I'm currently observing a lot of brute-force attacks trying to get access to my WordPress installation. Fortunately, I was aware of such cranks when I installed WordPress, and now I want to share my technique for keeping them out.
What's the problem?
There are some guys who try to get access to your website's content to distribute even more spam and malware. Since they don't have your credentials they need to guess them. Usually they pick common login names (like `martin`) and popular passwords (like `martin`) and try to log in to your web site. There are lots of possibilities and only a few will work, so they usually need a lot of attempts. To prevent an intrusion you should choose an uncommon user name and a strong password (not only for your WordPress installation!). Nevertheless, there is still a chance of guessing the credentials, so you'll sleep much better if you make sure that an attacker cannot even reach the login form.
Deny access to wp-login.php
The access rule I use, included in a vhost or in an `.htaccess` file, only allows connections from `220.127.116.11` to `wp-login.php`. All other requests are redirected to `/`. You need the Apache host-based access-control module: it was called `mod_access` on Apache 1.3, is `mod_authz_host` on 2.2, and on 2.4 the old `Order`/`Allow`/`Deny` syntax only works with `mod_access_compat` loaded. For more information take a look at that module's documentation. Other web servers like nginx or lighttpd have similar solutions. (And I hope even Microsoft's web server is able to do such basic stuff without much configuration overhead, but I'm too busy to read Microsoft documentation…)
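As an added example (my own illustration, not the snippet from the original post), this is such a rule in Apache 2.2 syntax, with the 2.4 equivalent commented below it. The address is the one from the text; `www.example.com` is a placeholder for your own host name.

```apache
# Added example: allow wp-login.php only from one client address.
# Apache 2.2 (mod_authz_host); inside an .htaccess file this needs "AllowOverride Limit".
<Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    Allow from 220.127.116.11
    # A full URL (rather than a local path) makes Apache answer the 403 with a
    # 302 redirect to it, which is the "forwarded to /" behaviour described above.
    # www.example.com is a placeholder for your own host name.
    ErrorDocument 403 http://www.example.com/
</Files>

# The same rule in Apache 2.4 syntax (mod_authz_core). The Order/Allow/Deny
# directives above only work on 2.4 if mod_access_compat is loaded.
#
# <Files "wp-login.php">
#     Require ip 220.127.116.11
#     ErrorDocument 403 http://www.example.com/
# </Files>
```

For the dynamic-IP workaround described next, replace the client address with the server's own public address, because connections through the SSH tunnel originate from it. Two caveats: this only covers the login form, and `xmlrpc.php` also accepts credentials, so give it the same treatment if you don't use it; and if you extend the rule to the whole `wp-admin` directory, keep `admin-ajax.php` reachable when your theme or plugins use it for anonymous visitors.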
Workaround for dynamic IPs
As long as you're editing your articles from a static IP everything is fine. But what if you're cursed with NAT or a dynamic address? Indeed, it will be very annoying if you always have to adjust this config in order to log into your WordPress management interface! Fortunately, there is a small workaround if you have SSH access to that server. Simply restrict access to the file to connections from the server's own IP. Thus, only connections coming from the server itself are able to log in. To get such a connection you set up a tunnel to your server using SSH, which provides a SOCKS proxy:
This command creates a tunnel from your local system to `your.web.server`. Connections to port `8765` on your local system are forwarded through the SSH session and leave the server with the server's own address, hence requests to `wp-login.php` through the tunnel are allowed. From now on only users with access to the server (physically or via SSH) are allowed to reach your WordPress login page.
There's only one restriction left: you need to SSH to your server and configure your browser to use this SOCKS proxy before you can access WordPress. I recommend FoxyProxy for that.
Ok, let's make sure the config works. Try to access `wp-login.php` from an IP that is not allowed to access this file, e.g. with curl. Since I'm not allowed to access this page I get a 302 and am redirected to `/`.
Ok, what happens if I connect from an allowed host? Excellent, 200 == allowed!
If you want to verify the proxy connection with curl, pass it the additional parameter `-x socks5://127.0.0.1:PORT`. Great, everything's fine :D
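The tunnel and the two checks, as an added example (my script, not the commands from the original post). It assumes the placeholder names from the text: host `your.web.server`, local SOCKS port `8765`, and an SSH user `martin`; nothing touches the network unless `RUN_CHECK` is set.

```shell
#!/bin/sh
# Added example: open the SOCKS tunnel and verify the wp-login.php lockdown
# from both sides. Assumed names: your.web.server, SSH user martin, port 8765.
set -eu

WP_HOST=${WP_HOST:-your.web.server}
SOCKS_PORT=${SOCKS_PORT:-8765}

# SOCKS5 proxy on 127.0.0.1:$SOCKS_PORT whose connections leave from the server
# (-N: no remote command, -f: background once the tunnel is up).
open_tunnel() {
    ssh -f -N -D "127.0.0.1:$SOCKS_PORT" "martin@$WP_HOST"
}

# Print only the HTTP status for URL $1, optionally via the SOCKS port in $2.
# Redirects are not followed, so a 302 is reported as such.
http_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null --max-time 10 -w '%{http_code}' \
            -x "socks5://127.0.0.1:$2" "$1"
    else
        curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
    fi
}

# The contract of the lockdown: outsiders get the 302 to / and never see the
# form, the tunnel gets the form (200). Pure function, usable without network.
lockdown_verdict() {
    direct=$1 tunneled=$2
    if [ "$direct" = 302 ] && [ "$tunneled" = 200 ]; then
        echo ok
    elif [ "$direct" = 200 ]; then
        echo "FAIL: wp-login.php is reachable without the tunnel"
    else
        echo "FAIL: direct=$direct tunneled=$tunneled"
    fi
}

if [ -n "${RUN_CHECK:-}" ]; then
    open_tunnel
    url="http://$WP_HOST/wp-login.php"
    lockdown_verdict "$(http_status "$url")" "$(http_status "$url" "$SOCKS_PORT")"
fi
```

Run it with `RUN_CHECK=1` from a machine that is not whitelisted; "ok" means the rule behaves as described above. The first FAIL branch is the one you care about: a 200 without the tunnel means the `<Files>` rule is not being applied (wrong path, `AllowOverride` missing, or the module not loaded).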
Of course you can add similar rules for other web sites or scripts. For example, to restrict access to the whole admin interface of WordPress, add a matching restriction for the admin directory (`wp-admin`).
I'm sure you'll find even more reasonable rules.
KDE maintains a central config defining what to do with certain file types. Unfortunately, in my case the default application for HTML files was an editor (kwrite/kate). I don't know who or what defined this stupid behaviour, but there is a tool called `kcmshell4` to edit the KDE configuration. Hand it the file-associations module as parameter and you'll get a dialog to define a mapping for each known file type. In my case I had to configure okular to open links to HTML pages with konqueror. Hope that helps you to save some time ;-)
encfs is a cryptographic file system (see the encfs website). The principle is very easy: you "bind-mount" one directory (containing the encrypted data) onto another directory (where it appears unencrypted). Thus, you can share the encrypted data and nobody but you can read it. This makes it well suited for cloud services like Dropbox, which trap you with some space in the cloud "for free" but want you to share your private data with them. In a few paragraphs we'll see how to set up encfs for Dropbox, but let's first take a look at the basics.
First of all you have to install encfs. Assuming you're sitting in front of a Debian-based OS, install the `encfs` package. Since encfs is FUSE-based, on releases that restrict `/dev/fuse` the user who wants to use encfs has to be a member of the group `fuse`. You may use the `groups` command to make sure you belong to it.
That's it, now the way to use encfs is paved. Let's say we want to work with our data in `/dir/clear`, while everything is stored encrypted in `/dir/crypt`. Setting up this environment is quite simple, just call `encfs [crypt-dir] [decrypt-dir]` with those two directories. Answer the configuration prompt with `p` (pre-configured paranoia mode) and choose a password. This command creates an encrypted container in `/dir/crypt` and immediately mounts it to `/dir/clear`. Feel free to create some files in `/dir/clear` (your new working directory) and compare this directory with `/dir/crypt`. You'll see that you are not able to make sense of the files in `/dir/crypt` (file names are encrypted as well), unless you're a genius or the setup failed. Thus, it's no issue if anyone else has access to the content in `/dir/crypt`.
To unmount the clear data use `fusermount -u /dir/clear`. To remount it just call `encfs /dir/crypt /dir/clear` again; it will only ask you for the password to decrypt the data.
Of course it's not very convenient to mount the directory manually every time, hence there is a workaround to automount your encfs directories on login. You need to install the PAM module for encfs.
To automatically mount an encfs on login the password for the crypt-fs has to be the same as the password for your user account! That also means the strength of your login password is now all that protects the container, so choose it accordingly. If that's the case, add a line for your directories to the module's configuration. On your next login this directory will automatically be mounted. Very smart!
Using encfs for the cloud
Ok, let's get to the main reason for this article, winking towards Norway ;).
As you might have heard, there are some file hosting services out there, like Dropbox or Ubuntu One. They provide some space in the cloud which can be mounted on different devices, so that your data is synced between your systems.
Unfortunately, most of these services want to read your data. E.g. the Dropbox system wants to store a file used by multiple users only once, which only works if it can recognise identical content. Even if they pretend to assure that nobody is able to read your private data, you all know that this is nearly impossible! So I strongly recommend not pushing critical/private files to this kind of provider unencrypted.
But, tada, you've just learned how to sync your files using the cloud while keeping them private! Let's assume the directory `/home/martin/Dropbox` is monitored by Dropbox. You just need to create two more directories, like `/home/martin/Dropbox/private` (for the encrypted files to be synced) and `/home/martin/Dropbox-decrypt` (for the decrypted view). Mount the first onto the second with encfs and work in `/home/martin/Dropbox-decrypt`. As explained above, feel free to set up an automount using PAM ;-)
Everything in `/home/martin/Dropbox` but not in the `private` directory will be synced unencrypted, so you don't lose the opportunity to share some open data with [whoever], e.g. via web browser.
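The setup described above and the Dropbox layout from this section, as an added example (my script, not the original post's commands). It assumes `encfs` and `fusermount` are installed, uses the directory names from the text as defaults, and only runs encfs itself when `RUN_ENCFS` is set; the two helpers that inspect `/proc/mounts` and the synced directory work without FUSE.

```shell
#!/bin/sh
# Added example: create/mount an encfs volume inside a Dropbox folder and check
# that the synced side really shows no plaintext. Assumes encfs + fusermount.
set -eu

CRYPT=${CRYPT:-/home/martin/Dropbox/private}   # synced: ciphertext only
CLEAR=${CLEAR:-/home/martin/Dropbox-decrypt}   # not synced: plaintext view

# Pure helper: read /proc/mounts on stdin and succeed only if $1 is mounted
# with the encfs FUSE file system.
encfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "fuse.encfs" { found = 1 } END { exit !found }'
}

# Pure helper: read plaintext names on stdin and count how many of them also
# exist verbatim in directory $1. With encrypted file names this must be 0.
leaked_names() {
    n=0
    while IFS= read -r name; do
        [ -e "$1/$name" ] && n=$((n + 1))
    done
    echo "$n"
}

mount_private() {
    mkdir -p "$CRYPT" "$CLEAR"
    chmod 700 "$CRYPT" "$CLEAR"
    # First run: answer "p" (paranoia mode) and choose a password. The volume
    # config ends up in $CRYPT/.encfs6.xml and is synced along with the data.
    # Later runs only ask for the password.
    encfs "$CRYPT" "$CLEAR"
    encfs_mounted "$CLEAR" < /proc/mounts
}

umount_private() {
    fusermount -u "$CLEAR"
}

# After mounting: no name from the clear side may show up on the synced side.
check_private() {
    ls -A "$CLEAR" | leaked_names "$CRYPT"
}

if [ -n "${RUN_ENCFS:-}" ]; then
    mount_private
    echo "plaintext names visible in $CRYPT: $(check_private)"   # want 0
fi
```

Run it with `RUN_ENCFS=1` once the directories exist; `check_private` printing anything but 0 means file-name encryption is off for that volume. The mounted view should not live inside the synced folder, otherwise Dropbox uploads the plaintext too; and `fusermount -u` (or encfs's `--idle` option) before leaving the machine is what actually locks the data.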
Of course, this method comes with some drawbacks:
- It is a bit more work to set up every client before you can start working with your private data (fortunately the overhead is kept within reasonable limits)
- You cannot access these files through the web browser or from your mobile phone (unless your phone comes with encfs support)
- encfs encrypts every file separately, so the provider still sees the number of files, their sizes and every change; and its 2014 security audit (Taylor Hornby's audit of EncFS 1.7) found it weak against an attacker who obtains several versions of the ciphertext over time, which is exactly what a sync provider keeps
All in all, you need to decide on your own how much you trust Dropbox (and the like) and which kind of data you commit to Dropbox unencrypted.
The network time protocol (NTP) is a really smart and useful protocol to synchronize the time of your systems, but even in two-thousand-whatever there are reasons why you need to look for alternatives...
You may now have some kind of »what the [cussword of your choice]« in mind, but I have just been in an ugly situation: all UDP traffic is dropped and I don't have permissions to adjust the firewall. And you might have heard about the consequences of time differences between servers (failing authentication, certificates judged expired, logs you can't correlate). Long story short, there is a good solution to sync the time via TCP, using the Time Protocol (RFC 868) and a tool called `rdate`.
First of all you need another server with a correct time (e.g. NTP synced), which can be reached on port 37. Let's call this server `$MASTER`. To enable the Time Protocol on `$MASTER` you have to enable the time service in (x)inetd. For instance, to enable the TCP service with a current `xinetd` you create a file `/etc/xinetd.d/time` with the service definition.
Such a file may already exist, so you just have to change the value of the `disable` key to `no` and restart xinetd. Still using inetd? I'm sure you'll find your way to enable the time server on your system :)
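As an added example (mine, not the file from the original post), a `/etc/xinetd.d/time` that has the same shape as Debian's stock file, plus one line a practitioner would want: `only_from` limits the unauthenticated service to the client that needs it. `192.0.2.10` is a placeholder for that client's address.

```conf
# Added example: /etc/xinetd.d/time on $MASTER. "disable = no" switches the
# built-in TCP time service on; only_from is not in the stock file and restricts
# who may query it (192.0.2.10 is a placeholder for the client's address).
service time
{
        disable         = no
        type            = INTERNAL
        id              = time-stream
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        only_from       = 192.0.2.10
}
```

After saving the file restart xinetd; the `time-stream` id is what xinetd uses to tell the TCP variant from the UDP one of the same built-in service.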
On the client, which is not allowed to use NTP (wtfh!?), you need to install the `rdate` package.
Just call `rdate` with `$MASTER` as argument to synchronize the time of the client with `$MASTER`.
Since `rdate` immediately corrects the time of your system you need to be root to run this command (with `-p` it only prints the remote time, which is handy for a first test).
Finally, to readjust the time periodically you might want to install a cronjob. Being root, call `crontab -e` to edit root's crontab and append a line that runs `rdate` at a suitable interval.
Last but not least I want you to be aware that the Time Protocol only has a resolution of one second, so this workaround keeps the difference between both systems below roughly 0.5 seconds plus network latency. Beyond all doubt, compared to NTP that's very poor. Nevertheless, 0.5 seconds is much better than several minutes or even hours! Also note that `rdate` steps the clock by default (its `-a` option slews it via adjtime instead), so keep the cron interval short enough that each correction stays small and never jumps the clock backwards by much.
If it is also not permitted to speak to port 37 you need to tunnel your connections, or tell the time server to listen on another, more common port (e.g. 80, 443 or 993), as long as it is not already used by another service. Whatever port you choose, remember that the protocol is unauthenticated: anyone who can reach it and spoof the reply can set your clock, so restrict the server to the clients that need it.
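The exchange `rdate` performs, done by hand, as an added example (my script, not part of the original post). It shows what the Time Protocol actually is: the client connects, the server writes four bytes (big-endian seconds since 1900) and closes, and the client subtracts the 1900-to-1970 offset. It assumes bash (for `/dev/tcp`), `od` and `date`; set `TIME_MASTER` (and optionally `TIME_PORT`, for the alternative-port case above) to run it against a real server.

```bash
#!/bin/bash
# Added example: RFC 868 Time Protocol client in bash, the same exchange rdate
# does on 37/tcp, plus a drift check. Assumes bash, od(1) and date(1).
set -eu

# Seconds from the RFC 868 epoch (1900-01-01 00:00 UTC) to the Unix epoch.
RFC868_OFFSET=2208988800

# The server sends exactly 4 bytes (big-endian seconds since 1900) and closes.
# Read that reply from stdin and print it as Unix time.
rfc868_to_unix() {
    local hex
    hex=$(head -c 4 | od -An -tx1 -v | tr -d ' \n')
    if [ "${#hex}" -ne 8 ]; then
        echo "short or empty reply" >&2
        return 1
    fi
    echo $(( 0x$hex - RFC868_OFFSET ))
}

# Ask host $1 on port $2 (default 37) for its time. The client sends nothing;
# the server answers as soon as the connection is up.
fetch_rfc868_time() {
    local host=$1 port=${2:-37}
    exec 3<>"/dev/tcp/$host/$port"
    rfc868_to_unix <&3
    exec 3<&-
}

# Succeed if |$1 - $2| <= $3 seconds. The protocol's resolution is one second,
# so a tolerance below 1 is meaningless.
drift_ok() {
    local diff=$(( $1 - $2 ))
    [ "${diff#-}" -le "$3" ]
}

if [ -n "${TIME_MASTER:-}" ]; then
    remote=$(fetch_rfc868_time "$TIME_MASTER" "${TIME_PORT:-37}")
    local_now=$(date +%s)
    echo "master says $(date -u -d "@$remote" '+%F %T') UTC, local drift $(( local_now - remote )) s"
    # What "rdate $MASTER" does: step the clock (root only).
    drift_ok "$local_now" "$remote" 1 || date -s "@$remote" >/dev/null
fi
```

The `drift_ok` guard is the part you want in a cron job: it avoids stepping the clock when the difference is already within the protocol's resolution, so the only remaining jumps are real corrections.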
I wanted to publish this summary about wildcards in bash (and similar shells) some time ago, but didn't finish it. Finally it gets published.
The shell treats words or patterns containing a wildcard as a template. The available file names are tested to see whether they fit this template; this evaluation is also called globbing. Let's have a look at a small example, `ls *`: the `*` is replaced by all matching names, and the resulting list of files is passed to the `ls` command (`ls` itself never sees the `*`). This set of files will be used in the following examples.
Encode for a single character: `?`
The question mark stands for exactly one arbitrary character. So if you want to get the four-character names like `aaab`, use a pattern with a `?` in the fourth position.
So you see, the `?` is replaced by exactly one character. That is, neither a shorter name nor a longer one like `aaaa1` will match.
Encode for an arbitrary number of characters: `*`
To match any number of characters you can use the asterisk `*`. It stands for zero or more characters; the only upper bound is the maximum length of a file name, which depends on the file system you're using (255 bytes on most). Adapting the previous snippet you'll now also get the longer names such as `aaaa1`. Note that `*` does not match a leading dot, so hidden files are skipped unless the pattern starts with `.`.
Encode for a set of characters: `[...]`
Most of the common tasks can be done with the previous templates, but there are cases where you need to define which characters may be substituted. You specify this set of characters in brackets; a bracket expression matches exactly one character out of the set, so a set containing only `1` is the same as a literal `1`. A name like `aaaa5` doesn't match a pattern whose set doesn't contain `5`, and btw. the order of the specified characters doesn't matter. And because it would be very annoying to type all 26 letters when you want to match any alphabetic character, you can specify character ranges using a hyphen (`a-z`). Here are some examples:
| Pattern | Matches |
|---|---|
| `[xyz1]` | `x`, `y`, `z` or `1` |
| `[C-Fc-f]` | `C`, `D`, `E`, `F`, `c`, `d`, `e` or `f` |
| `[a-z0-9]` | Any lowercase letter or digit |
| `[^b-d]` | Any character except `b`, `c`, `d` (`[!b-d]` is the portable POSIX spelling; bash accepts both) |
| `[Yy][Ee][Ss]` | Case-insensitive matching of yes |
| `[[:alnum:]]` | Alphanumeric characters, same as `A-Za-z0-9` in the C locale |
| `[[:alpha:]]` | Alphabetic characters, same as `A-Za-z` in the C locale |
| `[[:digit:]]` | Digits, same as `0-9` |
| `[[:lower:]]` | Lowercase letters, same as `a-z` in the C locale |
| `[[:upper:]]` | Uppercase letters, same as `A-Z` in the C locale |
| `[[:space:]]` | Whitespace characters (space, tab etc.) |
Btw. the files that match such a template are sorted (by the collation of the current locale) before they are passed to the command. Two things to keep in mind: ranges like `[a-z]` are interpreted according to the locale as well and may include uppercase letters in some of them, so prefer the `[[:lower:]]`-style classes or set `LC_ALL=C` in scripts; and a matching name that starts with `-` is passed to the command like any other argument and will be taken for an option, so write `./*` or put `--` in front of the pattern.
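All of the above in one runnable form, as an added example (my script, not from the original post). The file names are constructed so that every kind of pattern matches a different subset; `glob` prints exactly the words a command would receive, and the script uses the portable `[!...]` negation and a fixed C locale so the results are the same on any POSIX shell.

```shell
#!/bin/sh
# Added example: exercise ?, *, [...] and character classes against a constructed
# set of file names in a scratch directory.
set -eu
export LC_ALL=C   # fixed collation: predictable sort order and ranges

# Create the constructed sample files in a fresh temp dir and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    for f in aaaa aaab aaac aaaa1 aaaa5 aaaaa Abc.txt yes YES .hidden; do
        : > "$d/$f"
    done
    echo "$d"
}

# Expand pattern $2 inside directory $1 and print the matches one per line, in
# the order the shell would hand them to a command. Prints nothing on no match.
glob() (
    cd "$1"
    # Unquoted on purpose: this is the pathname expansion being demonstrated.
    # A pattern that matches nothing stays literal, so keep only existing names.
    set -- $2
    for m in "$@"; do
        [ -e "$m" ] && printf '%s\n' "$m"
    done
    :
)

# Number of words a pattern expands to (what `ls PATTERN` would receive).
glob_count() {
    glob "$1" "$2" | wc -l | tr -d ' '
}

# Demo: the pattern kinds from the text against the sample set.
d=$(make_sample_dir)
for p in 'aaa?' 'aaaa*' 'aaa[!b-d]*' 'aaaa[[:digit:]]' '[Yy][Ee][Ss]' '*' '.*'; do
    printf '%-18s -> %s\n' "$p" "$(glob "$d" "$p" | tr '\n' ' ')"
done
rm -rf "$d"
```

The last two demo lines show the hidden-file rule: `*` yields nine names and leaves `.hidden` out, while `.*` picks it up (together with `.` and `..`, which is why scripts that mean "all files" usually spell both patterns out).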