Tuesday, December 8, 2015

Block WordPress XML-RPC Requests Using Apache .htaccess

I recently noticed an increase in unauthorized attempts to access the /xmlrpc.php endpoint of the company WordPress blog. Although the attempts appear to have been unsuccessful, we decided to limit access to the endpoint to requests originating from the company networks and VPN nodes. The following are some steps you can take if you are facing a similar situation.

Edit the blog .htaccess file:

vi /var/www/html/style-blog/style-blog/.htaccess

Add or update the following:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 50.111.111.111
allow from 127.0.0.1
</Files>

This blocks access to xmlrpc.php from all hosts except localhost and 50.111.111.111 (a fictitious IP address standing in for the San Francisco office). Keep in mind that anything which legitimately talks to XML-RPC from outside those networks, such as the WordPress mobile apps, Jetpack and pingbacks, is blocked as well.

To grant access to another host, white-list its IP address with an additional `allow from` directive. Apache re-reads .htaccess on every request, so the change takes effect immediately, provided the directory's `AllowOverride` setting permits `Limit` (or `All`). Only if you put the same block in httpd.conf instead, or have to change `AllowOverride`, does the daemon need a restart:

sudo /etc/init.d/httpd restart

To test whether it works, request http://blog.mycompany.com/xmlrpc.php from both an allowed and a disallowed network. The following cURL command can be used to check XML-RPC access (add -i if you also want to see the HTTP status line):

curl http://blog.mycompany.com/xmlrpc.php

You should see the following message when the request comes from a machine whose public IP address is white-listed:

"XML-RPC server accepts POST requests only."

You should see the following output when accessed from a machine whose public IP address is NOT white-listed:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xmlrpc.php
on this server.</p>
<hr>
<address>Apache/2.2.31 (Amazon) Server at blog.weddingtonway.com Port 80</address>
</body></html>
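The block above uses the Apache 2.2 order/deny/allow syntax, which matches the Apache/2.2.31 shown in the 403 page. On Apache 2.4 those directives only keep working through mod_access_compat; the native form is Require. The following is an added example, not configuration from the original post, showing the equivalent 2.4 block, plus the mod_remoteip settings you need when the server sits behind a load balancer or reverse proxy (in that case REMOTE_ADDR is the proxy's address and an IP allow list never matches the real client). The VPN range 10.8.0.0/24 and the proxy range 10.0.0.0/8 are placeholders.

```apache
# Apache 2.4 form of the <Files xmlrpc.php> block (added example, not the post's own config).
# In .htaccess, Require needs AllowOverride AuthConfig (order/deny/allow needed Limit).
<Files "xmlrpc.php">
    # Several Require lines inside <Files> are OR'd together (an implicit <RequireAny>).
    Require ip 127.0.0.1 ::1
    Require ip 50.111.111.111
    # A whole office or VPN range can be given in CIDR form (10.8.0.0/24 is a placeholder).
    Require ip 10.8.0.0/24
</Files>

# Main server config, only when a load balancer or reverse proxy is in front of Apache
# (needs mod_remoteip). Without this, REMOTE_ADDR is the proxy's address and nothing
# matches the allow list. 10.0.0.0/8 is a placeholder for the proxy's own range; X-Forwarded-For
# is only believed when the connection comes from an address inside it, since the header
# is otherwise client-controlled and would let anyone spoof a white-listed address.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8
```

Whichever syntax you use, repeat the cURL check from an outside address after the change; a test from inside the office proves only the allow rule, not the deny.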

Thursday, November 5, 2015

Creating and Verifying MD5 Checksums

Creating MD5 Checksums

The md5sum command found on most Unix/Linux operating systems can be used to create MD5 checksums for files or to verify the integrity of files if the MD5 checksums for those files are already available.

Let us suppose you want to create an MD5 checksum file containing the checksums for the binary files my_disk_image-1.iso, my_disk_image-2.iso and my_disk_image-3.iso. You can accomplish this by passing the three files as arguments to the md5sum command and redirecting the output to a text file:

$ md5sum -b my_disk_image-1.iso my_disk_image-2.iso my_disk_image-3.iso > MD5SUM

The "-b" option instructs md5sum to treat each file as binary. If you are working with text files, you can use the "-t" option (on Linux both modes produce the same digest; the flag only changes the marker written before the file name). The generated checksum file "MD5SUM" will look similar to the following:

302d1a8fa7e13871d9909947eb23935d *my_disk_image-1.iso
2f5be4a2fe3d80b134aba6c6023eca57 *my_disk_image-2.iso
52237af3336321e0b03586055b8e5d78 *my_disk_image-3.iso

The first 32 characters of each line are the MD5 checksum (the 128-bit digest in hexadecimal) for the file named on that line. The asterisk that precedes the file name indicates that the file was hashed in binary mode; in text mode a second space appears there instead.

Directories and Subdirectories

The following command computes checksums for every file in a given directory and its sub-directories (find's -print0 together with xargs -0 keeps file names containing spaces or newlines from being split):

find /path/to/the/directory -type f -print0 | xargs -0 md5sum > MD5SUM

For example, this command creates a file called "md5sums" containing the MD5 checksums for all the files in /usr/share/man and its sub-directories:

find /usr/share/man -type f -print0 | xargs -0 md5sum -b > md5sums

As you can see from the path names, the command has created MD5 hashes for files residing at various levels of the directory tree. Because find was given an absolute path, the recorded names are absolute too, and a later md5sum -c will look for the files at exactly those paths:

...
3710f7bc99303ceb90a1ae1e75361913 */usr/share/man/fr/man7/backend.7.gz
f3f6fb8a04b9e78971d875ed8645f848 */usr/share/man/fr/man7/filter.7.gz
9caaf4f56d9f2a72ce9fe977c703475c */usr/share/man/man5/sane-dc210.5.gz
f170bb97e4fc6b919426cfecc2ef583b */usr/share/man/man5/faillog.5.gz
...

Verifying a File's Integrity Using its MD5 Checksum

To generate the MD5 checksum for a file you can do the following:

$ md5sum -b my_disk_image-1.iso
e36e064cf65e4dc62ea279dc860c8f9a *my_disk_image-1.iso

Checking each of the 32 characters of the checksum against the original is tedious. If you already have the original MD5 checksum file, you can perform the following:

$ cat MD5SUM
302d1a8fa7e13871d9909947eb23935d *my_disk_image-1.iso
2f5be4a2fe3d80b134aba6c6023eca57 *my_disk_image-2.iso
52237af3336321e0b03586055b8e5d78 *my_disk_image-3.iso
$ ls my*.iso
my_disk_image-1.iso  my_disk_image-2.iso my_disk_image-3.iso
$ md5sum -c MD5SUM 
my_disk_image-1.iso: OK
my_disk_image-2.iso: OK
my_disk_image-3.iso: OK

Here are some status messages you may see:

OK                   - MD5 checksums matched.
FAILED               - The MD5 checksums did not match.
FAILED open or read  - The file could not be read or is missing.

In a script, check the exit status rather than parsing these lines: md5sum -c exits non-zero if any listed checksum did not match or any listed file could not be read. The --quiet option suppresses the OK lines and --status suppresses all output, leaving only the exit status.

When Checksums Fail

Here is a case where validating the checksums failed:

my_disk_image-1.iso: OK
my_disk_image-2.iso: FAILED
md5sum: my_disk_image-3.iso: No such file or directory
my_disk_image-3.iso: FAILED open or read
md5sum: WARNING: 1 of 3 listed files could not be read
md5sum: WARNING: 1 of 2 computed checksums did NOT match

In the above scenario:

  • my_disk_image-1.iso was identical to the original.
  • my_disk_image-2.iso was different from the original.
  • my_disk_image-3.iso was missing from the directory.

Beyond MD5

The sha1sum (that is a "one", not a lowercase "L") command can be used to create a SHA-1 checksum. The sha224sum, sha256sum, sha384sum, and sha512sum commands compute the 224, 256, 384, and 512 bit (respectively) SHA-2 hashes. The usage and options of these commands are the same as for the md5sum command. Keep in mind what a checksum does and does not prove: any of these digests will catch accidental corruption or a truncated download, but MD5 (and SHA-1) are no longer collision resistant, so someone who controls the file you download can prepare two files with the same MD5, one benign and one not; for files from untrusted sources prefer sha256sum. Also, a checksum file fetched from the same server as the file it covers only shows that the two agree. To know the file is what the publisher released, the checksums have to arrive over a separate trusted channel or carry a signature (for example a GPG signature) that you verify first.
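As an added example (not part of the original post), the same create/verify cycle written in Ruby, so that a deployment script can act on the result instead of scraping md5sum's output. It reads the checksum file format shown above (hex digest, a space, then `*` for binary or a second space for text, then the file name), chooses the algorithm from the digest length so the same code accepts sha256sum and sha512sum files, and reports each file as ok, failed or missing with the same exit-status rule as md5sum -c. The sample files and their contents are constructed in a temporary directory; none of the names or digests are the post's data.

```ruby
require 'digest'
require 'tmpdir'

# One line of a checksum file: "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode).
SUM_LINE = /\A([0-9a-fA-F]+) [ *](.+)\z/

# The digest length identifies the algorithm, the same split the sha*sum commands make.
DIGEST_BY_HEX_LENGTH = {
  32  => Digest::MD5,
  40  => Digest::SHA1,
  64  => Digest::SHA256,
  128 => Digest::SHA512
}.freeze

# Hash a file in 64 KiB chunks so a multi-gigabyte ISO is never read into memory at once.
def file_digest(path, algorithm)
  digest = algorithm.new
  File.open(path, 'rb') do |f|
    while (chunk = f.read(65_536))
      digest.update(chunk)
    end
  end
  digest.hexdigest
end

# Verify every entry in a checksum file, mirroring md5sum -c.
# Returns { file name => :ok | :failed | :missing }. Relative names are resolved
# against the checksum file's directory, absolute names (as produced by the
# find example above) are used as-is.
def verify_checksum_file(sum_path, base_dir = File.dirname(sum_path))
  results = {}
  File.foreach(sum_path) do |line|
    m = SUM_LINE.match(line.chomp)
    next unless m # skip blank or malformed lines
    expected, name = m[1].downcase, m[2]
    algorithm = DIGEST_BY_HEX_LENGTH.fetch(expected.length) do
      raise ArgumentError, "unrecognised digest length in: #{line.chomp}"
    end
    path = File.expand_path(name, base_dir)
    results[name] =
      if !File.file?(path) || !File.readable?(path)
        :missing                                   # md5sum's "FAILED open or read"
      elsif file_digest(path, algorithm) == expected
        :ok
      else
        :failed
      end
  end
  results
end

# Exit status as md5sum -c reports it: 0 only if every listed file verified.
def exit_status(results)
  results.values.all? { |s| s == :ok } ? 0 : 1
end

# Constructed sample: three small "images", a checksum file over them, then one
# file tampered with and one deleted, reproducing the failure case above.
def sample_run(dir)
  names = %w[img-a.iso img-b.iso img-c.iso]
  names.each { |n| File.write(File.join(dir, n), "contents of #{n}\n") }
  lines = names.map { |n| "#{file_digest(File.join(dir, n), Digest::MD5)} *#{n}" }
  File.write(File.join(dir, 'MD5SUM'), lines.join("\n") + "\n")
  File.write(File.join(dir, 'img-b.iso'), "tampered\n") # changed after hashing
  File.delete(File.join(dir, 'img-c.iso'))              # missing at verify time
  verify_checksum_file(File.join(dir, 'MD5SUM'))
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    results = sample_run(dir)
    results.each { |name, status| puts "#{name}: #{status.to_s.upcase}" }
    puts "exit status: #{exit_status(results)}"
  end
end
```

The algorithm is picked from the digest length rather than from the checksum file's name, so a file produced with `sha256sum > SHA256SUMS` verifies the same way; the digest-length check also rejects a truncated or hand-edited entry instead of silently treating it as a mismatch.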

Links

MD5
http://en.wikipedia.org/wiki/MD5
checksum
http://en.wikipedia.org/wiki/Checksum
md5sum
http://en.wikipedia.org/wiki/Md5sum

Tuesday, June 9, 2015

Using Peddler to Access Amazon Marketplace Web Service (MWS)

Peddler is a Ruby gem that can be used to access Amazon Marketplace Web Service (Amazon MWS) from Ruby. The following are some Ruby snippets that can be used to write a Ruby script that accesses MWS or to make ad-hoc queries against MWS from within IRB (Interactive Ruby).

Install the Peddler gem:

gem install peddler
Successfully installed excon-0.45.3
Successfully installed jeff-1.3.0
Successfully installed peddler-0.16.0

You may have to use sudo, depending on how you installed RubyGems.

Set up the Peddler client instance. The IDs and keys below are placeholders; in a real script read the AWS access key and secret from environment variables or a file outside the repository rather than hard-coding them in source, since the secret key signs every MWS request made as your seller account:

require 'peddler'

# Setup client
client = MWS::Orders::Client.new({
  :primary_marketplace_id => "ATVPD00000000",                             # Marketplace ID
  :merchant_id            => "A1UX7000000000",                            # Seller ID
  :aws_access_key_id      => "AKIAJ000000000000000",                      # AWS Access Key ID
  :aws_secret_access_key  => "fT+tcCTUBUsd7w00000000000000000000000000"   # Secret Key
})

# Setup error callback. This helps debugging Amazon API error messages.
client.on_error{|req,resp| puts resp.body }

# Get API Status
puts client.get_service_status

The following are some of the ways you can query MWS orders:

# Retrieve orders. CreatedAfter or LastUpdatedAfter must be specified.
# - created_after
# - created_before
# - last_updated_after
# - last_updated_before
# - order_status  (Unshipped, Shipped, Canceled)

resp1 = client.list_orders(:created_after => '2015-05-01')
puts resp1.body

resp2 = client.list_orders(:created_after => '2015-05-01', :order_status => ['Unshipped', 'PartiallyShipped'])
puts resp2.body

resp3 = client.list_orders(:created_after => '2015-05-01', :order_status => ['Shipped'])
puts resp3.body
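The snippets above print resp.body raw. As an added example, neither Peddler's own code nor the post's, the following builds the client from environment variables instead of literals, parses the ListOrders XML into plain hashes, and follows NextToken across result pages. Assumptions: the environment variable names are mine; `list_orders_by_next_token` is assumed to be Peddler's method for the MWS ListOrdersByNextToken operation, following the same naming as the `list_orders` call used above; and the two response bodies are constructed samples with made-up order IDs, served by an offline stand-in client so the block runs without credentials or network access.

```ruby
require 'rexml/document'

# Build the Peddler client from the environment instead of literals in the source.
# Variable names are assumed; export them in the shell before running.
def mws_client_from_env
  require 'peddler'
  MWS::Orders::Client.new(
    primary_marketplace_id: ENV.fetch('MWS_MARKETPLACE_ID'),
    merchant_id:            ENV.fetch('MWS_SELLER_ID'),
    aws_access_key_id:      ENV.fetch('MWS_ACCESS_KEY_ID'),
    aws_secret_access_key:  ENV.fetch('MWS_SECRET_ACCESS_KEY')
  )
end

# First child element with the given local name, or nil. REXML::Element#name is the
# local name, so the MWS default namespace does not get in the way.
def child(elem, name)
  elem.elements.each { |c| return c if c.name == name }
  nil
end

def child_text(elem, name)
  c = child(elem, name)
  c && c.text
end

# Every descendant element with the given local name, in document order.
def descendants(node, name, acc = [])
  node.elements.each do |c|
    acc << c if c.name == name
    descendants(c, name, acc)
  end
  acc
end

# Parse a ListOrders or ListOrdersByNextToken response body into
# { orders: [...], next_token: String or nil (nil on the last page) }.
def parse_list_orders(xml)
  doc = REXML::Document.new(xml)
  orders = descendants(doc.root, 'Order').map do |o|
    total = child(o, 'OrderTotal')
    {
      id:            child_text(o, 'AmazonOrderId'),
      status:        child_text(o, 'OrderStatus'),
      purchase_date: child_text(o, 'PurchaseDate'),
      total:         total && "#{child_text(total, 'Amount')} #{child_text(total, 'CurrencyCode')}"
    }
  end
  token = descendants(doc.root, 'NextToken').first
  { orders: orders, next_token: token && token.text }
end

# Yield every order of a query, page by page. `client` must respond to list_orders
# and list_orders_by_next_token (the latter is an assumed Peddler method name).
def each_order(client, query)
  resp = client.list_orders(query)
  loop do
    page = parse_list_orders(resp.body)
    page[:orders].each { |o| yield o }
    break unless page[:next_token]
    resp = client.list_orders_by_next_token(page[:next_token])
  end
end

# Constructed sample responses (fake order IDs), shaped like MWS Orders API output.
NS = 'https://mws.amazonservices.com/Orders/2013-09-01'.freeze
SAMPLE_PAGE_1 = <<~XML
  <ListOrdersResponse xmlns="#{NS}">
    <ListOrdersResult>
      <NextToken>AAAAAAAAAAAAAAAAAAAAAAAAAAAA</NextToken>
      <Orders>
        <Order><AmazonOrderId>000-0000000-0000001</AmazonOrderId><PurchaseDate>2015-05-02T19:46:27Z</PurchaseDate>
          <OrderStatus>Unshipped</OrderStatus><OrderTotal><CurrencyCode>USD</CurrencyCode><Amount>49.99</Amount></OrderTotal></Order>
        <Order><AmazonOrderId>000-0000000-0000002</AmazonOrderId><PurchaseDate>2015-05-03T08:12:00Z</PurchaseDate>
          <OrderStatus>Shipped</OrderStatus><OrderTotal><CurrencyCode>USD</CurrencyCode><Amount>120.00</Amount></OrderTotal></Order>
      </Orders>
    </ListOrdersResult>
  </ListOrdersResponse>
XML
SAMPLE_PAGE_2 = <<~XML
  <ListOrdersByNextTokenResponse xmlns="#{NS}">
    <ListOrdersByNextTokenResult>
      <Orders>
        <Order><AmazonOrderId>000-0000000-0000003</AmazonOrderId><PurchaseDate>2015-05-04T11:00:00Z</PurchaseDate>
          <OrderStatus>Canceled</OrderStatus></Order>
      </Orders>
    </ListOrdersByNextTokenResult>
  </ListOrdersByNextTokenResponse>
XML

# Stand-in client serving the constructed pages; swap for mws_client_from_env to hit MWS.
class OfflineClient
  Response = Struct.new(:body)
  def list_orders(_query)               ; Response.new(SAMPLE_PAGE_1); end
  def list_orders_by_next_token(_token) ; Response.new(SAMPLE_PAGE_2); end
end

if __FILE__ == $PROGRAM_NAME
  each_order(OfflineClient.new, created_after: '2015-05-01') do |o|
    puts [o[:id], o[:status], o[:total], o[:purchase_date]].join('  ')
  end
end
```

The XML is walked by local element name rather than by XPath so that the default namespace on the response root does not need to be declared, and a page with no NextToken ends the loop; a real run should also respect the MWS throttling limits on ListOrders, which the offline client does not model.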

These are some documentation pages that were helpful when investigating Peddler:

Peddler
https://github.com/hakanensari/peddler
Peddler API Docs
MWS::Orders::Client
MWS::Orders::Client#list_orders
Amazon API Docs
List Orders