tried your suggestion 
Include enable-sites

but the problem is exactly the same

Is this a FreeBSD specific issue?
Why my setup work before I updated the version?
Fred
7 April 2015, 00:14
Sorry I forgot to mention that I have removed all the comment on the code I pasted on the forum...
In real life line 112 is 
Call scannerblocker
Hugo Leisink
7 April 2015, 07:51
Change that line to
Do Call scannerblocker

Has been mentioned in the changelog.
Fred
7 April 2015, 11:02
Thank You Hugo

Problem solved. Sorry for being a pain
Hugo Leisink
7 April 2015, 11:06
Don't worry, glad to hear it all works again!
This topic has been closed.
Back
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.