WordPress and Other Security Concerns

Security ShieldThere’s been a lot of press recently about increased attacks on WordPress sites, and I run WordPress. At first I considered it BS since it seemed ike a standard brute force attack. Not that I didn’t think attacks were going on, a view of logs on my own small servers shows attacks all the time. ┬áBut Brian Krebs published an article about it and I figure he has a better BS detector than me in these matters. So maybe there has been an increase. I figure I’m pretty safe, I don’t use the default accounts and I do use long, complex unique random passwords.

Some reading I did also indicated that the volume of logon attempts could cause resource problems on the server, so I decided I would try to specifically block them. After a few other attempts I decided to go the plugin route and used the plugin Limit Login Attempts. It’s a nice simple plugin that does what its name says. I dislike adding plugins to WordPress but I made a exception in this case. Eventually I hope to figure out a way to block this at the server level. But this will give me some protection and any easy way to get stats on whether or not my site is actually being attacked this way.

I’ve always been good about keeping WordPress and my web server updated with the latest patches, but I decided to reboot it this past Friday to make sure all those updates were really in the running software. Maybe it’s because I come from the windows world where patch reboots are a monthly reboot, but I figured it would be a good thing after having the server online for 220 days. So apologies to anyone trying to access the site this past Friday during a certain 9 minutes (I decided to do a full backup with everything shutdown for good measure).

It’s only been a day, but so far the only lookout has been from my testing

Apple (and other) 2-Step Verification

Apple added 2-step verification to their iCloud and iTunes accounts. I have to admit I like it. I especially like that they turn off any sort of password recovery that could be socially engineered. If I lose all the registered devices and the emergency recovery key then I’m screwed. But I’ve always wanted the option to tell these high-value vendors to disable password resets based on those stupid “pet name” security questions. I usually answer them with garbage, but the fact they exist worries me. Not necessarily for every little account, but for any that protects something of value.

I’ve also been going through and adding two-step verification to my other accounts that support it. Some places have apps that generate a token, or use the Google Authenticator App, but codes sent via SMS seem to be the most common. I guess SMS can be spoofed, but I suspect that doing so would have to be highly targeted and take more effort than I’d be worth.

Installing Ubuntu 7.10 Server Under Parallels

I wanted to install Ubuntu 7.10 (Gutsy Gibbon) Server as a virtual machine under Parallels on my iMac. Server has a couple of differences from the desktop version. The first is that the Graphical User Interface (GUI) isn’t installed which is my primary reason for wanting it over the desktop version. It’s all command line. The second, and the one I didn’t really consider until the troubles began is that there’s a different kernel. Really, the different kernel is the major difference since the GUI could be installed on the server, it’s just not part of the installer.

I made it through the first install just fine but on the first reboot there was a kernel panic with the message “the CPU is too old for this kernel“. Well, my CPU age shouldn’t be a problem. A quick Google search showed I wasn’t alone and that the problem was related to Parallels. I’m running the latest Parallels Desktop 3 which is build 5582. The kernel installed with Ubuntu 7.10 Server is 2.6.22-14-server.

The clearest solution I found was at Paul Annesley’s web site even though it was about installing Ubuntu Server 7.04 on Parallels. The key piece was how to replace the kernel before the initial startup. Since I’m using a newer version of Ubuntu Server there were some minor differences:

  1. I didn’t have to delay the Linux installation or switch the type to Solaris. It appears the CD-ROM detection problem was solved with either the latest Parallels or the latest Ubuntu. (I did have to do this when I installed Ubuntu 7.04.)
  2. I did have to follow the steps under “Start and Install”
  3. There were some changes in the “Roll Up Your Sleeves” section:
    When I ran the umount command there was nothing to unmount so there was an error which wasn’t a problem.
    Version 7.10 has a newer kernel so the remove command is:
    aptitude remove linux-server linux-image-server linux-image-2.6.22-14-server

I also had the same file system errors about time stamps being in the future that Paul mentioned.

The one annoying problem I have is that the system doesn’t completely power off. Even though it says the system is going to power down it ends with a “Unable to iterate IDE devices: No such file or directory” error then the System Halted message. Parallels thinks the VM is still active so warns me when I go to shut it down. This doesn’t seem to be causing any problems and the file system reports clean during the next startup.

I also noticed a ACPI error during boot up. I added acpi=off to the kernel line when booting and while that eliminated the acpi error it didn’t fix the shutdown problem.

The Parallels configuration screens are shown in the screen shots below in the order they appear:

As previously mentioned the OS type was changed to Linux – Other Linux kernel 2.6 post install but before the first startup. This is shown on the screen to the left.

While Parallels has put a lot of thought and effort into their Windows integration it appears Ubuntu support is still problematic and unofficial. While Ubuntu is listed in the OS drop down when creating a VM it’s not currently listed as a supported guest OS.

While I was working on the Ubuntu/Parallels problem I installed Ubuntu 7.10 Server on a VM under VMware Fusion and was surprised how easy and fast the installation was. But that’s another story and I haven’t used it enough to know if there are any non-obvious problems.

I’ll probably move forward running Ubuntu Server on VMware Fusion and leave this Parallels VM for experimentation. Anybody heavily using Ubuntu on Parallels? Is it stable post install?