[00:29] <Juzzy> feedback welcome for you nginx users:
[00:29] <Juzzy> http://www.hax.nu/linux/nginx-missing-commands
[00:30] <Juzzy> http://www.hax.nu/security/securing-nginx
[01:09] <minasota> Juzzy: you host your site using wordpress?
[01:26] <Juzzy> ya this one is wordpress
[01:26] <minasota> Do you have ssl enabled when logging into the dashboard?
[01:26] <Juzzy> no
[01:26] <Juzzy> heh
[01:27] <minasota> I just realized on mine that the username and password get sent clear text
[01:27] <Juzzy> I own the servers and the router this is behind
[01:27] <Juzzy> so yea you can deface it if you really wanted to, I'd have to restore from a backup
[01:27] <minasota> I host from a DO droplet that has a constant vpn connection
[01:28] <minasota> but I'm not sure if when I log in to dashboard if that is visible. I saw it in wireshark
[01:30] <minasota> adding   define('FORCE_SSL_ADMIN', true);  to wp-config.php doesn't seem to work unless I have a certificate
[01:30] <Juzzy> ah
[01:31] <Juzzy> using apache or nginx?
[01:31] <minasota> apache
[01:31] <Juzzy> you blocking php from executing in wp-content/uploads?
[01:31] <Unit193> Neither. :3
[01:32] <minasota> no, it's secure, needed it enabled to install themes without sftp etc
[01:33] <minasota> If I'm connecting to my server thru a vpn, then technically the username and password are not getting broadcast though, right?
[01:33] <Juzzy> right
[01:33] <minasota> Since the site is hosted on the same server
[01:33] <Juzzy> the vpn terminates on that server?
[01:33] <Juzzy> yea
[01:34] <Unit193> minasota: So why not get a cert?
[01:34] <minasota> Unit193: do want to pay
[01:34] <Unit193> minasota: I don't for mine either, Let's Encrypt or StartSSL! :D
[01:35] <minasota> hmmm
[01:35] <Unit193> I'd recommend looking into them, these days.
[01:36] <Juzzy> very few of the gazillion wordpress hacks are from stolen passwords
[01:36] <Unit193> Hah, yeeeeah. :P
[01:36] <minasota> www-data breaches I assume...
[01:37] <minasota> Lesson learned from Linux Mint
[01:37] <Juzzy> there's a lot of local hax on bad plugins
[01:37] <Juzzy> and bad permissions that let key files get overwritten
[01:38] <minasota> Unit193: would a StartSSL Class 1 cert be fine?
[01:38] <Unit193> 'Tis what I use.
[01:39] <Juzzy> you can also restrict urls based on from ip addresses too
[01:39] <Juzzy> just use a self signed one
[01:39] <minasota> ah
[01:39] <Juzzy> unless you're receiving creditcards or something
[01:40] <Juzzy> and need to build trust with customers
[01:40] <minasota> na, I just want the login to be secure
[01:40] <Juzzy> selfsign are just as secure as purchased ones
[01:41] <Juzzy> end users just can't validate it's not some hacked chinese server
[01:41] <minasota> Even though I'm connecting thru a vpn, I still don't like the password being in plain text
[01:41] <Juzzy> heh
[01:41] <Juzzy> if someone can steal that passwd they have hacked your local server
[01:41] <Juzzy> and you have much bigger issues
[01:42] <minasota> Juzzy: I doubt I'll have that problem, no one seems to visit my site anyway lol
[01:42] <Juzzy> they can just inject their own l/p
[01:42] <Juzzy> who do you host with
[01:43] <minasota> Digital Ocean droplet that I installed wordpress on.
[01:50] <Juzzy> ah ok
[01:50] <Juzzy> i'd offer to scan it
[01:50] <Juzzy> DO probably has protections for you
[14:16] <bwmaker> Morning, folks.
[16:44] <Juzzy> sup
[19:11] <bwmaker> Hey, Juzzy.
[19:12] <Juzzy> heya
[19:12] <Juzzy> been trying to build a sysadmin style blog, i doubt I'll get anyone following me though
[19:35] <bwmaker> For me, blogging is about thinking through things more than trying to be interesting. I don't care so much if people follow, but if I put something out there that helps someone, it's been useful for both of us.
[19:35] <bwmaker> So keep at it. :)
[19:42] <Juzzy> true but I want to get enough people interested so maybe I can write an ebook on topics
[19:42] <Juzzy> like how we moved out 750 servers to aws using automation
[19:42] <Juzzy> our*
[19:43] <Juzzy> that's a $30k-50k consultant in most places
[19:55] <bwmaker> Nice.
[19:55] <bwmaker> AWS will own us all one day.
[23:40] <netritious> Howdy