Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I'm about to start a project for coding a remote control software for windows machines and I would like to start from the server side application. I need something like OpenSSH server because the main purpose of the program would be to provide http tunneling of the client through the server,something like proxy but more secure and with encryption. I have some experience mainly with a several unix-based daemons and clients in C++ or Python, but here I am facing with something bigger. My major problem for now is the tunneling part - I don't know how to do it and it's very important to implement. The clients should be able to surf the web through the server (like SSH tunneling) and i have no idea how this works. I would like someone to point me to some nice links where this is explainned well, or at least recommend me some books i should look up.
Thanks.
I currently in a project use a combination of an openvpn tunnel to a windows machine and then use Cygwin on Windows for SSH access to Windows machines. It works, it's simple and it's free :)
http://www.cygwin.com/
You don't describe the threat against which you want to provide security, so I'm going to assume that you want to prevent an attacker located between the client and server from reading and/or modifying the web traffic, and this is why you require encryption.
To do that, you don't need to write your own code. Instead, you can get what you need by running a HTTP proxy (such as squid) and an SSH server (such as openssh) on the server, and tunneling access to the HTTP proxy over SSH.
You would configure the HTTP proxy to accept connections only from "localhost", while the SSH server accepts connections from your client systems.
A nice description of how such a setup would be used from a Windows client can be found at http://kimmo.suominen.com/docs/proxy-through-ssh/ (It describes using such a setup to get into an intranet from the internet, but the principle is the same)
For security, you'll want to go through the SSH server configuration file and disable everything but port forwarding of the one specific port that's needed to access the HTTP proxy.
That's what you describe as "the main purpose" taken care of. If there are other things that you require the server to do on behalf of the clients, my suggestion would be to implement those as a separate application running on the server, with a HTTP interface (CherryPy is a simple way to do that in python) that clients can access via the HTTP proxy.
Not sure if this is what you need but I guess you could use a VPN. OpenVPN builds an encrypted vpn and you can configure it to send gateway (with DHCP) and routes you want to clients so you can redirect all client http traffic to the server you want though the encripted connection.
Doc. link if you need
You can run an OpenSSH server on Windows, e.g.: http://sshwindows.sourceforge.net/
Unfortunately that particular link points to a dead project with the latest release made in 2004. How many security updates were there since 2004? More than zero, I'm sure...
Related
I am a Linux server beginner. In fact I am a beginner at a lot of the stuff I am trying to figure out. Therefore, I suspect much of my troubles are due to the fact I don’t know the right words to figure out what I am trying to do.
I am hosting an Ubuntu Linux server using a mirco AWS EC2 instance. On my server I have a number of server applications running, but one in particular is causing me problems.
I am using an independent free server application that hosts (not on port 80) a webpage for everyone to access. The same application has a pay version which adds a tons of features as well as the feature I need – namely, the ability to password protect the website. The free version I have does not even allow the ability to utilize proxy settings.
I would like to know what I need in order to force the webpage traffic through some authentication system before users have access to the sensitive data.
I have thought of a few possible methods so far:
1) reverse proxy server? (Although I cannot set up the app to use a proxy)
2) Use EC2 firewall IP address restriction to only accept traffic from another server (or my computer), and then require that server to authenticate access.
3) Some sort of access gateway or extra firewall installed on (and on top of) the EC2 instances that requires authentication over top of the running application.
4) Paying for some sort of (reverse) VPN service that forces web traffic through password authentication before allowing access to my website.
5) Some tool on sites like http://www.hidemyass.com that would allow me to use a secured connection.
If someone was to reply with just the simple language that I am missing, that would help immensely.
If you don't want to use a reverse proxy using Apache or Nginx, it will come down to the specifics of you application. What's your application running on ? Rails, Django, Tomcat ? All of these web apps have ways to setup routes that you can use to redirect all your users in case they are no authenticated.
Hope this helps.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am trying to understand what is the right tools for creating an app with text, audio and video exchange. As server-side tool i want to use node.js.
There is a lots of examples which shows you client-side code, but what about server-side? I know, that for WebRTC server is needed only for signaling purposes, but i cant find a descriptive giude helping me to find out how to say:"Hey, here is this guy, he wants to talk to you, so here's his IP" or something simmilar.
How to make sure that i am establishing direct conection? How to establish the most performant kind of connection? I know that there is some NAT traversal protocols, but how i can explicitly use/enable them?
Can i create distributed Skype-like network by connecting many-to-many peers and having some signaling/auth servers? Or maybe use some peers as servers for signaling only?
All the above can be obtained with software such as Flash Media Server (or Red5 for open source). If you want to use Node.JS, you will need to either create your Node services (message queue, media server), or use some already available, and have Node.JS handle the interaction between them. So all of these will be needed:
Node web service(s) with web sockets
Node / other message broker (mq)
Node / other media server (FMS, Red5)
Optional, a caching service for multiple Node web services (Redis)
You can choose Flash, it has great support for RTMFP/RTMP. If you really want WebRTC, you will have to create a STUN node service for p2p discovery, which is connected to the caching service to handle authorizations.
RTMFP is an option, webrtc too. Most performant depends on how you define performance: quality? latency? how should it be biased? If you want low latency, go for p2p. If you want recording capabilities, either rtmp or a node webrtc relay.
Yes, but you will most likely need a team to do that :)
Found almost all of the answers :)
There are no any restrictions for server-side tools, so you can use whatever you want. Node.js fits great. For communication purposes WebSockets or XHR can be used, but there is no restrictions for any others.
In the process of creating connections browser will generate some events with all needed data. You just need to send it to both sides and process it there. There is also offer/answer system, so connection can be made only with agreement from both sides.
Browser will try to establish best connection possible by default. If it's can't be done it will fallback to TURN, which translates data through server.
It will be possibe when DataChannels will be implemented.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I've been going over the documentation for Elastic Search and I'm a big fan and I'd like to use it to handle the search for my ASP.NET MVC app.
That introduces a few interesting twists, however. If the ASP.NET MVC application was on a dedicated machine, it would be simple to spool up an instance of Elastic Search and use the TCP Transport to connect locally.
However, I'm not on a dedicated machine for the ASP.NET MVC application, nor does it look like I'll move to one anytime soon.
That leaves hosting Elastic Search on another machine (in the *NIX world) and I would probably go with shared hosting there.
One of the biggest things lacking from Elastic Search, however, is the fact that it doesn't support HTTPS and basic authentication out of the box. If it did, then this question wouldn't exist; I'd simply host it somewhere and make sure to have an incredibly secure password and HTTPS enabled (possibly with a self-signed certificate).
But that's not the case.
That given, what is a good way to expose Elastic Search over the Internet in a secure way?
Note, I'm looking for something that hopefully, will not require writing code to provide shims for the methods that I want (in other words, writing forwarders).
A plugin for elasticsearch that allows you to replace the HTTP transport with an embedded instance of Jetty is now available.
Because it uses Jetty to handle the HTTP transport, it can handle SSL connections as well as be configured for authentication.
(Note, the following is still sound advice, in that it's generally good practice to abstract your operations out in this manner)
After a number of discussions on the ElasticSearch mailing list, I've discovered that the current solution is to host ElasticSearch behind another application layer and then to secure that layer.
The reasoning is solid; ElasticSearch is akin to a database, and you wouldn't make your database public-facing to all.
Something that I (and others) trip up on is that because ElasticSearch uses HTTP as a transport and uses JSON as the syntax for operations, that ElasticSearch is meant to be public-facing.
However, there is currently a request to add HTTPS transport support (assuming a certificate is provided) along with basic (digest) authentication.
You'll have to firewall the machine in some way, permitting only the traffic from the appserver, e.g. using iptables on linux, or some kind of personal firewall on windows.
This takes you into serverfault.com territory, though - there isn't a programming solution to this one.
I'm developing a chat application (in VB.Net). It will be a "secure" chat program. All traffic will be encrypted (I also need to find the best approach for this, but that's not the question for now).
Currently the program works. I have a server application and a client application. However I want to setup the application so that it doesn't need a central server for it to work.
What approach can I take to decentralize the network?
I think I need to develop the clients in a way so that they do also act as a server.
How would the clients know what server it needs to connect with / what happens if a server is down? How would the clients / servers now what other nodes there are in the network without having a central server?
At best I don't want the clients to know what the IP addresses are of the different nodes, however I don't think this would be possible without having a central server.
As stated the application will be written in VB.Net, but I think the language doesn't really matter at this point.
Just want to know the different approaches I can follow.
Look for example at the paper of the Kademlia protocol (you can find it here). If you just want a quick overview, look at the Wikipedia page http://en.wikipedia.org/wiki/Kademlia. The Kademlia protocol defines a way of node lookups in a network in a decentral way. It has been successfully applied in the eMule software - so it is tested to really work.
It should cause no serious problems to apply it to your chat software.
You need some known IP address for clients to initially get into a network. Once a client is part of a network, things can be more decentralized, but that first step needs something.
There are basically only two options - either the user provides one (for an existing node of the network - essentially how BitTorrent trackers work), or you hard-code in a gateway node (which is effectively a central server).
Maybe you can see uChat program. It's a program from uTorrent creator with chat without server in mind.
The idea is connect to a swarm from a magnetlink and use it to send an receive messages. This is as Amber answer, you need an access point, may it be a server, a know swarm, manual ip, etc.
Here is uChat presentation: http://blog.bittorrent.com/2011/06/30/uchat-we-just-need-each-other/
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I have a server behind a firewall. It runs a web application (Java servlets under Apache Tomcat) and responds only to port 443 (HTTPS). There is no scripting code in the pages served - the forms use HTTP POST to receive the form, process the data (with appropriate input filtering) and then output an HTTP result page.
I am currently using an appliance firewall, but it is 'hardware-flakey'. I have been looking at upgrading to a more 'industrial strength' solution, but the vendor is quite insistant that I purchase a subscription to their "deep packet inspection" software. He claims that even web servers need this kind of protection.
I am not convinced, but do not have the security background to be certain. The firewall would sit between the "world" and my server, and use "port forwarding" to allow only ports 443 and 22 (for maintenance) to reach the server.
So - do I really need this deep packet inspection, or not?
Given that the only protocols that you're interested in (ssh and https) are "negotiate encryption on connect" there's little that a standard firewall will be able to inspect after that point. Once the SSL/SSH session is established the firewall will only see encrypted packets. Ask your vendor what their product examines in this context.
Alternatively, it is possible that the device acts more like a proxy -- that it acts as the server-side end-point for the connection before relaying on to your real server -- in which case it is possible that the product does something deeper, although this isn't the case if the firewall really is "port forwarding" as you say. Again, your vendor should be able to explain how their device operates.
Also you may want to ask what vulnerabilities/risks the inspection system is intended to protect against. For example: Does it look out for SQL injection? Is it targetted to a particular platform? (If your web server runs on a SPARC CPU, for example, then there's little point inspecting URLs for x86 shellcode).
As a network security professional, this sounds like overkill to me.
Martin Carpenter's answer is 100% on target. Anytime you're considering security, you need to understand
What you're securing,
What you're securing it against,
The likelihood of an attack, and
Your risk if an attack succeeds.
For your application, which allows only encrypted, authenticated communication on only 2 ports, I can see only a few vulnerabilities:
Denial-of-service (DOS) is always a threat unless your firewall blocks those attacks.
You might have other applications listening on other ports, but you can detect them with any simple port scanning program.
You may want to restrict outbound communication to prevent a user or rogue application from initiating communication to an unauthorized server.
I also agree that it's a good idea to ask the vendor what "deep packet inspection" means to him and why your particular situation requires it. Unless you get a specific, knowledgeable answer, in layman's terms, that makes sense to you, I'd go elsewhere. There's nothing about network security that can't be explained simply, without buzzwords.
Update on several fronts...
First - I now have reason to believe that part of the flakiness of the OTS hardware product is a combination of low-powered CPU and insufficient buffer memory. In weeks of logging and a few crashes, there are no entries in the logs before the crash, yet I'm logging everything according to the log control. Talking with another firewall vendor, it was indicated that may suggest the buffer is filling faster than it can empty during heavy use. This corresponds with findings - the most used IP is the one crashing the most often.
So I checked, and the firewall did have some deep packet inspection stuff turned on. I've turned it off to see if things improve.
The firewall's main purpose in my network scenario is "gate keeper". That is, I want the firewall to prevent all traffic EXCEPT http, https and some ssh from ever getting beyond the WAN port. Since there are no users inside the firewall, any traffic generated from the inside comes from my application and can be allowed out.
Further talks with the one vendor indicated that they no longer thing deep packet inspection is necessary - the other fellow was just trying to "upsell" me on the unit in question. I also found out their hardware won't really do all that I want without spending a ton of money.
I'm now seriously exploring the use of OpenBSD and a PF firewall to do what I reauire in a cost-effective manner.