Let’s Encrypt The Internet! Installing Free TLS Certificates On Ubuntu 16.04

Why should we install security certificates?

I’m a big proponent of protecting data and encrypting communication on the internet regardless of the source or destination. There are just some things that shouldn’t be shared, and it’s the same reason why all envelopes aren’t made entirely of transparent plastic (recycling aside).

This doesn’t just protect your “data” but the transfer of sensitive information like your credit card numbers and passwords. You should always be cognizant of the sites you’re sending your data to, and whether you would be okay sharing that information with a perfect stranger.

Note: most people still refer to these certificates as SSL certificates. SSL is the old, obsolete protocol that used to be used for encryption; the current and widely accepted standard is the TLS protocol. At the time of writing this blog, I’ve successfully installed a TLS 1.2 certificate using Certbot with a strong key exchange (ECDHE_RSA with P-256) and a strong cipher (AES_128_GCM) according to the security audit in Google Chrome (Ctrl+Shift+I > Security tab).

Things you’ll need before moving forward.

I’m going to make the assumption that you’ve taken the time to set up your Ubuntu server and install Apache on it. Specifically, that you’ve properly configured each of your domains (one or more) in its own VirtualHost file with a ServerName directive.

Let’s get encrypting!

Firstly, you’ll want to add the Certbot repository to your list of software repositories. To do this, run the following command.

sudo add-apt-repository ppa:certbot/certbot

Once that’s finished running its course, you’ll want to pull the latest version of all of your software repositories.

sudo apt-get update

Finally, you can install the Certbot client using the following command.

sudo apt-get install python-certbot-apache

Ubuntu will then take a few moments to install the required software and the client on your system. You’re finally ready to install your TLS certificate on your server.

TLS how to install it! (hah, encryption pun)

This step is actually exceedingly easy. I was very pleased at how simple it was to install, and I think you’ll really enjoy it too.

To run the Certbot installation script and install your certificate into your Virtual Host in one shot, run the following command.

sudo certbot --apache -d yourdomain.com

You can add more domains to this single certificate by specifying multiple domains. Just flag on another -d www.yourdomain.com and you’re flying!

The installation script will walk you through a few questions regarding an administrative email address, accepting their terms of service, and whether all traffic should be redirected to HTTPS. It’ll look something like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):support@[redacted]

-------------------------------------------------------------------
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for [redacted]
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate for [redacted] to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------
Congratulations! You have successfully enabled https://[redacted]

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=[redacted]
-------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/[redacted]/fullchain.pem. Your cert will
   expire on [redacted]. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

They even offer up an easy way to renew your certificate when it eventually expires! Fantastic!

I have to renew this thing every few months?!

Yep! These free certificates expire every 90 days. There are technical reasons for the short lifetime, like rotating your encryption keys to reduce the risk of decryption. Other than that, it’s nice to automate renewal so you never have to think about this again (almost).

We’ll be using our handy-dandy cron to manage our renewal.

sudo crontab -e

This will prompt you to select a text editor. Vim is my preference, so I select 3. Add the following line at the bottom of your file to schedule your task to run every day at 4:15am.

15 4 * * * /usr/bin/certbot renew --quiet

Type :wq to write and quit in Vim, and you’ll see a friendly little installation message.

You can opt to run the renewal script less frequently, but since it checks and only updates certificates set to expire in less than thirty days, you won’t be wasting very many precious CPU cycles.

Lastly, since we installed the certificate with the --apache flag, it’ll automatically reconfigure the Apache server every time it renews. This means less server maintenance and downtime!
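To verify that the cron job above is actually keeping up, here is an added Python check (not from the original post) that parses the output of openssl x509 -noout -enddate -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem and reports whether the certificate is inside the 30-day window that certbot renew acts on; the dates in it are constructed.

```python
"""Check a certificate against Certbot's 30-day renewal window.

Added example, not part of the original post. It parses the one-line
output of `openssl x509 -noout -enddate -in fullchain.pem`, which looks
like "notAfter=Jun 10 12:00:00 2024 GMT", so a monitoring script can
alert when the daily `certbot renew` job has stopped renewing.
All dates used here are constructed.
"""
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # certbot renew only touches certs with < 30 days left


def parse_not_after(line: str) -> datetime:
    """Turn 'notAfter=Jun 10 12:00:00 2024 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    value = value.strip()
    if key != "notAfter" or not value.endswith(" GMT"):
        raise ValueError(f"unexpected openssl -enddate output: {line!r}")
    # %d also accepts the space-padded day openssl prints ("Jun  1 ...")
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def renewal_status(enddate_line: str, now: datetime) -> dict:
    """Classify the cert as 'ok', 'due' or 'expired' relative to `now`.

    With a daily cron job a cert should never stay 'due' for more than a
    day; if it does, look at /var/log/letsencrypt/letsencrypt.log.
    """
    not_after = parse_not_after(enddate_line)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= 0:
        state = "expired"
    elif days_left < RENEW_WITHIN_DAYS:
        state = "due"
    else:
        state = "ok"
    return {"state": state, "days_left": round(days_left, 1),
            "not_after": not_after.isoformat()}


if __name__ == "__main__":
    # In production, feed in: subprocess.run(["openssl", "x509", "-noout",
    #   "-enddate", "-in", "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"])
    sample = "notAfter=Jun 10 12:00:00 2024 GMT"  # constructed value
    print(renewal_status(sample, datetime.now(timezone.utc)))
```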

Final Thoughts

Encryption used to be a very painful process, and even though cPanel and WHM made it easier than before, it was never a simple or pleasant process. I would spend at best 20 minutes to an hour waiting for email verifications, installations, and whatever else these Certificate Authorities required to get everything up and running. With Certbot and Let’s Encrypt, I was encrypting and serving an existing Apache site in less than five minutes.

Overall, I’d have to say I’m very happy with the process. I’m even happier about the cost, time, and effort savings. Now… if they’d only release a logo or badge of some sort for sites that want to promote the use of their services… How am I supposed to let other people know how awesome you are without a sticker on the back of my laptop and the bottom of my website!? 😉

– Cole

Prevent XML-RPC Brute Force Attacks – WordPress on Ubuntu 16.04

Overview

In my foray into cloud hosting, I’ve noticed that a few of our servers started to spike in CPU usage beyond what normal web traffic would cause (2-5% and 10-30% on our t2.medium and t2.small AWS EC2 servers respectively). After looking at the Apache2 logs, I found that there was a significant number of hits looking for combinations of phpmyadmin, db, sql, and many other URL keywords. This is obviously bothersome, but we’re all secure, so it didn’t cause much of an issue.

What did cause worry was the sheer number of POST requests to the /xmlrpc.php file. The IP addresses appear to be located in Russia, and there were a handful of different IP addresses that all had very similar origins. I’ve obscured the start, but the IP range was ***.***.204.7-12. There is obviously enough traffic to blip our CPU usage on the medium server and enough to tax the small server in a big way. To be more exact, there were ~78,000 requests in the log originating from those IP addresses over the past few days.
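As an added example (not from the original post), here is the detection behind the observation above in Python: it counts POST requests to xmlrpc.php per client IP in an Apache access log and flags the noisy ones, using constructed log lines with IPs from the 203.0.113.0/24 documentation range.

```python
"""Spot XML-RPC brute-force traffic in an Apache access log.

Added example (not from the original post): the detection behind the
observation above, run over constructed Apache "combined" log lines with
IPs from the 203.0.113.0/24 documentation range. The threshold is an
assumption; tune it to your own traffic.
"""
import re
from collections import Counter

# Apache combined format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:04:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:04:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:04:15:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:04:15:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 275 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2024:04:15:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:04:15:06 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def xmlrpc_posts(log_text: str) -> list:
    """Return (ip, status) for every POST to xmlrpc.php, skipping odd lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            hits.append((m["ip"], int(m["status"])))
    return hits

def abusive_ips(log_text: str, threshold: int = 3) -> list:
    """IPs with at least `threshold` xmlrpc.php POSTs, busiest first."""
    counts = Counter(ip for ip, _ in xmlrpc_posts(log_text))
    return [ip for ip, n in counts.most_common() if n >= threshold]

def blocked_ratio(log_text: str) -> float:
    """Share of xmlrpc.php POSTs Apache answered with 403 (a 200 means
    the request reached WordPress); once the Deny rule from this post is
    in place this should climb to 1.0."""
    hits = xmlrpc_posts(log_text)
    return sum(1 for _, s in hits if s == 403) / len(hits) if hits else 0.0
```

Run it against /var/log/apache2/access.log to get per-IP counts; the IPs it returns are candidates for the Allow/Deny rules or a firewall block, after you have confirmed they are not your own.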

Why Is This Happening To Me?

There are many reasons hackers would like to gain access to your hosting server. One of the major reasons may be to steal resources to mine or farm bitcoin or some other cryptocurrency.

XML-RPC allows for very efficient brute force hacking, since a single request can check many username/password combinations at once. That is the flip side of the same feature that gives developers remote procedure call access.

XML-RPC Solution: Apache2 Deny From All

As I don’t use WordPress mobile, or other applications/plugins that require external access, I’ll be disabling access from external addresses.

The simplest solution to blocking this type of traffic on an Apache2 server is to simply deny access to the /xmlrpc.php file itself. To do this, you just have to add a few lines to your site configuration files in Apache2.

sudo vim /etc/apache2/sites-available/*yoursitehere*.conf

Your VirtualHost configuration should look something like the example below after adding the <Files> block.

<VirtualHost *:80>
    # use *:443 instead for the HTTPS VirtualHost
    # ... your existing ServerName, DocumentRoot and other directives ...

    # Deny every client access to xmlrpc.php. This is the Apache 2.2 access
    # syntax; Apache 2.4 on Ubuntu 16.04 still honours it through
    # mod_access_compat (the native 2.4 form would be "Require all denied").
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
        # You can allow your own IPs with the following line
        # Allow from ###.###.###.###
    </Files>
</VirtualHost>

Finally restart Apache2 and you’re on your way to preventing hackers from eating up your server availability.

sudo service apache2 restart

XML-RPC Solution: Security Plugins

Note: This may be a better solution for those of you who wish to use applications that require XML-RPC to function properly.

There are some security plugins that will either deny access to the file, block IPs that are abusing the service, or disable XML-RPC altogether. Jetpack is one of those security plugins that will aid in blocking brute force attacks. WordFence and its firewall are really great for blocking IP addresses that are abusing your servers with irrelevant traffic.

Conclusion

If you do decide to utilize a security plugin, keep in mind that their scans and extra filtering procedures may have an adverse effect on your server’s speed and responsiveness as well. This is sometimes a necessary evil, but you should plan ahead accordingly.

Blocking access to certain system files may prevent you from accessing certain features. However, you may find your site security more important than whatever feature that may be.

After having denied access to the file, we’re back down to our low utilization on the t2.medium server of <1%. I’m glad to see my CPU Credit Balance stabilize!

Installing, Configuring, and Maintaining MySQL on Ubuntu 16.04 LTS

This will be a relatively short informative blog regarding how to set up and secure an installation of MySQL on Ubuntu.

MySQL Server Installation

Firstly, update your package library and install your MySQL server.

sudo apt-get update
sudo apt-get install mysql-server

You’ll be prompted to create a root password during the installation. Make sure it’s a complicated password that you’ll remember, because you’ll be needing it.

MySQL Server Configuration

You’ll want to be sure to harden security on your MySQL installation by running the security script.

sudo mysql_secure_installation

This will prompt you to enter your root user password that you created during installation.

Firstly, the setup will ask if you would like to install the VALIDATE PASSWORD PLUGIN, which can test passwords and improve security. If you’re the only one administering databases and are diligent about using great passwords, you can opt out.

Second, it will ask if you’d like to change the root password. If you’re having second thoughts about your password strength, you can change it now.

Third, it will ask if you would like to remove anonymous users. I typically use applications like WordPress and Magento, so I always have database users created out of the gate. I opted to remove anonymous users, but you may decide to run this script again before launching your site and remove them at a later date.

Fourth, it will ask if you would like to disallow remote root login. I strongly suggest enabling this, especially considering that we’ll have phpMyAdmin installed shortly, removing any need for remote root access.

The last two questions are to remove the test database, and to reload the privilege table, both of which I answered yes, as I won’t be needing the test database, and the privileges are important.
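As an added example, not from the original post: a Python helper that takes the (User, Host) rows from mysql.user and the SHOW DATABASES list and emits the SQL that mysql_secure_installation would run for the anonymous-user, remote-root and test-database questions, handy for auditing a server you didn’t set up yourself; the rows in it are constructed.

```python
"""Generate the hardening SQL that mysql_secure_installation applies.

Added example, not part of the original post. Feed it the (User, Host)
rows from `SELECT User, Host FROM mysql.user;` and the names from
`SHOW DATABASES;` and it returns the statements that drop anonymous
accounts, remote root logins and the test database, which is what the
third, fourth and fifth questions of the script do. The rows below are
constructed; host values are assumed to contain no quote characters.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def hardening_statements(users, databases) -> list:
    """Return SQL to run as root; an empty list means nothing to fix."""
    stmts = []
    for user, host in users:
        if user == "":
            # anonymous account: anyone can connect without a username
            stmts.append(f"DROP USER ''@'{host}';")
        elif user == "root" and host not in LOCAL_HOSTS:
            # root reachable from the network: what "disallow remote root" removes
            stmts.append(f"DROP USER 'root'@'{host}';")
    if "test" in databases:
        stmts.append("DROP DATABASE IF EXISTS `test`;")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


# Constructed example of a fresh install that never ran the script
SAMPLE_USERS = [
    ("root", "localhost"), ("root", "%"), ("", "localhost"),
    ("", "db-host"), ("wordpress", "localhost"), ("mysql.sys", "localhost"),
]
SAMPLE_DATABASES = ["information_schema", "mysql", "performance_schema",
                    "sys", "test", "wordpress"]

if __name__ == "__main__":
    for stmt in hardening_statements(SAMPLE_USERS, SAMPLE_DATABASES):
        print(stmt)
```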

Server Status

To check the status of the MySQL server you can run the sudo service mysql status command. If the server is not running, you can start it with sudo service mysql restart or sudo service mysql start.

Reset MySQL Root Password

You may find yourself in the situation that you have forgotten your root password. This recently happened to me after I jumped into a server that I had not maintained in quite some time (it was development, don’t worry).

The first step to resetting your password is to gain access to the terminal (ssh is typically what I use). Once you’re in, you’ll want to stop the MySQL service.

sudo service mysql stop

Once you’ve stopped the server, you’ll need to prep the next command by creating the directory where it will place its socket file, owned by the mysql user.

sudo mkdir /var/run/mysqld
sudo chown mysql: /var/run/mysqld

You can start the server with a few options that I’ll explain.

sudo mysqld_safe --skip-grant-tables --skip-networking &

The --skip-grant-tables flag turns off the need for authentication, and the --skip-networking flag turns off the ability to access the database remotely (important when authentication is disabled).

Once you’ve run the server, enter the mysql command line tool, and change the password.

sudo mysql

With --skip-grant-tables the grant tables are not loaded, and MySQL refuses to run ALTER USER or SET PASSWORD until they are, so load them with FLUSH PRIVILEGES first.

For MySQL 5.7.6 and later:

FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewPassword';

For MySQL 5.7.5 and earlier:

FLUSH PRIVILEGES;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YourNewPassword');

Then you’ll need to reboot your MySQL server.

# Shut down the temporary server started with mysqld_safe
sudo mysqladmin -S /var/run/mysqld/mysqld.sock shutdown

# Start the MySQL service normally
sudo service mysql start

From there on out, you can use whatever you set as YourNewPassword to access root functionality.

Conclusion

MySQL is fun. Don’t get bogged down with the basics! With this basic installation information, you’ll be well on your way to working with databases and enjoying all that relational databases have to offer!

Cheers,
Cole Speelman