Category: Confidentiality

Derrick Smith Header Image
Recent Posts

File permissions on computer systems have long been the go-to security mechanism to protect files and restrict access for authorized use only but file permissions can only work when they are configured correctly. WordPress, like all other client/server web content platforms has files that are presented to a webserver which makes them accessible to a browser. These files, if configured incorrectly, can introduce malware into WordPress sites or provide attackers a way to escalate privileges.

WordPress.org publishes strict hardening guidance around file permissions here. To make configuring WordPress permissions easier, I wrote a script to automate the process.

For this script to work, I made a few assumptions about your environment:

  • Your web server is Apache installed on a Linux operating system
  • The root directory for your WordPress installation is located at /var/www/{virtual_host}/

To Run the script, supply the virtual host folder on the command line as a script parameter.

You can find the script below.

https://github.com/derricksmith/wordpress/blob/master/Permissions/wordpress.sh

!/bin/bash
SITE_FOLDER=$1
echo "Change owner on all sites"
echo ""
echo "chown -R -F www-data:www-data /var/www"
chown -R -f www-data:www-data /var/www
echo "Securing the entire site $SITE_FOLDER"
echo ""
echo "chmod 755 -type d /var/www/$SITE_FOLDER"
find /var/www/$SITE_FOLDER -type d -exec chmod 755 {} \;
echo "chmod 755 -type f /var/www/$SITE_FOLDER"
find /var/www/$SITE_FOLDER -type f -exec chmod 644 {} \;
echo "chmod 640 /var/www/$SITE_FOLDER/.php" chmod 640 /var/www/$SITE_FOLDER/.php
echo "chmod 640 -type f /var/www/$SITE_FOLDER/wp-admin"
find /var/www/$SITE_FOLDER/wp-admin -type f -exec chmod 640 {} \;
echo "chmod 640 -type d /var/www/$SITE_FOLDER/wp-admin"
find /var/www/$SITE_FOLDER/wp-includes -type f -exec chmod 640 {} \;
echo "chmod 440 /var/www/$SITE_FOLDER/.htaccess"
chmod 644 /var/www/$SITE_FOLDER/.htaccess
echo "chmod 766 /var/www/$SITE_FOLDER/sitemap." chmod 766 /var/www/$SITE_FOLDER/sitemap.
echo "chown -R www-data:www-data /var/www/$SITE_FOLDER/wp-content/uploads"
chown -R -f www-data:www-data /var/www/$SITE_FOLDER/wp-content/uploads
chmod 777 -R /var/www/$SITE_FOLDER/wp-content/uploads
find /var/www/$SITE_FOLDER/wp-content/uploads -type f -exec chmod 660 {} \;
chmod 770 -R /var/www/$SITE_FOLDER/wp-content/upgrade
chmod 750 -R /var/www/$SITE_FOLDER/wp-content/plugins
find /var/www/$SITE_FOLDER -name 'index.php' -exec chmod 640 {} \;
echo "Done"

If this script helped you with your WordPress permissions please leave me a comment below.

One of the better features of Palo Alto’s PAN-OS is the ability to define dynamic block lists as firewall objects. This feature enables the firewall to poll a HTTP/HTTPS source for a list of IPs or URLs which can then be acted upon by firewall policies. There are a number of publicly available IP lists and threat intelligence feeds that can be consumed by these objects on the Palo Alto firewall but generating IP lists from internal sources, such as IDS/IPS can be cumbersome. Depending on the type of threats you encounter, it may be beneficial to block IP addresses or URLs picked up by your IDS systems. To solve this problem I wrote a python script that can be run at the command line to generate a list of IP addresses that can be consumed by Palo Alto.

Use this on a SIEM to dynamically block threats that match IDS/IPS rules. All data generated from the script is stored in a local JSON file and an IP list is outputted to a text file at the designated location. The JSON file stores current, historical and excluded IPs and the script logs information to a syslog file and to the terminal if verbose is enabled.

I wanted a relatively low maintenance solution and the initial use case for the was to temporarily block reconnaissance traffic such as port scanning. Given this, I used a penalty system to increment the time an IP is blocked each time the IP is seen. Of course, you could utilize the script to block an IP indefinitely also.

You can find the tool on Github at https://github.com/derricksmith/siem/tree/master/av2pa and the command usage is below. If you find this script useful, please drop me a comment below or on Github.

Usage

Arguments

-a, –action           Define the action [add,remove,exclude,clear]

-v, –verbose        Output to terminal

-i, –ip                  IP address (required when action = add,remove,exclude)

-p, –penalty        Penalty for IP address

Actions

add

Add an IP address to the block list. If no penalty is defined the penalty is incremented each time the IP address is added until it reaches 16(indefinite).

remove

Remove an IP address from the block list. Removes the IP from the current, history and exclude dictionaries.

exclude

Add an IP to the exclude list. Excluded IPs will not be processed.

clear

Removes all IPs from the current, history and exclude dictionaries.

cycle

Cycles the blocklist and checks IPs and Penalty times. If penalty has been reached, IPs are removed from the blocklist. IPs with a penalty of 16 are not removed. Suggest running this on a cron job to periodically cycle through the IP list.

Penalties

1 = 1 minute

2 = 5 minutes

3 = 10 minutes

4 = 15 minutes

5 = 30 minutes

6 = 60 minutes (1 hour)

7 = 180 minutes (3 hours)

8 = 360 minutes (6 hours)

9 = 720 minutes (12 hours)

10 = 1440 minutes (1 day)

11 = 4320 minutes (3 days)

12 = 10080 minutes (7 days)

13 = 20160 minutes (14 days)

14 = 43200 minutes (30 days)

15 = 525600 minutes (1 year)

16 = indefinite

Run at command line

Block 1.2.3.4 temporarily, penalty is incremented

./av2pa.py -a add -i 1.2.3.4

Block 1.2.3.4 for 1 day

./av2pa.py -a add -i 1.2.3.4 -p ’10’

Block 1.2.3.4 indefinately

./av2pa.py -a add -i 1.2.3.4 -p ‘~’

Remove 1.2.3.4

./av2pa.py -a remove -i 1.2.3.4

Exclude 1.2.3.4

./av2pa.py -a exclude -i 1.2.3.4

Run Cron

* * * * * python path/to/your/av2pa.py

Script Settings

blocklist

Set location of the blocklist (e.g ‘/var/www/block_inbound.txt’). This file should be https accessible if you intend to setup a Palo Alto External Dynamic List

log

Set a log file location (e.g ‘/var/log/block_inbound’)

timezone

Set the local timezone(e.g ‘America/Denver’)