    Posts

    • RE: Synology NAS - Can't delete

      If you're using rsync to sync the 2 NASs then there's no air gap. The systems are obviously networked together. What about using Backup Copy from Veeam instead of rsync? Just wondering if rsync may be the cause here.

      posted in IT Discussion
      NashBrydges
    • RE: Synology NAS - Can't delete

      Could someone have logged in as administrator on the Offsite NAS and (accidentally) changed permissions on the "User" account?

      posted in IT Discussion
      NashBrydges
    • Equifax CIO Charged With Insider Trading

      https://www.sec.gov/news/press-release/2018-40

      posted in News equifax
      NashBrydges
    • RE: ISP sent this yesterday

      0_1521043701653_49510046-cceb-443c-8d11-54561ec36b15-image.png

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      I'm going to have to try those solutions out when I'm back home.

      posted in IT Discussion
      NashBrydges
    • RE: The Myth of RDP Insecurity

      RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

      https://rdpguard.com/

      posted in IT Discussion
      NashBrydges
    • RE: The Myth of RDP Insecurity

      @scottalanmiller said in The Myth of RDP Insecurity:

      port locking

      That's not always a viable solution though so, what else would you suggest can be done to reduce alerts in those cases?

      posted in IT Discussion
      NashBrydges
    • RE: The Myth of RDP Insecurity

      @scottalanmiller said in The Myth of RDP Insecurity:

      @nashbrydges said in The Myth of RDP Insecurity:

      One benefit that's overlooked in your comment is that, when accessing RDP via a VPN, you can eliminate a lot of "noise" from logging and IPS/IDS platforms if you can eliminate all of the random attempts at accessing RDP once it's exposed to the internet. Sometimes, that's enough benefit to make VPN very nice to have. The alert fatigue is very real and with the VPN wrapper method, at least when you get a hit on an attempt at RDP, you know it may be worth investigating.

      Are those logs you really need to watch, though? What are you looking for there? Anything worth watching for should be automated.

      Totally agree. They are automated. Alerts are difficult to automate when your source IP is dynamic so when you get a hit that there are attempted logins to RDP, I tend to want to be sure to look at what's happening.

      posted in IT Discussion
      NashBrydges
    • RE: The Myth of RDP Insecurity

      One benefit that's overlooked in your comment is that, when accessing RDP via a VPN, you can eliminate a lot of "noise" from logging and IPS/IDS platforms if you can eliminate all of the random attempts at accessing RDP once it's exposed to the internet. Sometimes, that's enough benefit to make VPN very nice to have. The alert fatigue is very real and with the VPN wrapper method, at least when you get a hit on an attempt at RDP, you know it may be worth investigating.

      If you have fixed remote IP addresses accessing RDP then you can choose to mute the alerts from those IPs to reduce alert fatigue but not likely something I'd recommend.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      @tim_g I added the code lines to the bottom of wp-config.php as well as set both fields in Settings to https.

      Doesn't work. Get a too many redirects error.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      I think because my URLs on the Settings tab are still showing HTTP instead of HTTPS, the scripts are being served up via HTTP. But if I change the URLs to HTTPS, browser errors out with too many redirects.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      @tim_g said in Wordpress Install - Page is trying to load unsafe script:

      I just looked again, and seen this as being blocked (but shows a green lock because FF is automatically blocking it):

      0_1520980046984_d90e259e-658c-4446-92df-074ec981a52d-image.png

      Yeah I changed the theme to sixteen to see if that changed anything but still getting mixed content warnings.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      @tim_g said in Wordpress Install - Page is trying to load unsafe script:

      Try adding this to the bottom of wp-config.php:

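      // Treat the request as HTTPS when the reverse proxy reports it as such.
      // isset() avoids an undefined-index notice when the proxy sends no header.
      if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
          $_SERVER['HTTPS'] = 'on';
          $_SERVER['SERVER_PORT'] = 443;
      }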
      

      Added this but no change. Still getting the error. Looks like there is JavaScript being served via http instead of https.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      @tim_g said in Wordpress Install - Page is trying to load unsafe script:

      Also, in your WP settings page, verify these are "https":

      0_1520979661167_e79ea302-916b-47a5-b20c-f883c6260a9d-image.png

      If I do this, unfortunately, I can't get to the blog or admin pages. I get an error stating too many redirects.

      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      When I "inspect element" with Chrome, I see these issues:

      Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure script 'http://domain.com/blog/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
      
      Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure script 'http://domain.com/blog/wp-content/plugins/better-wp-security/core/modules/strong-passwords/js/script.js?ver=4087'. This request has been blocked; the content must be served over HTTPS.
      
      Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure stylesheet 'http://domain.com/blog/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
      
      Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://domain.com/blog/wp-login.php'. This endpoint should be made available over a secure connection.
      
      Mixed Content: The page at 'https://domain.com/blog/wp-login.php?redirect_to=http%3A%2F%2Fdomain.com%2Fblog%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure stylesheet 'http://domain.com/blog/wp-admin/load-styles.php?c=1&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.9.4'. This request has been blocked; the content must be served over HTTPS.
      
      posted in IT Discussion
      NashBrydges
    • RE: Wordpress Install - Page is trying to load unsafe script

      Thanks @Tim_G that shows this...

      ![header.jpg](http://domain.com/blog/wp-content/themes/twentyseventeen/assets/images/header.jpg)
      

      Wonder why that image would be served via http even though the site redirects all http to https.

      posted in IT Discussion
      NashBrydges
    • Wordpress Install - Page is trying to load unsafe script

      I followed the install how-to on Mangolassi using wp-cli on Fedora 27 and managed to get Wordpress installed as a subdirectory on my main site. The main site is behind Nginx with proper SSL certs and that's been working beautifully. Problem is that when I go to the blog subfolder, I get this "Page is trying to load unsafe script" error which is breaking SSL. If I allow the unsafe script, Wordpress looks normal but site shows with broken SSL.

      0_1520973111691_5af9c259-7597-45b8-bce3-d060bb798b5c-image.png

      This is what I have if I don't allow the unsafe scripts to run:
      0_1520973304026_ca6457d2-84c2-4d12-8717-b6e44ced4064-image.png

      This is the Nginx conf file:

      server {
         listen 80;
         server_name domain.com www.domain.com;
         return 301 https://$server_name$request_uri;
      }
      
      server {
        listen 443 ssl http2;
        server_name domain.com www.domain.com;
        
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy strict-origin;
        add_header X-Frame-Options "SAMEORIGIN";
        ssl_stapling on;
        ssl_stapling_verify on;
        server_tokens off;
      
        ssl on;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        proxy_cookie_path / "/; secure; HttpOnly";
      
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://192.168.100.85;
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
         }
      }
      

      This is the Apache conf file:

      <VirtualHost *:80>
          ServerAdmin [email protected]
            <Directory /var/www/html/domain.com>
              Require all granted
              AllowOverride All
              Options -Indexes
            </Directory>
          DocumentRoot /var/www/html/domain.com
          ServerName domain.com
          ServerAlias www.domain.com
          ErrorLog /var/log/httpd/domain.com.error.log
          CustomLog /var/log/access.log combined
      </VirtualHost>
      

      Any ideas why the unsafe script error only with Wordpress install? When I access the regular site, no broken SSL, everything looks good, but Wordpress breaks SSL. I'm at a loss.

      posted in IT Discussion fedora 27 nginx wordpress
      NashBrydges
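
Added example, not part of the original posts: the Nginx `location /` block posted above forwards X-Real-IP, X-Forwarded-For and Host but no X-Forwarded-Proto, so the `$_SERVER['HTTP_X_FORWARDED_PROTO']` test suggested in the thread has nothing to match and WordPress behind the plain-HTTP Apache vhost still sees every request as HTTP. The same block with that header added, reusing the poster's backend address:

```nginx
# Added example: the poster's location block with one extra header.
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    # Tell the backend which scheme the client used. Inside the
    # "listen 443 ssl" server block $scheme is always "https".
    # proxy_set_header replaces any X-Forwarded-Proto value the client
    # sent, so the backend only ever sees the proxy's own view.
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://192.168.100.85;
    proxy_redirect off;

    # Socket.IO Support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```

The header is only trustworthy if Apache on 192.168.100.85 accepts connections from the proxy alone; a client that can reach the backend directly can set it to any value.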
    • RE: Install Nginx as a Reverse Proxy on Fedora 27

      I'm assuming you would recommend using the .well-known addition to the conf files in the server block to avoid shutting down Nginx?

      location /.well-known/acme-challenge {
          root /var/www/letsencrypt;
      }
      
      posted in IT Discussion
      NashBrydges
    • RE: Install Nginx as a Reverse Proxy on Fedora 27

      This guide is fortuitous. I had this planned for migration from Ubuntu this week. This makes my job easier. Thanks!

      posted in IT Discussion
      NashBrydges
    • RE: Cloudflare SSL - Do You Use Or Not?

      @black3dynamite said in Cloudflare SSL - Do You Use Or Not?:

      @nashbrydges said in Cloudflare SSL - Do You Use Or Not?:

      @black3dynamite @scottalanmiller Is there any benefit in using CF's SSL? I only see this as confusing if users verify the cert in their browser. Granted, that's likely a pretty rare thing but still. Any specific reason for using it vs not? You're using it just because it's there?

      I use the non strict Full SSL because I have some self-signed certs.

      That would be a good use-case scenario. Thanks.

      posted in IT Discussion
      NashBrydges