Featured Articles

Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Introducing BusKill: A Kill Cord for your Laptop
WordPress Multisite on the Darknet (Mercator .onion alias)
Hardening Guide for phpList
previous arrow
next arrow

Hardening Guide for phpList

phpList Hardening Guide Featured Image

This post will outline recommended steps to harden phpList after install to make it reasonably secure.

phpList is the most popular open-source software for managing mailing lists. Like wordpress, they have a phplist.com for paid hosting services and phplist.org for free self-hosting.

Earlier this week, it was announced that phpList had a critical security vulnerability permitting an attacker to bypass authentication and login as an administrator using an incorrect & carefully-crafted password in some cases. This bug is a result of the fact that [a] PHP is a loosely typed language and [b] the phpList team was using the '==' operator to test for equality of the user's hashed password against the DB. This security pitfall has been known in PHP since at least 2010 (a decade ago!), but I'm sure the same mistake will be made again..

Indeed, security is porous. There's no such thing as 100% vulnerability-free code, and phpList is no exception. But if we're careful in adding layers of security to our infrastructure, then we might be able to protect ourselves from certain 0-days.

That said, here's my recommended steps to making your phpList install reasonably secure.

Michael Altfield

Hi, I’m Michael Altfield. I write articles
. . . → Read More: Hardening Guide for phpList

HPKP Best Practices for Let's Encrypt

This post describes how to generate a few backup public key hashes to add to your HTTP Public Key Pinning (HPKP) config that might save you from bricking your domain if Let's Encrypt ever gets untrusted like StartCom did.

If you have a healthy distrust of the X.509 PKI trust model, then you've probably heard of HPKP (and probably also HSTS & CAA). Website certificate pinning was a trend first started by google, who hard-coded a pin of their certificates in their Chrome browser. Eventually, google helped build a more standardized pinning method under RFC 7469. And today, it's supported by Chrome, Firefox, and Opera.

Pinning is a great TOFU improvement to https, but--if misconfigured--you could "brick" your domain--making it so that your client's browsers will refuse to let them access your site for months or years (interestingly, this has also caused some security experts to think of how HPKP could be abused in ransom-ware). Therefore, it's a good idea to follow a few HPKP Best Practices.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: HPKP Best Practices for Let's Encrypt

Package Manager Search Commands

In a given week, I touch maybe a half dozen different Operating Systems/Distributions. Some are similar to others (centos, rhel), some--not so much (solaris). The common commands are easy enough to remember ( @ls@ vs @dir@ ), but I always forget how to search through each OS's package manager for a software package. For my reference (and perhaps yours?) here's a list for each of the OSs' package managers I use frequently:

yum - RHEL/CentOS

yum list

apt - Debian/Ubuntu

apt-cache search

pacman - Arch

pacman --sync --search pacman -Ss

portage - Gentoo

emerge --search # pkg names only emerge --searchdesc # pkg names & descriptions emerge -S # alias of --searchdesc  

See Also: "Install 'build-essential' on RHEL/CentOS and OpenSolaris":/wp/?p=231

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

xen hung at "Checking for hardware changes"

So, xen is really beginning to piss me off. I turned off all my machines to do a snapshot, and when I tried to bring them back up, they were all in the 'blocked' state. Upon further investigation (using virt-manager/xm console), I found that they were hung at the "Checking for hardware changes" item in their boot process. This could be a CentOS/RHEL 5 issue, but I'm putting my money on xen.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: xen hung at "Checking for hardware changes"

Enabling SELinux strict on RHEL5

I've been playing around with SELinux at work recently. Not surprisingly, I was struggling to get SELINUXTYPE=strict to work properly. Unfortunately, all "google results for 'enabling selinux strict' would return were dead ends. People would enable selinux strict, kernel panic, and 'fix' it by disabling selinux.

Well, a co-worker of mine *was* able to successfully enable selinux's strict policy on RHEL5 (CentOS 5). He gave me this guide to post to the world for others to see how (thanks Mykola):

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Enabling SELinux strict on RHEL5

Install "build-essential" on RHEL/CentOS and OpenSolaris

Debian

If you want to be able to compile packages in debain/ubunutu, you can issue the following command:

apt-get install build-essential

 

Red Hat

If you want to be able to compile packages in red hat/centos, you can issue the following command:

yum install make gcc gcc-c++ kernel-devel

...or, if you don't care about maintaining a small footprint, you can get *all* of the development packages (including X devs--eww):

yum groupinstall "Development Tools"

 

Open Solaris

If you want to be able to compile packages in open solaris, you can issue the following command:

pkg install SUNWgcc Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Clone Xen RHEL5 (CentOS 5.2) VM

Hello world! I just updated my whole server environment and, my, things are looking good. Anyway, I had to run through these steps a half dozen times, so I thought I would post it here for myself and (maybe even) others.

Here's the commands I ran to turn a clone of my base RHEL5 (CentOS 5.2) Xen image into another working virtual machine on my RHEL5 (CentoOS 5.2) Xen Host:

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/