So your site has a login page? Ever wondered how many “people” are knocking on your door? When I looked at the login attempts on my SSH front door, shortly after a new server deployment, I decided to change doors (ports...). SSH login attempts are in the logs and are fun to look at. But how about failed WordPress logins? First of all, they are not in the logs: a failed login is answered with an ordinary 200 page, so in the webserver's access log it looks just like someone loading the login form. But this can be fixed easily like this:

—> create directory mu-plugins

```sh
mkdir /var/www/<your site root>/wp-content/mu-plugins
```

—> create file wp-fail2ban.php in this directory

```php
<?php
// Answer every failed login with HTTP 403 so it shows up as such in the access log.
function admin_login_failed_403() {
    status_header( 403 );
}
add_action( 'wp_login_failed', 'admin_login_failed_403' );
```
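With the mu-plugin in place a failed login is a "POST /wp-login.php" line with status 403 in the nginx access log, which is what a fail2ban filter would match on. The following is an added example, not code from the original post: a small shell function that does the same counting over the default nginx "combined" log format (assumption) and prints every client address that reached the failure threshold. The log lines are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post. Counts 403 responses to
# POST /wp-login.php per client IP in an nginx "combined" access log and
# prints the IPs that hit MAXRETRY failures, i.e. what fail2ban would ban.

# Usage: wp_login_offenders LOGFILE MAXRETRY
wp_login_offenders() {
    logfile=$1
    maxretry=$2
    awk -v max="$maxretry" '
        # combined format: $1 = client IP, $6 = "POST (leading quote),
        # $7 = request path, $9 = HTTP status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 403 { fail[$1]++ }
        END {
            for (ip in fail) if (fail[ip] >= max) print ip
        }' "$logfile" | sort
}

# Constructed sample log: three failures from 203.0.113.7, one from
# 198.51.100.2, a successful login (302 redirect) and an ordinary page view.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2015:08:01:10 +0100] "POST /wp-login.php HTTP/1.1" 403 2711 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:12 +0100] "POST /wp-login.php HTTP/1.1" 403 2711 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2015:08:01:15 +0100] "POST /wp-login.php HTTP/1.1" 403 2711 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:08:01:20 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:08:01:21 +0100] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:30 +0100] "POST /wp-login.php HTTP/1.1" 403 2711 "-" "Mozilla/5.0"
EOF

# Prints only 203.0.113.7 with a threshold of 3.
wp_login_offenders "$SAMPLE_LOG" 3
```

One caveat before wiring this into a ban: if nginx sits behind a reverse proxy or CDN, the first field is the proxy's address, so the ban would hit the proxy rather than the attacker; restore the client address (for example with nginx's real_ip module) before matching.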

I described the installation of multi-site WordPress here, with the nginx webserver and the php-fpm processes both running as user www-data. According to WordPress, the webserver should have read access to all data and only the WordPress user should have write access. The concept of a WordPress user relates to hosted environments. So how to implement these requirements on your own VPS? First of all, php-fpm supports the concept of pools. Each pool can run as a unique user, separate from the webserver user. So each site should run in a separate pool. This results in the following accounts: webserver: www-data user (default for nginx on Debian); site 1:
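An added example of the pool-per-site model, not code from the original post. It assumes a site root of /var/www/site1 owned by the pool user site1 with group www-data (the post stops before naming its accounts, so these names are assumptions) and php-fpm on Debian/Ubuntu reading pool files from /etc/php/*/fpm/pool.d/. It shows the pool definition, the ownership scheme that gives the webserver read access only, and an audit that lists anything under the site root the webserver could still write to.

```sh
#!/bin/sh
# Added example, not from the original post. Names and paths are assumptions.

# Emit a php-fpm pool that runs one site's PHP as its own user. nginx
# (www-data) reaches the pool over a unix socket whose owner, group and mode
# restrict it to the webserver account.
gen_pool_conf() {
    site=$1 user=$2 group=$3
    cat <<EOF
[$site]
user = $user
group = $group
listen = /run/php/php-fpm-$site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; keep this site's PHP from reading other sites' files
php_admin_value[open_basedir] = /var/www/$site:/tmp
EOF
}

# Ownership model from the post: the site user owns everything, www-data gets
# read access through the group, everyone else gets nothing. Needs root, so it
# is defined here but not invoked in the demo.
apply_site_perms() {
    root=$1 user=$2
    chown -R "$user:www-data" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
}

# Audit: with group = www-data, anything group- or world-writable is writable
# by the webserver. Print those paths, sorted.
find_web_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Constructed demo tree; only modes are set, no ownership change, so this runs
# as an unprivileged user.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/uploads"
touch "$DEMO/wp-config.php" "$DEMO/wp-content/uploads/img.png"
chmod 750 "$DEMO" "$DEMO/wp-content"
chmod 640 "$DEMO/wp-config.php"
chmod 770 "$DEMO/wp-content/uploads"           # deliberately group-writable
chmod 660 "$DEMO/wp-content/uploads/img.png"   # deliberately group-writable

gen_pool_conf site1 site1 www-data
find_web_writable "$DEMO"   # lists the uploads directory and img.png only
```

Because uploads and plugin updates are written by the pool user (site1), which owns the tree, 750/640 is enough for WordPress to work; the audit should come back empty on a correctly set up site, and any hit is a place where a compromised webserver process could plant files.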

“Verbannen” is a Dutch verb and means “to ban”, as in Napoleon being sent to St. Helena. To ban in the context of gaming is being blocked out. With the rise of Facebook and the like, you can even be locked out of groups and communities. But to ban also has a meaning in the context of IT security. For example, your account might get blocked after too many failed password attempts. This requires processes to unlock and restore access. One way to avoid this is to automatically restore access after a certain amount of time. Napoleon was banned until his death, six years later… It

I use SSH with port forwarding for secure remote access. For me it's better than using a VPN. Here are my reasons why:

- Clear visibility on what's happening on the network. You control what happens.
- Easy configuration of IP ports and addresses. Single config file for the OpenSSH client.
- Asymmetric, i.e. client-server model. Better suited for remote access.
- Public/private key based security setup. No PKI needed.
- User space client.
- No encapsulation, only encryption overhead on the payload.

The biggest downside is that you cannot forward UDP ports. There's no such thing as a free lunch. There are workarounds for this limitation, such as using netcat for
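The "single config file" point above, as an added example that is not part of the original post. Hostnames, addresses, ports and the key path are placeholders (assumptions). The function writes a Host stanza that pins the key, fails hard when a forward cannot be bound, and publishes two internal TCP services on the loopback interface only; the equivalent one-off command line is shown as a comment for comparison.

```sh
#!/bin/sh
# Added example, not from the original post. All names and addresses are
# placeholders.

# Emit an OpenSSH client config stanza for a bastion host with two local
# forwards. Usage: ssh_forward_stanza ALIAS HOSTNAME USER KEYFILE
ssh_forward_stanza() {
    name=$1 host=$2 user=$3 key=$4
    cat <<EOF
Host $name
    HostName $host
    User $user
    IdentityFile $key
    # offer only this key, not every key the agent holds
    IdentitiesOnly yes
    # abort instead of silently leaving a forward unbound
    ExitOnForwardFailure yes
    # bind on loopback: local 8443 -> internal web, local 5432 -> internal db
    LocalForward 127.0.0.1:8443 10.0.0.5:443
    LocalForward 127.0.0.1:5432 10.0.0.6:5432
    # keep the tunnel alive across idle periods
    ServerAliveInterval 30
    ServerAliveCountMax 3
EOF
}

CONF=$(mktemp)
ssh_forward_stanza office bastion.example.org alice ~/.ssh/id_ed25519 >"$CONF"
cat "$CONF"

# Equivalent one-off invocation (TCP only; UDP cannot be forwarded this way):
#   ssh -N -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes \
#       -L 127.0.0.1:8443:10.0.0.5:443 -L 127.0.0.1:5432:10.0.0.6:5432 \
#       alice@bastion.example.org
# With the stanza appended to ~/.ssh/config it collapses to:  ssh -N office
```

Binding the forwards to 127.0.0.1 explicitly matters on a multi-user workstation: it keeps the tunnel from being offered to the whole LAN if GatewayPorts is ever enabled elsewhere in the config.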