List of Blog Posts

My Comment To: 10 Tips for Hardening your Linux Servers

(This post is a comment to a YouTube video: 10 Tips for Hardening your Linux Servers)

I can follow all 8 tips although the last 2 tips are for businesses. Plus, I’m using crontab to help me backup my ClassicPress website from my VPS server.

Crontab:

0 0 * * * /home/[REDACTED]/bin/backup-cp.sh

Script (~/bin/backup-cp.sh)

#!/bin/sh
ssh -p [REDACTED] [REDACTED]@graysonpeddie.com -i ~/.ssh/classicpress ~/bin/cpbackup.sh > ~/cpbackup/classicpress-$(date +%Y%m%d).sql
ssh -p [REDACTED] [REDACTED]@graysonpeddie.com -i ~/.ssh/classicpress tar czf - /var/www > ~/cpbackup/classicpress-$(date +%Y%m%d).tar.gz > /dev/null 2>&1
scp -P [REDACTED] -i ~/.ssh/classicpress [REDACTED]@graysonpeddie.com:/etc/apache2/sites-enabled/000-default.conf ~/cpbackup/classicpress-apache-$(date +%Y%m%d).conf

The “[REDACTED]” is for obscuring the port number and username. And yes, I have had problems with YouTube deleting my comment when I was going to edit it because I think YouTube’s algorithms thought I posted spam but I did not. So there are times when I have to outsmart computer algorithms.

How To Create a New User in pfSense and VyOS?

When you setup your new router, it’s always a good idea to create a new user other than admin for pfSense and vyos for VyOS in order to reduce the chance that bots and miscreants will gain access to your router.

VyOS

Here’s the completed configuration of my VyOS router and I will show you the commands.

Configuration
service {
    # ...
    ssh {
        access-control {
            allow {
                user <username>
                user vyos
            }
        }
        listen-address 10.249.0.1
    }
}
system {
    # ...
    login {
        banner {
            pre-login "Unauthorized access is strictly prohibited."
        }
        user <username> {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "First and last name goes here."
            home-directory /home/<username>
        }
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
# ...
}
Commands
ssh vyos@10.249.0.1
configure
edit system login user <username>
set authentication plaintext-password <your-password-goes-here>
set full-name "First and last name goes here."
set home-directory /home/<username>
exit
edit service ssh access-control
set allow user <username>
set allow user vyos
commit
save

You want to allow vyos access using SSH to make sure it works. Also, there is encrypted-password in VyOS but VyOS gave me an error telling me that the encrypted password is invalid. I did try to discard, but VyOS told me there are not changes to be discarded, so I saved, started a new terminal window, and once I SSH into my VyOS router for 10.249.1.1, everything works fine.

Now don’t exit out of VyOS session just yet. You want to make sure SSH is working properly for a user you want to log into. Because otherwise editing and viewing the configuration will have to be done either through the use of a console cable or a monitor and keyboard hooked up to a monitor. SSH using your new username and password you’ve created. If you can successfully login to VyOS with a different username, you can simply remove the vyos user from the access control list in configuration mode.

delete service ssh access-control allow user vyos

Again, stay logged in to VyOS and use a different terminal to test and make sure you can log into VyOS through SSH. If everything is working as intended, you can safely log out of VyOS from all the terminals you’ve opened.

Also, you can configure a banner. Examine the configuration above and see if you can add a login banner. The pre-login is for when a user attempts to access the VyOS router using SSH. This will print out a banner before a user gets prompted for a password. After a user logs into VyOS, if the post-login is set, VyOS will print out the banner once the user logs in. This concludes the commands used for securing VyOS.

pfSense

The same can be done for pfSense. Open the web browser, point your browser to pfSense (in my case, http://10.249.2.1), and login to your pfSense web interface. Once you get to the main interface, follow instructions as follows.

  1. In the System menu, open the User Manager.
  2. Click in the + Add button below the list of users.
  3. Enter the Username, Password, and Full Name. No spaces in the username.
  4. In the Group Membership area, select admins and click in Move to “member of” list. This will move the admins group to the “member of” list.
  5. Save the changes, log out, and log back in as the new admin user you have created in step 4.
  6. In the user manager, click in the pencil icon (Edit) to edit the admin user.
  7. Check the checkbox for Disabled. An admin user cannot login once the checkbox is selected.
  8. When done, Save the changes.

Try to login as admin. If successful, you should not be able to log in as an admin user but instead log in as a new user. This concludes the step-by-step instructions for pfSense.

Conclusion

Preventing a root or admin user from logging into a router is one of the security’s best practices. You can help ensure that bots and miscreants won’t be able to gain access to your router without the correct username and password. Even when bots are performing a brute-force attack. Still, it’s important to restrict access to the router through the use of a management subnet and if using pfSense, setup a root and server certificate in the Cert. Manager within the System menu and add a root certificate to your web browser of your choice. Use a management subnet for any devices that have SSH access or a web interface and do not allow managers, sales, web developers, or any other non-IT departments access to the critical network infrastructure.

Update: I just hit “c” twice in my keyboard (ccode instead of code) even though I only typed “c” just once. Ugh… Maybe I just need a different keyboard that prevents double-types regardless of the operating system I’m using… (And yes, I’m using Arch Linux.)

IPv4 Subnetting Practice

If you understand computer networking and know how IPv4 subnetting works, why don’t you practice IPv4 subnetting here?

Given IP Address:

Solve for network, mask, start host, end host, and broadcast address.

If you would like an offline copy of a subnet practicing app, here’s a zip file which contains a self-contained HTML file. Double-click in the HTML file and you can begin practicing.

ipv4subnet.zip

Have fun!

Part 1: OSPF (IPv4) – Connecting 2 Instances of VyOS and pfSense Together

A network of routers each connected to the central router. Two monitors are connected to each router and there are six monitors.

This is part 1 of 2 of configuring multiple networks that can communicate with each other through OSPF.

Introduction

How much do you know computer networking? Do you know how subnetting works? What about IP addresses? Do you know how routers and switches work? Do you have a homelab and do you know what a homelab is? If you answer yes to all of the questions and you want to expand your knowledge of networking, this article is for you. Yes, I’m targeting audience that have a good knowledge in networking. This is even for those with lack of certificates such as CompTIA A+, Network+, and Security+, and even for those without a degree! Well, why don’t we delve right into it, shall we? If you are Network+ certified, you must know that OSPF is a dynamic link-state protocol that allows the two or more private networks to talk to each other. If you have a consumer router such as Netgear or Linksys, this article is only for the pros!

Also, my article covers the use of virtual machines and networking bridging, so I’m going to assume you know how to set them up. I’m using Ubuntu Server 20.10 as my Linux home server that runs KVM (Kernel-based Virtual Machine). Virtual machines are what enables a computer to run inside a computer and network bridging behaves similar to a network switch. And because of that, I’m also going to assume you are familiar with the Linux command line.

Now buckle your seatbelt because this article is going to be a very long one.

(more…)

ClassicPress and Custom CMS For My Website

Transitioning From Custom CMS To ClassicPress

I have rebuilt my website using ClassicPress instead of a custom-built Content Management System (CMS for short). The reason for why I chose ClassicPress is simplicity. However, simplicity comes with compromises regarding the security and underlying control of my website such as not being able to separate the administration panel from the core CMS. I have first built my website with my own theme in mind due to my experience with HTML, CSS, JavaScript, and PHP. I built my own admin panel from scratch as well, although it’s very tedious and it took me a lot of time. Even though building my admin panel is tedious, mine turned out pretty well–well, almost. I wanted to write PHP code that would synchronize my changes from hte local database to my production database, but I did not put my time into it. So, while building my CMS from scratch is fun, at the end of the day, ClassicPress simplifies the implementation of features for me such as search, categories, and archive for listing posts by month.

About my website that I built with a custom CMS, I focused in the paradigm called Model-View-Controller, or MVC for short. I will get into more detail at a later time as I want to keep my blog article short. However, I can show you the images for those who have eyesight.


My blog written with custom CMS in mind.
My blog written with custom CMS in mind.

My admin panel for my website.
An image showing my administration panel that shows a list of tags for each category.

I designed my administration panel in such a way that without a client certificate, I cannot login for security reasons. Plus, no one can log into my administration panel within my production website, but because I switched to ClassicPress, anyone with my username and password can or else do a brute-force attack against my website’s admin dashboard. And plus, remember when I mentioned that I can’t separate the ClassicPress Admin Dashboard from my website? That’s one of the compromises I have to make. Plus, I would also lose my ability to associate tags with one or more categories. I also can’t trust the security of underlying code that makes a connection to the database. I will have to update ClassicPress to ensure the vulnerabilities have been patched.

Custom CMS: Built With Security In Mind

I’m not going to show code or anything; however, I want to tell you the details regarding how I wrote my own CMS with security in mind. First, no website is secure, so there will always be vulnerabilities, including vulnerabilities in a web server. I do a lot of abstraction between PHP code and the database server. To do that, I make use of prepared statements in PHP that separates data (“testing123”) from the query (“‘; DROP myTable;–“). In the database side, I use stored procedures that execute a sequence of commands needed to perform tasks within the database server. Inside a stored procedure, I wrote a prepared statement, pass along values, and execute the command. In other words, I can put “CALL spShowBlogPosts” inside the PHP’s prepare() function, pass in the values as parameters, and call execute() in PHP. And the database server will do the rest and even return the result back to the PHP application! If you are interested, have a read about stored procedures.

And what about something like this for Twitter in ClassicPress that I used in my custom CMS? I have created fields for description and thumbnail in the database.

<head>
  <meta charset="utf-8" lang="en" />
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0" />
  <meta name="author" content="Grayson Peddie" />
  <?php if($isHome) { ?>
  <title>Blog - Grayson Peddie</title>
  <meta name="description" content="My home page for my blog." />
  <meta name="twitter:title" content="Grayson Peddie's Blog Site" />
  <meta name="twitter:description" content="My home page for my blog." />
  <meta name="twitter:image" content="https://graysonpeddie.com/res/img/thumbnail/graysonpeddie.jpg" />
  <meta name="twitter:image:alt" content="A photo of Grayson Peddie." />
  <?php } else if($isCategory) { ?>
  <title>Category: <?=$data[1][0]["CategoryName"] ?> - Grayson Peddie</title>
  <meta name="description" content="List of blog articles for the category
    "<?=$data[1][0]['CategoryName'] ?>." <?=$data[1][0]['CategoryDescription'] ?>" />
  <meta name="twitter:title" content="Category: <?=$data[1][0]['CategoryName'] ?>" />
  <meta name="twitter:description" content="<?=$data[1][0]['CategoryDescription'] ?>" />
  <meta name="twitter:image" content="https://graysonpeddie.com/res/img/thumbnail/graysonpeddie.jpg" />
  <meta name="twitter:image:alt" content="A photo of Grayson Peddie." />
  <?php } else if($isTag) { ?>
  <title>Tag: <?=$data[1][0]["TagName"] ?> - Grayson Peddie</title>
  <meta name="description" content="List of blog articles for the tag
    "<?=$data[1][0]['TagName'] ?>"." />
  <meta name="twitter:title" content="Tag: <?=$data[1][0]['TagName'] ?>" />
  <meta name="twitter:description" content="List of blog articles for <?=$data[1][0]['TagName'] ?>" />
  <meta name="twitter:image" content="https://graysonpeddie.com/res/img/thumbnail/graysonpeddie.jpg" />
  <meta name="twitter:image:alt" content="A photo of Grayson Peddie." />
  <?php } else if($isSlug) { ?>
  <title><?=$data[1]['BlogTitle'] ?> - Grayson Peddie</title>
  <meta name="description" content="<?=$data[1]['BlogDescription'] ?>" />
  <meta name="twitter:title" content="<?=$data[1]['BlogTitle'] ?>" />
  <meta name="twitter:description" content="<?=$data[1]['BlogDescription'] ?>" />
  <?php if(isset($data[1]["BlogShowImage"]) && $data[1]['BlogShowImage']) { ?>
  <meta name="twitter:image" content="https://graysonpeddie.com<?=$data[1]['BlogImage'] ?>" />
  <meta name="twitter:image:alt" content="<?=$data[1]['BlogImageTitle'] ?>" />
  <?php } else { ?>
  <meta name="twitter:image" content="https://graysonpeddie.com/res/img/thumbnail/graysonpeddie.jpg" />
  <meta name="twitter:image:alt" content="A photo of Grayson Peddie." />
  <?php } ?>
  <?php } ?>
  <meta name="twitter:card" content="summary" />
  <meta name="twitter:site" content="@graysonpeddie" />
  <meta name="twitter:creator" content="@graysonpeddie" />
  <link rel="preload stylesheet" as="style" href="/res/css/site.css" />
  <link rel="icon" href="/favicon.ico" sizes="16x16 32x32 64x64" type="image/png">
</head>

The functions in PHP are quite similar to WordPress/ClassicPress’s functions such as is_single(), is_category(), etc. I even have a boolean variable for checking if the image for the thumbnail will be shown in Twitter. Maybe I might check out some Twitter plugins but I won’t install it unless it is absolutely necessary.

Why ClassicPress? Why not WordPress?

With new unwanted features comes new security vulnerabilities. Even though it’s important to keep WordPress up-to-date, that “up-to-date” means new features that I have no plans on using it. That’s why I’m happy that the developers of ClassicPress are taking a “security-first approach.” Plus, I applaud the ClassicPress team for keeping bloat minimal by removing features and plugins that I don’t care to use as part of my website. If you are interested, you can read the roadmap for ClassicPress 1 and 2. ClassicPress 2 is still in development and I’m very optimistic about what the ClassicPress 2 will bring. Hopefully I won’t have to modify the PHP code for my custom theme, but if I have to, I would hope the changes will be minimal.

As for enabling comments, you can @ me in Twitter. My Twitter handle is @graysonpeddie. I won’t enable comments unless I want comment spam in my website (and seriously, I don’t). I might enable comments in articles if I get a lot of traffic. But hey, thanks for checking out my website. Hopefully I won’t abandon my website just because I don’t have the time to write PHP code for synchronizing my development database with my production database. Writing PHP code is hard! 🙂

Hello, and Welcome to my Website

Hello! My name is Grayson Peddie and this is my first time writing my blog from scratch instead of using WordPress. I was born in Panama City and raised in Tallahassee, Florida throughout my entire life. I am CompTIA A+, Network+, and Security+ certified and I love to get into career in Information Technology. I want to get my feet wet in a little bit of cybersecurity and a lot of network engineering. Not only that, I would also like to setup a homelab with a couple of servers for running OpenStack.

Let’s talk about my hobbies. So what do I do for a living? I listen to music, play games, and watch YouTube videos. I even administer my own network and program my home automation system using Home Assistant. Specifically, Home Assistant Core, although I do have a tendency to refer “Home Assistant Core” as “Home Assistant” because I’ve been a user for about 4 years as of Home Assistant 0.17 and the latest version is 0.108.

So what music do I listen to? Because I’m an adventure type, I like to listen to new age and Celtic music from around the world. (“Celtic” is pronounced “keltic” but with a “c.”) I listen to music from David Arkenstone, Yanni, Cusco, Kitaro, Loreena McKennitt, Clannad, Enya, and so many artists that I could list, but could get rather long. Plus, I like to listen to smooth jazz, symphony orchestra, 40s instrumental jazz, and even 60s, 70s, 80s, and early 90s. Most of the time, I listen to instrumental music. Unlike vocals, musical instruments speak their own language.

(more…)