The New Rock Island Armory TM22 Rimfire Comes Loaded with Features, AR Styling

https://cdn.athlonoutdoors.com/wp-content/uploads/sites/8/2021/06/Rock-Island-STK100.jpg

While AR-type rifle remains white hot in popularity, the venerable .22 LR remains America’s most useful, economical round. From small game to target practice, to competition and even defense, the timeless .22 LR does it all. Now the Rock Island Armory TM22 offers a brand new take on the rimfire sporter.

The Rock Island STK100 features an aluminum grip for better shooting.

RELATED STORY

Rock Island STK100: Striker-Fired, 9mm Pistol has an Aluminum Grip

Rock Island Armory TM22 Rifle Series

Rock Island bills the TM22 as a “new age rifle.” The company claims it comprises a new standard, bringing classical attributes demanded in a semi-auto rimfire.

The entire rifle utilizes 7075 aircraft-grade aluminum from end to end. Leaning on the AR aftermarket industry, the grip utilizes common AR-15 style. The TM22 comes with a commercial buffer tube adapter, top rail and forend that accepts a host of standard aftermarket accessories via M-LOK compatibility.

The TM22 also comes with ambidextrous controls. It comes setup for right-hand use, but controls convert to left-hand for greater utility. Available in two different versions–20-inch or 18-inch barrel–the rimfire ships with two, 10-round magazines. For those really wanting to sling lead, they can pick up aftermarket 15- and 25-round mags as well.

Finally, the TM22 incorporates a trigger exhibiting a 2-pound break. Few platforms provide as much utility or fun as a well-crafted .22 LR. Loaded with features and AR styling, the new TM22 deserves a look. For even more info, please visit armscor.com.

Rock Island TM22-A-18 Specs

  • Caliber: .22 LR
  • Capacity: 10 Rounds
  • Action: Semi-Auto, Recoil Operated
  • Overall Length: 34 inches
  • Height: 7.68 inches
  • Overall Width: 3 inches
  • Barrel: Rifled
  • Barrel Length: 18 inches
  • Length of Pull: 13 inches
  • Number of Grooves: 6
  • Stock: Fixed Aluminum
  • Grip: AR Type
  • Finish: Black Anodized

Rock Island TM22-A-20 Specs

  • Caliber: .22 LR
  • Capacity: 10 Rounds
  • Action: Semi-Auto, Recoil Operated
  • Overall Length: 36 inches
  • Height: 7.68 inches
  • Overall Width: 3 inches
  • Barrel: Rifled
  • Barrel Length: 20 inches
  • Length of Pull: 13 inches
  • Number of Grooves: 6
  • Stock: Fixed Aluminun
  • Grip: AR Type
  • Finish: Black Anodized

The post The New Rock Island Armory TM22 Rimfire Comes Loaded with Features, AR Styling appeared first on Tactical Life Gun Magazine: Gun News and Gun Reviews.

Tactical Life Gun Magazine: Gun News and Gun Reviews

The Visitor Pattern in PHP

https://doeken.org/assets/img/visitor-pattern.jpg

The Visitor Pattern isn’t used often. This is because there are few situations in which it is applicable or even makes sense. However, it’s a nice pattern to know and to have in your tool belt when the time comes. Let’s look at how this pattern can be applied in a PHP environment.

🛑 The problem

Like a few other patterns, the Visitor Pattern tries to solve the problem of adding functionality to an entity without changing it (much…). In addition to this very generic problem, it provides a way of adding the functionality to multiple similar entities, which can’t be completely handled in the same way.

So let’s make the problem a bit more practical. Imagine you have two entities: Book and Document. And for both of these entities we want to know how many pages there are. Our Document has a public function getPageCount(): int which returns the number of pages, while the Book consists of an array of Chapter entities, which also have this function.

class Document

{

public function __construct(private int $page_count) {}

 

public function getPageCount(): int

{

return $this->page_count;

}

}

 

class Chapter extends Document

{

// Chapter specific code

}

 

class Book

{

public function getChapters(): array

{

return [

new Chapter(5),

new Chapter(7),

new Chapter(2),

];

}

}

To streamline the process of returning the page count for either of these entity types, we create a PageCountDumper. A (somewhat naive) implementation of this could look like this:

class PageCountDumper

{

public function handle($entity)

{

if ($entity instanceof Document) {

var_dump($entity->getPageCount());

} elseif ($entity instanceof Book) {

$count = 0;

 

foreach ($entity->getChapters() as $chapter) {

$count += $chapter->getPageCount();

}

 

var_dump($count);

} else {

throw new \InvalidArgumentException('PaperCalculator can not handle the provided type.');

}

}

}

And we can call it like this:

$document = new Document(20);

$book = new Book();

 

$dumper = new PageCountDumper();

 

$dumper->handle($document); // int(20)

$dumper->handle($book); // int(14)

This PageCountDumper has a handle() function that can handle both the Book and the Document entity, and will var_dump the proper page count for both. There are however a few things that stand out:

  • Because there is no shared interface or abstraction between Document and Book, the handle() function receives a mixed $entity and contains the logic for either situation. When adding on more entities, this type checking will pile on and can become quite cumbersome and unreadable.
  • We throw an exception when the entity type is unknown to avoid improper use.

We can do better!

👋 The Visitor Pattern Solution

So the Visitor Pattern provides a solution for this particular problem. It will remove the need for the instanceOf type checks, while keeping the reference to the entity type intact. And it will remove the need to explicitly throw an exception. Let’s see how the Visitor pattern tackles these issues.

Entity specific functions

First off, to remove the instanceOf checks, it requires a method for every possible entity type. For convention’s sake, we’ll call these methods: visitBook(Book $book) and visitDocument(Document $document). And because we are creating a Visitor let’s rename the calculator to: PageCountVisitor.

class PageCountVisitor

{

public function visitBook(Book $book)

{

$count = 0;

 

foreach ($book->getChapters() as $chapter) {

$count += $chapter->getPageCount();

}

 

var_dump($count);

}

 

public function visitDocument(Document $document)

{

var_dump($document->getPageCount());

}

}

By implementing separate methods, with type-hinted arguments, we’ve removed the need for the instanceOf checks. And because we can only call these methods with the appropriate type, there is no need to throw an exception. PHP would already do so when we provide an invalid argument.

If there is another entity in the future that needs its pages to be counted, let’s say a Report, we can add a pubilc function visitReport(Report $report) and implement that logic separately.

But, you might be thinking: This isn’t better. I still need to know what type my entity is in order to call the correct method!. And you would be correct. But hold on, this refactoring is only half of the visitor pattern.

Accepting a visitor

Remember when I said the entities the visitor works on should not be changed much? Yeah, well; there is one change that is needed on every entity to make the Visitor Pattern work. But only one, and this will make it accept any visitor, and therefore add any (future) functionality.

To avoid the instanceOf check, there is only one context in which we can be sure the entity is of a certain type: within the entity itself. Only when we are inside a (non-static) method of a class, we know for certain that $this is an instance of that type. That is why the Visitor Pattern uses a technique called Double Dispatch, in which the entity calls the correct function on the visitor, while providing itself as the argument.

To implement this double dispatch we need a generic method that receives the visitor, and relays the call to the correct method on the visitor. By convention this method is called: accept(). This method will receive the visitor as its argument. In order to accept other visitors in the future, we first extract a VisitorInterface.

interface VisitorInterface

{

public function visitBook(Book $book);

 

public function visitDocument(Document $document);

}

 

class PageCountVisitor implements VisitorInterface

{

// Make sure the visitor implements the interface

}

Then we create a VisitableInterface and apply it on Book and Document.

interface VisitableInterface

{

public function accept(VisitorInterface $visitor);

}

 

class Book implements VisitableInterface

{

// ...

public function accept(VisitorInterface $visitor)

{

$visitor->visitBook($this);

}

}

 

class Document implements VisitableInterface

{

// ...

public function accept(VisitorInterface $visitor)

{

$visitor->visitDocument($this);

}

}

Here you can see the double dispatch in action. The Book class calls the visitBook() method on the visitor and Document calls visitDocument(). Both are providing themselves as the parameter. Because of this minor change to the entity we can now apply all kinds of different visitors that provide a certain functionality for every entity.

To use the visitor on the entities we need to adjust our calling code like this:

$document = new Document(20);

$book = new Book();

 

$visitor = new PageCountVisitor();

 

$document->accept($visitor); // int(20)

$book->accept($visitor); // int(14)

With all the pieces now in place, we are free to create more visitors that implement the VisitorInterface and can perform a certain feature for both Book and Document. A WordCountVisitor for example.

Pros & cons

Like many other patterns, the Visitor Pattern isn’t the one pattern to rule them all. There are multiple solutions to different problems. The Visitor Pattern is just that; a possible solution to a specific problem. Let’s look at some reasons you might use it, and some reasons you might not.

✔️ Pros

  • You can add functionality to any entity by implementing the VisitableInterface once. This makes the entity more extendable.
  • By adding visitors the functionality you enforce separation of concern.
  • The entity is in control whether the visitor is accepted. You can omit the relay and cut the double dispatch.
  • The individual visitors are easier to test.

❌ Cons

  • The double dispatch can be confusing and make the code harder to understand.
  • The accept() and visit...() methods usually don’t return anything, so you need to keep records on the visitor itself.
  • All Visitors need every method on the VisitorInterface while it might not have an implementation for it.

Real world examples

Realistically, you aren’t likely to find this pattern much in the wild. However, it is a common practice in combination with Trees and Tree Traversal.

If you are unfamiliar with Trees & Tree Traversal, you can check out my previous blog on that.

When traversing a Tree, you are iterating over a continuous stream of Nodes. We can perform an action for every node in that Tree. This is called visiting… coincidence? These nodes are usually just an entity holding a value. Instead of adding a bunch of methods to these nodes; it’s actually a nice way of adding different features to these otherwise dumb entities.

Some tree implementations I’ve seen actually have A PreOderVisitor and a PostOrderVisistor. These will then return an array of nodes in that order. While that is a perfectly acceptable visitor, I believe a Visitor should not dictate the order in which it is applied to the tree. For some features it might not even matter what the traversal order is, while in some cases it might.

In my Trees & Tree Traversal post I gave the example of a document inside a tree structure. When traversing that tree in PreOrder you get a logical flow of the document; starting at the cover page. Some visitors we might want to build for that tree are:

  • RenderPdfVisitor which could render every node as a PDF file.
  • TableOfContentsVisitor which could create a table of contents with the correct page numbering.
  • CombinePdfVisitor which could combine every previously rendered PDF into a single PDF document.

And basically every example from that blog post can be build as a visitor.

Thanks for reading

Like I said, the Visitor Pattern isn’t very common, but it’s nice to have up your sleeve. Do you have any experience with this pattern? Please let me know in the comments. I’m curious to hear what you think of it.

I hope you enjoyed reading this article! If so, please leave a 👍 reaction or a 💬 comment and consider subscribing to my newsletter! I write posts on PHP almost every week. You can also follow me on 🐦 twitter for more content and the occasional tip.

Laravel News Links

Security in Laravel: How to Protect Your App

https://static.adevait.com/2021/10/Social-Sharing-photo-Template-1.jpg

Security is always a concern when you are developing a web application.

Not only do you need to think about the security features and vulnerabilities, but also about the possible issues that might appear during the process.

There are a lot of segments that need to be covered and taken care of if you want your application to be secure.

Fortunately, tools like the Laravel framework provide us with a lot of good practices and excellent features. So, if you are building your application using this framework, you can rest assured that the Laravel security package will deliver the results you want.

In this text, we are going to dive into these Laravel security features, and other out-of-the-box practices. We will take a close look into their implementation to understand how we can protect our application.

Checklist

  • Code injections
    • SQL injections
    • XSS attacks
  • Requests origin
  • Exposed files
  • A weak login implementation
  • The right configuration for your environment
  • Software/packages updates
  • Passwords vulnerabilities
  • Prevent CSRF attack
  • Prevent DOS attack
  • Security tips

Code Injections

SQL Injections

In plain PHP, we need to bind all the parameters on SQL queries. But in Laravel, we have the query builder and Eloquent ORM that provides automatic protection against SQL injections by adding param binding by default. Even with this, you should watch out for malicious requests, like for example:

User::query()->create($request->all());

This code could lead to a mass assignment. In this case, a user can send a payload like this:

{
    "name": "John Doe",
    "email": "[email protected]",
    "role_id": "admin" 
}

Another code that could lead to the same issue could be:

$user->fill($request->all());
$user->save();

In this example, we are hydrating an eloquent model with all the data from a request and then saving it.

A malicious user can try with different payloads. Or, they can add extra inputs with different names and try to find a weak implementation like this.

Hopefully, with this example, we can see that we need to take care of mass assignments. We cannot trust any user request, because any user can open the browser inspector and add an input in a monolith or modify the payload from an API.

Laravel provides different ways to handle this:

Set Fillable Property

We can prevent mass assignment by adding explicitly the fields that a model contains by using protected properties, “fillable” or “guarded”:

protected $fillable = ['name', 'email', 'password', 'role_id'];

In this case, we are adding explicitly the columns that a model contains. You can use the guarded property as an empty array. Personally, I do not like this approach as many projects have more than one developer and there is no guaranty that other developers would validate the data.

The forceFill() method can skip this protection, so take care when you are using this method.

Validate Request Data

You should validate any type of resource no matter where it came from. The best policy is to not trust the user. Laravel provides FormRequest so we only need to create one with artisan:

php artisan make:request UserRequest

You can define the rules to validate your requests:

public function authorize() 
{
    return $this->user()->check(); 
} 

public function rules() 
{     
    return [
        'name' => ['required', 'string', 'min:5', 'max:255'],
        'email' => ['required', 'email', 'unique:users'],
        'password' =>   ['required', Password::default()]
    ]; 
}

The authorize method must return a boolean. It is a convenient way to return an authorization validation before starting to validate the requested content. This is something to take in mind and it would apply in any route that has the middleware auth for web or sanctum/API if you are using token-based authentication.

The rules method returns an array with the rules that are validating your request. You can use a lot of rules out of the box or create your own custom rules. If you are interested to dive in deeper into this topic, you can find all the rules in the doc: https://laravel.com/docs/8.x/validation#available-validation-rules.

XSS Attack

This attack could be divided into two sections. The first one restricts special tags on the server and does not return special tags in the views.

Restrict Special Tags in the Server

You could use different approaches. PHP natively has some methods like strip_tags that only protect against HTML and PHP tags. You can even use a regex or use the PHP native method htmlentities() or filter_var both, although it does not protect completely against all the possible tags. In this case, my best recommendation is to use a specific package to solve this, like HTML Purifier.

Does Not Return Special Tags in the Views

If you are working with the Blade template engine, you should take care about how you are printing your data in your template:

<p></p>

The double mustaches syntax would protect you against XSS attacks by automatically escaping the tags for you.

<p>{!! $user->name !!}</p>

On the other hand, this syntax is dangerous. If you do not trust the data that could come, do not use it because the bang-bang syntax could interpret PHP.

Using Another PHP Template Engine

Laravel also provides an escape method that we use on any other template engine like Twig:

Using a Javascript Framework

Any modern Javascript framework automatically protects us to inject a script. VueJS, for example, has a v-html directive that already protects us against this type of attack.

Request Origin

In your application, you can get requests from multiple sites. It could be a webhook, a mobile application, requests from a Javascript project, etc.

In these cases, we should take a defensive approach. A lot of antiviruses are great examples that a non-trust list simply does not work as we cannot keep updating different origins and sites all the time. In this case, a trust list can be the best approach to only validate some origins.

In short, a trust list could work if we know the origins that we are going to allow. But what if we do not?

Maybe an unknown origin could try to send unauthenticated requests. In this case, Laravel once again provides a great tool out of the box. We can use the throttles middleware to protect a route or group of routes from malicious requests. This is one of Laravel’s security best practices to consider.

Route::get('dashboard', DashboardController::class)    ->middleware('throttle:3,10');

The param:3,10 represents that it allows 3 requests during 10 minutes. At the fourth request, it would throw an error 429 in the browser. If it is a request that has a content-type: application/json and accept: application-json, it would return a response with 429 status and a message with the exception.

You can go even further and add a RateLimiter on the app/Providers/RouteServiceProvider.php:

protected function configureRateLimiting() 
{  
    RateLimiter::for('global', function (Request $request) {
        return Limit::perMinute(1000);     
    }); 
}

Then in your route file, you can define a route like this:

Route::get('dashboard', DashboardController::class)->middleware('throttle:global');

If you want to dive deeper into the rate limiter, you can visit this resource. And if you want to get something more robust in terms of a trusts list, here is a great package for adding a white list implementation.

Do Not Trust Sites Without an SSL Certificate

A site that does not have an SSL certificate should not be allowed. No data should be sent without proper encrypted channels as this could lead to a potential man-in-the-middle attack where your data can be exposed.

Lastly, do not share session ids or cookies with insecure connections that do not use the HTTPS protocol. Doing so can also expose sensitive data.

Exposed Files

By default, Laravel only exposes the public directory. This is intended to avoid security breaches. Considering that any file that will be exposed can be accessed by anyone, you should avoid adding their sensitive data.

If you want to expose files to download, the best way to do this is by keeping the files on the storage directory and just adding a symbolic link on a public directory. Laravel provides a command to make it easier:

php artisan storage:link

Now, any file that your app stores in the storage directory will be available. Avoid adding manual permissions to any other directory as this could lead to a potential breach.

Weak Login Implementation

All the authentication workflow, register, forgot password, login, etc, are steps that require utmost attention. For example, if you return a specific message for any field that does not match in a login form, the attacker could know exactly when an email already exists in the database.

One of the strengths of the Laravel ecosystem is that they offer a lot of packages to work with authentication: 

  • laravel/ui – basic authentication, comes with blade views and bootstrap css
  • laravel/breeze – basic authentication, comes with blade views or inertiaJS components, use tailwindcss for styles
  • laravel/jetstream – basic authentication, user profile, 2FA, teams, comes for livewire and inertiaJS stacks, use tailwindcss for styles
  • laravel/fortify – authentication backend logic without any ui preset
  • laravel/passport – full JWT authentication (most of the time over engineer)
  • laravel/sanctum – api tokens authentication with scopes

In this case, a good practice would be to use a package that meets your needs, has official support, and has contributions from the community.

The Right Configuration For Your Environment

Let’s imagine that you push your code to the production environment, and in your production .env file, you set the key APP_ENVIRONMENT=local and APP_DEBUG=true.

In this case, every time that your app throws an error, it would show the stack trace of the exception and it would probably reveal more than you would like.

A stack trace screen would appear to any potential attacker. The technology that is used on the project – the database table and its structure, and the application directory structure – shows there might be more vulnerabilities to explode. With this in mind, take care of the environment file values, but take special care of those two keys.

Software/Packages Updates

By the time your project dependencies get updated, the package authors or the community could find vulnerabilities, like a patch, for example. That is why is so important to update every package that your app has – at least as a production dependency.

You can update your packages by simple running a composer/npm command:

composer update npm update

This command updates the current package/dependencies version. If you want to update to a major release you can execute:

composer outdated
npm outdated

Password Vulnerabilties

Any password should be hashed. Luckily, Laravel provides more than one way to hash data:

bcrypt('LaravelIsCool');
Hash::make('LaravelIsCool');

The APP_KEY is used to encrypt and decrypt data, but it can also be used for signed routes too. This has no relation with hashes, so use it with confidence.

Prevent CSRF Attack

Laravel API security also goes the extra mile with a mechanism to protect the application against CSRF attacks. This type of attack is very difficult to replicate and we do not need to cover it as the framework does it for us.

A CSRF attack makes a request from another browser tab and tries to submit malicious requests to the application. Laravel protects us against these attacks. Every request generates a token that changes on every request. This token would be known only by the application and every request should have this token to validate that the request comes from the same server.

In blade, you can use the directive @csrf:

<form method="POST" action="/profile">
    @csrf
    <!-- Equivalent to... -->
    <input type="hidden" name="_token" value="" />
</form>

To exclude some requests that come from a webhook that was created outside of our application, there is a protected property $except in the VerifyCsrfToken middleware:

protected $except = [
    'stripe/*',
    'http://example.com/foo/bar',
    'http://example.com/foo/*',
];

Prevent DOS Attack

These types of attacks can be divided into two popular categories:

DOS Attacks That Send a Lot of Requests

These attacks would send a lot of PHP requests that are not closed. The server responds to multiple requests until it cannot support more requests and the memory fails, resulting in our server going down. An example of these attacks could be a “slow loris” attack.

Laravel throttle middleware and RateLimiter help us to handle these attacks by IP. It’s important to remember that in your app context, you can handle, but not stop requests from the outside world. You should need other dev-ops tools and server platform tweaks to mitigate these attacks.

DOS Attacks That Send Large Files to Consume the Server Memory

Another variety of this attack could be in a public form. Maybe your application has some public form to submit a file. In this case, large files can exhaust the server memory. Keep in mind that the server should be serving data/resources to other users and handling this type of submits all at the same time.

To handle this attack, you can use the Laravel API security validator to validate the file from the request. Here is an example:

//file is exactly 512 kilobytes.. 
'photo' => ['mimes:jpg,bmp,png', 'file', 'size:512'] 
// file max size is 512 kilobytes.. 
'photo' => ['mimes:jpg,bmp,png', 'file', 'max:512']

Additional Security Tips

Here is a list of tips that could increase your app security:

Use a Honeypot on Any Public Form

Any public form can be submitted by anyone. To avoid malicious requests from bots, you can set a hidden input. The bots would fill the input (a normal user should not fill a hidden input), and then you can use the prohibited validation rule from Laravel validator:

// this input should never comes in the request 
'honey_pot_field' => ['prohibited'],

Constantly Change Your APP_KEY Value

This can be challenging if you have data encryption store models. In this case, I suggest using a package that handles it for you: https://github.com/rawilk/laravel-app-key-rotator. The package rotates the APP_KEY, decrypting and encrypting again all models that were encrypted.

Send an Email When a User Updates a New Email Account

Laravel provides a feature to send an email to verify a new account with new user registration. However, when the same user changes an email account, it does not verify the new email address. This process could be automated by a package: https://github.com/protonemedia/laravel-verify-new-email.

The same applies to password changes.

Register SSH Credentials on Your Server Cautiously

Try to connect with SSH only from places where your connection is “secure.” Avoid public wifi connections.

Set Tokens Lifetime

For Laravel Passport:

In your app/providers/AuthServiceProvider.php, you can set a specific lifetime for every token:

/** 
 * Register any authentication / authorization services. 
 * 
 * @return void 
*/ 
public function boot() 
{    
    $this->registerPolicies();
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    Passport::personalAccessTokensExpireIn(now()->addMonths(6));
}

For Laravel Sanctum:

Just publish the sanctum config file and change the value. The time would be set in minutes:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
'expiration' => null,

Use Authorization Features

Laravel security provides a native system to authorize users on any action. Actions that are not related to any specific model are typically covered by Gates, and the rules that are tight to a model could be covered by Policies. Laravel provides a lot of ways to apply these rules across the app layers. You can apply an authorization rule on:

  • Routes, by using your gates and policies as middlewares.
  • Controllers, using $this->authorizeResource() in the constructor of resource controllers.
  • Controllers, using a more granular validation with $this->authorize() method.
  • Any place, (models, custom services, resources, gates, policies, etc) where you have available the authenticated user with the method $user->can() or $user->cannot().
  • In Blade views, by using the directive @can and @cannot.
  • If you are using any javascript template system you can set an array of permissions in your user or any other model, to get pretty similar functionality, as any policy, the typical actions like viewAll , view , create , update , destroy, here an example:
<button v-if="$page.props.auth.user.permissions.admin_action.create">Admin Action</button> 
<td v-if="product.permissions.view"></td>

Conclusion

This introduction to the security aspects of Laravel allows us, the Laravel developers, to better understand how the framework already protects us from many vulnerabilities.

It also shows us the additional value of Laravel by allowing us to focus our time on development and not on solving common security problems.

An additional advantage is that we can see how working with a tool with such a wide ecosystem allows us to add third-party packages to solve specific problems that other developers have already faced before.

And if you’re in a reading mode and want to advance your Laravel skills, take a look at the following resources:

Laravel News Links

New Features in PHP 8.1 [Video]

https://i.ytimg.com/vi/hrdsRtrxl2s/maxresdefault.jpgIn this video, we discuss our favorite new features in PHP 8.1. Including enums, being able to initialize properties in the initializers of a class, read-only properties, fsync(), final class constants, and array_is_list().Laravel News Links

Essential Gunsmithing Tools: Bare Minimum to Gun Specific

https://www.pewpewtactical.com/wp-content/uploads/2016/07/12.-Start-Roll-Pin-with-Hammer-1024×769.jpg

New to the world of guns?

Find out the most essential gunsmithing tools you’ll need to keep your firearms running in great shape or to make easy modifications.

Oldschool Tools
Oldschool Tools

We’ll go in order from the most basic kit (some of which you’ll probably already have) to some more specialized tools as you progress in your gunsmithing journey.

Table of Contents

Loading…

Bare Essential Gunsmithing Tools

The great thing is that modern firearms are designed to be stripped/cleaned with minimal tools. Some don’t even require anything but your hands and the gun itself.

Brass Hammer & Plastic Mallet

Sometimes you want a little more force but not with something that could mar any of your finishes…

Start Roll Pin with Hammer
Start Roll Pin with Hammer

A brass hammer gives you the heft needed but doesn’t mar the normally much harder steel of a firearm. This hammer has interchangeable heads of brass, plastic, rubber, and even copper.

Brass Hammer
Brass Hammer

And I also keep a standard Rubber Mallet for some more forceful jobs.

Punches

Trigger Hammer Pin with Punch
Trigger Hammer Pin with Punch

Punches let you drive pins that hold together many types of guns. Again, we go with brass punches so they do not mar up the gun. We use and love the Starrett Brass Punch Set since they have longer punches than normal gunsmithing sets.

Wheeler Hammer & Punch Set
Wheeler Hammer & Punch Set

Or you can go with the combination hammer and punch sets from Wheeler which should be more than enough for introductory gunsmithing.

Hex / Allen Key Wrench Set

Tekton Long Hex Key Wrench Set
Tekton Long Hex Key Wrench Set

A lot of firearm screws utilize hex or Allen key patterns. To make it harder, there are metric and U.S. standards that roughly correlate to the origin of your gun. This long arm wrench set makes it easy for both standards.

I’ve probably bought half a dozen sets to place everywhere since they are never around when I need them!

Screwdrivers

Stanley All-in-One
Stanley All-in-One

And of course screwdrivers, you’ll need a sturdy multi-purpose one as well as a precision kit.

Threadlocker

Blue Threadlocker
Blue Threadlocker

Screws in a gun go through an immense amount of stress due to recoil and some will actually start backing out. That’s where threadlocker or Loctite (brand) comes in.

There are a couple of varieties but the two most used are blue (medium) which is great for vibration issues (such as handguard screws) and can be easily removed.

And red (high strength) ($6) which is when you want to lock something for almost forever (such as scope rings) since it requires heat to remove.

More Specialized Gunsmithing Tools

Torque Wrench

If you’re doing anything with precision involved like putting on optics…you’ll want a torque wrench combined with threadlocker.

Wheeler FAT Wrench
Wheeler FAT Wrench

Torque wrenches make sure you’re in spec with the in-lb force and that all the screws have equal tension.

And the industry standard (and our go-to for years) is the Wheeler FAT Wrench.

50

at Amazon

Prices accurate at time of writing

Prices accurate at time of writing

It comes with useful bits that will do for most jobs…and it’s super easy to dial in the appropriate force.

Fix It Sticks

Looking for the top-of-the-line gunsmithing kit? Check out Fix It Sticks.

FixIt Sticks
Fix It Sticks

The Works is truly the works and even has its own super nice torque wrench. Pricey but the best shooters out there (and most of the Pew Pew Tactical team) has one in their range bag.

280

at Fix It Sticks

Prices accurate at time of writing

Prices accurate at time of writing

Want to learn more about the kit? Check out our complete Fix It Sticks Review and also our coupon PEWPEW10 that will save you 10%.

Also…don’t have a range bag yet…check out our Best Range Bags article.

Trigger Pull Gauge

Doing some trigger mods?

You’ll want to make sure you’re actually doing something instead of going by pure feel.

We have an in-depth guide to the Best Trigger Pull Gauges.

Trigger Pull Gauges

But the simplest one that will work for all but the most OCD is the Wheeler Trigger Pull Scale.

Wheeler Trigger Pull Scale (2)
Wheeler Trigger Pull Scale
20

at Amazon

Prices accurate at time of writing

Prices accurate at time of writing

Gun Specific Gunsmithing Tools

There are tons of gun-specific tools, but here are the main ones that you’ll likely use for your Glock and AR-15.

Glock Tool

Glock Tool
Glock Tool

This tool is actually really useful to get the pins in and out without marring the polymer frame, and also to disassemble magazines.

AR-15 Armorer’s Wrench

There’s a lot of versions of the AR-15 Armorer’s Wrench…so much so that we have our own dedicated article.

However our go-to is the Magpul Version.

Best Armorer’s Wrench
59

at Brownells

Prices accurate at time of writing

Prices accurate at time of writing

There are versions on Amazon but we haven’t had the greatest of luck with them breaking little bits when torquing important AR-15 parts.

AR-15 Upper Receiver Vise

If you’re adding a barrel (or taking one off)…you’ll need a special vise to make sure you don’t warp the upper receiver.

Aero on Receiver Vise
Aero on Receiver Vise

The current one we use is the Obsidian Arms.

40

at Brownells

Prices accurate at time of writing

Prices accurate at time of writing

Real Avid AR-15 Armorer’s Kit

If you want a one-and-done situation for your AR-15…check out the Real Avid Armorer’s Master Kit.

Real Avid AR-15 Armorer’s Master Kit
Real Avid AR-15 Armorer’s Master Kit

It’s ginormous and has everything you need. And we have a full review.

235

at Gun Mag Warehouse

Prices accurate at time of writing

Prices accurate at time of writing

Application Specific Gunsmithing Tools

There are too many to list here but they all depend on your specific application. If you want to fit 1911 parts, you’ll need some files and a polishing compound. But if you’re just looking to drift your AK sight, you’ll need a special tool.

Check out our DIY Gunsmithing Tutorials where we cover all the steps and necessary tools.

Looking for more gear we’ve tested to get you started? Start with these:

Tested Shooting Ear Protection Muffs
Tested Shooting Ear Protection Muffs

Conclusion

There you have! The tools we recommend when starting your firearm journey.

All of these should get you where you’re going, but know that certain tasks might require more specific tools. So, it’s always recommended to do a little research before you jump into a project.

(Lest you be like us and make 25 trips to Home Depot or Lowes…)

What tools do you use the most? Let us know in the comments below. Are you building an AR-15? Make sure to read up on the parts and tools you need to do the job at our AR-15 Parts & Tools List.

The post Essential Gunsmithing Tools: Bare Minimum to Gun Specific appeared first on Pew Pew Tactical.

Pew Pew Tactical

What about my mental health?

It’s a threat to my mental health to make me do this.

I believe that 2 + 2 = 4.

Two plus two always equals four.

I will not deny reality.

I will not be forced to subjugate myself to someone else’s fantastical whims.

To violate that, to force me to acquiesce to someone else’s delusion is a threat to my mental health and I will not do it.

There are four lights.

How to Set Up Your Own Secure Email Server

https://static1.makeuseofimages.com/wordpress/wp-content/uploads/2021/10/set-up-secure-email-server-featured.jpg

Major email service providers such as Google and Microsoft occasionally scan your emails to provide targeted ads and other services. You may be concerned by this as it does violate your privacy. One of the easiest ways to prevent this breach of your privacy is to set up your own secure email server.

Setting up your private email server is fairly easy and once the initial set up is complete, you can further customize it according to your preferences.

What Is a Private Email Secure Server?

Whenever you receive an email, it is first stored on an email server before being downloaded to your email client or browser. These email servers are usually managed by the same companies that provide you with email addresses, such as Google, Yahoo, and Microsoft.

While these services do provide you with a lot of convenience, they can easily scan confidential and regular emails to provide targeted ads and improve services such as Google Assistant. Additionally, government entities and law enforcement agencies can ask your email provider to reveal your inbox.

On the other hand, you have complete control over your emails when you use a private email server. This is because the server is located at your own house, on a computer you own.

The glaring advantage of having your own secure email server is privacy. Your emails are completely your own. You can also use one to send completely anonymous emails.

Your ISP and your employers are completely devoid of any access to your emails. This provides a peace of mind that no third-party email providers can match. A private email server allows you to set up filters that are simply not possible when using a regular email service.

However, all this does come at a cost. You are completely responsible for the security of your email server. While your emails can no longer be snooped upon by companies, the server can still be compromised by a determined hacker.

Email providers have dedicated teams that look for security flaws in their servers. However, in the case of a private email server, you are completely responsible for making sure that the server is secure.

How to Set Up Your Own Secure Email Server

Setting up your private email server shouldn’t be a problem at all, provided you follow the steps listed below accurately.

However, before getting started, ensure that you have all the things needed to set up the server. These include:

  • A separate computer with decent hard drive capacity. This will act as the email server and store all your emails.
  • A domain name for your private email server.
  • A good and stable internet connection.
  • An email server service to route your emails. Ideally, it should also have features such as a spam filter, and antivirus protection.

Download and Install an Email Server

The first thing you need to get started is an email server software. There are plenty of programs available. However, most of them are paid.

For this tutorial, let’s make use of an open-source and free email server called hMailServer. To download the application, simply go to hMailServer’s download page and click on the file under “Latest Release”.

Related: IMAP vs. POP3: What’s the Difference? Which One Should You Use?

After downloading the app, simply follow these steps to install it:

  1. Run the downloaded file.
  2. On the Setup welcome screen, click Next.
  3. On the next screen, click on the “I accept the agreement” radio button. Be sure to read through the license agreement first.
  4. On the next screen, choose where you want to install the hMailServer application. It’s better to install it in the C: drive itself.
  5. On the components selection screen, choose Full Installation from the drop-down menu and click Next.
  6. In the next window, choose the database you would like to use. Ideally, choose the first option, i.e. Use built-in database engine. Click on Next.
  7. Choose whether you want to create a start menu shortcut or not, then click Next.
  8. The following screen will prompt you to create a password for your email server. Type in a strong password and click on Next.
  9. Now, click on Install. Wait for the installation to complete.
  10. After the installation finishes, ensure the Run hMailServer Administrator checkbox is checked and click on Finish.

How to Set Up hMailServer

The actual set up process for your private email server is also fairly easy. The following steps should give you a clear idea on how to set up your email server, and some good practices while doing the same:

  1. Run hMailServer Administrator. The app should already be running if you followed step 10 in the section above.
  2. In the window that opens, click on Connect and when prompted, enter the password you entered during installation in step 8 above.
  3. On the welcome screen, under Getting started, click on Add domain.
  4. Under the General tab, type in a domain name under “Domain”. Ensure that the Enabled checkbox is ticked, and then click on Save.
  5. Now, using the navigation bar on the left, go to Domains and then click on the domain name you’ve just entered. Click on the Accounts directory.
  6. In the Accounts window, click on Add.
  7. In the next window, type a name under the Address text box. This will function as your email address.
  8. Enter a suitable password in the Password section. Click on Save.
  9. Now, using the navigation bar, go to Settings > Protocols.
  10. Check SMTP, then uncheck the POP3, and IMAP checkboxes. Remember to click on Save.
  11. Following this, click on Advanced, under the “Settings” heading itself. Under “Default domain”, type localhost, and then click on Save.
  12. Click on the + button to expand the Advanced settings tree.
  13. Navigate to TCP/IP ports and ensure that ports 25, 110, and 143 are enabled for SMTP, POP3, and IMAP respectively.
  14. Now, test your email server by navigating to Utilities > Diagnostics. Select the domain that you created earlier, and click on Start to begin the test.
  15. This will check whether you can successfully connect to the mail server you just created.

After following the aforementioned steps, your private email server is ready to run.

All you need to receive and send emails is a client such as Thunderbird or Outlook. Use the domain credentials you created earlier to log in.

Related: The 5 Best Free Email Clients for Your Desktop PC

Additionally, you can also enable and customize features such as antivirus and spam protection by running the hMailServer Administrator utility. Look for these features on the navigation bar.

Your Private Email Server Is Ready

As is evident, setting up your own email server is not that difficult. In fact, it should take you less than an hour to get it up and running, if you don’t run into any unexpected issues. However, in case you’re looking for more advanced features, it is advisable to hire an IT professional to set it up for you.

And if it isn’t possible for you to set up your own email server, using alternative, secure email services is the next best option.

The 5 Most Secure and Encrypted Email Providers

Fed up with government and third-party surveillance of your emails? Protect your messages with a secure encrypted email service.

Read Next

About The Author

Manuviraj Godara
(136 Articles Published)

Manuviraj is a Features Writer at MakeUseOf and has been writing about video games and technology for over two years. He is an avid gamer who also spends his free time burning through his favourite music albums and reading.

More
From Manuviraj Godara

Subscribe to our newsletter

Join our newsletter for tech tips, reviews, free ebooks, and exclusive deals!

Click here to subscribe

MUO – Feed