
New Server Checklist for Digital Ocean (6CPU, 16gb, SSD, New York)


JMeter Testing the Server

JMeter for stress testing the connections (requires the Java JDK, available at https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html).

SlowLoris and Slow Body Attacks

slowhttptest @ https://github.com/shekyan/slowhttptest; install using "pip install slowhttptest".

slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://www.siteurl.com -x 24 -p 3

Wapiti for App Owasp Testing

*Requires Python 3 for app testing.

Download the distribution and unzip it, cd into the directory, then run ./wapiti -u https://www.siteurl.com/ -v 1 -d 2….

Counting/Viewing Connections

All Connections
netstat -nalt | grep :443

Open Connections
netstat -nalt | grep :80 | grep ESTA

Count Open Connections
netstat -nalt | grep :80 | grep ESTA -c

Find Number of Processors

grep processor /proc/cpuinfo | wc -l

Find the number of open files allowed by ulimit: ulimit -a

max_clients = worker_processes * worker_connections (* means multiply), and worker_processes = number of processors.

Actually, with a reverse proxy: max_clients = (worker_processes * worker_connections) / (X * 2), where X is however many concurrent connections these clients make to you.

*A single process can open as many connections as the ulimits allow. num_workers * max_connections is the formula, but outside a load balancer/proxy the max connections and ulimits need to be taken into account for reasonable values. Setting max_connections to a really high value may backfire, as ulimits will be the limiting factor.
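The following is an added example, not part of the original checklist: it applies the two formulas above to the values the post uses (worker_processes 6, worker_connections 100000), pulls those directives out of a constructed nginx.conf fragment, and flags when ulimit -n rather than nginx is the real ceiling.

```shell
#!/bin/sh
# Added example (not from the original post): nginx capacity estimate.

# Behind a reverse proxy: (worker_processes * worker_connections) / (X * 2),
# X being the concurrent connections each client opens. X=0 means no proxy
# and falls back to the plain worker_processes * worker_connections.
nginx_max_clients() {
    workers=$1; conns=$2; x=$3
    if [ "$x" -gt 0 ]; then
        echo $(( (workers * conns) / (x * 2) ))
    else
        echo $(( workers * conns ))
    fi
}

# A worker can never hold more sockets than its open-file limit, so a
# worker_connections value above ulimit -n is silently capped.
# Prints "ok" or "capped:<limit>".
check_worker_fd_limit() {
    conns=$1; fd_limit=$2
    case $fd_limit in unlimited) echo "ok"; return ;; esac
    if [ "$conns" -gt "$fd_limit" ]; then echo "capped:$fd_limit"; else echo "ok"; fi
}

# Print the numeric value of a directive (first match only) from an nginx.conf.
# Non-numeric values such as "worker_processes auto;" print nothing.
nginx_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([0-9][0-9]*\);.*/\1/p" "$2" | head -n 1
}

# Demo on a constructed nginx.conf fragment (not a real server's file).
demo() {
    cfg=$(mktemp)
    printf 'worker_processes 6;\nevents {\n    worker_connections 100000;\n}\n' > "$cfg"
    wp=$(nginx_directive worker_processes "$cfg")
    wconn=$(nginx_directive worker_connections "$cfg")
    rm -f "$cfg"
    echo "static: $(nginx_max_clients "$wp" "$wconn" 0) clients"
    echo "proxied (X=1): $(nginx_max_clients "$wp" "$wconn" 1) clients"
    echo "worker_connections vs ulimit -n: $(check_worker_fd_limit "$wconn" "$(ulimit -n)")"
}
demo
```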

Resources

Slowloris DoS Attack and Mitigation on NGINX Web Server


https://fralef.me/nginx-hardening-some-good-security-practices.html

Fine tuning Nginx

Adjust worker_connections 100000; and worker_processes 6; See the resource links for more information.

In /etc/nginx/nginx.conf


http {
...
        # Optimize and prevent slow body/header slowloris attacks.
        # limit the number of connections per single IP. 10m is a queue of 10000
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
        # limit the number of requests for a given session. 10m is a queue of 10000
        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=25r/s;
        client_body_buffer_size 10K;
        client_header_buffer_size 1K;
        client_max_body_size 22m;
        large_client_header_buffers 2 1k;
        client_header_timeout 12s;
        client_body_timeout 12s;
        send_timeout 10s;
...
}

Then in sites-available/siteurl.conf Virtual Hosts config


server {
...
        server_name siteurl.com www.siteurl.com;

        root /var/www/default/htdocs;
        index index.php index.html;

        # conn_limit_per_ip is set in nginx.conf
        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=40 nodelay;
...
}

Connecting to MySQL Remotely Using AutoSSH and SSH Tunneling


This is the second part of an evaluation into connecting to MySQL remotely and securely. There are some helpful links in my first post referencing speed over SSL versus ssh tunneling. TL;DR: tunneling is far more efficient than MySQL over SSL. Part 1: Examples of Remote MySQL SSL Connections Using PHP: MySQLi and PDO

The intent of this post is to jog my memory, share my process, and offer some helpful code snippets and resources.

THE QUOTATION MARKS IN THIS DOCUMENT WILL BREAK THESE COMMANDS ON THE COMMAND LINE

This post assumes you have an understanding of ssh-keygen and setting up passwordless SSH access to your MySQL remote server. See here for a good post on getting this setup: Digital Ocean

This post also assumes you have autossh setup on the server that will have remote client access to the MySQL server. Here is a good post on how to install autossh: http://ask.xmodulo.com/install-autossh-linux.html

I would also recommend creating a script to run the command at boot time. This would prevent a loss of connection in the event of a server reboot.

MY USE CASE

I am using this as a means to query my database from another server. This database connection is not used for production, and I would recommend against using it in this way. The connection tunnel cannot accommodate the typical production needs of a database connection. Proximity between the servers has a large effect on the latency when querying too.

THE IMPLEMENTATION

Here is a layout for those who like to visualize the setup.

Remote MySQL Connection Using autossh and tunneling.

FIRST – SSH TUNNEL SETUP


# Setup the ssh tunnel w/o autossh
ssh -N <server name from ~/.ssh/config > -L 6666:localhost:3306


# Example using the connection (on Mac using MySQL shell client)
mysqlsh -u<user> -p "<password>" -P 6666 -h127.0.0.1 --sql --nw

SECOND – AUTOSSH TUNNEL SETUP


# DEBUGGING - YOU SHOULD SEE autossh sending a request every ServerAliveInterval seconds.
AUTOSSH_DEBUG=1 autossh -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -L 6666:localhost:3306 -vvv


# For testing without debugging information
autossh -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -L 6666:localhost:3306


# Once the connection is validated add the -f flag to have it run in the background.
autossh -f -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -L 6666:localhost:3306


# Enable compression using the -C flag.
autossh -f -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -C -L 6666:localhost:3306


# Limit to ipv4 or ipv6 using -4 or -6 respectively.
autossh -f -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -4 -L 6666:localhost:3306

# Killing the autossh process
ps aux | grep ssh

ps aux | grep autossh

Kill the ssh process that autossh created. Autossh will recognize that you have killed the process and end its process too.


# Testing on server
autossh -M 0 -N <server name from ~/.ssh/config > -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -L 6666:localhost:3306

– Uses mysql shell on Mac

mysqlsh -u<mysql user> -p -h 127.0.0.1 -P 6666
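As an added example that is not part of the original post, here is the boot-time wrapper the post recommends: it reuses the netstat check from the server checklist to avoid starting a second tunnel when 127.0.0.1:6666 is already bound, starts autossh with the flags above, and confirms the forward came up. The host alias dbhost and the variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent autossh tunnel start.
SSH_HOST=${SSH_HOST:-dbhost}        # alias in ~/.ssh/config (assumed name)
LOCAL_PORT=${LOCAL_PORT:-6666}       # -L <local>:localhost:<remote>
REMOTE_PORT=${REMOTE_PORT:-3306}

# Constructed "netstat -nalt" output used only to exercise port_listening.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.9:51522       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN'

# Reads netstat -nalt lines on stdin; prints "yes" if a LISTEN socket ends
# in :<port> (any local address), otherwise "no".
port_listening() {
    awk -v port="$1" '$NF == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
                      END { print (found ? "yes" : "no") }'
}

start_tunnel() {
    if netstat -nalt 2>/dev/null | port_listening "$LOCAL_PORT" | grep -q yes; then
        echo "tunnel already listening on 127.0.0.1:$LOCAL_PORT"
        return 0
    fi
    # Same flags as the post: -M 0 drops the monitor port and relies on
    # ServerAlive* to detect a dead link; -f backgrounds once connected.
    autossh -f -M 0 -N "$SSH_HOST" -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" \
        -L "$LOCAL_PORT:localhost:$REMOTE_PORT"
    sleep 2
    netstat -nalt 2>/dev/null | port_listening "$LOCAL_PORT" | grep -q yes \
        || { echo "tunnel did not come up on $LOCAL_PORT" >&2; return 1; }
}

# Dry run of the check against the constructed sample, then start on request.
printf '%s\n' "$SAMPLE_NETSTAT" | port_listening "$LOCAL_PORT"
if [ "${1:-}" = "start" ]; then start_tunnel; fi
```

Run it as `./tunnel.sh start` from rc.local or a similar boot hook; without the argument it only reports whether the sample shows the port bound.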

Sample PHP Connection


<?php
// mysqli treats the host name "localhost" as a request for the local Unix
// socket and ignores the port, so the connection must target 127.0.0.1
// and pass the tunnel port (6666, from -L 6666:localhost:3306) explicitly.
$link = mysqli_connect("127.0.0.1", "my_user", "my_password", "my_db", 6666);

if (!$link) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}

echo "Success: A proper connection to MySQL was made! The my_db database is great." . PHP_EOL;
// Shows the transport actually used (TCP/IP via the tunnel, not a socket).
echo "Host information: " . mysqli_get_host_info($link) . PHP_EOL;

mysqli_close($link);

Comments and Information from the Man Page:

ServerAliveCountMax
Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only.

ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to protocol version 2 only.

Simple PHP Dependency Injection with Interfaces Example


I created this graphic as a simple way to visualize dependency injection, unit testing and the use of PHP interfaces. The interface provides the "agreement/contract" between the implementations and class \ControllerForExample. You can see that $httpClient can be any one of the implementations. \ControllerForExample doesn't need to know the details of each implementation, only that the contract/implementation is valid.

php dependency injection and interfaces

Culligan 2014


Project Highlights:

  • Worked with Kennedy Communications to develop the project requirements: telephony, architecture and software.
  • Used Symfony Components to migrate from legacy template engine.
  • Twitter Bootstrap for responsive templates.
  • Custom API and Framework Development for multi-site Content Management System.
  • Integrated version control into work-flow to benefit team development.

Animate WordPress wp_nav_menu


I spent the last couple of days working on a solution to animating WordPress’ wp_nav_menu output. I thought I would take a moment to jot it down and share it with anyone else looking to do the same.

Once I got it started I couldn't give in, and came up with a pretty simple solution. The document ready should work in most situations. In some cases you can remove it. You may need to alter the selector, but I tried it on both TwentyEleven and TwentyTen.

jQuery(document).ready(function($){
    // Fade the submenu out when the pointer leaves a top-level item.
    $("#access .menu li").mouseleave(function() {
        $(this).children("ul").stop(true, true).css('display', 'block').fadeOut(100);
    });
    // Fade the submenu in when the pointer enters a top-level item.
    $("#access .menu li").mouseenter(function() {
        $(this).children("ul").stop(true, true).css('display', 'none').fadeIn(400);
    });
});

Enjoy!

FeLion Studios


Amplitude Design worked with FeLion Studios to develop a site that was both social and functional.

FeLion Studios, a Madison-based art studio, was interested in selling their cast-iron art and creating a social following for their regional events.

The success of the site led to top listings on Pinterest.com, Awesomer.com, Thrillist.com, WhyImBroke.com and other top blogging sites. To top it all off FeLion Studios was invited to participate on the Martha Stewart Show.

If you are interested in speaking with a web development or design expert click here.