Is ngrok safe to use or can it be compromised? - security

Is ngrok a safe tool to use? I was reading a tutorial which recommended to use ngrok test API responses that I make to outside services that need to connect to my endpoints also.

There is no source code available for Version 2.0, considering it started as an open source project in 2014. I am suspect of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff especially without source code!

It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard to guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country its based in). On top of that the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.

I found good rating, but vacuous information here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.

If anyone is concerning compromising their development environment, you can use Docker. There are many ngrok/docker projects but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
for macOS, use "TARGET_HOST=docker.for.mac.localhost"

They now offer a service where you locally run only ssh, no need to run any of their code on your machine.
You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.

Ngrok is a convenient and highly secure utility for creating tunnels to locally hosted applications via a reverse proxy. This is a utility for publishing locally hosted applications on the web. style="letter-spacing: 0px;">Simply put, any locally hosted application provides a publicly accessible web URL to the . H. Either a Spring Boot or Nodejs based web application, or a webhook for a chat application, etc.

Related

Where can I have a node.js server hosted

I currently have a website where I need to use node.js, I am not able to use node.js however, because the web host does not support it. What is the best way I go about hosting a server without having to completely change hosts?
[…] without having to completely change hosts?
If your current hosting provider doesn't support nodejs and you want to use nodejs, then you have to change hosting provider. Sorry.
I can recommend Google Cloud Engine. You can create a virtual machine, e.g. running Fedora, access it via SSH and install what you need, i.e. apache2, nodejs, etc.
If you're not comfortable with that, you should go for a managed hosting solution instead. It will probably be a little more expensive, and you'll have less flexibility in what programs you can use (since you share your virtual machine with other customers and can't make changes to the system yourself), but on the upside, most of the setup is done for you. There are many providers you can choose from; google "managed hostinig with nodejs" if you want an overview. I have used 1and1 before and was mostly happy with it. As you can see here, they have nodejs installed on their servers.
Your question makes hardly any sense... but
Heroku is really great for Node.js app hosting

How to add website password athentication for my Linux server webhost application

I am a Linux server beginner. In fact I am a beginner at a lot of the stuff I am trying to figure out. Therefore, I suspect much of my troubles are due to the fact I don’t know the right words to figure out what I am trying to do.
I am hosting an Ubuntu Linux server using a mirco AWS EC2 instance. On my server I have a number of server applications running, but one in particular is causing me problems.
I am using an independent free server application that hosts (not on port 80) a webpage for everyone to access. The same application has a pay version which adds a tons of features as well as the feature I need – namely, the ability to password protect the website. The free version I have does not even allow the ability to utilize proxy settings.
I would like to know what I need in order to force the webpage traffic through some authentication system before users have access to the sensitive data.
I have thought of a few possible methods so far:
1) reverse proxy server? (Although I cannot set up the app to use a proxy)
2) Use EC2 firewall IP address restriction to only accept traffic from another server (or my computer), and then require that server to authenticate access.
3) Some sort of access gateway or extra firewall installed on (and on top of) the EC2 instances that requires authentication over top of the running application.
4) Paying for some sort of (reverse) VPN service that forces web traffic through password authentication before allowing access to my website.
5) Some tool on sites like http://www.hidemyass.com that would allow me to use a secured connection.
If someone was to reply with just the simple language that I am missing, that would help immensely.
If you don't want to use a reverse proxy using Apache or Nginx, it will come down to the specifics of you application. What's your application running on ? Rails, Django, Tomcat ? All of these web apps have ways to setup routes that you can use to redirect all your users in case they are no authenticated.
Hope this helps.

Node.js online app with intranet DB

What I want to build is an application that sits online and it's used by different groups that each have their own intranet. Now, because of a stupid security policy the data can't sit outside the intranet. How would you go about building an app that it's still online, so you can push updates to everyone at once, but has a DB on each intranet's server?
My initial plan is to use Node.js and MongoDB.
If your db really has to be onsite, and your app really has to be offsite, then probably your only option is to set up a secure connection from your app, to the onsite db, and pretend as if its hosted locally to the app. This may/may not violate the security policies. You could in theory lock it down pretty well, with a vpn between the two networks. But this is not for the faint of heart, performance will suffer, and it does have security issues. It also means a bit of work for every site.
If the only reason you're wanting it to be "online" is for pushing updates as you stated, then you'll do better installing the app on-premise, and getting it to poll into a central server for notifications about new versions, download updates to itself, and install them automatically. Once you've created this, a new installation requires no new work.
I'm facing a similar problem right now, so here's my take on it, not really mongo or node specifc.
Put a db and a simple restful server on each of client's intranets. Servers can be exactly the same.
Put a routing facade accesible from internet that redirects requests to apropriate server based on url, ie: http://facade/server/resource becomes a request to http://server/resouce.
Configure the facade so that a requests to http://facade/resource go to each server, retrieve results and return all of them in some aggregated form.
Obviously there are more details to take into account, like permissions (can everybody publish to each server? if not, who can?), but the general idea is there.

Chat program without a central server

I'm developing a chat application (in VB.Net). It will be a "secure" chat program. All traffic will be encrypted (I also need to find the best approach for this, but that's not the question for now).
Currently the program works. I have a server application and a client application. However I want to setup the application so that it doesn't need a central server for it to work.
What approach can I take to decentralize the network?
I think I need to develop the clients in a way so that they do also act as a server.
How would the clients know what server it needs to connect with / what happens if a server is down? How would the clients / servers now what other nodes there are in the network without having a central server?
At best I don't want the clients to know what the IP addresses are of the different nodes, however I don't think this would be possible without having a central server.
As stated the application will be written in VB.Net, but I think the language doesn't really matter at this point.
Just want to know the different approaches I can follow.
Look for example at the paper of the Kademlia protocol (you can find it here). If you just want a quick overview, look at the Wikipedia page http://en.wikipedia.org/wiki/Kademlia. The Kademlia protocol defines a way of node lookups in a network in a decentral way. It has been successfully applied in the eMule software - so it is tested to really work.
It should cause no serious problems to apply it to your chat software.
You need some known IP address for clients to initially get into a network. Once a client is part of a network, things can be more decentralized, but that first step needs something.
There are basically only two options - either the user provides one (for an existing node of the network - essentially how BitTorrent trackers work), or you hard-code in a gateway node (which is effectively a central server).
Maybe you can see uChat program. It's a program from uTorrent creator with chat without server in mind.
The idea is connect to a swarm from a magnetlink and use it to send an receive messages. This is as Amber answer, you need an access point, may it be a server, a know swarm, manual ip, etc.
Here is uChat presentation: http://blog.bittorrent.com/2011/06/30/uchat-we-just-need-each-other/

Which subversion server type is best?

Subversion has multiple server types:
svnserve daemon
svnserve via xinetd
svn over ssh
http-based server
direct access via file:/// URLs
Which one of these is best for a small Linux system (one to two users)?
http:
very flexible and easy for administration
no network problems (Port 80)
3rd party authentication (eg. LDAP, Active Directory)
Unix + Win native support
webdav support for editing without svn client
slow, as each action triggers a new http-action approx. 5-8 times slower than svn://
especially slow on history
no encryption of transferred data
https:
same as http
encryption of transferred data
svn:
fastest transfer
no password encryption in std. setup: pw are readable by admin
firewall problems as no std.port is used
daemon service has to be started
no encryption of transferred data
svn+ssh
nearly as fast as svn://
no windows OS comes with build in ssh components, so 3rd party tools are essentiell
no daemon service needed
encryption of passwords
encryption of transfer
1 of those options is definitely a 'worst' one: file access. Don't use it, use one of the server-based methods instead.
However, whether to use HTTP or Svnserve is entirely a matter of preference. In fact, you can use both simultaneously, the write-lock on the repo ensures that you won't corrupt anything if you use one and then use another.
My preference is simply to use apache though - http is more firewall and internet friendly, it is also easier to hook into ldap or other authentication mechanisms, and you get features like webdav too. The performance may be less than svnserve, but its not particularly noticeable (the transferring of data across the network makes up the bulk of any performance issues)
If you need security for file transfers, then svnserve+ssh, or apache over https is your choice.
Check out FLOSS Weekly Episode 28. Greg Stein is one of the inventors of the WebDAV protocol for SVN and discusses the tradeoffs. My takeaway is that SVN: is faster but the http/webdav implementation is just fine for almost all purposes.
I've always used XInetD and HTTP.
HTTP also had WebDAV going on, so I could browse the source online if I wanted (or you can require a VPN if you wanted encryption and a dark-net type thing).
It really depends on what restrictions (if any) you're under.
Is it only going to be on a LAN? Will you need access outside of your LAN?
If so, will you have a VPN?
Do you have a static IP address and are you allowed to forward ports?
If you aren't under any restriction, I would then suggest going with xinetd (if you have xientd installed, daemon if you don't) and then (if you need remote access) use http-based server if you need remote access (you can also encrypt using HTTPS if you don't want plain text un/pw sent across).
Most other options are more effort with less benefit.
It's an SVN Repo -- you can always pack your bags and change things if you don't like it.
For ease of administration and security, we use svn+ssh for anything that requires commit access. We have set up HTTP based access for anonymous (read only) access to some open-source code, and it is much faster; the problem with svn+ssh is that it has to start up an ssh connection and a whole new svnserve for each user for every operation, which can get to be pretty slow after a while.
So, I'd recommend:
http for anonymous connections
svn+ssh if you need something secure and relatively quick and easy (assuming your users already have ssh set up and your users have access to the server)
https if you need something faster, secure, and you don't mind the extra overhead of administering it (or if you don't already have ssh set up or don't want to deal with Unix permissions)
I like sliksvn runs as a service in Windows, 2mins to setup and then forget about it.
It also comes with the client tools but download tortoise as well.
If you are going to be using the server only on the local machine and understand unix permissions, using file:// urls will be fast, simple and secure. Likewise, if you understand unix permissions and ssh and need to access it remotely, ssh will work great. While I see somebody else mentions it as "worst", I'm pretty sure that's simply due to the need to understand unix permissions.
If you do not like or understand unix permissions, you need to go with svnserve or http. I would probably choose to run it in xinetd, personally.
Finally, if you have firewall or proxy issues, you may need to consider using http. It's much more complicated, and i don't think you're going to see the benefits, so I'd put it last on your list.
I would recommend the http option, since I'm currently using svn+ssh and it appears to be the red-headed stepchild of the available protocols: 3rd-party tool support is consistently worse for svn+ssh than it is for http.
I've been responsible for administering both svnserve and Apache+SVN for my development teams, and I prefer the http-based solution for its flexibility. I know next to little about system administration, I'm a software guy after all, and I liked being able to hand authentication and authorization over to Apache.
Both tines the teams were about 10~15 people and both methods worked equally well. If you're planning for any expansion in the future, you might consider the http-based solution. It's just as easy to configure as svnserve, and if you're not going to expose the server to the Internet then you don't have to worry too much about securing and administering Apache either.
As a user of SVN, I prefer the http-based integration with Apache. I like being able to browse the repository with my web browser.
I am curious why NOT FSFS?? Important information - I am managing Windows systems.
I have done many projects with SVN and almost all of them were running from FSFS. Biggest repository was around 70GB (extreme), biggest ammount of repositories was around 700.
We never had any issues, even though we hosted it on Windows, NetApp and many other storage systems. Most of the time when I asked why NOT using FSFS only problem was that people simply didn't trust it.
Advantages:
No backend required (or dedicated server)
Fast and reliable
Hook scripts are supported
NTFS permissions are used
Easy to understand, easy to support, easy to manage
Disadvantages:
Not so easy access from outside your network (VPN)
Permissions only on repository-level (Read, Read/Write)
Hook scripts are running under current user credentials (which is sometimes advantage, sometimes disadvantage)
Martin

Resources