Norton ConnectSafe

Not many people realise it, but Norton ConnectSafe is a free service (even if you don't use Norton Security) which works at the DNS level and acts as a first line of defence against cyber threats. It is not a replacement for endpoint protection but complements it well. Full details here: https://dns.norton.com/


Expanding Varnish to Serve Multiple Languages

Varnish is often used with PHP or NodeJS. On my server I run both simultaneously. It's possible to run NodeJS and PHP applications through Nginx and send them to the same Varnish instance by defining different backends. This is done in the Varnish Configuration Language (VCL) and is surprisingly simple. It's also not really talked about much, so here is an example. My setup also serves SSL content, taking care not to cache the management interface, which includes authentication tokens and the like. (I also realise I should call it TLS, not SSL.) To keep it simple, here is a diagram:

Diagram of Nginx, Varnish, PHP and NodeJS on different ports

To make the changes open the following file:

nano /etc/varnish/default.vcl

Below the default backend definition add the following:

backend ghost {
  .host = "127.0.0.1";
  .port = "2368";
}

The above creates a second backend that fetches its content from our Ghost NodeJS app running on port 2368 (as in the backend definition). Our PHP application is served by Nginx, which stays on the default backend.

Finally, in the vcl_recv subroutine we need to tell Varnish which backend to use. Many more advanced methods exist, but here is a simple example that sends requests for the domain howson.me to the Ghost backend and any other site to the PHP backend:

if (req.http.host ~ "howson.me") {
    set req.backend_hint = ghost;
} else {
    set req.backend_hint = default;
}

There we have it: an easy way to use one Varnish instance with multiple languages.
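As an added example (not the post's own configuration), the script below renders a complete default.vcl that does the routing described above and adds the two things a practitioner would want on top of the snippet: the Host match is anchored and has its dots escaped, because `~ "howson.me"` is a regular expression and would also match hosts such as howson.me.example.net, and requests for the Ghost management interface are passed straight through so responses carrying session tokens never land in the cache. The Nginx/PHP port (8080) and the Ghost admin path (/ghost/) are assumptions not given in the post; the Ghost port 2368 is the post's.

```shell
#!/bin/sh
# Added example, not the post's own configuration: render a complete
# /etc/varnish/default.vcl that routes by Host header to the two backends and
# keeps the Ghost management interface out of the cache. Assumed values (not
# given in the post): Nginx/PHP listens on 127.0.0.1:8080 and the Ghost admin
# lives under /ghost/; Ghost on 127.0.0.1:2368 is as in the post.
set -eu

# write_vcl OUTFILE HOSTNAME -- write the VCL that sends HOSTNAME to Ghost.
write_vcl() {
    out="$1"
    host="$2"
    # Escape the dots so the pattern matches the literal hostname, then anchor
    # it: an unanchored `~ "howson.me"` is a regex, so it would also match
    # "howson.me.example.net" or "nothowson.me" and route them to Ghost.
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    cat > "$out" <<EOF
vcl 4.0;

backend default {
  .host = "127.0.0.1";
  .port = "8080";    # Nginx serving the PHP application (assumed port)
}

backend ghost {
  .host = "127.0.0.1";
  .port = "2368";    # Ghost (NodeJS)
}

sub vcl_recv {
  if (req.http.host ~ "^(www\\.)?${host_re}(:[0-9]+)?\$") {
    set req.backend_hint = ghost;
    # The management interface sets session cookies and returns auth tokens:
    # never cache it, or one user's admin response could be served to another.
    if (req.url ~ "^/ghost(/|\$)") {
      return (pass);
    }
  } else {
    set req.backend_hint = default;
  }
  # No return here, so Varnish's built-in vcl_recv still runs and passes any
  # request carrying a Cookie or Authorization header.
}
EOF
}

# check_vcl FILE -- compile-check with varnishd when it is installed; otherwise
# confirm the routing rule is present and anchored.
check_vcl() {
    f="$1"
    if command -v varnishd >/dev/null 2>&1; then
        varnishd -C -f "$f" >/dev/null
    else
        grep -Fq 'set req.backend_hint = ghost;' "$f" &&
            grep -Fq 'req.http.host ~ "^' "$f"
    fi
}

# Usage: VCL_OUT=/etc/varnish/default.vcl sh this.sh howson.me
if [ "${VCL_OUT:-}" != "" ]; then
    write_vcl "$VCL_OUT" "${1:?hostname to route to Ghost}"
    check_vcl "$VCL_OUT"
fi
```

Run it with VCL_OUT pointing at the real file and the hostname as the argument; on a box with Varnish installed, check_vcl compiles the result with varnishd -C before you reload, which catches a typo in the regex rather than discovering it when every request lands on the wrong backend.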

VMware Windows 2000 Virtualisation

I have been virtualising an application that only runs on Windows 2000. I hit a number of problems, including missing files when trying to install VMware Tools. I tried the VMware KB article but found the links were dead, Microsoft having ended support over 4 years ago. Thankfully I managed to get hold of Windows 2000 SP4 and KB835732. I have provided individual downloads below. I have also created a premade ISO which can be loaded into the VM. This is handy if, like me, you don't allow the VM any network or file access, to keep the unsupported platform segregated.

Download Links:

Download Windows 2000 Professional Service Pack 4 Standalone Installer

Download KB835732 Update Standalone Installer

Prebuilt ISO image containing the files above


Method:

I first realised I had an issue when I tried to install VMware Tools and got the following error:

Screenshot showing it was unable to upgrade the installer

I managed to dig out a copy of SP4, so I installed that first, as below (see the download links for a copy).

Screenshot of the SP4 setup wizard

After trying the install again I discovered I also needed KB835732, which relates to security vulnerability MS04-011.

Screenshot showing KB835732 missing

I simply installed this update (again, see the download links) and then rebooted.

Screenshot showing KB835732 installed

Finally I could install VMware Tools.

Screenshot showing the VMware Tools install starting

Once I had completed the installation the drivers kicked in and the OS was in true colour.

Screenshot showing VMware Tools finished and the OS in true colour

Moving a Nessus 6.x Installation

Nessus logo

Today I had to move a Debian-based Nessus installation from a physical machine to a virtual one. After a bit of head scratching I came up with a method. I could not find much on the internet, so here is a guide:

1. Connect to the server you want to copy from. I used FileZilla with secure copy.
2. Install Nessus on the new machine but don't start the service.
3. Ensure the Nessus instance is stopped.
4. Copy the entire /opt/nessus directory and overwrite it.
5. Start Nessus.
6. If you get an error about global.db being corrupted, follow the on-screen instructions to fix it.
7. Release your activation code, if applicable, in the Nessus Support Portal.
8. Run the following: /opt/nessus/sbin/nessuscli fix --reset
9. Run the following: /opt/nessus/sbin/nessuscli fix --register <activation key here>
10. Finally, start the Nessus service.
11. Log in as normal with the same username and password you had set previously.

You will find your entire installation will have been copied over and your license restored.
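The copy and re-licensing steps of the guide above, as an added example script (not the post's own commands). It adds the checks that catch the usual mistakes: overwriting a running scanner, installing a half-transferred tree (a common cause of the global.db error), and losing the fresh install you could fall back to. Assumed: the old /opt/nessus has already been transferred to a staging directory on the new machine, Nessus is installed there, the old activation code has been released in the support portal, and the code is supplied in the NESSUS_KEY environment variable rather than typed on the command line where it would end up in shell history.

```shell
#!/bin/sh
# Added example, not from the post: carry out the copy and re-licensing steps
# with the checks that catch the common mistakes (overwriting a running
# scanner, installing a half-copied tree, losing the fresh install). Assumed:
# the old /opt/nessus has already been transferred to a staging directory on
# the new machine (with SFTP/scp as in the post), Nessus is installed here, the
# old activation code has been released in the support portal, and the code is
# supplied in the NESSUS_KEY environment variable.
set -eu

NESSUS_HOME="${NESSUS_HOME:-/opt/nessus}"

# nessus_running -- true when a nessusd process is alive on this host.
nessus_running() {
    pgrep -x nessusd >/dev/null 2>&1
}

# looks_like_nessus_tree DIR -- sanity-check a staged copy before using it;
# a truncated transfer is the usual cause of the "global.db corrupted" error.
# (The paths checked are the layout of a standard /opt/nessus install.)
looks_like_nessus_tree() {
    d="$1"
    [ -x "$d/sbin/nessuscli" ] && [ -d "$d/var/nessus" ] && [ -d "$d/etc/nessus" ]
}

# install_nessus_tree STAGED -- replace NESSUS_HOME with the staged copy,
# keeping the fresh install aside so the step can be undone.
install_nessus_tree() {
    staged="$1"
    backup="$NESSUS_HOME.fresh-install.bak"
    if nessus_running; then
        echo "nessusd is running; stop it before overwriting $NESSUS_HOME" >&2
        return 1
    fi
    if ! looks_like_nessus_tree "$staged"; then
        echo "$staged does not look like a complete Nessus tree" >&2
        return 1
    fi
    if [ -e "$backup" ]; then
        echo "$backup already exists; remove it before retrying" >&2
        return 1
    fi
    [ -d "$NESSUS_HOME" ] && mv "$NESSUS_HOME" "$backup"
    cp -a "$staged" "$NESSUS_HOME"
}

# relicense -- clear the licence state that came over with the copy and
# register this host with the (already released) activation code.
relicense() {
    : "${NESSUS_KEY:?set NESSUS_KEY to the activation code}"
    "$NESSUS_HOME/sbin/nessuscli" fix --reset
    "$NESSUS_HOME/sbin/nessuscli" fix --register "$NESSUS_KEY"
}

# Usage: NESSUS_MIGRATE=1 NESSUS_KEY=<code> sh migrate.sh /root/nessus-copy
if [ "${NESSUS_MIGRATE:-}" = 1 ]; then
    install_nessus_tree "${1:?staging directory holding the old /opt/nessus}"
    relicense
    service nessusd start
fi
```

The script deliberately does not start Nessus between the copy and the reset as the guide does; if the copy is complete the first start is not needed, and if it is not, the tree check refuses to install it in the first place.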

Fixing Disqus comments when using Cloudflare

Most people, when they find Disqus does not work with Cloudflare because of Rocket Loader, just turn it off. By default it is set to Automatic. There is a solution, though.

Image of the Cloudflare Rocket Loader setting

I have managed to get it working by adding the handy attribute data-cfasync="false" to the script tag. This tells Rocket Loader not to touch that script, so the rest of the site still gets the Rocket Loader benefit without breaking Disqus. Here is a snippet of the Disqus code with the attribute added:

<div id="disqus_thread"></div>
<script data-cfasync="false" type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_config = function () {
    this.page.url = '{{@blog.url}}{{url}}';
    this.page.identifier = '{{post.id}}';
};

This method should work for any script that Rocket Loader breaks. Flush your Cloudflare cache and the problem is solved!

Mail in a box Setup

I have set up nearly every type of server in my time, from ColdFusion to a simple LAMP stack. However, one I have always run a mile from is e-mail. Don't get me wrong, I like the idea of hosting my own e-mail but have never really taken the time to learn about it. I suppose when you can go with something like Google Apps or Office 365 it's a hard offering to beat: you get a lot of features for very little money. When you consider that hosting costs £10 a month and backup servers another £11, it's far cheaper.

The story is starting to change, though. iRedMail has been around for a number of years and makes mail server setup easier, and there is a new kid on the block called Mail-in-a-Box which gives you a fully working setup in one command. There is no way I could mess with my production domain, so I set up a test one to play around with. I'm still playing, but check back soon for a guide.

Ensuring Cloudflare SSL / TLS is secure

You may have seen articles online discussing whether it is secure; Scott Helme wrote a really good one. Here is an easy-to-follow method to ensure it is as secure as possible. We will go through each setting, but in summary:

  • Use SSL in strict mode
  • Use HTTP Strict Transport Security (where full SSL is required)
  • Use TLS 1.2 only (requires business plan)
  • Use TLS origin authentication

When you use SSL / TLS in strict mode you need a valid certificate on the connection between your server and Cloudflare. There are a number of free certificate authorities, including Let's Encrypt and StartCom.

Screenshot of the Strict SSL setting

Where full SSL / TLS is required, also turn on Strict Transport Security, so browsers only ever connect to the site over HTTPS.

Screenshot of the Strict Transport Security setting

If you have a Business plan it is worth turning on the PCI-compliant TLS 1.2-only ciphers.

Finally, use TLS origin authentication. In simple terms, Cloudflare presents a client certificate to the back-end server, which validates it before serving the request. This prevents attackers from sidestepping Cloudflare's protection by connecting to your origin directly.

Screenshot of the TLS origin authentication setting

Before you turn it on you need to set up your web server so it will work. There is a very simple guide on setting it up with Nginx here:

https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls
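As an added example (not from the post or from Cloudflare's guide), the script below writes the Nginx server block that enforces authenticated origin pulls and audits a config for the setting that silently weakens it: ssl_verify_client must be "on", because "optional" only records whether a client certificate was presented and still serves the request, which is exactly the direct-to-origin path the feature is meant to close. The file paths (the origin-pull CA at /etc/nginx/certs/cloudflare-origin-pull-ca.pem, the site certificate and key under /etc/nginx/certs/) and the application port 8080 are assumptions not given on the page.

```shell
#!/bin/sh
# Added example, not from the post or Cloudflare's guide: write the Nginx
# server block that enforces authenticated origin pulls and audit a config
# for the setting that silently weakens it. Assumed paths (not on the page):
# Cloudflare's origin-pull CA saved as /etc/nginx/certs/cloudflare-origin-pull-ca.pem,
# the site certificate/key under /etc/nginx/certs/, and the application on
# 127.0.0.1:8080.
set -eu

# write_origin_pull_conf OUTFILE SERVER_NAME CA_PEM
write_origin_pull_conf() {
    out="$1"
    name="$2"
    ca="$3"
    cat > "$out" <<EOF
server {
    listen 443 ssl;
    server_name $name;

    ssl_certificate     /etc/nginx/certs/$name.crt;
    ssl_certificate_key /etc/nginx/certs/$name.key;
    ssl_protocols       TLSv1.2;

    # Authenticated origin pulls: the connection must present a client
    # certificate signed by Cloudflare's origin-pull CA. Only "on" rejects
    # everything else; "optional" merely records the result and still serves
    # the request, so a direct connection to the origin would bypass Cloudflare.
    ssl_client_certificate $ca;
    ssl_verify_client      on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
    }
}
EOF
}

# audit_origin_pull CONF -- succeed only if client certificates are required.
audit_origin_pull() {
    conf="$1"
    if ! grep -Eq '^[[:space:]]*ssl_client_certificate[[:space:]]+[^[:space:]]+;' "$conf"; then
        echo "$conf: no ssl_client_certificate (origin-pull CA) configured" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on;' "$conf"; then
        echo "$conf: ssl_verify_client must be 'on' (not off or optional)" >&2
        return 1
    fi
    # The directives only take effect inside an ssl-enabled server block.
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl' "$conf"
}

# Usage: ORIGIN_PULL_OUT=/etc/nginx/sites-available/howson.me sh origin-pull.sh howson.me
if [ "${ORIGIN_PULL_OUT:-}" != "" ]; then
    write_origin_pull_conf "$ORIGIN_PULL_OUT" "${1:?server name}" \
        /etc/nginx/certs/cloudflare-origin-pull-ca.pem
    audit_origin_pull "$ORIGIN_PULL_OUT"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t
    fi
fi
```

Turn the Cloudflare setting on only after nginx -t passes with this block in place; enabling it first means Cloudflare starts presenting a certificate the origin is not yet checking, and enabling the origin side first without the CA file in place takes the site down.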

Recovering D-Link 868L Firmware

I previously had DD-WRT running on my router, but I wanted to roll it back. There is a little-known trick built into most modern D-Link routers that allows you to recover the firmware. This method would also likely recover you from a bad flash.

Screenshot of DD-WRT running

To change the firmware back to factory you can't just load it through the DD-WRT interface. Instead, connect your computer to port 1 on the router with an Ethernet cable. It is also wise to turn off your Wi-Fi. Then set the following network settings on your computer:

IP address:   192.168.0.2
Subnet mask:  255.255.255.0
Router:       192.168.0.1

Here is a screenshot from a Mac as an example:

Screenshot of the network settings on a Mac

Turn the router upside down to reach the reset button, then turn it off and on again while holding the reset button down with a pin. The power light will then flash slowly / pulsate.

Next, open your web browser and go to 192.168.0.1. The flash recovery page will appear:

Screenshot of the firmware recovery page

Click Browse to select the firmware image from D-Link and press Upload. The router will then restart.

The router will be fully reset to factory defaults. You can now turn your computer's Wi-Fi back on if you wish and remove the network cable. Follow the setup guide in the D-Link instructions.

Screenshot of the finished D-Link restore

Postfix Smarthost with Debian Jessie

After running a mail server for a number of years I got fed up with managing spam and unreliable delivery for system mail. Extending my recent use of Mailgun for web applications, I have now set it up to handle system mail too. I previously wrote this guide for Ubuntu here; it is very similar on Debian 8 but there are some differences:

For simplicity I will assume you don't have an existing mail server. If you do, it may be easier to remove it using the purge option and start again.

  • Install the mail server by running: apt-get install postfix libsasl2-modules
  • Now configure Postfix by editing its main configuration file in nano: nano /etc/postfix/main.cf
  • Add the following lines to main.cf:

smtp_sasl_auth_enable = yes
relayhost = [smtp.mailgun.org]:587
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

  • Create the sasl_passwd file in nano: sudo nano /etc/postfix/sasl_passwd
  • Enter the following line: [smtp.mailgun.org]:587 username@domain.com:secretpassword
  • Set the permissions on the sasl_passwd file: sudo chmod 600 /etc/postfix/sasl_passwd
  • Postmap the file: sudo postmap /etc/postfix/sasl_passwd
  • Restart Postfix: sudo service postfix restart

Finished! An easy way of routing all your system mail through Postfix. You will need to ensure you have added your custom domain to Mailgun. For example, if your server is called box.howson.me then add that as a custom domain in Mailgun. If some mail is sent as root@howson.me from the server, don't worry: this configuration will still work, and it is simple because it does not interfere with the mail provider serving your domain. Even DKIM and SPF work without any changes.
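The steps above as an added example script (not the post's own commands). It applies the same main.cf settings in a way that can be re-run without leaving duplicate keys, and creates sasl_passwd under a restrictive umask so the credentials are never world-readable even for an instant. Two settings are additions to the post's list and are flagged as such: smtp_tls_security_level = encrypt, because without it Postfix treats STARTTLS on port 587 as optional and would send the SASL password in clear text if TLS were ever unavailable, and smtp_tls_CAfile pointing at Debian's CA bundle. The Mailgun username and password are assumed to arrive in the MAILGUN_USER and MAILGUN_PASSWORD environment variables so they stay out of shell history.

```shell
#!/bin/sh
# Added example, not the post's own commands: apply the smarthost settings so
# the script can be re-run safely, and create the credential map without ever
# leaving it world-readable. Assumed: Postfix and libsasl2-modules are
# installed as in the post, and the Mailgun SMTP user and password arrive in
# MAILGUN_USER / MAILGUN_PASSWORD. The two smtp_tls_* settings are additions
# to the post's list: without smtp_tls_security_level = encrypt, Postfix
# treats STARTTLS as optional and would hand the SASL password to the relay
# in clear text if TLS were ever unavailable.
set -eu

POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"
RELAY='[smtp.mailgun.org]:587'

# set_cf FILE KEY VALUE -- replace KEY if present, otherwise append it.
# Appending blindly leaves duplicate keys; Postfix uses the last one and warns.
# (On a real box `postconf -e "KEY = VALUE"` does exactly this.)
set_cf() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file" 2>/dev/null; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_main_cf -- the relay settings from the post plus TLS enforcement.
configure_main_cf() {
    cf="$POSTFIX_DIR/main.cf"
    set_cf "$cf" relayhost "$RELAY"
    set_cf "$cf" smtp_sasl_auth_enable yes
    set_cf "$cf" smtp_sasl_security_options noanonymous
    set_cf "$cf" smtp_sasl_password_maps "hash:$POSTFIX_DIR/sasl_passwd"
    set_cf "$cf" smtp_tls_security_level encrypt
    set_cf "$cf" smtp_tls_CAfile /etc/ssl/certs/ca-certificates.crt
}

# write_sasl_passwd USER PASSWORD -- credential map readable by root only.
write_sasl_passwd() {
    f="$POSTFIX_DIR/sasl_passwd"
    umask 077                  # file is 0600 from creation; no chmod race
    printf '%s %s:%s\n' "$RELAY" "$1" "$2" > "$f"
    chmod 600 "$f"
    if command -v postmap >/dev/null 2>&1; then
        postmap "$f"           # sasl_passwd.db inherits the 077 umask too
    fi
}

# Usage: POSTFIX_SMARTHOST_APPLY=1 MAILGUN_USER=... MAILGUN_PASSWORD=... sh smarthost.sh
if [ "${POSTFIX_SMARTHOST_APPLY:-}" = 1 ]; then
    configure_main_cf
    write_sasl_passwd "${MAILGUN_USER:?}" "${MAILGUN_PASSWORD:?}"
    service postfix restart
fi
```

The encrypt level forbids plaintext but does not check who is at the other end; if you also want Postfix to verify the relay's certificate against the CA file, raise it to smtp_tls_security_level = secure. After the restart, `postconf -n` shows only one copy of each key, which is the quick way to confirm the edit did not leave stale duplicates behind.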