Press "Enter" to skip to content

Category: Life: Work and Techy

Windows: What ports does application/program X have open?

I recently had to help somebody with a Windows 10 based application which offered a “connection” facility (i.e. enter your computer’s IP address and port and the 3rd party system would connect to it), but the application failed to say which port(s) it had open.

Whilst there are a number of ways to view open ports – such as Microsoft’s Sysinternal’s TCPView and NirSoft’s CurrPorts – I wanted to suggest a way which neither required an additional piece of software to be installed and didn’t require administrator access.

Here are the steps to find out what ports application “AppName” has open:

Google Domains closing – current .com domain name prices

I’ve spent a while migrating all of our non-.uk domain names to Google Domains – only for Google to announce that as of September 7th 2023 they are stopping all new domain registrations and moving the public domain registrations over to Squarespace (Google domains managed 9 years before being killed by Google).

We were paying £10/year for .com (and .net and .dev) domain name purchases/renewals with Google – but what are the “current market prices”?

(I was starting to migrate domains over to WordPress (mainly for the free year of renewal), but finding out that they don’t support DNSSEC and that there isn’t an ETA for its implementation means I might have to look elsewhere.)

Domain provider.com price (one year)NotesThanks to
Cloudflare£7.47Price converted from $9.15 USD.
Does support DNSEC.
Domains must use Cloudflare’s authoritative DNS provider.
WordPress£10.00Currently offering free transfer+1 year renewal for domains currently with Google Domains.
Does not support DNSSEC.
ResellerClub£10.44Price converted from $12.79.
Available to resellers only.
Amazon Route 53£10.63Price converted from $13.00
ClouDNS£10.93Price converted from $13.39 USD.
Does support DNSSEC.
Dynadot£10.99
OpenSRS£11.23Price converted from $13.75 USD.
Available to resellers only.
Namecheap£11.40New customer pricing of £4.87. Neil Turner via Mastodon
DNSimple£11.86Price converted from $14.50 USD.
Requires a free subscription.
Does support DNSSEC.
Shopify£12.28Price converted from $15.00 USD.
Might be limited to using Shopify’s platform.
20i£12.49Does support DNSSEC.
Reseller pricing £10.49 (reseller package costs £47.99/month)
OpenProvider£12.76Price converted from $15.58 USD.
Members pricing £8.00 (membership costs $49.99/year)
OVHCloud£12.95First year registration: £10.19
Does support DNSSEC
Hetzner£13.55Price converted from €15.60 EUR.
Hover£14.73Price converted from $17.99 USD
First year registration £13.10.
EasyDNS£15.51Price converted from $19.00 USD.
Squarespace£16.00New provider for Google Domains customers.
First year registration £9.60
Hostgator£16.37Price converted from $19.99 USD
First year registration £10.61.
Joker£16.62
HeartInternet£16.78Advertised prices exclude VAT.
First year registration £11.98
Mythic Beasts£17.40Advertised prices exclude VAT.
Does support DNSSEC.
Jonathan Matthews via Mastodon
Bluehost£18.00Price converted from $21.99.
First year registration £10.91
Ionos£18.00First year registration £1.20.Howard Cheng via Mastodon
Domain.com£18.00Price converted from $21.99.
Network Solutions£20.48Price converted from $25.
I brought my first domain from them in 1998 – NS has been sold 4 times since!
Easily£20.89Advertised prices exclude VAT
123-Reg£20.38Advertised prices exclude VAT.
First year registration £5.99
GoDaddy£21.56Advertised prices exclude VAT.
First year registration £10.78.
Glauca£22.65
Namesco£23.98Advertised prices exclude VAT.
First year registration £11.98
Gandi£23.99First year registration £16.54.Philip John via Mastodon

Disclaimer:

Prices shown in £ GBP/Pound Sterling and are based on publicly available “single year renewal” prices at the date I added them to the table (with any different registration pricing noted).

Where possible, all prices include UK VAT/Tax and have been converted from any other currencies to GBP using Xe.com where the site itself did not provide currency conversion.

I can’t be held responsible for any errors, omissions, out of date information etc etc – I did my best! 😀

Edited 25th September 2023:

  • Add “Thanks” to people who reminded me of certain registries
  • Added Ionos, Mythic Beasts, DNSimple, Amazon Route 53, Easily, Hetzner, Network Solutions, Shopfiy, Domain.com, OVHCloud, Glauca, Joker, Hostgator, OpenProvider, Dynadot and Hover.
  • Added note of DNSSec support and reseller pricing to 20i
  • Corrected ordering placement of Heartinternet
  • Clarified Disclaimer.

ActivityPub for WordPress – How to fix ModSecurity to make it work

Like many people at the moment (due to Elon Musk’s purchase of Twitter), I’m moving from my nearly 14 year old Twitter account @rbairwell to Mastodon where I’m currently at @rbairwell@mastodon.org.uk . I was also pointed towards @pfefferle@mastodon.social‘s WordPress plugin ActivityPub For WordPress which allows me to put my blog directly “on the Fediverse” and allow you to follow it at @richyb@blog.rac.me.uk .

Symptoms / stuck on “Withdraw follow request”

However, after installing it the plugin and then trying to follow my blog, I just got a “Withdraw follow request” prompt in Mastodon – and, even after giving it a few minutes to account for server lag, my follow didn’t show up in WordPress->Users->Followers (Fediverse). If you want, you can just skip to the solution for root users .

Investigation / Mod Security Logs

My initial thought was that it was mod_security (a web-application firewall for the web site) which might be intercepting and blocking the request for security purposes. Turns out I was correct first time! Looking at my cPanel WHM's Security Center->ModSecurity Tools->Hits List, I found out that the requests were being blocked by rule 920420 of the OWASP Core Ruleset which was causing the following messages:

FieldData
Rule id920420: Request content type is not allowed by policy
SeverityCritical
Status403
RequestPOST /wp-json/activitypub/1.0/users/3/inbox
Action DescriptionWarning.
JustificationMatch of “within %{tx.allowed_request_content_type}” against “TX:content_type” required.
Details of the mod_security hit

Searching the mod security audit log for the request URL using grep /wp-json/activitypub/ /var/log/apache2/modsec_audit.log gave me the “incident id/file location”:

blog.rac.me.uk xxx.xxx.xxx.xxx - - [xx/xxx/xxxx:xx:xx:xx +0000] "POST /wp-json/activitypub/1.0/users/3/inbox HTTP/1.1" 403 4077 "-" "-" Y2z65HnPJZ2EEJpVH6GcggAAAA8 "-" /xxxxx/20221110/20221110-1321/20221110-132140-Y2z65HnPJZ2EEJpVH6GcggAAAA8 0 5109 md5:39bb07d5be0cc904943570b3a39fddbc

looking at /var/log/apache2/modsec_audit/xxxxx/20221110/20221110-1321/20221110-132140-Y2z65HnPJZ2EEJpVH6GcggAAAA8 showed me

...
--daee5752-B--
POST /wp-json/activitypub/1.0/users/3/inbox HTTP/1.1
Host: blog.rac.me.uk
...
Content-Type: application/activity+json
...
--daee5752-H--
...
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/activity+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "blog.rac.me.uk"] [uri "/wp-json/activitypub/1.0/users/3/inbox"] [unique_id "Y2z65HnPJZ2EEJpVH6GcggAAAA8"]

Showing me that the ActivityPub protocol makes requests using the Content-type of application/activity+json which isn’t normally allowed with the OWASP Core Ruleset (OWASP CRS/3.3.2).

So how to fix this?

If you do not have root accessto your server, you might just have the option to turn off mod_security totally for your domain which will restore access.

If you do have root access, you’ll be able to view rule 92040in either your control panel (WHM users->Security Center->ModSecurity Tools->Rules List) or in your server at the listed path ( /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf ). However, you’ll find that it lists:

# In case Content-Type header can be parsed, check the mime-type against
# the policy defined in the 'allowed_request_content_type' variable.
# To change your policy, edit crs-setup.conf and activate rule 900220.
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
    "id:1,\
    phase:2,\
    block,\
    capture,\
    t:none,\
    msg:'Request content type is not allowed by policy',\
    logdata:'%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/255/153',\
    tag:'PCI/12.1',\
    ver:'OWASP_CRS/3.3.2',\
    severity:'CRITICAL',\
    setvar:'tx.content_type=|%{tx.0}|',\
    chain"
    SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
        "t:lowercase,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

But not the list of actually content-types allowed. Whilst these are defined in rule 901162 (found by searching for “tx.allowed_request_content_type“), you shouldn’t really modify the “vendor supplied rules”.

it’s best to add your own rule 900220 which is within crs-setup.conf. But it’s not advisable to change that file (in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf on my cPanel server) on cPanel servers as it might get updated/changed by cPanel itself.

Adding the new mod security rule to allow application/activity+json

Therefore, I’ve just created a new rule within mod_security (again WHM->Security Center->ModSecurity Tools->Rules List->Add Rule ) to match it with the additional content type listed:

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/activity+json|'"

Note that the list of content types are separated by spaces, but are actually each enclosed by the pipe symbol – the pipe ( | ) isn’t the separator!

I deployed and restarted Apache and tried to follow myself again, and it all started working (and about 2 minutes after I posted this, it showed up in my timeline)

Hope it helps somebody else!

DNSSec signed Google Apps/G Suite Email

I’ve been using Google Apps, aka Google Workspace aka Google Suite (or just G Suite) for a while now and it’s annoyed me that I was getting “marked down” on e-mail security testers such as Internet.nl and the UK Government’s National Cyber Security Centre (NCSC) Check Your Email Security Service because Gmail for Business (G Suite) didn’t support DNSSEC (Domain Name System Security Extensions) signed MX hosts.

However, I’ve managed to find Google’s DNS Sec settings which – combined with other setups on my main domains – mean I get 4 green ticks from the NCSC, 97% from Internet.nl (I’m let down by Google’s support of old TLS and Ciphers settings and no DANE TLSA records) and all green (apart from DANE) on Hardenize : so nice strong secure email!

Read more: DNSSec signed Google Apps/G Suite Email

Google normally suggest you use the following MX (Mail Exchanger) records in your DNS settings if you use G Suite:

PriorityMail Server (MX Entry)
1ASPMX.L.GOOGLE.COM
5ALT1.ASPMX.L.GOOGLE.COM
5ALT2.ASPMX.L.GOOGLE.COM
10ALT3.ASPMX.L.GOOGLE.COM
10ALT4.ASPMX.L.GOOGLE.COM
The normal suggest Google Suite Email Servers for Businesses

(The records can actually be in any order and the priority can be anything – but Google do recommend that aspmx.l.google.com is set as the “highest priority” which is actually 1)

However, after a bit of searching (using DuckDuckGo and not Google 😉 ), led me to a blog post by Nis Bornoe and Kura the following G Suite DNSSEC signed MX records:

Google’s DNSSEC Signed Mail Servers (MX Entry)
mx1.smtp.goog
mx2.smtp.goog
mx3.smtp.goog
mx4.smtp.goog
Google’s “hidden” DNS SEC Signed MX Records

These domains are hosted on Google owned Charleston Road Registry (CRR)’s .goog top level domain (not to be confused with their .google and .gle brand top-level domains: or the 98 other ones they applied for) and .goog domains can “only be registered to Google Inc and its affiliates” so you’ve got some confidence they are legitimate.

However, whilst myself and Nis and Kura do not seem to have had any problems using these IPv4 and IPv6 supported DNSSEC signed nameservers (and according to DNSlytics and WhoisXMLAPI there are over 930 domains currently using them), they are not officially supported or documented (from what we can find) and have been running since at least 2019 – so they should be reasonably safe to use.

The only “catch” may may be that, for some reason, they do NOT have a reverse DNS (Pointer aka PTR) record setup – which is actually only a problem if those mail servers are use for sending OUT email (not just receiving it) – however, many only testers do assume that your inbound and outbound mail servers are the same. I can confirm, via a test email, that outbound mail goes out via servers such as mail-wr1-f52.google.com which are correctly configured.