
There are several solutions for reading a password with the PHP CLI on Windows, but they usually do not work on Windows 7.
So this is my solution using PowerShell:

<?php
// please set the path to your powershell, here it is: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
// Read-Host -AsSecureString hides the typed characters; the SecureString is converted back to plain text inside the PowerShell process and printed, which shell_exec() captures.
$pwd=shell_exec('C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command "$Password=Read-Host -AsSecureString \"Please enter your password\" ; $PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)) ; echo $PlainPassword;"');
// PowerShell ends its output with "\r\n": keep the first line and strip the carriage return
$pwd=explode("\n", $pwd); $pwd=rtrim($pwd[0], "\r");
echo "You have entered the following password: $pwd\n";

Disabled Comments

Spammers have created 500 comments. Since this feature has rarely been used, I’ve decided to disable comments from unregistered users.

SFTP upload Tool

Introduction

The Linux sftp client cannot read the file to upload from stdin. This is especially annoying when you want to back up your file system but do not have enough free disk space to store the tar archive before uploading it to the SFTP server.

So we need another client that does this for us:

  1. sftp_stdin_upload (GPL v3 Licensed)
  2. sftp_stdout_download (GPL v3 Licensed)

You can download the archive with libssh2 from here: marcos_sftp.tar.gz

Build instructions

Requirements:

  1. libssh2 >= 1.2.9
  2. libopenssl >= 1.0 or libgcrypt >= 1.4.5
  3. gcc, standard build tools and libraries ;-)

# extract the archive
tar -xzf marcos_sftp.tgz
export PATH_TO_TAR="$(pwd)/marcos_sftp"
 
# you can skip this if you have at least 1.2.9
# we will build libssh2 1.4.2 (consider to download the latest version):
cd $PATH_TO_TAR/lib_self_compiled/libssh2-1.4.2
./configure --enable-static --with-openssl    # ALTERNATIVE: ./configure --enable-static --with-openssl --with-libgcrypt
make
 
cd $PATH_TO_TAR/marcos_sftp
# in case you use another libssh2 library,
# you might need to change the path LIBSSH2_dir in the Makefile
make ALL    # ALTERNATIVE: make Libcrypt

Known Problems

libssh2 1.4 can handle hashed known_hosts entries. To enable this feature you need to comment out line 143 and uncomment line 145 in the file $PATH_TO_TAR/marcos_sftp
(basically you replace LIBSSH2_KNOWNHOST_TYPE_PLAIN with LIBSSH2_KNOWNHOST_TYPE_SHA1 and LIBSSH2_KNOWNHOST_KEYENC_RAW with LIBSSH2_KNOWNHOST_KEYENC_BASE64 in the call to libssh2_knownhost_checkp in the file $PATH_TO_TAR/marcos_sftp).
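The two libssh2 constant pairs correspond to the two forms a host field in an OpenSSH known_hosts file can take: plain (`host,ip`) or hashed (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))|`), where hashing keeps the list of servers you connect to out of a copied known_hosts file while still allowing the host key check. The following is an added example, not code from the tool or from libssh2: it builds and matches both forms in Python. The host names, the salt and the key material are constructed and not real.

```python
import base64
import hashlib
import hmac
import os


def hash_hostname(hostname, salt=None):
    """Hashed host field as written by 'ssh-keygen -H' or HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|  (salt is 20 bytes)."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """True if a known_hosts host field matches hostname. Handles a plain name,
    a comma-separated list (name,ip) and the hashed form; wildcard and negated
    patterns are not handled here."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def find_host_keys(known_hosts_text, hostname):
    """Return [(keytype, base64_key)] for every entry whose host field matches."""
    keys = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue  # blank line, comment, or @cert-authority/@revoked marker
        if host_matches(parts[0], hostname):
            keys.append((parts[1], parts[2]))
    return keys


# Constructed sample file: host names, salt and key material are made up.
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000000000"
FIXED_SALT = bytes(range(20))  # fixed so the sample is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "sftp.example.internal,10.0.0.5 ssh-ed25519 " + FAKE_KEY,
    hash_hostname("backup.example.internal", FIXED_SALT) + " ssh-ed25519 " + FAKE_KEY,
])

if __name__ == "__main__":
    for host in ("sftp.example.internal", "10.0.0.5", "backup.example.internal", "other.example"):
        print(host, "->", find_host_keys(SAMPLE_KNOWN_HOSTS, host))
```

The hashed line in the sample does not contain the string "backup" anywhere, yet `find_host_keys` still resolves it, which is exactly what the TYPE_SHA1/KEYENC_BASE64 switch asks libssh2 to do.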

Usage

There is one binary for uploading and another for downloading:

sftp_stdin_openssl
  - Uploads everything from stdin to a file on the sftp server
      -h sftp hostname
      -l sftp username
      -p path to public key file    (only key authentication is supported)
      -i path to private key file   (only key authentication is supported)
      -k path to known hosts file
      -f path to the remote file on the sftp server

sftp_stdout_openssl
  - Downloads everything from a file on the sftp server to stdout
      -h sftp hostname
      -l sftp username
      -p path to public key file    (only key authentication is supported)
      -i path to private key file   (only key authentication is supported)
      -k path to known hosts file
      -f path to the remote file on the sftp server

Here are some basic commands to get all the information out of an RPM file (the file name is passed as $1):

# show information
rpm -qpi "$1"
# show all included files
rpm -qp --dump "$1"
rpm -qplv "$1"
 
# show all included scripts
rpm -qp --scripts "$1"
 
# show all included triggers
rpm -qp --triggers "$1"
 
# show all included requirements
rpm -qpR "$1"
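The --scripts query is the one to run before installing a package from a repository you do not fully trust, because scriptlets execute as root at install time. As an added example that is not part of the commands above, the following Python reads the RPM lead and header structures directly and pulls out the name and the scriptlets, which shows where rpm takes them from and works on a host without rpm installed. The sample package bytes are constructed inside the script; they are not a real .rpm, and the parser only decodes STRING entries (the type scriptlets use).

```python
import struct

LEAD_FMT = ">4sBBhh66shh16s"        # struct rpmlead: 96 bytes, big-endian
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # three magic bytes plus header version 1
RPM_STRING = 6                      # index entry type: one NUL-terminated string

# Header tags (rpmtag.h) that matter for a pre-install review
TAGS = {1000: "name", 1001: "version", 1002: "release",
        1023: "prein", 1024: "postin", 1025: "preun", 1026: "postun"}


def parse_lead(data):
    """Parse the 96-byte lead at the start of the file."""
    magic, major, minor, kind, _arch, name, _os, sigtype, _ = struct.unpack_from(LEAD_FMT, data, 0)
    if magic != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    return {"version": "%d.%d" % (major, minor),
            "type": "source" if kind == 1 else "binary",
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "signature_type": sigtype}


def parse_header(data, offset):
    """Parse one header structure (signature or main) starting at offset.
    Returns ({tag: value} for STRING entries, offset just past the data store)."""
    if data[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % offset)
    nindex, hsize = struct.unpack_from(">II", data, offset + 8)  # 4 reserved bytes precede
    index_start = offset + 16
    store_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, etype, off, _count = struct.unpack_from(">iiii", data, index_start + 16 * i)
        if etype == RPM_STRING:  # ints, arrays and binary blobs are skipped in this demo
            start = store_start + off
            entries[tag] = data[start:data.index(b"\0", start)].decode("utf-8", "replace")
    return entries, store_start + hsize


def review_package(rpm_bytes):
    """Return lead info plus name/version/release and every scriptlet present."""
    lead = parse_lead(rpm_bytes)
    _signature, pos = parse_header(rpm_bytes, 96)
    pos += (8 - pos % 8) % 8  # the main header starts on an 8-byte boundary
    header, _ = parse_header(rpm_bytes, pos)
    info = {"lead": lead}
    for tag, key in TAGS.items():
        if tag in header:
            info[key] = header[tag]
    return info


# --- constructed sample package (structure only, not a real .rpm) ---
def build_header(entries):
    index = b""
    store = b""
    for tag, value in entries:
        index += struct.pack(">iiii", tag, RPM_STRING, len(store), 1)
        store += value.encode() + b"\0"
    return HEADER_MAGIC + b"\0\0\0\0" + struct.pack(">II", len(entries), len(store)) + index + store


def build_sample_rpm():
    lead = struct.pack(LEAD_FMT, LEAD_MAGIC, 3, 0, 0, 1, b"example-1.0-1", 1, 5, b"\0" * 16)
    signature = build_header([])  # empty signature header is enough for the demo
    pad = b"\0" * ((8 - len(signature) % 8) % 8)
    # The setuid chmod is the kind of line a scriptlet review should catch.
    main = build_header([(1000, "example"), (1001, "1.0"), (1002, "1"),
                         (1024, "#!/bin/sh\n/sbin/ldconfig\nchmod 4755 /usr/bin/example-helper\n")])
    return lead + signature + pad + main


if __name__ == "__main__":
    for key, value in review_package(build_sample_rpm()).items():
        print("%-8s %s" % (key, value))
```

To run it on a real file, replace `build_sample_rpm()` with `open(path, "rb").read()`; the output for the postin tag should match what `rpm -qp --scripts` prints for that package.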

For security reasons, ICMP timestamp requests and timestamp replies should be turned off. These ICMP packets allow any attacker to calculate your server’s local time (and therefore to exploit weak random number generators). Additionally, they allow OS fingerprinting.

So in case your internal security scanner tells you to turn off ICMP timestamps, just execute the following commands:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP

If you offer HTTPS to your customers, you should not allow weak protocols and ciphers. This is a recommended setup:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:-MEDIUM

You can also test whether your server supports weak encryption or not:

# this command should fail
openssl s_client -no_tls1 -no_ssl3 -connect www.your-server.tld:443

In case you want to check what protocols and ciphers your web server supports, I suggest using SSLscan.

According to Wikipedia, clickjacking (click hijacking) is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

To prevent this you can simply add the following to your apache configuration:

Header always append X-Frame-Options SAMEORIGIN

Or in case you want to add it to your PHP application, just use this code:

<?php
header("X-Frame-Options: SAMEORIGIN");
?>

For the full documentation just click here.
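After deploying either snippet it is worth checking that the header actually arrives in a form browsers honour: `Header always append` joins a second value with a comma if the application already sets one, and the obsolete ALLOW-FROM value causes current browsers to ignore the header entirely. The following is an added example, not part of the original post: it classifies response headers the way a deployment check would, and also recognises the newer CSP frame-ancestors directive, which browsers use in preference to X-Frame-Options. The sample header sets are constructed, not captured from a real server.

```python
def frame_protection(headers):
    """Classify the clickjacking protection of a response from its headers.
    headers: {name: value}; names are matched case-insensitively.
    Returns 'csp', 'xfo', 'xfo-conflict', 'xfo-obsolete', 'xfo-invalid' or 'none'."""
    lower = {name.lower(): value for name, value in headers.items()}

    # CSP frame-ancestors is the current mechanism; where present, browsers
    # apply it instead of X-Frame-Options.
    for directive in lower.get("content-security-policy", "").split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "none"
    # "Header always append" joins values with a comma. Identical duplicates are
    # harmless; differing values are a misconfiguration to fix on the server.
    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) > 1:
        return "xfo-conflict"
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if value.startswith("ALLOW-FROM"):
        return "xfo-obsolete"  # current browsers ignore the whole header: no protection
    return "xfo-invalid"


# Constructed sample responses (not captured from a real server)
SAMPLES = {
    "apache directive only": {"X-Frame-Options": "SAMEORIGIN"},
    "apache append + php header()": {"X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"},
    "append onto DENY set by app": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp supersedes": {"X-Frame-Options": "DENY",
                       "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "nothing set": {"Content-Type": "text/html"},
}


def check_all(samples=SAMPLES):
    """Run the classifier over every sample; returns {label: verdict}."""
    return {label: frame_protection(h) for label, h in samples.items()}


if __name__ == "__main__":
    for label, verdict in check_all().items():
        print("%-30s %s" % (label, verdict))
```

Feeding it the headers returned by `curl -sI https://www.your-server.tld/` (parsed into a dict) makes this a quick post-deployment check for both the Apache and the PHP variant.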

Today I was writing a little bash script. As I was only interested in the return code of an executed command, I wanted to suppress all output. Usually I do it like this: cmd 1> /dev/null 2>&1, but today I accidentally wrote it like this: cmd 2>&1 1> /dev/null. And guess what: suddenly error messages began to appear. I was puzzled.

So it’s time for a little stdout/stderr redirection tutorial:

# redirects stdout (1) and stderr (2) to /dev/null
cmd &> /dev/null
 
# redirects stdout (1) and stderr (2) to /dev/null
cmd 1> /dev/null 2> /dev/null
 
# redirects stdout (1) and stderr (2) to /dev/null
cmd 1> /dev/null 2>&1
 
# redirects stderr (2) to stdout (1) and then redirects stdout (1) to /dev/null
# it will NOT redirect stderr (2) to /dev/null
# This is because fd 2 was duplicated from fd 1 while fd 1 still pointed
# to the terminal; the later redirection of fd 1 does not affect fd 2.
cmd 2>&1 1> /dev/null
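The reason the order matters is that `2>&1` is a dup2(1, 2) call: it copies where fd 1 points at that instant, so a later `1> /dev/null` moves only fd 1. The added example below (not from the original post) reproduces the shell's behaviour with os.dup2 in a forked child whose original stdout and stderr are two pipes standing in for the terminal; the small redirection grammar it parses (`N>file`, `N>&M`, `&>file`) is my own subset chosen for the demo.

```python
import os
import re

# Demo grammar: "N>file", "N>&M" and "&>file", applied left to right like a POSIX shell.
_TOKEN = re.compile(r"^(?:(\d)>&(\d)|(\d)>(\S+)|&>(\S+))$")


def parse_redirections(spec):
    """Turn '2>&1 1>/dev/null' into [(2, 1), (1, '/dev/null')]; the second
    element is either a file name or the number of the fd to duplicate."""
    result = []
    for token in spec.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError("unsupported redirection: %r" % token)
        dup_target, dup_source, file_fd, file_name, both_name = m.groups()
        if dup_target is not None:
            result.append((int(dup_target), int(dup_source)))
        elif file_fd is not None:
            result.append((int(file_fd), file_name))
        else:  # &>file is shorthand for >file 2>&1
            result.append((1, both_name))
            result.append((2, 1))
    return result


def run_with_redirections(spec):
    """Fork a child whose fd 1 and fd 2 start out connected to two pipes that
    stand in for the terminal. The child applies the redirections with dup2(),
    exactly as the shell does, then writes one line to each fd. Returns
    (what reached the 'terminal' through fd 1, what reached it through fd 2)."""
    out_r, out_w = os.pipe()
    err_r, err_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.dup2(out_w, 1)
        os.dup2(err_w, 2)
        for target_fd, source in parse_redirections(spec):
            if isinstance(source, int):
                os.dup2(source, target_fd)  # N>&M: fd N now points where fd M points right now
            else:
                fd = os.open(source, os.O_WRONLY | os.O_CREAT, 0o600)
                os.dup2(fd, target_fd)      # N>file
                os.close(fd)
        os.write(1, b"stdout line\n")
        os.write(2, b"stderr line\n")
        os._exit(0)
    os.close(out_w)
    os.close(err_w)
    os.waitpid(pid, 0)
    return _drain(out_r), _drain(err_r)


def _drain(fd):
    """Read a pipe to EOF and close it."""
    chunks = []
    while True:
        data = os.read(fd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(fd)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    for spec in ("", "1>/dev/null 2>&1", "2>&1 1>/dev/null", "&>/dev/null"):
        via_out, via_err = run_with_redirections(spec)
        print("%-20s -> via fd 1: %-15r via fd 2: %r" % (spec or "(none)", via_out, via_err))
```

For the accidental form the result is ("stderr line\n", ""): the error text shows up on the terminal, but through the original stdout, which is why it looked like stderr had escaped the redirection.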

Wake-on-LAN script

Here is a tiny wake-up script that I wrote:

#!/bin/bash
DEST_MAC="12:34:56:78:9A:BC"
DEST_HOST="192.168.10.10"
 
 
echo -n "Waking up $DEST_HOST ..."
ether-wake "$DEST_MAC"
if [ "$?" -ne 0 ]; then
        echo " failed!"
        exit 1
fi
 
reachable=0;
while [ $reachable -eq 0 ]; do
        ping -q -c 1 "$DEST_HOST" 1> /dev/null 2>&1
        if [ "$?" -eq 0 ]; then
                reachable=1
        else
                echo -n "."
                sleep 1
        fi
done
echo " OK"
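For comparison, here is the same wake-up-and-wait logic as an added Python example (not the author's script). It shows what the magic packet ether-wake sends actually contains: six 0xFF bytes followed by the target MAC repeated sixteen times, 102 bytes in total. ether-wake sends it as a raw Ethernet frame; this example sends the same payload as a UDP broadcast, which most NICs also accept and which needs no root. Because an ICMP echo from Python would need a raw socket, it waits for a TCP port instead. The MAC and host are the placeholder values from the script above; port 22 is my assumption.

```python
import socket
import time


def magic_packet(mac):
    """Build a Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the
    target MAC address repeated 16 times (102 bytes in total)."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC address must have 6 octets: %r" % mac)
    try:
        hw = bytes.fromhex(digits)
    except ValueError:
        raise ValueError("MAC address contains non-hex characters: %r" % mac)
    return b"\xff" * 6 + hw * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet over UDP (port 9, discard, is the customary choice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))


def wait_for_host(host, port=22, timeout=120, interval=1.0):
    """Poll until a TCP connect to host:port succeeds. Returns the seconds
    waited, or None if the host did not come up within timeout."""
    started = time.monotonic()
    deadline = started + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return time.monotonic() - started
        except OSError:
            time.sleep(interval)
    return None


if __name__ == "__main__":
    DEST_MAC = "12:34:56:78:9A:BC"  # placeholder values taken from the script above
    DEST_HOST = "192.168.10.10"
    print("Waking up %s ..." % DEST_HOST, end="", flush=True)
    send_magic_packet(DEST_MAC)
    waited = wait_for_host(DEST_HOST)
    print(" OK after %.0fs" % waited if waited is not None else " failed!")
```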

To dump the content of a Postfix .db file, just type:

# you have to omit the file's .db extension:
postmap -s virtual_aliases