It has been only within the last couple of days that the website has been back online. For better or for worse, in October I decided to do a backup and hit the do-release-upgrade button on the box. It didn’t go well.
Nowadays, with security holes being flagged left, right and centre, and being a great advocate of keeping the software updated, I took a stab. Funnily enough, the system decided to use ‘sleight of hand’, turned my arm and drove the knife back into me. 100% damage. 1 hit. Didn’t really see that coming.
More annoyingly, my resurrect potion had no effect because the backup was totally rubbish. (I really must play about with backups more…).
Anyway, after a nice system admin reset my box, the painstaking task of preparing, installing and configuring started again. But this time, with some interesting revelations! I decided to ditch loads of software, thus making this new build a bit more economic.
Let’s see, a massive ditch of vsftpd! This has always been a pain in the arse to configure and set up correctly, especially when it comes to permissions. I now use SFTP, which is not only a bit less fiddly, but it also allows me to close about 25 ports and relieves F2B of having to monitor the auth logs. Sorted!
I have also come to the conclusion that I may have to understand openvpn a bit more; I decided to ditch openvpn-as for a few reasons, mainly because of the juggling needed to effectively secure the web admin interface. It wasn’t worth broadcasting on the internet for just an initial connection setup of 2 devices.
I tried having the pages on a different port which I would manually open/close when needed, and also tried .passwd in .htaccess, but that could be circumvented.
Lastly, I decided to remove the training wheels, that is, phpmyadmin. Just like the openvpn-as UI issue, this is the same difference. I really do love phpmyadmin to bits, but unless you’re hosting sites for friends / family etc., it’s not worth having such a security risk left public.
Lastly, WordPress. I decided that for compatibility, Google reCAPTCHA must go. However, I have replaced it with Akismet and a fail2ban plugin to hopefully cover my ass. I will be looking at this more closely.
So all in all, it wasn’t such a bad ordeal in the end, but it has taken me some time to rethink the situation. I have a few things to check off my list before I can happily say that recovery time is at a low, but at least for now this build is running really well!