WebMention is a modern re-implementation of PingBack, which uses only HTTP and x-www-urlencoded content rather than infinitely more complicated, not to mention bloated, XMLRPC requests. It was developed by the #indieweb community at IndieWebCamp, and is rapidly seeing adoption.

Since the best way to understand a protocol is to write an implementation of it, I bashed together a basic implementation of it for Elgg.

The plugin will automatically send webmention pings for content with URLs in the $object->description field (you can easily expand on this), it also exposes a webmention endpoint, and sets the appropriate discovery headers and meta tags. Plugin authors can hook into the plugin hooks that elgg-webmention generates and handle incoming mentions appropriately.

There is still a little more to do, the next step I think is to hook into a microformats parser, in order to get some richer semantic information as to the type of mention one is generating. My friend Ben has a very neat video of this kind of thing in action, and his idno project already implements it in the core code.

Have a play!

» Visit the project on Github…

jQuery is a popular, fantastically useful, and not to mention powerful, Javascript library used by many web applications around the Internet.

The current version of it is 1.9.1, but unfortunately the latest release of Elgg is still tied to a frankly ancient version (1.6).

Recently, I needed a more recent version of jQuery in order to take advantage of the Bootstrap framework. So I put together a quick plugin which lets you easily use the latest version of jQuery in Elgg.

This saved me from a number of headaches, and I hope it’ll do the same for you.

Enjoy!

» Visit the project on Github…

Fail2Ban is a simple, but powerful, open source intrusion detection and prevention system which can run on most POSIX compliant operating systems. It works by monitoring various system logs for signs of intrusion attempts (failed logins etc), and on finding them, executes a preconfigured action.

Typically, this action is to block further access attempts from the remote host, using local firewall rules.

Out of the box, Fail2Ban comes configured to monitor SSH for signs of intrusion. However, since it works by monitoring log files, Fail2Ban can be configured to monitor many other services. I figured it would be pretty cool if you could use it to protect Elgg sites as well.

Elgg already has a per-user account lockout on login, however it is not without its limitations. It is pretty basic, and while it protects against access to specific accounts, it does not protect against dictionary attacks against multiple or non-existent accounts. Using Fail2Ban, you can easily protect against multiple access attempts from the same IP address, and cut them off at the network level, frustrating the attack.

Installing Fail2Ban

The first step to getting this all working is to install Fail2Ban.

This is covered in detail elsewhere, but on Debian/Ubuntu it was a simple matter of pulling it from the apt repo:

sudo apt-get install fail2ban

Out of the box Fail2Ban will block using IPTables, but if you use shorewall, as I do, you’ll need to modify the actions to use that.

Getting Elgg to log access

It is an omission (quite possibly on my part), but the default Elgg login action does not explicitly log login attempts and login errors. While it is quite probable that you could hack together some regexp to parse the apache error logs, these are often quite noisy, highly changeable, often stored in odd locations, and, more often than not, are turned off in production environments.

I thought I’d make things a little easier on myself, and so I wrote a tiny Elgg plugin which overrides the default login action and outputs explicit error messages to the system auth.log, on both success and failure.

Once installed, you should begin to see logging messages start to appear in your server’s auth log (usually /var/log/auth.log) along the lines of this:

Mar 22 18:24:43 web elgg(web.example.com)[16483]: Authentication failure for fakeuser from 111.222.333.444
Mar 22 18:25:05 web elgg(web.example.com)[16483]: Accepted password for admin from 111.222.333.444

Again, to keep things simple, and to avoid getting a regular expression headache, I kept the authentication messages similar to those used by the SSH filter.

Monitoring the log with Fail2Ban

Finally, you need to configure fail2ban to look out for the Elgg messages in the auth.log.

  • Copy the elgg.conf into your fail2ban filters directory, on Debian this is in /etc/fail2ban/filters.d/
  • Create a jail.local in /etc/fail2ban/ if you have not already done so, and then create a rule, along the lines of the following:

    [elgg]
    enabled = true
    filter = elgg
    logpath = /var/log/auth.log
    port = all

Restart Fail2Ban, and you should be up and running! To test, attempt to log in from a different machine (on a different network if at all possible, so you don’t lock yourself out) and try a few failed logins.
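To make concrete what the jail above does with the log lines shown earlier, here is an added Python example (my own illustration, not code from the plugin or from Fail2Ban itself): a failregex in the style Fail2Ban uses, applied to a constructed auth.log excerpt, together with the maxretry/findtime window logic that decides which hosts get banned. The regex, the sample log lines and the maxretry=3/findtime=600 defaults are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fail2Ban-style failregex for the Elgg failure message above. Fail2Ban swaps its
# own host group in for the <HOST> tag; here a simple group is substituted so the
# expression runs under plain `re`. The success message deliberately does not match.
FAILREGEX = r"elgg\([^)]+\)\[\d+\]: Authentication failure for \S+ from <HOST>\s*$"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed auth.log excerpt in the plugin's format (documentation IP ranges).
SAMPLE_LOG = """\
Mar 22 18:00:00 web elgg(web.example.com)[16483]: Authentication failure for bob from 192.0.2.9
Mar 22 18:15:00 web elgg(web.example.com)[16483]: Authentication failure for bob from 192.0.2.9
Mar 22 18:24:43 web elgg(web.example.com)[16483]: Authentication failure for fakeuser from 203.0.113.7
Mar 22 18:24:44 web elgg(web.example.com)[16483]: Authentication failure for admin from 203.0.113.7
Mar 22 18:24:46 web elgg(web.example.com)[16483]: Authentication failure for root from 203.0.113.7
Mar 22 18:25:05 web elgg(web.example.com)[16483]: Accepted password for admin from 198.51.100.20
Mar 22 18:25:10 web elgg(web.example.com)[16483]: Authentication failure for alice from 198.51.100.20
Mar 22 18:30:00 web elgg(web.example.com)[16483]: Authentication failure for bob from 192.0.2.9
Mar 22 18:30:01 web sshd[1234]: Failed password for invalid user x from 192.0.2.9 port 2222 ssh2
""".splitlines()

def parse_failures(lines, year=2013):
    """Yield (timestamp, host) for every line matching the Elgg failure message."""
    for line in lines:
        ts_m, fail_m = TS_RE.match(line), PATTERN.search(line)
        if not ts_m or not fail_m:
            continue  # successes, sshd lines and anything else are ignored
        ts = datetime.strptime(f"{year} {ts_m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, fail_m.group("host")

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside a sliding findtime-second window,
    mirroring the jail's maxretry/findtime semantics (assumed defaults: 3 and 600 s)."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in parse_failures(lines):
        # keep only failures no older than findtime relative to the newest one
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))  # ['203.0.113.7']
```

Note that 192.0.2.9 also fails three times, but spread over 30 minutes, so it stays under the findtime window; the real `fail2ban-regex` tool will give you the same match/no-match breakdown for your own filter against a log file.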

A future enhancement of this that you could consider, especially if running in a production environment, is to modify the block action to redirect queries from the offender’s IP to a place-holder page explaining why they have been banned. This could probably be done quite easily using a REDIRECT rule, although I’ve not tried it yet.

Anyway, code, as always, is on GitHub. Have a play!

» Visit the project on Github…