
Project Gimu

Software research and development

yrCommerce – Revamped

A few days ago I introduced the fresh Twitch Copypasta DB update. Today I’m introducing the new update, v.8.0, of the e-commerce software yrCommerce.

Backend Changes

Major backend changes have been made that reduce server load by a large margin.

Frontend Changes

I’ve also reduced the JavaScript code as much as possible and revamped the whole mobile interface so that it matches all existing desktop features. Additionally, pages have been restructured to make them a bit more SEO-friendly.

Admin Panel

Subcategory-Types

Subcategory-types can now be created explicitly, under a new tab below the subcategory management, by specifying a name and an order. This also means that types can now be picked from drop-down menus within the subcategory manager.

Product Wishes

Customers can now optionally attach an individual note to a product when adding it to the cart.

PayPal PLUS Integration

PayPal PLUS has been added to the ever-growing list of payment options.

Bug Fixes

Fixed a bug where resetting a user occasionally did not work.

Twitch Copypasta DB – Revamped

Now that it is almost 2017, it’s a good time to reflect on where Twitch Copypasta DB is going. Since it was running on an old framework, I’ve decided to update and revamp most of the code. The most significant changes, some of which are not live yet, are listed below.

Sorting and Searching

The sorting and searching experience has been radically improved. Paginating through search results now (finally) yields correct results.

Emoticons

The latest change adds another page listing the global emoticons. Each stream’s custom emoticons are listed on its own profile.

Mobile Improvements

Even more mobile-friendly than before!

Look & Feel

Good stuff (see attached image).

SSH and Port Knocking

SSH brute-force attacks, dictionary attacks, and combinations of the two are a daily routine on any Internet-facing host nowadays. Server logs fill up quickly with login attempts made in the hope that one of them succeeds. The best defence against these kinds of attacks is a strong password, or better still, key-based authentication only (PasswordAuthentication no in sshd_config), so that no amount of guessing can succeed.

However, that does not stop automated attacks from trying usernames and passwords anyway, which fills the logs and wastes resources. Hence the idea of hiding the SSH port, which by default is 22. One common solution is to move SSH to a non-standard port, basically some random number that doesn’t conflict with anything else. Bear in mind that this only cuts the noise: a port scan still finds the service, so it is no substitute for key-based authentication.

Another interesting trick is not to expose the SSH port at all until a client says “Open Sesame”. Jokes aside, that’s roughly what port knocking allows us to do: the server watches for a secret sequence of connection attempts to closed ports and only then opens the firewall for that client’s address. There are many variants of port knocking and many programs that implement it. The following tutorial uses knockd as the port-knocking server.

Install Prerequisites

Download and install the knock-server rpm package. Note that this is an unsigned third-party build for EL6 on i386, fetched over plain HTTP: make sure the architecture matches your host and verify the package (rpm -K, or at least a published checksum) before installing it, or install knock-server from your distribution’s repositories instead (EPEL, for example, ships it).

$ wget http://li.nux.ro/download/nux/misc/el6/i386/knock-server-0.5-7.el6.nux.i686.rpm
$ rpm -ivh knock-server-0.5-7.el6.nux.i686.rpm

Configuration

The configuration file can be found under /etc/knockd.conf.

[options]
        logfile = /var/log/knockd.log

[openSSH]
        sequence    = 6000,7000,8000
        seq_timeout = 15
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 8000,7000,6000
        seq_timeout = 15
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

In the above configuration, any host that sends a TCP SYN to port 6000, then 7000 and finally 8000, within 15 seconds, causes the iptables command to run with %IP% replaced by the knocking client’s address. The ACCEPT rule is inserted at the top of the INPUT chain (-I), so it takes precedence over the DROP rule we add later. As you can see, iptables is not hard-coded into knockd at all: any command can be run when the port sequence is triggered, which allows all sorts of fancy stuff. To close the port again, the client sends the same sequence in reverse order, because that is what the closeSSH section configures; its -D command then deletes exactly the rule that was inserted. If you would rather not rely on clients remembering to close the door, knockd can do it for you: use start_command and stop_command instead of command and set cmd_timeout to the number of seconds after which stop_command runs automatically.

Final Steps and Usage

Once everything is installed and configured, start the daemon and begin testing. Leave a separate SSH connection open to the server while you are testing, so that a mistake doesn’t lock you out! (The package above targets EL6, which has no systemd; there, use service knockd start and chkconfig knockd on instead.)

$ systemctl enable knockd
$ systemctl start knockd

On the client, try out knocking with telnet: one connection attempt per port, in order, all within the 15-second seq_timeout. A “Connection refused” on each port is expected, since nothing listens there; knockd only needs to see the SYN. If a knock port is silently dropped rather than closed, telnet hangs waiting for an answer, so cancel it (Ctrl-], then quit) and move on to the next port:

$ telnet example.com 6000
$ telnet example.com 7000
$ telnet example.com 8000

The knockd log file, /var/log/knockd.log, should then show something like this:

[2016-11-12 16:11] <CLIENT_IP>: openSSH: Stage 1
[2016-11-12 16:12] <CLIENT_IP>: openSSH: Stage 2
[2016-11-12 16:12] <CLIENT_IP>: openSSH: Stage 3
[2016-11-12 16:12] <CLIENT_IP>: openSSH: OPEN SESAME
[2016-11-12 16:12] openSSH: running command: /sbin/iptables -I INPUT -s <CLIENT_IP> -p tcp --dport 22 -j ACCEPT

Your iptables configuration should now contain a new rule at the top of the INPUT chain that accepts the client’s IP on port 22 (check with iptables -L INPUT -n). Closing the door is done the same way, with the respective reverse sequence of ports (8000, 7000, 6000 in this case).

The next step is to lock everyone else out of the SSH port. Add a DROP rule to the firewall, but make sure it goes to the bottom of the INPUT chain (-A appends), below the rule that accepts established connections and below any ACCEPT rules knockd inserts:

$ iptables -A INPUT -p tcp --dport ssh -j DROP

The rule takes effect immediately; your current session survives only because established connections are accepted earlier in the chain, so test a fresh login from a second, knocked-open client now. Note that restarting the iptables service reloads the saved ruleset: unless you first save the running rules (service iptables save, or iptables-save into the system’s rules file), the DROP rule is lost, and any ACCEPT rules knockd inserted at runtime are lost too, so knock again afterwards. ATTENTION: if your address is not accepted at that point, the restart can lock you out, so make sure that everything above is working first!

$ systemctl restart iptables
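As an added example that is not part of the original tutorial (and not the knock client that ships with knockd), here is a small bash script covering both ends of the procedure above: on the client it sends the open sequence, checks that port 22 actually became reachable before running ssh, and sends the close sequence on the way out; on the server it reads the knockd.log format shown above and lists clients that opened the door but never closed it. It assumes the 6000,7000,8000 sequence from the knockd.conf above, GNU coreutils timeout and sleep, a bash with /dev/tcp support, and nc for the reachability check. The log lines embedded at the bottom are constructed for the demonstration, not a real capture.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumptions: the knock
# sequences from the knockd.conf above, GNU coreutils (timeout, sleep),
# bash with /dev/tcp support and nc for the port-22 check.
set -u

SEQ_OPEN="6000 7000 8000"
SEQ_CLOSE="8000 7000 6000"

# Send one TCP SYN to each port, in order. The knock ports are closed (RST)
# or dropped, so never wait for a connection: 0.5 s per port stays far below
# knockd's seq_timeout of 15 s and below the kernel's first SYN retransmit
# (about 1 s), so knockd sees exactly one SYN per stage instead of a
# duplicate it might count as a wrong knock.
knock() {
    local host=$1 port
    shift
    for port in "$@"; do
        timeout 0.5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
        sleep 0.2   # keep the knocks ordered on the wire
    done
}

# After knocking, confirm the ACCEPT rule is really in place before launching
# ssh; a knock that did not register would otherwise just hang on port 22.
ssh_port_open() {
    nc -z -w 2 "$1" 22 >/dev/null 2>&1
}

# Open, log in, and close again on the way out so no ACCEPT rule lingers.
# Extra arguments are passed to ssh (e.g. -l someuser).
knock_ssh() {
    local host=$1
    shift
    knock "$host" $SEQ_OPEN
    if ! ssh_port_open "$host"; then
        echo "port 22 still closed on $host; knock did not register" >&2
        return 1
    fi
    ssh "$@" "$host"
    knock "$host" $SEQ_CLOSE
}

# Server-side audit: which clients completed openSSH but never closeSSH?
# Reads knockd.log on stdin and prints one IP per line, sorted.
# Matches the format shown above: "[date time] <ip>: <door>: OPEN SESAME".
open_hosts() {
    awk '/OPEN SESAME/ {
            ip = $3;   sub(/:$/, "", ip)
            door = $4; sub(/:$/, "", door)
            if (door == "openSSH")       open[ip] = 1
            else if (door == "closeSSH") delete open[ip]
         }
         END { for (ip in open) print ip }' | sort
}

# Constructed sample log (not a real capture): 10.0.0.5 opens and never
# closes, 192.0.2.7 opens and closes, 198.51.100.9 only reaches stage 2.
SAMPLE_LOG='[2016-11-12 16:11] 10.0.0.5: openSSH: Stage 1
[2016-11-12 16:11] 10.0.0.5: openSSH: Stage 2
[2016-11-12 16:11] 10.0.0.5: openSSH: Stage 3
[2016-11-12 16:11] 10.0.0.5: openSSH: OPEN SESAME
[2016-11-12 16:11] openSSH: running command: /sbin/iptables -I INPUT -s 10.0.0.5 -p tcp --dport 22 -j ACCEPT
[2016-11-12 16:12] 192.0.2.7: openSSH: Stage 1
[2016-11-12 16:12] 192.0.2.7: openSSH: Stage 2
[2016-11-12 16:12] 192.0.2.7: openSSH: Stage 3
[2016-11-12 16:12] 192.0.2.7: openSSH: OPEN SESAME
[2016-11-12 16:12] openSSH: running command: /sbin/iptables -I INPUT -s 192.0.2.7 -p tcp --dport 22 -j ACCEPT
[2016-11-12 16:40] 192.0.2.7: closeSSH: Stage 1
[2016-11-12 16:40] 192.0.2.7: closeSSH: Stage 2
[2016-11-12 16:40] 192.0.2.7: closeSSH: Stage 3
[2016-11-12 16:40] 192.0.2.7: closeSSH: OPEN SESAME
[2016-11-12 16:40] closeSSH: running command: /sbin/iptables -D INPUT -s 192.0.2.7 -p tcp --dport 22 -j ACCEPT
[2016-11-12 16:50] 198.51.100.9: openSSH: Stage 1
[2016-11-12 16:50] 198.51.100.9: openSSH: Stage 2'

case "${1:-audit}" in
    audit) printf '%s\n' "$SAMPLE_LOG" | open_hosts ;;   # prints 10.0.0.5
    ssh)   shift; knock_ssh "$@" ;;
    *)     echo "usage: $0 audit | ssh <host> [ssh options]" >&2; exit 2 ;;
esac
```

Run it as ./knock.sh ssh example.com -l someuser to log in; ./knock.sh audit runs the audit over the embedded sample, and open_hosts < /var/log/knockd.log works against the live file to find ACCEPT rules that were never removed. The knock client that comes with knockd does the same job as the knock function here (knock example.com 6000 7000 8000), but the /dev/tcp version shows what is actually on the wire: one SYN per port, nothing more.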

Conclusion

Port knocking certainly doesn’t stop a targeted attacker (anyone who can observe your traffic can simply replay the knock sequence), but it keeps most automated attacks away from sshd and out of your logs. It is a layer of obscurity on top of, not instead of, key-based authentication. You are also not bound to the iptables command: any command can be triggered, so you can do all sorts of fancy stuff with port knocking.

Server Migration and Blog Update (2016)

The server transfer has been completed without any major problems. As I have moved from Octopress to WordPress, all posts from the old site will be available again in the following weeks.