IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

Web Design

Create your first Hello World Electron app on OSX

by

Electron allows you to build cross-platform desktop apps with JavaScript, HTML, and CSS based on NodeJS. Electron’s home is https://electron.atom.io

Electron will allow you to build a web app and package it up to run locally with HTML and bootstrap or more advanced widgets like https://www.jqwidgets.com/ or ExtJS. Marc Fearby is creating a Git starter project for Electron with Sencha here. You can happily develop a local web app and have back-end available by an APIs if need be (read my guide on setting up and configuring a server and securing it and installing an SSL certificate).

Nodejs

Electorn requires NodeJS, please confirm your node version (in my case I have an old version installed)

Run the node installer from https://nodejs.org/en/download/

Electron Hello

Now I have the newer version on OSX

Create a folder for you Electron project (e.g  ~/Documents/ElectronApps/HelloWorld ).

Project Home

Navigate to that folder in the terminal

Now type: npm init

Installing Electron

verbose was added to allow you to see as the install could take  a while

Create a  javascript file as specified in your package.json

Contents of app.js

Update the package.json to include a start command (electron .)

Create an index.html file

Contents

Now we can start the app.

App

Electron Package Manager

You can install the Electron Packager to make Apps for desktop OS’s. Read more at https://github.com/electron-userland/electron-packager

Install the electron-packager module into your existing project.

If you receive the error “-bash: electron-packager: command not found” try and install the packager globally

Now we will package the app for OSX

I can now uninstall the electron packager from my project as it is now installed globally

Building apps on OSX

Build an OSX App

Rebuild an OSX app

This will build an OSX app

OSX App

Building apps on Windows

1) Ensure nodejs is installed (reboot if required)

node win

2) Test your app (npm start)
NPM Start

3) Install Electron Packager Globally

4) Don’t forget to install Electron on Windows

5) You can now package a Windows executable (TIP: Run the command as an Administrator to prevent write errors).

Win EXE

Advanced electron-packager commands

Build and specify a build number

Build ap with icons

electron-packager . --overwrite --arch=x64 --platform=darwin --prune=true --out=release-builds --icon=assets/icons/mac/icon.icns

Building linux app

Use sites like https://iconverticons.com/online/to generate icns files and place them in “assets\icons\mac\icons.icns”

View electron-packager issues here: https://github.com/electron-userland/electron-packager/issues

More to come..

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.0 Initial Post (24th Sep 2017)

etc

How to use Sublime Text editor locally to edit code files on a remote server via SSH

by

This guide will show you how to use Sublime Text editor locally to edit code files on a remote server via SSH.

This guide assumes oy already have a working SSH connection between your Mac and your remote server (with no firewall issues) and have configured SSH keys via modifying to authorized_keys file to enable SSH access.

Need a server?

I now use UpCLoud for cloud servers as they are super fast (read the blog post here). Get $25 free credit by signing up at UpCloud using this link.

UpCloud is way faster than Vulr.

Upcloud Site Speed in GTMetrix

Setting up slower region-specific servers can be found here. Set up a Server on Vultr here for as low as $2.5 a month or set up a Server on Digital Ocean (and get the first 2 months free ($5/m server)). I have a guide on setting up a Vultr server here or Digital Ocean server here.  Don’t forget to add a free LetsEncrypt SSL Certificate and secure the server (read more here and here).

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Setting up your local machine

Open Sublime Text 3 and press COMMAND+SHIFT+P to bring up the command bar and type Install and click Package Control: Install    Package and click it.

Sublime instal package

Wait a  few seconds for the packages list to show and type “rsub

Sublime Install RSUB

Ok let’s make an SSH alias to your server on your Mac by typing “sudo nano ~/.ssh/config

SSH Alias

Make these changes

ssh alias

File contents:

Now we can connect to the server via SSH by typing “ssh mysrv

ssh connect

After typing the server’s password you will be connected to the ssh server

Now on your local Mac load the following page in a web browser (and review the code): https://raw.github.com/aurora/rmate/master/rmate  and copy the contents to the clipboard.

On the remote server (the SSH one) type:

Now paste the contents or this page into nano editor and save it and exit nano.

Now run this chmod command to make the rmate file executable.

Now on the server, we can open any text file with rmate and have it open locally in Sublime via SSH.  Yes, Open a  file on a server and have it automatically open in locally 🙂

SSH

If you have many files to open then create a bash file to open files with rmate

sudo nano openfilesonmac.sh

Contents:

#!/bin/bash

rmate index.html 
rmate index1.html 
rmate index2.html 
rmate index3.html 
rmate index4.html 
rmate index5.html 
rmate index6.html 
rmate index7.html 
rmate index8.html 
rmate index9.html 
rmate index10.html

File permissions:

chmod +x openfilesonmac.sh

Now we can open may remote files locally by running the bash script.

All saves in Sublime locally are sent to the server 🙂

e.g

Still here, read more articles here or use the form below to ask a question or recommend an article.

Port Forwarding with vSSH on OSX

If you use a third party ssh program like vSSH you will also need to setup port forwarding to avoid this error

How.

port forward

Now you can open remote files locally with SSH or vSSH too.

Donate and make this blog better



Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.4 Added UpCloud Info.

v1.3 vSSH Port forwarding.

Securing Ubuntu in the cloud

by

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

If you do not secure your server expects it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple).  Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

Find open ports

Limit ssh connections

Read more here.

Use ufw to set limits on login attempts

Only allow known IP’s access to your valuable ports

sudo ufw allow from 123.123.123.123/32 to any port 22

Delete unwanted firewall rules

Only allow known IP’s to certain ports

Also, set outgoing traffic to known active servers and ports

Don’t use weak/common Diffie-Hellman key for SSL certificates, more information here.

More info on generating SSL certs here and setting here and setting up Public Key Pinning here.

Intrusion Prevention Software

Do run fail2ban: Guide here https://www.linode.com/docs/security/using-fail2ban-for-security

I use iThemes Security to secure my WordPress and block repeat failed logins from certain IP addresses.

iThemes Security can even lock down your WordPress.

You can set iThemes to auto lock out users on x failed logins

Remember to use allowed whitelists though (it is so easy to lock yourself out of servers).

Passwords

Do have strong passwords and change the root password provided by the hosts. https://howsecureismypassword.net/ is a good site to see how strong your password is from brute force password attempts. https://www.grc.com/passwords.htm is a good site to obtain a strong password.  Do follow Troy Hunt’s blog and twitter account to keep up to date with security issues.

Configure a Firewall Basics

You should install a firewall on your Ubuntu and configure it and also configure a firewall with your hosts (e.g AWS, Vultr, Digital Ocean).

Configure a Firewall on AWS

My AWS server setup guide here. AWS allow you to configure the firewall here in the Amazon Console.

Type Protocol Port Range Source Comment
HTTP TCP 80 0.0.0.0/0 Opens a web server port for later
All ICMP ALL N/A 0.0.0.0/0 Allows you to ping
All traffic ALL All 0.0.0.0/0 Not advisable long term but OK for testing today.
SSH TCP 22 0.0.0.0/0 Not advisable, try and limit this to known IP’s only.
HTTPS TCP 443 0.0.0.0/0 Opens a secure web server port for later

Configure a Firewall on Digital Ocean

Configuring a firewall on Digital Ocean (create a $5/m server here).  You can configure your Digital Ocean droplet firewall by clicking Droplet, Networking then Manage Firewall after logging into Digital Ocean.

Configure a Firewall on Vultr

Configuring a firewall on Vultr (create a $2.5/m server here).

Don’t forget to set IP rules for IPV4 and IPV6, Only set the post you need to allow and ensure applications have strong passwords.

Ubuntu has a firewall built in (documentation).

Enable the firewall

Adding common ports

sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 53
sudo ufw allow 443
sudo ufw allow 873
sudo ufw enable
sudo ufw status
sudo ufw allow http
sudo ufw allow https

Add a whitelist for your IP (use http://icanhazip.com/ to get your IP) to ensure you won’t get kicked out of your server.

sudo ufw allow from 123.123.123.123/24 to any port 22

More help here.  Here is a  good guide on ufw commands. Info on port numbers here.

If you don’t have a  Digital Ocean server for $5 a month click here and if a $2.5 a month Vultr server here.

Backups

rsync is a good way to copy files to another server or use Bacula

Basics

Initial server setup guide (Digital Ocean).

Sudo (admin user)

Read this guide on the Linux sudo command (the equivalent if run as administrator on Windows).

Users

List users on an Ubuntu OS (or compgen -u)

Common output

Add User

e.g

Add user to a group

Show users in a group

This will show users in a group

Remove a user

Rename user

Change user password

Groups

Show all groups

compgen -ug

Common output

compgen -g
root
daemon
bin
sys
adm
tty
disk
lp
mail
proxy
sudo
www-data
backup
irc
etc

You can create your own groups but first, you must be aware of group ids

cat /etc/group

Then you can see your systems groups and ids.

Create a group

Permissions

Read this https://help.ubuntu.com/community/FilePermissions

How to list users on Ubuntu.

Read more on setting permissions here.

Chmod help can be found here.

Install Fail2Ban

I used this guide on installing Fail2Ban.

Check Fail2Ban often and add blocks to the firewall of known bad IPs

Best practices

Ubuntu has a guide on basic security setup here.

Startup Processes

It is a good idea to review startup processes from time to time.

Accounts

  • Read up on the concept of least privilege access for apps and services here.
  • Read up on chmod permissions.

Updates

Do update your operating system often.

Minimal software

Only install what software you need

Exploits and Keeping up to date

Do keep up to date with exploits and vulnerabilities

Secure your applications

  • NodeJS: Enable logging in applications you install or develop.

Ban repeat Login attempts with FailBan

Fail2Ban config

Hosts File Hardening

Add

Add a whitelist with your ip on /etc/fail2ban/jail.conf (see this)

Restart the service

sudo service fail2ban restart
sudo service fail2ban status

Intrusion detection (logging) systems

Tripwire will not block or prevent intrusions but it will log and give you a heads up with risks and things of concern

Install Tripwire.

Running Tripwire

This will scan your system for issues of note

My Output.

sudo nano /var/log/tiger/security.report.username.170809-18:42

Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Wed Aug  9 18:42:24 AEST 2017
20:42> Beginning security report for username (x86_64 Linux 4.4.0-89-generic).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (bob) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass012w] Home directory /nonexistent exists multiple times (3) in
         /etc/passwd.
--WARN-- [pass012w] Home directory /run/systemd exists multiple times (2) in
         /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
         -r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID dnsmasq appears to be a dormant account.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
         accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root001w] Remote root login allowed in /etc/ssh/sshd_config

# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service ssmtp is also assigned to service
         urd.
--WARN-- [inet003w] The port for service pipe-server is also assigned to
         service search.

# Performing NFS exports check...

# Performing check of system file permissions...
--ALERT-- [perm023a] /bin/su is setuid to `root'.
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'.
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'.
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon).
--WARN-- [perm002w] The group owner of /usr/bin/at should be root.
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'.
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.

# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...

# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Possible Linux/Ebury - Operation Windigo installetd

# Performing system specific checks...
# Performing checks for Linux/4...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
         permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
         permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...

# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
         packets

# Verifying system specific password checks...

# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `stretch/sid'

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.devname' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.softdep' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.alias' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.builtin.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.symbols' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-87-generic/modules.dep.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.devname' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.softdep' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.alias' does not
         belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.builtin.bin'
         does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.symbols' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/modules/4.4.0-89-generic/modules.dep.bin' does
         not belong to any package.
--WARN-- [lin001w] File `/lib/udev/hwdb.bin' does not belong to any package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.
--FAIL-- [dev002f] /dev/fuse has world permissions
--WARN-- [dev003w] The directory /dev/hugepages resides in a device directory.
--FAIL-- [dev002f] /dev/kmsg has world permissions
--WARN-- [dev003w] The directory /dev/lightnvm resides in a device directory.
--WARN-- [dev003w] The directory /dev/mqueue resides in a device directory.
--FAIL-- [dev002f] /dev/rfkill has world permissions
--WARN-- [dev003w] The directory /dev/vfio resides in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
--FAIL-- [logf007f] Log file /var/log/messages does not exist

# Checking for correct umask settings for user login shells...
--WARN-- [misc021w] There is no umask definition for the dash shell
--WARN-- [misc021w] There is no umask definition for the bash shell

# Checking symbolic links...

# Performing check of embedded pathnames...
20:47> Security report completed for username.

More on Tripwire here.

Hardening PHP

Hardening PHP config (and backing the PHP config it up), first create an info.php file in your website root folder with this info

Now look for what PHP file is loadingPHP Config

Back that your PHP config file

TIP: Delete the file with phpinfo() in it as it is a security risk to leave it there.

TIP: Read the OWASP cheat sheet on using PHP securely here and securing php.ini here.

Some common security changes

Don’t forget to review logs, more config changes here.

Antivirus

Yes, it is a good idea to run antivirus in Ubuntu, here is a good list of antivirus software

I am installing ClamAV as it can be installed on the command line and is open source.

ClamAV help here.

Scan a folder

Setup auto-update antivirus definitions

I set auto updates 24 times a day (every hour) via daemon updates.

tip: Download manual antivirus update definitions. If you only have a 512MB server your update may fail and you may want to stop fresh claim/php/nginx and mysql before you update to ensure the antivirus definitions update. You can move this to a con job and set this to update at set times over daemon to ensure updates happen.

Manual scan with a bash script

Create a bash script

Bash script contents to update antivirus definitions.

Edit the crontab to run the script every hour

Uninstalling Clam AV

You may need to uninstall Clamav if you don’t have a lot of memory or find updates are too big.

Setup Unattended Ubuntu Security updates

At login, you should receive

Other

  • Read this awesome guide.
  • install Fail2Ban
  • Do check your log files if you suspect suspicious activity.

Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.92 added hardening a linux server link

4 Winning Tips for Online Startups

by

Are you trying to improve sales and visibility for your online startups? If you run a startup, you might have already realised by now that merely creating a stellar product or service isn’t enough. To sell your product or service in the digital world, you need to ensure the voice of your business reaches your target audience. When it comes to successfully running an online startup, the challenges are many and budget in most cases is limited. These four tips will help you improve the presence of your online startup and create a winning brand.

A Good Website Design

If you want to showcase the professionalism that your customers seek, you need to create a good website. A good website design can instantly win the heart of your prospects and make them browse through the pages of your website a little longer. The longer they stay on your website, the more are your chances of selling your products and services. So, invest in a good website design that will make your online startup look professional, reliable and trustable. A bad web design will immediately put your customer off and you definitely don’t want that to happen. See a professional web design company to create great website designs for your online startup.

Great content

As an online startup, you must have a solid web presence. Having a great web design is just one side of the coin. Think of your website as a vehicle and the content as passengers. So, you need to create great content to amplify your online presence. To start with, you can create a blog update it once a week and share those on social media platforms. By doing so, you will not only drive traffic but also boost your brand awareness. Make sure you load your product or service page with high-quality content that highlights the benefits of your products and answers customer’s questions. If you are running an e-commerce startup, paying attention to this aspect is imperative.

A Little Marketing

As a startup you can’t afford to spend big bucks on marketing. But, allocating a small portion of your budget towards digital marketing doesn’t sound too far-fetched, does it? In fact, with the help of inbound marketing, your return on investment could be tremendous. There are various agencies and individuals who provide such digital marketing services. If you don’t want to shell out a lot of money, these freelance internet marketers can help you out. So, don’t forget to tap into the power of digital marketing.

Attractive Discounts and Promotions

If you are selling products and services and you relatively new in the market, consider providing discounts and other promotional offers to improve sales. Through promotional offers, you can also improve the word of the mouth factor. Referrals can work well too. That way your existing customers will help you bring in new customers. In the past and even today, companies have leveraged promotional marketing techniques to transform their startups into market-leading businesses. A perfect example of this would be Uber.
With the help of this 4-point strategy, you can greatly improve the revenue and profit of your online startup.
Guest Post by www.webdesignperth.com.au

Guest Post by https://www.webdesignperth.com.au

webdesignperth

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]