Monthly Archives: December 2012

Using Regular Expressions to Reduce Exposure


The Internet is filled with bots (zombie machines doing their master’s bidding), spiders and the like. Recently I saw a large number of attempts to gain access to my WordPress login page (and only wp-login.php, obviously from some script). Okay, I believe I have good password and username hygiene, which did deter the bots, but then why not restrict which addresses can reach the page at all?

I believe such a configuration can easily be done with .htaccess in Apache, but I’m using nginx and it’s slightly different, so here’s my method. nginx lets you put rules straight into its config, so look into your nginx configuration.

One way to do this is a regular expression match on the remote IP address ($remote_addr) or, if like me you put the web server behind HAProxy, on the forwarded-for address ($http_x_forwarded_for). You can generate the pattern for your IP range using Google IP Address Range Rules (an IP regular expression generator). Here is my additional configuration; it goes below the basic web root config.

location ~ /wp-login\.php {
 # Only allow my private addresses (192.168.0.0 - 192.168.7.255) to have access.
 # The dots are escaped so each '.' matches a literal dot, not any character.
 if ($remote_addr !~ "^(192\.168\.([0-7])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$") {
  return 403;
 }

 # Any proxied access will be denied too
 if ($http_x_forwarded_for != "") {
  return 403;
 }

 root html;
 fastcgi_pass unix:/tmp/php-fpm.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /var/www/html/wordpress$fastcgi_script_name;
 include fastcgi_params;
}
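To check what the allow-list pattern really matches before trusting it in an `if`, and to produce the equivalent pattern for any CIDR block without the online generator, here is an added Python example (my own code, not part of the original post). It assumes the post's 192.168.0-7.x range is the same set as 192.168.0.0/21, and the function names (is_allowed, cidr_to_regex, nginx_if_line, same_address_set) are my own. It also shows why the dots must be escaped: with bare dots, a string like 192x168x3x45 passes the test.

```python
import ipaddress
import re

# One dotted-quad octet, 0-255, spelled out the way the post's regex does it
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

# The post's allow-list (192.168.0.0 - 192.168.7.255) with the dots escaped
ALLOWED_RE = re.compile(r"^192\.168\.[0-7]\." + OCTET + r"$")

# The same pattern with bare dots: each '.' matches ANY single character
SLOPPY_RE = re.compile(r"^192.168.[0-7]." + OCTET + r"$")


def is_allowed(addr, pattern=ALLOWED_RE):
    """True when addr is inside the allow-list (the inverse of nginx's `!~` test)."""
    return pattern.fullmatch(addr) is not None


def _octet_pattern(lo, hi):
    """Regex for one octet in the inclusive range lo..hi."""
    if lo == hi:
        return str(lo)
    if lo == 0 and hi == 255:
        return OCTET
    # Plain alternation, longest literals first; anchored and separated by \. it is exact
    values = sorted(range(lo, hi + 1), key=lambda v: (-len(str(v)), v))
    return "(?:" + "|".join(str(v) for v in values) + ")"


def cidr_to_regex(cidr):
    """Anchored regex matching exactly the addresses of an IPv4 CIDR block.

    A CIDR block is the product of per-octet ranges (fixed octets, one boundary
    octet with a contiguous range, then 0-255), so joining per-octet patterns is
    exact. An arbitrary start-end range would have to be split into CIDR blocks first.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    first = net.network_address.packed  # bytes; iterating yields ints
    last = net.broadcast_address.packed
    body = r"\.".join(_octet_pattern(lo, hi) for lo, hi in zip(first, last))
    return "^" + body + "$"


def cidr_pattern(cidr):
    """Compiled form of cidr_to_regex, for local testing."""
    return re.compile(cidr_to_regex(cidr))


def nginx_if_line(variable, cidr):
    """Render the `if` line for nginx.conf; the quotes keep nginx from tripping on braces."""
    return f'if ({variable} !~ "{cidr_to_regex(cidr)}") {{ return 403; }}'


def same_address_set(cidr, pattern):
    """True when the pattern accepts every address of the block and rejects both neighbours."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    inside = all(pattern.fullmatch(str(a)) for a in net)
    below = str(net.network_address - 1)
    above = str(net.broadcast_address + 1)
    return inside and not pattern.fullmatch(below) and not pattern.fullmatch(above)


if __name__ == "__main__":
    print(nginx_if_line("$remote_addr", "192.168.0.0/21"))
    # Constructed probe addresses: one inside, one just outside, one with bogus separators
    for probe in ("192.168.3.45", "192.168.8.1", "192x168x3x45"):
        print(probe, "strict:", is_allowed(probe), "sloppy:", is_allowed(probe, SLOPPY_RE))
```

Paste the printed `if` line into the location block in place of the hand-written one. One caveat that applies whichever variable you test: $http_x_forwarded_for is an ordinary request header, so any client can send one unless the proxy in front of nginx overwrites it; the post's second rule, rejecting every request that carries the header, sidesteps that because the private-address check is done on $remote_addr only.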

Setting up a FreeBSD9.1 Server


It’s been a while since I last posted something here.

Recently I got interested in the “beastie”, aka BSD, one flavor of UNIX. Not to say I’m no longer loving the penguin, but it’s good to know more of the systems out there, and FreeBSD is one of the best known for stability, with uptimes of like 5 years without restarting. So here is how to get it up with nginx, PHP and MySQL, running inside a VMware environment.

The first thing to do is to get portsnap to fetch and update the ports tree.

portsnap fetch extract update

Most popular applications are in the ports tree, so most of these installations can be automated without much trouble.

Installing VMware Tools

Installing Perl5.16

cd /usr/ports/lang/perl5.16/
make config-recursive
make install clean

Install compat6x

cd /usr/ports/misc/compat6x/
make config-recursive
make install clean

Manual installation of 2 VMware modules

“Insert” the VMware Tools disc and mount it using type cd9660, as such:

mount -t cd9660 /dev/cd0 /mnt

Then access the mounted disc and copy the tools archive somewhere local for extraction.

<DIR>vmware-tools-distrib/lib/modules/source/

Untar the following, then make and make install them before running the main perl install script:

vmmemctl.tar
vmblock.tar

Installing Bash-completion

First comes the installation of “bash-completion”, as I find “csh” not that friendly, plus tabbing is the way to go… 🙂

cd /usr/ports/shells/bash-completion
make config-recursive

No additional selections are necessary (the defaults are fine).

make install clean

Then you have to change the default shell of the user by using

chpass

and change the Shell to

/usr/local/bin/bash

Installing VIM

And how can we go about a Unix/Linux system without VIM? Plain vi is quite painful to use. And since I’m using this machine as a server, I don’t need gvim, so vim-lite suffices.

cd /usr/ports/editors/vim-lite
make config-recursive
make install clean

Do remember to configure your own ~/.vimrc

syntax on
set background=dark
set shiftwidth=2
set tabstop=2
set nocompatible
set expandtab
set autoindent
set ruler
if has("autocmd")
 filetype plugin indent on
endif
set showcmd " Show (partial) command in status line.
set showmatch " Show matching brackets.
set ignorecase " Do case insensitive matching
set smartcase " Do smart case matching
set incsearch " Incremental search
set hidden " Hide buffers when they are abandoned
set backspace=indent,eol,start
set mouse=

Installing wget

cd /usr/ports/ftp/wget
make config-recursive
make install clean

Installing PHP

cd /usr/ports/lang/php5
make config-recursive
make install clean

You will also have to install the PHP extensions for things like session, mbstring, mcrypt, mysql, mysqli and so on.

cd /usr/ports/lang/php5-extensions
make config-recursive
make install clean

Configuring PHP-FPM

vim /usr/local/etc/php-fpm.conf
events.mechanism = kqueue
listen = /var/run/php-fpm.sock

listen.owner = www
listen.group = www
; 0666 lets every local account connect to php-fpm through this socket;
; 0660 is enough when nginx runs as the www user set above
listen.mode = 0666

You will also have to configure php.ini for your needs; I need to set my local timezone.

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
vim /usr/local/etc/php.ini
date.timezone = Asia/Singapore

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
php_fpm_enable="YES"

Installing nginx

cd /usr/ports/www/nginx
make config-recursive
make install clean

Configuring nginx

vim /usr/local/etc/nginx/nginx.conf

Some things that need to be included are the use of kqueue, the event mechanism used on BSD. The events block sits at the top level of nginx.conf and the PHP location goes inside the server block.

events {
 worker_connections 1024;
 use kqueue;
}
# Hand every *.php request to php-fpm over its unix socket
location ~ \.php$ {
 #root html;
 #fastcgi_pass 127.0.0.1:9000;
 fastcgi_pass unix:/var/run/php-fpm.sock;
 #fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /usr/local/www$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_script_name;
 include fastcgi_params;
}

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
nginx_enable="YES"

Installing MySQL

Depending on your requirements the choice of MySQL configuration will differ; pick the most suitable one and copy it.

cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf

Manually start the MySQL server to install and configure it.

/usr/local/etc/rc.d/mysql-server start

Follow the guide from the secure installation script.

mysql_secure_installation

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
mysql_enable="YES"

Installing Web-apps

After completing the above installations it should be a breeze to install the rest of the web apps like phpMyAdmin and WordPress; just place them in the right place, /usr/local/www 🙂