Connect remotely to an iis based website - iis

I was asked to make some modifications on a website that is hosted on an iis7 server. I was given the DNS address and a password (I'm guessing I need a username also..) but I have no idea how to connect to the server to even see the files (after that I know how to make the necessary changes).
Is there a manual on how to do this (I'm guessing it's pretty simple).
Do I need special software?

I figured out I needed to connect through mstsc to the server

Related

Is ngrok safe to use or can it be compromised?

Is ngrok a safe tool to use? I was reading a tutorial which recommended using ngrok to test API responses that I make to outside services that need to connect to my endpoints also.
There is no source code available for Version 2.0, considering it started as an open source project in 2014. I am suspicious of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff especially without source code!
It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard-to-guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country it's based in). On top of that the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.
I found good rating, but vacuous information here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.
If anyone is concerned about compromising their development environment, you can use Docker. There are many ngrok/docker projects but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
For macOS, use "TARGET_HOST=docker.for.mac.localhost"
They now offer a service where you locally run only ssh, no need to run any of their code on your machine.
You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.
Ngrok is a convenient and highly secure utility for creating tunnels to locally hosted applications via a reverse proxy. This is a utility for publishing locally hosted applications on the web. Simply put, any locally hosted application provides a publicly accessible web URL to the . H. Either a Spring Boot or Nodejs based web application, or a webhook for a chat application, etc.

How to add website password authentication for my Linux server webhost application

I am a Linux server beginner. In fact I am a beginner at a lot of the stuff I am trying to figure out. Therefore, I suspect much of my troubles are due to the fact I don’t know the right words to figure out what I am trying to do.
I am hosting an Ubuntu Linux server using a micro AWS EC2 instance. On my server I have a number of server applications running, but one in particular is causing me problems.
I am using an independent free server application that hosts (not on port 80) a webpage for everyone to access. The same application has a pay version which adds tons of features as well as the feature I need – namely, the ability to password protect the website. The free version I have does not even allow the ability to utilize proxy settings.
I would like to know what I need in order to force the webpage traffic through some authentication system before users have access to the sensitive data.
I have thought of a few possible methods so far:
1) reverse proxy server? (Although I cannot set up the app to use a proxy)
2) Use EC2 firewall IP address restriction to only accept traffic from another server (or my computer), and then require that server to authenticate access.
3) Some sort of access gateway or extra firewall installed on (and on top of) the EC2 instances that requires authentication over top of the running application.
4) Paying for some sort of (reverse) VPN service that forces web traffic through password authentication before allowing access to my website.
5) Some tool on sites like http://www.hidemyass.com that would allow me to use a secured connection.
If someone was to reply with just the simple language that I am missing, that would help immensely.
If you don't want to use a reverse proxy using Apache or Nginx, it will come down to the specifics of your application. What's your application running on? Rails, Django, Tomcat? All of these web apps have ways to set up routes that you can use to redirect all your users in case they are not authenticated.
Hope this helps.
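What a password-checking reverse proxy in front of the application does, as an added example that is not part of the original posts. It assumes the application's own port has been closed to the internet (rebound to 127.0.0.1 or blocked in the EC2 security group) and that a TLS terminator sits in front of the gateway, because Basic credentials are only base64-encoded; the ports, user name and password are hypothetical, and only GET requests are relayed.

```python
import base64
import hmac
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def is_authorized(header, user, password):
    """True only if the Authorization header carries exactly user:password."""
    expected = b"Basic " + base64.b64encode(f"{user}:{password}".encode())
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest((header or "").encode(), expected)


def make_gateway(upstream_host, upstream_port, user, password):
    """Build a handler that demands Basic auth, then relays GETs upstream."""

    class Gateway(BaseHTTPRequestHandler):
        def do_GET(self):
            if not is_authorized(self.headers.get("Authorization"), user, password):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="restricted"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=10)
            try:
                conn.request("GET", self.path)
                resp = conn.getresponse()
                body = resp.read()
            except (OSError, http.client.HTTPException):
                self.send_error(502, "upstream unreachable")
                return
            finally:
                conn.close()
            self.send_response(resp.status)
            self.send_header("Content-Type", resp.getheader("Content-Type", "application/octet-stream"))
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Gateway


if __name__ == "__main__":
    # Hypothetical layout: app on 127.0.0.1:8080, gateway on 127.0.0.1:8081 behind TLS
    handler = make_gateway("127.0.0.1", 8080, "viewer", "change-me")
    ThreadingHTTPServer(("127.0.0.1", 8081), handler).serve_forever()
```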

Upload website to server

I'm developing a website and the client has decided to provide their own hosting. They've purchased a mac mini, this is all they require for the scope of the project. They've given me full access to the server via a remote desktop connection. I'm not too great on this side of things. I'm sure there's a lot of required information I'm not providing for a full answer but any help? I'm not really sure what I'm supposed to be doing with this.
Is your website static (no server side language / database)?
Is it for internet or intranet?
The generic answer would be telling you to enable OS X Apache server, configure a virtual host, edit httpd.conf configuration, configure the static ip, configure the DNS servers, etc, etc, etc. Quite a lot of steps (but most are simple).
Take a look at this series of articles: http://oreilly.com/pub/ct/49

What is the (most?) secure way to handle database connections in a web application?

I have a web application written in Perl using PostgreSQL.
When accessing the PostgreSQL database I need to supply both username and password. In order to have the password available for unattended start-ups of the system I need to have that password embedded in my application or in a configuration file or as an environment variable configured in Apache.
In either case I have to have the password in clear text format somewhere.
How is it done in real web sites?
The most secure way to do it is to have a configuration file, and put that outside the public folders.
Make sure the password is somewhere the web server is never going to serve. If possible put it outside the webroot; if that's not possible,
Make sure the file containing the password is readable only by the user the web server runs as, and not writeable by anyone.
Rotate it regularly, to minimise the impact if it does somehow leak.
Make sure that the database user you're using has minimal permissions. E.g., for a WordPress installation, create an account just for WordPress to use, and give it access only to the databases it actually needs.
Configure the database to only accept connections from the web server, to minimize the impact of a leak by preventing the attacker from being able to use that password from just any old random node on the net.
You can "trust" your Web server's IP (or the localhost, if it's the same node) in your PostgreSQL's pg_hba.conf, and use no password at all. At least, I don't think it's less secure than storing the database password somewhere in the file system of your Web server.
Of course, you can try encrypting and obfuscating the password somehow. But this security through obscurity is not really a barrier for someone who has managed to get into your Web server, especially when all the Perl source code is there to read.
You can store the password in ~/.pgpass (for the web server user, of course). This is obviously not safe in shared hosting where the same user is used for many different websites, but if you have a dedicated setup it often works very well. See http://www.postgresql.org/docs/current/static/libpq-pgpass.html.
The important thing is to store it outside the general web tree.
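A check for the file-placement advice in the answers above (outside the web tree, owned by the web server user, no access for anyone else, not writable), as an added example that is not part of the original posts. The function name and finding strings are made up for illustration; the group/other test is the same condition under which libpq ignores a ~/.pgpass file.

```python
import os
import stat


def audit_secret_file(path, webroot, server_uid):
    """Return a list of findings for a file that holds a database password."""
    findings = []
    # realpath resolves symlinks, so a link that points back into the
    # document root is judged by where the file really lives
    real = os.path.realpath(path)
    root = os.path.realpath(webroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside webroot")
    st = os.stat(real)
    if st.st_uid != server_uid:
        findings.append("not owned by web server user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group or other can access")
    if st.st_mode & stat.S_IWUSR:
        findings.append("writable by owner")
    # Whoever can write the directory can swap the file for another one
    parent = os.stat(os.path.dirname(real))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group or other")
    return findings
```

Run it as root or as the web server user, passing that user's numeric uid; an empty list means the file matches the advice.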
Use a firewall IP:port filter at the PostgreSQL server and limit access to only the IPs of your web server.
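The answers above suggest limiting PostgreSQL to the web server's address, and one suggests the trust method for that address in pg_hba.conf. The following added example (not from the original posts) audits a pg_hba.conf for network rules that admit more than that one host. The sample file and the address 10.0.0.5 are constructed, and quoted fields containing spaces are not handled.

```python
import ipaddress

NET_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_pg_hba(text, web_ip):
    """Return (line number, reason) for rules that admit more than web_ip."""
    web = ipaddress.ip_address(web_ip)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in NET_TYPES:
            continue  # blank line, comment, include directive or Unix-socket rule
        if len(fields) < 5:
            findings.append((lineno, "malformed rule"))
            continue
        address, method = fields[3], fields[4]
        if len(fields) > 5 and _is_ip(fields[4]):
            # Older two-column form: IP-address followed by IP-mask
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            # all, samehost, samenet or a host name: cannot be judged offline
            findings.append((lineno, f"address '{address}' needs manual review"))
            continue
        if net.is_loopback:
            continue
        if net.num_addresses > 1 or web not in net:
            kind = "trust (no password)" if method == "trust" else method
            findings.append((lineno, f"{kind} rule admits {net}, not only {web}"))
    return findings


# Constructed sample, not taken from any real server
SAMPLE = """\
# TYPE  DATABASE  USER    ADDRESS          METHOD
local   all       all                      peer
host    appdb     webapp  10.0.0.5/32      scram-sha-256
host    appdb     webapp  10.0.0.0/24      trust
host    all       all     0.0.0.0/0        md5
host    appdb     webapp  10.0.0.5 255.255.255.255 trust
host    all       all     all              scram-sha-256
"""
```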

make server auto-append #domain.com to ftp account

I have a client who printed 10,000 advertisements with a specific password for an FTP account written on them, let's say: horses1. For many reasons I have had to migrate her over to a new host; she chose mediaTemple, and bought an account.
The Login is now horses1#HER-DOMAIN.com, which is a problem, because of all her print ads.
I'm thinking this can be fixed with mod_rewrite and htaccess, but I'm pretty sure apache2 and ftp are different programs... I'm really screwed if I can't fix this....
EDIT:
Is there a way to create an FTP user alias?
Apache is just a HTTP server. But maybe mod_ftp and its StripHostname option can help you.
Apache is an HTTP server (which, due to being magic, can be made to act like pretty much any kind of TCP/IP server you like, but almost never is) so won't be responsible for the FTP.
The FTP will almost certainly be supplied by a different server, and you'll need to find out what that is and what level of configuration control you have on it before you can proceed any further.
FTP sites that need #domain are almost always shared hosts.
You will not be able to make configuration changes to make it work without.
