• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

Setting

Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX

May 15, 2018 by Simon

This guide will aim to inform you of strong cryptographic protocols and ciphers to use on a web server on Ubuntu 16.04 and NGINX.

Secure encryption protocols are used to secure communications between a server and client. Older SSL protocols like Netscape’s Secure Sockets Layer (SSL) are flagged as DO NOT USE use by the Internet Engineering Task Force (IETF). Newer protocols like Transport Layer Security (TLS) are the newer recommended SSL protocols to use.

Wikipedia Article on Cryptographic Protocol’s

A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

Wikipedia on Ciphers

In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, “cipher” is synonymous with “code,” as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

Wikipedia article on Elliptic-curve cryptography

Wikipedia article on Diffie–Hellman key exchange

Bad SSL Assumptions I have heard for not using HTTPS

  • I am not a bank so I don’t need HTTPS
  • SSL overhead is was too high on servers.
  • My site only has static content, I don’t need HTTPS
  • I don’t need SSL to secure my site I just need to be less of a target than others
  • I don’t hold confidential information (Wrong)

Don’t be Lazy and secure a site poorly

A local business that wanted me to buy their goods is not convincing me.

Bad SSL

(tested with SSL labs and asafaweb)

Why SSL

If you are unsure of why you need SSL visit https://doesmysiteneedhttps.com/, Avoiding the Not Secure Warning in Chrome, Why HTTPS matters and securing your site with HTTPS.

Google has an HTTPS usage graph for all communications to its services (hint it’s growing): https://transparencyreport.google.com/https/overview?hl=en

SSL Usage

SSL Future

SSL is here to stay, Non-SSL sites will soon be labelled insecure, Non-SSL sites will have Search Engine Optimization (SEO) adversely affected.

http insecure

Also, secure pages will be treated as normal (not flagged as secure)

In October, Chrome will remove the “secure” indicator on all HTTPS pages and mark pages that do no use the secure version of the HTTP protocol with a red “not secure” warning. This change will make the web safer to use by default. https://t.co/ar3lwB9aRt

— J-François Lavigne (@jflavigne) May 25, 2018

History of Protocol’s – Launch Dates

  • SSL 1.0 (never launched)
  • SSL 2.0 1995
  • SSL 3.0 1996
  • TLS 1.0 1999
  • TLS 1.1 2006
  • TLS 1.2 2008
  • TLS 1.3 2018

Sites like https://caniuse.com can show you if our browser can use new protocols like TLS (e.g TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3)

  • TLS 1.0 is supported by All Browsers
  • TLS 1.1 is supported on IE11+, Edge, Firefox 24+, Chrome 22+, Safari 7+, Opera 12.1+, iOS Safari 5.1+, Chrome 62 on Android 5+ etc
  • TLS 1.2 is supported on IE11+, Edge, Firefox 27, Chrome 30+, Safari 7+, Opera 17+, iOS Safari 5.1, Chrome 62 on Android 5+ etc
  • TLS 1.3 is not supported by IE, Edge, Safari, iOS Safari, Android but is supported by Firefox 52, Chrome 56, Opera 43.

TLS 1.3

I have a guide here on setting up TLS 1.3 on Ubuntu 16.05 and Chrome, I use the draft build of OpenSSL but Open SSL 1.1.1 will support TLS 1.3. I am still figuring our TLS 1.3 on Ubuntu 18.04.

At the time of writing, you need to opt into TLS 1.3 draft specification in Chrome.

Enable TLS in Chrome

Cypher or Cypher

Read this page to see the history of the word Cipher or Cypher?

Buying an SSL certificate

Opening your wallet may not buy you the best certificate either, this was an SSL Labs review of a $150 SSL certificate Ii purchased a few years ago from a CPanel web host.

Bad CPanel SSL Certificate

I don’t buy commercial certificates anymore, I prefer free SSL certificates from Lets Encrypt

SSL Strength

I prefer to set up my own (free) SSL certificate with Lest Encrypt and tets those certificated with https://dev.ssllabs.com/ssltest/

You can configure your web server to only use certain protocols.

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;

And define preferred ciphers

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;

SSL Test 2018

Don’t forget to renew your SSL certificates ahead of time.

Also run a modern browser like Google Chrome Canary as some old browsers thnk expired SSL certificates are Secure

Ciphers

OpenSSL has implemented support for five TLS v1.3 cipher suites:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

Test OpenSSL Cipher Suites

openssl ciphers -s -v
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

A handy guide about using ciphers

SSL/TLS: How to choose your cipher suite

Testing a remote host’s ciphers and protocols with cipherscan

Clone this repository: https://github.com/mozilla/cipherscan

Scan a site

./cipherscan fearby.com

Result

Target: fearby.com:443

prio  ciphersuite                        protocols  pfs                 curves
1     ECDHE-ECDSA-CHACHA20-POLY1305-OLD  TLSv1.2    ECDH,P-256,256bits  prime256v1
2     ECDHE-ECDSA-AES128-GCM-SHA256      TLSv1.2    ECDH,P-256,256bits  prime256v1
3     ECDHE-ECDSA-AES128-SHA             TLSv1.2    ECDH,P-256,256bits  prime256v1
4     ECDHE-ECDSA-AES128-SHA256          TLSv1.2    ECDH,P-256,256bits  prime256v1
5     ECDHE-ECDSA-AES256-GCM-SHA384      TLSv1.2    ECDH,P-256,256bits  prime256v1
6     ECDHE-ECDSA-AES256-SHA             TLSv1.2    ECDH,P-256,256bits  prime256v1
7     ECDHE-ECDSA-AES256-SHA384          TLSv1.2    ECDH,P-256,256bits  prime256v1

Certificate: trusted, 256 bits, ecdsa-with-SHA256 signature
TLS ticket lifetime hint: 64800
NPN protocols: h2,http/1.1
OCSP stapling: supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Intolerance to:
 SSL 3.254           : absent
 TLS 1.0             : PRESENT
 TLS 1.1             : PRESENT
 TLS 1.2             : absent
 TLS 1.3             : absent
 TLS 1.4             : absent

Cipher scan can also recommend settings to change to help you harden a server (based on https://wiki.mozilla.org/Security/Server_Side_TLS)

Analyze Command

./analyze.py -t fearby.com

Results

fearby.com:443 has bad ssl/tls

Things that are bad:
* remove cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD

Changes needed to match the old level:
* remove cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD
* enable TLSv1.1
* enable TLSv1
* enable SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* use DHE of 1024bits and ECC of 160bits

Changes needed to match the intermediate level:
* remove cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD
* consider enabling TLSv1.1
* consider enabling TLSv1
* add cipher AES128-SHA
* use a certificate signed with sha256WithRSAEncryption

Changes needed to match the modern level:
* remove cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD
* remove cipher ECDHE-ECDSA-AES128-SHA
* remove cipher ECDHE-ECDSA-AES256-SHA

More info on hardening here.

TLS 1.3 Information

More Reading

SSLLabs Grading of certificates

Read about SSL Labs grading here

snip from here

  • A+ – exceptional configuration
  • A – strong commercial security
  • B – adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems
  • C – obsolete configuration, uses obsolete crypto with modern clients; potentially bigger configuration problems
  • D – configuration with security issues that are typically difficult or unlikely to be exploited, but can and should be addressed
  • E – unused
  • F – exploitable and/or patchable problems, misconfigured server, insecure protocols, etc.

We wish to make clear that, while A+ is clearly the desired grade, both A and B grades are acceptable and result in adequate commercial security. The B grade, in particular, may be applied to configurations designed to support very wide audiences, many of whom use very old programs to connect. The C grade is generally used for configurations that don’t follow best practices. Grades D and F are used for servers with serious configuration and security issues.

REady to go SSL configuration: https://cipherli.st/

Download ready to go Diffie–Hellman primes. https://2ton.com.au/dhtool/

We have dedicated 48 CPU cores to the task of continuously generating 2048, 3072, 4096 and 8192 bit DH parameters, and the public service we present here allows access to the most-recent 128 of each.

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

Diffie–Hellman is used to secure a variety of Internet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of large governments.

More to come, I hope this guide helps someone.

fyi:

Windows Protocol/Cipher installer: https://www.nartac.com/

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.2 expired and use a modern browser

v1.1 bad SSL

v1.0 Initial post

Filed Under: HTTPS, Security, SEO, TLS Tagged With: and ciphers, cryptographic, on Ubuntu and NGINX, protocols, Setting, ssl, strong

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

April 14, 2018 by Simon

This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.

I have a number of guides on moving away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I use Google G Suite to send and receive emails that are linked to my domain (even via the command line) using multiple domains (with aliases).

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Buy how can you extend your email security and limit spam?

Enter..

Sender Policy Framework (SPF) for Authorizing Use of Domains in Email

Background: SPF summary from the RFC document from the Internet Engineering Task Force (IETF).

“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”

Google has a guide in setting up SPF records for your G Suite account.

Scan your site for SPF, DKIM and DMARC configuration(s).

Gmail has a test site where you can check your site SPF, DKIM and DMARC etc: https://toolbox.googleapps.com/apps/checkmx/

Secure GSuite

How to set up an SPF Record

I followed this guide to set up an SPF record on my G Suite account. I use Cloudflare for my DNS provider so I’ll make my DNS changes there.

Add SPF Record

Update: Google instructions were wrong, use a TXT record and not a SPF record.

Read more on SPF at Wikipedia here.

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Now let’s set up DomainKeys Identified Mail (DKIM) Signatures

Read more on DKIM at Wikipedia here.

Background: The DKIM RFC form the Internet Engineering Task Force (IETF) states…

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

Google has a DKIM FAQ: https://support.google.com/a/answer/174124

Login to your G Suite account and load this FAQ.

The FAQ page states..

“You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn’t been changed along the way.”

Click Generate the Domain Key

Generate Domain Key

Follow the steps and generate a key

Generate Key

Generate a new record

Generate key

Add the DKIM key to your DNS record

Add DNS record

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Read more on DMARC at Wikipedia here. Read the official page here https://dmarc.org/.

Background: The DMARC RFC form the Internet Engineering Task Force (IETF) states…

DMARC Flow

DMARC Flow

“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.

DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”

Google G Suite has a guide to setting up a DMARC record here

Snip from the Google guide here..

“Spammers can sometimes forge the “From” address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.

G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.“

Login to your G Suite account and load this FAQ

Click Add A DMARC Record

Add DMARC

You will then need to set up a DKIM Domain Key (if you have not done so yet)

When you are done you need to choose your DMARC rules, I would suggest you go to https://mxtoolbox.com/DMARCRecordGenerator.aspx to generate a record

I generated these rules

Dmarc Rules

Warning: Setting a DMARC policy that is too strict may block mail from being delivered. Tighten rules over time.

Login to your DNS provider and add your TXT record.

DMARC Record

You should now have an SPF, DKIM and DMARC record in DNS.

DNS

Update: The SPD record above should be a TXT (Google led me astray)

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Now go to bed and wait for DNS to replicate.

Troubleshooting SPF

My TXT record would not validate with https://toolbox.googleapps.com/apps/checkmx/check

Google Toolbox

The MX Toolbox SPF checker reports that SPF records are deprecated and to use TXT records instead.

SPF TXT Record

Fix (remove the SPF record and add a TXT record with the same contents). Don’t forget to delete the old SPF record.

TXT Record

Results

SPF Setup

Reports

SPF/DKIM reports will let me know when unauthorized people send email from my domain.

This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800.
Below is some detail information about this message:
 1. SPF-authenticated Identifiers: none;
 2. DKIM-authenticated Identifiers: none;
 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

For more information please check Aggregate Reports or mail to [email protected]



Feedback-Type: auth-failure
User-Agent: NtesDmarcReporter/1.0
Version: 1
Original-Mail-From: <[email protected]>
Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800
Source-IP: 125.105.176.155
Reported-Domain: fearby.com
Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2
Authentication-Results: 163.com; dkim=none; spf=softfail [email protected]
Delivery-Result: delivered
Identity-Alignment: none



Received: from mitai (unknown [208.136.26.72])
	by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1
	for <[email protected]>; Sat, 14 Apr 2018 13:14:03 +0800
Message-ID: <[email protected]>
From: =?utf-8?B?5rip5a6D?= <[email protected]>
To: <[email protected]>
Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?=
	=?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?=
Date: Sat, 14 Apr 2018 13:13:56 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20"
X-mailer: Bagf 2

Also, DMARC will alert me to unauthorized activity

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4329490063964523747</report_id>
    <date_range>
      <begin>1523750400</begin>
      <end>1523836799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>fearby.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>none</sp>
    <pct>5</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>sampled_out</type>
          <comment></comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>fearby.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>unknown</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Reports

v1.3 DMARC Flow image

V1.2 Updated wording

V1.1 Fixed typos (they were free)

v1.0 Initial post

Filed Under: Cloudflare, DKIM, DMARC, DNS, Domain, Email, GSuite, Security, SPF Tagged With: and, by, Cloudflare, DKIM, DMARC, email, G Suite, google, securing, Setting, SPF, up, with

Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap

March 13, 2018 by Simon

This guide will show how you can set up a website to use Cloudflare on a VM hosted on Vultr and Namecheap

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. This post will show how to let Cloudflare handle the DNS for the domain.

Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Snip from here “Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.”

Buy a Domain 

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Cloudflare Benefits (Free Plan)

  • DDoS Attack Protection (Huge network to absorb attacks DDoS attacks over 600Gbps are no problem for our 15 Tbps networks)
  • Global CDN
  • Shared SSL certificate (I disabled this and opted to use my own)
  • Access to audit logs
  • 3 page rules (maximum)

View paid plan options here.

Cloudflare CDN map

Cloudflare CDN says it can load assets up to 2x faster, 60% less bandwidth from your servers by delivering assets from 127 data centres.

Cloudflare Global Network

Setup

You will need to sign up at cloudflare.com

Cloudflare

After you create an account you will be prompted to add a siteAdd SiteCloudflare will pull your public DNS records to import.

Query DNS

You will be prompted to select a plan (I selected free)

Plan Select

Verify DNS settings to import.

DNS Import

You will now be asked to change your DNS nameservers with your domain reseller

DNS Nameservers

TIP: If you have an SSL cert (e.g Lets Encrypt) already setup head to the crypto section and select ” Full (Strict)” to prevent ERR_TOO_MANY_REDIRECTS errors.

Strict SSL

Cloudflare UI

I asked Twitter if they could kindly load my site so I could see if Cloudflare dashboard/stats were loading.

Could I kindly ask if you are reading this that you visit https://t.co/9x5TFARLCt, I am writing a @Cloudflare blog post and need to screenshot stats. Thanks in advance

— Simon Fearby (Developer) (@FearbySoftware) March 13, 2018

The Cloudflare CTO responded.  🙂

Sure thing 🙂

— John Graham-Cumming (@jgrahamc) March 13, 2018

Confirm Cloudflare link to a domain from the OSX Comand line

host -t NS fearby.com
fearby.com name server dane.ns.cloudflare.com.
fearby.com name server nora.ns.cloudflare.com.

Caching Rule

I set up the following caching rule to cache everything for 8 hours instead of WordPress pages

Page Rules

“fearby.com.com/wp-*” Cache level: Bypass

“fearby.com.com/wp-admin/post.php*” Cache level: Bypass

“fearby.com/*” Cache Everything, Edge Cache TTL: 8 Hours

Cache Results

Cache appears to be sitting at 50% after 12 hours.  having cache os dynamic pages out there is ok unless I need to fix a typo, then I need to login to Cloudflare and clear the cache manually (or wait 8 hours)

Performance after a few hours

DNS times in gtmetrix have now fallen to a sub 200ms (Y Slow is now a respectable A, it was a C before).  I just need to wait for caching and minification to kick in.

DNS Improved

webpagetest.org results are awesome

See here: https://www.webpagetest.org/result/180314_PB_7660dfbe65d56b94a60d7a604ca250b3/

  • Load Time: 1.80s
  • First Byte 0.176s
  • Start Render 1.200s

webpagetest

Google Page Speed Insights Report

Mobile: 78/100

Desktop: 87/100

Check with https://developers.google.com/speed/pagespeed/insights/

Update 24th March 2018 Attacked?

I noticed a spike in and traffic (incoming and threats) on the 24th of March 2018.

I logged into Cloudflare on my mobile device and turned on Under Attack Mode.

Under Attack Flow

Cloudflare was now adding a delay screen in the middle of my initial page load. Read more here.  A few hours after the Attach started it was over.

After the Attack

I looked at the bandwidth and found no increase in traffic from my initial host VM. Nice.

cloudflare-attack-001

Thanks, Cloudflare.

Cloudflare Pros

  • Enabling Attack mode was simple.
  • Soaked up an attack.
  • Free Tier
  • Many Reports
  • Option to force HTTPS over HTTP
  • Option to ban/challenge suspicious IP’s and set challenge timeframes.
  • Ability to setup IP firewall rules and Application Firewalls.
  • User-agent blocking
  • Lockdown URL’s to IP’s (pro feature)
  • Option to minify Javascript, CSS and HTML
  • Option to accelerate mobile links
  • Brotli compression on assets served.
  • Optio to enable BETA Rocket loader for Javascript performance tweaks.
  • Run Javascript service workers from the 120+ CDN’s
  • Page/URL rules o perform custom actions (redirects, skip cache, Encryption etc)
  • HTTP/2 on, IPV6 ON
  • Option to setup load balancing/failover
  • CTO of Cloudflare responded in Twitter 🙂
  • Option to enable rate limiting (charged at 10,000 hits for $0.05c)
  • Option to block countries (pro feature)
  • Option to install apps in Cloudflare like(Goole Analytics,

Cloudflare Cons

  • No more logging into NameCheap to perform DNS management (I now goto Cloudflare, Namecheap are awesome).
  • Cloudflare Support was slow/confusing (I ended up figuring out the redirect problem myself).
  • Some sort of verify Cloudflare Setup/DNS/CDN access would be nice. After I set this up my gtmetrix load times were the same and I was not sure if DNS needs to replicate? Changing minify settings in Cloudflare did not seem to happen.
  • WordPress draft posts are being cached even though page riles block wp-admin page caching.
  • Would be nice to have ad automatic Under Attack mode
  • Now all sub-domains were transferred in the setup ( id did not know for weeks)

Cloudflare status

Check out https://www.cloudflarestatus.com/ for status updates.

Don’t forget to install the CloudFlare Plugin for WordPress if you use WordPress.

More Reading

Check out my OWASP Zap and Kali Linux self-application Penetration testing posts.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.8 host Command from the OSX CLI

v1.7 Subdomain error

v1.6 Cloudflare Attack

v1.5 WordPress Plugin

v1.4 More Reading

v1.3 added WAF snip

v1.2 Added Google Page Speed Insights and webpage rest results

v1.1 Added Y-Slow

v1.0 Initial post

Filed Under: Analytics, App, Cache, CDN, Cloud, Cloudflare, DNS, Domain, Hosting, LetsEncrypt, Marketing, Secure, Security, SEO, Server, VM, Vultr, Website, Wordpress Tagged With: a, and, Cloudflare, hosted, namecheap, on, Setting, to, up, use, vm, vultr, website

Setting up the Debian Kali Linux distro to perform penetration testing of your systems

March 7, 2018 by Simon

This post will show you how to setup the Kali Linux distro to perform penetration testing of your systems

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Securing your systems is very important (don’t stop) and keep learning (securing ubuntu in the cloud, securing checklist, run a Lynis system audit etc)

snip from: https://www.kali.org/about-us/

“Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.”

Download Kali

I downloaded the torrent version (as the HTTP version kept stopping (even on 50/20 NBN).

Download Kali

After the download finished I checked the SHA sum to verify it’a integrity

cd /Users/username/Downloads/kali-linux-2018.1-amd64
shasum -a 256 ./kali-linux-2018.1-amd64.iso 
ed88466834ceeba65f426235ec191fb3580f71d50364ac5131daec1bf976b317  ./kali-linux-2018.1-amd64.iso

A least it matched the known (or hacked) hash here.

Installing Parallels in a VM on OSX

I use Parallels 11 on OSX to set up a VM os Demina Kali, you can use VirtualBox, VMWare etc.

VM Setup in Parallels

Hardware: 2x CPU, 2048MB Ram, 32MB Graphics, 64GB Disk.

I selected Graphical Install (English, Australia, American English, host: kali, network: hyrule, New South Wales, Partition: Guided – entire disk, Default, Default, Default, Continue, Yes, Network Mirror: Yes, No Proxy, Installed GRUB bootloader on VM HD.

Post Install

Install Parallel Tools

Official Guide: https://kb.parallels.com/en/123968

I opened the VM then selected the Actions then Install Parallels Tools, this mounted /media/cdrom/, I copied all contents to /temp/

As recommended by the Parallels instal bash script I updated headers.

apt install linux-headers-4.14.0-kali1-amd64

Then the following from https://kb.parallels.com/en/123968

apt-get clean
apt-get update
apt-get upgrade -y
apt-get dist-upgrade -y
apt-get install dkms kpartx printer-driver-postscript-hp

Parallels will not install, I think I need to upgrade to parallel 12 or 12 as the printer driver detection is not detecting (even though it is installed).

Installing Google Chrome

I used the video below

I have to run chrome with

/usr/bin/gogole-chrome-stable %U --no-sandbox --user-data=dir &

It works.

Chrome

Running your first remote vulnerability scan in Kali

I found this video useful in helping me scan and check my systems for exploits

Simple exploit search in Armitage (metasploit)

Armitage Scan

A quick scan of my server revealed three ports open and (22, 80 and 443). Port 80 redirects to 443 and port 22 is firewalled.  I have WordPress and exploits I rued failed to work thanks to patching (always stay ahead of patching and updating of software and the OS.

k006-ports

Without knowing what I was doing I was able to check my WordPress against known exploits. 

If you open the Check Exploits menu at the end of the Attacks menu you can do a bulk exploit check.

kali_bulk

WP Scan

Kali also comes with a WordPress scanner

wpscan --url https://fearby.com

This will try and output everything from your web server and WordPress plugins.

/xmlrpc.php was found and I was advised to deny access to that file in NGINX. xmlrpc.php is ok but can be used in denial of service attacks.

location = /xmlrpc.php {
	deny all;
	access_log off;
	log_not_found off;
}

I had a hit for a vulnerability in a Youtube Embed plugin but I had a patched version.

k007-wpscan

TIP: Check your WordPress often.

More to come (Draft Post).

  • OWASP scanner
  • WPSCAN
  • Ethical Hacker modules
  • Cybrary training
  • Sent tips to @FearbySoftware

Tips

Don’t have unwanted ports open, securely installed software, Use unattended security updates in Ubuntu, update WordPress frequently and limit plugins and also consider running more verbose audit tools like Lynis.

More Reading

Read my OWASP Zap guide on application testing and Cloudflare guide.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.2 added More Reading links.

v1.1 Added bulk exploit check.

v1.0 Initial post

Filed Under: Exploit, Linux, Malware, Security, Server, SSH, Vulnerability Tagged With: debian, distro, Kali, Linux, of, penetration, perform, Setting, systems, testing, the, to, up, your

Setting up additional server storage on cloud servers (block storage on Vultr)

October 7, 2017 by Simon

Vultr has a generous disk quota with the cloud servers you can set up. But what do you do when you want more space than the default allocation (for backup or application data)?

I have blogged before about setting up an Ubuntu server on the cloud on Vultr and configuring it if you do not already have a cloud server.

Vultr allows you to set up a server in minutes.

Server

A Vultr $2.5 a month server comes with 20GB storage, a $20 a month server comes with 60GB of SSD storage.

Vultr does offer more storage for about 0.10c per GB. At this time or writing Vultr allows you to add more storage to serves in NY/NJ (only). Read my guide on moving data between servers with RSync. And cond forget yo secure your server with a free SSL certificate and secure it (read more here and here).

An additional 10GB of storage would cost $1/m.

10GB

An additional 50GB of storage would cost $5/m.

50GB

An additional 100GB of storage would cost $10/m.

100GB

An additional 250 GB of storage would cost $25/m

250GB

View the Vultr pricing calculator here. Vultr does say that you can resize your block storage volume but there are manual actions and risks involved so get the space you need early on and prevent resizing later.

Read the Vultr Block Storage FAQ here: https://www.vultr.com/docs/block-storage

Vultr did offer early customers in (limited location’s) a free 50GB storage (read more on these limits here).

I am going to spin up a Block storage and attach to my server in Sydney.

fyi: Read the official guide on Attacking Block Storage to a Vultr server.

1. Login to your Vultr admin panel ( https://my.vultr.com/ ) and click Block Storage (  https://my.vultr.com/blockstorage/ ).

2. Click Add Block Storage

Add Block Storage

3. Choose the size of your block storage volume.

New Block Storage

Darn, I can’t choose Syndey yet as a location to create a block storage volume (I have asked Vultr when we can) so I’ll continue this guide with my existing (free) 50GB volume in New Jersey) and mount it in a server in NY/NJ (and also Syndey).

It appears I can’t connect to a  Block Storage volume outside the block storages location (data centre).

Manage Block Storage

You will need to attach the block storage volume to the server at that data centre location or you will get this error when you try and connect to it later.

Error

In my case, the server did not automatically restart so I manually restarted it.

Connecting the Block Storage to your VM

From the Vultr admin panel ( https://my.vultr.com ), Block Storage ( https://my.vultr.com/blockstorage/ ) you can manage individual Block Storage volumes and see the mounting information.

e.g

(Linux Example) Create partitions:
# parted -s /dev/vdb mklabel gpt
# parted -s /dev/vdb unit mib mkpart primary 0% 100%

(Linux Example) Create filesystem:
# mkfs.ext4 /dev/vdb1

(Linux Example) Mount block storage:
# mkdir /mnt/blockstorage
# echo >> /etc/fstab
# echo /dev/vdb1               /mnt/blockstorage       ext4    defaults,noatime 0 0 >> /etc/fstab
# mount /mnt/blockstorage

FYI: You can only connect to block storage from the same location (one server at a time I’d imagine).

4. From the Vultr Admin panel SSH into the server (in the same location).  See my guide here on setting up a Vultr server and configuring it.

Vultr say’s “Block storage is connected to your server as /dev/vdb. We do not create any filesystems on it by default.” Official Block storage documentation is located here.

5. Run the commands listed in the Block Storage screen (above)

Mount

Error: In my case, the echo command failed to add to configuration to the /etc/fstab file (even with sudo) and the mount command failed?

mount: can't find /mnt/blockstorage in /etc/fstab

I checked the /etc/fstab file contents

sudo cat /etc/fstab
# ..missing mount commands from Vultr..

I manually edited the /etc/fstab file and added the mount point configuration as suggested by Vultr.

sudo nano ./etc/fstab

Contents

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/vda1 during installation
UUID=removedGUID /               ext4    errors=remount-ro 0       1
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
/dev/vdb1       /mnt/blockstorage       ext4    defaults,noatime 0 0 >> /etc/fstab

6. I re-ran the mount command

sudo mount /mnt/blockstorage
#

Success

I can now directory list in the block storage volume.

ls /dev/vdb1 -al
brw-rw---- 1 username disk 253, 17 Nov  7 21:18 /dev/vdb1

Now let’s attach it to another folder in the root folder (e.g /data)

First, unmount the volume

sudo umount /mnt/blockstorage

Edit the /etc/fstab file with sudo nano

sudo nano /etc/fstab

Change the mount point somewhere else (e.g /data)

/dev/vdb1               /data       ext4    defaults,noatime 0 0 >> /etc/fstab

Make a folder in the new path (/data), If you don’t do this the mount will fail.

sudo mkdir /data

Remount the volume (but use the new path)

sudo mount /data

You can now use the path and new storage.

cd /data
mkdir /data/test
cd /data/test
pwd
# /data/test/
sudo nano /data/test/test.txt

Nice

Disposing of Block Storage

TIP: Move or backup any data before you destroy or detach the volume.

First, you will need to unmount the volume (SSH session with your server).

sudo umount /data

Then remove the entry from the /etc/fstab file

Then you can navigate to the https://my.vultr.com/blockstorage/ and edit the said block storage volume and detach the volume (this will cause the server to reboot).

Detatch

After a few minutes you can delete the volume from the edited Block Storage Volume page  (click the Trashcan up the upper right).

Detatch

Done, You can now add and remove Block Storage volumes on Vultr.

How to check the disk usage of the block storage volume

You may need to remind yourself of the block storage volume (cat the /etc/fstab file and view the drive information on the mount line).

cat /etc/fstab
# .. /dev/vdb1 ..

How much space is used/free

df -h /dev/vdb1
Filesystem      Size  Used Avail Use% Mounted on
/dev/vdb1        50G   52M   47G   1% /data

You can also show the usage information in that mounted folder

du -xsch /data
10G     /folder1
10G     /folder2
20G     total

Use the pydf tool to view mounted partitions

Install pydf

sudo apt-get install pydf

Use pydf

pydf
Filesystem Size  Used Avail Use%                                                             Mounted on
/dev/vda1   20G 3496M   15G 17.4 [##########...............................................] /
/dev/vdb1   49G   52M   47G  0.1 [.........................................................] /data

Troubleshooting

  • You need to attach the block storage volume and reboot in the Vultr admin panel before mounting.
  • The echo command (as documented by Vultr) may not add information to the /etc/fstab file (a manual edit will work).

How to Resize a Block Storage Volume on Vultr.

Coming soon (if requested below).

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.2 added disk usage information

Filed Under: Storage, VM, Vultr Tagged With: additional, Block, cloud, on, server, servers, Setting, storage, up, vultr

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) IoT (9) LetsEncrypt (7) Linux (21) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) Performance (6) PHP (13) Scalability (12) Scalable (14) Security (45) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (45) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT