web application – Is this HSTS HTTP Response Header Misconfigured?

I recently discovered during a penetration test that the HSTS was returned by the application but in this format:

“Strict-TransportSecurity”

Instead of:

“Strict-Transport-Security”

Does this format mean that the header (HSTS) is not validated by the client and prevented from doing what it is designed to do? As I understand HTTP headers are case insensitive but I’m not sure if this is a valid header name.

Any advice is greatly appreciated. Thank you

users – Locked myself out after enabling misconfigured Google Authenticator

I post this as an answer, because someone might be as stupid as I am :]
I browsed various old backups and found the settings.php line that grants admin permissions to anonymous user, and it worked.

If you add:

$config['user.role.anonymous']['is_admin'] = 'true';

in your settings.php, every anonymous user is admin. That way I could get back into admin panel and uninstall TFA and Google Authenticator. Deleted the line, logged back in as user1 and installed both modules again.

Handy way to do it, if you don’t have drush. But not recommended for production sites obviously.

dns – Can a domain be taken by someone else if custom nameservers are misconfigured?

Domain names are registered to your user account on the registrar website. So the only way to get permanent access to a given registered domain is to either:

  • take ownership of the user account (stealing credentials)
  • transferring the domain to another account

Now that second part is usually locked when you create your domain, and you need to take active steps from your registrar account to allow such transfer to happen. allow-transfert is an option to enable DNS server to work with a primary/secondaries setup, not to transfer ownership.

In the end, should the nameserver be compromise, you always can revert the configuration on the registrar to use their own DNS or a new one you’ve just configured.
Of course, if someone has access to your own NS, they can do malicious things with your domain name, such as redirecting users to their own websites.

Safely shutting down seemingly misconfigured (but working) PostgreSQL replication/archiving

I’m helping administer two PostgreSQL servers (one primary, one replica) plus a separate server running Barman for WAL archiving. I was not originally involved in setting up the replication and archiving. The configuration is rather old, some of it dating back to 2015 and PostgreSQL 9.3, although we’re now running 9.5. The history of configuration changes is sadly not documented. The person who built the setup is still around, but this was their first time setting up replication as well.

Some time ago we ran into a mysterious data corruption issue on our primary server after some storage system troubles at our VPS provider. These issues were present even when restoring a Barman backup to a fresh server. This was preventing us from cleanly upgrading to PostgreSQL 12, but we determined that we were able to cleanly dump our actual production database in the main cluster and restore it to a newly created recovery cluster.

We decided to shut down our replication + Barman archiving setup and start them over from scratch as well, and in researching how to do this I ran into some interesting configuration issues. tl;dr: the current setup is working, but not how I thought it was, and now I need guidance on how to cleanly shut it off.

The first clue that something was off was when I was looking at what replication slots were configured on the primary server with select * from pg_replication_slots. This produced no results, to my confusion. My assumption (based on the description of the person who built the setup) was that we were slots at least for Barman, and I thought we would be doing so for the replication as well.

Before I go further, here are the relevant settings from the three servers, with sensitive details altered:

# Primary server's postgresql.conf
wal_level = hot_standby
max_wal_senders = 4

archive_mode = on
archive_command = 'rsync -a %p companyuser@backup-server:/backup/thingamabob/incoming/%f'
max_replication_slots = 2
# Replica server's postgresql.conf
wal_level = hot_standby
hot_standby = on
# Replica server's recovery.conf
standby_mode = 'on'
primary_conninfo = 'host=primary-server user=postgres'
trigger_file = '/tmp/trigger_file0'
# /home/companyuser/.barman.conf on the backup server
(barman)
barman_home = /backup
barman_user = companyuser
log_file = /backup/barman.log
minimum_redundancy = 1

(thingamabob)
description = "Thingamabob"
archiver = on
# 5436 is the SSH tunneled port to our primary DB server, which has
# a 'barman' user
conninfo = host=localhost port=5436 user=barman dbname=postgres
backup_method = postgres
slot_name = backup
retention_policy = RECOVERY WINDOW OF 4 DAYS
retention_policy_mode = auto

Let’s look at the Barman WAL archiving side first, which I think I’ve figured out. archive_mode and archive_command are rsyncing the completed WAL segments from the primary server to the backup server, and Barman has the requisite control connection to the primary server. Apparently due to a misunderstanding, .barman.conf has slot_name = backup set, even though we’re using traditional WAL archiving only, and slot_name is used by the more recent WAL streaming functionality of Barman. The dead giveaway here is the lack of the streaming_archiver and streaming_conninfo settings. So, the setting is useless, but fortunately harmless in this setup.

What I don’t really understand is the replication setup. We’re not using slots here (recovery.conf doesn’t have the primary_slot_name setting), and the documentation for the standby_mode and primary_conninfo settings is not telling me how the replication is actually functioning correctly.

Finally, some concrete questions based on the information presented so far:

  1. We’re not using replication slots, nor wal_keep_segments, nor restore_command. My assumption is that our replication setup is working through sheer luck: the replica server has not had significant downtime, and therefore whatever the default WAL file retention period of the primary server is has been sufficient for our replication to never fail due to the primary server removing an old WAL file that the replica has not yet received. Is this assumption correct?

  2. How does the replica server know when and from where to retrieve WAL files from the primary server? What in our settings is actually doing this, or are PostgreSQL defaults just achieving this? Is it polling something over primary_conninfo?

  3. I assume that the simple way to end the Barman WAL archiving is to remove the archive_mode and archive_command settings from the primary server’s configuration, and then to stop barman cron from running once per minute on the backup server. Is this correct? Based on my reading of the documentation, archive_mode is not involved in the replication side of things.

  4. What is the correct way of terminating the replication? My current assumption is to do one of the two things below, but is either one of these actually correct?

  • shut down Postgres on the replica server, remove the standby_mode setting, remove recovery.conf and upon starting Postgres again, it’ll act like the primary server.
  • create the trigger file and wait for recovery to be done, and then possibly remove standby_mode and restart Postgres..? I’m not quite sure how standby_mode behaves after recovery has ended.

htaccess – How have I misconfigured basic auth for my wordpress site?

I’ve installed WordPress on a bare Ubuntu20-04 box following Digital Ocean’s guide.
Now I want to password protect the entire site but as I can’t find any plugins that protect uploaded files and images, I’m attempting to use basic auth.

So I’ve created a .htpasswd file

-rw-r--r-- 1 root root 132 Jan 12 00:07 /etc/wordpress/.htpasswd

I’ve edited /var/www/mysite.com/.htaccess (substituting a real domain for mysite)
to read:

# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - (E=HTTP_AUTHORIZATION:%{HTTP:Authorization})
RewriteBase /
RewriteRule ^index.php$ - (L)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php (L)
</IfModule>

# END WordPress
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/wordpress/.htpasswd
require valid-user

But the site still loads happily without my desired ugly login prompts.
…what am I doing wrong?

Alternative solutions to basic auth are welcome but I thought that appeared to be the simplest route to protecting uploaded content. (it’s for hosting info about an apartment block for the block’s inmates and some things eg meeting minutes are semi-confidential – if people have to log in once per session to access the site I don’t mind)

rDNS problem misconfigured | Web Hosting Talk

Hello everybody,

I need help with reverse DNS, because I have a problem with it. I've set up rDNS on my hosting provider using rdns1.mydomain.com, and I have a server hostname that is gateway1.mydomain.com. I'd like to use different names for both, because the email providers want to display both different names, so my emails go to the Inbox.

When I open the email delivery software via the cpanel, I see the following:

View post on imgur.com

Can you please tell me what I have to do?

How can I agree with the rDNS?

Do I have to change the server host name to match the rDNS or what?

Do I have to change the server host name to match the rDNS or what?

I want to use smtp513.mydomain.com to send the email, and I want to use Gateway1.mydomain.com to get access to Whm and Cpanel. I'm not sure what to do, so I need your help.

Any advice would be very grateful.

Thank you in advance.

Read more misconfigured

I like to use this tool to easily display the first pictures of my posts on the main page and to understand how many hits you have as a post.

It turns out that there is NO place in the font code of my template to configure Continue Reading.

How can I change this?
I took a picture to try to replace the sentence, but I do not know how to express it.