Showing posts with label linux. Show all posts
Showing posts with label linux. Show all posts

Friday, July 4, 2008

Secure HTTP over SSH proxy with Linux

In an previous post I made I detailed how to create a secure your browser's HTTP communications by tunneling the HTTP session over an SSH proxy using Putty.

Putty is what you would use if you use a Windows desktop. If you're on a Linux Desktop you do not need Putty since you should have OpenSSH with the distribution you use.

Doing a man ssh on your Linux Desktop should give you the manual on how to use your SSH client: 

SSH(1)                                                         BSD General Commands Manual                                                         SSH(1)

NAME
     ssh - OpenSSH SSH client (remote login program)

SYNOPSIS
     ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D  [bind_address:]port] [-e escape_char] [-F configfile] [-i identity_file] [-L
         [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R  [bind_address:]port:host:hostport]
         [-S ctl_path] [-w local_tun[:remote_tun]] [user@]hostname [command]

... etc ...
The synopsis gives you the format of the command and the options that can be used with the ssh command. Of interest is the -D option. This allows you to bind the SSH session to a local address and port. Below is the part of the manual explaining the D option: 
     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side,
             optionally bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded over the secure
             channel, and the application protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and
             SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can
             also be specified in the configuration file.

             IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets.  Only the
             superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However, an
             explicit bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates that the listen‐
             ing port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
Basically it means that you can start an SSH session using the OpenSSH client with a command such as: 
ssh -D localhost:8000 user@example.com
and it will create a SOCKS proxy on port 8000 that will tunnel your HTTP connection over SSH to the server at example.com under the username user.

Now you can configure your applications that access the internet to use the secure HTTP tunnel you've created to your remote SSH server. The applications are not limited to web browsers, you can configure your Instant Messenger, Skype, Games etc. to use the socks proxy, as long at the communication protocol is supported.

Configuring Firefox to use the Socks Proxy

  • Tools -> Options -> Advanced -> Network
  • Under Connection click on the Settings button
  • Choose Manual Proxy configuration, and SOCKS v5
  • Fill in localhost for the host, and 8000 (or the port number you used) for the port
  • Click OK and reload the page

Now what you can do is have the the ssh session start up when you start your desktop. Thats if you want to use your secure tunnel every time you use Firefox or whatever program you have configured to use it. On Ubuntu (Debian) you'd add a shell script to your home directory.
Example: 

#!/bin/sh
ssh -D localhost:8000 user@example.com
That should start up the ssh connection and create the socks proxy when you log in. The other alternative is to create a launcher and use ssh -D localhost:8000 user@example.com as the command, allowing you to launch the proxy whenever you need.

You can also set up an ssh key for authentication instead of having to log in. This is detailed in other posts: http://pkeck.myweb.uga.edu/ssh/ and http://sial.org/howto/openssh/publickey-auth/. This allows you to use the proxy transparently in the background without having to start it and log in.

For Firefox you can switch between proxy and direct connection using the switchproxy extension.

Disclaimer: Please note that it is your responsibility to use the information in this article within the legal laws of your country. Some countries do not allow encryption of internet traffic, therefore you SHOULD NOT use this resource if you live in such a country. I provide this information without warranty and free of charge and will not be held accountable for any damages lost due to its use.. etc etc.

Posted by at 3 comments:
Labels: , , , , ,

Thursday, April 17, 2008

Secure Joomla file permissions - Linux with Apache

Joomla allows web based installation of extensions, because of this, on most Joomla setups I've looked at, the method of allowing PHP to install the Joomla extensions is to allow global write access (chmod 777) to the Joomla installation directories. This is not a secure way of managing a Joomla site.

A secure website should not have any folders or files with global write access, especially on shared servers, yet on 90% of Joomla websites I've looked at, this is the case.

An example is when you install community builder, probably the most used Joomla 3rd party extension. If Community Builder tries to write to the /images folder but fails to do so during installation, it will spit out, "You must chmod 777 your images folder", I forget the exact sentence.

So why do you open up global write access? The reason is that your ftp or shell account user is different from the PHP user. When PHP executes, it executes under a certain user, by default the Apache user which can be "apache" or "www-data" or something else depending on the Apache settings. So if a you have a folder that has permissions 0755, and is owned by "joe", apache cannot write to this folder because it has insufficient permissions.

Ways of enabling PHP to write to Joomla installation folders

  1. Change folder permission to 0777
  2. 0755 permissions, change owner to www-data and group to users
  3. 0755 permissions, change file group to apache group

In which cases would you use each permission setting?

Change folder permission to 0777

chmod 0777 path/to/folder
If you are on a shared server, then your only choice is (1) to chmod the folders to 0777. Only the root user can chown folders and files. Since most hosting accounts are on shared servers, the majority of Joomla sites (and other CMSs) will have installation folders with 0777 perms.

0755 permissions, change owner to www-data and group to users

chown www-data:users path/to/folder
This is probably the most recommended setting. This allows Apache to read and write from the folder since it is the owner of the folder, yet also allows users in the group "users" to write to the folder. Thefore, if your FTP users are under the group "users" they will be able to update files, while the Joomla installer will be able to install and update components.

0755 permissions, change file group to apache group

chown joe:www-data path/to/folder
This isn't the normally recommended way, but it is what I normally do. This permission setting allows only the user "joe" to write to the folder and not every other user. It also allows apache to write to the folder. So only joe can ftp into this folder and write as opposed to method (1) where any user in the group "user" can write to the folder via ftp. (this doesn't prevent anyone from using apache to write to that folder however).

How to install Joomla extensions on a shared server without giving global write access

  1. Install Extensions Manually via FTP and MySQL Queries
  2. Chmod 0777 only for the installation period, then chmod back to 0755

Install Extensions Manually via FTP and MySQL Queries

This allows you to install the extension, but if the extension wants to write to a folder later, you still have the permission problem since the folder is owned by your FTP user. However, it is good to know how to do this, since it can be a method if combined with other methods. If you have shell access this is easier. See my post on remotely installing Joomla, and use this for extensions. For the mysql portion, you need to retrieve the mysql queries from extensions XML install file and run those queries against your Joomla database. Then you also have to manually add the entry in the extension table, whether the components, modules or mambot table for that extension.

Chmod 0777 only for the installation period, then chmod back to 0755

I've written a PHP Shell script for this that you can run in the command line if you have Shell access to your server. 

#!/usr/bin/php
<?php

// joomla extension folders, add more folders here if you need.
$folders = array(
 'media',
 'components',
 'modules',
 'templates',
 'mambots',
 'administrator/templates', 
 'administrator/components',
 'administrator/modules',
 'images',
 'images/stories'
);

// get Joomla directory
fputs(STDOUT, "Please enter the path to the Joomla directory: ");
$jpath = trim(fgets(STDIN));
// check for ending slash
if ($jpath[strlen($jpath)-1] != '/') {
 $jpath .= '/';
}
// make sure path exists
if (!is_dir($jpath)) {
 fputs(STDOUT, "$jpath is not a valid joomla directory");
 return 1;
} else {
 // check for each folder
 foreach($folders as $folder) {
  if (!is_dir($jpath.$folder)) {
   fputs(STDOUT, "Error: A required Joomla folder $jpath$folder was not found. \n");
   return 1;
  }
 }
}

fputs(STDOUT, "Joomla directory set to: $jpath \n");

// allow global write access on joomla extensions folders
foreach($folders as $folder) {
 fputs(STDOUT, "Unsecuring: $jpath$folder \n");
 if (!chmod($jpath.$folder, 0777)) {
  fputs(STDOUT, "Error: Could not change permissions on $jpath$folder. Please chmod 0777 $jpath$folder manually. \n");
 }
}

fputs(STDOUT, "Joomla directories are ready for writing. You can install your extension \n");
fputs(STDOUT, "Press any key when you complete your installation to secure Joomla again... \n");
$enter = trim(fgets(STDIN));

// remove global write access on joomla extensions folders
foreach($folders as $folder) {
 fputs(STDOUT, "Securing: $jpath$folder \n");
 if (!chmod($jpath.$folder, 0755)) {
  fputs(STDOUT, "Error: Could not change permissions on $jpath$folder. Please chmod 0755 $jpath$folder manually to secure.\n");
 }
}
fputs(STDOUT, "Joomla install directories secured. \n");

return 0;

?>
To run it, save it to a location on your joomla server, name it something like joomla_exts.php and invoke it in the shell with: 
./joomla_exts.php
The script will prompt you for the Joomla folder, then it will chmod each installation directory to 0777, and tell you to make the component install. So you just install the component in the Joomla web based installer. After installation, just hit enter in the shell script to secure the Joomla installation directory again. This works better then that above method, since all folders will be 0755 after installing the component, but the folders created by the component will be owned by the apache user, allowing the component to write to them. Make sure you don't leave this script in the web root. Keep it under the web root, or delete it after use.

If you're totally lost, here is a bit on file permissions in Linux. Here is a very good article on setting up Apache including file permissions and virtual hosts.

Posted by at 1 comment:
Labels: , ,
Subscribe to: Posts (Atom)