  • Allowing File Uploads direct from Dropbox

    It's been over 3 months since Dropbox announced the availability of 'Chooser', a simple way to allow users to upload files to your site direct from their Dropbox, but I've not seen it in use anywhere. That's a little disappointing really, partially because it's incredibly simple to use and implement, but also because I was really hoping it might prompt some of Dropbox's competitors to create something similar.

    It makes life a lot easier for your users (especially those who want to upload from a *cough iOS* device with file uploads disabled) and the hassle of setting it up is minimal.

    In this post, I'll be showing how to implement the Dropbox chooser into a simple PHP site.

  • Allowing your Internal Search Engine to Index JIRA Issues

    I use a number of tools on my network, including a private JIRA install (i.e. you need to log in to view anything) and the Sphider PHP search engine (I've generated a lot of documentation over the years).

    Unfortunately the two aren't exactly compatible, as Sphider has no way to log into JIRA, but I wanted my JIRA issues and comments to be indexed so that relevant items can be included in my search results. One option would be to set JIRA to public mode, but I'd rather maintain the need to log in.

    So instead I created a simple PHP script - JIRA Issue Listing - to generate a list that Sphider could index, but would redirect 'real' users to the relevant issue on JIRA.

    This post is the documentation for that script.

  • Archiving a large backup across multiple discs on Linux

    Hopefully, we all back up our data, but what should we do once our data won't fit on our chosen media?

    We have two options (as we obviously don't want to delete our data!):

    • Use a different backup medium
    • Split the backup across multiple volumes

    Sometimes the former just isn't appropriate, as much because of the cost of hard drives vs optical media (i.e. CDs/DVDs).

    This short tutorial will explain how to create a single backup archive, and then split it across multiple CDs/DVDs.

  • Audi A6: Front Brake Pad Replacement

    Changing the front brake pads on the Audi A6 Avant is a relatively straightforward task to complete. The brakes are one of the areas where Audi appear to have taken the wise decision not to over-complicate things too much.

    This documentation applies to the 2000 model, but the steps should be similar for others too.

  • Avoiding BCC Leaks with Exim

    This issue is, by no means, Joomla specific - but Joomla's mass mail functionality provides a good example of what can go wrong.

    The expectation that most users have is that the list of recipients BCC'd on an email will never be visible to any of those recipients.

    Unfortunately, whether or not that's the case may well depend on the Mail Transport Agent (MTA) that you are using.

    Those familiar with Joomla's Mass Mail feature will know that by default, recipients are BCC'd - unfortunately, if you're using Exim (which most CPanel servers, for example, are) then you may in fact find that those receiving your message can see exactly who it was sent to.

    Whether or not this BCC Leak is visible to the recipients will depend on what mail client they use (assuming they're not in the habit of looking at the mail headers anyway...), but those using Google Apps/Google Mail will have the list clearly presented to them when viewing the mail.

  • BGitHub Feed

    GitHub Feed is a simple module designed to call the GitHub API so that you can display the latest commits to a repository on your Joomla! site. During development of the module, the ability to optionally display a list of issues was added, as was the ability to display a (very) basic profile for a single user.

    This documentation details how to configure mod_BGitHub_feed.

  • Building a Tor Hidden Service From Scratch - SELinux

    On a system with SELinux, upon attempting to start Tor, you may see errors similar to the following:

        [root@localhost tor]# service tor start
        Raising maximum number of filedescriptors (ulimit -n) to 16384.
        Starting tor: Apr 02 15:53:14.041 [notice] Tor v0.2.5.11 (git-83abe94c0ad5e92b) running on Linux with Libevent 1.4.13-stable, OpenSSL 1.0.1e-fips and Zlib 1.2.3.
        Apr 02 15:53:14.042 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
        Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/tor-rpm-defaults-torrc".
        Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/torrc".
        Apr 02 15:53:14.056 [notice] Opening Socks listener on 127.0.0.1:8080
        Apr 02 15:53:14.057 [warn] Could not bind to 127.0.0.1:8080: Permission denied
        Apr 02 15:53:14.058 [notice] Opening DNS listener on 127.0.0.1:54
        Apr 02 15:53:14.060 [warn] Could not bind to 127.0.0.1:54: Permission denied
        Apr 02 15:53:14.060 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
        Apr 02 15:53:14.062 [warn] Could not bind to 127.0.0.1:9040: Permission denied
        Apr 02 15:53:14.062 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
        Apr 02 15:53:14.062 [err] Reading config failed--see warnings above.
        /usr/bin/torctl start: tor could not be started

    This is almost certainly the result of an SELinux policy.

  • Building a Tor Hidden Service From Scratch - Part 1 - Design and Setup

    Despite some fairly negative media attention, not every Tor Hidden Service is (or needs to be) a hotbed of immorality. Some exist in order to allow those in restrictive countries to access things we might take for granted (like Christian materials).

    Whilst I can't condone immoral activities, Tor is a tool, and any tool can be used or misused.

    This is part one in a detailed walk through of the considerations and design steps that may need to be made when setting up a new Tor Hidden Service.

    The steps provided are intended to take security/privacy seriously, but won't defend against a wealthy state-backed attacker.

    How much of it you'll need to implement will obviously depend on your own circumstances, and in some cases there may be additional steps you need to take.

  • Building a Tor Hidden Service From Scratch - Part 2 - HTTP and HTTPS

    Despite some fairly negative media attention, not every Tor Hidden Service is (or needs to be) a hotbed of immorality. Some exist in order to allow those in restrictive countries to access things we might take for granted (like Christian materials).

    Whilst I can't condone immoral activities, Tor is a tool, and any tool can be used or misused.

    This is Part Two in a detailed walk through of the considerations and design steps that may need to be made when setting up a new Tor Hidden Service.

    The steps provided are intended to take security/privacy seriously, but won't defend against a wealthy state-backed attacker.

    In Part One we looked at the system design decisions that should be made, and configured a vanilla install ready for hosting hidden services.

  • Building a Tor Hidden Service From Scratch - Part 3 - General User Anonymity and Security

    This is Part 3 of my Hidden Service From Scratch documentation. In Part One we designed and built our system, in Part Two we configured HTTP Hidden Service hosting.

    In this documentation, we'll be looking more generally at user account and identity protection, as well as examining why you may need to maintain a certain level of paranoia even if your hidden service doesn't fall outside the law in your home country.

  • Configuring LetsEncrypt on a CentOS 6 NGinx Reverse Proxy

    For those who haven't come across it, LetsEncrypt allows you to obtain free DV SSL Certificates but requires a server side script to be run periodically in order to renew the certificates (for better or worse, a 90 day expiration period has been used).

    Although the provided script has plugins to allow support for automatically generating SSL certs based on NGinx and Apache configurations, the script assumes that the server is the origin and that the relevant docroot is available for writing to.

    In the case of a reverse proxy, this won't be the case. We want the certificate on the Reverse Proxy (being the endpoint the client connects to), but the website's files are hosted on another server.

    This documentation details a simple way to work around that on a NGinx reverse proxy (it should be possible to adjust the config for Apache's mod_proxy if needed).

  • Configuring NGinx to act as a Reverse Proxy for PHPMyAdmin

    In a previous post, I detailed how to Use NGinx to serve static files and Apache for dynamic as well as the minor tweaks you need to make to have it work nicely with Joomla.

    One thing I didn't cover, though, is setting up PHPMyAdmin. This documentation isn't going to go into the detail of installing and configuring PHPMyAdmin as there's plenty of that available elsewhere on the web. What we will discuss, though, is the NGinx configuration changes you need to make to have the connection reverse proxied to Apache.

    These steps only really apply if you've gone for a system-wide installation of PMA. If you've unpacked into a web-accessible directory then you probably don't need to make any changes!

  • Configuring Postfix to automatically forward mail for one address to another

    There seem to be a number of people searching for how to do this, and from what I can see there's very little quick and easy documentation on the net. You've got a server hosting a website (for example) for example.com.

    You want the server to accept mail for example.com but to automatically pass the mail onto a different address.

    Assuming you're running Postfix, it's as simple as the steps below.

  • Configuring Postfix to block outgoing mail to all but one domain

    This is so simple to do, but I have to look it up every time I need it (not something that comes up regularly!).

    When configuring a development server, you may find you have a need to ensure that emails will not be sent to any domain except those you explicitly permit (for example if you're using real-world data to do some testing, do you want to send all those users irrelevant emails?).

    This documentation details how to configure Postfix on a Linux server to disregard any mail sent to domains that are not explicitly permitted.

  • Copying a Linux Kernel From One System to Another

    There may be occasions where, for testing purposes, you want to copy a kernel from one machine to another.

    There are some fairly self-explanatory caveats:

    • The donor and target system must be running on the same architecture
    • The target machine shouldn't have any (important) hardware that's unsupported by your donor kernel

    Obviously, you'll ideally want to make sure that the hardware is as close to identical as possible (otherwise your testing may be invalid), so the above should be considered a minimum.

  • Creating a virtual Network Interface in CentOS 6

    Sometimes you need to assign more than one IP to a server, even if it only has one NIC. To do so, you create a virtual interface, attached to the physical NIC.

    This documentation details how to do this in CentOS 6.

  • Creating a Virtual Network Interface in Debian

    There are times when you might want to assign more than one IP to a system, even if it only has a single physical NIC. This documentation details how to create a virtual network interface (known as aliasing) under Debian (see here for how to alias in CentOS 6).

  • Creating an IPv6 Tunnel on Linux

    RIPE, the European internet registry, has started heavily rationing IPv4 addresses, meaning that the day of IPv6-only connections is fast approaching. BT don't yet support IPv6 on their connections, but I need to be able to use IPv6 to help ensure that servers are correctly set up to handle IPv6-only traffic.

    So, I need to create an IPv6 over IPv4 tunnel.

    This documentation details the steps to do this using Helium Electric's (free) tunnelbroker service.

  • Generating a vanity .onion address

    Tor Hidden Services are accessed through a web address ending in .onion. Generally speaking these appear to be random strings of letters and numbers, though they're actually a representation of the public key generated when the operator created their hidden service.

    It is possible, however, to attempt to generate a keypair which will allow you to generate a desired vanity URL, though the process is essentially a brute-force of key combinations, so may take some time.

  • Hosting TOR Hidden Services (.onions)

    The level of effort required to set up a TOR Hidden Service (known as a .onion) largely relates to the amount of paranoia you need to exercise regarding your anonymity.

    Whilst the ins and outs of Operational Security (Op-Sec) are a little too intricate for a single post, this documentation will take you through the steps required to configure a Debian server to host a .onion site with reasonable protections in place.