Yesterday I decided to attempt setting up a local Etherpad of my own, for use within the network/family. That meant upgrading my local server from Ubuntu Hardy to Karmic (well, I could’ve added the Karmic repositories to my installation, but a re-install was due anyway so…). I got Etherpad up and running locally (i.e. as long as I connect to it through elinks and 127.0.0.1:9000) but that doesn’t really help me as I want it available throughout the entire network. I will have to tinker more with that later.
There were, however, other services to get back online as well, such as WordPress. And it just so happens that while I was installing and tinkering with it, I noticed that some rather cool (security-wise) plugins have appeared:
Antivirus
The antivirus plugin simply scans your current theme for malicious code, such as base64-encoded payloads, which apparently have been added to freely downloadable themes from various sites around the net.
I use the default theme, so I don’t really worry about the source for this theme but that just assures me that the theme is clean from the beginning. A security weakness could change that in a matter of seconds.
Invalidate logged out cookies
I don’t imagine I will get much use of this plugin as I normally only log on through my own computer, but should I find myself sitting in an internet café logging on, it is comforting to know that I won’t have to remember to physically destroy the auth-cookie which WordPress sets up on login.
Limit login attempts
This is a so-called “speed bump”. This won’t create perfect security (there isn’t such a thing anyway), but it will slow an attacker down substantially, to the point where s/he gives up and goes after some other poor sap with more pathetic defenses.
It is a rather simple concept really: if the blog receives more than A erroneous login attempts in a row, ignore any further attempts from that IP for B minutes. If there are more than C * A attempts in a row, ignore any further attempts from that IP for D minutes/hours/days (where A, B, C and D are all fully configurable integers).
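The two-tier lockout described above, written out as an added example (this is not the plugin's own code, and the default values for A, B, C and D are assumed rather than taken from the plugin). Attempts from a blocked IP are simply ignored and not counted, so the run of failures continues when the short block expires; the long block resets the counter. The clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict


class FakeClock:
    """Settable clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class LoginLimiter:
    """Two-tier lockout: A consecutive failures from one IP -> ignore it for
    B minutes; C*A consecutive failures -> ignore it for D hours.
    The letters mirror the post; the default numbers are an assumption."""

    def __init__(self, a=4, b_minutes=20, c=4, d_hours=24, clock=time.time):
        self.a = a
        self.b = b_minutes * 60
        self.c = c
        self.d = d_hours * 3600
        self.clock = clock
        self.failures = defaultdict(int)  # consecutive failures per source IP
        self.blocked_until = {}           # ip -> unix time when the block ends

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked_until[ip]    # block expired; the failure run continues
            return False
        return True

    def attempt(self, ip, password_ok):
        """Return 'blocked' (attempt ignored), 'ok' or 'denied'."""
        if self.is_blocked(ip):
            return "blocked"
        if password_ok:
            self.failures.pop(ip, None)   # a success ends the run of failures
            return "ok"
        self.failures[ip] += 1
        n = self.failures[ip]
        now = self.clock()
        if n >= self.c * self.a:
            self.blocked_until[ip] = now + self.d
            self.failures.pop(ip, None)   # the long lockout also resets the counter
        elif n % self.a == 0:
            self.blocked_until[ip] = now + self.b
        return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginLimiter(clock=clock)
    for _ in range(5):
        print(limiter.attempt("203.0.113.5", False))  # four 'denied', then 'blocked'
```

Keying on the source IP only is what makes this a speed bump rather than a wall: an attacker with many addresses spreads the attempts out, and users behind one shared NAT can lock each other out, so keep B short and watch the logs for lockouts you did not expect.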
One time passwords
I will have to ask my webhost if they plan on upgrading to PHP5 any time soon, because this plugin requires it. What it does is create a number of disposable (one-time) passwords, which can be used instead of your regular password (which would be awesome to use for instance at an internet café: no risk that keyloggers or other eavesdroppers get hold of anything valuable).
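How a list of disposable passwords can be generated and then redeemed exactly once, as an added example that is not the plugin's code. The server keeps only a salted hash per code, so a leaked database does not hand out the remaining codes, and a code seen by a keylogger is worthless after its first use. The alphabet, code length and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 20_000   # kept low for the demo; raise it in real use


def generate_otp_list(count=10, length=12):
    """Create the printable list the user carries along (constructed values)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class OneTimePasswordStore:
    """Server side: stores only salted hashes and marks a code used on first success."""

    def __init__(self, plaintexts):
        self._entries = []
        for pw in plaintexts:
            salt = os.urandom(16)
            self._entries.append(
                {"salt": salt, "digest": hash_password(pw, salt), "used": False})

    def remaining(self):
        return sum(1 for e in self._entries if not e["used"])

    def redeem(self, candidate):
        """Return True once for a matching unused code, never for the same code twice."""
        for entry in self._entries:
            if entry["used"]:
                continue
            if hmac.compare_digest(hash_password(candidate, entry["salt"]),
                                   entry["digest"]):
                entry["used"] = True
                return True
        return False


if __name__ == "__main__":
    codes = generate_otp_list(5)
    store = OneTimePasswordStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

Because every candidate is hashed against each unused entry, a failed attempt costs the server one PBKDF2 run per remaining code; combine this with the login-attempt limiter so that cost cannot be turned against you.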
Safer cookies
The original WordPress auth cookie implementation just checks that there is an authentication token in the cookie which corresponds to an identical token in the database, which opens it up to man-in-the-middle attacks. Safer cookies adds your IP address to the mix (well, to the hash, I suppose) and thus makes it a bit harder for a session hijacking to take place.
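The difference between the two schemes, as an added example that is not the plugin's code: the plain check accepts any client that presents a stored token, while the bound variant also requires an HMAC over the token and the requesting IP, computed with a server-side key (the key and the cookie layout are assumptions).

```python
import hashlib
import hmac
import secrets


def make_token():
    """Random session token, the value the original scheme stores in the database."""
    return secrets.token_hex(16)


def verify_plain(cookie, valid_tokens):
    """Original behaviour as described: whoever presents a stored token is logged in."""
    return cookie in valid_tokens


def issue_bound_cookie(token, client_ip, server_key):
    """Cookie value = token|HMAC(key, token|ip). The IP itself is not in the cookie."""
    mac = hmac.new(server_key, f"{token}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{token}|{mac}"


def verify_bound_cookie(cookie, client_ip, server_key, valid_tokens):
    """Accept only if the token is known AND the MAC matches the requesting IP."""
    token, sep, mac = cookie.partition("|")
    if not sep or token not in valid_tokens:
        return False
    expected = hmac.new(server_key, f"{token}|{client_ip}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    key = b"constructed-server-secret"      # constructed; load from config in real use
    tok = make_token()
    cookie = issue_bound_cookie(tok, "192.0.2.10", key)
    print(verify_bound_cookie(cookie, "192.0.2.10", key, {tok}))    # True
    print(verify_bound_cookie(cookie, "198.51.100.9", key, {tok}))  # False
```

Two caveats worth knowing before enabling something like this: a stolen cookie replayed from the same address (a shared NAT, or an attacker on the same network) still passes, so it complements rather than replaces HTTPS for the login and admin pages; and users whose address changes mid-session (mobile, some ISPs) will be logged out.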
I have to admit, this is my favorite of them all. It disables any information leakage at the login form (such as “sorry, the password is incorrect”). An attacker, upon seeing that message, immediately thinks “ah, so the username was correct”.
Furthermore, it removes the WordPress version from the HTML source, which makes it harder for automated tools to know what attacks to apply.
(These are incidentally the exact things I have been doing manually after every update, and hated every second of it since I don’t find mucking about in WordPress’ internals all that thrilling.)
This one blocks a whole lot of badness which otherwise could be inserted through what the plugin calls “application parameters”. Examples include disallowing directory traversal (../../etc/passwd) and SQL queries.
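What such a parameter filter looks like when run over access-log lines, as an added example that is not the plugin's code: query parameters are URL-decoded repeatedly (so a double-encoded `%252e%252e%2f` is seen as `../`) and then checked against a traversal pattern and a short list of SQL keyword patterns. The log lines are constructed, and the patterns are a minimal illustration rather than the plugin's rule set.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Minimal patterns for the two classes of parameter abuse the post names.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SQL = re.compile(
    r"\b(union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table|or\s+1\s*=\s*1)\b",
    re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Dec/2009:10:00:01 +0100] "GET /?p=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Dec/2009:10:00:07 +0100] "GET /?page=../../etc/passwd HTTP/1.1" 404 210',
    '198.51.100.9 - - [24/Dec/2009:10:01:33 +0100] "GET /?id=1%20union%20select%20pass%20from%20users HTTP/1.1" 200 5120',
    '198.51.100.9 - - [24/Dec/2009:10:02:10 +0100] "GET /?file=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 5120',
]


def normalise(value, rounds=3):
    """Decode repeatedly so double-encoded sequences (%252e) end up as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_query(path_with_query):
    """Return [(param, reason), ...] for every parameter that trips a pattern."""
    findings = []
    query = urlsplit(path_with_query).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalise(raw)       # parse_qsl already decoded once; catch further layers
        if TRAVERSAL.search(value):
            findings.append((name, "directory traversal"))
        if SQL.search(value):
            findings.append((name, "sql keywords"))
    return findings


def scan_log(lines):
    """Return [(line_index, findings)] for lines whose request would have been blocked."""
    hits = []
    for idx, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        findings = inspect_query(m.group(1))
        if findings:
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOG):
        print(idx, findings)
```

Pattern filters of this kind are a backstop, not a fix: a blog post that legitimately contains the words "union select" in a search query will be blocked, and a parameter that reaches an unpatched plugin through a path the filter does not cover sails through. Keep the real protection in the application (prepared statements, no user-controlled file paths) and use the filter for the noise it catches in the logs.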
The only thing left for me to do now is to continue to hack away at the Etherpad installation and wish you all a Merry Christmas.
Update: Although good in theory, I all of a sudden started experiencing problems with the Invalidate logged out cookies plugin. The sort of problems which meant that I was being redirected to the login page after a successful login… And since the plugin logs me out upon activation, I can only assume that there is some interference between that plugin and some other plugin. It is entirely possible that there is some configuration which could be done to get it all working, but since I get logged out on activation I can’t check that, and it isn’t all that important to me, I just chose to disable it instead. #HolidayLazinessFTW