Category Archives: Security

How to setup Lets Encrypt with Apache on Ubuntu 16.10

This is going to explain how to setup Let’s Encrypt for a WordPress site using Apache on Ubuntu. This setup requires you to have root access to the web server.
Server Version: 16.10 (Yakkety Yak)
Apache Version: Apache/2.4.18 (Ubuntu)

First lets generate a Diffie-Helman Parameters file (This will take a while, can easily take 5+ minutes):

stupiderror@localhost:~$ sudo -i
[sudo] password for stupiderror:
stupiderror@localhost:~# openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........

Now we will install certbot:

stupiderror@localhost:~# apt update
stupiderror@localhost:~# apt install python-certbot-apache
stupiderror@localhost:~# certbot --apache

Select the domain(s) that you want to enable HTTPS for.
Provide an email address.
Accept the Terms of Service.
Choose Easy or Secure. Easy will let your site be HTTP and HTTPS. Secure will make your site only HTTPS but will redirect anyone trying to use HTTP to HTTPS.

You can use a command like the following and avoid the menu, just substitute in your domain and email:

stupiderror@localhost:~# certbot --apache -d stupiderror.com -d www.stupiderror.com -m support@example.net --agree-tos

The last step is to add a cron entry to auto renew the certificate.

stupiderror@localhost:~# crontab -e
0 1 * * 0    /usr/bin/certbot renew >> /var/log/le-renew.log

Reset WordPress Password

This is going to explain how to reset a WordPress password utilizing MySQL.
This was performed on a server running the following:
Server Version: Ubuntu 16.04.1 LTS (Xenial Xerus)
Wordpress Version: 4.6.1
MySQL Version: 5.7.15
PHP Version: 7.0.8

First we will login to MySQL. If you don’t know your MySQL username, database, and/or password you can find that in wp-config.php at the root of your WordPress site.

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'stupiderror');

/** MySQL database password */
define('DB_PASSWORD', 'WPpassword');

/** MySQL hostname */
define('DB_HOST', 'localhost');

Use this information to login to MySQL:

stupiderror@localhost:~/html$ mysql -u stupiderror -h localhost -p
Enter password:
mysql> use wordpress;
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| ...                   |
| wp_users              |
| wp_wpeditor_settings  |
+-----------------------+
17 rows in set (0.00 sec)
mysql>

Most of the tables were truncated from the results. We are looking for a table ending in _users, in this case wp_users. Now lets find the user we want to reset the password for.

mysql> select id, user_login,user_pass,user_email from wp_users;
+----+------------+------------------------------------+-------------------+
| id | user_login | user_pass                          | user_email        |
+----+------------+------------------------------------+-------------------+
|  1 | Admin      | $P$B3pqWu6gdqNO/kzDB4ZtnDPntHIq8f. | adm@localhost.com |
+----+------------+------------------------------------+-------------------+
1 row in set (0.00 sec)
mysql>

If you have a modern version of PHP and WordPress your password hash should start with $P$
This means WordPress is using PHPass. We will use a small script to generate a new hash.
On the 6th line replace newPassword with the new password you want to use. Save this file to the root of your WordPress site.

<?php
  require( dirname(__FILE__) . '/wp-load.php' );
  require_once ABSPATH . WPINC . '/class-phpass.php';
  $hasher = new PasswordHash(8,TRUE);

  $hash = $hasher->HashPassword('newPassword');

  echo "Hash: $hash\r\n"
?>

Now generate a hash and then update the database with the new hash:

stupiderror@localhost:~/html$ php generateHash.php
Hash: $P$B3pqWu6gdqNO/kzDB4ZtnDPntHIq8f.

mysql> update wp_users set user_pass="$P$B3pqWu6gdqNO/kzDB4ZtnDPntHIq8f." where ID = 1;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
mysql>

Now you should be able to login to your WordPress site with the new password.

Installing Google Authenticator for SSH

This entry shows how to install Google Authenticator and set it up to provide ssh with two-factor authentication. This was done on Ubuntu Server 14.10. This is software that runs on your server and mobile device. It does not require a Gmail account or any third party service.

Install On Server
Install libpam-google-authenticator package:

stupiderror@localhost:~$ sudo -i
[sudo] password for stupiderror:
root@localhost:~# apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libqrencode3
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 59.3 kB of archives.
After this operation, 206 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Setup User
Now we will setup Google Authenticator for user stupiderror:

root@localhost:~# exit
logout
stupiderror@localhost:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: BHBWGPOSWB6K19QY
Your verification code is 674538
Your emergency scratch codes are:
  16572244
  40474860
  4213D034
  55121160
  04767458

Do you want me to update your "/home/stupiderror/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

We choose to make the one time tokens time based. By default they are displayed for 30 seconds and have a 60 second grace period. Next it shows a QR code which was omitted above. This assists with getting it setup on your phone which we will get to next. If you don’t want to use the QR code you can enter the secret key on your phone instead. It then provides 5 emergency scratch codes. Write these down and they can be used when you need to login and your phone isn’t available. They are not time sensitive and each code can only be used once.

We choose yes to disallow the authentication token from being used more than once. If you want to log in to the server and you look to open two ssh sessions this means you can use the verification code displayed on your mobile device and then must wait for the next verification code to be displayed to complete the second login. If an attacker is able to sniff your keystrokes this means they cannot use the verification code you just used to log in.

We also enable rate limiting to slow down brute force attacks. Sshguard is installed and works fine with this enabled.

Setup Phone
On your phone search for Google Authenticator App in the app store and install it. It is made by Google, Inc. Open Google Authenticator on your phone and press the + in the top right to add an account. Choose Scan barcode or Manual entry. If you choose Scan barcode then point the camera on your phone at the QR code that was displayed when you ran google-authenticator on the server. Once it sees the code it adds it and names it after the user and hostname of the server google-authenticator was run as. In this example it named it: stupiderror@localhost. If you would like to rename the entry then click the pencil icon in the top right on your mobile device. Then the name will have a pencil icon next to it and you can click the name and edit it.

If you choose manual entry then fill in the information requested. Account is just a friendly name for you to identify the server. You can set this up on multiple servers and/or multiple users and add them all. The account name allows you to differentiate them. For key you need to enter the secret key that was displayed after the QR code when you ran google-authenticator. In the above example the key is BHBWGPOSWB6K19QY. Do not use this key, you need to use the one that was generated for your account. Then enable or disable the time restriction, we are leaving it enabled.

Enable Google Authenticator On Server
The time and date settings are important. If the time and date on the server is too far off from the phone the time based verification codes will fail. Make sure the time and date are set correctly. You may want to make a crontab entry to sync it daily:

0 0 * * *      /usr/sbin/ntpdate -s pool.ntp.org


We need root to edit these files:

stupiderror@localhost:~$ sudo -i
[sudo] password for stupiderror:
root@localhost:~# vi /etc/ssh/sshd_config


Find this line:

ChallengeResponseAuthentication no


and change the no to yes

ChallengeResponseAuthentication yes


Edit /etc/pam.d/sshd

root@localhost:~# vi /etc/pam.d/sshd


Add the following line and it should be before “@include common-auth”:

auth	required			pam_google_authenticator.so


To enable these changes restart SSHD:

root@localhost:~# service ssh restart

Test It
I would not disconnect your current session because if something goes wrong you will need to login as a different user or fix it from the console.

Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: example.net
stupiderror@localhost:~$

If it isn't working properly the best place to look for error messages is probably the auth.log

root@localhost:~# tail -f /var/log/auth.log