How can I configure the firewall with Node.js? Could you give me a sample project?
A firewall is a completely different piece of network infrastructure than node.js which is an application environment. So while the two may be used in the same deployment, they are different tools for different jobs. You would not typically "configure the firewall with nodejs". Your firewall would usually have its own admin interface that you can log in to and then make configuration changes.
If your firewall had a secure HTTP API for doing firewall administration, you could build a node.js app to login and then send HTTP requests to the firewall to modify its configuration. The details of how to do that depend entirely upon what the HTTP API is in the firewall so we'd need to see that in order to recommend anything more specific. In general, one can make an HTTP request from a node.js app to another HTTP server using the request-promise module in NPM.
Both Windows and Mac (and of course Linux) enable you to view and modify the firewall settings via some kind of command line tool.
For example, this post talks about modifying Windows firewall settings through the netsh command, and this post covers command line firewall management in OSX (Mac).
Since Node.js is able to execute command line commands via Child Processes, theoretically, you can modify a system's firewall settings through code running in Node.js.
There's also an npm package called firewall which claims to "Add or remove system firewall rules using Node.js.".
This is a valid question. Network firewall and application firewall both can co-exist together.
A little bit of context. I have developed a webapp on node.js (and a glamorous set of extensions). It has been approved for testing with true users at my company and I am supposed to deploy it now. Problem is that basically I have no idea about how to attack this problem. I have so many questions.
For the moment I have created a virtual machine on the local server. I have installed Ubuntu Server onto it and I have the intuition about how to deploy the app in this part (I suppose following the same steps as when I started to work on this project). I do not know however if I can have remote access from the outside of my network to this virtual machine. I also don't know if additional configuration on Ubuntu's side is needed to make such an idea work (for example: in the installation there was a part about proxies that at the moment I decided to ignore).
From the few documents I have read about it since I was assigned this, a solution may lie in using nginx. The logic behind it if I am not mistaken (and please correct me if I am) is that nginx can help link the HTTP requests (through port 80, which is normally opened for access on most machines) to a specific port on the machine (the sexy app I have developed).
In a more early stage, what resources would I need to start this off? Would I need a domain name? Is it necessary? Do I need a different virtual server to link the apps or can they be on the same machine?
If you have additional comments or tips for someone that is learning to do this kind of thing, please do.
For remote access, you will need a couple of things. First of all, you will need to make sure that your virtual machine is on a bridged adapter. I'm not sure what virtual machine you are on, or I'd give you more detail on how to do this. Second, you will need to make sure that your router has port 80 (or whatever port you chose to use) set up via port forwarding so that requests coming in map to the server (a request comes to the router on the port, the router must then know where to send those requests to). Finally, if you want to use a port other than port 80, you should be able to configure this in the nodejs configuration. This may also be configurable in the router so that requests coming in on port 80 are mapped to, say 8080, but, given that this is a company, it's probably easier to reconfigure the nodejs server than have it set up special mapping.
This experience comes from personal experience with hosting web servers at home. Corporate routers should need similar configuration unless each system has a public IP address on the internet, which is unlikely.
I'm totally new to Linux but have been developing on windows platforms for years. I'd like to set up an Ubuntu server on AWS to house Node.js. If I run through the default install for Ubuntu server, load Node.js and start up a simple Node.js server on port 80 is there anything else I need to do to secure the server?
There are many ways to harden a server, I will only name two that are absolutely necessary.
On Ubuntu Server these might or might not be activated already, but you should always check.
Activate a firewall
The simplest way to handle iptables rules for firewall is ufw. Type in your terminal:
ufw default deny # Silently deny access to all ports except those mentioned below
ufw allow 22/tcp # Allow access to SSH port
ufw allow 80/tcp # Allow access to HTTP port
ufw enable # Enable firewall
ufw reload # Be sure that everything was loaded right
Be sure to allow SSH, otherwise you will be locked outside your server. Also note that UFW (and iptables) lets you allow or deny single IP addresses and subnetworks.
Force pubkey login in SSH, disable root login and use fail2ban
Password login is weak if an attacker can try accessing your server anytime, unless you use a long and impossible-to-remember pseudo-random sequence. SSH lets you handle authentication via public/private keys, which are more robust and far less predictable, being generated from a random seed.
First generate your own pair of keys and add your public key to ~/.ssh/authorized_keys on the server, so that you are not locking yourself out. After, and only after, have a look at /etc/ssh/sshd_config. The two relevant options are:
PermitRootLogin no
PasswordAuthentication no
This way, the attacker must guess the username of the administrator before even trying the password, because they cannot login as root. You don't need to access as root to get root privileges, you will be able to elevate from your user account with su or sudo.
Finally, use fail2ban to temporarily ban by IP address after a certain number of wrong attempts to authenticate (so that attackers cannot brute force that easily). I said temporarily because if an attacker spoofs your legitimate IP, he/she can perform a DoS on you.
After applying all changes, restart the daemon with:
service ssh restart
I will repeat it, be careful, check everything or you will lock yourself out of your server.
Other remarks
A default Debian/Ubuntu installation is secure enough to be exposed on the Internet without fearing any major flaw. Still, you should always review security settings, gather information about software you are deploying on the server and periodically inspect logs searching for abnormal patterns.
Other tools that might be useful are AppArmor, providing MAC profiles for most system services (Postfix, HTTPd...), LXC for sandboxing, chroots, etc... It depends on how critical the infrastructure is.
I think this topic is too wide for a SO answer.
The best place to start would be probably to start mapping the security best practices and the required knowledge for you to gain.
Knowledge Centers:
CSA - Cloud Security Alliance: The place to have full understanding of what is required to run a server in the cloud.
OWASP - Open Web Application Security Project. Deals with your web app. Take a look at the top 10 list
PCI - The payment card industry regulator. Though you are probably not storing credit cards - this is a good source to learn. Here is an intro.
Now you have several approaches to deal with it:
Enterprise approach - learn, plan, implement, test, create ongoing processes.
Guerrilla approach - Iterative: find the lowest hanging fruit and handle it.
Hybrid - combine some properties from both approaches.
Regarding your lowest hanging fruit / most critical attack vectors:
Your Perimeter aka Proper Firewall Configuration - since you are running on AWS you should consider using their powerful network based FW (aka Security Groups). For simple use-cases you can use their console UI. For more complex setups you might want to add dedicated security management services such as Dome9 that could assist with management of both network based and host based security policies.
Utilize WAF (Web application firewall) - consider either using mod-security - host based WAF that can be installed on your nginx that (hopefully) sits in front of your nodejs. OR alternatively use WAF as a service by Incapsula or Cloudflare
Setup proper centralized logging. Compare Splunk Cloud, Sumo Logic, LogEntries and Loggly to find your service of choice.
Harden your server authentication and accounts (too long to cover here)
I have set up FTP within IIS7 on a Windows 2008 Virtual Machine. I enabled Port 21 within the endpoints and Active FTP works just fine. But I am unsure how to connect through Passive. I followed Microsoft documentation (enabled a range of ports within IIS and allowed the same ports on the local firewall). I also allowed the ports within the endpoints in Azure Management. This didn't work.
I read somewhere on an unofficial MS forum that MS do not allow Passive FTP within Azure. Is this true? If not can someone direct me to the right documentation?
Thanks
SOLUTION
I followed instructions in this article.
The problem I was having was I didn't stop and start the FTP service after doing this. It won't work otherwise.
Passive FTP should work fine in Windows Azure Virtual Machines. However, you may not be able to choose a large port range since you can only have up to 25 endpoints in Azure and this could be a limitation to have Passive FTP. This Forum discussion talks more about it.
You can find this blog which explains how they configure Passive FTP with IIS on Windows Virtual Machine.
An additional piece of info about the post referenced above (http://www.itq.nl/blogs/post/Walkthrough-Hosting-FTP-on-IIS-75-in-Windows-Azure-VM.aspx) - at the end it says you need to use the following command to add the port range in IIS:
appcmd set config /section:system.ftpServer/firewallSupport \
/lowDataChannelPort:7000 /highDataChannelPort:7014
This failed for me, because the port range is locked so it can only be set on the root IIS node. The error is:
Support (Your site name) /lowDataChannelPort:5000 /highDataChannelPort:6000
ERROR ( message:Can not set attribute "lowDataChannelPort" to value "5000".. Rea
son: This configuration section cannot be used at this path. This happens when t
he section is locked at a parent level. Locking is either by default (overrideMo
deDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny"
or the legacy allowOverride="false".
. )
If you traverse up the IIS nodes to the root server node, choose Features View, then FTP Firewall Support, you can set the Data Channel Port Range there using the text box, without the need for scripting, and avoiding this error. Once this is done, you then need to restart the ftp service (as noted above), and passive FTP works well.
I've added this additional answer here because being unable to run the appcmd command to set the port range had me going around in circles for a number of hours, and this may help others avoid the same problem.
I thought others might run into this. If you get the security message indicating that the parent is locked, just go back into your FTP and turn OFF Require SSL Connections. Then rerun the command. Set up your endpoints, open the firewall, etc. THEN go in and turn back on Require SSL Connections!
I need to assign rules in my firewall using programming. I mean I want to create a web app in which user can select the firewall rules for their IP address and those rules will be assigned to that IP. There would be only one firewall machine. I think a firewall with a nice API will do this. Does anyone know an open source firewall with a good API?
The linux firewall is called netfilter and is a part of the linux kernel. There are various userland tools which manipulate it, most notably the de-facto standard utility iptables. As you need to be root in order to modify firewall rules, and web servers should not run as root, I'd recommend a two-tier approach to solving this: A web app which modifies a set of rules (in a SQL db, or a config file), and a daemon running as root which monitors for rule changes and applies them by executing iptables.
I have a flash-based (AC3) application which does some network activity. Is there any way to see what requests it generates? Something like network console.
Sources are not available and there is no way to modify the application.
I'm on a linux platform (Ubuntu), so I don't have any flash developer tools. The only solution that comes to my head is to set up traffic logging on the OS level.
Any ideas?
You should run Wireshark or Snort. By defining filters (in the case of Wireshark) or rules (in the case of Snort), you can whittle it down.
It will also help if you stop other services/daemons/programs using the HTTP protocol.
You could run it through a local proxy such as Charles Proxy.
Fiddler is another proxy for windows.
You can also use httpWatch which lets you track all requests just like Fiddler.
You can find it here and download the free version: http://www.httpwatch.com/?gclid=CMr11s6-qKQCFcHr7QodjXRW5w