Code, InfoSec and Server Stuff
Views are personal and not my employers.
I recently had an issue where I set up a website for a friend. I invested 6 hours into setting up, the server and backups were automatically deleted after 7 days while I was away from my keyboard because I assumed the account was valid and had credits.
Read Full Article:
No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
Advertisement:
Aside
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Murphy’s Law
I recently had an issue where I set up a website for a friend. I invested 6 hours into setting up..
I setup…
I had tested GTMetrix scores = less than 1 second. Security headers were tested and I was happy with the site.
The server and backups were automatically deleted after 7 days while I was away from my keyboard because I assumed the account was valid and had credits.
Lesson Learned
I have guides on setting up a server on UpCloud, AWS, Vultr, Digital Ocean but setting up can be rather repetitive so how can you prevent resetting up servers?
Why Plan for the Worst
How I will prevent this in future
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
Revision History
v1.0 Initial Post
This is quick guide explaining how I created my first JavaFX application using the Gluon Scene Builder in the IntelliJ IDEA IDE.
Read the full article here: https://fearby.com/article/creating-your-first-java-fx-app-and-using-scene-builder-in-the-intellij-idea-ide
This is quick guide explaining how I created my first JavaFX application using the Gluon Scene Builder in the IntelliJ IDEA IDE.
Advertisement:
I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I created this blog post on creating a Java GUI app with the older Swing technology (Java FX replaces Swing). I now want to create a JavaFX app to control my UpCloud VM’s.
If you have not read my previous posts I have now moved my blog etc to the awesome UpCloud host. Sign up using this link to get $25 free credit.
Do read: Preparing for JavaFX Application Development: https://wiki.openjdk.java.net/display/OpenJFX/Building+OpenJFX#BuildingOpenJFX-Mac
Downloading Java
Download and install Java SE 8 or higher from http://www.oracle.com/technetwork/java/javase/downloads/index.html
Download Intelli J IDEA IDE
Goto https://www.jetbrains.com/idea/
Click Download
Download the community edition
Install Intelli J IDEA IDE
Install Scenebuilder
I downloaded the Java Scene Builder (1.1 or 2.0) from here.
Install the Scene Builder (open the installer and drag it to your applications folder).
Configure the Scene Builder in IntelliJ IDEA IDE
You can now create a JavaFX project an have a workign scene builder GUI.
After you create a JavaFX project open your JavaFX fxml file in Scene Builder (right click on the .fxml file and select Open in Scene Builder)
Extended Scene Builder from Gluon
I read that there is a better Scene builder GUI available from https://gluonhq.com/products/scene-builder/
Read some of the Java Scene Builder v Gluon Scene Builder history here at Reddit for the latest on why.
I am going to download the Gluon Scene Builder from http://gluonhq.com/products/scene-builder/
Download and install the Gluon Scene builder (at the time of writing requires Java 9 or higher).
Now open IntelliJ IDEA IDE and open the preferences and change the scene builder path from “/Applications/JavaFX Scene Builder 2.0.app/” to “/Applications/SceneBuilder.app/“.
Save the IntelliJ IDEA preferences and Right click on your projects “fxml” file again and click “Open In Scene Builder” , do verify it is indeed the Gluon Scene builder by opening the about menu.
Designing your first JavaFX app
Now you can design and code a JavaFX application with Gluon Scene Builder.
I am not an expert at java apps so i’d highly recommend you follow this guide to learn how to build a well-structured JavaFX panel layout (just ignore that it is using the standard Scene Builder, it works with the gluon one).
You should now have a working Java FX App
The scene builder will save changes to your fxml file
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | <?xml version="1.0" encoding="UTF-8"?> <?import javafx.geometry.Insets?> <?import javafx.scene.control.Button?> <?import javafx.scene.control.Label?> <?import javafx.scene.control.Menu?> <?import javafx.scene.control.MenuBar?> <?import javafx.scene.control.MenuItem?> <?import javafx.scene.control.TextArea?> <?import javafx.scene.control.TextField?> <?import javafx.scene.control.TreeView?> <?import javafx.scene.layout.BorderPane?> <?import javafx.scene.layout.HBox?> <?import javafx.scene.layout.Region?> <?import javafx.scene.layout.VBox?> <BorderPane maxHeight="-Infinity" maxWidth="-Infinity" minHeight="-Infinity" minWidth="-Infinity" prefHeight="400.0" prefWidth="600.0" xmlns="http://javafx.com/javafx/9.0.4" xmlns:fx="http://javafx.com/fxml/1" fx:controller="sample.Controller"> <top> <VBox BorderPane.alignment="CENTER"> <children> <MenuBar> <menus> <Menu mnemonicParsing="false" text="File"> <items> <MenuItem mnemonicParsing="false" text="Close" /> </items> </Menu> <Menu mnemonicParsing="false" text="Edit"> <items> <MenuItem mnemonicParsing="false" text="Delete" /> </items> </Menu> <Menu mnemonicParsing="false" text="Help"> <items> <MenuItem mnemonicParsing="false" text="About" /> </items> </Menu> </menus> </MenuBar> <HBox spacing="8.0"> <children> <TextField promptText="ip" /> <TextField promptText="Username" /> <TextField promptText="Password" /> <Button mnemonicParsing="false" onMouseClicked="#loginButtonClicked" prefHeight="27.0" prefWidth="68.0" text="Login" /> <Region HBox.hgrow="ALWAYS" /> <Button mnemonicParsing="false" onMouseClicked="#settingsButtonClicked" text="Settings" /> </children> <padding> <Insets bottom="8.0" left="8.0" right="8.0" top="8.0" /> </padding> </HBox> </children> </VBox> </top> <left> <TreeView prefHeight="200.0" prefWidth="200.0" BorderPane.alignment="CENTER" /> </left> <center> <TextArea prefHeight="200.0" prefWidth="200.0" BorderPane.alignment="CENTER" /> </center> <bottom> <HBox BorderPane.alignment="CENTER"> <children> <Label text="Label" /> </children> <padding> <Insets bottom="2.0" left="2.0" right="2.0" top="2.0" /> </padding> </HBox> </bottom> </BorderPane> |
Advertisement:
You can add functions into your controller class
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | package sample; public class Controller { public void loginButtonClicked(){ System.out.println("Login"); } public void settingsButtonClicked(){ System.out.println("Settings"); } } |
Instaling Gluon JavaFX Templates
Close your test project and create a new project, but before you do click Configure then Plugins
Now lets open In the following screen click Browse Repositories.
Search the repository for and install the “Gluon” plugin
Restart IntelliJ IDEA IDE then you can use templates when creating a project.
Get your own VM
If you have not read my previous posts I have now moved my blog etc to the awesome UpCloud host. Sign up using this link to get $25 free credit.
Packaging a Java app for distribution on OSX
I will show how you can package your app to run on a Mac by using this.
Coming Soon
I will add more guides soon on using a custom JavaFx app to allow you to manage your own UpCloud server and perform Deploy/Init/Setup/Configure/Operate actions. Running CLI commands to deploy and manage a server is fun but is very tedious.
I blogged recently about using the UpCloud API and setting up a subdomain recently (I will use this server to test and prove the Javmanagementnt app).
Advertisement:
Links
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
V1.6 Jenkov Tutorials
V1.5 Reddit java help
V1.4 added java widgets link
V1.3 added javafx examples link.
V1.2 added Java learning paths
V1.1 added offical Javafx examples
v1.0 Initial post
This guide will show you how to enable the latest Transport Layer Security (TLS) 1.3 protocol with it’s predecessor Secure Sockets Layer (SSL) with NGINX and OpenSSL for better website security on an Ubuntu 16.04 server
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Making sure your server is up to date and running the latest SSL software is important. I have updated Open SSL before and blogged about this here. Do backup your server before changing settings and if you use Cloudflare (if you don’t do it now) enable Development Mode (and disable caching until changes are made).
For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
TLS 1.3 is the latest SSL security protocol that can be used between clients and servers to encrypt connections on the web.
TLS 1.3 uptake is only 60% according to https://caniuse.com/#search=TLS%201.3
Read why TLS 1.3 is important and news on TLS 1.3 can be found here: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
The Good and Bad
Done be like this commercial site with very poor security (tested with SSL labs and asafaweb)
Here is what the top 1 million sites do
Here it is!! Alexa Top 1 Million Analysis – February 2018 https://t.co/TjBHNX7zTi
— Scott Helme (@Scott_Helme) February 26, 2018
Installing Open SSL on Ubuntu
Connect to your Ubuntu 16.04 server via SSH (I connected to my Vultr server)
Check what version of OpenSSL you have? My OpenSSL is out of date.
1 2 | # openssl version OpenSSL 1.1.0g 2 Nov 2017 |
Tip: What Ciphers does your Open SSL Support?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | openssl ciphers -s -v ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 |
Time to update Open SSL
OpenSSL 1.1.1 beta is available and supports TLS 1.3 but it is n BETA form. OpenSSL code is available here.
I did the following to download and build the latest version of OpenSSL.
1 2 3 4 5 6 7 | mkdir /openssltemp cd /openssltemp sudo git clone git://git.openssl.org/openssl.git cd openssl/ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib make sudo make install |
I tried to check the open SSL version but had an error?
1 2 3 | openssl version openssl: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl) openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl) |
A quick GitHub ticket revealed I needed to set a path variable.
1 2 | export LD_LIBRARY_PATH=/usr/local/lib echo "export LD_LIBRARY_PATH=/usr/local/bin/openssl" >> ~/.bashrc |
Open SSL now reports it’s version.
1 2 | openssl version OpenSSL 1.1.1-pre3 (beta) 20 Mar 2018 |
What version NGINX do you have (1.13 supports TLS 1.3) read here
1 2 | # nginx -v nginx version: nginx/1.13.9 |
Backup your NGINX
Do backup your server files and take a snapshot if need be. I am not responsible;e for a broken server,
1 | sudo cp -R /etc/nginx/ /nginx-backup-26thMar-2018 |
Edit NGINX Configuration
Update NGINX configuration: /etc/nginx/sites-available/default
1 2 3 4 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ecdh_curve secp384r1; |
tip: Review other NGINX hardening settings here. Also remove TLSv1.0
I tested my NGINX config loaded them and restarted NGINX
1 2 3 | nginx -t nginx -s reload /etc/init.d/nginx restrat |
Check the status of NGINX
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | # /etc/init.d/nginx status [ ok ] Restarting nginx (via systemctl): nginx.service. ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) Docs: man:nginx(8) Process: 15154 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS) Process: 15162 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Process: 15159 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Main PID: 15166 (nginx) Tasks: 4 Memory: 2.3M CPU: 27ms CGroup: /system.slice/nginx.service ├─15166 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; ├─15170 nginx: worker process ├─15171 nginx: cache manager process └─15172 nginx: cache loader process |
If you have configured Cloudflare then log in and enable TLS support.
Enable TLS 1.3 in Chrome by visiting chrome://flags/#tls13-variant This should be automatic in later versions of Chrome and other browsers.
Verify TLS
I used the developer tools in Chrome to confirm the page was verified in TLS 1.3.
Updated to 1.1.1-pre6-dev
1 2 3 4 5 6 7 8 9 10 11 | mkdir /temp cd /temp sudo git clone https://github.com/openssl/openssl.git cd openssl/ ./config --prefix=/usr/local --openssldir=/usr/local -Wl,-rpath,/usr/local make sudo make install openssl OpenSSL> version OpenSSL 1.1.1-pre6-dev xx XXX xxxx OpenSSL> exit |
Don’t forget to test your SSL strength with https://dev.ssllabs.com/ssltest/
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.3 added bad ssl cert.
v1.2 ssl test v1.1 updated to 1.1.1-pre6-dev
v1.0 Initial post
Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX
Advertisement:
Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/
DNS Performance
You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers
I check the DNS at my router, I am using ISP provided DNS servers.
Cloudflare DNS
On April Fools 2018 Cloudflare Released a DNS server service.
Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.”
Set Cloudflare Nameservers using OSX
Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1
Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | cat /etc/resolv.conf # # macOS Notice # # This file is not consulted for DNS hostname resolution, address # resolution, or the DNS query routing mechanism used by most # processes on this system. # # To view the DNS configuration used by this system, use: # scutil --dns # # SEE ALSO # dns-sd(1), scutil(8) # # This file is automatically generated. # domain home nameserver 1.1.1.1 nameserver 1.0.0.1 |
Troubleshooting: Clear DNS Cache
1 | sudo killall -HUP mDNSResponder |
Debug DNS Data
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | scutil --dns DNS configuration resolver #1 search domain[0] : home nameserver[0] : 1.1.1.1 nameserver[1] : 1.0.0.1 flags : Request A records reach : 0x00000002 (Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 301000 DNS configuration (for scoped queries) resolver #1 search domain[0] : home nameserver[0] : 1.1.1.1 nameserver[1] : 1.0.0.1 if_index : 7 (en0) flags : Scoped, Request A records reach : 0x00000002 (Reachable) |
Confirm Cloudflare DNS from the OSX Comand line
1 2 3 4 5 6 7 8 9 | nslookup www.fearby.com Server: 1.1.1.1 Address: 1.1.1.1#53 Non-authoritative answer: Name: www.fearby.com Address: 104.27.154.69 Name: www.fearby.com Address: 104.27.155.69 |
Privacy
I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.
Several people have asked me about Cloudflare’s new 1.1.1.1 privacy DNS service. To be clear: it DOES NOT stop your ISPs from collecting your browsing history. ISPs can still see the sites you’re connecting to — even if the site is over HTTPS. You will still send a hostname.
— Zack Whittaker (@zackwhittaker) April 2, 2018
Speed
I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.
Conclusion
I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.0 Initial post
It is possible to deploy a server in minutes to hours but it can take days to secure. What tools can you use to help identify what to secure on your website?
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line, installing a Free SSL certificate and setting up SSL security.
Security Tools
Qualys SSL Labs SSL Tester is the best tool for checking an SSL certificate strength
Most people don’t know Qualys also has another free (limited to 10 scans) vulnerability scanner for websites.
Goto https://freescan.qualys.com/ and click Start your free account.
Complete the signup form
Now check your email to login and confirm your email account
Login now from the email.
Create a password (why the 25 char max Qualys?)
Enter your website URL and click Scan
The scan can take hours
While the scan was being performed I noticed that Qualys offers alerts (I’ll check this out later): https://www.qualys.com/research/security-alerts/
Yes, the scan can take hours, take a walk or read other posts here.
The scan is almost complete
Yay, my latest scan revealed 0 High, 0 Medium and 0 Low-risk vulnerabilities.
It did report 23 informational alerts like “Firewall Detected“.
Threat Report Results
Patch Report Results
This report was empty (probably because I don’t run Windows)
Threat Report Results
The OWASP report contained partial scan results (maybe the full report is available to pro users)
Previous Scan Results
The Qualys dashboard will show all past scans.
My first scan showed a Low priority issue with the /wp-login.php page as the input fields did not have “autocomplete=”off””, I fixed this by adding “autocomplete=”off”” the removing the page (safer).
The second scan found two issues with cookies (possibly ad banner cookies) and 2 subfolders that I created in past development exercises. I deleted the two sub-folders that were not needed.
The third scan was clean.
Here is a scan of a static website of a friends server (static can be less secure if the server underneath is old or unpatched).
Happy scanning. I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.1 Static Web Server Scan
v1.0 Initial post
OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.
Advertisement:
I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.
Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).
OWASP Top 10
OWASP has a top 10 list of things to review.
Download the OWASP 10 10 Application security risks PDF here form here.
Using the free OWASP Zap Tool
Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”
Zap Overview
Here is a quick demo of Zap in action.
Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.
Installing Zap
Download Zap from here.
Download Options
Download contents
Copy to the app to the OSX Application folder
App Installed
Open OSX’s Privacy and Security screen and click Open Anyway
OWASP Zap is now Installed
Ready for a Scan
But before we do let’s check out the Options
OWASP Zap allows you to label reports to ad from anyone you want.
Now let’s update the program and plugins, Click Manage Add-ons
Click Update All to Update addons
I clicked Update All
Installed some plugins
Zap is Ready
Add a site and right click on the site and you can perform an active scan or port scan.
First Scan (https failed)
I enabled unsafe SSL/TLS Renegotiation.
This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.
The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security
I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.
fyi: I own and set up the site I queried below.
OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.
Generating a Report
To generate a report click Report then the appropriate generation menu of choice.
FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.
I hope this guide helps someone. Happy software/server hardening and good luck.
More Reading
Check out my Kali Linux guide.
Ask a question or recommend an article
Revision History
V1.3 fixed hasting typo.
v1.2 False Positive
v1.1 updated main features
v1.0 Initial post
Chrome 65 beta has added SEO to audits in the Developer Tools Audit tab.
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line.
When you develop any site you need to perform regular audits to ensure it is up-to-date and compliant. Google Chrome has audit tools built right in (Chrome 65 has SEO audit tools (yay)
Chrome 64Developer Tools – Audit tool.
Chrome 64 Audit Scan options
Chrome 64 Audit Results
The performance results seem off given I have set up a CDN, optimized WordPress.
Time to download Chrome 65 beta and get new audit tools.
Chrome version confirmed
Audit Options
Chrome 65 Audit Results
Hmmm, results are different (same website, network and time)
Chrome 64 Audit Results:
Chrome 65 BETA Audit Results:
Google recommends you load pages in under 1s, I would suggest using multiple tools to indicate site speed.
https://gtmetrix.com is a great site for testing your sites speed. I used GT Metrix to move my site from 26s to 6 by setting up a WordPress CDN, moving away from CPanel to a self-managed server on Vultr then to 4s with optimising PHP by setting up child workers.
https://www.webpagetest.org is also good for testing websites.
I will continue to use Chrome Audit Tools for other results like SEO
That’s weird Chrome Audit Tools, I thought I did not have meta tags?
I downloaded the WP Meta SEO plugin, I use the wp command from the SLI (setup guide here)
1 2 3 4 | cd /www/wp-content/plugins/ wget https://downloads.wordpress.org/plugin/wp-meta-seo.3.6.6.zip unzip wp-meta-seo.3.6.6.zip rm -R wp-meta-seo.3.6.6.zip |
I activated the plugin in WordPress the loaded the dashboard. WP Meta SEO asked to import data from the Yoast plugin.
Now I can see my metadata is falling behind.
With WP Meta SEO I was able to apply individual page Meta tags.
I added the following meta tags with WP Meta SEO plugin for each page (the metadata below was for this page)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | <meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="twitter:image" content="https://fearby-com.exactdn.com/wp-content/uploads/2018/02/php_pool_featured.jpg" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@FearbySoftware" /> <meta name="twitter:domain" content="Programming, IoT and Server Stuff" /> <meta name="twitter:description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta name="twitter:title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta property="og:image" content="https://fearby-com.exactdn.com/wp-content/uploads/2018/02/php_pool_featured.jpg" /> <meta property="og:site_name" content="Programming, IoT and Server Stuff" /> <meta property="og:description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta property="og:url" content="https://fearby.com/article/how-to-setup-php-fpm-on-demand-child-workers-in-php-7-x-to-increase-website-traffic/" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta name="description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta name="keywords" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta name="title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> |
fyi
I use the free version of the Yoast for SEO plugin in WordPress. The premium version has a lot more to offer, I might have to check Premium out.
I am now on the hunt for meta plugins for WordPress
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.2 WP-Meta SEO
v1.1 Added webpagetest.org link and results
v1.0 Initial post
This guide will show how you can create an electronics schematic to represent elements of a circuit for Arduino, Raspberry Pi and ESP8266 micro-controllers.
Advertisement:
Todo: Content
Wikipedia states here: “A schematic, or schematic diagram, is a representation of the elements of a system using abstract, graphic symbols rather than realistic pictures. A schematic usually omits all details that are not relevant to the information the schematic is intended to convey, and may add unrealistic elements that aid comprehension.” This guide will help you create schematics using Fritzing on OSX, you may still want to document your system requirements etc in Github or Bitbucket.
I am creating some small personal weather station on Arduino, Raspberry Pi and ESP8266 to submit data to cloud servers on Vutr (or AWS or Digital Ocean), read my guide on using Adminer to create and manage MySQL databases.
What are sensors
A sensor could detect temperature, humidity, barometric pressure, light and just about anything else.
Temperature, Humidity and Barometric sensor (bme280)
Most sensors work on low voltage have analogue or digital outputs (I2C or SPI) and require minimal wires. The real problem is having multiple sensors and wiring gets out of hand.
What is Arduino
Arduino is a low power 8bit and 32bit hardware/software product that you can rapidly wire up circuits and sensors. Sites like Adafruit sell loads of sensors and develop a lot of software libraries to drive sensors.
Non-genuine Arduino boards age mega cheap on eBay.
Arduino has slide-on shields that can be pushed onto an Arduino board to expand them.
Pros
Cons
Sensors or expansions can come in shields or be connected to pins with wires.
What is Raspberry Pi
Raspberry Pi is also a single board computer but with a more powerful ARM processor that runs a Linux operating system from an SD card. Raspberry Pi’s are essentially small desktop computers. Raspberry Pi’s have USB, can plug into a monitor, have a bootable desktop have Arduino like GPIO pins that can talk to sensors (but not as many analogue sensors).
Pros
Cons
What is ESP8266
Pros
Cons
ss
Installing Fritzing
Fritzing is a software package that can allow you to design and learn electronic schematics (filter by kid level, amateurs, master or higher).
Goto: http://fritzing.org/
Click Download and Donate
Click Download and choose the right version for your Operating System
Copy the app to your Application folder
Open the app a few times (open, wait, proceed, close, open wait proceed etc) to ensure parts updates are installed.
Fritzing Introduction on YouTube
Watch the Introduction video for Fritzing here
Fritzing Killer Tips Series on YouTube
Watch Fritzing Killer Tips 001 The generic IC
Extending Fritzing
Fritzing allows you to import new parts and design your own parts or ask Fritzing to design a part for you.
I was able to import a bme280 sensor within seconds.
If a part does not exist in the forums search google for “partname” and “.fzpz”
I was able to find an ESP8266 Node MCU from https://github.com/squix78/esp8266-fritzing-parts/tree/master/nodemcu-v1.0
It looks like Fritzing has all the parts I need to work with (Pi, Arduino and Node MCU’s).
Fritzing Views
Coming soon (Views: Breadboard, schematic, PCB, code).
Designing and Ordering a PCB
Coming soon.
Find Fritzing Projects
You can find all community created Raspberry Pi Fritzing Projects below.
http://fritzing.org/projects/by-tag/raspberry%20pi/
Arduino Fritzing Projets:
http://fritzing.org/projects/by-tag/arduino/
ESP8266 Fritzing Projets:
http://fritzing.org/projects/by-tag/esp8266/
Happy coding and I hope this helps someone.
More to come.
Making a PCB
Bonus: It is possible to order your own physical PCB from say
https://easyeda.com but you will need to export your schematic from Fritzing to Eagle (or manually create your PCB in Easy EDA online IDE).
Download Eagle:
https://www.autodesk.com/products/eagle/free-download
Easy EDA guides here:
How to make a custom PCB in Easy EDA (Part 1):
How to make a custom PCB in Easy EDA (Part 2):
I will try and find a PCB manufacturer that accepts orders from Fritzing exports.
More Reading
https://www.raspberrypi.org/magpi/
Donate and make this blog better
Ask a question or recommend an article
Revision History
V1.1 Making a PCB info
v1.0 Initial Draft