RationalSpace

Archive for the ‘Security’ Category

Making FTP work on Amazon EC2


Though FTP is not a great way to transfer files to a server because of its security issues, sometimes, for reasons such as the specific requirements of business partners, you have to set it up. The better way to transfer files is SFTP; I already wrote a blog post about how to set that up here.

Now, on to setting up FTP.

  1. Check whether vsftpd is installed on your server. If not, install it: sudo apt-get install vsftpd
  2. Check whether port 21 is open: telnet IP 21. If it is not, go to your EC2 dashboard, find the security group your server is attached to, edit it, add port 21 and save.
  3. Edit vsftpd.conf
    1. vi /etc/vsftpd.conf
    2. Disable anonymous login:
      anonymous_enable=NO
    3. Allow local users to log in:
      local_enable=YES
    4. Allow users to write in their FTP directory:
      write_enable=YES
    5. Restrict users to their home directory:
      chroot_local_user=YES
    6. Check your listen address:
      listen_address=0.0.0.0
    7. Save the file and restart vsftpd:
      /etc/init.d/vsftpd restart
    8. Run netstat and check the output:
      netstat -an | grep ':21 '
      It should show
      tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
  4. You may need to use passive mode instead of active mode if your firewall or the client's firewall does not allow the active-mode data connection. To make passive mode work, a few more steps are needed:
    1. Make sure the passive port range (above 1024) is open in your security group: add the range 1024-1048 and save.
    2. In vsftpd.conf, specify the range of ports that will be used for passive data connections (the minimum must be the lower of the two):
      pasv_min_port=1024
      pasv_max_port=1048
    3. It turns out that vsftpd answers the client's PASV command with the internal IP of the EC2 instance, which FTP clients on the Internet cannot connect to. To solve this, tell vsftpd explicitly to advertise our public IP address instead of the address it sees on its own interface. If you don't have an Elastic IP associated with the instance, enable pasv_addr_resolve and give your public DNS name instead:
      pasv_address=your.public.ip.address
    4. Restart vsftpd.
  5. You may also want to read up on passive vs active modes. I found a nice answer here on Stack Overflow.
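As an added example (my own code, not from the post), here is a small Python lint for the vsftpd settings walked through above. It reads the key=value format of vsftpd.conf and reports the slips that most often break passive mode or weaken the setup, such as a minimum passive port above the maximum or anonymous access left on. The two sample configs and the 203.0.113.10 address are constructed placeholders; the defaults assumed for missing keys follow vsftpd's documented defaults.

```python
# Added example, not part of the original post: a small lint for the vsftpd
# settings walked through above.  It parses the key=value format of
# vsftpd.conf and flags the mistakes that most often break or weaken a setup,
# including a passive port range whose minimum is above its maximum.
import re
from typing import Dict, List

IPV4_LITERAL = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf text: blank lines and '#' comments are skipped,
    everything else is key=value; a later assignment overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def lint_vsftpd(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    # The hardening settings from the post: no anonymous access, local users
    # allowed, and each user confined to their own home directory.
    if settings.get("anonymous_enable", "YES").upper() != "NO":
        findings.append("anonymous_enable should be NO")
    if settings.get("local_enable", "NO").upper() != "YES":
        findings.append("local_enable should be YES")
    if settings.get("chroot_local_user", "NO").upper() != "YES":
        findings.append("chroot_local_user should be YES")
    # Passive mode: both bounds set, no privileged ports, and min <= max.
    lo, hi = settings.get("pasv_min_port"), settings.get("pasv_max_port")
    if lo is not None and hi is not None:
        lo_n, hi_n = int(lo), int(hi)
        if lo_n > hi_n:
            findings.append(f"pasv_min_port ({lo_n}) is greater than pasv_max_port ({hi_n})")
        if lo_n < 1024:
            findings.append("passive port range must not include privileged ports")
    elif lo is not None or hi is not None:
        findings.append("pasv_min_port and pasv_max_port must both be set")
    # The address advertised in the PASV reply must be an IPv4 literal
    # unless pasv_addr_resolve lets vsftpd resolve a hostname.
    addr = settings.get("pasv_address")
    if addr and settings.get("pasv_addr_resolve", "NO").upper() != "YES":
        if not IPV4_LITERAL.fullmatch(addr):
            findings.append("pasv_address is not an IPv4 literal; set pasv_addr_resolve=YES to use a hostname")
    return findings


# Constructed sample: the hardening settings with the passive bounds the
# wrong way round, an easy slip to make.  203.0.113.10 is a documentation
# address standing in for the instance's Elastic IP.
CONF_AS_POSTED = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen_address=0.0.0.0
pasv_enable=YES
pasv_max_port=1024
pasv_min_port=1048
pasv_address=203.0.113.10
"""

# The same config with the range corrected.
CONF_FIXED = CONF_AS_POSTED.replace("pasv_max_port=1024", "pasv_max_port=1048").replace(
    "pasv_min_port=1048", "pasv_min_port=1024")

if __name__ == "__main__":
    for name, conf in (("swapped range", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        print(name, lint_vsftpd(parse_vsftpd_conf(conf)) or "OK")
```

To check a live server, read /etc/vsftpd.conf into parse_vsftpd_conf and run lint_vsftpd on the result before restarting the daemon; the security group still has to be checked separately, since vsftpd cannot see it.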

Written by rationalspace

May 27, 2014 at 5:09 pm

Posted in Cloud, Security, Utilities


Setting up SFTP on amazon ec2


I wanted to set up SFTP on my ec2 instance for a particular user in such a way that he has access only to his own folder and cannot see anything else. Setting up SFTP is not a challenge if you already have an ec2 instance running: SFTP runs over the SSH protocol, so most likely it is already running on your machine. To set up a new user, you have to do the following:

  1. Add a user and set a password: sudo adduser joe. This usually creates the home folder for that user as well.
  2. Make the user's home folder owned by root: sudo chown root:root /home/joe
  3. Give proper permissions to this folder: sudo chmod 755 /home/joe
  4. Create one writable folder inside it where the user can put his files: sudo mkdir /home/joe/files; sudo chown joe /home/joe/files
  5. Allow SFTP users to log in with a password as well. By default, sshd expects a key (ppk/pem) and does not allow tunnelled clear-text passwords. So open /etc/ssh/sshd_config and set: PasswordAuthentication yes
  6. Also change the subsystem in this file: comment out #Subsystem sftp /usr/lib/openssh/sftp-server and add Subsystem sftp internal-sftp
  7. Create a user section in this file to limit his access:
    Match User joe
    ChrootDirectory /home/joe
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
  8. Save the file.
  9. Restart ssh: sudo service ssh restart

Now you should be able to open an SFTP connection with any client such as FileZilla or Cyberduck. Just type in your IP/hostname, username and password and it should open the “/” directory, where you will find the folder “files”. You can put your files there. You will not be able to access anything apart from your own folder 🙂
Things to be careful with:

  1. Make sure that you have taken a backup of the file /etc/ssh/sshd_config.
  2. Make sure that you have a second shell open, so that if you make a mistake and restart ssh, you can still fix it rather than getting locked out.
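An added example (my own code, not from the post) for the chroot part of this setup: sshd refuses to chroot a user unless the ChrootDirectory and every directory above it are owned by root and writable by nobody else, and a wrong owner or a group-writable home is the usual reason an SFTP-only user cannot log in after these steps. The check below walks the path and reports what sshd would reject; the pure function takes (uid, mode) so it can be exercised without root, and the path /home/joe is the one from the post.

```python
# Added example, not part of the original post: checks the chroot directory
# the Match block points at.  sshd refuses to chroot unless the directory and
# every directory above it are owned by root and writable only by root, which
# is the usual reason an SFTP-only user cannot log in after this setup.
import os
import stat
from typing import List


def chroot_findings(owner_uid: int, mode: int, path: str = "<dir>") -> List[str]:
    """Pure check over (owner uid, st_mode) so it can be exercised without root."""
    findings: List[str] = []
    if not stat.S_ISDIR(mode):
        findings.append(f"{path}: is not a directory")
    if owner_uid != 0:
        findings.append(f"{path}: must be owned by root (owner uid is {owner_uid})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: must not be group- or world-writable (mode {stat.S_IMODE(mode):o})")
    return findings


def check_chroot_path(path: str) -> List[str]:
    """Walk from / down to the chroot directory and collect findings for
    every component, since a failure anywhere on the path blocks the login."""
    findings: List[str] = []
    current = os.sep
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
        st = os.stat(current)
        findings.extend(chroot_findings(st.st_uid, st.st_mode, current))
    return findings


if __name__ == "__main__":
    # /home/joe is the chroot from the post.  The writable subdirectory
    # /home/joe/files is deliberately not checked: it is meant to be joe's.
    problems = check_chroot_path("/home/joe")
    print("\n".join(problems) if problems else "chroot directory is acceptable")
```

Run it after step 4 and before restarting sshd, together with sshd -t, which parses sshd_config and reports syntax errors without restarting anything; between the two you avoid the lock-out the last caveat warns about.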

Written by rationalspace

May 20, 2014 at 4:39 pm

Posted in OpenSource Tech, Security


Hiding Apache and PHP version information in response headers


This is an important security check that all webmasters should make: hide the web server information from the response headers.

One can easily check the response headers in Firebug. They look like this:

Server: Apache 2.4

To hide the Apache version from the response headers, put the following in your Apache config:

ServerTokens ProductOnly
ServerSignature Off

And restart apache.

You can do a similar thing to hide the PHP information. Find your php.ini and make sure this line is there:
expose_php = Off

Again, restart apache and you are done.
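As an added example (my own code, not from the post), here is a small Python check that reads a raw HTTP response head, as copied out of Firebug or curl -I, and lists the headers that still disclose a product version. The BEFORE and AFTER samples are constructed: the first is what a default install typically sends, the second is the same server after the ServerTokens, ServerSignature and expose_php changes above.

```python
# Added example, not part of the original post: a check that reads raw HTTP
# response headers (as copied from Firebug or `curl -I`) and reports the
# headers that still disclose server or language versions.
import re
from typing import Dict, List

VERSION = re.compile(r"\d+\.\d+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a response head into a name -> value map (names lower-cased);
    the status line and anything after the first blank line are ignored."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw: str) -> List[str]:
    """Return the headers that leak a product version: a Server header
    carrying a version number, or any X-Powered-By header at all."""
    headers = parse_headers(raw)
    leaks: List[str] = []
    server = headers.get("server", "")
    if VERSION.search(server):
        leaks.append(f"Server: {server}")
    if "x-powered-by" in headers:
        leaks.append(f"X-Powered-By: {headers['x-powered-by']}")
    return leaks


# Constructed samples: a default install, and the same server after
# ServerTokens ProductOnly, ServerSignature Off and expose_php = Off.
BEFORE = """HTTP/1.1 200 OK
Date: Wed, 09 Apr 2014 10:52:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html
"""

AFTER = """HTTP/1.1 200 OK
Date: Wed, 09 Apr 2014 10:52:00 GMT
Server: Apache
Content-Type: text/html
"""

if __name__ == "__main__":
    print("before:", disclosed_versions(BEFORE))
    print("after:", disclosed_versions(AFTER) or "nothing disclosed")
```

Note that ServerTokens ProductOnly still sends Server: Apache; the check accepts that because the product name alone carries no version, and it treats any X-Powered-By as a finding because the header exists only to advertise the language runtime.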

Written by rationalspace

April 9, 2014 at 4:22 pm

How to store passwords securely


When we give our password to an internet service, we assume that it's going to be safe. But is it?

How can we store passwords safely?

Hashing is the standard way of protecting a user’s password before it is stored in a database. Many common hashing algorithms like md5 and even sha1 are unsafe for storing passwords, because attackers can easily crack passwords hashed with them. md5 is better than storing raw passwords, but it is not well suited for protecting them because it can be broken so easily. The sha1() and hash() functions are slightly more secure (especially in combination) but still do not give as much protection as phpass.

The most secure way of hashing passwords is to use the bcrypt algorithm. The open-source phpass library provides that functionality in an easy-to-use class.

1. Download this library. All you need is the file PasswordHash.php
2. Include the phpass library: require("PasswordHash.php");
3. Initialize the hasher: $hasher = new PasswordHash(8, false);
4. Store the hash: $hashedPassword = $hasher->HashPassword($userpasswd);
5. Check whether a password is correct: $hasher->CheckPassword('the wrong password', $hashedPassword); // false
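As an added example (my own code, not phpass and not from the post), the same store-and-verify flow in Python's standard library. phpass uses bcrypt; this version swaps in PBKDF2-HMAC-SHA256 from hashlib because it needs no third-party package, and it keeps the properties that make the difference over a bare md5: a random per-password salt, a deliberately slow derivation whose cost is stored next to the hash so it can be raised later, and a constant-time comparison when checking. The record format and the 200,000 iteration count are my own choices.

```python
# Added example, not part of the original post: the same store/verify
# flow as the phpass steps above, written with Python's standard library.
# phpass uses bcrypt; this version swaps in PBKDF2-HMAC-SHA256 (hashlib),
# which needs no extra package, and keeps the properties that matter: a
# random per-password salt, a deliberately slow derivation, and a
# constant-time comparison on verify.
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # chosen for this example; raise it as hardware allows
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters with the hash lets old records be verified
    after the default cost is raised for new ones."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; a malformed or foreign record simply fails to verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))  # True
    print(check_password("the wrong password", stored))            # False
```

Hashing the same password twice gives two different records because of the fresh salt, which is exactly what stops a single precomputed table from cracking every account with that password at once.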

Written by rationalspace

May 7, 2013 at 1:15 pm

Posted in OpenSource Tech, Security


How to block all IPs of a country?


Not all search engines and crawlers are useful for SEO. Often we see websites being bombarded by unwanted Chinese crawlers. Depending on your target audience, you might want to block the IPs of a particular country. This can be done at various levels:

  1. Server level – the server itself rejects the request using iptables
  2. Web server level – configure rules in Apache, nginx, etc.
  3. Application level – check the IP in the application and redirect to a 502 page or similar

The best way is to do it at the server level itself, so that the requests never reach the web server and the application, which can then do what they are supposed to do: perform tasks and render pages for the target audience rather than for unwanted crawlers.

Now, if we want to do this at the server level, adding rules to iptables manually can be quite cumbersome. It is also hard to figure out all the IPs associated with a country. After a bit of research, I found an easy way to do this:

http://ipinfodb.com/ip_country_block_iptables.php

One can use their API to generate the IP ranges of a particular country and then add the appropriate rules to iptables.

You can run this script from cron every week to block any new IPs of the desired country.
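As an added example (my own code, not the linked service's script), here is how I would turn a list of a country's network ranges into iptables rules so that the weekly cron run stays idempotent: the rules live in their own chain that is flushed and rebuilt, the INPUT jump is only added once, adjacent ranges are merged to keep the rule set short, and a lookup function lets you confirm an address would be caught before anything is applied. The ranges below are constructed from documentation address space, not real country data, and the chain name COUNTRYBLOCK is my choice.

```python
# Added example, not part of the original post: turns a list of a country's
# network ranges (as returned by a provider such as the one linked above)
# into iptables rules, and offers a lookup so the rules can be sanity-checked
# against an address before they are applied.  The ranges below are
# constructed from documentation address space, not real country data.
import ipaddress
from typing import Iterable, List

CHAIN = "COUNTRYBLOCK"  # dedicated chain so a weekly refresh flushes only these rules

# Constructed input in the CIDR form a country-to-IP provider returns.
SAMPLE_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the previous block; merged below
]


def normalise(ranges: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings and merge adjacent or overlapping blocks so the
    rule set stays as short as possible."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(ranges: Iterable[str]) -> List[str]:
    """Return the shell commands that rebuild the block chain from scratch.
    Creating the chain fails harmlessly if it already exists, and the flush
    makes the script safe to re-run from cron."""
    rules = [
        f"iptables -N {CHAIN} 2>/dev/null",
        f"iptables -F {CHAIN}",
    ]
    rules += [f"iptables -A {CHAIN} -s {net} -j DROP" for net in normalise(ranges)]
    # Jump into the chain from INPUT only once, so re-runs do not stack jumps.
    rules.append(f"iptables -C INPUT -j {CHAIN} 2>/dev/null || iptables -I INPUT -j {CHAIN}")
    return rules


def is_blocked(ip: str, ranges: Iterable[str]) -> bool:
    """True if the address falls inside any of the ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in normalise(ranges))


if __name__ == "__main__":
    print("\n".join(iptables_rules(SAMPLE_RANGES)))
    print(is_blocked("203.0.113.77", SAMPLE_RANGES), is_blocked("192.0.2.1", SAMPLE_RANGES))
```

For a full country the list runs to thousands of prefixes, and a linear iptables chain of that size is slow to match; the same rule structure works with an ipset hash:net set referenced from a single rule, which is the usual way to keep a large block list cheap.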

Written by rationalspace

February 18, 2013 at 3:03 pm

Posted in Security

