Securing the WordPress Login page

Of late I have seen quite a lot of brute force attempts to login into the admin account of this blog. The source IPs are wide and varied, ranging from Istanbul, Germany, Greece, US and more. In fact according to ArsTechnica article this has been happening for sometime now on a huge scale. I see a POST request on my site every few hours. Recently I submitted a list of such IPs to Deutsche Telekom Abuse Team for the offending IPs from their network.

Protection from the attack ArsTechnica suggested using

Limit Login and WP Better Security plugins. Limit Login is a simple and must have plugin. It blocks an IP for some hours our repeated failure attempts. Of course for this to be useful you need to have a strong password like mine, which is ….. . However, WP Better Security is the best but makes some drastic changes to your site. I don’t like to make so many changes, and would prefer that WordPress came bundled with those features. One of those features is modifying the login url. By default it is like http://blog.host/wp-login.php. This makes it an easy target. One simple way to fix this is change it.

Changing your login url

I do not want to physically rename wp-login.php, since that would mean after a WordPress upgrade the change would be gone. The other way is to rename it in your web-server configuration. Below is my relevant Nginx configuration. (If you are still using Apache then you may want to switch to Nginx.)

#!cink
server {
    server_name blog.host;
    # Other configs like root etc...
    location ^~ /wp-login.php {
        include phpparams.conf;
        if ($request_method = POST) { return 444; }
    }
    location ^~ /your-secret-login-page-name.php {
        rewrite ^ /wp-login.php break;
        include phpparams.conf;
    }
    # ...
}

The above config blocks all POST request to wp-login.php but allows GET requests. So, wp-login.php would show up but if someone tries to submit on that page then the server will close the connection (status 444 is a special code which instructs Nginx to close the remote connection). Since we are using ^~ to prevent Nginx from matching to any more regex locations so, if you have any location directive to match .php won’t be used. So, effectively your wp-login.php file source would be sent to the user instead of executing them. That is why I have included phpparams.conf. See the Nginx migration guide for the contents of phpparams.conf.

One Caveat

Now even if you open your-secret-login-page-name.php, the form will still send POST requests to wp-login.php, because after all that is the page which is being served. So, either you need to use web developer tools like Inspector to modify the web code or better write a GreaseMonkey or TamperMonkey script to do that for you.

Process to get new LPG gas connection

There are no silver bullets but it is better to know the process to avoid harassment. I recently got Indane LPG gas after making rounds of their office for about a month. Most of these was due to the lack of info. SO, here you go.

First step is you need to get the KYC (Know Your Customer) form from the dealer. There is nothing special about it so, even if someone happens to have a soft copy of it then you can get it printed. I had to wait for 2 weeks to get this. One format of KYC document is available on Indane site (here), but the one I got from the dealer was a little different. They will also give you an affidavit form, which you need to get printed on a Rs 20 Stamp Paper and notarized by a lawyer. You can get that form from here.

Tip: If you live anywhere in Hitec City, Hyderabad then there is a small shop available in Madhapur to Stamp Papers and notarize documents. – http://maap.in/w

Fill the KYC form and affix a colored photograph. Along with the Stamp Paper and KYC you need to attach your address proof and photo Id proof. Also you should provide the Aadhaar number on the KYC form, though its photocopy need to be attached if you are providing another photo Id proof.

Some of the accepted address proofs are:-

  • Rental agreement
  • Credit / Bank statement
  • Electricity bill
  • Self-declaration attested by Gazetted officer
  • Flat allotment/possession letter

Some of the accepted photo Id proofs are:-

  • Passport
  • Aadhaar
  • Pan Card
  • Driving License

Once you submit all the above, they say, they will make a verification call in a week. After that you may go to your dealer and deposit a sum of Rs. 5000 to get the new connection.

However, in my case they did not call me. When I anyway went there after a week I got the connection. I had to dig through the applications dump to find mine. Rs. 5000 deposit includes price of gasket, regulator, one cylinder, a stove and other misc charges. Buying stove from them is purely optional, but the agency might try to force you to buy that.

Along with the above stuffs you get a connection certificate sort of paper and the gas booklet. According to the agency you can only apply for single cylinder when you are getting a new connection. You can get the second one after three months.

Hope the above info helps. May god help you with your Gas hunting. 😛

More info:-

Configure your Belkin N150 router for BSNL broadband

  1. Login to your router dashboard. It should usually be at http://192.168.2.1.
  2. Now under “Inertnet WAN” click on “Connection Type”.
  3. Here select “PPPoE” and click on Next.
  4. Provide your BSNL username and password. Leave the “Service Name” field blank.
  5. For “VPI/VCI” field provide 0 and 35 as values.
  6. For “Encapsulation” field choose “LLC”.
  7. Leave all other fileds to their default values.
  8. Now Apply Changes. It will take around 30 seconds for the router to restart.
  9. Notice the top-right corner of the page and check the status. If it says “Connected”, then you are good to go.
  10. Else click on the “Home” link near that. On the home page click on Connect button.

Now you should be able to use this Wifi router with your BSNL broadband. Happy surfing. 🙂

PS: Now you no longer need to use your computer to dial the BSNL connection and login. Your router has your BSNL username and password, it will do the dialing and logging in.

Hack sbicapsec.com to run on Firefox

`AG_BACKQUOTE_TURN_ON`

www.sbicapsec.com is State Bank of India’s online share trading portal. This is a good portal but their site’s code quality is amazingly of low quality, dare I say, crappy. SBI being a public sector government institute, we can rest assured that the code quality or bugs in it would not get fixed soon, if ever.

Anyway as of now if you try using this portal in Firefox or Chrome, then maybe you will endup with a screen like this.

sbicapsec.com after login in Firefox. Notice no applet running, instead we have weird “:10”.

Notice the weird “:10” character in the screenshot, instead of the Java Applet.

Fixing sbicapsec.com to run in Firefox

Don’t worry the “hack” here is not illegal. This is used merely as an expression for making things work the way you want it which requires a lot of technical trickery to get it right.

The following has been tested in Firefox 13 and 14 in Mac OSX and Windows XP. You are free to try this as you may want it though. Also this should work in Chrome too.

Now let’s get into fixing this in few simple steps:-

  1. For your sake, open this blog page in your Firefox browser.
  2. Install GreaseMonkey browser extension. You may need to restart your browser.
  3. Install my GreaseMonkey user script by clicking on the link here – AppVersion Patch for SBICAPSEC.
  4. Click on Install button in the dialog box that you get.

That is it! You should now get the applet after login.

Fixed sbicapsec.com, after login.

How the fix works (for the technically inclined)

This section is for geeks, who would like to know how the script works. Also it is better to understand this, so that you understand, there is no malicious code in my script.

What is wrong in sbicapsec.com’s site? (Root cause)

The portal’s JS code assumes that `navigator.appVersion` will always return a string which will have a semi-colon (;). In fact that is true for IE and Chrome (in Mac OSX version only), but not for others. After this failure everything goes down like dominoes.

The popup we get after login has a `frameset` with three frames. The second one is the one which is supposed to present the Java applet. The layout of that page is roughly as below:-

[code lang=”html”]
<body>

<applet>
<param>
<param>
<param>

</applet>
</body>
[/code]

It seems the devs there had a requirement to set the `width` and `height` of the `applet` based on user screen’s dimension. For this they modified the code to use JS to dynamically generate the upper `applet` tag.

[code lang=”html”]
<body>

<script>
// This script will generate the upper applet tag with appropriate width and height.
</script>
<param>
<param>
:10
<param>

</applet>
</body>
[/code]

It is in the above `script` tag where it reads `navigator.appVersion` and tries to split it by `;` and then read the other part. When that errors out, so does the code following it. That code is supposed to write the upper `applet` tag. So, at the end we are left with many `param` tags and a dangling `</applet>` tag. The weird `:10` characters are written between two `param` tags.

From the way they have written the JS code, it seems the devs did not visualize the html page as a tree of blocks, instead for them it was a file stream; like the kind when you use your Java or C++ file output stream. The `script` block above uses `document.write()` to write the opening `applet` tag, instead of using JS to directly manipulate the DOM objects. I wonder how these devs can layout a page, who visualize it as a stream of characters? And, this is just a fraction of the real code, who knows what else is inside. It seems SBI needs to seriously train its devs. All this makes me loose faith over the security and reliability of their site.

Anyway, enough of the rant, back to the topic. The patch script I wrote will, simply try to do what there code was meant to do, add the `applet` tag. Because of the dangling `applet` end tag, I was unable to wrap my `applet` around the existing `param` tags. So, instead I detached all the `param` tags, emptied the parent (this reference was stored before detaching `param`), then added `param` tags inside the newly create `applet` tag and finally added the `applet` inside the previous parent of `param` tags.

I also tried using other techniques but they did not work. The first one was directly modifying `navigator.appVersion` to return a string with `;`, but it seems you cannot modify them. The second options was to replace existing `String.split()` function with my own version. In my version I would always return an array of at least length two, so that the code does not error out. Anyway this too did not work out since GreaseMonkey scripts are ran after the page is executed. GreaseMonkey does provide an option to run our scripts at the beginning too, but according to docs that is not supported inside frames.

Anyway, all’s well that ends well. 🙂

How to Reset the Root Password of MySql in Linux

I am posting this for my future reference. Also it my help passers by.

If you are using CentOS 6 (maybe others too). To reset the root password use the following steps:-

  1. sudo service mysqld stop
  2. sudo service mysqld startsos
  3. mysql -u root
  4. Now you will be at mysql prompt. Here type:-
    1. UPDATE mysql.user SET Password=PASSWORD(‘NewPassHere’) WHERE User=’root’;
    2. FLUSH PRIVILEGES;
    3. quit;
  5. sudo service mysqld restart