Thursday, 11 April 2013

Securing Wordpress - hardening the webserver

There are three main classes of attack against Wordpress:

  1. Obtaining access to a legitimate Wordpress user account.
  2. Finding a vulnerability in the Wordpress codebase, including any plugins or themes your users may have loaded.
  3. Comment SPAM.
All of the above lead to the possibility of inserting SPAM links into your blog. 3 is easiest to deal with by comment moderation or installing antispam measures such as Akismet.

If Admin access is obtained in 1 above or via the second attack class, arbitrary PHP could be uploaded (directly or as plugins or themes) allowing effectively arbitrary code execution on the server as the webserver user. This of course may lead to root exploits against the underlying OS. Some danger also exists in allowing Wordpress admins to upload arbitrary unchecked themes and plugins - there are a huge number out there that contain malicious code.

I personally have been bitten by 2 (attacker uploaded a phpshell, then took over several blogs and used them to distribute a virus via a Windows Internet Explorer attack).

It seemed to me that the first and most general line of defence was to prevent the webserver being able to execute any uploaded files at all, except when the server admin says so.

The first thing is to tell the webserver, Apache 2.2 in my case, not to allow code execution in these directories. These are the directories where the webserver and WP need to be able to write files. We only need to worry about paths that the webserver can subsequently serve (and potentially run an interpreter against).
  1. <BLOGBASE>/wp-content/uploads/
  2. <BLOGBASE>/wp-content/plugins/mm-forms/exports/
  3. <BLOGBASE>/wp-content/plugins/mm-forms/captcha/tmp/
1 should be common to all WP installs. 2 and 3 depend on the plugins running. There may of course be more if you are running different plugins from me.

For each directory above, add this to the apache conf.d/ directory for each path you need to protect (or ensure it is active for each WP site):

<DirectoryMatch /wp-content/uploads/ >
    # php_flag only exists under mod_php; a PHP-FPM/FastCGI setup must drop the PHP handler here instead
    php_flag engine off
    Options -ExecCGI
</DirectoryMatch>
# AllowOverride is only accepted in a <Directory> section without a regex (not in
# <DirectoryMatch>), so disable .htaccess overrides per site:
<Directory "<BLOGBASE>/wp-content/uploads/">
    AllowOverride None
</Directory>

That may not be the complete solution - I'm checking other options - comments welcome!

Now make the entire WP tree read only to the webserver user (www-data in the case of Debian) and owned by root. Allow the webserver group (also www-data for Debian) write access to the paths above. The owner of these paths will still remain root.

Here's what one of my WP installs looks like to 2 levels deep:

root:root drwxr-xr-x .
root:root drwxr-xr-x ./wp-admin
root:root drwxr-xr-x ./wp-admin/css
...
root:www-data drwxrwxr-x ./wp-content/uploads
root:root drwxr-xr-x ./wp-content/themes-ai1ec
...
root:root drwxr-xr-x ./wp-includes/SimplePie

You get the idea...

Now if we need to unlock the blog to allow updates or adding plugins or themes, all we have to do is:

chown -R www-data <WP-path>

and to lock:

chown -R root <WP-path>

Just to be a little safer I run a few extra bits - which are enough to lock a default install down:

Lock:
chown -R root <WP-base>/
chgrp -R root <WP-base>/
chmod -R o=rX <WP-base>/
chgrp -R www-data <WP-base>/wp-content/uploads/
chmod -R g=rwX <WP-base>/wp-content/uploads/
# and any other paths that need to be webserver writable.

Unlock:
chown -R www-data <WP-base>/
chmod -R u=rwX <WP-base>/

For your convenience, my scripts are available here:
https://github.com/TimJWatts/ddh-blog-utils
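As an added illustration of the lock, unlock and audit steps (my own example, not the author's scripts from the link above): a POSIX shell version that assumes a Debian-style www-data user and group and takes the webserver-writable paths from WRITABLE_PATHS. wp_audit is an extra check the post does not include: it reports anything writable by the webserver outside those paths, and any PHP file that has turned up inside them.

```shell
#!/bin/sh
# Lock, unlock and audit a WordPress tree using the ownership scheme above.
# Added example, not the author's ddh-blog-utils scripts.
# Assumptions: Debian-style www-data user/group; WRITABLE_PATHS lists the
# webserver-writable directories relative to the WordPress base directory.
WEB_USER=${WEB_USER:-www-data}
WRITABLE_PATHS=${WRITABLE_PATHS:-wp-content/uploads}

# Lock: root owns everything and the webserver can only read, except that the
# writable paths get group write for the webserver group. Needs root.
wp_lock() {
    base=${1%/}
    chown -R root:root "$base"
    chmod -R u=rwX,go=rX "$base"
    for p in $WRITABLE_PATHS; do
        chgrp -R "$WEB_USER" "$base/$p"
        chmod -R g=rwX "$base/$p"
    done
}

# Unlock: hand the tree to the webserver user so WP can update itself. Needs root.
wp_unlock() {
    chown -R "$WEB_USER" "${1%/}"
    chmod -R u=rwX "${1%/}"
}

# Audit: report anything group- or world-writable outside the writable paths,
# plus any PHP file that has appeared inside them (a dropped web shell would
# show up here). Prints the offenders and returns 1; returns 0 when clean.
wp_audit() {
    base=${1%/}
    prune=""
    for p in $WRITABLE_PATHS; do
        prune="$prune -path $base/$p -prune -o"
    done
    # shellcheck disable=SC2086  # $prune is deliberately word-split
    bad=$(
        find "$base" $prune \( -perm -020 -o -perm -002 \) -print
        for p in $WRITABLE_PATHS; do
            find "$base/$p" -type f \( -name '*.php*' -o -name '*.phtml' \) -print
        done
    )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Running wp_audit from cron against each blog base and alerting on a non-zero exit turns the locked-down layout into something you can verify rather than assume.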

Sunday, 10 February 2013

Android - Squiddy's best apps list


  • Now that Google Reader is having the plug pulled, I've switched to Taptu which is a nice RSS client - allows streams to be merged and has a pretty nice layout.
  • Email - K9 Mail. The best I have tried, ever. Multiple accounts, reliable, good notification control, hide lesser used IMAP folders. Free.
  • Launcher - used to be a fan of Go Launcher Ex, which is very customisable and very active. Just switched to Nova Launcher Prime which is smooth, a little lighter and has an excellent App Drawer folder mode avoiding the need for external app sorters. £2.50
  • Car GPS - used to use Sygic, now switched to CoPilot Live which seems snappier. Sygic's paid for traffic addon was becoming unreliable and next to useless. I'm checking to see how CoPilot fares.
  • Walking GPS (UK) - Viewranger. Cannot find anything to beat it that has offline OS 1:25000 maps, purchasable by the tile. Utterly brilliant is the way you can edit a track on a PC or the phone, then share it and follow it in GPS mode. Makes night hikes simple...
  • Real Time GPS Tracker - does what it says. Hide the phone in your kid's bag and send them to the shops (first time out by themselves), knowing you can see where they are on any web enabled device... Could be useful for group outings where the group may want to split up for an hour or two...
  • Ocado shopping app. Assumes you want to buy Waitrose fare, but has an excellent offline mode with full catalogue. Not seen anything as good from the other supermarkets.
  • Mapping cellular signal coverage: Sensorly for reasons explained here.
  • Blogger.com editing: Google's own Blogger app. Does everything I want, so not really looked at the alternatives.
  • Wordpress updates: Wordpress app. Works pretty well unless you get custom with the HTML, then it can lose the plot a bit.

MPs, expenses and HM Queen

Well, isn't this interesting:

The Queen's finances to be investigated by powerful Westminster committee chaired by MP Margaret Hodge.

Maybe not particularly - until you find this other story:

Margaret Hodge's family company pays just 0.01pc tax on £2.1bn of business generated in the UK

I'm not sure what to think, but it probably rhymes with Squeaky Bough...

Credit to ARRSE for that one...

Open Signal vs Sensorly - Mapping 3G signal strength with a Samsung Galaxy S2

We all know that cellular operators' coverage maps leave something to be desired. Even if we assume that they are not overly imbibed with optimism <insert Sally Bercow's *innocent face*/> it seems unlikely that they drive every road and walk every footpath with signal meters and a GPS.

Well, the signal meter and GPS happen to be available to anyone with a suitable mobile phone (which seems to mean Android right now, with occasional support for iPhone) so that leaves a choice of which app to use and which data mapping service to use (the two choices are married, at least for now).

Open Signal looked interesting with their pretty heatmaps and slick application. I had been hindered in running this type of app before this weekend due to a bug in Samsung's GingerBread code for the I9100 Galaxy S2 phone.

Anyway, after loading JellyBean XWLS8, the apps seemed to be able to determine the current cellular signal strength on demand and the GPS was feeling snappy, so I decided to trial a couple.

Looking at the various offerings, only two that I found seemed to cover the UK reasonably.

  1. Open Signal
  2. Sensorly
Open Signal do have pretty maps and a very sleek app. Only problem is that, after driving around last night with the app running and visually confirming that it was saving and uploading data, I find that data not present a whole 24 hours later on their maps.

Sensorly, whilst not being so flashy on the maps front, though the app is pretty swish, had my data up on the maps within an hour. I know this because I drove around some pretty obscure country lanes taking the long route back from the dump this afternoon. Those roads had no signal data before I went driving. None of the roads off the lanes I drove around currently have any data either, which is not surprising as we're pretty much in the sticks here.

So that's it. Sorry Open Signal map guys - I know it's a free service and all (although you must be spinning it for some fame or ad revenue) but if you expect me to go out of my way and do some tracking, at least be bothered to process my data in a timely fashion.

Seems it's not just me - the forums are full of people wondering if their contribution will ever make it online.

So, in short, support Sensorly, at least if you're in the UK.

Is JellyBean really more buttery?

Project Butter is the effort made by Google to improve the user responsiveness of Android phones running the new JellyBean (4.1). JellyBean is the latest and current version of Android.

Does it work and is it worth the effort upgrading? Well, subjectively, I would say yes.

  • The GUI is very responsive. Certainly this is both subjective and could easily be wishful thinking. All that said and done and making some mental allowances, it does seem to be very slick.
  • The music player is very nice and sports a built in equaliser.
  • Samsung's TouchWiz launcher is still weak. I replaced it with Nova Launcher Prime which gives the ability to organise the App Drawer into groups, hide unwanted apps (like the built in ones that cannot be uninstalled), have a scrollable Dock Bar and nice effects without being fat and slow.
  • Samsung's keyboard seems better than I remember of the GingerBread version so I have not bothered to replace it with Perfect Keyboard Pro like I usually do.
  • Finally the cellular signal strength metric is available to apps (Samsung broke the API in Gingerbread and ICS). This is of interest to people like me who like to participate in cell strength surveys like Sensorly.
  • GPS and 3G data connectivity seem to be better.
  • The phone is definitely not running hot like it used to when undertaking intensive tasks like being a car GPS.
  • Lots of things are more customisable, including the notification bar.

I'll add an update on battery life at the end of the week. I have reasonably constant and heavy usage patterns in the week to base opinion on.

A note of the actual upgrade procedure

My Samsung Galaxy S2 (I9100) was supplied with GingerBread (2.3.5 IIRC). After a few months I rooted and upgraded to Ice Cream Sandwich (CyanogenMod RC1). Getting fed up with video out over HDMI not working with a non Samsung firmware, I decided to reflash when JellyBean official became available.

For some reason, despite Samsung having done the first release for the I9100 on January 23rd 2013, there is still no (at the time of writing) official release for the UK. Having checked I decided to use the latest issue to Spain, XWLS8, which can be found at SamMobile. This has been superseded by a minor update. I may update later, but I see no immediate reason as I find no fault with XWLS8.

Flashing was easy with Odin and a virtual machine running Windows. Heimdall is a protocol compatible equivalent tool for Linux (but is not official software) and would almost certainly work as well.

That went well, and I used CWM Recovery (installed as a power on recovery option) to wipe the user data and cache - you could alternatively use the Factory Data Reset option inside Android Settings. This is not absolutely required, but personally I like to start afresh with a major upgrade and clear cruft.

One problem remained which did cause a moderate heart attack: I discovered some files on the internal SDCard were not deletable. Reading around, it seemed this was likely to be the result of bad blocks on the internal flash. The solution seems to be to plug the phone into a computer, switch the phone USB into "Storage Mode" and reformat the phone's USB storage. It is important to do a long format and not a quick format - we need every block tested and bad blocks potentially marked unusable. It was not clear whether the format operation found any bad blocks or whether the flash hardware remapped the bad block on write - but either way, the internal storage is now reliable.

Updates

Well, 3G reception is vastly improved over CyanogenMod and Samsung Gingerbread. 14% PING packet loss between Robertsbridge and Sevenoaks by railway (there are several tunnels on that line, one a mile long!). Now measuring packet loss between Sevenoaks and London Charing X. Signal recovery, including packets through WIFI tethering, is extremely fast - again much better than previously and infinitely better than Huawei's dedicated MIFI device, the E585, which was completely useless at coping with repeated lost signal.

5% packet loss between Sevenoaks and London Charing X - unheard of! I'll be measuring that over the rest of the week...