While diagnosing a potential unconfirmed problem with a certain popular WordPress plugin I did something that every good developer should do every once in a while, which is to humble themselves and read the most basic and obvious documentation for the simplest parts of a language or framework that you…
Category: Security
Check your server’s composer files for known PHP vulnerabilities
The Sensio people have made so cool stuff including the SensioLabs Security Checker. You can use it via composer but you can also download a PHAR file and scan your entire server. wget http://get.sensiolabs.org/security-checker.phar -O ~/security-checker.phar find /var/www -type f -name “composer.lock” -exec php ~/security-checker.phar security:check {} ; Symfony Security…
Let’s Encrypt – Nginx settings
Ubuntu 14.04 From https://certbot.eff.org/all-instructions/#ubuntu-14-04-trusty-nginx Download and install We’re going to use certbot and install it in /usr/local/bin sudo wget https://dl.eff.org/certbot-auto -O /usr/local/bin/certbot-auto sudo chmod +x /usr/local/bin/certbot-auto certbot-auto –os-packages-only First cert request sudo service nginx stop ./certbot-auto certonly –standalone -d www.example.com -d example.com sudo service nginx start Test renewal certbot-auto renew –dry-run Actual renewal…
Ticketbleed (CVE-2016-9244)
Ticketbleed is a software vulnerability in the TLS/SSL stack of F5 BIG-IP appliances allowing a remote attacker to extract up to 31 bytes of uninitialized memory at a time.https://filippo.io/Ticketbleed/ SSL Labs is adding tests for this. And I didn’t know that SSL Labs had a development server for people to…
How to test an HTTP TLS cert from the command line
If you want to look at a web server’s cert from the command line you can just do: openssl s_client -connect REPLACE_WITH_DOMAIN_OR_IP:443 -servername REPLACE_WITH_DOMAIN For instance: openssl s_client -connect microsoft.com:443 -servername microsoft.com If your DNS isn’t resolving to the host yet (maybe you have launched the site yet but you want…
Adding two-factor authentication to Drupal 8 using Google Authenticator
The instructions are based on Drupal 8.2.6. Parts, such as upgrade random_compat, might not be applicable in later versions. I can’t make any guarantees about running these in earlier versions. Install Christian Riesen’s OTP (One Time Password) From the drupal site root run: composer require christian-riesen/otp Upgrade random compat Drupal…