Nov 202017
 

For the purpose of testing new stuff, it is always handy to have WordPress installation ready. And probably one of the cheapest ways to do so is to use one of virtual server providers – in my case it is Linode.

I won’t be going into specifics of creating server on Linode as it is trivial. Instead, this guide starts at moment your CentOS is installed are you are logged in.

First of all, Linode’s CentOS installation has firewall disabled. As this server will be open to public, enabling firewall is not the worst idea ever:

# systemctl start firewalld

# systemctl enable firewalld

# firewall-cmd --state
running

Next you need to install database:

# yum install -y mariadb-server

To have database running as a separate user, instead of root, you need to add user=mysql in /etc/my.cnf. You can do that either manually or use the following command to the same effect:

# sed -i "/\[mysqld\]/auser=mysql" /etc/my.cnf

Now you can start MariaDB and ensure it starts automatically upon reboot.

# systemctl start mariadb

# systemctl enable mariadb
Created symlink from 

I always highly advise securing database a bit. Luckily, there is a script for that. Going with defaults will ensure quite a secure setup.

# mysql_secure_installation

A good test for MariaDB setup is creating WordPress database:

# mysql -e "CREATE DATABASE wordpress;"

# mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO 'username'@'localhost' IDENTIFIED BY 'password';"

# mysql -e "FLUSH PRIVILEGES;"

With database sorted out, you can move onto installation of PHP:

# yum install -y php php-mysql php-gd

We can start Apache at this time and allow it to start automatically upon reboot:

# systemctl start httpd

# systemctl enable httpd
Created symlink from 

With all else installed and assuming you have firewall running, it is time to poke some holes through it:

# firewall-cmd --add-service http --permanent
success

# firewall-cmd --add-service https --permanent
success

# firewall-cmd --reload
success

If all went well, you can now see welcome page when you point your favorite browser to server IP address.

Now finally you get to install WordPress:

# yum install -y wget

# wget http://wordpress.org/latest.tar.gz -O /var/tmp/wordpress.tgz

# tar -xzvf /var/tmp/wordpress.tgz -C /var/www/html/ --strip 1

# chown -R apache:apache /var/www/html/

Of course, you will need to create initial file – sample is a good beginning:

# cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php

# sed -i "s/database_name_here/wordpress/" /var/www/html/wp-config.php

# sed -i "s/username_here/username/" /var/www/html/wp-config.php

# sed -i "s/password_here/password/" /var/www/html/wp-config.php

# while $(grep -q "put your unique phrase here" /var/www/html/wp-config.php); do
  sed -i "0,/put your unique phrase here/s//$(uuidgen -r)/" /var/www/html/wp-config.php; done

With wp-config.php fields fully filled, you can go to server’s IP address and follow remaining WordPress installation steps (e.g. site title and similar details).

PS: While this is guide for Linode and CentOS, it should also work with other Linux flavors provided you swap httpd for apache.

Nov 152017
 

Sometime you just wanna check how many packets and bytes are transferred via network interface. For my Linode NTP server I solved that need using the following script:

#!/bin/bash

INTERFACE=eth0

LINE_COUNT=`tput lines`
LINE=-1

while true
do
    if (( LINE % (LINE_COUNT-1) == 0 ))
    then
        echo "INTERFACE   RX bytes packets     TX bytes packets"
    fi
    LINE=$(( LINE+1 ))

    RX1_BYTES=$RX2_BYTES
    TX1_BYTES=$TX2_BYTES
    RX1_PACKETS=$RX2_PACKETS
    TX1_PACKETS=$TX2_PACKETS
    sleep 1
    RX2_BYTES=`cat /sys/class/net/$INTERFACE/statistics/rx_bytes`
    TX2_BYTES=`cat /sys/class/net/$INTERFACE/statistics/tx_bytes`
    RX2_PACKETS=`cat /sys/class/net/$INTERFACE/statistics/rx_packets`
    TX2_PACKETS=`cat /sys/class/net/$INTERFACE/statistics/tx_packets`

    if [[ "$RX1_BYTES" != "" ]]
    then
        RX_BYTES=$(( RX2_BYTES - RX1_BYTES ))
        TX_BYTES=$(( TX2_BYTES - TX1_BYTES ))
        RX_PACKETS=$(( RX2_PACKETS - RX1_PACKETS ))
        TX_PACKETS=$(( TX2_PACKETS - TX1_PACKETS ))

        printf "%-7s  %'11d %'7d  %'11d %'7d\n" $INTERFACE $RX_BYTES $RX_PACKETS $TX_BYTES $TX_PACKETS
    fi
done
Nov 102017
 

On my web server I wanted to use a separate directory for my logs. All I needed was to configure ErrorLog and CustomLog directives and that’s it. Well, I did that only to have following error: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

And no, there weren’t any details worth mentioning in systemctl status httpd.service nor journalctl -xe.

To cut long story short, after a bit of investigation I narrowed the problem to SELinux that is enabled by default on CentOS. Armed with that knowledge, I simply transferred security from default log directory to my desired location:

# chcon -R --reference=/etc/httpd/logs/ /var/www/logs/

With that simple adjustment, my httpd daemon started and my logs lived happily ever after.

Nov 062017
 

This version is all about enabling you to quickly see which passwords suck. For this purpose a centralized weak password search has been implemented. Yes, you could see which password is weak even before but it required opening every single account – and that can take a while. This way you get the same information but after a single click.

Additionally, there is an option to check all accounts for breaches at Have I been pwned? site. While password for these accounts might not be compromised themselves, risk is quite increased and changing them is not necessarily the worst idea – let’s not even think about the sites using trivial hashes (like MD5) or no hashing at all. Search is smart enough to verify when exactly you changed your password last time to avoid false positives.

Moreover, if you go into Options, you can enable more thorough search. If selected, you can verify all your passwords (hashed and sent over TLS 1.2) against all exposed passwords. This is not enabled by default (even hidden a bit) because it requires quite a big leap of faith toward Troy and his website. I personally do trust him, but your mileage might vary.

As always, new version is available from Bimil’s page or you can update it through application.