How does one work over FTP and public wifi securely?

So I'm working on a project by connecting to an FTP server which hosts the project (a webdev app project based in PHP).
However, I want to go work from cafes once in a while and not just from home, and I was wondering how I can do that securely?
The FTP connection is encrypted with the "Pure FTP" setting in NetBeans, and there is a username and password requirement from the FTP server.
I also have a running VPN service on my laptop.
Is this enough? Or should I secure it better? I tried to find information, but my search did not yield sufficient information, so any reference would also be great.

You don't. FTP is a plaintext protocol, and public wifi is usually not encrypted, if that is what you mean. You don't want to send passwords over this. But there are several ways to make it usable:
Use SFTP or FTPS, which adds a layer of security to the file transfer protocol.
Use a VPN to the network where the FTP server is (not a VPN to somewhere else -- you would still be transferring the passwords from the other side of the VPN).
Use stunnel, SSH port forwarding or an SSH SOCKS proxy.
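To make the "plaintext protocol" point concrete, here is an added example (not code from the answer above) that audits a captured FTP control-channel transcript. Plain FTP sends USER and PASS as text; FTPS (RFC 4217) upgrades the control channel with AUTH TLS, which the server acknowledges with a 234 reply, before the login happens. The auditor flags any credential command seen before a successful AUTH TLS. The transcripts, usernames and passwords are constructed, and the "C:"/"S:" line format is an assumption of this example.

```python
# Added example: flag FTP logins that crossed the wire in the clear.
# Transcript format (constructed for this example): "C: <command>" for client
# lines and "S: <reply>" for server lines.
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    tls_established: bool = False
    cleartext_credentials: list = field(default_factory=list)  # (verb, argument) sent before TLS
    protected_credentials: list = field(default_factory=list)  # (verb, argument) sent inside TLS


def audit_ftp_session(lines):
    """Walk the control channel and classify every USER/PASS command."""
    result = AuditResult()
    awaiting_tls_reply = False
    for raw in lines:
        direction, _, text = raw.partition(": ")
        text = text.strip()
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                awaiting_tls_reply = True
            elif verb in ("USER", "PASS"):
                bucket = (result.protected_credentials if result.tls_established
                          else result.cleartext_credentials)
                bucket.append((verb, arg))
        elif direction == "S" and awaiting_tls_reply:
            # Only a 234 reply means the channel is now encrypted; anything
            # else (e.g. 500/502 from a server without TLS) leaves it in the clear.
            result.tls_established = text[:3] == "234"
            awaiting_tls_reply = False
    return result


# Constructed transcripts.
PLAIN_SESSION = [
    "S: 220 Service ready",
    "C: USER dev",
    "S: 331 Password required for dev",
    "C: PASS hunter2",
    "S: 230 User dev logged in",
]

# Taken from the client's own debug log: on the wire everything after the 234
# reply is inside TLS, which is why the auditor counts it as protected.
FTPS_SESSION = [
    "S: 220 Service ready",
    "C: AUTH TLS",
    "S: 234 AUTH TLS successful",
    "C: USER dev",
    "S: 331 Password required for dev",
    "C: PASS hunter2",
    "S: 230 User dev logged in",
]

# The client asked for TLS but the server refused; the login still went in the clear.
REFUSED_TLS_SESSION = [
    "S: 220 Service ready",
    "C: AUTH TLS",
    "S: 502 Command not implemented",
    "C: USER dev",
    "S: 331 Password required for dev",
    "C: PASS hunter2",
    "S: 230 User dev logged in",
]

if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("ftps", FTPS_SESSION),
                          ("refused", REFUSED_TLS_SESSION)):
        r = audit_ftp_session(session)
        print(name, "tls:", r.tls_established, "cleartext:", r.cleartext_credentials)
```

The third transcript is the case worth remembering: a client configured for "explicit" FTPS that silently falls back to plain FTP when the server rejects AUTH TLS still sends the password in the clear, so client settings that allow fallback deserve the same scrutiny as a plain FTP account.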

Related

How to use a secure WebSocket-Connection for a local client

I need information about security risks and proofs of concept to work with a local client.
In my option, a user will install two components:
The game client
The client launcher
The launcher is running as a background process all the time. The launcher provides a WebSocket server.
The user will open my website to start the game (with game-server lists and other settings). The website connects to the game launcher to handle all actions (change configuration, start the game executable).
Problem:
How do I realize the communication between the website and the game launcher? Okay, WebSockets, yes. But browsers forbid connecting to localhost/127.0.0.1 for security reasons.
A fake pointer via DNS or the hosts file to a subdomain like local.game.tld is bad, because SSL certificates can be revoked here as bad usage.
Another idea was to provide an NPAPI plugin for the browser. But it seems that NPAPI is deprecated and useless for the future.
What's the best practice to communicate between webpages and locally installed software?
But browsers forbid to connect to localhost/127.0.0.1 by security reason
This isn't true. Browsers allow you to connect to localhost / 127.0.0.1. I do it all the time on my machine.
The issue is that TLS (wss://localhost, not ws://localhost) requires a certificate and browsers forbid mixed content (you can't have an https website load non-encrypted resources).
fake-pointer as DNS or hosts-file to an subdomain like local.game.tld is bad, because SSL-Certificates can be revoked here as bad usage.
As part of your game installer you could create a hosts file entry with a certificate for mygame.localhost (possibly using a local script) and then ask the player to authorize the installation of the certificate using their password. This way your certificate won't be revoked... but you are right that this is suboptimal.
EDIT: also, please note that the domain name must be at the end, not at the beginning (i.e., game.localhost and not localhost.game).
Whats the best practice to communicate between webpages and local installed software?
Generally speaking, if your game is installed on the local machine, there's no need to encrypt the communication between the local browser and the local machine.
You can easily write your local server to accept only connections from the local machine (or, at worst, if need be, accept connections from the local area network - though this adds security risks).
Your webpage and WebSocket data can be sent "in the clear" (ws:// and http://) between the local server and the browser since they are both on the same machine - this way you don't need a browser. The local server would initiate (as a client) any encrypted connection it needs when communicating with an external service (wss:// / https://).
EDIT (from the comments):
These are the only 2 solutions I know of:
Installing a self-signed certificate; or
Using http instead of https and having the server handle outside traffic as if it were a client (so all traffic going outside is encrypted).
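The answer's "accept only connections from the local machine" needs two controls in the launcher, shown here as an added example that is not the answer's or any launcher's code: listen on 127.0.0.1 only, and check the Origin header of the WebSocket upgrade against the website allowed to drive the launcher. Binding to loopback keeps other hosts out, but any other site open in the same browser can also open a WebSocket to localhost, so the Origin check is what stops a foreign page from changing configuration or starting the game. The origin, port and request text are constructed; the accept-key computation is the one RFC 6455 specifies.

```python
# Added example (not part of the original answer): handshake checks for a
# local WebSocket launcher. Origins, ports and request text are constructed.
import base64
import binascii
import hashlib
import socket
from http import HTTPStatus

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455
ALLOWED_ORIGINS = {"https://game.example"}           # hypothetical game website


def parse_request(raw):
    """Split an HTTP/1.1 request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def websocket_accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw, allowed_origins=ALLOWED_ORIGINS):
    """Return (101, accept_key) for an acceptable upgrade, else (http_status, reason)."""
    request_line, h = parse_request(raw)
    if not request_line.startswith("GET "):
        return 405, "only GET can open a WebSocket"
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return 400, "not a WebSocket upgrade"
    if h.get("sec-websocket-version") != "13":
        return 426, "unsupported WebSocket version"
    origin = h.get("origin")
    if origin not in allowed_origins:
        # Reject before any launcher command can be exchanged.
        return 403, "origin not allowed: %r" % (origin,)
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key must decode to 16 bytes")
    except (binascii.Error, ValueError):
        return 400, "bad Sec-WebSocket-Key"
    return 101, websocket_accept_key(key)


def handshake_response(raw):
    """Bytes to write back on the socket for the given request."""
    status, detail = check_handshake(raw)
    if status == 101:
        return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                "Connection: Upgrade\r\nSec-WebSocket-Accept: %s\r\n\r\n" % detail).encode("ascii")
    phrase = HTTPStatus(status).phrase
    return ("HTTP/1.1 %d %s\r\nConnection: close\r\nContent-Length: %d\r\n\r\n%s"
            % (status, phrase, len(detail), detail)).encode("ascii")


def make_loopback_listener(port=0):
    """Bind to the loopback address only; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(8)
    return s


# Constructed requests; the key is the sample nonce from RFC 6455, so the
# expected accept value is the one printed in the RFC.
GOOD_REQUEST = ("GET /launcher HTTP/1.1\r\nHost: localhost:9000\r\nUpgrade: websocket\r\n"
                "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                "Sec-WebSocket-Version: 13\r\nOrigin: https://game.example\r\n\r\n")
FOREIGN_REQUEST = GOOD_REQUEST.replace("Origin: https://game.example",
                                       "Origin: https://other.example")

if __name__ == "__main__":
    print(check_handshake(GOOD_REQUEST))     # (101, 's3pPLMBiTxaQ9kYGzzhZRbK+xOo=')
    print(check_handshake(FOREIGN_REQUEST))  # (403, "origin not allowed: 'https://other.example'")
```

The Origin allow-list is the part that matters for a launcher that can start executables: the browser sets Origin itself and a page cannot forge it, so rejecting unknown origins at the handshake keeps the launcher's command channel bound to the site it was written for.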

How can I get file from FTP server?

I have found a security hole in a website. I can sign in through an anonymous account, so I signed in. So I am trying to get index.html from the website and I receive the following message: Illegal PORT command.
Use port or pasv mode.
How can I get this file, then edit it and upload the modified file again?
If you're administering an FTP server, it would be best for you to configure your server to support passive mode FTP. However, you should bear in mind that in doing so, you would be making your system more vulnerable to attacks. Remember that, in passive mode, clients are supposed to connect to random server ports.
Thus, to support this mode, not only should your server have to have multiple ports available, your firewall should also allow connections to all those ports to pass through!
But then the more open ports you have, the more there will be to exploit. To mitigate the risks, a good solution would be to specify a range of ports on your server and then to allow only that range of ports on your firewall.
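As an added example (not the answer's own code), here is a check for the passive-mode setup the answer recommends: parse the server's 227 reply, confirm the advertised data port falls inside the range configured on the server and opened on the firewall, and confirm the advertised address is the server the control connection went to. The port range, addresses and replies are constructed; the iptables syntax in the rule helper is the real one.

```python
# Added example: verify that PASV replies stay inside the configured port range.
# Range, addresses and replies are constructed for this example.
import ipaddress
import re

PASSIVE_PORT_RANGE = (50000, 50100)   # hypothetical range set on the server and firewall
FTP_CONTROL_PORT = 21

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- address and port as six bytes.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (address, port) from a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("byte out of range in PASV reply")
    return "%d.%d.%d.%d" % tuple(parts[:4]), parts[4] * 256 + parts[5]


def check_pasv_reply(reply, control_peer_ip, port_range=PASSIVE_PORT_RANGE):
    """Return a list of problems; an empty list means the reply matches the configuration."""
    issues = []
    address, port = parse_pasv_reply(reply)
    lo, hi = port_range
    if not lo <= port <= hi:
        # A port outside the range means the firewall rule will block the data
        # connection (or, worse, that the range was never applied to the server).
        issues.append("data port %d outside configured range %d-%d" % (port, lo, hi))
    if ipaddress.ip_address(address) != ipaddress.ip_address(control_peer_ip):
        # Clients should refuse data connections to a host other than the one
        # they are talking to; a mismatch usually points at a NAT misconfiguration.
        issues.append("data address %s differs from control peer %s" % (address, control_peer_ip))
    return issues


def firewall_rules(port_range=PASSIVE_PORT_RANGE):
    """iptables INPUT rules that admit only the control port and the passive range."""
    lo, hi = port_range
    return [
        "-A INPUT -p tcp --dport %d -j ACCEPT" % FTP_CONTROL_PORT,
        "-A INPUT -p tcp --dport %d:%d -j ACCEPT" % (lo, hi),
    ]


# Constructed replies from a server reached at 192.0.2.10.
GOOD_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."     # port 50009
LOW_PORT_REPLY = "227 Entering Passive Mode (192,0,2,10,4,1)."     # port 1025
WRONG_HOST_REPLY = "227 Entering Passive Mode (10,0,0,5,195,90)."  # internal address leaked

if __name__ == "__main__":
    for reply in (GOOD_REPLY, LOW_PORT_REPLY, WRONG_HOST_REPLY):
        print(reply, "->", check_pasv_reply(reply, "192.0.2.10") or "ok")
    print("\n".join(firewall_rules()))
```

Run the check against a few PASV replies after changing the server's passive range and you get a direct confirmation that the server, not just the firewall, picked up the new setting; the address comparison also catches the common case where a server behind NAT advertises its private address.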

Access FTP via HTTP?

We have an external secure FTP server that we want to access through HTTPS (our infrastructure does not support FTPs). I know that's possible but I don't know how. I'm looking for something like this:
ftp://ftp.mozilla.org/pub/mozilla.org/zz
http://ftp.mozilla.org/pub/mozilla.org/zz
Thanks!
To add some clarification: FTP and HTTP are, as SLaks said, two entirely different things. The links you have posted use two separate protocols. One is ftp, and one is http. You appear to be getting confused by the second link because it still has ftp in it. What is happening there is that "ftp.mozilla.org" is the domain name of that server. The pages themselves look similar because there is no actual page you are referencing (you are visiting the directory itself) and there is no default page specified in that directory (for example, no index.html).
The default behavior in this case is to simply list the directory contents, which is pretty much what the ftp protocol does anyway.
So:
You will need to either install a web server program (not an ftp server program!) on the ftp server (the physical box) and let users download files using the http(s) protocol, or, as SLaks suggested, you will need to create your own proxy (or find one that exists) that will receive commands over the http protocol and transform them into the equivalent ftp commands, which are then sent to the ftp server.
Personally, I recommend the former, as it is less complicated.
FTP and HTTP are two different protocols that have nothing to do with each other.
You need to run an HTTP server.
You can either run an HTTP server that exposes the same files (like Mozilla does), or write an HTTP proxy for the FTP server.
Sounds like you are looking for a web-based FTP client. http://www.net2ftp.com/ is a good place to start, but you will have to configure the tunnel appropriately within your network. A solution like net2ftp will tunnel traffic to and from the server as HTTP, then running local scripts.
You will also want to remember that there are other file protocols your network administrator can open up aside from SFTP/FTP. Ask them about a private SSH key alternative, which would avoid a public-facing web-based FTP server/client solution.
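The "write an HTTP proxy for the FTP server" option from the answers above, as an added example that is neither the answers' code nor net2ftp's: a small HTTP gateway that maps GET requests onto RETR commands for one exported subtree of an internal FTP server. The security-relevant part is the path mapping, which refuses any request that would resolve outside the exported root. The FTP host, root directory and account are hypothetical placeholders; the gateway itself speaks plain HTTP and is meant to sit behind a TLS-terminating reverse proxy, which is what gives the outside world HTTPS while the FTP leg stays inside the network.

```python
# Added example: an HTTP front end that fetches files from an internal FTP server.
# Host, root and credentials below are hypothetical placeholders.
import posixpath
from ftplib import FTP, error_perm
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

FTP_HOST = "ftp.internal.example"                    # hypothetical internal FTP server
FTP_ROOT = "/pub"                                    # only this subtree is exported
FTP_USER, FTP_PASS = "anonymous", "gateway@example"  # hypothetical read-only account


def to_ftp_path(url_path, root=FTP_ROOT):
    """Map an HTTP request path onto an FTP path under root, refusing escapes.

    normpath collapses '.', '..' and duplicate slashes, so '/../etc/passwd'
    becomes '/etc/passwd' and is rejected by the prefix test below.
    """
    rel = unquote(urlsplit(url_path).path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel)) if rel else root
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError("path escapes the exported FTP root")
    return candidate


def is_safe_path(url_path, root=FTP_ROOT):
    """True if the request path maps to something under the exported root."""
    try:
        to_ftp_path(url_path, root)
        return True
    except ValueError:
        return False


def connect_ftp():
    """Open the FTP leg; kept separate so tests or deployments can swap it out."""
    ftp = FTP(FTP_HOST, timeout=15)
    ftp.login(FTP_USER, FTP_PASS)
    return ftp


class FtpGatewayHandler(BaseHTTPRequestHandler):
    """GET /path  ->  RETR <root>/path on the FTP server."""

    def do_GET(self):
        try:
            path = to_ftp_path(self.path)
        except ValueError:
            self.send_error(404)        # do not reveal that the path was rejected
            return
        try:
            ftp = connect_ftp()
        except OSError:
            self.send_error(502, "FTP server unreachable")
            return
        chunks = []
        try:
            ftp.retrbinary("RETR " + path, chunks.append)
        except error_perm:              # 550 and friends: missing file or directory
            self.send_error(404)
            return
        finally:
            ftp.close()
        body = b"".join(chunks)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback; a reverse proxy in front of it terminates HTTPS.
    HTTPServer(("127.0.0.1", 8080), FtpGatewayHandler).serve_forever()
```

Directory listings are deliberately left out: exposing the listing is a separate decision from exposing the files, and the question only asks for the files. Keeping the gateway read-only with a dedicated FTP account also means a bug in the HTTP layer cannot turn into a write to the FTP server.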

Dreamweaver CS6 SSH private key SFTP on Amazon EC2

Is there a way to connect to an Amazon EC2 server via SFTP with SSH private key authentication only? I've been busting my head researching this but couldn't find a proper answer.
Basically, I need to edit files in Dreamweaver and enable automatic upload on save.
I have some detailed instructions of the setup:
Download Bitvise SSH Client (Tunnelier): http://www.bitvise.com/download-area
In login tab, press ‘Use keypair manager’ and import your amazon .pem key. You should finally end up with something like this:
In login tab set your amazon instance information
Host: ec2 instance IP
Port: 22
Username: ec2-user
Initial method: publickey – slot 1
In services tab setup localhost listener for FTP connections like below:
Press Login to connect to the Amazon EC2 instance. If successful, it will open the SSH and SFTP terminals. You may now close these 2 windows.
In Dreamweaver, set up a new server to connect to the Bitvise 127.0.0.1 listener. You can set the Root Directory of the FTP.
Now when you put files to ‘Amazon Test’ they will be directed to your Amazon EC2 instance, in the Root Directory selected above.
Adobe doesn't offer the option to use SFTP with private key authentication with Dreamweaver.
According to Adobe's web site you can use FTPS, where there is a certificate used for authenticating that you're connecting to the correct server and obviously encryption, but nothing about the use of SFTP with private key authentication.
You can read all about what is available with Dreamweaver remote server connect function here: http://helpx.adobe.com/dreamweaver/using/connect-remote-server.html
You can use PuTTY's Pageant and FileZilla, which I know is a bummer considering the cost of Adobe Dreamweaver (I have it), but it appears to be the only other secure option.
You can read about how to use the 2 here: http://wiki.filezilla-project.org/Howto
I see this is an old post, but I just ran into this issue. I have been using an app that has the same issue for years; my solution was to use Bitvise Tunnelier (http://www.bitvise.com/tunnelier). It allows you to connect to ssh with your key pair and it will proxy FTP to localhost on whatever port you set. So in Dreamweaver you connect to localhost at that port with regular FTP. It's secure enough for most cases because Tunnelier will not accept connections from anything but local.
The download page on their site can be a pain to find, it is here: http://www.bitvise.com/download-area . You will want "Download Bitvise SSH Client (Tunnelier)".
You may simply allow password authentication on your EC2 instance (which is disabled by default) by following the instructions here:
http://bensnotepad.com/enable-password-access-to-your-amazon-ec2-linux-instance

Noob questions about SVN checkout and network issues regarding it

We have a local server with SVN installed on it that we are using for development/testing purposes. We would like to check out the data from it to the live server that is somewhere out there.
The only way to do that which I thought of was to use "svn checkout" from the live server, right? This way we do not need to FTP the changes to it, which may cause problems if we forget to upload some of the changes. And if we find a problem we can always go back to a previous stable version, right? Correct me if I am wrong about any of these.
The problem is that our local server (Ubuntu) does not have an IP that is reachable from outside. We have a router from our ISP, but we can not use that to access the local server from the live one. We are willing to ask the ISP to set up a second IP for the local server, but for security's sake they want to set up a separate machine with Windows and Windows-based security software (firewall - http://www.kerio.com/control/ and antivirus) that will cost us a lot. Can we just set up a free firewall on the local server (Ubuntu, as I said) and solve the problem without spending additional money?
I hope I was clear.
It's always hard to comment without knowing the exact situation, but this sounds a bit crazy.
What you would usually do is set up port forwarding for one port to the local server. The server would then be reachable (for example) through 123.45.67.89:3690.
That's a three-minute task to set up in a normal household router.
As long as the Ubuntu server is closed otherwise, and Subversion or whatever you are using for authentication is properly configured and up to date, this should not create security issues.
In any case, putting a Windows machine in between to act as a firewall sounds really unnecessary. Ubuntu comes with everything necessary to secure the setup properly.
If the remote server has an ssh server, then you can use ssh forwarding.
From the internal svn server:
ssh -R 7711:localhost:3690 {REMOTE_SERVER}
7711 is an arbitrary port (you can use any free port on the remote system) that will be forwarded from the remote system to port 3690 (svn) on the svn server.
3690 is the port on the internal svn server that you want to talk to (via svn://).
If you are using subversion over http:// then use port 80 instead of 3690.
If you are using subversion over https:// then use port 443 instead of 3690.
After setting up the forward, then you can do this on the remote system:
svn checkout {SCHEME}://localhost:7711/{PATH}
{SCHEME} is svn, http, https, etc.
{PATH} is the normal svn path you want to check out.
Notes:
the forwarded traffic is tunneled through the ssh connection (on a different "channel") so it is also encrypted which is a nice benefit.
by default, the remote end of the forward will listen on the loopback interface so only processes on that system will be able to use the forwarded port.
As soon as you close the ssh session, the forwarded port will also close. It only lasts the duration of the ssh connection.
ssh forwarding is very powerful. If you can ssh between two systems, then you can get around any sort of connection problem like this.
Do man ssh and read about the -L and -R options.
Useful links about ssh forwarding:
http://www.rzg.mpg.de/networkservices/ssh-tunnelling-port-forwarding
http://www.walkernews.net/2007/07/21/how-to-setup-ssh-port-forwarding-in-3-minutes/
Check if your ISP router provides some port forwarding abilities.
You should probably forward the ssh port (after ensuring that everyone's password is secure, or enforcing login with ssh key files), and use the SVN+SSH protocol to access your repository.
You should be able to open up and forward a single port (3690 by default) on your existing IP to the local server, as pointed out by Pekka. This depends on your router, and your ability to access the configuration interface on the router.
Instead of having to deal with SSH and worry about people trying to access your local server from anywhere, you could set up a firewall to only allow incoming traffic from your single remote server. Depending on the router setup, you could simply use the built-in firewall on the local server. It would still be advisable to have some svn authentication, though.
The SSH forwarding method described by kanaka prevents the entire issue about remote access to the local machine, but it requires you to execute the forwarding command from the local server every time you need to access svn on the remote server.
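kanaka's note that the remote end of an `ssh -R` forward listens on loopback by default is worth verifying on the live server, because that default is controlled by the sshd setting `GatewayPorts` on the remote side, not by the client. The added example below (not code from any of the answers) parses `ss -ltn` style output and reports whether the forwarded port is bound to loopback only, to every interface, or not at all. The listener lines are constructed; `ss -ltn` is the real command whose output they imitate, and 7711 is the port from the answer.

```python
# Added example: confirm an SSH remote forward is reachable only from loopback.
# The sample output below is constructed to look like `ss -ltn` on the remote host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}


def parse_ss_listeners(text):
    """Return (address, port) pairs from the 'Local Address:Port' column of `ss -ltn`."""
    listeners = []
    for line in text.strip().splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        listeners.append((address.strip("[]"), int(port)))
    return listeners


def forward_exposure(listeners, port):
    """'loopback' if every socket on the port is loopback-bound, 'exposed' otherwise, 'absent' if none."""
    addresses = [a for a, p in listeners if p == port]
    if not addresses:
        return "absent"
    # "0.0.0.0", "*" and "::" all mean "every interface", so they fail the membership test.
    return "loopback" if all(a in LOOPBACK_ADDRESSES for a in addresses) else "exposed"


# Constructed: what you expect with the sshd default GatewayPorts no.
SAFE_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:7711      0.0.0.0:*
LISTEN  0       128     [::1]:7711          [::]:*
"""

# Constructed: what you would see if the forward were bound to all interfaces,
# which makes the internal svn server reachable from anywhere the live server is.
EXPOSED_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:7711        0.0.0.0:*
"""

if __name__ == "__main__":
    for name, sample in (("safe", SAFE_SAMPLE), ("exposed", EXPOSED_SAMPLE)):
        print(name, "->", forward_exposure(parse_ss_listeners(sample), 7711))
```

Run `ss -ltn` on the remote system while the `ssh -R 7711:localhost:3690` session is up and feed the output to `parse_ss_listeners`; "loopback" is the result that matches the answer's description, and "exposed" means the forward has become a second way into the internal svn server that the router's firewall never sees.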
