
How to secure my WordPress installation?

WordPress is a very widely used blogging system and is well known as an entry point for attackers. There are tons of hacks, sources and tools trying to get access to the WordPress admin panel or to the underlying system. There are also tons of plugins that try to secure it by changing the original WordPress code or file names.

Why are they doing this? Does it mean that the WordPress team is too stupid to develop secure code and a secure blogging system? Or does it mean that the WordPress core is not secure? Anyway. I think it is a bad idea to let plugins or themes overwrite the original code. In an older blog entry I explained how I mount one WordPress installation from the ports collection into all of my blogs. I’m using nullfs to mount it as a read-only directory. Plugins that try to overwrite or change original files will fail.

Back to the topic. First, a good idea is to limit login attempts. I’m using https://de.wordpress.org/plugins/limit-login-attempts-reloaded/ and it works well. That is the first step; I have to evaluate more plugins.

FreeBSD and the Hack88 – 88 characters for mount points

A good way to increase the security of a server is to separate services, programs and libraries into their own containers. Today most people would say “Docker, Docker, Docker”. Yeah, it’s a valid solution. You can use Docker, virtualization platforms like https://opennebula.org or the FreeBSD-specific http://www.bhyve.org. FreeBSD has offered a simple way to do this for nearly 20 years: jails. Please take a look at the Wikipedia article https://en.wikipedia.org/wiki/FreeBSD_jail.

Okay, back to the original topic. 88 characters for mount points, and what is the relation to jails? I use http://iocage.readthedocs.io/en/latest/ for managing jails on my FreeBSD 11.1 system. You’ll get a directory structure like

/iocage/jails/shortnameOfJail/root/usr/home/myUser/www/blog.somenicedomain.com/html

Congratulations, you have a directory path of 83 characters, but what’s the problem?

  1. Let’s install WordPress in a new jail, to separate this PHP code from the rest of the system.
  2. Install WordPress from the ports collection (it lands in /usr/local/www/wordpress).
  3. DON’T copy the /usr/local/www/wordpress directory!
  4. Instead, USE nullfs to mount the WordPress files read-only, and nullfs union mounts on top for the few directories that must be writable.

Your fstab for the jail looks like this (host paths on the left, mount points inside the jail root on the right):

/usr/home/someUser/www/blog.someNiceDomain.de /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de nullfs rw 0 0
/iocage/jails/www-wp/root/usr/local/www/wordpress /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp nullfs ro 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-root /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp nullfs rw,union 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-content/plugins /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp/wp-content/plugins nullfs rw,union 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-content/uploads /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp/wp-content/uploads nullfs rw,union 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-content/themes /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp/wp-content/themes nullfs rw,union 0 0

Mount points that don’t fit into the 88-byte MNAMELEN buffer will cause an error: f_mntonname and f_mntfromname are C strings, so the terminating null takes one byte and the longest path that works is 87 characters; anything of 88 characters or more is rejected by mount(2) with ENAMETOOLONG. Really strange. Believe me, in a jail environment it’s really easy to get mount points of that length. It’s like Tetris, fitting everything into the existing 88-character restriction. This behavior has persisted since FreeBSD 5 and will be solved around 16 years later in FreeBSD 12. Can anyone explain to me why 88 characters? I live in a 2^n world. 01011101 😉
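To catch this before the jail fails to start, here is an added shell check (example code written for this page, not part of the original post and not part of iocage) that measures the from/on path of every entry in a jail fstab against MNAMELEN. The sample fstab it writes is constructed from the entries above; the longer jail name www-wordpress-production in the third entry is hypothetical and only there to show an entry that exceeds the limit.

```shell
#!/bin/sh
# Added example, not from the original post: pre-check a jail fstab for
# mount paths that will not fit into the MNAMELEN buffer of statfs(2).
# MNAMELEN is 88 on FreeBSD 5 through 11. f_mntonname/f_mntfromname are C
# strings, so the longest path that fits is MNAMELEN-1 = 87 characters;
# mount(2) rejects longer "from" or "on" paths with ENAMETOOLONG.
MNAMELEN=88

# pathlen PATH: length of PATH in characters (POSIX ${#parameter}).
pathlen() {
    printf '%s\n' "${#1}"
}

# check_fstab FILE: prints one line per entry, "ok" or "TOOLONG", plus the
# lengths of the from/on paths. Comments and blank lines are skipped.
# Returns 1 if at least one entry would fail to mount, 0 otherwise.
check_fstab() {
    rc=0
    while read -r from on fstype opts dump pass; do
        case "$from" in ''|'#'*) continue ;; esac
        flen=$(pathlen "$from")
        olen=$(pathlen "$on")
        status=ok
        if [ "$flen" -ge "$MNAMELEN" ] || [ "$olen" -ge "$MNAMELEN" ]; then
            status=TOOLONG
            rc=1
        fi
        printf '%-7s from=%-3s on=%-3s %s\n' "$status" "$flen" "$olen" "$on"
    done < "$1"
    return "$rc"
}

# count_toolong FILE: number of entries that would fail (handy in scripts).
count_toolong() {
    check_fstab "$1" | awk '/^TOOLONG/ { n++ } END { print n + 0 }'
}

# write_sample_fstab FILE: constructed sample fstab. The first two entries are
# taken from the post (jail "www-wp"); the third uses the hypothetical, longer
# jail name "www-wordpress-production" and exceeds the limit.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample iocage fstab
/iocage/jails/www-wp/root/usr/local/www/wordpress /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp nullfs ro 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-content/plugins /iocage/jails/www-wp/root/usr/local/www/blog.someNiceDomain.de/wp/wp-content/plugins nullfs rw,union 0 0
/usr/home/someUser/www/blog.someNiceDomain.de/wp-content/plugins /iocage/jails/www-wordpress-production/root/usr/local/www/blog.someNiceDomain.de/wp/wp-content/plugins nullfs rw,union 0 0
EOF
}

# Usage on a real system (path assumed to be the jail's iocage fstab):
#   check_fstab /iocage/jails/www-wp/fstab || echo "shorten the jail name or mount path"
```

The third entry comes out as TOOLONG with an on-path of 102 characters, while the two entries from the post (65 and 84 characters) pass. On FreeBSD 11 the only cure is to make the path shorter: a shorter jail name, or mounting into a shorter directory inside the jail (for example /usr/local/www/blog instead of the full domain name) and pointing the web server at that.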

Some useful links

http://iocage.readthedocs.io/en/latest/known-issues.html#character-mount-path-limitation

https://www.freebsd.org/cgi/man.cgi?query=statfs&sektion=2&manpath=freebsd-release-ports

statfs(2)

#define MFSNAMELEN	16	/*	length of type name including null */
#define MNAMELEN	88	/*	size of	on/from	name bufs */
#define STATFS_VERSION 0x20030518	/*	current	version	number */

struct statfs {
  ...
  char f_charspare[80]; /* spare string space */
  char f_fstypename[MFSNAMELEN]; /* filesystem type name */
  char f_mntfromname[MNAMELEN]; /* mounted filesystem */
  char f_mntonname[MNAMELEN]; /* directory on which mounted */
}