krypted.com

Tiny Deathstars of Foulness

Earlier, I wrote an article on how to export data from the macOS Wiki Service. But now that you have your data in a file, where are you going to import it? Well, you could use some kind of custom hosting service. Or if you want to run your own server, you could use a Synology. Synology makes installing WordPress a snap. To get started, first open Package Manager. From Package Manager, search for WordPress.

Click Install.

Click Yes to install the dependencies.

Enter a username and password to pass to MariaDB (root with a blank password).

Enter a username and password for the wordpress database and click Next.

Click Apply. 

Click Open under WordPress.

Select a language for WordPress to use.

Set the title of the blog, provide a username and password to log in and create new articles, provide an email address, select whether your site should be indexed by search engines, and then click Install WordPress.

Click Log In. You’ll then be placed into the main WordPress screen. Bookmark this page, but you can get back any time by visiting <IPADDRESS>/wp-admin or <IPADDRESS>/wp-login where <IPADDRESS> is the address or hostname of the server.

If you’re migrating from macOS Server, you can then import your database into WordPress. To do so, log into WordPress and hover over Tools, clicking Import.

At the Import screen, select Run Importer under WordPress as the format to import from.

At the Importer screen, select the database you exported from the macOS Server wiki export article.

Click “Upload file and import”. Now that you have data in WordPress, let’s do the fun part. Hover over Appearance in the left sidebar and click on Themes. Then, find a theme that best suits your needs using the Search box!

March 29th, 2018

Posted In: Mac OS X Server, Microsoft Exchange Server, Synology, WordPress


In an earlier article, I mentioned that MAMP Pro is still the best native GUI for managing web services on the Mac, now that macOS Server will no longer serve up those patchy services. After we cover the management in this article, you’ll likely understand why it comes in at $59.

So you’ve installed MAMP, and you need more than the few basic buttons available there. MAMP Pro came with it, and you can try it for a couple of weeks for free. When you open MAMP Pro, you’ll see a screen where you can perform a number of management tasks. This is a more traditional sidebar-driven screen that looks like what Server Admin might have looked like before the web services screen got simplified in macOS Server.

The Hosts item in SETTINGS will show you each host installed on the server. Think of a host as a site. Each web server can serve up a virtually unlimited number of websites. You can configure an IP binding to the site, or hav
 
If you click on the plus sign, you can add a site. In this example, I’ll add www.krypted.com and then click on create. When doing so, you can configure a database for each site (e.g. if you’re doing multi-tenant hosting), build a site off a template, or select a root directory for the site. 

The Apache tab of each host allows you to configure host-specific settings, including enabling options for directives such as Indexes, Includes, SymLink following, and CGI. More options than were in macOS Server, for sure. You can also set the order of allow/deny rules, allow overrides, add new directives, set the index (the default page of each site), add additional virtual hosts (such as krypted.com for www.krypted.com), and add a server admin email address.

These were Apache-centric settings for each host. Click on the Nginx tab if you’re using Nginx instead of Apache. Nginx is a bit less “patchy,” so there are fewer options here. But they’re similar: configure an index, add parameters, and a feature not available in the GUI options for Apache: allow or deny access based on IP.
 
The SSL tab allows you to generate a CSR, upload the cert and key file, and force connections to use https.

The Extras tab allows you to automatically install standard web packages. For example, here we’ll select WordPress.

Click on the Databases tab. To connect a site to a database, enter the name of the database when prompted. Note: the site itself will need credentials in order to connect, and if you’ve set up an “Extra” in the above step, the database will be configured automatically.

Next, let’s configure the ports used by the web servers. The previous settings were per-site. The rest that we cover in this article will be per-server, as these are global settings applied to the daemons themselves. Each of those services has a port or ports associated with it. For example, the standard web port is 80, or 443 for SSL-based connections, and the standard port for MySQL is 3306. For publicly-facing sites these would be the standard ports, and given how common they are, there’s a button for “Set ports to 80, 81, 443, 7443, 3306”. Otherwise, you can enter each independently. Because the daemons are bound to their ports here, this is also where you configure the user that services run as, as well as when to start the services and truncate log files.

The Editor option configures how the editor appears, which we’ll cover last in this article. The Editing option manages how the editor works (e.g. things like tabs, autocompletes, etc.).

The Fonts & Colors tab allows you to select each color assigned to various types of text.  

The Default Apps tab allows you to configure which app is opened when opening each type of file supported. 

Again, we’ll look at the editor later in this article. First, let’s finish getting the web server setup. Click on Apache. Here, you can load new Apache mods you download from the interwebs. I should mention that an important security step in locking down a publicly-facing web server is to disable all of the mods you don’t absolutely need. 

At the bottom of this screen, there’s also a handy little link to the directory with your logs, so you can read through them if needed.

The Nginx option underneath is similar. Access to log files is there, as is the ability to enable installed Nginx mods. 

The MySQL option also provides access to some straightforward command-line options, but in a nice GUI. Here, you can configure a root password for MySQL (which does this: Reset A Lost MySQL Password), enable phpMyAdmin, MySQL Workbench, and Sequel Pro-based administration, enable network access to the MySQL service (using the ports configured in the Ports section of the app), which I cover at Allow Remote Connections To MySQL, and view logs.

The Dynamic DNS options are cool. Click there, and if your web server is behind a DHCP address, you can configure a dynamic DNS service including DNS-O-Matic, no-ip.com, dyn.com, easydns.com, etc. This way when you reboot and get a new IP address from your ISP, it’ll update the service automatically.

Memcached is a distributed memory object caching system. It’s used to make sites appear faster or to distribute caching between servers for systems that, for example, get clustered. It’s included here for a reason, I’m sure of it! Either way, I actually use it for a few things and like the fact that it’s there. To enable it, simply choose how much memory to give it, configure the logging level (usually low unless you’re troubleshooting), and gain access to logs. If you check “Include Memcached server in GroupStart,” then Memcached will fire up when you start your web services.

Click Postfix. Here, you configure your server to route mail through an email account. If you run this from the command line, you can also configure your server to be a mail server; however, when you do that you’re likely to get mail bouncing all over the place. So if the server or a service on the server is supposed to send mail, it’s usually best to route through something like a Gmail account.

The Languages section allows you to configure how PHP, Python, Perl, and Ruby work on the server. For PHP, you can configure which version of PHP is installed, configure a version of PHP for hosts, enable caching (different than memcached), enable a few basic extensions (I’ve been playing with oauth a lot recently), choose logging options, and have a simple way to see the logs. 

Since you’re running on a Mac, you already have Python, but if you click on the Python option, you can set the version of Python used to 2.7.10 instead of 2.7.13.

Click on Perl to do the same.

Click on Ruby to do the same.

The editor is also pretty easy to use. Simply use the plus sign to add a file you’d like to edit. Keep in mind when browsing that everything MAMP Pro needs is self-contained in the /Applications/MAMP directory, so it should be pretty easy to find files for editing. 

And that’s it. This seems like a lot of stuff, but between sites like ServerFault and other Apache/Nginx articles, you’ll likely find most of the things you need. It’s worth mentioning that I consider this another baby step toward just managing Apache using config files. macOS Server tried hard to reduce the complexity of where different settings and options are derived from; MAMP Pro makes no pretense that web server management should be so simple. That’s one of the things I like about it. It’s like you went from riding in a buggy on the back of a bike to riding with training wheels. The more you know, the better off you are.

March 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security, WordPress


WordPress has an app. That means there’s an API to normalize communication using a predictable programmatic interface. In this case, as with many others, that’s done using a standard REST interface. The easiest way to interact with any API is to just read some stuff from the server via curl. You can feed curl the URL to the API by using your URL followed by /wp-json, as follows, assuming a URL of http://www.krypted.com:

curl http://www.krypted.com/wp-json

To view header information:

curl -s -D - http://www.krypted.com -o /dev/null

In the below example we’ll ask for a list of posts by adding /wp/v2/posts to the URL:

curl http://www.krypted.com/wp-json/wp/v2/posts

You’ll see a list of some posts in the output along with a little metadata about the posts. You can then grab an ID and ask for just that post, using a post ID of 48390:

curl http://www.krypted.com/wp-json/wp/v2/posts/48390

You can also see revisions that have been made to a post by appending /revisions to the URL:

curl http://www.krypted.com/wp-json/wp/v2/posts/48390/revisions

You can see comments with the comments route:

curl http://www.krypted.com/wp-json/wp/v2/comments

Or pages with the pages route:

curl http://www.krypted.com/wp-json/wp/v2/pages

Or users with the users route:

curl http://www.krypted.com/wp-json/wp/v2/users

Or media that has been uploaded with the media route:

curl http://www.krypted.com/wp-json/wp/v2/media

The output of each can be constrained to a single item in that route by providing the ID of the item, which shows additional metadata about the specified item. There are also routes for categories, tags, etc. There’s also some good stuff at https://github.com/WP-API, such as https://github.com/WP-API/Basic-Auth, a plugin that allows you to authenticate against the API:

curl --user admin:krypted http://www.krypted.com/wp-json/users/me

Not only can you look at user information, you can also add and remove posts. You would add by doing a -X followed by POST and then feeding a file with the --data option:

curl --user admin:password -X POST http://www.krypted.com/wp-json/posts --data @post.json

The output would then include the ID of your new post in WordPress. In the following example, we’ll get rid of the post we were looking at earlier using -X DELETE, assuming a username of admin, a password of krypted, and a post ID of 48390:

curl --user admin:krypted -X DELETE http://www.krypted.com/wp-json/posts/48390

If successfully deleted, the response would be as follows:

{ "message":"Deleted post" }

To dig in deeper, check out http://v2.wp-api.org/reference/posts/ where the whole schema is documented. You can also use the https://github.com/WP-API GitHub site to access a command called wp (as well as PHP, node, and java clients) that can be run at the command line for simple scripting interfaces. This could allow you to, for example, simply back up posts to json files, etc. Also, it’s worth noting that various plugins will require their own interface (note there’s no themes or plugins route), such as WooCommerce, interfacing with http://gerhardpotgieter.com/2014/02/10/woocommerce-rest-api-client-library/ or https://woocommerce.github.io/woocommerce-rest-api-docs/.
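The same route-building and Basic-Auth handling as the curl commands above, as an added Python example that is not from the original post or the WP-API project. It assumes the wp/v2 prefix for every route (the post’s authenticated examples use the older /wp-json/posts and /wp-json/users/me paths), refuses to send Basic-Auth credentials over plain http, and is exercised offline against a constructed JSON body in place of a live server.

```python
import base64
import json
import urllib.request
from typing import Callable, Optional

Fetcher = Callable[[urllib.request.Request], bytes]


class WPClient:
    """Builds wp-json/wp/v2 routes and sends requests through a pluggable fetcher."""

    def __init__(self, base_url: str, user: Optional[str] = None,
                 password: Optional[str] = None, fetch: Optional[Fetcher] = None):
        self.base = base_url.rstrip("/") + "/wp-json/wp/v2"  # assumption: v2 routes everywhere
        self.user = user
        self.password = password
        self.fetch = fetch or self._urlopen

    @staticmethod
    def _urlopen(req: urllib.request.Request) -> bytes:
        # Real transport; demo() swaps in an offline stand-in instead.
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()

    def route(self, resource: str, item_id=None, sub: Optional[str] = None) -> str:
        """e.g. /posts, /posts/48390, /posts/48390/revisions, /users/me"""
        parts = [self.base, resource]
        if item_id is not None:
            parts.append(str(int(item_id)))  # IDs are numeric; anything else is rejected
        if sub:
            parts.append(sub)
        return "/".join(parts)

    def _headers(self) -> dict:
        if self.user is None:
            return {}
        if not self.base.startswith("https://"):
            # Basic auth sends the password with every request; never over plain http.
            raise ValueError("refusing to send Basic-Auth credentials over plain http")
        token = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        return {"Authorization": "Basic " + token}

    def get(self, resource: str, item_id=None, sub: Optional[str] = None):
        req = urllib.request.Request(self.route(resource, item_id, sub),
                                     headers=self._headers())
        return json.loads(self.fetch(req))

    def delete(self, resource: str, item_id):
        req = urllib.request.Request(self.route(resource, item_id),
                                     headers=self._headers(), method="DELETE")
        return json.loads(self.fetch(req))


def summarize_posts(posts: list) -> list:
    """Pull the few fields worth scripting over out of a /posts response."""
    return [{"id": p["id"], "slug": p["slug"], "status": p.get("status"),
             "title": p["title"]["rendered"]} for p in posts]


# Constructed sample body in the shape /wp/v2/posts returns (not real site data).
SAMPLE_POSTS = json.dumps([
    {"id": 48390, "slug": "wordpress-rest-api", "status": "publish",
     "title": {"rendered": "Interact with the WordPress API"}},
    {"id": 48388, "slug": "iso-country-codes", "status": "publish",
     "title": {"rendered": "ISO Country Codes"}},
]).encode()


def fake_fetch(req: urllib.request.Request) -> bytes:
    """Offline transport: records what would have been sent, returns the sample body."""
    fake_fetch.last = (req.get_method(), req.full_url, dict(req.header_items()))
    return SAMPLE_POSTS


def demo():
    """Walk the read-only routes from the post against the constructed body."""
    client = WPClient("http://www.krypted.com", fetch=fake_fetch)
    posts = summarize_posts(client.get("posts"))
    routes = {
        "post": client.route("posts", 48390),
        "revisions": client.route("posts", 48390, "revisions"),
        "comments": client.route("comments"),
    }
    return posts, routes


if __name__ == "__main__":
    for post in demo()[0]:
        print(post["id"], post["title"])
```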

July 14th, 2017

Posted In: WordPress


The following is a list of ISO country codes: AFGHANISTAN AF ALBANIA AL ALGERIA DZ AMERICAN SAMOA AS ANDORRA AD ANGOLA AO ANTARCTICA AQ ANTIGUA AND BARBUDA AG ARGENTINA AR ARMENIA AM ARUBA AW AUSTRALIA AU AUSTRIA AT AZERBAIJAN AZ BAHAMAS BS BAHRAIN BH BANGLADESH BD BARBADOS BB BELARUS BY BELGIUM BE BELIZE BZ BENIN BJ BERMUDA BM BHUTAN BT BOLIVIA BO BOSNIA AND HERZEGOVINA BA BOTSWANA BW BOUVET ISLAND BV BRAZIL BR BRITISH INDIAN OCEAN TERRITORY IO BRUNEI DARUSSALAM BN BULGARIA BG BURKINA FASO BF BURUNDI BI CAMBODIA KH CAMEROON CM CANADA CA CAPE VERDE CV CAYMAN ISLANDS KY CENTRAL AFRICAN REPUBLIC CF CHAD TD CHILE CL CHINA CN CHRISTMAS ISLAND CX COCOS (KEELING) ISLANDS CC COLOMBIA CO COMOROS KM CONGO CG CONGO, THE DEMOCRATIC REPUBLIC OF THE CD COOK ISLANDS CK COSTA RICA CR CÔTE D’IVOIRE CI CROATIA HR CUBA CU CYPRUS CY CZECH REPUBLIC CZ DENMARK DK DJIBOUTI DJ DOMINICA DM DOMINICAN REPUBLIC DO ECUADOR EC EGYPT EG EL SALVADOR SV EQUATORIAL GUINEA GQ ERITREA ER ESTONIA EE ETHIOPIA ET FALKLAND ISLANDS (MALVINAS) FK FAROE ISLANDS FO FIJI FJ FINLAND FI FRANCE FR FRENCH GUIANA GF FRENCH POLYNESIA PF FRENCH SOUTHERN TERRITORIES TF GABON GA GAMBIA GM GEORGIA GE GERMANY DE GHANA GH GIBRALTAR GI GREECE GR GREENLAND GL GRENADA GD GUADELOUPE GP GUAM GU GUATEMALA GT GUINEA GN GUINEA-BISSAU GW GUYANA GY HAITI HT HEARD ISLAND AND MCDONALD ISLANDS HM HONDURAS HN HONG KONG HK HUNGARY HU ICELAND IS INDIA IN INDONESIA ID IRAN, ISLAMIC REPUBLIC OF IR IRAQ IQ IRELAND IE ISRAEL IL ITALY IT JAMAICA JM JAPAN JP JORDAN JO KAZAKHSTAN KZ KENYA KE KIRIBATI KI KOREA, DEMOCRATIC PEOPLE’S REPUBLIC OF KP KOREA, REPUBLIC OF KR KUWAIT KW KYRGYZSTAN KG LAO PEOPLE’S DEMOCRATIC REPUBLIC (LAOS) LA LATVIA LV LEBANON LB LESOTHO LS LIBERIA LR LIBYAN ARAB JAMAHIRIYA LY LIECHTENSTEIN LI LITHUANIA LT LUXEMBOURG LU MACAO MO MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF MK MADAGASCAR MG MALAWI MW MALAYSIA MY MALDIVES MV MALI ML MALTA MT MARSHALL ISLANDS MH MARTINIQUE MQ MAURITANIA MR MAURITIUS MU MAYOTTE YT MEXICO MX 
MICRONESIA, FEDERATED STATES OF FM MOLDOVA, REPUBLIC OF MD MONACO MC MONGOLIA MN MONTENEGRO ME MONTSERRAT MS MOROCCO MA MOZAMBIQUE MZ MYANMAR MM NAMIBIA NA NAURU NR NEPAL NP NETHERLANDS NL NETHERLANDS ANTILLES AN NEW CALEDONIA NC NEW ZEALAND NZ NICARAGUA NI NIGER NE NIGERIA NG NIUE NU NORFOLK ISLAND NF NORTHERN MARIANA ISLANDS MP NORWAY NO OMAN OM PAKISTAN PK PALAU PW PALESTINIAN TERRITORY, OCCUPIED PS PANAMA PA PAPUA NEW GUINEA PG PARAGUAY PY PERU PE PHILIPPINES PH PITCAIRN PN POLAND PL PORTUGAL PT PUERTO RICO PR QATAR QA RÉUNION RE ROMANIA RO RUSSIAN FEDERATION RU RWANDA RW SAINT HELENA SH SAINT KITTS AND NEVIS KN SAINT LUCIA LC SAINT PIERRE AND MIQUELON PM SAINT VINCENT AND THE GRENADINES VC SAMOA WS SAN MARINO SM SAO TOME AND PRINCIPE ST SAUDI ARABIA SA SENEGAL SN SERBIA RS SEYCHELLES SC SIERRA LEONE SL SINGAPORE SG SLOVAKIA SK SLOVENIA SI SOLOMON ISLANDS SB SOMALIA SO SOUTH AFRICA ZA SOUTH GEORGIA AND THE SOUTH SANDWICH ISLANDS GS SPAIN ES SRI LANKA LK SUDAN SD SURINAME SR SVALBARD AND JAN MAYEN SJ SWAZILAND SZ SWEDEN SE SWITZERLAND CH SYRIAN ARAB REPUBLIC SY TAIWAN TW TAJIKISTAN TJ TANZANIA, UNITED REPUBLIC OF TZ THAILAND TH TIMOR-LESTE TL TOGO TG TOKELAU TK TONGA TO TRINIDAD AND TOBAGO TT TUNISIA TN TURKEY TR TURKMENISTAN TM TURKS AND CAICOS ISLANDS TC TUVALU TV UGANDA UG UKRAINE UA UNITED ARAB EMIRATES AE UNITED KINGDOM GB UNITED STATES US UNITED STATES MINOR OUTLYING ISLANDS UM URUGUAY UY UZBEKISTAN UZ VANUATU VU VENEZUELA VE VIET NAM VN VIRGIN ISLANDS, BRITISH VG VIRGIN ISLANDS, U.S. VI WALLIS AND FUTUNA WF WESTERN SAHARA EH YEMEN YE ZAMBIA ZM ZIMBABWE ZW

May 26th, 2017

Posted In: Swift, WordPress


Database won’t start? InnoDB errors are a pain. Where was krypted for a month? Did everything finally get to me and I gave up blogging? No, the site ended up having some problems with corruption in some rows of the InnoDB tables. But, I was able to get the site back up by putting the database into recovery mode. How did I do this? It’s pretty straightforward. Open my.cnf and paste these lines in there:

innodb_force_recovery=3
innodb_purge_threads=0

Once the corruption is resolved, bring up empty databases, import your mysqldump into the new databases, and link your site back up. But, the InnoDB force recovery puts the database into recovery mode, which is read-only. So I wasn’t actually able to use the site, just look at it. At least the content was available, right? When MySQL isn’t writeable, you can’t log in as an admin, etc. The rest is one of the bigger pains I’ve encountered that didn’t result in an all-nighter at a customer. I’ll write that up when I have time some day. In the meantime, next time someone changes my root password and breaks my backup scripts so I can’t just bring in a mysqldump, I’m breaking their arms. You’ve been warned.

May 15th, 2015

Posted In: Mac OS X, Ubuntu, Unix, WordPress


Pow is a Rack server for OS X. It’s quick and easy to use and lets you skip that whole update an Apache file, then edit /etc/hosts, then move a file, then run an app type of process. To get started with Pow, curl it down and pipe it to a shell, then provide the password when prompted to do so:

odr:~ charlesedge$ curl get.pow.cx | sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9039 100 9039 0 0 10995 0 --:--:-- --:--:-- --:--:-- 10996
*** Installing Pow 0.5.0...
*** Installing local configuration files...
/Users/charlesedge/Library/LaunchAgents/cx.pow.powd.plist
*** Installing system configuration files as root...
Password:
/Library/LaunchDaemons/cx.pow.firewall.plist
/etc/resolver/dev
*** Starting the Pow server...
*** Performing self-test...
*** Installed

For troubleshooting instructions, please see the Pow wiki: https://github.com/basecamp/pow/wiki/Troubleshooting
To uninstall Pow, `curl get.pow.cx/uninstall.sh | sh`

To install an app into Pow, create a symlink to it using ln (assuming ~/.pow is your current working directory):

ln -s /path/to/myapp

Then just open the URL, assuming my app is kryptedapp.com:

open http://kryptedapp.com

Pow can also use ~/Library/LaunchAgents/cx.pow.powd.plist to port proxy. This allows you to redirect different apps to different ports. When Pow boots, it runs .powconfig, so there’s a lot you can do there, like export, etc. Once you’re done testing out Pow, if you don’t decide it’s awesome, remove it with the following command:

curl get.pow.cx/uninstall.sh | sh

February 2nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Ubuntu, Unix, WordPress


Yesterday, I wrote an article on technical writing. Today, I’m laying out a few basic rules with regards to when to capitalize things. This is pretty straight forward but I find it can help to remember the rules to lay them out in a basic way. These things should have their first character capitalized:
  1. The first letter of a sentence. This includes a quoted sentence inside a sentence but not a phrase within a sentence. This also includes the first letter of a terminal command when a sentence starts with a command, although I try to restructure those sentences when they come up as it’s not a hard thing to do.
  2. The letter I.
  3. Titles. Each letter in the title of books, movies, poems, songs, articles, newspaper/magazine articles and works of art should be capitalized. This includes when these objects start with a word such as Of, A, The, And, etc but not when those words are in the middle of a title. Titles can also include specific course titles (such as when there’s a number attached). When using a compound title each otherwise capitalized word should be capitalized and each word not otherwise capitalized should not be.
  4. The names of people. Each word in a person’s name should always be capitalized. Also their honorary titles/high-ranking offices when preceding a name, such as President, Doctor, etc., as well as an abbreviated title, such as Mr and Mrs. However, when those titles are used without a specific person attached they don’t need capitalization (although keep in mind that if you’re addressing someone by their title, it should be capitalized). Titles that occur after a name do not require capitalization. Additionally, the name of a relative when used as a proper noun should be capitalized.
  5. Gods, religious figures and holy works should be capitalized, although when describing a group of gods you need only capitalize the region or name of the pantheon and not the non-specific use of the word gods.
  6. The names of schools. This includes any educational institution, not just a college and university. Also, the name of a degree.
  7. Places. This includes bodies of water. A River, Lake, etc. As with the names of people, if you don’t put the name of the specific lake, but use the word you don’t need to capitalize that. A place can also be a mountain or building. Specific buildings, monuments, mountains, hills, volcanoes, etc. should have their first letters capitalized. Specific street names also have the first letter of each word capitalized. Also note that planets always start with the first letter capitalized.
  8. Specific flags.
  9. Regions. When discussing the Midwest, Sun Belt or South as a noun, those should be capitalized. However, when using those words as an adjective they don’t need to be. A country, county, city or other region should also have the first character capitalized. I’ve always felt, though, that a region, unless it’s a specific place, should have to earn the capitalization, and it’s worth noting that Big 10/midwestern football just isn’t what it used to be… Also note that you should capitalize directions that are names but not directions when referring to a compass heading. Capitalize countries, languages and nationalities.
  10. Times. Days of the week, months and holidays. Seasons when used in a title, but not when used generally.
  11. Periods and events, except century numbers that are spelled out.
  12. Trademarked names. One thing I try to avoid here is using a trademarked name in writing as a verb, even if that word has become commonplace. For example, while you frequently hear people say to Xerox something I would change that to make a copy of something.
  13. Groups and organized bodies. Athletic, civic, national, political, and racial groups should be capitalized. This includes the name of a court and some other government terms, including Administration when describing a president’s administration, Cabinet when describing that of a president or prime minister, and Federal when referring to the government of a country.
  14. Lists. If the first word of any bullet or item in a numbered list is capitalized then all should be, including directions. If two or more sentences follow a colon (not one sentence) then the first word of each should be capitalized; however, if there are items after a colon that are not sentences they do not require capitalization unless another rule requires it.
  15. The first word of salutations and complimentary closings.
  16. Words derived from proper nouns.
  17. Initials, initialisms, initials with names and acronyms (unless in commands where the acronym is the command as you’re actually writing the name of the command). Acronyms include the call letters of television and radio stations.
  18. Any character in text that you quote should be capitalized exactly as it appears (although if all words begin with a capitalized character then you don’t need to quote the string).
  19. The first word of each line of poetry, unless not quoted in the poem.
  20. When shouting using the written word one can capitalize each letter of the word to add inflection; however, this is not necessarily proper nor a rule, simply commonplace.
Finally, it’s worth mentioning that writing such as this is a blog. While I don’t like that word, I find that such writing typically allows the writer a certain amount of flexibility with regards to grammatical rules (for better or worse). This could be due to the fact that much of what’s written is done in the middle of the night. While this isn’t an excuse to use poor grammar, it does tend to mean a less stringent editorial process over the grammar used. In other words, read/use the content at your own risk. 🙂 Note: At the request of my readers I’d be happy to write a follow-up article on when to capitalize assets, but I might have to bust out some of my books from Accounting 101 in college to do so!

August 25th, 2013

Posted In: Articles and Books, WordPress


When doing updates in WordPress, upgrading the WordPress version or the plug-ins causes the site to enter Maintenance Mode. While in Maintenance Mode, a message appears that says “Briefly unavailable for scheduled maintenance. Check back in a minute.” rather than the actual site. Sometimes, especially if you’re using the automatic updating functions, an update might fail and the site may be stuck in Maintenance Mode. WordPress looks at the root level of the site directory for some hidden files that can tell a site to operate in a different manner. If there’s a file called “.maintenance” then the site will display the message above. When an update of a plug-in fails, the .maintenance file is never deleted and the site is stuck in Maintenance Mode. To correct the error, simply FTP into the root of the site and delete the file. It’s hidden, so make sure your FTP software isn’t suppressing the ability to see hidden files. Whatever plug-in or update failed likely also broke something. Usually, if it’s a plug-in then you’ll need to re-install that plug-in, as the update process removes the old plug-in and then adds it back. If it’s a theme, you might need to re-install the theme. Programmatically, you can also enable Maintenance Mode by creating this file and then disable Maintenance Mode by deleting (or renaming) the file again.
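Creating, checking and removing the .maintenance file programmatically, as an added Python example that is not from the original post or from WordPress. It relies on the form WordPress core itself writes, `<?php $upgrading = <unix time>; ?>`, and on core ignoring the file once that timestamp is ten minutes old; the docroot it walks through is a constructed temporary directory.

```python
import re
import tempfile
import time
from pathlib import Path

# WordPress core honours .maintenance for 10 minutes from the $upgrading timestamp.
MAINTENANCE_WINDOW = 10 * 60
_STAMP_RE = re.compile(r"\$upgrading\s*=\s*(\d+)\s*;")


def maintenance_state(docroot, now=None) -> str:
    """Classify the site's .maintenance file: absent, active, expired or unparseable."""
    path = Path(docroot) / ".maintenance"
    if not path.exists():
        return "absent"
    match = _STAMP_RE.search(path.read_text(errors="replace"))
    if match is None:
        return "unparseable"  # no $upgrading timestamp core could read
    age = (time.time() if now is None else now) - int(match.group(1))
    return "active" if age < MAINTENANCE_WINDOW else "expired"


def enable_maintenance(docroot, now=None) -> Path:
    """Write the file in the same form core does, so it carries a timestamp."""
    stamp = int(time.time() if now is None else now)
    path = Path(docroot) / ".maintenance"
    path.write_text(f"<?php $upgrading = {stamp}; ?>")
    return path


def disable_maintenance(docroot) -> bool:
    """Delete a leftover .maintenance file; True if one was removed."""
    path = Path(docroot) / ".maintenance"
    if not path.exists():
        return False
    path.unlink()
    return True


def demo() -> list:
    """Walk a constructed docroot through every state and report what was seen."""
    seen = []
    with tempfile.TemporaryDirectory() as docroot:
        seen.append(maintenance_state(docroot))                             # absent
        enable_maintenance(docroot, now=1_356_600_000)
        seen.append(maintenance_state(docroot, now=1_356_600_060))          # active, 60 s old
        seen.append(maintenance_state(docroot, now=1_356_600_000 + 3600))   # expired, an hour old
        # A leftover file with no timestamp, like the one a failed update can leave behind.
        (Path(docroot) / ".maintenance").write_text("<?php // stale, no timestamp ?>")
        seen.append(maintenance_state(docroot))                             # unparseable
        seen.append(disable_maintenance(docroot))                           # True: removed
        seen.append(maintenance_state(docroot))                             # absent again
    return seen


if __name__ == "__main__":
    print(demo())
```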

December 27th, 2012

Posted In: Mac OS X Server, Ubuntu, Unix, WordPress


I’ve had a pretty easy time using Nikto over the years. Nikto is a security scanner specific to web servers. I did a post on Nessus recently, but Nessus is a tool for looking at any service running on a system and trying to find available vulnerabilities. Nikto can do many of the same things, but is specific to, and therefore more in depth for, web servers. This involves looking at things like CGI directories and robots.txt files as well. Nikto is written in Perl. In order to do everything Nikto can do, there are a few Perl modules that need to be installed. But let’s look at one of the easiest implementations available for Nikto, which is Yang (short for Yet Another Nikto GUI), available on the OS X App Store. Yang is so easy, you can literally install the app, type a domain name and hit Start to get started. Yang also runs the latest release of Nikto. Let’s look at what a basic scanning process looks like. To get started, open the App Store and search for Nikto. Yang appears, so click on Install by the name of the app. Once installed, click on Yang in Launchpad to fire up the scanner (or open it from /Applications). When Yang opens, click on Preferences in the toolbar. Go through each of the options and choose the ones that make the most sense for each scan you run. Keep in mind that each box can drastically increase or decrease the amount of time scans require or the output of the scan. The author of the app was kind enough to include tool tips for the options, which is very helpful. Click back on the Scan icon in the toolbar and enter the name of the site to scan in the “Website to analyze” field. Then click on Launch. The scan then begins. This might take some time. And not “go get some coffee” time but more like “go take a nap” time. While the scan is running, click on Logs in the toolbar. Here, you can see the exact command run against Nikto.
If you download Nikto from cirt.net you can use these exact commands, although there will be a little work getting the app up and running, defining config files, etc. If you want to do anything (such as writing output to metasploit) then you might end up needing to go ahead and install manually. But if you’re just interested in running some quick scans as sanity checks for deployed configurations, etc then this is a nice little tool that is a bit too nice to be free. Especially given that the author went ahead and built out Nikto with LibWhiskers, SSL support and a few other goodies that aren’t required for a basic deployment. It’s also (IMHO) a really good example of putting a GUI wrapper around command line tools. I’ve played with a few other GUI overlays for Nikto and this one is by far the best one I’ve seen for OS X. Well worth the time to check it out!

July 5th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, sites, WordPress


Comments on this site have been a pain since I enabled them about 2 1/2 years ago. I believe I enabled them due to something some judgmental person said when they couldn’t comment on an article I had written. During the first year, there was a lot of fine tuning the spam blocking to try and keep out the spammy crap. That continues to be a work in progress, but it seems to be in pretty good shape. During those couple of years I ended up racking up a queue of about 7,000 in the spam category and another 2,000+ in the pending category (which meant I need to deal with them). I was dealing with comments every day, but I’d miss a few and it built up over the course of a couple of years. Tonight, I either addressed or cleared out all but 17. My database is much happier. The 17 remaining are thoughtful questions and require thoughtful answers, so I’ll get to them when I have time to provide such an answer. In the meantime, note that now that it’s all cleaned up, if there are any comments, feel free to post and I should actually respond at this point… Sorry for being latent on those up ’till now.

June 26th, 2012

Posted In: sites, WordPress

