Enabling a bare minimum of WordPress Security

Running a CMS on any website can be cumbersome, constantly checking for updates, manually updating and securing the configuration, if it’s not secure-by-default. A big help is the auto-updating feature of WordPress and the plugins helping administering this. Also the security plugins, minimizing bot attacks and evil doers is also comforting and needed in a hostile environment, such as the internet.

Disabling comments and creation of users is recommended, if not needed. Exploits has been seen that elevates privileges.

So my recommendation is to follow these steps as a bare minimum:

Plugins to install and configure:

404 To Homepage

Disable XML-RPC

Easy Updates Manager

Force HTTPS

Force Strong Hashing

Limit Login attempts Reloaded

Meta Generator and Version Info Remover

Wordfence Security

WP Statistics

UpdraftPlus(if you need backup, due to your host providers lack thereof)

Use WPScan and Nikto2 from a kali VM, regularly, to test your website for vulnerabilites, misconfiguration, etc. Follow the recommendations and secure your website as much as you feel adequate. removing obvious readme files, using .htaccess, etc.

CISSP study course

If security has any interest and you live in the United States, the CISSP course is a worthy Human Resource stamp on broad IT understanding & Security. Unfortunately, Europe doesn’t have an equivalent course focusing more on European legislation such as the GDPR as opposed to major focus on American legislation and regulations, such as HIPAA, COPPA, Privacy and Fraud related material.

I took a course 12 years ago, but was too inexperienced to pass the exam back then. I decided that now, more experienced in the security domains and wiser ;), was the time to push through and get the certification, so I bought a few books, and studied hard, taking a week off work cramming, provisionally passing the exam, giving them 6 weeks to check up on my endorsements, etc.

I purchased the following books:

  • (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide, 8e & CISSP Official (ISC)2 Practice Tests, 2e
  • Official (ISC)2 Guide to the CISSP CBK, Fourth Edition
  • CISSP For Dummies

The CBK, I bought to use as a reference manual after advice from a colleague.

The dummies book lacked a few things, so after a few chapters and some answers to questions in a prep test, not present in the book (regarding security models), I decided to solely focus on the official study guide. I did look up stuff I didn’t understand properly in the Official Study Guide, to see if it was explained better in the Dummies.

Happy studying, if you think it’s worth a shot. No matter what, it’s a great way to catch up on stuff you don’t work on on a daily basis.

And when completing the exam, a great way to get CPE credits for your program is to connect ISC2’s brighttalk channel to your CISSP ID , and all the ISC2 webinars you watch, will automatically be registered.  See support article here

Next step in privacy is NextCloud – Have your cloud@Home

in action

I have never felt comfortable with having my phone pictures in the cloud and preferring only Dropbox(supporting Linux properly), since Google retired picasa and Apple only really worth while if you ONLY use apple products despite what fanboys might say, I decided to avoid vendor lock-in. I have exchanged my iMac and MacBook with Lenovo Yoga 2 Pro(Qubes 3.2) and a Purism Librem 13v2(Qubes 4.0).

I want my data to be @home, without being accessible from the internet. No unnecessary risks of breaches, if avoidable and no access from a giant attack vector(The whole internet if it is in the public cloud). Private cloud it is. And NextCloud seems to be best of breed.

I tried to buy a NextCloud Box, but all sold out in Europe and I was too tired to buy in the US, again.

Bought a CubieTruck and enjoyed the easy install of NextCloud, easy updating automatically, easy setting up the iPhone part, etc.)

Not a usual guide, but a simple heartfelt recommend from here. Try it out. You won’t regret it.

Whonix-14 available in Qubes-OS

As advertised in qubes-users mailing list, the templates of whonix version 14 is now available and flawlessly installed on my Qubes 4.0, without much effort.

I had no issues, so after deleting all existing whonix templates and AppVM‘s, the steps to follow were:

sudo dnf remove qubes-template-whonix-ws

sudo dnf remove qubes-template-whonix-gw

sudo qubesctl state.sls qvm.anon-whonix

sudo qubesctl state.sls qvm.whonix-ws-dvm

And then use Chris Laprise’s script to update them:

./qubes4-multi-update whonix-gw-14 whonix-ws-14

I rarely use whonix, but nonetheless, I encourage anyone using it for good, to donate, supporting the project.

Kali on Qubes 4 (with katoolin)

To use the great benefits derived from Qubes VM’s, Micah Lee recommended the use of Katoolin, instead of HVM based Kali, I normally use, so let’s try it out:

Clone your fully updated debian-9:

In the “Basic” tab, resize the partition:

Enhance the memory size, if your setup allows it:

Start the terminal to run the commands described on the Qubes Katoolin setup page point 1-6:

When you come to point #6, and have to run

“sudo apt-get dist-upgrade”, don’t…..

I have tried both yes and no to “restarting services automatically”, but the terminal crashes and remains unresponsive. i cannot get in contact with the VM. The latest screenshot was:

It seems the install is running, since my fan speeds up and down continuously.

I tried following this tutorial, and found out that you can install some stuff from the menus, but you have to remove the sources before updating or it will crash. That means no software from Kali will be updated?

For now, I’m continuing to work with my Kali rolling standalone HVM.

10.137.0.23,255.0.0.0,10.137.0.6,10.139.1.1,10.139.1.2

Basic hardening Apache 2.4.6 on Red Hat Enterprise Linux Server release 7.5 (Maipo)

Notes to self:

Installing packages and EPEL:

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install php php-gd php-mbstring httpd mod_security mod_evasive mod_ssl mariadb-server mariadb
sudo systemctl start httpd.service
sudo systemctl enable httpd.service
sudo systemctl start mariadb.service
sudo systemctl enable mariadb.service
sudo /usr/bin/mysql_secure_installation

Edit httpd.conf or .htaccess file to avoid hidden directories to be shown and redirect to https:

#avoid hidden directories to be shown
RedirectMatch 404 (?i)/\..+

#Redirect http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

harden /etc/httpd/conf/httpd.conf and php.ini

sed -i -e 's/expose_php = On/expose_php = Off/' /etc/php.ini
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileEtag None
Header always unset X-Powered-By
Timeout 45

Options -Indexes -Includes

add services to the firewall:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

edit  /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off


# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000
sudo systemctl start httpd.service

KeePassXC on Qubes

Until 1Password takes the Linux community seriously, KeepassXC is the preferred choice for me.

1Password offer a cloud based solution with only chrome-integration, almost like KeePassXC has for Firefox, Chrome, Vivaldi and Chromium, but Chrome wont be my preferred choice just yet. And also since Cloud solutions has a broader attack vector, there is no need to put the crown jewels on display, when sensitive hacks are almost happening daily on the internet.

If I get a trojan on my active computer, or buy a chinese keyboard, AND have my password database in the cloud, they can login and download it and harvest all my precious passwords without effort and without any fancy cracking efforts. Therefore if you enjoy cloud services, you might consider to use MFA to access the cloud (and hope your 2nd factor device is not pwned too 😉 Remember that SMS might be in clear text through airwaves that anybody might listen to or abuse in other ways.

Keeping an offline password manager is what I feel comfortable with, so that is what my current needs are.

And here, KeePassXC seems to be the best multiplatform solution around. And an important thing to remember is that if you have an offline password manager(or password manager installed in an “air-gapped” VM in Qubes, the risks of breaches are smaller even with bugs in the Password Manager software, since nothing directly enters a VM without network connection. So you need bugs in the underlying OS to get breached. Not impossible, but more rare in hypervisors with an offline vault than a traditional OS without.

Air-gapped VMs are also used as Split-GPG and Bitcoin wallets, so I guess its a bit more secure. Enhance your setup with a copy of your database on a PIN-enabled secure USB and sync it to your vault VM regularly.

P.S. Yubikey supports KeePassXC, but not as traditional 2FA

In Fedora 27 and later a newer and better version of KeePassXC is available. Remember to enable recommended security settings:

sudo yum install keepassxc

– Database settings – encryption – Argon2.

– General – Basic settings – Automatically save after every change.

– lock the database after use (time, immediately, etc)

If you use Qubes, you can have the password manager in the “vault” VM and ctrl-c, ctrl-shift-c in the vaultVM and ctrl-shift-v and ctrl-v in the destination VM to feel safer. You can also have a secure password file in vault and a less secure in another vm with internet access.

If safety is not the biggest issue for you and you use multiple computers, then install firefox addon, dropbox and sync selectively :

In Firefox addon:

yum install dropbox.rpm (otherwise dependencies are left out)

Point your KeePassXC to the synced folder .kdbx file.

Enable 2factor authentication to dropbox to prevent ease of access for bad people.

Configuring Cisco ASA VPN on Qubes 4.0 with openconnect

I have rewritten my VPN guide for Qubes 4.0, since my old post from 3.2, didn’t work out of the box and some supposed solutions on the web, didn’t sit well with me. The above link was too much hassle for me, so I chose to investigate how I can make a guide like the last one, just for Qubes 4.0.

Here it is, although the changes are few:

Create your vpn appVM, based on your preferred fedora template:

Add the ‘network-manager’  as a service :

Tur on the AppVM, and when the network icon appears, add the vpn connection:

Select the OpenConnect type:

Insert FQDN in the gateway section and save.

Start the VPN connection:

Type yur password and the connection will be established and your icon look like this:

Issue connecting automatically to hidden wifi in Qubes 3.2

Qubes 3.2, installed new wifi router, created hidden wifi and connected to the network. Everything works, until I reboot and log in.

When logging in, my network is offline and I can’t select my hidden network:

When clicking the network icon, disabling the network and reenabling it, gives me my options so I can select my hidden network, and the connection comes online:

When enabling SSID broadcast, everything works perfectly again, disabling SSID recreates the problem.

Here are the logs from when logging in with visible wifi (sys-net’s guest-sys-net-log):

With hidden wifi:

disabling, reenabling hidden wifi:

The not so great solution provided, was enable SSID broadcast. Problem fixed but solution not preferred 🙂