Author Archives: evan

Hacked By GeNErAL

~!Trolled By GeNErAL!~

Hacked By GeNErAL

 

Greetz : RxR – Kuroi’SH .. @nd all friends.

\!/Just For Fun\!/

#You Have Been Trolled !

Bots, passwords, short strings, and simple characters

About a month ago I got curious about bots that target WordPress sites. I use the Limit Login Attempts plugin and every time I got an alert that an IP had been limited it was always for the username ‘admin’. I had never thought much about it, but it makes sense as an attack vector given how many people probably do use that name. What I wondered was what sorts of attacks they were trying. In particular, the passwords they used seemed most interesting.

So I started writing a new plugin, Admin Login Notifier, which you can also fork it on Github if you’re into that kind of thing. Admin Login Notifier does pretty much what it sounds like — it grabs the password when someone tries to login as ‘admin’ and notifies you. Originally it sent an email for each attempt, now it saves them in a dashboard page and sends a daily email digest.

It’s been running on my site for a couple weeks and, as of this morning, has caught over 1,000 attempts. I decided it would be interesting to look at the list and see what these bots are up to. Until recently, the passwords were all in emails (and not saved elsewhere) so aggregating them was a bit of a pain. Because of some different formats I used in the emails, I ended up only exporting 920 of them, which you can see here.

I was especially curious about the strength of passwords used by bots, which I decided to break down into four really basic metrics:

  • Length — Just the number of characters in a password
  • Uniqueness — The number of unique characters in a password
  • Complexity — The number of character types in a password, like uppercase letters, or symbols
  • Repetition — How often bots tried the same passwords as other bots (or as themselves)

Here is the script I used.

And here are the results. You can do this yourself by saving the password list as sample.txt in the same directory as this script.

Average length: 6.2 characters
Average unique characters: 4.8 characters
Average character types: 1.2 types
Repetition: 17% of password attempts were repeats of other attempts

Hopefully you can learn a few things of this. First, you should learn not to use the username ‘admin’. Beyond there, here are a couple of conclusions. None of these are particularly noteworthy, and each ought to sound familiar if you’ve read any other password advice on the web.

  • Use long passwords. Bots try pretty short passwords, so you should use long passwords. There are mathematical reasons for doing this, too. But we’re sticking to empirical data for this post.
  • Use lots of characters. Although the average pasword attempt was just over 6 characters, they contained 25% fewer unique characters. Bots try a lot of repeated characters, likely because people repeat characters to make their passwords easier to remember. Don’t do that.
  • Use multiple character types. 80% of all attempts used only one character type.
  • Don’t use passwords found on things like “Most commonly used passwords” lists. 1 in 6 passwords that bots attempt are repeats. Don’t make their jobs easier.

Admin Login Notifier isn’t terribly useful, but it is kind of fun and I’m glad it helped me get a look at this data.

There should be a complete absence of the annoyance and irritation caused by the necessity of searching for lost balls.

Allister MacKenzie, The Spirit of St. Andrews

I’ve been playing lots of golf lately and it’s reinforced my long-held opinion that the design of most golf courses is just awful. That got me to thinking: what would go into my ideal golf course?

Easy first hole

The first tee is no time to ask a player to hit a great tee shot. No one is really warmed up at that point and the point of golf is to be fun — the way to make a round fun is not to require a 270 bomb with the first swing. That hole has its place, but it’s later in the round once you’re in a rhythm. Making a hole difficult because it’s first is like making it difficult by shouting during someone’s backswing; it’s certain to add strokes, but mostly unrelated to skill or quality of execution.

The first hole should be playable with a fairway wood or long iron from the tee and it shouldn’t have any water hazards. It should also be a par 4. Par 3’s will slow down play too much at the beginning of the round and should also require more accurate distance control than can be expected on the first hole. Par 5’s easy enough to qualify for a good first hole are just a waste of a potentially fun birdie hole later in the round.

No fescue (or other pseudo-hazards)

Three foot tall fescue looks great in the photo gallery on a golf course’s website, but is absolutely useless almost every time it’s planted on a golf course. Fescue is the worst kind of pseudo-hazard because you’re very likely to lose your ball in it and the rules of golf afford you only one solution: re-hit. Fescue tends to come into play in two places: not-so-great shots and really awful shots. Both are bad uses.

The “not-so-great shot” fescue is usually 5-10 yards off the fairway, after a relatively narrow line of normal rough. In this case you’ve hit a bad drive, but not one that would give you any trouble in approaching the green or at least laying up on most other holes. But the architect decided to drop some knee-high grass here, so now you’re searching for a lost ball after being 10 yards from a perfect approach. The “really awful shot” fescue is usually on parts of the coure that don’t even seem like they should be in play, those spots where it’s just filling the gap between the border of the property and the designed hole. In this case you’re usually in pretty bad shape and don’t have any shot to the green, so I’m not sure what the point is of punishing you with fescue here.

The result is that fescue usually feels like random punishment — maybe you’ll find it, maybe you won’t. That’s bad, lazy design.

Creative punishments

My first two points shouldn’t imply that I want to put bumpers on any hazardous part of a golf course. I am all for punishing bad shots, but yet-another-hazard is not the only way to do it. Instead of filling courses with ponds and fairway bunkers (and fescue) to combat any wayward shot, architects should use more interesting tactics. One of my favorites is slopes and blocked views. Give me a side hill lie to a hidden green when I hit a bad shot. It makes the course just as difficult if you’d plopped down another fairway bunker, but much more interesting.

Fewer tee boxes

When I started playing golf every course I knew of had the same three options for tees: blue, white, and red. Then came gold tees. Now choosing a tee box to play from can feel like shopping for laundry detergent. Fix or six tee boxes on a course is no longer uncommon, and it results in far too much artificial development. Building that many tee boxes means often half a hole is unnaturally-manufactured, and the rest of the hole is dulled down to accomodate shots from every conceivable distance. Three tee boxes means minimal disruption of the hole, and if a couple people play from tees that are slightly longer or shorter than they’re used to the game will be that much more interesting.

Mark every sprinkler head

There are few things more frustrating than walking in circles trying to find a marker when your ball is right in the middle of the fairway. Doubly so when you come across many unmarked sprinklers on the way. It baffles me when this happens because markings on the course are so useful and so easy to produce that the only thing that makes sense is marking everything out there.

This extends to sprinklers that are over 200 yards, by the way. I once saw a sprinkler marked “Don’t even think about it”. While this was cute and did make me laugh, it was still annoying because even distances I can’t reach are useful to measure. No one’s going for the green from 300 yards away, but knowing that it’s 300 and not 350 means I will hit a different club to layup. Measuring the distance costs almost nothing, so just do it and make it easy to find for the people playing your course.

“Good” places to miss

A sufficiently-hard golf hole should often give you very difficult shots. That’s great as long as you give me an option to hit an easier shot in exchange for lost (portions of) strokes. Your green tucked behind a row of bunkers is just lazy if you don’t give me a bailout area to aim for when I can’t make the approach, maybe because I’m in the rough vente de viagra sans ordonnance.

Usually when this is done it’s right in front of the green, where the fairway extends right up to the fringe. That’s boring and often pointless, as architects try to squeeze that area as much as possible between the green-side hazards. A great bailout area can still require a carry over hazards, but give me a more forgiving place to land to the side of the green. A very underused design feature is bailout areas behind greens, which I wish I saw more of. These make the player commit to going long and not missing short to be safe. Whatever you decide, just give the player more than one way to play the hole.

Obvious targets

Every time I stand on a tee and wonder where I’m supposed to hit it, a golf course architect has failed miserably. There are so many ways to give players a visual clue about where to play, that not doing it is unforgivable. The boring way to do it is the classic barber pole in the fairway on your target line. More creative architects use natural features of the land — a large tree in the distance, a boulder, a bunker you have to carry, etc. On any tee shot you should be able to tell me in a few words what to aim at so that I don’t have to wonder. I can’t count the number of times I’ve stood on a tee, unsure, hit it exactly where I was aiming and though, “I hope that’s good”. If you can’t give me an indication of where to hit it, you’re not allowed to make tee shots with obstructed views.

We’re making it less random to make it feel more random.

<a href="http://www pilule viagra achat.dailymail.co.uk/home/moslive/article-1334712/Humans-concept-randomness-hard-understand.html”>Steve Jobs, on the iPod “shuffle” feature

iPod customers complained that the shuffle feature wasn’t random. Noticing repeats in artists, albums, or genres, users concluded that the shuffle wasn’t properly shuffling. In response, Apple made the shuffle non-random by preventing repeats of similar songs in close proximity.

Faster WordPress: Multisite, nginx, and Batcache

A couple weeks ago I decided to move this site to a new server. With the help of Pete Mall and Mark Jaquith I settled on the following setup:

  • Linode 512 MB
  • Debian 6 32-bit
  • PHP-FPM
  • APC (for opcode and object cache)
  • nginx
  • WordPress Multisite
  • Batcache

I documented my setup and after testing it with another friend (it worked!) and mentioning it to a couple others, decided to post it here. I’m going to assume you’re familiar with the basics of administering a VPS, especially SSH.

Linode

I did this on Linode, but it will probably work fine on pretty much any VPS (or dedicated server). It won’t work on a shared host because it depends on installing specific software that requires root access. My server needs are not very extravagant so I chose Linode’s cheapest plan, a 512 MB VPS. You’ll need to choose a location for your server, and since I have no idea what the practical differences are, I went with Dallas based on a recommendation. For the purposes of this tutorial, it doesn’t matter which one you choose.

Go through the Linode setup, choose the Debian 6 32-bit distribution, get your ssh information, and login to your new server. If you use a larger VPS you might want the 64-bit distribution, but on a 512 MB server that’s going to cause problems.

Linux

Linode has a very good tutorial on the first few things you’ll want to setup with your new Linux install. Once you’re logged in you can skip to the security section in Linode’s “Getting Started” tutorial. That will walk you through:

  • Updating your package installer
  • Setting your server’s hostname
  • Setting the timezone

Your settings here can be unique to you. In my case I like to name computing devices after Yankees players (see my external hard drive named Mattingly) so I called my Linode server dimaggio. I like to use my local time, which is America/Los_Angeles in the Linux world. Some people like to use UTC, which we do at Automattic. Pick your poison.

Before you go any further, you should install sudo because you’ll need it soon and your server won’t have it by default. You can do it with this one liner:

apt-get install sudo

Now that you have the basics setup, it’s time to move onto the real stuff — users, permissions, firewalls, and software. Slicehost has two great tutorials on this: Debian part 1, and Debian part 2. We’ll go through these now.

You don’t want to be logged in as root any longer than you absolutely have to. The first thing Slicehost will walk you through doing is creating a new user account. They use the username demo but you’ll probably want to use your first name. In my case I skipped the additional group management steps; I don’t plan on managing a large number of users and it’s easier to have fewer moving parts. If you don’t assign your user to a group, it will be automatically put in a group with its own name — my user is in a group called evan. Slicehost will walk you through the details, but I’ll add one suggestion: do not log out of your root SSH session until you’ve successfully logged into your user account and confirmed that your sudo access works. Otherwise you’ll need to reset your whole server and start from the beginning. Once you’re setup, move onto part 2.

Part 2 mainly covers Bash and the Aptitude package installer. I am pretty particular about my bash prompt. You can grab the key parts of mine here. This does a few things:

  • Shorten long directory names by replacing the middle with an ellipse
  • Add the git branch name to the prompt (if you’re in a git repo)
  • Use up and down arrows to search your bash history using whatever you’ve already entered as a search prefix
  • Make tab cycle through available commands instead of listing them
  • Add tab-completion for git commands

The git pieces rely on this git auto-complete script.

Once you’ve got your .bashrc setup and your package repositories updated, it’s time to move onto the the next step: PHP-FPM.

The stack: PHP-FPM

Debian’s default package repository has an outdated version of PHP-FPM, so first we’re going to add a new repository to our list. Aptitude’s repository list is kept in /etc/apt/sources.list and we want to add a new line with this repo: deb http://packages.dotdeb.org stable all. You’ll need to use sudo to edit this file and save it. When you’re finished, it should look something like this. Now go back to your home directory and setup your new repository.

cd ~
wget http://www.dotdeb.org/dotdeb.gpg
cat dotdeb.gpg | sudo apt-key add -
rm dotdeb.gpg
sudo apt-get update
sudo apt-get upgrade

Now we can install PHP and its siblings:

sudo apt-get install php5 php5-fpm php-pear php5-common php5-mcrypt php5-mysql php5-cli php5-gd php5-apc

We’ll be using PHP-FPM to handle all of the PHP requests that come in through nginx. To do that, we’ll need to update the PHP-FPM config at /etc/php5/fpm/pool.d/www.conf. We will set PHP-FPM to decide how many processes it will run and how it will listen for requests from nginx. My config file is here. It will set PHP-FPM to spawn a reasonable number of children and servers for 512 MB VPS and configure it to listen over a Unix socket instead of a TCP port. These settings may not be perfect for you, but they should get you started.

Restart PHP to make sure your new settings are in effect.

sudo /etc/init.d/php5-fpm restart

The stack: nginx

We’re going to use nginx as our web server, so first we’ll install it.

sudo apt-get install nginx

Now we’ll setup our nginx config at /etc/nginx/nginx.conf to tell nginx how to serve our data. This file is pretty straightforward, but it does assume you’re using the 512 Linode server (or another one like it). You can grab mine here.

Once you have your config in place, restart nginx to use the new settings.

sudo /etc/init.d/nginx restart

The stack: MySQL

The last part of your stack is MySQL, which we will install now:

sudo apt-get install mysql-server php5-mysql

Once you complete the MySQL installer you can head over to Linode’s low memory settings tutorial to configure some settings for MySQL geared toward low memory servers (which a 512 MB VPS is). I followed their guidelines in my config, so I won’t copy it here. The last two items won’t be in your default my.cnf file, so you can add them at the bottom.

Email

One last thing you’ll want to install here, even though it’s not a part of the traditional L(A|E)MP stack, is an email server. Again, Linode has a great send-only mail server tutorial. If you want to configure a mail server to actually receive email, that’s outside the scope of this post. In my case my server’s only interaction with mail is to send it — for example, when you need to reset your WordPress password.

WordPress

There are lots of ways to get WordPress installed. In my case, I had a few requirements that guided my choices:

  • I’m using WordPress multisite
  • I’m using the multisite domain mapping plugin
  • WordPress will manage my whole site
  • My site will be version controlled with git

After experimenting with lots of different options, I decided on this setup:

  • My public directory will just be a copy of my git repository
  • WordPress will be installed in my git repository as an svn export
  • Local development will use Mark Jaquith’s local config setup

At this point, you’ll want to install git on your server so that you can pull in your repository. Again, a one-liner will do it for you:

sudo apt-get install git-core

I setup my git repository and exported WordPress trunk, then setup my local-config.php per Mark’s instructions. Next I setup my .gitignore file to make sure I didn’t accidentally commit any of the local-specific data.

.DS_Store
/local-config.php
/.htaccess
/wp-content/uploads/
/wp-content/blogs.dir/
/wp-content/plugins/hello.php

I won’t walk through the WordPress multisite installation. If you need help with that, there’s a great Codex article that covers it. The only part specific to this tutorial is that you won’t want to use the .htaccess file (notice how I .gitignore‘d it?) because we aren’t using Apache. Instead, you’ll use a nginx config file to handle this. In my case, I put a file called .nginx-config into the root of my git repo and symlink it to nginx’s sites-enabled directory. You can grab my config file here — obviously you’ll want to replace domain.com with your actual domain. I have a couple other rewrite rules specific to my site, but this should cover the basics.

Again, that config goes into your git repo, which means nginx has no idea it exists yet. Once you’ve pulled your git repo onto your server, you can symlink it to the place nginx will look (/etc/nginx/sites-enabled). In my case my web sites are being served from /srv/www/domain.com/public, so that’s where my git repo will be pulled. This directory won’t exist by default, so you’ll need to create it as well as /srv/www/domain.com/log, which is where nginx will store your access and error logs. You can put your website content in another directory if you want, but you’ll need to change the nginx config file to make it work. Now you can symlink your config by running:

sudo ln -s /srv/www/domain.com/public/.nginx-conf /etc/nginx/sites-enabled/domain.com

This will take care of copying your rules to nginx, and it will also block nginx from serving that file publicly because it starts with a dot.

Restart nginx to make sure it uses your new virtual host.

sudo /etc/init.d/nginx restart

Batcache

Last, you’ll want to setup caching for WordPress. I’m using Batcache, which uses the WordPress object cache for all of its page caching. We use it on WordPress.com and it’s super-configurable, but I’m using it with the out-of-the-box settings for now. Batcache requires a persistent object cache backend, which Mark Jaquith’s APC plugin is perfect for on a one-server setup. If you’re running multiple servers you should use Ryan’s Memcached plugin (and you should also have stopped reading this a while ago). We already installed php5-apc (along with the rest of PHP) so there’s no server config needed here.

The Batcache installation is pretty straightforward. You will put Batcache’s batcache.php into /wp-content/mu-plugins (which you’ll probably need to create). Then you’ll put Batcache’s advanced-cache.php into /wp-content. Finally, you’ll put APC’s object-cache.php into /wp-content (the same place as advanced-cache.php). You’re almost there, you just need one line in your wp-config.php to tell WordPress to use the cache:

define( 'WP_CACHE', true );

Finale

That’s it. You should be good to go with a very fast and easy (relatively speaking) WordPress setup. There is some other house keeping you might want to do, like hardening WordPress, but I’ll skip that for now because there is plenty of good information about it on the Codex. You’ll also need to setup your DNS, both within Linode and in your domain registrar. This is no different than any other setup so I’ll skip that as well. Finally, you may want to configure other server-specific settings, like rotating logs. You should check out <a href="http://library.linode recherche viagra.com/”>Linode’s tutorials on those.

For a bit of fun, you can run Apache’s benchmark test to see how many requests your server can (in theory) serve per second. First you’ll want to install Apache’s dev tools. Once you do that, from your server, we can throw a bunch of traffic at WordPress:

sudo apt-get install apache2-dev
ab -n 10000 -c 1000 -H 'Host: domain.com' http://127.0.0.1/

The output will include a “Requests per second” line, and in my experience you should be able to hit the mid-6000’s.

Edit: I really do want to clarify this is mostly for fun, and not a useful metric of how much traffic you’ll be able to handle. The one place this is actually useful is comparing your new server to an old server, purely on a relative basis. For example, my old site running Apache with mod_php came in around 200-300 requests per second. So I can get a sense of how much faster the new server is, but it does not mean I’ll be able to serve 500m page views per day from one VPS.

Again, I owe many thanks to Pete Mall and Mark Jaquith for helping me figure this out.

~!Hacked By GeNErAL alias Mathis!~

Hacked By GeNErAL

 

Greetz : Kuroi’SH, RxR, K3L0T3X

\!/Just for Fun ~Hacked By GeNErAL\!/

Hacked By GeNErAL! !