Category: GitHub

Introducing Passwds.io

Pronounceable Password Generator

I’d had this code sitting around for a while and decided to make a new site dedicated to it. It’s called passwds.io. It’s a simple service that produces pseudo-random passwords that have some elements that can actually be pronounced, hopefully making them easier to remember.

I do not recall where I got the original code to generate the pronounceable passwords, but am trying to find the source so I can credit where it’s deserved.

I threw thew site at passwds.io together in about an hour using the newest Bootstrap, PHP, and jQuery.

Brandon Lighter brought up the fact that I could be storing all generated passwords, but I’m not. This was developed as a tool for myself to use while I was a sys admin at a large local business, I’d use it to create new passwords for users in Active Directory. It’s still the same code.

Once I can bring the code to a level that isn’t so scattered, I will put it on GitHub so everyone can see the source and what’s going on. It’s really very, very simple.

Of course, I could omit the important “logging” piece when pushing to GitHub, but at some point people just have to trust others, and I’m flat out saying there’s no type of logging being done at passwds.io, other than the standard Google Analytics and Gaug.es for site analytics/

Brandon does bring up good points though, like no usage of special characters.

Secondly, they are only lower-case, upper-case, and numbers, which means you are pulling from a much smaller character set than you could be, making brute-force attacks easier.

I may add an option to do pronounceable passwords, or passwords with special characters enabled, which would probably break pronounceability. But options are always nice.

If you have other suggestions, I’d love to hear them. I’ve debated adding user accounts and the ability to save your generated passwords (that would be accessible only by you), but that sort of goes beyond the scope of passwds.io, which is simple, fast password password creation.

An example output from passwds.io can be seen in the screenshot below.
passwdsio-results

Also, check out Placezombie.com if you’re looking for some pretty gruesome zombie images to use as placeholder images in your designs. Sample 900×150 pixel greyscale image below, achieved with https://placezombie.com/g/900×150 :

Anyway, like I said, I’d love to hear your thoughts on passwds.io. Leave a comment here, it’s the best way to communicate with me about passwds.io. I haven’t bothered setting up passwds.io email yet.

0

Quickly Deploy LAMP Stacks with ServerPilot

Easily Deploy LAMP Stacks, and it’s free

I have yet to use ServerPilot, but will be setting up a new VPS at DigitalOcean in the coming weeks for a new venture. ServerPilot makes getting a LAMP stack setup very quickly.

ServerPilot will automatically install Nginx, Apache, PHP, and MySQL on a new, freshly installed/created, 64-bit Ubuntu 12.04 or Ubuntu 14.04. So if you’re using DigitalOcean, create your Droplet, and SSH to it. You should be able to harden SSH up a little, but make sure you don’t install any new packages yet.

Getting Started

Getting started with ServerPilot is crazy easy. All you need to be able to do is SSH into your server and run a command. I highly doubt anyone reading this doesn’t know how to do this. If you don’t, Google will tell you how.

1. Sign Up

Sign up for a free account with ServerPilot.

2. Connect A Server

“Connect” a new server. Just enter your servers hostname and click the “Continue With Setup” button. Screenshot below.
serverpilot-connect-server

3. Run The Install

Connect to your server via SSH. Remember, it must be a new server, preferably with no additional packages installed yet. To install Nginx, Apache, PHP, and MySQL, run the command below, from this gist:

The --server-id and --server-apikey values will be provided for you, they’re blacked out in the screenshot below.
serverpilot

Additional Information

On GitHub

ServerPilot also has a GitHub account with two repositories currently. One is ServerPilot/Vagrantfile and the other is ServerPilot/API.

ServerPilot/Vagrantfile

This repository provides a sample Vagrant configuration for testing ServerPilot. Basically a server that you can use to test ServerPilot before using it on a new, paid VPS. The README is very detailed, definitely read it if you need help using Vagrant. There’s even an example on using composer to create a Laravel app.

ServerPilot/API

From the README, The ServerPilot API is RESTful and allows you to manage ServerPilot resources using HTTP requests. All responses return JSON objects, including errors. As seems typical from ServerPilot, the documentation in the README is excellent.

The API will let you do things like list servers, connect new servers, or list all system users, among many others. An example that would list all servers can be seen in the gist below.

That request would return JSON similar to this:

Do you use Vagrant?

View Results

Loading ... Loading ...

Paid Accounts

You get a pretty cool monitoring dashboard for $10/month. I found the screenshot below in a post from Jake Peterson, it appears to be the ServerPilot monitoring dashboard.
serverpilot-dashboard
There’s the free plan, obviously, and then two paid plans. One is $10/month and the other is $49/month. You can see what you get for your money on their pricing page.

End

If you’re a PHP developer and use a VPS provider like DigitalOcean or Linode, ServerPilot is probably worth checking out. Even if you don’t end up using, it’s pretty neat that something like this even exists.

I only have one feature I’d really like to see, the ability to select certain packages to be installed. If that were included in the $10/month plan, I’d definitely do it. As it stands currently, though, it’s definitely a time saver and very well executed.

0

Placezombie: The Zombie Image Placeholder Service

Zombie Image Placeholders Are Back

And just in time for Halloween!

I wrote a post about my 10 favorite image placeholder services a while ago. Placezombies.com was one of them. Here’s the announcement blog post for Placezombies.com.

Down in the comments, you’ll see that the owners forgot to renew the domain name, so it obviously stopped working. The source was posted on GitHub, so I immediately forked it and got to work setting up a replacement.

A quick check revealed that placezombie.com was available, so I registered it. Score.

I really didn’t want to host this at DigitalOcean like I typically would, not knowing what to expect for bandwidth usage. Instead, I chose to host it at Heroku, using their free service.

Had a few issues getting it running, but after removing some Ruby stuff and creating the Procfile and package.json files that Heroku requires, I was almost good to go. Only thing holding me back was to replace the port number node.js was using with the port that Heroku uses. Did another git push heroku master, navigated to http://placezombie.com and there it was!

Here’s a 700×300 zombie below for proof!

Placezombie.com

That was generated like so:

<img src="http://placezombie.com/700x300" alt="Placezombie.com" />

You can do black and white images, too:
Placezombie.com

That was generated like so:

<img src="http://placezombie.com/g/700x300" alt="Placezombie.com" />

So, add some gore to your mock-ups, just make sure your clients aren’t too squeamish.
Placezombie.com

My 5 year old daughter is obsessed with Zombies and is going to fucking love this. She wants to be a Zombie Elsa (from the movie Frozen) for Halloween. :)

0

Find Shellshock Exploit Attempts & Probes From the Command Line and Papertrail

Never hurts to make sure

I’ve written about Papertrail a few times before, I love the service and it’s just too valuable to not use.

Papertrail makes it super easy to find Shellshock exploit attempts and probes. Probes are just checking a machine to see if it’s vulnerable to Shellshock. If you’re using CloudFlare, you’ll never see any Shellshock attempts show up in your logs, CloudFlare doesn’t even let them through.

See If Shellshock Affects You

Checking to see if your system is vulnerable to Shellshock is quite easy. It takes a relatively simple bash command:

env x='() { :;}; echo vulnerable to shellshock' bash -c "echo All good"

Run that code in a terminal. If you see All good, you’re not vulnerable. However, if you see vulnerable to shellshock, you are potentially vulnerable.

Yahoo-WinZip-Servers-Shellshock-Bug

Shellshocker.net provides a script that will download, compile, and install the newest version of bash for you. You should only use it though if your Linux distribution hasn’t already provided updated security release packages. If you’re interested, the code that runs Shellshocker.net is available on GitHub.

Find Shellshock Attemps and Probes Via The Command Line

This is very easy as long as you know the location of your Apache access log file. It’s typically something like /var/log/apache2/access.log. Assuming that’s the location of your Apache access log file, this command will pull out all the Shellshock probes and attempts:

grep '() {' /var/log/apache2/access.log

If nothing was returned, that means nobody has been trying to exploit Shellshock on your system, or even checking to see if your system is susceptible to Shellshock. If results are returned, look them over carefully to examine where the attempts are coming from, an IP address will be associated with every attempt.

Shellshocker.net Checker

Shellshocker.net also provides a bash script to check your machines for the Shellshock vulnerability. You can download the script and run it manually from your terminal, or, if you have cURL installed, run the following command:

curl https://shellshocker.net/shellshock_test.sh | bash

Running that command will produce results similar to the screenshot seen below. It checks for a number of Shellshock related vulnerabilities.
shellshocker

Find Shellshock Attemps and Probes With Papertrail

Go to your Papertrail events tab and search for the following:
"() {"

If anything is returned, those are Shellshock probes. Some example probes are listed in the gist that’s embedded below. None of the offending IP addresses have been redacted.

These actually made it through to Papertrail, which shouldn’t happen since longren.io sits behind Cloudflare. I’ll open a support ticket with them about it and update this post later.

0

Scotch Box: A Vagrant LAMP Stack That Just Works

Just a dead-simple local Vagrant LAMP stack for developers

I discovered Scotch Box recently, brought to us by the folks at scotch.io. It actually looks like Nicholas Cerminara has done most of the work, or as least done all of the committing to GitHub. Here’s the Scotch Box announcement at the Scotch.io blog.

After using Scotch Box for a day, I’ve decided this is how I will do all future development work. It’s so easy, and you really don’t need to know much about Vagrant or VirtualBox to get up and running with Scotch Box.

Scotch Box has a repository setup at GitHub that explains how to make use of Scotch Box. Basically, just clone the repository, and then run vagrant up inside that repo.

Scotch Box is currently running Ubuntu 12.04.5. Here’s a bit from the Scotch Box readme:

Scotch Box is a preconfigured Vagrant Box with a full array of LAMP Stack features to get you up and running with Vagrant in no time.

A lot of PHP websites and applications don’t require much server configuration or overhead at first. This box should have all your needs for doing basic development so you don’t have to worry about configuring Vagrant and you can simply focus on your code.

No provisioning tools or setup is really even required with Scotch Box. Since everything is packaged into the box, running “vagrant” is super fast, you’ll never have to worry about your environment breaking with updates, and you won’t need Internet to code.

Do you use Vagrant?

View Results

Loading ... Loading ...

Bringing Scotch Box Up

scotch

Once you’ve run vagrant up, you’ll be able to access your site at http://192.168.33.10/, you should see something similar to the image below.

Useful Stuff in Scotch Box

  • PHP 5.5
  • No Internet connection required
  • PHP errors turned on
  • Laravel and WordPress ready (and others)
  • Operating System agnostic
  • Goodbye XAMPP / WAMP
  • New Vagrant version? Update worry free. ScotchBox is very reliable with a lesser chance of breaking with various updates
  • Bootstrap and jQuery are saved in the server’s home folder in case you don’t have Internet (usually plains, trains or cars)
  • Chef and Puppet ready in case you want to add extra features on Vagrant Up
  • Super easy database access and control
    MIT License

Server Components Included

  • Apache
  • Vim
  • MySQL
  • PHP 5.5
  • Git
  • Screen
  • Composer
  • cURL
  • GD and Imagick
  • Mcrypt
  • Memcache and Memcached

Front End Stuff Included

  • NPM
  • Grunt
  • Bower
  • Yeoman
  • Gulp
vagrant-ssh

You can SSH to your server as well, by running vagrant ssh. Upon logging in via SSH you’ll see something similar to the image below.

Scotch Box is in its infancy still. It’s initial commit to GitHub was on October 6, 2014 and has about 10 commits in total.

Updating Scotch Box is easy too. To check for an updated version with Vagrant, do vagrant box outdated. That will tell you if there’s a newer version available. If there is a newer version available, you can update to it by running vagrant box update.

Head to the official Scotch Box website for more information on setting up databases, setting a hostname, and for more details on updating the box. Some basic Vagrant commands are also included to help you with basic Vagrant usage (ie: pausing, resuming, or destroying a server).

If you’re a LAMP developer like I am, and are tired of developing on your client’s dev servers, Scotch Box could be a good solution for you to develop locally. It’s sometimes much easier to develop locally then having to rely on a slow dev server provided by your client. :)

All the images in this post are included in the gallery below.

0