
BLU Discuss list archive



Frackin script kiddies!!



On Aug 3, 2010, at 2:06 PM, Jarod Wilson wrote:
> 
> I have a public-facing web server. One of the things it serves up is
> mythweb. I require access to mythweb to go over ssl with
> authentication. What else would you propose that I do, short of not
> running mythweb on a public-facing web server?

Take a step back for a second and look at what SSL does: it encrypts the end to end communication between your public facing web server and the remote browser.  This ensures that the communication is secure but it does nothing to ensure that the browser making the connection is authorized to do so.

Now look at what SSH and VPNs do: they encrypt the end to end communication *and* they authenticate the user trying to communicate.  This is what you are missing: authentication on the communication link.  So, what you need to do is put some kind of authentication there.

You can do this easily with SSH tunnels if you require PK auth and secure your keys with passwords, and then allow HTTP connections to your web front end only from within your private network.

You can do it with X.509 certificates with TLS but this requires setting up a certificate authority for your network.  IMO this is overkill for a home network but is the right answer for larger networks (corporate, school, etc).  Then, using this mechanism, you configure the web server to require X.509 authentication before it will even consider talking to you.

You can do it with a VPN.  As with SSH tunnels you configure the web server to only accept connections from the internal network.

I use a combination of 1 and 3.  I use an SSH tunnel to proxy all my web requests through a Squid proxy running at home behind my firewall with a tunnel set up like this:

  autossh -f -M 20000 -L 3128:proxy.home.net:3128 -C -N foo.gotdns.org

and setting my browser's proxy to localhost:3128.  For times when I need to see what's going on inside, like VNC connections, I use OS X's built-in PPTP VPN.  In both cases the only way to talk to anything on the inside is through a secured and authenticated channel.

--Rich P.

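As an added example (not from Rich's message or from MythTV), here is an Apache 2.4 virtual host that implements the "web server only accepts connections from the internal network" part of options 1 and 3, with the option 2 client-certificate variant left as a commented alternative. The hostname, certificate paths, htpasswd file and the 192.168.1.0/24 LAN range are assumptions.

```apache
# Added example (not from the original message): Apache 2.4 vhost for mythweb.
# Hostname, file paths and the 192.168.1.0/24 LAN range are assumed values.
Listen 443
<VirtualHost *:443>
    ServerName foo.gotdns.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mythweb.crt
    SSLCertificateKeyFile /etc/ssl/private/mythweb.key

    # Weak: SSL plus a password prompt, reachable from the whole Internet.
    # Encryption protects the link, but anyone can reach the login prompt.
    #<Location /mythweb>
    #    AuthType Basic
    #    AuthName "MythWeb"
    #    AuthUserFile /etc/apache2/mythweb.htpasswd
    #    Require valid-user
    #</Location>

    # Options 1/3: only the LAN (reached through the SSH tunnel to the Squid
    # proxy, or through the VPN) may connect. Requests coming in over the
    # tunnel arrive from the proxy's LAN address, so they pass the ip check;
    # a remote browser never even sees the login prompt.
    <Location /mythweb>
        AuthType Basic
        AuthName "MythWeb"
        AuthUserFile /etc/apache2/mythweb.htpasswd
        <RequireAll>
            Require ip 127.0.0.1 192.168.1.0/24
            Require valid-user
        </RequireAll>
    </Location>

    # Option 2: require a client certificate issued by your own CA before any
    # request is processed. Uncomment these (and drop the Require ip line) if
    # the server must stay reachable from outside without a tunnel or VPN.
    #SSLCACertificateFile /etc/ssl/certs/home-ca.crt
    #SSLVerifyClient require
    #SSLVerifyDepth 1
</VirtualHost>
```

Verify the restriction from outside the LAN with a plain HTTPS request to /mythweb, which should return 403 rather than a password prompt.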