Make a super fast and lightweight WordPress on Ubuntu 18.04 with PHP 7.2, Nginx, and MariaDB

I’ve been building servers for a long while based on the ideas I learned a few years ago from morphatic.com, however I wanted to move on PHP 7.2 and I also wanted to begin a server migration project to have Beinglibertarian.com, of which I am the CTO, also host our newest members think-liberty.com and rationalstandard.com since they really liked the speed of our WordPress stack. This is a wordpress stack we will build based on Ubuntu 18.04, Nginx, MariaDB, and PHP 7.2. We will even cover setting up lets encrypt. Just a note that I use Mailgun to deliver the emails, it’s free for up to 10,000 emails per month, and they have an easy to use WordPress plugin that makes it super easy to configure. There is of course far more that you can do to secure your server, and while we aren’t going to cover hosting multiple sites in this tutorial, you can understand how I made such a robust server stack on a Digital Ocean Virtual Private Server. You can use this referral code (https://m.do.co/c/0c6bfeff20b7)to get you a few dollars free with Digital Ocean when you sign up, and it also helps support the costs of my own hosting.

So first things first go to Digital Ocean, which we use, or any other VPS or dedicated server provider you use and get the OS setup and do the basics so we can even login to the box, and point your domain at your server. Once that is done I like to start setting up security, disabling root, and allowing a username to have sudo rights.

For those new to Linux administration you can use these tutorials as to how to add new sudo users and setup ssh keys for for even more security but once that is done let’s move on to the basic security I use.

We definitely want the firewall on our box, but IPtables can be a pain to manage. So let’s begin installing things on the box for security. Including Uncomplicated Firewall which can easily manage firewall rules for us.

Install UFW, Fail2Ban, Nginx, and MariaDB:

In order to use a WordPress plugin for purging the NGINX cache that I talk about below, you have to install a custom version of NGINX. MariaDB is a drop-in replacement for MySQL. You can read about why people think it’s better, but from what I have mostly noticed is that it is incredibly fast compared to MySQL. The MariaDB website has a convenient tool for configuring the correct repositories in your Ubuntu distro. From the command line:

sudo apt update 
sudo apt dist-upgrade -y 
sudo apt install ufw fail2ban
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3050AC3CD2AE6F03
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/rtCamp:/EasyEngine/xUbuntu_18.04/ /' >> /etc/apt/sources.list.d/nginx.list"
sudo apt update
sudo apt install nginx-custom
sudo ufw limit ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8 sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] https://mirrors.evowise.com/mariadb/repo/10.3/ubuntu bionic main' 
sudo apt install mariadb-server

When the following screen comes up, make sure you provide a good secure password that is different from the password you used for your user account.

Next, lock down your MariaDB instance by running:

sudo mysql_secure_installation

Since you’ve already set up a secure password for your root user, you can safely answer “no” to the question asking you to create a new root password. Answer “Yes” to all of the other questions. Now we can set up a separate MariaDB account and database for our WordPress instance. At the command prompt type the following:

sudo mysql -u root -p

Type in your password when prompted. This will open up a MariaDB shell session. Everything you type here is treated as a SQL query, so make sure you end every line with a semicolon! This is very easy to forget. Here are the commands you need to type in to create a new database, user, and assign privileges to that user:

MariaDB [(none)]> CREATE DATABASE mywpdb DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
MariaDB [(none)]> GRANT ALL ON mywpdb.* TO 'mywpdbuser'@'localhost' IDENTIFIED BY 'securepassword';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> quit

Note that although it’s customary to use ALL CAPS to write SQL statements like this, it is not strictly necessary. Also, where I’ve used mywpdb, mywpdbuser, and securepassword make sure to put your own choices. The last thing you want is someone knowing you had an easy to guess database name and password.

Fail2Ban Installation and Setup:

Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks. It’s probably one of my all time favorite security tools as it’s very robust and flexible. In order to make modifications to Fail2Ban we need to make a local copy that we can modify so we can preserve changes.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open the newly made file so we can edit it

sudo nano /etc/fail2ban/jail.local

I recommend reading this guide from Digital Ocean on Fail2Ban with Nginx and follow the tutorial to setup and activate the following jails

  1. Change Defaults per tutorial
  2. nginx-http-auth
  3. nginx-badbots
  4. nginx-nohome
  5. nginx-noproxy

Also make sure the SSH and SSH-DDoS jails are enabled, and consider enabling the recidive filter. I also recommend adding a jail for WordPress via the WP Fail2ban plugin for wordpress, which can be easily installed and activated by following their instructions.

Installing and Configuring PHP 7.2:
Since we are using Ubuntu 18.04, PHP 7.2 is the default for PHP so simply run in terminal

sudo apt install -y zip unzip php-fpm php-mysql php-xml php-gd php-mbstring php-zip php-curl 

Just an FYI that this also installs the MySQL, XML, Curl and GD packages so that WordPress can interact with the database, support for XMLRPC (required for Jetpack), and also automatically cropping and resize images. It also installs zip/unzip because I use zip and unzip in some of my own backup plugins and tools.

I also like to tweak the php.ini settins to allow for more memory and larger file sizes. So let’s open /etc/php/7.2/fpm/php.ini.

sudo nano /etc/php/7.2/fpm/php.ini

You can make this faster by using the search function with CTRL + W and then typing what you’re looking for. I usually recommend increasing the post_max_size from the default 8MB, upload_max_filesize from the default 2MB, and memory_limit from it’s default. I generally set all of mine to 128MB and 256MB respectively

Now let’s restart PHP

sudo service php7.2-fpm restart

Now we need to tell Nginx to use PHP7.2-fpm, so let’s open up our configuration file for our default site.

sudo nano /etc/nginx/sites-available/default

We need to edit the file so that it looks like below, but change example.com and www.example.com to your TLD that you are using with your server.

server {
  listen 80 default_server;
  listen [::]:80 default_server;
 
  root /var/www/html;
  index index.php index.html;
 
  server_name example.com www.example.com;
 
  location / {
    try_files $uri $uri/ =404;
  }
 
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  }
 
  location ~ /\.ht {
    deny all;
  }
}

Save and exit, then restart Nginx to apply changes

 sudo service nginx restart

Now it’s time to test it all out and make sure this is all working properly. So let’s make a sample PHP file in your /var/www/html folder called index.php

echo "<?php phpinfo();" | sudo tee /var/www/html/index.php > /dev/null

Now open up your web browser and go to http://SERVER.IP.ADDRESS.HERE (e.g. http://192.168.1.1), and you should see something like this.

Awesome sauce, we’re starting to see it finally coming together! You officially have made a Linux, Nginx, MariaDB, and PHP stack aka a LEMP stack. Honestly at this point you can serve up just about any LEMP needs you have for any software such as NextCloud or more. Let’s move on, the goal line is within sight!

Encrypt! Encrypt! Encrypt! Let’s Encrypt, with TLS/SSL Certificates from letsencrypt.org

This is pretty straight forward but I recommend reading Digital Ocean’s tutorial on setting up and securing nginx, to fully grasp what we are doing here. So let’s install letsencrypt. Before you used to have to add a PPA, update, and install certbot, but it’s in the main Ubuntu repo these days so one command to install letsencrypt, and another to install the certificates to the domains defined in the /etc/nginx/sites-available config file as we have done earlier.

 sudo apt install -y letsencrypt
sudo certbot --nginx

Now just follow the instructions, and provided you entered your domains correctly into the Nginx config file, certbot should find and install certificates for all of the domains. Make sure to pick a reliable email for alerts from letsencrypt.

If for some reason certbot can’t find them or you want an SSL for another domain that is pointed at your server you can generate a certificate by using “-d domain.tld” for all the domains you want like so, and bare in mind www.example.tld and example.tld are considered two different domains, so you need to include both in the certificate you generate along with any other subdomains.

 sudo certbot -d example.tld -d www.example.tld

Now we need to edit the Nginx snippet created by certbot.

 sudo nano /etc/letsencrypt/options-ssl-nginx.conf

Edit it so it looks like below, althought the top few lines are created by certbot, so add the ones below to enhance our security profile.

 
# automatically added by Certbot
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA38$
 
# MANUALLY ADD THESE
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

Now save and exit.

It’s extremely important to renew your Letsencrypt certificates every couple months at least as they expire every 90 days. So we need to setup a cron job to check for renewals often, and renew the certificates automatically. So lets edit the crontab as root

sudo crontab -e

Add the following lines so we can have it check and autorenew certificates every Monday.

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx

Now lets save that and run certbot in a dry run to see if renewals will work.

sudo certbot renew --dry-run

Now it’s time to install WordPress
Personally I like to install wp-cli and then finish it up in the WebUI. I love WP CLI as it is a command line interface to administrate wordpress. So if a worst case happens and you say lock yourself out and can’t reset the password, want to install or deactivate a plugin that isn’t allowing wordpress to work, or more it can do it. It’s extremely powerful and handy to have on a system regardless. So let’s install that, then have it download the WordPress files.

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp
cd /var/www/html
sudo wp core download

Now go to your domain, and you can run the WordPress quick install, it’s straightforward just enter all the information that it asks for, once that is done hop back into terminal and let’s use WP CLI to install some plugins easily that I recommend with this setup to integrate with the caching on the OS, Fail2Ban, and more. If not planning to use mailgun I recommend gmail-smtp if you use gmail. But do not install both Mailgun and Gmail-Smtp, pick one. I also added Cloudflare because I use that, and it’s a free CDN as well as proxy to help avoid DDoS attacks. They have a free plan that is great.I also added WP-Sweep a great database cleaner tool, and Updraft plus, one of the best WordPress backup software. Plus iThemes Security which I really like for it’s many free security features.

sudo wp plugin delete hello --allow-root
sudo wp plugin install nginx-helper --allow-root
sudo wp plugin activate nginx-helper --allow-root
sudo wp plugin install mailgun --allow-root
sudo wp plugin activate mailgun --allow-root
sudo wp plugin install jetpack --allow-root
sudo wp plugin activate jetpack --allow-root
sudo wp plugin install gmail-smtp --allow-root
sudo wp plugin activate gmail-smtp --allow-root
sudo wp plugin install cloudflare --allow-root
sudo wp plugin activate cloudflare --allow-root
sudo wp plugin install wp-sweep --allow-root
sudo wp plugin activate wp-sweep --allow-root
sudo wp plugin install updraftplus --allow-root
sudo wp plugin activate updraftplus --allow-root
sudo wp plugin install wp-better-security --allow-root
sudo wp plugin activate wp-better-security --allow-root

Mailgun Setup
You’ll need to setup an account. I recommend despite their recommendation, making your domain the same as your regular domain, do not subdomain it. The reason why is you can up a forwarding rule so if say someone emails you at [email protected] it could look professional and forward to a gmail account per se. After you’ve set up your domain at Mailgun, go to Settings > Mailgun from the WP dashboard, copy and paste in your Mailgun domain name and API key, and then click “Save Changes” to get it set up. Click “Test Configuration” to make sure it is working. You may also want to use the Check Email plugin just to make sure that emails are being sent correctly.

GMail SMTP Setup
If you setup the GMail SMTP servers in your DNS according to this guide, you’ll want to have installed the GMail SMTP plugin for WP. The setup for this plugin is somewhat involved. I strongly urge you to follow the instructions on their documentation site.

Time to Optimize and Secure the WordPress

Here are some tips for securing and optimizing your wordpress. Simply replace the content of /etc/nginx/sites-available/default with the following and make sure any reference of “example.com” reflects your actual domain and tld.

fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
  # force redirect to HTTPS from HTTP
  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  }
 
  client_max_body_size 256M;
  root /var/www/html;
  index index.php index.html;
 
  server_name example.com www.example.com;
 
  set $skip_cache 0;
 
  if ($request_method = POST) {
    set $skip_cache 1;
  }
 
  if ($query_string != "") {
    set $skip_cache 1;
  }
 
  if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
    set $skip_cache 1;
  }
 
  if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
    set $skip_cache 1;
  }
 
  location ~ /purge(/.*) {
    fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
  }
 
  location / {
    try_files $uri $uri/ /index.php?$args;
    limit_req zone=one burst=50;
  }
 
  # Turn off directory indexing
  autoindex off;
 
  # Deny access to htaccess and other hidden files
  location ~ /\. {
    deny  all;
  }
 
  # Deny access to wp-config.php file
  location = /wp-config.php {
    deny all;
  }
 
  # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
  location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
    deny all;
  }
 
  # Stop php access except to needed files in wp-includes
  location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
    internal; #internal allows ms-files.php rewrite in multisite to work
  }
 
  # Specifically locks down upload directories in case full wp-content rule below is skipped
  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
  }
 
  # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
  # Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
  location ~* ^/wp-content/.*\.php$ {
    deny all;
  }
 
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }
 
  location = /robots.txt {
    access_log off;
    log_not_found off;
  }
 
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
    fastcgi_cache WORDPRESS;
    fastcgi_cache_valid 60m;
    include fastcgi_params;
  }
  ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
  }
  ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
  }
  ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
  }
}

Then while we are at it let’s make sure /etc/nginx/nginx.conf has an additional parameter we set. So open up it up with nano

sudo nano /etc/nginx/nginx.conf

Then look to see if the following block is there under the http section, and make sure it refers to zone one.

http {
    limit_req_zone  $binary_remote_addr  zone=one:10m   rate=2r/s; 

This config file will take advantage of the advanced caching capabilities of our custom version of NGINX. It will also prevent visitors from accessing files that they shouldn’t be. This also adds some configurations to block SQL and file injection attacks, as well as blocking common exploits. Plus we also added some rate limiting so it can help prevent a Denial of Service attack. The combined effect will be to make your site faster and more secure.

Admin’s Have to get Alerts. Set those Admin Emails Up!

Sometimes things happen and you need to know when they happen. So we need to setup email alerts, and while there are a number of ways to do this, this is the best way I recommend to less advanced Linux users. The two ways here will either route through Mailgun, or Gmail depending on what you did earlier will determine what you will do right now. It is based on this tutorial from the EasyEngine folks. First, install the necessary packages. When prompted about your server type, select “Internet Site”, and for your FQDN, the default should be acceptable. Then open the config file for editing:

sudo apt install -y postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
sudo nano /etc/postfix/main.cf

We’ll need to edit the “mydestination” property and add a few more, but we can leave the rest as their defaults.

mydestination = localhost.$myhostname, localhost
relayhost = [smtp.mailgun.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

If you’re using Gmail as your SMTP server, edit it slightly to look like the following

mydestination = localhost.$myhostname, localhost
relayhost = [smtp.gmail.com]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

Now save that file and it’s time to make a file to store our SMTP credentials

 sudo nano /etc/postfix/sasl_passwd

Now add one of the following single lines, only use one of them, and only pick the one you need for Mailgun or Gmail. Where “PASSWORD” is, of course put your actual password”

[smtp.mailgun.org]:587 [email protected]:PASSWORD
OR
[smtp.gmail.com]:465 [email protected]:PASSWORD

You’ll have to get the password for the postmaster account from your Mailgun dashboard. The password for the GMail example should be the password for the email address used. Next we need to lock down this file and tell postfix to use it by running the following:

$ sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
cat /etc/ssl/certs/thawte_Primary_Root_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Now it’s testing time

  sudo /etc/init.d/postfix reload
echo "Test mail from postfix" | mail -s "Test Postfix" [email protected]

If everything went perfect, you’ll receive an email from the server at the address in the last line. Also you can check the mailgun logs to see if it routed through their servers.

FINISH HIM! Auto Updating the server
So we need to make sure our server it automatically applying security updates for obvious reasons. So now we need to enable auto updates for apt.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

After editing the file it should look like this

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}ESM:${distro_codename}";
};
Unattended-Upgrade::Mail "[email protected]";
//Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

This will tell the server to automatically apply security and regular updates, email the admin when updates are done, automatically remove unused dependencies, automatically reboot if necessary, and reboot at 2AM if necessary. But now we need to edit the 10periodic to enable some options.

sudo nano /etc/apt/apt.conf.d/10periodic

Once done it should look like this

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

What that tells it to do is run “apt update” to pull new packages, download packages that are available for update, automatically clean package installers weekly, and enable the unattended upgrade we configured prior.

Finally lets do one last update and clean the server up for it’s maiden voyage.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoclean
sudo reboot

Another thing that maybe useful is adding a swapfile, I prefer to instead go to a larger server with more RAM as a Swap file isn’t as ideal as more RAM, but better than nothing if you absolutely need it. Digital Ocean has a great tutorial here.

Conclusion:
This was a bit of a longer tutorial, and there is a whole lot more you can do from additional wordpress plugins, to a CDN like Cloudflare which can really speed up the site, additional security from Port Scan Attack Detector (PSAD), additional blocklists, and more. I hope to cover an addition to this tutorial in the future to detail how I got multiple website on the same box using a slightly modified version of this stack

Announcing My New Project for Cryptocurrency: Liberty Wallet

So I am working on a project which I think will benefit all cryptocurrency users. I saw one of my friends trusted one of those third party wallets and basically had his life savings taken away because ultimately your money depends on how trustworthy they are. Which got me thinking about something.
Ok so here is the long and short of my idea:
I am looking to form a project I call, “Liberty Wallet.” So I’m going to work on a project soon to create a software package for a very secure easy to deploy setup for a laptop which will act as a dedicated cryptocurrency wallet to be used optionally in conjunction with a hardware wallet or merely by itself. It will be an easy set of tools already out there, and a way to lock down the whole OS for security.
All code will be free, Libre, and open source it will not cost any money but it will be funded by my own money and donations (you are free to donate if you like).
The concept is simple:
Not all cryptocurrency is able to be stored on a hardware wallet as it has to be coded into a hardware wallet and cryptocurrencies come out rather fast compared so new wallets are added all the time.
Unfortunately most people put a wallet on a third party service you have to trust or on a general purpose machine which is rather insecure as it has a wide attack surface. One wrong website visited with malware looking for crypto and it’s gone.
So my solution is to create a set of tools, and eventually a dedicated distribution of Linux based on Arch and/or Ubuntu which can run on a dedicated PC with an x86 CPU (AMD or Intel) which is encrypted and has tools to create an encrypted back up via Veracrypt and a cloud provider or external drive (HDD or thumb drive)
So imagine you have a small, low power machine, dedicated to managing your cryptocurrencies which can be backed up, that is encrypted, and has has a very small attack surface because it would be hardened.
Furthermore I will use the Ledger Nano S in ways to help lock my device and add additional security as an option.

The project will also include prior features I implemented in some prior mining projects which created bitcoin paper wallets and other things. So I will look at ways to create paper wallets within the system both online and offline. So you can offload crypto onto QR codes.

The project will utilize already existing wallets for many of the cryptocurrencies and allow users to add their own wallets for new cryptocurrencies as they come out.

This way you have ultimate control over your own cryptocurrency.

Eventually I would like to have a team of developers freely contributing code to improve the project and when I get it to a stable or at least decently feature filled state I will announce it via the proper channels to the world through Being Libertarian (which I am the CTO of)

All I would really need for development is two refurbished low power laptops (found a Dell 2120 on Newegg for $80) and a couple SSD upgrades (also $80 each). One laptop for Ubuntu development and other for Arch development. I’m going to save up money here and there over the next month towards this but if anyone wants to chip in message me. I will have ALL of the code released under GPL v3 to ensure it will be Free, Libre, and Open Source even if forked where applicable as well as have my progress be completely transparent on Github.

I want to do this as all current solutions that are ideal are usually hand built just by people like me who keep it to ourselves. I want to simplify the process so someone can grab a device off the shelf, have a walkthrough and guide, and easily set it up themselves on their own hardware whether it be a tiny netbook as I want, or a whole separate laptop or desktop.

The first step is to create scripts to deploy an Ubuntu or Ubuntu derivative of it to be locked down and install some wallets. Along with a walkthrough and guide to deploy an encrypted Ubuntu setup

The second step is to create a full distribution in Arch and even an Ubuntu format possibly which installs with LVM and LUKS for ultimate encryption to prevent unauthorized access in person.

The third step is to create a full setup for a Raspberry Pi to operate on something like Noodle Pi or Pi Laptop for an ultra portable and secure setup.

Thoughts? Comments? Concerns? Want to find out how to help out?

If anyone wants to help me get the hardware for the Liberty Wallet project you can send Ethereum and Litecoin to here. I’m only trying to raise a total of $320-400 shipping for all the hardware required to develop on for the Ubuntu and Arch side. Eventually I will develop a Raspberry Pi version as well once the x86 Arch and Ubuntu versions are developed and looking to build it on the Noodle Pi.
Bitcoin:
1zuecfedVxrmzWrEZAuBu8HeTd1MzDpme

Litecoin: LSXuvtb2qexMBWkf7GJXC5qdypLCsEKeC9

Ethereum: 0x8589aAa4A016402780Da6E7e5c958418e2e2b2f5

Moving to Xubuntu 16.04 for my personal items

Well my Home Theater PC is just about finished… I just installed samba, enabled openSSH via my SSH key, along with my other goodies. Just doing the final tweaks to smooth out video playback via xorg.conf hopefully all the settings will carry over perfectly as this the same exact GPU and such.
But my Nvidia driver is 361 instead of 358 which I was using when on 14.04.
I am just hoping I don’t have to recompile a kernel just for the “Intel Core 2 or Newer” CPU’s along with modifying the system timer from 250Hz to at least 300Hz to have a number more evenly divisible into 30FPS to equal US NTSC video vs European PAL at 25FPS, if that is the case I will bump it to a 1000Hz timer for faster responsiveness as it’s a desktop, as well as being divisible into 30 and 25 in case I take it over seas. If I have to recompile for the Home Theater I am merely going to recompile from the Ubuntu sources rather than directly from kernel.org. My laptop will be getting a custom kernel from kernel.org though as it doesn’t have the proprietary GPU for smoother video playback

I opted for fresh reinstalls for my laptop and HTPC as I ran into issues with the upgrade and then merely reinstalled all my applications and such through my scripts, as I always keep my /home on a separate partition just in case I have to reinstall things.

I am working on upgrading my servers from 14.04LTS to 16.04LTS as well by Q2 of 2017 after lots of testing. Some servers will probably be rebuilt from scratch. However I am in no rush as we all have until 2019 for the end of life of Ubuntu 14.04 LTS to end.

Introducing IPset-Assassin

Completed installation
completed installation

I recently wrote a nice little program to setup and maintain your firewall on Ubuntu GNU/Linux 14.04. This will install a cron job to run daily and pull lists from multiple sites to block malicious IP addresses. Adding around ~40,000 or more individual IP addresses as well as the top 20 malicious IP blocks per day, all voluntarily and freely contributed. All of the malicious individual addresses are managed with ipset, while the IP blocks are managed with IPTables. This leads to a very efficient way of managing the tables easily and automatically. This optionally allows you to enable or disable Tor Exit node connections. I have also created an optional weekly cron job that will block whatever countries you may wish. I hand typed all 233 countries codes into a dialog menu. I added a new iptables-persistent from another Github repository which also works with ipsets to keep it persistent upon reboot for both iptables.

Screenshot_2016-07-03_04-44-54
When installing it may get stuck here for a minute or two that’s fine. It’s setting a lot rules up

The lists that are regularly installed:

Project Honey Pot Directory of Dictionary Attacker IPs
TOR Exit Nodes this will block all access to Tor*
BruteForceBlocker
Spamhaus
C.I. Army
OpenBL.org
Autoshun
Blocklist.de
Malware Domain List
ZeusTracker
Malc0de IP blacklist
MaxMind GeoIP Anonymous Proxies
StopForumSpam
GreenSnow

 

*Tor exit node blocking is optional
*Tor exit node blocking is optional

It’s simple enough to install. Simply run the script as root and select if you want to block Tor exit nodes or if you want to block any countries. If there are any issues or suggestions please let me know on GitHub. I want to eventually make this also capable of running on CentOS for my PhonePBX.

https://github.com/ChiefGyk/ipset-assassin

Tested on Ubuntu 14.04 servers, and Xubuntu 14.04 running server applications. Test it on your own machine as well if you like

233 Countries to block if you choose to.
233 Countries to block if you choose to.

Nginx Filters for Fail2Ban

When making my other servers I was double checking fail2ban configurations and noticed there is no fail2ban settings for nginx seeing as the webmail runs on it. Not sure if it’s an issue, or anything but I was hoping some other could tell me if I am on the right track, or if it’s not even necessary.

I did this for my email server which runs nginx as the web server.

In the /etc/fail2ban/jail.local

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

thencd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

make sure it’s like below

[Definition]


failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

copy badbots config from apache
sudo cp apache-badbots.conf nginx-badbots.conf

Free(dom) Software: Why Your PC should have Liberty

RYF-300x300

 

“Freedom” is the very word at the core of libertarianism: the ability for us to be able to do anything we believe in freely, so long as it does not infringe on the freedoms of another individual. When you think of freedom, what comes to your mind? Speech, religion, assembly, press, property, perhaps the right to bear arms, perhaps the ability for us to do whatever we please to our own bodies, and we can go on from there. So why do many not consider freedom to mean the ability to own our software in our own computers like we view our bodies or our vehicles? This is where Free, Libre, and Open Source Software (FLOSS aka Free or Libre) comes in. What exactly does Free and Open Source mean? Free and Open source software is software whose source code is available for modification or enhancement by anyone. But let us always remember, Free software came before Open Source.

“Source code” is the part of software that most computer users don’t ever see; it’s the code which computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Programmers who have access to a computer program’s source code can improve that program by adding features to it, or fixing parts that don’t always work correctly.

Source: https://opensource.com/resources/what-open-source

open source logo

 

The problems with Windows and Apple are that you can’t really trust them all that much in terms of privacy. They both have backdoors for the government. Now, while the government may have good intentions according to some, they are severely flawed. The problems with a backdoor in a system that I can’t close as a user, means that malicious hackers have another exploit to get into your system with and potentially monitor or steal information from you. Allowing software to be Free means that it is transparent and vetted by thousands of people all around the world, who are constantly working on the software.

Take for example Mozilla Firefox, formerly Netscape Navigator. It’s not maintained by some giant company like Google, Apple, or Microsoft that make their browsers and have parts that are completely closed. Firefox, being Free, is maintained by a large community who make one of the freest browsers, with a non-profit foundation maintaining all the thousands of additions to code that go on every day. We can ensure there are no intentional backdoors in the code, while making it as customizable as we want. In fact the GNU/Linux (often just called “Linux”) back door attempt of 2003 some suspected of being done by the NSA, is proof of that very fact that Free software is more secure.

“Free software” means software that respects users’ freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”. We sometimes call it “libre software” to show we do not mean it is gratis.

Source: https://gnu.org/philosophy/free-sw.html

Richard Stallman, founder of the Free Software Movement, said Windows and OS X are malware, even stated the observation Amazon’s Kindle has an Orwellian back door, and has said that only an idiot would trust the Internet of Things.

“Malware is the name for a program designed to mistreat its users,” Stallman wrote in The Guardian.

What kinds of programs constitute malware? Operating systems, first of all. Windows snoops on users, shackles users and, on mobiles, censors apps; it also has a universal backdoor that allows Microsoft to remotely impose software changes. Microsoft sabotages Windows users by showing security holes to the NSA before fixing them.

Apple systems are malware too: MacOS [OS X] snoops and shackles; iOS snoops, shackles, censors apps and has a backdoor. Even Android contains malware in a non-free component: a backdoor for remote forcible installation or de-installation of any app.

quote-to-have-the-choice-between-proprietary-software-packages-is-being-able-to-choose-your-master-richard-stallman-268889-768x361 (1)
Richard Stallman: Founder of the Free Software Movement. President of the Free Software Foundation

In fact the entire Free, Libre, and Open Software Software Movements are already unsung heroes of our most precious example of our freedom, the internet. People don’t recall, but many years ago the internet as a whole was very close to becoming proprietary in the software market. You had to buy a lot of closed source software to even connect to the internet. Once upon a time, you actually used to pay for an Internet browser. Microsoft was very close to choking off freedom on the internet when it had, at its peak, 95% of the market share on internet browsers. The internet stagnated for many years, and we were stuck with Internet Explorer, one of the worst browsers ever because it was so full of holes, for a very long time. Microsoft could have also done the same with Windows server,when in fact the majority of web servers and critical components that run the web today are run on GNU/Linux or FreeBSD which are both Free and Open Sourced. In fact GNU/Linux and FreeBSD were the first to have the components to even be able to connect to the internet. For years people were forced to pay for software to create documents, we had Open Office (now deprecated), and LibreOffice which has replaced Open Office. In fact I wrote this rough draft on my laptop running GNU/Linux using LibreOffice. The Being Libertarian site itself is run on GNU/Linux and WordPress, both are Free and Open Sourced software. In fact Bitcoin wouldn’t even exist were it not for FLOSS. I have actually been a member of the FOSS and FLOSS movements for 10 years now, starting when I was 14 years old. GNU/Linux and the FLOSS communities were the first to introduce many of the features now found common on Windows and Mac OS X, including, but not limited to, remote desktop, virtual desktops, and a TCP/IP stack so they can use the internet. In fact a lot of Mac OS X relies on Open Source software, but it’s not as Free as it actually should be, because there is no way I can have access to the complete source code and compile my own Mac OS X, like I can do with GNU/Linux or FreeBSD.

Use-of-Open-Source-Software-Is-Now-Mandatory-In-Indian-Government-Offices-477052-2-768x390 (1)

Now I know a lot of libertarians and conservatives would rather place their trust in businesses managing things. But this is where voluntarism come in, because no one is forcing you to contribute to the code. Far more people are using the software without contributing the software, but if you see a problem or feature that can be added you are more than welcome to do so. This is best explained in Eric Raymond’s “Cathedral and the Bazaar”, of why the FLOSS model of a bazaar with the community voluntarily working together is better than the cathedral approach of Apple or Microsoft. It’s also one of the most influential essays ever written in the IT world.

Eric S. Raymond: One of the key people in the Free, Libre, and Open Source Movement, and author of the “Cathedral and the Bazaar”
Eric S. Raymond: One of the key people in the Free, Libre, and Open Source Movement, and author of the “Cathedral and the Bazaar”

Linux overturned much of what I thought I knew. I had been preaching the Unix gospel of small tools, rapid prototyping and evolutionary programming for years. But I also believed there was a certain critical complexity above which a more centralized, a priori approach was required. I believed that the most important software (operating systems and really large tools like the Emacs programming editor) needed to be built like cathedrals, carefully crafted by individual wizards or small bands of mages working in splendid isolation, with no beta to be released before its time.

Linus Torvalds’s style of development—release early and often, delegate everything you can, be open to the point of promiscuity—came as a surprise. No quiet, reverent cathedral-building here—rather, the Linux community seemed to resemble a great babbling bazaar of differing agendas and approaches (aptly symbolized by the Linux archive sites, who’d take submissions from anyone) out of which a coherent and stable system could seemingly emerge only by a succession of miracles.

Source: http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/
*I highly recommend reading the entire essay (~36 Pages on paper)

 

Linux_Distro

I have mentioned LibreOffice and Mozilla Firefox as FLOSS software, but there are thousands of distributions of GNU/Linux to use, and thousands of Free, Libre, and Open Source Software out there. It’s all about freedom of choice. If you don’t like one part of the system or program you can change it. For example I used to be a Gentoo GNU/Linux user where I can completely build my own system the way I wanted, then I became a bit lazy and switched to Ubuntu a few years ago as I didn’t want to have to spend so much time on each installation. I, of course, still didn’t like Ubuntu on a few parts, so I modified a lot of the operating system, until eventually Ubuntu decided to add the Unity User Interface, which I hated with a passion. So I switched to Xubuntu as a day to day work OS, withKali GNU/Linux on the same laptop for all my tools to penetrate network security as part of my job. One GNU/Linux in particular a lot of people who love their privacy like is Tails, which leaves no trace of you on the host computer, and encrypts as well as anonymizes all of your data. The Condor intraoral scanner, which I previously covered inMarch of 2015, is running Manjaro GNU/Linux. I also have been looking into Trisquel GNU/Linux which is a completely Free version of GNU/Linux, which Richard Stallman himself uses. There are parts in a quite a few distributions of GNU/Linux that use “non-free” software meaning its use, redistribution or modification is prohibited, or requires you to ask for permission, or is restricted so much that you effectively can’t do it freely. There are a few classes of types of software which the Free Software Foundation does a good job of explaining to the average user.

But back to the main point. The beauty of GNU/Linux and FLOSS in general is freedom, as what works for some, doesn’t work for all. Linus Torvalds, the maker of the GNU/Linux kernel, himself didn’t like Ubuntu, whereas I kind of like the Ubuntu environment.

Linus Torvalds: Founder of the Linux Kernel. In 1991 introduced Linux to the world saying, “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.” Despite Linus being the creator of Linux, and also the largest contributor of code to the project, Linus has only contributed 1% of the total code.
Linus Torvalds: Founder of the Linux Kernel.
In 1991 introduced Linux to the world saying, “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.” Despite Linus being the creator of Linux, and also the largest contributor of code to the project, Linus has only contributed 1% of the total code.

So at the end of it all, those who call themselves true libertarians, conservatives, or even just a full out privacy rights advocate should be throwing their closed source software away whenever possible, and embrace the true freedom only granted by software to the user which is FOSS or even better, FLOSS. It’s time to really embrace freedom to its fullest extent in all facets of your life. You can even start slowly dipping your toes in the water of the open source movement. I use Mozilla Thunderbird instead of Microsoft Outlook, Mozilla Firefox or even better GNU IceCatinstead of Microsoft Edge or Internet Explorer, Notepad++ (NotepadQQ in GNU/Linux) instead of Notepad,LibreOffice instead of Microsoft Office, GNUCash instead of Quickbooks, ProjectLibre instead of Microsoft Project,7-zip instead of WinZIP and WinRAR, Dia instead of Microsoft Visio, Scribus instead of Microsoft Publisher, and etc. You can find a FOSS or FLOSS solution for almost any task that you need to do today.

download (3)

If any readers are interested in a deep look into the philosophy, culture, and history of the entire Free, Libre, and Open Source Movements, I highly recommend watching the documentary Revolution OS (About 1 1/2 hours) which is freely available on YouTube ( https://youtu.be/jw8K460vx1c) and elsewhere.

Update: After Speaking to Richard Stallman some changes were made

This article was originally written by me for Being Libertarian

Automatic Filters for IPTables Firewall

So I have been building servers for quite sometime, and if you have been operating servers for a while, you know of attempted intrusions into your server. I have been using Fail2Ban and UFW for quite some time on my Ubuntu servers and they work rather well. I would have them automate the job of managing IPTables, which can be rather cumbersome. Especially with IT people whose specialty may not be firewalls. So I have been looking around for a way to automate my job. My favorite tools thus far include

  1. Fail2Ban – scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action(e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
  2. UFW – Uncomplicated Firewall, The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
    Gufw is a GUI that is available as a frontend.
  3. Blocklist.de – www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked on SSH-, Mail-Login-, FTP-, Webserver- and other services.
    The mission is to report all attacks to the abuse deparments of the infected PCs/servers to ensure that the responsible provider can inform the customer about the infection and disable them.

It’s rather easy to set up these update the IPTables with a simple crontab daily, which will sync with blocklist.de

First become root
sudo -i

Then download the script to cron.daily and make it executable
curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban

chmod a+x /etc/cron.daily/sync-fail2ban

Optional but Recommended, Initial run manually:
time /etc/cron.daily/sync-fail2ban

Tomorrow, check your /tmp/iptables.fail2ban.log file to see who’s been blocked.
The lists you get are stored locally for now at /etc/fail2ban/blacklist.*
Your server should now be a little bit more secure with a few thousand new IP addresses added to your IPTables

Install the latest Mozilla Thunderbird or Firefox in Ubuntu GNU/Linux

So I ran into an issue with my Mozilla Thunderbird today when I was finished setting up my new email, contact, and calendar server with Mail-in-a-box. So I go to add the lightning extension for calendars, and low and behold I find out my Thunderbird (the one that came in the the default Xubuntu repos for 14.04LTS) was out of date and not supported by lightning. The Ubuntu repos had version 38.8, but what version was Mozilla at themselves? 45.1 as of this post. So I quickly installed the latest binary but I tend to be forgetful about updates, so I wanted to tie it into the apt package manager so I found a PPA that works.

First if thunderbird is installed remove it, and maybe backup your .thunderbird folder just in case. But you shouldn’t have to worry about losing any data.

sudo apt-get remove -y thunderbird

Next we need to add a new repository called Ubuntuzilla so edit your sources.list. I used nano for this, but feel free to use whatever you like.

sudo nano /etc/apt/sources.list
add to the end
deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main

or you can do that all with one command
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | sudo tee -a /etc/apt/sources.list > /dev/null

Then grab the keys and update
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
sudo apt-get update

Install your desired package, with one of the following commands:
sudo apt-get install firefox-mozilla-build
sudo apt-get install thunderbird-mozilla-build
sudo apt-get install seamonkey-mozilla-build

Source

How to make “WHOIS” work with new TLD’s e.g. *.xyz, *.online

So I have been building a lot of servers and generally I like to segment them to different domains but whois by default only will work with *.com, *.info, *.net you know the usual TLD’s you think of. But now there are so many new ones I like to scoop up I still want to test my server settings with whois. Well have no fear on my Xubuntu 14.04LTS I use everyday simply create the file “whois.conf” in the /etc/ folder. So use your favorite text editor and paste this file in to get any new TLD resolved.
Open Nano (or whatever text editor you prefer)
sudo nano /etc/whois.conf

Once inside your text editor paste this list (list is very long so I added a read more section you will need to open to see the entire list)

#
# WHOIS servers for new TLDs (http://www.iana.org/domains/root/db)
# Current as of 2015-09-12
#

Continue reading “How to make “WHOIS” work with new TLD’s e.g. *.xyz, *.online”

How to Make Super Secure Passwords Easily with One Command

We all know when it comes to security, a secure password is always the most important thing. However remembering a complex password is always the toughest part anywhere. Especially when it comes to being a system administrator, our passwords are usually the most vital of anyone in the company. When it comes to telling people they need complex passwords, what always comes to mind is this xkcd comic about passwords.

password_strength

As the bottom text suggests we have come to the point where it’s hard for us to remember passwords, but easy for computers to guess. So what’s the solution? Well what I do as a GNU/Linux person is use the command already built in to generate super secure passwords using the sha1sum, sha224sum, sha256sum, sha384sum, and sha512sum commands.

First off pick a random word or phrase. Now remember capitalization, spaces, and such will always effect the sum spit out. let’s start with sha1sum which is the shortest, and using the word “password” as our example throughout this tutorial

echo "password" | sha1sum
c8fed00eb2e87f1cee8e90ebbe870c190ac3848c

So we see using the word “password” it spits out the sha1sum of the word, and we now have a very complex password. Now let’s try it with SHA256

echo "password" | sha256sum
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

So you see as we increase the strength of the sha256sum, the output sum is longer, and with a longer password comes even more security. Now let’s try SHA512

echo "password" | sha512sum
9151440965cf9c5e07f81eee6241c042a7b78e9bb2dd4f928a8f6da5e369cdffdd2b70c70663ee30d02115731d35f1ece5aad9b362aaa9850efa99e3d197212a

So now we see the output is incredibly long and complex. This is a great way to make incredibly secure passwords.