Code, InfoSec and Server Stuff

Views are my own and not my employer's

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

security

Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx

by

This is a quick post that shows how I set up the “Feature-Policy”, “Referrer-Policy” and “Content Security Policy” headers in Nginx to tighter security and privacy.

Advertisement:



Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Add a Feature Policy Header

Upon visiting https://securityheaders.com/ I found references to a Feature-Policy header (WC3 internet standard) that allows you to define what browse features you webpage can use along with other headers.

Google mentions the Feature-Policy header here.

Browser features that we can enable or block with feature-policy headers.

  • geolocation
  • midi
  • notifications
  • push
  • sync-xhr
  • microphone
  • camera
  • magnetometer
  • gyroscope
  • speaker
  • vibrate
  • fullscreen
  • payment

Feature Policy Values

  • * = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to documents in nested browsing contexts.
  • self = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to same-origin domain documents in nested browsing contexts, but is disallowed by default in cross-origin documents in nested browsing contexts.
  • none = The feature is disallowed in documents in top-level browsing contexts by default and is also disallowed by default to documents in nested browsing contexts.

My Final Feature Policy Header

I added this header to Nginx

This essentially disables all browser features when visitors access my site

I reloaded Nginx config and restart Nginx

Feature-Policy Results

I verified my feature-policy header with https://securityheaders.com/

Feature Policy score from https://securityheaders.com/?q=fearby.com&followRedirects=on

Nice, Feature -Policy is now enabled.

Now I need to enable the following headers

Add a Referrer Policy Header

I added this header configuration in Nginx to prevent referrers being leaked over insecure protocols.

Referrer-Policy Results

Again, I verified my referrer policy header with https://securityheaders.com/

Referrer Policy resu;ts from https://securityheaders.com/?q=fearby.com&followRedirects=on

Done, now I just need to setup Content Security Policy.

Advertisement:



Add a Content Security Policy header

I read my old guide on Beyond SSL with Content Security Policy, Public Key Pinning etc before setting up a Content Security policy again (I had disabled it a while ago). Setting a fully working CSP is very complex and if you don’t want to review CSP errors and modify the CSP over time this may not be for you.

Read more about Content Security Policy here: https://content-security-policy.com/

I added my old CSP to Nginx

I then imported the CSP into https://report-uri.com/home/generate and enabled more recent CSP values.

I restarted Nginx

I loaded the Google Developer Console to see any CSP errors when loading my site.

CPS Errors

I enabled reporting of CSP errors to https://fearby.report-uri.com/r/d/csp/enforce

Fyi: Content Security Policy OWASP Cheat Sheet.

You can validate CSP with https://cspvalidator.org

Now I won’t have to check my Chrome Developer Console and visitors to my site will report errors. I can see my site’s visitors CSP errors at https://report-uri.com/

report-cri.com Report

Content Security Policy Results

I reviewed the reported errors and made some more CSP changes. I will continue to lock down my CSP and make more changes before making this CSP policy live.

I verified my header with https://securityheaders.com/

Security Headers report from https://securityheaders.com/?q=https%3A%2F%2Ffearby.com&followRedirects=on

Advertisement:



Testing Policies

TIP: Use the header name of “Content-Security-Policy-Report-Only” instead of “Content-Security-Policy” to report errors before making CSP changes live.

I did not want to go live too soon, I had issues with some WordPress plugins not working in the WordPress admins screens.

Reviewing Errors

Do check your reported errors and update your CSP often, I had a post with a load of Twitter related errors.

Do check report-uri errors.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

V1.3 https://cspvalidator.org

v1.2 OWASP Cheat Sheet.

v1.1 added info on WordPress errors.

v1.0 Initial Post

Using OWASP ZAP GUI to scan your Applications for security issues

by

OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.

Advertisement:



I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.

Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).

OWASP Top 10

OWASP has a top 10 list of things to review.

OWASP Top 10

Download the OWASP 10 10 Application security risks PDF here form here.

Using the free OWASP Zap Tool

Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

Zap Overview

Here is a quick demo of Zap in action.

Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.

Installing Zap

Download Zap from here.

Download Zap

Download Options

Download

Download contents

Run Install

Copy to the app to the OSX Application folder

Installing

App Installed

App Insatalled

Open OSX’s Privacy and Security screen and click Open Anyway

Open Anwway

OWASP Zap is now Installed

Insallled

Ready for a Scan

Blind Scan

But before we do let’s check out the Options

Options

OWASP Zap allows you to label reports to ad from anyone you want.

Report Label Options

Now let’s update the program and plugins, Click Manage Add-ons

Manage Adons

Click Update All to Update addons

Updates

I clicked Update All

Plugins

Installed some plugins

Marketplace

Zap is Ready

Zap

Add a site and right click on the site and you can perform an active scan or port scan.

Right click Zap

First Scan (https failed)

https failed

I enabled unsafe SSL/TLS Renegotiation.

Allow Unsafe HTTPS

This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.

Cryptography Files OSX

The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security

Extract

I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.

fyi: I own and set up the site I queried below.

Zap Results

OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.

Zan Scan

Generating a Report

To generate a report click Report then the appropriate generation menu of choice.

Generate Report

FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.

I hope this guide helps someone. Happy software/server hardening and good luck.

More Reading

Check out my Kali Linux guide.

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

V1.3 fixed hasting typo.

v1.2 False Positive

v1.1 updated main features

v1.0 Initial post

Ubuntu 16.04: Spectre, Meltdown Security Vulnerabilities (and how to patch).

by

Below is a post about the Spectre and Meltdown Security vulnerabilities and mostly how it relates to Ubuntu.

Advertisement:



Spectre and Meltdown Background

Google Project Zero found a server-side hardware bug (undocumented feature) that allows reading of privileged memory by leveraging a CPU (and possibly any GPU and SOC) feature to execute code ahead of time in “if” code branches before the result of the “if” case is known. This execute code ahead of demand feature was added to speed up processors to assists the FETCH, DECODE, EXECUTE and WRITE-BACK stages in the execution pipeline preparation.

Processors hate reading from main memory (it is too slow) so if data can be PREFETCHED or CACHED before being executed in the CPU allowing the CPU can do more work. This bug/flaw is not really a bug/flaw IMHO but an insecure efficiency feature.

Read more on the Spectre and Meltdown bug here at Wired.

CPU History

Aside: Check out the Red Hill Hardware guide and the evolution (documentation) of early CPU’s.

You can read more about the Pentium 4’s cache, rapid execution engine and instruction set additions to learn more about the evolution of CPU efficiency here.

Making processors faster (adding more MHZ) may be futile if the cache is too small or slow, and simply adding more cache can increase costs. Branch prediction was a way to increase performance (by using idle clock cycles or saving clock cycles) without adding extra cache or silicone (extra cost). I suspect in the future branch prediction and read ahead features may be locked down or processor manufacturers may swing back to adding more MHZ/Cores/Cache.

Anandtech https://www.anandtech.com have a great article on branch prediction (I can’t find the article now but will add it when I find it later) but this guide gives the gist.

CPU 101

A CPU is much like a checkout area at a grocery store, and a multi-core CPU is like a grocery store with multiple checkouts.

  • Things (processing and reading to/from memory) happen sequentially (per core).
  • Only one item can be scanned (processed) at a time (per core).
  • Customers trolleys and items are like program threads and items to scan (to be calculated in the CPU).
  • Customers trolleys (programs with things to calculate) line up and wait for the CPU (attendant) to scan (execute) items. PRE-FETCH and other CPU tasks help organize data related to instructions.
  • One checkout line (core) cannot read or affect items at another checkout (thread safety).

When a price check is called on an item (causing huge delays while the price is being checked by a runner (reading from main memory)) the checkout attendant (CPU core) processes the next items at the checkout (items in the processor execution pipeline). Branch predicting will read ahead in idle times to prevent idle delays or cache-misses to prevent slowdown. Processors usually make sure things are in the processors L3, L2 or L1 memory before they are executed but some commands with pre-requisite data cannot be pre-cached.

CPU instruction information

Here is a list of x86 instructions

Troy Hunt in Weekly Update 68 https://www.troyhunt.com/weekly-update-68/ mentioned a twitter thread by Graham Sutherland (@gsuberland) https://twitter.com/gsuberland/status/948907452786933762 that summaries speculative execution more succinctly. Meltdown and Spectre bugs are due to the speculative execution in the processor.

Official Information on Spectre and Meltdown

Spectre (Security Vulnerability Wikipedia Article)

Meltdown (Security Vulnerability Wikipedia Article)

Proof of concepts exploits in the wide

Proof of concept and exploits are no doubt in the wild (as reported by Michael Schwarz@misc0110)

Ubuntu Impact

I have a number of Ubuntu servers and I have updated them to fix Spectre and Meltdown issues.

UpCloud is my favourite cloud provider.

    Ubuntu said here that is has been notified by Intel of this issue since November 09 2017.

    Ubuntu Timeline (16.04 related snip from here)

      • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA.
      • 2017 Nov 20: the CRD is established as 2018-01-09.
      • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products.
      • 2018 Jan 03: issue becomes public a few days before the CRD.
      • 2018 Jan 04: Canonical publicly communicates the planned update schedule.
      • 2018 Jan 04: Mozilla releases timing attack mitigations.
      • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1.
      • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
      • Package: linux, Version: 4.4.0-108.131, Series: Xenial 16.04
      • -2018 Jan 09: NVIDIA driver updates published, see USN-3521-1.
      • Cloud image updates.
      • Core image updates.

      At this time it looks like this has been fixed on Ubuntu 16.04 LTS (Xenial Xerus) with released (57.0.4+build1-0ubuntu0.16.04.1). Consider updating your Ubuntu servers.

      You can follow the Ubuntu CVE listing here to be ahead of future security issues.
      https://people.canonical.com/~ubuntu-security/cve/main.html

      Spectre and Meltdown related Ubuntu CVE’s

      Spectre – CVE-2017-5715

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html

      Spectre – CVE-2017-5753

      Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

      Meltdown – CVE-2017-5754

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

      Ubuntu-Description: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

      Link: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html

      Links

      Ubuntu Security News https://usn.ubuntu.com/usn/

      Subscribe to the Ubuntu Security Announcement Distribution List https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

      Ubuntu CVE Tracker (Main) http://people.canonical.com/~ubuntu-security/cve/main.html

      Links from CVE articles

      https://spectreattack.com/
      https://meltdownattack.com/
      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
      http://www.amd.com/en/corporate/speculative-execution
      https://developer.arm.com/support/security-update
      https://www.qemu.org/2018/01/04/spectre/
      https://usn.ubuntu.com/usn/usn-3516-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
      http://nvidia.custhelp.com/app/answers/detail/a_id/4611
      https://usn.ubuntu.com/usn/usn-3521-1
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
      https://github.com/IAIK/KAISER
      https://gruss.cc/files/kaiser.pdf
      https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
      https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

      FYI: Ubuntu 17.04 will not be getting the Spectre and Meltdown fixes, this is a good reason why not to use a non-LTS (long time support) release of Ubuntu (abandoned after 9 months):
      https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html

      How to update Ubuntu

      As always backup your server and configuration first (consider taking a snapshot). I run the following command to update my system and reboot.

      Warning: Some packages may overwrite in-production configuration files (or break production servers) so take your time updating, use test servers (green and blue or dev, test and prod) and only upgrade production when you are ready.

      fyi: AWS related Speculative Execution post: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

      Impact on Future Program Build Times

      Twitter user Peter Czanik (@PCzanik https://twitter.com/PCzanik) reports that compile times that fix speculative execution have increased his build times from 4 minutes to 21 minutes.

      Windows Impacts

      Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

      https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

      OSX Impacts
      Report: Intel CPUs suffer from major security flaw, fix could bring notable performance hit to macOS

      Web Browser and JavaScript Impacts

      General

      Here’s what every Chrome user should do in the wake of #Spectre

      http://mashable.com/2018/01/04/google-chrome-spectre-precaution-meltdown/

      Microsoft reveals how Spectre updates can slow your PC down

      https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

      Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs

      Review: https://twitter.com/search?q=spectre%20meltdown

      Viewing the Change log of updatable packages

      View the change log of updatable packages for a certain Cve.

      sudo apt-get update

      sudo apt-get changelog ntp | grep CVE-2017-5715

      The output will show matches of updatable packages that match.

      Ubuntu Cloud Tips

      Read my guide on Useful Linux Terminal Commands https://fearby.com/article/useful-linux-terminal-commands/

      Read my guide on how to setting up a Vultr VM (Ubuntu) and configuring it https://fearby.com/article/setting-vultr-vm-configuring/

      Good luck.

      Scott Manleys breakdown of Spectre and Meltdown

      More Reading

      Anandtech – Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs.

      More Fearby.com Reading

      Donate and make this blog better

      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      Revision History

      v1.4 Scott Manleys link

      v1.3 Added Anandtech article.

      v1.2 Wired link.

      v1.1 view the changelog of updatable packages.

      v1.0 Initial Copy.

      Hope this helps someone.

      Security checklist for securing a self-managed Ubuntu server in the cloud

      by

      Below is a (perpetually updated) security checklist for securing a self-managed Ubuntu server. Recently WordPress released patch v4.8.3  that fixed some SQL injection issues.  Is your OS, Database, Web Server, OS and software up to date?

      Advertisement:



      Although I have recently blogged about securing Ubuntu in the cloud, and running a server Audit with Lynus,  this new post is really about obtaining a mindset change and allocating time (each week) to ensure your self-managed servers and software is kept up to date. You can easily list down the actions you need to follow but keeping a system up to date is hard work. Sites like www.shodan.io will reveal what servers or services are vulnerable, let software updates lapse long enough and an open exploit may open a hole to your system.  It only takes minutes to set up a $2.5  a month Ubuntu server with Vultr, $5 a month Digital Ocean Server or AWS server but you need to maintain it.

      I highly recommend that you watch the following video that highlights the need for even minor vulnerabilities to be patched asap. If you leave one minor vulnerability open you will give hackers a foothold into your system.

      Follow @jawache on twitter.

      Troy Hunt has a great post about the simplicity of hacking. Hacking is child’s play.

      General Security Checklist

      Find log files on your system:

      Output (handy logs to review):

      • Enable brute force detection and banning (fail2ban etc) Read more here.
      • Secure folders with service accounts.
      • Do secure software (e.g WordPress Wordfence)
      • Do use SSL Certificates (and use modern cyphers and test with https://www.ssllabs.com/ssltest/)
      • Monitor SSL vulnerabilities.
      • Do a Lynis security report.
      • Install a Virus scanner (read here).
      • Secure MySQL/Databases.

      First, find the version of MySQL

      Read the official MySQL manual here and security guidelines here.

      Read this Digital Ocean guide on securing MySQL.

      • Other: _______

      Application (coding) checklist

      Retain and protect information.

      Infrastructure

      Plan for the worst, hope for the best.

      • Use the latest Long Term Support (LTS) version or Ubuntu
      • Update packages

      View app packages (Ubuntu 16.04) with updates

      View app packages (Ubuntu 16.04) with updates

      To update packages type (remember to backup data and config files first)

      Among other things, you will see the following information

      Show available updates

      • Only work on code checked into GitHub or BitBucket (You will thank me when data or servers disappear).
      • Backup configuration files or backup to remote servers (my rsync guide here)
      • Use snapshots of VM’s.
      • Use Green/Blue server deployments (toggle one server a Prod and the other and Dev/Test and have one ready for a hot spare). Digital Ocean has a good guide here.
      • Consider forcing Content Security Polic and Public Key Pinning or at least using LetsEncrypt SSL certificates.
      • Take Snapshots of VM’s (automate)
      • Backup MySQL databases:

      Other Useful Linus Terminal Commands.

      Mindset/Culture

      Dedicate time to securing your site.

      1. Spend one day a week (or automate) the updating of the OS/Software (no excuses).
      2. Follow people on twitter and subscribe to newsletters of those that are security conscious

      Don’t forget to read securing Ubuntu in the cloud blog post here.

      And check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

      More to come..

      Donate and make this blog better


      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      v1.2 added link to Hardening Linux Server link

      v1.1 added @jawache link

      Short (Article):

      Flaw in WPA2 protocol (KRACK) is a reminder of the limited life of all technology.

      by

      The recent KRACK flaw in the WPA2 protocol is a reminder of the limited life of all technology. All technology has a finite lifespan (intended or not) and you should not bet on a piece of technology being around long.

      Advertisement:



      Wireless Broken (Again)

      WEP wireless security was launched in 1997 and lasted until 2004, WPA and WPA2 replaced WEP but the recent flaw in WPA2 (originated from WEP) will forge an update to WPA2 or launch a WPA3. WPA2 was just a certified WPA.

      WPA wireless encryption uses TKIP and AES encryption subsets, TKIP is similar to WEP and should not be used. AES subset is a more rigorous encryption subset available in WPA2 (and is used by the US Government. AES’s main weakness is a brute force attack to find the wireless password so ALL of your passwords must be unique and strong. Do not use common or shared passwords and make sure passwords are as strong as allowed.  I personally use the 1Password Password Manager to generate strong passwords and if you are feeling nerdy you can use the GRC Password Generatorhttps://howsecureismypassword.net/ is a good site that allows you to see how secure a password is (how long a brute force attack would take to obtain your password by brute force).

      What can you do to fix wifi

      1. If you are using TKIP in WPA use AES instead.
      2. Check your WiFi routers manufacturer and ask for a new firmware that will fix the KRACK attack.

      @TPLINK @TPLINKHelp When will new firmware be available for the TD-W8961N fo fix krackattacks.com ?

      It is up to you to know the rick for each technology you use and when you stop using it.

      Support Windows

      Most operating systems and web browsers have support windows but security protocols, encryption and cyphers do not? why?

      Not just Wifi is Broken

      As a developer always assume things are insecure and always prepare for the worst, you should ensure brute force attacks are blocked by setting up a firewall on your serves, run a security audit and install software level plugins to ban IP’s when brute force attacks happen.  Don’t forget to set up an SSL certificate (read my Lets Encrypt guide here) and if you want extra security read here on SSL certificate Public Key Pinning.

      You can deploy a server in the cloud for as low as $2.5 a month (guide here) on Vultr or set up a server on Digital Ocean (first 2 months are free) read my setup guide here.

      Depreciation of libraries and code

      Software developers are all too familiar with the depreciation of libraries and code, recently I had to switch from mysql_connect routines that was deprecated in PHP 5.5, luckily a mysqli_connect was available so not a real problem.

      Having to switch technology to a faster and or more secure version is a win-win IMHO.

       

      Backup

      Whats your backup plan? Don’t forget you can easily backup with RSync. There is no excuse for backing up your data.

      Git

      You should also use source code repositories like GitHub or BitBucket to manage code versions and restore environments when things go bad.

      Social Media

      Security-related twitter followers I personally follow to keep up to date with security news.
       
      GFDI Foundation:
       
      0xDUDE
       
      Security Now Podcaster:
       
      Australian Security Researcher Troy Hunt:

      Hashtags are also a great way to stay up to date on exploits (#KRACK, #vuln, #CVE etc).

      Handy links

      Read more on hackers Tactics, Techniques & Common Knowledge.

      Read the OWASP guide to pick up software security best practices.

      Stay safe: Research, Secure and Backup.

      More Soon..

       

      Donate and make this blog better




      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      Revision History

      v1.1 Added support windows..

      etc

      Wordfence Security Plugin for WordPress

      by

      WordFence is a great security plugin for WordPress that allows you to secure your WordPress installation and prevent brute force attacks, rate-limit visitors (or Bots), block banned IP’s that are accessing your site and more.

      Advertisement:



      Fyi

      20th Dec 2017: Wordfence report Backdoor in Captcha Plugin Affects 300K WordPress Sites

      Backup

      Before I started I performed a quick mysql backup from the command line to ensure my WordPress is backed up. Read my guide on installing WordPress from the command line (here) and securin Ubuntu (here).

      Don’t forget to backup your WordPress files.

      Download and extract WordFence

      I downloaded and installed the Wordfence plugin via command line. I visited https://wordpress.org/plugins/wordfence/ and got the plugin URL for the latest version (e.g https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip).

      I downloaded the plugin zip file from the command line to my WordPress plugins folder. Read my guide (here) on managing WordPress from the command line.

      Now the Wordfence plugin can be activated in WordPress.

      Activate Wordfence

      Enter your email to receive Wordfence alerts.

      WordFence EmmiL Alerts

      Your Wordfence Dashboard will show local and global issues and statistics.

      WordFence Dashboard

      I set these default Wordfence options.

      ON

      More Wordfence Options

      More Options

      Set Permissions (for Firewall)

      You may need to create a log folder (e.g /www/wp-content/wflogs/)  and set permissions to allow Wordfence to work.

      Now I can enable the Wordfence firewall via the WordFence plugin at /wp-admin/admin.php?page=WordfenceWAF

      Wordfence Firewall

      Don’t forget to configure the Wordfence firewall.

      WordFence Firewall

      Firewall Install Options

      I do not have FTP setup so I’ll do a manual install based on these instructions.

       

      WordPress Install Options

      I manually added this to my ~/nxinx/sites-available/default config.

      I added this to my nginx config.

      This did not work as specified in the official Wordfence docs (https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#NGINX) so I added the following.

      Accessing a test /test.user.ini file in a web browser returns a 403  (always test access)

      I added this to my active php.ini configuration file.

      I restart PHP.

      I added my IP to the Wordfence whitelist textbox to ensure I am not blocked: /wp-admin/admin.php?page=WordfenceSecOpt 

      Tip: Grab your IPV4 address from https://ipv4.icanhazip.com/

      Recent Wordfence Scan Summary (1st Scan)

      Wordfence Dashboard allows you to see local and global stats.

      Recent Scan

      Wordfence (In Progress) Scan summary.

      Scan Summary

      My Issues

      Wordfence alerted me that I needed to update WordPress and some plugins  (see my guide on installing and managing your WordPress via the Command Line here).

      I updated my WordPress core files (via the command line).

      I updated my  WordPress plugins (via the command line).

      Output:

      I manually updated my WordPress theme (from my.studiopress.com website) and uploaded via SSH

      I could then SSH into my server and extract the theme.

      Wordfence Dashboard

      Wordfence allows you to see worldwide Blocked IP’s by the Wordfence network.

      IPs

      You can also see local successful or failed login attempts. The Ukraine IP 91.200.12.49 tried to log in to my WordPress installation but was banned globally as it was seen unsuccessfully logging into 900 other global servers, good work Wordfence.

      Failed Logins

      Attacks blocked locally.

      Stats

      View global WordPress attacks by countries

      Global Attack Stats

      Wordfence Features I like

      • Finding abandoned plugins
      • See Globally banned IP’s
      • See local failed login attempts
      • Brute force protection.
      • Stats on local blocked events.
      • Identification of old files.
      • Simple reports.

      Wordfence Features I don’t like

      • Your mouse must be active in the window for scans to complete/seen.
      • Setup firewall almost requires FTP.

      Wordfence: 7.02 updated (listed here)

      Revised Dashboard looks nice

      Wordfence 702

      More to come, I will update this guide over time.

      Donate and make this blog better




      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      Revision Historyv1.2 added info on Wordfence 7.0.2

      v1.1 added info on Captcha plugin backdoor detected by Wordfence

      v1.0 Initial Post

      etc

      Run an Ubuntu VM system audit with Lynis

      by

      Following on from my Securing Ubuntu in the cloud blog post I have installed Lynis open source security audit tool to check out to the security of my server in the cloud.

      Advertisement:


      Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defences of their Linux and Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. https://cisofy.com/lynis and https://github.com/CISOfy/lynis.

      It is easy to setup a server in the cloud (create a server on Vultr or Digital Ocean here). Guides on setting up servers exist ( setup up a Vultr VM and configure it and digital ocean server) but how about securing it? You can install a LetsEncrypt SSL certificate in minutes or setup Content Security Policy and Public Key Pinning but don’t forget to get an external in-depth review of the security of your server(s).

      Lynis Security Auditing Tool

      Preparing install location (for Lynis)

      Install Lynis

      Running a Lynus system scan

      ./lynis audit system -Q

      Lynis Results 1/3 Output (removed sensitive output)

      Lynis Results 2/3 – Warnings

      I resolved the only warning by typing

      After updating the Lynis system scan I re ran the text and got

      Lynis Results 3/3 – Suggestions

      Installing a Malware Scanner

      Install ClamAV

      Download virus and malware definitions (this takes about 30 min)

      Output:

      I had an issue on some boxes with clamav reporting I could not run freshclam

      This was fixed by typing

      Troubleshooting clamav

      Clam AV does not like low ram boxes and may produce this error

      It looks like the solution is to increase your total ram.

      fyi: Scan with ClamAV

      Re-running Lynis gave me the following malware status

      Lynis Security rating

      Installed

      After re-running the test I got this Lynis security rating score (an improvement of 1)

      Installed and configured debsums and auditd

      Now I get the following Lynis security rating score.

      Conclusion

      Lynis is great great at performing an audit and reccomending areas of work to allow you to harden your system (brute force protection, firewall, etc)

      Security Don’ts

      • Never think you are done securing a system.

      Security Do’s

      • Update Software (and remove software you do not use.)
      • Check Lynis Suggestions and try and resolve.
      • Security is an ongoing process, Do install a firewall, do ban bad IP’s, Do whitelist good IP’s, Do review Logs,
      • Do limit port access, make backups and keep on securing.

      I will keep on securing and try and get remove all issues.

      Read my past post on Securing Ubuntu in the cloud.

      Scheduling a auto system updates is not enough in Ubuntu (as it is not recommended as the administrator should make decisions, not a scheduled job).

      fyi: CISOFY/Lynis do have paid subscriptions to have external scans of your servers: https://cisofy.com/pricing. (why upgrade?)

      Lynis Plans

      I will look into this feature soon.

      Updating Lynis

      I checked the official documentation and ran an update check

      Not sure how to update?

      I opened an issue about updating v2.5.5 here. I asked Twiter for help.

      Twitter

      Official Response: https://packages.cisofy.com/community/#debian-ubuntu

      Git Response

      Waiting..

      I ended up deleting Lynis 2.5.5

      Updated

      And reinstalled to v2.5.8

      Output:

      More actions post upgrade to 2.5.8

      • Added a legal notice to “/etc/issues”, “/etc/issues.net” file’s.

      Installing Lynis via apt-get instead of git clone

      The official steps can be located here: https://packages.cisofy.com/community/#debian-ubuntu

      Unfortunately, I had an error with “apt update

      Error:

      Complete install output

      I reopened Github issue 491. A quick reply revealed that I did not put a space before “xenial” (oops)

      fyi: I removed the dead keystore from apt by typing…

      I can now install and update other packages with apt and not have the following error

      I will remove the git clone and re-run the apt version later and put in more steps to get to a High 90’s Lynis score.

      More

      Read the official documentation https://cisofy.com/documentation/lynis/

      Next: This guide will investigate the enterprise version of https://cisofy.com/pricing/ soon.

      Hope this helps. If I have missed something please let me know on Twitter at @FearbySoftware

      Donate and make this blog better



      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      v1.46 Git hub response.

      Raspberry Pi 2/B Security Webcam

      by

      The Raspberry Pi is an inexpensive ARM based computer that is ideal for use as a home security camera.

      Advertisement:



      What will you need?

      Remote Web server

      Install and configure FTP on the remote web server. This is where the Raspberry Pi’s will upload new images. It is important that you setup a folder for images (e.g/webcam/1/ and configure a new dedicated FTP account to log into that location by default.

      Raspberry Pi

      Wifi dongle (TP-link TL-WN821N), 2500ma power supply, Raspberry Pi 8MP Camera.

      Other

      You should have booted into your Pi and configured it, connected it to your wireless network and obtained it’s Mac network address (use terminal: ifconfig), enabled remote ssh access, changed the default password, set a static IP address on your local LAN/router and configured the date. If you did not want to stratx and use the GUI to setup the Pi you van use raspi-config command.

      Previously I had a working security camera using a bash and a python script but this time decided to use Perl (thanks to Marc Fearby already writing a Perl script. and my old python script failing).

      Install Packages and Pre-Requisites.

      Type the following to install Perl and ImageMagick

      ImageMagick is used to add images and text on to an image.

      Also installed wput (to download an image) and ftp and other tools. You can skip this step if you don’t need Python, local ftp or wput.

      I made a scripts and images folder on the raspberry pi

      I did set permissions on the local folders

      I made image folders on the remote web server

      I placed an empty index.php in each folder.

      A reboot is a good idea here

      Raspberry Pi Script.

      Make the sync image Perl script.

      Here is my final Perl script. Hopefully, it is self-explanatory and debug information is clear. Printf if debug information and system is where Perl runs a command in the background.

      Multiple Pi’s

      You can duplicate this setup on other pic and just change the /1/ path to /2/ or a higher number.

      Security

      You should have A+ rated SSL as a minimum (guide here). you should not be using the default Pi password.

      index.php Viewer on the web server 

      displaying the latest uploaded image in a web server folder as an HTML image tag. This PHP code chunk can be inseRted into your own PHP files and it will show the latest uploaded image file.

      More code will be added to this article on displaying all server site images as [5m][10m][15m][420M] (minutes ago) etc

      Automating the syncing of images

      Open the terminal and type

      Enter this into the last line of the crontab and save (this will call the script every 5 mins automatically). Change the 5 to a 1 to have the Perl file called every 1 minute. 

      Manual syncing images

      output:

      Misc

      • Make sure the Ppi has a 2500+ ma power pack minimum
      • Ensure the Pi lens of protected from the sun.
      • Test

      Images

      IMG_9206

      IMG_9213

      IMG_9211

      Device Choices

      Using a full Raspberry Pi has the benefits of using full-size USD Devices while debugging but it may draw more power (still 5v but more amps/watts).

      A Raspberry Pi Zero W is a good choice if you have micro USB devices (I did not and the bits I ordered were not compatible with older Rasbian installations, read my setup guide here). A raspberry Pi Zeo W is a  single core device and used a tiny bit of power.

      I would like to setup a  camera on a NodeMSU ESP8266 (read my setup guide here ) device or an ESP32 sometime soon for using even less power.

      Misc

      downloading an image with wget.

      Todo:

      • Only capture in set hours (exit Perl script)
      • Show last images (server)
      • Auto remove images older than xx hours (server).
      • Local web interface.
      • SMS alerts
      • Raspberry Pi zero

       

      Donate and make this blog better




      Ask a question or recommend an article

      Your Name (required)

      Your Email (required)

      Your Question

      v1.7 fixed typo, checking guide (Jan 2018)

      v1.6 add info on device choices.