Mostly Harmless

Mostly about my amusement


Firefox and TLS

Firefox is weird. In a forum conversation (which went way off topic, but that’s alright) the following was reported to me: when you visit my site in Firefox, you get a warning about it being insecure.

Huh. That’s odd and a little embarrassing. I mean, I’m a network security professional so you can see how that would be awkward. 😉

So I looked at my site on the Qualys SSL Labs page and the result was good. Firefox still didn’t like my site, though.

A few weeks ago I was playing with my nginx config and something I did made Firefox unhappy. I’m pretty sure I munged the cipher suite in my poking and prodding.

Fair enough. I’ve used the configs from a site that does work in that browser, and tonight I’ll play around to see what I broke. In the meantime my site is encrypted and viewable in Firefox.


Confirmed: I’m not getting the PC back anytime soon

This may fall under the category of “bad parenting” but probably not. I hope not. Just don’t tell Lily, OK?

My daughter saw all of the fun her brother has playing Team Fortress 2 and wanted in on the action. The kitchen iMac doesn’t play games very well but my PC does. So I set her up on an account there, logged her into Steam and the rest was history.

She picked up TF2 quickly. Then she saw that she could play Borderlands 2, Torchlight II, Portal 2 (is there a “two” thing going on?) and spent hours on the PC.

Her normal activity is drawing on the iPad. She’s really good and has developed a real skill. Video games are normally the domain of her brother. But they seem to like playing on the same TF2 server. When they’re on the same team she plays the medic and supplies health to the other players. When she’s on a different team she plays the scout.

She spent the whole evening playing and I had no clue. It wasn’t till I went to turn off the light in the office that I saw her. Her mother would not be happy had she walked into the room.

There is hope that she has inherited Lily’s Adult Supervision™ genes. I told her that I’d get a third PC for her, probably from Costco. Her answer?

That’s wasteful. I can share yours when you are not using it.

I have no idea where she picks that stuff up. I’ve certainly never encouraged that sort of behavior.


I might be overthinking my son’s TF2 server

My son plays Team Fortress 2 a great deal and wanted to host his own server with mods for him and his friends to play on. Rather than using his PC for that I created an account for him on the Linux basement server.

I downloaded the Linux dedicated server, did a little port forwarding, wrote a few small scripts with screen and POOF! He can now run and manage his own TF2 server. I need to email him some troubleshooting steps but it’s pretty basic, even with SourceMod. It works.

Except I’m using FIOS and my IP address changes from time to time. The basement server does update its DNS entry via Namecheap, but TF2 favorites work by IP address.

When the address changes the port forwarding still works but my son’s friends can’t find the server. The IP address changed and their favorite is gone. That sucks.

iptables to the rescue

I happen to have a fixed IP address on the Internet: this web server. I don’t have to run the dedicated server on my VPS, I just have to forward TCP and UDP port 27015 to the FIOS router.

  1. My basement server keeps the dynamic DNS name updated with the external IP address.
  2. My web server runs a script every hour to see if the IP address for that DNS entry has changed.
  3. If it did change, the script deletes just the old iptables rules and re-adds them with the new IP address.

I found a useful bash script for targeting specific rules in named sections of iptables. Why re-invent the wheel? 😉

Here’s the script.

I registered the server on Gametracker and the banner works fine.

It works: even though the server’s actual IP address changes, this lets others find my server. I only change my web server’s host once every few years, so this will remain in place for a long time.

They like Minecraft maps. I don’t know why but that’s alright.



HG Char’s Zaku II Origin Version

Last weekend I completed assembling a 1/144 scale Zaku II model and today I quickly detailed it and applied some decals. Here are some photos of the completed model.

It’s a nice Zaku II. I’ll build a Master Grade model next.

Another Char’s Zaku II model

I completed the assembly of the HG Char’s Zaku II (Origin version). It came out OK and the parts have a lot of detail. It’s a 1/144 scale version and didn’t take long to put together.


The next thing I’ll do is add detail lines and the decals.


How to use UpdraftPlus when The Bad Thing™ happens

I am in the process of handing over a site to someone who hasn’t used WordPress before and doesn’t necessarily know where everything lives and how it works. I thought it would be a good idea for me to document how to use the free UpdraftPlus plugin.

I use the commercial version of this plugin because it is fire-and-forget for my multisite installation. But if you are running a standalone installation of WordPress then the free version is a suitable option.


Wait a minute. Beyoncé is black?

Oh, Saturday Night Live. Sometimes you miss, but with this one you’re right on target.

I should start DVR’ing this season.

Did I mention I like WP-CLI?

I’ve written praise for wp-cli before but it’s a toy that will never get old for me.

I was working on this problem for a friend and needed to create a test multisite installation. I have a domain I can use aside from my main one, so I set up another nginx virtual host, set up the DNS entries and used Let’s Encrypt to obtain legitimate X.509 certificates.

For creating the DB and WordPress config I used CLI commands.

$ mysql -u root -p

create database leeloodallas;
grant all privileges on leeloodallas.* to 'brucewillis'@'localhost' identified by '5oM3U36ul$tringH3re';
flush privileges;
exit;

$ wp core download

$ wp core config --dbname=leeloodallas \
--dbuser=brucewillis \
--dbpass='5oM3U36ul$tringH3re' \
--extra-php <<PHP
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
PHP

$ wp core install --admin_user=yourlogin \
--admin_password=Y3a2n0tHaP3n1ng \
--admin_email=you@example.com \
--url=blog.dn7.me \
--title="Leeloo Dallas Multisite"

$ wp core multisite-convert --subdomains

Yes, all the passwords and IDs are changed.

When I get into deep water (and I did) I just rm -rf * in the virtual host’s directory, run drop database leeloodallas; in mysql, and do it all over again.

The only thing different from other times is the wp core multisite-convert --subdomains command. I already have cookie-cutter nginx configs and DNS is fire and forget. Once I had the vhost set up, the Let’s Encrypt commands (also scriptable) were trivial.

WP-CLI is cool and scripting this is such a time saver.

“I’m not Matt”

This is my new favorite thing today.

I would pay money to see the next State of The Word with stormtroopers on stage. 😉

2FA should be built into WordPress core

Does email work with your WordPress installation? When someone leaves a comment on your blog, or your WordPress installation automatically updates to a minor version (such as from 4.4 to 4.4.1), do you get that email?

You did get those emails? Great! Now go install and activate the Two Factor Authentication plugin maintained by George Stephanis. I’ll wait.

Now that you have done that, in the top right corner of your dashboard is a “Howdy, User” link. Click that and select Edit My Profile. Scroll down on your profile page and enable the first two options: “Email” and “Time Based One-Time Password (Google Authenticator)”.


I made Google Authenticator my primary means of logging in. I keep the app on my password-protected iPhone; it’s a one-time password (OTP) generator and it doesn’t need access to Google to work. It’s time-based, after all.

What is two factor authentication (2FA)?

2FA is a means to increase confidence, when you log in, that you are in fact who you say you are.

When you log into WordPress, you use an ID and password. The security is in the password, which should be along the lines of “gHJjgbtjXa9FLyGkhaHR0o” (mine came courtesy of my 1Password app). That password is one factor of authentication: your password is something that you know.

The second factor is what you have in your possession. In my case it’s the Google Authenticator app on my iPhone.

When I log into my WordPress site I am prompted for my username and password. Once that is successful I am then asked for my authentication code.


I get that code from my app. If that does not work, I click on the backup method and soon get a code via email. I enter that code and I am in, which is why I asked whether mail works at the beginning of this post.

Mail needs to work. So does good time keeping.

My multisite installation is on a VPS and I run NTP. I have to, because on a VPS the time will drift (on anything, really), and if my server’s time is far enough out of sync then my OTP will not work. Or my phone could be dead, but I can still access my email.

By configuring email as a fallback I have another way to get into my installation. That emailed code is good until it’s used or replaced, and it can get you out of a bind.
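How the time-based code and the drift tolerance actually work, as an added example in Python (this is not the Two Factor plugin’s code): HOTP and TOTP per RFC 4226 and RFC 6238, with a verify() that accepts codes from the neighbouring time steps, so a small clock offset between phone and server is tolerated, and rejects them once the offset exceeds that window, which is the failure NTP prevents. The 30-second step, six digits and ±1-step window are common defaults assumed here, not values taken from the plugin; the secret used in the demo is the RFC test secret. The email fallback is not modelled.

```python
"""TOTP generation and verification with a clock-skew window.

Added example, not the Two Factor plugin's code. Step size, digit count and
skew window are common defaults, assumed here rather than taken from the plugin.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # code length shown by the authenticator app
SKEW = 1     # accept codes from this many steps before and after "now"


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP):
    """TOTP (RFC 6238): HOTP with the counter taken from the clock.

    Phone and server compute the same counter only while their clocks agree
    to within a step, which is why the server needs NTP."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)


def verify(code, secret, at=None, skew=SKEW, step=STEP):
    """Accept CODE if it matches any step within +/- skew of the server's time.

    With skew=1 and step=30, an offset of up to 30 seconds always passes and
    one beyond 60 seconds always fails. Every candidate is compared with
    compare_digest, and all of them are checked, so timing does not reveal
    which step (if any) matched.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    matched = False
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            matched = True
    return matched


def secret_from_base32(text):
    """Decode the base32 secret carried by the enrolment QR code
    (spaces and lowercase tolerated, padding restored)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test value), not a real one.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    print("code now:", totp(demo, now))
    print("server 20 s slow, accepted:", verify(totp(demo, now), demo, now - 20))
    print("server 90 s slow, accepted:", verify(totp(demo, now), demo, now - 90))
```

The last two lines of the demo are the NTP point in miniature: a server 20 seconds behind the phone still accepts the code, one 90 seconds behind rejects every code the phone produces.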

2FA needs to be built into core

Having 2FA in WordPress as a built-in option moves the security bar farther. It increases the security posture for users, and if it’s an option that is easy to set up, then users will adopt it.

Yes, it will take some education for people to use it properly but that is not insurmountable.

In the past, users would install WordPress and forget to maintain it. The other day I came across a 3.5.2 installation. That was released in July 2013. In Internet years that’s ancient and there are several known exploits out there. The 3.5.x code isn’t maintained.

As of version 3.7, minor release updates are turned on automatically by default. If you installed 3.7 and did not do anything else, then as of today you are, or shortly will be, running 3.7.12. Major version upgrades are not automatic, so 3.7.x will not update to 3.8 or even to the current 4.4.1. The major versions need to be updated by the user initiating that upgrade, although some forward-thinking hosts will do it for you anyway.

Automatic updates are a result of the developers wanting the environment to become more secure. Unpatched WordPress installations were the cause of compromised sites that sent spam, spread spammy links and made the Internet neighborhood a worse place to be.

It also gave WordPress an unjustifiable reputation for being insecure because users did not maintain their code.

Having 2FA is similar to enabling TLS on your WordPress installation. If your server supports HTTPS, just update your Site URL and WordPress Address, perform a little search and replace of the old http:// references to their https:// versions, and you are done. More and more sites are defaulting to https because it’s easy.

2FA is like that: it’s a step in the direction of users taking their security into their own hands. It’s educational too, meaning that once it’s set up and working you’ve learned something new.

What about the Support Team’s concerns?

Mika Epstein, myself and others expressed reservations, not about having 2FA built into WordPress (we like this idea), but along the lines of “How can we walk the user through disabling 2FA if they bork it badly?”

The idea we expressed was that this should be enabled by editing the wp-config.php file by hand, just as you have to do when you enable multisite. If you can do that successfully then you are technical enough for 2FA. The words I used were “you need to be this tall to enable this feature”.

I don’t think that anymore. If someone’s email is working then they can get back into their installation with the emailed access code.

What I’d like to avoid is the situation that exists with password resets. If you look at the WordPress Codex article about resetting your password then you may understand.

For manual password resets I encourage users to add a line to their theme’s functions.php file, but that can be dicey. If they typo that file they can break their whole site. That’s still more appealing to me than trying to walk a user through using phpMyAdmin.

Manual password resets are difficult for regular users. If they can enable 2FA and have a not-too-difficult way to disable it, then any reservations I’ve had are gone. I know this is being worked on and I would really like to see it properly put into WordPress 4.5.

It’s something that can make the Internet neighborhood a more secure place to be.

