ExpressVPN Review

My experience with ExpressVPN has been pleasant for the past 7 days. I share the account with my wife and daughter, primarily for consuming media. One pleasant surprise is that you get YouTube picture-in-picture when connected to US servers, at least on Android. As far as I know this is a YouTube Premium feature, but I am finding it pretty convenient to have access to it without paying extra.

I paid $99 USD for a 15-month subscription, and I feel I am getting my money’s worth. There are cheaper alternatives, but you do get what you pay for, so I opted for ExpressVPN, which has reasonable pricing and reasonably good service.

You can use my link here to sign up so both you and I get an additional 30 days for free. You’ll want to use the Opera browser with its free VPN service to sign up, since ExpressVPN shows different offers depending on your location.

Live desktop summer feels

It’s been years since I last played with my desktop. Since PC hardware has come a long way since then, I figured I’d give it a shot. Inspired by the Google Pixel live wallpaper, I use this Ocean weather theme for Rain Wallpaper, an app you can find on Steam. Another theme in my rotation is this Elegant weather theme I found on DeviantArt.

Deploying a WordPress plugin repo on GitHub to WordPress.org on Windows

I never learned how to use Subversion, which is why publishing my work on WordPress.org is such a chore. Thankfully, I found a script that can deploy a local Git repository to WordPress.org. The script assumes you already have the following set up and working in your Windows environment:

  • SVN; in my case I use TortoiseSVN
  • Git; I use Git for Windows (git-scm) and the GitHub Windows client
  • A WordPress.org account and an existing plugin repository for your project

The script is originally by GaryJones on GitHub, which I modified to suit my needs. Simply put the script in the repository folder and replace the CHANGE_ME values before running it.

You have the option to set the path of the local repository inside the script or at the prompt; what I prefer is to just drop the script in the working directory and run it there.
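As an added example of what such a Git-to-SVN deploy looks like (my own sketch, not GaryJones’ script nor the modified one used here), here is a shell version that runs from Git Bash on Windows or any Linux shell. The plugin slug, SVN username and working-copy path are placeholders you must change; the two parsing helpers run offline, and the actual deploy only happens when you pass the word deploy.

```bash
#!/usr/bin/env bash
# Added example: deploy a local Git checkout of a WordPress plugin to the
# WordPress.org SVN repository. Placeholders (assumptions, change them):
PLUGIN_SLUG="${PLUGIN_SLUG:-my-plugin}"         # slug on WordPress.org
SVN_USER="${SVN_USER:-CHANGE_ME}"               # WordPress.org username
SVN_URL="https://plugins.svn.wordpress.org/$PLUGIN_SLUG"
SVN_DIR="${SVN_DIR:-/tmp/$PLUGIN_SLUG-svn}"     # local SVN working copy

# Read the "Stable tag:" version out of readme.txt text on stdin.
# This is the version that becomes the SVN tag.
stable_tag_from_readme() {
    awk 'tolower($1)=="stable" && tolower($2)=="tag:" { print $3; exit }'
}

# From "svn status" output on stdin, list files SVN knows about that are
# missing on disk (status "!"), i.e. files we deleted in Git.
svn_files_to_delete() {
    awk '/^!/ { sub(/^![ \t]+/, ""); print }'
}

deploy() {
    set -e
    version=$(stable_tag_from_readme < readme.txt)
    [ -n "$version" ] || { echo "no Stable tag in readme.txt" >&2; exit 1; }
    if ! git rev-parse "v$version" >/dev/null 2>&1; then
        echo "Git tag v$version is missing; tag the release first" >&2; exit 1
    fi

    # fresh SVN working copy, or update the existing one
    [ -d "$SVN_DIR/.svn" ] || svn checkout --username "$SVN_USER" "$SVN_URL" "$SVN_DIR"
    svn update "$SVN_DIR"

    # replace trunk with the Git tree of the tagged commit
    # (git archive honours export-ignore in .gitattributes, so dev files stay out)
    rm -rf "$SVN_DIR/trunk"/*
    git archive "v$version" | tar -x -C "$SVN_DIR/trunk"

    # register additions and deletions, commit, then tag the release
    (
      cd "$SVN_DIR"
      svn add --force -q trunk
      svn status | svn_files_to_delete | while IFS= read -r f; do svn delete -q "$f"; done
      svn commit --username "$SVN_USER" -m "Deploy $version from Git"
      svn copy trunk "tags/$version"
      svn commit --username "$SVN_USER" -m "Tag $version"
    )
}

if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Run it from the plugin’s Git root as ./deploy.sh deploy. Requiring a Git tag that matches the readme’s Stable tag is the guard that keeps you from shipping an uncommitted working tree to WordPress.org.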


S2W Payments plugin for WordPress

After developing on WordPress, I decided to contribute back to the community by creating a free plugin for WooCommerce and Square users. You can download the plugin on WordPress.org or fork the source on GitHub. It basically lets you filter completed payments made to your Square account from within WordPress and import them into WooCommerce as orders. This is useful if you want to sync sales made through Square’s Point of Sale (POS) app with your online store on WooCommerce. The only caveat is that the SKUs of your WooCommerce and Square products must match, since that is how the plugin looks up the price. I didn’t bother with a create-product feature since the Square payment gateway plugin for WooCommerce already has product sync.

I hope to make more plugins in the future if any good and worthwhile ideas come to mind. In the meantime, I hope this plugin helps a few small business owners out there.

HorribleSubs batch downloads

HorribleSubs took down their batch torrent section after their site update last year, which made it cumbersome to manually download each and every magnet link for the shows I want. Thankfully, there’s a Chrome extension, HorribleSubs Downloader, which lets you copy all the magnet links for a particular resolution (1080p, 720p, or 480p) to your clipboard from each series page. After that, it’s just a matter of adding the magnet links to your torrent client, qBittorrent in my case.

Now, it’s time to catch up on my Anime shows 🙂

Securing my Linode server

Thanks to hackers and/or bots trying to inject malware into my WordPress installation, I was forced to learn how to administer my host better. Surprisingly, I find myself enjoying learning how to manage and secure a production server, a skill which will definitely help me become a better developer going forward. So far, here’s what I’ve done to deter and hopefully mitigate the hacking attempts on my site.

This guide assumes you are running Ubuntu 14.04 or newer.

Set the proper timezone

Consistent timestamps make log files easier to read and correlate, and a correct clock matters for SSL certificate validity checks and renewals.

Setup a hostname

You can name this anything you want; I used “livehost”.

Now verify the hostname change.

Now set up a Fully Qualified Domain Name (FQDN) for it in your /etc/hosts file.

Now you can add an A record for livehost.example.com pointing at your server’s IP address, so you can reach the server by name.

Disabled remote root login and changed the SSH port

I changed my SSH port to something below 1024 but not 22 (learn why here), then set PermitRootLogin to no. Change the firewall and Fail2Ban port settings to match before restarting sshd, and keep your current session open until you have confirmed that a fresh login on the new port works.
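The timezone, hostname and SSH steps above, as an added example that is not the post’s own commands: the port (922), hostname (livehost), domain (example.com) and timezone are placeholders, and the script rewrites a copy of sshd_config, validates it with sshd -t, and only touches the live system when run as root with the word apply and the server’s public IP.

```bash
#!/usr/bin/env bash
# Added example: the timezone/hostname/SSH hardening as checkable settings.
# Values are placeholders (assumptions): change them before running "apply".
SSH_PORT="${SSH_PORT:-922}"              # below 1024, not 22
SRV_HOST="${SRV_HOST:-livehost}"
SRV_DOMAIN="${SRV_DOMAIN:-example.com}"
SRV_TZ="${SRV_TZ:-Asia/Manila}"          # assumption

# /etc/hosts line: public IP -> FQDN and short hostname ($1 = IP).
hosts_line() {
    printf '%s\t%s.%s\t%s\n' "$1" "$SRV_HOST" "$SRV_DOMAIN" "$SRV_HOST"
}

# Rewrite an sshd_config read on stdin: drop any active Port/PermitRootLogin/
# PasswordAuthentication directive (commented ones pass through) and append
# the hardened values. Everything else is left unchanged.
harden_sshd_config() {
    awk -v port="$SSH_PORT" '
        tolower($1) ~ /^(port|permitrootlogin|passwordauthentication)$/ { next }
        { print }
        END {
            print "Port " port
            print "PermitRootLogin no"
            # assumption: you already log in with an SSH key; otherwise drop this line
            print "PasswordAuthentication no"
        }'
}

# Succeeds only if the config on stdin has root login off and listens on
# SSH_PORT, which must be a privileged port other than 22.
check_sshd_config() {
    awk -v port="$SSH_PORT" '
        tolower($1) == "permitrootlogin" { root = $2 }
        tolower($1) == "port"            { p = $2 }
        END { exit !(root == "no" && p == port && port != 22 && port < 1024) }'
}

if [ "${1:-}" = "apply" ]; then
    # Run as root: ./harden.sh apply <public-ip>. Open the new port in the
    # firewall and Fail2Ban first, and keep this session open until a second
    # login on the new port succeeds.
    timedatectl set-timezone "$SRV_TZ" 2>/dev/null || dpkg-reconfigure tzdata
    hostnamectl set-hostname "$SRV_HOST" 2>/dev/null || hostname "$SRV_HOST"
    grep -q "$SRV_HOST.$SRV_DOMAIN" /etc/hosts || hosts_line "$2" >> /etc/hosts
    hostname -f                                     # should now print the FQDN
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config < /etc/ssh/sshd_config.bak > /etc/ssh/sshd_config.new
    sshd -t -f /etc/ssh/sshd_config.new             # syntax check before swapping in
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    service ssh restart
fi
```

The reason for a port below 1024 is that only root can bind privileged ports, so if sshd ever dies a rogue unprivileged process cannot take over its port and impersonate it.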

Installed Fail2Ban

I installed it with the following command:

We’ll copy the default config and jail settings and modify the copies we made.

The SSH jail is enabled by default on Ubuntu, so you only need to enable the jails for the other services you want to watch. Note that Fail2Ban won’t start if you enable a jail whose log file doesn’t exist, which is what happens when that service isn’t installed or running. In this instance I just added a custom filter and changed the destemail setting so I get notifications. You will need to install sendmail to get this feature working; see below.

I also made a custom WordPress filter in /etc/fail2ban/filter.d/wordpress.conf; you can read more about it here. It basically checks my site’s access log and matches failed login attempts with regular expressions.

After saving the changes, restart the service.
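An added example of such a WordPress filter and the jail that uses it (my own, not the post’s filter or the one linked above): the failregex relies on the fact that a failed wp-login.php POST returns the form again with status 200 while a successful login redirects with 302, so counting 200s counts only failures. The SSH port and alert address are placeholders, and the log lines the count function is exercised against are constructed, not from a real server.

```bash
#!/usr/bin/env bash
# Added example: a WordPress login-flood filter for Fail2Ban plus a jail
# that uses it, with the same regex exercised against constructed log lines.
SSH_PORT="${SSH_PORT:-922}"      # assumption: must match sshd_config and the firewall
ALERT_EMAIL="${ALERT_EMAIL:-admin@example.com}"

# /etc/fail2ban/filter.d/wordpress.conf
# Failed wp-login.php POST -> 200 (form again); success -> 302. Matching
# "200" therefore counts only failures. xmlrpc.php brute force looks the same.
fail2ban_wordpress_filter() {
    cat <<'EOF'
[Definition]
failregex = ^<HOST> -.*"POST /+(wp-login\.php|xmlrpc\.php)[^"]* HTTP.*" 200
ignoreregex =
EOF
}

# /etc/fail2ban/jail.local: override only what differs from jail.conf.
fail2ban_jail_local() {
    cat <<EOF
[DEFAULT]
destemail = $ALERT_EMAIL
action    = %(action_mwl)s

[sshd]
enabled = true
port    = $SSH_PORT

[wordpress]
enabled  = true
port     = http,https
filter   = wordpress
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Count lines on stdin that the filter would flag for the IP in $1.
# <HOST> is bound to a generic IPv4 pattern so plain grep -E can run the
# regex; fail2ban itself binds <HOST> to the offending address.
count_wp_failures() {
    pat=$(fail2ban_wordpress_filter | sed -n 's/^failregex = //p' | sed 's/<HOST>/[0-9.]+/')
    grep -F -- "$1 " | grep -cE "$pat" || true
}

# Constructed Apache combined-log lines (not from a real server).
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Mar/2018:10:01:02 +0800] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:05 +0800] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:09 +0800] "POST /wp-login.php HTTP/1.1" 302 1087 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2018:10:02:00 +0800] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2018:10:02:01 +0800] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "python-requests/2.18"
EOF
}

if [ "${1:-}" = "install" ]; then
    # Run as root. Before restarting, check the regex against the real log:
    #   fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf
    fail2ban_wordpress_filter > /etc/fail2ban/filter.d/wordpress.conf
    fail2ban_jail_local > /etc/fail2ban/jail.local
    service fail2ban restart && fail2ban-client status wordpress
fi
```

If your site uses a custom login URL or a login plugin that returns a different status code, run fail2ban-regex against a day of real logs first; a regex that never matches is silently useless, and one that matches successful logins will ban your own users.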

Installed and Setup IPTables

iptables is already installed with Ubuntu, so I just needed to create a new rules file.

I used the following configuration, which I found by Googling, to allow SSH, HTTP/HTTPS and a few other ports for testing, and to drop everything else. Note that the SSH port in the rules must be the same as the port set in /etc/fail2ban/jail.local and /etc/ssh/sshd_config.

Activate the new firewall rules now.

Then make sure the rules are loaded on startup by editing this file.

Insert the following script:

Save the changes, then set the permissions (the script must be executable).
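As an added example (not the rules from the post), here is a default-deny IPv4 ruleset in iptables-restore format, the if-pre-up script that reloads it at boot, and a check that the SSH port opened in the rules is the one sshd actually listens on. Port 922, the rules path and the extra test ports are placeholders; the apply branch runs only as root and schedules a rollback with at so a typo can’t lock you out.

```bash
#!/usr/bin/env bash
# Added example: default-deny IPv4 firewall in iptables-restore format, the
# boot-time reload script, and an sshd/firewall port consistency check.
# Port numbers and paths are placeholders (assumptions).
SSH_PORT="${SSH_PORT:-922}"
RULES_FILE="${RULES_FILE:-/etc/iptables.firewall.rules}"
EXTRA_TCP_PORTS="${EXTRA_TCP_PORTS:-}"      # e.g. "8080 8443" for testing, space separated

firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop packets that belong to no known connection state
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH on the non-default port, web, ping
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for p in $EXTRA_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    cat <<'EOF'
# log a sample of what is dropped, then fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
COMMIT
EOF
}

# /etc/network/if-pre-up.d/firewall: restore the rules before the interface
# comes up, so there is never a window with the box unfiltered.
ifpreup_script() {
    cat <<EOF
#!/bin/sh
/sbin/iptables-restore < $RULES_FILE
EOF
}

# Does the ruleset on stdin accept new TCP connections to port $1?
rules_allow_tcp() {
    grep -qE -- "^-A INPUT -p tcp --dport $1( |$)"
}

# Succeeds if the sshd_config at $1 listens on SSH_PORT (the port the rules open).
sshd_port_matches() {
    awk -v port="$SSH_PORT" 'tolower($1)=="port"{p=$2} END{exit !(p==port)}' "$1"
}

if [ "${1:-}" = "apply" ]; then
    # Run as root. Safety net: revert to accept-all in 5 minutes unless you
    # cancel the job (atrm) after confirming a new SSH login still works.
    sshd_port_matches /etc/ssh/sshd_config || { echo "SSH_PORT does not match sshd_config" >&2; exit 1; }
    echo "iptables -P INPUT ACCEPT; iptables -F" | at now + 5 minutes
    firewall_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
    ifpreup_script > /etc/network/if-pre-up.d/firewall
    chmod +x /etc/network/if-pre-up.d/firewall
    iptables -S INPUT
fi
```

The same rules do nothing for IPv6; if the Linode has an IPv6 address, load an equivalent file with ip6tables-restore (and allow ICMPv6, which IPv6 needs to function) or the box is wide open on v6.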

Install Let’s Encrypt

Let’s Encrypt is a free certificate authority whose certificates are trusted by all major browsers. I use it to encrypt traffic on my sites at no extra cost. Before installing the client, make sure you have set your timezone and hostname. If you’ve done that, update everything first.

Once everything has updated, install Git so we can clone the repository from GitHub.

Now clone the official GitHub repository to /opt/letsencrypt

Then navigate to /opt/letsencrypt

Now make sure nothing is using port 80. I had trouble with this even after stopping Apache, which was the only application I thought was using port 80, so to keep it simple I just killed all processes using port 80. The standalone authenticator needs port 80 to itself during validation; if you’d rather not stop the web server, the client’s webroot mode can validate through the running Apache instead.

Now we are ready to create the certificate. Just change the domain name to the domain you’re creating the certificate for. The certificate itself does not renew automatically; that is handled by the cron job further down.

If everything worked properly you should see something like this. Take note of the Certificate and key paths, we will need this later when configuring the SSL certificate for Apache.


Now we will set up a cron job to automatically renew the certificate and update the Let’s Encrypt client. Open crontab:

Then append the following lines:

Now we need to configure Apache for the SSL certificate. Append this to your site’s config file, typically found in /etc/apache2/sites-available/example.com.conf. The SSLCertificateFile and SSLCertificateKeyFile paths were echoed after you created your certificate earlier. This also restricts Apache to TLSv1.2; by default Apache 2.4 still accepts TLSv1.0 and TLSv1.1.

Ensure that the Apache SSL module is enabled, and enable the virtualhost configuration:

Then restart the Apache service

You can visit WhyNoPadlock to troubleshoot any insecure (mixed) content on your pages. If you’re using WordPress you can use Really Simple SSL to force HTTPS for all visitors to your site.
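The TLS virtual host and renewal cron lines, as an added example written by me rather than taken from the post: domain, document root and client path are placeholders, the certificate paths follow the /etc/letsencrypt/live/<domain>/ layout the client prints after issuance, and the --pre-hook/--post-hook flags assume a client recent enough to have them (the letsencrypt-auto wrapper updates itself to one that does). It also covers the one thing that bites on Ubuntu 14.04: its Apache 2.4.7 ignores the chain inside fullchain.pem and needs SSLCertificateChainFile instead.

```bash
#!/usr/bin/env bash
# Added example: Apache TLS vhost generator, renewal cron lines, and a
# post-deploy check that TLS 1.0 is really refused. Placeholders (assumptions):
DOMAIN_NAME="${DOMAIN_NAME:-example.com}"
DOCROOT="${DOCROOT:-/var/www/$DOMAIN_NAME/public_html}"
LE_DIR="${LE_DIR:-/opt/letsencrypt}"

# $1 = domain, $2 = docroot, $3 = "legacy" for Apache < 2.4.8 (Ubuntu 14.04
# ships 2.4.7), which needs the intermediate in SSLCertificateChainFile.
apache_ssl_vhost() {
    live="/etc/letsencrypt/live/$1"
    if [ "${3:-}" = "legacy" ]; then
        certlines="    SSLCertificateFile      $live/cert.pem
    SSLCertificateChainFile $live/chain.pem"
    else
        certlines="    SSLCertificateFile      $live/fullchain.pem"
    fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    SSLEngine on
$certlines
    SSLCertificateKeyFile   $live/privkey.pem
    # TLS 1.2 only (the default also accepts 1.0 and 1.1); server picks the
    # cipher; forward-secret AEAD suites only
    SSLProtocol             -all +TLSv1.2
    SSLHonorCipherOrder     on
    SSLCipherSuite          ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5
    # needs "a2enmod headers"; keep max-age short until HTTPS is known-good
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
EOF
}

# Lines for root's crontab. "renew" only replaces certificates within 30 days
# of expiry, so running weekly is fine. The standalone authenticator needs
# port 80, hence stopping Apache around the renewal; with --webroot the hooks
# are unnecessary.
renew_cron_lines() {
    cat <<EOF
30 2 * * 1 $LE_DIR/letsencrypt-auto renew --quiet --pre-hook "service apache2 stop" --post-hook "service apache2 start" >> /var/log/le-renew.log 2>&1
35 2 * * 1 cd $LE_DIR && git pull -q >> /var/log/le-update.log 2>&1
EOF
}

# After restarting Apache: a TLS 1.0 handshake must fail, TLS 1.2 must work.
verify_tls_versions() {
    if openssl s_client -connect "$1:443" -servername "$1" -tls1 </dev/null >/dev/null 2>&1; then
        echo "TLS 1.0 still accepted by $1" >&2; return 1
    fi
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = "install" ]; then
    # Run as root: ./tls.sh install [legacy]
    apache_ssl_vhost "$DOMAIN_NAME" "$DOCROOT" "${2:-}" > "/etc/apache2/sites-available/$DOMAIN_NAME-ssl.conf"
    a2enmod ssl headers && a2ensite "$DOMAIN_NAME-ssl"
    apachectl configtest && service apache2 restart
    ( crontab -l 2>/dev/null; renew_cron_lines ) | crontab -
    verify_tls_versions "$DOMAIN_NAME" && echo "TLS 1.2 only: OK"
fi
```

Raise the HSTS max-age (a year is typical) only once every subdomain you serve works over HTTPS, because browsers will refuse plain HTTP for the whole period once they have seen the header.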

Get alerts when someone uses sudo

For that extra touch of paranoia, I also set up an email notification to let me know whenever someone uses the sudo command. I start off by making a new file

and pasting in the following content; you’ll need to change the email address to the one you wish to use.

Save the changes then set the file permissions

If you don’t have a mail server setup yet you will need to install one. I used sendmail.

The install script hung on me, and I found that the following commands worked to finish the installation. (Sendmail stalls during configuration when the host’s name doesn’t resolve to a fully qualified name, which is one more reason to do the hostname and /etc/hosts steps first.)

When you’re done installing sendmail, configure it:
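As an added example (my own approach, not the file from the post): rather than wrapping the sudo command, sudo can be told to send the mail itself through a sudoers drop-in, which survives upgrades and cannot be bypassed by calling the binary by its full path. The email address and drop-in path are placeholders; the install branch validates the fragment with visudo before it goes live and sends a test message through the local MTA.

```bash
#!/usr/bin/env bash
# Added example: mail on every sudo use via a sudoers drop-in, plus a check
# that the fragment only contains Defaults lines (it must grant nothing).
# Email and path are placeholders (assumptions).
ALERT_EMAIL="${ALERT_EMAIL:-admin@example.com}"
DROPIN="${DROPIN:-/etc/sudoers.d/90-mail-alerts}"   # no '.' or '~' in the name, or sudo skips it

sudo_alert_sudoers() {
    cat <<EOF
# mail on every sudo invocation, not only on failures
Defaults mail_always
Defaults mailto="$ALERT_EMAIL"
Defaults mailsubj="[sudo] %h: sudo was used"
EOF
}

# Sanity check on a sudoers fragment read from stdin: every line must be a
# comment, blank, or a Defaults line. A stray "user ALL=(ALL)" line here
# would be a privilege grant hiding in an "alerting" file.
sudoers_fragment_ok() {
    ! grep -vqE '^[[:space:]]*(#|$|Defaults[[:space:]])'
}

# Send a test message through the local MTA so you know alerts can leave
# the box before you rely on them.
send_test_mail() {
    printf 'To: %s\nSubject: sudo alert test from %s\n\nIf you can read this, alerts work.\n' \
        "$ALERT_EMAIL" "$(hostname -f)" | sendmail -t -i
}

if [ "${1:-}" = "install" ]; then
    # Run as root. Mode must be 0440; "visudo -c" re-checks the whole sudoers
    # set including drop-ins so a broken fragment cannot lock you out.
    hostname -f | grep -q '\.' || echo "warning: no FQDN; sendmail will stall on hostname lookup" >&2
    sudo_alert_sudoers > "$DROPIN.tmp"
    sudoers_fragment_ok < "$DROPIN.tmp"
    visudo -cf "$DROPIN.tmp" && chmod 0440 "$DROPIN.tmp" && mv "$DROPIN.tmp" "$DROPIN"
    visudo -c
    send_test_mail
fi
```

mail_always is noisy if cron jobs or deploy scripts use sudo; if that is your situation, mail_badpass and mail_no_user alert only on failed or unauthorised attempts, which is usually the signal you actually want.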

Reboot server on OOM (Out Of Memory)

This makes the kernel panic when it runs out of memory and then reboot automatically after the panic, instead of sitting there unresponsive.

Then append this to the config:
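The two kernel settings involved, as an added example that is not the post’s own snippet: vm.panic_on_oom turns an out-of-memory condition into a panic, and kernel.panic turns the panic into a reboot after a delay. The drop-in path is an assumption; the helper reads the values back so you can compare the file with what the running kernel reports.

```bash
#!/usr/bin/env bash
# Added example: sysctl settings that make an out-of-memory condition reboot
# the box, as a drop-in file plus a checker. Path is an assumption.
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/60-oom-reboot.conf}"

oom_reboot_sysctl() {
    cat <<'EOF'
# panic instead of letting the OOM killer pick a victim (0 = kill a task, the default)
vm.panic_on_oom = 1
# after a panic, reboot in 10 seconds instead of hanging forever (0 = never reboot)
kernel.panic = 10
EOF
}

# Read "key = value" lines on stdin and print the value for key $1
# (comments ignored, whitespace stripped).
sysctl_value() {
    awk -F'=' -v key="$1" '
        $0 !~ /^[[:space:]]*#/ {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/[[:space:]]/, "", v); print v }
        }'
}

# Compare the running kernel's values with what the drop-in asks for.
oom_settings_live() {
    [ "$(sysctl -n vm.panic_on_oom)" = "$(oom_reboot_sysctl | sysctl_value vm.panic_on_oom)" ] &&
    [ "$(sysctl -n kernel.panic)"    = "$(oom_reboot_sysctl | sysctl_value kernel.panic)" ]
}

if [ "${1:-}" = "apply" ]; then
    # Run as root. The drop-in persists across reboots; -p loads it now.
    oom_reboot_sysctl > "$SYSCTL_DROPIN"
    sysctl -p "$SYSCTL_DROPIN"
    oom_settings_live && echo "OOM reboot settings active"
fi
```

This trades a hung server for a rebooted one and loses whatever was in memory, so on a small VPS it pairs naturally with a swap file and MySQL/PHP limits tuned so the OOM condition rarely happens in the first place.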


How I secured my WordPress site

I recently came across malware in my WordPress installation even though I am running the latest version of WordPress and no plugins other than Jetpack. I tried removing the malware and replacing all the WordPress files, only to get infected again a few days later. Reinfection after a clean-up usually means the entry point wasn’t in the files that were replaced (a leaked password, a writable upload directory, or a hole on the server itself), which is why the steps below go beyond the WordPress files. So far they have kept the malware from getting back in.

.htaccess conditions

I added these rules to my .htaccess file. They sit alongside the rules WordPress (and Wordfence, if you use it) write into the file; keep your own rules outside the “# BEGIN WordPress” / “# END WordPress” markers, since WordPress regenerates that block and would discard anything placed inside it.

Installed WordFence and Really Simple SSL Plug-in

I installed Wordfence to scan for and repair modified WordPress core files. I only use the free version, though there is a premium version with more automation. I also installed an SSL certificate on my server and installed Really Simple SSL to force HTTPS on my main site.

Updated passwords and changed DB table prefix

I also updated all database and WordPress user passwords in my current installation and changed the default database table prefix (wp_) to something less guessable. Changing the prefix only trips up automated attacks that hard-code wp_; it doesn’t close whatever hole let them in, so treat it as a minor extra rather than a fix.

Set file and directory permissions

Set directories to 755 and files to 644. I simply ran these commands via SSH:
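An added example (mine, not the commands from the post) that normalises a WordPress tree to 755/644, tightens wp-config.php so other users on the box cannot read the database password, and reports anything still world-writable. It assumes the files are owned by your deploy user with the www-data group, so that PHP (running as www-data) gets read access to wp-config.php through the group and nothing else; the chown only happens in the root-only apply branch.

```bash
#!/usr/bin/env bash
# Added example: 755/644 normalisation for a WordPress tree, a tighter
# wp-config.php, and checks that nothing is left world-writable.
# Owner/group are assumptions: deploy user owns the files, PHP runs as www-data.
WEB_GROUP="${WEB_GROUP:-www-data}"

wp_fix_permissions() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # DB credentials: owner read/write, group (PHP) read, others nothing
    [ -f "$dir/wp-config.php" ] && chmod 640 "$dir/wp-config.php"
    return 0
}

# Print paths that are writable by everyone; empty output is the goal.
wp_world_writable() {
    find "$1" -perm -0002 -print
}

# Count entries whose mode differs from 755 (dirs) / 644 (files),
# ignoring wp-config.php, which is deliberately 640.
wp_perm_violations() {
    { find "$1" -type d ! -perm 755
      find "$1" -type f ! -perm 644 ! -name wp-config.php; } | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    # Run as root: ./perms.sh apply /var/www/example.com/public_html [owner]
    chown -R "${3:-$SUDO_USER}:$WEB_GROUP" "$2"
    wp_fix_permissions "$2"
    echo "violations left: $(wp_perm_violations "$2")"
    wp_world_writable "$2"
fi
```

Re-run the violation count after a WordPress update or plugin install; those run as www-data and will happily recreate files with looser modes. Note that 644 means www-data can read but not modify the code, which is exactly the property that stops a PHP-level compromise from rewriting core files.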

Limit or disable access to XML-RPC

I use .htaccess to limit access to xmlrpc.php to known IP addresses, since I use the WordPress mobile app. You can simply deny access to the file altogether if you don’t plan on using it, but note that Jetpack also talks to the site through xmlrpc.php, so blocking it completely will break Jetpack’s connection.


Gulp Pipeline update

I encountered some errors compiling old projects with my old Node workflow, which turned out to be the result of a lot of the packages being deprecated.

Luckily it was an easy fix; I simply had to install the Windows build tools, and then I was back on track.

Cooling & Storage upgrades

Updated my shoebox PC for the coming summer heat:

  • Replaced the stock AMD cooler with a Noctua L9i and an AM4 mounting kit
  • Added a 92 mm x 25 mm Noctua fan on the side
  • Added a 120 mm Noctua fan in the front
  • Added a Seagate 2 TB SSHD for my media and games.

Temperatures seem nominal, all things considered.

Also updated my BIOS to v4.40 and the AMD chipset drivers to 17.40; hopefully that sorts out the Spectre vulnerabilities (Meltdown doesn’t affect AMD CPUs, and the OS-level patches still need to be installed on top of the firmware update).

SSD cloud hosting for cheap


I decided to try Linode cloud hosting for 10 USD (500 PHP) a month. You get a high-performance VPS that can run several sites cheaply; the only catch is that you have to set it up and maintain it yourself. Here’s what I did to get mine up and running in a couple of minutes:

I started by creating an Ubuntu 16.04 LTS node, then secured the server with their Securing Your Server guide. I also created another user group to make uploading files later easier, then added the non-root user to that group:

I installed Apache next with their guide, Hosting a Website. I then changed some settings in my Apache config and enabled some modules I use, like mod_rewrite:

I then installed MySQL and locked it down using the following commands, which are also found in the Linode guide:

Then I optimized my.cnf for my puny 2GB server (/etc/mysql/my.cnf):

Ubuntu 16.04 LTS no longer ships PHP 5, so I used PHP 7, which I installed with the following commands:

Then I installed some extensions I need, like MySQL and curl. The first command lists the available PHP extensions; the second installs the ones I use.

We’ll need to install Postfix too so PHP’s mail() function works.

Be sure to select “Internet Site” in the configuration dialog. The sendmail_path should already be configured correctly; if not, simply set it to:
/usr/sbin/sendmail -t -i

For file transfers I don’t need a separate FTP server: I use the FileZilla client on my machine and connect over SFTP, which runs on top of the SSH service that’s already there.

Once that is done, I simply point my domains at my server’s IP. Linode offers a DNS Manager, but I prefer to use GoDaddy’s for simplicity. When the domain resolves, I test all my settings and I’m off!

UPDATE:

When adding new sites or downloading scripts via wget you’ll need to fix permissions again before you can modify them over SFTP, so I added my SFTP user to the www-data group to avoid permission errors. Keep in mind that this only helps for files and directories that are group-writable, and that anything writable by www-data is also writable by a compromised PHP process, so be deliberate about which directories get group write.