grsecurity forums

[mlnzigzag]

first of all hi ppl, this is my first post on that forum.
i'm getting this kind of output from the syslog either by internal ip addresses (wich i'm sure they are SECURE) and external ones. The output is as follows:

Code: Select all

Mar  8 18:51:33 host1 grsec: From 64.29.13.3: signal 11 sent to /usr/sbin/apache2.prefork[apache2:2122] uid/euid:65534/65534 gid/egid:-1/-1, parent /usr/sbin/apache2.prefork[apache2:14856] uid/euid:0/0 gid/egid:0/0
Mar  8 18:51:33 host1 grsec: more alerts, logging disabled for 10 seconds
Mar  9 08:26:45 host1 grsec: From 192.168.0.3: signal 11 sent to /usr/sbin/apache2.prefork[apache2:14329] uid/euid:65534/65534 gid/egid:-1/-1, parent /usr/sbin/apache2.prefork[apache2:14856] uid/euid:0/0 gid/egid:0/0


i've managed to search those lines around the internet but i've found NO matches, BUT one in this link: http://llistes.bulma.net/pipermail/bulmailing/Week-of-Mon-20040726/049540.html

I sincerly didn't found any useful information from that post, and from apache2 forums too.

The fact that internal ip addresses also produces those lines, let me think that this output is produced by "normal use" of the apache server, and not from an abuse. I can say this because there are no signs at all in the local network of the presence of any kind of intrusion, and there aren't people in the office that can do more hacking than my grandmother

Anyway i didn't find any particular advisory on the apache version i have.

Following, i'm gonna list all the detailed informations about the system.

Code: Select all

host1 Linux version 2.4.29-grsec

gcc version 3.3.5 (Gentoo Hardened Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1))


grsecurity version is 2.1.3 (i've found no fixes for this issue in the changelog to 2.1.4 so i didn't tried to upgrade)

grsecurity configuration as follows:

Code: Select all

* Grsecurity
*
Grsecurity (CONFIG_GRKERNSEC) [Y/n/?]
Security level (Low, Medium, High, Customized) [Customized]
  defined CONFIG_GRKERNSEC_CUSTOM
*
* PaX Control
*
Support soft mode (CONFIG_GRKERNSEC_PAX_SOFTMODE) [N/y/?]
Use legacy ELF header marking (CONFIG_GRKERNSEC_PAX_EI_PAX) [N/y/?]
Use ELF program header marking (CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS) [N/y/?]
MAC system integration (none, direct, hook) [direct]
  defined CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS
*
* Address Space Protection
*
Enforce Non-executable pages (CONFIG_GRKERNSEC_PAX_NOEXEC) [N/y/?]
Address Space Layout Randomization (CONFIG_GRKERNSEC_PAX_ASLR) [N/y/?]
Deny writing to /dev/kmem, /dev/mem, and /dev/port (CONFIG_GRKERNSEC_KMEM) [Y/n/?]
Disable privileged I/O (CONFIG_GRKERNSEC_IO) [Y/n/?]
Remove addresses from /proc/pid/[maps|stat] (CONFIG_GRKERNSEC_PROC_MEMMAP) [N/y/?]
Deter exploit bruteforcing (CONFIG_GRKERNSEC_BRUTE) [Y/n/?]
Hide kernel symbols (CONFIG_GRKERNSEC_HIDESYM) [N/y/?]
*
* Role Based Access Control Options
*
Hide kernel processes (CONFIG_GRKERNSEC_ACL_HIDEKERN) [N/y/?]
Maximum tries before password lockout (CONFIG_GRKERNSEC_ACL_MAXTRIES) [3]
Time to wait after max password tries, in seconds (CONFIG_GRKERNSEC_ACL_TIMEOUT) [30]
*
* Filesystem Protections
*
Proc restrictions (CONFIG_GRKERNSEC_PROC) [Y/n/?]
   Restrict to user only (CONFIG_GRKERNSEC_PROC_USER) [Y/n/?]
   Additional restrictions (CONFIG_GRKERNSEC_PROC_ADD) [Y/n/?]
Linking restrictions (CONFIG_GRKERNSEC_LINK) [Y/n/?]
FIFO restrictions (CONFIG_GRKERNSEC_FIFO) [Y/n/?]
Chroot jail restrictions (CONFIG_GRKERNSEC_CHROOT) [Y/n/?]
   Deny mounts (CONFIG_GRKERNSEC_CHROOT_MOUNT) [Y/n/?]
   Deny double-chroots (CONFIG_GRKERNSEC_CHROOT_DOUBLE) [Y/n/?]
   Deny pivot_root in chroot (CONFIG_GRKERNSEC_CHROOT_PIVOT) [Y/n/?]
   Enforce chdir("/") on all chroots (CONFIG_GRKERNSEC_CHROOT_CHDIR) [Y/n/?]
   Deny (f)chmod +s (CONFIG_GRKERNSEC_CHROOT_CHMOD) [Y/n/?]
   Deny fchdir out of chroot (CONFIG_GRKERNSEC_CHROOT_FCHDIR) [Y/n/?]
   Deny mknod (CONFIG_GRKERNSEC_CHROOT_MKNOD) [Y/n/?]
   Deny shmat() out of chroot (CONFIG_GRKERNSEC_CHROOT_SHMAT) [Y/n/?]
   Deny access to abstract AF_UNIX sockets out of chroot (CONFIG_GRKERNSEC_CHROOT_UNIX) [Y/n/?]
   Protect outside processes (CONFIG_GRKERNSEC_CHROOT_FINDTASK) [Y/n/?]
   Restrict priority changes (CONFIG_GRKERNSEC_CHROOT_NICE) [Y/n/?]
   Deny sysctl writes in chroot (CONFIG_GRKERNSEC_CHROOT_SYSCTL) [Y/n/?]
   Capability restrictions within chroot (CONFIG_GRKERNSEC_CHROOT_CAPS) [Y/n/?]
*
* Kernel Auditing
*
Single group for auditing (CONFIG_GRKERNSEC_AUDIT_GROUP) [Y/n/?]
   GID for auditing (CONFIG_GRKERNSEC_AUDIT_GID) [1010]
Exec logging (CONFIG_GRKERNSEC_EXECLOG) [Y/n/?]
Resource logging (CONFIG_GRKERNSEC_RESLOG) [Y/n/?]
Log execs within chroot (CONFIG_GRKERNSEC_CHROOT_EXECLOG) [Y/n/?]
Chdir logging (CONFIG_GRKERNSEC_AUDIT_CHDIR) [Y/n/?]
(Un)Mount logging (CONFIG_GRKERNSEC_AUDIT_MOUNT) [Y/n/?]
IPC logging (CONFIG_GRKERNSEC_AUDIT_IPC) [Y/n/?]
Signal logging (CONFIG_GRKERNSEC_SIGNAL) [Y/n/?]
Fork failure logging (CONFIG_GRKERNSEC_FORKFAIL) [Y/n/?]
Time change logging (CONFIG_GRKERNSEC_TIME) [Y/n/?]
/proc/<pid>/ipaddr support (CONFIG_GRKERNSEC_PROC_IPADDR) [Y/n/?]
ELF text relocations logging (READ HELP) (CONFIG_GRKERNSEC_AUDIT_TEXTREL) [N/y/?]
*
* Executable Protections
*
Enforce RLIMIT_NPROC on execs (CONFIG_GRKERNSEC_EXECVE) [Y/n/?]
Destroy unused shared memory (CONFIG_GRKERNSEC_SHM) [Y/n/?]
Dmesg(8) restriction (CONFIG_GRKERNSEC_DMESG) [Y/n/?]
Randomized PIDs (CONFIG_GRKERNSEC_RANDPID) [Y/n/?]
Trusted path execution (CONFIG_GRKERNSEC_TPE) [Y/n/?]
   Partially restrict non-root users (CONFIG_GRKERNSEC_TPE_ALL) [Y/n/?]
   GID for untrusted users: (CONFIG_GRKERNSEC_TPE_GID) [1010]
*
* Network Protections
*
Larger entropy pools (CONFIG_GRKERNSEC_RANDNET) [Y/n/?]
Randomized TCP source ports (CONFIG_GRKERNSEC_RANDSRC) [Y/n/?]
Socket restrictions (CONFIG_GRKERNSEC_SOCKET) [N/y/?]
*
* Sysctl support
*
Sysctl support (CONFIG_GRKERNSEC_SYSCTL) [N/y/?]
*
* Logging options
*
Seconds in between log messages (minimum) (CONFIG_GRKERNSEC_FLOODTIME) [10]
Number of messages in a burst (maximum) (CONFIG_GRKERNSEC_FLOODBURST) [4]


Apache version as follows:

Code: Select all

host1 linux # apache2 -V
Server version: Apache/2.0.52
Server built:   Mar  9 2005 09:46:34
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec2"
 -D DEFAULT_PIDLOG="/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/conf/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/conf/apache2.conf"


Really wish to find explainations, and maybe to have been useful too.

thanks a lot, and pls be patient with my bad english

[PaX Team]

Code: Select all

Mar  8 18:51:33 host1 grsec: From 64.29.13.3: signal 11 sent to /usr/sbin/apache2.prefork[apache2:2122 uid/euid:65534/65534 gid/egid:-1/-1, parent /usr/sbin/apache2.prefork[apache2:14856] uid/euid:0/0 gid/egid:0/0

this just means that apache crashed (SIGSEGV), in this case it's probably due to an apache bug (you may be low on memory, etc and apache doesn't cope with it properly), not intrusion attempts. if you want to investigate (provided you can reproduce these at will), you should enable coredumps on apache and analyze them.

grsecurity configuration as follows:

for the future, it's better to grep GRKERNSEC .config

[mlnzigzag]

tnx a lot for suggestions!

best regards

Marco Longoni