IP range vs. single IP

If you’re running Squid instances that you share with friends and family (for content filtering, etc.), remember to pay attention to how you combine IP ranges and single IP address entries in your ACLs. Otherwise, you’re going to be allowing your instances to be open proxies. And that’s not good.

Remind yourself to tail the access_log files as often as possible, or set up some type of reporting, so you’re fully aware of who’s trying to access the web through your private proxies.
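As an added example (not from the original post), here is a small Python report run over constructed Squid native-format access.log lines. The ACL it assumes is one home range plus one friend’s single address (both constructed values); it counts requests per client, counts what Squid denied, and flags the open-proxy symptom described above: a client outside the ACL whose request was served rather than denied.

```python
import ipaddress
from collections import Counter

# Assumed ACL (constructed values): one home range plus one friend's single
# address, the "IP range plus single IP" mix the post describes.
ALLOWED = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.7/32")]

# Constructed sample lines in Squid's default native access.log format:
# timestamp elapsed client action/status size method URL user hierarchy/peer type
SAMPLE_LOG = """\
1568135630.123    456 192.0.2.10 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1568135631.001     12 192.0.2.10 TCP_HIT/200 5120 GET http://example.com/a.png - HIER_NONE/- image/png
1568135640.500    310 198.51.100.7 TCP_TUNNEL/200 8800 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1568135655.777      0 203.0.113.42 TCP_DENIED/403 3941 GET http://example.net/ - HIER_NONE/- text/html
1568135656.002    220 203.0.113.42 TCP_MISS/200 7000 GET http://example.net/ - HIER_DIRECT/93.184.216.34 text/html
1568135690.004      0 203.0.113.99 TCP_DENIED/403 3941 CONNECT example.org:443 - HIER_NONE/- -
"""

def parse_line(line):
    """Return (client_ip, action) for a native-format line, or None if malformed."""
    fields = line.split()
    try:
        ipaddress.ip_address(fields[2])            # validate the client column
        return fields[2], fields[3].split("/")[0]  # "TCP_DENIED/403" -> "TCP_DENIED"
    except (IndexError, ValueError):
        return None

def is_allowed(client_ip):
    """True if the client falls inside any ACL entry (range or single host)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED)

def report(log_text):
    """Per-client request counts, denied counts, and the open-proxy symptom:
    requests from outside the ACL that Squid served instead of denying."""
    hits, denied, served_outside = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, action = parsed
        hits[client] += 1
        if action == "TCP_DENIED":
            denied[client] += 1
        elif not is_allowed(client):
            served_outside[client] += 1
    return {"hits": dict(hits), "denied": dict(denied),
            "served_outside_acl": dict(served_outside)}
```

Run report(SAMPLE_LOG), or feed it the contents of your own access.log; anything under served_outside_acl means a request got through from an address your ACLs were not meant to admit.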

Twitter suspended my account

It’s been two days since Twitter decided to suspend my account. Still waiting for an email from them explaining exactly what I violated in their Terms of Service.

I re-tweet a lot of posts by Japanese photographers/models, for the most part.

I believe they permanently suspended @danskoya because in my first inquiry, I mentioned “snowflake” and “trigger” and that’s a bad combo for SJWs hired by Twitter to be moderators. Besides that, my birthday was set to December 1, 1899.

I suppose it is time to move on. More writing.

leftover PIDs causing FreeBSD to autoreboot

We had a power loss at home not too long ago which caused my FreeBSD box to reboot endlessly despite running ‘fsck’.

It turned out there were several leftover PID files in /var/run/ that the system had not deleted after power came back. It was baffling because the system would go through the normal boot process, start up services, and when it was about to start sshd, a crash dump or some sort of kernel panic was displayed. A few seconds later, the system would reboot and do it all over again.

Booting into single-user mode and running “fsck” several times did not remove the leftover PID files. Once they were deleted, the system booted normally.

first impressions: @vultr Bare Metal Server w/ pre-installed FreeBSD 12.0

I signed up to be on the waiting list last week, but quickly noticed today there was a spot available. They had a promo with 2 x 240GB SSDs so I took the bait and tried out their Bare Metal Server running a pre-installed FreeBSD 12.0-RELEASE amd64 (my choice).

Once deployed, in less than 3 minutes I had access to the box via SSH. I made some observations and noted a few minor issues with the default setup:

  • /etc/fstab pointed to /dev/ufs/rootfs
  • drive cylinder errors on the console window
  • unable to boot your own FreeBSD ISO image to start from scratch

After searching online for hints, I found this thread addressing the exact issues I had with bsdinstall – after running it once more and using /dev/ada1 as the target disk, I was taken back to a shell prompt instead of the normal reboot after a fresh install.

I proceeded to update /etc/fstab to point to /dev/ada1p2 and rebooted with no issues. I ran the installer once more, but this time used /dev/ada0 as the target disk, updated /etc/fstab to point to /dev/ada0p2 and rebooted with no issues. The “cylinder errors” on the console window I mentioned earlier also disappeared.

YMMV, but this was a learning experience for me. By the way, if you have Floating IPs in the same data center as the bare metal server, you can use those with this setup.

Here’s a closer look at the errors I encountered:

Sep 10 16:53:50 guest kernel: GEOM: diskid/DISK-PHDV723501UJ240AGN: the secondary GPT header is not in the last LBA.
Sep 10 16:53:50 guest kernel: Trying to mount root from ufs:/dev/ufs/rootfs [rw]...
Sep 10 16:53:50 guest kernel: GEOM: diskid/DISK-PHDV723501UJ240AGN: the secondary GPT header is not in the last LBA.

Sep 10 17:15:46 guest kernel: UFS /dev/ada0p2 (/) cylinder checksum failed: cg 5, cgp: 0xf3ecdcef != bp: 0x59b1fb60
Sep 10 17:15:46 guest kernel: UFS /dev/ada0p2 (/) cylinder checksum failed: cg 5, cgp: 0xf3ecdcef != bp: 0x59b1fb60

@vultr, SSH tunneling & jump host

I’ve got a few @vultr instances with Squid listening for connections, through which I also tunnel my local machine’s HTTP/HTTPS traffic.

In the example config below, Piscataway is the “jump host” to Frankfurt & Tokyo.

Remember to modify the “username”, “ip address” & “port” values accordingly. Also, I’m assuming you already have an IdentityFile set up.

Edit ~/.ssh/config and add the lines below:

Host piscataway
        User username
        Hostname piscataway_sshd_ip_address
        Port 22
        IdentityFile /path/to/file
        LocalForward 1234 piscataway_squid_ip_address:3128

Host tokyo
        User username
        Hostname tokyo_sshd_ip_address
        Port 22
        IdentityFile /path/to/file
        ProxyCommand ssh -q -W %h:%p piscataway
        LocalForward 5678 tokyo_squid_ip_address:3128

Host frankfurt
        User username
        Hostname frankfurt_sshd_ip_address
        Port 22
        IdentityFile /path/to/file
        ProxyCommand ssh -q -W %h:%p piscataway
        LocalForward 6969 frankfurt_squid_ip_address:3128

To connect to “Frankfurt” and tunnel through it, simply type “ssh frankfurt”, then configure your local machine’s proxy settings to point to port 6969.

To verify your IP address, you can use https://danskoya.com/ipmoose.php
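An added example, not part of the original post: a Python check that parses Host blocks like the ones above and reports where every LocalForward listens. OpenSSH’s LocalForward syntax is “[bind_address:]port host:hostport”; with no bind_address the listener stays on loopback, so the Squid tunnel is only reachable from your own machine, while a wildcard bind or “GatewayPorts yes” would let anyone who can reach your machine use the proxy. The placeholder hostnames are the ones from the config above; the “careless” block is constructed to show the exposed pattern.

```python
# Placeholder hostnames are the ones from the config above; the "careless"
# block is constructed to show a bind pattern that exposes the tunnel.
SAMPLE_CONFIG = """\
Host piscataway
        Hostname piscataway_sshd_ip_address
        LocalForward 1234 piscataway_squid_ip_address:3128

Host frankfurt
        Hostname frankfurt_sshd_ip_address
        ProxyCommand ssh -q -W %h:%p piscataway
        LocalForward 6969 frankfurt_squid_ip_address:3128

Host careless
        Hostname careless_sshd_ip_address
        LocalForward *:7777 careless_squid_ip_address:3128
"""

def parse_ssh_config(text):
    """Return {alias: {keyword_lower: [values]}} for each Host block
    ("Keyword value" lines only, the form used in the post)."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword, []).append(value)
    return hosts

def forward_bind(value):
    """Split "[bind_address:]port host:hostport"; no bind_address means loopback only."""
    listen, target = value.split()
    bind, _, port = listen.rpartition(":")   # "6969" -> bind "", port "6969"
    return bind or "localhost", int(port), target

def audit_forwards(text):
    """List (alias, bind, port, target, exposed) for every LocalForward; exposed
    means other machines could reach the forwarded Squid port."""
    findings = []
    for alias, opts in parse_ssh_config(text).items():
        gateway = opts.get("gatewayports", ["no"])[-1].lower() == "yes"
        for fwd in opts.get("localforward", []):
            bind, port, target = forward_bind(fwd)
            exposed = gateway or bind in ("*", "0.0.0.0", "::", "[::]")
            findings.append((alias, bind, port, target, exposed))
    return findings
```

Point audit_forwards at the text of your own ~/.ssh/config; any entry reported as exposed is a forwarded Squid port that is no longer private to your machine.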

WordPress Security Tips 2019

  • Before you install the latest and greatest hyped WordPress security plugin out there, first, do some basic inventory of what lives in the DocumentRoot – depending on your setup, there may be several of these locations. Manually examine them closely using a shell or file browser.

  • Set up a @vultr VPS for $6/month and use the provided IPv4 address to enforce IP-based restriction on all your WordPress sites – most importantly, your /wp-admin/ and /wp-json/ areas. There are other uses for such a VPS – the IP address stuff is just one of many.

  • Inventory your plugins & themes thoroughly – don’t need it? Deactivate it, then delete it completely from /wp-content/plugins/ and /wp-content/themes/. Don’t let any be a sitting duck waiting to be exploited.

  • And lastly, ensure your site(s) are running the latest WordPress code base.