Juzzy | feedback welcome for you nginx users: | 00:29 |
---|---|---|
Juzzy | http://www.hax.nu/linux/nginx-missing-commands | 00:29 |
Juzzy | http://www.hax.nu/security/securing-nginx | 00:30 |
minasota | Juzzy: you host your site using wordpress? | 01:09 |
Juzzy | ya this one is wordpress | 01:26 |
minasota | Do you have ssl enabled when logging into the dashboard? | 01:26 |
Juzzy | no | 01:26 |
Juzzy | heh | 01:26 |
minasota | I just realized on mine that the username and password get sent clear text | 01:27 |
Juzzy | I own the servers and the router this is behind | 01:27 |
Juzzy | so yea you can deface it if you really wanted to, I'd have to restore from a backup | 01:27 |
minasota | I host from a DO droplet that has a constant vpn connection | 01:27 |
minasota | but I'm not sure if when I log in to dashboard if that is visible. I saw it in wireshark | 01:28 |
minasota | adding define('FORCE_SSL_ADMIN', true); to wp-config.php doesn't seem to work unless I have a certificate | 01:30 |
Juzzy | ah | 01:30 |
Juzzy | using apache or nginx? | 01:31 |
minasota | apache | 01:31 |
Juzzy | you blocking php from executing in wp-content/uploads? | 01:31 |
Unit193 | Neither. :3 | 01:31 |
minasota | no, it's secure, needed it enabled to install themes without sftp etc | 01:32 |
minasota | If I'm connecting to my server thru a vpn, then technically the username and password are not getting broadcast though, right? | 01:33 |
Juzzy | right | 01:33 |
minasota | Since the site is hosted on the same server | 01:33 |
Juzzy | the vpn terminates on that server? | 01:33 |
Juzzy | yea | 01:33 |
Unit193 | minasota: So why not get a cert? | 01:34 |
minasota | Unit193: do want to pay | 01:34 |
Unit193 | minasota: I don't for mine either, Let's Encrypt or StartSSL! :D | 01:34 |
minasota | hmmm | 01:35 |
Unit193 | I'd recommend looking into them, these days. | 01:35 |
Juzzy | very few of the gazillion wordpress hacks are from stolen passwords | 01:36 |
Unit193 | Hah, yeeeeah. :P | 01:36 |
minasota | www-data breaches I assume... | 01:36 |
minasota | Lesson learned from Linux Mint | 01:37 |
Juzzy | there's a lot of local hax on bad plugins | 01:37 |
Juzzy | and bad permissions that let key files get overwritten | 01:37 |
minasota | Unit193: would a StartSSL Class 1 cert be fine? | 01:38 |
Unit193 | 'Tis what I use. | 01:38 |
Juzzy | you can also restrict urls based on from ip addresses too | 01:39 |
Juzzy | just use a self signed one | 01:39 |
minasota | ah | 01:39 |
Juzzy | unless you're receiving credit cards or something | 01:39 |
Juzzy | and need to build trust with customers | 01:40 |
minasota | na, I just want the login to be secure | 01:40 |
Juzzy | self-signed are just as secure as purchased ones | 01:40 |
Juzzy | end users just can't validate it's not some hacked Chinese server | 01:41 |
minasota | Even though I'm connecting thru a vpn, I still don't like the password being in plain text | 01:41 |
Juzzy | heh | 01:41 |
Juzzy | if someone can steal that passwd they have hacked your local server | 01:41 |
Juzzy | and you have much bigger issues | 01:41 |
minasota | Juzzy: I doubt I'll have that problem, no one seems to visit my site anyway lol | 01:42 |
Juzzy | they can just inject their own l/p | 01:42 |
Juzzy | who do you host with | 01:42 |
minasota | Digital Ocean droplet that I installed wordpress on. | 01:43 |
Juzzy | ah ok | 01:50 |
Juzzy | I'd offer to scan it | 01:50 |
Juzzy | DO probably has protections for you | 01:50 |
bwmaker | Morning, folks. | 14:16 |
Juzzy | sup | 16:44 |
bwmaker | Hey, Juzzy. | 19:11 |
Juzzy | heya | 19:12 |
Juzzy | been trying to build a sysadmin style blog, i doubt I'll get anyone following me though | 19:12 |
bwmaker | For me, blogging is about thinking through things more than trying to be interesting. I don't care so much if people follow, but if I put something out there that helps someone, it's been useful for both of us. | 19:35 |
bwmaker | So keep at it. :) | 19:35 |
Juzzy | true but I want to get enough people interested so maybe I can write an ebook on topics | 19:42 |
Juzzy | like how we moved out 750 servers to aws using automation | 19:42 |
Juzzy | our* | 19:42 |
Juzzy | that's a $30k-50k consultant in most places | 19:43 |
bwmaker | Nice. | 19:55 |
bwmaker | AWS will own us all one day. | 19:55 |
netritious | Howdy | 23:40 |