Tag Archives: Security

Safe(er) Browsing

Posted by on February 14, 2008 No comments

Soooo, you’ve been using IE to visit sordid sites and now your machine is fouled up with all sorts of malware. This mess was avoidable, so clean your machine and put on a browser prophylactic before indulging in your favorite solitary past times again…

What you’ll need:

SeaMonkey
NoScript
MultiZilla/MultiViews [optional]

Overview:

We’re going to be installing the SeaMonkey (SM) browser and it’ll be used to view sites that you don’t trust (you decide what that means in this instance, I’ll define it as anything that would appall your mother). NoScript and Multizilla are add-ons for SM, NoScript will prevent web pages from running scripts (java, etc) and potentially mucking up your machine, Multizilla will give SM some extra clean-up options.

01: Installing SeaMonkey

Download and install SM, I opted to install only the browser, you can perform a complete install if you want to check out all of the open source tools provided in the suite. I also opted not to use Quick Launch.

Following the installation, SM will launch and ask if you want to make it your default browser, answer No.

02: Enhancing/Protecting SeaMonkey

Using SM, open http://noscript.net/getit and click the "Install Noscript latest version*" link. You will be asked if you want to install the software, you do, click the Install button. You will be asked if you want to install NoScript to your profile, click OK. You should see a dialog explaining that NoScript has been successfully installed and will be available to you when you restart the browser. Click OK to dismiss the notification.

Still using SM, open http://multizilla.mozdev.org/installation/installation.html. This page can be a little confusing, don’t install the experimental nightlies, you want to scroll down until you see "Free MultiZilla [Installation] or [Download]", click the Installation button, you will again be asked if you want to continue, click the Install button. The next dialog will tell you to "Select OK, for a single user installation or Cancel, for a multi-user installation", click the OK button. If there are no problems, you’ll be told the install was a success and to restart your browser, click the OK button to dismiss the notification.

03: Configuring SeaMonkey

Close all open SM windows (if you opted to install and use Quick Launch you’ll want to close out of that as well). Now start SM again. It’s going to start with an open sidebar (F9 or View > Show/Hide > Sidebar to kill it) and some extra tool bars which I tend to hide (F12 to hide the MultiZilla bar & F1 to hide the Personal bar).

Now to configure MultiZilla: Choose Edit > Preferences select MultiZilla and click Open Preference Manager. Select the Privacy header and put a check into the boxes next to the options below:

  • Clear disk cache on exit
  • Clear location bar history on exit
  • Clear global history on exit
  • Clear all cookies on exit
  • Clear download history on exit
  • Clear all form data on exit

Now select the Sessions header, on the Save Behavior tab, choose Don’t Save Sessions, on the Restore Behavior tab choose Don’t Restore Sessions.

Note: There are other settings you can tweak to manage cookies and other content both in MuliZilla prefs and SM prefs. It’s up to you how paranoid you want to be.

04: Start Browsing

At this point we’re ready to go. SeaMonkey will clear its cache, history, etc when you exit the program and all scripts are disabled on all pages. You’ll notice that when you go to a page that has a script, a yellow notification bar will open in the bottom of your browser window, in that bar there’s an Options button. Clicking it will allow you to grant that site the ability to run scripts either permanently or temporarily, that way if you really NEED some functionality and NoScript blocks it, you can allow it.

Notes:

From time to time, SeaMonkey, NoScript and MultiZilla will let you know that there’s an update available for them. I would suggest installing the updates as they present themselves. They can add functionality and security fixes.

I’m not promising that this will keep your machine free and clear of malware, but it goes a long way to prevent infection. It’s certainly safer than using IE (switch to Firefox already!). YMMV.

While this was aimed at Windows users, NoScript and MultiZilla work just as well on the Linux release of SeaMonkey, don’t forget to install them if that’s your OS of choice :)

Protecting WordPress’ Control Panel

Posted by on October 10, 2007 No comments

Back when I started managing my own WordPress (WP) install, I was (and by was, I mean will always be) paranoid about letting just anyone with a ‘puter at my /wp-admin dir.

  • /wp-admin is where you go in WP to control the blog. It’s where you write to and post from, as well as perform administrative tasks.

I felt it prudent, so I took a few steps to protect the place. Firstly, I renamed the default admin account to something else. A task made fairly easy using your web host’s tools (phpmyadmin). Doing this will make it more difficult for fools to to make their way into the blog’s control panel. I also set up one helluvagood pass phrase for myself. Once that was done I took steps to limit just how many computers can hit that directory. This was done with a .htaccess file. Check out http://en.wikipedia.org/wiki/Htaccess for info on what else you can do with htaccess and some tutorials.

My file looks something like this:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “MattSnell”
AuthType Basic
<LIMIT>
order deny,allow
deny from all
allow from 192.168.1.100
allow from 192.168.1.101
</LIMIT>

What it does is deny access to ALL IP addresses (order deny,allow and deny from all) and then selectively allows ONLY those in the allow from list.

Since I have two public IP addresses that almost never change, I just specify them in the allow list and upload the file to my /wp-admin directory using scp or ftp. If my IP address ever changes, I won’t be able to edit or otherwise admin the blog until I go in and update the file. No biggie, only takes a moment.

So there you have it, change the default admin username, set a good pass and limit how many IP addresses can access the control panel. Feeling better already :)