Category Archives: sysadmin

Protecting yourself against the WordPress login page exploit

Anyone who runs a WordPress blog will hopefully be aware of the recent exploit against the login page:

“You can abuse the password reset function, and bypass the first step and
then reset the admin password…”

and

“An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3”

There’s no fix in any released version yet, but you can protect yourself with a bit of Apache config until one is released. Just add this to your WordPress virtual host, replacing “you.re.ip.add” with the IP address you want to access the login page from:

<Location /wp-login.php>
Order deny,allow
Deny from all
Allow from you.re.ip.add
</Location>

This will present any user not accessing your login page from that IP with a 403 Forbidden error. If you want to block all IPs until a fix comes out, just leave out the Allow line:

<Location /wp-login.php>
Order deny,allow
Deny from all
</Location>
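As an added example (not from the original post), the shell functions below render that Location block for one or more trusted addresses, refusing anything that is not a dotted-quad IPv4 address so that a typo in the Allow line cannot silently leave the page open, and then check from another address that wp-login.php really answers 403. The address and URL in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: render the <Location /wp-login.php>
# block for one or more trusted IPv4 addresses, refusing anything that is not a
# dotted quad so a typo in the Allow line cannot silently leave the page open,
# and check afterwards that the page really answers 403 from elsewhere.

# is_ipv4 ADDR -> exit 0 if ADDR is four decimal octets in 0..255, else 1
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# wp_login_acl ADDR... -> prints an Apache (2.2-style) block that lets only ADDR...
# reach wp-login.php. With "Order deny,allow", Deny is evaluated first and Allow
# second, so the Allow lines win for the listed addresses and everyone else gets 403.
wp_login_acl() {
  [ $# -gt 0 ] || { echo 'wp_login_acl: give at least one address' >&2; return 1; }
  for a in "$@"; do
    is_ipv4 "$a" || { echo "wp_login_acl: not an IPv4 address: $a" >&2; return 1; }
  done
  printf '<Location /wp-login.php>\n  Order deny,allow\n  Deny from all\n'
  for a in "$@"; do
    printf '  Allow from %s\n' "$a"
  done
  printf '</Location>\n'
}

# login_blocked URL -> exit 0 when URL answers 403. Run it from an address that is
# NOT in the allow list, after reloading Apache, to confirm the block is live.
login_blocked() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
  [ "$code" = 403 ]
}

# Usage (placeholder address and URL):
#   wp_login_acl 203.0.113.5            # paste the output into the virtual host
#   login_blocked https://blog.example/wp-login.php && echo "login page is closed"
```

One caveat worth knowing: Order/Deny/Allow is the Apache 2.2 access syntax. Apache 2.4 only understands it with mod_access_compat loaded; its native form is `Require all denied` followed by `Require ip <address>` inside the same Location block.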


How to stop running out of memory when working on your server

It’s a fairly simple thing to do, but I have seen a lot of people drive their servers really far into swap and kill performance due to an administrative action they are performing in the shell. Just open up another terminal on your server and run:

# watch free -m

This is pretty useful if you’ve not got much free memory to play with and you’re installing a gem, using irb, syncing Portage or whatever: as long as you keep an eye on it, you can terminate your process if it starts to eat too far into swap.
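As an added example (not from the original post), the functions below read swap use out of `free -m` and act on it, so a long install or sync can be watched automatically rather than by eye: `swap_guard` is a drop-in for the second terminal, and `run_guarded` kills the job itself once swap use crosses a limit. The `free -m` output at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: read swap use from `free -m` and act
# on it, so a long install or sync can be watched automatically rather than by
# eye. The sample output at the bottom is constructed for the demonstration.

# swap_used_pct < output-of-free-m -> prints swap in use as an integer percent
# (0 when the box has no swap); exits 1 if no Swap: line is present. Works with
# both the old (-/+ buffers/cache) and the current procps layout, since both
# print "Swap: total used free".
swap_used_pct() {
  awk '
    $1 == "Swap:" { found = 1; if ($2 == 0) print 0; else printf "%d\n", ($3 * 100) / $2 }
    END { if (!found) exit 1 }'
}

# swap_guard LIMIT_PCT [INTERVAL]: poll every INTERVAL seconds (default 5) and
# return 1 as soon as swap use reaches LIMIT_PCT. Run it in a second terminal
# in place of `watch free -m`, e.g. `swap_guard 50 || echo "time to stop that job"`.
swap_guard() {
  limit=$1; every=${2:-5}
  while :; do
    pct=$(free -m | swap_used_pct) || return 2
    if [ "$pct" -ge "$limit" ]; then
      echo "swap at ${pct}% (limit ${limit}%)" >&2
      return 1
    fi
    sleep "$every"
  done
}

# run_guarded LIMIT_PCT COMMAND [ARGS...]: run COMMAND, checking swap every 2s,
# and kill it if swap use reaches LIMIT_PCT (returns 1 in that case, otherwise
# the command's own exit status).
run_guarded() {
  limit=$1; shift
  "$@" & job=$!
  while kill -0 "$job" 2>/dev/null; do
    pct=$(free -m | swap_used_pct) || break
    if [ "$pct" -ge "$limit" ]; then
      echo "swap at ${pct}%, killing pid $job" >&2
      kill "$job" 2>/dev/null || true
      wait "$job" 2>/dev/null || true
      return 1
    fi
    sleep 2
  done
  wait "$job"
}

# Constructed sample in the layout recent procps `free -m` uses (values are made up):
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:           3944        1210         402          21        2331        2443
Swap:          2047         512        1535'

# Usage:
#   printf '%s\n' "$SAMPLE_FREE" | swap_used_pct   -> 25
#   run_guarded 60 gem install nokogiri
```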

Rewriting URL params in nginx

I came across this problem recently: a customer was moving to Ruby on Rails from another framework/language (.NET, I think) and needed to rewrite a bunch of URLs. Some needed the query parameters rewriting too. One example was rewriting the old search path, so the old URL:

http://somedomain.com/OldSearchPath.aspx?qry=things&page=4

would become:

http://somedomain.com/search?query=things&page=4

This should be fairly simple, except that the qry parameter needed to be changed to query. A bit of googling didn’t turn up much, but with some experimentation I came up with this, using nginx’s pre-populated $args variable (the raw query string):

location /OldSearchPath.aspx {
  # $args holds the raw query string. ~* is a case-insensitive regex match and
  # the greedy (.+) captures everything after "qry=" to the end of the string,
  # so whatever follows (e.g. &page=4) is carried along into the new $args.
  if ($args ~* qry=(.+)) {
    set $args query=$1;
  }
  # 302 to the new path; with no "?" in the replacement nginx appends the
  # (now rewritten) $args. This has to sit inside the location block: at
  # server level it would redirect every URL on the site to /search.
  rewrite ^.+$ /search redirect;
}

It even leaves the other parameters intact, so the pagination will still work.
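As an added example (not from the original post), here is a shell model of what `if ($args ~* qry=(.+)) { set $args query=$1; }` does to a query string, so the effect on the other parameters can be checked before the rewrite goes live. The query strings in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a shell model of what the nginx rule
#   if ($args ~* qry=(.+)) { set $args query=$1; }
# does to a query string, so the effect on other parameters can be checked before
# the rewrite goes live. The query strings in the usage lines are constructed.

# rewrite_qry QUERY_STRING -> prints the value the rule would leave in $args
rewrite_qry() {
  printf '%s\n' "$1" | awk '{
    s = $0
    # "~*" is a case-insensitive match, so look for "qry=" in a lower-cased copy;
    # "(.+)" is greedy and unanchored on the right, so $1 is everything after
    # "qry=" up to the end of the string (and needs at least one character).
    if (match(tolower(s), /qry=./))
      print "query=" substr(s, RSTART + 4)
    else
      print s      # no match: the if() does not fire and $args stays as it was
  }'
}

# Usage (constructed query strings):
#   rewrite_qry 'qry=things&page=4'   -> query=things&page=4  (page survives: qry came first)
#   rewrite_qry 'page=4&qry=things'   -> query=things          (page=4 is gone)
#   rewrite_qry 'QRY=Things'          -> query=Things          (name matched case-insensitively)
#   rewrite_qry 'q=things&page=4'     -> q=things&page=4       (no qry: untouched)
```

The model makes the caveat visible: the other parameters survive only because qry happens to come first in the old URLs, since the greedy capture swallows everything after it and anything before it is discarded. If the old application could emit the parameters in any order, building the redirect target from nginx's per-parameter `$arg_qry` and `$arg_page` variables avoids that dependence.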


Connecting to your Engine Yard MySQL database using SSH tunneling

Quite a few people want to access their Engine Yard hosted MySQL databases remotely. That is fine, but it is complicated by the fact that the database slices are only reachable from the slices themselves; there is no remote access available by default.

Lee Jensen posted a useful forum post, Accessing your DB externally, but that advice doesn’t work so well for Windows users, so here is a brief tutorial.

First, download PuTTY if you haven’t got it already, open it up and configure an SSH connection with the IP address and SSH port of your slice. You can get these from the welcome email you were sent:

Next, go to the Connection -> SSH -> Tunnels config section and configure it as follows:

In this example I have used mysql50-staging-1 as the MySQL server hostname; replace this with the one you are trying to access. When you have entered the source port and destination, click ‘Add’, then ‘Open’. You should see a screen like this:

Enter the slice login details (not the MySQL login details!) and you should see a standard login prompt:

Right, that’s the last of PuTTY for now. Open up your MySQL GUI (I am using MySQL Administrator in this example) and configure it like so:

Make sure you have specified localhost as the MySQL hostname, that you are using the MySQL database login credentials, and that the port matches the local port you set up in PuTTY, in this case 13306. Click Connect and you should see something like this:

Success!

You should be able to adapt these instructions for any MySQL GUI (the PuTTY config will remain the same).
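As an added example (not from the original post), the same tunnel with the OpenSSH command-line client, for anyone on macOS or Linux (or Windows with an OpenSSH client), plus a check that the local end is listening before the MySQL client is started. Every host, user and port below is a placeholder for the values in your welcome email, and the MySQL server is assumed to listen on 3306 on the database slice.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSH equivalent of the PuTTY
# tunnel above, plus a check that the local end is listening before the MySQL
# client is started. Every host, user and port is a placeholder for the values
# in your welcome email; MySQL is assumed to listen on 3306 on the db slice.

# open_tunnel SLICE_IP SSH_PORT SSH_USER DB_HOST [LOCAL_PORT]
# Forwards 127.0.0.1:LOCAL_PORT (default 13306, as in the PuTTY setup) to
# DB_HOST:3306 through the slice. With DRY_RUN=1 it prints the ssh command
# instead of running it.
open_tunnel() {
  slice=$1; sshport=$2; user=$3; dbhost=$4; lport=${5:-13306}
  # -N: no remote shell, just the forward; -f: go to the background once logged in;
  # ExitOnForwardFailure=yes: fail instead of leaving a tunnel that goes nowhere
  # when LOCAL_PORT is already taken; 127.0.0.1: keep the port off your LAN interface.
  set -- ssh -N -f -o ExitOnForwardFailure=yes -p "$sshport" \
         -L "127.0.0.1:$lport:$dbhost:3306" "$user@$slice"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
    return 0
  fi
  "$@"
}

# wait_for_port PORT [TRIES] -> 0 once 127.0.0.1:PORT accepts a TCP connection
# (one attempt per second, default 10 attempts), 1 otherwise.
wait_for_port() {
  port=$1; tries=${2:-10}
  while [ "$tries" -gt 0 ]; do
    nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Usage (placeholders): ssh prompts for the *slice* login; the mysql client then
# takes the *MySQL* credentials. Use 127.0.0.1 rather than localhost for the
# command-line client, which otherwise tries the local Unix socket, not the tunnel.
#   open_tunnel 203.0.113.10 2222 deploy mysql50-staging-1
#   wait_for_port 13306 && mysql -h 127.0.0.1 -P 13306 -u dbuser -p
```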