Thursday, May 21, 2020

PHP - CSRF tokens

In this example I created a simple CSRF token and checked it on form submission. Obviously the final implementation is going to take more than what I am showing here. But the point here is to understand what CSRF tokens are, how they are created and how they are used. One clarification up front: a CSRF token does not validate a user's identity; the session cookie does that. What the token proves is that a POST came from a form this server issued to this session, and not from a third-party page that the user's browser happened to load while logged in.

A CSRF token is unique to each session, generated from cryptographically secure random bytes, and kept server-side. The server embeds it in the form it serves, and on the subsequent HTTP request it checks that the value sent back matches the stored one, which is how it knows the request came from the page it handed to that client. Below in PHP I start a session and generate the token with random_bytes(), which returns cryptographically secure pseudo-random bytes; bin2hex() then converts those raw bytes into a hexadecimal string so the value can be placed in HTML. Note that bin2hex() adds no randomness of its own; all of the unpredictability comes from random_bytes().



The HTML is a simple submit form where a user enters their name, and a CSRF token is then created. Within this code you can see that the token value is produced with SHA-256, which is a hash function rather than encryption: it yields a fixed-length digest that cannot be reversed, so a token built this way can only be checked by recomputing it. When the submitted CSRF token matches the value the server computes for the submitted name, the page reflects "Your name is: (your name you have submitted)".


Here is what the output looks like when the name matches the token.


Here is a view from the Console to see what the page is doing. You can see the long hex-encoded csrf value that is created when I enter my name 'Jason'.


Here, since I haven't created somewhere to store values, I am going to manually change the value for illustrative purposes. Now I set the value to changedValue0101010101. When I click submit this CSRF token will not match my name and the error message will be displayed.
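As an added example (this is not the code from the original post), here is the synchronizer-token pattern the walkthrough above is working toward. The difference from the demo is where the token lives: it is generated with random_bytes(), stored in the session, embedded in the form, and compared on submission with hash_equals(). A token that is only recomputed from the submitted name can be recomputed by anyone who knows the name, whereas a random token stored server-side cannot be guessed or derived. This assumes PHP 7 or later with default session handling; the field names csrf and name are my own choice.

```php
<?php
// Added example, not the code from the original post. Synchronizer-token
// CSRF protection: a random token stored in the session and compared on
// submission. Assumes PHP 7+ (random_bytes, hash_equals) with default
// session handling; the field names 'csrf' and 'name' are my own choice.
declare(strict_types=1);

session_start();

// One token per session. random_bytes() is the CSPRNG; bin2hex() only
// makes the 32 raw bytes printable and adds no randomness of its own.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The submitted value is checked against the server-side copy, never
// recomputed from other form fields. hash_equals() compares in constant
// time so response timing does not reveal how much of the token matched.
function csrf_valid($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        echo 'Error: CSRF token did not match.';
        exit;
    }
    // Escape before reflecting user input so the demo does not become XSS.
    $name = htmlspecialchars((string) ($_POST['name'] ?? ''), ENT_QUOTES, 'UTF-8');
    echo "<p>Your name is: {$name}</p>";
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <label>Name: <input type="text" name="name"></label>
    <button type="submit">Submit</button>
</form>
```

Save this as a single page (for instance index.php) under Apache with PHP, load it, and submit the form. To reproduce the failure case from the post, edit the hidden csrf field's value in the browser's developer tools before clicking submit; the server responds with 403 because the edited value no longer equals the one in the session. When a user logs in, call session_regenerate_id(true) and clear the stored token so a token issued to the anonymous session is not carried into the authenticated one.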





CSRF tokens are used widely around the internet and are the standard mechanism for a server to confirm that a state-changing request came from its own pages rather than from a forged cross-site request. They complement, rather than replace, the session cookie that identifies the user; the cookie says who is asking, the token says the request was not forged on their behalf. Marking the session cookie SameSite adds a second, browser-enforced layer of the same protection.







Wednesday, May 20, 2020

Mouseflow for understanding customers and visitors

I found this today and it's quite interesting. With Mouseflow on a web page I am able to see recorded user sessions. This is particularly interesting because you can fully put yourself in the shoes of your visitors and see exactly how they interacted with a web page. It didn't seem to capture my particles.js particles I put on the test page, but it captured everything else. So it's not perfect but it seems to accurately record all the visitor's movements and actions. 

This is obviously more useful as you analyze thousands of visitors and then clear patterns can be more visible. So by taking into account what parts of a site people hover a mouse over or what they actually click on it gives a direction for what to focus on based on the site's user base.

The installation was quite simple. I included this little JavaScript tag:

        <!--Mouseflow Test -->
        <script type="text/javascript">
            window._mfq = window._mfq || [];
            (function() {
                var mf = document.createElement("script");
                mf.type = "text/javascript"; mf.defer = true;
                mf.src = "//cdn.mouseflow.com/projects/XX.js";
                document.getElementsByTagName("head")[0].appendChild(mf);
            })();
        </script>

I then activated the test page from the Mouseflow owner account and after I visited the page I was able to see my recorded session. 


Tuesday, May 19, 2020

Using Memcached to store and retrieve session data

I started with creating an Ubuntu VPS. I then installed Memcached from the CLI via SSH from my local machine. I secured the '.conf' file by setting it to listen on localhost and disabling UDP. Memcached has no authentication at all by default, so binding to localhost is what keeps anyone else off it; I then enabled SASL authentication so that my PHP scripts have to present credentials to Memcached before they can read or write keys.


I then added Apache and PHP to the server. Next I created a php info page and put it on the server to view the memcached information. I can see that memcached is installed and is communicating with PHP properly.


 

Next, to get a simple connection working and some data flowing back and forth, I created this simple PHP page with a key. The script opens a new Memcached instance pointed at localhost and gets the requested key. If no key is found it adds one. On the next refresh the newly created key, which is a string of text, is retrieved from Memcached.
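As an added example (not the script from the original post, whose screenshots are not reproduced here), the following PHP shows the get-then-add round trip the post describes, and then the step that actually puts session data into Memcached, which is the point of the setup. It assumes the php-memcached extension (the Memcached class), a daemon bound to 127.0.0.1:11211 with SASL turned on, and the placeholder credentials replaced with real ones.

```php
<?php
// Added example, not the code from the original post. Talks to the local
// Memcached daemon from PHP and stores PHP session data there. Assumes the
// php-memcached extension, memcached listening on 127.0.0.1:11211 with SASL
// enabled, and the placeholder credentials below replaced with real ones.
declare(strict_types=1);

const MC_HOST = '127.0.0.1';
const MC_PORT = 11211;

function memcached_client(): Memcached
{
    $mc = new Memcached();
    // SASL requires the binary protocol; set the option before adding servers.
    $mc->setOption(Memcached::OPT_BINARY_PROTOCOL, true);
    $mc->setSaslAuthData('phpapp', 'replace-me'); // placeholder credentials
    $mc->addServer(MC_HOST, MC_PORT);
    return $mc;
}

// Return the cached value, or store $value if the key is absent.
// Memcached::add() succeeds only when the key does not exist, so two
// requests racing on a cold cache cannot both believe they created it.
// getResultCode() distinguishes a stored false/empty value from a miss.
function fetch_or_add(Memcached $mc, string $key, string $value, int $ttl = 300): array
{
    $cached = $mc->get($key);
    if ($mc->getResultCode() === Memcached::RES_SUCCESS) {
        return ['hit' => true, 'value' => $cached];
    }
    if ($mc->add($key, $value, $ttl)) {
        return ['hit' => false, 'value' => $value];
    }
    // Lost the race to another request (or the write failed): read it back.
    $cached = $mc->get($key);
    return ['hit' => $mc->getResultCode() === Memcached::RES_SUCCESS, 'value' => $cached];
}

$mc = memcached_client();
$r = fetch_or_add($mc, 'greeting', 'Hello from Memcached');
echo $r['hit'] ? 'Cache hit: ' : 'Cache miss, stored: ', $r['value'], PHP_EOL;

// Session storage: hand $_SESSION persistence to the memcached extension so
// session data never touches local disk. For a SASL-protected server the
// handler's credentials go in php.ini (memcached.sess_sasl_username and
// memcached.sess_sasl_password), because the handler opens its own connection.
ini_set('session.save_handler', 'memcached');
ini_set('session.save_path', MC_HOST . ':' . MC_PORT);
session_start();
$_SESSION['visits'] = (int) ($_SESSION['visits'] ?? 0) + 1;
echo 'Visits this session: ', $_SESSION['visits'], PHP_EOL;
```

The first request prints a cache miss and a visit count of 1; refreshing prints a cache hit and an incrementing count, which confirms both the key round trip and that the session is being read back from Memcached rather than from the default file store. The 300-second TTL on the demo key is arbitrary; session entries expire according to session.gc_maxlifetime.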









Wednesday, May 13, 2020

Add cPanel & WHM to CentOS VPS (Log Rotation, Configuring BIND nameserver & Backups...)


For this example I added cPanel & WHM to a CentOS VPS I created. Upon installation of cPanel I did a lot of configurations including setting up the log rotations, a BIND nameserver and backups.

The installation from the command line is simple. The syntax is just a little different than in most of my other posts, where I use Ubuntu because that's my favorite Linux distribution. However, I like to use the most efficient tools when I can, and in this case it's CentOS. I have done a fair amount of scripting and automation using CentOS and Vagrant boxes, so this was a cinch.

To install the latest version of cPanel from the command line the commands are as follows (run as root). One caveat: as written the installer is fetched over plain HTTP, which gives no protection against tampering in transit, so prefer an HTTPS download URL where the vendor offers one:

cd /home
wget -N http://httpupdate.cpanel.net/latest
sh latest
/usr/local/cpanel/cpkeyclt 



From here the most difficult parts are done and the rest is quite intuitive if you've worked with servers and monitoring systems. I added my email and the nameservers to begin with. As you can see below with cPanel it is more about just knowing how to configure the system and you just select your parameters. For example at the bottom of this screen shot you can even select how you want to receive Apache logs. 


Next I was able to configure the Log Rotation. Log rotation is important so that ever-growing log files do not fill the disk. In this automated process log files are compressed and stored within an archive folder for cPanel.


The cPanel allows for a lot of customization. In a previous blog post I went over how to manually create Cron Jobs: https://jgardnerla.blogspot.com/2020/04/cron-job-daemon-shell-script-to-send.html. However, with cPanel it's very simple to just plug in the days and times you want updates and backups to run. The manual process is good because it allows you to do more customization but this is a good solution if you want simple administration from a GUI.



As simple as cPanel is to use, there is a lot it can do. Here I synchronized the server time, which matters for accurate log timestamps and for TLS, since certificate validity periods are checked against the system clock.

The server is just getting set up, but here are the initial server logs. The system is starting up and the daemons are beginning to listen on their appropriate ports so that they can spring into action when they are needed.


And here is the BIND nameserver starting up successfully.




Now to administer the cPanel I can just return to the secure portal and begin with any customizations or configurations that are required.

Monday, May 4, 2020

Certbot server for SSL certificate (Let's Encrypt) using SHA256withRSA


This is a really simple way of obtaining SSL/TLS certificates from Let's Encrypt with Certbot and having them renewed automatically. I just added python-certbot-apache from the command line.


Then I edited the /etc/apache2/sites-available/(TheTestDomain).conf file to have the proper server name. I kept the default request scheme and port numbers. Now to renew the certificate all I have to do is run "certbot renew" from the command line: it checks every certificate Certbot manages, renews any that is within 30 days of expiry (Let's Encrypt certificates are valid for 90 days), and the Apache plugin installs the new one. The Ubuntu certbot package also installs a systemd timer (certbot.timer) that runs this same check twice a day, which is what makes renewal hands-off.



Now you can see that upon visiting the domain the connection is deemed secure because there is a proper certificate. 


Here is more detailed information about the domain and the certificate. 



Here is the overview information of the certificate. It is signed using SHA256withRSA, meaning an RSA signature over a SHA-256 digest of the certificate. This is the signature algorithm that authenticates the certificate; the encryption of the connection itself is negotiated separately in the TLS handshake.


And now I just quickly double checked that certificates can indeed be renewed successfully.

Disk space utilization monitoring with email alerts - Ubuntu Linux - Apache Server

This is very simple but very powerful. Within Linux you can create programs that are always executing or running silently in the background. These are called daemons, and they do everything from waking up a computer when a mouse is moved to automatically backing up a server, or, in this case, monitoring a server 24/7 and sending alerts when it notices anything suspicious or out of line.

Below I created a simple daemon that monitors disk space utilization and sends emails to an account at tester@slabj.com, which is the domain for the test server this is created on.

In essence an infinite loop is created and when a predefined threshold is crossed the server sends an email message to alert the administrator. The rest of the process is identical to what I covered in monitoring memory usage in this way so I won't go over that again but you can look at that article here for more clarity: https://jgardnerla.blogspot.com/2020/04/cron-job-daemon-shell-script-to-send.html




Create a Samba file share (SMB server) to send and receive files


Samba serves files over the SMB protocol. It fills a similar role to FTP but is more robust and can be used as a file sharing and storage system. First I created a Linux Ubuntu virtual machine and installed Samba from the command line. I created a user named tester and added a password.



I next created a directory to be shared (/home/tester/samba). I configured the /etc/samba/smb.conf file as below with the samba path and users. This is also not a read-only share, so files can be uploaded. Because what lands here ends up served by the web server, the share should be limited to the tester account with the valid users setting and guest access left off (guest ok = no); otherwise anyone who can reach the share can place content on the site.

Next I opened a connection locally from my macbook to the server. The server is at the IP of the VPS I created and samba is located at ('/').


Connecting from the mac in this way doesn't require the CLI. From here it is GUI based and is pretty straightforward. I just connect and then I can drag and drop files into my local samba folder, which will write the contents to the web folder.



Here is a sample text file I created in Atom on my macbook that I will send to the server.


And here it is on my virtual machine in a text file I opened with nano. Overall SMB creates an easy and efficient way of transferring files from client machines to a main server, or vice versa.


Automated Exploitation of a Bluetooth vulnerability that leads to 0-click code execution

This blog post covers an interesting vulnerability that was just discovered earlier this year and an open source free tool that was created ...