Mozilla Observatory - How safe is your site

Posted: 2017-04-14 22:41:29 by Alasdair Keyes

Direct Link | RSS feed


Someone on the Nottingham Linux User Group posted about Mozilla Observatory today.

If you're a developer/sysadmin for any website it's worth checking out. It checks the security HTTP headers that your site returns and grades it accordingly.

I was getting a B this afternoon and after a crash course in Referrer Policy and Content Security Policy I managed to get it up to an A+.

My site doesn't accept user posted content so the XSS security this provides isn't too important, however if your site does accept user submitted content, then it really is critical that you implement this. XSS is still one of the most common WebApp vulnerabilities, and if you can force the browser to help limit the damage it means you can worry less about any bugs that creep into your code.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Slimming down

Posted: 2017-03-24 20:24:16 by Alasdair Keyes

Direct Link | RSS feed


This evening the site has just been migrated from a mostly static using Template Toolkit's ttree with the occasional PHP/Perl script to provide dynamic content to a site built with..

The server is still running NGINX and PHP 5.6

The site is ready to run on PHP 7, however Debian still only provides 5.6. As soon as that's updated, I'll be running twice as fast.

If there's any odd behaviour 404/500/502 type errors, please let me know.

P.S. Whilst writing this, I noticed that Doctrin Project and Twig don't have an HTTPS site.... come on guys!


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Firejail

Posted: 2017-03-22 23:15:59 by Alasdair Keyes

Direct Link | RSS feed


I recently had some problems with some software on my laptop calling home and receiving an invalid response, this then caused the software to stop working correctly. Until this is resolved, I really want to keep on using the software. After testing in a VM with the network disabled, I realised that if it was unable to call home then it continued to work correctly.

A Virtualbox VM works fine and with the Vbox tools installed I have bi-directional copy/paste etc but it's not an elegant solution and the VM overhead is much greater than the native application.

From this I found out about the firejail tool. This is shipped in the standard Ubuntu repos and provides a great deal of sandboxing utilities that I was unaware of.

For me the --net=none argument was suitable. This creates a new unconnected network namespace before executing the app and restricting it's network access to localhost only.

$ firejail --net=none mytroublesomeapp

This is incredibly useful and a tool I will be making much more use of in future.

If you wish to test, try some of the following.

firejail --net=none firefox
firejail --net=none ping google.co.uk

The man pages show what other options are available too. It's well worth a look


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

bashfunc - Bash Function Library

Posted: 2017-03-08 15:27:11 by Alasdair Keyes

Direct Link | RSS feed


I've been doing some systems scripting in BASH the past couple of days and often find myself recoding the same functionality over and over, not just at work but home too. So I decided that I'd write a library to cover some common functionality I find myself needing.

All functions are explained in the README.md and working examples are in bashfunc_examples.sh in the repo.

It's designed for use with BASH 4 and up. Test it out and let me know if there's other common functionality that could be added. I'm currently adding to it quite frequently as my requirements grow so keep checking for new versions.

https://github.com/alasdairkeyes/bashfunc


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

RSS Feed

Posted: 2017-02-23 22:44:30 by Alasdair Keyes

Direct Link | RSS feed


I've finally got round to re-implementing RSS feed on the site again. Links are here ^^^. Or here RSS feed


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Trello all the things

Posted: 2017-02-11 23:36:51 by Alasdair Keyes

Direct Link | RSS feed


I've used Trello a number of times for work projects and I've always enjoyed using it. It's simplicity is the key to it's usefulness.

I've now moved onto using it personally too. Previously my todos were on a Memo app on my phone. Now I mainly use Trello on my laptop, but also the App on my phone for when I'm out and everything goes on there.

The act of moving cards from Todo to Done fills me with more pleasure than it really should.... but it keeps me productive! It's well worth looking to move to it if you're the kind of person that makes a lot of lists.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

MySQL encrypted client password storage

Posted: 2017-02-10 14:27:55 by Alasdair Keyes

Direct Link | RSS feed


For years I've been using MySQL's ~/.my.cnf file to automatically manage logins for databases. However it's never sat well with me due to the fact that the file is plain text and even though you can restrict access with 0600 permissions, it's never good to have a password stored in plaintext.

I've recently been working on a MySQL 5.7 cluster and needed access to the production slave database and this issue raised it's head again. However as of MySQL 5.6, there is the option to store login details encrypted using mysql_config_editor

This tool allows you to setup profiles to access servers and store the details encrypted.

For example my previous ~/.my.cnf/ file might have

[mysql]
username=al
password=ComplexPassword

I could then access mysql like so...

# mysql
mysql> 

Now you define a profile so for the above example use

# mysql_config_editor set --login-path=localhost --host=localhost --user=root --password
Enter Password: <enter password>

--login-path is just a name and can be anything you like.

I can now login by specifying the login path

# mysql --login-path=localhost

What's nice is that you don't need to specify all the details, if you had a production and beta environment both with multiple servers you could run the following with different passwords and then supply the hostname on the command line

# mysql_config_editor set --login-path=production --user=root --password
Enter Password: <enter password>
# mysql_config_editor set --login-path=beta --user=root --password
Enter Password: <enter password>
# mysql --login-path=production -h proddb3
mysql>

The data is now stored in ~/.mylogin.cnf and is not readable

# cat ~/.mylogin.conf
<<JUMBLEDMESS>>

If you want to make backups or see what profiles you have, you can use

# mysql_config_editor print --all
[production]
user = root
password = *****
[beta]
user = root
password = *****

Removing profiles is as easy as

# mysql_config_editor remove --login-path=production


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

TDD Deciphered

Posted: 2017-02-09 12:16:58 by Alasdair Keyes

Direct Link | RSS feed


I recently happened upon this website about how to use TDD when building a project. Although it's written for PHP and PHPUnit, the premise can be applied to any language. The great thing about this site over others is that it actually shows TDD on the lifecycle of a valid project, not just using trivial one off examples.

https://tdd-deciphered.com/


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

PHP Apigen

Posted: 2016-12-28 20:34:21 by Alasdair Keyes

Direct Link | RSS feed


After discussions at work on producing code documentation, I was introduced to http://www.apigen.org/.

I'm not quite sure how I've not seen it before, but it is very slick and certainly something I'm going to look at using int he future.

More information about what it does can be seen on their site, but it essentially reads the PHPdoc blocks in your code and outputs to a nice HTML page that you can publish.

The key part is just how easy it is, from the root of your project run

apigen generate --source src_folder --destination public/docs

You can easily add it into a script for jenkins or for local a development branch, add it into the post update/install commands of your composer.json.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Strengthen your PHP Composer dependencies

Posted: 2016-12-21 22:38:22 by Alasdair Keyes

Direct Link | RSS feed


For those of you that use Composer to install and manage dependencies in your PHP App, you may be interested in https://github.com/Roave/SecurityAdvisories.

When updating your dependencies, it will alert if the versions you are using contain known vulnerabilities. It's quite simple in it's operation, the composer.json file populates the conflict key with a list of package versions that are known to be insecure so composer will fail to update.

The list isn't exhaustive, but it contains a number of large packages such as Doctrine, Drupal, Zend, Symfony


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.