Transition Technology: Ticket Query

#881: Site on ParrotServer with a memory leak?

chris — Fri, 23 Oct 2015 11:19:04 GMT

It appears a site, or application, on ParrotServer might have a memory leak.

#541: Documentation of the WordPress sites

chris — Wed, 01 May 2013 20:25:57 GMT

These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer:

So far they only have a listing on the plugins for each site.

Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting.

Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else.

#537: Parrot setup and documentation

chris — Tue, 30 Apr 2013 11:11:36 GMT

Things done setting up parrot.webarch.net -- a new virtual machine for running Wordpress sites, see wiki:ParrotServer

#540: HTTPS for WordPress sites

chris — Wed, 01 May 2013 20:20:32 GMT

Currently the wiki:WordPress sites have have the following SSL certificates:

https://www.intransitionmovie.com/ -- Gandi commercial certificate and dedicated IP address
https://www.reconomy.org/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://www.earthinheritors.net/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://parrot.transitionnetwork.org/ -- Gandi TN wild card cert and shared IP address (SNI)
https://parrot.webarch.net/ -- CAcert non-commercial certificate, this is the default site for clients without SNI support

None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com

I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO:

SNI and Seperate Certs and Shared IP

Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each.

The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

Multi-domain Cert and Shared IP

Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI).

Seperate Certs and Dedicated IPs

Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.

Non-commercial CAcert Cert

This is the cheapest, it's fine if people are able to install the http://cacert.org/ root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.

#619: Upgrade WordPress sites to 3.9.1

chris — Fri, 15 Nov 2013 14:38:05 GMT

News regarding the WordPress versions released since the sites were upgraded to 3.6.1 on ticket:594

We should consider how best to upgrade the wiki:WordPress sites running on wiki:ParrotServer and then ensure that they are upgraded.

#719: Transition Culture HTML Problems

chris — Mon, 14 Apr 2014 20:07:09 GMT

If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example:

https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

If you look at the version we now have this formatting has been lost and the first paragraph is a mess:

http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

The formatting wasn't lost when the new TC design was first deployed:

https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

It has happened since then.

We should consider investigating what caused the problems and how they can be fixed?

This might be a task that Simon would be best placed to undertake?

#808: WordPress email being rejected due to From field

chris — Mon, 17 Nov 2014 19:28:23 GMT

This issues is like ticket:737 but with WordPress rather than Drupal causing the problem.

Laura has forwarded one of the returned emails which contains:

host aspmx.l.google.com [173.194.67.26]: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC

#851: Bot attacks on Transition Culture

chris — Sun, 10 May 2015 11:12:12 GMT

Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to xmlrpc.php.

#853: Parrot access please

sam — Tue, 19 May 2015 17:07:13 GMT

Hi Chris

Ade & I were going to have a play around with making a proof of concept Wordpress microsite on Parrot.

Could you add me as a SSH user using the SSH keys associated with my sam@… account so I can follow the instructions here: https://trac.transitionnetwork.org/trac/wiki/ParrotServer#AddingaNewWordPressSite

Or if you'd rather not do that, just spin up a site titled 'conference15' with a user 'conference15' and my TN email as the admin email.

Thanks

Sam

#868: Is conference15.tn.org backed up in a convenient manner?

sam — Tue, 28 Jul 2015 13:05:25 GMT

Hi Chris

I was just wondering if the conference site is backed up in such a way that it would be easy to restore?

I could set up a database backup onto some free file hosting if not?

Thanks

Sam

#871: Brute Force Attacks Against WordPress Sites

chris — Mon, 21 Sep 2015 13:41:26 GMT

Today there have been 53,932 attempts to login to the TTT web site on ParrotServer all from the same IP address:

grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l
53932

I noticed this due the higher than usual load it was generating.

Would it be OK to spend an hour or two installing the WP fail2ban plugin on all the sites on the server?

Some more background on this issue:

https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks

#873: New Wordpress site please

sam — Tue, 22 Sep 2015 12:25:12 GMT

Hi Chris

I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in.

So could you set up a new Wordpress site on there.

wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter.

Thanks

Sam

#887: Lot's of failed logins on conference15.transitionnetwork.org

sam — Fri, 04 Dec 2015 11:39:10 GMT

Hi all

Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the https://en-gb.wordpress.org/plugins/wordfence/ security plugin I installed.

It's coming from multiple IP addresses in multiple countries.

It seems like Wordfence is doing it's job and blocking IP's. I only mention it as I'm wondering if it could be related to the recent downtime.

Feel free to close this ticket, just thought it was worth sticking in here.

Thanks

Sam

#894: Brute Force Attacks Against WordPress XMLRPC

chris — Thu, 07 Jan 2016 11:23:51 GMT

For a few months I have see a lot of requests going to WordPress /xmlrpc.php and wasn't sure why, now it is clear:

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

I'd like to install Stop XML-RPC Attack on all the WordPress site we host, unless anyone has a good reason not to. This plugin simply whitelists the JetPack/Automattic's subnets and blocks all other access to /xmlrpc.php.

I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this:

sudo -i
wp-xmlrpc-abuse
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

But we need to be more pro-active in blocking access or we are going to probably see some compromised sites.

#912: Stats for TTT

chris — Tue, 21 Jun 2016 10:29:02 GMT

Nicola at TTT has asked:

Could you let me know the size of the TTT and Transition Streets sites please? I have Google Analytics for TTT but not for Transition Streets, and I wonder if you could also tell me how many visitors it gets annually?

#917: Any misc files in Transition Culture web root?

sam — Thu, 14 Jul 2016 11:54:50 GMT

Hi Chris

Simon from Lumpy lemon has migrated Transition Culture.

We only have WP admin access & he was wondering:

"Just one small question: can you check in the webroot folder on your server and let me know if there are any non-WordPress files in there? e.g. Google verification files, that sort of thing. I don't think there should be, but best to check. If there are, can you send them over."

Thanks

Sam

#598: Redirect reconomyproject.org to reconomy.org

chris — Fri, 20 Sep 2013 12:16:56 GMT

Request from Shane:

I've noticed that the domain www.reconomyproject.org is still live and running. i.e. can surf around it. I think you set it up so that it would auto redirect to reconomy.org - not 100% sure about the technical spec behind how you did this but is it still working? I noticed this because a lot of the referrals on to our fb page our coming from reconomyproject.org rather than reconomy.org