WordPress on Amazon EC2

First you need to set up an Amazon EC2 server.

I needed to move my company home page to Amazon EC2 because I was doing a physical move and my server would be down for a couple of days before I would get internet going at the new address. So I moved the WordPress installation and the static home page to Amazon EC2.

First deploy WordPress on your Amazon server. This is most easily done from the command line.

cd /var/www/vhost/

sudo mkdir freagesolution.se

cd freagesolution.se

sudo apt-get install wget unzip

sudo wget https://wordpress.org/latest.zip

sudo unzip latest.zip

sudo rm latest.zip

sudo find . -exec chown www-data:www-data {} \;

Then configure Apache to answer requests for the new hostname. Before launch I normally test using a free name from, for instance, https://no-ip.net.

cd /etc/apache2/sites-available
sudo vi freagesolution.se.conf

ServerName freagesolution.se
ServerAdmin fredrik@agert.eu

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi-se
</FilesMatch>

AddHandler php7-fcgi-se .php
Action php7-fcgi-se /php7-fcgi-se
Alias /php7-fcgi-se /usr/lib/cgi-bin/php7-fcgi-se
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-se -socket /var/run/php/php7.0-fpm.se.sock -pass-header Authorization

DocumentRoot /var/www/vhost/freagesolution.se/

# Redirect permanent / https://freagesolution.se/ # commented out until we have certificate.
AllowOverride None

LimitRequestBody 16384
Options Indexes MultiViews
AllowOverride AuthConfig FileInfo Limit Options=Indexes,MultiViews

Require all granted

AddType application/x-httpd-php .html .phtml .php

# the cookie can be large
LimitRequestBody 65535

# allow admin to upload pictures and software
LimitRequestBody 33554432

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

It is time to link this site to the enabled sites directory.


cd /etc/apache2/sites-enabled
sudo ln -s ../sites-available/freagesolution.se.conf .
sudo service apache2 restart

Make sure the file permissions are right for the site.

cd /var/www/vhost/freagesolution.se
sudo find . -exec chown www-data:www-data {} \;
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 775 {} \;

Protect yourself from bitcoin mining while browsing

The bad guys have started a new trend: bitcoin mining using your computer. While you pay for the electricity, they get rich. If you don't care about sponsoring villains, stop reading. If you want to do something about it, continue reading on how to protect yourself.

More and more sites start the fan on your computer at full speed. It was first seen on https://thepiratebay.org. You may think it is time to vacuum clean the computer or that its age is starting to show. However, odds are that you are contributing to the villains' fortune by letting your computer do their bitcoin mining.

So how do you stop it? First I must tell you that you need a modern web browser. Stop using the virus bait Internet Explorer. Go with either Google Chrome or Firefox. Sorry Microsoft, but Edge does not have any protection as we speak. There is a web store for applications, but only games.

Install a blocker. I am using No Coin. There are other blockers out there.

No Coin seems to protect me enough.

 

Setting up a blog the lazy way.

I have got a couple of questions on how to set up a blog such as this.

I was choosing between three popular blog and CMS tools: WordPress, Drupal and Joomla. I made a test with Drupal, and it felt like way too much CMS and way too little blog. So I decided that WordPress was sufficient.

I already had a server on the net. Since 2006 it had been running Ubuntu. Before that it had been running Slackware as well as SUSE. It was serving a personal home page. I just went ahead and bought a new DNS name and set up a new virtual server in Apache. This made all requests for the "freagesolution" name go to a separate Apache virtual server in a separate directory. In this directory I installed WordPress and a start page.

Ubuntu is in a way much easier to handle than Windows. All packages are installed in the same way, no matter whether it is a part of the operating system or a picture manipulation program.

But the Ubuntu package for WordPress is dated, so the most secure way is to install WordPress directly from the source into the directory.

To make WordPress run, it needs a web server, a PHP interpreter and an SQL database, a so-called LAMP stack (LAMP = Linux, Apache, MySQL, PHP).

One prerequisite is that you have managed to secure your server. Make sure the server is up to date. You need to use the command line on Linux to make that work. You can either log in to the console, or connect remotely with PuTTY.

$sudo apt-get update
$sudo apt-get upgrade

So just install LAMP from the command line. Select the new, fast and secure php-fpm.

$sudo apt-get install apache2 mysql-server php php-fpm php7.0 libapache2-mod-php7.0 php7.0-mysql

You might need some PHP modules as well to make the web page behave nicely and look great.

$sudo apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc

Be prepared to enter the root password for the database. This password must be remembered but never used on the web.

$select password for mysql user root:

Log into mysql as root and create a database for wordpress

$mysql -u root -p
mysql>create database mywordpress;

Do not actually use the word mywordpress. Do not forget to create the user.

mysql>grant all privileges on mywordpress.* to 'mysecretwordpressuser'@'localhost' identified by 'mysecretpassword';
mysql>exit
$

Do not actually use mysecretwordpressuser or mysecretpassword either.
Now I wanted mail from WordPress form submissions to come to me. I am not actually happy with the solution; I wanted the mail to come from a unique account for each virtual server, but I have not yet figured out if that is possible and, if it is, how to set it up.

$cd /home/www-root2

Get wget and unzip to be able to fetch WordPress.

$sudo apt-get install wget unzip
$wget https://wordpress.org/latest.zip
$unzip latest.zip -d WordPress
$rm latest.zip

Now go to the web page of your server and do the rest of the WordPress install. Use the WordPress user, not the root user, for the database. You also need to create a WordPress administrator user and password. You are starting to get a lot of passwords. I suggest you get a password manager like lastpass.com or 1password.com. There is a setting for security in WordPress that is not well explained. It is called database table prefix. Use something not too short, and not too easy to guess. I took a random character and number string of length 6 from my password manager. With this it is much trickier for a hacker to get into your database with SQL injection. The hacker does not even know the names of your tables.

Mail is a bit tricky. You do not want spammers to find it, and they scan all the time. So I opted for setting up the Ubuntu package postfix to use a separate Google account. You are only allowed to use this service if you send fewer than 400 mails a day. If you are getting close to this limit you need to merge mails together and send them as attachments in one large mail.


Octoprint

How to install OctoPrint on Orange Pi

Start a command shell on the Orange Pi. You can do it in two ways.

  1. Connect an HDMI screen to the HDMI output and a USB keyboard and USB mouse to USB
  2. Connect over SSH with PuTTY

If you don't know the IP address of your Orange Pi, you can use Angry IP Scanner to find it, or use your router, which may have a list of clients.

Angry IP scanner ip list

Asus router client list

The name differs a little between the two tools, depending on which protocol they use.

In my case I start PuTTY to 192.168.1.8 for the Orange Pi Prime or 192.168.1.9 for the Raspberry Pi.

The first time you log in to the command line you use root/1234 as user/pass, and have to set a new password for root. Then you have to create a new user with a password. I use pi as user and a password with upper and lower case letters, numbers and control characters. The length should be long enough.

In my case I have to start by switching the keyboard layout to support my Swedish keyboard. You are supposed to use

sudo dpkg-reconfigure keyboard-configuration

for that, but sometimes it does not work as above. One approach that always works is to edit /etc/default/keyboard directly

and then restart.

sudo reboot now

In the command prompt install git, Python, the Python development tools and pip

sudo apt-get install git python python-pip python-dev

Create a directory where you edit source.

mkdir ext-source

Change current directory to the new directory created above

cd ext-source

Clone the source code from GitHub

git clone https://github.com/foosel/OctoPrint.git

Install the tools (as root) that are used by OctoPrint

sudo -H pip install virtualenv setuptools pyyaml

Change to the OctoPrint directory (the clone above creates it with that exact capitalisation)

cd OctoPrint

Set up OctoPrint

sudo -H python setup.py install

Start OctoPrint manually the first time

sudo service octoprint start

Check that OctoPrint is running

sudo service octoprint status

Go to the website with your browser of choice. I have configured OctoPrint to use port 5000.

Orange Pi Prime

I wanted to tinker a little with Orange Pi Prime. I first read the specs and it looked promising. When the board arrived I tried to download the official software, but it was no longer available.

Armbian

https://www.armbian.com/orange-pi-prime/

So I googled around a little and found a Swedish project, "Armbian". However, there were no stable builds so I had to resort to nightly. I selected Ubuntu-xenial-next-nightly.7z. Nightly was not very stable and I had a couple of grinding halts because the update process was not properly polished. And also after a while (24h-ish) the Orange crashed.

If you have a Windows computer you can flash the SD card with Rufus, https://rufus.akeo.ie/. After flashing select safe eject, and you can plug the SD card into the Orange Pi Prime.

Armbian has root/1234 as the first login, but you need to change it at first login. I connected to my TV and started. It was very tricky since a big part of the screen to the left and bottom was outside the rendered area, but I managed to set a password that worked on an American keyboard, and enable SSH.

Updates

The first thing I did was to block Linux updates. The updates are not tested on bleeding edge, and often the dtb directory in /boot was empty, or /boot/Image linked to a non-existent file, or /lib/modules lacked the corresponding subdirectory.

There is a setting in armbian-config (System->Freeze).

However, this setting is not enough.

I have additionally put some more packages on hold so they do not get updates (and then applied the freeze):

echo "<package-name> hold" | sudo dpkg --set-selections

armbian-firmware-full hold
linux-dtb-next-sunxi:armhf hold
linux-dtb-next-sunxi64 hold
linux-firmware hold
linux-headers-4.13.0-17 hold
linux-headers-4.13.0-17-generic hold
linux-headers-4.4.0-101 hold
linux-headers-4.4.0-101-generic hold
linux-headers-next-sunxi64 hold
linux-image-next-sunxi64 hold
linux-source hold
linux-source-4.4.0 hold
linux-u-boot-orangepiprime-dev hold
linux-xenial-root-next-orangepiprime hold

Wifi

Next was to enable wifi so I could place the unit wherever I want. This is done in armbian-config.

Resolv.conf

I must say I do not understand the new name resolving in Linux. In the old days it was enough to add your favourite DNS in /etc/resolv.conf, but that seems to be overwritten with garbage from time to time in newer distributions.

I have a favourite from OpenDNS, but any one that is fast is good. My suggestion is to select the one with the lowest ping time.

/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND — YOUR CHANGES WILL BE OVERWRITTEN

Temporarily I added some nameservers just to get things going.

nameserver 127.0.1.1
nameserver 208.67.220.220 #opendns
nameserver 208.67.222.222 #opendns
nameserver 8.8.8.8 #google
nameserver 8.8.4.4 #google
nameserver 81.228.11.184 #telia in Sweden

According to the documentation it should be replaced with what you place in /etc/resolvconf/resolv.conf.d/base, but that does not seem to be 100% true; I get the first two lines from /etc/resolvconf/resolv.conf.d/tail when Linux decides it is time to update. Gah.

Update

sudo apt-get update

sudo apt-get upgrade

Crashes

It seems like too aggressive memory timing made my board crash. I found a u-boot update (apt-armbian.com/…/5.35) in the Armbian forum that helped me: https://forum.armbian.com/topic/6010-orange-pi-prime-crashes-when-compiling/. After this update my Orange Pi Prime is actually more stable than the memory-leaking Orange Pi PC+.

Octoprint

I want to control my Anet A8 with a web interface, so I opted for OctoPrint.

Go to the compile directory (I am using ext-src)

cd /home/pi/ext-src

You need Python, git and pip:

sudo apt-get install python-dev python-setuptools python-virtualenv git libyaml-dev build-essential
git clone https://github.com/foosel/OctoPrint.git
cd OctoPrint
virtualenv venv
./venv/bin/pip install pip --upgrade
./venv/bin/python setup.py install
mkdir ~/.octoprint


You may need to add the pi user to the tty, dialout and video groups to access the serial ports and video devices:

sudo usermod -a -G tty pi
sudo usermod -a -G dialout pi
sudo usermod -a -G video pi

pi@orangepiprime ~ $ ~/ext-src/OctoPrint/venv/bin/octoprint serve
 * Running on http://0.0.0.0:5000/

Nowadays (Jan 2018) OctoPrint updates itself from git, so there is no need to run git pull.

Security

I do not think OctoPrint should run unprotected on the internet. Someone could set your house on fire. I am using an Apache forward proxy on my Linux server, enforce SSL encryption, and use a good password for the OctoPrint user.
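As an added example (not the post's own configuration), this is an Apache virtual host of the kind described: TLS terminated by Apache, an HTTP basic-auth login in front of OctoPrint's own login, and the printer reachable only through the proxy. The hostname octoprint.example.com, the certificate paths and the htpasswd file are placeholders, and it assumes OctoPrint has been configured to listen only on 127.0.0.1:5000 on the same host.

```apache
# Added example, not the post's own config. Requires mod_ssl, mod_proxy,
# mod_proxy_http, mod_proxy_wstunnel, mod_rewrite, mod_auth_basic and
# mod_headers to be enabled. Hostname, cert and htpasswd paths are placeholders.

<VirtualHost *:80>
    ServerName octoprint.example.com
    # Never serve the printer over plain HTTP; send everyone to TLS.
    Redirect permanent / https://octoprint.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName octoprint.example.com

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/octoprint.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/octoprint.example.com.key

    # Extra login in front of OctoPrint's own user login (placeholder file,
    # created with htpasswd). A guessed OctoPrint password alone is not enough.
    <Location />
        AuthType Basic
        AuthName "Printer"
        AuthUserFile /etc/apache2/octoprint.htpasswd
        Require valid-user
    </Location>

    # OctoPrint's push channel is a websocket under /sockjs/; hand Upgrade
    # requests to mod_proxy_wstunnel and everything else to plain HTTP proxying.
    # OctoPrint itself is assumed to listen only on 127.0.0.1:5000.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*) ws://127.0.0.1:5000/$1 [P,L]
    ProxyPreserveHost on
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
    # Let OctoPrint know the client came in over TLS so generated URLs use https.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog ${APACHE_LOG_DIR}/octoprint-error.log
    CustomLog ${APACHE_LOG_DIR}/octoprint-access.log combined
</VirtualHost>
```

Check the result from outside the LAN with a browser: port 5000 should be unreachable directly, and the hostname should answer only on 443 after a redirect from 80.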

 

Marlin firmware for Anet A8

How to set up new firmware for your 3D printer.

Marlin has a couple of prerequisites.

Step 1) You need the Arduino IDE. I used 1.8.5 as downloaded from https://www.arduino.cc/en/Main/Software. Install it to your documents or similar. I used OneDrive so I can reach the same configuration from all my PCs.

Step 2) You also need the Marlin firmware. Grab the zip file for "latest release" from http://marlinfw.org/meta/download/ and expand it inside the Arduino install. Currently it is version 1.1.8.

Marlin has a very flat file structure (this is going to change). There are some subdirectories.

Step 3) Change directory to Marlin\example_configurations\Anet\A8 and copy both files. Place them in the same folder as the Marlin.ino file.

Step 4) Now you have some settings for the Anet A8. But for the code to build correctly you also need the Anet board configuration. Grab the zip file from https://github.com/SkyNet3D/anet-board.

Install it into the Arduino hardware subfolder.

 

 

Start your favourite editor. I use VIM 8.0. http://www.vim.org/

Now it is time to edit Configuration.h. That is basically all I have touched for the Arduino changes.

I changed the following lines (since I have mounted the sensor behind the extruder):

#define STRING_CONFIG_H_AUTHOR "(Fredrik Agert 2018)"
#define STRING_SPLASH_LINE2 "build 2018-01-14"
#define CUSTOM_MACHINE_NAME "Anet A8"

#define X_PROBE_OFFSET_FROM_EXTRUDER 10 // X offset: -left +right [of the nozzle]
#define Y_PROBE_OFFSET_FROM_EXTRUDER 55 // Y offset: -front +behind [the nozzle]
#define Z_PROBE_OFFSET_FROM_EXTRUDER 0 // Z offset: -below +above [the nozzle]

#define AUTO_BED_LEVELING_BILINEAR
#define MULTIPLE_PROBING 2
#define FRONT_PROBE_BED_POSITION 85 /* 55 + 15 + margin where the probe is */
#define BACK_PROBE_BED_POSITION 185 /* 220 - margin where the probe is */
#define PRINTCOUNTER

Next you have to save your edits, double click Marlin.ino and start the IDE. Make sure you have selected the correct flasher (Tools->Programmer->AVRISP mkII), unless of course you have a special USBasp, in which case you select USBasp.

Next you have to select the right hardware: Tools->Board (Anet 1.0). It is only visible if you selected the right directory for the download in Step 4).

Connect the computer to the Anet motherboard via USB (AVRISP mkII) or USBasp (USBasp).

After that press download. I had problems on my newer machine (Asus ROG GL702), which I found out once I selected verbose output during compile and download. Avrdude could not flash no matter what manual settings I tried.

Arduino always re-links, no matter what. So grab a cup of coffee. On my old Lenovo X1 Carbon gen 4 it took a couple of minutes.

Enjoy.

 

Updates for Anet A8

The Anet A8 is the cheapest 3D printer you can buy. I bought mine from GearBest, but the customer service there may not be the best. I selected insurance during shipping and I am glad I did, since my printer got lost.

The printer frame itself is made of brittle and swaying acrylic plastic.

They did not think of safety when constructing the printer.

Most of the stuff I have upgraded my Anet A8 with has been things printed from thingiverse.com.

So first things first. The connector for the heatbed is not great and I opted for a MOSFET upgrade for the printer, just to be sure of not burning my motherboard. I searched for "3D Printer Hotbed MOSFET Expansion Module 2pin Lead For Anet A8" on eBay. Thus the high current for the heatbed is moved from the motherboard and its weak connectors to more suitable screw terminals on the MOSFET daughterboard.

     

The PSU seems to be on the small side, and it got hot when the heatbed was turned on, so I added an old 80mm computer fan to cool the PSU. The fan is placed on top of the PSU and connected to the output of the MOSFET to make sure it is running when needed.

The fan needed a fan guard so I tinkered with https://www.tinkercad.com/ and printed one. https://www.thingiverse.com/thing:2742553

The button for changing filament hurt my finger, so I printed a cap.

The cooling fan for the nozzle was whistling, so I replaced it with a half-circular fan as one of the first upgrades.

I needed some hubs for my rolls of filament; I have filament with inner diameters of 49mm, 53mm (most common) and 57mm. https://www.tinkercad.com/things/3xKD85DauHp-filament-holder-53mm-v12 . For the hub I bought 806ZZ ball bearings.

To make the filament flow even better I printed a couple of filament guides.

 

I thought that the cables would wear out by being bent in one place all the time, so I printed some cable chains. https://www.thingiverse.com/thing:1915486 and https://www.thingiverse.com/thing:2104821.

 

I wanted easy access to change filament, so I made the extruder fan removable with magnets (5.1mm x 5.1mm, which I had lying around).

https://www.thingiverse.com/thing:2742533

I moved the z-axis up from the motors, since I wanted support for the upper end of the axis. Here I also added two 608ZZ ball bearings.

I printed a motherboard cover from https://www.thingiverse.com/thing:2742882.

 

I added one Orange Pi Prime for OctoPrint (web interface to control the printer), and another Orange Pi PC+ for timelapse.

I added bed leveling, and updated the firmware to Marlin 1.7.1 to support bed leveling.

 

 

Today I lived without google search

A day without google search

Today I tried a day with Bing and Yahoo search instead of Google search, due to a DNS error at my service provider. The morning started with google.se being down for me.

google-is-down

So I checked if google search was down for anyone else

google-is-up-for-everyone-else

And as expected, Google search was working for everybody else but not for me.

Checking (with Wireshark and traceroute) what had gone wrong showed that my service provider had some serious DNS problems. So I decided to try a day without Google, and what an experience.

tracert showing I cannot reach google.se

My browser, Google Chrome, is integrated with Google search. I always write the first couple of letters of the site I am going to in the search bar, then I press enter and select the top result. This behaviour works well with Google search: I get spell correction if I misspell, and overall a Google search is faster than my typing.

Ok, today the search in a new tab in my browser did not work at all as expected, since Google search was not reachable.

Even though I should have known it did not work, I used it all the time; it is hard for an old man to change a learned behaviour.

Then I pasted the results into a Bing or Yahoo search page and tried it. What I got was a great collection of outdated and irrelevant results; I felt I had time-travelled to the AltaVista days in the 1990s.

altavista_video

Instead of just clicking a top 3 result, I had to browse several pages and then think how I should re-phrase the search. To just go to a newspaper and double check, I had to spell it correctly instead of just searching for the name in a new tab. Instead of getting to sydsvenskan.se I got to "syd" and nothing more, something that would work with Google search.

Höganäs Municipality bad water

An example of something that would have taken five seconds with Google search, and instead took one hour with inconclusive results with Yahoo search and Bing search.

Things I found in social media such as Facebook, Twitter or LinkedIn did not exist in the world outside. I found a warning that the tap water at my mum's place had bacteria and needed boiling, and searched for the official article from Höganäs Municipality that I knew existed, but I found nothing: only warnings of bacteria in water from other places, or old warnings, and only from news media, not from the municipality itself.

What went wrong at Mossack Fonseca (Panama Leak)?

Summary

As you can see in the details below, pretty much everything went wrong. It is astonishing that an economic advisory company can have such low IT security awareness. Everyone that runs any type of software on the web should have regular security training. First-line admin failed: the OS on the leaked server is still today, 2016-04-12, Microsoft Windows Server 2003.

First, the leak began at WordPress

They forgot to check if their add-ons were updated. They should have been using WordFence or a similar tool, and also supervised WordFence. The mail leaked through WordFence. WordFence was running on the same server as email. Mossack Fonseca had two plugins for WordPress to read email. The email credentials for the WordPress plugins were stored in clear text.

According to Süddeutsche Zeitung the leak contained an enormous amount of data. They seem to lack network traffic analysis, for such a big leak to happen.

mossac_fon_2

(Copyright Süddeutsche Zeitung)

Speculation on next step

This chapter is clear speculation, but on a correctly set up server you can only read mail coming to the account that the web server runs as, not other users'. So the intruders must have gotten root access. Root access can be achieved in several ways. It is very simple on a non-supported OS. You just read Microsoft's security advisories from end of support to today and select the simplest one to exploit.

Access elevation in Windows

If you take the Microsoft monthly patch a couple of days late and your server is visible on the internet, you are at risk of being infected. However, they seem to have used the no longer supported Windows Server 2003 and unencrypted mail. No further analysis needed. You should never use a non-supported OS on the internet.

Below is a screenshot from www.netcraft.com

mossfon1

microsoft

Microsoft concludes this article with the ad on its home page. I am not a Microsoft fan-boy, but in the case of Mossack Fonseca I agree with the following statement from Microsoft: "Migration is worth it".

Conclusion

I had written a long text here on authorization, because you can fail with security on a supported Microsoft platform as well as a supported Linux platform. But in this case we do not need to dig deep. As an intruder you just read all the Microsoft security bulletins since end of support and select the easiest one to exploit.

 

Samba and IPTABLES.


Samba should drop all but local accesses. The default should be to drop all access to SMB, and make exceptions for local sites.

Preparation

Samba should log enough for you to be able to check sanity. First change the /etc/smb.conf file to have debug level 2 (to log failed authentication attempts). Also set the log name to the IP address, if you do not know by heart all NetBIOS names in your network.

#Debug level 2 means log failed attempts

Debug level = 2

#%m is NetBIOS name, %M is DNS name, %I is IP address

log file = /var/log/samba/log.%I

In my case the clients do not have any DNS names, and I can use %M as well.

The purpose of this change is to make it easier to detect which computer attempts to connect to your Samba share.

Chains

127.0.0.1 is the IP address for localhost and in my case 192.168.1.0 is the local network.

Chain INPUT

#for UDP and TCP on ports 137-139,445 allow local addresses
#(a comma-separated port list needs the multiport match)
iptables -A INPUT -p udp -m multiport --dports 137,138,139,445 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 137,138,139,445 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138,139,445 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 137,138,139,445 -s 192.168.1.0/255.255.255.0 -j ACCEPT

#for UDP and TCP on ports 137-139,445 drop the packet
iptables -A INPUT -p tcp -m multiport --dports 137,138,139,445 -j DROP
iptables -A INPUT -p udp -m multiport --dports 137,138,139,445 -j DROP

Test it from the server

$sudo iptables -L -n

 

target     prot opt source               destination
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            state NEW tcp dpt:137,138,139,445
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            state NEW udp dpt:137,138,139,445
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:137,138,139,445
ACCEPT     udp  --  127.0.0.1            0.0.0.0/0            udp dpt:137,138,139,445

Test from any client that you can connect.

Test with your phone that you cannot connect from the internet.

Android: Download Network Mapper. Before Network Mapper can be useful it needs to download the nmap binary.

Network Mapper: check internet, check LAN

Success. On the intranet I have all ports open for Samba (137, 138, 139 and 445), and on the internet I have all those ports closed.

 

Persistent

 

See the old post

 

 

 

Afterwork

There is one weakness in this way of protecting the Samba server, and that is that the log files are only read by fail2ban at start. If an intruder tries to access my Samba site I will not see it unless I restart the server. So I have added the following to run once a week in my crontab. So on Mondays I get a mail showing all the log files in the Samba log directory, and I can see directly that only allowed IP addresses are logged, and no intruders.

sudo crontab -e

 

# at 01:01 on mondays

1 1 * * 1 /bin/ls /var/log/samba
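The weekly listing above relies on a person eyeballing file names. As an added example (not the post's own script), the shell function below does that check automatically: because smb.conf uses log file = /var/log/samba/log.%I, each client gets a log file named after its IP address, so any file whose address is outside the allow list (192.168.1.0/24 and 127.0.0.1 here) is a client that got past the firewall. The sample directory is constructed inline so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original post. Reports Samba per-client log
# files (log.<ip>) whose address is not on the allow list.

# ip_allowed IP RULE...  -> 0 if IP matches a rule, 1 otherwise.
# Rules are either a /24 network (192.168.1.0/24) or a single host address;
# matching is done on the dotted-quad prefix, which is enough for /24 and /32.
ip_allowed() {
    ip=$1
    shift
    for rule in "$@"; do
        case "$rule" in
            */24)
                prefix=${rule%.*/24}.          # 192.168.1.0/24 -> 192.168.1.
                case "$ip" in "$prefix"*) return 0 ;; esac ;;
            *)
                [ "$ip" = "$rule" ] && return 0 ;;
        esac
    done
    return 1
}

# samba_foreign_clients DIR RULE...  -> prints "<ip> <log lines>" for every
# log.<ip> file in DIR whose ip is not allowed; prints nothing when all is well.
samba_foreign_clients() {
    dir=$1
    shift
    for f in "$dir"/log.*; do
        [ -f "$f" ] || continue
        ip=${f##*/log.}
        # skip files not named after an IPv4 address, e.g. log.smbd / log.nmbd
        case "$ip" in *[!0-9.]*) continue ;; esac
        if ! ip_allowed "$ip" "$@"; then
            printf '%s %s\n' "$ip" "$(wc -l < "$f" | tr -d ' ')"
        fi
    done
}

# Constructed sample directory standing in for /var/log/samba: three LAN
# clients plus one foreign address (203.0.113.9, a documentation range).
SAMPLE_DIR=$(mktemp -d)
for client in 127.0.0.1 192.168.1.23 192.168.1.77 203.0.113.9; do
    printf '[2018/01/15 01:01:00.000000, 2] check_ntlm_password: client %s\n' \
        "$client" > "$SAMPLE_DIR/log.$client"
done
printf 'smbd daemon log\n' > "$SAMPLE_DIR/log.smbd"
printf 'line\nline\n' >> "$SAMPLE_DIR/log.203.0.113.9"   # two more attempts

# Same allow list as the iptables rules in the post.
report() {
    samba_foreign_clients "$SAMPLE_DIR" 192.168.1.0/24 127.0.0.1
}
report
```

In the weekly cron job, point the function at /var/log/samba instead of the sample directory; cron mails the output, so an empty mail means no foreign client reached Samba.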