W3TC (W3 Total Cache) Minify 403 Forbidden Error

A quick fix for the 403 Forbidden error that appears when saving minify settings in W3 Total Cache is to disable Apache’s ModSecurity, since it blocks the W3TC request that updates the minify settings.

ModSecurity/Apache will throw an error like the one below:

ModSecurity: Warning. Match of "rx ://%{SERVER_NAME}/" against "ARGS:minify__cache__files" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "386"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] [hostname "youdomain.com"] [uri "/wp-admin/admin.php"] [unique_id "WbLrG38AAAECADaiJGUACCAB"]
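
Disabling ModSecurity removes the WAF for the whole site. A narrower fix is to remove only the rule that fired (id 340465 in the log line above) for the one admin URI it fired on. The script below is an added example written for this page, not part of the original post; it assumes a Debian-style Apache layout (conf-available plus a2enconf) and writes the exclusion as an Apache LocationMatch block:

```shell
#!/bin/sh
# Added example (not from the original post): scope the ModSecurity exclusion to the
# one rule and URI that fired instead of turning ModSecurity off for the whole site.
# Assumptions: Debian-style Apache layout (/etc/apache2/conf-available, a2enconf).
# The rule id 340465 and the URI /wp-admin/admin.php come from the log line above.

RULE_ID="${RULE_ID:-340465}"
ADMIN_URI="${ADMIN_URI:-/wp-admin/admin.php}"

# Print the Apache fragment that removes only RULE_ID for ADMIN_URI.
# SecRuleRemoveById inside <LocationMatch> applies at that location only.
render_modsec_exclusion() {
    printf '%s\n' \
        "# W3TC posts URLs in ARGS:minify__cache__files when saving minify settings;" \
        "# rule $RULE_ID reads that as remote file injection. Drop only that rule here." \
        "<LocationMatch \"^$ADMIN_URI\$\">" \
        "    SecRuleRemoveById $RULE_ID" \
        "</LocationMatch>"
}

# Write the fragment to $1 (default: Debian's conf-available directory) and echo the path.
write_modsec_exclusion() {
    _target="${1:-/etc/apache2/conf-available/w3tc-minify-modsec.conf}"
    render_modsec_exclusion > "$_target"
    echo "$_target"
}

# Enable the fragment and validate the Apache config before reloading (run as root).
apply_modsec_exclusion() {
    _f=$(write_modsec_exclusion)
    a2enconf "$(basename "$_f" .conf)"
    apachectl configtest && systemctl reload apache2
}

# Only act when explicitly asked, so the file can be sourced or tested without side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_modsec_exclusion
fi
```

Run it with --apply as root; without the flag it only defines functions, so you can source it and inspect the output of render_modsec_exclusion first. After saving the W3TC settings again, check the ModSecurity audit log to confirm no other rule now fires for that request.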

VirtualBox Debian 8 guest installation

Installing

Running VBoxLinuxAdditions.run fails because it does not install the build dependencies it needs (a compiler and the kernel headers); here is a quick fix. See the Debian wiki for additional details. These instructions are tailored for Debian 8.

apt-get install virtualbox-guest-dkms build-essential linux-headers-$(uname -r)

Then you can run

sh VBoxLinuxAdditions.run

Reboot / Restart services and you’re good to go!

Checking installation

If you need to check that the guest additions are available,

systemctl status virtualbox-guest-utils.service && lsmod | grep vbox

This checks that the guest service is running and that the vbox kernel modules are loaded.

Automated transmission web (Raspberry Pi)

This is a simple script I made when automating pi installs.

When run, it will

  • Install transmission
  • Create transmission settings.json to allow for web access
  • Set default username, password, address/port
  • Reload transmission for changes to take effect

You might need to adjust rpc-whitelist for your network. Also, it isn’t tied to the Pi in any way, so you should be able to run it without changes on any Debian machine 🙂

https://gist.github.com/rickyhewitt/9885d24457a8a8cce059
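
As an added example of the steps listed above (my own reimplementation for this page, not the linked gist), the script below writes the RPC part of settings.json and stops the daemon first, because transmission-daemon overwrites settings.json when it exits. It assumes the Debian transmission-daemon package, its settings path /var/lib/transmission-daemon/info/settings.json and its debian-transmission service user; the rpc-* keys are Transmission’s own.

```shell
#!/bin/sh
# Added example: my own reimplementation of the steps listed above, not the linked gist.
# Assumptions: Debian/Raspbian with the transmission-daemon package, whose settings live
# in /var/lib/transmission-daemon/info/settings.json and whose service user is
# debian-transmission. The daemon rewrites settings.json when it exits, so it is stopped
# before the file is written and started again afterwards.

RPC_USER="${RPC_USER:-pi}"
RPC_PASS="${RPC_PASS:-change-me}"
RPC_PORT="${RPC_PORT:-9091}"
# Addresses allowed to reach the web UI; adjust to your LAN. "*" would allow everyone.
RPC_WHITELIST="${RPC_WHITELIST:-127.0.0.1,192.168.*.*}"
SETTINGS="${SETTINGS:-/var/lib/transmission-daemon/info/settings.json}"

# Emit the settings.json keys that control web (RPC) access. A plaintext rpc-password is
# accepted; Transmission replaces it with a salted hash the next time it saves settings.
render_rpc_settings() {
cat <<EOF
{
    "rpc-enabled": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-port": $RPC_PORT,
    "rpc-authentication-required": true,
    "rpc-username": "$RPC_USER",
    "rpc-password": "$RPC_PASS",
    "rpc-whitelist-enabled": true,
    "rpc-whitelist": "$RPC_WHITELIST"
}
EOF
}

# Refuse the two settings that would leave the UI open to anyone who can reach the port.
check_rpc_settings() {
    if [ -z "$RPC_PASS" ] || [ "$RPC_PASS" = "change-me" ]; then
        echo "set RPC_PASS to a real password before applying" >&2
        return 1
    fi
    if [ "$RPC_WHITELIST" = "*" ]; then
        echo "rpc-whitelist '*' exposes the web UI to every address" >&2
        return 1
    fi
    return 0
}

# Write the settings to $1 (default: the daemon's file). If a file already exists and jq
# is available, merge so that unrelated keys such as download-dir survive.
write_rpc_settings() {
    _target="${1:-$SETTINGS}"
    _new=$(mktemp)
    render_rpc_settings > "$_new"
    if [ -s "$_target" ] && command -v jq >/dev/null 2>&1; then
        _merged=$(mktemp)
        jq -s '.[0] * .[1]' "$_target" "$_new" > "$_merged" && mv "$_merged" "$_new"
    fi
    install -m 600 "$_new" "$_target"   # the file holds the password: owner-only
    rm -f "$_new"
}

apply_transmission_web() {
    check_rpc_settings || return 1
    apt-get install -y transmission-daemon
    systemctl stop transmission-daemon     # it would overwrite our file on exit otherwise
    write_rpc_settings "$SETTINGS"
    chown debian-transmission:debian-transmission "$SETTINGS"
    systemctl start transmission-daemon
}

# Only act when asked, so the file can be sourced or tested without touching the system.
if [ "${1:-}" = "--apply" ]; then
    apply_transmission_web
fi
```

Run it as root with the RPC_* variables set in the environment and the --apply flag. The whitelist is the important knob: with rpc-bind-address 0.0.0.0 the port is reachable from the whole LAN, so rpc-whitelist-enabled plus a password is what keeps the UI to the hosts you intend.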

Automated logwatch setup (with logwatch vnstat)

Wow, it’s been a while since I posted here! Over a year and three months!

I have been working on my workspace code a lot recently, and covering automation and other areas.

Logwatch is a small, simple mail-based system logging solution that I enable on all my servers, big or small. I typically then archive/delete any messages older than x days.

Logwatch can be useful as a fallback for figuring out roughly when things changed or packages were installed, or simply to provide other information (HTTP responses, fail2ban, vnstat, etc.).

Adding vnstat support to logwatch

By default vnstat is not supported with logwatch, so here is an easy way to add support.

https://gist.github.com/rickyhewitt/ffdbf95c1bb393a7c936 (logwatch-enable-vnstat.sh)
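
The gist is not reproduced here; the script below is an added example of the same idea, my own version rather than the linked file. It relies on logwatch’s convention that a service whose conf sets LogFile = NONE has no log to parse, so logwatch simply runs the matching scripts/services/<name> script and puts its stdout into the report. It assumes the /etc/logwatch override tree (Debian’s default) and that vnstat is installed:

```shell
#!/bin/sh
# Added example: my own version of a logwatch-enable-vnstat script, not the linked gist.
# Assumptions: logwatch's local override tree is /etc/logwatch (Debian's default) and
# vnstat is installed. A service whose conf says "LogFile = NONE" has no log to parse:
# logwatch just runs scripts/services/<name> and puts whatever it prints into the report.
LOGWATCH_DIR="${LOGWATCH_DIR:-/etc/logwatch}"

# Service definition: the section title and the fact that there is no log file.
render_vnstat_conf() {
    printf '%s\n' 'Title = "vnstat traffic summary"' 'LogFile = NONE'
}

# Service script: executed by logwatch; its stdout becomes the section body.
render_vnstat_script() {
    cat <<'EOF'
#!/bin/sh
# Per-interface totals for the logwatch mail. Degrade gracefully so a missing
# binary or an empty database does not break the rest of the report.
if ! command -v vnstat >/dev/null 2>&1; then
    echo "vnstat is not installed"
    exit 0
fi
vnstat 2>&1 || echo "vnstat has no data yet"
EOF
}

# Drop both files into the override tree ($1 lets you target a scratch directory).
install_vnstat_service() {
    _dir="${1:-$LOGWATCH_DIR}"
    mkdir -p "$_dir/conf/services" "$_dir/scripts/services"
    render_vnstat_conf   > "$_dir/conf/services/vnstat.conf"
    render_vnstat_script > "$_dir/scripts/services/vnstat"
    chmod 755 "$_dir/scripts/services/vnstat"
    echo "$_dir/scripts/services/vnstat"
}

# Render only this section to the terminal instead of mail, to confirm it shows up.
preview_vnstat_report() {
    logwatch --service vnstat --output stdout --range today
}

if [ "${1:-}" = "--install" ]; then
    install_vnstat_service && preview_vnstat_report
fi
```

The same two files (a conf with LogFile = NONE and an executable of the same name under scripts/services) are how any command’s output can be added to the daily mail, which is why this works for vnstat without vnstat knowing anything about logwatch.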

Automating an entire logwatch install

If you are using ansible, chef, or some other configuration management software then you will of course need to either adapt, or interface with this script in your own way.

One thing that I do is have logwatch installed, configured, and additional logwatch services created from provisioning… the script below doesn’t handle apt-get install logwatch, so you’ll need to make sure that is done somewhere else.

https://gist.github.com/rickyhewitt/54317589fbbf44462bfe (install-logwatch.sh)

Disable Facebook videos from autoplaying

Facebook has recently integrated a new feature to automatically play video in your news stream — not only can this be an annoyance, but it can also potentially slow down older computers/devices, crash your browser, and waste your bandwidth.

Facebook video settings

You can disable it on the video settings page and then browse freely without wasting bandwidth or risking a browser crash.

Scam Alert: 123systems.net

I am just letting the community know about 123systems, a subsidiary of ChicagoVPS, operated by a man named Chris Fabozzi.

123systems is a complete joke. See the attached screenshots which show my communications with them — the entire time my VPS has been unavailable, aside from some very short periods. Eventually they decided to just ignore my tickets and blacklist me from logging in.

Regardless of the amount of money paid for a product/service, said product/service should be delivered. 123systems.net is a scam service and I urge you all to avoid them if you are considering working with them.

Why you SHOULD buy a UEFI system

There is an incredible amount of FUD being spread around the internet that you shouldn’t buy UEFI systems or UEFI with SecureBoot systems. I figured I would take a minute to perhaps fix some of the nonsense that is being spread.

UEFI has been around for quite a while, and is intended as a replacement for the traditional BIOS. It’s actually based on EFI, which has been around for a very long time now, and was supported in Linux before it was even supported in Windows.

Many people believe that Linux isn’t supported on UEFI systems, when it is. Most of the distributions I have tried have worked flawlessly with UEFI *enabled*. If UEFI doesn’t play well, then you can simply disable it. There is absolutely no reason why someone wanting to run Linux should avoid buying UEFI hardware, yet people constantly suggest that it is a bad idea. It is completely fine.

The only issue that you *may* run into is running Linux on a UEFI enabled system that utilizes SecureBoot, which is found on machines that are sold with Windows 8 preinstalled. In this instance, you should be able to disable SecureBoot.

As for why you should buy a UEFI system: it’s a lot more modern and supports more features, faster boot times and larger hard disks, just to name a few things.

Yahoo hacked

A security group called d33d has recently obtained over 400,000+ accounts stored within Yahoo. The breach includes plaintext passwords — they were all unencrypted.

To check if you have been affected, you can use a small tool I developed to quickly check if your account is listed.

http://rickyhewitt.com/tools/2012/d33d-yahoo-disclosure/

You can read more about the breach on BBC News.

Why Amazon’s seller system is completely broken

I think Amazon is awesome. I really do. But after a nightmare of trying to sell with them, I don’t think I’ll be trying again and I certainly won’t be advising anyone else to — unless they sort their shit out.

Think of this as Amazon’s version of the Blue Screen of Death

I got my card information wrong? What’s the big deal?

The issue with the system isn’t just one issue. It’s a plethora of issues that are related to something that isn’t even technically incorrect. Let me explain.

My card details are completely correct. That’s why this is annoying. Am I missing some critical detail? Not exactly. Does reading the Amazon help files solve the issue? Only if you can access them. While some help is available, a huge amount of the site’s functionality, including access to support information, is unavailable when this error occurs. You’re also unable to remove any of the previous cards. You are left with a completely broken system, and you’re unable to contact support in order to resolve the issue.

After giving Amazon a quick call, they had a member of the sellers team get back in contact with me (the support team is A+, no issues there) and I proceeded to explain my numerous gripes with the system.

Allegedly this error occurs when Amazon is unable to reserve money from your account (specifically, £30…. quite why a free account would need to do this is completely beyond me, and they seem to have no idea either). This then prevents you from accessing large parts of the system, or even accessing support information in order to resolve the issue.

Also, not one of the help documents I was able to access mentions ‘reserving’ £30 from my account. I asked the support team to refer me to them, but they were unable to do so.

I have ‘advised’ them to fix these issues and report them to the higher-ups/technical teams, but I doubt that will actually happen — which is unfortunate, as I generally think Amazon is a good company.

Fully replacing FTP with SFTP

Recently while setting up a new server, I realized that I really didn’t need to run FTP anymore. I typically use SFTP where possible, and it made sense to go the extra mile and migrate to using SFTP completely, while also allowing other users to access my server and use SFTP, without allowing them a shell.

What is SFTP?

SFTP is similar but not the same as FTP. Technically, SFTP isn’t just a secure FTP, but is a completely different protocol. For the ease of explaining things, however, SFTP is essentially like FTP running through SSH. It provides you with fully encrypted sessions, and brings other benefits that SSH provides such as key based authentication.

Not many commercial web hosts use SFTP. I’m not 100% sure why, but I suspect it is largely the misconception that SFTP is a risk because it requires the user to have an account on the server, which could potentially give them shell access. I’m sure it also has a slight performance impact, which could become a large one when scaled to thousands of users.

The only qualm I have with this is that in the majority of setups I have seen, the users already have a system account so that FTP/Apache can run and they can have a home directory and so on, so there isn’t a difference.

These accounts (let’s call them members of the www-data group) should already have disabled shells anyway, so running SFTP isn’t going to compromise the security of the system in any way.

Configuring SFTP

The first step is to ensure you have OpenSSH installed. This guide assumes you are using Debian (Squeeze) and already have a running server with users on it.

Install SSH

apt-get install openssh-server

Prepare chroot

You will need to modify the home directory permissions for each user in order for the SSH chroot to work correctly. Each user’s directory needs to be owned by root. We’ll use bobdole as an example.

chown root /home/bobdole
# sshd refuses to chroot into a directory that is group- or world-writable,
# so the mode must be 755 rather than 775
chmod 755 /home/bobdole

Modify the user’s default shell

In order to prevent the user from gaining shell access, we set the default shell to /bin/false, and add bobdole to the www-data group.

usermod -s /bin/false bobdole
usermod -aG www-data bobdole

Modify sshd_config

You will need to change the Subsystem option so that sshd uses its built-in SFTP server:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

We will need to add a clause specifically for members of the www-data group (bobdole, etc.) in order to apply options to them and enable the chroot specifically for them.

# Specific configuration for www-data
Match group www-data
ChrootDirectory /home/%u

You can also add other declarations to the Match directive. For instance, if you only allowed key based authentication to your server previously, but wanted to allow www-data members to log in without a key, you could set PasswordAuthentication to yes, only for those specific members…

# Specific configuration for www-data
Match group www-data
ChrootDirectory /home/%u
PasswordAuthentication yes
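
The steps above as one script, an added example that is not part of the original post. Beyond what the post configures it adds two things a practitioner will want: a check that the chroot directory and all of its parents are root-owned and not group/world writable, which is what sshd verifies before it will chroot and the reason the user cannot own /home/bobdole directly; and a writable subdirectory inside the chroot (the name www is my assumption) plus ForceCommand internal-sftp with forwarding disabled in the Match block, so the account can do nothing but SFTP. It assumes Debian with openssh-server, GNU find and the ssh service name.

```shell
#!/bin/sh
# Added example, not from the original post: the chroot setup above as one script, plus
# the check and hardening sshd users actually need. Assumptions: Debian with
# openssh-server, GNU find, the "ssh" service name, the www-data group from the post,
# and a subdirectory named "www" inside the chroot as the user's writable area.
SFTP_GROUP="${SFTP_GROUP:-www-data}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd only chroots if the directory and every parent are root-owned and not writable
# by group or others; otherwise the login fails with "bad ownership or modes".
check_chroot_dir() {
    _d="$1"
    case "$_d" in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    while :; do
        if [ -z "$(find "$_d" -maxdepth 0 -user root ! -perm /022 2>/dev/null)" ]; then
            echo "$_d must be owned by root and not group/world writable" >&2
            return 1
        fi
        [ "$_d" = "/" ] && return 0
        _d=$(dirname "$_d")
    done
}

# Lock the account down: no shell, root-owned chroot, one directory the user may write to.
setup_sftp_user() {
    _u="$1"
    _home="/home/$_u"
    usermod -s /bin/false "$_u"
    usermod -aG "$SFTP_GROUP" "$_u"
    chown root:root "$_home"
    chmod 755 "$_home"            # 775 (group-writable) makes sshd refuse the chroot
    mkdir -p "$_home/www"
    chown "$_u" "$_home/www"      # the only writable path inside the chroot
    check_chroot_dir "$_home"
}

# Match block: chroot plus ForceCommand so a shell is never requested, and no
# forwarding, so the account cannot be used as a relay even though it has no shell.
render_sftp_match() {
    cat <<EOF
# SFTP-only access for members of $SFTP_GROUP
Match Group $SFTP_GROUP
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Match blocks must follow the global options, so append; validate before reloading.
apply_sshd_match() {
    grep -q '^Subsystem[[:space:]]*sftp[[:space:]]*internal-sftp' "$SSHD_CONFIG" \
        || echo "reminder: set 'Subsystem sftp internal-sftp' in $SSHD_CONFIG" >&2
    render_sftp_match >> "$SSHD_CONFIG"
    sshd -t && systemctl reload ssh
}

case "${1:-}" in
    --user) setup_sftp_user "$2" ;;
    --sshd) apply_sshd_match ;;
esac
```

Run it as root with --user bobdole for each account and --sshd once. check_chroot_dir walks up to /, so it also catches a parent such as a group-writable /home. After the reload, sftp bobdole@host should land in the chroot with only www writable, while ssh bobdole@host gets no shell.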