Blog

Welcome to my new Framework DIABLOS

DIABLOS is the acronym for “Does It All By Leveraging Open Source“. The name came from my wife, who started with “Does It All By Learning Objectives”, but after some discussion and working through what this Framework does, we agreed on adding an “S” to DIABLO and changing it to “leveraging open source”.

This Framework is the beginning of several functions and scripts I have compiled over several years of coding, placed into one easy-to-use call. This framework is one of the simplest systems you’ll ever use. Imagine this system as an extension to PHP: it gives you several new reusable code snippets as easily as typing a call and passing the parameters. This system lets you build a complete system with one call on your index page.

Take a look at the Functions wiki of this Framework. If this is a framework you would like to add to your project, take a look at the Installation wiki of this Framework.

Please see the Wiki for more information.

Let’sEncrypt SSL Certificates Tutorial – Free SSL Certificates For Websites & Apps

LetsEncrypt.org is a “Certificate Authority”, meaning it is licensed to issue SSL (TLS) certificates for websites. Because its “free” price would undercut many legitimate businesses, they limited its certificates to a 90 day (3 month) lifespan. This means that unless you’re using cPanel or similar, you will have to refresh the certificate every 90 days.

Source: Let’sEncrypt SSL Certificates Tutorial – Free SSL Certificates For Websites & Apps

Quick and Painless AWS Setup

Amazon Web Services is actually a great tool to use for testing before you jump into a tangled mess of twisted command line arguments and snag the core functionality of your root user’s over-zealous freedom of commands. Following the basic steps for a web server, then moving into the detailed intricacies, will prevent hair-pulling and drama-inducing levels of hormonal rage outbursts. In this article, I will give the basic step-by-step procedure to enable a fully functional PHP 7.x web server running nginx and MariaDB 10.2.x, and smooth everything out with a FREE SSL certificate from LetsEncrypt. In this example, I am demonstrating this setup on an Ubuntu 16.04 LTS server from Amazon.

Specifications

Server Configuration

There are several ways to set up and install a server. This method is one of my favorites: it keeps things simple to manage, and it allows for scripting by making it quick to enable and disable the server.

Ubuntu’s Proper Editor

By default, Ubuntu uses Nano for its text editor. Although there are many alternatives available, you can change the default editor by running this command. This will make configuring things much easier if you are familiar with the editor you use.

sudo update-alternatives --config editor
There are 4 choices for the alternative editor (providing /usr/bin/editor).
  Selection          Path        Priority      Status
------------------------------------------------------------
* 0          /bin/nano        40        auto mode
 1          /bin/ed        -100      manual mode
 2          /bin/nano        40      manual mode
 3          /usr/bin/vim.basic    30      manual mode
 4          /usr/bin/vim.tiny     10      manual mode
Press <enter> to keep the current choice[*], or type selection number:

Change Hostname

First we need to make sure that the domain name on this server resolves to localhost.

sudo nano /etc/hosts

Add the following line to the hosts file: 127.0.0.1 <name><fqdn>.<tld>. Here is an example using example.com

Finally, set the hostname to match, with this:

sudo hostname <name><fqdn>.<tld>

Installing PHP and other Common Packages

No matter which PHP version you wish to install, always make sure your server is up to date first. With this setup, I am using the 5.6 PPA, which is the current LTS release at this time.

sudo apt update && sudo apt upgrade -y
sudo add-apt-repository ppa:ondrej/php -y
sudo apt install build-essential nginx auto-apt checkinstall libssl-dev zlib1g-dev python python-dev python-pip mailutils ruby ruby-dev mariadb-client-core-10.0 mariadb-client-10.0 letsencrypt apparmor-utils build-essential checkinstall automake libbz2-1.0 libbz2-dev libbz2-ocaml libbz2-ocaml-dev libreadline-dev clamav -y

Update OpenSSH for PCI Compliance

Check for the new version with "ssh -V" once the following has completed.

sudo wget http://www.mirrorservice.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz && sudo tar -zxvf openssh-7.3p1.tar.gz && cd openssh-7.3p1 && ./configure && sudo make && sudo checkinstall make install
sudo service ssh restart
sudo reboot

Create a NON ROOT user

If you want to avoid the easiest way to get a website hacked, do not use root to serve all of your files; for this reason we need to create a user without superuser privileges. This user must be part of the www-data group so nginx and PHP will serve the files as the non-privileged user.

sudo adduser <username>
sudo usermod -a -G www-data <username>

Create the SSH key for the non privileged user

First we need to switch to the new user by sudo’ing into it. Then run ssh <some address>; this creates the .ssh folder in the user’s /home/ directory with the correct permissions.

sudo su - <username>
ssh <some address>

Setting up PIP, SASS and Compass

sudo -H pip install virtualenv
sudo -H pip install --upgrade pip
sudo su -c "gem install sass"
sudo su -c "gem install compass"

LetsEncrypt Configuration

As a superuser, it is time to start the SSL installation. If you are following this from start to finish, you need to exit the web user’s account by hitting CTRL-D or typing exit. Now you are back to the superuser "ubuntu".

sudo letsencrypt certonly --webroot -w /var/www/html -d $(hostname);

See the nginx configuration via /etc/letsencrypt/live/production.nsixtymedia.com/fullchain.pem
Note: if you are moving servers or otherwise fiddling with an existing set of SSL credentials, it is in your interest to use letsencrypt to revoke your existing credentials before running the above; otherwise you will not be able to renew!

nginx_ensite/dissite Configuration

Install from git as a sudo member

git clone https://github.com/perusio/nginx_ensite.git
cd nginx_ensite
sudo checkinstall

Create Unique DH Group
Important! Prevent the Logjam SSL Attack!
# requires root permissions

cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem

Nginx Configuration

Magento 1.x Nginx configuration: https://gist.github.com/gwillem/cd5ae6845fa33aa0d481

You will most likely be able to replace the server name with your actual subdomain and it will “just work”.

[Production Nginx Configuration](Production-Nginx-Configuration) file differs!

Enable gzip compression for CSS, JS and Icons in /etc/nginx/nginx.conf

Generate dhparams.pem File

This can take up to 20 minutes depending on your host’s horsepower

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Add the following under your SSL keys in your nginx config:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Then give the web user’s files to the www-data group, with directories at 755 and files at 644:

cd /home/<username>
chown -R :www-data .
find ./ -type d -exec chmod 755 {} \;
find ./ -type f -exec chmod 644 {} \;
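Here is a complete server block that ties the pieces above together: the LetsEncrypt certificate paths, the ssl_dhparam line, the gzip setting and the hand-off to php-fpm. It is an added example, not a configuration from the original post. It assumes the host name example.com, a site root of /home/<username>/html, and the php5.6-fpm socket at /run/php/php5.6-fpm.sock (the Ubuntu default for that package); adjust those three to your server.

```nginx
# Added example vhost (not from the post). Assumptions: host example.com,
# site root /home/<username>/html, certificates issued by letsencrypt into
# /etc/letsencrypt/live/example.com/, and the 4096-bit parameters written to
# /etc/ssl/certs/dhparam.pem as in the step above.

server {
    listen 80;
    server_name example.com;
    # Everything goes to https, as the post's setup does.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    root  /home/<username>/html;
    index index.php index.html;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Unique DH group from the step above: stops the server from using a
    # widely shared 1024-bit group, which is what Logjam exploits.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # gzip for CSS, JS and icons (the "Enable gzip compression" step).
    gzip on;
    gzip_vary on;
    gzip_types text/css application/javascript application/json image/x-icon image/svg+xml;

    # Hand .php files to php-fpm; socket path is an assumption (Ubuntu default).
    location ~ \.php$ {
        try_files $uri =404;   # never pass a non-existent path to fpm
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php5.6-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Save it as /etc/nginx/sites-available/example.com, enable it with nginx_ensite example.com, and run sudo nginx -t before reloading. If you add `location /.well-known/acme-challenge/ { root /var/www/html; }` ahead of the redirect in the port-80 server, webroot renewals succeed without switching vhosts.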

php-fpm Configuration

TODO production chroot

Create log directory:

sudo mkdir /home/spectrum/spectrum-labs/logs
sudo chown -R spectrum:www-data /home/spectrum/spectrum-labs/logs
sudo chmod -R 775 /home/spectrum/spectrum-labs/html/media/catalog/product

Ensure that logrotate is configured to use the correct file permissions for logging in /etc/logrotate.d/php5.6-fpm.

Up the max_execution_time value in /etc/php/5.6/cgi/php.ini

Change the following in /etc/php/5.6/fpm/pool.d/www.conf:
change pm to “ondemand”;
everything with a leading “;” is to be commented out.

Note: bumped max_children up from 5 to 8. Getting “server reached max_children setting” errors in log.

mcrypt Configuration

sudo phpenmod mcrypt
sudo service php5.6-fpm restart
sudo service nginx restart

Permissions for <username> User

Use sudo visudo and add the following:
# allow <username> to restart php-fpm and nginx

<username> ALL=(ALL) NOPASSWD: /usr/sbin/service php5.6-fpm restart
<username> ALL=(ALL) NOPASSWD: /usr/sbin/service nginx restart

Anti-Virus

PCI compliance requires we have anti-virus installed. On our unix system. That does not receive emails. It’s a process, you see.

See https://help.ubuntu.com/community/PostfixAmavisNew for the gory details; https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto may also have good information, for future reference.

A quick “paste it in” version is [here](anti-virus-web-server-xenial)

Stupid Server Tricks

If kswapd0 is eating up your processor after a bulk import: # as root!

echo 1 > /proc/sys/vm/drop_caches

Revoke Existing LetsEncrypt Certificate

sudo letsencrypt revoke -d subdomain.domain.tld --cert-path /etc/letsencrypt/live/subdomain.domain.tld/fullchain.pem

LetsEncrypt Auto Update Script

Letsencrypt requires a vanilla http connection for the auto-renew script to work. This means that, since we redirect everything to SSL, auto-renew will fail. This script switches to the default nginx setup, runs the renewal script, then restarts the service.

Name this script update-ssl and make it executable.

Update your root crontab like so:

@daily /home/ubuntu/update-ssl
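Below is one way to write the update-ssl script described above (switch to the default vhost, renew, switch back). It is an added example, not the post’s own script. It assumes the nginx_ensite/nginx_dissite helpers installed earlier, a production vhost in /etc/nginx/sites-available named after the host, and that the stock "default" vhost still serves /var/www/html over plain http; the SITE, NGINX_ENSITE, NGINX_DISSITE, LETSENCRYPT and SERVICE variables are this example’s own. The restore step runs from an EXIT trap, so a failed renewal never leaves the site on the default configuration.

```shell
#!/bin/sh
# update-ssl: added example, not the post's script. Assumes the
# nginx_ensite/nginx_dissite helpers from the earlier step, a production
# vhost named after the host (SITE), and the stock "default" vhost serving
# /var/www/html over plain http. Command names can be overridden through
# the environment, which also allows a dry run.
set -eu

SITE="${SITE:-$(uname -n)}"                   # vhost to swap out (what hostname prints)
NGINX_ENSITE="${NGINX_ENSITE:-nginx_ensite}"
NGINX_DISSITE="${NGINX_DISSITE:-nginx_dissite}"
LETSENCRYPT="${LETSENCRYPT:-letsencrypt}"
SERVICE="${SERVICE:-service}"

# Swap to the plain-http default vhost so the webroot challenge is not
# redirected to https.
enable_plain_http() {
    "$NGINX_DISSITE" "$SITE"
    "$NGINX_ENSITE" default
    "$SERVICE" nginx reload
}

# Put the production vhost back. Runs from the EXIT trap, so even a failed
# renewal never leaves the site on the default config.
restore_site() {
    "$NGINX_DISSITE" default || true   # tolerate "already disabled"
    "$NGINX_ENSITE" "$SITE"
    "$SERVICE" nginx reload
}

renew_certificates() {
    trap restore_site EXIT
    enable_plain_http
    "$LETSENCRYPT" renew
}

# Run only when invoked as the update-ssl script itself.
if [ "${0##*/}" = "update-ssl" ]; then
    renew_certificates
fi
```

Install it as /home/ubuntu/update-ssl, make it executable, and call it from root’s crontab as shown above. Pointing the command variables at shell functions that only echo their arguments gives a dry run that shows the exact sequence without touching nginx.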

Add ip blocking

cd /etc/nginx
cp nginx.conf ./nginx.conf.bak
sudo nano nginx.conf

Add the following inside the http { block:

include blockips.conf;

Save your file

Create a new blockips.conf file

sudo nano blockips.conf

Save your file

Add the following

Save your file

Test nGinx

sudo nginx -t # if comes back as tests OK then
sudo nginx -s reload # Test your site to make sure it still loads
sudo rm nginx.conf.bak

This month’s Android and iOS Malware “Judy”

Researchers at Check Point discovered a malware campaign on Google Play. This malware, dubbed “Judy”, has been found to auto-click adware. It was found in 41 apps developed by a Korean company. The auto-click feature allows a background process to search for iframes that contain advertisements and click them, providing them with your basic information. There are reports of this malware spreading to between 4.5 million and 18.5 million devices: Android and iOS phones, tablets and other devices. Some of the apps they discovered had resided on the Google and iOS stores for years but were recently updated. It is unclear how long the malicious code existed inside the apps, and what the actual spread of the malware is.

Cited: Check Point

Removing Unwanted Admin Menus in WordPress

WordPress is one of the leading content management systems in the world today; in fact, it serves millions of websites every day. From multisites with hundreds of pages to single landing pages, and from large corporate entities to personal pages, WordPress has made a name for itself in every way. Sometimes the standard WordPress installation is all a webmaster needs, but many times there is just too much, and it may cause confusion when a non-programmer tries to add a new post or make changes. Removing some of the menus in the admin section will reduce this confusion and make things easier for the web programmer when some of the items are not used.

To get started we will need to get into the theme folder. Each theme should have a functions.php in its installed folder; if your theme does not have a functions.php, we will get to that a little later. For now, if your theme does have a functions.php, a little bit of code needs to be added.

  1. In the admin back end, hover over Appearance and click on Editor
  2. On the right-hand side of the screen, look for Theme Functions; it may also be called functions.php
  3. Add the following code above the ?> at the end of this file, then Update the file and watch the menu items disappear.

If your theme doesn’t already have a functions file, you’ll need to create one. Create a new file in the theme’s main directory and call it functions.php.

You’ll have to add an opening PHP tag to the file, but you don’t need a closing one; then add the code above.
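The following is an added example of the kind of functions.php code the steps above refer to; it is not the original post’s snippet. It uses the core remove_menu_page() function on the admin_menu hook. The menu slugs are WordPress core values, while the list of menus to hide and the choice to leave the full menu for administrators are this example’s own.

```php
<?php
// Added example (not the original post's code): hide admin menus that the
// site's editors never use. Slugs are WordPress core menu slugs; which ones
// to hide, and the administrator exception, are this example's own choices.

function my_theme_remove_unwanted_admin_menus() {
    // Leave the full menu for administrators so no one locks themselves out
    // of a settings screen they still need.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Slug = the admin page as it appears in the wp-admin URL.
    $menus_to_hide = array(
        'edit-comments.php',        // Comments
        'tools.php',                // Tools
        'edit.php?post_type=page',  // Pages
    );

    foreach ( $menus_to_hide as $menu_slug ) {
        remove_menu_page( $menu_slug );
    }
}

// Late priority: core registers its menus on admin_menu first, so the
// removals run after the entries exist.
add_action( 'admin_menu', 'my_theme_remove_unwanted_admin_menus', 999 );
```

Paste everything below the opening tag into an existing functions.php. remove_menu_page() only removes the link: the screens stay reachable by URL, so anything a role must not be able to do has to be withheld through its capabilities, not by hiding menus.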

How to consider a move while a contractor?

Being from Ohio, moving around the country to an area with a more exciting and faster-paced career just doesn’t seem to be in the budget at the moment, although finding a position in a larger city should, statistically, result in a more energizing and rewarding career. So how do you get a company to be so impressed that they would assist you with the financial burden of the relocation?

Although I haven’t successfully achieved this, some logical reasoning may assist others with this query.

  1. Start by focusing on your interests: determine your real needs, then work on negotiating those needs. Do not limit your needs to your financial expenses. Once you identify your needs, work on a benefits package to meet those specific needs.
  2. Research what assistance is typical, and be prepared for the negotiating. Most companies vary in the packages they offer. The type of employer may vastly change what they offer, and your yearly salary may reflect some of this assistance.
  3. Try to make the benefit valuable to both sides. Although the assistance may be the help you need to make this new journey, the company needs some type of leverage to justify this expense.

Articles will be coming soon…

Thank you for stopping by, currently I am in the process of converting my site to a WordPress site. Once I get everything setup correctly, I will be posting all of my books, articles and comments here. I hope you will continue to follow me to learn about great ideas and tips with Server Admin and PHP scripts.
