Categories
General

Destiny

I’ve said before about how much I enjoy playing the game Destiny, and, to a much smaller extent, its successor Destiny 2. I used to be an avid player — jumping on for a few hours a night, playing with a clan, running strikes, missions and raids.

I was a late start into Destiny. I remember buying the base game just before House of Wolves launched. That meant I missed out on the real experience of running Vault of Glass first.

I was never a PvP person. I enjoyed the stories, the character building, the worlds, the music and the exploitability the PvE experience had to offer. After playing by myself a bit I got into a clan – Legion of Morn (Which sadly is no more) after watching Brendan on Twitch. LoM were great with a few really active players and I was always able to jump on and have a run at some PvE activity. The whole community surround Destiny at the time was phenomenal. Bungie had a pretty open API that allowed people to build incredible applications. Ones that transferred gear to your characters or gave you insights into how you or other people played, and even how much time you spent on Destiny in various activities.

I ran my first raid, Vault of Glass, away back 03/03/2016, and then various raids since then. My favourite of all was Kings Fall. A proper, behemoth of an activity that replied on multiple people doing multiple things, with everyone having to take their turn – so you could always be the one who did certain things thanks to the mechanics. I only ever completed Kings Fall 4 times but man, I still reminisce on it fondly.

Destiny 2 then came out and despite being better looking, with better playability, something just didn’t strike the same feelings as Destiny 1 did. I went with my clan into Destiny 2 full of wonder, but very quickly it was apparent that some decisions had been made by Bungie that put the whole game in jeopardy — not from a “this game is going to crash” type thing, more of a “this game is about to lose all its player base”.

Destiny 2 has always had 2 sides. PvE (Player vs Everything – where you normally fight or battle computer based opponents) and PvP (Player vs Player, where you would fight against other Destiny players from around the world), and for a while, it seemed as though PvP wash the driving force behind the decisions Bungie was making, and it affected a large portion of the player base — me included.

Destiny 2 was the start of me realising that it’s not the game I started playing. It’s not the game I enjoyed playing. I’ve forced myself time and time again to play Destiny 2, having now clocked more hours in it vs Destiny, and I still just don’t feel the same about it. Some missions are brilliant. The opening story and subsequent story missions have been phenomenal, but more recently the stories just don’t feel like they have the same depth or planning as they used to.

Its a shame. I still love the stories. I still love the lore. I love the background, almost everything about it apart from playing the game. I’ll happily read the lore entries, and watch other people play – anything to do with Destiny. Apart from play it.

That saddens me.

Categories
Hosting

New Domains!

Because everyone needs more domains, right?

During a conversation the other week I was lamenting about how much of a pain it is to have to explain my domain when giving it out —

Yeah, its hyphen web — the take-away sign then the word web. W for Whisky, E for Echo, B for Bravo.

A typical reply when asked for my email address

I was asked — why don’t you just buy it without the hyphen? Good advice I suppose. Except that it had already been purchased. I checked on it previously and had done so at random intervals since registering nick-web.co.uk. The last update the wayback machine was on the 10th January 2018 – where it simply proclaimed

Welcome to nickweb.co.uk

Staging Server

and had done so since May 2013. Prior to this is looked like a personal server for a Nick B.

I love that about the Wayback Machine — pop in a domain and see how its changed over the years. I’m a bit annoyed at myself as a number of years ago I requested that I be excluded from it and I can’t figure out how to re-enable it, but I digress.

Checking the domain I seen that it was now available for purchase! So I jumped on it, meaning nick-web.co.uk is now improved, with one character less! 14 to 13 characters – a whopping 7.1% decrease!

But Wait – Theres More!

Nominet have also introduced the .uk domain – dropping the .co section. Checking with OVH they had a deal and I ended up grabbing that domain for less than £2 for the first year. A bargain! So that means that the domain now has 10 characters, translating to a near 30% reduction in characters!

The domains will all redirect to the nick-web.co.uk domain as I’ve had it since 2002. I can’t get rid of it that easily!

Why? Why not…

Categories
Hosting PHP

What to expect when your expecting… to be hacked

A bit of a disappointing one this. Theres nothing worse (well, I’m sure there is but in this context lets leave it as is) than receiving that dreaded e-mail from your host. It starts with a subject line similar to

Security Incident Concerning

and a body of text along the lines of

A security risk has been detected on your server.
We have been informed that your server contains or redirects to harmful or malicious content, such as malware or phishing sites.

Not at all ideal. In summary — the server in question began to host malicious content. It was from a domain that I don’t use and have a holding page only up, and a user at some point has reported the URL as a malware/phishing attempt. This then gets reported to my host, who then reports it to me.

After getting the email I was a bit perplexed as to how this site had been flagged as a security risk. I checked the URL given and sure enough, a redirect was in place taking it away from my server to some other (compromised) server. I thought it might have been a coding issue that allowed my domain to freely redirect pages (meaning any attacker could mask their own server with mine). I logged in and checked a few things. It wasn’t my code that was doing anything. I checked and seen a few other files that shouldn’t have been there, all with recent creation dates. A quick

find . -maxdepth 20 -mtime -20

netted me a few files that had been created 2 days prior. These were in a variety of directories, and as I spread my domains across a couple of servers these files also appeared in those directories. The suspect files all were all Base 64 encoded, and executed php scripts – given that they all started with

<?php eval(base64_decode('BASE64ENCODEDSTRINGHERE')) ?>

These files either redirected pages, contained a mass emailer (LeafPHPMailer) or opened up a (pretty feature rich but visually poor) file manager. I’m not going to go into too much detail but the reason for the infection came from one WordPress installation that I had completely forgot about after transferring to the new host. Its a site thats very seldom accessed, and to be honest, doesn’t require a WordPress Installation, but it was an easy CMS solution for someone.

Using an out-of-date plugin the attacker managed to place obfuscated PHP file on the server. This file was then accessed via a web browser which ran the PHP code, and allowed other files to be placed in different locations on the server.

When I deployed these servers I began hardening them against attacks like this. Unfortunately, I didn’t finish it. Some of my actions stopped the potential full-scale destruction of the server which I’m thankful for, but I’m a bit annoyed I didn’t finish my hardening steps.

Having separate users for different tasks on the server helped. This meant that any file modifications were only able to be done at the root web-directory level. Config files, where appropriate were hosted out-with the directory, and permissions meant that other files could not be modified. There were a few other steps that I’m not going to go into detail about however cashing up on a couple of guides on how to harden or secure your server should help.

After figuring out what happened, and how it happened, I stopped any public access – essentially shutting down the HTTP Daemon, removed any newly created files matching the time scales above, pretty deleted any WordPress installations and re-downloaded fresh copies of the MD5-checked files from wordpress.org, then manually checked all the database tables for Indicators of Compromise (IoC’s) line by line, entry by entry, and slowly reloaded everything.

I then finished my hardening that I should have done before.

I think it’s important to vent that “hacking” isn’t hacking any more. It’s what used to be known as “Script Kiddies” who are now essentially Serious and Organised Crime Groups that use these phishing and malware scams to extract money. Theres no hacking in the traditional sense – just the unauthorised access to computers that wreck havoc on people who are caught by it. It’s the same as a teenager using a Low Orbit Ion Cannon.

Am I embarrassed this happened to me? Of course. Annoyed? Yep. But I’m also relieved that it did — it means I was able to stop it before it became much, much worse.

Categories
Quick Post

A phenomenal cover

I love this song by The Weeknd – it’s called Blinding Lights and this is one of my favourite covers. I really like Teddy Swims voice – I’m not a fan of all his covers, or even his original songs, but man. This song just hits the mark.

Categories
Interesting Reads Quick Post

The faces of Microsoft : Type Magazine

The faces of Microsoft : Type Magazine
— Read on www.typemag.org/post/the-faces-of-microsoft

Categories
Hosting

And Done

Thats all my domains now moved over to the new host.

7 years ago I started hosting with Digital Ocean. At exactly 0218Hrs on Friday 23/08/2013 I made my first $5 droplet – and that $5 droplet worked exceptionally well. I had automated backups and with VAT it came to around $7.20 every month. Not a lot by any stretch of the imagination.

The existing VPS was destroyed at 1655Hrs, Monday 30/03/2020 – meaning that droplet ran for exactly 2411 days, 14 hours and 37 minutes. Or 6 years, 7 months, 7 days, 14 hours and 37 minutes – give or take a few seconds. Its a good thing I waited until today to destroy the droplet otherwise there would be an extra calculation due to the DST difference!

But anyway. Onwards and upwards. My new host is £1.20 per month for each server, with a £10 setup fee. I currently have 2 separate servers running – for both reliability and to ease strain as a new customer. So far I’ve spent £16.80 per server for 3 months. Thats £5.60 per month each, so £11.20 per month. Making it a tad more expensive.

Just for information. I just spent the last hour dealing with Digital Ocean’s Billing API to obtain all the following figures – then attempting to use jq to parse this data – and finally excel to do some quick calculations. I also used [1],[2] and [3] in my quest to save time.

Im going use the rounded up value of 6 years and 8 months for the following math – exactly 80 months.

I’ve had a total of $110 in Digital Ocean credit over those 18 months — this includes welcome credit and referrals. Over the 80 months I spent exactly $427.04. Minus that credit brings the total cost to $317.04, so per month that equates to $3.96. Not bad, and still under the $5 cost it should have been! Converting that into UK Pounds equates to roughly £3.15 per month.

As I said my new server is only £1.20 per month, but there’s two of them, so £2.40. A whopping 75p per month saving.

However – I still have to factor in that £10 (each) per server set upon cost – and if I take the average of 80 months £20 becomes £0.25 per month.

All totalled, It looks like i’ll be saving around 50p per month.

Damm. I wish I had done the math before the moves.

Categories
General

GeForce Now – it’s kind of a game changer

Last night I figured I would give the Nvidea GeForce Now service a quick bash. All the details about the service are on its website, however it provides you with a cloud gaming computer for free (with a 1 hour play limit per session), or for £5 a month, up to 6 hours playing (plus some added extras).

I have an old gaming PC. It struggles to play anything modern. I don’t really want to spend any decent amount of money getting the components together and building/upgrading a PC.

I have a 2012 mac mini which is my main computer, and a 2017 Surface Pro that I use for general tasks that require windows, in addition to my other iOS devices. Both the mac and the Surface Pro handle the GeForce Now service like a champ. It’s a shame there’s no iOS app at present, but it is available on Android.

To help illustrate this point I loaded up Destiny 2 and used the free GeForce Now service. I sat with the Surface Pro in the living room perched on my lap, Xbox controller connected (because I really can’t play with a keyboard and mouse on a game that I’ve spent years playing both it and its predecessor on a controller) and it worked almost flawlessly. Given it was a wireless connection (but 5Ghz) I had a couple of streaming hiccups – both of which lasted under 1 second and the game (and I) recovered from. This was while watching the launch of the Antares Rocket Cygnus NG-13 live via NASA TV.

We’re living in the future.

I know this won’t appeal to hard core gamers, and possibly not even to streamers because of the bandwidth that will be required, but for me, a filthy casual, it’s perfect. I can now get Destiny 2 at 60fps that’s buttery smooth (and actually loads the menus exceptionally fast). The 1 hour playtime doesn’t bother me just now – but to honest – this is the kind of service I won’t mind paying £5 per month for.

Categories
Hosting

🤦🏼‍♂️

There comes a time when everyone makes a mistake with computers. Garbage In Garbage Out and all that jazz. I seem to just like shovelling a large amount of Garbage into my servers. Take this evening for example.

I have one domain left to transfer to my new servers. The third last one was this blog and that went almost without a hitch. There were some wordpress-related things I hadn’t accounted for but nothing I couldn’t handle. The penultimate one was another wordpress installation that went much smoother after I transferred this blog.

And then I started preparing the move for the last domain. I’m being careful with this one because I know things will go wrong given half a chance. I’ve been checking and re-checking everything and decided to start to the process this evening.

First up was to update the existing code on that domain so that I could transfer everything fresh. That has a small hiccup which ended with me erasing (thanks to an errant FTP command) almost every folder and leaving but a handful of files behind.

Panicking, I managed to copy a new instance of the software over however in my haste this overwrote the main configuration file. Thank goodness I managed to remember some very old username/password/database combinations.

That ended up being rescued and is now working fine on the old host.

Whilst running about I then tried to login to my new host and managed to type with my ham-fists the incorrect password a few times and put my own IP address in a fail2ban jail.

I managed to get a remote KVM Console running via my hosting provider, and took myself out of the fail2ban jail. Now, I’m not entirely sure why I thought this was a good idea but I seen this button and figured I should click it.

CTRL+ALT+DEL

Now I’m no new entrant to linux and its ilk. I’m also not a stranger to Windows – and my organisation requires the use of Ctrl+Alt+Del to initiate a login. Completely forgetting that Ctrl+Alt+Del on Linux restarts the server I click the button. No confirmation. No warning. Just a graceful restart.

Remember how I didn’t want any downtime? 🤦🏼‍♂️

I am not a smart man.

On the plus side, I today confirmed that a reboot would bring all services back online in a sane manner!

But the last site move has been postponed.

Categories
Hosting

Easy root MySQL Password reset

I’ve recently found myself in that awkward situation where I’ve chosen a (very) secure password for a root MySQL user and I’ve forgotten it. I suppose its the most secure password I’ve had then because even I cant use it to login to the MySQL database – not that you should be using a root account under any circumstances – this was debugging.

I’ve had this happen before and I’ve used the

--skip-grant-tables

trick that stops the MySQL server, starts it up with no password, allows you to change the password, then stop and restart the server with the new password in force.

Ideally I wanted no downtime (even for those few precious seconds). As usual, google ended up pointing (to me) to a unknown way to reset the root password using another account that has full root privileges in a standard Ubuntu install.

Full credit to https://www.configserverfirewall.com/ubuntu-linux/reset-mysql-root-password-ubuntu/, and the main parts are only reproduced here in case the original site goes offline.

The debian-sys-maint user account is an administrative user account automatically created when installing MySQL Server on Ubuntu and this user have full access to all databases.

Quote from https://www.configserverfirewall.com/ubuntu-linux/reset-mysql-root-password-ubuntu/https://www.configserverfirewall.com/ubuntu-linux/reset-mysql-root-password-ubuntu/

This means that viewing the debian.cnf file using cat

sudo cat /etc/mysql/debian.cnf

nets us directly the login details including password for this account. Looking under

user = debian-sys-maint

is a

password = LongAndRandomPassword

so, using these details, a a quick

mysql -udebian-sys-maint -p

and

FLUSH PRIVILEGES;
 ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'NewVerySecurePassword';
 FLUSH PRIVILEGES;

nets you with an uninterrupted uptime MySQL password reset.

Now. To read about this account that has MySQL Root Privileges that I’ve never noticed before.

Categories
General

Wedding Website

I don’t post too much personal stuff on this site. I never have. However, I’m getting married this year, and, as is the done thing now, I’ve we’ve decided to have a wedding website.

I’m not going to post a link to it, again – personal, but I am happy to discuss what I’ve done and how I’ve done it.

First off, I had to figure out what the website would be for – there’s the standard of letting guests know about the location, the date, the time, the plan, the food etc – and I wanted it to be custom. I’ve never been one to pick an off-the-shelf product when I can roll my sleeves up and get handy with code.

I also wanted an RSVP system – something fast and efficient that would be easy to use.

I started by looking at other sites. We have a few weddings to attend this year and browsed a few of the sites offered. They all offered the functionality I was looking for but just not what we wanted.

I started off with hosting. As per this post, I’ve now found decent, reliable hosting at a frankly absurd price (£1 per month! – Affiliate link). As long as you have some System Administration and Security know-how – its a cinch to set up.

I’ve also bought myself an email hosting service that was discounted during Black Friday from MXRoute. It came to a total of $10 annually. It also now routes most of my other mail. This is also important as I didn’t want to use the built in PHP Mailer.

Next, I went with the tried and tested versatile can-do-anything site maker, WordPress. I had toyed with the idea of self coding everything but after seeing what was available, there was absolutely no need.

I kept the standard theme from WordPress, Twenty Nineteen and set about making the pages. My next hurdle was the RSVP, and there’s a plugin that’s designed just for that, which I ended up getting direct from the authors site – however it looks like I managed that timing particularly well as they only offer it via the WordPress site now. Functionality looks similar but your mileage may vary.

To keep the whole lot safe I’ve installed a couple of more security conscious plug-ins to stop spray and focused attacks, and replaced the built in wpmail() function with a plugin that allows me to specify my own mail server.

Designing the invites was done via a Wedding stationary company, but for the RSVP code also came in handy. I created a very small snippet that took a selection of letters (with obvious easy-to-mistake letters removed) and set about making unique 3 letter codes for each guest to RSVP. That, coupled with an Excel spreadsheet to get all the data in a nice format meant a bulk upload to the RSVP plugin was easy.

For making the RSVP cards I decided to purchase a small Brother QL-700 – normally £40 but I managed to get a (hardly) used one for £20. 62mm labels with unlimited length came in at a pitiful £5. The Brother software is actually pretty flexible and can take an Excel (or CSV) file as an input database and allowed me to print, to sticky labels. I made use of the append

(C1 & "TEXT" & C2)

function in excel to get all the individual columns set the way I like and the software allowed certain columns to be input as a QR code.

It turned the Excel spreadsheet from similar to this

to this

IMAGE

And allows labels for postage to be printed.

The website will stay the way it is until the day of the wedding, at which point I’ll make the whole thing a PDF document, and remove the site and replace it with any images that are shared with us by our friends and family attending, with an option to download the original in a PDF form.