Software – Mike Mamaril – Freelance Web Developer

ExpressVPN Review

My experience with ExpressVPN has been pleasant for the past 7 days. I share the account with my wife and daughter primarily for consuming media. But one pleasant surprise is that you get Youtube Picture-In-Picture functionality when connected to US servers, atleast on Android. This is a YouTube premium features as far as I known, but I am finding it pretty convenient that I have access to it without paying extra.

I paid $99uSD for a 15 month month subscription, and I feel I am getting my money’s worth. There are cheaper alternatives but the reality is you do get what you oay for, so I opted for ExpressVPN which has reasonable pricing with reasonable ly good service.

You can use my link here to signup so both you and I get an additional 30 days for free. You’d want to use the Opera browser with their free VPN service to signup since ExpressVPN has different offers depending on your location.

Live desktop summer feels

It’s been years since I last played with my desktop. Since PC hardware has grown by leaps and bounds since I last tried, I figured to give it a shot. Inspired by the Google Pixel live wallpaper I use this Ocean weather theme for Rain Wallpaper, an app you can find on Steam. Another theme on my rotation is this Elegant weather theme I found on DeviantArt.

Deploying a WordPress plugin repo on github to WordPress on WIndows

I never learned how to use Subversion which is why publishing my work on WordPress becomes such a chore. Thankfully, I found a script that can deploy a local Git repository to WordPress.org. This script assumes you have the following setup and working in your Windows environment already:

SVN, in this case I use TortoiseSVN
GIT, I use the GIT-SCM and Github Windows client
Already have a WordPress.org account and existing repository for your project

The script is originally from GaryJones from github which I modified to suit my needs. Simply put the script in the repository folder and change out the CHANGE_ME values before running the script.

You have the option to set the path of the local repository within the script or in the prompt, what I prefer to do is to just drop the script in the working directory and run the script there.

VAR_CURRENTDIR=$(pwd)
VAR_PLUGINSLUG="CHANGE_ME"
VAR_SVN_USERNAME="CHANGE_ME"

default_svnpath="$VAR_CURRENTDIR/tmp"
default_svnurl="https://plugins.svn.wordpress.org/$VAR_PLUGINSLUG"
default_plugindir="$VAR_CURRENTDIR"
default_mainfile="$VAR_PLUGINSLUG.php"

echo
echo "WordPress Plugin SVN Deploy v3.1.0"
echo
echo "Let's collect some information first. There are six questions."
echo
echo "Default values are in brackets - just hit enter to accept them."
echo

# Get some user input
# Can't use the -i flag for read, since that doesn't work for bash 3
printf "Q1. WordPress Repo Plugin Slug e.g. my-awesome-plugin: "
printf "($VAR_PLUGINSLUG): "
read -e input
input="${input%/}" # Strip trailing slash
echo

echo "Q2. Your local plugin root directory (the Git repo)."
printf "($default_plugindir): "
read -e  input
input="${input%/}" # Strip trailing slash
PLUGINDIR="${input:-$default_plugindir}" # Populate with default if empty
echo

# Check directory exists.
if [ ! -d "$PLUGINDIR" ]; then
  echo "Directory $PLUGINDIR not found. Aborting."
  exit 1;
fi

printf "Q3. Name of the main plugin file ($default_mainfile): "
read -e input
MAINFILE="${input:-$default_mainfile}" # Populate with default if empty
echo

# Check main plugin file exists.
if [ ! -f "$PLUGINDIR/$MAINFILE" ]; then
  echo "Plugin file $PLUGINDIR/$MAINFILE not found. Aborting."
  exit 1;
fi

echo "Checking version in main plugin file matches version in readme.txt file..."
echo

# Check version in readme.txt is the same as plugin file after translating both to Unix line breaks to work around grep's failure to identify Mac line breaks
PLUGINVERSION=$(grep -i "Version:" $PLUGINDIR/$MAINFILE | awk -F' ' '{print $NF}' | tr -d '\r')
echo "$MAINFILE version: $PLUGINVERSION"
READMEVERSION=$(grep -i "Stable tag:" $PLUGINDIR/readme.txt | awk -F' ' '{print $NF}' | tr -d '\r')
echo "readme.txt version: $READMEVERSION"

if [ "$READMEVERSION" = "trunk" ]; then
	echo "Version in readme.txt & $MAINFILE don't match, but Stable tag is trunk. Let's continue..."
elif [ "$PLUGINVERSION" != "$READMEVERSION" ]; then
	echo "Version in readme.txt & $MAINFILE don't match. Exiting...."
	exit 1;
elif [ "$PLUGINVERSION" = "$READMEVERSION" ]; then
	echo "Versions match in readme.txt and $MAINFILE. Let's continue..."
fi

echo

echo "Q4. Path to a local directory where a temporary SVN checkout can be made."
printf "Don't add trunk ($default_svnpath): "
read -e input
input="${input%/}" # Strip trailing slash
SVNPATH="${input:-$default_svnpath}" # Populate with default if empty
echo

echo "Q5. Remote SVN repo on WordPress.org."
printf "($default_svnurl): "
read -e input
input="${input%/}" # Strip trailing slash
SVNURL="${input:-$default_svnurl}" # Populate with default if empty
echo

printf "Q6. Your WordPress repo SVN username ($VAR_SVN_USERNAME): "
read -e input
SVNUSER="${input:-$VAR_SVN_USERNAME}" # Populate with default if empty
echo

echo "That's all of the data collected."
echo
echo "Slug: $VAR_PLUGINSLUG"
echo "Plugin directory: $PLUGINDIR"
echo "Main file: $MAINFILE"
echo "Temp checkout path: $SVNPATH"
echo "Remote SVN repo: $SVNURL"
echo "SVN username: $SVNUSER"
echo

printf "OK to proceed (Y|n)? "
read -e input
PROCEED="${input:-y}"
echo

# Allow user cancellation
if [ $(echo "$PROCEED" |tr [:upper:] [:lower:]) != "y" ]; then echo "Aborting..."; exit 1; fi

# Let's begin...
echo ".........................................."
echo
echo "Preparing to deploy WordPress plugin"
echo
echo ".........................................."
echo

echo

echo "Changing to $PLUGINDIR"
cd $PLUGINDIR

# Check for git tag (may need to allow for leading "v"?)
# if git show-ref --tags --quiet --verify -- "refs/tags/$PLUGINVERSION"
if git show-ref --tags --quiet --verify -- "refs/tags/$PLUGINVERSION"
	then
		echo "Git tag $PLUGINVERSION does exist. Let's continue..."
	else
		echo "$PLUGINVERSION does not exist as a git tag. Aborting.";
		exit 1;
fi

echo

echo "Creating local copy of SVN repo trunk..."
svn checkout $SVNURL $SVNPATH --depth immediates
svn update --quiet $SVNPATH/trunk --set-depth infinity

echo "Ignoring GitHub specific files"
# Use local .svnignore if present
if [ -f ".svnignore" ]; then
	echo "Using local .svnignore"
	SVNIGNORE=$( <.svnignore )
else
	echo "Using default .svnignore"
	SVNIGNORE="README.md
Thumbs.db
.github
.git
.gitattributes
.gitignore
composer.lock"
fi

svn propset svn:ignore \""$SVNIGNORE"\" "$SVNPATH/trunk/"

echo "Exporting the HEAD of master from git to the trunk of SVN"
git checkout-index -a -f --prefix=$SVNPATH/trunk/

# If submodule exist, recursively check out their indexes
if [ -f ".gitmodules" ]
	then
		echo "Exporting the HEAD of each submodule from git to the trunk of SVN"
		git submodule init
		git submodule update
		git config -f .gitmodules --get-regexp '^submodule\..*\.path$' |
			while read path_key path
			do
				#url_key=$(echo $path_key | sed 's/\.path/.url/')
				#url=$(git config -f .gitmodules --get "$url_key")
				#git submodule add $url $path
				echo "This is the submodule path: $path"
				echo "The following line is the command to checkout the submodule."
				echo "git submodule foreach --recursive 'git checkout-index -a -f --prefix=$SVNPATH/trunk/$path/'"
				git submodule foreach --recursive 'git checkout-index -a -f --prefix=$SVNPATH/trunk/$path/'
			done
fi

echo

# Support for the /assets folder on the .org repo.
echo "Moving assets."
# Make the directory if it doesn't already exist
mkdir -p $SVNPATH/assets/
mv $SVNPATH/trunk/assets/* $SVNPATH/assets/
svn add --force-interactive $SVNPATH/assets/
svn delete --force-interactive $SVNPATH/trunk/assets

echo

echo "Changing directory to SVN and committing to trunk."
cd $SVNPATH/trunk/
# Delete all files that should not now be added.
# Use $SVNIGNORE for `rm -rf`. Setting propset svn:ignore seems flaky.
echo "$SVNIGNORE" | awk '{print $0}' | xargs rm -rf
svn status | grep -v "^.[ \t]*\..*" | grep "^\!" | awk '{print $2"@"}' | xargs svn del
# Add all new files that are not set to be ignored
svn status | grep -v "^.[ \t]*\..*" | grep "^?" | awk '{print $2"@"}' | xargs svn add
svn commit --username=$SVNUSER -m "Preparing for $PLUGINVERSION release"

echo

echo "Updating WordPress plugin repo assets and committing."
cd $SVNPATH/assets/
# Delete all new files that are not set to be ignored
svn status | grep -v "^.[ \t]*\..*" | grep "^\!" | awk '{print $2"@"}' | xargs svn del
# Add all new files that are not set to be ignored
svn status | grep -v "^.[ \t]*\..*" | grep "^?" | awk '{print $2"@"}' | xargs svn add
svn update --quiet --accept working $SVNPATH/assets/*
svn resolve --accept working $SVNPATH/assets/*
svn commit --username=$SVNUSER -m "Updating assets"

echo

echo "Creating new SVN tag and committing it."
cd $SVNPATH
svn copy --quiet trunk/ tags/$PLUGINVERSION/
# Remove assets and trunk directories from tag directory
svn delete --force-interactive --quiet $SVNPATH/tags/$PLUGINVERSION/assets
svn delete --force-interactive --quiet $SVNPATH/tags/$PLUGINVERSION/trunk
svn update --force-interactive --accept working $SVNPATH/tags/$PLUGINVERSION
#svn resolve --accept working $SVNPATH/tags/$PLUGINVERSION/*
cd $SVNPATH/tags/$PLUGINVERSION
svn commit --username=$SVNUSER -m "Tagging version $PLUGINVERSION"

echo

echo "Removing temporary directory $SVNPATH."
cd $SVNPATH
cd ..
rm -fr $SVNPATH/

echo "*** FIN ***"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

VAR_CURRENTDIR=$(pwd)

VAR_PLUGINSLUG="CHANGE_ME"

VAR_SVN_USERNAME="CHANGE_ME"

default_svnpath="$VAR_CURRENTDIR/tmp"

default_svnurl="https://plugins.svn.wordpress.org/$VAR_PLUGINSLUG"

default_plugindir="$VAR_CURRENTDIR"

default_mainfile="$VAR_PLUGINSLUG.php"

echo

echo "WordPress Plugin SVN Deploy v3.1.0"

echo

echo "Let's collect some information first. There are six questions."

echo

echo "Default values are in brackets - just hit enter to accept them."

echo

# Get some user input

# Can't use the -i flag for read, since that doesn't work for bash 3

printf "Q1. WordPress Repo Plugin Slug e.g. my-awesome-plugin: "

printf "($VAR_PLUGINSLUG): "

read -e input

input="${input%/}" # Strip trailing slash

echo

echo "Q2. Your local plugin root directory (the Git repo)."

printf "($default_plugindir): "

read -e input

input="${input%/}" # Strip trailing slash

PLUGINDIR="${input:-$default_plugindir}" # Populate with default if empty

echo

# Check directory exists.

if [ ! -d "$PLUGINDIR" ]; then

echo "Directory $PLUGINDIR not found. Aborting."

exit 1;

printf "Q3. Name of the main plugin file ($default_mainfile): "

read -e input

MAINFILE="${input:-$default_mainfile}" # Populate with default if empty

echo

# Check main plugin file exists.

if [ ! -f "$PLUGINDIR/$MAINFILE" ]; then

echo "Plugin file $PLUGINDIR/$MAINFILE not found. Aborting."

exit 1;

echo "Checking version in main plugin file matches version in readme.txt file..."

echo

# Check version in readme.txt is the same as plugin file after translating both to Unix line breaks to work around grep's failure to identify Mac line breaks

PLUGINVERSION=$(grep -i "Version:" $PLUGINDIR/$MAINFILE | awk -F' ' '{print $NF}' | tr -d '\r')

echo "$MAINFILE version: $PLUGINVERSION"

READMEVERSION=$(grep -i "Stable tag:" $PLUGINDIR/readme.txt | awk -F' ' '{print $NF}' | tr -d '\r')

echo "readme.txt version: $READMEVERSION"

if [ "$READMEVERSION" = "trunk" ]; then

echo "Version in readme.txt & $MAINFILE don't match, but Stable tag is trunk. Let's continue..."

elif [ "$PLUGINVERSION" != "$READMEVERSION" ]; then

echo "Version in readme.txt & $MAINFILE don't match. Exiting...."

exit 1;

elif [ "$PLUGINVERSION" = "$READMEVERSION" ]; then

echo "Versions match in readme.txt and $MAINFILE. Let's continue..."

echo

echo "Q4. Path to a local directory where a temporary SVN checkout can be made."

printf "Don't add trunk ($default_svnpath): "

read -e input

input="${input%/}" # Strip trailing slash

SVNPATH="${input:-$default_svnpath}" # Populate with default if empty

echo

echo "Q5. Remote SVN repo on WordPress.org."

printf "($default_svnurl): "

read -e input

input="${input%/}" # Strip trailing slash

SVNURL="${input:-$default_svnurl}" # Populate with default if empty

echo

printf "Q6. Your WordPress repo SVN username ($VAR_SVN_USERNAME): "

read -e input

SVNUSER="${input:-$VAR_SVN_USERNAME}" # Populate with default if empty

echo

echo "That's all of the data collected."

echo

echo "Slug: $VAR_PLUGINSLUG"

echo "Plugin directory: $PLUGINDIR"

echo "Main file: $MAINFILE"

echo "Temp checkout path: $SVNPATH"

echo "Remote SVN repo: $SVNURL"

echo "SVN username: $SVNUSER"

echo

printf "OK to proceed (Y|n)? "

read -e input

PROCEED="${input:-y}"

echo

# Allow user cancellation

if [ $(echo "$PROCEED" |tr [:upper:] [:lower:]) != "y" ]; then echo "Aborting..."; exit 1; fi

# Let's begin...

echo ".........................................."

echo

echo "Preparing to deploy WordPress plugin"

echo

echo ".........................................."

echo

echo "Changing to $PLUGINDIR"

cd $PLUGINDIR

# Check for git tag (may need to allow for leading "v"?)

# if git show-ref --tags --quiet --verify -- "refs/tags/$PLUGINVERSION"

if git show-ref --tags --quiet --verify -- "refs/tags/$PLUGINVERSION"

then

echo "Git tag $PLUGINVERSION does exist. Let's continue..."

else

echo "$PLUGINVERSION does not exist as a git tag. Aborting.";

exit 1;

echo

echo "Creating local copy of SVN repo trunk..."

svn checkout $SVNURL $SVNPATH --depth immediates

svn update --quiet $SVNPATH/trunk --set-depth infinity

echo "Ignoring GitHub specific files"

# Use local .svnignore if present

if [ -f ".svnignore" ]; then

echo "Using local .svnignore"

SVNIGNORE=$( <.svnignore )

else

echo "Using default .svnignore"

SVNIGNORE="README.md

Thumbs.db

.github

.git

.gitattributes

.gitignore

composer.lock"

svn propset svn:ignore \""$SVNIGNORE"\" "$SVNPATH/trunk/"

echo "Exporting the HEAD of master from git to the trunk of SVN"

git checkout-index -a -f --prefix=$SVNPATH/trunk/

# If submodule exist, recursively check out their indexes

if [ -f ".gitmodules" ]

then

echo "Exporting the HEAD of each submodule from git to the trunk of SVN"

git submodule init

git submodule update

git config -f .gitmodules --get-regexp '^submodule\..*\.path$' |

while read path_key path

#url_key=$(echo $path_key | sed 's/\.path/.url/')

#url=$(git config -f .gitmodules --get "$url_key")

#git submodule add $url $path

echo "This is the submodule path: $path"

echo "The following line is the command to checkout the submodule."

echo "git submodule foreach --recursive 'git checkout-index -a -f --prefix=$SVNPATH/trunk/$path/'"

git submodule foreach --recursive 'git checkout-index -a -f --prefix=$SVNPATH/trunk/$path/'

done

echo

# Support for the /assets folder on the .org repo.

echo "Moving assets."

# Make the directory if it doesn't already exist

mkdir -p $SVNPATH/assets/

mv $SVNPATH/trunk/assets/* $SVNPATH/assets/

svn add --force-interactive $SVNPATH/assets/

svn delete --force-interactive $SVNPATH/trunk/assets

echo

echo "Changing directory to SVN and committing to trunk."

cd $SVNPATH/trunk/

# Delete all files that should not now be added.

# Use $SVNIGNORE for `rm -rf`. Setting propset svn:ignore seems flaky.

echo "$SVNIGNORE" | awk '{print $0}' | xargs rm -rf

svn status | grep -v "^.[ \t]*\..*" | grep "^\!" | awk '{print $2"@"}' | xargs svn del

# Add all new files that are not set to be ignored

svn status | grep -v "^.[ \t]*\..*" | grep "^?" | awk '{print $2"@"}' | xargs svn add

svn commit --username=$SVNUSER -m "Preparing for $PLUGINVERSION release"

echo

echo "Updating WordPress plugin repo assets and committing."

cd $SVNPATH/assets/

# Delete all new files that are not set to be ignored

svn status | grep -v "^.[ \t]*\..*" | grep "^\!" | awk '{print $2"@"}' | xargs svn del

# Add all new files that are not set to be ignored

svn status | grep -v "^.[ \t]*\..*" | grep "^?" | awk '{print $2"@"}' | xargs svn add

svn update --quiet --accept working $SVNPATH/assets/*

svn resolve --accept working $SVNPATH/assets/*

svn commit --username=$SVNUSER -m "Updating assets"

echo

echo "Creating new SVN tag and committing it."

cd $SVNPATH

svn copy --quiet trunk/ tags/$PLUGINVERSION/

# Remove assets and trunk directories from tag directory

svn delete --force-interactive --quiet $SVNPATH/tags/$PLUGINVERSION/assets

svn delete --force-interactive --quiet $SVNPATH/tags/$PLUGINVERSION/trunk

svn update --force-interactive --accept working $SVNPATH/tags/$PLUGINVERSION

#svn resolve --accept working $SVNPATH/tags/$PLUGINVERSION/*

cd $SVNPATH/tags/$PLUGINVERSION

svn commit --username=$SVNUSER -m "Tagging version $PLUGINVERSION"

echo

echo "Removing temporary directory $SVNPATH."

cd $SVNPATH

cd ..

rm -fr $SVNPATH/

echo "*** FIN ***"

S2W Payments plugin for WordPress

After developing on WordPress, I decided to contribute back to the community by creating a free plugin for WooCommerce and Square users. You can download the plug on WordPress.org or fork the source on Github. It’s basically allows you to filter fulfilled payments made to your Square account within WordPress and import them into WooCommerce as orders. This is usefull if you want to sync your sales on Square made via their Point of Sales App (POS) and your online store on WooCommerce. The only caveat is that the SKU’s on both your WooCommerce and Square products must match so we can get the price. I didn’t bother with a create product feature since there’s a product sync feature already in the Square payment gateway plugin for WooCommerce already.

I hope to make more plugins in the future if any good and worth while ideas come to mind. In the mean time, I do hope this plugin helps a few small business owners out there.

HorribleSubs batch downloads

HorribleSubs took down their batch torrent section after their site update last year. Which made it cumbersome to manually download each and every magnet link for the shows I want to get. Thankfully, there’s this Chorme extensions: HorribleSubs Downloader which lets you copy all the magnet links to your clipboard for a particular resurrection e.g. 1080p, 720p, or 480p on each series page. After that, it’s just a matter of adding the magnet links to your torrent client, qBitorrent in my case.

Now, it’s time to catch up on my Anime shows 🙂

Securing my Linode server

Thanks to a hackers and/or bots trying to inject malware into my WordPress installation, I am forced to learn how to administrate my host better. Surprisingly enough, I find myself enjoying learning how to manage and secure a production server; A skill which will definitely help me become a better developer moving forward. So far here’s what I’ve done to deter and hopefully mitigate the hacking attempts on my site.

This guide assumes you are running an Ununtu 14.x up.

Set the proper timezone

This will make log files easier to understand and keep track of SSL certificates

dpkg-reconfigure tzdata

1	dpkg-reconfigure tzdata

Setup a hostname

You can name this anything you want, I used “livehost”

echo "livehost" > /etc/hostname
hostname -F /etc/hostname

1 2	echo "livehost" > /etc/hostname hostname -F /etc/hostname

Now verify the hostname change

hostname

hostname

Now setup a Fully Qualified Domain Name (FQDN) in your /etc/hosts file

127.0.0.1          localhost.localdomain   localhost
127.0.1.1          ubuntu
<your server ip>   livehost.example.com       livehost

127.0.0.1 localhost.localdomain localhost

127.0.1.1 ubuntu

<your server ip> livehost.example.com livehost

Now you can set an A Record to your domain name pointing to your hostname livehost.example.com to access your server.

Disabled remote root login and changed the SSH port

I changed my SSH port to something lower than 1024 but not 22 (learn why here) then set PermitRootLogin to no.

sudo nano /etc/ssh/sshd_config

1	sudo nano /etc/ssh/sshd_config

Installed Fail2Ban

installed it with the following command

sudo apt install fail2ban

1	sudo apt install fail2ban

We’ll copy the default config and jail settings and modify the copies we made.

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

SSH is already enabled by default in Ubuntu, so you’ll just need to enable the services you want to watch over. Do note that Fail2Ban won’t start if you enable a filter on a service that’s not installed/running.In this instance I just added a custom filter and changed the destemail setting so I can get notifications. You will need to install sendmail to get this feature working, see below.

[DEFAULT]
destemail = email@example.com

[wordpress]
enabled  = true
filter   = wordpress
logpath  = /var/www/html/example.com/log/access.log
port     = 80,443

[DEFAULT]

destemail = email@example.com

[wordpress]

enabled = true

filter = wordpress

logpath = /var/www/html/example.com/log/access.log

port = 80,443

I also made a custom wordpress filter in /etc/fail2ban/filter.d/wordpress.conf , you can read more about it here. This basically checks the access log of my site and filters it using regular expressions.

# Fail2Ban filter for WordPress
#
#

[Definition]

failregex = <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /wp-login.php HTTP/1.1" 200
ignoreregex =

# Fail2Ban filter for WordPress

[Definition]

failregex = <HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] "POST /wp-login.php HTTP/1.1" 200

ignoreregex =

after saving the changes, restart the service.

sudo service fail2ban restart

1	sudo service fail2ban restart

Installed and Setup IPTables

IPTables is already installed with Ubuntu so I just needed to setup a new configuration file

sudo nano /etc/iptables.firewall.rules

1	sudo nano /etc/iptables.firewall.rules

I used the following configuration which I Googled to allow SSH, HTTP/HTTPS and a few other ports for testing then closed everything else for security Note that the port setting should be the same as with setting in the /etc/fail2ban/jail.local and /etc/ssh/sshd_config values.

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow ports for webmin
-A INPUT -p tcp --dport 10000 -j ACCEPT

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 321 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow sendmail
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0

-A INPUT -i lo -j ACCEPT

-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic

-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).

-A INPUT -p tcp --dport 80 -j ACCEPT

-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ports for webmin

-A INPUT -p tcp --dport 10000 -j ACCEPT

# Allow SSH connections

# The -dport number should be the same port number you set in sshd_config

-A INPUT -p tcp -m state --state NEW --dport 321 -j ACCEPT

# Allow ping

-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow sendmail

-A OUTPUT -p tcp --dport 25 -j ACCEPT

-A OUTPUT -p udp --dport 53 -j ACCEPT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log iptables denied calls

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy

-A INPUT -j REJECT

-A FORWARD -j REJECT

COMMIT

Activate the new firewall rules now

sudo iptables-restore < /etc/iptables.firewall.rules

1	sudo iptables-restore < /etc/iptables.firewall.rules

Then make sure to run the firewall rules on startup by editing this file

sudo nano /etc/network/if-pre-up.d/firewall

1	sudo nano /etc/network/if-pre-up.d/firewall

Insert the following script

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

1 2	#!/bin/sh /sbin/iptables-restore < /etc/iptables.firewall.rules

Save the changes then set the permissions

sudo chmod +x /etc/network/if-pre-up.d/firewall

1	sudo chmod +x /etc/network/if-pre-up.d/firewall

Install Let’s Encrypt

Let’s encrypt is a free SSL certificate supported by a lot of popular browsers. I use this to encrypt traffic on my sites at no extra cost. Before installing the package make sure you have set your timezone and hostname already. If you’ve done that already you can update everything first.

sudo apt update && sudo apt upgrade

1	sudo apt update && sudo apt upgrade

Once everything has updated, install GIT so we can clone the repository on Gtihub later

sudo apt-get install git

1	sudo apt-get install git

Now clone the official GitHub repository to /opt/letsencrypt

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

1	sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Then navigate to /opt/letsencrypt

cd /opt/letsencrypt

1	cd /opt/letsencrypt

Now make sure nothing is using port 80. I had trouble with this even after closing Apache which was the only application I though was using port 80. So to keep it simple I just killed all processes using port 80

sudo lsof -t -i tcp:80 -s tcp:listen | sudo xargs kill

1	sudo lsof -t -i tcp:80 -s tcp:listen \| sudo xargs kill

Now we are ready to create a certificate that will auto renew. Just change the domain name to the domain name you’re creating a certificate for.

sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

1	sudo -H ./letsencrypt-auto certonly --standalone --renew-by-default -d example.com -d www.example.com

If everything worked properly you should see something like this. Take note of the Certificate and key paths, we will need this later when configuring the SSL certificate for Apache.

Now we will set a cron job to automatically renew the certificate and update Let’s Encrypt. Open crontab

sudo crontab -e

1	sudo crontab -e

Then append the following lines

0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew
0 0 1 * * cd /opt/letsencrypt && git pull

1 2	0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew 0 0 1 * * cd /opt/letsencrypt && git pull

Now we need configure apache for the SSL certificate. Appenbd this to your sites config file typically found in /etc/apache2/sites-available/example.com.conf. The SSLCertificateFile and SSLCertificateKeyFile paths were echoed after you created your certificate earlier. This will also set TLSv1.2 to be used instead of the default TLSv1

<VirtualHost *:443>
	SSLEngine On
	SSLProtocol -all +TLSv1.2
	SSLCertificateFile /etc/letsencrypt/live/mikemamaril.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/mikemamaril.com/privkey.pem
	
	ServerAdmin root@mikemamaril.com
	ServerName  mikemamaril.com
	ServerAlias www.mikemamaril.com

	# Index file and Document Root (where the public files are located)
	DirectoryIndex index.html index.php
	DocumentRoot /var/www/html/mikemamaril.com/public_html
	# Log file locations
	LogLevel warn
	ErrorLog  /var/www/html/mikemamaril.com/log/error.log
	CustomLog /var/www/html/mikemamaril.com/log/access.log combined
</VirtualHost>

SSLEngine On

SSLProtocol -all +TLSv1.2

SSLCertificateFile /etc/letsencrypt/live/mikemamaril.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/mikemamaril.com/privkey.pem

ServerAdmin root@mikemamaril.com

ServerName mikemamaril.com

ServerAlias www.mikemamaril.com

# Index file and Document Root (where the public files are located)

DirectoryIndex index.html index.php

DocumentRoot /var/www/html/mikemamaril.com/public_html

# Log file locations

LogLevel warn

ErrorLog /var/www/html/mikemamaril.com/log/error.log

CustomLog /var/www/html/mikemamaril.com/log/access.log combined

</VirtualHost>

Ensure that the Apache SSL module is enabled, and enable the virtualhost configuration:

a2enmod ssl
a2ensite example.com

1 2	a2enmod ssl a2ensite example.com

Then restart the Apache service

service apache2 restart

1	service apache2 restart

You can visit WhyNoPadlock to troubleshoot any insecure content you may have on your page. If you’re using WordPress you can use Really Simple SSL to force HTTPS to any visitors visitors to your site.

Get alerts when someone uses sudo

For that extra touch to paranoia, I also setup an email notification to let me know if someone uses the sudo command. I start off by making a new file

sudo nano /etc/sudoers.d/my_sudoers

1	sudo nano /etc/sudoers.d/my_sudoers

pasting in the following content, you’ll need to change the email address to the one you wish to use.

Defaults    mail_always
Defaults    mailto="your@email.com"

1 2	Defaults mail_always Defaults mailto="your@email.com"

Save the changes then set the file permissions

sudo chmod 0440 /etc/sudoers.d/my_sudoer

1	sudo chmod 0440 /etc/sudoers.d/my_sudoer

If you don’t have a mail server setup yet you will need to install one. I used sendmail.

sudo apt install sendmail

1	sudo apt install sendmail

The install script hanged on me and I found that the following commands worked to finished the installation.

cd /etc/mail/tls
sudo openssl dsaparam -out sendmail-common.prm 2048
sudo chown root:smmsp sendmail-common.prm
sudo chmod 0640 sendmail-common.prm
sudo dpkg --configure -a

cd /etc/mail/tls

sudo openssl dsaparam -out sendmail-common.prm 2048

sudo chown root:smmsp sendmail-common.prm

sudo chmod 0640 sendmail-common.prm

sudo dpkg --configure -a

When you’re done installing sendmail, configure it:

sudo sendmailconfig

1	sudo sendmailconfig

Reboot server on OOM (Out Of Memory)

This will reboot the server if the system panics, literally.

sudo nano /etc/sysctl.conf

1	sudo nano /etc/sysctl.conf

the append this to the config

vm.panic_on_oom=1
kernel.panic=10

1 2	vm.panic_on_oom=1 kernel.panic=10

How I secured my WordPress site

I recently came across malware in my WordPress installation even though I am running the latest version of WordPress and not running any other plugin apart from JetPack. I tried removing the malware and updating all the WordPress files only to get infected again a few days after. So Far these steps have mitigated the malware from infecting and/or penetrating my site.

.htaccess conditions

I added these rules to my .htaccess file. This will append or replace the existing rules of WordPress as well as the WordFence Plugin if you use it,

# BEGIN WordPress
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]

	# protect wp-admin and wp-incluide
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]

	# Block suspicious request methods
	RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
	RewriteRule ^(.*)$ - [F,L]

	# Block WP timthumb hack
	RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
	RewriteRule . - [S=1]

	# Block suspicious user agents and requests
	RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
	RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
	RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
	RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
	RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
	RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

	# Block MySQL injections, RFI, base64, etc.
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
	RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
	RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
	RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
	RewriteCond %{QUERY_STRING} http\: [NC,OR]
	RewriteCond %{QUERY_STRING} https\: [NC,OR]
	RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
	RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
	RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
	RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
	RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
	RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
	RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
	RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
	RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
	RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
	RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
	RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
	RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

	# PHP-CGI Vulnerability
	RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]

	#proc/self/environ? no way!
	RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

	RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
	RewriteRule ^(.*)$ - [F,L]
</IfModule>

<files wp-config.php>
	order allow,deny
	deny from all
</files>
# END WordPress

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# protect wp-admin and wp-incluide

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Block suspicious request methods

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack

RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

RewriteRule . - [S=1]

# Block suspicious user agents and requests

RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]

RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]

RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]

RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]

RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]

RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]

RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]

RewriteCond %{QUERY_STRING} ftp\: [NC,OR]

RewriteCond %{QUERY_STRING} http\: [NC,OR]

RewriteCond %{QUERY_STRING} https\: [NC,OR]

RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]

RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]

RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]

RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*$[^)]*$ [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>).* [NC,OR]

RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]

RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]

RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]

RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

# PHP-CGI Vulnerability

RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]

#proc/self/environ? no way!

RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]

</IfModule>

order allow,deny

deny from all

</files>

# END WordPress

# Wordfence WAF

Require all denied

</IfModule>

Order deny,allow

Deny from all

</IfModule>

</Files>

# END Wordfence WAF

Installed WordFence and Really Simple SSL Plug-in

I installed WordFence to scan and replace WordPress core files. I only use the free version, though there is a premium version available with more automation features. I also installed a SSL certificate on my server and installed Really Simple SSL to force HTTPS on my main site.

Updated passwords and changed DB table prefix

If you haven’t already, I updated all database and user passwords in my current WordPress installation as well as changing the default database table prefix (wp_) to something obscure.

Set file and directory permissions

Set directories to 755 and files to 644. I simply run these commands via SSH

cd /home/user/domains/domain.com/public_html
find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;

cd /home/user/domains/domain.com/public_html

find . -type d -exec chmod 0755 {} \;

find . -type f -exec chmod 0644 {} \;

Limit or disable access to XML-RPC

I use .htaccess to limit access to the xmlrpc.php file since I use the WordPress app. You can opt to simply deny access to the file all together if you don’t plan on using it.

# Block WordPress xmlrpc.php requests 
# Allow Jetpack IP's 
<Files xmlrpc.php>
	order deny,allow
	deny from all
	Allow from 192.0.64.0/18
	Satisfy All
</Files>

# Block WordPress xmlrpc.php requests

# Allow Jetpack IP's

order deny,allow

deny from all

Allow from 192.0.64.0/18

Satisfy All

</Files>

Gulp Pipeline update

I encountered some errors compiling old projects using my old node workflow which turned out to be the result of a lot of the packages being deprecated.

gyp ERR! stack Error: Can't find Python executable "python", you can set the PYTHON env variable.

1	gyp ERR! stack Error: Can't find Python executable "python", you can set the PYTHON env variable.

Luckily it was an easy fix, I simple had to install the Windows build tools, then I was back on track.

npm install --global --production windows-build-tools

1	npm install --global --production windows-build-tools

Cooling & Storage upgrades

Updated my shoe box for the coming summer heat:

Replaced stock AMD cooler with a Noctua L9i with AM4 mounting kit
Added a 92mmx25mm Noctua fan on the side
Added a 120mm Noctua fan in the front
Added a Seagate 2tb SSHD drive for my media and games.

Temperatures seems to be nominal, everything considered.

Also updated my BIOS to v4.40 and AMD Chipset drivers to 17.40, hopefully that sorts out the Spectre/Meltdown vulnerabilities

SSD cloud hosting for cheap

I decided to try Linode
Cloud hosting

for 10USD (500PHP) a month. You get a high performance VPS which can run several sites for cheap, the only catch is you have to set it up and maintain it yourself. Here’s what I did to get mine up and running in a couple of minutes:

I started by creating an Ubuntu 16.04 LTS node,
then secured my server with their Securing Your Server guide. I also created another user group to make uploading files later easier, then add the non-root user to that group:

sudo adduser <username> www-data
sudo chgrp -R www-data /var/www; sudo chmod -R g+rw /var/www
sudo find /var/www -type d -print0 | sudo xargs -0 chmod g+s

sudo adduser <username> www-data

sudo chgrp -R www-data /var/www; sudo chmod -R g+rw /var/www

sudo find /var/www -type d -print0 | sudo xargs -0 chmod g+s

I installed Apache next with their guide: Hosting a Website. I then change some settings in my Apache config but adding some mods I use like mod_rewrite:

sudo a2enmod rewrite

1	sudo a2enmod rewrite

I then install mySQL and lock it down using the following commands, which are also found in the Linode Guide:

sudo apt-get install mysql-server
sudo mysql_secure_installation

1 2	sudo apt-get install mysql-server sudo mysql_secure_installation

The I optimize my my.cnf for my puny 2GB server (/etc/mysql/my.cnf):

[mysqld]

max_allowed_packet = 1M
thread_stack = 128K
max_connections = 75

table_open_cache = 32M
key_buffer_size = 32

[mysqld]

max_allowed_packet = 1M

thread_stack = 128K

max_connections = 75

table_open_cache = 32M

key_buffer_size = 32

Ubuntu 16.04 LTS does not have support for PHP5 anymore so I used PHP7, so I installed that with the following commands:

sudo apt-get -y install php7.0 libapache2-mod-php7.0

1	sudo apt-get -y install php7.0 libapache2-mod-php7.0

then I install some extensions I need like mySQL, curl etc. THe first commands list the available PHP extensions, then second installs the ones I use.

sudo apt-cache search php7.0

sudo apt-get -y install php7.0-mysql php7.0-curl php7.0-gd php7.0-intl
php-pear php-imagick php7.0-imap php7.0-mcrypt php-memcache
php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc
php7.0-xsl php7.0-mbstring php-gettext

sudo apt-cache search php7.0

sudo apt-get -y install php7.0-mysql php7.0-curl php7.0-gd php7.0-intl

php-pear php-imagick php7.0-imap php7.0-mcrypt php-memcache

php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc

php7.0-xsl php7.0-mbstring php-gettext

We’ll need to install postfix also so PHP’s mail() function will work.

sudo
apt-get install postfix

1 2	sudo apt-get install postfix

Be sure to set “Internet Site: in the configuration dialog. The sendmail_path should be pre-configured correctly already, if not simply set it to:
/usr/sbin/sendmail -t -i

I now Install my FTP server, I use FileZilla since I use the client on my machine natively, then simply connect via SSH/SFTP

sudo apt-get install filezilla

1	sudo apt-get install filezilla

Once that is done, I simply point my domains to my server IP. Linode offers a DNS Manager but I prefer to use GoDaddy’s for simplicity. Hen the IP resolves, I test all my settings then I am off!

UPDATE:

When adding new sites or downloading scripts via wget you’ll need to set permissions again to be able to modify them via FTP: So I add my FTP user to the www-data group so I do not have permission errors.

sudo usermod -a -G www-data <username>
sudo chmod -R 775 /var/www
sudo chown -R www-data:www-data /var/www

sudo usermod -a -G www-data <username>

sudo chmod -R 775 /var/www

sudo chown -R www-data:www-data /var/www