Part I, Part II, Part IV.

WordPress – prevent unauthorized admin logins

If you have a WordPress blog, you probably know that there are tons of attempts from users/scripts to try to take over your blog and post spam. There are a lot of plugins there that can take care of different security aspects, but by far, this simple solution works best for me.
It prevents anyone except white listed IPs to access your login page. Instead they’ll get error 404, page not found. The only problem is that you can’t have your own user base. So, if someone wants to post a comment, it can’t be a user registered on your blog. I use the Social Login plugin that allows users to login and register with one click on this blog, using their own social network’s logins.

Anyway, you need mod_rewite installed on your web server. Look for this line and if it’s commented, remove the # and reload the config.

LoadModule rewrite_module libexec/apache24/mod_rewrite.so

In the root of your blog, edit the .htaccess file and make sure it looks like this.
In my example, I have only two IPs allowed that can access the wp-login page. The rest will get page not found when accessing wp-login.php or wp-admin.

ErrorDocument 401 /index.php?error=404
ErrorDocument 403 /index.php?error=404

 <IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^198.16.3.247$
 RewriteCond %{REMOTE_ADDR} !^24.184.123.233$
 RewriteRule ^(.*)$ - [R=403,L]
 </IfModule>
 # BEGIN protect xmlrpc.php
 <files xmlrpc.php>
 order allow,deny
 deny from all
 </files>
 # END protect xmlrpc.php

AWS: ssh to a server with private IP only

I was playing with some servers in AWS. One of them had a public IP, but the second one had a private IP only. In order to access the 2nd server with private IP only, open up the key that was given to you for the 2nd server by AWS in PEM format in your favorite text editor. Select the text and copy it to the clipboard. The key looks like this. This key should belong to the 2nd server.

Now, log to the first server with the public IP as ec2-user.
Create a new file with nano or vi and paste the content. Save it as some_file.pem.
Change the permissions.

chmod 600 some_file.pem

Then log to the 2nd server with the private IP.

ssh -i some_file.pem <internal_IP>

NTP sync in a domain environment

On the PDC domain controller.

w32tm /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:yes /update 

On all other DCs.

w32tm /config /syncfromflags:domhier /update 

Resync manually.

w32tm.exe /resync /rediscover

Check the status.

w32tm /query /status

Ubunty 18 – DNS

First, configure the YAML file /etc/netplan, do netplan apply and then…

sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Ubuntu 18 – Change hostname

hostnamectl set-hostname <new_hostname>

Edit /etc/cloud/cloud.cfg and replace preserve_hostname: false to true

Change Windows password from command line prompt

Open up PowerShell/CMD with admin privileges and type:

net user username new_password

FreeBSD vmtools in vCenter

If you want to install VMWare Tools in FreeBSD running in vCenter, install this package.

pkg -y install open-vm-tools-nox11

If you want the full tools that cover X11, install open-vm-tools without “-nox11” suffix in the above command.
Edit /etc/rc.conf and add these lines.

vmware_guest_vmblock_enable="YES"
vmware_guest_vmhgfs_enable="NO"
vmware_guest_vmmemctl_enable="YES"
vmware_guest_vmxnet_enable="YES"
vmware_guestd_enable="YES"

FreeBSD change from DHCP to static IP, default gateway and DNS

Edit /etc/rc.conf and you’ll see a ifconfig DHCP assignment somewhere. Change the DHCP keyword with your static IP and netmask and don’t forget the default gateway.

ifconfig_vmx0="inet 192.168.1.11 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

The DNS settings are under /etc/resolv.conf.

Find Wireless (WiFi) password

netsh wlan show profile <SSID> key=clear

Install git 2 on CentOS 7 from source

yum -y groupinstall "Development Tools"
yum -y install gettext-devel openssl-devel perl-CPAN perl-devel zlib-devel wget
wget https://github.com/git/git/archive/v2.23.0.tar.gz -O /tmp/git.tgz
cd /tmp
tar xzvf git.tgz 
cd git*
make configure
./configure
make install
cd /tmp
rm -Rf git*

Use git with a private key and no password

Anytime you push, clone or pull a repo, you’ll get prompted for a password which is kind of annoying. Do this to use a private key access and never get prompted for a password again. On your Linux workstation, make changes in line 2 and 3 and do:

cd
git config --global user.name "Kliment Andreev"
git config --global user.email "[email protected]"
ssh-keygen -t rsa -b 4096
cat .ssh/id_rsa.pub

Go to GitHub, in the upper-right corner click on the avatar, choose Settings and then SSH and GPG keys. Click to add a key, name it and paste the output from the ssh-keygen command above.
You have to change the remote origin to use SSH instead of HTTPS.

git remote set-url origin [email protected]:<github_username>/<github_repo>

vi – use spaces instead of tabs

Add this to ~/.vimrc

set tabstop=2 shiftwidth=2 expandtab

Replace tabs with spaces in vi

:%s/\t/ /g

Replace tabs with spaces in files

sed -i 's/\t/ /g' *

S3 bucket policy for static web hosting

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

Ansible execute playbook locally

ansible-playbook --connection=local --inventory 127.0.0.1, ansible.yml

Import AWS key from another region

Best practice is to have separate keys for all instances, but if you need “one key to rule them all” instances, you have to create a public key from your private key and import it in AWS keys.
Let’s say your private key is something.key.

ssh-keygen -y -f something.key > something.pem

Now, cat out the pem file and paste it under AWS key import.

vi tabs, spaces

Edit .virc or .vimrc and add this line

set tabstop=2 shiftwidth=2 expandtab

Convert tabs to spaces in existing file -> :retab

Log to AWS CLI using SSO

This tip requires an SSO configured, see this link.
Configure the SSO with aws sso configure once or multiple times for multiple profiles.
Then use aws sso login, a browser will pop up, log in and close the browser.
Export the profile you want to use, e.g. export AWS_PROFILE=dev, then aws sts get-caller-identity.
At this point use any CLI commands, e.g. aws s3 ls.

AWS IAM Identity Center (successor to AWS Single Sign-On) SCIM Access Token Approaching Expiration

If you received an e-mail from AWS that your token expires, open up the first two links at the bottom of the e-mail. The first one opens up your AWS console where the token is and the second one opens up a tutorial on how to create a new token. Create a new access token, but do not delete the old one. Copy the value (not the token ID), but the value that it will be presented to you only once.
Now, go to Azure, under Azure Active Directory, find the AWS SSO enterprise app and open it and from the left side on the screen, click on Provisioning. Expand the Admin Credentials and paste the token from AWS under Secret Token. Click Test Connection and if everything is OK, click Save and you are good and you can delete the old token in AWS.