Sysadmins of the North is just another technical blog, like so many others out there. Most posts are written in English, some in Dutch. For the most part, I write as it comes; posts may seem incoherently written sometimes (my apologies). Here on Saotn.org you’ll find all kinds of computer, server, web, sysadmin, database and security related stuff. Browse the latest posts per category here, search for posts, or make a selection from the categories menu.

Drop me a comment somewhere to say hi, or discuss about security, website or WordPress, MySQL optimization and performance, Windows Server and IIS web server topics.
E-Book Gallery for Microsoft Technologies

E-Book Gallery for Microsoft Technologies, free content for Azure, ASP.NET, Office, SQL Server, SharePoint Server and other Microsoft technologies in e-book formats. Reference, guide, and step-by-step information are all available. All the e-books are free. New books will be posted as they become available.

More quality sysadmin & DevOps IT books selected for you. Categories include:

Enjoy!

Back To The Future: Unix Wildcards Gone Wild

Back To The Future: Unix Wildcards Gone Wild: DefenseCode’s Leon Juranic released an article explaining an old-school hacking technique: Unix wildcard poisoning attacks. No ASLR bypass, ROP exploits or 0day remote kernel exploits, but if you wonder how basic Unix tools like ‘tar’, ‘chmod’ or ‘chown’ can lead to full system compromise, keep on reading.

WordPress 3.9.2 Security Release fixes XML-RPC DoS

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately. This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.

WordPress: Send authenticated SMTP email over TLS

Send authenticated SMTP email in WordPress over TLS, by overriding the pluggable function wp_mail() and utilizing the PHPMailer class.

I was surprised WordPress is not able to send email using an SMTP server out-of-the-box. Not to mention using TLS transport for security. A quick Google search showed me multiple plugins to handle this. Hence, everything is handled through plugins in WordPress… Need to optimize your website? Use plugin x. Want a more secure WordPress? Use plugin y.

Mod_evasive on IIS

Website DDoS protection with .htaccess and mod_evasive on Windows IIS.

Mod_evasive is a module for Apache and for Windows/IIS (with Helicon Ape) that provides protection and evasive action in the event of an HTTP DoS, DDoS or brute-force attack. Detection is performed by creating an internal dynamic hash table of IP addresses and URIs; an IP address is denied access to a website if it requests the same page more than 10 times a second. This threshold is configurable. Properly configured and tested, mod_evasive can provide great security and protection against Denial of Service (DoS), Distributed Denial of Service (DDoS) and brute-force attacks.

WordPress XMLRPC

Huge increase in WordPress xmlrpc.php POST requests

WordPress xmlrpc.php DDoS and user enumeration attacks: a huge increase in HTTP POST requests on WordPress xmlrpc.php, and how to identify and leverage these WordPress xmlrpc.php brute-force and user enumeration attacks.

Since today, I have noticed a huge increase in HTTP POST requests on WordPress xmlrpc.php, on multiple websites. This could be related to WordPress’ xmlrpc.php pingback DDoS vulnerability discovered last March and reported by Sucuri, or it may be related to the WordPress pingback vulnerability reported by Acunetix. But it might be something new as well…

Remove IIS Server version HTTP response header

How to remove unnecessary HTTP response headers in IIS 7, 7.5, 8.0 and ASP.NET.

Windows IIS loves to tell the world that a website runs on IIS; it does so with the Server HTTP response header, as shown below. In this post I’ll show you how to rewrite and remove unwanted response headers in IIS, because we don’t want to give hackers too much information about our servers.

6 Tips to improve Joomla! performance

Joomla! performance tuning on Windows Server IIS

In this article, I’ll show you how to optimize Joomla! on Windows Server IIS with just six (6) important, but basic, performance tips. Everyone wants a fast loading website, whether it’s based on WordPress, Drupal, Joomla, or something else. For WordPress, a lot of posts are available here to optimize WordPress performance, and Drupal can easily be improved with the BOOST module.

But what about Joomla? How can we optimize and improve Joomla!’s performance and speed easily? Here are six (6) simple tips…

Decoupling Umbraco from your front-end website

Jason Deacon, from Australia’s design and development company Wiliam, writes about how to use a back-end instance of Umbraco 7, which is completely decoupled from the front-end (an ASP.NET MVC 5 site).

Decoupling Umbraco
Our approach leverages a file called “Umbraco.config” which is really just an XML file which Umbraco publishes all its public content to whenever a node is published in the interface. This XML structure mirrors the document types and properties of the site structure populated in Umbraco and therefore offers the perfect snapshot of the content the site can serve, without having to query a database for it.

Read Decoupling Umbraco from your front-end website.

MySQL database optimization with indices

Why MySQL indices are so important

At Vevida, we like to help our customers as much as possible. Even with optimizing a MySQL database when they don’t ask for it (when they don’t know performance can be improved), for example by adding an index because we spotted a slow query in our slow-query log. Indexes are used by MySQL to help find rows quickly. We want to make it as easy as possible for MySQL to find the relevant rows: the more precise or specific we are, the fewer rows MySQL has to fetch.

The other day I spotted the following in the MySQL slow-query log:

Convert MySQL MyISAM tables to InnoDB

MySQL storage engine, MyISAM versus InnoDB: if you want to convert a MyISAM table to InnoDB, the process is fairly easy.

In the earlier days of MySQL, the default storage engine for your database was MyISAM. This is why you still encounter a lot of examples with engine=MyISAM online. Nowadays, the InnoDB storage engine is MySQL’s default. MyISAM is no longer actively developed; InnoDB is. Therefore, all or most MySQL performance optimizations are for the InnoDB engine and it’s wise to choose this as your table storage engine.

Send email with Ghost using SMTP authentication and TLS encryption

Ghost Publishing platform uses Nodemailer to send e-mails with Node.js. It can send e-mail using SMTP, sendmail or Amazon SES and is unicode friendly.

As you know, more and more web hosting providers require SMTP authentication (often abbreviated as SMTP AUTH) and a TLS encrypted connection to send email. Here you’ll find some script examples to send SMTP AUTH email over TLS with ASP, ASP.NET and PHP. Can we do the same with Ghost and Node.js?

Export and migrate WordPress to Ghost

Import posts from WordPress into Ghost

A little while ago I installed Ghost on IIS, along with the required Node.js and iisnode module. All in an isolated test environment, in which Ghost runs as a production site only. Now I wanted to import a WordPress blog into Ghost, but failed.

Here’s how I resolved this particular Ghost import error.