# mod_deflate configuration
# Restrict compression to these MIME types
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xml+rss
AddOutputFilterByType DEFLATE text/css
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
After restarting Apache and running PageSpeed again I got 93/100 for Desktop Optimization!
After updating the Sucuri plugin I also noticed one new security recommendation: Disable Server Banners. Essentially, they recommend turning off anything that exposes your server version and modules. For that I just added two lines to /etc/httpd/conf/httpd.conf:
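The Apache directives behind that recommendation are ServerTokens and ServerSignature. As an added example (not the post's own two lines), here is a small shell script that writes them as a drop-in under conf.d and checks the Server header a client really sees; the drop-in file name banner.conf and the conf.d path are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: hide the Apache version and
# module list, then verify what a client actually gets back.
# Assumed layout: stock Amazon Linux /etc/httpd/conf.d; banner.conf is an
# arbitrary file name chosen here.

HTTPD_CONF_DIR="${HTTPD_CONF_DIR:-/etc/httpd/conf.d}"

# Write both directives into a drop-in so they survive package upgrades that
# replace httpd.conf. ServerTokens Prod reduces the Server header to "Apache";
# ServerSignature Off removes the version footer from error/index pages.
harden_banner() {
    cat > "$HTTPD_CONF_DIR/banner.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
}

# Return 0 (leaky) if a Server header value still carries a version number
# ("Apache/2.4.33", "Apache/2") or a parenthesised OS/module list.
# $1: the value of the Server header
server_header_leaks() {
    case "$1" in
        */[0-9]*|*"("*")"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the Server header from a live host and grade it.
# Usage: check_live_banner https://blog.example
check_live_banner() {
    local header
    header=$(curl -sI "$1" | awk 'tolower($1)=="server:" {sub(/^[^ ]+ /,""); sub(/\r$/,""); print}')
    if server_header_leaks "$header"; then
        echo "LEAK: Server: $header"
        return 1
    fi
    echo "OK: Server: ${header:-<none>}"
}
```

Run harden_banner as root, restart httpd, then check_live_banner https://your.host; the only thing left in the header should be the word Apache. Hiding the version is hygiene rather than protection: it stops scanners from fingerprinting the build for free, but does nothing about the actual patch level, which is what yum update is for.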
And a last minor note: I had no issues upgrading my AWS instance to Amazon Linux 2018.03. The motd actually tells you how to do it:
sudo yum clean all
sudo yum update
You will get the latest Linux 4.14 kernel and a bunch of updates. I encountered no issues with my WordPress after restarting my box.
More than a year ago I installed SSL/TLS support for this blog using Amazon’s guide. Now that certificate has expired and I need a new one. This time I decided to use Let’s Encrypt because I have used it successfully for my other projects. And it was actually very easy:
chmod +x certbot-auto
./certbot-auto run --apache -d blog.apalagin.net
This tool will complain that Amazon Linux is experimental, but I had no issues with that and it did all the work for me! The only caveat is that Let’s Encrypt certificates are valid for just 90 days, so you should add a cron job that renews them regularly (certbot only actually renews once a certificate is within 30 days of expiry, so running it often is harmless). For example, something like this in your /etc/crontab:
39 1,13 * * * root /home/ec2-user/certbot-auto renew
I should also mention that there is a next version of Amazon Linux, Amazon Linux 2, where you can install Certbot from the EPEL repository.
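To see whether a renewal actually needs to happen, and to make sure Apache picks up a renewed certificate, here is an added example in shell (not the post's own setup). It assumes the certbot-auto path and cron schedule from the post; the 30-day window is certbot's own default for renew, and demo_cert mints a throwaway self-signed certificate so the check can be exercised without a live host.

```shell
#!/bin/bash
# Added example, not from the original post: certificate expiry check plus a
# renew cron line that reloads Apache only when something was renewed.
# Assumptions: certbot-auto lives in /home/ec2-user as in the post, Apache is
# managed by "service httpd" (Amazon Linux 1), 30-day threshold as in certbot.

# Return 0 if the certificate in $1 expires within $2 days (default 30).
cert_needs_renewal() {
    local cert=$1 days=${2:-30}
    # openssl exits non-zero when the certificate WILL expire inside the window,
    # so negate it to get "needs renewal" as success.
    ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Print the notAfter date of certificate $1 for humans.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Cron line for /etc/crontab: try twice a day at an odd minute (the Let's
# Encrypt recommendation); --deploy-hook runs only after a successful renewal,
# so Apache is reloaded exactly when there is a new certificate to serve.
renew_cron_line() {
    echo '39 1,13 * * * root /home/ec2-user/certbot-auto renew --quiet --deploy-hook "/sbin/service httpd reload"'
}

# Demo helper: create a self-signed certificate valid for $1 days (default 10)
# in a temp dir and print its path. Real use points cert_needs_renewal at
# /etc/letsencrypt/live/blog.apalagin.net/cert.pem instead.
demo_cert() {
    local dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "${1:-10}" \
        -subj "/CN=demo.invalid" -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

cert_needs_renewal /etc/letsencrypt/live/blog.apalagin.net/cert.pem 30 tells you from a shell whether the next certbot run will do anything. Because the deploy hook fires only on an actual renewal, reloading Apache there costs nothing on the other days, and you avoid the classic failure where the files on disk are fresh but the running httpd still serves the expired certificate.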
Most of the instructions were taken from StackOverflow, though I didn’t follow all the steps and I also had to deal with the SSL module. Anyway, the migration was fast and flawless. Just don’t forget to back up your website 🙂
Here are my instructions if you followed the AWS tutorial to set up WordPress on Apache with SSL. Note that following these instructions is relatively safe and doesn’t corrupt any WordPress files (if you are on Amazon Linux).
- Stop Apache and remove httpd 2.2 and PHP 5:
sudo service httpd stop
sudo yum remove httpd* php*
- Install Apache 2.4 and mod_ssl
sudo yum install httpd24
sudo yum install mod24_ssl
- Install PHP 7 and required modules
sudo yum install php70
sudo yum install php70-mysqlnd
sudo yum install php70-gd
- Update the Apache configuration so that index.php is served as a directory index:
sudo nano /etc/httpd/conf/httpd.conf
Find dir_module section and update it to:
DirectoryIndex index.html index.php
Find the <Directory "/var/www/html"> section and update it to the following (keep AllowOverride All there if you rely on .htaccess, and note that Indexes lets Apache list any directory that has no index file, so leave it out unless you need it):
Options Indexes FollowSymLinks
Require all granted
- Now it’s time to copy back your SSL configuration:
sudo mv /etc/httpd/conf.d/ssl.conf.rpmsave /etc/httpd/conf.d/ssl.conf
- Final steps: check the configuration syntax with sudo httpd -t, then add httpd to the boot sequence and launch it:
sudo chkconfig httpd on
sudo service httpd start
Voila! Your WordPress should be back online running on PHP 7! Many thanks to WordPress, PHP, Apache and Amazon people who surely worked hard to make such transitions so simple and burden-free.
Yesterday I checked my blog and got “Request timed out”. As you can guess from the title, I became a victim of the XML-RPC exploit. There is a lot of info on the Internet describing what the XML-RPC exploit is and how to defend your blog. I will describe how I fought that attack myself. Well, with help from the mighty Google search 🙂
So when I logged into my AWS instance the first symptom was high CPU load from httpd, which is not very surprising for a t2.micro instance type 🙂 Then I checked /var/log/httpd/access_log and found tons of events like this:
184.108.40.206 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
The first mitigation is to cut off /xmlrpc.php in .htaccess:
Redirect 301 /xmlrpc.php http://127.0.0.1
That bounces the attacker away with a cheap redirect instead of running PHP for every request, which unloads your server so you can log in to the WordPress admin console. (It relies on AllowOverride letting .htaccess set redirects; a Require all denied rule for that file blocks it just as cheaply without pointing clients at localhost.) The next thing is to shield your WordPress from similar attacks.
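The same access_log makes the attack easy to spot and block mechanically. The shell script below is an added example (not from the post): it counts POSTs to /xmlrpc.php per client in Apache's combined log format and turns the worst offenders into iptables DROP rules, the same kind of rule used against the password guesser in the post further down. The threshold and the sample log lines are constructed for the demo; the first sample line reuses the one quoted above.

```shell
#!/bin/bash
# Added example, not from the original post: find clients hammering
# /xmlrpc.php in an Apache access_log and emit iptables DROP rules for them.
# Assumptions: Apache "combined" log format, threshold chosen arbitrarily;
# sample_log() builds a constructed log, it is not a real capture.

# Print "count ip" for every client with more than $2 POSTs to /xmlrpc.php
# in log file $1 (default threshold 100), worst offender first.
xmlrpc_offenders() {
    local log=$1 threshold=${2:-100}
    # Combined format: $1 client IP, $6 method with its leading quote, $7 path
    awk -v max="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print hits[ip], ip }
    ' "$log" | sort -rn
}

# Turn the offender list into firewall rules. Prints them by default; pass
# "apply" as $3 to run them (needs root). Rules are inserted at the top of
# INPUT so they win over the ACCEPT rules for ports 80/443.
block_offenders() {
    local log=$1 threshold=$2 mode=${3:-print}
    xmlrpc_offenders "$log" "$threshold" | while read -r count ip; do
        if [ "$mode" = apply ]; then
            iptables -I INPUT -s "$ip" -j DROP
        else
            echo "iptables -I INPUT -s $ip -j DROP   # $count requests"
        fi
    done
}

# Constructed sample log (not real traffic): one flooding client, one
# legitimate XML-RPC client, one client that only probes with GET.
sample_log() {
    local f
    f=$(mktemp)
    {
        for i in $(seq 1 5); do
            echo '184.108.40.206 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'
        done
        echo '10.0.0.7 - - [14/Oct/2016:20:04:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.6"'
        echo '10.0.0.9 - - [14/Oct/2016:20:04:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.53"'
        echo '10.0.0.9 - - [14/Oct/2016:20:04:03 +0000] "GET / HTTP/1.1" 200 9000 "-" "curl/7.53"'
    } > "$f"
    echo "$f"
}
```

block_offenders /var/log/httpd/access_log 100 prints the rules for review; add apply to install them. Rules added this way live only in the running kernel, so follow up with sudo service iptables save (and chkconfig iptables on) if they should survive a reboot. Fail2ban, described next, automates exactly this loop, including lifting the ban again.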
For that I installed the WP Fail2Ban Redux plugin, which logs all malicious events (including xmlrpc) to the system log so they can be analyzed by the Fail2ban service. Then I installed the actual fail2ban service using yum and copied the configurations from the plugin’s folder. Note that you have to specify the correct path to the system log file, plus the default configuration does not actually ban (on Amazon Linux at least). Here is my jail.local for WordPress:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 2
action = iptables-multiport[name=WordPress, port="http,https", blocktype=DROP]
[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 5
action = hostsdeny
Basically the hard rule blocks a furious attacker using the firewall (by dropping their TCP packets). The wordpress-soft rule is about password attacks and it just adds the host to hosts.deny for 10 minutes (the default ban time). Note that hosts.deny is only honoured by services built with TCP wrappers (sshd, not httpd), so the soft ban does not actually stop HTTP requests; use the iptables action there as well if you want password guessers cut off from the web server. After that you can remove the redirect rule from .htaccess if you need the xmlrpc feature. I will keep it disabled…
I haven’t visited my blog for a while, so I was very surprised to see the “Error Establishing a Database Connection” page. At first I thought someone had hacked my box 🙂 Instead, the MySQL server was down. I checked the server logs and found fatal errors from mysql:
InnoDB: Fatal error: cannot allocate memory for the buffer pool
I googled that issue immediately, and according to StackExchange my database couldn’t allocate more system memory, so the process died (the usual local fixes are adding a swap file, since the stock AMI has none, or lowering innodb_buffer_pool_size). Hm, 1G of RAM is not enough for a tiny blog???
Anyway, I have moved the WordPress database to Amazon RDS. I went with db.t2.micro so it shouldn’t cost much. For safety, the instance has no public IP and its security group only allows connections from the WordPress host.
I installed my WordPress blog only 7 days ago. I never shared the link because it’s kind of a private experiment for fun. But for the second day now someone is attacking my website. It’s a simple attack, password guessing, and there is no chance for the attacker to succeed as I’m not their old granny and use randomly generated passwords. Anyway, it’s exciting to be part of this cruel world!
The Sucuri plugin logs failed logins, so I’m able to see their IP address (well, gateway). According to ip-www.net it’s the Russian Federation. Saint Petersburg, to be precise. Wow! Rumors don’t lie that Russian hackers are everywhere 😀
The easiest thing would be to block their access to my IP. But AWS security groups only have allow rules, so you cannot deny a single address there (a VPC network ACL can, but that is heavier than needed for one host). So the only cheap way is to drop their packets using iptables:
sudo iptables -I INPUT -s 220.127.116.11 -j DROP
I googled help on StackOverflow 🙂
If you want the rule to survive a reboot, don’t forget to save it: iptables-save only prints the running rules, so on Amazon Linux write them to /etc/sysconfig/iptables with sudo service iptables save and enable the iptables service with chkconfig, otherwise the DROP rule is gone after the next restart!
I am not a security guru nor a hacker. But I listen to what people say about security, vulnerabilities, exploits etc. And I am aware that the default installation of anything (including the whole LAMP stack) is not secure.
Amazon’s guides about LAMP and WordPress contain some security topics, so your installation will not be completely ridiculous 🙂 But Amazon also has a nice guide for setting up SSL/TLS. And it worked perfectly for me! I followed everything step by step, got a free SSL certificate from startssl.com and even tested my server using Qualys SSL Labs! Whoa!
I’ve also applied the security guide from WPBeginner and installed a security plugin to monitor my blog and alert me if something goes wrong! Interesting stuff!
I first read the idea of using a VPN to access your AWS instances in one of many books about AWS (maybe it was AWS for Dummies?). The author created an EC2 instance based on an AMI with OpenVPN. I decided to do a similar thing.
10 years ago I set up an OpenVPN server myself right on the main router at my job. I had to compile it from source and then configure it. Now I am too lazy for that and found a nice article, How to setup your private VPN on Amazon AWS. Thanks webdigi!
I quickly ran through their CloudFormation template and found nothing suspicious. It actually took less than 10 minutes to get up and running. And the first thing I did was deny SSH connections to my WordPress host from all IPs except my VPN. Got an illusion of safety and protection now 🙂
This morning I decided to play with the Appearance settings in WordPress. Well, you can add images to the header or as a background etc. But when you select an image it asks you to crop it and fails with “There has been an error cropping your image”! The solution was found quickly, thanks to yuan3y.com. For Amazon Linux I had to do this:
sudo yum install php56-gd
sudo service httpd restart
My new domain name is apalagin.net. Thanks to Amazon’s Route 53 that was super easy. And cheap. Amazon is not an actual domain registrar (as they say), but they let you register tons of domains! Though my favorite TLD, .expert, wasn’t there 🙂