Do you work with MySQL? I do… quite a bit.
Do you often script stuff on your server to make your life easier? I do that as well… quite a bit…
Are you including your database user account and password (or worse… your mysql instance root user account and password!) in plain-text in your script… I was doing this… and it is bad practice from a security standpoint for sure…
Okay, so if you have a bunch of scripts (and I have several for database maintenance and database backups) floating around and many of them contain your MySQL root user account credentials… that can be a real issue. There is a better way!
If you don’t know what a firewall is, let’s start there…
A firewall is basically a digital “wall” that sits on the edge of your network or device. When someone makes a connection over a network or the internet to your server, they connect by the IP address + a Port. Firewalls, on a very basic level, say “allow traffic on this port” or “deny traffic on this port.”
So for web traffic you might connect to our server here: 22.214.171.124 on port 80. There are a lot of services that run on any machine and many of them you don’t want to be accessible from the internet. For example, many distributions of Ubuntu come with a running DNS server that is accessible on port 53. If left alone, this could be a route for people to exploit your machine.
One way to think about it is like your home. Your house has a physical address that someone can punch into a GPS and it will take them to your driveway. However to get into the house they will need to go through a door or a window. Ports are those doors and windows. If a person needs access to the services of your kitchen, then they can come through the kitchen door. If they need access to your garage, you can send them through the garage door. On a computer, different doors (ports) tend to correspond to different services (servers). For example, Apache Web Server commonly uses port 80 for HTTP traffic to host a website, or port 443 to host a secure website with SSL. SMTP servers often use port 25 to receive incoming mail. FTP servers often use port 21, and so forth and so on.
So it is advantageous to block certain ports. I.E. you might allow everyone to visit your kitchen but you don’t want everyone in your bedroom. It is best to actually just block all ports by default and only allow specific ports to incoming traffic.
Finally it is worth noting that firewalls can do all kinds of interesting and complex things with traffic. Most of those functions are well outside of the scope of this article, and outside of the scope of UFW, but we will get there. (more…)
This was going to be a long article but I decided to cut it short.
You have a Remote Server – You need to securely access some sensitive service or another (let’s say a MySQL connection) and don’t want to open the port to up to the internet. What’s a person to do?
If you aren’t familiar with Owncloud, it is a very cool open-source software package that runs on Linux Apache (or Nginx) that provides “dropbox like” functionality that you can host yourself.
This is a big deal for the tech-savvy average-Joe that is worried about keeping private data private (i.e. he doesn’t want all of his personal documents stored by Microsoft, or Dropbox, or Google, etc.) but still wants the “cloud-like” functionality of being able to securely access and sync files across multiple devices.
It is also a big deal for any enterprise that wants to use “cloud storage” but has to worry about all of the above due to data security requirements. It is self-hosted, so you know exactly where all of the data is and you have control over the security components protecting it. Citrix, Dropbox, and others have realized a growing need for this and have “enterprise” products that are in the same vein. They just cost a good bit of money, don’t always meet all of the stringent security requirements imposed on some types of data, and tend to be complex/cumbersome systems.
Owncloud also has an enterprise version of their software offering which runs upwards of $10k/year. When I did a comparison of the “enterprise” vs. “open-source” the only value I could see in going enterprise was support, and one additional module that does granular file-activity-logging (i.e. user jdoe, shared this file, on this date). Obviously support is support, you aren’t going to get enterprise support without paying an enterprise price. Writing that off, that just leaves the enhanced logging.
I don’t have the requisite skill-set to build my own logging module. But Owncloud is ultimately just a web application running on Apache, so why not track it like we would any other web application? Namely, using a site analytics tool and the Apache access log. (more…)
If you haven’t use Filezilla Server before it is a pretty decent and easy to manage FTP/FTPS solution. While I don’t care for the Filezilla client (for several reasons, one of them being that it stores saved passwords in plaintext on your machine), the server software is okay… it runs nicely on Windows Server 2012 R2 and it is significantly easier to manage vs. Microsoft’s FTP Server in IIS. It’s simplicity however is also its flaw.
By default, Filezilla server only supports user accounts local to the application itself. Which means -NO- Active Directory authentication and no SSO for your Windows users.
However, Filezilla is open-source and some enterprising users have a version of it released on source-forge which makes use of OpenLDAP to support Active Directory authentication. (more…)