Monitor and alert about composer and npm package security vulnerabilities

This might be one of those itches that affects one person and one person alone, but I scratched it and now I’m sharing the result just in case someone else finds it helpful.

There are some great tools out there already to tell you if you are running outdated and vulnerable composer dependencies in your Laravel app. GitHub’s Dependabot is a common one. Freek Van der Herten’s “How to monitor your Laravel app for critical vulnerabilities” and the related “Monitor your Laravel app for vulnerabilities with Oh Dear” are other great examples of a ready-to-go solution for this.

I wanted a system that would work independent of where my code repos are hosted, that didn’t assume a fully realized Laravel app, and that integrated into my use of Nagios for infrastructure monitoring. I wanted something that would be able to take a list of root directories of any kind of application using composer and/or npm packages on a given server, and alert me if there are known security vulnerabilities to handle.

(For some reason, thinking about this as a server-level issue makes sense to me. If one package on one app on a server is vulnerable, the whole server is vulnerable to compromise.)

Thus was born package-vulnerability-audit, which combines a PHP scanning tool that runs the “audit” functions of both composer and npm on each application and outputs a JSON file with the results, and a Nagios NRPE script that checks the JSON file and returns an OK/WARNING/CRITICAL result to Nagios.

Once it’s set up, I can control the way I get alerted about these issues, and in theory give them a bit more urgency than an email notification.

The early reality is that I have some package updates to do, and I probably should have just spent time on that instead of building (with help from Claude) another tool. 😅

Simple small business proxy server using squid

When I was figuring out how to enable our team at the newspaper to work in a more distributed fashion while maintaining network security, I looked at a variety of VPN and proxy options. In the end I settled on a simple proxy server setup using the squid open source proxy software.

I needed a solution that would work not only for our staff, where I could have some significant control over the setup of their work computing devices, but also for our contractors, who would be using devices that were not under our control and presumably used for a mix of other things. I didn’t want anything locked into a hardware vendor or dependent on a specific physical office location having connectivity. I wanted something fast to set up for each individual user, and that wouldn’t require installation of special software, activating/monitoring connections, or worrying about variations in network rules about what VPN connections were allowed.

I settled on squid:

  • We have a proxy auto-configuration (PAC) file that we serve publicly.
  • We set up a squid username/password for every user that needs one.
  • Users tell their device the URL of the PAC file.
  • Their device uses our squid proxy for the hosts/IPs we specify in the PAC file, and otherwise uses their default network configuration.
  • The first time their device attempts to connect via the proxy, they’re prompted to enter their username/password, and that typically is saved in their OS settings forever.

Using this approach we can ask network traffic bound for one of our internal services/servers to go through our proxy instead of over the public Internet. That in turn allows us to limit connection attempts to only trusted internal hosts (including the proxy), creating a kind of simple private network.
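As an added illustration of the PAC file step above (example code written for this page, not the author’s own PAC file), here is a minimal FindProxyForURL that sends only the listed internal hosts, an internal domain suffix and one internal IP range through the squid proxy and lets everything else go DIRECT. The proxy address, hostnames and subnet are assumed placeholders; the dnsDomainIs/isInNet helpers a browser’s PAC engine provides are re-implemented in plain JavaScript so the file also runs outside a browser.

```javascript
// Assumed placeholder values: replace with your own proxy and internal names.
var PROXY = "PROXY proxy.example.com:3128";
var INTERNAL_HOSTS = ["wiki.example.com", "cms.example.com"];
var INTERNAL_DOMAIN = ".internal.example.com";
var INTERNAL_NET = "10.20.0.0";
var INTERNAL_MASK = "255.255.0.0";

// Plain-JS stand-ins for the PAC built-ins dnsDomainIs() and isInNet().
// Unlike the real isInNet(), this only matches IP literals; it never resolves
// hostnames, which keeps the decision deterministic and DNS-free.
function hostInDomain(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}
function ipToInt(ip) {
  var p = ip.split(".");
  return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
}
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// The entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Loopback and bare (dotless) hostnames never go through the proxy.
  if (h === "localhost" || h.indexOf(".") === -1) {
    return "DIRECT";
  }
  for (var i = 0; i < INTERNAL_HOSTS.length; i++) {
    if (h === INTERNAL_HOSTS[i]) {
      return PROXY;
    }
  }
  if (hostInDomain(h, INTERNAL_DOMAIN)) {
    return PROXY;
  }
  if (isIpLiteral(h) && inNet(h, INTERNAL_NET, INTERNAL_MASK)) {
    return PROXY;
  }
  // Everything else uses the device's normal network path.
  return "DIRECT";
}
```

Because the PAC file is served publicly, it discloses whatever internal hostnames and ranges it lists, so keep that list to the services that genuinely need to be reachable through the proxy.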


How long does it take between when a plugin update is released and when auto-updates install it on your WordPress site?

Auto-updates for WordPress themes and plugins were released this year in WordPress version 5.5. They allow WordPress site owners to opt in to having new versions of plugins and themes installed automatically when they are released, without any intervention from the site owner.

If you use auto-updates, one question might be on your mind:

How long will it take between when the author of a plugin releases a new version and when that new version is installed on your WordPress site?

This question is vital for site owners and managers. Especially in scenarios when new plugin or theme versions contain critical security fixes, time is of the essence to avoid possible unauthorized access to your WordPress site.

To get to the answer, let’s first review how plugin and theme releases happen.

The Plugin and Theme Release Process

When a plugin or theme author is ready to make an update to their software, they upload those changes to the directory on WordPress.org. This is where the code for their theme or plugin is hosted publicly.

Most theme and plugin authors also indicate the release of non-trivial changes by increasing the version number associated with their plugin. Maybe it’s a small “point release” like going from version 1.1 to version 1.2, or maybe it’s a major release like going from version 3.0 to version 4.0. The change in version number lets everyone know that there’s new functionality and fixes available. It’s a convenient way to refer to how software has changed over time.

Once the updated software and the version number change are live on WordPress.org, they immediately take effect for new installations of that plugin or theme. Anyone downloading and installing a plugin or theme from that directory will now be using the latest code made available by the author.

But what about existing sites that already have that theme or plugin installed? How do they learn about the new changes and new version?

How WordPress Sites Discover Updates

You might think it happens through a “push notification” sent to your site from WordPress.org. But the WordPress.org systems would have to contact thousands or maybe millions of sites to tell them about an update to a single plugin. That’s just not practical.
