Press "Enter" to skip to content

Tag: security

Techy: Nixstats And Cloudflare – Allowing IPs

What is NixStats?

I’m currently trying the NixStats (affiliate link) monitoring tool for servers and websites – mainly because it’s cheap (starts at $0/month for 5 monitors and 1 server, $9.95/month for 10 servers and 25 web monitors) and partially because it’s owned by WebPros. Not heard of WebPros? Me neither until I went digging and found out that not only do they now own NixStats but also cPanel Inc and Plesk (both “rivals” in the web hosting control panel world) – along with a few others(!)

The Problem – Cloudflare’s security being triggered

Anyway – one of the sites I am monitoring using Nixstats is under the Cloudflare system – and because of the frequent monitoring, it may “trip up” Cloudflare’s security features so I needed to “allow list” (aka “white list”) the IP addresses used by NixStats. Luckily, they do provide a list at https://nixstats.com/whitelist.php and https://nixstats.com/whitelist.php?v6 (I’ve got no idea how often these are updated though) – but you can’t simply import these into Cloudflare due to two issues:

  1. One of the IP addresses (in the first list) has a trailing tab character which Cloudflare just rejects as being an invalid IP address. Took me a while to find that!
  2. The IPv6 addresses are not in a format that Cloudflare accepts – they only accept CIDR’d IPv6 address on a /64 or smaller (and if you are not that techy, you are forgiven for not understanding that!).

The solution

So I’ve put together a downloadable CSV file listing all those IP addresses in the “correct format” for you to easily import into Cloudflare’s lists (Cloudflare don’t have an export option 🙁 ).

You can download the file from here but I give no guarantee of accuracy etc etc.

But where in Cloudflare do I use the file?

It’s a two stage operation – first you’ve got to create the list and then you’ve got to setup the firewall rules.

Creating the IP Address List in Cloudflare

  1. Log into your Cloudflare account and get onto the main account screen (i.e. where it lists your individual sites)
  2. On the left hand menu near the bottom, there is an option labelled “Manage Account” – expand that.
  3. Under “Manage Account”, select “Configurations”
  4. On the “Configurations” screen, select “Lists”
  5. Select “Create new list” (free Cloudflare accounts can only create a single list by the way)
  6. Create the list with a name such as “nixstats” and a “Content type” of “IP Addresses”
  7. Edit the list and select “Add items”
  8. Select “Upload CSV” and upload the CSV of IP addresses ,
  9. Click “Add to list” and it should load them into the list.

Setting Cloudflare to use the list

  1. Log into Cloudflare (or, if you are already logged in, click the Cloudflare logo in the top left to return to home)
  2. Select the account of the domain name you are monitoring
  3. In the left hand menu, expand “Security”
  4. Under “Security”, select “WAF” (Web Application Firewall)
  5. Under “Firewall rules” (free accounts get 5 active firewall rules), select “Create firewall rule”
  6. Set a “Rule name” of something like “nixstats”
  7. Under the “When incoming requests match…” heading use the following settings
    • Field: “IP Source Address”
    • Operator: “is in list”
    • Value: “nixstats” (i.e. the list you created above)
  8. Under “Then…” select “Allow”
  9. Click “Deploy firewall rule” and it should take affect.

You’ll need to do this for each account you are monitoring using nixstats.

Techy: How I investigated Counterpath Bria’s licensing issue

On Saturday the 12th of February 2010, myself and many other users of the popular Counterpath Bria VOIP Software started getting the message “The data received from the license server appears to be corrupted. Please try again and if the problem persists, contact Counterpath Support.”, but without any idea of what caused it. Many people contacted Counterpath’s support forums, but as of the time of posting the only official status we have is “It is being investigated”. However, I took it upon myself to try and figure out what had gone wrong and then if I could “work around” the issue.

I knew from the error message that Bria was trying to contact the licensing server to validate the license, so the first step was to investigate what was being transmitted. Luckily, I had the very handy Charles Proxy and after installing its CA Certificate (so Bria didn’t complain about an invalid certificate authority when retrieving the data via Charles), I could see the communicaitons.

Bria made a post to https://secure.counterpath.com/Service/LicensePool.sv/RegisterClientBinding with my license key, a hash of something on my machine, the type of product I’m checking the license for (Bria), the time my computer thinks it is, and identifying hashes of my machine (in particular, hard disk, motherboard and Mac address) – this data is sent to try and reduce “license sharing”. In return, Counterpath sent back the same information, including an expiration date and duration of the license (30 days), instructions to recheck the license after 24 hours and then every 4 hours (+/- 30%), confirmation the license if valid and then they signed the response using an X509 digital signature. Why have they signed it? Well, otherwise it would be reasonably simple for somebody of about my technical knowledge to be able to intercept the SSL stream and modify the data to always have approved licences (and, no, I’m not going to say how I would do this – but I can think of 2 ways straight way).

As all the other data looked correct (Counterpath used descriptive XML tags which did really help in this process: although since it’s just communicating between their servers and their products, I would have personally obfuscation it just for a little more ‘security’: yes, I know “security by obfuscation” isn’t good security practice, but sometimes “every little helps”), I then investigated the X509 certificate. I copied and pasted it into a new text document, called it “x509.crt” and just let Windows’ certificate explorer show be the details – and it was immediately obvious what the fault was. The expiration date on the certificate was dated 2 days ago.

So about 5-10 minutes of investigation and I knew to roll back my computer clock to pre 12th February 2010. Run Bria to get it to reacquire a new license and viola everything working (well, hopefully for 24 hours until the license starts revalidating). I just wish Counterpath had actually provided the “roll back your clock” workaround on their forum: Bria is an excellent product and I’m just disappointed that because somebody dropped the ball and forgot to renew a 2 year old X509 certificate (which would be easily done as that length of time people would have left and the details would have just been forgotten to be passed on), their reputation and good product range may be tainted. I’m guilty myself of letting the SSL certificate on my online dance wear site expire for a couple of days (mainly because the certificate provider wouldn’t let me renew the certificate until after it had expired!) so I know how easily it can be done – I now have a 3 year certificate so it might again happen to me in 3 years time.

What has this taught us: If you use a secure certificate (for your website or code), keep a note of the date it is due to expire and set reminders. Your certificate provider might send you emails to remind you – but don’t rely on them. Communicate with your customers and if a problem could take more than a couple of hours to fix, propose a workaround (such as rolling back your computer’s clock) – they might not like it, but at least you are doing “something”. And signing license files with your own digital signature is a good idea (yep, I bet you weren’t expecting that!) as it stops people easily bypassing it – but just remember to keep your digital signature up to date!

[n.b. might just be worth mentioning that I investigated this all on my own – Counterpath or any third party did not ask me to investigate it. However, within an hour of me posting on their forums with the information I had found, the problem was fixed. Coincidence or were they already waiting for the new certificate to be approved/installed? I don’t know, but I like to speculate 😉 )

Work: 10 Principles of the PHP Masters

I’ve just come across 10 Principles Of The PHP Masters which has the following points (with my commentry added):

1. Use PHP Only When You Need It (Rasmus Lerdorf, creator of PHP)
PHP, like Perl, Javascript, ASP, C, Ruby, Python, C++, C# etc has it’s limitations and is more suitable for some jobs than others. Whilst it’s possibly to run PHP in the web browser, you wouldn’t really want to (as you’ll need to get your visitors to install a PHP interpreter on your machine) – likewise, you wouldn’t use PHP on embedded systems due to its size. However, if you are writing a big web application, you’ll be a masochist if you were to use Perl nowadays (back when I was a Perl web developer creating web applications in Perl – PHP was still in its very early stages) and you’ll be hitting a large performance penalty if you were to get the server to interpret Javascript for each page.
2. Use Many Tables With PHP and MYSQL for Scalability (Matt Mullenweg, creator of WordPress)
If you store a lot of data in a single MySQL (or PostgreSQL) table, then it’s going to take a long time for the server to search through the data to pull up a single row: if you have multiple tables, it’s got a smaller data set to scan
3. Never, ever trust your users (Dave Child, the brains behind Added Bytes – previously ilovejackdaniels)
This isn’t just a PHP issue – never ever trust user input more than you really really need to: otherwise, that way leads to security exploits and it’s best to write secure code. If you’re expecting digits, use preg_replace to remove anything that isn’t a digit, if you’re only expecting letters A-z, then again strip out anything that isn’t a letter. Work on the premise “what do I want to keep” and disregard the rest: I’ve seen people go down the “what do I want to get rid of” route instead and then get most upset when I say “well, what about this character?” and they have to add it to the “get rid of” list
4. Invest in PHP Caching (Ben Balbo, writer on Site Point)
Database calls are more processor/hard drive “expensive” than reading flat files off the hard drive, fetching remote pages is more processor/network intensive than reading them out of a local database (or a hard drive), counting database rows is slow: but reading a “row count” table or flat file isn’t, parsing templates (especially using regular expressions) are slow – reading prepared/precompiled files isn’t. Spot a pattern?
5. Speed up PHP Development with an IDE, Templates and Snippets (Chad Kieffer, author 2 tablespoons)
Personally, I prefer hand coding than using IDEs (Integrated Development Environments) as most of them get in my way: things like auto-closing brackets (I’ve been programming so long that I automatically close them myself – and I don’t want two sets of closing brackets) and within editor debugging usually doesn’t take into account the different environments in use (it’s often I’m developing on Windows XP/Vista, saving the file which is then picked up by a Virtual Machine for testing running Linux and all the appropriate PHP modules before been sent live to a physical Linux machine). However, I may just read his getting started with Eclipse guide.
6. Make Better Use of PHP’s Filter Functions (Joey Sochacki, author Devolio)
Filters (as detailed by Joey) are new on PHP5: so if you’re still writing for PHP4 environments or you can’t guarantee that the server administrator has installed the necessary PECL module – then you’re a bit stuck. I prefer to “roll-my-own” validation/filtering routines anyway – at least I’ll know how they work and not be shocked when bugs in the filter affect my code.
7. Use a PHP Framework (Josh Sharp)
See point 8
8. Don’t use a PHP Framework (Rasmus Lerdorf, creator of PHP)
I prefer not using a framework myself as they tend to be overkill for most tasks, don’t do exactly what’s needed: and, over the years, I’ve got a collection of routines on my hard drives (and memorised!) which do most of the common options. As Rasmus shows in an article, frameworks are also quite slow compared to “pure PHP” – because, of course, it’s a “generic tool” and isn’t optimised for “this” particular scenario.
9. Use Batch Processing (Jack D. Herrington, author of PHP Hacks book)

Why process building stats and things “on the fly” which slows down the user experience – why not run them automatically at 2am? In my previous work, I had to produce a sales commission report of 60+ sales personnel out of a months sales figures (which was several hundred thousand “items” per month) and work out which items attract what commission and what each sales person should receive. Doing that sort of processing and data extraction is slooow (even with a perfectly tuned optimised database) – however, running a batch process overnight which just extracted the sales made in the last 24 hours by each sales person (ignoring ones sold online for example) and store that information in a separate table meant sales reports could be produced within a minute or two instead of an hour or two (it still took a little time as some of the commission data was “dynamic” and had to take certain other things into account).
10. Turn on Error Reporting Immediately (David Cummings, HannonHll)
If you have PHP error reporting turned to the maximum during development (so you get the tiniest little issues highlighted immediately), it’s a lot easier and quicker to find potential issues and resolve them – before it’s deployed to a client. Turning error reporting to just “ERRORS” means you’ll miss the vital warnings which could save your code!

Techy: Handy Security Tips

If you have a new box you want to use for web hosting etc, then here are just a few of the things you can do to help make the box secure. This list is not comprehensive, nor do I take any responsibility for any harm that may come to your server if you use any of these commands. These are mainly “quick reference” commands in case I need them in a rush (for example: we’ve put a box online and need it at least “semi-secured” – we’ll spend a bit more time securing a box then just these commands, but they’re a good starting point)

Run commands as root/su:

Disable telnet
Modify /etc/xinetd.d/telnet (could also be /etc/xinetd.d/telnet and change disable=no to disable=yes

Disable code compilation
Add compiler group: /usr/sbin/groupadd compiler
Move to correct directory: cd /usr/bin
Make most common compilers part of the compiler group chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as

Set access on mysqlaccess chgrp root mysqlaccess
Set permissions chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess

To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 (‘123’ will be different on your installation)