• SystemAdministration
• Systems
• Blog

• To Systems Overview

---

Systems - Blog

Basics

Purpose

The blog, blog.cacert.org, meets the needs of PR and the CAcert community in publicizing CAcert's activities.

Physical Location

This system is located on a Debian Lenny vserver on physical machine Sun2.

Logical location

IP: 172.16.2.13 blog.intra.cacert.org

HTTP: via Tunix port forwarding passthrough associated with blog.cacert.org:443 and blog.cacert.org:80

Applicable Documentation

small guide (WIP)

Administration

System Admin:

• Primary: Stefan Freudenberg
• Secondary: Philipp Gühring

Wordpress Administrators:

• stefan

Wordpress Editors: PR team

Wordpress Authors: anyone with a named certificate Wordpress Contributor: anyone with a named certificate Wordpress Subscriber: every spammer or person who hasn't posted and hasn't logged in

Services

Listening services

• port	service	access origin	purpose
  80	HTTP	Tunix gateway	web access point via HTTP and HTTPS (managed by Tunix)
  443	HTTPS	ALL	web access
  4433	HTTPS	local	Plugin testing
  22	SSH	hopper	SSH access for remote administration

DNS

• A - blog.cacert.org - goes through Tunix proxy

Databases

• blog - production database - credentials in wordpress config file (/etc/wordpress/config-blog.cacert.org.php)
• blogtest - test database - copied from mysql dump

Connected Systems

• Some connection to www.cacert.org as blog items show up there too.

Outbound network connections

• HTTP (80) blog update service -http://rpc.pingomatic.com/ (ref: http://blog.cacert.org/wp-admin/options-writing.php )

• HTTP (80) to Akismet anti spam service (http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config - check network status)

Security

• http://codex.wordpress.org/Hardening_WordPress (TODO)

Non-distribution packages and modifications

• Standard wordpress install has been modified as follows:

   $ chgrp -R safe /usr/share/wordpress
   $ chmod g+s /usr/share/wordpress/wp-content{,/uploads,uploads/2009,uploads/2009/05}

  /usr/share/wordpress/wp-includes/pluggable.php wp_mail function

• $wp_email = 'webmaster@cacert.org';

• $sitename = 'cacert.org';
• TODO may need more backs or a plugin overwrite of the wp_mail function favicon.ico
• Copied from /root/favicon.ico to /usr/share/wordpress/favicon.ico

Plugins

• /usr/share/wordpress/wp-content/plugins
• http-authentication.php hacked to do certificate authentication by daniel - cleanup before release
• i-love-social-bookmarking
• akismet - which needs updates manually now and then

Risk assessments on critical packages

• wordpress - higher risk - managed by Debian Security

Tasks

Adding a category

• Steps:

• https://blog.cacert.org/wp-admin/categories.php

Critical Configuration items

/etc/wordpress/config-blog.cacert.org.php

Wordpress database configuration. Rest of wordpress config is in database (assumed).

/etc/apache2/sites-available/wordpress{,-ssl,-ssl-test}

Apache site config

Changes

Planned

Login over SSL only

Its optional so far - Require SSL for /wp-admin and /wp-login.php - safari rewrite test maybe

OpenID

• openid plugin needs wordpress version update and may conflict with X509.

Subscribe2

• subscribe plugin - email subscriptions of blog

---

CategorySystems