Category Archives: Security

Switching a WordPress site over to HTTPS/SSL

WordPress.com, the official hosted version of WordPress, has switched over to enforcing SSL. While this is partly a political statement, there is some merit to it: firstly, you may well have forms that should be secure, letting users communicate over the encrypted channel HTTPS provides; secondly, Google has started giving a slight boost to your PageRank when it sees SSL in place.


But if you host your own server, you need to enable and provide a certificate yourself.

First, check that Apache is listening on port 443:

netstat -ntpl | grep 443

Create a Certificate Request

If all you need is secure forms and a green padlock, as I have used here, you can use a RapidSSL certificate at $12.99 a year here.

You can also get a suitable free certificate from StartSSL; I have a walkthrough for that here. If you are able to use Let's Encrypt, they have a great free certificate that is generated from your server.

Here is a great walkthrough on enabling SSL and copying the certificate and key over to your server.

To redirect http URLs to https, do the following:

    <VirtualHost *:80>
        ServerName www.example.com
        # Send every plain-http request to the https site
        Redirect / https://www.example.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.example.com
        # ... SSL configuration goes here
    </VirtualHost>

Enable the SSL module for Apache:

a2enmod ssl

Enable the new SSL site config:

a2ensite example.com-ssl

Test the new config:

apachectl configtest

Restart Apache:

sudo /etc/init.d/apache2 restart

Quite often we see that, while everything else is working, a firewall is blocking port 443. Check whether iptables is blocking it:

iptables -L -n

If there is no rule allowing port 443, add one and save it:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables-persistent save

Check whether UFW is blocking:

ufw status

If you don't see HTTPS or SSL listed:

ufw allow https

If your padlock is broken, you most likely have some non-SSL content whose URL needs to be altered manually. To check for non-HTTPS content, use this Why No Padlock tool.
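For the broken-padlock case, here is an added offline check (example code, not part of the original post): it scans a saved copy of a page for resources still referenced over plain http://, which is what breaks the padlock. The HTML sample inside is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline check for the
# "broken padlock" cause described above, i.e. assets still loaded over plain
# http://. It scans saved HTML for src= attributes and <link href= attributes
# that use http://, and prints each offending URL once so it can be fixed in
# the WordPress content or theme. Plain <a href="http://..."> links are
# ignored: they do not break the padlock, only loaded resources do.

# Print every distinct http:// resource URL referenced from FILE.
find_mixed_content() {
    file="$1"
    {
        grep -oE "src=[\"']http://[^\"']+" "$file"
        grep -oE "<link[^>]*href=[\"']http://[^\"']+" "$file"
    } | sed -E "s/^.*(src|href)=[\"']//" | sort -u
}

# Number of distinct mixed-content URLs in FILE (0 means clean).
count_mixed_content() {
    find_mixed_content "$1" | awk 'END { print NR }'
}

# Constructed sample page standing in for a WordPress post served over https.
SAMPLE_HTML="$(mktemp)"
trap 'rm -f "$SAMPLE_HTML"' EXIT
cat > "$SAMPLE_HTML" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/x/style.css">
<link rel="stylesheet" href="http://www.example.com/wp-content/plugins/old/old.css">
<script src="http://www.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/photo.jpg">
<img src='http://www.example.com/wp-content/uploads/photo.jpg'>
<a href="http://www.example.com/about/">About</a>
</body></html>
EOF

echo "mixed-content URLs: $(count_mixed_content "$SAMPLE_HTML")"
find_mixed_content "$SAMPLE_HTML"
```

To check a live page, save it with curl or wget over https first and pass that file to find_mixed_content.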

This, of course, is another of my reminder walkthroughs, which I will update as I find better instructions; I welcome any improvements.

Critical Vulnerability in Windows IIS – HTTP.sys PoC (MS15-034)

Microsoft's warning does not make clear what the vulnerability is, but you can see that it is critical and must be patched, especially on public-facing Windows IIS servers:

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.

You can see a proof-of-concept test for the vulnerability here at Exploit-DB.

This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. For more information and patch download, see the Affected Software section here at Microsoft.

Update 28th April 2015:
Awesome analysis of this vulnerability by Mike Czumak here.

Setting up a Simple VPN Server

VPNs offer far more security than the proxy servers most people are used to using. With commercial paid-for services, proxy accounts are normally much cheaper and simpler to set up on the client side, which is their only benefit over VPNs.

If you just want to view content or media in other regions, and will likely have high bandwidth usage, you are better off staying with a proxy service.

I have set up VPN accounts for clients, mostly because nearly all of my projects have used IP address identification as part of the system's security. It really is a great way to identify users beyond a username/password, but what about the "road warriors" in their hotel rooms, in the air, at clients' offices etc., who don't have a fixed IP?

Of course, VPNs themselves are very secure: no one can see into the tunnel they create, and it is not just HTTP (web browser) traffic but all other internet services that are protected from snooping.

You can send single users to VPN/proxy suppliers such as VPN-S, who, if you asked nicely, would previously provide a fixed IP address on their VPN accounts, which addresses the IP whitelisting requirement; but they have recently started charging $10 a month extra for it, making it over $20 a month per user account.

Apart from the cost, there is a security issue: do you trust the VPN supplier? It is much better to have control over your own server if confidentiality and security are a concern.

I have set up a couple of VPN servers, but that was never simple, either for the initial installation or for ongoing management. This is a well-written example of a "manual" VPN server installation walkthrough on Ubuntu 14.04; I have never managed to do this without spending 50% of the time debugging errors.

But that has changed: a VPN can be set up and configured by running a single "road warrior" script supplied by Nyr. Just run this on the (Debian, Ubuntu or CentOS) server and follow the assistant.

wget git.io/vpn --no-check-certificate -O openvpn-install.sh; bash openvpn-install.sh

When finished, just re-run the script to add extra users and devices; the .ovpn configuration files to distribute to users are written by default into /root. It should take no more than 5 minutes. The two I have recently set up on $10 Droplets at DigitalOcean can easily handle more than a single concurrent user, and while I have only tested heavily with a single user on one of those VPN instances, I can say the performance is far better than any commercial product I have seen.

You may want to lock down all the unused ports on your VPN server now; run:

ufw allow ssh
ufw allow 1194/udp
ufw allow 53/udp

where 1194 is the chosen VPN port and 53 is the optional port to be used where VPN ports might be restricted.

To connect, you need some client software as well as your .ovpn files. VPN client software is available for Windows, OS X, iOS and Android. I haven't found a working Ubuntu Linux client, but installing OpenVPN with:

sudo apt-get install openvpn

Then connecting with:

sudo openvpn --config /somefolder/yourname.ovpn

works fine. Of course, I have primarily written this to jog my memory next time I need to set up a VPN server in 5 minutes, but I really welcome any comments and suggestions.
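Before handing out the .ovpn files the script writes to /root, it is worth checking that each one matches the firewall rules above and carries its own certificates. This is an added example, not part of the original post or of Nyr's script; the profile contents are constructed placeholders, and the 203.0.113.10 address is a documentation address standing in for your server.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nyr's script: sanity-check
# an .ovpn profile before handing it to a user. It confirms the profile names
# one remote on the port the firewall was opened for, uses UDP (matching the
# 1194/udp and 53/udp rules above) and embeds its own <ca>, <cert> and <key>
# blocks, so the road warrior needs no separate certificate files.

# check_ovpn FILE PORT : exit 0 if FILE is a self-contained UDP profile for PORT.
check_ovpn() {
    file="$1"; port="$2"
    # Exactly one "remote <host> <port>" line, and it must name the expected port.
    remotes=$(grep -cE '^remote[[:space:]]' "$file" || true)
    [ "$remotes" = "1" ] || { echo "expected one remote line, found $remotes"; return 1; }
    grep -qE '^remote[[:space:]]+[^[:space:]]+[[:space:]]+'"$port"'[[:space:]]*$' "$file" \
        || { echo "remote line does not use port $port"; return 1; }
    # Transport must be UDP to match the ufw rules above.
    grep -qE '^proto[[:space:]]+udp' "$file" || { echo "proto is not udp"; return 1; }
    # Inline credentials: an opening and closing tag for each of ca, cert, key.
    for tag in ca cert key; do
        { grep -q "^<$tag>" "$file" && grep -q "^</$tag>" "$file"; } \
            || { echo "missing inline <$tag> block"; return 1; }
    done
    echo "ok: $file"
}

# Constructed profiles (placeholders only, no real certificates or keys).
GOOD_OVPN="$(mktemp)"; BAD_OVPN="$(mktemp)"
trap 'rm -f "$GOOD_OVPN" "$BAD_OVPN"' EXIT
cat > "$GOOD_OVPN" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
<ca>
(constructed placeholder, not a real certificate)
</ca>
<cert>
(constructed placeholder, not a real certificate)
</cert>
<key>
(constructed placeholder, not a real key)
</key>
EOF
# Same profile, but it references an external key file instead of embedding it.
grep -v -e '^<key>' -e '^</key>' -e 'not a real key' "$GOOD_OVPN" > "$BAD_OVPN"
echo 'key client.key' >> "$BAD_OVPN"

check_ovpn "$GOOD_OVPN" 1194
check_ovpn "$BAD_OVPN" 1194 || echo "do not distribute $BAD_OVPN"
```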

I have a backup of Nyr's road warrior script here.