for

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

March 23, 2018 by Simon Leave a Comment

It is possible to deploy a server in minutes to hours but it can take days to secure. What tools can you use to help identify what to secure on your website?

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line, installing a Free SSL certificate and setting up SSL security.

Security Tools

https://asafaweb.com/ is a good tool for quick scanning
Kali Linux has a number of security tools you can use.
You can run a system audit Lynis Audit.
Checking your site for vulnerabilities with Zap.
Run a Gravity Scan malware and supply chain scan
Use Qualys SSL scan to test your SSL certificate: https://www.ssllabs.com/ssltest/

Qualys SSL Labs SSL Tester is the best tool for checking an SSL certificate strength

Most people don’t know Qualys also has another free (limited to 10 scans) vulnerability scanner for websites.

Goto https://freescan.qualys.com/ and click Start your free account.

Complete the signup form

Now check your email to login and confirm your email account

Login now from the email.

Create a password (why the 25 char max Qualys?)

Enter your website URL and click Scan

The scan can take hours

While the scan was being performed I noticed that Qualys offers alerts (I’ll check this out later): https://www.qualys.com/research/security-alerts/

Yes, the scan can take hours, take a walk or read other posts here.

The scan is almost complete

Yay, my latest scan revealed 0 High, 0 Medium and 0 Low-risk vulnerabilities.

It did report 23 informational alerts like “Firewall Detected“.

Threat Report Results

Patch Report Results

This report was empty (probably because I don’t run Windows)

Threat Report Results

The OWASP report contained partial scan results (maybe the full report is available to pro users)

Previous Scan Results

The Qualys dashboard will show all past scans.

My first scan showed a Low priority issue with the /wp-login.php page as the input fields did not have “autocomplete=”off””, I fixed this by adding “autocomplete=”off”” the removing the page (safer).

The second scan found two issues with cookies (possibly ad banner cookies) and 2 subfolders that I created in past development exercises. I deleted the two sub-folders that were not needed.

The third scan was clean.

Here is a scan of a static website of a friends server (static can be less secure if the server underneath is old or unpatched).

Happy scanning. I hope this guide helps someone.

Ask a question or recommend an article

Revision History

v1.1 Static Web Server Scan

v1.0 Initial post

Using OWASP ZAP GUI to scan your Applications for security issues

March 17, 2018 by Simon 1 Comment

OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.

Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).

OWASP Top 10

OWASP has a top 10 list of things to review.

Download the OWASP 10 10 Application security risks PDF here form here.

Using the free OWASP Zap Tool

Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”

Zap Overview

Here is a quick demo of Zap in action.

Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.

Installing Zap

Download Zap from here.

Download Options

Download contents

Copy to the app to the OSX Application folder

App Installed

Open OSX’s Privacy and Security screen and click Open Anyway

OWASP Zap is now Installed

Ready for a Scan

But before we do let’s check out the Options

OWASP Zap allows you to label reports to ad from anyone you want.

Now let’s update the program and plugins, Click Manage Add-ons

Click Update All to Update addons

I clicked Update All

Installed some plugins

Zap is Ready

Add a site and right click on the site and you can perform an active scan or port scan.

First Scan (https failed)

I enabled unsafe SSL/TLS Renegotiation.

This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.

The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security

I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.

fyi: I own and set up the site I queried below.

OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.

Generating a Report

To generate a report click Report then the appropriate generation menu of choice.

FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.

I hope this guide helps someone. Happy software/server hardening and good luck.

More Reading

Check out my Kali Linux guide.

Ask a question or recommend an article

Revision History

v1.2 False Positive

v1.1 updated main features

v1.0 Initial post

Using Fritzing to draw electronic schematics for Arduino, Raspberry Pi and ESP8266

February 10, 2018 by Simon Leave a Comment

This guide will show how you can create an electronics schematic to represent elements of a circuit for Arduino, Raspberry Pi and ESP8266 micro-controllers.

Todo: Content
Wikipedia states here: “A schematic, or schematic diagram, is a representation of the elements of a system using abstract, graphic symbols rather than realistic pictures. A schematic usually omits all details that are not relevant to the information the schematic is intended to convey, and may add unrealistic elements that aid comprehension.” This guide will help you create schematics using Fritzing on OSX, you may still want to document your system requirements etc in Github or Bitbucket.

I am creating some small personal weather station on Arduino, Raspberry Pi and ESP8266 to submit data to cloud servers on Vutr (or AWS or Digital Ocean), read my guide on using Adminer to create and manage MySQL databases.

What are sensors

A sensor could detect temperature, humidity, barometric pressure, light and just about anything else.

Temperature, Humidity and Barometric sensor (bme280)

Most sensors work on low voltage have analogue or digital outputs (I2C or SPI) and require minimal wires. The real problem is having multiple sensors and wiring gets out of hand.

What is Arduino

Arduino is a low power 8bit and 32bit hardware/software product that you can rapidly wire up circuits and sensors. Sites like Adafruit sell loads of sensors and develop a lot of software libraries to drive sensors.

Non-genuine Arduino boards age mega cheap on eBay.

Arduino has slide-on shields that can be pushed onto an Arduino board to expand them.

Pros

Cheap
Loads of support
Good analogue sensor support

Cons

Limited monitor support

Sensors or expansions can come in shields or be connected to pins with wires.

What is Raspberry Pi

Raspberry Pi is also a single board computer but with a more powerful ARM processor that runs a Linux operating system from an SD card. Raspberry Pi’s are essentially small desktop computers. Raspberry Pi’s have USB, can plug into a monitor, have a bootable desktop have Arduino like GPIO pins that can talk to sensors (but not as many analogue sensors).

Pros

Very Powerful.
Desktop Operating System included.
Can talk to sensors.
Good GPIO pins for controlling the real world.
Has HDMI monitor output.

Cons

Full kits are expensive.
Low analogue read pins.
Failure to shut down correctly can corrupt the OS.

What is ESP8266

Pros

Cheap
Good Analog and digital puns
Code in Arduino IDE
Has WiFi

Cons

Limited monitor support

Installing Fritzing

Fritzing is a software package that can allow you to design and learn electronic schematics (filter by kid level, amateurs, master or higher).

Goto: http://fritzing.org/

Click Download and Donate

Click Download and choose the right version for your Operating System

Copy the app to your Application folder

Open the app a few times (open, wait, proceed, close, open wait proceed etc) to ensure parts updates are installed.

Fritzing Introduction on YouTube

Watch the Introduction video for Fritzing here

Fritzing Killer Tips Series on YouTube

Watch Fritzing Killer Tips 001 The generic IC

Extending Fritzing

Fritzing allows you to import new parts and design your own parts or ask Fritzing to design a part for you.

I was able to import a bme280 sensor within seconds.

If a part does not exist in the forums search google for “partname” and “.fzpz”

I was able to find an ESP8266 Node MCU from https://github.com/squix78/esp8266-fritzing-parts/tree/master/nodemcu-v1.0

It looks like Fritzing has all the parts I need to work with (Pi, Arduino and Node MCU’s).

Fritzing Views

Coming soon (Views: Breadboard, schematic, PCB, code).

Designing and Ordering a PCB

Coming soon.

Find Fritzing Projects

You can find all community created Raspberry Pi Fritzing Projects below.

http://fritzing.org/projects/by-tag/raspberry%20pi/

Arduino Fritzing Projets:

http://fritzing.org/projects/by-tag/arduino/

ESP8266 Fritzing Projets:

http://fritzing.org/projects/by-tag/esp8266/

Happy coding and I hope this helps someone.

More to come.

Making a PCB

Bonus: It is possible to order your own physical PCB from say
https://easyeda.com but you will need to export your schematic from Fritzing to Eagle (or manually create your PCB in Easy EDA online IDE).

Download Eagle:
https://www.autodesk.com/products/eagle/free-download

Easy EDA guides here:

How to make a custom PCB in Easy EDA (Part 1):

How to make a custom PCB in Easy EDA (Part 2):

I will try and find a PCB manufacturer that accepts orders from Fritzing exports.

More Reading

https://www.raspberrypi.org/magpi/

Free MagPi magazine Issues.

Donate and make this blog better

Ask a question or recommend an article

Revision History

V1.1 Making a PCB info

v1.0 Initial Draft

Using the free Adminer GUI for MySQL on your website

February 8, 2018 by Simon 2 Comments

Adminer is a free GUI tool that can you can easily install on a PHP web server. Adminer allows you to easily connect to your MySQL instance, create databases/tables/indexes/rows and backup/import databases and much more.

You can read my other posts on Useful Linux Terminal Commands and Useful OSX Terminal Commands.

I used to use phpMyAdmin to manage MySQL databases on AWS, Digital Ocean and Vultr but switched to Adminer due to forgotten issues. You can always manage MySQL via command line but that is quite boring.

The below screenshots were taken on my local Development Mac Laptop (with optional OSX Apache SSL Setup (that reports “Not Secure” (but it is good enough to use locally)). I prefer to code in SSL and warn when SSL is not detected.

Downloading and Installing Adminer

Navigate to https://www.adminer.org/ and click Download.

Click English only (.php file)

Save the Adminder for MySQL (.php) file to your web server and give it a random name and put in a folder also with a random name (I use https://www.grc.com/passwords.htm to generate strong password).

Tip: Uploading this file to a live serve offers hackers and unauthorized people potential access to your MySQL server. I would remove this file from live serves when you are not using it not to be sure.

Tip: Read my guide here on setting up NGINX, MySQL and PHP here. Basically I did this to setup MySQL on Ubuntu 16.04.

sudo apt-get install mysql-common
sudo apt-get install mysql-server
mysql --version
>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper
sudo mysql_secure_installation
>Y (Valitate plugin)
>2 (Strong passwords)
>N (Don't chnage root password)
>Y (Remove anon accounts)
>Y (No remote root login)
>Y (Remove test DB)
>Y (Reload)
service mysql status
> mysql.service - MySQL Community Server

sudo apt-get install mysql-common

sudo apt-get install mysql-server

mysql --version

>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper

sudo mysql_secure_installation

>Y (Valitate plugin)

>2 (Strong passwords)

>N (Don't chnage root password)

>Y (Remove anon accounts)

>Y (No remote root login)

>Y (Remove test DB)

>Y (Reload)

service mysql status

> mysql.service - MySQL Community Server

TIP: Ensure MySQL is secure and has a good root password, also consider setting up Ubuntu Firewalls and Securing Ubuntu. Also ensure the Server is patched and does not have exploits like Spectre and meltdown.

Now you can access your Admirer php file on your Web Server (hopefully with an obfiscated name).

Click Create databaase

Give the database a name and choose the character coding standard (e.g UTF8 ceneral ci). Different standards have different performance impacts too.

Now that you have a database you can create a table.

Consider adding an auto-incrementing ID and say a Key and Value varchar column.

When the table is created you can add a row to the table.

I created one with a “TestKey” and “TestValue” row.

The row was inserted.

The final thing to do is add a database user that code can connect to the database with. Click Privileges.

Click Create user

Tick All privileges and click Save

Now the user is added to the database

Let’s create a PHP file and talk to the database. Let’s use parameterized queries

<?php

date_default_timezone_set('Australia/Sydney');
echo "Last modified: " . date ("F d Y H:i:s.", getlastmod()) . "<br /><br />";

// Turn on if you need to see errors
// error_reporting(E_ALL);
// ini_set('display_errors', 0);

$dbhost = '127.0.0.1';
$dbname = 'dbtest';
$dbusername = 'dbtestuser';
$dbpassword = '*****************************************'';

$con = mysqli_connect($dbhost, $dbusername, $dbpassword, $dbname);
 
// Turn on debug stuff if you need it
// echo var_dump($con);
// printf(" - Error: %s.n", $stmt->error);
 
if($con->connect_errno > 0){

    printf(" - Error: %s.n", $stmt->error);
    die("Error: Unable to connect to MySQL");

} else {

    echo "Charset set to utf8<br />";
    mysqli_set_charset($con,"utf8");
}
 
if (!$con) {

    echo "Error: Unable to connect to MySQL (E002)" . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;

} else {

    echo "Database Connection OK<br />";
 
    echo "&nbsp; Success: A proper connection to MySQL was made! The $dbname database is great." . PHP_EOL . "<br />";
    echo "&nbsp; &nbsp;- Host information: " . mysqli_get_host_info($con) . PHP_EOL . "<br />";
    echo "&nbsp; &nbsp;- Server Info: '" . mysqli_get_server_info($con) . "'<br />";
    echo "&nbsp; &nbsp;- Server Protocol Info : ". mysqli_get_proto_info($con) . "<br />";
    echo "&nbsp; &nbsp;- Server Version: " . mysqli_get_server_version($con) . "<br />";
    //echo " - Server Connection Stats: " . print_r(vmysqli_get_connection_stats($con)) . "<br />";
    echo "&nbsp; &nbsp;- Client Version: " . mysqli_get_client_version($con) . "<br />";
    echo "&nbsp; &nbsp;- Client Info: '" . mysqli_get_client_info() . "'<br />";
 
    echo "Ready to Query the database '$dbname'.<br />";
 
    // Input Var's that are parameterized/bound into the query statement
    $in_key = mysqli_real_escape_string($con, 'TestKey');
 
    // Output Var's that the query fills after querying the database
    // These variables will be filled with data from the current returned row
    $out_id = "";
    $out_key = "";
    $out_value = "";
 
    echo "1. About to query the database: '$dbname'<br />";
    $stmt = mysqli_stmt_init($con);

    $sql = "SELECT testid, testkey, testvalue FROM tbtest WHERE testkey = ?";
    echo "SQL: $sql (In = $in_key)<br /";

    if (mysqli_stmt_prepare($stmt, $sql)) {

            echo "2. Query Returned<br />";
            /*
                Type specification chars
                Character   Description
                i   corresponding variable has type integer
                d   corresponding variable has type double
                s   corresponding variable has type string
                b   corresponding variable is a blob and will be sent in packets
            */
            mysqli_stmt_bind_param($stmt, 's', $in_key);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_bind_result($stmt, $out_id, $out_key, $out_value);
            mysqli_stmt_fetch($stmt);
     
            // Do something with the 1st returned row        
            echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value <br />";//

            // Do we have more rows to process
            while($stmt->fetch()) { 
                
                    // Output returned values
                    echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value <br />";//
            
            }
            mysqli_stmt_close($stmt);
            
            echo "Done<br />";
        
        } else {
        
            echo "3. Error Querying<br/>";
            printf(" - Error: %s.n", $stmt->error);
        
        }
}    
?>

100

101

102

103

104

105

106

<?php

date_default_timezone_set('Australia/Sydney');

echo "Last modified: " . date ("F d Y H:i:s.", getlastmod()) . " ";

// Turn on if you need to see errors

// error_reporting(E_ALL);

// ini_set('display_errors', 0);

$dbhost = '127.0.0.1';

$dbname = 'dbtest';

$dbusername = 'dbtestuser';

$dbpassword = '*****************************************'';

$con = mysqli_connect($dbhost, $dbusername, $dbpassword, $dbname);

// Turn on debug stuff if you need it

// echo var_dump($con);

// printf(" - Error: %s.n", $stmt->error);

if($con->connect_errno > 0){

printf(" - Error: %s.n", $stmt->error);

die("Error: Unable to connect to MySQL");

} else {

echo "Charset set to utf8 ";

mysqli_set_charset($con,"utf8");

}

if (!$con) {

echo "Error: Unable to connect to MySQL (E002)" . PHP_EOL;

echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;

echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;

exit;

} else {

echo "Database Connection OK ";

echo "  Success: A proper connection to MySQL was made! The $dbname database is great." . PHP_EOL . " ";

echo "   - Host information: " . mysqli_get_host_info($con) . PHP_EOL . " ";

echo "   - Server Info: '" . mysqli_get_server_info($con) . "' ";

echo "   - Server Protocol Info : ". mysqli_get_proto_info($con) . " ";

echo "   - Server Version: " . mysqli_get_server_version($con) . " ";

//echo " - Server Connection Stats: " . print_r(vmysqli_get_connection_stats($con)) . " ";

echo "   - Client Version: " . mysqli_get_client_version($con) . " ";

echo "   - Client Info: '" . mysqli_get_client_info() . "' ";

echo "Ready to Query the database '$dbname'. ";

// Input Var's that are parameterized/bound into the query statement

$in_key = mysqli_real_escape_string($con, 'TestKey');

// Output Var's that the query fills after querying the database

// These variables will be filled with data from the current returned row

$out_id = "";

$out_key = "";

$out_value = "";

echo "1. About to query the database: '$dbname' ";

$stmt = mysqli_stmt_init($con);

$sql = "SELECT testid, testkey, testvalue FROM tbtest WHERE testkey = ?";

echo "SQL: $sql (In = $in_key)<br /";

if (mysqli_stmt_prepare($stmt, $sql)) {

echo "2. Query Returned ";

Type specification chars

Character Description

i corresponding variable has type integer

d corresponding variable has type double

s corresponding variable has type string

b corresponding variable is a blob and will be sent in packets

mysqli_stmt_bind_param($stmt, 's', $in_key);

mysqli_stmt_execute($stmt);

mysqli_stmt_bind_result($stmt, $out_id, $out_key, $out_value);

mysqli_stmt_fetch($stmt);

// Do something with the 1st returned row

echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value ";//

// Do we have more rows to process

while($stmt->fetch()) {

// Output returned values

echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value ";//

}

mysqli_stmt_close($stmt);

echo "Done ";

} else {

echo "3. Error Querying ";

printf(" - Error: %s.n", $stmt->error);

}

Result

If you don’t have a server check out my guides on AWS, Digital Ocean and Vultr.

Happy coding and I hope this helps someone.

Donate and make this blog better

Ask a question or recommend an article

Revision History

v1.0 Initial Version

Scanning WordPress with Gravity scan for free to detect Supply Chain Attacks and WordPress malware

January 5, 2018 by Simon 1 Comment

A recent trend with some WordPress Plugins (and Google Chrome Extensions) is malicious parties will purchase existing plugins (extensions) and inject malicious code into new versions to infect sites and software, this is called “Supply Chain Attacks”. This is a personal unpaid review of Gravity Scan.

Update Feb 2018: Gravity Scan is shutting down 🙁

Recently WordFence wrote a blog post about Supply Chain Attacks found cases where older plugins are being purchased by malicious people in order to infect WordPress sites. WordPress CMS apparently runs 29% of the websites on the internet. Wordfence is a firewall and Gravity Scan is vulnerability scanner, they complement each other.

I have blogged here about setting up WordPress via Command line and setting up an Ubuntu server for as low as 42.5 a month on Vultr.

What can you do to protect your WordPress sites from “Supply Chain Attacks”? First, install the WordFence plugin (I blogged about it here). Wordfence gives you a great set of security settings and reports to keep your site safe. The Wordfence dashboard page on your site is a good place to stay up to date.

WordFence is a Firewall, Gravity scan is a vulnerability and malware scanner. Read more here.

Gravity Scan

Gravity scan is also made by the WordFence people to enable external audits and reports.

At login, you will be prompted to add a domain.

Scan

tip: You may want to whitelist Gravity scan servers. Read my guide about securing Ubuntu in the cloud.

sudo ufw allow from 68.64.48.0/27 to any port 443

1	sudo ufw allow from 68.64.48.0/27 to any port 443

A site scan will automatically be started.

Scan Results

Post Scan Actions

Speed Up future scans by downloading the Install Gravity Scan Accelerator (by clicking “Not instaled” under “Accelerator” in scan results) and follow the instructions to download, upload and verify the accelerator.

Read the Gravity Scan Accelerator Install Instructions here.

tip: I had to run the following command to make the

sudo chown www-data.www-data /www/gravityscan-agent-#############################################.php

1	sudo chown www-data.www-data /www/gravityscan-agent-#############################################.php

I also clicked “Trust Badge” link and added the script code to my site and verified it.

I now have a scan badge in my site footer.

Future scans are all good to go.

New Scan Options

It looks as if the accelerator gives more server-side verifications of checks of WordPress and PHP versions etc.

Go Pro

Gravity Scan also offers a non-free (paid) version where you can enable more options, enable scan schedules and set up SMS alerts and more for $4.95 a month per site.

To be honest I am happy with performing manual scans and I’d rather pay for a premium WordFence subscription first.

The Catch

Hang on Gravity scan requires a Pro membership to see High and Critical issues 🙁

I decided not to go pro to reveal issues.

A few months later

I started receiving scan results with severity Critical (but I can’t see results until I start a trail (and enter payment details)).

Time to start a trial

I started a trial and full details were shown, the critical error was my fault

Critical Issue

This was my fault, I left a previous version of WordPress in a subfolder from when I moved the site to a self-managed server. A quick few Linux commands later (removed) and this was fixed.

High Issue

Publically accessible file (fixed with a chmod command)

Current Scan Results

Remote Scan Options

Daily Scans, Alter levels, Malware, Vulnerability and status checks. Definitely, install the Accelerator as it found my local backup of WordPress.

Pros

Found a publically readable file
Found a past copy of my WordPress site (and all known issues with the old WordPress backup).
Can setup daily remote scans.

Cons

You have to go pro.
Cant read my NGINX version (“Nginx version not detected, Gravityscan is unable to detect any associated vulnerabilities.“). I logged a ticket. Surely they can add a shell to”nginx -v” to the scan accelerator.
No word fence discount bundle?
Gravity scan and Word fence on twitter are slow to respond.

More to come.

More Reading

Hope this helps someone.

Donate and make this blog better

Ask a question or recommend an article

Revision History

V.1.5 Gravity Scan shutting down

v1.4 Added remote scan options

v1.3 Pros and Cons and current results.

v1.2 Added more

v1.1 Fixed a few issues

v1.0 Initial Version

Security checklist for securing a self-managed Ubuntu server in the cloud

November 2, 2017 by Simon 4 Comments

Below is a (perpetually updated) security checklist for securing a self-managed Ubuntu server. Recently WordPress released patch v4.8.3 that fixed some SQL injection issues. Is your OS, Database, Web Server, OS and software up to date?

Although I have recently blogged about securing Ubuntu in the cloud, and running a server Audit with Lynus, this new post is really about obtaining a mindset change and allocating time (each week) to ensure your self-managed servers and software is kept up to date. You can easily list down the actions you need to follow but keeping a system up to date is hard work. Sites like www.shodan.io will reveal what servers or services are vulnerable, let software updates lapse long enough and an open exploit may open a hole to your system. It only takes minutes to set up a $2.5 a month Ubuntu server with Vultr, $5 a month Digital Ocean Server or AWS server but you need to maintain it.

I highly recommend that you watch the following video that highlights the need for even minor vulnerabilities to be patched asap. If you leave one minor vulnerability open you will give hackers a foothold into your system.

Follow @jawache on twitter.

Troy Hunt has a great post about the simplicity of hacking. Hacking is child’s play.

General Security Checklist

Do Setup a Firewall and only allow needed ports to accept data (use tools like Portscan and Shodan.io to find open ports).
Use least access permissions (on NGINX, PHP and MySQL processes).
Use strong unique passwords for every service (1Password and sites like Gibson Research Corp have password generators, use www.howsecureismypassword.net to check tour passwords strength)
Enable logging.

Find log files on your system:

cd /
find -iname "*.log"

1 2	cd / find -iname "*.log"

Output (handy logs to review):

./var/log/mongodb/mongod.log
./var/log/fail2ban.log
./var/log/mysql/error.log
./var/log/ufw.log
./var/log/lynis.log
./var/log/dpkg.log
./var/log/nginx/error.log
./var/log/nginx/nginxcriterror.log
./var/log/nginx/access.log
./var/log/audit/audit.log
./var/log/php7.0-fpm.log
./var/log/mail.log
./backup/backup.log
./scripts/boot.log
etc

./var/log/mongodb/mongod.log

./var/log/fail2ban.log

./var/log/mysql/error.log

./var/log/ufw.log

./var/log/lynis.log

./var/log/dpkg.log

./var/log/nginx/error.log

./var/log/nginx/nginxcriterror.log

./var/log/nginx/access.log

./var/log/audit/audit.log

./var/log/php7.0-fpm.log

./var/log/mail.log

./backup/backup.log

./scripts/boot.log

etc

Enable brute force detection and banning (fail2ban etc) Read more here.
Secure folders with service accounts.
Do secure software (e.g WordPress Wordfence)
Do use SSL Certificates (and use modern cyphers and test with https://www.ssllabs.com/ssltest/)
Monitor SSL vulnerabilities.
Do a Lynis security report.
Install a Virus scanner (read here).
Secure MySQL/Databases.

First, find the version of MySQL

mysql --version
mysql  Ver 14.14 Distrib 5.7.19, for Linux (x86_64)

1 2	mysql --version mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64)

Read the official MySQL manual here and security guidelines here.

Read this Digital Ocean guide on securing MySQL.

Other: _______

Application (coding) checklist

Retain and protect information.

Disable errors (PHP: turn off or here)
Enable logging (web server, PHP and or node)
Sanitize data (never trust uses data) in code (see how to do this in PHP 7)
Do no develop on production boxes (use parameterised queries and follow OWASP application security procedures.
Read the OWASP Secure Coding Practices – Quick Reference Guide

Infrastructure

Plan for the worst, hope for the best.

Use the latest Long Term Support (LTS) version or Ubuntu
Update packages

View app packages (Ubuntu 16.04) with updates

sudo /usr/lib/update-notifier/apt-check -p

1	sudo /usr/lib/update-notifier/apt-check -p

View app packages (Ubuntu 16.04) with updates

apt list --upgradable

1	apt list --upgradable

To update packages type (remember to backup data and config files first)

sudo apt-get update && sudo apt-get upgrade

1	sudo apt-get update && sudo apt-get upgrade

Among other things, you will see the following information

The following packages will be upgraded:
  binutils certbot cracklib-runtime curl distro-info-data grub-common grub-pc grub-pc-bin grub2-common initramfs-tools initramfs-tools-bin initramfs-tools-core libapache2-mod-php7.0
  libcrack2 libcurl3 libcurl3-gnutls libgnutls-openssl27 libgnutls30 libicu55 libpam-systemd libsystemd0 libudev1 linux-firmware linux-libc-dev lshw mdadm mysql-client-5.7
  mysql-client-core-5.7 mysql-common mysql-server mysql-server-5.7 mysql-server-core-5.7 nodejs php7.0 php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-imap
  php7.0-intl php7.0-json php7.0-ldap php7.0-mbstring php7.0-mysql php7.0-opcache php7.0-pgsql php7.0-phpdbg php7.0-pspell php7.0-readline php7.0-recode php7.0-snmp php7.0-tidy
  php7.0-xml php7.0-zip python-acme python-certbot python-certbot-nginx python-cffi-backend python-chardet python-idna python-six python3-chardet python3-distupgrade python3-six
  python3-update-manager systemd systemd-sysv ubuntu-release-upgrader-core udev update-manager-core wget

The following packages will be upgraded:

binutils certbot cracklib-runtime curl distro-info-data grub-common grub-pc grub-pc-bin grub2-common initramfs-tools initramfs-tools-bin initramfs-tools-core libapache2-mod-php7.0

libcrack2 libcurl3 libcurl3-gnutls libgnutls-openssl27 libgnutls30 libicu55 libpam-systemd libsystemd0 libudev1 linux-firmware linux-libc-dev lshw mdadm mysql-client-5.7

mysql-client-core-5.7 mysql-common mysql-server mysql-server-5.7 mysql-server-core-5.7 nodejs php7.0 php7.0-cli php7.0-common php7.0-curl php7.0-dev php7.0-fpm php7.0-gd php7.0-imap

php7.0-intl php7.0-json php7.0-ldap php7.0-mbstring php7.0-mysql php7.0-opcache php7.0-pgsql php7.0-phpdbg php7.0-pspell php7.0-readline php7.0-recode php7.0-snmp php7.0-tidy

php7.0-xml php7.0-zip python-acme python-certbot python-certbot-nginx python-cffi-backend python-chardet python-idna python-six python3-chardet python3-distupgrade python3-six

python3-update-manager systemd systemd-sysv ubuntu-release-upgrader-core udev update-manager-core wget

Show available updates

/usr/lib/update-notifier/apt-check --human-readable
0 packages can be updated.
0 updates are security updates.

/usr/lib/update-notifier/apt-check --human-readable

0 packages can be updated.

0 updates are security updates.

Only work on code checked into GitHub or BitBucket (You will thank me when data or servers disappear).
Backup configuration files or backup to remote servers (my rsync guide here)
Use snapshots of VM’s.
Use Green/Blue server deployments (toggle one server a Prod and the other and Dev/Test and have one ready for a hot spare). Digital Ocean has a good guide here.
Consider forcing Content Security Polic and Public Key Pinning or at least using LetsEncrypt SSL certificates.
Take Snapshots of VM’s (automate)
Backup MySQL databases:

sudo mysqldump --all-databases > /backup/dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql -u root -p

1	sudo mysqldump --all-databases > /backup/dump-$( date '+%Y-%m-%d_%H-%M-%S' ).sql -u root -p

Other Useful Linus Terminal Commands.

Mindset/Culture

Dedicate time to securing your site.

Spend one day a week (or automate) the updating of the OS/Software (no excuses).
Follow people on twitter and subscribe to newsletters of those that are security conscious

Don’t forget to read securing Ubuntu in the cloud blog post here.

And check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

More to come..

Donate and make this blog better

Ask a question or recommend an article

v1.2 added link to Hardening Linux Server link

v1.1 added @jawache link

Short (Article):

Infographic: So you have an idea for an app

October 31, 2017 by Simon 2 Comments

I created this graphic as I was asked by multiple people how to develop an app. This does not include tips on coding but many people with the non-technical prerequisites to building an app.

I hope this graphic helps someone (It’s my first infographic/decision flow image, feedback welcome).

So You Have an Idea For An App: Graphic

Click for larger version.

Standalone Image URL’s

v1.3 (22nd November 2017)
  https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-3.jpg
v1.2 (4th Nov 2017, Added requirements and MoSCoW): 
  https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-2.jpg
v1.1 (1st Nov 2017, Fixed Typos): 
  https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-1.jpg

todo: Things to add Issues to fix in 1.4:
 - Add user personas and Epic, Story and Task stages.
 - How to capture good stories (and validated ideas (landing pages/interviews/problems/value/painpoints)

v1.3 (22nd November 2017)

https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-3.jpg

v1.2 (4th Nov 2017, Added requirements and MoSCoW):

https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-2.jpg

v1.1 (1st Nov 2017, Fixed Typos):

https://fearby.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-1.jpg

todo: Things to add Issues to fix in 1.4:

- Add user personas and Epic, Story and Task stages.

- How to capture good stories (and validated ideas (landing pages/interviews/problems/value/painpoints)

Define the problem(s) (pain points)

Before you start coding, do list your app requirements (problem’s to solve (pain points)).

Atlassian JIRA or Trello can help with this. I personally use (and like) Atlaz.io (now Hygger), I reviewed the BETA here).

Using Trello lists are also a simple way to capture tasks/ideas.

More on these Read more here also read my Atlaz.io BETA Preview here.

Nothing beats pen and paper too.

Moscow Prioritization

Must-Have Should-Have, Could-Have and Won’t-have are buckets you should sort ideas into. If you have trouble moving items away from Must to Should, Could or Won’t then assign a fictitious monetary value to spend on each item and that will help you decide what is more important.

Read this MoSCoW article at Wikipedia: https://en.wikipedia.org/wiki/Moscow

Managing MoSCoW tasks on paper is OK if you do not want to use planning software.

More

Read my guide on how to prototype apps with Adobe XD guide here. You can also Prototype a Web app with Platforma (review here).

Read my post on how to develop software and stay on track.

Research

Do research your idea for market fit/need, competition, complexity, legal and validate ideas early. It’s best to find out early that Google will quote $60,000+ TAX a year to allow you to use Google map’s in your app early, then you can use https://www.mapbox.com for $499 a year.

Do you have competition?

Some people say “don’t develop an app that already exists”. Why would you develop a new Uber app? Henry Ford did make a new transportation mode when people were happy with horses, other car manufacturers like Tesla are moving in on the space so don’t be discouraged.

Landing Page

A landing page with a signup form (Newsletter and Register Interest) form is a good way to validate ideas and get feedback early (I would suggest you use a free Mainchimp signup form, a generated website with Platforma on a $5/m server for quick results). There is no point coding and launching to crickets.

Do you have an app Prototype or Mock-Up?

This is very important and easy step. Programs like Adobe XD CC (read my guide here) and Balsamiq can help you prototype an app, Platforma can help you prototype web apps.

Have you validated your idea (app) with end users?

If you don’t do this you are mad. Watch this video to see lessons learned from Trades Cloud.

Is this app idea a hobby (passion)?

This can help you limit costs and expectations. Cheap serves exist (read here and here).

Do you have time to develop/manage this?

Developing and managing an app and planning (paying for) development cycle can be time-consuming and mentally draining.

Can you code?

Do you need to hire developers or learn to code? Blog post coming soon on how to hire coders.

Do you have funds?

Having funds on hand to set up and build an app is very important.

Do you want to hide developers (or get Venture Capital)?

This can help you get moving but you will have to give away a slice of the profits and or IP, managing mentors and VC’s can be tiresome.

Have you set failure criteria (post-mortem)?

Read this page on lessons learned from over 200 startup failures, save your favourites. Having realistic goals and limits is a wise idea, do stop when you reach preset limits.

Do you have a business case?

There are plenty of business case generator template, you will want to document some of the following.

What is your apps Purpose – App X will be..
What is your Mission Statement – App X will..
Who are your Target Customers – Retail..
Who are the Early Adopters – Retail..
What Problems does your app solve – App X will..
What Milestones will your app go through – iOS, Android, Apple TV, Web etc..
What Existing solutions exist – App: A, B and C..
How does your app Solve your customer’s problems (pain points) – App X will..
How will your app Find customers – Word of Mouth, Referrals, Advertisements?
What is your Revenue model – Sales, Ad’s, Subscriptions?
What is your apps Goal statement – App X will hit X users in X?
What are your apps Failure points – If app X does not reach X or monthly costs reach Y….
What is your Marketing message – App X will..
What is your apps Metrics – iOS, Android, Apple TV apps..
What is your Unfair Advantage – Why will you succeed over others?

Are you using a project management methodology?

Proven Methodology can help you develop software and stay on track, software like Atlaz, JIRA or Trello are highly recommended tools. Capturing ideas and processing feedback in tools is very important.

Before you code (or hire coders) use source code versioning software like GitHub and Bitbucket (guides here and here). You want to retain the code and insist on owning it.

Product Goal

Simon Sinek has a good video on companies (or Products) being in a finite or infinite game.

Are you in full control of your development stack?

If you are not a developer you may not care if you are in control, but you will if there are issues with hired developers or issues with service providers. I moved from CPanel to self-managed servers, moved from IBM Cloudant to Digital Ocean to AWS then Vultr servers where I can have full control or scalability, features, security and costs.

Can you forecast the costs?

Lowering cost and boosting performance is important and having spare money is a good thing.

I read recently that Telsla is burning through $6,000 a minute and is forecast to need something like 2 billion dollars in the next 2 years. Software as Service platforms will drain your budget quick (they do take on some risk and maintenance tasks), is this worth it?

Mark Fedin (CEO and Co-founder at Atlaz) has a great post on the topic of viability Stop Dabbling At Startups .

Are you using the right tech?

Don’t be afraid of changing tech along the way, you may start with MySQL and move to MongoDB, Redis, Oracle ot MSSQL database servers etc.

Do you have systems to capture customer feedback?

Self-explanatory, you are solving customer problems, right? You will pivot in the first year (trust me).

What is your revenue/sales model?

If you don’t know how to make money then don’t make an app (apps are expensive to code and maintain).

Are you prioritizing task?

I have blogged about this before, do use the tools to stay on track.

Funny Bit

Donate and make this blog better

Ask a question or recommend an article

v1.5 Fixed typos and fixed CDN link issue.

v1.4 Updated the graphic to version v1.3.

Short (Article): https://fearby.com/go2/so/

Short (Image): https://fearby.com/go2/so-img/

Development Blog

Coding for fun since 1996, Learn by doing and sharing.

for

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

Using OWASP ZAP GUI to scan your Applications for security issues

Using Fritzing to draw electronic schematics for Arduino, Raspberry Pi and ESP8266

Using the free Adminer GUI for MySQL on your website

Scanning WordPress with Gravity scan for free to detect Supply Chain Attacks and WordPress malware

Infographic: So you have an idea for an app

Popular

Security

Code

Tech

Wordpress

General

Main navigation

for

Footer

Popular

Security

Code

Tech

Wordpress

General