Tag Archives: Security

WordPress: Allow Auto Updating

Posted on by
Reply

When WordPress is properly locked down on your server, you are often unable to automatically update the plugins or themes on your site. The problems comes in when WordPress looks to see if it is able to write to the file system. Since it can’t modify it’s own files, it requests access to the FTP server running on your web-server. My sites NEVER have a FTP server running on them for simple security reasons, so updating via FTP is not an option.

Each of my sites are locked down with the below commands. The first line modifies the file system to allow only the Owner & Group to have modify access to each file or directory. All other users only have read access. The second line changes all files and directories so to be owned by root and the root group. The 3rd line grants owner and group permissions to the user www-data; the Ubuntu default webserver user.

chmod -R ug=rwX,o=rX
chown -R root:root /var/www/example.com
chown -R www-data:www-data /var/www/example.com/wp-content/plugins \
/var/www/example.com/wp-content/themes /var/www/example.com/wp-content/upgrade \
/var/www/example.com/wp-content/uploads

So now that your site is locked down, you can’t update the plugins or themes, well; that’s where this next part comes in.

auto-update-fail

This is the error you will receive if your site is properly locked down, when you try to update a plugin or theme.

If you add the below lines to your wp-config.php file, it will tell WordPress to ignore checking it’s files to see if they are modifiable, and to just try updating the plugin or theme. This will allow you to update a plugin or theme by using the auto update method build directly into WordPress.

Add the following to your wp-config.php file, just above the /* That's all, stop editing! Happy blogging. */ line.

// Allow auto updating
define('FS_METHOD', 'direct');

This change will not allow you to update WordPress Core as the webserver still dose not have access to modify the core files. I suggest you update via SVN or GIT on a nightly bases to ensure you always have the latest version of WordPress running.

LDAP PHP Change Password Page

Posted on by
15

Here is my quick page to allow users to change their own passwords.  To use this page, the LDAP server should to be local (as I am not connecting via SSL) and the page should to be on a secure site (https://).

<?php
 
/**
 *   LDAP PHP Change Password Webpage
 *   @author:   Matt Rude <http://mattrude.com>
 *   @website:  http://technology.mattrude.com/2010/11/ldap-php-change-password-webpage/
 *
 *
 *              GNU GENERAL PUBLIC LICENSE
 *                 Version 2, June 1991
 *
 * Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 * Everyone is permitted to copy and distribute verbatim copies
 * of this license document, but changing it is not allowed.
 */
 
$message = array();
$message_css = "";
 
function changePassword($user,$oldPassword,$newPassword,$newPasswordCnf){
  global $message;
  global $message_css;
 
  $server = "localhost";
  $dn = "ou=People,dc=example";
    
  error_reporting(0);
  ldap_connect($server);
  $con = ldap_connect($server);
  ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
   
  // bind anon and find user by uid
  $user_search = ldap_search($con,$dn,"(|(uid=$user)(mail=$user))");
  $user_get = ldap_get_entries($con, $user_search);
  $user_entry = ldap_first_entry($con, $user_search);
  $user_dn = ldap_get_dn($con, $user_entry);
  $user_id = $user_get[0]["uid"][0];
  $user_givenName = $user_get[0]["givenName"][0];
  $user_search_arry = array( "*", "ou", "uid", "mail", "passwordRetryCount", "passwordhistory" );
  $user_search_filter = "(|(uid=$user_id)(mail=$user))";
  $user_search_opt = ldap_search($con,$user_dn,$user_search_filter,$user_search_arry);
  $user_get_opt = ldap_get_entries($con, $user_search_opt);
  $passwordRetryCount = $user_get_opt[0]["passwordRetryCount"][0];
  $passwordhistory = $user_get_opt[0]["passwordhistory"][0];
   
  //$message[] = "Username: " . $user_id;
  //$message[] = "DN: " . $user_dn;
  //$message[] = "Current Pass: " . $oldPassword;
  //$message[] = "New Pass: " . $newPassword;
   
  /* Start the testing */
  if ( $passwordRetryCount == 3 ) {
    $message[] = "Error E101 - Your Account is Locked Out!!!";
    return false;
  }
  if (ldap_bind($con, $user_dn, $oldPassword) === false) {
    $message[] = "Error E101 - Current Username or Password is wrong.";
    return false;
  }
  if ($newPassword != $newPasswordCnf ) {
    $message[] = "Error E102 - Your New passwords do not match!";
    return false;
  }
  $encoded_newPassword = "{SHA}" . base64_encode( pack( "H*", sha1( $newPassword ) ) );
  $history_arr = ldap_get_values($con,$user_dn,"passwordhistory");
  if ( $history_arr ) {
    $message[] = "Error E102 - Your new password matches one of the last 10 passwords that you used, you MUST come up with a new password.";
    return false;
  }
  if (strlen($newPassword) < 8 ) {
    $message[] = "Error E103 - Your new password is too short.<br/>Your password must be at least 8 characters long.";
    return false;
  }
  if (!preg_match("/[0-9]/",$newPassword)) {
    $message[] = "Error E104 - Your new password must contain at least one number.";
    return false;
  }
  if (!preg_match("/[a-zA-Z]/",$newPassword)) {
    $message[] = "Error E105 - Your new password must contain at least one letter.";
    return false;
  }
  if (!preg_match("/[A-Z]/",$newPassword)) {
    $message[] = "Error E106 - Your new password must contain at least one uppercase letter.";
    return false;
  }
  if (!preg_match("/[a-z]/",$newPassword)) {
    $message[] = "Error E107 - Your new password must contain at least one lowercase letter.";
    return false;
  }
  if (!$user_get) {
    $message[] = "Error E200 - Unable to connect to server, you may not change your password at this time, sorry.";
    return false;
  }
  
  $auth_entry = ldap_first_entry($con, $user_search);
  $mail_addresses = ldap_get_values($con, $auth_entry, "mail");
  $given_names = ldap_get_values($con, $auth_entry, "givenName");
  $password_history = ldap_get_values($con, $auth_entry, "passwordhistory");
  $mail_address = $mail_addresses[0];
  $first_name = $given_names[0];
   
  /* And Finally, Change the password */
  $entry = array();
  $entry["userPassword"] = "$encoded_newPassword";
   
  if (ldap_modify($con,$user_dn,$entry) === false){
    $error = ldap_error($con);
    $errno = ldap_errno($con);
    $message[] = "E201 - Your password cannot be change, please contact the administrator.";
    $message[] = "$errno - $error";
  } else {
    $message_css = "yes";
    mail($mail_address,"Password change notice","Dear $first_name,
Your password on http://support.example.com for account $user_id was just changed. If you did not make this change, please contact support@example.com.
If you were the one who changed your password, you may disregard this message.
 
Thanks
-Matt");
    $message[] = "The password for $user_id has been changed.<br/>An informational email as been sent to $mail_address.<br/>Your new password is now fully Active.";
  }
}
 
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Password Change Page</title>
<style type="text/css">
body { font-family: Verdana,Arial,Courier New; font-size: 0.7em; }
th { text-align: right; padding: 0.8em; }
#container { text-align: center; width: 500px; margin: 5% auto; }
.msg_yes { margin: 0 auto; text-align: center; color: green; background: #D4EAD4; border: 1px solid green; border-radius: 10px; margin: 2px; }
.msg_no { margin: 0 auto; text-align: center; color: red; background: #FFF0F0; border: 1px solid red; border-radius: 10px; margin: 2px; }
</style>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<div id="container">
<h2>Password Change Page</h2>
<p>Your new password must be 8 characters long or longer and have at least:<br/>
one capital letter, one lowercase letter, &amp; one number.<br/>
You must use a new password, your current password<br/>can not be the same as your new password.</p>
<?php
      if (isset($_POST["submitted"])) {
        changePassword($_POST['username'],$_POST['oldPassword'],$_POST['newPassword1'],$_POST['newPassword2']);
        global $message_css;
        if ($message_css == "yes") {
          ?><div class="msg_yes"><?php
         } else {
          ?><div class="msg_no"><?php
          $message[] = "Your password was not changed.";
        }
        foreach ( $message as $one ) { echo "<p>$one</p>"; }
      ?></div><?php
      } ?>
<form action="<?php print $_SERVER['PHP_SELF']; ?>" name="passwordChange" method="post">
<table style="width: 400px; margin: 0 auto;">
<tr><th>Username or Email Address:</th><td><input name="username" type="text" size="20px" autocomplete="off" /></td></tr>
<tr><th>Current password:</th><td><input name="oldPassword" size="20px" type="password" /></td></tr>
<tr><th>New password:</th><td><input name="newPassword1" size="20px" type="password" /></td></tr>
<tr><th>New password (again):</th><td><input name="newPassword2" size="20px" type="password" /></td></tr>
<tr><td colspan="2" style="text-align: center;" >
<input name="submitted" type="submit" value="Change Password"/>
<button onclick="$('frm').action='changepassword.php';$('frm').submit();">Cancel</button>
</td></tr>
</table>
</form>
</div>
</body>
</html>
  • Also at: http://gist.github.com/657334

Creating a secure Git repository server

Posted on by
11

Creating a secure git repository server is a pretty simple process.  Basically we will be using SSH to transmit the data over an encrypted channel.  SSH will handle all the authentication and data encryption.  So the first set is creating a user for git to use and creating the git users ssh key.

On your server, from a privileged account, create a user (were going to use git).

adduser git
passwd git

The configuration we will be setting up will store the actual repositories in the git users home directory.  If you don’t like it’s current location, you may modify the /etc/passwd file for your user.

Once we have the user setup, in it’s home directory we need to create our first repository.  Start out by creating the folder, then well go into it and create the git repository files.

mkdir new-project.git
cd new-project.git
git init --bare

With the repository now setup go back to your desktop/laptop system (linux/unix).

From your desktop system, create a empty repository or go to an existing git repo. If you are going to be adding an existing repo, it may not be connected to any other remote repository. if you clone it from a remote source (a directory on the same system counts as a remote source) you will need to modify the repository’s config file and remove those entry’s, look in the config file under the .git (note the ‘dot’) directory.

To create an empty repository, create a directory for the repository, go into it and init the repo.

mkdir new-project.git
cd new-project.git
git init

Since you need something in your repo, and git likes having a readme file (or gitweb dose) let’s create a readme file and commit it.

touch README
git add README
git commit -m 'Added README file, first commit'

Now that we have a commit in our repo, we can add the newly created git repo server and push our new repo to it.

We will start by adding the server to the repo’s configuration.

git remote add origin git@new-git-server.example.com:new-project.git

The above example assumes you’re server’s name is “new-git-server.example.com” and your using a project named “new-project.git” for the user “git”. But it also assumes that your repo is directly in the user git’s home directory. If you store your repo’s in a different directory, you will need to add the list folders after the colon.

After you have successfully added the server, push your new repository to the server.

git push origin master

You may now be asked for the git user’s password, enter it, and your repository should be transferred.

Also check out how to setup a ssh public/private key where no password is required, only the private key on your client system.

The above may look like a lot, but it’s really pretty simple to setup. If you have any problems or questions abut this How-To, please leave a comment or contact me.