Security Archives - markri.nl

Secure web proxy with Symfony

April 20, 2018March 4, 2022 markri Leave a comment

For the past few months I got caught up into puppet, monitoring and other devops stuff. Wether or not security is part of devops (honestly I don’t care as long as security is taken into mind when developing) I was also tasked with securing some backend systems for the company that I work for as part of ISO 27001 certification. One of them was a PHP based application which had a code base, so old, so spaghetti bolognese that it could wake you up in the middle of night soaking in sweat when thinking about its security design. Nevertheless it was a critical application, that couldn’t be merged easily to a new code base like Symfony or another tool. So how to improve its security?

If it was built in Symfony, I could easily setup a firewall, add NelmioSecurityBundle and maybe add a 2-factor bundle and get on with it. But yeah, it wasn’t. Maybe I could just go into the spaghetti and implement some meatballs with composer and make the best of it? Meh…. There will always be the risk of open holes, maybe a “require ‘check_login.php’;” is forgotten, or login method might be vulnerable from a good old SQL injection. So this was not an option.

The app was used publicly by some of our customers, so IP whitelisting was no option. It just needed public protection from vulnerability scanners, So I wanted it to be wrapped in a secure package. More like a portal. What if I wrapped the entire application into a secured Symfony environment? But that would incur another session_start from the old application. So it needed to more separated than that. And at that point the idea of a Symfony web proxy was born. The Symfony layer would handle all the security, after which every request is proxied to the old PHP application. So the requirements would be

A symfony application @ my.symfony.proxy which functions as login portal
After logging in, every request is ported to an another site. Something like https://my.symfony.proxy —> http://old_application_at_private_location:8080

Here’s how with Symfony 4.x (using flex) on PHP 7.2.

Setting it up

First we create a new project and install and setup some needed libraries. I mentioned them here below

composer create-project symfony/skeleton .
composer require sec-checker # Enable vulnerability scan for packages
composer require --dev profiler # Easy dev time
composer require logger # Logs might come in handy
composer require doctrine/orm doctrine/doctrine-bundle # Database access for users
composer require form # Login form
composer require security nelmio/security-bundle symfony/security # Security components
composer require guzzlehttp/guzzle # Proxying requests
composer require twig templating symfony/asset # Add templating

composer create-project symfony/skeleton .

composer require sec-checker # Enable vulnerability scan for packages

composer require --dev profiler # Easy dev time

composer require logger # Logs might come in handy

composer require doctrine/orm doctrine/doctrine-bundle # Database access for users

composer require form # Login form

composer require security nelmio/security-bundle symfony/security # Security components

composer require guzzlehttp/guzzle # Proxying requests

composer require twig templating symfony/asset # Add templating

Now that we installed everything we needed we can configure our application.

Security

Lets start with my favourite and most complex part of our application (now we’re still sharp). First we configure our security.yaml

Now comes the interesting part. I wanted to use the same user and password database provided by the old native PHP app. So I need to create an entity that respects the existing table, and add this as a user provider in the security.yaml.

providers:
  oldapp:
    entity:
      class: App\Entity\User
      property: username

providers:

oldapp:

entity:

class: App\Entity\User

property: username

Because the old app uses plain md5 hashing for the password without any salt or iterations I needed to change the encoder to some lower standards, so it integrates seamlessly with the old standard. Obviously this is not recommended security. If this is your exact same case, and would like to enhance this security. Then I recommend you to add an extra salt column, and rehash the password on login with some salt and iterations with the default encoder. On the login event you only need to check if there is already salt or not to pick the right encoder.

encoders:
  App\Entity\User:
    algorithm: md5
    encode_as_base64: false
    iterations: 0

encoders:

App\Entity\User:

algorithm: md5

encode_as_base64: false

iterations: 0

Now we can configure the firewall, wich is somewhat standard. Change according to your needs. Don’t forget to name the right provider.

main:
  anonymous: true
  pattern: ^/
  form_login:
    provider: oldapp
    csrf_token_generator: security.csrf.token_manager
    login_path: login
    check_path: login
    always_use_default_target_path: true
    default_target_path: /
  logout: true
  switch_user: false
  logout_on_user_change: true

main:

anonymous: true

pattern: ^/

form_login:

provider: oldapp

csrf_token_generator: security.csrf.token_manager

login_path: login

check_path: login

always_use_default_target_path: true

default_target_path: /

logout: true

switch_user: false

logout_on_user_change: true

Last but not least, add the access control

  access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: ROLE_USER }

access_control:

- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

- { path: ^/, roles: ROLE_USER }

User Entity

In my case I wanted to reuse an existing user database (within the old application), which is served under MySQL. So I created an entity which reflects this table to be able to reuse this data. This is how my entity looks like:

/**
 * @ORM\Table(name="users")
 * @ORM\Entity()
 */
class User implements AdvancedUserInterface, EquatableInterface
{

    /**
     * @ORM\Column(type="integer")
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    private $id;

    /**
     * @ORM\Column(type="string", length=25, unique=true)
     */
    private $username;

    /**
     * @ORM\Column(type="string", length=64)
     */
    private $password;

    /**
     * @ORM\Column(name="active", type="boolean")
     */
    private $active;

    /**
     * @var string No salt used in poweradmin
     */
    private $salt = '';

    /**
     * @var array Just a simple role is enough for our case
     */
    private $roles = ['ROLE_USER'];


    public function getRoles()
    {
        return $this->roles;
    }

    public function getPassword()
    {
        return $this->password;
    }

    public function getSalt()
    {
        return $this->salt;
    }

    public function getUsername()
    {
        return $this->username;
    }

    public function eraseCredentials()
    {
        // Nothing, just here to comply with interface
    }


    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof User) {
            return false;
        }

        if ($this->password !== $user->getPassword()) {
            return false;
        }

        if ($this->salt !== $user->getSalt()) {
            return false;
        }

        if ($this->username !== $user->getUsername()) {
            return false;
        }

        return true;
    }

    public function isAccountNonExpired()
    {
        return true;
    }

    public function isAccountNonLocked()
    {
        return true;
    }

    public function isCredentialsNonExpired()
    {
        return true;
    }

    public function isEnabled()
    {
        return $this->active;
    }

}

100

101

102

103

104

105

106

107

108

/**

* @ORM\Table(name="users")

* @ORM\Entity()

class User implements AdvancedUserInterface, EquatableInterface

{

/**

* @ORM\Column(type="integer")

* @ORM\Id

* @ORM\GeneratedValue(strategy="AUTO")

private $id;

/**

* @ORM\Column(type="string", length=25, unique=true)

private $username;

/**

* @ORM\Column(type="string", length=64)

private $password;

/**

* @ORM\Column(name="active", type="boolean")

private $active;

/**

* @var string No salt used in poweradmin

private $salt = '';

/**

* @var array Just a simple role is enough for our case

private $roles = ['ROLE_USER'];

public function getRoles()

{

return $this->roles;

}

public function getPassword()

{

return $this->password;

}

public function getSalt()

{

return $this->salt;

}

public function getUsername()

{

return $this->username;

}

public function eraseCredentials()

{

// Nothing, just here to comply with interface

}

public function isEqualTo(UserInterface $user)

{

if (!$user instanceof User) {

return false;

}

if ($this->password !== $user->getPassword()) {

return false;

}

if ($this->salt !== $user->getSalt()) {

return false;

}

if ($this->username !== $user->getUsername()) {

return false;

}

return true;

}

public function isAccountNonExpired()

{

return true;

}

public function isAccountNonLocked()

{

return true;

}

public function isCredentialsNonExpired()

{

return true;

}

public function isEnabled()

{

return $this->active;

}

Controllers

We need a few methods; first the login and logout method, which are pretty straight forward.

    public function login(AuthenticationUtils $authUtils)
    {
        // get the login error if there is one
        $error = $authUtils->getLastAuthenticationError();

        // last username entered by the user
        $lastUsername = $authUtils->getLastUsername();

        return $this->render('security/login.html.twig', array(
            'last_username' => $lastUsername,
            'error'         => $error,
        ));
    }

    public function logout(Request $request, TokenStorageInterface $storage)
    {
        $storage->setToken(null);
        $request->getSession()->invalidate();

        return $this->redirect($this->generateUrl('login'));
    }

public function login(AuthenticationUtils $authUtils)

{

// get the login error if there is one

$error = $authUtils->getLastAuthenticationError();

// last username entered by the user

$lastUsername = $authUtils->getLastUsername();

return $this->render('security/login.html.twig', array(

'last_username' => $lastUsername,

'error' => $error,

));

}

public function logout(Request $request, TokenStorageInterface $storage)

{

$storage->setToken(null);

$request->getSession()->invalidate();

return $this->redirect($this->generateUrl('login'));

}

Then finally the core of this whole blog, a catchall controller. This method is called upon every other request (catchall magic is handled in the routing part further on). It just reads the current request, and passes everything within a curl request (Guzzle) to the old application that needs to be protected. In my case I placed the application in nginx under port 8080, which is shielded by a firewall and only accessible from localhost. Change the URL to your own “old application”

    public function catchall(Request $request, TokenStorageInterface $storage)
    {
        // Catch logout action, to redirect to own logout function
        if ($request->query->get('logout') !== null) {
            return $this->redirect('logout');
        }

        $client = new Client();

        $baseURL = 'http://localhost:8080';
        $cookieJar = unserialize($request->getSession()->get('appcookie'));
        $url = $baseURL . $request->getPathInfo();

        $headerparams = $request->headers->all();
        $formparams = $request->request->all();
        $query = $request->query->all();

        $result = $client->request($request->getMethod(), $url, [
            'headers' => $headerparams,
            'form_params' => $formparams,
            'query' => $query,
            'cookies' => $cookieJar
        ]);

        return new Response($result->getBody(), $result->getStatusCode(), $result->getHeaders());
    }

public function catchall(Request $request, TokenStorageInterface $storage)

{

// Catch logout action, to redirect to own logout function

if ($request->query->get('logout') !== null) {

return $this->redirect('logout');

}

$client = new Client();

$baseURL = 'http://localhost:8080';

$cookieJar = unserialize($request->getSession()->get('appcookie'));

$url = $baseURL . $request->getPathInfo();

$headerparams = $request->headers->all();

$formparams = $request->request->all();

$query = $request->query->all();

$result = $client->request($request->getMethod(), $url, [

'headers' => $headerparams,

'form_params' => $formparams,

'query' => $query,

'cookies' => $cookieJar

]);

return new Response($result->getBody(), $result->getStatusCode(), $result->getHeaders());

}

So now we basically created a proxy application. Now you can serve every existing site with your own custom domain (don’t use this for bad stuff, mkay?).

Security listener

Underneath all of this, we still need to add a little more custom logic to take over the login process. Instead of logging in directly with the original login of the application, I wanted to use symfony login. This is done with a security listener. Be sure that you change the code to an actual working login.

    /**
     * @param InteractiveLoginEvent $event
     */
    public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
    {
        // Login is succesfull, so retrieve password
        $password = $event->getRequest()->request->get('_password');
        $username = $event->getRequest()->request->get('_username');
        $loginUrl = getenv('LOGIN_URL');

        // Pass it as a login request to underlying application to get the session cookie
        $cookieJar = new CookieJar();
        $client = new Client();

        $client->request('POST', $loginUrl, [
            'form_params' => [
                'query_string' => '',
                'username' => $username,
                'password' => $password,
                'userlang' => 'en_EN',
                'authenticate' => 'Go'
            ],
            'cookies' => $cookieJar
        ]);

        // Store it into our own session
        $event->getRequest()->getSession()->set('appcookie', serialize($cookieJar));
    }

/**

* @param InteractiveLoginEvent $event

public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)

{

// Login is succesfull, so retrieve password

$password = $event->getRequest()->request->get('_password');

$username = $event->getRequest()->request->get('_username');

$loginUrl = getenv('LOGIN_URL');

// Pass it as a login request to underlying application to get the session cookie

$cookieJar = new CookieJar();

$client = new Client();

$client->request('POST', $loginUrl, [

'form_params' => [

'query_string' => '',

'username' => $username,

'password' => $password,

'userlang' => 'en_EN',

'authenticate' => 'Go'

'cookies' => $cookieJar

]);

// Store it into our own session

$event->getRequest()->getSession()->set('appcookie', serialize($cookieJar));

}

Routes

There are four routes needed for the controller. Besides the security related routes there is one route which is particularly interesting. This is the catchall route which should be named lastly to catch all other routes that are not matched by the fixed security related routes. This is done by providing a regex with just .* to match anything.

login:
    path: /login
    defaults: { _controller: 'App\Controller\DefaultController::login' }

logout:
    path: /logout
    defaults: { _controller: 'App\Controller\DefaultController:logout' }

catchall:
    path: /{req}
    defaults: { _controller: 'App\Controller\DefaultController:catchall' }
    requirements:
        req: ".*"

path: /login

defaults: { _controller: 'App\Controller\DefaultController::login' }

logout:

path: /logout

defaults: { _controller: 'App\Controller\DefaultController:logout' }

catchall:

path: /{req}

defaults: { _controller: 'App\Controller\DefaultController:catchall' }

requirements:

req: ".*"

Templates

The template is a somewhat basic login template based on a simple twitter bootstrap theme. Placed under security/login.html.twig

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>{% block title %}Welcome!{% endblock %}</title>
    </head>
    <body>
        <div class="container">
    
            <form action="{{ path('login') }}" method="post" class="form-signin">
    
                <div class="form-signin-heading">
                    <h1>Please login</h1>
                </div>
    
                {% if error %}
                    <p class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</p>
                {% endif %}
    
                <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" />
    
                <label for="username" class="">Username</label>
                <input type="text" id="username" name="_username" value="{{ last_username }}" class="form-control" />
    
                <label for="password" class="">Password</label>
                <input type="password" id="password" name="_password" class="form-control"/>
    
                <button type="submit" class="btn btn-lg btn-primary btn-block">login</button>
            </form>
        </div>
    </body>
</html>

<!DOCTYPE html>

<html>

<head>

<title>{% block title %}Welcome!{% endblock %}</title>

</head>

<body>

<h1>Please login</h1>

</div>

{% if error %}

<p class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</p>

{% endif %}

<label for="username" class="">Username</label>

<label for="password" class="">Password</label>

<button type="submit" class="btn btn-lg btn-primary btn-block">login</button>

</form>

</div>

</body>

</html>

Wrapping it up

To conclude; it’s relatively easy to setup a web proxy with modern security standards to protect your old (irreplaceable) spaghetti app. With Symfony at its base, some configuration and the usage of the right libraries, we only need a few files with satisfactional result.

I created a repository which contains all of the above, which you can use out of the box. This is found at my github account @ https://github.com/markri/symfony_web_proxy

CopperheadOS review

February 7, 2017February 3, 2019 markri Leave a comment

Sadly CopperheadOS died (at least for me it did). The director of CopperheadOS found himself way to important with his dick move to seize ownership of the entire company, and left the other 50% owner (the main author behind CopperheadOS) empty handed.

Goodbye from CopperheadOS

I guess the following still applies for other ROMS. Just like Michael Micay advised, just use plain AOSP without gapps. For me this is CarbonROM with F-Droid and Yalp, while waiting for a more security and privacy centered ROM.

Unlike many, who apparently got nothing to hide (https://en.wikipedia.org/wiki/Nothing_to_hide_argument), I’m a bit keen on my privacy and security. This has probably something to do with my daily job as a DevOps engineer, but should nevertheless be interesting for anyone who wants to be back in control of their data. This CopperheadOS review is about taking that control.

One approach on security is to know where your weak spots are. For me this was my Android phone. It seems like everyone is downloading all kinds of binary apps, and are trusting them blindly. This feels likes the Window 95-98 era where many would just download and run any *.exe without hesitation. Another argument was the obscure Google Play services, not knowing what it does send back to Google and what doesn’t. And even when I do know, I don’t have any reasonable opt-out possibility for sending any data. In my quest of searching for alternative ROM for better security and privacy I found CopperheadOS. Which I’ll be reviewing here.

CopperheadOS is a plain AOSP with additional hardening and focus on open source apps, without any binary sending my data to the cloud. This was somewhat a leap of faith, as I would be obliged to part from some binary apps I rely on in my daily life (altough not entirely true, but read along). But as it turned out there are lots of open source alternatives which offer same or nearly same functionality.

App repository

Because CopperheadOS is stripped from the Google Play Framwork (hooray!) it comes with F-droid as app installer. With F-droid you can find only open source apps, so this is my primary source of finding new apps before switching to an alternative.

Binary apps

My main focus is to stay functional, not becoming some paranoid hermit with a tin foil hat. With a healthy feeling of unwillingness I had to install Whatsapp to stay connected with family and friends. I could’t convince them to use Conversations (which requires registering a jabber account). And some banking apps don’t come open source either. This is why I installed aptoide to be able to install trusted binary apps. You need to (must actually) only install trusted apps. Altough I think Aptoids’ malware checking flow could be better concerning the signature checking. Checking signature against other marketplaces is kind of vague for me. So be on your guard here.

IM

Already mentioned above, I’d like to use Conversations. It offers same functionality as whatsapp, but offers great encryption on a federated network. Which is IMHO the best kind of privacy AND security you can get nowadays without compromise. A jabber account is free for registration (e.g. jabber.at). Once you have registered a jabber account and installed conversations, switch over to OMEMO encrypted messaging.

Browser

CopperheadOS comes with Chromium as default browser. Although I like Chromium very much at my desktop (not to be confused with closed source Chrome). It doesnt allow extensions on Android. Therefore I switched to Firefox to be able to install an adblocker (ublock origin) and a cookie wall (self destructing cookies for inactive tabs).

Search engine

Sorry to say Google; you gave me great search results but I don’t want to live in your filter bubble anymore. After a period of time I started to trust the quality of search results from DuckDuckGo. I’m not saying this company is great for total anonymity, but it is far more better than Google. And in combination with self destructing cookies, searching becomes even more anonymous.

SMS

Another great thing of CopperheadOS is it’s SMS app Silence, it offers a standard SMS app with the possibility of encrypting your messages. Before first usage a key needs to be exchanged with someone who also runs Silence, after which all text messages are encrypted from that point forward.

Cloud backup

Another Google thing that needed to be untied was the backup procedure. For this I installed a Nextcloud server on a VPS and the DavDroid app on Android which syncs my contacts, agenda and tasks to NextCloud. Another nice feature is the automatic backup of newly created photo’s.

Other open source apps and alternatives

~~CSipSimple: Excellent VOIP client~~
~~DavDroid: Syncs my contacts, calendar and tasks with my NextCloud server~~
~~OpenVPN for android: Which I use on public wifi hotspots~~
~~OSMAnd~: Excellent navigation app based on open street maps~~

Conclusion

Nothing in the world comes for free, Google needs to earn some to be able to provide all the services the offer. Altough I don’t want this to be a Google rant, the ties between stock Android and the Google cloud is becoming very diffuse, and gave me an itchy feeling about it. This is why I wanted a clear cut between my data and Google, instead of paying with my privacy and not knowing how much I’ll be paying in the end. With CopperheadOS you can make a clear cut, just to be back in control of your own data without any significant compromise. Installation was pretty straigh forward on a Nexus, so it’s easy to just give it a try I’m sure that (if you have the same considerations I have) you won’t be disappointed.

WordPress CVE scanner using wpvulndb.com

September 26, 2016April 20, 2018 markri 1 Comment

In my previous posts I already wrote about a WordPress CVE scanner (part 1, part 2). It kept haunting me with failures and disappointment. It began with blackbox scanning (slow and performance killing) which moved to whitebox scanning with Wordstress which proved to be buggy. So it needed to be addressed one more time (hopefully).

Mission

A whitebox WordPress vulnerability scanner getting its CVE’s from wpvulndb.com, which is simple to use… I decided to write my own in WP-CLI.

Result

WP-CLI is an awesome tool to manage your WordPress installation from the command line, and it recently started supporting extensions. So I created one, and wrote some documentation for it. Installation is done with:

wp package install markri/wp-sec

1	wp package install markri/wp-sec

Documentation can be found at

http://wp-sec.org

It doesn’t need to be more complex than this.

Wordstress a whitebox CVE scanner for WordPress

May 27, 2016April 20, 2018 markri 2 Comments

a better whitebox scanner is found in a more recent post of mine

A.k.a. WordPress security monitoring 2. In my previous article about worpress vulnerability monitoring the tool wpscan was used. This tool is a black box scanner, which gave us too much false positives and generated a great deal of load on our server which is somewhat a waste of resources. So I went searching for a whitebox scanner to have better results and to make more efficient use of server resources. In this quest I stumbled upon Wordstress.

It came to me as a surprise that this tool isn’t actively used or downloaded. Which is a pity. I think Wordstress is greatly undervalued, because it adresses some issues which are fundamental if you take WordPress security seriously. Let me explain why by explaining the architecture, which will imply the benefits.

The Wordstress project consists of two parts:

– A WordPress plugin which exposes versions for (core, plugins and themes). Only viewable with a certain key through a GET request.
– The Wordstress Ruby gem, wich fetches all versions from the installed plugin (so you can scan remotely). The found versions are checked against the online WordPress CVE database (https://wpvulndb.com)

Console output of the ruby gem:

mdekrijger@knutsel:~/Projects/wordstress/lib$ wordstress -k 31fa45ebbc3f13ac38b0d832a29d179010dfa327 https://mysite.nl
+--------------------+-----------------------------+
| Scan summary |
+--------------------+-----------------------------+
| Wordstress version | 0.72.0 |
| Scan started | 2016-05-27 10:27:06 +0200 |
| Scan duration | 1.706 sec |
| Target | https://mysite.nl:443 |
| Wordpress version | 4.5.2 |
| Scan status | Scan completed successfully |
+--------------------+-----------------------------+
+-------------------+-----------+
| Vulnerabilities found |
+-------------------+-----------+
| Wordpress version | 0 |
| Plugins installed | 0 |
| Themes installed | 0 |
+-------------------+-----------+

mdekrijger@knutsel:~/Projects/wordstress/lib$ wordstress -k 31fa45ebbc3f13ac38b0d832a29d179010dfa327 https://mysite.nl

+--------------------+-----------------------------+

| Scan summary |

+--------------------+-----------------------------+

| Wordstress version | 0.72.0 |

| Scan started | 2016-05-27 10:27:06 +0200 |

| Scan duration | 1.706 sec |

| Target | https://mysite.nl:443 |

| Wordpress version | 4.5.2 |

| Scan status | Scan completed successfully |

+--------------------+-----------------------------+

+-------------------+-----------+

| Vulnerabilities found |

+-------------------+-----------+

| Wordpress version | 0 |

| Plugins installed | 0 |

| Themes installed | 0 |

+-------------------+-----------+

If you cron the check, and report the output (mail, monitoring tool, chat), you’re automatically reported of new vulnerabilities in your site. We added our output to a Grafana dashboard, displaying the numer of vulnerabilitis for every of our WordPress setup.

Recently I forked the gem and updated it to use the new API v2 from wpvulndb.com and implemented some extra output methods (like Nagios with appropiate exit codes). Also did some bugfixes which adds https support and improvements on error messaging. Adding new features wasn’t that hard, so please commit your missing features as a PR’s to https://github.com/thesp0nge/wordstress Paolo will be happy to merge them.

I don’t have exact numbers here, but the majority of hacks worldwide are due to outdated software. This is why Wordstress is so important, which adresses this problem. Instead many people prefer to use only a WAF plugin like Sucuri or Ithemes. Don’t get me wrong, these tools are very helpful, and I think you should use a WAF in some way, but it doesn’t address the core problem. Good security always starts with updating software.

WordPress vulnerability monitoring

November 5, 2015April 20, 2018 markri 1 Comment

Due to recurring security issues with WordPress I wanted a some kind of wordpress vulnerability monitoring for our Wordpress implementations. The current monitoring setup is implemented with good old fossil Nagios. Despite of many better alternatives, Nagios still does a great job in alerting me through the aNag app. In this post I’ll describe a simple Nagios setup for continuously monitoring WordPress vulnerabilities. It’s pretty straightforward if you already know Nagios. Nevertheless the scripts I wrote to wrap things around should be re-usable (more or less) to be used in any other setup (ELK?).

Scanning WordPress is done with the wpscan tool, which can be downloaded from http://wpscan.org . Output of this tool is stored, transformed and displayed in the Nagios way of doing this. As a prerequisite you need to install this tool on your server (hint; use the RVM method) and have PHP/MySQL installed for different subcommands that will be called.

Nagios configuration

First we’re going to write the command, service and service template in Nagios. Check interval is set to once every 24 hours. And by using a parent service (template), you can easily create more checks for other WordPress instances. I copied the configuration from my generated config, which is created by Nconf, but shouldn’t make any difference in directly using this config.

# The actual command
define command {
  command_name                          check_wordpress_security
  command_line                          /opt/wpscan/wpscan.rb --update -u $ARG1$ | $USER1$/wpsecurity_store $HOSTNAME$ '$SERVICEDESC$' | $USER1$/wpsecurity_filter | $USER1$/wpsecurity_message
}

# Service check that will pop up in your nagios dashboard
define service {
  service_description                   Check Wordpress security MySite
  check_command                         check_wordpress_security!http://www.mysite.com
  host_name                             myserver.virtual.hostingcompany.tld
  check_period                          24x7
  notification_period                   24x7
  event_handler_enabled                 0
  use                                   security-service
  contact_groups                        +admins
}

# Following is a template for this specific check, so multiple sites are easily configured without repeating config
define service {
  name                                  security-service
  register                              0
  notes_url                             /nagios/security/show.php?hostname=$HOSTNAME$&desc=$SERVICEDESC$
  max_check_attempts                    2
  check_interval                        1440
  retry_interval                        720
  notification_options                  w,u,c,r
  active_checks_enabled                 1
  passive_checks_enabled                1
  notifications_enabled                 1
  check_freshness                       0
  check_period                          24x7
  notification_period                   24x7
}

# The actual command

define command {

command_name check_wordpress_security

command_line /opt/wpscan/wpscan.rb --update -u $ARG1$ | $USER1$/wpsecurity_store $HOSTNAME$ '$SERVICEDESC$' | $USER1$/wpsecurity_filter | $USER1$/wpsecurity_message

}

# Service check that will pop up in your nagios dashboard

define service {

service_description Check Wordpress security MySite

check_command check_wordpress_security!http://www.mysite.com

host_name myserver.virtual.hostingcompany.tld

check_period 24x7

notification_period 24x7

event_handler_enabled 0

use security-service

contact_groups +admins

}

# Following is a template for this specific check, so multiple sites are easily configured without repeating config

define service {

name security-service

notes_url /nagios/security/show.php?hostname=$HOSTNAME$&desc=$SERVICEDESC$

max_check_attempts 2

check_interval 1440

retry_interval 720

notification_options w,u,c,r

active_checks_enabled 1

passive_checks_enabled 1

notifications_enabled 1

check_freshness 0

check_period 24x7

notification_period 24x7

}

The actual command(s)

When you look closely at the configured command you will see a lot of piping. I could have put all into one command, but that wouldn’t be re-usable in a future possible ELK setup. It’s also a bit easier to change these scripts to your needs, as its purpose is more obvious.

The actual scanning is done with /opt/wpscan/wpscan.rb –update -u $ARG1$. The output of wpscan is intended to be read by humans, so we need to convert this into something that Nagios understands. Note that this feature should be released in the future as it is announced in the 3.0 release of wpscan (https://github.com/wpscanteam/wpscan/issues/198). Until then we use our own filter for transforming which is defined in $USER1$/wpsecurity_filter . This filter will process the wpscan output to a JSON string which is passed to $USER1$/wpsecurity_message that will exit for your with the right exit code and message for Nagios. See gists below for this filtering and messaging to Nagios:

#!/bin/env php
<?php

$data = stream_get_contents(STDIN);

preg_match_all('/\[(\+|\!|i)][^\[]*/', $data, $sections);

$lines = $sections[0];
$types = $sections[1];

$struct = array();

if (empty($lines)) {
    echo json_encode(array(array('text'=>'No output received from wpscan')));
    exit;
}

foreach ($lines as $key => $line) {

    $text = preg_replace('/\[.\]/ ', '', $line);
    $type = $types[$key];

    if ($type == '+') {
        continue;
    }

    if (preg_match('/We could not determine a version so all vulnerabilities are printed out/', $text)) {
        continue;
    }

    if (preg_match('/vulnerabilities identified from the version number/', $text)) {
        continue;
    }

    switch(true) {
        case preg_match('/The version is out of date, the latest version/', $text):
            $falsePositiveLine = $lines[$key - 1];
            $info = $text;
            $text = preg_replace('/\[.\]/ ', '', $falsePositiveLine);

            $struct[] = array(
                'text' => $text . $info,
            );

            break;
        case $type == 'i';
            // only if previous line contains a ! add info to that item
            $previousType = $types[$key -1];
            if ($previousType != '!') {
                continue;
            }

            $pos = count($struct) -1;
            $previousStructItem = $struct[$pos];
            $previousStructItem['text'].=$info;

            // Reassign to struct
            $struct[$pos] = $previousStructItem;

            break;
        default:
            $struct[] = array(
                'text' => $text
            );
            break;
    }
}

echo json_encode($struct);

#!/bin/env php

<?php

$data = stream_get_contents(STDIN);

preg_match_all('/\[(\+|\!|i)][^\[]*/', $data, $sections);

$lines = $sections[0];

$types = $sections[1];

$struct = array();

if (empty($lines)) {

echo json_encode(array(array('text'=>'No output received from wpscan')));

exit;

}

foreach ($lines as $key => $line) {

$text = preg_replace('/\[.\]/ ', '', $line);

$type = $types[$key];

if ($type == '+') {

continue;

}

if (preg_match('/We could not determine a version so all vulnerabilities are printed out/', $text)) {

continue;

}

if (preg_match('/vulnerabilities identified from the version number/', $text)) {

continue;

}

switch(true) {

case preg_match('/The version is out of date, the latest version/', $text):

$falsePositiveLine = $lines[$key - 1];

$info = $text;

$text = preg_replace('/\[.\]/ ', '', $falsePositiveLine);

$struct[] = array(

'text' => $text . $info,

);

break;

case $type == 'i';

// only if previous line contains a ! add info to that item

$previousType = $types[$key -1];

if ($previousType != '!') {

continue;

}

$pos = count($struct) -1;

$previousStructItem = $struct[$pos];

$previousStructItem['text'].=$info;

// Reassign to struct

$struct[$pos] = $previousStructItem;

break;

default:

$struct[] = array(

'text' => $text

);

break;

}

echo json_encode($struct);

#!/bin/env php
<?php

$data = stream_get_contents(STDIN);

$lines = json_decode($data, true);

if (count($lines) == 0) {
    echo 'OK - No vulnerabilities found';
    exit(0);
}

echo sprintf('WARNING - (%s) Wordpress vulnerabilities found', count($lines));

exit(1);

#!/bin/env php

<?php

$data = stream_get_contents(STDIN);

$lines = json_decode($data, true);

if (count($lines) == 0) {

echo 'OK - No vulnerabilities found';

exit(0);

}

echo sprintf('WARNING - (%s) Wordpress vulnerabilities found', count($lines));

exit(1);

If you’ve read closely, you might already noticed a missing command, namely $USER1$/wpsecurity_store $HOSTNAME$ ‘$SERVICEDESC$‘. Reason to name this separately is because it is optional. From the outside it just moves STDIN to STDOUT, seemingly doing nothing. In its internals, it stores the output in a MySQL database, which can be accessed with a custom PHP script from the Nagios dashboard (by using the “notes_url” configuration directive). See gist below for this storage:

#!/bin/env php
<?php
$pass = '<secret>';
$user = 'nagios';
$db = 'wpsecurity';

$data = stream_get_contents(STDIN);
$hostname = $argv[1];
$desc = $argv[2];

$mysqli = new mysqli('localhost', $user, $pass, $db);

$stmt = $mysqli->prepare("INSERT INTO log (`datetime`, `output`, `server`, `desc`) VALUES (NOW(), ?, ?, ?)");
$stmt->bind_param('sss', $data, $hostname, $desc);
$stmt->execute();
$stmt->close();

$mysqli->close();

echo $data;

#!/bin/env php

<?php

$pass = '<secret>';

$user = 'nagios';

$db = 'wpsecurity';

$data = stream_get_contents(STDIN);

$hostname = $argv[1];

$desc = $argv[2];

$mysqli = new mysqli('localhost', $user, $pass, $db);

$stmt = $mysqli->prepare("INSERT INTO log (`datetime`, `output`, `server`, `desc`) VALUES (NOW(), ?, ?, ?)");

$stmt->bind_param('sss', $data, $hostname, $desc);

$stmt->execute();

$stmt->close();

$mysqli->close();

echo $data;

By using different subcommands we can easily replace the filter later on when wpscan 3.0 is released, also the wpsecurity_store is optional as it outputs exactly what it receives (so you can leave that out if you don’t want storage; also remove the notes_url from Nagios config if you do so).

Vulnerabilities overview

In the Nagios dashboard there is only room for just one sentence for the state of that service. Just naming the number of found vulnerabilities isn’t enough. That’s why we stored the output in MySQL. With a notes_url config we can redirect to a separate PHP file which will display the output generated by wpscan. Please adjust to your needs 🙂 as it is just bare minimum. In the example below are 2 PHP includes which can be downloaded from the SensioLabs repo https://github.com/sensiolabs/ansi-to-html.

<?php

include('AnsiToHtmlConverter.php');
include('Theme.php');

$pass = '<secret>';
$user = 'nagios';
$db = 'wpsecurity';

$host = $_GET['hostname'];
$desc = $_GET['desc'];

$mysqli = new mysqli('localhost', $user, $pass, $db);
$stmt = $mysqli->prepare('SELECT `datetime`, `output` FROM log WHERE `server` = ? AND `desc` = ? ORDER BY `datetime` DESC limit 1');
$stmt->bind_param('ss', $host, $desc);

$stmt->execute();
$stmt->bind_result($datetime, $output);
$stmt->fetch();
$stmt->close();

use SensioLabs\AnsiConverter\AnsiToHtmlConverter;
$converter = new AnsiToHtmlConverter();
?>

<html>
<body bgcolor="#000000">
<?php echo nl2br($converter->convert($output)); ?>
</body>
</html>

<?php

include('AnsiToHtmlConverter.php');

include('Theme.php');

$pass = '<secret>';

$user = 'nagios';

$db = 'wpsecurity';

$host = $_GET['hostname'];

$desc = $_GET['desc'];

$mysqli = new mysqli('localhost', $user, $pass, $db);

$stmt = $mysqli->prepare('SELECT `datetime`, `output` FROM log WHERE `server` = ? AND `desc` = ? ORDER BY `datetime` DESC limit 1');

$stmt->bind_param('ss', $host, $desc);

$stmt->execute();

$stmt->bind_result($datetime, $output);

$stmt->fetch();

$stmt->close();

use SensioLabs\AnsiConverter\AnsiToHtmlConverter;

$converter = new AnsiToHtmlConverter();

<html>

<?php echo nl2br($converter->convert($output)); ?>

</body>

</html>

Nagios dashboard

If all went well (see /var/log/nagios/nagios.log for errors), you should be seeing something like screenshot below. Watch for the the document icon right from the service description. This link will lead you to the next screenshot.