Code, InfoSec and Server Stuff

Views are my own and not my employer's

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

Software

Infographic: So you have an idea for an app

by

I created this graphic as I was asked by multiple people how to develop an app. This does not include tips on coding but many people with the non-technical prerequisites to building an app.

Advertisement:



I hope this graphic helps someone (It’s my first infographic/decision flow image, feedback welcome).

So You Have an Idea For An App: Graphic

Click for larger version.

Infographic-So-you-have-an-idea-for-an-app-v1-3

 

Standalone Image URL’s

Define the problem(s) (pain points)

Before you start coding, do list your app requirements (problem’s to solve (pain points)).

Atlassian JIRA or Trello can help with this. I personally use (and likeAtlaz.io (now Hygger)I reviewed the BETA here).

Using Trello lists are also a simple way to capture tasks/ideas.

ListMore on these Read more here also read my Atlaz.io BETA Preview here.

Nothing beats pen and paper too.

Notepad

Moscow Prioritization

Must-Have Should-Have, Could-Have and Won’t-have are buckets you should sort ideas into. If you have trouble moving items away from Must to Should, Could or Won’t then assign a fictitious monetary value to spend on each item and that will help you decide what is more important.

Read this MoSCoW article at Wikipedia: https://en.wikipedia.org/wiki/Moscow

Managing MoSCoW tasks on paper is OK if you do not want to use planning software.

More

Read my guide on how to prototype apps with Adobe XD guide here.  You can also Prototype a Web app with Platforma (review here).

Read my post on how to develop software and stay on track.

Research

Do research your idea for market fit/need, competition, complexity, legal and validate ideas early. It’s best to find out early that Google will quote $60,000+ TAX a year to allow you to use Google map’s in your app early, then you can use https://www.mapbox.com for $499 a year.

Do you have competition?

Some people say “don’t develop an app that already exists”. Why would you develop a new Uber app? Henry Ford did make a new transportation mode when people were happy with horses, other car manufacturers like Tesla are moving in on the space so don’t be discouraged.

Landing Page

A landing page with a signup form (Newsletter and Register Interest) form is a good way to validate ideas and get feedback early (I would suggest you use a free Mainchimp signup form, a generated website with Platforma on a $5/m server for quick results). There is no point coding and launching to crickets.

Do you have an app Prototype or Mock-Up?

This is very important and easy step.  Programs like Adobe XD CC  (read my guide here) and Balsamiq can help you prototype an app, Platforma can help you prototype web apps.

Wire up a prototype

Drag and Drop

Have you validated your idea (app) with end users?

If you don’t do this you are mad.  Watch this video to see lessons learned from Trades Cloud.

Is this app idea a hobby (passion)?

This can help you limit costs and expectations.  Cheap serves exist (read here and here).

Do you have time to develop/manage this?

Developing and managing an app and planning (paying for) development cycle can be time-consuming and mentally draining.

Can you code?

Do you need to hire developers or learn to code?  Blog post coming soon on how to hire coders.

Do you have funds?

Having funds on hand to set up and build an app is very important.

Do you want to hide developers (or get Venture Capital)?

This can help you get moving but you will have to give away a slice of the profits and or IP, managing mentors and VC’s can be tiresome.

Have you set failure criteria (post-mortem)?

Read this page on lessons learned from over 200 startup failures, save your favourites.  Having realistic goals and limits is a wise idea, do stop when you reach preset limits.

Do you have a business case?

There are plenty of business case generator template,  you will want to document some of the following.

  • What is your apps PurposeApp X will be..
  • What is your Mission Statement – App X will..
  • Who are your Target Customers – Retail..
  • Who are the Early Adopters – Retail..
  • What Problems does your app solve – App X will..
  • What Milestones will your app go through – iOS, Android, Apple TV, Web etc..
  • What Existing solutions exist – App: A, B and C..
  • How does your app Solve your customer’s problems (pain points) – App X will..
  • How will your app Find customers – Word of Mouth, Referrals, Advertisements?
  • What is your Revenue model – Sales, Ad’s, Subscriptions?
  • What is your apps Goal statement – App X will hit X users in X?
  • What are your apps Failure points – If app X does not reach X or monthly costs reach Y….
  • What is your Marketing message – App X will..
  • What is your apps Metrics – iOS, Android, Apple TV apps..
  • What is your Unfair AdvantageWhy will you succeed over others?

Are you using a project management methodology?

Proven Methodology can help you develop software and stay on track, software like Atlaz, JIRA or Trello are highly recommended tools. Capturing ideas and processing feedback in tools is very important.

Before you code (or hire coders) use source code versioning software like GitHub and Bitbucket (guides here and here).  You want to retain the code and insist on owning it.

Product Goal

Simon Sinek has a good video on companies (or Products) being in a finite or infinite game.

Are you in full control of your development stack?

If you are not a developer you may not care if you are in control, but you will if there are issues with hired developers or issues with service providers.  I moved from CPanel to self-managed servers, moved from IBM Cloudant to Digital Ocean to AWS then Vultr servers where I can have full control or scalability, features, security and costs.

Can you forecast the costs?

Lowering cost and boosting performance is important and having spare money is a good thing.

I read recently that  Telsla is burning through $6,000 a minute and is forecast to need something like 2 billion dollars in the next 2 years. Software as Service platforms will drain your budget quick (they do take on some risk and maintenance tasks), is this worth it?

Mark Fedin (CEO and Co-founder at Atlaz) has a great post on the topic of viability Stop Dabbling At Startups .

Are you using the right tech?

Don’t be afraid of changing tech along the way, you may start with MySQL and move to MongoDBRedis, Oracle ot MSSQL database servers etc.

Do you have systems to capture customer feedback?

Self-explanatory, you are solving customer problems, right? You will pivot in the first year (trust me).

What is your revenue/sales model?

If you don’t know how to make money then don’t make an app (apps are expensive to code and maintain).

Are you prioritizing task?

I have blogged about this before, do use the tools to stay on track.

Funny Bit

Project Mangement LolProject Mangement Lol

 

 

Donate and make this blog better


Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

v1.5 Fixed typos and fixed CDN link issue.

v1.4 Updated the graphic to version v1.3.

Short (Article): https://fearby.com/go2/so/

Short (Image): https://fearby.com/go2/so-img/

Quick guide to using Adobe XD CC to design a prototype iOS app.

by

Adobe has introduced (v1.0.x) Adobe XD CC, Adobe claims you can turn your best ideas into beautiful experiences — fast. Let’s give it a try.

Advertisement:


Adobe Experience Design (Beta) is now Adobe XD CC. You can now design, prototype, and share amazing user experiences for websites, mobile apps, and more — all in the same app. Adobe XD CC is similar to Balsamic Mockup software.

Adobe XD Intro

Here is a great video demoing Adobe XD.

Install Adobe XD

If you don’t already have Adobe CC installed you can download a trial here. If you are wanting to install on Windows you will need Windows 10 (Anniversary Edition). Adobe has minimum system requirements listed here.

Install XD

Start a Project

Create a Project

After you start an iOS project you will be looking for controls to add to your prototype. Adobe XD CC offers where you can download UI Kits direct from vendors (a shame when you are used to XCode or Visual Studio having controls pre loaded).

Installing the Apple UI Design Resources

You will need to download the Apple UI Design resources for Design XD from the Apple site (use the menu in the screenshot below or click here), they do not come with Adobe XD CC.

Apple UI Design Resources

Here is more information on using Adobe XD CC UI Kits.

Download the iOS 11 UI resources for Adobe XD CC from the Apple site.

Download resources from Apple site

You can now extract the iOS resource files from Apple for use in Adobe XD projects.  When iOS 12 and Android 9 comes out you can download new UI Kits.

Extract Files

Once you extract the files from the zip file, run the ./iOS-11-AdobeXD/Fonts/San Francisco Pro.pkg file to install iOS 11 font on yoir system.

I could not find a way to install the UI Kits permanently into Adobe XD CC (Searching revealed you need to open templates (as a separate process or open file in Adobe XD (double-click on the file)) and paste elements into your project). This seems clunky.

Install UI Kits

Why use Adobe XD

You can use Adobe XD to prototype interfaces around the common activities a person may perform while using the apps you are prototyping. You can design an app’s onboarding, intro or user screens before actually developing the app.

http://bundle.greatsimple.io/

http://bundle.greatsimple.io/

http://bundle.greatsimple.io/

https://platforma.ws/ also has an extension for Adobe XD to allow you to get a  prototype fast with ready to go layout elements. I will write a new blog post using https://platforma.ws/ in Adobe XD.

iOS Prototype Project

Let’s create an iOS project. Start a new iPhone 6/7 Project AND open up a UI template file in a second Adobe XD program (e.g ./iOS-11-AdobeXD/UI Elements + Design Templates + Guides/UIElements+DesignTemplates+Guides.xd).

Now you can drag and drop elements from the UI template (from Apple) into an XD CC app prototype project

Prototype Project

TIP: Apple has a great site explaining how you can design and deliver apps (open the Apple Human Interfaces – iOS Design Themes page here). Apple also has assets and guidelines available for marketing your apps here.

To make buttons interactive you will need to click the Prototype tab and then drag the blue tabs to the right of interactive elements to the target screens.

Make Interactive

You can learn more on making interactive prototypes here.

Tip: Don’t forget to add interactive links back to the home screen.

You can then press the play button to preview the app prototype simulated in software.

Simulate

Export

You can now save and export your prototype app project to PNG, PDF, Web or other formats to others to send for reviewing.

Export

Adobe XD is big on saving to the Adobe Cloud allowing others to see changes in real time.  If you have linked assets in in your prototype project (say Photoshop files) anyone viewing an XD prototype on the Adobe Cloud can automatically see changes in real time (see then Adobe XD intro video above).

Running Prototypes on Real Devices

I was able to install Adobe XD app onto iOS, log in with my Adobe ID and the prototype popped up when I connected my iOS device to my Mac. More info here.

I was able to install the Android Adobe XD app and also sync a prototype app (Android was a bit slower to find the project but still the same process as iOS).

Android

More Help

Adobe XD CC Official User Guide

https://helpx.adobe.com/xd/user-guide.html

30 Adobe XD CC/Adobe Comp tablet app tips

 

Conclusion

Pros

  • Adobe XD comes with Adobe CC.
  • Ope to feature enhancements.
  • Loads or 3rd party tools and user forums.
  • Automatic detection of duplicate actions (copy and paste grid items) and suggestion of repeating grids by pressing Command+R.

Cons

  • Unable to import UI Kits permanently into Adobe XD (I have to run multiple XD apps and paste UI elements between). Why would I no just stick with Adobe Photoshop?
  • Placement of UI elements like fonts feels clunky when compared to XCode and Visual Studio.
  • Duplicating prototype forms was not an option in the right click (copy and Paste worked and so did ALT+Drag).

On the positive side, Adobe is openly allowing people to suggest and vote on features here https://adobexd.uservoice.com

But with Adobe XD you have the flexibility of having a design and prototyping product in one package with new monthly features.

More to come.

Donate and make this blog better

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.2 added https://platforma.ws/ information.

etc

Short: https://fearby.com/go2/prototype/

Improving the speed of WordPress

by

This post shows my never ending quest to speed up WordPress for free.

Advertisement:



I have used to use WP Total Cache in the past but decided to check out what other recommended, I found this post 6 Best WordPress Caching Plugins Compared. Some WordPress Caching Plugins.

What plugin do I use?

Benchmark (No Caching Plugin)

I tested my site before installing a caching plugin with https://www.webpagetest.org/ and my site was loading in 21s (loading over 141 files).

My site loaded in a terrible 21.3 seconds. My blog is hosted on Jumba (Net Registry) on and Ultimate plan for $25 a month.

My site seems to deliver 70% images so I wonder if a page caching plugin can help?

I do run the EWWW Image Optimizer plugin to automatically compress images when I upload them to my site. Read my blog post on the EWWW Image Optimizer here.  I do keep images at a high quality to capture all details.

WP Fastest Cache Plugin

I have decided to try the WP Fastest Cache because it’s source was updated 4 hours ago compared to WP Super Cahches update 5 months ago. Both these plugins offer similar GT Metrix performance improvements and WP Fastest Cache has been tested on WordPress v4.8.

Installing WP Fastest Cache

I looked for the WP Fastest Cache Plugin on the WP plugin directory but it was not there.

I downloaded the latest version WP Fastest Cache from https://wordpress.org/plugins/wp-fastest-cache/

I upload the WP Faster Cache plugin to my site.

I Activated the plugin.

WP Fastest Cache plugin is now installed 🙂

It appears to have auto cached/indexed my site?

Now it’s time to run the same benchmark and see if the site is faster (with the same settings (Singapore chrome))?

1 of 3 test are under way.

WP Fastest Cache Results

Wow WP Fastest Cache loaded my site 2 seconds slower (Try 1 = 23 seconds, Try 2 =  21 seconds and Try 3 =  28 Seconds).

This could have been because of weekend traffic or hosting issues but this was not what I expected.

I disabled the WP Fastest Cache plugin and ran the benchmarks again and it was still 23 seconds (weekend traffic?). I re enabled WP Fastest Cache and re ran the test but no improvement.

My bad I think I needed to manually configure the WP Faster Cache plugin by opening the new WP Faster Cache menu on the left-hand side of the WP admin dashboard.

There I enabled caching options in the WP Faster Cache options.

I ran https://www.webpagetest.org tests again and got 16s, 18s and 16s seconds results in three tests and an A on compressed images. It appears you need to manually configure the WP Total Cache plugin after installing it (I missed this step).

I disable WP Fastest Cache and tried the WP Super Cache plugin and the test results were 29s, 24s, 24s (slower than WP Faster Cache). then tried W3 Total cache and the results were ()

I tried the W3 Total Cache plugin and the results were (30s, 16s 26s).

I Tried Autoptimize and it was tested at 45s.

It looks like WP Faster Cache is the fastest, ill turn it back on until try setup a CDN.

Fast Forward to Sept 2017

Since writing this post I have moved away from a shared C-Panel host and have moved my domain to a self-managed Vultr server closer to me, I have moved my email to Google G-Suite. I have learned how to deploy and manage WordPress by command line tools. I have set up servers on Digital Ocean before but the servers are located in Singapore and not Sydney and latency and scalability was poor. SSL will make sites slower and servers far away will just compound the issues.

Re enabling the WP Fastest Cache Plugin

I tried reinstalling the WP Fastest Cache plugin and for me, the plugin just slows down my site by 6 seconds.

I opened my NGINX config and got my NGINX user

My user is: www-data

I enabled the WP Fastest Cache plugin and ensured the WP Fastest Cache has ownership and access to the cache folder.

Below are the settings I use.

WP Fastest Cache

installing the WP-Optimize Plugin

I recommend setting up WP-Optimize plugin as it will optimize your database and keep things fast, it only saves me a second on my load times but this helps.

WP Optimize

WP-Optimize will allow for to review database optimizations

WP-Optimize database savings

Setting up Nginx GZip Compression

I set up my Nginx config to include

I set the minimum size to gzip too

Benchmark with G-Zip, Caching and WP Fastest Cache 

With WP Fastest Cache I now load my site in 13.9 seconds from Singapore. Time to disable WP Fastest cache plugin as it does not seem to be helping without linking to a CDN.

With Cache plugi

Setting up Browser Caching

I also setup browser caching by editing in NginX.

Added

Not sure if caching CSS and JS will cause problems in future?

Benchmark with G-Zip, Caching and without WP Fastest Cache (Singapore)

I re-ran the tests and got 10.9 seconds and got a B for cached content. When in Started on C-Panel I was getting near 30s

Benchmark

Benchmark with G-Zip, Caching and without WP Fastest Cache (Sydney)

I have always benchmarked from Singapore (as Sydney was not an option when I started) but now it is.  Out f curiosity is my website load time in Sydney?

8.2 seconds. Distance does affect performance.

Google Speed Insights

Google has an awesome tools to help you increase your benchmark mobile and desktop website speeds and reccomend focus areas to resolve problems: https://developers.google.com/speed/pagespeed/insights/

Mobile Speed Score

Desktop Speed Score

Tips

I was getting SVG files failing compassion tests so I added the following under allowed mime types under “http gzip_types” in /etc/nginx/nginx.conf

Minifying JS and CSS

This needs to be done and 50% of my site files appears to be CSS and JS related.

It looks like 30%~40 of your sites google speed index is related to minified/combined JS/CSS.

Google Speed Test

I installed the Fast Velocity Minify WordPress plugin.

I ran this to install it from the command line

Unzip

I activated the plugin and set some settings

Minify Settings

Verified minify logs

Logs

Google Page Insights can now see the minifies, css, js and html

Minified

Google Page Insights – Possible Optimizations

issues

And Google Ad Words and Google Analytics appear to be holding back Google Page Insight scores

Google adwords and Analytics

I am getting a few false positives with plugins javascript but that can be resolved another day.

Pingdom (Melbourne results)

3.2 seconds, a few false positives though.

Kingdom

I was going to test with https://www.webpagetest.org/ (from Singapore) but the service kept stalling and had too many tests before me (even from Sydney).

Wait

Address First Byte Time (todo)

If I look at the first-byte load results in the waterfall view my site is taking many seconds to deliver the first byte, this lowers the performance scores about 20%. I need to setup a CDN and or configure NGINX following this guide based on this manual configuration entry (I tried some of the Nginx settings but it appears I need to compile some performance settings into Nginx).

CDN (todo)

I am sure a Content Delivery Network (CDN) will help with the whole page deliver and first-byte times but I am trying to milk as much free as possible and limit future costs. A CDN will trigger higher monthly costs (any CDN providers want to donate a temporary pro plan for review purposes).

Misc Speed Articles

Configuring Ubuntu for Performance

Preventing applications swapping for disk (read more here)

I added this memory related setting.

This will all but prevent applications writing to disk (swap) when they are not active. I had free memory on my VM so I may as well use it.

I will monitor the free ram after reboot and play with php memory settings.

ram

Setup Lazyload for images in posts

Lazyload Plugin Settings

Lazyload

Placeholder Image ( Image: https://fearby-com.exactdn.com/wp-content/uploads/2017/09/placeholder.jpg )

Web Performance Test from Sydney

8.4 seconds ( Score Card F A A A C, was F F F A F ).  I was getting up to 28 second load times with Net Registry C Panel servers.

Static Content is cached but Googe Ad Sence, Google Analytics, and some plugins do block the score. The front page does have some features content that has to be loaded and can’t be minified or cached much.

Sydney Results

It is obvious I need to work in the initial websitee load (DNS, CDN or SSL), there sis  3 seconds I can save here.

3 sec

Configuring PHP for Performance

todo: PHP base config.

todo: PHP caching.

Conclusion

I was expecting WP Fastest Cache to deliver faster speeds but in reality but I am getting 4 seconds faster in WordPress. I was going to configure MaxCDN but they are to expensive. Fast Velocity Minify Plugin is working a treat 🙂

I ended up ditching the shared CPanel hosted domain and setup my own server for WordPress. My site seems a lot faster now. A friend set up CloudFlare with great success, more soon. I blogged about my server setup here.

Adding browser cache and compressing and moving away from CPanel to a self-managed server helped.

The only things to try now is to use a CDN and speed up the delivery of my site and improve the First Byte Time.

Donate and make this blog better




Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.932 added lazy load information (24th Sep 2017)

v1.952 added small changes (23rd Sep 2017)

etc

Run an Ubuntu VM system audit with Lynis

by

Following on from my Securing Ubuntu in the cloud blog post I have installed Lynis open source security audit tool to check out to the security of my server in the cloud.

Advertisement:


Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defences of their Linux and Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. https://cisofy.com/lynis and https://github.com/CISOfy/lynis.

It is easy to setup a server in the cloud (create a server on Vultr or Digital Ocean here). Guides on setting up servers exist ( setup up a Vultr VM and configure it and digital ocean server) but how about securing it? You can install a LetsEncrypt SSL certificate in minutes or setup Content Security Policy and Public Key Pinning but don’t forget to get an external in-depth review of the security of your server(s).

Lynis Security Auditing Tool

Preparing install location (for Lynis)

Install Lynis

Running a Lynus system scan

./lynis audit system -Q

Lynis Results 1/3 Output (removed sensitive output)

Lynis Results 2/3 – Warnings

I resolved the only warning by typing

After updating the Lynis system scan I re ran the text and got

Lynis Results 3/3 – Suggestions

Installing a Malware Scanner

Install ClamAV

Download virus and malware definitions (this takes about 30 min)

Output:

I had an issue on some boxes with clamav reporting I could not run freshclam

This was fixed by typing

Troubleshooting clamav

Clam AV does not like low ram boxes and may produce this error

It looks like the solution is to increase your total ram.

fyi: Scan with ClamAV

Re-running Lynis gave me the following malware status

Lynis Security rating

Installed

After re-running the test I got this Lynis security rating score (an improvement of 1)

Installed and configured debsums and auditd

Now I get the following Lynis security rating score.

Conclusion

Lynis is great great at performing an audit and reccomending areas of work to allow you to harden your system (brute force protection, firewall, etc)

Security Don’ts

  • Never think you are done securing a system.

Security Do’s

  • Update Software (and remove software you do not use.)
  • Check Lynis Suggestions and try and resolve.
  • Security is an ongoing process, Do install a firewall, do ban bad IP’s, Do whitelist good IP’s, Do review Logs,
  • Do limit port access, make backups and keep on securing.

I will keep on securing and try and get remove all issues.

Read my past post on Securing Ubuntu in the cloud.

Scheduling a auto system updates is not enough in Ubuntu (as it is not recommended as the administrator should make decisions, not a scheduled job).

fyi: CISOFY/Lynis do have paid subscriptions to have external scans of your servers: https://cisofy.com/pricing. (why upgrade?)

Lynis Plans

I will look into this feature soon.

Updating Lynis

I checked the official documentation and ran an update check

Not sure how to update?

I opened an issue about updating v2.5.5 here. I asked Twiter for help.

Twitter

Official Response: https://packages.cisofy.com/community/#debian-ubuntu

Git Response

Waiting..

I ended up deleting Lynis 2.5.5

Updated

And reinstalled to v2.5.8

Output:

More actions post upgrade to 2.5.8

  • Added a legal notice to “/etc/issues”, “/etc/issues.net” file’s.

Installing Lynis via apt-get instead of git clone

The official steps can be located here: https://packages.cisofy.com/community/#debian-ubuntu

Unfortunately, I had an error with “apt update

Error:

Complete install output

I reopened Github issue 491. A quick reply revealed that I did not put a space before “xenial” (oops)

fyi: I removed the dead keystore from apt by typing…

I can now install and update other packages with apt and not have the following error

I will remove the git clone and re-run the apt version later and put in more steps to get to a High 90’s Lynis score.

More

Read the official documentation https://cisofy.com/documentation/lynis/

Next: This guide will investigate the enterprise version of https://cisofy.com/pricing/ soon.

Hope this helps. If I have missed something please let me know on Twitter at @FearbySoftware

Donate and make this blog better



Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

v1.46 Git hub response.

Securing Ubuntu in the cloud

by

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

Advertisement:



If you do not secure your server expect it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple).  Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

Find open ports

Limit ssh connections

Read more here.

Use ufw to set limits on login attempts

Only allow known IP’s access to your valuable ports

Delete unwanted firewall rules

Only allow known IP’s to certain ports

Also, set outgoing traffic to known active servers and ports

Don’t use weak/common Diffie-Hellman key for SSL certificates, more information here.

More info on generating SSL certs here and setting here and setting up Public Key Pinning here.

Intrusion Prevention Software

Do run fail2ban: Guide here https://www.linode.com/docs/security/using-fail2ban-for-security

I use iThemes Security to secure my WordPress and block repeat failed logins from certain IP addresses.

iThemes Security can even lock down your WordPress.

You can set iThemes to auto lock out users on x failed logins

Remember to use allowed whitelists though (it is so easy to lock yourself out of servers).

Passwords

Do have strong passwords and change the root password provided by the hosts. https://howsecureismypassword.net/ is a good site to see how strong your password is from brute force password attempts. https://www.grc.com/passwords.htm is a good site to obtain a strong password.  Do follow Troy Hunt’s blog and twitter account to keep up to date with security issues.

Configure a Firewall Basics

You should install a firewall on your Ubuntu and configure it and also configure a firewall with your hosts (e.g AWS, Vultr, Digital Ocean).

Configure a Firewall on AWS

My AWS server setup guide here. AWS allow you to configure the firewall here in the Amazon Console.

TypeProtocolPort RangeSourceComment
HTTPTCP800.0.0.0/0Opens a web server port for later
All ICMPALLN/A0.0.0.0/0Allows you to ping
All trafficALLAll0.0.0.0/0Not advisable long term but OK for testing today.
SSHTCP220.0.0.0/0Not advisable, try and limit this to known IP’s only.
HTTPSTCP4430.0.0.0/0Opens a secure web server port for later

Configure a Firewall on Digital Ocean

Configuring a firewall on Digital Ocean (create a $5/m server here).  You can configure your Digital Ocean droplet firewall by clicking Droplet, Networking then Manage Firewall after logging into Digital Ocean.

Configure a Firewall on Vultr

Configuring a firewall on Vultr (create a $2.5/m server here).

Don’t forget to set IP rules for IPV4 and IPV6, Only set the post you need to allow and ensure applications have strong passwords.

Ubuntu has a firewall built in (documentation).

Enable the firewall

Adding common ports

Add a whitelist for your IP (use http://icanhazip.com/ to get your IP) to ensure you won’t get kicked out of your server.

More help here.  Here is a  good guide on ufw commands. Info on port numbers here.

If you don’t have a  Digital Ocean server for $5 a month click here and if a $2.5 a month Vultr server here.

Backups

rsync is a good way to copy files to another server or use Bacula

Basics

Initial server setup guide (Digital Ocean).

Sudo (admin user)

Read this guide on the Linux sudo command (the equivalent if run as administrator on Windows).

Users

List users on an Ubuntu OS (or compgen -u)

Common output

Add User

e.g

Add user to a group

Show users in a group

This will show users in a group

Remove a user

Rename user

Change user password

Groups

Show all groups

Common output

You can create your own groups but first, you must be aware of group ids

Then you can see your systems groups and ids.

Create a group

Permissions

Read this https://help.ubuntu.com/community/FilePermissions

How to list users on Ubuntu.

Read more on setting permissions here.

Chmod help can be found here.

Install Fail2Ban

I used this guide on installing Fail2Ban.

Check Fail2Ban often and add blocks to the firewall of known bad IPs

Best practices

Ubuntu has a guide on basic security setup here.

Startup Processes

It is a good idea to review startup processes from time to time.

Accounts

  • Read up on the concept of least privilege access for apps and services here.
  • Read up on chmod permissions.

Updates

Do update your operating system often.

Minimal software

Only install what software you need

Exploits and Keeping up to date

Do keep up to date with exploits and vulnerabilities

Secure your applications

  • NodeJS: Enable logging in applications you install or develop.

Ban repeat Login attempts with FailBan

Fail2Ban config

Hosts File Hardening

Add

Add a whitelist with your ip on /etc/fail2ban/jail.conf (see this)

Restart the service

Intrusion detection (logging) systems

Tripwire will not block or prevent intrusions but it will log and give you a heads up with risks and things of concern

Install Tripwire.

Running Tripwire

This will scan your system for issues of note

My Output.

More on Tripwire here.

Hardening PHP

Hardening PHP config (and backing the PHP config it up), first create an info.php file in your website root folder with this info

Now look for what PHP file is loadingPHP Config

Back that your PHP config file

TIP: Delete the file with phpinfo() in it as it is a security risk to leave it there.

TIP: Read the OWASP cheat sheet on using PHP securely here and securing php.ini here.

Some common security changes

Don’t forget to review logs, more config changes here.

Antivirus

Yes, it is a good idea to run antivirus in Ubuntu, here is a good list of antivirus software

I am installing ClamAV as it can be installed on the command line and is open source.

ClamAV help here.

Scan a folder

Setup auto update antivirus definitions