Forgot my password and spam

In keeping with this month's topic of security and passwords, the discussion of lost passwords comes to mind today. When you need to reset your password on a website, the most common thing it asks you for is your email address.


Seems simple and harmless enough, but can it be a gateway for spam? You might think not, but depending on how the website responds to the email address you put in, it might!

Some systems reply in a way that makes it clear whether that account exists or not. For example, the site might reply that the password will be emailed to you, or that the account doesn’t exist.

Think about that, what is the implication?

Simply that a malicious person can write a very basic script that attempts a “password reset” against random email addresses, and your response verifies whether each address actually exists.

There are several threats here:

  1. First, it gives an attacker specific knowledge that your account exists, so they can try to brute-force their way into it;
  2. Second, instead of having to figure out whether you have an account, I can now simply send you a spoofed email saying you need to change your password at your-bank.com, because I know you have an account there, which makes the attack that much more legitimate-sounding;
  3. Finally, it lets them sell your email address as a known good address, since obviously you use it to access some online service.

For the end-user/consumer/professional, take a moment, see which websites leak your private email address. If they do, direct them to read this article so they can protect your privacy better.

For developers, this is a call to action to stop leaking this data accidentally. The preferred method is to simply say “if an account exists for that address, we’ll send you a password reset”. That stops the leak dead in its tracks, because the same message goes back for every email address attempted. Also, be sure to check out this article about account security overall.
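As an added example (not code from the post), here is the leaky reset handler beside the uniform-response version the post recommends, plus a small check you can point at your own handler. The user store, the message texts and the outbox list are constructed stand-ins.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample account store (email -> user id); stands in for a real user table.
USERS: Dict[str, int] = {"alice@example.com": 1, "bob@example.com": 2}


# The leaky pattern the post describes: the wording itself tells the caller whether
# an account exists, so a script can submit random addresses and keep the "hits".
def leaky_reset(email: str, users: Dict[str, int]) -> str:
    if email in users:
        return "Your password reset link has been emailed to you."
    return "No account exists for that email address."


# The hardened pattern: one fixed message for every request. Whether a mail is
# actually queued is decided server-side and never reflected back to the caller.
RESET_MESSAGE = "If an account exists for that address, we'll email a password reset link."


def safe_reset(email: str, users: Dict[str, int],
               outbox: List[Tuple[str, str]]) -> str:
    # Generate the token on every path, hit or miss, so the handler does the same
    # work either way and its timing gives away as little as its text does.
    token = secrets.token_urlsafe(32)
    if email in users:
        outbox.append((email, token))   # assumption: a list stands in for the mail queue
    return RESET_MESSAGE


# A check to run against your own handler: submit one address you know is registered
# and one you know is not, and see whether the visible response differs.
def leaks_account_existence(handler: Callable[[str], str],
                            known: str, unknown: str) -> bool:
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_account_existence(
        lambda e: leaky_reset(e, USERS), "alice@example.com", "nobody@example.com"))
    print("safe handler leaks:", leaks_account_existence(
        lambda e: safe_reset(e, USERS, []), "alice@example.com", "nobody@example.com"))
```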

 

Scotch Box – Dead simple Web Development

In this series, I’ll demonstrate some of the web development tools I use. Today we’ll cover Scotch Box — a virtual development environment for your local machine.

Many people begin development by working directly on live, production web servers. Sometimes they’ll work in a sub-directory or a different URL. However, there are several drawbacks to this approach.

  1. Performance: Every update of your files requires them to be sent over the internet, and equally your tests also need to come back over the internet. While each of these is probably only an extra second of latency for each file, it can quickly add up over the lifetime of development.
  2. Security: Let’s face it, development code isn’t the most secure out of the gate. I was recently developing a custom framework and, while writing the code to display images, introduced a bug that would dump any file to the browser, even PHP code or environment variables.
  3. Debugging: Debugging tools such as Xdebug shouldn’t be installed on production servers, as they can accidentally expose sensitive data.
  4. Connectivity: You must be connected to the internet to develop: no internet connection, no development.

So for most of my projects, I develop first on my laptop. But instead of installing a full LAMP stack on my desktop (with a database and web server running full time in the background), I use a virtual machine through Oracle’s free VirtualBox hypervisor. And instead of having one virtual machine host multiple projects, which might have different development needs (specific PHP versions, databases, etc.), I spin up a new virtual instance for each project. This is made super easy through a tool called Vagrant. As they say:

Development Environments Made Easy

This post assumes you already have both Oracle’s VirtualBox and Vagrant installed on your local machine.

My favorite development stack is Scotch Box — perhaps this is because I love scotch, but more likely because it’s (in their own words): THE PERFECT AND DEAD SIMPLE LAMP/LEMP STACK FOR LOCAL DEVELOPMENT

It’s three simple command line entries and you get access to:

  • Ubuntu 16.04.2 LTS (Xenial Xerus) OS
  • Apache Web Server
  • PHP v7.0
  • Databases: MySQL, PostgreSQL, MongoDB, SQLite
  • NoSQL/Cache: Memcached, Redis
  • Local Email Testing: MailHog
  • Python v2.7
  • Node.js
  • Go
  • Ruby
  • Vim
  • Git
  • Beanstalkd
  • And much more.

Within PHP it includes tools like Composer, PHPUnit and WP-CLI. Also, since this is designed for development, PHP errors are turned on by default. It works with most frameworks out of the box, with the exception of Laravel, which needs just a bit of tweaking. All major CMSs are supported, such as WordPress, Drupal and Joomla.

And if you want access to more updated versions, such as PHP 7.2 or Ubuntu 17.10.x, you can pay just $15 for their pro version which comes with so much more!

So how do you install it?

  • From the command line, go to your desired root directory, such as Documents
  • git clone https://github.com/scotchio/scotchbox myproject
  • cd myproject
  • vagrant up (learn how to install Vagrant)

You can replace “myproject” with whatever you want to name this specific development project.

After you run “vagrant up” it will take several minutes to download what it needs from the internet. Then you’ll be all set. You can browse to http://192.168.33.10/

For shell access SSH to 127.0.0.1:2222 with the username of vagrant, and password of vagrant.

You’re all set.

Configuring a basic Road Warrior OpenVPN Virtual Private Network Tunnel

If you’re a road warrior like me, you’re often accessing the internet from insecure hotspots. All traffic that traverses an open wireless connection is subject to inspection, but furthermore, even on untrusted secured wireless networks, your activity is subject to monitoring by whoever provides the internet connection (trusted or otherwise), as well as by ISPs, etc.

To help keep what you’re doing private, I suggest always using a secure VPN tunnel for all your roaming activity. This guide will show you how to set up your own VPN tunnel using Linode for only $5 per month! That’s right: why pay a third-party company more for your privacy, when you get unlimited usage for yourself and whoever else you decide to give access to?

Now to be clear upfront, the purpose of this setup is to provide secure tunneling when you’re on the road on untrusted networks such as hotels or coffee shops. Some people use VPNs for general internet privacy, which this setup will NOT provide. It does, however, allow you to appear to be connecting to the internet from another geographical location. Linode has 8 datacenters, spanning the US, Europe, and Asia Pacific, so you can configure it so that it appears you’re connecting from a different location than where you actually are. There are other benefits too, such as giving you a fixed WAN IP address: when you’re configuring security for your services, you can lock down access to that specific remote IP. Think of only allowing remote connections to your server/services/etc. from a single IP address. That provides much stronger security than leaving remote access open.

Let’s get started with the configuration:

This post assumes you already have a basic Linode set up. Here is how to install the OpenVPN server in a very simple way; these instructions will work with any Ubuntu Linux server. Leave comments if you’d like a full setup guide and I’ll put it together for you.

  1. Remotely connect to your server (such as SSH)
  2. Login as root (or someone with sudo rights)
  3. Run the following from the command prompt:
    wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
  4. When prompted I suggest the following configuration:
    1. UDP (default)
    2. Port 1194 (default)
    3. DNS of 1.1.1.1 (see this link for more info)
    4. Enter a name for your first client; this is unique for each client. For example, I’ll call my first one Laptop
  5. The file is now available at /root/ under the filename equal to the client name you specified in step 4.4 — in our example /root/Laptop.ovpn
  6. Download that file to your local computer using the transfer method best for your system:
    1. Linux/macOS: use scp
    2. Windows: use WinSCP
  7. You’ll want to download the OpenVPN client from https://openvpn.net/community-downloads/
  8. Install the Laptop.ovpn file you downloaded into the OpenVPN client. For Windows, right-click on the systray icon and choose Import > From file. Choose the Laptop.ovpn file you copied from the server. After you choose the file it might take a minute or so, and you should see a notice that the file was imported successfully. Check the systray icon again and you’ll now see the server WAN IP address listed. Simply click that IP address, then Connect, and you’re all set.
    1. The first time you initiate a connection you may be prompted to trust this unverified connection; this is because you’re using a self-signed certificate. For basic road warriors, this is sufficient. If you’re a corporate IT department, you might want to consider using your own certificate, either publicly trusted or enterprise certs.

To add more clients, simply repeat steps 1-3 above; at step 4 you’ll only be prompted for the client name. Do this for every device and/or user that needs to remotely access this server. I use a separate key for my laptop, phone, and tablet. If they’ll be connected at the same time, you’ll need separate keys. You can also run through the same steps to revoke certificates, so make sure you name them something logical, such as myAndroid, kidsiPhone, wifesLaptop, etc.

Enjoy!

Configure Plesk as OpenVPN Server with Windows 10 as Client

Plesk is a powerful web server management tool. Among the included features is an OpenVPN server, so when you’re working remotely you can connect directly to your server over a tunnel. This can be very helpful if you’re a developer who works from insecure locations like a Starbucks coffee shop. The instructions provided by Plesk are not really clear on this topic, or at least not fully up to date, and the included client download package is a legacy version of the OpenVPN client.

TL;DR: if you’re the only person who manages both the Plesk server and uploads files, and you want a really secure setup, read on. Otherwise, you can just stop here, because this is NOT going to give you any real-world benefits.

As of the writing of this post, Plesk only supports a single remote host at a given time, and if you configure multiple devices they all use the same encryption key. Additionally, you’re limited to traffic intended for the Plesk server directly; it does not route traffic more broadly within either the server LAN or to the WAN. This results in a network configuration known as split tunneling, meaning only traffic for the remote server is sent over the tunnel and all other traffic still goes out your own internet connection. So the net result is a secure connection just to your Plesk server, but nothing else. If you’re already using FTPS and SSH, then this really provides NO benefit for you. There are feature requests to extend the Virtual Private Network features of Plesk, but as of this writing, they have not been implemented.

Also, because technology changes quickly, please note that this documentation is based on the following software versions:

  • Plesk Onyx Version 17.8.11 Update #38
  • OpenVPN Windows Client 2.5.0.136 (link)
  • Windows 10 Enterprise, Version 10.0.17134.523

Let’s get started on how to configure the OpenVPN Server.

  1. Start by installing the Plesk Extension: Virtual Private Networking
  2. Then open the Extensions shortcut via the navigation pane > Virtual Private Networking.
  3. On the Preferences page that opens, specify the following parameters:
    1. Remote Address: leave this blank, as you’re intending to remotely connect TO the Plesk server.
    2. Remote UDP port: you can leave this field blank if you have not specified the remote address above.
    3. Local UDP port: your server will listen for incoming VPN traffic on this local UDP port. The default port is 1194.
    4. Local peer address and Remote peer address: usually leave the defaults. This needs to be a separate address space from both the existing WAN and LAN of the server, and ideally should not overlap with the local IP address range you’ll be connecting from either.
    5. Click OK.
  4. The Plesk VPN component is initially disabled. To use the VPN functionality, enable the component by clicking the “Switch On” button.
  5. Click on “For a Windows Client” button to download the package. BUT DO NOT use the OpenVPN client included.
  6. Extract the package to any location.
  7. Open the extracted files and copy the vpn-key file to your C:\ directory
  8. Then open the openvpn.conf file using any text editor, such as Notepad or my preferred editor, Notepad++
    1. Change the line: secret system/vpn-key
      To read: secret c://vpn-key
    2. Save the file as openvpn.ovpn
  9. Then move the file from its current location to C:\. In Windows 10, security permissions usually prohibit you from saving directly into the C:\ directory.
  10. From the start menu, run OpenVPN Client — not the OpenVPN GUI.
  11. Right-click on the sys-tray icon and select Import > From File. Point it to your c:\openvpn.ovpn file
  12. In a few seconds (but not immediately), it will show the VPN in the listing when you right-click on the OpenVPN Client sys-tray icon. Click on the Plesk Server, then select Connect.

You should be all set, and you can test your connection by pinging your server from the command line at the IP address selected above, typically 172.16.0.1. If the ping succeeds, your VPN is set up properly. You can also go to http://www.WhatIsMyIP.com and verify that all other web traffic is routing through your local internet connection and not your server.

You’re now configured to access your server over the VPN tunnel.

Now, you’ll need to access your Plesk server using that IP address, which can itself be problematic. Sure, FTP/FTPS to 172.16.0.1 will work just fine, but if you try to navigate to the Plesk web console at https://172.16.0.1 you’ll get a certificate error, because the certificate is issued for the FQDN (Fully Qualified Domain Name), such as Plesk.example.com

You could modify your hosts file, but then you’ll have all sorts of problems connecting when you’re not connected via the VPN tunnel.

So this begs the question: why even bother with this? The only reason I can think of is if you’re using Plesk as a GUI for managing your web servers and you want to really keep the server closed off. With the VPN set up, you can close down the FTP/FTPS ports, as well as the Plesk ports like 8443, to the outside world. It creates a much more secure setup and is a good idea if you’re the only one who is going to manage this server. But otherwise, if other people need to use FTP or the console, there is no reason to implement this.

PuTTY – Accessing a Linode Server

PuTTY is a free and open source SSH client for Windows and UNIX systems. It provides easy connectivity to any server running an SSH daemon, so you can work as if you were logged into a console session on the remote system.

  1. Download and run the PuTTY installer from here.
  2. When you open PuTTY, you’ll be shown the configuration menu. Enter the hostname or IP address of your Linode. PuTTY’s default TCP port is 22, the IANA-assigned port for SSH traffic. Change it if your server is listening on a different port. Name the session in the Saved Sessions text bar if you choose, and click Save:

    Saving your connection information.

  3. Click Open to start an SSH session. If you have never previously logged into this system with PuTTY, you will see a message alerting you that the server’s SSH key fingerprint is new, and asking if you want to proceed.

    Do not click anything yet! Verify the fingerprint first.

  4. Use Lish to log in to your Linode. Use the command below to query OpenSSH for your Linode’s SSH fingerprint:
    ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub

    The output will look similar to:

    256 MD5:58:72:65:6d:3a:39:44:26:25:59:0e:bc:eb:b4:aa:f7 root@localhost (ED25519)

    Note: for the fingerprint of an RSA key instead of an elliptic curve key, use: ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub.
  5. Compare the output from Step 4 above to what PuTTY is showing in the alert message in Step 3. The two fingerprints should match.
  6. If the fingerprints match, then click Yes on the PuTTY message to connect to your Linode and cache the host fingerprint.

    If the fingerprints do not match, do not connect to the server! You won’t receive further warnings unless the key presented to PuTTY changes for some reason. Typically, this should only happen if you reinstall the remote server’s operating system. If you receive this warning again from a system you already have the host key cached on, you should not trust the connection and investigate matters further.
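As an added check that is not part of the original post, this Python snippet compares the MD5 fingerprint printed by ssh-keygen with the one shown in PuTTY’s alert, and reproduces the ssh-keygen -E md5 calculation from a public key line. The ssh-keygen line is the one quoted above; the PuTTY alert texts and the public key line are constructed.

```python
import base64
import hashlib
import re
from typing import Optional

# An MD5-style fingerprint: 16 hex byte pairs joined by colons, the form printed by
# "ssh-keygen -E md5 -lf" and shown in PuTTY's host key alert. The look-around guards
# stop a match from starting or ending inside a longer run (e.g. the "D5:" of "MD5:").
_FP_RE = re.compile(
    r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}(?![0-9a-fA-F:])")


def extract_md5_fingerprint(text: str) -> Optional[str]:
    """Return the first MD5 fingerprint in text, lower-cased, or None if there is none."""
    match = _FP_RE.search(text)
    return match.group(0).lower() if match else None


def fingerprints_match(keygen_output: str, putty_alert: str) -> bool:
    """True only when both texts carry a fingerprint and the two are identical."""
    expected = extract_md5_fingerprint(keygen_output)
    presented = extract_md5_fingerprint(putty_alert)
    return expected is not None and presented is not None and expected == presented


def md5_fingerprint_of_pubkey(pubkey_line: str) -> str:
    """Reproduce 'ssh-keygen -E md5 -lf' for one 'type base64-blob comment' line:
    MD5 over the base64-decoded key blob, formatted as colon-separated hex."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# The ssh-keygen line quoted in the post, plus constructed PuTTY alert texts.
KEYGEN_OUTPUT = "256 MD5:58:72:65:6d:3a:39:44:26:25:59:0e:bc:eb:b4:aa:f7 root@localhost (ED25519)"
PUTTY_ALERT_OK = "ssh-ed25519 256 58:72:65:6d:3a:39:44:26:25:59:0e:bc:eb:b4:aa:f7"
PUTTY_ALERT_BAD = "ssh-ed25519 256 58:72:65:6d:3a:39:44:26:25:59:0e:bc:eb:b4:aa:00"
# Constructed public key line; the blob is a short placeholder, not a real key.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed@example"

if __name__ == "__main__":
    print("match:", fingerprints_match(KEYGEN_OUTPUT, PUTTY_ALERT_OK))
    print("mismatch:", fingerprints_match(KEYGEN_OUTPUT, PUTTY_ALERT_BAD))
    print("fingerprint of sample key:", md5_fingerprint_of_pubkey(SAMPLE_PUBKEY))
```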

How to compress files and directories on Ubuntu

One of the most common ways to quickly and effectively compress files on a Linux server such as Ubuntu is the combination of tar and gzip. When moving directories between servers, this is far faster to compress, transfer and expand than a raw transfer of the individual files.

Here is an example of how I used the command recently to move some files between web hosting servers.

Source server:

tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

Then using normal FTP I copied this file to my local machine before uploading it to my destination server.

Destination server:

tar -xzvf name-of-archive.tar.gz

Some mail server networking best practices

I was reminded this week about the importance of some good best practices when handling the networking portion of a mail server. While a server or Exchange administrator will do a great job handling all of the best practices of configuring the software itself, it is not uncommon for the networking portion to be overlooked. Here is a summary of a few networking and firewall related best practices:

  • Your mail server should be NATed to a public IP address different from the one used for your general internet traffic. This ensures that malicious activity on your general internet traffic, an infected PC, or even a guest system does not impact your ability to send email. If a guest laptop on your wireless network has a virus and is sending out spam, it might get your IP address blacklisted, and that would cascade onto your mail server. With a public IP address dedicated to your mail server, you can be assured that if you’re blacklisted, it is because of traffic through your mail server and not from another source.
  • Block outbound port 25 from everything except your mail server. In general, the only device that should be sending mail outside of your network is your mail server, and if another device needs to send email, such as your MFP or another appliance, it should relay through your mail server rather than sending out directly.
  • If you are using some form of hosted inbound spam or mail filtering, such as MXLogic or Reflexion, you should filter your inbound port 25 traffic by source IP, or better yet, consider using an alternate port. If you don’t lock this down, it permits people to bypass your hosted filtering and send spam directly to your mail server.
  • Ensure that your firewall has application-aware protection in place for SMTP traffic. However, if you have an older Cisco PIX firewall and an Exchange mail server, consider turning FIXUP off for SMTP, since there is a long history of documented problems.
  • Be on the lookout for a mail administrator who assigns a public IP address directly to the mail server, thereby bypassing the firewall or other edge protection. If they really want to dual-home the mail server, have them place it in a DMZ instead.

Enjoy

DHCP Server Logs

There have been several instances where I have been trying to troubleshoot DHCP issues live, or other cases when I needed to know which computer had a specific IP address in the past. A useful way to find this information is to view the DHCP server logs. The server keeps only the past 7 days of logs, but through backups you can actually go back to any point in time.

The logs are located at C:\Windows\System32\dhcp

The logs are named dhcpsrvlog-mon, dhcpsrvlog-tues, etc. (you get the idea). There is also a separate set of logs for DHCPv6 (IPv6) addresses.
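As an added example (not from the post), a small Python parser that answers the “who had this IP address” question from those audit logs. It assumes the standard comma-separated layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...) with US-style mm/dd/yy dates, and the records it reads are constructed sample data.

```python
import csv
from datetime import datetime
from io import StringIO
from typing import List

# Assumed layout of a DhcpSrvLog-*.log file: a short text preamble, then one CSV
# record per line whose first seven columns are ID, Date, Time, Description,
# IP Address, Host Name and MAC Address. Dates are assumed to be US-style mm/dd/yy.
# Everything below is constructed sample data, not a log from a real server.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/11/19,00:00:03,Started,,,,
10,03/11/19,08:15:02,Assign,192.168.1.50,LAPTOP-A.example.local,001122334455,
11,03/12/19,08:10:44,Renew,192.168.1.50,LAPTOP-A.example.local,001122334455,
12,03/13/19,17:02:10,Release,192.168.1.50,LAPTOP-A.example.local,001122334455,
10,03/14/19,09:00:01,Assign,192.168.1.50,PRINTER-2.example.local,AABBCCDDEEFF,
10,03/14/19,09:05:17,Assign,192.168.1.51,PHONE-7.example.local,0A0B0C0D0E0F,
"""

# Event IDs that change who holds an address (assumed meanings, per the log's own legend).
LEASE_EVENTS = {"10": "Assign", "11": "Renew", "12": "Release"}


def parse_dhcp_log(text: str) -> List[dict]:
    """Return one dict per lease-related record, skipping the preamble and header."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue                       # preamble text, blank lines, header row
        event_id = row[0].strip()
        if event_id not in LEASE_EVENTS:
            continue                       # service start/stop, DNS updates, etc.
        when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        records.append({"when": when, "event": row[3], "ip": row[4],
                        "host": row[5], "mac": row[6].lower()})
    return records


def who_had_ip(text: str, ip: str) -> List[dict]:
    """Chronological history of the hosts and MACs that held `ip`, per the audit log."""
    hits = [r for r in parse_dhcp_log(text) if r["ip"] == ip]
    return sorted(hits, key=lambda r: r["when"])


if __name__ == "__main__":
    for r in who_had_ip(SAMPLE_LOG, "192.168.1.50"):
        print(r["when"], r["event"], r["host"], r["mac"])
```

To search a real server, read each DhcpSrvLog-*.log file (and the backups for older dates) and pass its text to who_had_ip.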

Also, along those lines, don’t blindly trust the DHCP lease active/inactive status as indicated in the DHCP console. Sometimes a reservation is used for a device that is set statically, so DHCP will show it as inactive while the address is actually in use. Conversely, it might show active even though the device isn’t properly receiving an IP address.

Enjoy!

Cisco terminal length 0 and –more–

From time to time I just need to perform a simple dump of a configuration file from a Cisco IOS device for backup or review purposes, such as from a router or switch. However, for switch stacks or complex configurations the configuration file can be long, and when using something like PuTTY to log all the terminal/SSH output to a file, there is no need to keep pressing a key at every --more-- prompt. To avoid this, you can simply enter:
terminal length 0
at the enable (#) prompt. From there you will no longer see page breaks; instead the entire configuration file scrolls out to you. This also avoids the need to go back and find/replace the --more-- markers in a dump.

Enjoy!
