Encryption everywhere!

Wow, it has been some time since I made any posts. I was recently having some issues with the site, and it got me on a security kick as of late. On the server that I host this site out of, I run a script that parses through the access logs on my Debian box and looks for invalid login attempts, which appear to be dictionary attacks, checking for default logins and common passwords based on the login names they are trying to use. There are tools out there that already do this for you, but I wanted a project a couple of years back and ran with it. So it just finds attempted connections, and if someone tries enough times and fails, it will add their IP to a blacklist and prevent the connection from happening via iptables, in conjunction with an ipset. I do need to update it to look for v6 IPs too…
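The approach described above, sketched as an added example (not the author's script): count failed logins per source address, then emit `ipset` commands for both IPv4 and IPv6. The OpenSSH-style log format, the set names `blacklist4`/`blacklist6`, the threshold and the allowlisted address are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH auth-log style (assumed format; the
# page does not show its logs). Addresses are from documentation ranges.
SAMPLE_LOG = """\
Dec 28 10:01:02 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Dec 28 10:01:05 host sshd[811]: Failed password for root from 203.0.113.7 port 4243 ssh2
Dec 28 10:01:09 host sshd[812]: Failed password for invalid user x from 192.0.2.1 port 1 from 203.0.113.7 port 4244 ssh2
Dec 28 10:02:00 host sshd[813]: Failed password for root from 2001:db8::bad port 5000 ssh2
Dec 28 10:02:03 host sshd[813]: Failed password for invalid user test from 2001:db8::bad port 5001 ssh2
Dec 28 10:02:07 host sshd[814]: Failed password for oracle from 2001:db8::bad port 5002 ssh2
Dec 28 10:03:00 host sshd[815]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Dec 28 10:03:30 host sshd[816]: Accepted password for bob from 198.51.100.9 port 6001 ssh2
"""

# The username is supplied by the remote client, so it may itself contain
# " from <ip> port <n>". The greedy ".*" plus the "$" anchor make the regex
# take the last such group on the line, which is the one sshd wrote.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")
ALLOWLIST = {ipaddress.ip_address("198.51.100.9")}  # hypothetical admin address

def offenders(log_text, threshold=3):
    """Return addresses with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))  # accepts v4 and v6
        except ValueError:
            continue  # not a valid address; never pass it on to ipset
        if ip not in ALLOWLIST:
            counts[ip] += 1
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=str)

def ipset_commands(ips):
    """One hash:ip set per family, since a set holds a single address family."""
    return [f"ipset add -exist blacklist{ip.version} {ip}" for ip in ips]

# Assumed one-time setup, run separately as root:
#   ipset create blacklist4 hash:ip family inet
#   ipset create blacklist6 hash:ip family inet6
#   iptables  -I INPUT -m set --match-set blacklist4 src -j DROP
#   ip6tables -I INPUT -m set --match-set blacklist6 src -j DROP
if __name__ == "__main__":
    print("\n".join(ipset_commands(offenders(SAMPLE_LOG))))
```

The function only builds command strings, so the output can be reviewed before anything is applied to the firewall.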

Anyway, as I was saying before that rant, my site kept going down. The server was just fine, and Apache appeared to be running but was running out of available connections. My mpm_prefork settings are already pretty liberal, being on a 2x4-core (plus hyper-threading) box with 32GB of memory, so I was confident that simply raising the amount of available connections would only stall the problem and not prevent it. So I set up the Apache server-status page and took a look. After a couple of hours I started to notice several connections from one source that were not closing. As it turns out, you can do something with the RSS feed on a WordPress site that holds open the connection, which over time would fill up all of the threads and prevent the site from being accessed until they were cleared out. I can check for these in the logs, so I might modify my script to block people who are opening several of these as well, but luckily this time it was only from a single source, who has now been blocked!

So after this I was already looking into ways to make this site a bit more awesome, and if you are a regular visitor (hah, I think like 3 people read these) you’ll notice that the site now defaults to HTTPS! I had recalled reading about a site, Let's Encrypt, that was trying to make it easier to put SSL/TLS on sites, and they sure did. If you run a Debian/Apache box you can download their git repo, run one command, and it will generate 90-day certs for you and set Apache to be HTTPS only. Pretty awesome IMO.

Anyway, hope everyone is having a nice holiday week!  Until next time!
