I am trying to block all traffic from a Facebook app, iOS and Android, on a particular network. I can block web access, meaning if a user tries to log in to www.facebook.com from a computer, the router will detect and block it. The user won't be able to have access.
However, mobile apps go through just fine on the same network. I need to prevent users from using the Facebook app on their phone. How do I do this?
I was thinking of using WireShark to see what URL the phone app is connecting to and blocking that URL. I'm sure this is fine, but is there a baseURL I can block which prevents mobile users from accessing Facebook? Is there a list of Facebook URLS I can block which prevent app access?
Whatever tool you are using on the router, I am sure must be supporting pattern matching while filtering packets.
So I suggest you can block all traffic for
*.facebook.com and *.messenger.com.
Having said that it is probably not enough to just filter HTTP packets based on URL. There are ways of circumventing this using VPNs or proxy websites.
You should consider blocking all outgoing traffic on ports other than 80 and 443.
Similarly other protocols like ICMP or UDP too because they can be used to tunnel VPN connections.
I am saying this because we have applied all these methods to get unrestricted access at uni. :)
Probably you can use a proxy server like squid to control the traffic better.
Related
In some countries like Iran or china because of severe Internet censorship, people use a foreign VPN server to bypass government censorship.
Imagine we implement a none-SSL VPN for people who connect their phone to the Internet through this VPN. I want to know if they use a secure application within their phone which is secured by SSL like Instagram or WhatsApp, still, is there any security issue for the transmitted data between their phone and server?
I mean is it possible in this case their data would be sniffed by the government or others? (although the VPN is none-SSL but Instagram is SSL secured)
If I understand the scenario you have described, the VPN does not use SSL when communicating with the user device, but the secure application requires the use of SSL between the server and the client device.
The answer would depend on a few more things. Does the "severe internet censorship" flat out restrict the usage of the application? Take Instagram for example. Is the government banning the use of the application in its entirety or just certain aspects (such as filtering specific tags)? Sometimes the term "internet censorship" is used to mean one of these things but not the other (though most often the former).
Assuming the application is banned in its entirety, and the connection to the VPN is not secured by SSL, then the domain which is being banned would be visible to eavesdroppers at some point prior to the secure channel establishment (with SSL or rather TLS) between the client device and server. For example, it is likely the case that the DNS resolution of the domain is unencrypted (either at the client device level or communicating the query to the VPN). So, the eavesdropper (say, the government) would be able to see this and possibly act on it (say by dropping the request if they have a middlebox unknown to you).
So basically, if the connection to the VPN is not secured by SSL (or TLS) then there would be no benefit in using the VPN with regards to censorship.
I was wondering if it is possible to secure an expressjs RESTful API that only a react native app and react website could access.
For exemple my server is running on port 8000, my react native app is on port 3000 and my website on port 5000. I want the server to listen only to requests coming from these ports.
Let's say I have a POST route to mydomain.com/signup I don't want users to make that post request using external websites or tools like Postman.
What would be the best way to ensure my mobile app and Web site are the only ones allowed to access my RESTful routes.
First off, you are a bit mistaken about how a request to your API works. When your react app on port 3000 makes a request to your server on port 8000, it's just a random incoming request. It doesn't "come" from port 3000. In fact, the incoming port number with be some randomly generated port with 5 or 6 digits. Outbound ports are dynamically generated by the TCP system and you can't tell what "app" it came from.
Second off, your RESTful API server is just a server on the internet. Anyone can make a request to it. Using cross origin protections, you can provide some limits about what can be done from browser Javascript (only allowing requests from your particular domain's web pages), but other requests (not from a browser) cannot be blocked this way.
So, any code jockey using any tool other than a browser can write code to your API. What someone like Google does is they require you to either have an APIKey that they issued to you or they require some login credentials (often a cookie from a previous end-user login) that identifies the user making the request as a permitted user using their system. Even with these tools, this just means that a permitted user is accessing the API, it does not mean that only your app is accessing the API. And, in fact, you can't really prevent that.
So, what most people do is they require a login or APIKey credential and they track the type of use of the API. If the use of the API seems appropriate (particularly the types and frequency of requests), then that use is permitted. If the use of the API does not seem appropriate (often too many requests over some period of time), then that particular credential or user may be blocked from accessing the service either temporarily or permanently.
Let's say I have a POST route to mydomain.com/signup I don't want users to make that post request using external websites or tools like Postman.
You cannot effectively do this. There are obstacles you can erect to make it more difficult like putting an expiring token in your web page and having your own use of the API include the token and then detecting if its a valid token, but a determined hacker will just scrape the token from the web page and still access your API using it from whatever programming tool they want.
What would be the best way to ensure my mobile app and Web site are the only ones allowed to access my RESTful routes.
You can't. Your API is on the web. Anyone with whatever credentials you require can access it.
I would like to implement a web application for a company in China. I need to use WeChat mini-APP to make the sign-up/login straight-forward.
Please correct my assumptions if I am wrong:
To implement the login of the website from WeChat, I need to use the OAuth2 protocol
I also need to create a WeChat developer account under a real name (need ID card or business registration stuff) if I want to diffuse the application
I also need to register a domain name to WeChat so that they can allow OAuth2 authentication to this domain name
Question: can I still use my localhost virtual machine to develop my server?
(I didn't try but I assume WeChat will reject to create an OAuth2 token for localhost 127.0.0.1)
Or do I need to have a development domain name with a development server available from the Internet so that I can debug the OAuth2 authentication?
EDIT 1: I tried to send a HTTPS POST request https://127.0.0.1:8080 and I got an error linking to this URL
https://developers.weixin.qq.com/miniprogram/dev/framework/ability/network.html
EDIT 2: I tried to send a HTTPS POST request https://192.168.1.148:8080 which correspond to my dev computer and I got the error VM17415:1 Cannot send network request to localhost. (My test phone and computer both connected to network 192.168.1.x trough WiFi)
The documentation is available in English on the official WebSite [1]. It is written: network APIs allow communication with LAN IP addresses. So basically, if the phone is connected to the same network as the virtual machine (i.e. WiFi), one should be able to send any kind of HTTP/HTTPS request properly.
Note that the development environment WeChat DevTools block this feature by default. In order to enable it, the user should open the Project Settings and check the box 'Does not verify valid domain names, web-view (business domain names), TLS versions and HTTPS certificates.'.
[1] https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/network.html
I want to build a node js internet gateway/captive portal. So I can have a user 'authorize' his mac address or ip address if the mac address is not possible like used for wifi hotspots
So what I have in mind is node can have a dhcp server and it gives its ip address as the gateway. So if the user loads a page on the web browser it gives them an authentication screen and they can then log in and the gateway can then route its packets correctly.
How can I do the authorization step with node.js so if they're not logged in it presents a log in page & if they are to route the packets correctly?
You need couple of pieces to put this together.
#1: http proxy - If you can run a DHCP server and assign IP addresses, then you can run and http-proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which can check for a cookie, magic packet, token or something that verifies access and lets them through or redirects to login page.
node-http-proxy is a very popular and flexible node http proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may wanna do based on your target audience.
I want users, when they are in the workplace (e.g. on the LAN), to authenticate themselves with their regular username and password. Auto-login is disabled.
However - logging in from outside the LAN should trigger a 2-level authentication (like SMS, mail or similar). How can we get information about the users network when they try to log in to the application from outside the LAN?
NB - it does not matter if you have AD user and pwd. If you are on the outside you have to trigger the 2 level auth.
NB2 - we do not want any client-side scripts running, so this must be something coming with the initial request
Technology: IIS 7, ISA 2006, .Net 4, MS Sql 2008 server.
Question also asked here: https://serverfault.com/questions/354183/what-2-level-authentication-mechanism-is-available-that-can-differentiate-if-the
Information why ISA server remove the information I need: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php
If it's reasonable, don't expose your web server to anything outside of your LAN -- require VPN access.
If that isn't reasonable, you should be able to use the REMOTE_ADDR variable to determine the source of the request. Whitelist your LAN as single-factor and require everything else to be multi-factor. Depending on the scenario, the server variables will be similar to either
Context.Request.ServerVariables ["REMOTE_ADDR"]
or
Request.UserHostAddress()
If you have a proxy in the way, make the proxy tag the originating IP source in the headers and read the request headers to determine the external IP.