WordPress – selective proxy / firewalling
As mentioned before, I block most webservers I'm responsible for from making port 80 outbound requests. This helps reduce the likelihood of someone exploiting a vulnerability on one of the sites, as Apache wouldn't be able to download some sort of rootkit and so on.
Anyway, the firewall bit is relatively easy... (this is shamelessly stolen from Bytemark):
# Remove any previous copy of the chain, then recreate it and hook it into OUTPUT
/sbin/iptables -D OUTPUT -j no_www
/sbin/iptables --flush no_www
/sbin/iptables --delete-chain no_www
/sbin/iptables --new-chain no_www
/sbin/iptables -I OUTPUT -j no_www
# Loopback traffic is fine
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data -o lo -j ACCEPT
# DNS queries are fine
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
# TCP/UDP/ICMP are blocked
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www --protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
The annoying bit is that when this is done, WordPress's admin panel becomes a bit useless... this can be cunningly fixed by editing the wp-config.php file and adding in something like:
// Only send WordPress's own outbound requests via the proxy when browsing from the office PC
if ($_SERVER['REMOTE_ADDR'] == '') {
    define('WP_PROXY_HOST', '');
    define('WP_PROXY_PORT', '3128');
    // Requests to these hosts skip the proxy
    define('WP_PROXY_BYPASS_HOSTS', 'localhost');
}
So, if I’m browsing from my office PC, everything should just happily work.
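To check what the no_www chain above actually lets the web server user do, here is a small first-match model of those rules (an added example, not code from the original post or from Bytemark). It handles only the options these rules use; the interface name eth0 and the sample packets are constructed.

```python
import shlex

# The no_www rules from the post, minus the "/sbin/iptables -A no_www" prefix.
RULES = """
-m state --state NEW --match owner --uid-owner www-data -o lo -j ACCEPT
-m state --state NEW --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
-m state --state NEW --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
-m state --state NEW --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
-m state --state NEW --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
--protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
"""

# Option -> packet field it constrains (only the options used above).
FIELDS = {"--state": "state", "--uid-owner": "uid", "-o": "out_if",
          "--protocol": "proto", "--dport": "dport"}


def parse(rule):
    """Turn one rule line into (match-criteria dict, target)."""
    tokens = shlex.split(rule)
    criteria, target = {}, None
    for opt, val in zip(tokens, tokens[1:]):
        if opt in FIELDS:
            criteria[FIELDS[opt]] = val
        elif opt == "-j":
            target = val
    return criteria, target


def verdict(packet, rules=RULES):
    """First matching rule wins. None means no rule in no_www matched,
    so the packet carries on through the rest of OUTPUT."""
    for line in rules.strip().splitlines():
        criteria, target = parse(line)
        if all(str(packet.get(k)) == v for k, v in criteria.items()):
            return target
    return None


if __name__ == "__main__":
    # Constructed sample packets; "eth0" is an assumed external interface name.
    base = {"uid": "www-data", "state": "NEW", "out_if": "eth0"}
    for extra in ({"proto": "tcp", "dport": 80}, {"proto": "udp", "dport": 53},
                  {"proto": "tcp", "dport": 3128},
                  {"proto": "tcp", "dport": 3128, "out_if": "lo"}):
        print(extra, "->", verdict({**base, **extra}))
```

In this model a new connection from www-data to a proxy on port 3128 is accepted only over lo, so a proxy on another host would need its own ACCEPT rule ahead of the REJECT rules.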
Pidgin / MSN – ‘Unable to validate certificate’
Yesterday, I was forced to do some work, at work, when Pidgin failed to connect to MSN. It was a hard day.
I use Ubuntu Maverick on my desktop, and started out using the 'stock' Ubuntu version. As this wasn't working, my first thought was to upgrade to the latest Pidgin release. Previously I've compiled it from source, but this time I just used a PPA (see here).
But still, it didn’t work.
Time to rummage some more – and I found the following bug report – so I added in my 2p, and waited. Eventually the following solution came up:
- Within Pidgin, go to Tools -> Certificates and delete the one for omega.contacts.msn.com
- Visit https://omega.contacts.msn.com and download the SSL certificate (e.g. if using Firefox, click on the SSL icon in the URL bar and then export it (save to file)).
- From within Pidgin's 'Tools -> Certificates' Certificate Manager, click Add and add in the SSL certificate you've just saved.
Now it works again.
What is vaguely curious is why Adium (which I use on my MacBook at home) didn't have a problem – I thought they [Pidgin + Adium] were built off the same code base, and expected it to break, but it didn't.