Tag: security

  • A word on WordPress security

    First of all, I am not an expert on security. So please check this info for yourself, and don’t be shy to suggest improvements either.
    In order to keep your WordPress site secure, one of the things you can do is slow down a potential brute-force attack against the login form, so the attacker can try fewer username/password combinations per second.
    There is an excellent plugin by convissor over at wordpress.org called Login Security Solution that does just that. I have been running it for a while now and it is very good. It emails you if your site is under attack and informs you about what it’s doing. It also ensures users have secure passwords. I have mentioned it before.
    Recently I have had a few attacks and encountered a minor problem with the plugin. Daniel has been extremely proactive in tracking down the issue. But during the process I found that the attacks were coming from three IPs.
    That made me think I should ban those IPs. And that led me to fail2ban. This is an excellent tool that watches log files for failed login attempts and temporarily bans the offending IP using your firewall (iptables rules, by default).
    On Debian you install it with aptitude install fail2ban. The ssh jail is enabled out of the box; to also enable Apache monitoring, add:

    [apache]
    enabled = true

    to /etc/fail2ban/jail.local, restart fail2ban (service fail2ban restart) and that’s it. You can confirm a jail is running and see what it has banned with fail2ban-client status apache. Within minutes of me activating it, it had already banned a few IP addresses due to failed ssh login attempts.
    One caveat: the apache jail (called apache-auth in newer fail2ban releases) watches Apache’s error log for HTTP authentication failures, so it will not see failed WordPress logins, which are ordinary POSTs to wp-login.php that come back as a 200 page with the form again. Catching those takes a custom filter against the access log.
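    As an added example (not code from the post, from the plugin or from fail2ban itself), here is the logic a WordPress jail needs, replayed in Python over a few constructed Apache access-log lines: a failregex that treats a POST to wp-login.php answered with 200 (the re-rendered form) as a failed login, while a 302 (redirect to wp-admin after success) is left alone, plus fail2ban’s maxretry/findtime/bantime counting rule. The IP addresses are RFC 5737 test addresses and the jail and filter names mentioned afterwards are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log lines for this example (RFC 5737 test
# addresses, not real traffic). WordPress answers a failed login with 200 and
# the login form again; a successful login answers 302 (redirect to wp-admin).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Aug/2012:21:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:21:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2012:21:14:05 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:21:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:21:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:21:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2012:21:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:21:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# Python equivalent of a fail2ban failregex. In a filter.d file it would read
#   failregex = ^<HOST> .*"POST /wp-login\.php[^"]*" 200
# fail2ban substitutes <HOST> itself; here a named group plays that role and
# the timestamp is captured too, since this script does its own windowing.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" 200 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failures(log_text):
    """Yield (ip, timestamp) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)


def run_jail(log_text, maxretry=5, findtime=600, bantime=3600):
    """Replay log lines through fail2ban's counting rule.

    An IP is banned once it accumulates `maxretry` matches inside any
    `findtime`-second window; the ban lasts `bantime` seconds.  Lines from an
    IP that is currently banned are ignored (in production the firewall drops
    them before Apache ever logs them).  Returns [(ip, ban_start), ...].
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}             # ip -> datetime at which the ban expires
    bans = []
    for ip, ts in parse_failures(log_text):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        q = window[ip]
        q.append(ts)
        # Drop failures that have fallen out of the findtime window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, when in run_jail(SAMPLE_ACCESS_LOG):
        print(f"ban {ip} from {when.isoformat()}")
```

    With the defaults above, 203.0.113.7 is banned on its fifth failed login at 21:14:12, the later POST from it is dropped, and 198.51.100.9 (one successful login) is never touched. The matching jail.local stanza would be a [wordpress] jail with enabled = true, filter = wordpress (a filter.d/wordpress.conf carrying the failregex from the comment), logpath = /var/log/apache2/access.log and maxretry = 5; those names are assumptions, not something the post configures. Before enabling such a jail, run fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf against your real log to check what the regex matches, because a regex that also matches your own successful logins will lock you out.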

  • Choosing passwords for the 21st century

    The recent Mat Honan hack got me thinking about password strength. It turns out he was hacked not due to having a poor password, but because of security flaws in Amazon’s and Apple’s systems. Nevertheless it serves as a good reminder to keep yourself safe.
    One thing you can do is use very long passwords for important things. Every extra character multiplies the number of combinations an attacker has to try, so increasing the length of your password makes a brute-force attack seriously more expensive.
    To get an idea of the impact of a long password, have a look at this site: How Big is your Haystack. It lets you type in a password and gives you an idea of how long it would withstand a brute-force attack. Obviously don’t type your real password in, but type in something that uses the same number of letters, numbers, capitals and punctuation and see how it looks.
    An 8-character all-lower-case password? 2.17 seconds in the site’s offline fast attack scenario (100 billion guesses per second). It’s not until you get up to 17 lower-case letters that the offline attack scenario is pushed into the virtually impossible range.
    So how do you go about picking a strong password?
    Diceware. Essentially you roll a die 25 times to form 5 groups of 5 rolls. Each five-digit group (11111 to 66666) is looked up in the Diceware word list, which has 7,776 words, one for every possible group, giving a 5-word passphrase. Being 5 words makes it relatively easy to remember but also very long: each word adds about 12.9 bits of entropy, so five words give roughly 64.6 bits.
    If you don’t feel like rolling dice, you could consider using random.org to generate a list of numbers for you. If you choose this approach, make sure to visit the site using https, get a nice long list and choose a set of numbers from it. Write the passphrase down on a piece of paper and put it in a safe place. Note this is not as secure as the offline dice-rolling approach, because a third party has seen the numbers your passphrase was picked from.
    As a final note, consider using multi-factor authentication if you can. Google have made it available for Gmail and I recommend you sign up for it.
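    As a worked example added here (not code from the post, from Diceware or from the Haystack site), the arithmetic behind both points above in Python: the haystack search space for an all-lower-case password at the site’s offline rate of 100 billion guesses per second, and Diceware word selection from five dice rolls, with the operating system’s CSPRNG (the secrets module) standing in for physical dice or random.org. The word list is a synthetic stand-in constructed so the example runs offline; in practice you load the real Diceware list from a file.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5                          # Diceware looks up words by 5 rolls
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD    # 7776 entries in the real list

# Stand-in for the real Diceware list (assumption: you would load the genuine
# file instead). 7776 synthetic words, constructed so this runs offline.
WORDLIST = [f"w{i:04d}" for i in range(LIST_SIZE)]


def search_space(alphabet_size, max_len):
    """Passwords of length 1..max_len over an alphabet, counted the way the
    Haystack page does it (all shorter lengths are searched first)."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second


def dice_to_index(rolls):
    """Map five rolls (1..6 each, first roll most significant) to 0..7775,
    the same ordering as the five-digit numbers printed in the Diceware list."""
    if len(rolls) != ROLLS_PER_WORD or any(r < 1 or r > DICE_SIDES for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * DICE_SIDES + (r - 1)
    return index


def roll_dice(n, rng=secrets.randbelow):
    """n die rolls drawn from the OS CSPRNG instead of a physical die."""
    return [rng(DICE_SIDES) + 1 for _ in range(n)]


def diceware_passphrase(n_words=5, wordlist=WORDLIST, rolls=None):
    """Build a passphrase from explicit rolls (e.g. real dice) or fresh ones."""
    if rolls is None:
        rolls = roll_dice(n_words * ROLLS_PER_WORD)
    words = []
    for i in range(n_words):
        group = rolls[i * ROLLS_PER_WORD:(i + 1) * ROLLS_PER_WORD]
        words.append(wordlist[dice_to_index(group)])
    return " ".join(words)


def passphrase_entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    rate = 1e11  # Haystack "offline fast attack": 100 billion guesses/second
    for length in (8, 17):
        secs = seconds_to_exhaust(search_space(26, length), rate)
        print(f"{length} lower-case letters: {secs:.3g} s ({secs / 3.15e7:.3g} years)")
    print(f"5 Diceware words: {passphrase_entropy_bits(5):.1f} bits")
    print("sample passphrase:", diceware_passphrase())
```

    The first figure reproduces the post’s 2.17 seconds for 8 lower-case letters; 17 letters comes out at about 1.2e13 seconds, which is the "virtually impossible" range. The five-word Diceware passphrase at 64.6 bits sits between those two, and unlike 17 random letters it can actually be remembered. dice_to_index refuses anything other than five rolls of 1..6, so a mis-typed roll from a paper sheet fails loudly instead of silently picking the wrong word.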