to

How to backup and restore a MySQL database on Windows and Linux

April 21, 2019 by Simon

Why backup and restore

This is a quick guide demonstrating how you can backup and restore a MySQL database on Windows and Linux using Adminer.

You may need to know how to backup a restore a database for a number of reasons..

e.g

Send the database to someone to debug or give feedback while learning.
Move the database from a local machine to the cloud
Move the database from cloud vendor A to cloud vendor B
etc.

Having a backup of the VM is good but having a backup of the database too is better. I use UpCloud for hosting my VM’s and setting backups is easy. But I cannot download those backups.

Murphy’s Law

“If anything can go wrong, it will”

The most important reason for taking a backup and knowing how to restore it is for disaster recovery reasons.

Backup (the easiest way) with Adminer

Adminer is a free PHP based IDE for MySQL and other databases. Simply install Adminer and save the file on your local computer or remote web server directory.

FYI: The Adminer author Jakub Vrana has a patron page, I am a patron of this awesome software.

Snip from Adminers website. “Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch andMongoDB.”

TIP: The file would be publicly accessible to anyone so don’t save it to a common area, obfuscate the file, protect it of delete the file when you are done using it.

Once Adminer is installed load it in a web browser, login with your MySQL credentials. Once you login you will see all databases and an Import and Export menu.

Adminer main screen, all databases and import and export menu.

tbtest is a simple database with one table and 4 fields (ID, Key, Value and Modified)

.Click Export to open the export screen.

Export screen showing a list of databases and export options

Click Export, a SQL file will be generated (this is the export of the database).

Here is a save of the file:
https://fearby.com/wp-content/uploads/export.txt

Exported view of https://dev.mysql.com/doc/workbench/en/wb-admin-export-import-management.html

Its that simple.

If I add a binary blob file to the table and upload a PNG file lets see how the export looks.

Screenshot o the new table with a blog field in Adminer UI

Let export the database again in Adminer and check out the output. I used Sublime Text editor to view the export file.

New Export shows the binary file in the Backup SQL file

Restore (the easiest way) with Adminer

OK lets delete the tbtest database and then restore it with Adminer. I used Adminer to delete (DROP) the database.

Database “dbtest” deleted.

Now lets create a blank database to restore to (same name).

Database created.

Now lets import the database backup using Adminer.

Click Import, select the backup file and un-tick Stop on errors.

Import screenshot, dxtest selectded, Restore file selected, stop on errors disabled

TIP: The 2MB next the the choose file button is defined by your web server and PHP configuration. If you are trying to import a larger database (e.g 80MB) first increase the limits in your web server and PHP (via php.ini).

The Import (restore should take seconds)

The database was imported from a backup, all tables and records imported just fine.

Bonus methods.

On Ubuntu use this guide to backup from the command line. If you use the Oracle MySQL Workbench read this.

I hope this helps someone.

Setup a Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse

March 18, 2019 by Simon

This is how I setup Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse on my domain and 1 sub domain.

Read the full article here: https://fearby.com/article/setup-a-certification-authority-authorization-caa-dns-records-to-prevent-https-cert-issue-misuse/

Setup a Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse

March 18, 2019 by Simon

On February 22nd 2017 CAA’s that issue https certificates are required to check what CAA’s are allowed to issue HTTP’s certificates for a website. To limit who can create HTTP’s certificates for your site all you need to do is specify a number of DNS records.

DNSSEC

Before adding DNS CAA records ensure you have enabled DNSSEC for extra security, this is not needed to setup CAA records but it’s a good idea.

DNSSEC Explained

Read my post here on setting up DNSSEC with Cloudflare here.

Namecheap allows you do set DNSSEC with 1 click (making the above guide not required unless you use Cloudflare).

Testing DNSSEC

First, test DNSSEC on your website here: https://dnssec-analyzer.verisignlabs.com/ (I already have DNSSEC enabled)

I use Namecheap for buying domains and HTTP’s certs (you can buy a new domain here). Namecheap allow you to easily enable DNSSEC and CAA DNS records.

Read Namecheap’s CAA guide here.

Scott Helme tagged a great write up on CAA here.

CAA is probably the best bang for buck you’re going to get! https://t.co/pvThaQ8qFl
— Scott Helme (@Scott_Helme) March 14, 2019

Testing CAA (on your website)

Go to https://dev.ssllabs.com/ssltest / and scan your website

https://dev.ssllabs.com screenshot showing a domain input box

You will see if CAA is enabled after the https test is complete (scroll past the rating)

In my case CAA records were not detected.

Adding DNS CAA records at Namecheap

I logged into Namecheap, clicked Manage domain and clicked the Advanced DNS tab

Screenshot showing Namecheap Advanced DNS screen.

I click Add New Record (DNS), then I selected CAA

Screenshot of add NDS CAA record at Namecheap

Here are records for my main domain (allowing Comodo/Sectigo HTTP’s certificates only)

Type, Host, Value, TTL

CAA Record @ 0 issue "comodoca.com" Automatic
CAA Record @ 0 issue "comodo.com" Automatic
CAA Record @ 0 issue "usertrust.com" Automatic
CAA Record @ 0 issue "trust-provider.com" Automatic
CAA Record @ 0 issue "sectigo.com" Automatic

Here is my record allowing a sub domain (allowing Lets Encrypt HTTP’s certificates only)

Type, Host, Value, TTL

CAA Record audit.fearby.com 0 issue "letsencrypt.org" Automatic

It is also possible to setup email alerts of CAA violations where CAA’s support it. I setup a [email protected] email alias.

Type, Host, Value, TTL

CAA Record audit.fearby.com 0 iodef "mailto:[email protected]" Automatic
CAA [email protected] 0 iodef "mailto:[email protected]" Automatic

Image of my final Namecheap DNS config.

Screenshot os Namecheap DNS entries (table below)

Test CAA Records

I visited https://dev.ssllabs.com/ssltest / and performed a final scan.

Pass 🙂

I do have real time remote server monitoring reporting on https presence and uptime, read the post here.

Plug(s)

Warning

I had an issue where I failed to update my DNS (and define a CAA record) for the sub domain used for Nixstat reporting. I was receiving this error.

dev.ssllabs.com was reporting the cert expired?

The awesome chat support (Vincent) over at Nixstats found out it was because I did not have CAA record for the sub domain allowing “letsencrypt.org” to generate certs.

Created CAA record for status.feabry.com (CAA 0 issue "letsencrypt.org"

If you manually renew a Lets Encrypt cert with the following command without a CAA record you will see an error

> certbot -q renew

Error Output

Attempting to renew cert (subdomain.fearby.com) from /etc/letsencrypt/renewal/
subdomain.fearby.com.conf produced an unexpected error: Failed authorization procedure.
subdomain.fearby.com (http-01): urn:acme:error:caa :: CAA record for
subdomain.fearby.com prevents issuance. Skipping.
All renewal attempts failed.

DNS additions and changes take a while to propagate so monitor Whats My DNS for change status

https://www.whatsmydns.net/#CAA/status.fearby.com

Thanks for reading.

For simplicity I have removed all sub domain CAA settings for records and only set global ones

Revision History

v1.2 Troubleshooting

v1.1 Plugs

v1.0 initial Post

Updating NGINX to the development branch to get more frequent updates and features over the stable branch

November 20, 2018 by Simon

Here is how I set NGINX to the development branch to get more frequent updates and features over the stable branch

Read the full article here: https://fearby.com/article/updating-nginx-to-the-development-branch-to-get-more-frequent-updates-and-features-over-the-stable-branch/

Updating NGINX to the development branch to get more frequent updates and features over the stable branch

November 20, 2018 by Simon

Updating NGINX to the development branch (on Ubuntu) to get more frequent updates and features over the stable branch

Aside

I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. View all recent posts here https://fearby.com/all/

Now on with the post

Warning

Backup your Nginx and Server before making any changes. The Nginx development branch is quite stable but anything can happen. If your site is mission critical then stay on the stable branch.

Nginx Branches

By default, you will most likely get the stable branch of Nginx when instaling and updating Nginx. I have been running the stable version for the last few years but was made aware of a DDoS vulnerability in Nginx.

Here is a good write-up on development merges into the stable branch.

Nginx Updates

Widely-used #Nginx server releases versions 1.15.6 and 1.14.1 to patch two HTTP/2 implementation vulnerabilities that might cause excessive memory consumption (CVE-2018-16843) & CPU usage (CVE-2018-16844), allowing a remote attacker to perform #DoS attackhttps://t.co/1Z3JoghoBr pic.twitter.com/qQ3pOFD1Lk
— The Hacker News (@TheHackersNews) November 9, 2018

I was aware recently of a DDoS bug affecting Nginx and the recommendation was to update ot Nginx 1.15.6 development branch (or 1.14.1 stable branch).

A few days ago no 1.14.1 update was available but a 1.15.6 was, should I switch to the development branch to get updates earlier?

Reminder to update your #nginx installations to the 1.14.1 stable or the 1.15.6 mainline versions for critical security patches released this week. #NGINXPlus customers, see instructions for updating based on the patch released 10/30 https://t.co/KitsOWIJkb
— NGINX, Inc. (@nginx) November 8, 2018

Recent Nginx Changes

Here are the recent changes to Nginx: http://nginx.org/en/CHANGES

Changes with nginx 1.15.6                                        06 Nov 2018

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

    *) Security: processing of a specially crafted mp4 file with the
       ngx_http_mp4_module might result in worker process memory disclosure
       (CVE-2018-16845).

    *) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive",
       "grpc_socket_keepalive", "memcached_socket_keepalive",
       "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.

    *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
       1.1.1, the TLS 1.3 protocol was always enabled.

    *) Bugfix: working with gRPC backends might result in excessive memory
       consumption.


Changes with nginx 1.15.5                                        02 Oct 2018

    *) Bugfix: a segmentation fault might occur in a worker process when
       using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.

    *) Bugfix: of minor potential bugs.


Changes with nginx 1.15.4                                        25 Sep 2018

    *) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

    *) Bugfix: in the ngx_http_uwsgi_module.
       Thanks to Chris Caputo.

    *) Bugfix: connections with some gRPC backends might not be cached when
       using the "keepalive" directive.

    *) Bugfix: a socket leak might occur when using the "error_page"
       directive to redirect early request processing errors, notably errors
       with code 400.

    *) Bugfix: the "return" directive did not change the response code when
       returning errors if the request was redirected by the "error_page"
       directive.

    *) Bugfix: standard error pages and responses of the
       ngx_http_autoindex_module module used the "bgcolor" attribute, and
       might be displayed incorrectly when using custom color settings in
       browsers.
       Thanks to Nova DasSarma.

    *) Change: the logging level of the "no suitable key share" and "no
       suitable signature algorithm" SSL errors has been lowered from "crit"
       to "info".


Changes with nginx 1.15.3                                        28 Aug 2018

    *) Feature: now TLSv1.3 can be used with BoringSSL.

    *) Feature: the "ssl_early_data" directive, currently available with
       BoringSSL.

    *) Feature: the "keepalive_timeout" and "keepalive_requests" directives
       in the "upstream" block.

    *) Bugfix: the ngx_http_dav_module did not truncate destination file
       when copying a file over an existing one with the COPY method.

    *) Bugfix: the ngx_http_dav_module used zero access rights on the
       destination file and did not preserve file modification time when
       moving a file between different file systems with the MOVE method.

    *) Bugfix: the ngx_http_dav_module used default access rights when
       copying a file with the COPY method.

    *) Workaround: some clients might not work when using HTTP/2; the bug
       had appeared in 1.13.5.

    *) Bugfix: nginx could not be built with LibreSSL 2.8.0.


Changes with nginx 1.15.2                                        24 Jul 2018

    *) Feature: the $ssl_preread_protocol variable in the
       ngx_stream_ssl_preread_module.

    *) Feature: now when using the "reset_timedout_connection" directive
       nginx will reset connections being closed with the 444 code.

    *) Change: a logging level of the "http request", "https proxy request",
       "unsupported protocol", and "version too low" SSL errors has been
       lowered from "crit" to "info".

    *) Bugfix: DNS requests were not resent if initial sending of a request
       failed.

    *) Bugfix: the "reuseport" parameter of the "listen" directive was
       ignored if the number of worker processes was specified after the
       "listen" directive.

    *) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
       switch off "ssl_prefer_server_ciphers" in a virtual server if it was
       switched on in the default server.

    *) Bugfix: SSL session reuse with upstream servers did not work with the
       TLS 1.3 protocol.


Changes with nginx 1.15.1                                        03 Jul 2018

    *) Feature: the "random" directive inside the "upstream" block.

    *) Feature: improved performance when using the "hash" and "ip_hash"
       directives with the "zone" directive.

    *) Feature: the "reuseport" parameter of the "listen" directive now uses
       SO_REUSEPORT_LB on FreeBSD 12.

    *) Bugfix: HTTP/2 server push did not work if SSL was terminated by a
       proxy server in front of nginx.

    *) Bugfix: the "tcp_nopush" directive was always used on backend
       connections.

    *) Bugfix: sending a disk-buffered request body to a gRPC backend might
       fail.


Changes with nginx 1.15.0                                        05 Jun 2018

    *) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
       "listen" directive should be used instead.

    *) Change: now nginx detects missing SSL certificates during
       configuration testing when using the "ssl" parameter of the "listen"
       directive.

    *) Feature: now the stream module can handle multiple incoming UDP
       datagrams from a client within a single session.

    *) Bugfix: it was possible to specify an incorrect response code in the
       "proxy_cache_valid" directive.

    *) Bugfix: nginx could not be built by gcc 8.1.

    *) Bugfix: logging to syslog stopped on local IP address changes.

    *) Bugfix: nginx could not be built by clang with CUDA SDK installed;
       the bug had appeared in 1.13.8.

    *) Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might appear
       in logs during binary upgrade when using unix domain listen sockets
       on FreeBSD.

    *) Bugfix: nginx could not be built on Fedora 28 Linux.

    *) Bugfix: request processing rate might exceed configured rate when
       using the "limit_req" directive.

    *) Bugfix: in handling of client addresses when using unix domain listen
       sockets to work with datagrams on Linux.

    *) Bugfix: in memory allocation error handling.

Development branch changes are made every few weeks and stable branch changes are made less often.

Updating Nginx

Normally you update Nginx bu running an update and upgrade

apt-get update && apt-get upgrade

Restart Nginx for good measure

/etc/init.d/nginx restart

Checking NGINX Version

nginx -v
nginx version: nginx/1.14.1

Changing your repository to the development branch

I changed ot the development branch by running

sudo add-apt-repository ppa:nginx/development

Update and upgrade Nginx

apt-get update && apt-get upgrade

Restart Nginx for good measure

/etc/init.d/nginx restart

Checking NGINX Version

nginx -v
nginx version: nginx/1.16.6

Removing the stable Nginx repository

Run this command to remove the stable branch of Nginx

sudo add-apt-repository -r ppa:nginx/stable

Check to see if the development branch is listed

grep -r --include '*.list' '^deb ' /etc/apt/sources.list* |grep nginx
/etc/apt/sources.list.d/nginx-ubuntu-development-bionic.list:deb http://ppa.launchpad.net/nginx/development/ubuntu bionic main

Good luck and I hope this guide helps someone

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial post

How to install PHP 7.2.latest on Ubuntu

November 17, 2018 by Simon

Here is how you can update to PHP 7.2.12 on Ubuntu. PHP has a support page that declares the support date ranges and support types: http://php.net/supported-versions.php

How to install PHP 7.2.latest on Ubuntu 16.04

November 17, 2018 by Simon

How to install PHP 7.2.latest on Ubuntu 16.04/ Ubuntu 18.04/Debian etc/

I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.

PHP has a support page that declares the support date ranges and support types: http://php.net/supported-versions.php

A version of PHP is either actively supported, security fix supported or end of life. Read this post to check WordPress for PHP compatibility.

From time to time vulnerabilities come up that require PHP updates to be applied.

Multiple flaw found in #PHP, most severe of which could allow arbitrary code execution
Affected Versions:
PHP 7.2 —prior to 7.2.5
PHP 7.1 —prior to 7.1.17
PHP 7.0 —prior to 7.0.30
PHP 5.0 —prior to 5.6.36https://t.co/TtiqXePoHu
Upgrade to the latest version of PHP immediately
— The Hacker News (@TheHackersNews) May 1, 2018

#PHP 7.2.12 has been released https://t.co/iNXGYTs0PX
— Neustradamus (@neustradamus) November 9, 2018

Source Link here

I have guides on setting up PHP 7 here on Digital Ocean, here on AWS and here on Vultr. I have tried upgrading to PHP 7.1 in the past with no luck (I forgot to change something and rolled back to 7.0).

FYI: I have a guide on setting up PHP child workers so the output from some commands below may be different than yours. Here are the steps I performed to install PHP 7.2 alongside 7.0 then switch. to 7.2.

Backup your system

Do perform a Snapshot or Backup before proceeding. Nothing beats a quick restore if things fail.

Note: Use this information at your own risk.

Updating php 7.2.12 to 7.2.12

Update your Ubuntu systems

apt-get update && apt-get upgrade

Updating from an older php (e.g 5.x, 7.1, 7.1 to say 7.2.12)

Backup PHP

cd /etc/php
zip -r php7.0backup.zip 7.0/

Install Helper

This software provides an abstraction of the used apt repositories. It allows you to easily manage your distribution and independent software vendor software sources. More Info

apt-get install python-software-properties

Add the main PHP repo (more information)

add-apt-repository ppa:ondrej/php

Update the package lists

“In a nutshell, apt-get update doesn’t actually install new versions of the software. Instead, it updates the package lists for upgrades for packages that need upgrading, as well as new packages that have just come to the repositories.” from here

apt-get update

List Installed Packages (optional)

dpkg -l

Install PHP 7.2

apt-get install php7.2

Install common PHP modules

apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

Install PHP FPM

apt-get install php7.2-fpm

Update all packages (may be needed to update from php 7.2.4 to 7.2.5)

sudo apt-get upgrade

Edit your NGINX sites-available config

sudo nano /etc/nginx/sites-available/default
# I set: fastcgi_pass /run/php/php7.2-fpm.sock;

Edit your NGINX sites-enabled config

sudo nano /etc/nginx/sites-enabled/default
# I set: fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;

I edited these lines

location ~ \.php$ {
    ...
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    ...
}

Edit your PHP config (and make desired changes)

sudo nano /etc/php/7.2/fpm/php.ini

Edit your PHP pool config file (as required). See this guide here.

e.g.

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 8M
> post_max_size = 8M

sudo nano /etc/php/7.2/fpm/pool.d/www.conf

Make sure you set: listen = /run/php/php7.2-fpm.sock

Set PHP 7.2 as the default PHP

update-alternatives --set php /usr/bin/php7.2

Check your PHP version

php -v

Reload PHP

sudo service php7.2-fpm reload

Reload NGINX

nginx -t
nginx -s reload
/etc/init.d/nginx restart

Check the status of your PHP (and child workers)

sudo service php7.2-fpm status
● php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager
   Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-05-04 19:02:27 AEST;
     Docs: man:php-fpm7.2(8)
  Process: 123456 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 123456 (php-fpm7.2)
   Status: "Processes active: 0, idle: 10, Requests: 0, slow: 0, Traffic: 0req/sec"
    Tasks: 11
   Memory: 30.5M
      CPU: 10.678s
   CGroup: /system.slice/php7.2-fpm.service
           ├─16494 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
           ├─16497 php-fpm: pool www
           ├─16498 php-fpm: pool www
           ├─16499 php-fpm: pool www
           ├─16500 php-fpm: pool www
           ├─16501 php-fpm: pool www
           ├─16502 php-fpm: pool www
           ├─16503 php-fpm: pool www
           ├─16504 php-fpm: pool www
           ├─16505 php-fpm: pool www
           └─16506 php-fpm: pool www

Check your website.

Troubleshooting

Guides that helped me.

https://thishosting.rocks/install-php-on-ubuntu/

https://websiteforstudents.com/wordpress-supports-php-7-2-heres-how-to-install-with-nginx-and-mariadb-support/

Check your log files

tail /var/log/nginx/error.log

Debug FPM Service

systemctl status php7.2-fpm.service
● php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager
   Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-05-06 00:18:55 AEST; 7min ago
     Docs: man:php-fpm7.2(8)
  Process: 123456 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 123 (php-fpm7.2)
   Status: "Processes active: 0, idle: 10, Requests: 44, slow: 0, Traffic: 0req/sec"
    Tasks: 11
   Memory: 212.6M
      CPU: 12.052s
   CGroup: /system.slice/php7.2-fpm.service
           ├─438 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
           ├─441 php-fpm: pool www
           ├─442 php-fpm: pool www
           ├─443 php-fpm: pool www
           ├─444 php-fpm: pool www
           ├─445 php-fpm: pool www
           ├─446 php-fpm: pool www
           ├─447 php-fpm: pool www
           ├─449 php-fpm: pool www
           ├─450 php-fpm: pool www
           └─451 php-fpm: pool www

May 06 00:18:55 server systemd[1]: Stopped The PHP 7.2 FastCGI Process Manager.
May 06 00:18:55 server systemd[1]: Starting The PHP 7.2 FastCGI Process Manager...
May 06 00:18:55 server systemd[1]: Started The PHP 7.2 FastCGI Process Manager.

Remove PHP 7.0

sudo apt-get purge php7.0-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libaspell15 libauthen-pam-perl libc-client2007e libio-pty-perl libmcrypt4 librecode0 libtidy-0.99-0 libxmlrpc-epi0 linux-headers-4.4.0-109
  linux-headers-4.4.0-109-generic linux-headers-4.4.0-112 linux-headers-4.4.0-112-generic linux-headers-4.4.0-87
  linux-headers-4.4.0-87-generic linux-headers-4.4.0-96 linux-headers-4.4.0-96-generic linux-image-4.4.0-109-generic
  linux-image-4.4.0-112-generic linux-image-4.4.0-87-generic linux-image-4.4.0-96-generic linux-image-extra-4.4.0-109-generic
  linux-image-extra-4.4.0-112-generic linux-image-extra-4.4.0-87-generic linux-image-extra-4.4.0-96-generic mlock
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  php7.0-cli* php7.0-common* php7.0-curl* php7.0-fpm* php7.0-gd* php7.0-imap* php7.0-intl* php7.0-json* php7.0-mbstring* php7.0-mcrypt*
  php7.0-mysql* php7.0-opcache* php7.0-pspell* php7.0-readline* php7.0-recode* php7.0-sqlite3* php7.0-tidy* php7.0-xml* php7.0-xmlrpc*
  php7.0-xsl*

PHP 7.0 Removed 🙂

Remove other unused packages

sudo apt autoremove

At the time of writing (November the 18th 2018) PHP 7.2.12 is the latest version of PHP and PHP 7.3 will be out at the end of the year.

Good luck and I hope this guide helps someone

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.4 Updated the post to mention PHP 7.0 EOL

v1.3 Updated to add PHP 7.2.12 information

v1.2 PHP 7.2.9 and PHP 7.2 updates

v1.1 Remove PHP 7.0 steps

v1.0 Initial post

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

October 28, 2018 by Simon

Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app

Read the full article here: https://fearby.com/article/add-two-factor-auth-login-protection-to-wordpress-with-yubico-hardware-yubikeys-and-or-2fa-authenticator-app/

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

October 28, 2018 by Simon

Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

October 4, 2018 by Simon

This post aims to show you how you can use a Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and other software and services.

Background

Although I am a developer I do like security related topics and I try and do as much as I can to secure my systems and applications. Reading the Multi-Factor Authentication Wikipedia page has all the details on Multi-Factor authentication.

I have been a big fan of 1Password to generate strong and unique passwords for separate accounts for a while now. Read my guide on upgrading from a standalone 1Password licence to a 1Password subscription. I love generating unique and complex passwords with 1Password.

But what happens if someone gets access to my 1password vault? Yubico has a catalogue of support services that I can use Yubikeys with to have, 1password is one supported service 🙂

I want to add Yubico protections with these services.

macOS Logins (DONE)
macOS Screensavers (DONE)
1Password (DONE)
Dropbox (DONE)
Twitter (DONE)
Google (DONE)
Google GSuite (DONE, WAITING TO VERIFY)
Google GMail (DONE)
Google Analytics and AdSense (DONE)
Github (DONE)
Thunderbird Email (DONE)
Debian servers in the cloud (SSH) (DONE)
Ubuntu servers in the cloud (SSH) (DONE)
Securing WordPress (DONE)

Etc

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

A) Have backups of your data
B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

General

General Yubico YubiKey Setup guides https://www.yubico.com/setup/

Buying a Yubico YubiKey

International visitors can buy a YubiKey from the official store here. Australian readers can buy a key locally here. I grabbed 2x YubiKey YubiKey Neo 4 (with NFC) for $50 USD (about $75 AUD) each.

This blog post will aim to show how you can set up a primary key and backup key for use on macOS and other apps to add hardware-based two-factor authentication to logins.

Authenticator Apps

You can use Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io

Plugging the YubiKey into macOS Mojave

First I read this guide: https://www.yubico.com/works-with-yubikey/catalog/macos/

1) I plugged in my Yubico Neo key into my USB slot.
2) I closed the Keyboard setup window that appeared (I guess the YubiKey is a kind of a keyboard to allow inserting of challenge-response character streams into apps and websites).

3) I followed the basic troubleshooting page and confirmed that the key was being detected (yes it was.)

4) I followed this guide to test U2F functionality and this guide to test OTP functionality. Web pages and Google Chome can talk to the plugged-in YubiKey(s).

I was prompted to register a UTF deice (and create an account)

I was prompted to (insert) and touch my Yubico key.

Google Chome asked for some permissions first.

FYI: Chrome 67 is recommended to securely allow the reading of UbiKey’s from web pages. Only allow sites you trust access to your USB devices and use a modern browser.

Success, Chrome could now see my YubiKey and my device was now verified.

Technical data is available to let you know what is going on in the background. I am not going to break down how this works but Yubico has in-depth whitepapers and documentation if you are interested.

Nice

Configuring OSX

I logged into my Mac with the account that I was going to secure.

I performed a complete time machine backup before proceeding. If you lock yourself out you will need to restore OSX from a Time Machine backup.

I Read the “Using Yubico Pluggable Authentication Module (PAM) with Challenge-Response” login guide: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

I downloaded the Download the YubiKey Manager

I downloaded the yubikey-manager from here so I could configure the keys to use “HMAC-SHA1 Challenge-Response”.

Oops, I downloaded the wrong tool, good to know this one exists though.

I will update what this tool does in future (update firmware?)

I Downloaded the Yubikey Personalization Tool

I went back to the Yubico download page and downloaded the Personalization tool.

Many options are available here.

It’s time to configure a primary and backup (duplicate YubiKey) for use with macOS etc.

Enable Challenge Response

I opened the YubiKey Personalization Tool, Inserted my primary key, clicked the Settings tab, and in the Logging Settings group, selected Log configuration output and Yubico format.

I then clicked on the Challenge Response Tab, clicked the HMAC-SHA1 button, selected Configuration Slot 2, ticked “Program Multiple YubiKeys“, changed the “Parameter Generation Scheme = Same for all Keys“, Selected “Fixed 64 byte input” under “HMAC-SHA1 Parameters” and generated a new key (wrote it down).

Under “Configuration Protection” then I selected Enable Protection” I then visited here and generated a 6 digit string to convert to hex array (with spaces (e.g: “70 61 73 73 77 64”)).

Warning: If you set an access code and later forget it, you cannot make any programming changes to this YubiKey. You would need to buy another YubiKey.

I clicked on Write Configuration

If you chose Configuration Slot 1 you will receive a warning about not saving over Configuration Slot 1 due to Yubico VIP/Symantec, I personally do not trust Symantec or the https://vip.symantec.com/ service due to Symantec issuing non-compliant certificates for use on websites. Yubico allows you to swap configuration slots if want to keep the configuration data.

On the output of the first write, I was prompted to save a file. I saved this to “secretkey.csv” onto the Desktop.

When the write to my primary key was successful, I ejected it then inserted my backup key and wrote the same configuration data to it too (on Configuration Slot 2).

Testing the HMAX-SHA1 Challenge

I open the YubiKey Personalization Tool, then click the Tools tab and click Challenge Response. Choose Configuration Slot 2, I selected HMAC-SHA1. I typed a sample input challenge (e.g “hello world”) and clicked Perform.

I noticed the Yubico key touch panel was flashing. I pressed the button, then a response appeared below the input textbox. I copied this response text then insert your second key and perform the same test so I could compare the responses (they should be the same). They were.

If the responses don’t match rewrite the configuration to your primary and secondary keys and ensure the same key and secret was used for both keys.

FYI: I rewrote configuration a few times until I got it right.

Installing the Pluggable Authentication Module (PAM) on macOS

I re-read the Mac login guide here as I don’t want to lock myself out of my Mac.

I opened the Yubico Software Download page here and clicked Computer Login Tools and downloaded the PAM for Mac.

I installed the PAM package and verified the package installation with this command.

ls -al /usr/local/lib/security

Output:

Text Output:

> drwxr-xr-x 3 root wheel 96 9 Oct 10:29 .

> drwxrwxr-x 74 simon admin 2368 9 Oct 10:29 ..

> -rwxr-xr-x 1 root wheel 143172 20 Apr 21:13 pam_yubico.so

Backup macOS

Again I ensured my Mac was backed up with Time Machine.

I logged in to my Mac with the account I wanted to be protected with the Yubico YubiKeys.

I ran the following command in terminal

mkdir –m0700 –p ~/.yubico

I double checked that my Yubico key(s) were set up for challenge response (above).

I inserted my Uubico key and ran this command

ykpamcfg -2

Feel free to read the “ykpamcfg” manual here. The yubico-pam source code is located here.

Output:

The contents of “/Users/simon/.yubico/challenge-#######” looked like (I replaced 232 random chars with #’s below). The filename ended with my keys serial number.

v2:########################################################################################################################################################################################################################################:10000:2

Next, I was supposed to copy the challenge output from ykpamcfg to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] with this command..

sudo cp /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] /Users/[USERNAME]/.yubico

But I had this error.

No such file or directory

Weird as the source file existed?? macOS issues?

I Opened /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER] in the nano editor (sudo elevated process) and saved the file to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

I reopened my terminal and verified the contents of /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER]. The file is now there.

Permissions on the file is “-rw——-“. Good.

I inserted my second backuP key and re-ran “ykpamcfg -2” and copied the file to “/Users/simon/.yubico”

I verified the file contents

sudo cd /var/root/.yubico/
ls -al

Output

Text Output:

> drwxr-xr-x 4 root wheel 128 9 Oct 09:50 .
> drwxr-x— 12 root wheel 384 9 Oct 09:39 ..
> -rw-r–r– 1 root wheel 244 9 Oct 09:50 challenge-#######
> -rw-r–r– 1 root wheel 244 9 Oct 09:42 challenge-#######

Snip from: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

“Program at least two YubiKeys when implementing a requirement for authentication with a YubiKey on your Mac. If you configure only one YubiKey and something happens to the YubiKey, you must restore the Mac from a Time Machine backup that you created before editing the authorization file before you can log back in to your account. ”

Reading the guide regarding multiple accounts (setting up a Key for each login). I have 5 logins on my Mac but when this works I will disable the other accounts from logging in.

Enable the use of the Yubico key when the screensaver is deactivated on macOS

I opened a terminal and edited “/etc/pam.d/screensaver ” (I use the easier nano editor)

sudo nano /etc/pam.d/screensaver

I added this line

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

I tested my screensaver and no extra protection was provided (the screensaver just exited).

I rebooted, still no change?

I reinstalled the PAM module.

Silly me, I needed to enable the password on the screensaver to then activate the /etc/pam.d/screensaver entries.

I enabled the screensaver passwords

I am now prompted to enter my password and inset and tap my Yubico Key on screensaver exit (on both keys). Awesome.

Next, I need to enable this at macOS login.

Enable the use of the Yubico key at macOS Login

I edited /etc/pam.d/authorization file with nano in the terminal

sudo nano /etc/pam.d/authorization

I added the same line as was added to the file /etc/pam.d/screensaver

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

Now let’s log out and test this.

It’s working.

Excellent

Add Two Factor Authentication to 1Password

Here is a guide on using the Yubico YubiKey with 1Password. This directed me to https://support.1password.com/yubikey/

I downloaded the Yubico Authenticator app on macOS and installed it.

After I inserted my primary Key I received a “No Credentials Found”message.

I logged into https://my.1password.com/signin and clicked My Profile.

I clicked More Actions then Turn On Two-Factor Authentication

I added the generated QR code details to the Android Authenticator and macOS Yubico Authenticator app. At first, I could not scan the QR code in macOS (was Mojave blocking this?), I manually entered the details (after confirming them from the Android app QR code scan).

Details:

Issuer: 1Password
Account Name: my.1password.com
Secret Key: ###################
Time: 30
Algorithm: SHA-1
Period: 30
Digits: 6

Now, 1Password web and the desktop app are asking for the 2-factor code (generated in the Yubico Authenticator app after I insert my YubioKey).

Nice

I logged off and I was not prompted for my Two Factor code?

Snip from: https://support.1password.com/two-factor-authentication/

“Your 1Password account is now protected by two-factor authentication. From now on, you’ll need to enter a six-digit authentication code from your authenticator app when you sign in to 1Password on a new device.”

I logged in to 1Password from Google Chrome on Android and indeed I was prompted for a two-factor auth code form the Yubico Authenticator app (with a KubiKey inserted).

Add Two Factor Authentication to Dropbox
I read https://www.yubico.com/works-with-yubikey/catalog/dropbox-personal/. Dropbox also has setup instructions here.

I logged into Dropbox and went to Settings then Security then clicked Add next to Security Keys

I started the Wizard, entered my Dropbox password, then inserted my YubiKey.

Name the Key

I added my Primary and Backup Key(s)

I logged out and back in and no Security Key prompt?

I am using Chrome and had cleared past browsers from the Dropbox list of web browsers at https://www.dropbox.com/account/security

I discovered that I need to set the primary authentication method to Use Mobile App (My Bad, it would be nice if Dropbox set this as default after I added the keys).

I added the Dropbox QR code to the Yuboico Authenticator app

I was asked to enter a 6 digit code from my Yubico Authenticator app to verify the working link. I inserted my YubiKey into my machine to show the code.

Now Dropbox is configured 🙂

Success

I now have to insert my primary key when logging into Dropbox

I need to find a way to copy my Authenticator credentials to my Backup Key from my Primary key

Add Two Factor Authentication to Twitter

I read https://www.yubico.com/works-with-yubikey/catalog/twitter/ (Setup Instructions)

1) Login to Twitter

2) Open your Settings and Look For Security

3) Click Start

4) Enter Your Password

5) Accept and enter any SMS codes if you set up SMS Two Factor codes via SMS

6) Click “Review your login verification methods”

7) Click “Setup Key”

8) Insert Your YubiKey and follow the prompts to activate it.

9) Now the key will be requoted to log in to Twitter

Testing Two Factor Login to Twitter

I logged out of and back into Twitter but the SMS Two Factor Authentication method was still active?

I tried to disable the SMS method in Twitter but two factor was disabled altogether and the registered key was deleted. I re-added my key 🙁

I solved this by choosing “Choose a different verification method” when logging in then choosing “Use your security key“, Twitter then accessed my YubiKey and further login attempts used the key instead of SMS 🙂 I could use an Authenticator code but they YubiKey touch method is quicker.

Done

It would be nice if Twitter allowed multiple keys to be used to log in?

Add Two Factor Authentication to Google, Google cloud, Gsuite etc

I read https://www.yubico.com/works-with-yubikey/catalog/google-accounts (Instructions https://myaccount.google.com/).

Adding two Factor authentication details to Google was not easily accessible at Google so I Googled (lol) this https://support.yubico.com/support/solutions/articles/15000006418-using-your-yubikey-with-google

I loaded: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome

I clicked Get Start

I clicked Choose Another Option (not SMS Two factor)

Clicked Security Key

As prompted I inserted my key and allowed access to it.

I named the Key

I repeated the steps and added my 2nd key.

Done

I logged out my https://myaccount.google.com and logged back in and I was prompted to insert my YubiKey

Nice

I did try and login to my google GSuite account at https://admin.google.com but it did not prompt me to insert a key. I will do this next.

Add Two Factor Authentication to GSuite

I logged into the GSuite admin interface at https://admin.google.com/ I generated some backup codes in case I need them in the future.

I checked my main admin user account and I could see the 2 google security keys synced through from Google.

I then searched GSuite for “Two Factor” and loaded the “Enforcement” Page

I enabled “Turn On Enforcement Now”

I enabled “Only Security Keys”

I logged out and back into https://gsuite.google.com/ TWICE and no security key prompt.

Silly me: I forgot to click save at the bottom of the screen and it appears there is a 24-hour delay?

Add Two Factor Authentication to GMail

This is already done (above), GSuite email takes up to 24 hours to become active, GMail is instant.

Add Two Factor Authentication to Google Analytics

I can’t see an option to turn Two Factor Auth on in Google Analytics 🙂

I did send feedback to the Google Analytics team.

Add Two Factor Authentication to Google Adsense

I can’t see an option to turn Two Factor Auth on in Google Adsense either 🙂

I did send feedback to the Google AdSense team.

Add Two Factor Authentication to Github

I logged into Github, opened my Settings and clicked Security then Enable two-factor authentication

Click Setup using an app save the recovery codes.

Open the Yubico Authenticator app (ensure you can see the QR Code in GitHub)

In the Yubico Authenticator, App click File then Scan QR Code

The GitHub details should be added to the Authenticator

Two Factor via authenticator tokens is enabled and now I can see a Keys options,

I clicked Add next to security keys then Register New Device, I gave the key a name then clicked Add.

I added both keys then I Logged out and back in and two factor was enabled by YubiKey 🙂

Add Two Factor Authentication to Debian servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

Add Two Factor Authentication to Ubuntu servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

YubiKey Support

There are loads of Yubico support articles here: https://support.1password.com/yubikey/

Yubico Developer Info

A GitHub repository of source code is located here: https://github.com/Yubico

Other developer related pages here

Securing WordPress

Read this guide on Securing WordPress with 2FA (YubiKey insertion or Authenticator app).

I found a good WordPress plugin to handle 2FA logn methods.

I am prompted to insert my YubiKey after logging into WordPress.

Nice

Java Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has Java repository that contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTP’s (One-Time Passwords).

https://developers.yubico.com/yubico-java-client/

PHP Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has PHP library ad source code but it has not been updated in 3 years. I cannot get this working on PHP 7.2.

https://github.com/Yubico/php-yubico

Using Yubico YubiKeys as 2fA with one-time Passwords.

The YubiKeys can be used to store and generate one time passwords.