How to patch Windows Server 2012 R2 to resolve the MS15-034 vulnerability

The vulnerability (CVE-2015-1635) sits in the HTTP.sys kernel driver and could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. Windows 7, 8 and 8.1 and Windows Server 2008 R2, 2012 and 2012 R2 are all affected; in practice that means every one of them that exposes HTTP.sys (IIS, or anything else that registers URLs with it) to the network. The fix is the MS15-034 update, KB3042553.

Windows Update seems to have done the trick automatically for my 2008 R2 servers, but the 2012 servers are still affected after installing the latest updates.

How to check whether you are affected

If you have a Linux server lying around, request a static file that exists on the target with a Range header whose upper bound is 2^64 - 1 (iis-85.png is the default IIS 8.5 welcome-page image, so it is present on an untouched default site):

wget --header="Range: bytes=18-18446744073709551615" http://serverip/iis-85.png

An unpatched server answers with 416 Requested Range Not Satisfiable; a patched one rejects the header with 400 Bad Request. Any other status means the file was not found or the Range header was ignored, and tells you nothing. Keep the range start at 18 (anything above 0 will do): a range starting at 0 is the denial-of-service variant of the same bug and can blue-screen an unpatched server, so only probe systems you are responsible for.
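The one-line wget test above is enough for a single server, but it leaves the interpretation to you. The script below is an added example written for this page, not code from the original post: it wraps the same probe in curl, first confirms that the test file really exists (so a 404 is not mistaken for "patched"), and turns the pair of status codes into a verdict. It assumes curl is installed and that each URL points at a static file on the target; the host in the usage comment is a documentation address, not a real server.

```shell
#!/bin/sh
# MS15-034 (CVE-2015-1635) checker built around curl.
# Usage: ./ms15034-check.sh http://192.0.2.10/iis-85.png [more URLs...]
set -eu

# Start the range at 18, never at 0: a range starting at 0 is the
# denial-of-service variant and can blue-screen an unpatched server.
RANGE_HEADER='Range: bytes=18-18446744073709551615'

# http_status URL [HEADER] -> prints the HTTP status code of a GET.
# curl prints 000 (and exits non-zero) when the host does not answer,
# so the failure is swallowed and 000 is returned as the code.
http_status() {
  url="$1"; hdr="${2:-}"
  if [ -n "$hdr" ]; then
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -H "$hdr" "$url" || true
  else
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url" || true
  fi
}

# ms15034_verdict BASELINE PROBE -> prints what the two status codes mean.
# BASELINE is a plain GET of the file, PROBE the same GET with RANGE_HEADER.
ms15034_verdict() {
  baseline="$1"; probe="$2"
  if [ "$baseline" != "200" ]; then
    echo "inconclusive: test file returned $baseline, pick a static file that exists"
  elif [ "$probe" = "416" ]; then
    echo "VULNERABLE: HTTP.sys accepted the oversized Range (416)"
  elif [ "$probe" = "400" ]; then
    echo "patched: HTTP.sys rejected the Range with 400"
  else
    echo "inconclusive: probe returned $probe (Range ignored, or not HTTP.sys at all)"
  fi
}

# check_host URL -> one line per host, baseline request first, then the probe.
check_host() {
  url="$1"
  b=$(http_status "$url")
  p=$(http_status "$url" "$RANGE_HEADER")
  printf '%s -> %s\n' "$url" "$(ms15034_verdict "$b" "$p")"
}

for u in "$@"; do
  check_host "$u"
done
```

Run it against a list of URLs after patching as well as before: a host that still returns 416 after the update usually has not been rebooted yet.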

Continue reading

How to enable/disable the VMware ESXi 5.x firewall

I just installed a fresh VMware ESXi 5.5 and configured the firewall using the vSphere client to not allow remote connections. When testing the firewall I noticed that the rules weren't working. There seems to be no way to see the status of the firewall or enable/disable it through vSphere, but it turned out to be disabled by default.

To enable the firewall, log in to the host over SSH and run:

esxcli network firewall set --enabled true
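Since the vSphere client gives no view of the firewall state, the check has to be done with esxcli as well. The script below is an added example for this page, not code from the original post: it reads `esxcli network firewall get`, parses the three fields that matter (Loaded, Enabled, Default Action), and only flips the firewall on with a default-drop policy when it is not already enforcing. It assumes it is run in the ESXi shell (or over SSH) where esxcli is available; the two sample outputs embedded for offline testing are constructed, not captured from a real host.

```shell
#!/bin/sh
# Check and, if needed, enable the ESXi 5.x host firewall with esxcli.
# Usage: ./esxi-firewall.sh apply   (without "apply" it only defines the helpers)
set -eu

# firewall_is_enforcing OUTPUT -> 0 only when the output of
# `esxcli network firewall get` shows the firewall loaded, enabled and
# dropping by default. The output looks like:
#    Default Action: DROP
#    Enabled: true
#    Loaded: true
firewall_is_enforcing() {
  fw_out="$1"
  loaded=$(printf '%s\n' "$fw_out" | sed -n 's/^[[:space:]]*Loaded:[[:space:]]*//p')
  enabled=$(printf '%s\n' "$fw_out" | sed -n 's/^[[:space:]]*Enabled:[[:space:]]*//p')
  action=$(printf '%s\n' "$fw_out" | sed -n 's/^[[:space:]]*Default Action:[[:space:]]*//p')
  [ "$loaded" = "true" ] && [ "$enabled" = "true" ] && [ "$action" = "DROP" ]
}

# enable_firewall -> turns the firewall on with default DROP, reloads the
# rulesets and prints the new state for a second check.
enable_firewall() {
  esxcli network firewall set --enabled true
  esxcli network firewall set --default-action false   # false = DROP, true = PASS
  esxcli network firewall refresh
  esxcli network firewall get
}

# Constructed sample outputs (not from a real host) so the parser can be
# exercised without an ESXi box.
SAMPLE_DISABLED='   Default Action: DROP
   Enabled: false
   Loaded: true'
SAMPLE_ENFORCING='   Default Action: DROP
   Enabled: true
   Loaded: true'

if [ "${1:-}" = "apply" ]; then
  state=$(esxcli network firewall get)
  if firewall_is_enforcing "$state"; then
    echo "firewall already enforcing"
  else
    state=$(enable_firewall)
    firewall_is_enforcing "$state" && echo "firewall now enforcing" || {
      echo "firewall still not enforcing:"; printf '%s\n' "$state"; exit 1; }
  fi
fi
```

After enabling, `esxcli network firewall ruleset list` shows which services are allowed through; anything you opened in vSphere (SSH, the vSphere client itself) should appear there as enabled, otherwise you will lock yourself out.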

Continue reading

Export certificate and private key from a pfx file

When moving certificates from Windows servers to Linux you may need to export the private key and certificate from a pfx (PKCS#12) file. This is how it's done:

1. Export the private key

openssl pkcs12 -in cert.pfx -nocerts -out cert.key.wpass

Replace cert.pfx with the file exported from Windows. You are first asked for the import password of the pfx and then for a new PEM passphrase; the private key is written to cert.key.wpass encrypted with the passphrase you choose in this step, so keep it until the key has been converted for the target service.
Continue reading

16 simple ways to secure your WordPress site

WordPress is a popular target for attackers, and right now a lot of botnets are scanning for vulnerable sites and trying to brute-force the admin password. If you haven't hardened your WordPress installation, this is the perfect time to do it.

1. Don't use the defaults

When installing a new instance of WordPress, choose a name other than admin for the administrator account and change the default table prefix (wp_) to something else. Keep in mind that the username is not a secret: WordPress exposes it through author archives (/?author=1 redirects to the user's slug) and the REST API (/wp-json/wp/v2/users), so a different name only defeats bots that hard-code admin; a strong, unique password does the real work.
Continue reading

How to disable ciphers vulnerable to the BEAST vulnerability on Windows server/IIS

By default the SSL protocol encrypts data using CBC mode with chained initialization vectors. This allows an attacker who has gained access to an HTTPS session via a man-in-the-middle (MITM) attack or other means to obtain plaintext HTTP headers (session cookies, for instance) via a blockwise chosen-boundary attack (BCBA) in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS, or "BEAST". Whatever cipher order you end up with, do not fall back to RC4: preferring RC4 over CBC suites was the common Schannel workaround for BEAST at the time, but RC4 is now prohibited for TLS (RFC 7465), and modern browsers defeat BEAST themselves with 1/n-1 record splitting, so disabling SSL 3.0 and TLS 1.0 outright is the cleaner fix where your clients allow it.
Continue reading

How to create pfx (PKCS12) file using openssl

If you have a certificate file and private key in PEM format and need to move them to a Windows server, you can create a pfx (PKCS#12) file that Windows can import.

Here's how:

openssl pkcs12 -export -in {cer_filename}.cer -inkey {key_filename}.key -out {pfx_filename}.pfx

You will be asked to provide an export password, which you need again when you import the certificate on the Windows server. If the certificate was issued by an intermediate CA, add the intermediate certificates with -certfile so the Windows server receives the complete chain. With OpenSSL 3.x the default PKCS#12 encryption (AES-256 with a SHA-256 MAC) is not understood by older Windows versions and the import fails with a wrong-password error; in that case recreate the file with -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1.
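The two openssl posts on this page, exporting a key and certificate from a pfx and building a pfx from a certificate and key, are the two halves of one round trip. The script below is an added example written for this page, not code from either original post. It assumes openssl 1.0.2 or newer on the Linux side, uses illustrative file names, and generates a throwaway self-signed certificate as constructed test data so that it runs offline. It also carries out the steps the export excerpt above truncates: stripping the passphrase from cert.key.wpass and extracting the certificate and CA chain.

```shell
#!/bin/sh
# Move a certificate and key between Windows (.pfx / PKCS#12) and Linux (PEM)
# with openssl, in both directions, and verify the result.
# Usage: ./pfx-roundtrip.sh demo
set -eu

# make_pfx CER KEY OUT PASSWORD [CHAIN]
# Bundle a PEM certificate and its private key (plus optional chain) into a
# .pfx for Windows. PBE-SHA1-3DES with a SHA-1 MAC keeps the file importable
# on older Windows servers; OpenSSL 3 otherwise defaults to AES-256/SHA-256,
# which those versions cannot read.
make_pfx() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
      -certfile "$5" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
      -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  fi
}

# unpack_pfx PFX PASSWORD OUTDIR
# The Windows-to-Linux direction: key (passphrase-protected, then plain),
# leaf certificate and CA chain as separate PEM files.
unpack_pfx() {
  pfx="$1"; pass="$2"; dir="$3"
  mkdir -p "$dir"
  # 1. private key, still encrypted with the same passphrase (cert.key.wpass)
  openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" \
    -passout "pass:$pass" -out "$dir/cert.key.wpass"
  # 2. strip the passphrase so a daemon can read the key at start-up
  openssl pkey -in "$dir/cert.key.wpass" -passin "pass:$pass" -out "$dir/cert.key"
  chmod 600 "$dir/cert.key.wpass" "$dir/cert.key"
  # 3. the server (leaf) certificate only
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$dir/cert.crt"
  # 4. bundled intermediate/root certificates; empty file when there are none
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" \
    -out "$dir/chain.crt" 2>/dev/null || : > "$dir/chain.crt"
}

# key_matches_cert KEY CERT -> 0 when the key's public half matches the cert
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# cert_fingerprint CERT -> SHA-256 fingerprint, to prove the same cert came back
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# roundtrip_demo: constructed test data (a throwaway self-signed cert), not a
# real deployment. Returns 0 when the pfx unpacks to the same key and cert.
roundtrip_demo() {
  work=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pfx-roundtrip.example' \
    -keyout "$work/server.key" -out "$work/server.cer" 2>/dev/null
  make_pfx "$work/server.cer" "$work/server.key" "$work/server.pfx" 'Tr4nsf3r-P4ss'
  unpack_pfx "$work/server.pfx" 'Tr4nsf3r-P4ss' "$work/linux"
  key_matches_cert "$work/linux/cert.key" "$work/linux/cert.crt" || return 1
  [ "$(cert_fingerprint "$work/server.cer")" = "$(cert_fingerprint "$work/linux/cert.crt")" ] || return 1
  rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
  roundtrip_demo && echo "pfx round trip OK"
fi
```

The plain cert.key is what nginx or Apache will read, which is why it is written with mode 600 and why the passphrase-protected cert.key.wpass is kept alongside it: delete the plain copy once it has been installed under the service's own ownership if you do not want an unencrypted key lying around in a home directory.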