Secure your WordPress admin access

This is done with another plugin:

All In One WP Security & Firewall

by Tips and Tricks HQ, Peter, Ruhul, Ivy

It has a wonderful set of all sorts of security features. Go to the plugin homepage for more information and details.

I have only activated 4 features:

  1. I changed the default admin login username to something different, which makes it harder for an attacker to obtain the first half of the login credentials by guessing.
  2. I lock out anyone who tries a wrong username, to reduce the opportunity to get in.
  3. I locked down the login, so after 3 wrong login attempts (with the existing username) the IP address is locked out for a long time. This slows down any brute force attack.
  4. I require a Captcha (from the Brute Force section) for all logins. This makes brute force and script kiddie attempts a thing of the past, because they need to solve a simple calculation (e.g. 1+2=).

All other options are well documented in the plugin.

Well done, 5 stars from me.

Backup WordPress installation from admin panel

This is the simplest WordPress backup solution. It automatically backs up your entire WordPress installation: files and database.

It does not back up off-site; the backup stays on the server, so it is no good if the server itself is lost. You will need another solution to automate that. Perhaps you can copy the resulting file off-site with a directory-syncing plugin.

You would use this to take backups and have a way to restore if you made a mistake or got hacked.

This is the plugin to install:

BackUpWordPress from humanmade

https://wordpress.org/plugins/backupwordpress/

After installing and activating it, go into Backups and add a schedule with the desired frequency. Make sure you select Backup: Both Database & Files.

It then generates a backup, which you can install on another server (the same PHP and MySQL versions seem to work best).

Installing WordPress on new server

On the new server set up:

  1. a domain container (addon domain)
  2. an FTP user
  3. a MySQL database
  4. a MySQL user

Download the WordPress zip file (http://wordpress.org/download/) to the web server and unzip it there, or download it locally, unzip it and upload the unzipped files to the web server.

Go to the web site (e.g. http://example.com/blog/) and follow the instructions there. The FTP and MySQL details from above are needed here.

Give the resulting admin details to the WordPress operator to fill the site with content.
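The download-and-unzip step above is where a tampered or truncated archive would slip onto the server, so here is an added Python example (not from the original post and not WordPress's own tooling) that checks the archive's SHA-1 against a published value before unpacking it, and refuses archive entries that would land outside the target directory. It assumes the zip and the published digest have already been fetched (wordpress.org serves a .sha1 file beside the download; the name latest.zip.sha1 is an assumption here), and the archive it runs on in demo() is a tiny constructed stand-in.

```python
"""Verify a downloaded WordPress archive before unpacking it on the web server.

Added example, not part of the original post. It assumes the archive and a
published SHA-1 value (assumed to be served as latest.zip.sha1) were fetched
already; the archive used by demo() is a constructed sample, not WordPress.
"""
import hashlib
import hmac
import os
import tempfile
import zipfile


def sha1_of_file(path):
    """Hex SHA-1 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha1(path, published_sha1):
    """True if the file's SHA-1 equals the published value.

    Accepts the raw contents of a .sha1 file ('<hex>  latest.zip') or a bare hex string.
    """
    expected = published_sha1.strip().split()[0].lower()
    return hmac.compare_digest(sha1_of_file(path), expected)


def safe_extract(zip_path, dest):
    """Extract the archive, refusing any entry that resolves outside dest.

    Returns the list of extracted entry names.
    """
    dest = os.path.realpath(dest)
    extracted = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"unsafe path in archive: {info.filename}")
            zf.extract(info, dest)
            extracted.append(info.filename)
    return extracted


def install_from_archive(zip_path, published_sha1, dest):
    """Checksum first, unpack second; never unpack an archive that failed the check."""
    if not verify_sha1(zip_path, published_sha1):
        raise ValueError("checksum mismatch: do not unpack this archive")
    return safe_extract(zip_path, dest)


def make_sample_archive(path):
    """Constructed stand-in for the real download: a tiny zip with the
    WordPress-style top-level 'wordpress/' directory. Returns its SHA-1."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("wordpress/index.php", "<?php // constructed sample\n")
        zf.writestr("wordpress/wp-config-sample.php", "<?php // constructed sample\n")
    return sha1_of_file(path)


def demo():
    """Run the whole flow in a temp dir; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        z = os.path.join(d, "latest.zip")
        digest = make_sample_archive(z)
        # Published digest in the usual '<hex>  <filename>' form.
        results["checksum_ok"] = verify_sha1(z, digest + "  latest.zip\n")
        results["extracted"] = install_from_archive(z, digest, os.path.join(d, "web"))
        with open(z, "ab") as f:  # simulate a tampered or truncated download
            f.write(b"\x00")
        results["tampered_detected"] = not verify_sha1(z, digest)
        bad = os.path.join(d, "bad.zip")  # constructed archive with a traversal entry
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("../outside.php", "x")
        try:
            safe_extract(bad, os.path.join(d, "web2"))
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server you would call install_from_archive() with the downloaded latest.zip, the contents of the fetched .sha1 file and the web root; a mismatch means re-download from wordpress.org rather than unpacking.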

RPiTC2 Raspberry Pi rDesktop RDP Terminal Client locked up.

When the RPiTC2 Raspberry Pi Terminal Client loses its connection to the Terminal RDP server it locks up and there is no way to close the rDesktop client.

A button combination brings up a top bar with an X on the right. Clicking the X closes the rDesktop client, so it can be restarted when the connection is restored.

You can also use this button combination to close a live RDP window and leave the session running to connect to it later, or to get to the RPiTC2 desktop to shut down or reboot the local RPiTC2 OS.

The button combination is:

Alt+Ctrl+Backspace

Sophos UTM restore config backup on machine with different IP address

When you restore a Sophos UTM configuration backup on a machine with similar specs but a different IP address, the restored configuration brings the old machine's IP address onto the new machine, which will not work.

NOTE:
I noticed, when I was doing this on a Sophos UTM Manager, that somehow it resets itself every 10-30 seconds, and I had trouble logging in and making the changes in the GUI. So I pinged the new IP address, and every time the ping stopped responding I repeated the steps below before I clicked anything in the GUI. I had to attempt it a couple of times, but got it done eventually. Once you have saved the IP address change in the GUI it is permanent.

So log in at the console of the new machine and, as root, run:

# All of this is temporary and is lost at the next reboot
hostname -v <hostname>
# Without a prefix length 'ip' assigns a /32, which is why the network route is added explicitly below
ip addr add dev eth0 <new-ip>
ip link set up dev eth0
route add -net <network> netmask 255.255.255.0 dev eth0
route add default gw <gateway> dev eth0

This is only temporary, until the next reboot. However, you can now log in to the admin interface of the new machine via the correct IP address and make the necessary changes in the network settings and whatever else is relevant.

Rate limit ssh port 22 access

These iptables rules limit exposure to brute force and dictionary attacks against SSH on port 22.

# Drop a new SSH connection from a source that already has more than 2 connections open
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j DROP
# Record every new SSH connection attempt against its source address ...
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# ... and drop the attempt if that source has 3 or more within the last 60 seconds
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

# -A appends, so these rules only take effect if no earlier rule already accepts port 22.
# And remember to save the new set of iptables rules (whichever of these your distribution provides):
/usr/libexec/iptables/iptables.init save
service iptables save
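Both the plugin lockout in the WordPress post above (3 wrong attempts per IP) and the recent rules here rest on the same idea: count events per source address inside a sliding window and block once the count reaches the threshold. The following is an added Python example, not from either post and not the kernel's or the plugin's own code; it models the --set / --update --seconds 60 --hitcount 3 pair loosely (no --rttl, no list-size limit) and replays constructed connection events so you can see which ones the rule would drop.

```python
"""Simulate the per-source counting behind the iptables 'recent' rules above.

Added example, not from the original post. It models the rule pair
'-m recent --set' followed by '-m recent --update --seconds 60 --hitcount 3
-j DROP' on constructed events. Real xt_recent differs in details (bounded
per-address list, --rttl, --reap), so treat this as an illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
HITCOUNT = 3


class RecentList:
    """Per-source sliding window of NEW-connection timestamps."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.hits = defaultdict(deque)

    def new_connection(self, src, now):
        """Record a NEW connection from src at time now; True means DROP.

        '--set' appends the timestamp first, then '--update --seconds W
        --hitcount N' matches when the address has N or more hits in the
        last W seconds. A source that keeps knocking therefore stays
        blocked until it has been quiet for a full window.
        """
        q = self.hits[src]
        q.append(now)                          # --set
        while q and now - q[0] > self.window:  # expire hits outside the window
            q.popleft()
        return len(q) >= self.hitcount         # --update --hitcount N


def replay(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (timestamp, src_ip) NEW-connection events in order and return
    (timestamp, src_ip, 'DROP' | 'ACCEPT') for each."""
    rl = RecentList(window, hitcount)
    verdicts = []
    for ts, src in events:
        verdict = "DROP" if rl.new_connection(src, ts) else "ACCEPT"
        verdicts.append((ts, src, verdict))
    return verdicts


# Constructed sample: one address hammering SSH, one legitimate admin login.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"),
    (5, "198.51.100.7"),
    (9, "198.51.100.7"),     # third hit within 60 s -> DROP
    (10, "203.0.113.5"),     # unrelated source -> ACCEPT
    (30, "198.51.100.7"),    # still 3+ hits in the window -> DROP
    (200, "198.51.100.7"),   # quiet for more than 60 s -> ACCEPT again
]

if __name__ == "__main__":
    for ts, src, verdict in replay(SAMPLE_EVENTS):
        print(f"t={ts:4d}s {src:15s} {verdict}")
```

The replay makes the ordering point visible: the --set rule must see every NEW packet, so if an earlier ACCEPT for port 22 sits above these rules in the INPUT chain nothing is ever recorded and the limit never fires. Check with iptables -L INPUT -n --line-numbers that the recent rules precede any broad accept.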

rDesktop options

NAME

rdesktop - Remote Desktop Protocol client

SYNOPSIS

rdesktop [options] server[:port]

DESCRIPTION

rdesktop is a client for Remote Desktop Protocol (RDP), used in a number of Microsoft products including Windows NT Terminal Server, Windows 2000 Server, Windows XP and Windows 2003 Server.

OPTIONS

-u <username>
Username for authentication on the server.

-d <domain>
Domain for authentication.

-s <shell>
Startup shell for the user: starts a specific application instead of Explorer.

-c <directory>
The initial working directory for the user. Often used in combination with -s to set up a fixed login environment.

-p <password>
The password to authenticate with. Note that this may have no effect if “Always prompt for password” is enabled on the server. WARNING: if you specify a password on the command line it may be visible to other users when they use tools like ps. Use -p - to make rdesktop request a password at startup (from standard input).

-n <hostname>
Client hostname. Normally rdesktop automatically obtains the hostname of the client.

-k <keyboard-map>
Keyboard layout to emulate. This requires a corresponding keymap file to be installed. The standard keymaps provided with rdesktop follow the RFC1766 naming scheme: a language code followed by a country code if necessary, e.g. en-us, en-gb, de, fr, sv, etc.

The default keyboard map depends on the current locale (LC_* and LANG environment variables). If the current locale is unknown, the default keyboard map is en-us (a US English keyboard).

The keyboard maps are file names, which means that they are case sensitive. The standard keymaps are all in lowercase.

The keyboard maps are searched relative to the directories $HOME/.rdesktop/keymaps, KEYMAP_PATH (specified at build time), and $CWD/keymaps, in this order. The keyboard-map argument can also be an absolute filename.

The special value ‘none’ can be used instead of a keyboard map. In this case, rdesktop will guess the scancodes from the X11 event key codes using an internal mapping method. This method only supports the basic alphanumeric keys and may not work properly on all platforms, so its use is discouraged.

-g <geometry>
Desktop geometry (WxH). If geometry is the special word “workarea”, the geometry will be fetched from the extended window manager hints property _NET_WORKAREA, from the root window. The geometry can also be specified as a percentage of the whole screen, e.g. “-g 80%”.

-f
Enable fullscreen mode. This overrides the window manager and causes the rdesktop window to fully cover the current screen. Fullscreen mode can be toggled at any time using Ctrl-Alt-Enter.

-b
Force the server to send screen updates as bitmaps rather than using higher-level drawing operations.

-A
Enable SeamlessRDP. In this mode, rdesktop creates an X11 window for each window on the server side. This mode requires the SeamlessRDP server side component, which is available from http://www.cendio.com/seamlessrdp/. When using this option, you should specify a startup shell which launches the desired application through SeamlessRDP.

Example: rdesktop -A -s 'seamlessrdpshell notepad'

-B
Use the BackingStore of the Xserver instead of the integrated one in rdesktop.

-e
Disable encryption. This option is only needed (and will only work) if you have a French version of NT TSE.

-E
Disable encryption from client to server. This sends an encrypted login packet, but everything after this is unencrypted (including interactive logins).

-m
Do not send mouse motion events. This saves bandwidth, although some Windows applications may rely on receiving mouse motion.

-C
Use private colourmap. This will improve colour accuracy on an 8-bit display, but rdesktop will appear in false colour when not focused.

-D
Hide window manager decorations, by using MWM hints.

-K
Do not override window manager key bindings. By default rdesktop attempts to grab all keyboard input when it is in focus.

-S <button size>
Enable single application mode. This option can be used when running a single, maximized application (via -s). When the minimize button of the Windows application is pressed, the rdesktop window is minimized instead of the remote application. The maximize/restore button is disabled. For this to work, you must specify the correct button size, in pixels. The special word “standard” means 18 pixels.

-T <title>
Sets the window title. The title must be specified as a UTF-8 string.

-N
Enable numlock synchronization between the Xserver and the remote RDP session. This is useful with applications that look at the numlock state, but might cause problems with some Xservers like Xvnc.

-X <windowid>
Embed the rdesktop window in another window. The windowid is expected to be decimal or hexadecimal (prefixed by 0x).

-a <bpp>
Sets the colour depth for the connection (8, 15, 16 or 24). More than 8 bpp is only supported when connecting to Windows XP (up to 16 bpp) or newer. Note that the colour depth may also be limited by the server configuration. The default value is the depth of the root window.

-z
Enable compression of the RDP datastream.

-x <experience>
Changes the default bandwidth performance behaviour for RDP5. By default only theming is enabled, and all other options are disabled (corresponding to modem (56 Kbps)). Setting experience to b[roadband] enables menu animations and full window dragging. Setting experience to l[an] will also enable the desktop wallpaper. Setting experience to m[odem] disables all (including themes). Experience can also be a hexadecimal number containing the flags.

-P
Enable caching of bitmaps to disk (persistent bitmap caching). This generally improves performance (especially on low bandwidth connections) and reduces network traffic at the cost of slightly longer startup and some disk space (10MB for 8-bit colour, 20MB for 15/16-bit colour and 30MB for 24-bit colour sessions).

-r <device>
Enable redirection of the specified device on the client, such that it appears on the server. Note that the allowed redirections may be restricted by the server configuration.

The following devices are currently supported:

-r comport:<comport>=<device>,…
Redirects serial devices on your client to the server. Note that if you need to change any settings on the serial device(s), do so with an appropriate tool before starting rdesktop. In most OSes you would use stty. Bidirectional/Read support requires Windows XP or newer. In Windows 2000 it will create a port, but it is not seamless; most shell programs will not work with it.

-r disk:<sharename>=<path>,…
Redirects a path to the share \\tsclient\<sharename> on the server (requires Windows XP or newer). The share name is limited to 8 characters.

-r lptport:<lptport>=<device>,…
Redirects parallel devices on your client to the server. Bidirectional/Read support requires Windows XP or newer. In Windows 2000 it will create a port, but it is not seamless; most shell programs will not work with it.

-r printer:<printername>[=<driver>],…
Redirects a printer queue on the client to the server. The <printername> is the name of the queue in your local system. <driver> defaults to a simple PS-driver unless you specify one. Keep in mind that you need a 100% match in the server environment, or the driver will fail. The first printer on the command line will be set as your default printer.

-r sound:[local|off|remote]
Redirects sound generated on the server to the client. “remote” only has any effect when you connect to the console with the -0 option. (Requires Windows XP or newer.)

-r lspci
Activates the lspci channel, which allows the server to enumerate the client's PCI devices. See the file lspci-channel.txt in the documentation for more information.

-r scard[:<Scard Name>=<Alias Name>[;<Vendor Name>][,…]]
Enables redirection of one or more smart-cards. You can provide static name binding between Linux and Windows. To do this you can use the optional parameters as described: <Scard Name> is the device name in the Linux/Unix environment, <Alias Name> is the device name shown in the Windows environment, and <Vendor Name> is an optional device vendor name. For a list of examples run rdesktop without parameters.

-0
Attach to the console of the server (requires Windows Server 2003 or newer).

-4
Use RDP version 4.

-5
Use RDP version 5 (default).

User profile service failed the logon User profile cannot be loaded NO BAK file

Came across a weird issue.

All of a sudden I couldn't log into a Windows machine, which was properly joined to a DOMAIN, with a new user name. The domain administrator worked, but that could have been a coincidence.

The error I got was:

User profile service failed the logon. User profile cannot be loaded.

I searched the web and came across the one solution, which talks about BAK files in the registry, but I had no BAK files.

Then later I found this in one of the posts:

I discovered it was caused by a security problem on a few files/folders in the C:\Users\Default folder. I was able to easily fix it by going into the Advanced Security Settings for the C:\Users\Default folder and checking the box to “Replace all child object permission with inheritable permissions from this object”.

This solved my problem on the workstation.

Sophos uninstall with command line access

Gather the uninstall commands

  1. On an endpoint computer open the registry editor (Start | Run | type regedit.exe | press Return).
  2. Expand the left-hand tree to the following key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
     Note: on a 64-bit computer you will need to check both the key above and the following key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  3. Click through the list and locate the first Sophos component you need to uninstall.
  4. In the list of values find ‘UninstallString’, right-click it and select ‘Modify’.
  5. Copy the string into a text editor.
  6. Repeat steps three to five for all other components you need to remove.

Windows installer parameters

The uninstall strings copied from the registry may contain MSIEXEC.exe parameters, or you may want to add your own parameters to control what the end user sees on screen and how the computer behaves. For example, the uninstall string for Sophos Anti-Virus v10 is:

MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA}

but it can be modified so that the uninstall is silent:

MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn

or to suppress a reboot (a restart is normally required for Sophos Client Firewall and Sophos Anti-Virus) so that you may perform it at a later time:

MsiExec.exe /X{9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn REBOOT=SUPPRESS

It is advisable to create a log file (a separate file is needed for each component) as part of this process, to help with troubleshooting should an issue arise:

MsiExec.exe /X{9ACB414D-9347-40B6-A453-5EFB2DB59DFA} /qn REBOOT=SUPPRESS /L*v %windir%\Temp\Uninstall_SAV9-10_Log.txt

If you need further information on Windows Installer (MSIEXEC.exe) and its parameters, we recommend you consult up-to-date Microsoft documentation.

Prior to uninstalling the endpoint components, stop the Sophos AutoUpdate Service to prevent a potential update of the endpoint software during the removal. A command line such as the following can be used:

net stop "Sophos AutoUpdate Service"

The order in which the endpoint components are removed is important. Therefore reorder the uninstall strings you extracted from the registry editor as shown below.

  1. Sophos Patch Agent
  2. Sophos Compliance Agent
  3. Sophos Remote Management System
  4. Sophos Client Firewall
  5. Sophos Anti-Virus
  6. Sophos AutoUpdate

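Putting the pieces of this procedure together (the UninstallString values gathered from the two registry keys, the silent / REBOOT=SUPPRESS / logging switches, and the removal order above), here is an added Python example that is not from the original post and not Sophos's own tooling. It takes a DisplayName-to-UninstallString mapping, keeps only the Sophos components in the required order and emits the silent, logged form of each command. The mapping it runs on is constructed here: the Sophos Anti-Virus product code is the one the post shows, the other GUIDs are placeholders. read_uninstall_keys() reads the two real keys named in the post but only on Windows; elsewhere it returns nothing and the sample is used.

```python
"""Order Sophos uninstall strings and add the silent/no-reboot/logging switches.

Added example, not from the original post or Sophos. The registry sample is
constructed (only the Sophos Anti-Virus GUID comes from the post); the
reader for the real Uninstall keys runs on Windows only.
"""
import re
import sys

# Removal order given in the post, first to last.
REMOVAL_ORDER = [
    "Sophos Patch Agent",
    "Sophos Compliance Agent",
    "Sophos Remote Management System",
    "Sophos Client Firewall",
    "Sophos Anti-Virus",
    "Sophos AutoUpdate",
]

# The two keys the post says to check (64-bit machines need both).
UNINSTALL_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
]

# Constructed sample of DisplayName -> UninstallString. Only the SAV code is
# real (from the post); the others are placeholders, not Sophos product codes.
SAMPLE_REGISTRY = {
    "Sophos AutoUpdate": r"MsiExec.exe /X {00000000-0000-0000-0000-000000000001}",
    "Sophos Anti-Virus": r"MsiExec.exe /X {9ACB414D-9347-40B6-A453-5EFB2DB59DFA}",
    "Sophos Remote Management System": r"MsiExec.exe /X{00000000-0000-0000-0000-000000000003}",
    "Some Other Vendor Tool": r"MsiExec.exe /X {00000000-0000-0000-0000-0000000000FF}",
}

# Accepts 'MsiExec.exe /X {GUID}' and the '/I{GUID}' form some entries use.
_MSI_RE = re.compile(r"^\s*msiexec(?:\.exe)?\s+/[xi]\s*(\{[0-9a-f-]{36}\})", re.I)


def product_code(uninstall_string):
    """Return the MSI product code from an MsiExec uninstall string, else None."""
    m = _MSI_RE.match(uninstall_string)
    return m.group(1).upper() if m else None


def silent_command(name, uninstall_string, log_dir=r"%windir%\Temp"):
    """Build the silent, reboot-suppressed, logged form shown in the post,
    with one log file per component."""
    code = product_code(uninstall_string)
    if code is None:
        raise ValueError(f"not an MSI uninstall string: {uninstall_string!r}")
    log_name = re.sub(r"[^A-Za-z0-9]+", "_", name).strip("_")
    return (f"MsiExec.exe /X{code} /qn REBOOT=SUPPRESS "
            f"/L*v {log_dir}\\Uninstall_{log_name}_Log.txt")


def ordered_commands(registry):
    """(component, command) pairs in the required removal order; non-Sophos
    entries and components that are not installed are skipped."""
    return [(name, silent_command(name, registry[name]))
            for name in REMOVAL_ORDER if name in registry]


def read_uninstall_keys():
    """DisplayName -> UninstallString from the real registry (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for sub in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as k:
                        name = winreg.QueryValueEx(k, "DisplayName")[0]
                        found[name] = winreg.QueryValueEx(k, "UninstallString")[0]
                except OSError:
                    continue  # entry without the values we need
    return found


if __name__ == "__main__":
    registry = read_uninstall_keys() or SAMPLE_REGISTRY
    print('net stop "Sophos AutoUpdate Service"')
    for _, command in ordered_commands(registry):
        print(command)
```

Run it on the endpoint to print the batch in the right order; review the output before executing it, and keep the per-component log files it names so a failed step can be diagnosed.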
Microsoft server products affected by TIFF vulnerability

Exchange and Lync, plus other Microsoft products. (Click here for the full list: https://technet.microsoft.com/en-us/security/advisory/2896666)

Microsoft has identified a “zero-day” vulnerability involving .TIFF files. This means that neither Microsoft nor the antivirus companies have been able to develop tools to address this vulnerability. Because this is a zero-day vulnerability, the only way to protect yourself is to exercise extreme caution when opening .TIFF files, no matter how they reach you, whether via Exchange or Lync or through unknown websites. We advise all users to be very careful with .TIFF files. Anti-virus and firewall protection applications may not stop this threat. Do not open any files with a filename ending in .tiff, either through your personal mail or Exchange mail. There are a number of news articles discussing the specific details of the vulnerability. You can read them here: https://news.google.com/news?ncl=d-A1C6SaxJzq77M7R5cmrPtUUtToM&q=zero+day+microsoft&lr=English&hl=en

Here are some answers to questions you may have:

Q: Won't Blue Net's Mail Filter catch any viruses that are trying to get through?
A: No. The very definition of zero-day means that as of today, there are no signatures that let us detect any attachments containing malware. Your best defense is user awareness until Microsoft delivers a patch, and until signatures can be developed.

Q: Can I block .TIFF files from being delivered to my end users' mailboxes?
A: Unfortunately, that functionality is not available.

Q: When is Microsoft anticipated to deliver a patch?
A: Microsoft has stated that it will “take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update”. Rest assured that we will apply the updates as soon as they are made available to us.

From Wikipedia:

“A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on “day zero” of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability.” The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
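The notice's advice rests on recognising TIFF files, and a filename ending in .tiff is not the only signal: the format has a fixed 4-byte signature, so a renamed TIFF is still identifiable by content. The following is an added Python example, not part of the original notice and not any vendor's mail filter; it walks a MIME message for attachments, classifies each by signature and by extension, and reports everything a reviewer should hold for a closer look. The message and attachments are constructed in the block (only the first bytes matter for the check).

```python
"""Flag e-mail attachments that are TIFF images by content, not only by name.

Added example; it is not part of the original notice and is not any vendor's
filter. It checks the TIFF signature (bytes 'II*' + NUL for little-endian or
'MM' + NUL + '*' for big-endian), so a TIFF renamed to .jpg is still reported,
and it walks a MIME message built here from constructed sample attachments.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
TIFF_EXTENSIONS = (".tif", ".tiff")


def is_tiff(data):
    """True if the bytes start with a TIFF header."""
    return data[:4] in TIFF_MAGIC


def classify_attachment(filename, data):
    """Verdict for one attachment.

    'tiff'          TIFF content, whatever the name says
    'tiff-by-name'  .tif/.tiff name but not TIFF content (renamed or corrupt)
    'other'         neither
    """
    if is_tiff(data):
        return "tiff"
    if filename.lower().endswith(TIFF_EXTENSIONS):
        return "tiff-by-name"
    return "other"


def scan_message(raw):
    """Parse a raw RFC 5322 message and return (filename, verdict) for every
    attachment that is TIFF by content or by name."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict = classify_attachment(name, data)
        if verdict != "other":
            hits.append((name, verdict))
    return hits


# Constructed sample attachments: (filename, leading bytes).
SAMPLE_ATTACHMENTS = [
    ("invoice.tiff", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16),  # little-endian TIFF
    ("scan.jpg", b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 16),     # TIFF renamed to .jpg
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20),            # real JPEG header
    ("notes.tif", b"%PDF-1.4\n" + b"\x00" * 20),                  # .tif name, not TIFF
]


def build_sample_message():
    """Construct a multipart message carrying the sample attachments; returns bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, data in SAMPLE_ATTACHMENTS:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name:14s} {verdict}")
```

Feed scan_message() the raw bytes of a message pulled from a mail store or quarantine; the 'tiff-by-name' verdict is worth keeping separate, because a file that claims to be a TIFF but is not one is its own kind of oddity and should not be handed to an image viewer either.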