If you have a website and you are not implementing some custom security headers, you may want to look into it. These are not set by default and can help protect your site from many types of attack.
To start with, go to https://securityheaders.io/ and scan your site. If you have none of these headers implemented your site will score very poorly. Don’t forget that with these headers we aren’t only protecting our site, but our site visitors as well.
The ones we are going to look at protect against cross-site scripting, malicious content and drive-by downloads, and stop your site from being viewed in an iframe. We will also stop the site advertising server and software details, for example the server build and PHP version. The reasoning for this is not covered here, but if you are interested you can go here and read this brilliant article by @Scott_Helme.
For today we will be concentrating on WordPress installed on a LEMP stack. First we need to back up our config, then open our active config file (yours may be different depending on your setup). Also note that the Strict-Transport-Security header is for https sites only.
sudo nano /etc/nginx/sites-enabled/wordpress
Then in our http server block we add the following (if using https on your site, put the headers in both blocks).
We save the changes, then run the following to test for typos.
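As an added example (not the config from the original post), here is what the headers described above look like in a WordPress server block on nginx. The hostname, document root, certificate paths and PHP-FPM socket are placeholders, and the Debian/Ubuntu `snippets/fastcgi-php.conf` include is an assumption about your LEMP layout.

```nginx
# Added example, not the original post's config. Hostname, paths and the
# PHP-FPM socket are placeholders; adjust them to your own LEMP layout.

server {
    listen 80;
    server_name example.com;                 # placeholder
    root /var/www/html;                      # placeholder WordPress docroot
    index index.php index.html;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # Refuse to be framed by other origins (clickjacking). SAMEORIGIN keeps
    # WordPress's own admin iframes working.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Stop browsers MIME-sniffing a response into something executable,
    # one route for malicious content and drive-by downloads.
    add_header X-Content-Type-Options "nosniff" always;

    # Turn on the reflected-XSS filter in browsers that still have one.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;           # Debian/Ubuntu snippet (assumption)
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;  # placeholder socket path
        # PHP adds "X-Powered-By: PHP/x.y.z"; drop it so the PHP version is not advertised.
        fastcgi_hide_header X-Powered-By;
    }
}

# HTTPS server block: the same headers again (each server block stands on its
# own) plus HSTS, which only belongs on an https site.
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    root /var/www/html;                                   # placeholder
    index index.php index.html;

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder

    server_tokens off;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Tell browsers to use https only for the next year. Enable this only once
    # every host covered by includeSubDomains is served correctly over https.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;           # assumption, as above
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;  # placeholder socket path
        fastcgi_hide_header X-Powered-By;
    }
}
```

After saving, `sudo nginx -t` checks the syntax and `sudo systemctl reload nginx` applies it; `curl -sI https://example.com` shows the headers actually sent, so you can confirm them before re-running the securityheaders.io scan. One nginx caveat worth knowing: `add_header` directives are only inherited from the server block into a location block that has none of its own, so if you later add an `add_header` inside a location (for caching, say), repeat the security headers there too or they will silently disappear for those responses.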
I’ve been meaning to try this out for a while, but I get so carried away with Red Team fun that I neglect my Blue Team skills! I heard a lot about Security Onion so I set about setting up a server.
To get full functionality out of it you will need to set up a mirrored port on your switch or router to ensure you are seeing all the network traffic, but that won’t be covered here. The Security Onion machine needs two adapters: one for remote connection to administer it and to let you download updates from the internet etc., and a second monitoring adapter which connects to your mirrored port.
Initially I wanted to run Security Onion in Hyper-V, however after hours of banging my head against a brick wall I gave up and installed on a physical machine.
The main issue is the way that Hyper-V uses its virtual switches in 2008R2; it seems impossible to run one in full promiscuous mode. I tried numerous PowerShell scripts, but when checking Wireshark there was still traffic missing. VirtualBox allows a real bridged connection to a NIC and is simple to configure for network monitoring; the fact you can’t do this in Hyper-V infuriates me! If anyone knows how to do it please let me know, but in the end I got bored fighting Hyper-V and installed on a physical machine.
The official guide is here:
I use Ubuntu quite a bit, so I wanted to install the Security Onion tools on one of my templated server images rather than download the ISO.
On an Ubuntu server we clear the cached apt package lists, then update:
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
Then we add the stable repo (also found here) and update again.
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
You then need to configure debconf so the MySQL install does NOT prompt for a root password.
echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
Now we can use apt to install the Security Onion Package.
sudo apt-get -y install securityonion-all syslog-ng-core
Before running setup we should have both network adapters connected.
Run setup for the first time:
Follow the prompts and make sure you choose the correct interface when asked which one will be monitored.
Before completing setup we need to check we are seeing all traffic, so fire up Wireshark
Recently I did a test install of Exchange 2016 and ran into a few problems which drove me mad for a while as the issues and symptoms did not give any clue as to how they were eventually resolved!
I did a fresh install on a stand alone Hyper-V Virtual Server with 4000 GB of static RAM, 4 processor cores and a 40GB VHD.
Microsoft recommends a minimum of 8GB for the mailbox role (see here), but I couldn’t believe it would actually need this much on a test server, and I’ve always used way less than the recommended for initial test installs as they will be under no stress at all.
The install seemed to go fine, all the prerequisites were installed by the downloaded media, and the server restarted. On trying to open the web panel I was continually told that there was a memory error and to try again later. I ramped up the RAM 1GB at a time, but I couldn’t log in to the panel until the server had the full 8GB assigned.
After creating my first test mailbox whenever I tried to send an email I received the below error:
“You don’t have permission”? WTF! After going round and round in circles looking at user permissions, believing that I needed to assign user permissions, I found an obscure forum post which pointed me in the right direction. The solution was to remove the secondary DNS entry from the Exchange Server’s network adapter! After removing this and restarting the server the error disappeared.
I was now able to log in and send emails internally and externally, however I was not able to receive emails, either internal or external. I wasn’t getting any bouncebacks which could have given me some information on what was going on; I double-checked my external DNS and MX records but all were correct.
In the end I used the Microsoft Connectivity Tool and this pointed out my issue immediately: the issue was disk space. Even though the Exchange server had only one mailbox and nothing else installed, 40GB wasn’t enough! I checked disk space and there was plenty of room, but after digging a bit deeper it turns out that Exchange needs a percentage of free disk space, so the VHD had to be expanded. Once this was increased I finally had a working Exchange Server. Hope this helps out someone else, as this drove me crazy for a few hours and the errors were not pointing me in the right direction.
It seems barely a week goes by without having to resolve a WordPress issue. I needed to update to version 4.8, so I went to my update panel ready to use the “one click” update, but instead of opening the update page informing me that the site is in update mode it opened to a blank page. After refreshing and returning to the update panel, I disabled all plugins and tried again; now whenever I clicked the update button I was greeted with a message telling me an update was in progress, so I left it expecting that it would eventually complete. However, 12 hours later WordPress was still not updated and clicking the update button gave the same message that an update was already in progress! Restarting the server made no difference. A bit of googling led me to https://wordpress.stackexchange.com/questions/224989/get-rid-of-another-update-is-currently-in-progress so I installed wp-cli using this guide https://www.sitepoint.com/wp-cli/ and tried in vain to carry out those steps. However, I was continually told by wp-cli that wp-config.php did not exist! I checked and this was not the case, so another brick wall! I had already wasted an hour by this point on what should have been a ten minute job. Therefore I simply downloaded the latest WordPress version by running
then (from the same dir)
tar xzvf latest.tar.gz
sudo rsync -avP ~/wordpress/ /var/www/html/
As I had manually created an uploads directory, I had to reassign group ownership to allow me to upload content to that directory, using the following.
sudo chown -R :www-data /var/www/html/wp-content/uploads
Hey presto! We are now running on the latest version, with all existing plugins and content still working. (I double-checked by running wpscan from my Kali box just to be sure I was on the latest version.) Hope this helps someone else out. Don’t forget to back up before running these steps.
I recently had to change the internal IP range of my network, and that included my WordPress hosting server. I thought that I could just update the database and config file and the site would work. Wrong!! The home page would display, but every page and link was broken, there was no formatting and the uploaded content no longer displayed. Also, when trying to log in the site was still trying to access the old URL, as I was accessing the site by IP since it was only a testing site. I never did manage to fix the error despite an hour of my time; in the end I just had to create a new site on the new IP and then copy the content over. If anyone else has come across this and knows how to resolve it please let me know!
Well, I’ve been talking about it for a while, but I finally got around to building an NGINX/LEMP stack. It only took a couple of hours with help from this site https://digitalocean.com/community/tutorials , including the basic hardening config. Will post a tutorial soon!