Transition Technology: Ticket Query

#824: Analysis of the 2014 maintenance ticket time

chris — Wed, 07 Jan 2015 15:48:14 GMT

Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol.

#814: Higher that usual loads on PuffinServer since early September

chris — Wed, 03 Dec 2014 17:12:35 GMT

The following load graph from PuffinServer shows that the load increased substantially in early September 2014, does anyone know why?

When I found I went to Drupal 7.33 and all I got was a slow site I thought that perhaps a Drupal 7 site on the server could be the cause but 7.33 came out on 7th November 2014.

Anyone have any ideas?

#847: Upgrade Servers to Debian Jessie

chris — Mon, 27 Apr 2015 09:30:11 GMT

The latest version of Debian, Jessie, 8.0, came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arrise when we do.

See the documentation on Upgrades from Debian 7 (wheezy) and Issues to be aware of for jessie, specifically:

#851: Bot attacks on Transition Culture

chris — Sun, 10 May 2015 11:12:12 GMT

Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to xmlrpc.php.

#763: Server Backups

chris — Mon, 21 Jul 2014 17:09:21 GMT

Two weeks ago annesley asked:

what off-site data storage, file backup and quick setup do we have?

I answered:

The 3 virtual servers have their file system mounted off a BSD/NFS/ZFS file server and the whole file system is backed up and stored onto another BSD/ZFS server in the same data centre. We did have backups also being copied to a server in Manchester but this is currently off-line as the Manchester server needs a disk swapping and rebuilding as a BSD/ZFS server.

A problem with this is that it's only me and Alan that have access to these backups, so I'd like to suggest I set up a new account for backups on our backup server and sort out cron jobs to rsync data to this account and document how people can access these backups.

The result would be that everybody would have SFTP access to 60 days worth of snapshots of backups from all three servers whenever needed without any need for my or Alan's intervention.

I expect this would take abount an hour to set up and another hour to document and help people understand it.

There would be no additional cost to the TN because backup space is already paid for.

#875: Free HTTPS certificates from Let's Encrypt

chris — Mon, 05 Oct 2015 10:48:11 GMT

From mid November 2015 Let's Encrypt should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year, in addition most the WordPress sites on ParrotServer don't have certs due to the cost, see ticket:540.

The Let's Encrypt code is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old.

We should consider if we want to use Let's Encrypt and what things would need to be put in place to use it, the wild card cert is due to expire on 22/01/16.

PuffinServer -- are we still going to be running PuffinServer in January 2016? Is there any chance that we might be able to consider the suggestions in ticket:754#comment:61? I'm not sure if I want to spend time trying to get Let's Encrypt working with a old version of BOA, up to date versions of BOA might support it out of the box.
PenguinServer -- this site hosts a lot of sites, see the listing, automating Let's Encrypt would probably be a hour or two of work, it might makes sense to upgrade it to Debian Jessie at the same time.
ParrotServer -- I suggest we rebuild this server from scratch, this would enable it to have the latest version of the Webarch Secure Hosting scripts and this include support for fail2ban for WordPress and phpMyAdmin, thus solving ticket:871 and includes automatic provisioning of Let's Encrypt certs for sites.

What do people think?

#734: Create Trac & Wiki account for Annesley

ed — Tue, 03 Jun 2014 11:04:10 GMT

email: Annesley Newholm <annesley.newholm@…>

#735: Add Annesley to github

ed — Tue, 03 Jun 2014 11:05:40 GMT

Once Annesley is on TRAC, we can point him at this ticket, he can give us his github id and we can add it https://github.com/orgs/transitionnetwork/members

#783: IIRS design and development

ed — Mon, 08 Sep 2014 14:20:58 GMT

Ticket to track ongoing work on IIRS

#790: Annesley locked out of puffin

chris — Tue, 23 Sep 2014 14:05:18 GMT

Email from lfd:

Time:     Tue Sep 23 13:47:01 2014 +0100
IP:       XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block
Log entries:
Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

#806: IIRS pre-beta usability issues

chris — Mon, 10 Nov 2014 21:30:27 GMT

Ticket to track usability issues etc.

#761: Spam account cull

ed — Thu, 17 Jul 2014 08:45:33 GMT

There are bucketloads of spam accounts swamping us. Spam commeting is swarming again. I just did several pages of deleting spam accounts. No doubt I nailed some humans too (sorry Sam if this comes back to you); but the overwhelming majority of new accounts are spam.

It's crap and we need to have another spam sweep - especially if we're staying in D6 for a while.

See work done in Feb 2013: #461 See wiki page done in Feb 2013: https://wiki.transitionnetwork.org/Spam_accounts

SAM I'm going to suggest you start looking at it, and get your head around it, and the various modules and processes we've got running, then ask you to act/escalate accordingly.

#757: Research and Design for TNv3

ed — Fri, 11 Jul 2014 13:36:54 GMT

R&D for TNv3

#821: Projects forms being hammered by Spam

ed — Wed, 07 Jan 2015 09:53:33 GMT

Projects forms being hammered by spammers. I got 24 in the last 45 minutes.

What to do?

Lock off to a certain type of user?

Adding Sam as owner to follow this up

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

paul — Wed, 16 Jul 2014 21:55:29 GMT

View online: https://www.drupal.org/SA-CORE-2014-003

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

.... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability.

.... Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField? [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField? - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

.... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

.... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

/A CVE identifier [5] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.32.
Drupal core 7.x versions prior to 7.29.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.32. [6]
If you use Drupal 7.x, upgrade to Drupal core 7.29. [7]

Also see the Drupal core [8] project page.

The denial of service vulnerability using malicious HTTP Host headers was

reported by Régis Leroy [9].

The access bypass vulnerability in the File module was reported by Ivan

Ch [10].

The cross-site scripting vulnerability with Form API option groups was

reported by Károly Négyesi [11].

The cross-site scripting vulnerability in the Ajax system was reported by

mani22test [12].

The denial of service vulnerability using malicious HTTP Host headers was

fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team.

The access bypass vulnerability in the File module was fixed by Nate Haug

[15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19].

The cross-site scripting vulnerability with Form API option groups was

fixed by Greg Knaddison [20] of the Drupal Security Team.

The cross-site scripting vulnerability in the Ajax system was fixed by

Neil Drumm [21] of the Drupal Security Team.

The Drupal Security Team [22]

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23].

Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#737: SPF / Emails rejected from the website contact form

sam — Thu, 05 Jun 2014 15:46:13 GMT

We had a user report that they could not send a message via our contact form:

"Yesterday I sent a message to you via the contact form on the website. But obviously something went wrong: for I got a failure notice saying my message could not be delivered. Therefore I'm sending it directly via email (see below) hoping that you're receiving my message this way."

<info@…>: host mx1.spamfiltering.com[72.249.150.158] said:

550 81.95.XX.XX is not allowed to send mail from gmx.de. Please see http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX (in reply to end of DATA command)

(User details edited as this is publicly archived)

I'm not sure I quite understand what's going on here. Chris indicated in email that this would affect other users whose email provider has set this kind of SPF record.

Can we make an educated guess as to what proportion of email providers set this kind of SPF?

How many messages do we never get to see? Is it a problem? Or a small enough number of users that we just don't worry about it?

Thanks

Sam

#809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

paul — Wed, 19 Nov 2014 21:35:25 GMT

View online: https://www.drupal.org/SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

/A CVE identifier [4] will be requested, and added upon issuance, in accordance

with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.34.
Drupal core 7.x versions prior to 7.34.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.

Session hijacking:

Aaron Averill [9]

Denial of service:

Michael Cullum [10]
Javier Nieto [11]
Andrés Rojas Guerrero [12]

Session hijacking:

Klaus Purer [13] of the Drupal Security Team
David Rothstein [14] of the Drupal Security Team
Peter Wolanin [15] of the Drupal Security Team

Denial of service:

Klaus Purer [16] of the Drupal Security Team
Peter Wolanin [17] of the Drupal Security Team
Heine Deelstra [18] of the Drupal Security Team
Tom Phethean [19]

The Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

#812: space.transitionnetwork.org hacked?

chris — Thu, 27 Nov 2014 11:09:32 GMT

BOA email from PuffinServer:

Hello,
Our system detected that the site space.transitionnetwork.org has been hacked!
Common signatures of an attack which triggered this alert:
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
Site tested positive for known Drupalgeddon exploit checks               [error]
Update module is disabled and Drupalgeddon cannot check for Drupal       [error]
Security Updates. Please check for a security update manually.
You are running Drupal 7.31
https://www.drupal.org/node/3060/release?api_version%5B%5D=103
The platform root directory for this site is:
  /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1
The system hostname is:
  puffin.webarch.net
To learn more on what happened, how it was possible and
how to survive #Drupageddon, please read:
  https://omega8.cc/drupageddon-psa-2014-003-342
--
This e-mail has been sent by your Aegir system monitor.

#719: Transition Culture HTML Problems

chris — Mon, 14 Apr 2014 20:07:09 GMT

If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example:

https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

If you look at the version we now have this formatting has been lost and the first paragraph is a mess:

http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

The formatting wasn't lost when the new TC design was first deployed:

https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

It has happened since then.

We should consider investigating what caused the problems and how they can be fixed?

This might be a task that Simon would be best placed to undertake?

#741: Views editor disappears in backend

annesley — Thu, 12 Jun 2014 10:42:13 GMT

admin > views > edit the view editor interface appears and then disappears immediately this happens in Chrome / Ubuntu and Firefox / Mac