Reminder: Drupal 6, 7, and 8 core security release window moved to February 24

Posted by Drupal core announcements on February 12, 2016 at 1:28pm

This is an early reminder that this month's security release window for Drupal core, which would normally be on the third Wednesday of the month, is being moved to February 24 to avoid conflicting with DrupalCon Asia.

February 24 is also the end-of-life date for Drupal 6, so this will be the last security release window for Drupal 6.

Drupal 8 Views Plugins (Part 2): The display extender plugin

Posted by blog.studio.gd on February 12, 2016 at 10:06am
Let's see how and why to use a views display extender plugin.

Drupal 8 Contrib Module Development with Dave Reid, Juampy NR, & Andrew Berry

Posted by Lullabot on February 11, 2016 at 9:00pm
Matt & Mike discuss Drupal 8 module development with Dave Reid, Juampy NR, and Andrew Berry onsite at the Lullabot retreat in Palm Springs, CA.

8.1.0 will be released April 20; beta begins March 2

Posted by Drupal core announcements on February 11, 2016 at 8:58pm

Drupal 8.1.0, the next planned minor release of Drupal 8, is scheduled for Wednesday, April 20, 2016. Minor releases include new features, usability improvements, and backwards-compatible API improvements. Here's what this means for core patches.

Drupal 8.1.0-beta1 will be released March 2

  • In preparation for the minor release, Drupal 8.1.x will enter a beta phase on March 2.
  • Developers and site owners can begin testing the beta.
  • The 8.2.x branch of core will be created, and future feature and API additions will be targeted against that branch instead of 8.1.x.
  • All outstanding issues filed against 8.1.x will be automatically migrated to 8.2.x once it is opened.
  • During the beta phase, core issues will be committed according to the following policy:
    1. Issues that are allowed for patch releases will be committed to all three minor branches (8.0.x, 8.1.x, and 8.2.x).
    2. Issues specific to added 8.1.x functionality, or disruptive changes that have a positive impact outweighing their disruption, will be committed to both 8.1.x and 8.2.x. (Such issues can be moved back to the 8.1.x branch after the automatic migration.)
    3. Most issues that are only allowed in minor releases will be committed to 8.2.x only.

Drupal 8.1.0-rc1 will be released April 6

  • The release candidate phase for the minor release begins on April 6, and starting on that date, the 8.1.x branch will be subject to release candidate restrictions, with only critical fixes and certain other limited changes allowed.
  • April 6 is also the final scheduled patch release window for 8.0.x, and it will not receive further development or support after that date aside from its final security release window on April 20.
  • All outstanding issues filed against 8.0.x will be automatically migrated to 8.1.x after the final 8.0.x patch release. Future bug reports should be targeted against the 8.1.x branch.
  • Minor versions may include changes to user interfaces, translatable strings, themes, internal APIs like render arrays and controllers, etc. (See the Drupal 8 backwards compatibility and internal API policy for details.) Developers and site owners should test the release candidate to prepare for these changes.
  • 8.2.x will remain open for new development during the 8.1.x release candidate phase.

See the Drupal core release cycle overview, Allowed changes during the Drupal 8 release cycle, and Drupal 8 backwards compatibility and internal API policy for more information.

As a reminder, we have until the start of the beta to add great new features to Drupal 8.1.x; Migrate, usability improvements, and bug fixes are all priorities for 8.1.0.

Windows+Vagrant+WinNFSD Without File Update Problems

Posted by HollyIT on February 11, 2016 at 6:07pm
Categories: DrupalPlanet Drupal

I have developed on Windows for years. I have been through WAMP, XAMPP and EasyPHP, and have also gone my own route to handle my web development. Last year I switched to Vagrant so that I could mimic the varying servers I work with for all my clients. Of course, I was quickly plagued with the problem most Windows Vagrant users face: extremely slow page loads.

Build Your Own PHP Framework

Posted by Darren Mothersele on February 11, 2016 at 5:00pm

I'm excited to announce that I'll be back running training at this year's Drupal Camp in London. This will be the 3rd year in a row that I've offered training at the camp. I'm doing something a bit different this time...

Build Your Own PHP Framework

In this training you will build your own PHP framework.

But, why reinvent the wheel?

Building your own framework is a great way to learn the fundamentals of modern PHP. Regardless of your choice of framework, this will make you a better developer. A similar foundation of components underlies Drupal, Symfony, Silex, and Laravel.

If you are a developer going from Drupal 7 to Drupal 8 then you need to adopt an object-oriented mindset.

Drupal doesn't always get it right. If you understand the basic principles you know when and why you're breaking them. You can make pragmatic choices as a programmer, without embodying bad practices.

"Build Your Own Framework" is a fun training to learn modern PHP. You will learn the "SOLID" principles of PHP package design. The training will demystify dependency injection, hexagonal architecture and other design patterns. We will look at HTTP Foundation and the other Symfony components.

Come armed with a basic knowledge of PHP, a laptop that can run PHP, and an open mind. Leave with a better understanding of the principles behind modern PHP and Drupal 8.

Tickets available here.

The training will be held on Friday March 4, 2016 at City University London.

Building websites for the blind

Posted by IXIS on February 11, 2016 at 4:15pm

This month's Northwest Drupal User Group (NWDUG) in Manchester had a lovely visit from a non-developer, who talked about how the Internet has changed his life and the challenges of using the Internet as a blind person.

Being blind since he was a child has meant that some activities weren't possible before the Internet became accessible to everyday people, such as reading the news or magazine articles. Now Sunil works with the Internet every day at his job in the British Red Cross.


Global Training Days - February 2016 Summary

Posted by Drupal Association News on February 11, 2016 at 3:05pm

We kicked off the 2016 Global Training Days on February 5th. Twenty-two sites held a training in 11 countries, making it a great start to all things training in 2016.

Training events were held all over the globe in a variety of spaces. From offices to the public library and spaces where public university and governmental institutions collaborated with private organizations, Drupal was brought to a wide audience. Trainers gave introductory lessons with demos and hands-on site building exercises to attendees. Thank you to everyone who participated!

Here are just a few of the tweets we received about the first of the 2016 Global Training Days.

See more photos and updates at #DrupalGTD on Twitter. The full list of participants is on the 2016 page.

Learn more about the program at drupal.org or sign up to provide training at the next event.

Personal blog tags: Drupal Global Training Day, GTD

Manage meeting room availability and take bookings with BAT for Drupal

Posted by roomify.us on February 11, 2016 at 2:45pm
We put together extensive documentation on how to use BAT, using a meeting room availability and booking example throughout. This is one of the most often requested features - especially from libraries and educational institutions - so we hope you will find it useful. We hope this will help and would love to hear your thoughts - get in touch.

Publishing a code sample book from Stackoverflow to LeanPub using Drupal and GitLab

Posted by Pronovix on February 11, 2016 at 2:09pm

In this blogpost we want to share how Bruno Lowagie (the original developer of iText) designed a workflow that allows him to publish questions and answers from Stackoverflow on the iText Drupal site and then export them to LeanPub (utilizing a custom Drupal module).

Create Git diffs with proper function context

Posted by drunken monkey on February 11, 2016 at 12:37pm
TL;DR

For years I have been annoyed (slightly, but still) that Git diffs for PHP classes always just contained the class header instead of the method header as the function context. I finally got round to doing a bit of research and it turns out that the solution is astonishingly easy: just one small and simple config file and it will magically work.

The problem

You might have noticed it, and maybe been annoyed by it, too: when you create a diff file with Git and have changes inside PHP class files, you get hunks that look like the following:

@@ -40,6 +40,7 @@ class SearchApiViewsHandlerFilter extends views_handler_filter {
       '<=' => t('Is less than or equal to'),
       '=' => t('Is equal to'),
       '<>' => t('Is not equal to'),
+      '!=' => t('Is REALLY not equal to'),
       '>=' => t('Is greater than or equal to'),
       '>' => t('Is greater than'),
       'empty' => t('Is empty'),

So, where you would normally expect the function context (to quickly get an idea of what the change means), the diff instead just contains the class name, which is much less helpful, especially if the file name already tells you the class.

Well, after years of being regularly (slightly) annoyed by this (more so in recent years, with the OOP shift in Drupal 8), I finally searched this new place called "the interwebs" and arrived at the very simple solution.

The solution

It turns out Git's diff functionality already has support for creating the right function context information for various file types – it just doesn't know which files correspond to which file type. (It seems not even the standard .php extension is recognized by default.)

To remedy this, simply create a file with the following contents:

*.engine   diff=php
*.inc      diff=php
*.install  diff=php
*.module   diff=php
*.php      diff=php
*.profile  diff=php
*.test     diff=php
*.theme    diff=php

Save the file either in .git/info/attributes or .gitattributes (for just the local project), or (to change this globally) in $HOME/.config/git/attributes (or $XDG_CONFIG_HOME/git/attributes, if that variable is set). That's it – testing again, we now see the proper function context in the diff:

@@ -40,6 +40,7 @@ public function operator_options() {
       '<=' => t('Is less than or equal to'),
       '=' => t('Is equal to'),
       '<>' => t('Is not equal to'),
+      '!=' => t('Is REALLY not equal to'),
       '>=' => t('Is greater than or equal to'),
       '>' => t('Is greater than'),
       'empty' => t('Is empty'),

Much better, right?

Note: I haven't yet found out where to put the global attributes file for Windows. If you know, please post a comment and tell me, and I'll include it here.
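As an added example (not code from the original post), the script below reproduces the before-and-after hunk headers above in a throwaway repository, so the attribute can be checked on any machine with git installed before it is rolled out to a real project. The PHP class, the change made to it and the single-line .gitattributes (only *.php here; the list above covers the other Drupal extensions) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates a temporary git
# repository containing a constructed PHP class (modelled on the post's hunk),
# makes a change inside a method, and prints the hunk header git chooses
# before and after the "diff=php" attribute is set. Assumes git is installed.
set -eu

# php_hunk_headers: prints two lines, the hunk header text ("function
# context") without the attribute, then with it.
php_hunk_headers() {
    command -v git >/dev/null 2>&1 || { echo "git is required" >&2; return 1; }
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q
        # Constructed sample class; the method body is long enough that the
        # "public function" line falls outside the default 3 lines of context.
        cat > Filter.php <<'EOF'
<?php

class SearchApiViewsHandlerFilter extends views_handler_filter {

  public function operator_options() {
    return array(
      '<' => t('Is less than'),
      '<=' => t('Is less than or equal to'),
      '=' => t('Is equal to'),
      '<>' => t('Is not equal to'),
      '>=' => t('Is greater than or equal to'),
      '>' => t('Is greater than'),
      'empty' => t('Is empty'),
    );
  }

}
EOF
        git add Filter.php
        git -c user.name=example -c user.email=example@example.invalid \
            commit -q -m 'Constructed baseline'
        # Insert the same line the post's hunk adds, right after the '<>' entry.
        awk -v add="      '!=' => t('Is REALLY not equal to')," \
            '{ print } index($0, "Is not equal to") { print add }' \
            Filter.php > Filter.new && mv Filter.new Filter.php

        # 1. Without an attribute git falls back to its generic funcname rule,
        #    which only matches lines starting in column 0: the class line.
        git --no-pager diff --no-color -- Filter.php | grep '^@@' | sed 's/.*@@ //'
        # 2. Mapping *.php to the built-in "php" diff driver yields the method.
        printf '*.php diff=php\n' > .gitattributes
        git --no-pager diff --no-color -- Filter.php | grep '^@@' | sed 's/.*@@ //'
    )
    rm -rf "$repo"
}

php_hunk_headers
```

The first printed line is the class header, the second is the method header, matching the two hunks shown above; the same attribute file works wherever git reads attributes from, so the per-project and global locations described above behave identically.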

Background information

For more information on Git attributes, please see the documentation. I didn't know about this at all before, but it seems there's actually a lot you can configure per file type, so there might be other very practical tips for customization.
If you find or know of any, please post them so others can profit from them, too – just as I hope this post was useful to at least a few of you!

As an afterthought, I've also added this tip to the Git documentation in Drupal.org's handbook. Hopefully, more people will find it that way.

Logging in Drupal 8

Posted by Wellnet Blog on February 11, 2016 at 10:48am

Many Drupal websites are not just simple websites but real applications, with many functionalities, integrations and logic. It’s often necessary to keep track of what is happening in the application to understand if something went wrong or even just to monitor the user activities.
It is...

User Experience Design with Drupal and Beyond

Posted by DrupalCon News on February 11, 2016 at 4:04am

Did you know you, yes YOU, could potentially provide the most valuable information at all of DrupalCon New Orleans?

What We're Up To at DrupalCon Asia in Mumbai

Posted by Acquia Developer Center Blog on February 10, 2016 at 8:07pm
Jeffrey A. "jam" McGuire

Acquia is once again a sponsor of DrupalCon, and those of us who have the chance to take part in DrupalCon Asia in Mumbai, India are getting excited. This post covers the sessions we'll be part of in Mumbai.

Tags: acquia drupal planet, drupalcon, Mumbai

Building a Drupal site with Behaviour-Driven Development

Posted by J-P Stacey on February 10, 2016 at 8:03pm

(This article first appeared on the Agile Collective blog.)

The Global Canopy Programme (GCP) needed to retrieve news syndicated from many public sources, manage it via an internal application, then re-syndicate it reliably to several public-facing websites. This application—called Forest Desk—needed to be described and built “just in time”, both to fit the clear initial requirements but also to adapt to any discoveries made along the way.

Read more of "Building a Drupal site with Behaviour-Driven Development"

Membership Drive 2015 recap

Posted by Drupal Association News on February 10, 2016 at 7:44pm

From October 13 to December 30, 2015, we ran our biggest membership drive campaign ever. We did a lot of experimenting and I want to share some results and learnings with you.

But first, I'll tell you about our program. Drupal Association membership is for anyone who uses Drupal, and anyone who wants to support our community and the project through a donation of membership dues. Membership is one way to contribute to Drupal, but it is by no means the only way.

The biggest accomplishment in this campaign: 10% growth

During the campaign period, we saw 10% overall growth in our membership (3,266 to 3,590 members). For the last two years over this same period of time, we had seen 1% growth in membership. Last year’s growth is a huge win.

Goal vs actual

Our campaign goals were to raise $100,000 and to have 1,000 new members sign up.

The results looked more like this: $50,896 and 480 new members.

We also had 148 lapsed members return and our overall membership grew. Despite not hitting our goals, we are happy to have new and renewing members and some new knowledge about campaign content.

[Images: drupal.org homepage banners reading "Support the project you love. Become a Member Today." and, with Mike Anello's photo and quote, "Campaign ends this week. Help now."]

Testing content

When the campaign launched on October 13, we put our first banner ever on drupal.org to test whether an increased presence on the site would make a difference in membership sales. The answer is a big Yes. There were spikes in membership sales around the times we launched and changed the content of the banners. The biggest day of sales took place on the day after the launch, Oct. 14, when 74 members paid dues.

On December 14, we refreshed the banner to include a photo and quote from a member who gave us a testimonial. We rotated the banners and a separate block on the drupal.org homepage until the end of the campaign to highlight a few members.

This graph shows the results during our December banner rotation period. There was a trough around the Christmas holiday, so testing this at a non-holiday time of year will be beneficial in a future campaign.

[Graph: memberships sold and content launches]

What we learned

A greater drupal.org presence helps sell memberships, and being mindful about what content to show our active members is important for inspiring people to share the campaign. If members see a banner, they should easily be able to share it or hide it.

We need to keep telling your stories. I saw some of the members who gave testimonials were given kudos in the community. It feels good to see the faces of the community and to see just why you care. We have continued sharing stories, starting with DrupalCon Asia.

On days we launched banners or refreshed content, we saw the biggest sales spikes and flurries of social activity. The time of year when many people step away from their computers could impact campaign performance, so testing at another time of year should be done.

Thanks to everyone who participated in this campaign. From the 27 members who gave testimonials, to everyone who joined or renewed membership or encouraged the community to be a part of the drive, we appreciate your help.

See the full report at https://docs.google.com/presentation/d/1h0r32Tfw7TZ6osQbgtfMMJCZ3gjHMmwYlqOF8Xnmc80/edit#slide=id.g34532c755_069

Personal blog tags: Membership

Image Styles and Sizes in Drupal 8

Posted by OSTraining on February 10, 2016 at 6:50pm

One thing that all site builders need to think about is image size.

The size of your images can have an enormous impact on your site's speed and it's performance on mobile devices. Fortunately, the Drupal 8 core provides tools for controlling and optimizing the size of your images.

In these two videos, Robert shows you how to use Drupal 8 image styles and image settings.

A lot of exciting Drupal 8 media news!

Posted by Janez Urevc on February 10, 2016 at 4:10pm

Media made a big leap towards a first major milestone. It's time to test what we have and help stabilise it.

At the beginning of November 2015, MD Systems announced the Media initiative program that they started in cooperation with Ringier, Gassmann media and Südostschweiz. The initiative was kicked off with a week-long sprint in the first week of December in Zurich. Work didn't end when the sprint was over. Together with the team at MD Systems I continued to work on the most important tasks to achieve a major milestone.

Media sprint attendees
Photo by Stefanie Gupta

Note nr. 1: MD Systems are funding part of my time to work on Drupal 8 media. They are constantly investing in Drupal core and many contrib modules. They are one of the greatest Drupal service providers and the number one Drupal organizational contributor relative to their size. You need a site built? You should definitely get in touch with them.

Note nr. 2: Examiner.com (my employer and a very well-known enterprise Drupal 7 site) gives every developer a so-called "Drupal day" every other week. This allows me to work on Drupal 8 media components. We have been working on a Drupal 8 project for a while now, which has also allowed me to do a lot of contrib work during my work hours. Thank you! You are great!

Since my last post we did a ton of work in many areas. Let me quickly list the most important ones:

  1. Image cropping: We added a few more features to Crop API. Image widget crop used those to provide new features such as soft and hard crop size limits, handling of default crops and the ability to use the cropper tool outside of the field widget context. This allowed us to add the cropper tool to the file edit form that File entity provides. Image widget crop was also promoted to a full project on drupal.org. We also started working on Crop API integration for the Focal point module, which is very close to being committed. This will bring even more standardization in this area, which is something we are very excited about.

  2. File entity: we managed to bring this important module to the level where we can confidently say that it has reached feature parity with the Drupal 7 version. This allowed us to bring it back home (to drupal.org) and make a -dev version available on the project page.

  3. Entity browser: we continued our work on the configuration UI. The patch is almost ready. We need a few more people to help us with testing and reviews. I hope that we will be able to commit it in the next week or so. We also added a new selection display plugin which supports a multi-step workflow (upload a few images, select a few more from the media library, import some more from a third-party service, save everything in one step). This allows us to build content creation experiences that we never saw in Drupal core or contrib before. The plugin could use some visual improvements. This is a great introductory task for any themers and/or frontend developers who would like to join us. Get in touch!

  4. Image effects: together with @mondrake we started a new project that will become home for the majority of image effects that did not find their way into core. We already ported most of the effects from ImageCache Actions and added a few more that lived in other Drupal 7 modules. Effects that are currently available in the Image effects module are: watermark, auto orientation, brightness, color shift, contrast, set canvas and strip metadata. There is also a text overlay effect that is waiting to be reviewed and tested.

There are many other things in different areas of the ecosystem. We fixed bugs and added features in Media entity, Field formatter, Inline entity form, Entity embed, ...

What is next

In the course of the next few weeks we need to review and commit remaining patches. After that we'd like to tag new releases for most of the modules in the ecosystem. This will encourage people to start actively using and testing them.

The media ecosystem for Drupal 8 is not perfect yet, but we are able to support more and more use cases. Testing, finding bugs and fixing them in a timely manner should be our priority at this point. We want to stabilize the ecosystem to allow our users to rely on our components.

How to help?

Start contributing. You can write documentation, test modules in the ecosystem and report bugs, fix bugs or work on new features, design UX, write automated tests, share ideas and much, much more. You have a skill, we have a task for you.

We are available on IRC. Join us on #drupal-media channel on Freenode.net and get involved. We always publish general announcements on groups.drupal.org/media.

If you prefer more personal communication you can always ping me on Twitter (@slashrsm) or use the contact form on my blog to get in touch.

About me

I (Janez Urevc - @slashrsm) am one of the architects and maintainers of the media ecosystem for Drupal 8. If you like what I am doing please consider donating to my Bitcoin address: 1Xqe6gYWEbF1iKsy3Mr5SbAyebNyucj5t.

Together with some colleagues I'm building a small team of professionals that will be providing top-level consulting, training and development related to media in Drupal 8. If you're interested or you'd like to work with us please get in touch.


Drupal Bits and Bytes: How to Add Content in an Update Hook

Posted by Mediacurrent on February 10, 2016 at 3:22pm

Why would I want to add content in an update hook?

The Uncomplicated Firewall

Posted by Lullabot on February 10, 2016 at 1:37pm

Firewalls are a tool that most web developers only deal with when sites are down or something is broken. Firewalls aren’t fun, and it’s easy to ignore them entirely on smaller projects.

Part of why firewalls are complicated is that what we think of as a "firewall" on a typical Linux or BSD server is responsible for much more than just blocking access to services. Firewalls (like iptables, nftables, or pf) manage filtering inbound and outbound traffic, network address translation (NAT), Quality of Service (QoS), and more. Most firewalls have an understandably complex configuration to support all of this functionality. Since firewalls are dealing with network traffic, it’s relatively easy to lock yourself out of a server by blocking SSH by mistake.

In the desktop operating system world, there has been great success in the "application" firewall paradigm. When I load a multiplayer game, I don’t care about the minutiae of ports and protocols - just that I want to allow that game to host a server. Windows, OS X, and Ubuntu all support application firewalls where applications describe what ports and protocols they need open. The user can then block access to those applications if they want.

The OS X firewall UI

Uncomplicated Firewall (ufw) is shipped by default with Ubuntu, but like OS X (and unlike Windows) it is not turned on automatically. With a few simple commands we can get it running, allow access to services like Apache, and even add custom services like MariaDB that don’t ship with a ufw profile. UFW is also available for other Linux distributions, though they may have their own preferred firewall tool.

Before you start

Locking yourself out of a system is a pain to deal with, whether it’s lugging a keyboard and monitor to your closet or opening a support ticket. Before testing out a firewall, make sure you have some way to get into the server should you lock yourself out. In my case, I’m using a LAMP vagrant box, so I can either attach the Virtualbox GUI with a console, or use vagrant destroy / vagrant up to start clean. With remote servers, console access is often available through a management web interface or a "recovery" SSH server like Linode’s Lish.

It’s good to run a scan on a server before you set up a firewall, so you know what is initially being exposed. Many services will bind to ‘localhost’ by default, so even though they are listening on a network port they can’t be accessed from external systems. I like to use nmap (which is available in every package manager) to run port scans.

$ nmap 192.168.0.110
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-02 13:16 EDT
Nmap scan report for trusty-lamp.lan (192.168.0.110)
Host is up (0.0045s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Listening for SSH and HTTP connections makes sense, but we probably don't need rpcbind (for NFS) or MySQL to be exposed.

Turning on the firewall

The first step is to tell UFW to allow SSH access:

$ sudo ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

$ sudo ufw allow openssh
Rules updated
Rules updated (v6)

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----

OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

Test to make sure the SSH rule is working by opening a new terminal window and ssh’ing to your server. If it doesn’t work, run sudo ufw disable and see if you have some other firewall configuration that’s conflicting with UFW. Let’s scan our server again now that the firewall is up:

$ nmap 192.168.0.110
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-02 13:31 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

UFW is blocking pings by default. We need to run nmap with -Pn so it blindly checks ports.

$ nmap -Pn 192.168.0.110
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-02 13:32 EDT
Nmap scan report for trusty-lamp.lan (192.168.0.142)
Host is up (0.00070s latency).
Not shown: 999 filtered ports

PORT   STATE SERVICE

22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

Excellent! We’ve blocked access to everything but SSH. Now, let’s open up Apache.

$ sudo ufw allow apache
Rule added
Rule added (v6)

You should now be able to access Apache on port 80. If you need SSL, allow "apache secure" as well, or just use the “apache full” profile. You’ll need quotes around the application name because of the space.

To remove a rule, prefix the entire rule you created with "delete". To remove the Apache rule we just created, run sudo ufw delete allow apache.

Blocking services

UFW operates in a "default deny" mode, where incoming traffic is denied and outgoing traffic is allowed. To operate in a “default allow” mode, run sudo ufw default allow. After running this, perhaps you don’t want Apache to be able to listen for requests, and only want to allow access from localhost. Using ufw, we can deny access to the service:

$ sudo ufw deny apache
Rule updated
Rule updated (v6)

You can also use "reject" rules, which tell a client that the service is blocked. Deny forces the connection to time out, not telling an attacker that a service exists. In general, you should always use deny rules over reject rules, and default deny over default allow.

Address and interface rules

UFW lets you add conditions to the application profiles it ships with. For example, say you are running Apache for an intranet, and have OpenVPN setup for employees to securely connect to the office network. If your office network is connected on eth1, and the VPN on tun0, you can grant access to both of those interfaces while denying access to the general public connected on eth0:

$ sudo ufw allow in on eth1 to any app apache
$ sudo ufw allow in on tun0 to any app apache

Replace "in on <interface>" with "from <address>" to use IP address ranges instead of interface names.

Custom applications

While UFW lets you work directly with ports and protocols, this can be complicated to read over time. Is it Varnish, Apache, or Nginx that’s running on port 8443? With custom application profiles, you can easily specify ports and protocols for your own custom applications, or those that don’t ship with UFW profiles.

Remember up above when we saw MySQL (well, MariaDB in this case) listening on port 3306? Let’s open that up for remote access.

Pull up a terminal and browse to /etc/ufw/applications.d. This directory contains simple INI files. For example, openssh-server contains:

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.

ports=22/tcp

We can create a mariadb profile ourselves (saved alongside the others, for example as /etc/ufw/applications.d/mariadb) to work with the database port:

[MariaDB]
title=MariaDB database server
description=MariaDB is a MySQL-compatible database server.

ports=3306/tcp

$ sudo ufw app list
Available applications:

  Apache
  Apache Full
  Apache Secure
  MariaDB
  OpenSSH

$ sudo ufw allow from 192.168.0.0/24 to any app mariadb

You should now be able to access the database from any address on your local network.

Debugging and backup

Debugging firewall problems can be very difficult, but UFW has a simple logging framework that makes it easy to see why traffic is blocked. To turn on logging, start with sudo ufw logging medium. Logs will be written to /var/log/ufw.log. Here’s a UFW BLOCK line where Apache has not been allowed through the firewall:

Jan 5 18:14:50 trusty-lamp kernel: [ 3165.091697] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65499 DF PROTO=TCP SPT=41557 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

From this, we can see all of the information about the source of the request as well as the destination. When you can't access a service, this logging makes it easy to see whether it's the firewall or something else causing problems. The higher logging levels can use a large amount of disk space and IO, so when not debugging it's recommended to set logging to low or off.
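Reading individual UFW BLOCK lines gets tedious once logging has been on for a while, so as an added example (not code from the original post) here is a small summariser that counts blocked flows by protocol, destination port and source. It only needs awk, sort and a POSIX shell; the log lines it runs on are constructed in the format shown above, and the real-use invocation in the comment assumes the default /var/log/ufw.log location mentioned in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises [UFW BLOCK]
# lines from /var/log/ufw.log so a "can't reach the service" report can be
# checked against what the firewall actually dropped. Only standard awk,
# sort and a POSIX shell are used; the log lines below are constructed in
# the format shown in the post.
set -eu

# summarize_blocks MODE LOGTEXT
#   MODE "flow": one line per (proto, destination port, source), most hits first
#   MODE "port": one line per (proto, destination port)
# Each line is "<count> <PROTO> <DPT> [<SRC>]". Records that are not UFW BLOCK
# lines, and blocks without a destination port (e.g. ICMP), are ignored.
summarize_blocks() {
    mode=$1
    printf '%s\n' "$2" | awk -v mode="$mode" '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                if (k == "SRC") src = v
                else if (k == "DPT") dpt = v
                else if (k == "PROTO") proto = v
            }
            if (dpt == "" || src == "") next
            key = (mode == "port") ? proto " " dpt : proto " " dpt " " src
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample: three web probes from one host, two rpcbind (NFS) probes
# over UDP, one MySQL attempt from another host, plus an ALLOW line that must
# be ignored. The first line is the one quoted in the post.
SAMPLE_LOG='Jan 5 18:14:50 trusty-lamp kernel: [ 3165.091697] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65499 DF PROTO=TCP SPT=41557 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 5 18:14:51 trusty-lamp kernel: [ 3166.101200] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65500 DF PROTO=TCP SPT=41558 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 5 18:14:53 trusty-lamp kernel: [ 3168.120011] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65501 DF PROTO=TCP SPT=41559 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 5 18:15:02 trusty-lamp kernel: [ 3177.000321] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1124 DF PROTO=UDP SPT=50211 DPT=111 LEN=64
Jan 5 18:15:03 trusty-lamp kernel: [ 3178.000567] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.54 DST=192.168.0.142 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1125 DF PROTO=UDP SPT=50212 DPT=111 LEN=64
Jan 5 18:16:10 trusty-lamp kernel: [ 3245.330981] [UFW BLOCK] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.77 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=39200 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 5 18:16:11 trusty-lamp kernel: [ 3246.000000] [UFW ALLOW] IN=eth2 OUT= MAC=08:00:27:a1:a3:c5:00:1e:8c:e3:b6:38:08:00 SRC=192.168.0.77 DST=192.168.0.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=TCP SPT=39201 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Real use: summarize_blocks flow "$(sudo grep 'UFW BLOCK' /var/log/ufw.log)"
summarize_blocks flow "$SAMPLE_LOG"
summarize_blocks port "$SAMPLE_LOG"
```

The "flow" view answers "who is being dropped, on which port" (the TCP/80 line from 192.168.0.54 is exactly the Apache-not-allowed case above), while the "port" view is the quicker way to spot a service you forgot to allow, or one that is being probed and should stay closed.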

Once you have everything configured to your liking, you might discover that there isn’t anything in /etc with your rules configured. That’s because ufw actually stores its rules in /lib/ufw. If you look at /lib/ufw/user.rules, you’ll see iptables configurations for everything you’ve set. In fact, UFW supports custom iptables rules too if you have one or two rules that are just too complex for UFW.

For server backups, make sure to include the /lib/ufw directory. I like to create a symlink from /etc/ufw/user-rules to /lib/ufw. That way, it’s easy to remember where on disk the rules are stored.

Next steps

Controlling inbound traffic is a great first step, but controlling outbound traffic is better. For example, if your server doesn’t send email, you could prevent some hacks from being able to reach mail servers on port 25. If your server has many shell users, you can prevent them from running servers without being approved first. What other security tools are good for individual and small server deployments? Let me know in the comments!
