IoT, Code, Security and Server Stuff

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

the

Updating NGINX to the development branch to get more frequent updates and features over the stable branch

by

Updating NGINX to the development branch (on Ubuntu) to get more frequent updates and features over the stable branch

Aside

I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. View all recent posts here https://fearby.com/all/

Now on with the post

Warning

Backup your Nginx and Server before making any changes. The Nginx development branch is quite stable but anything can happen. If your site is mission-critical then stay on the stable branch.

Nginx Branches

By default, you will most likely get the stable branch of Nginx when instaling and updating Nginx.  I have been running the stable version for the last few years but was made aware of a DDoS vulnerability in Nginx.

Here is a good write-up on development merges into the stable branch.

Nginx Updates

I was aware recently of a DDoS bug affecting Nginx and the recommendation was to update ot Nginx 1.15.6 development branch (or 1.14.1 stable branch).

A few days ago no 1.14.1 update was available but a 1.15.6 was, should I switch to the development branch to get updates earlier?

Recent Nginx Changes

Here are the recent changes to Nginx: http://nginx.org/en/CHANGES

Changes with nginx 1.15.6                                        06 Nov 2018

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

    *) Security: processing of a specially crafted mp4 file with the
       ngx_http_mp4_module might result in worker process memory disclosure
       (CVE-2018-16845).

    *) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive",
       "grpc_socket_keepalive", "memcached_socket_keepalive",
       "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

    *) Bugfix: working with gRPC backends might result in excessive memory
       consumption.


Changes with nginx 1.15.5                                        02 Oct 2018

    *) Bugfix: a segmentation fault might occur in a worker process when
       using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.

    *) Bugfix: of minor potential bugs.


Changes with nginx 1.15.4                                        25 Sep 2018

    *) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

    *) Bugfix: in the ngx_http_uwsgi_module.
       Thanks to Chris Caputo.

    *) Bugfix: connections with some gRPC backends might not be cached when
       using the "keepalive" directive.

    *) Bugfix: a socket leak might occur when using the "error_page"
       directive to redirect early request processing errors, notably errors
       with code 400.

    *) Bugfix: the "return" directive did not change the response code when
       returning errors if the request was redirected by the "error_page"
       directive.

    *) Bugfix: standard error pages and responses of the
       ngx_http_autoindex_module module used the "bgcolor" attribute, and
       might be displayed incorrectly when using custom color settings in
       browsers.
       Thanks to Nova DasSarma.

    *) Change: the logging level of the "no suitable key share" and "no
       suitable signature algorithm" SSL errors has been lowered from "crit"
       to "info".


Changes with nginx 1.15.3                                        28 Aug 2018

    *) Feature: now TLSv1.3 can be used with BoringSSL.

    *) Feature: the "ssl_early_data" directive, currently available with
       BoringSSL.

    *) Feature: the "keepalive_timeout" and "keepalive_requests" directives
       in the "upstream" block.

    *) Bugfix: the ngx_http_dav_module did not truncate destination file
       when copying a file over an existing one with the COPY method.

    *) Bugfix: the ngx_http_dav_module used zero access rights on the
       destination file and did not preserve file modification time when
       moving a file between different file systems with the MOVE method.

    *) Bugfix: the ngx_http_dav_module used default access rights when
       copying a file with the COPY method.

    *) Workaround: some clients might not work when using HTTP/2; the bug
       had appeared in 1.13.5.

    *) Bugfix: nginx could not be built with LibreSSL 2.8.0.


Changes with nginx 1.15.2                                        24 Jul 2018

    *) Feature: the $ssl_preread_protocol variable in the
       ngx_stream_ssl_preread_module.

    *) Feature: now when using the "reset_timedout_connection" directive
       nginx will reset connections being closed with the 444 code.

    *) Change: a logging level of the "http request", "https proxy request",
       "unsupported protocol", and "version too low" SSL errors has been
       lowered from "crit" to "info".

    *) Bugfix: DNS requests were not resent if initial sending of a request
       failed.

    *) Bugfix: the "reuseport" parameter of the "listen" directive was
       ignored if the number of worker processes was specified after the
       "listen" directive.

    *) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
       switch off "ssl_prefer_server_ciphers" in a virtual server if it was
       switched on in the default server.

    *) Bugfix: SSL session reuse with upstream servers did not work with the
       TLS 1.3 protocol.


Changes with nginx 1.15.1                                        03 Jul 2018

    *) Feature: the "random" directive inside the "upstream" block.

    *) Feature: improved performance when using the "hash" and "ip_hash"
       directives with the "zone" directive.

    *) Feature: the "reuseport" parameter of the "listen" directive now uses
       SO_REUSEPORT_LB on FreeBSD 12.

    *) Bugfix: HTTP/2 server push did not work if SSL was terminated by a
       proxy server in front of nginx.

    *) Bugfix: the "tcp_nopush" directive was always used on backend
       connections.

    *) Bugfix: sending a disk-buffered request body to a gRPC backend might
       fail.


Changes with nginx 1.15.0                                        05 Jun 2018

    *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
       "listen" directive should be used instead.

    *) Change: now nginx detects missing SSL certificates during
       configuration testing when using the "ssl" parameter of the "listen"
       directive.

    *) Feature: now the stream module can handle multiple incoming UDP
       datagrams from a client within a single session.

    *) Bugfix: it was possible to specify an incorrect response code in the
       "proxy_cache_valid" directive.

    *) Bugfix: nginx could not be built by gcc 8.1.

    *) Bugfix: logging to syslog stopped on local IP address changes.

    *) Bugfix: nginx could not be built by clang with CUDA SDK installed;
       the bug had appeared in 1.13.8.

    *) Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might appear
       in logs during binary upgrade when using unix domain listen sockets
       on FreeBSD.

    *) Bugfix: nginx could not be built on Fedora 28 Linux.

    *) Bugfix: request processing rate might exceed configured rate when
       using the "limit_req" directive.

    *) Bugfix: in handling of client addresses when using unix domain listen
       sockets to work with datagrams on Linux.

    *) Bugfix: in memory allocation error handling.

Development branch changes are made every few weeks and stable branch changes are made less often.

Updating Nginx

Normally you update Nginx bu running an update and upgrade

Restart Nginx for good measure

Checking NGINX Version

Changing your repository to the development branch

I changed ot the development branch by running

Update and upgrade Nginx

Restart Nginx for good measure

Checking NGINX Version

Removing the stable Nginx repository

Run this command to remove the stable branch of Nginx

Check to see if the development branch is listed

Good luck and I hope this guide helps someone

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial post

Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker

by

This is how I checked the compatibility of my WordPress theme and plugin (code) with PHP Compatibility Checker

Aside

I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.

Now on with the post

Snip from: https://wordpress.org/plugins/php-compatibility-checker/

What is PHP Compatibility Checker

> The WP Engine PHP Compatibility Checker can be used by any WordPress website on any web host to check PHP version compatibility.

> This plugin will lint theme and plugin code inside your WordPress file system and give you back a report of compatibility issues for you to fix. Compatibility issues are categorized into errors and warnings and will list the file and line number of the offending code, as well as the info about why that line of code is incompatible with the chosen version of PHP. The plugin will also suggest updates to themes and plugins, as a new version may offer compatible code.

> This plugin does not execute your theme and plugin code, as such this plugin cannot detect runtime compatibility issues.
Please note that linting code is not perfect. This plugin cannot detect unused code-paths that might be used for backwards compatibility, and thus might show false positives. We maintain a whitelist of plugins that can cause false positives. We are continuously working to ensure the checker provides the most accurate results possible.
This plugin relies on WP-Cron to scan files in the background. The scan will get stuck if the site’s WP-Cron isn’t running correctly. Please see the FAQ for more information.

Install PHP Compatibility Checker

PHP Compatibility Checker

I instaled by SSH’ing to my server and opening my WP Plugins folder

I grabbed the latest download URL from here (hover over the download button), at the time of writing this was the latest version: https://downloads.wordpress.org/plugin/php-compatibility-checker.1.4.6.zip

I downloaded the plugin on my server (then unzipped it and deleted the zip)

Enable PHP Compatibility Checker Plugin

I enabled the plugin

Enable the Plugin

I clicked on the following message

> You have just activated the PHP Compatibility Checker. Start scanning your plugins and themes for compatibility with the latest PHP versions now!

Start Scan

I already have PHP 7.2 installed so let’s scan my site. PHP 7.3 will be available in December and it is already being tested in beta.

Scan PHP 7.2

PHP Versions

PHP Versions

Site Scanning

PHP Compatibility Checker site scanning is very business-like

Site Scan Progress

PHP Compatability Checker Scan Results

2 of 22 plugins I use were not PHP 7.2 compatible (WordFence and WP Meta SEO)?

PHP Compatibility Report

I read on twitter that Wordfence may be a false positive.

Clicking toggle details reveal why the scan failed. A Two Factor Auth plugin was all OK.

Scan Results

Your results will hopefully be…

> PHP 7.2 compatible

Of if errors exist it should explain why it did not pass.

FILE: /www-root/wp-content/plugins/wp-meta-seo/jutranslation/jutranslation.php
> —————————————————————————————-
> FOUND 1 ERROR AFFECTING 1 LINE
> —————————————————————————————-
> 251 | ERROR | The function is_countable() is not present in PHP version 7.2 or earlier
> —————————————————————————————-

I can’t wait for PHP 7.3 scanning.  I will update this post in December 2018 after PHP 7.3 is released.

Good luck and I hope this guide helps someone

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial post

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

by

This post aims to show you how you can use a Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and other software and services.

Background

Although I am a developer I do like security related topics and I try and do as much as I can to secure my systems and applications. Reading the Multi-Factor Authentication Wikipedia page has all the details on Multi-Factor authentication.

I have been a big fan of 1Password to generate strong and unique passwords for separate accounts for a while now. Read my guide on upgrading from a standalone 1Password licence to a 1Password subscription. I love generating unique and complex passwords with 1Password.

Screenshot of the 1Password.com software generating a complex password with 63 chars

But what happens if someone gets access to my 1password vault? Yubico has a catalogue of support services that I can use Yubikeys with to have, 1password is one supported service 🙂

I want to add Yubico protections with these services.

  • macOS Logins (DONE)
  • macOS Screensavers (DONE)
  • 1Password (DONE)
  • Dropbox (DONE)
  • Twitter (DONE)
  • Google (DONE)
  • Google GSuite (DONE, WAITING TO VERIFY)
  • Google GMail (DONE)
  • Google Analytics and AdSense (DONE)
  • Github (DONE)
  • Thunderbird Email (DONE)
  • Debian servers in the cloud (SSH) (DONE)
  • Ubuntu servers in the cloud (SSH) (DONE)
  • Securing WordPress (DONE)

Etc

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

  • A) Have backups of your data
  • B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

General

General Yubico YubiKey Setup guides https://www.yubico.com/setup/

Buying a Yubico YubiKey

International visitors can buy a YubiKey from the official store here. Australian readers can buy a key locally here. I grabbed 2x YubiKey YubiKey Neo 4 (with NFC) for $50 USD (about $75 AUD) each.

This blog post will aim to show how you can set up a primary key and backup key for use on macOS and other apps to add hardware-based two-factor authentication to logins.

Authenticator Apps

You can use Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io

Plugging the YubiKey into macOS Mojave

First I read this guide: https://www.yubico.com/works-with-yubikey/catalog/macos/

1) I plugged in my Yubico Neo key into my USB slot.
2) I closed the Keyboard setup window that appeared (I guess the YubiKey is a kind of a keyboard to allow inserting of challenge-response character streams into apps and websites).

Picture of macOS Mojave wrongly detecting the eYubiKey as a keyboard device type.

3) I followed the basic troubleshooting page and confirmed that the key was being detected (yes it was.)

macOS device list showing the Yubico YubiKey was detected

4) I followed this guide to test U2F functionality and this guide to test OTP functionality. Web pages and Google Chome can talk to the plugged-in YubiKey(s).

I was prompted to register a UTF deice (and create an account)

Register a Device

I was prompted to (insert) and touch my Yubico key.

picture of the browser asking me to insert my YubiKey

Google Chome asked for some permissions first.

FYI: Chrome 67 is recommended to securely allow the reading of UbiKey’s from web pages. Only allow sites you trust access to your USB devices and use a modern browser.

Picture of Google Chrome browser asking for permissions to read the inserted YubiKey

Success, Chrome could now see my YubiKey and my device was now verified.

Picture showing YubiKey registration success in a browser

Technical data is available to let you know what is going on in the background. I am not going to break down how this works but Yubico has in-depth whitepapers and documentation if you are interested.

Nice

Configuring OSX

I logged into my Mac with the account that I was going to secure.

I performed a complete time machine backup before proceeding. If you lock yourself out you will need to restore OSX from a Time Machine backup.

I Read the “Using Yubico Pluggable Authentication Module (PAM) with Challenge-Response” login guide: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

I downloaded the Download the YubiKey Manager

I downloaded the yubikey-manager from here so I could configure the keys to use “HMAC-SHA1 Challenge-Response”.

Oops, I downloaded the wrong tool, good to know this one exists though.

Screenshot of the Yubikey Manager Software showing firmware update and OTP configuration settings

I will update what this tool does in future (update firmware?)

I Downloaded the Yubikey Personalization Tool

I went back to the Yubico download page and downloaded the Personalization tool.

Picture of the Yubico Personalisation tool showing it's available software options

Many options are available here.

It’s time to configure a primary and backup (duplicate YubiKey) for use with macOS etc.

Enable Challenge-Response

I opened the YubiKey Personalization Tool, Inserted my primary key, clicked the Settings tab, and in the Logging Settings group, selected Log configuration output and Yubico format.

I then clicked on the Challenge Response Tab, clicked the HMAC-SHA1 button, selected Configuration Slot 2, ticked “Program Multiple YubiKeys“, changed the “Parameter Generation Scheme = Same for all Keys“, Selected “Fixed 64 byte input” under “HMAC-SHA1 Parameters” and generated a new key (wrote it down).

Under “Configuration Protection” then I selected Enable Protection” I then visited here and generated a 6 digit string to convert to hex array (with spaces (e.g: “70 61 73 73 77 64”)).

Warning: If you set an access code and later forget it, you cannot make any programming changes to this YubiKey. You would need to buy another YubiKey.

I clicked on Write Configuration

If you chose Configuration Slot 1 you will receive a warning about not saving over Configuration Slot 1 due to Yubico VIP/Symantec, I personally do not trust Symantec or the https://vip.symantec.com/ service due to Symantec issuing non-compliant certificates for use on websites. Yubico allows you to swap configuration slots if want to keep the configuration data.

YubiCo Prompt asking for permissions to overwrite slot 1

On the output of the first write, I was prompted to save a file. I saved this to “secretkey.csv” onto the Desktop.

Screenshot of save configuration to CSV

When the write to my primary key was successful, I ejected it then inserted my backup key and wrote the same configuration data to it too (on Configuration Slot 2).

Screenshot of a list view showing the successful Write of information to two keys

Testing the HMAX-SHA1 Challenge

I open the YubiKey Personalization Tool, then click the Tools tab and click Challenge Response. Choose Configuration Slot 2, I selected HMAC-SHA1. I typed a sample input challenge (e.g “hello world”) and clicked Perform.

I noticed the Yubico key touch panel was flashing. I pressed the button, then a response appeared below the input textbox. I copied this response text then insert your second key and perform the same test so I could compare the responses (they should be the same). They were.

If the responses don’t match rewrite the configuration to your primary and secondary keys and ensure the same key and secret was used for both keys.

FYI: I rewrote configuration a few times until I got it right.

Installing the Pluggable Authentication Module (PAM) on macOS

I re-read the Mac login guide here as I don’t want to lock myself out of my Mac.

I opened the Yubico Software Download page here and clicked Computer Login Tools and downloaded the PAM for Mac.

Screenshot of the YubiCo PAM Module download page

I installed the PAM package and verified the package installation with this command.

Output:

Screenshot of the PAM Module Installed (ls on a folder)

Text Output:

> drwxr-xr-x 3 root wheel 96 9 Oct 10:29 .

> drwxrwxr-x 74 simon admin 2368 9 Oct 10:29 ..

> -rwxr-xr-x 1 root wheel 143172 20 Apr 21:13 pam_yubico.so

Backup macOS

Again I ensured my Mac was backed up with Time Machine.

Screenshot of backing up my Mac with Time Machine

I logged in to my Mac with the account I wanted to be protected with the Yubico YubiKeys.

I ran the following command in terminal

I double checked that my Yubico key(s) were set up for challenge response (above).

I inserted my Uubico key and ran this command

Feel free to read the “ykpamcfg” manual here. The yubico-pam source code is located here.

Output:

Screenshot of the output of ykpamcfg -2

The contents of “/Users/simon/.yubico/challenge-#######” looked like (I replaced 232 random chars with #’s below). The filename ended with my keys serial number.

v2:########################################################################################################################################################################################################################################:10000:2

Next, I was supposed to copy the challenge output from ykpamcfg to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] with this command..

But I had this error.

Weird as the source file existed?? macOS issues?

I Opened /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER] in the nano editor (sudo elevated process) and saved the file to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

I reopened my terminal and verified the contents of /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER]. The file is now there.

Permissions on the file is “-rw——-“. Good.

I inserted my second backuP key and re-ran “ykpamcfg -2” and copied the file to “/Users/simon/.yubico

I verified the file contents

Output

ls -al output of /var/root/.yubico/

Text Output:

> drwxr-xr-x 4 root wheel 128 9 Oct 09:50 .
> drwxr-x— 12 root wheel 384 9 Oct 09:39 ..
> -rw-r–r– 1 root wheel 244 9 Oct 09:50 challenge-#######
> -rw-r–r– 1 root wheel 244 9 Oct 09:42 challenge-#######

Snip from: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

“Program at least two YubiKeys when implementing a requirement for authentication with a YubiKey on your Mac. If you configure only one YubiKey and something happens to the YubiKey, you must restore the Mac from a Time Machine backup that you created before editing the authorization file before you can log back in to your account. ”

Reading the guide regarding multiple accounts (setting up a Key for each login). I have 5 logins on my Mac but when this works I will disable the other accounts from logging in.

Enable the use of the Yubico key when the screensaver is deactivated on macOS

I opened a terminal and edited “/etc/pam.d/screensaver ” (I use the easier nano editor)

I added this line

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

editing /etc/pam.d/screensaver added auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

I tested my screensaver and no extra protection was provided (the screensaver just exited).

I rebooted, still no change?

I reinstalled the PAM module.

Silly me, I needed to enable the password on the screensaver to then activate the /etc/pam.d/screensaver entries.

I enabled the screensaver passwordsEnable screensaver password in macOS

I am now prompted to enter my password and inset and tap my Yubico Key on screensaver exit (on both keys). Awesome.

Next, I need to enable this at macOS login.

Enable the use of the Yubico key at macOS Login

I edited /etc/pam.d/authorization file with nano in the terminal

I added the same line as was added to the file /etc/pam.d/screensaver

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

/etc/pam.d/authorization

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

Now let’s log out and test this.

It’s working.

Excellent

Add Two Factor Authentication to 1Password

Here is a guide on using the Yubico YubiKey with 1Password. This directed me to https://support.1password.com/yubikey/

I downloaded the Yubico Authenticator app on macOS and installed it.

Authenticator app

After I inserted my primary Key I received a “No Credentials Found”message.

No Credentials Found

I logged into https://my.1password.com/signin and clicked My Profile.

I clicked More Actions then Turn On Two-Factor Authentication

Enable 1Password Two Factor Auth

I added the generated QR code details to the Android Authenticator and macOS Yubico Authenticator app. At first, I could not scan the QR code in macOS (was Mojave blocking this?), I manually entered the details (after confirming them from the Android app QR code scan).

Details:

  • Issuer: 1Password
  • Account Name: my.1password.com
  • Secret Key: ###################
  • Time: 30
  • Algorithm: SHA-1
  • Period: 30
  • Digits: 6

Add 2nd Factor Details

Now, 1Password web and the desktop app are asking for the 2-factor code (generated in the Yubico Authenticator app after I insert my YubioKey).

Nice

2 Factor Auth enabled on 1password

I logged off and I was not prompted for my Two Factor code?

Snip from: https://support.1password.com/two-factor-authentication/

Your 1Password account is now protected by two-factor authentication. From now on, you’ll need to enter a six-digit authentication code from your authenticator app when you sign in to 1Password on a new device.

I logged in to 1Password from Google Chrome on Android and indeed I was prompted for a two-factor auth code form the Yubico Authenticator app (with a KubiKey inserted).

2nd Factor prompted on new devices

Add Two Factor Authentication to Dropbox
I read https://www.yubico.com/works-with-yubikey/catalog/dropbox-personal/. Dropbox also has setup instructions here.

I logged into Dropbox and went to Settings then Security then clicked Add next to Security Keys

Dropbox 2 factor auth

I started the Wizard, entered my Dropbox password, then inserted my YubiKey.

Add YubiKey to Dropbox

Name the Key

Name the YubiKey

I added my Primary and Backup Key(s)

Added Two Keys

I logged out and back in and no Security Key prompt?

I am using Chrome and had cleared past browsers from the Dropbox list of web browsers at https://www.dropbox.com/account/security

I discovered that I need to set the primary authentication method to Use Mobile App (My Bad, it would be nice if Dropbox set this as default after I added the keys).

Set Primary Method of Two Factor Auth

I added the Dropbox QR code to the Yuboico Authenticator app

Add Dropbox Two Factor Auth to Authenticator

I was asked to enter a 6 digit code from my Yubico Authenticator app to verify the working link. I inserted my YubiKey into my machine to show the code.

Now Dropbox is configured 🙂

Dropbox is configured

Success

I now have to insert my primary key when logging into Dropbox

Dropbox now demands a YubiKey is inserted
I need to find a way to copy my Authenticator credentials to my Backup Key from my Primary key

Authenticator Credential not on both keys

Add Two Factor Authentication to Twitter

I read https://www.yubico.com/works-with-yubikey/catalog/twitter/ (Setup Instructions)

1) Login to Twitter

2) Open your Settings and Look For Security

Twitter Security

3) Click Start

Start Wizard

4) Enter Your Password

5) Accept and enter any SMS codes if you set up SMS Two Factor codes via SMS

6) Click “Review your login verification methods”

Review Login Methods

7) Click “Setup Key”

Setup Key

8) Insert Your YubiKey and follow the prompts to activate it.

Insert Key

9) Now the key will be requoted to log in to Twitter

Activated Key

Testing Two Factor Login to Twitter

I logged out of and back into Twitter but the SMS Two Factor Authentication method was still active?

SMS Two Factor Still Activated

I tried to disable the SMS method in Twitter but two factor was disabled altogether and the registered key was deleted. I re-added my key 🙁

I solved this by choosing “Choose a different verification method” when logging in then choosing “Use your security key“, Twitter then accessed my YubiKey and further login attempts used the key instead of SMS 🙂 I could use an Authenticator code but they YubiKey touch method is quicker.

Alternate Two Factor Options

Done

It would be nice if Twitter allowed multiple keys to be used to log in?

Add Two Factor Authentication to Google, Google cloud, Gsuite etc

I read https://www.yubico.com/works-with-yubikey/catalog/google-accounts (Instructions https://myaccount.google.com/).

Adding two Factor authentication details to Google was not easily accessible at Google so I Googled (lol) this https://support.yubico.com/support/solutions/articles/15000006418-using-your-yubikey-with-google

I loaded: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome

I clicked Get Start

Add Two Factor to Google Get Started

I clicked Choose Another Option (not SMS Two factor)

Add Other Two Factor

Clicked Security Key

Add Security Key

As prompted I inserted my key and allowed access to it.

Insert Key

I named the Key

Name the key

I repeated the steps and added my 2nd key.

Add 2nd Key

Done

I logged out my https://myaccount.google.com and logged back in and I was prompted to insert my YubiKey

Insert YubiKey

Nice

I did try and login to my google GSuite account at https://admin.google.com but it did not prompt me to insert a key. I will do this next.

Add Two Factor Authentication to GSuite

I logged into the GSuite admin interface at https://admin.google.com/ I generated some backup codes in case I need them in the future.

I checked my main admin user account and I could see the 2 google security keys synced through from Google.

Check Securiy Keys

I then searched GSuite for “Two Factor” and loaded the “Enforcement” Page

I enabled “Turn On Enforcement Now

I enabled “Only Security Keys

I logged out and back into https://gsuite.google.com/ TWICE and no security key prompt.

Silly me: I forgot to click save at the bottom of the screen and it appears there is a 24-hour delay?

Don't forget to press save

Add Two Factor Authentication to GMail

This is already done (above), GSuite email takes up to 24 hours to become active, GMail is instant.

Gmail two factor auth working.

Add Two Factor Authentication to Google Analytics

I can’t see an option to turn Two Factor Auth on in Google Analytics 🙂

I did send feedback to the Google Analytics team.

Adsense Feedback

Add Two Factor Authentication to Google Adsense

I can’t see an option to turn Two Factor Auth on in Google Adsense either 🙂

I did send feedback to the Google AdSense team.

No AdSense 2FA

Add Two Factor Authentication to Github

I logged into Github, opened my Settings and clicked Security then Enable two-factor authentication

GitHub

Click Setup using an app save the recovery codes.

Open the Yubico Authenticator app (ensure you can see the QR Code in GitHub)

In the Yubico Authenticator, App click File then Scan QR Code

The GitHub details should be added to the Authenticator

Authenticator App

Two Factor via authenticator tokens is enabled and now I can see a Keys options,

Add Keys

I clicked Add next to security keys then Register New Device, I gave the key a name then clicked Add.

Add 2 Keys

I added both keys then I Logged out and back in and two factor was enabled by YubiKey 🙂

Two Factor Enabled

Add Two Factor Authentication to Debian servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

Add Two Factor Authentication to Ubuntu servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

YubiKey Support

There are loads of Yubico support articles here: https://support.1password.com/yubikey/

Yubico Developer Info

A GitHub repository of source code is located here: https://github.com/Yubico

Other developer related pages here

Securing WordPress

Read this guide on Securing WordPress with 2FA (YubiKey insertion or Authenticator app).

I found a good WordPress plugin to handle 2FA logn methods.

Set all desired 2FA login methods

I am prompted to insert my YubiKey after logging into WordPress.

Nice

Java Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has Java repository that contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTP’s (One-Time Passwords).

https://developers.yubico.com/yubico-java-client/

PHP Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has PHP library ad source code but it has not been updated in 3 years. I cannot get this working on PHP 7.2.

https://github.com/Yubico/php-yubico

Using Yubico YubiKeys as 2fA with one-time Passwords.

The YubiKeys can be used to store and generate one time passwords.

Read more about 2fa here

Here is a good plugin to tell you what sites use 2fa as you browse: https://2fanotifier.org

I have used my YubuKeys to store dozens of 2fa One time password son sites

e.g Namecheap

Namecheap enable 2fa

I enabled 2fa OTP (over phone/SMS 2fa) at Namecheap

2fa enabled at namecheap

Recovery info and backup

Always setup, and obtain backup access codes (or set alternate two-factor login methods) to software and know how you can disable YubiKey 2FA logins if needed.

Read more on YubiKey data backup policy here.

Copy Yubico Authenticator credentials to my Backup Key from my Primary Key

My Primary and Secondary YubiKeys have different Authenticator credentials (I need to sync them)

Authenticator Credential not on both keys

Set a YubKey Password (Yubico Authenticator App)

You can set a YubiKey Password so limit access to Two Factor Linked Accounts in the Yubico Authenticator. Nice.

      1. Open the Yubico Authenticator App
      2. Insert your YubiKey
      3. Open the File then Set Password Menu
      4. Click Set Password

Now when you insert the YubiKey you will be prompted for a password Before Two Factor tokens are displayed.

Set Yubico Password

Find a YubiKey Device Quiz

Use this quiz to find the right YubiKey for you: https://www.yubico.com/quiz/

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

  • A) Have backups of your data
  • B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

Issue(s)

Thunderbird email on Google Chrome (accessing GSuite) is not accepting the key.

It is prompting…

Thunderbird prompting for the key

But it is not recognising the key (no matter how many times I insert or press the key)?

Key not detecting in Thunderbird

It appears Thunderbird 52 may not support keys yet, May have to wait until release 60.

I installed Thunderbird 63 (BETA) from https://www.thunderbird.net/en-US/channel/

Installed Thunderbird 63 BETA

After I installed Thunderbird it asked for my Security Key, accepted it and asked for further permissions.

Thunderbord a63 beta asking for permissions

I can now read my email in Thunderbird with my YubiKey

Update: June 2019

1Password now allow you to setup 2FA (authenticator app or YuiKey leys (or both)) authentication on your 1Password login. Read the official post here.

Goto https://my.1password.com/profile/2fa to setup 2FA.

You can setup 2FA (authapp and or hardware keys)

1Password set 2fa

You will be notified by email if a 2FA method is setup.

Email alert about 2fa

You will need to sign out and back into your apps web, Desktop and Mobile.

Web Signin

desktop Signin

You will need to insert and press your hardwre key.

Press 2FA Key

And enter your 2FA code

Enter 2fa otp code

Mobile app login

Enter 2fa code on mobile app loginb]

I used my YubiCo Authentocator app to get the temporary OTP.

Get OTM from auth app

You can remove previous logged in devices from accessing your data or force them to reqire 2FA at next login

de Auth existing defices

Nice

Links

YubiCo Device Comparison Chart: https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/

Email Subscription form YubiCo: https://pages.yubico.com/email_subscription.html

Conclusion

Thunderbird issues (solved by installing a BETA).

Not all apps have the same method (some have Authenticator App only) and some have YubiKey Insert/Touch, some allow one key or multiple keys.

The only issue is my Huawei Mate 9 phone is a little flakey at reading NFC (fixed: I just have to tap for 5 seconds)

I have attached the YubiKeys to a dog chain’s and they live around my neck.

dog_clains

Version History

v1.1 Added authenticator/Namecheap 2fa info.
v1.0.1 YubiKey Backup Policy and comparison chart
v1.0.0 WordPress
v0.8.1 authenticator apps
v0.8.0 Draft: Debian/Ubuntu and many other changes
v0.7.0.1 Draft: Issue – Thunderbird Issue Solved
v0.7.0 Draft: Issue – Thunderbird Issue
v0.6.9 Draft: Protected GitHub
v0.6.9 Draft: Unable to Protect Google AdSense and Analytics
v0.6.8 Draft: Protected Google Gmail (https://gmail.com)
v0.6.7 Draft: Protected Google GSuite (https://gsuite.google.com/ and https://admin.google.com/)
v0.6.6 Draft: Protected Google (https://myaccount.google.com/)
v0.6.5 Draft: Protected Twitter
v0.6 Draft: Set a YubKey Password (Yubico Authenticator App)
v0.5 Draft: Sync Authenticator credentials?
v0.4 Draft: Protected Dropbox
v0.3 Draft: Protected 1Password
v0.2 Draft: Protected macOS Login
v0.1 Draft: Protected macOS Screensaver

Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

by

This post is for Telstra (to help a 10+-week investigation into Telstra NBN issues).

This post has been split up to make this page load faster: Read [Part 1] [Part 2] [Part 3] [Part 4] [Part 5]

Unresolved Issues with Telstra

  1. Telstra promised Fibre to the premises but delivered fibre to the node (deceptive bait and switch?)
  2. Data stability issues remain.

Status

  • TIO deadline (16th of August) passed 7 days ago (no resolution). Still waiting for assistance for the TIO (at least 6-week wait from the TIO ticket creation)
  • Telstra deadline passed (23rd August) with no resolution.
  • Escalating Federally (Federal cannot help until the TIO case is closed, Telstra will not close TIO case)
  • Telstra added a 2-week deadline to transfer the phone line (phone line back).
  • Have I been blacklisted by Telstra 13 22 00 support number (and reps says talk to your case manager)
  • Data stability issues remain

I was already with NBN (FTTN, ISP Name redacted) on a 50/20 Megabit plan and Telstra promised fibre to the house (FTTP) instead of FTTN and this is what happened (still unfolding…).

Telstra NBN (FTTN)

You can read my change over from ADSL 2 to NBN posts here. I was paying for a 50 Megabit Down and 20 Megabit up plan and it was not very after 5 months. I am not into torrenting unless downloading essential Raspberry Pi images or Linux ISO images. I needed a faster and more reliable internet connection and phone line.

My landline was down for 30 days and because I had a stroke recently (all good touch wood) a working phone line is very important. My previous provider said they can’t escalate issues unless the data line is completely down. Some days the internet was fine other days it was terrible.

I was sent a number of routers from my previous ISP to try an diagnose the dead landline and bad NBN speeds.

Picture of 3 dead routers

I was sick of the poor speeds of FTTN NBN. I was frequently talking to my previous NBN provider and had to perform daily router reboots. Some days NBN 50 Megabit seemed like being on a modem on a good day or ADSL1 on a bad day.

Old Provider Scores

All support calls with my previous ISP support usually went one of two ways

  • We cannot escalate this issue (dead landline/slow data speeds) to NBN because your router is “syncing” (all be it slowly and with a dead landline).
  • We will send you a new router (mostly with experimental firmware?).

The landline stopped working and we got used to rebooting the router multiple times a day.

NBN is having troubles?

NBN woes signal boom in fixed wireless broadband internet (1 in l 6 NBN connections fail.

1st Telstra Inquiry

On the 30th June 2018, I chatted with Telstra to investigate Telstra NBN options.

General Info

Duration (actual chatting time)00:40:54
OperatorTelstraOperator (real name redacted)

Telstra Chat Transcript (*** = “*** removed delayed replies for readability ***”. Some numbers have been pre redated by Telstra?, Telstra Typo’s not corrected.)

P.S The real name provided by the Telstra Operator has been replaced with TelstraOperator (as I promised to hide names when asking for permission to post the conversation on my blog).

fyi: Alison and myself (Simon) are married.

> Info: Thank you for choosing Telstra 24×7 Live Chat. A representative will be with you shortly. At the conclusion of your chat please take a few moments to give us some feedback on your experience today.
> Info: All agents are currently assisting others. Thank you for your patience.
> Info: You are now chatting with TelstraOperator.
> TelstraOperator: Welcome to Telstra, this is TelstraOperator one of the sales representatives. How may I help you today?
> TelstraOperator: Hello Alison how are you?
> Alison: (***Asked about switching NBN to Telstra***)
> Alison: Do you we need to leave the current provider or can we transfer?
> TelstraOperator: Could you please provide me your account /home number with complete name and Date of birth? I will quickly have a look.
> …
> Alison: (*** I provided my addresss ***)
> Alison: (*** I provided my landline ***)
>TelstraOperator: I Thought you are existing Telstra customer
> Alison: Telstra mobile but (Previous ISP Name) phone
> Alison: We want the phone and nbn to be on Telstra with mobile number
> …
> TelstraOperator: Thank you for the address, and yes while palcing the order you will get a option to enter your deatails, so our team will cancel your current broadband plan and switch to Telstra.
> Alison: Nice
> TelstraOperator: Thank you, (Please allow me a moment while i check the same in our system.)
> Alison: Ok
> Alison: I have an optus phone I am willing to switch ove too
> Alison: Over
> TelstraOperator: Greta, yes you can switch your number as well with us.
> TelstraOperator: After running the serviceability check it was found that Telstra will be able to provide you service via NBN which is the fastest fiber optic based technology we offer, and with our NBN plan you will get 50 mbps speed .
> Alison: Are you sure it’s fibre optic?
> TelstraOperator: Great! Based on the information you have provided today, I would like to offer you _ our $79 plan for ***** gb data per month + new smart modem free , and pay as you go calls, however if you want the cals so you can add our calling pack any time for $10 unlimited loclam national ,Aus mobile calls .
> TelstraOperator: And yes its a fibre optic .
> Alison: Our nbn at present is copper vdsl
> Alison: sounds great
> Alison: Do we pay extra to upgrade our house line to fibre from copper?
> TelstraOperator: Thank you, and like to
> TelstraOperator: iNFORM*
> TelstraOperator: Like to inform*
> Alison: What deals can we get with a landline phone, nbn 50/20/***** and 1 or 2 mobiles a month?
> Alison: Sounds good, thanks
> TelstraOperator: After sign up our $79 plan our team will come to your place to set up our service for you,and there is only one time fee of $99 for activtion feeand this fee will be add on your firts bill , so no need to pay any thing right now , and this fee will cover all like set up , line connection technical team visiting etc.
> TelstraOperator: And yes on $79 plan you can add mobile plan as well any time .
> …
> Alison: Can you double check please the fibre optic, is this to the house or nbn cabinet?
> TelstraOperator: Sur
> TelstraOperator: sure*
> Alison: Can I share these awesome details on my blog? So sick of (*** Previous ISP Name ***) NBN
> TelstraOperator: Thank you for waiting, as I have checked and confirm with my team as well, so yes fibre optic its availabl.
> TelstraOperator: Order Processing You will have to place an order from the Telstra website itself, I will help you with the process whenever you are ready.
> Alison: fibre to the house?
> …
> TelstraOperator: Yes , You can connect to the nbn™ network via Fibre to the Curb technology.
> TelstraOperator: Fibre.
> Alison: Oh, so it’s not fibre to the house but copper from the house to the node then fibre the exchange from the node
> TelstraOperator: Yes, but do noty worry.
> TelstraOperator: As I have inform you
> Alison: yes fibre or copper from the house? Huge differences.
> TelstraOperator: That after signup the plan our team will come to your place to do all teh set up from your streret to your house
> TelstraOperator: With a fibre .
> Alison: Sorry to be a pain and ask for clarification but it’s copper from the house to the node not fibre. Answers being blogged here for other to read https://fearby.com/article/upgrade-adsl2-fttn-nbn-national-broadband-network-australia-journey/
> TelstraOperator: I understand it’s been an inconvenience and I’m sorry., but let me explain .
> Alison: Not sure it’s legal for you to say I can get fibre nbn when it’s copper to the node?
> TelstraOperator: As I have inform that our team will set up the service from your street to your home, it means our team will do the new cabling from your strtyee to your home, of fibre .
> Alison: FttN or FttC
> TelstraOperator: For thaat reason only there is one time fee of $99 .
> Alison: Awesome
> Alison: Do we pay for the fibre from our house to the street? Our driveway is 80m long
> …
> Alison: Nice, based on your advice of new fibre and price, we will signup ASAP, do you have a reference number we can use to lock this in?
> TelstraOperator: Thank you we can sign up the plan now as well
> TelstraOperator: And after sign u p the plan our team will call you with i 24 hours for the confirmatoin.
> TelstraOperator: Order Processing You will have to place an order from the Telstra website itself, I will help you with the process whenever you are ready.
> Alison: I need to confirm we can exit our nbn plan from the current provider first
> Alison: do you have a reference number for this chat?
> Info: The chat transcript will be sent to: [email protected] at the end of your chat.
> : ThatTelstraOperator’s fine , no worries please take your time,and once your ready so please feel free to chat back with us
> TelstraOperator: I hope I have replied all your queries successfully?
> Alison: It has, awesome news tekstea
> Alison: telstra
> TelstraOperator: Thank you,I have a small favour to ask.
> TelstraOperator: It has been a pleasure serving you, please take a few moments to give us some feedback on your experience today. Please Initiate the End Chat Session Now, by clicking the (+) sign, and Select the ‘End Chat Conversation’ and you can also get a copy of our chat transcript by selecting ‘Email Transcript’ button.
> TelstraOperator: Thank you,I am glad I was able to assist. Is there anything else I could help you with today?
> Alison: Yep, can I share this info on my personal blog? happy to blur out names.
> TelstraOperator: yes of cource you camn
> Info: The chat transcript will be sent to: [email protected] at the end of your chat.
> TelstraOperator: can*
> …

Summary

  • TelstraOperator: Great! Based on the information you have provided today, I would like to offer you _ our $79 plan for ***** gb data per month + new smart modem free , and pay as you go calls, however if you want the cals so you can add our calling pack any time for $10 unlimited loclam national ,Aus mobile calls .
  • TelstraOperator: And yes its a fibre optic .
  • Alison: Do we pay extra to upgrade our house line to fibre from copper?
  • Alison: Can you double check please the fibre optic, is this to the house or nbn cabinet?
  • TelstraOperator: Thank you for waiting, as I have checked and confirm with my team as well, so yes fibre optic its availabl.
  • Alison: fibre to the house?
  • TelstraOperator: As I have inform that our team will set up the service from your street to your home, it means our team will do the new cabling from your strtyee to your home, of fibre .
  • Alison: Do we pay for the fibre from our house to the street? Our driveway is 80m long
  • Alison: Nice, based on your advice of new fibre and price, we will signup ASAP, do you have a reference number we can use to lock this in?

I was left thinking that I was being offered fibre to the house (FTTP – fibre laid up my driveway).

Telstra promise of Fibre (FTTN)?

Telstra Fibre Promise?

Street to the house cabling (Fibre).

FTTP?

Fibre to the house sounds awesome.

Exiting my contact with my previous ISP

I asked my previous ISP to release me from the contract I was in (given the ongoing issues)

Request to leave my previous ISP

My previous ISP called and said that I can leave the contract 🙂

2nd Telstra Inquiry (and switchover to FTTN)

On the 3rd of July 2018, I contacted Telstra Chat to confirm fibre again and to switch over if it was fibre.

General Info

Duration (actual chatting time)00:47:30
OperatorTelstraOperator (real name redacted)

Telstra Chat Transcript (*** = “*** removed delayed replies for readability ***”. Some numbers have been pre redated by Telstra?, Telstra Typo’s not corrected.)

P.S The real name provided by the Telstra Operator has been replaced with TelstraOperator (as I promised to hide names when asking for permission to post the conversation on my blog).

> Info: Thank you for choosing Telstra 24×7 Live Chat. A representative will be with you shortly. At the conclusion of your chat please take a few moments to give us some feedback on your experience today.
> Info: You are now chatting with TelstraOperator.
> TelstraOperator: Welcome to Telstra, this is TelstraOperator one of the sales representatives. How may I help you today?
> TelstraOperator: Hello Simon , how are you?
> Simon Fearby: Hello, (Previous ISP Name Redacted) just said I can exit a 50/20 NBN contract early so I can switch to Telsta NBN (Connect Plus)
> Simon Fearby: Shall I cancel with (Previous ISP Name Redacted) then signup with Telstra to make things smoother or transfer and have Telstra pull the number etc?
> TelstraOperator: That’s good to know, and good choice of plan, Sure I Telstra sure provide teh service,and Telstra will cancel yourt current (Previous ISP Name Redacted) plan as well .
> TelstraOperator: While placing the order you will get a option to enter your (Previous ISP Name Redacted) details
> Simon Fearby: So I should signup with Telstra, enter address and number and then have Telstra pull services then call (Previous ISP Name Redacted) to ensure all is cancelled?
> Simon Fearby: Nice.
> TelstraOperator: Yes corret .
> TelstraOperator: Can I have your complete address to perform a serviceability check for you?
> Simon Fearby: I cant wait, Telstra’s service sounds great.
> Simon Fearby: (*** I provided my addresss ***)
> TelstraOperator: Thank you, in our $79 plan you will gte ***** gb data per month+ new smart modem free , no calls included , however if you want the calls so you can add our $10 calling pack for ulnimited local, natioanl ,Aus mobile calls .
> Simon Fearby: Thanks
> Simon Fearby: We dont make many calls. 🙂
> Simon Fearby: So we signup online?
> TelstraOperator: After running the serviceability check it was found that Telstra will be able to provide you service via NBN which is the fastest fiber optic based technology we offer, and with our NBN $79 plan you will gte 50 mbps speed.
> Simon Fearby: Do we pay extra for fibre to be installed?
> TelstraOperator: Once the order will be placed, soon you will receive an email and SMS about the package details. The plan/bundle will be activated in your account within 5 to 7 business working days based upon cabling work required . The necessary devices will be sent within 5-7 business working days, and if you want in urgent so while placing the order you can select connect me soon option.
> TelstraOperator: NO , There is only one time cost for $99 for activtion fee, and thsi fee will be add on your First bill so no need to pay any thing right now , and this fee will cover all like set up, line connectiojn , technical team visiting etc.
> Simon Fearby: Thanks for your information, this has made me decide switch 🙂
> TelstraOperator: Great, Order Processing You will have to place an order from the Telstra website itself, I will help you with the process whenever you are ready.
> Simon Fearby: Will do tonight.
> Simon Fearby: Thanks TelstraOperator
> TelstraOperator: Sure, but I like to suggest to go right now
> TelstraOperator: Because I will be there online for you
> Simon Fearby: go and get connected?
> TelstraOperator: So if you stuck in ay question so i can help you
> …
> TelstraOperator: So you can sign up the plan any time .
> Simon Fearby: Just to confirm we dont need to pay for the fibre optic trench form the cabinet to the house up our driveway?
> TelstraOperator: No need to pay any extra
> TelstraOperator: The $99 wil cover all.
> TelstraOperator: will *
> Simon Fearby: Im happy to switch now, just got the ok.
> TelstraOperator: Awesome, so shall we go a head to sign up the $79 plan ?
> Simon Fearby: Yep.
> TelstraOperator: Sure captain .
> TelstraOperator: https://www.telstra.com.au/broadband/plans-bundles
> Simon Fearby: Lets do this
> …
> TelstraOperator: please visit the above link to sign up the $79 p;lan
> Simon Fearby: done
> TelstraOperator: After visit the link, please enter your address.
> Simon Fearby: I can self install
> TelstraOperator: Yes
> : You have to select self install option.
> TelstraOperator: When you click ‘select’, it will take you to the online order form. You will have to fill the details and pass me the Order Reference Number that is generated after the order is placed successfully for further processing.
> Simon Fearby: doing now 🙂
> Simon Fearby: Whats “Registered Priority Assistance customer.”?
> TelstraOperator: Sure,please take your time, and once you done, please pass me the order id munnuimber for the further process, and Thank you. I am there online in case you need any help.
> TelstraOperator: We offer Priority Assistance which is a free service designed to help customers who have (or are living with someone who has) a diagnosed life threatening medical condition and whose life may be at risk without access to a fully operational phone service. Eligible customers can register for Priority Assistance and we will install a Priority Assistance customer’s first home phone line at their address as quickly as possible.
> Simon Fearby: just confirming phone bundle
> TelstraOperator: Yes
> Simon Fearby: can i select the $10 unlimited calls option later?
> TelstraOperator: yes of cource
> Simon Fearby: “Yes, with another service provider and I want to switch to Telstra” = (Previous ISP Name Redacted)?
> TelstraOperator: you can add the add on stuiff any time .
> TelstraOperator: Stuff*
> Simon Fearby: nice
> TelstraOperator: Yes correct ,and enter your (Previous ISP Name Redacted) details.
> Simon Fearby: “Connection Type” = Cable Other?
> TelstraOperator: please select other .
> TelstraOperator: As part of your service, your name, address and phone number will be published in the printed and online White Pages directories and available from Directory Assistance. If you don’t want your details published, we offer a private number service called Silent Line free per month. We’ll also block your number so that when you call others they won’t be able to see your number. It’s important to know that a Silent Line alone won’t stop all telemarketing or unwanted calls. Would you like a silent Line?
> TelstraOperator: As part of the Telstra family it’s important to know all the best ways you can make changes and view your account online. Your first stop for all things related to your account is My Account found at: https://www.my.telstra.com.au. Here you can view your accounts, current invoices and make change requests to your accoun
> TelstraOperator: The whole process takes anywhere from 5 to 7 business days to get you connected after you sign-up.
> TelstraOperator: You won’t be charged for any excess broadband usage, however your speed will be shaped to 256 kbps for that month or until you do a data top-up.
> TelstraOperator: Your Telstra Technician will call when they’re on their way. Please allow around 4 to 5 hours for your appointment. You must have : an authorised representative on your account on site and available during your appointment(s), access to all work areas (including any required work permits), access to any service configuration emails that we’ve sent you, access to any relevant usernames and passwords. If your installation requires any non-standard services or equipment, your technician will discuss your options and let you know any extra costs before commencing work.
> TelstraOperator: We offer the option to connect to the nbn network if you’re confident with installing your own devices and if your home set-up is fairly simple, this would be the ‘Self Install’ option. If a standard Professional Installation/ tech visit is required, there will be a charge of $240 (one off). The $240/standard Professional Installation/ tech visit fee is available on a 12 month service repayment option. Additional costs will apply if you have complex cabling requirement
> Simon Fearby: DONE.
> TelstraOperator: There must be a working phone line/cable in the property for Telstra to provide services. If cabling is required, additional charges may incur.
> TelstraOperator: https://www.telstra.com/content/dam/tcom/personal/help/pdf/cis-personal/bundles-c/personal-critical-information-summary-telstra-plans-bundles-MOSC2160.pdf
> TelstraOperator: The above link its for our $79 Critiacl info summary , so you can go throuigh it any time .
> Simon Fearby: how do i pay?
> TelstraOperator: you will get a bil after 30 days .
> Simon Fearby: What about $99 setup fee?
> TelstraOperator: It will add on your First bill.
> TelstraOperator: And from second montyh it will be $79 per month .
> Simon Fearby: Nice.
> Simon Fearby: When will the fibre be connected to the house and router turn up?
> TelstraOperator: After sig up the plan our team will come to your place to set up our service for you, and our team will call you with in 24 hours for the confirmation.
> Simon Fearby: Thanks
> TelstraOperator: Thank you, once you done please pass me the order number /
> Simon Fearby: Today?
> Simon Fearby: So I check email?
> Simon Fearby: ########
> Simon Fearby: What’s next? We’ll process your request within 24-48 hours and contact you to clarify details of your order if required. Your order Order reference number: NA########
> TelstraOperator: NO , OUR team will create a pass word them you can checked the email .
> Simon Fearby: thanks, so that is?
> TelstraOperator: Fantastic,thank you for the order id number, soon you will receive an email and SMS about the package details. and one call fro our team with in 24 hours for the confirmation.
> …
> TelstraOperator: Just to summarise what you have purchased today our $79 copnnet plus plan with NBN
> TelstraOperator: My account As part of the Telstra family it’s important to know all the best ways you can make changes and view your account online. Your first stop for all things related to your account is My Account found at: https://www.my.telstra.com.au. Here you can view your accounts, current invoices and make change requests to your account.
> TelstraOperator: CrowdSupport If you have further questions about your services in the future, I also recommend visiting our crowdsupport page at: https://crowdsupport.telstra.com.au/. This is a digital community providing support and answers to a list of commonly asked questions by our customers. Have a browse and ask a question, there are no bad questions.
> Simon Fearby: Yes, with pay as you go phone.
> TelstraOperator: I hope I have replied all your queries successfully?
> TelstraOperator: Yes correct .
> Simon Fearby: Thanks, can I tell my friends on blog how awesome Telstra are?
> Simon Fearby: https://fearby.com
> TelstraOperator: YES please .
> Simon Fearby: Thanks
> …
> TelstraOperator: It has been a pleasure serving you, please take a few moments to give us some feedback on your experience today. Please Initiate the End Chat Session Now, by clicking the (+) sign, and Select the ‘End Chat Conversation’ and you can also get a copy of our chat transcript by selecting ‘Email Transcript’ button.
> …
> TelstraOperator: Thank you for visiting Telstra, have a nice day.

Summary

> TelstraOperator: After running the serviceability check it was found that Telstra will be able to provide you service via NBN which is the fastest fiber optic based technology we offer, and with our NBN $79 plan you will gte 50 mbps speed.
> Simon Fearby: Do we pay extra for fibre to be installed?
> Simon Fearby: Just to confirm we dont need to pay for the fibre optic trench form the cabinet to the house up our driveway?
> Simon Fearby: When will the fibre be connected to the house and router turn up?

Again I was expecting Fibre to the house.

Continue onto Part 2

WiFi Research

I found this Telstra Wifi Page:
https://www.telstra.com.au/broadband/extras/getwifi

I Downloaded the Telstra Home Dashboard App https://play.google.com/store/apps/details?id=com.telstra.wifidiag

House Plan

Telstra Map House Wifi Speeds

My Wifi Speeds

Wifi Speeds

Related Links

Revision History

V8.2 TIO case closed.

V8.1 upload limit removed by Telstra Specialist.

V8.0 Telstra confirmed that NBN visited last week and fixed a fault. Also 14Mb upload OK ok.

V8.0 slow upload speeds remain

V7.9 slow upload speed

V7.8 unscheduled technician visit while I was out.

V7.7 third plan restart?

V7.6 remote fix scheduled.

V7.5 technician visit booked.

V7.4 Update 4th October 2018.

V7.3 the TIO called and asked that the remaining issue is? (I said dropouts, slow uploads and fluctuating speeds). New Telstra case manager will be assigned.

V7.2 slow speeds

V7.1 Upload speeds now 14Mb (20% lower)

V7.0 Created Part 5 (Part 4 was too slow to edit on mobile)

V6.9 the Internet is going down a lot tonight, 6x already.

V6.8 NBN went down, I called Telstra and the automated voice said they can’t find a NBN plan attached to our landline.

V6.7 data slow again?

V6.6 landline back, data stable, no FTTP. Case over?

V6.5 landline and data are back but no services are listed in our account.

V6.4 Telstra landline is still dead, data-poor. Talked to Teksta and they cancelled our contract and will reconnect in 6 days.

V6.5 silent case manager.

V6.5 reconnection date changed to 27/9/2018.

V6.4 reconnection date changed to 1/10/2018

V6.3 dead landline still.

V6.2 dead landline and unstable speeds again.

V6.1 router is working video, why send a tech.

V6.0 Local Telstra technician tried to visit (Telstra did not call him to cancel the call). Again Telstra need a working CRM.

V5.9 I requested a new case manager.

V5.8 Telstra cancelled todays technician visit (news to me), Telstra rescheduled to next month.

V5.7 Telstra CEO blocked me.

V5.6 I advised Telstra of the days I will be home for NBN to visit again. Waiting for confirmation.

V5.5 TIO said they cant help for a few more weeks, Telstra NBN visit appointment issues.

V5.4 Being booted of NBN so they can reconnect us with the old number.

V5.3 Mandatory Telstra visit required to port a landline.

V5.2 Telstra replied to the query about $40/mobthly landline BILL (needed to port our landline)

V5.1 TIO office and asked Telstra to send a bill.

V5.0 Re-adding advertisements to this blog post to help pay for my mobile data.

V4.9 Splitting the guide into 4 parts (it is too long and I can’t edit on my phone).

V4.8 CEO comments

V4.7 microchip details invalid.

V4.6 two more weeks to wait.

V4.5 two months on

V4.4 deadlines passed, escalating.

V4.3 FTTN running very slowly.

V4.2 my desire for FTTP is my fault?

V4.1 Error porting number.

V4.0 50/20 FTTN is back up.

V3.9 replacement router received.

V3.8 Donated $10 USD to the Electronic Frontier Foundation – The leading nonprofit defending digital privacy, free speech, and innovation (to cover any revenue gained from an ad’s in the post sidebar (no ads are in the header or content).

V3.7 Telstra CEO replied on Twitter.

V3.6 TIO added link to Complaint Handling Procedure.

V3.5 mobile quota update.

V3.4 Weekend with no Internet or phone.

V3.3 dead router, no internet or phone.

V3.2 todo factory reset router.

V3.1 No outages nearby

V3.0 No Internet.

V2.9 TIO resolution time expired.

V2.8 TIO complaint update.

V2.7 no reply from Telstra today, added profit fall link.

V2.6 early update on the final day of TIO complaint

V2.5 3pm speed test added.

V2.4 Telstra called.

v2.3 Added WiFi MAp and Telstra call details.

V2.2 added 100/40 FTTN 6am speed test

V2.1 added 100/40 FTTN night speeds.

V2.0 added 100 Mbit FTTN

V1.9 Telstra were in touch.

V1.8 added lunchtime speed test.

V1.7 added backflip link on 1gb speeds

v1.6 Instability and dropouts tonight

v1.5 Complaint is back to the Executive Customer Contact Team 🙁

v1.4 NBN Co to slow down heavy NBN users?

v1.3 added requested speed test

v1.2 speed test falling well below 50Mb.

v1.1 Telstra received my TIO complaint.

v1.0 Escalated to ACCC and Telecommunication Ombudsman

v0.99 update 2nd August 2018

v0.98 added Links section

v0.97 Escalated to Telstra “Escalated Complaints Group”

v0.96 Next update in 2 days.

v0.95 escalated to Executive Complaints Team

v0.94 added Telstra link

v0.93 added 2nd phone update.

v0.92 added update re phone line.

v0.91 added nbn issues article

v0.9 Draft Post

Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

by

This post will explain why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Background

I used to work in retail selling computers and I would go to great lengths to open a desktop computer chassis and talk someone out of buying a cheaper/slower computer (usually when it had a Cyrix Media GX processor in it). I would do myself out of higher commission and burn time educating customers. I have blogged about what to look for when buying a computer (here).

2012

In 2012 I bought my first Apple Mac computer to write iOS apps (write your first OSX app). I would call myself an Apple fanboy (previously being a PC fanboy for 15 years). I have never rebuilt my OSX system in 6 years buy would rebuild Windows every 6 months. Some Apple things I like.

2017

My Mid 2012 Mac Book Pro i7 processor overheats like crazy. I have blogged about my Mid 2012 MPB overheating issues (read here). I have even gone and installed third party software to control the speeds of my Mac’s fans (read here).

Inside my Mid 2012 Mac Book Pro (heatsink and fans at the top)

Tiny Mac book pro heatsink

Stupidly thin heatsink (IMHO).

Heatsink is 3mm thick

Complete heatsink (CPU and GPU plate)

MBP Heatsink

I am certain this Mac Book heatsink is too small for the processor and graphics card.

As I type this my Mac Book Pro is Thermal throttling (slowing down the CPU) while typing a blog post (not gaming).

Apple 2012 overheating

My only option is to crank up the fans to 100% and overrise Apple silence first mantra.

TgPro fan speed rules

Intel Power Gadget showing thermal throttling (CPU dropping t0 almost 1Ghz to drop temps).

Thermal Throtelling

Move forward to 2018

Today I learned that Apple is putting an Intel i9 Procesor into a laptop, great? Hold onto your cash, that thing will run very hot and will never operate at its maximum potential.

Reviews are scathing.

I tweeted..

Apple’s Website: https://www.apple.com/macbook-pro/

Apples website saying it now has i9 macs

What a waste of a good processor.

Below you will see the fallout on YouTube from Apple putting an i9 Processor in the latest 15″ Mac Book Pros.

Dave Lee posted “MacBook Pro 15 (2018) – Beware the Core i9”

TechLinked posted “2018 Macbook ALREADY Overheating?”

AppleInsider – 2018 MacBook Pro i9 Thermal Throttling CONFIRMED!

Best of all, Louis Rossmann summed up the Apple situation perfectly.

 

 

Update 25th July

Apple is doubling down on the lack of cooling (calling it a “missing digital key”).

I will #BoycottAppleProMachines

That’s all.

Revision History

v1.4 Added update 25th July 2018 Missing Digital Key

v1.3 Gizmodo link

v1.2 Test new db server

v1.1 Added Apple Insider video

v1.0 Initial Post

Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE

by

This is quick guide explaining how I created my first JavaFX application using the Gluon Scene Builder in the IntelliJ IDEA IDE.

I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I created this blog post on creating a Java GUI app with the older Swing technology (Java FX replaces Swing). I now want to create a JavaFX app to control my UpCloud VM’s.

If you have not read my previous posts I have now moved my blog etc to the awesome UpCloud host. Sign up using this link to get $25 free credit.

Do read: Preparing for JavaFX Application Development: https://wiki.openjdk.java.net/display/OpenJFX/Building+OpenJFX#BuildingOpenJFX-Mac

Downloading Java

Download and install Java SE 8 or higher from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java 10 install screenshot

Download Intelli J IDEA IDE

Goto https://www.jetbrains.com/idea/

Click Download

Intelli J IDEA from www.jetbrains.com

Download the community edition

IntelliJ Download Options (Ultimate or Community)

Install Intelli J IDEA IDE

Drag Intelli J to your applications folder

Install Scenebuilder

I downloaded the Java Scene Builder (1.1 or 2.0) from here.

Download Scene Scene Builder

Install the Scene Builder (open the installer and drag it to your applications folder).

Configure the Scene Builder in IntelliJ IDEA IDE

  1. Open Intelli J IDEA IDE (set the default’s you wish)
  2. Create a New Project
  3. Open Intelli J IDEA IDE Preferences
  4. Open Languages & Frameworks then JavaFX and set your Scene Builder path (e.g /Applications/JavaFX Scene Builder 2.0.app/)
  5. Exit Preferences

Set the Scene Builder Path in IntelliJ

You can now create a JavaFX project an have a workign scene builder GUI.

New Project

After you create a JavaFX project open your JavaFX fxml file in Scene Builder (right click on the .fxml file and select Open in Scene Builder)

Scene Builder

Extended Scene Builder from Gluon

I read that there is a better Scene builder GUI available from https://gluonhq.com/products/scene-builder/

Read some of the Java Scene Builder v Gluon Scene Builder history here at Reddit for the latest on why.

I am going to download the Gluon Scene Builder from http://gluonhq.com/products/scene-builder/

Gluon Scene Builder webpage screenshot of https://gluonhq.com/products/scene-builder/

Download and install the Gluon Scene builder (at the time of writing requires Java 9 or higher).

Drag the scene builder to your apps folder to install

Now open IntelliJ IDEA IDE and open the preferences and change the scene builder path from “/Applications/JavaFX Scene Builder 2.0.app/” to “/Applications/SceneBuilder.app/“.

Save the IntelliJ IDEA preferences and Right click on your projects “fxml” file again and click “Open In Scene Builder” , do verify it is indeed the Gluon Scene builder by opening the about menu.

Gluon Scene Builder Help Menu Screenshot

Designing your first JavaFX app

Now you can design and code a JavaFX application with Gluon Scene Builder.

I am not an expert at java apps so i’d highly recommend you follow this guide to learn how to build a well-structured JavaFX panel layout (just ignore that it is using the standard Scene Builder, it works with the gluon one).

You should now have a working Java FX App

Java FX App running

The scene builder will save changes to your fxml file

<?xml version="1.0" encoding="UTF-8"?>

<?import javafx.geometry.Insets?>
<?import javafx.scene.control.Button?>
<?import javafx.scene.control.Label?>
<?import javafx.scene.control.Menu?>
<?import javafx.scene.control.MenuBar?>
<?import javafx.scene.control.MenuItem?>
<?import javafx.scene.control.TextArea?>
<?import javafx.scene.control.TextField?>
<?import javafx.scene.control.TreeView?>
<?import javafx.scene.layout.BorderPane?>
<?import javafx.scene.layout.HBox?>
<?import javafx.scene.layout.Region?>
<?import javafx.scene.layout.VBox?>


<BorderPane maxHeight="-Infinity" maxWidth="-Infinity" minHeight="-Infinity" minWidth="-Infinity" prefHeight="400.0" prefWidth="600.0" xmlns="http://javafx.com/javafx/9.0.4" xmlns:fx="http://javafx.com/fxml/1" fx:controller="sample.Controller">
   <top>
      <VBox BorderPane.alignment="CENTER">
         <children>
            <MenuBar>
              <menus>
                <Menu mnemonicParsing="false" text="File">
                  <items>
                    <MenuItem mnemonicParsing="false" text="Close" />
                  </items>
                </Menu>
                <Menu mnemonicParsing="false" text="Edit">
                  <items>
                    <MenuItem mnemonicParsing="false" text="Delete" />
                  </items>
                </Menu>
                <Menu mnemonicParsing="false" text="Help">
                  <items>
                    <MenuItem mnemonicParsing="false" text="About" />
                  </items>
                </Menu>
              </menus>
            </MenuBar>
            <HBox spacing="8.0">
               <children>
                  <TextField promptText="ip" />
                  <TextField promptText="Username" />
                  <TextField promptText="Password" />
                  <Button mnemonicParsing="false" onMouseClicked="#loginButtonClicked" prefHeight="27.0" prefWidth="68.0" text="Login" />
                  <Region HBox.hgrow="ALWAYS" />
                  <Button mnemonicParsing="false" onMouseClicked="#settingsButtonClicked" text="Settings" />
               </children>
               <padding>
                  <Insets bottom="8.0" left="8.0" right="8.0" top="8.0" />
               </padding>
            </HBox>
         </children>
      </VBox>
   </top>
   <left>
      <TreeView prefHeight="200.0" prefWidth="200.0" BorderPane.alignment="CENTER" />
   </left>
   <center>
      <TextArea prefHeight="200.0" prefWidth="200.0" BorderPane.alignment="CENTER" />
   </center>
   <bottom>
      <HBox BorderPane.alignment="CENTER">
         <children>
            <Label text="Label" />
         </children>
         <padding>
            <Insets bottom="2.0" left="2.0" right="2.0" top="2.0" />
         </padding>
      </HBox>
   </bottom>
</BorderPane>

You can add functions into your controller class

package sample;

public class Controller {

    public void loginButtonClicked(){
        System.out.println("Login");

    }

    public void settingsButtonClicked(){
        System.out.println("Settings");

    }

}

Instaling Gluon JavaFX Templates

Close your test project and create a new project, but before you do click Configure then Plugins

Gluon has some nice templates

Now lets open In the following screen click Browse Repositories.

Search the repository for and install the “Gluon” plugin

Install Gluon Plugin

Restart IntelliJ IDEA IDE then you can use templates when creating a project.

Get your own VM

If you have not read my previous posts I have now moved my blog etc to the awesome UpCloud host. Sign up using this link to get $25 free credit.

Packaging a Java app for distribution on OSX

I will show how you can package your app to run on a Mac by using this.

Coming Soon

I will add more guides soon on using a custom JavaFx app to allow you to manage your own UpCloud server and perform Deploy/Init/Setup/Configure/Operate actions. Running CLI commands to deploy and manage a server is fun but is very tedious.

I blogged recently about using the UpCloud API and setting up a subdomain recently (I will use this server to test and prove the Javmanagementnt app).

Links

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

V1.6 Jenkov Tutorials

V1.5 Reddit java help

V1.4 added java widgets link

V1.3 added javafx examples link.

V1.2 added Java learning paths

V1.1 added official Javafx examples

v1.0 Initial post

Adding two sub domains (one pointing to a new UpCloud VM and the other pointing to an NGINX subsite) on Ubuntu 18.04

by

Here is how I added two subdomains (one pointing to a new UpCloud VM and the other pointing to an NGINX subsite) on Ubuntu 18.04

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

UpCloud performance is great.

Upcloud Site Speed in GTMetrix

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Goal(s)

Setup 2x subdomains on https://fearby.com

– Sub Domain #1: https://test.fearby.com (pointing to a dedicated UpCloud VM in Singapore for testing).

– Sub Domain #2: https://audit.fearby.com (pointing to a sub-website on the NGINX/VM that runs https://fearby.com )

Let’s set up the first Sub Domain (dedicated VM) and SSL

Backup

Do back up your server first.

VM

I created a second server ($5 month or $0.07c hour 1,024MB Memory, 25GB Disk, 1024 GB Month Data Transfer) at UpCloud. If you don’t already have an account at UpCloud use this link to signup and get $25 free credit ( https://www.upcloud.com/register/?promo=D84793 ). Read my blog post on why UpCloud is awesome and how I moved my domain to UpCloud.

Once I spun up a second server I obtained the IPv4 and IPv6 IP addresses of the new “test” VM from the UpCloud dashboard.

DNS

These DNS records were already in place with my DNS provider (Cloudflare).

I added these DNS records for the subdomains.

I added a new A NAME record for the new shared NGINX subdomain (for https://audit.fearby.com), this subdomain will be a sub-website that is running off the same server as https://fearby.com

I added another set of records for the new dedicated VM  subdomain (for https://test.fearby.com)

I waited for DNS to replicate around the globe by watching https://www.whatsmydns.net/

Setup a Firewall

On the new dedicated https://test.fearby.com VM, I installed the ufw firewall.

I configured the firewall to allow minimum ports (and added whitelisted IP for port 22 and added UpCloud DNS servers). I will lock this down some more later.

TIP: If your ISP does not offer a dedicated IP try a VPN. I use https://cyberghostvpn.com on OSX and Android.

Firewall rules.

I enabled the firewall.

Install NGINX (on https://test.fearby.com)

On the new dedicated https://test.fearby.com VM I…

Created a new www root

Set permissions

Installed NGINX

I created a placeholder webpage

Configured the root value in /etc/nginx/sites-available/default

Created a symbolic link of the nginx config

Lets Encrypt SSL

I have previously setup Lets encrypt on Ubuntu 16.04 but not 18.04. Certbot had info on setting up Lets Encrypt for 14.x 16.x and 17.x but not 18.x

Full credit for the SSL steps goes to @Linuxize ( tips on setting up Lets Encrypt on Ubuntu 18.04 ). Check out https://linuxize.com/

I installed Lets Encrypt certbot

I created a new Diffie–Hellman key

Map requests to http://test.fearby.com/.well-known/acme-challenge to /var/lib/letsencrypt/.well-known ( Read the linuxize post for detailed steps ).

Create a /etc/nginx/snippets/letsencrypt.conf on http://test.fearby.com and enforce the redirect.

Create a /etc/nginx/snippets/ssl.conf file on http://test.fearby.com

Let’s get a certificate

Certificates have been created 🙂

Now lets edit “/etc/nginx/sites-available/default” on https://test.fearby.com VM and add the cert paths.

Reload NGINX

or

Now let’s setup the second subdomain (subsite off https://fearby.com) and SSL

VM

I already have NGINX on https://fearby.com set up a second site.

DNS

We have already set up a DNS record for https://audit.fearby.com (above)

Firewall

Already configured at https://fearby.com

SSL

Because I had an existing Comodo certificate on https://fearby.com I am going to repeat the steps above to generate a new certificate but save the NGINX config to /etc/nginx/sites-available/audit.fearby.com (this activates the second site)

TIP: Follow the Linuxize guide here (for creating ssl.conf, letsencrypt.conf etc config files), Do a backup and restore if need be.

I created a new Diffie–Hellman key

Let’s get a certificate

Configure NGINX

Map requests to http://audit.fearby.com/.well-known/acme-challenge to /var/lib/letsencrypt/.well-known ( Read the linuxize post for detailed steps ).

I created a new NGINX site ( /etc/nginx/sites-available/audit.fearby.com )

I created a symbolic link of the config file

Reload NGINX

or

How to test the certificate renewal

Automate the renewal in crontab (every 12 hours)

I set this crontab entry up on https://fearby.com and https://test.fearby.com

Conclusion

Yes, I haVe 2 subdomains (1x dedicated VM and the other is a sub-website off an existing server) with SSL certificates.

Ping Results

Webpage Results

Screenshow showing the main site and 2 subdomains in a web browser

Troubleshooting

If you are having troubles generating the initial certificate check that you have not blocked port 80 and don’t have “Strict-Transport-Security” heavers enabled.

I re-ran the certbot command but pointed to the real /www-root (not/var/lib/letsencrypt/)

Create a new

mkdir /www-root/.well-known/
mkdir /www-root/.well-known/acme-challenge/
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /www-root -d yoursubdomain.domain.com

I hope this guide helps someone.

Please consider using my referral code and get $25 credit for free.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.1 Troubleshooting

v1.0 Initial Post

How to use the UpCloud API to manage your UpCloud servers

by

How to use the UpCloud API to manage your UpCloud servers.

If you have not read my previous posts I have now moved my blog etc to the awesome UpCloud host. Sign up using this link to get $25 free credit.

I recently compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here).

Here is my blog post on moving from Vultr to UpCloud.

Spoiler: UpCloud performance is great.

Upcloud Site Speed in GTMetrix

I have never had an UpCloud page load take longer than 2 seconds since moving.

UpCloud API

UpCloud has an API that we can opt into to using where we can manage servers. Read the official UpCloud API documentation here.

The API allows you to control:

  • Accounts
  • Pricing
  • Zones
  • Timezones
  • Plans
  • Servers
  • Storages
  • IP-Addresses
  • Firewall
  • Tags
  • etc

Create a sub-account to query the API

You should create a new user account (in the UpCloud dashboard) just for API access. I created two accounts for use on my server and on my home laptop and my server (and set a limiting IP(s) that can access it).

Create a Sub Account for API Access

Login to your UpCloud account (create an account here and get $25 free credit),

  1. Click My Accounts,
  2. Click User Accounts,
  3. Click Change on your user and enable API connections.
  4. TIP: Set up an IP rule to limit access to your API for security (I set up a VPN to get a static IP on my dynamic IP Internet host at home)).
  5. Save the changes

Enable API Connections

TIP: Lockdown the account to have the minimum permissions required.

e.g

  • Disable access to the control panel (Untick).
  • Allow API Connections (Tick) and specify an IP
  • Disable access to billing contact (Untick).
  • Disable access to billing section in the control panel (Untick).
  • Disable allowing of emails to billing contact (Untick).
  • Allow or Remove access to all server (or manually add access to desired servers)
  • Allow or Remove access to modify storage (or manually allow or remove access to desired storage)
  • etc

Lock down the account to the minimum needed

Save the account.

Now let’s make our first API call

I use OSX and I use the awesome Paw API testing tool from https://paw.cloud (This is not a plug, they are awesome). Postman is a popular API testing tool too. Any good programing language or CLI will allow you to send API requests.

First, let’s prepare the authorization string (this is a Base64 encoded combination of your username and password) read more here.

  1. Head over to https://www.base64encode.org/
  2. Click the Encode tab
  3. Add your “username:password” (without the quotes).
  4. Click Encode

A Base64 string will be outputted 🙂

e.g > eW91cmFwaXVzZXJuYW1lOnlvdXJzdXBlcnNlY3VyZXBhc3N3b3Jk

fyi

You can encode also Encode and Decode Base64 from the Ubuntu Command line

Encode Base64 from the CLI Sample

Decode Base64 from the CLI Sample

Now we can add an “Authorization Basic” token to the API request in Paw.

Authorization Header added with my base64 token.

A quick test of the UpCloud Prices API endpoint https://api.upcloud.com/1.2/price reveals the API is working.

Add Authorization Token

I can now see a full breakdown of my service prices in JSON 🙂

Query My Account

OK, Let’s see how much credit I have left by querying the https://api.upcloud.com/1.2/account, I duplicated the item in Paw and changed the URL to https://api.upcloud.com/1.2/account but no data returned?

I had to enable “Access to Billing section in Control Panel” for the user before this data returned from the API (make sense).

> HTTP/1.1 200 OK

Query (GET)

GET /1.2/account HTTP/1.1
Host: api.upcloud.com
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.5) NSURLConnection/1452.23
Authorization: Basic *******************************************

Output

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2018 04:23:32 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 91
Server: Apache

{
   "account" : {
      "credits" : 2500.00,
      "username" : "yourapiusername"
   }
}

“2500.00” = cents ($25)

Query All of Your Servers

Ok, Let’s get server information by querying https://api.upcloud.com/1.2/server

Query (GET)

GET /1.2/server HTTP/1.1
Host: api.upcloud.com
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.5) NSURLConnection/1452.23
Authorization: Basic ##############base64hash##############

Output

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2018 04:32:22 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 1154
Server: Apache

{
   "servers" : {
      "server" : [
         {
            "core_number" : "1",
            "hostname" : "server1nameredacted.com",
            "license" : 0,
            "memory_amount" : "2048",
            "plan" : "1xCPU-2GB",
            "plan_ipv4_bytes" : "3472464313",
            "plan_ipv6_bytes" : "166293599",
            "state" : "started",
            "tags" : {
               "tag" : [
                  "tag1"
               ]
            },
            "title" : "server1nameredacted.com",
            "uuid" : "########-####-####-####-############",
            "zone" : "us-chi1"
         },
         {
            "core_number" : "1",
            "hostname" : "server2nameredacted.com",
            "license" : 0,
            "memory_amount" : "1024",
            "plan" : "1xCPU-1GB",
            "plan_ipv4_bytes" : "198911",
            "plan_ipv6_bytes" : "19742",
            "state" : "started",
            "tags" : {
               "tag" : [
                  "tag2"
               ]
            },
            "title" : "server1nameredacted.com",
            "uuid" : "########-####-####-####-############",
            "zone" : "us-chi1"
         }
      ]
   }
}

Query Server Information

I have redated the UUID’s for my servers but once you know them you can query them by hitting https://api.upcloud.com/1.2/server/########-####-####-####-############

Query (GET)

Output

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2018 04:45:14 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 1656
Server: Apache

{
   "server" : {
      "boot_order" : "cdrom,disk",
      "core_number" : "1",
      "firewall" : "on",
      "host" : redacted,
      "hostname" : "server1nameredacted.com",
      "ip_addresses" : {
         "ip_address" : [
            {
               "access" : "private",
               "address" : "##.#.#.###",
               "family" : "IPv4"
            },
            {
               "access" : "public",
               "address" : "###.###.###.###",
               "family" : "IPv4",
               "part_of_plan" : "yes"
            },
            {
               "access" : "public",
               "address" : "####:####:####:####:####:####:########",
               "family" : "IPv6"
            }
         ]
      },
      "license" : 0,
      "memory_amount" : "2048",
      "nic_model" : "virtio",
      "plan" : "1xCPU-2GB",
      "plan_ipv4_bytes" : "3519033266",
      "plan_ipv6_bytes" : "168200052",
      "state" : "started",
      "storage_devices" : {
         "storage_device" : [
            {
               "address" : "virtio:0",
               "boot_disk" : "0",
               "part_of_plan" : "yes",
               "storage" : "########-####-####-####-############",
               "storage_size" : 50,
               "storage_title" : "system",
               "type" : "disk"
            }
         ]
      },
      "tags" : {
         "tag" : [
            "fearby"
         ]
      },
      "timezone" : "Australia/Sydney",
      "title" : "server1nameredacted.com",
      "uuid" : "########-####-####-####-############",
      "video_model" : "cirrus",
      "vnc" : "off",
      "vnc_password" : "#########################",
      "zone" : "us-chi1"
   }
}

The servers name, IPv4 and IPV6 network adapters are listed, CPU(s), Memory, Disk Sized and UUID’s are all visible 🙂

Surprisingly the VNC password is visible (enabling access to the root console).

TIP: Ensure your API account is safe and secure.

Query Storage Information

Now, Let’s query the storage with the GUID from above by querying https://api.upcloud.com/1.2/storage/########-####-####-####-############

Query (GET)

GET /1.2/storage/########-####-####-####-############ HTTP/1.1
Host: api.upcloud.com
User-Agent: Paw/3.1.7 (Macintosh; OS X/10.13.5) NSURLConnection/1452.23
Authorization: Basic  ##############base64hash##############

Output

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2018 04:53:36 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 559
Server: Apache

{
   "storage" : {
      "access" : "private",
      "backup_rule" : {},
      "backups" : {
         "backup" : [
            "########-####-####-####-############"
         ]
      },
      "license" : 0,
      "part_of_plan" : "yes",
      "servers" : {
         "server" : [
            "########-####-####-####-############"
         ]
      },
      "size" : 50,
      "state" : "online",
      "tier" : "maxiops",
      "title" : "system",
      "type" : "normal",
      "uuid" : "########-####-####-####-############",
      "zone" : "us-chi1"
   }
}

I can see information about the storage’s assigned server and backups 🙂

Query Backup Information

Backup storage can be queried with the same storge API endpoint https://api.upcloud.com/1.2/storage/########-####-####-####-############

Query (GET)

Output

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2018 05:01:11 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 412
Server: Apache

{
   "storage" : {
      "access" : "private",
      "created" : "2018-06-16T04:47:56Z",
      "license" : 0,
      "origin" : "########-####-####-####-############",
      "servers" : {
         "server" : []
      },
      "size" : 50,
      "state" : "online",
      "title" : "On-Demand Backup",
      "type" : "backup",
      "uuid" : "########-####-####-####-############",
      "zone" : "us-chi1"
   }
}

Rename Backup

One thing that I would like to be able to do is to rename on-demand backups in the UpCloud dashboard (this is not a feature yet) but I can rename manual backup’s in the API though 🙂

Boring “On-Demand Backup” label.

Rename Backups Not possible in the GUI

I tried sending JSON to https://api.upcloud.com/1.2/storage/########-####-####-####-############ to rename a backup but kept getting an error?

JSON

{
> “storage”: {
> “title”: “Latest manual backup , Working NGINX, PHP, MySQL w Tweaks”,
> “size”: “50”
> }
> }

Result

> “error_code” : “CONTENT_TYPE_INVALID”,
> “error_message” : “The Content-Type header has an invalid value.”

I googled and found an old manual for UpClouds API (official support here).

I added these missing content-type headers (108 was the length in chars of the payload)

> Content-Type: application/json; Charset=UTF-8'
> Content-Length: 108

Still no go?

I think the content-length value is wrong, more here.

I fixed it, it turned out I had a semicolon in the Content-Type value. The JSON RFC always assumes that Content-Type is UTF8 encoded (more here).

This Fails

This Works

Content-Type: application/json

Now I can rename my Backup (storage). I manually calculated the length of the JSON payload and added a “Content-Length” header and value.

Query (PUT)

Output

HTTP/1.1 202 ACCEPTED
Date: Sun, 17 Jun 2018 05:47:02 GMT
Content-Type: application/json; charset=UTF-8
Connection: close
Content-Length: 453
Server: Apache

{
   "storage" : {
      "access" : "private",
      "created" : "2018-06-16T04:47:56Z",
      "license" : 0,
      "origin" : "########-####-####-####-############",
      "servers" : {
         "server" : []
      },
      "size" : 50,
      "state" : "online",
      "title" : "Latest manual backup , Working NGINX, PHP, MySQL w Tweaks",
      "type" : "backup",
      "uuid" : "########-####-####-####-############",
      "zone" : "us-chi1"
   }
}

Success 🙂

Backup Renamed

Create a Backup

Backups can be performed with a “/backup” added to the end of the query string.

Query (POST)

Output

Success (UpCloud GUI)

Conclusion

UpCloud does have great API docs.

I can easily integrate this into bash scripts to manage my servers via API and a future Java app for managing servers.

Paw does give CURL output to allow me to copy working API’s for use in BASH 🙂

More to come

  1. BASH Script to Deploy and configure a server on UpCloud via Initialization scripts (or manual) (1 week)
  2. JAVA App to manage your server (3 months)

If you are signing up for UpCloud please consider using my referral code and get $25 credit for free.

Read my setup guide here.

https://www.upcloud.com/register/?promo=D84793

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

V1.1 updated typo

v1.0 Initial Post.

Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

by

This guide will help you install and setup the pm2 NodejJS process monitor PM2 from Keymetrics.io for free and manage your node apps performance and exceptions.

What is PM2?

PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime and to facilitate common system admin tasks. This is the steps I used on Ubuntu 16.04. This is NOT a paid endorsement (just self-documenting).

Key Features of PM2

PM2 offers web-based monitoring dashboard, exception reporting, load balancer, CPU and memory monitoring, transaction tracer and much more for NodeJS apps.

pm2-features

What is PM2?

Official page: http://pm2.keymetrics.io/

More info https://www.npmjs.com/package/pm2

Install PM2

Install Output

PM2 Pricing

PM2 appears to be for high-end apps but I am only using the free version or PM2 (thanks KeyMetrics)

pm2-pricing

Create a bucket for your node app

Login to keymetrics.io,

Click Generate New Bucket

Create New Bucket

Give the bucket a name etc.

Node Bucket Name

You can now link your bucket with your local pm2 installation (keep the keys private (this one no longer exists))

pm2-link

Linking your local pm2 installation with your keymetrics bucket

To add an existing node app to PM2 type the following.

You can view node apps that pm2 is managing by typing

I had a two CPU VM and I found that the app I added was added to each of the two CPU (I only needed one) so I needed to delete the second app on my second core

Restart the API

You can add a single node apps one 1, 3 or max available CPU’s

Again, to add an existing node app to PM2 type the following.

Now you can view node app data online. If you don’t have a node app ready you can use the test app.

monitor output

You can monitor your node app locally too from the CLI.

local monitoring

You can also view a demo bucket at keymetrix.io

pm2-demo-bucket

PM2’s one age documentation can be found here.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial post

Using Cloudflare DNS servers to speed up the internet and add privacy on OSX

by

Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX

Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/

DNS Performance

You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers

DNS Performance

I check the DNS at my router, I am using ISP provided DNS servers.

Review DNS

Cloudflare DNS

On April Fools 2018 Cloudflare Released a DNS server service.

Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.

https://1.1.1.1/

Set Cloudflare Nameservers using OSX

Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1

Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.

Troubleshooting: Clear DNS Cache

Debug DNS Data

Confirm Cloudflare DNS from the OSX Comand line

Privacy

I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.

Speed

I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.

Conclusion

I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial post