Correct way to call toolkit

Fred
5 April 2015, 23:26
Hi Hugo,

I use the following toolkit to protect the server against remote exploit vulnerabilities:
UrlToolkit {
ToolkitID = scannerblocker
Header User-Agent ^w3af.sourceforge.net DenyAccess
Header User-Agent ^dirbuster DenyAccess
Header User-Agent ^nikto DenyAccess
Header User-Agent ^sqlmap DenyAccess
Header User-Agent ^fimap DenyAccess
Header User-Agent ^nessus DenyAccess
Header User-Agent ^whatweb DenyAccess
Header User-Agent ^Openvas DenyAccess
Header User-Agent ^jbrofuzz DenyAccess
Header User-Agent ^libwhisker DenyAccess
Header User-Agent ^webshag DenyAccess
Header User-Agent ^WVS DenyAccess
Header User-Agent ^Morfeus DenyAccess
Header User-Agent ^Fucking DenyAccess
Header User-Agent ^Scanner DenyAccess
Header User-Agent ^Aboundex DenyAccess
Header User-Agent ^AlphaServer DenyAccess
Header User-Agent ^Indy DenyAccess
Header User-Agent ^ZmEu DenyAccess
Header User-Agent ^social DenyAccess
Header User-Agent ^Zollard DenyAccess
Header User-Agent ^CLR DenyAccess
Header User-Agent ^Camino DenyAccess
Header User-Agent ^Nmap DenyAccess
Header HTTP:Acunetix-Product ^WVS DenyAccess
}


My question: what is the correct way to call this toolkit inside my WordPress toolkit block?
Should I be using Call <toolkit_id> or UseToolkit = <toolkit_id>?
UrlToolkit {
ToolkitID = wordpress
#Call scannerblocker
#or
#UseToolkit = scannerblocker
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}


Hiawatha version: 9.12
Operating System: FreeBSD 10
Hugo Leisink
6 April 2015, 08:34
The answer is in the manual page. You could also try them both and see if you get an error message for one of them.
Fred
6 April 2015, 21:41
Hi Hugo,

Believe me, I am trying to understand as much of the manual as I can...
I tried both ways before posting this thread and I get an error message in both cases.
sudo service hiawatha start
Starting hiawatha.
Syntax error in hiawatha.conf on line 112.


All I have in the system.log is:
Sat 04 Apr 2015 21:55:42 +0100|Hiawatha v9.12 stopped.
Sat 04 Apr 2015 21:55:46 +0100|Hiawatha v9.12 started.
91.195.122.75|Sat 04 Apr 2015 21:56:46 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:46 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:56:59 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:09 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:09 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:57:24 +0100|Maximum request size reached
91.195.122.75|Sat 04 Apr 2015 21:57:43 +0100|Maximum request size reached
91.195.122.75|Sat 04 Apr 2015 21:57:47 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:58:18 +0100|Timeout while waiting for first request
91.195.122.75|Sat 04 Apr 2015 21:58:29 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:29 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked
91.195.122.75|Sat 04 Apr 2015 21:58:30 +0100|Client kicked

# GENERAL SETTINGS
#
ServerId = www
ConnectionsTotal = 1000
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log
MonitorServer = 192.168.1.125
LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/local/sbin/cgi-wrapper

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
Interface = 192.168.1.125
MaxKeepAlive = 30
TimeForRequest = 3,20
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:15
BanOnInvalidURL = 300
BanOnWrongPassword = 3:300
BanlistMask = deny 91.195.122.75, deny 273.126.109.264, deny 192.168.1.0/24, deny 127.0.0.1
ReconnectDelay = 3

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/local/bin/php-cgi:php

FastCGIserver {
FastCGIid = php5-fpm
ConnectTo = /var/run/php-fpm.sock
Extension = php
SessionTimeout = 30
}

UrlToolkit {
ToolkitID = scannerblocker
Header User-Agent ^w3af.sourceforge.net DenyAccess
Header User-Agent ^dirbuster DenyAccess
Header User-Agent ^nikto DenyAccess
Header User-Agent ^sqlmap DenyAccess
Header User-Agent ^fimap DenyAccess
Header User-Agent ^nessus DenyAccess
Header User-Agent ^whatweb DenyAccess
Header User-Agent ^Openvas DenyAccess
Header User-Agent ^jbrofuzz DenyAccess
Header User-Agent ^libwhisker DenyAccess
Header User-Agent ^webshag DenyAccess
Header User-Agent ^WVS DenyAccess
Header User-Agent ^Morfeus DenyAccess
Header User-Agent ^Fucking DenyAccess
Header User-Agent ^Scanner DenyAccess
Header User-Agent ^Aboundex DenyAccess
Header User-Agent ^AlphaServer DenyAccess
Header User-Agent ^Indy DenyAccess
Header User-Agent ^ZmEu DenyAccess
Header User-Agent ^social DenyAccess
Header User-Agent ^Zollard DenyAccess
Header User-Agent ^CLR DenyAccess
Header User-Agent ^Camino DenyAccess
Header User-Agent ^Nmap DenyAccess
Header HTTP:Acunetix-Product ^WVS DenyAccess
}

UrlToolkit {
ToolkitID = monitor
Call scannerblocker
RequestURI isfile Return
Match ^/(css|images|js)/ Return
Match ^/(favicon.ico|robots.txt)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

UrlToolkit {
ToolkitID = wordpress
#Call scannerblocker
#UseToolkit = scannerblocker
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

# DEFAULT WEBSITE
Hostname = 192.1xx.1.1xx
WebsiteRoot = /usr/local/www/webs/default
StartFile = index.html
AccessLogfile = /var/log/hiawatha/default.access.log
ErrorLogfile = /var/log/hiawatha/default.error.log

Include enable-sites/*.sites


This is mydomain.site
VirtualHost {
Hostname = www.mydomain.co.uk, mydomain.co.uk
WebsiteRoot = /usr/local/www/webs/mydomain/httpdocs
StartFile = index.php
AccessLogfile = /var/log/hiawatha/bollenbergLive.access.log
ErrorLogfile = /var/log/hiawatha/bollenbergLive.error.log
TimeForCGI = 15
UseFastCGI = php5-fpm
UseToolkit = wordpress
}



This problem only started when I moved from Hiawatha v9.8 to v9.12

I also have a problem starting the server if I leave the following setting uncommented:
MonitorServer = 192.168.1.125


Fred
Hugo Leisink
6 April 2015, 22:16
The error is at line 112: Include enable-sites/*.sites

Use a file name or a directory name only:
Include enable-sites


About the error for MonitorServer, did you include support for the Hiawatha Monitor? What is the output of 'hiawatha -v'?
Fred
6 April 2015, 22:33
Hi Hugo,

I just tried your suggestion
Include enable-sites

but the problem is exactly the same

Is this a FreeBSD specific issue?
Why did my setup work before I updated the version?
Fred
7 April 2015, 00:14
Sorry, I forgot to mention that I have removed all the comments from the code I pasted on the forum...
In real life line 112 is
Call scannerblocker
Hugo Leisink
7 April 2015, 07:51
Change that line to
Do Call scannerblocker

Has been mentioned in the changelog.
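
As an added example (not part of the original thread and not Hiawatha's own tooling), a small Python check for the change discussed above: it flags UrlToolkit lines that still use the bare `Call <toolkit_id>` form instead of `Do Call <toolkit_id>`, and calls to toolkit IDs that are not defined in the same file. The sample configuration is constructed from the one posted here; the `blocklist` ID and the function name are hypothetical.

```python
import re

# Constructed sample, shortened from the configuration posted in this thread.
# 'blocklist' is a hypothetical toolkit ID that is deliberately left undefined.
SAMPLE_CONF = """\
UrlToolkit {
    ToolkitID = scannerblocker
    Header User-Agent ^sqlmap DenyAccess
}

UrlToolkit {
    ToolkitID = monitor
    Call scannerblocker
    RequestURI isfile Return
}

UrlToolkit {
    ToolkitID = wordpress
    #Call scannerblocker
    Do Call blocklist
    RequestURI exists Return
}
"""

def lint_toolkit_calls(conf_text):
    """Return sorted (line_no, message) findings for Call use in UrlToolkit blocks."""
    findings, calls, defined, in_toolkit = [], [], set(), False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        if re.match(r"UrlToolkit\s*\{", line, re.I):
            in_toolkit = True
        elif line == "}":
            in_toolkit = False
        elif in_toolkit:
            tid = re.match(r"ToolkitID\s*=\s*(\S+)", line, re.I)
            if tid:
                defined.add(tid.group(1))
            call = re.search(r"(?:^|\s)Call\s+(\S+)$", line, re.I)
            if call:
                calls.append((no, call.group(1)))
                if re.match(r"Call\s", line, re.I):   # pre-upgrade form
                    findings.append((no, f"bare 'Call': write 'Do Call {call.group(1)}'"))
    # Assumption: all toolkits live in this one file (Include files are not followed).
    findings += [(no, f"toolkit '{t}' is not defined") for no, t in calls if t not in defined]
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint_toolkit_calls(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
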
Fred
7 April 2015, 11:02
Thank You Hugo

Problem solved. Sorry for being a pain
Hugo Leisink
7 April 2015, 11:06
Don't worry, glad to hear it all works again!
This topic has been closed.