Disable SSLv3 on Nginx to prevent #POODLE vulnerability

In the wake of the POODLE vulnerability discovered in SSLv3, a surprising number of people are not sure how to disable SSLv3. So here is how to do it.

In your Nginx SSL configuration, find the line that lists the protocols. Check every server block that has SSL enabled (nginx.conf as well as the files under sites-enabled), because the directive can appear in more than one place and a server-level setting overrides the global one. It will be something like this:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Remove SSLv3 from it and make it

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then test the configuration and reload Nginx; the change is not live until you do.

Two caveats. If a server block has no ssl_protocols line at all, do not assume you are safe: Nginx releases before 1.9.1 enable SSLv3 by default, so add the directive explicitly. And once SSLv3 is gone, clients that cannot speak any TLS version (Internet Explorer 6 on Windows XP is the usual example) will no longer be able to connect, which is the trade you are making.

That is all.

This is not relevant if you aren’t using SSL, of course.
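As an added example (not part of the original post), a POSIX shell script that audits a configuration file the way the steps above do by hand: it prints the active ssl_protocols directives, reports whether any still lists SSLv2 or SSLv3 (or whether the directive is missing altogether, which on Nginx before 1.9.1 also means SSLv3 is on), and writes a copy with those tokens removed. The file names in the usage line are assumptions and the configurations in the test are constructed; the openssl and nginx commands in the comments are the live checks to run after reloading.

```sh
#!/bin/sh
# Added example: audit and fix ssl_protocols in an Nginx config file.
# Usage: sh sslv3check.sh /etc/nginx/nginx.conf [fixed-output.conf]

# Print the value of every active (uncommented) ssl_protocols directive in FILE,
# one per line. Comments are stripped first so a commented-out line is ignored.
nginx_ssl_protocols() {
  sed -e 's/#.*$//' "$1" \
    | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p'
}

# Exit status: 0 = SSLv2/SSLv3 still enabled, 1 = only TLS listed,
# 2 = no directive found (Nginx before 1.9.1 then enables SSLv3 by default).
nginx_allows_sslv3() {
  protos=$(nginx_ssl_protocols "$1")
  [ -n "$protos" ] || return 2
  printf '%s\n' "$protos" | grep -Eiq '(^|[[:space:]])SSLv[23]([[:space:]]|$)'
}

# Write a copy of IN to OUT with SSLv2/SSLv3 removed from each ssl_protocols
# directive. The substitution runs twice because removing one token consumes
# the space in front of the next. A directive that listed only SSLv2/SSLv3 is
# rewritten to the TLS set rather than left empty, which Nginx would reject.
nginx_strip_sslv3() {
  sed -E \
    -e '/^[[:space:]]*ssl_protocols[[:space:]]/ s/[[:space:]]+SSLv[23]([[:space:]]|;)/\1/g' \
    -e '/^[[:space:]]*ssl_protocols[[:space:]]/ s/[[:space:]]+SSLv[23]([[:space:]]|;)/\1/g' \
    -e 's/^([[:space:]]*ssl_protocols)[[:space:]]*;/\1 TLSv1 TLSv1.1 TLSv1.2;/' \
    "$1" > "$2"
}

# After editing, test and reload, then confirm from the outside that an
# SSLv3-only handshake is refused (expect "handshake failure"; a successful
# session means SSLv3 is still on). OpenSSL builds compiled without SSLv3
# support do not accept -ssl3 at all.
#   nginx -t && service nginx reload
#   openssl s_client -connect your.host:443 -ssl3 < /dev/null

if [ "$#" -ge 1 ]; then
  nginx_allows_sslv3 "$1"; rc=$?
  case $rc in
    0) echo "VULNERABLE: SSLv2/SSLv3 enabled in $1" ;;
    1) echo "OK: only TLS enabled in $1" ;;
    2) echo "NO DIRECTIVE in $1: add ssl_protocols explicitly" ;;
  esac
  if [ "$#" -ge 2 ]; then
    nginx_strip_sslv3 "$1" "$2" && echo "fixed copy written to $2"
  fi
fi
```

Run it against every file that contains a server block, not just nginx.conf; an include under sites-enabled that still says SSLv3 wins for that virtual host.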

Google’s guessing games #privacy #humor

Imagine my surprise today when a Google search result showed my location below the search results (nil).

Virar West, Virar, Maharashtra – From your Internet address – Use precise location
 – Learn more

I live in Virar East, so the guess was off by a few kilometers. Curious to see how accurate it gets, I allowed it to use “precise location”.

Result?

Friends Colony, Hallow Pul, Kurla West, Mumbai, Maharashtra – Reported by this computer – Update location
 – Learn more

That would be a few dozen kilometers away with an entire Lok Sabha Constituency lying in between mine and the stated target area’s :p

Moral of the story? If you live in an area barely covered by Google Maps, you’d probably do better activating snooping stuff to obfuscate your location :p

Note: this was funny and an obvious backfiring of “precision” if it added an error that put the location in another district altogether. Your mileage may vary. This is not a serious privacy tip :p


Reset the net – Don’t ask for privacy, Take it back

A long overdue backlash against state spying (and NSA in particular) has some of the biggest websites on the internet joining forces with internet rights activists to unleash an unambiguous message. Don’t ask for privacy, take it back.


Website and application owners are encouraged to adopt strong, encryption-based security measures to prevent spying, and to spread awareness to more people. Here are resources for various security measures against spying. It doesn’t get easier than this. Do it. On the 5th of June, sites participating in the campaign will show splash screens raising awareness.

While the protest is against NSA and US policies, the internet is a world without boundaries, and I do believe that Indians cannot afford to remain disinterested. As power concentrates in fewer and fewer hands, greater resources are spent protecting it from all threats, real and imagined with scant regard for individual and privacy rights.

So I have decided to support the campaign even if it doesn’t protest the Indian government (yet). As some of you may have noticed, all my blogs are now SSL enabled. This will continue. I will be using more security features, and perhaps share how you can get them too (since my ideas are n00b and wallet friendly, I imagine they may help some).

Edward Snowden, whose leaks on government spying became a massive last straw for many, has endorsed the campaign in a must read letter.

“One year ago, we learned that the internet is under surveillance, and our activities are being monitored to create permanent records of our private lives — no matter how innocent or ordinary those lives might be.

Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same. That’s why I’m asking you to join me on June 5th for Reset the Net, when people and companies all over the world will come together to implement the technological solutions that can put an end to the mass surveillance programs of any government. This is the beginning of a moment where we the people begin to protect our universal human rights with the laws of nature rather than the laws of nations.

We have the technology, and adopting encryption is the first effective step that everyone can take to end mass surveillance. That’s why I am excited for Reset the Net — it will mark the moment when we turn political expression into practical action, and protect ourselves on a large scale.

Join us on June 5th, and don’t ask for your privacy. Take it back.”

-Edward Snowden

In other news, Google has released the code for its upcoming “End to End” Chrome plugin offering end to end encryption to prevent email spying. It is also intended to be an easy way to get secure communication for people at risk and thus will carry a burden of having to aim for usability as well as flawless security. The Chrome plugin is currently in the alpha state and Google has released it with an Apache 2.0 licence inviting hackers to find security flaws under its bug bounty programme.

Together with statistics released about the use of encryption in sent and received email via Gmail, Google’s message for today is powerful and straight.

Use encryption to communicate by email.

Other organizations supporting Reset the Net include Reddit, WordPress

WordPress All In One SEO Pack plugin users should upgrade NOW #vulnerability

The Sucuri blog has posted that the All in One SEO Pack plugin had two vulnerabilities they had found earlier, and the just released update fixes both. AISEO users are advised to upgrade as soon as possible.

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

Read more: Vulnerability found in the All In One SEO Pack WordPress plugin

Also, commenter Orun Bhuiyan raises an important security point: the AISEO plugin echoes a generator meta tag containing its version number, exposing both the plugin and the exact version, which makes it easy for attackers to pick out sites running a vulnerable release the moment a flaw like this is disclosed. The tag does not create a vulnerability by itself, but it turns a mass scan into a targeted one. This has been pointed out on several forums, and several plugins have settings to mute generator tags, yet it remains a problematic default, leaving wide swathes of sites visibly vulnerable in the window before updates are applied.
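As an added example (not from the original post or from Sucuri’s write-up), a POSIX shell script that does the reconnaissance Orun Bhuiyan describes against a saved copy of a page: it lists every generator meta tag and flags those that carry a version number. Point it at your own site to see exactly what is being disclosed. The HTML in the test is constructed, not captured from a real site.

```sh
#!/bin/sh
# Added example: list what the <meta name="generator"> tags of a page disclose.
# Usage: curl -s https://your.site/ > page.html && sh generators.sh page.html

# Print the content= value of every generator meta tag in FILE, one per line.
# The page is flattened to one line first so a tag split across lines still
# matches; attribute order and quote style (' or ") do not matter.
html_generators() {
  q='["'"'"']'   # regex class: a double or a single quote
  tr '\n' ' ' < "$1" \
    | grep -oi "<meta[^>]*name=${q}generator${q}[^>]*>" \
    | sed -E -n "s/.*[Cc][Oo][Nn][Tt][Ee][Nn][Tt]=${q}([^\"']*)${q}.*/\1/p"
}

# Exit 0 if any generator tag names a version (contains a digit). That is the
# case worth fixing: a product name alone is far less useful to an attacker
# than name plus version.
html_leaks_version() {
  html_generators "$1" | grep -q '[0-9]'
}

if [ "$#" -ge 1 ]; then
  html_generators "$1"
  if html_leaks_version "$1"; then
    echo "WARNING: $1 discloses software versions via generator tags"
  fi
fi
```

WordPress core’s own tag is removed with remove_action('wp_head', 'wp_generator') in a theme’s functions.php; a plugin that prints its own tag needs its own setting. The version is still visible elsewhere (plugin readme.txt files, the ?ver= query string on enqueued assets), so this reduces exposure rather than removing it.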

Varnish config for wordpress with ngx_pagespeed and wp-touch

This is the Varnish config I am using currently. It is working with wp-touch, pagespeed and wordpress and (bonus) deals with the pagespeed not allowing pages to cache. No time for pretty comments and explanations, here’s the code. I will answer questions, or come back and explain the code in comments – but it is pretty self explanatory.

# Varnish 3 VCL (req.request, error, vcl_fetch and return (lookup) were all
# renamed in Varnish 4, so this will not load unchanged on a newer release).

backend default {
  .host = "127.0.0.1";
  .port = "80";
  .first_byte_timeout = 300s;
}

# Derive the PS-CapabilityList header ngx_pagespeed uses to decide which
# optimizations a client can take, so the cache can be keyed on it.
sub generate_user_agent_based_key {
  set req.http.default_ps_capability_list_for_large_screens = "LargeScreen.SkipUADependentOptimizations:";
  set req.http.default_ps_capability_list_for_small_screens = "TinyScreen.SkipUADependentOptimizations:";

  set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_large_screens;

  # Lazyload
  if (req.http.User-Agent ~ "(?i)Chrome/|Firefox/|MSIE |Safari") {
    set req.http.PS-CapabilityList = "ll,ii,dj:";
  }
  # lazyload_images (ll), inline_images (ii), defer_javascript (dj), webp (jw) and lossless_webp (ws).
  if (req.http.User-Agent ~
      "(?i)Chrome/[2][3-9]+\.|Chrome/[3-9][0-9]+\.|Chrome/[0-9]{3,}\.") {
    set req.http.PS-CapabilityList = "ll,ii,dj,jw,ws:";
  }
  # odd ones
  if (req.http.User-Agent ~ "(?i)Firefox/[1-2]\.|MSIE [5-8]\.|bot|Yahoo!|Ruby|RPT-HTTPClient|(Google \(\+https\:\/\/developers\.google\.com\/\+\/web\/snippet\/\))|Android|iPad|TouchPad|Silk-Accelerated|Kindle Fire") {
    set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_large_screens;
  }
  # mobile
  if (req.http.User-Agent ~ "(?i)Mozilla.*Android.*Mobile*|iPhone|BlackBerry|Opera Mobi|Opera Mini|SymbianOS|UP.Browser|J-PHONE|Profile/MIDP|portalmmm|DoCoMo|Obigo|Galaxy Nexus|GT-I9300|GT-N7100|HTC One|Nexus (4|7|S)|Xoom|XT907") {
    set req.http.PS-CapabilityList = req.http.default_ps_capability_list_for_small_screens;
  }
  # Remove both placeholder headers so they are not forwarded to the backend.
  remove req.http.default_ps_capability_list_for_large_screens;
  remove req.http.default_ps_capability_list_for_small_screens;
}

sub vcl_hash {
  # Block 3: Use the PS-CapabilityList value for computing the hash. Varnish
  # then falls through to its built-in vcl_hash, which adds URL and Host.
  hash_data(req.http.PS-CapabilityList);
}

# Block 3a: Define ACL for purge requests
acl purge {
  # Purge requests are only allowed from localhost.
  "localhost";
  "127.0.0.1";
  # Add your server IP to this list
}

# Block 3b: Issue purge when there is a cache hit for the purge request.
sub vcl_hit {
  if (req.request == "PURGE") {
    purge;
    error 200 "Purged.";
  }
}

# Block 3c: Issue a no-op purge when there is a cache miss for the purge
# request.
sub vcl_miss {
  if (req.request == "PURGE") {
    purge;
    error 200 "Purged.";
  }
}

sub vcl_recv {
  call generate_user_agent_based_key;

  # Varnish is the edge here, so overwrite X-Forwarded-For rather than append
  # to it: a client-supplied value would otherwise reach the backend.
  set req.http.X-Forwarded-For = client.ip;
  set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");

  # Block 3d: Verify the ACL for an incoming purge request and handle it.
  if (req.request == "PURGE") {
    if (!client.ip ~ purge) {
      error 405 "Not allowed.";
    }
    return (lookup);
  }

  # Only GET and HEAD are cacheable; anything else (comment posts, searches
  # submitted by POST) goes straight to the backend. Without this, the explicit
  # return (lookup) at the end would hand a POST to the cache.
  if (req.request != "GET" && req.request != "HEAD") {
    return (pass);
  }
  # Blocks which decide whether cache should be bypassed or not go here.

  # Do not cache the admin and login pages
  if (req.url ~ "/wp-(login|admin)") {
    return (pass);
  }
  // the backend must handle file uploads
  if (req.url ~ "media-upload.php" || req.url ~ "file.php" || req.url ~ "async-upload.php") {
    return (pass);
  }

  // do not cache xmlrpc.php (it goes straight to the backend, cookies included)
  if (req.url ~ "xmlrpc.php") {
    return (pass);
  }

  # Remove the "has_js" cookie
  set req.http.Cookie = regsuball(req.http.Cookie, "has_js=[^;]+(; )?", "");

  # Remove any Google Analytics based cookies
  set req.http.Cookie = regsuball(req.http.Cookie, "__utm.=[^;]+(; )?", "");

  # Remove the Quant Capital cookies (added by some plugin, all __qca)
  set req.http.Cookie = regsuball(req.http.Cookie, "__qc.=[^;]+(; )?", "");

  # Remove the wp-settings-1 cookie
  set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-1=[^;]+(; )?", "");

  # Remove the wp-settings-time-1 cookie
  set req.http.Cookie = regsuball(req.http.Cookie, "wp-settings-time-1=[^;]+(; )?", "");

  # Remove the wp test cookie
  set req.http.Cookie = regsuball(req.http.Cookie, "wordpress_test_cookie=[^;]+(; )?", "");

  # Are there cookies left with only spaces or that are empty?
  if (req.http.cookie ~ "^ *$") {
    unset req.http.cookie;
  }

  if (req.http.Accept-Encoding) {
    # Do not compress already compressed files...
    if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
      remove req.http.Accept-Encoding;
    } elsif (req.http.Accept-Encoding ~ "gzip") {
      set req.http.Accept-Encoding = "gzip";
    } elsif (req.http.Accept-Encoding ~ "deflate") {
      set req.http.Accept-Encoding = "deflate";
    } else {
      remove req.http.Accept-Encoding;
    }
  }

  # Cache the following file extensions regardless of cookies
  if (req.url ~ "\.(css|js|png|gif|jp(e)?g)") {
    unset req.http.cookie;
  }

  # Check the cookies for wordpress-specific items
  if (req.http.Cookie ~ "wordpress_" || req.http.Cookie ~ "comment_") {
    return (pass);
  }
  if (!req.http.cookie) {
    unset req.http.cookie;
  }

  # --- End of WordPress specific configuration

  # Do not cache HTTP authentication and HTTP Cookie
  if (req.http.Authorization || req.http.Cookie) {
    # Not cacheable by default
    return (pass);
  }

  # Block 5b: Only cache responses to clients that support gzip. Most clients
  # do, and the cache holds much more if it stores gzipped responses. Requests
  # for already compressed files had Accept-Encoding stripped above, so they
  # are exempt from this rule.
  if (req.http.Accept-Encoding !~ "gzip" && req.url !~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
    return (pass);
  }

  # Cache all other requests
  return (lookup);
}

# Block 6: Backend response handling.
sub vcl_fetch {
  # For static content related to the theme, strip any cookie the backend tries to set
  if (req.url ~ "\.(css|js|png|gif|jp(e)?g)") {
    unset beresp.http.Set-Cookie;
  }

  # Never store a response that sets a cookie: it can carry one visitor's
  # session and would be served to every other visitor for the next 30 minutes.
  if (beresp.http.Set-Cookie) {
    set beresp.ttl = 120s;
    return (hit_for_pass);
  }

  # A TTL of 30 minutes
  set beresp.ttl = 1800s;

  return (deliver);
}

# Block 7: Add a header for identifying cache hits/misses.
sub vcl_deliver {
  if (obj.hits > 0) {
    set resp.http.X-Cache = "HIT";
  } else {
    set resp.http.X-Cache = "MISS";
  }
}

Ubuntu 13.10 internet very slow “nothing helps” fix

I installed Ubuntu 13.10 on my laptop and went nuts with the laggy laptop. I have 2 GB of memory on it, which shouldn’t be causing such a comatose experience. I installed drivers, tweaked memory, did a hundred things, nothing helped.

Digging around in the innards, I found that /etc/resolv.conf was very strange and was showing localhost as the name server. This couldn’t be right. Digging around, I found that any attempt to put working DNS servers was getting rewritten.

In the end, I found a strange fix. The Network Manager configuration (sudo gedit /etc/NetworkManager/NetworkManager.conf) was using DNS from dnsmasq. Guessing (rightly, as it turns out) that I didn’t need DNS served from my computer (and I have no idea how it would sync it), I commented out that line and restarted Network Manager. It looks like this.

dns=dnsmasq

Commented it out like so

#dns=dnsmasq

Now /etc/resolv.conf is showing the DNS servers it gets from the internet provider.

I have no idea if this is the “right answer”, but if your computer is slow and freezing on using internet, and your /etc/resolv.conf is showing 127.0.1.1 or 127.0.0.1 or something as your dns server instead of proper dns server IPs, it is worth a shot. You can always uncomment it if it doesn’t help.

My computer is running faster, freezing less and hasn’t yet exploded.
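As an added example (not part of the original post), a POSIX shell script for the two halves of this fix: detecting the symptom, a resolv.conf whose only nameservers are loopback addresses, and producing a copy of NetworkManager.conf with the dns=dnsmasq line commented out. It writes to a new file rather than editing in place, so you can diff before copying it over. The file paths are the ones from the post; the file contents in the test are constructed.

```sh
#!/bin/sh
# Added example: spot the loopback-only resolver and disable NetworkManager's dnsmasq.
# Usage: sh nmdns.sh [/etc/resolv.conf] [/etc/NetworkManager/NetworkManager.conf]

# Exit 0 if FILE lists at least one nameserver and every one of them is in
# 127.0.0.0/8, i.e. DNS is being answered by something on this machine.
resolv_uses_loopback() {
  ns=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
  [ -n "$ns" ] || return 1
  if printf '%s\n' "$ns" | grep -vq '^127\.'; then
    return 1   # at least one real upstream resolver is present
  fi
  return 0
}

# Count of active dns=dnsmasq lines in FILE (0 means dnsmasq is off).
nm_dnsmasq_active() {
  grep -Ec '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$' "$1" || true
}

# Write IN to OUT with every active "dns=dnsmasq" line commented out.
# Already commented lines and other dns= settings are left alone, so running
# it twice is safe. Exit 0 if a line was changed, 1 if OUT equals IN.
nm_disable_dnsmasq() {
  sed -E 's/^([[:space:]]*)dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$/\1#dns=dnsmasq/' "$1" > "$2"
  ! cmp -s "$1" "$2"
}

# On a live system (as root): keep a backup, install the edited copy, then
# restart NetworkManager so /etc/resolv.conf is regenerated from the
# provider's servers.
#   nm_disable_dnsmasq /etc/NetworkManager/NetworkManager.conf /tmp/nm.conf \
#     && cp /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/NetworkManager.conf.bak \
#     && cp /tmp/nm.conf /etc/NetworkManager/NetworkManager.conf \
#     && service network-manager restart

if [ "$#" -ge 1 ]; then
  if resolv_uses_loopback "$1"; then
    echo "$1: all nameservers are loopback addresses (local dnsmasq is answering DNS)"
  else
    echo "$1: an upstream nameserver is configured"
  fi
  if [ "$#" -ge 2 ]; then
    echo "$2: $(nm_dnsmasq_active "$2") active dns=dnsmasq line(s)"
  fi
fi
```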

Ioncube with Nginx+php-fpm giving 502 gateway error SOLVED

Ubuntu 13.10 seems to be having trouble with ioncube and php-fpm. My earlier guide on loading ioncube may not work for you anymore.

This is really strange and I have no idea why no one seems to mention it, but if you are getting frustrated trying to install the ionCube loader on php-fpm, just ignore the instructions to create the 20-ioncube.ini file and plug the line directly into the end of your php.ini.

Steps to install ioncube loader with php5-fpm

cd /usr/local
sudo wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
sudo tar xzf ioncube_loaders_lin_x86-64.tar.gz
sudo mv /usr/local/ioncube/* /usr/lib/php5/20121212/

These steps are the same as in the earlier guide (the archive unpacks into /usr/local/ioncube, and the directory under /usr/lib/php5 is owned by root, so the move needs sudo too). Note that the download is plain HTTP with no signature or checksum to compare against, and the loader runs inside every PHP process, so use HTTPS where the vendor offers it.

Now, instead of creating a file called 20-ioncube.ini or ioncube.ini, add the line directly to your php.ini file (on Ubuntu with the repository php5-fpm package, php.ini is at /etc/php5/fpm/php.ini; the command-line php reads a different one, so editing /etc/php5/cli/php.ini does nothing for php-fpm).

At the very end add:

zend_extension = /usr/lib/php5/20121212/ioncube_loader_lin_5.5.so

Then restart php-fpm

service php5-fpm restart

If it still doesn’t work, try doing the same thing as root.

If you can’t find your php.ini, create a php file on your website with some random name. Open it in an editor and add the line:

Access the file on your site with a browser. It will list all kinds of information about PHP, including the locations of the configuration files (php.ini and others). Delete the file as soon as you have what you need: it tells anyone who finds it the same things about your server.
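As an added example (not part of the original post), a POSIX shell script that adds the zend_extension line the way the text describes, but only once, and reports whether the file already loads that loader; run it again after a PHP upgrade and it is a no-op. It also refuses when the .so path does not exist, which is the usual reason the loader "does not work". The paths in the usage line are the ones from the steps above; the ini contents in the test are constructed.

```sh
#!/bin/sh
# Added example: load the ionCube loader from php.ini exactly once.
# Usage: sudo sh ioncube-ini.sh /etc/php5/fpm/php.ini /usr/lib/php5/20121212/ioncube_loader_lin_5.5.so

# Exit 0 if INI already has an active zend_extension line pointing at SO.
# Leading whitespace, spaces around "=" and optional double quotes are
# tolerated; commented-out lines (";" or "#") are not counted.
php_has_zend_extension() {
  sed -n 's/^[[:space:]]*zend_extension[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" \
    | grep -Fxq -- "$2"
}

# Append "zend_extension = SO" to INI unless it is already there.
# Exit 0 if the file was changed, 1 if nothing needed doing, 2 if SO does not
# exist on disk.
php_add_zend_extension() {
  [ -f "$2" ] || return 2
  if php_has_zend_extension "$1" "$2"; then
    return 1
  fi
  printf '\n; ionCube loader\nzend_extension = %s\n' "$2" >> "$1"
}

if [ "$#" -eq 2 ]; then
  php_add_zend_extension "$1" "$2"
  case $? in
    0) echo "added $2 to $1; now run: service php5-fpm restart" ;;
    1) echo "$1 already loads $2" ;;
    2) echo "loader not found at $2 (check the PHP API directory and the 5.x in the file name)" ;;
  esac
  # Confirm the loader is present in the FPM SAPI after the restart:
  #   php5-fpm -i | grep -i ioncube
fi
```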

Ubuntu network slow RTL8101E/RTL8102E PCI Realtek

I recently reinstalled Ubuntu, and found that my network was agonizingly slow. Installing the driver from the Realtek website fixed this. My card is RTL8101E/RTL8102E PCI Express Fast Ethernet controller, but I imagine this will work for other versions too.

The problem is that the in-kernel r8169 driver does not support this card well, and while it is bound to the card the vendor driver cannot take over. Blacklist it.

sudo gedit /etc/modprobe.d/blacklist-network.conf

and add

blacklist r8169

to it. The file name has to end in .conf or modprobe ignores it, and the entry is the module name, not the .ko file name. Because the network driver is loaded from the initramfs at boot, run update-initramfs -u afterwards so the blacklist takes effect there too.

Download driver from the Realtek website.

Extract it. Compile it by going to the folder where you have extracted it (Downloads, for example) as root (your prompt will be something like this: root@vidyut-Compaq-435-Notebook-PC:~/Downloads/r8101-1.025.00#)and:

make

and

make install

The make install didn’t work for me, so I had to manually copy it into the folder.

cp src/r8101.ko /lib/modules/3.11.0-12-generic/kernel/drivers/net/ethernet/realtek/

(3.11.0-12-generic was the running kernel at the time; use the output of uname -r for yours.) Then unload the old driver if it is still in memory, register the new module and load it:

rmmod r8169
depmod -a
modprobe r8101
service network-manager restart

That should do it or try

ifconfig eth0 down
ifconfig eth0 up
service network-manager restart

Your network should be working normally now.

WordPress with MariaDB instead of MySQL

So I heard good things about MariaDB and decided to switch from MySQL to MariaDB. MariaDB is a fork of MySQL developed by the original developers of MySQL and it is intended to be a drop in replacement – meaning all your commands and databases from MySQL should continue to work seamlessly after the switch.

Tall claim, but with years of relationships with webservers, it isn’t too tough to know that even an upgrade can break things. Here, however seamlessly, the DATABASE management software was being replaced. Only a complete novice would believe “as advertised” to the point of not being worried.

My biggest fear was breaking my blogs. Backups are there, but…. it is unpleasant to see your precious sites not working, and I was apprehensive.

So anyway, I did it.

Added the repository (these are my instructions, but MariaDB helpfully provides a configurator that generates the repository lines for your operating system, version and MariaDB version, which you should use). The signing key is fetched from a public keyserver by ID over an unauthenticated connection, so compare the imported key’s fingerprint with the one MariaDB publishes before you install anything from the repository.

sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
sudo add-apt-repository 'deb http://mirrors.hustunique.com/mariadb/repo/5.5/ubuntu saucy main'

I’d done paranoid backups to the nth degree before, as you should too, but I won’t bore you with the details. Suffice it to say that I had 3 of each database AND a snapshot of my VPS to restore with “one click” if I got itchy AND I copied the mysql directory anyway (I really love my blogs. Really). I think this was mostly of therapeutic value after the first backup, but hey, it was good for my blood pressure.

Updated and installed MariaDB.

sudo apt-get update
sudo apt-get install mariadb-server

The only pain here was that the repository I used was agonizingly slow to download from, which really did not help my anxiety levels, since I’m used to the more blazing fast ubuntu repositories. Or perhaps it was a temporary patch of bad network I hit.

Regardless, if you are superstitious, you may want to avoid this one.

After a wait that almost had me too old to care, the installation was done.

That is it. There was no noticeable difference to my site except seeming slightly faster. I noticed the configuration file got replaced, but the defaults are good enough that the blogs are completely normal. I expect once I get around to tweaking it, the performance may get even better, but this is good already.

The backups did not get used. A textbook “drop in”. Zero hassle.

Do it already. The only cure for your wondering is finding out.