09 December 2017

Your own personal VPN Server

Vultr.com offers cloud-based virtual private servers for as little as $2.50 a month. Decided to spin up one of their VPS machines with 1GB of RAM for $5 a month. That was very reasonable for a publicly accessible machine that can allow some desirable privacy capabilities dedicated for my own use.

Spun the server up with Ubuntu Server 17.10. The process was very simple and fast. The web-based console worked well. That was easy.

Performed the SSH setup from the console. Again, very easy.

Set up the firewall rules to allow the SSH connection and installed the usual fail2ban configuration. All goes well.

Hardened the SSH service as a matter of practice. No defaults to become script-kiddie targets.

The long process was installing OpenVPN and configuring the server for specific settings. No basic defaults and stricter encryption. Generated the client files and downloaded them to the client machines.

Configured the client locally and connected to the VPN server. Connected on the first try. Awesome!

Ran a speed test for my connection. No loss in network speed as provided by the ISP. There goes another positive aspect of the setup.

So, for $5 a month, you can get your own VPN server for accessing the Internet. You can configure your phones, laptops, tablets and computers to use the VPN connection. It's not free VPN, but it's fast and it's private.

Technical Notes:
OpenVPN runs a TLS control channel in which X.509 certificates authenticate the server (and, with client certificates, the client) and negotiate the keys that encrypt the data channel. You can connect a device to public WiFi and everything between that device and your VPS is encrypted, so your traffic isn't easy to eavesdrop on when you are out and about. Keep in mind the protection ends at the VPS: traffic leaves it toward the Internet exactly as the application sent it, so the VPN hides it from the coffee-shop network, not from the sites you visit.

Configuring OpenVPN had a few caveats that required some Google lookups to find corrections for. The certificate setup was the odd part. To summarize, use KEY_ALTNAMES instead of KEY_ALTNAME so openssl doesn't give you the error on line 198.

Another caveat is to use proto udp for the OpenVPN server service. With proto tcp it failed in this setup.

Overall, the VPS cloud servers from Vultr.com are a good deal. I would recommend their services if you're looking to setup your own server.

27 February 2017

Azure and MySQL in App for PHP connections


Microsoft Azure can provide a MySQL instance alongside a web application ("MySQL in App") without ClearDB or a dedicated MySQL server. It is a single database instance that is not meant for heavy production use.

This is great for running Joomla or WordPress. It's also good for developing or deploying PHP-based applications that use MySQL.

The catch is pointing your PHP application at the database. You do not create a database with this option; you connect to the one Azure provides, and Azure hands the app its connection details as an environment variable named MYSQLCONNSTR_localdb, which the code below reads.

Here is some code to establish that database connection:

<?php

// Azure MySQL in App connection string.
// Azure exposes it to the app as the environment variable MYSQLCONNSTR_localdb
// in the form:  Database=...;Data Source=host:port;User Id=...;Password=...

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

foreach ($_SERVER as $key => $value) {
    // Only the variable whose name starts with MYSQLCONNSTR_localdb is of interest.
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }

    // preg_match with a check rather than preg_replace: if a pattern did not
    // match, preg_replace would hand back the whole connection string (password
    // included) as the host name instead of failing.
    if (!preg_match("/Data Source=(.+?);/", $value, $m)) {
        die("MYSQLCONNSTR_localdb has no Data Source field");
    }
    $connectstr_dbhost = $m[1];

    if (!preg_match("/Database=(.+?);/", $value, $m)) {
        die("MYSQLCONNSTR_localdb has no Database field");
    }
    $connectstr_dbname = $m[1];

    if (!preg_match("/User Id=(.+?);/", $value, $m)) {
        die("MYSQLCONNSTR_localdb has no User Id field");
    }
    $connectstr_dbusername = $m[1];

    // Password is the last field, so take everything after it.
    if (!preg_match("/Password=(.+)$/", $value, $m)) {
        die("MYSQLCONNSTR_localdb has no Password field");
    }
    $connectstr_dbpassword = $m[1];
}

// DB connection info
$host = $connectstr_dbhost;
$user = $connectstr_dbusername;
$pwd = $connectstr_dbpassword;
$db = $connectstr_dbname;

....

?>

If you are configuring WordPress, you would set it up like this in wp-config.php:

define('DB_NAME', $connectstr_dbname);
define('DB_USER', $connectstr_dbusername);
define('DB_PASSWORD', $connectstr_dbpassword);
define('DB_HOST', $connectstr_dbhost);


The first part of the code reads the connection string and fills in the host, database, username and password. You then assign those to the variables your own PHP code uses, or use them directly.

You can also rename the variables to whatever names your PHP code already uses and set them inside the foreach statement, eliminating the 'DB connection info' section of this code.
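As an added example (not code from the page or from Azure), here is the same connection-string handling in Python, the way I would check it before trusting it: the string is split into its fields, the password is taken as everything after Password= so it may contain ';' or '=', and a missing field or a missing variable fails loudly instead of quietly leaving a wrong value behind. The sample environment is constructed for the example; the host, port and password values are made up, and only the field names (Database, Data Source, User Id, Password) come from the page.

```python
import re

# Constructed sample of what Azure puts in the app's environment when MySQL in App
# is enabled. The field names match the page; host, port and password are made up.
SAMPLE_ENV = {
    "MYSQLCONNSTR_localdb": "Database=localdb;Data Source=127.0.0.1:49402;User Id=azure;Password=s3cr;et=x",
    "PATH": "/usr/bin",
}

REQUIRED_FIELDS = ("Database", "Data Source", "User Id", "Password")


def parse_mysql_connstr(connstr):
    """Parse 'Key=Value;Key=Value;...' into a dict.

    Password is the last field, so everything after 'Password=' is the password;
    that keeps a ';' or '=' inside it from being split (the page's regex relies on
    the same ordering). A missing required field raises instead of returning junk.
    """
    fields = {}
    m = re.search(r"(?:^|;)Password=(.*)$", connstr)
    if m:
        fields["Password"] = m.group(1)
        connstr = connstr[:m.start()]   # strip the password before splitting on ';'
    for segment in connstr.split(";"):
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError("malformed segment %r in connection string" % segment)
        fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError("connection string is missing: " + ", ".join(missing))
    return fields


def find_connstr(environ):
    """Return the MYSQLCONNSTR_localdb value, or None if MySQL in App is not enabled."""
    for key, value in environ.items():
        if key.startswith("MYSQLCONNSTR_localdb"):
            return value
    return None


def has_mysql_in_app(environ):
    return find_connstr(environ) is not None


def db_settings(environ):
    """Turn the environment into the host/port/name/user/password a PHP app needs."""
    connstr = find_connstr(environ)
    if connstr is None:
        raise RuntimeError("MYSQLCONNSTR_localdb is not set; enable MySQL in App first")
    fields = parse_mysql_connstr(connstr)
    host, _, port = fields["Data Source"].partition(":")
    return {
        "host": host,
        "port": int(port) if port else 3306,   # MySQL default port when none is given
        "name": fields["Database"],
        "user": fields["User Id"],
        "password": fields["Password"],
    }


if __name__ == "__main__":
    import os
    env = os.environ if has_mysql_in_app(os.environ) else SAMPLE_ENV
    shown = dict(db_settings(env))
    shown["password"] = "*" * len(shown["password"])   # never print the real one
    print(shown)
```

Run on the real App Service it reads os.environ; anywhere else it falls back to the constructed sample, and the password is masked before printing.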


16 February 2017

Firefox 40.1 and WordPress attacks


There are many attempts to brute force the WordPress login page, even against websites that are not running WordPress.

Looking at an Apache access log, entries like these turn up again and again:

187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


All of these probes for the WordPress login page have one thing in common: the User-Agent string claims to be Firefox 40.1.

That makes them easy to block in an .htaccess file.

Here is an example of an .htaccess file to block many of these tools and robots:


## No directory listings
IndexIgnore *

## Can be commented out if it causes errors on your host.
Options +FollowSymLinks
Options -Indexes

## Mod_rewrite in use.
RewriteEngine On
RewriteBase /


## Block Hacking Tools and Miscreant bots by User-Agent
## SetEnvIfNoCase tests a case-insensitive, unanchored regex against the header.
# Empty User-Agent, or a literal "-"
SetEnvIfNoCase User-Agent "^-?$" scum
# wp-login botnet User-Agent (Firefox 40.1 never existed)
SetEnvIfNoCase User-Agent "Firefox/40.1" tool
# ZED User-Agent (Firefox/39.0) and others: all versions of Firefox prior to
# 40.0 are blocked (the optional [1-3] keeps 40.x and later out of the match)
SetEnvIfNoCase User-Agent "Firefox/[1-3]?[0-9]\.[0-9]" tool
# BurpSuite spider User-Agent. Caveat: Trident/5.0 is also the engine token
# sent by real Internet Explorer 9 browsers, so this blocks those users too.
SetEnvIfNoCase User-Agent "Trident/5.0" tool
SetEnvIfNoCase User-Agent "Arachni" tool
# Ruby-based web scraper
SetEnvIfNoCase User-Agent "Mechanize" tool
SetEnvIfNoCase User-Agent "Nikto" tool
SetEnvIfNoCase User-Agent "scrapy-redis" tool
SetEnvIfNoCase User-Agent "SQLmap" tool
SetEnvIfNoCase User-Agent "Vega" tool
SetEnvIfNoCase User-Agent "Wget" tool
SetEnvIfNoCase User-Agent "wpscan" tool

# Crawlers and SEO bots that bring nothing but load
SetEnvIfNoCase User-Agent "360Spider" scum
SetEnvIfNoCase User-Agent "AhrefsBot" scum
SetEnvIfNoCase User-Agent "ADmantX" scum
SetEnvIfNoCase User-Agent "Blexbot" scum
SetEnvIfNoCase User-Agent "Buzzbot" scum
SetEnvIfNoCase User-Agent "CRAZYWEBCRAWLER" scum
SetEnvIfNoCase User-Agent "DomainCrawler" scum
SetEnvIfNoCase User-Agent "Ezooms" scum
SetEnvIfNoCase User-Agent "GetIntent" scum
SetEnvIfNoCase User-Agent "GrapeshotCrawler" scum
SetEnvIfNoCase User-Agent "ias_crawler" scum
SetEnvIfNoCase User-Agent "James Bot" scum
SetEnvIfNoCase User-Agent "linkdexbot" scum
SetEnvIfNoCase User-Agent "ltx71" scum
SetEnvIfNoCase User-Agent "MaxPointCrawler" scum
SetEnvIfNoCase User-Agent "MJ12bot" scum
SetEnvIfNoCase User-Agent "proximic" scum
SetEnvIfNoCase User-Agent "Qwantify" scum
SetEnvIfNoCase User-Agent "RU_Bot" scum
SetEnvIfNoCase User-Agent "SEOkicks" scum
SetEnvIfNoCase User-Agent "SemrushBot" scum
SetEnvIfNoCase User-Agent "seoscanner" scum
SetEnvIfNoCase User-Agent "SiteExplorer" scum
SetEnvIfNoCase User-Agent "SISTRIX" scum
SetEnvIfNoCase User-Agent "SurdotlyBot" scum
SetEnvIfNoCase User-Agent "TestiTest1" scum
SetEnvIfNoCase User-Agent "UptimeRobot" scum
SetEnvIfNoCase User-Agent "XoviBot" scum
SetEnvIfNoCase User-Agent "YFF35" scum

# Apache 2.2 syntax (also works on 2.4 when mod_access_compat is loaded)
Deny from env=tool
Deny from env=scum
# On Apache 2.4 without mod_access_compat use the Require form instead:
# <RequireAll>
#     Require all granted
#     Require not env tool
#     Require not env scum
# </RequireAll>
## End - Hacking and Miscreant block
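As an added check (not part of the original page), the following Python replays the User-Agent rules above against a few constructed Apache combined-log lines, so you can see which requests the Deny rules would have caught before you deploy them. The addresses and lines are made up for the example (only the Firefox/40.1 agent string is the one from the log above); SetEnvIf does an unanchored search and the NoCase form ignores case, so re.search with re.I is the equivalent, and only a subset of the bot names is included. The IE9 line shows the Trident/5.0 false positive.

```python
import re

# Constructed sample of Apache combined-log lines (addresses from the RFC 5737
# documentation ranges); the Firefox/40.1 agent string is the one from the log above.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.5 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.7 - - [15/Feb/2017:10:13:01 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
198.51.100.9 - - [15/Feb/2017:10:13:07 -0700] "GET /robots.txt HTTP/1.1" 200 28 "-" "-"
192.0.2.33 - - [15/Feb/2017:10:14:10 -0700] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
192.0.2.44 - - [15/Feb/2017:10:15:00 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0"
"""

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The SetEnvIfNoCase rules from the .htaccess above as (regex, env) pairs.
# SetEnvIf does an unanchored search and the NoCase form ignores case, so
# re.search with re.I reproduces it. Only some of the bot names are listed.
UA_RULES = [
    (r"^-?$", "scum"),                        # empty or "-" User-Agent
    (r"Firefox/40\.1", "tool"),               # the wp-login botnet
    (r"Firefox/[1-3]?[0-9]\.[0-9]", "tool"),  # Firefox 1.x .. 39.x
    (r"Trident/5\.0", "tool"),                # Burp's default UA, but also real IE9
    (r"Arachni|Mechanize|Nikto|scrapy-redis|SQLmap|Vega|Wget|wpscan", "tool"),
    (r"AhrefsBot|MJ12bot|SemrushBot|UptimeRobot", "scum"),
]
COMPILED_RULES = [(re.compile(pattern, re.I), env) for pattern, env in UA_RULES]


def parse_line(line):
    """Split one combined-log line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Return the set of env names the rules would set for this User-Agent.

    Every matching SetEnvIf rule fires, so this collects all of them rather than
    stopping at the first; an empty set means the request is allowed."""
    return {env for rx, env in COMPILED_RULES if rx.search(ua)}


def audit(log_text):
    """Return (decision, ip, path, ua) per parsable line, decision being
    'allow' or 'deny:<env names>', as 'Deny from env=' would have decided."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        envs = classify_ua(rec["ua"])
        decision = "deny:" + ",".join(sorted(envs)) if envs else "allow"
        rows.append((decision, rec["ip"], rec["path"], rec["ua"]))
    return rows


if __name__ == "__main__":
    for decision, ip, path, ua in audit(SAMPLE_LOG):
        print("%-10s %-13s %-14s %s" % (decision, ip, path, ua))
```

Point it at a real access log (read the file into audit) and scan the "allow" rows for probes the rules miss and the "deny" rows for browsers you did not mean to block.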



Update 9 Mar 2017:
Further research indicates that these machines are all part of a botnet and that is why they all share the same characteristics. Firefox 40.1 has never existed.
 

27 January 2017

Hackers who hit your website for wp-login.php


Ever noticed hackers trying to break in to WordPress websites, even though your site isn't on the WordPress platform?

Here is a little fun for those hackers who blindly go after WordPress on every website they can find.

This script comes from a GitHub project related to the crashsafari.com website. It pushes 100,000 ever-longer entries into the browser history without ever reloading the page; the bloated history eats memory and really slows down the visitor's computer.

Copy this entire script into a file named secret-login.php. The page title is a distraction for when the page loads.


<!DOCTYPE html>
<html>
<head>
<title>Setting up secret login page... Please wait</title>
</head>
<body>

<?php
// Same distraction as the title: shown while the script below keeps the browser busy.
echo "<br />";
echo "Setting up secret login page... Please wait<p>";
echo "<br />";
?>

<script>
  // Push 100,000 history entries whose URL grows by one more number each time
  // (the crashsafari.com technique). Nothing is reloaded; the ever-growing
  // history is what consumes memory and bogs the browser down.
  var total = "";
  for (var i = 0; i < 100000; i++) {
      total = total + i.toString();
      history.pushState(0, 0, total);
  }
</script>
</body>
</html>


Save this php file to the root of your website, or wherever you like.

In your .htaccess file, add the following lines. RedirectMatch is provided by mod_alias, not mod_rewrite, so it does not actually need RewriteEngine On; the line is harmless if it is already there for other rules:

RewriteEngine On

Here is the good part:

# Swat them suckers away
# Usage: RedirectMatch (pattern) (location of script file)
# Shows up as 302 in the access log and is not case-sensitive
RedirectMatch (?i)wp-(login\.php|admin|content|includes) http://example.com/secret-login.php
RedirectMatch (?i)logo_img\.php http://example.com/secret-login.php
RedirectMatch (?i)xmlrpc\.php http://example.com/secret-login.php
RedirectMatch (?i)admin\.php http://example.com/secret-login.php



The pattern is matched against the entire request path. So, http://example.com/wp-admin/ is caught the same as http://example.com/something/wp-admin/.

The (?i) makes the pattern match case-insensitively. So, WP-LOGIN matches as well as Wp-LOgin or whatever.

The first line matches all wp-login.php, wp-admin, wp-content and wp-includes requests to your website.

The rest of the lines cover more requests from hackers seen in the logs: logo_img.php, xmlrpc.php and admin.php. Add your own file names to the list as you see fit.

They get sent to http://example.com/secret-login.php to suffer from the script above. Keep in mind that the script only bites a real browser; a scanner that does not execute JavaScript just sees a 302 and moves on, which still keeps it away from anything real. Also make sure the redirect target does not itself match one of the patterns, or the 302 will loop.


Obviously, don't use the wp-xxxxxx pattern if you are using WordPress.
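As an added check (not part of the original page), the following Python tries the RedirectMatch patterns above against a handful of constructed request paths and confirms that the redirect target is not itself caught by a rule, which is the one way this setup can go wrong. mod_alias tests each regex against the URL-path with an unanchored search, so re.search is the equivalent; the paths are made up for the example and example.com is the placeholder host from the page.

```python
import re
from urllib.parse import urlsplit

# Where the .htaccess above sends matching requests (example.com as on the page).
SINK = "http://example.com/secret-login.php"

# The RedirectMatch patterns from the .htaccess above. mod_alias tests each
# regex against the URL-path with an unanchored search, so re.search is the
# equivalent; (?i) inside the pattern turns on case-insensitive matching.
REDIRECT_RULES = [
    r"(?i)wp-(login\.php|admin|content|includes)",
    r"(?i)logo_img\.php",
    r"(?i)xmlrpc\.php",
    r"(?i)admin\.php",
]
COMPILED_RULES = [re.compile(p) for p in REDIRECT_RULES]

# Constructed request paths to try the rules against.
SAMPLE_PATHS = [
    "/wp-login.php",
    "/blog/WP-Admin/",
    "/something/wp-content/uploads/x.php",
    "/xmlrpc.php",
    "/phpmyadmin/admin.php",
    "/index.html",
    "/about/",
    "/secret-login.php",
]


def redirect_target(path, sink=SINK):
    """Return the 302 Location for a request path, or None if no rule matches."""
    for rx in COMPILED_RULES:
        if rx.search(path):
            return sink
    return None


def audit_paths(paths, sink=SINK):
    """Pair each path with where it would be redirected (None = served normally)."""
    return [(p, redirect_target(p, sink)) for p in paths]


def creates_loop(sink=SINK):
    """True if the sink's own path is caught by a rule, which would make the
    browser bounce on the same 302 forever instead of ever loading the script."""
    return redirect_target(urlsplit(sink).path, sink) is not None


if __name__ == "__main__":
    for path, target in audit_paths(SAMPLE_PATHS):
        print("%-38s -> %s" % (path, target or "(served normally)"))
    print("redirect loop:", creates_loop())
```

Re-run creates_loop whenever you add a pattern or move the script; a target such as /wp-admin-trap.php would be caught by the first rule and loop.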