Digital Ocean, how can i secure my SSH connections? - digital-ocean

I'm new to this online server area, all I've done so far is create a server on Digital Ocean using Ubuntu 20.04 operating system with LAMP library (apache2) installed.
Currently I use Putty to access the server's command line (I use private key ssh authentication files).
When I put the domain URL or IP, enter port 22, and click "Open connection", the application automatically manages to connect to the server asking for login and password.
Pretty simple isn't it? My concern is that anyone who has the least knowledge can come across the gateway to my server, just that he has the login and password to access.
But when I try to connect with putty on sites like stackoverflow.com, google.com, facebook.com and among others, putty doesn't give me the opportunity to type the login.
Knowing this, how do I secure my server so that it can act in the same way as the aforementioned sites?

You could add some sort of VPN and whitelist a select amount of IP addresses able to access your server. This would add an extra layer of security.

Related

Can a remote server send response to a local client on a custom port?

For network gurus out there, I'll like to ask some questions regarding some unique setup where the server will be sending a request to a client on localhost on a certain port.
I have a cloudy understanding of some network fundamentals that I hope you'll be able to help me out.
Kindly check the image below:
Basically, there's a static website hosted in AWS s3 and at some point this website will send a request to https://localhost:8001.
I was expecting that it will connect to the nginx container listening on port 8001 in my local machine, but it results in 504 gateway error.
My questions are:
Is it possible for a remote server to directly send data to a client at a particular port by addressing it as localhost?
How is it possible for the static website to communicate to my local docker container?
Thanks in advance.
In the setup you show, in the context of a Web site, localhost isn't in your picture at all. It's the desktop machine running the end user's Web browser.
More generally, you show several boxes in your diagram – "local machine", "Docker VM", "individual container", "server in Amazon's data center" – and within each of these boxes, if they make an outbound request to localhost, it reaches back to itself.
You have two basic options here:
(1) Set up a separate (Route 53) DNS name for your back-end service, and use that https://backend.example.com/... host name in your front-end application.
(2) Set up an HTTP reverse proxy that forwards /, /assets, ... to S3, and /api to the back-end service. In your front-end application use only the HTTP path with no host name at all.
The second option is more work to set up, but once you've set it up, it's much easier to develop code for. Webpack has a similar "proxy the backend" option for day-to-day development. This setup means the front-end application itself doesn't care where it's running, and you don't need to rebuild the application if the URL changes (or an individual developer needs to run it on their local system).

In Qt/C++, How Do I Redirect x.com Domain to y.com on Windows without HOSTS file?

I've been thinking of the concept of an ad blocker that runs at the OS level, rather than as a browser extension. I know that I can place x.com in Windows' %windows%\system32\drivers\etc\hosts file and point it to the IP of y.com, and on y.com I can serve up content that says, "This ad blocked by Example Ad Blocker". However, the domain list I have is quite large -- like literally a thousand domains and growing, and so this wouldn't work well in file lookups. Does Windows permit some way to programmatically, like Qt/C++, add a DNS reroute rule in a more speedy way?
There's a risk of doing domain intercepts and DLL hooks using APIs because AV products and/or Microsoft would have to whitelist you and certify you so that your activity doesn't look like a virus. And the odds of them doing that are not only low (unless you're a multimillion dollar company), but they want to protect their ad marketing too.
The best option is to make a browser extension for each of the browsers. You can even check the source code of the AdBlock Chrome extension to see how it works. The trouble with that in 2017, however, is that there's no common browser extension platform just yet. It's getting much closer, but it's still not standardized yet. The new standard uses the Chrome standard. Opera, Firefox, Edge, and of course Chrome support this new standard to some degree, but it's kind of unsmooth still. And for anyone outside of that, such as IE11 or earlier, they're not going to have your Chrome-style browser extension and you'll have to go the seriously hard route to make one just for those earlier browsers or ask the customer to upgrade when your adware product installs.
If you want something that doesn't require a browser extension, then the option you want is to add another DNS server connection in the user's DNS client settings. I don't know how to do this yet via C#, Qt/C++, or C++. However, you can shell out from those languages and use the "netsh" command to create those DNS connections. Probably a good strategy would be to find the user's default gateway IP. Then, make the DNS priority like so:
your DNS server that redirects x.com to y.com so that you can do ad blocking from y.com via a web server
the user's default gateway IP
Google's DNS (8.8.8.8) in case the default gateway IP has changed for the user
So, it would be something like these 4 netsh commands:
netsh delete dnsserver "Wireless Network Connection" all
netsh interface ip add dns name="Wireless Network Connection" addr=1.1.1.1 index=1
netsh interface ip add dns name="Wireless Network Connection" addr=192.168.254.254 index=2
netsh interface ip add dns name="Wireless Network Connection" addr=8.8.8.8 index=3
Change "Wireless Network Connection" to "Local Area Connection" if they are using a cable for their computer instead of wireless. (Few do that these days.)
Change 1.1.1.1 to the IP address of your special DNS server.
Change 192.168.254.254 to the IP address of their default gateway.
The third rule (8.8.8.8) tells the computer to use Google's DNS if all else fails. This is important because they could disconnect their laptop at home and go to a café or something, and we need their DNS stuff to still work.
Now, once you get the DNS client settings right, you need a cheap Linux cloud host to serve up the DNS server and web server. You might even need more than one in case one goes down for maintenance, and possibly on a different cloud zone or even cloud hosting provider.
For the DNS product, if you have Linux skills, you can install and configure dnsmasq pretty easily to get a cheap and easy to manage DNS server on Linux. Or, if you search your Linux repositories, you can find other DNS servers, some more robust than others, some harder to use than others.
For the web product, you can install NGINX or Apache on each of the two DNS servers. Then, you can make a configuration where any domain connection can come to it and it will load a web page for that domain. The web page can say something like, "Ad Blocked By X Ad Blocker" or whatever you want in very small font (small enough to fill the ad spot).
Once this is all in place, you'll have to reboot the Win PC client and also clear their browser cache and history so that DNS will route through the new arrangement.
The end result is that when people on that Windows PC surf the web and load an ad, their OS will make a DNS request to translate domain name to IP address. The first DNS server they'll reach will be your private DNS server. It can then say that x.com ad domain (as an example) is the IP address of your private DNS server. That private web server will then be contacted and it will display the ad block message. For all other requests not served up by your DNS servers, they'll go to their default gateway. If that's not serving up DNS as needed, then they'll failsafe to the Google DNS on 8.8.8.8. So, web browsing will work fine, minus ads.
As for a bad domain list, there's a community-maintained bad domains list here on Github.
The trouble with the private DNS server that you host is that you're now having to pay a bandwidth bill for gobs of connections to it. That's probably undesirable unless you've got a proper way to monetize that. A better strategy would be to NOT use a private DNS server on the web and use a local DNS server and a local web server. You'd have to code both of those or use some third-party product for that. The trouble there, however, is that you may have some commercial licensing problems with that, or increased costs, and it won't work for some web developers who already use a web server on their workstation.
Therefore, as you can see from the added costs, hassle, and workstation configuration nuance troubles, the best strategy would be to use the browser extension for ad blocking.
However, even at that, how are you going to differentiate your product from the free ad blockers out there that are doing a sensational job already?

Shibboleth bypass for IP range

I have Shibboleth configured on an IIS server and am using it protect a .NET application.
I need authenticated access for users accessing the application over the web and for that Shibboleth is working fine.
The application also hosts web services which need to be accessed by other applications in the same server and for that working with Shibboleth is a challenge since web service clients cannot deal with the log in page.
Is it possible to configure Shibboleth to ignore requests coming from the same server for example by checking the IP address?
It won't directly answer your question, but I can share a workaround I found and hope it can help with your problem too.
Define another website in IIS pointing to the same folder as the initial one, and make it only respond to a different domain (like something.local). Then in IP Address and Domain Restrictions, make sure only 127.0.0.1 is allowed to access it.
In C:\Windows\System32\drivers\etc open the file "hosts" in Notepad (running with Administrator privileges). Add the line "127.0.0.1 something.local" (no quotes; make sure the domain is the same one you defined before)
Now, make the webservices call the application by the new domain.

problems connecting with the server of my website

I have a website and until some time ago it was administrated by a friend of mine; recently our relationships have been reduced, so I took the entire control of the website.
I'm not really expert with some aspects in the management of a web site. Actually I would make some back-end edits and I should connect with the server of the website.
I have the host IP, a username and a password. I tried to connect using Filezilla but I receive an error message: 530 Login incorrect.
So, I contacted the domain provider, I was convinced that the domain provider was the same of the hosting provider, but they told me that it was not true and that the hosting for the website is provided by "someone else" (it could be an other hosting provider or a private web-server, for example).
I don't know what to do.
How can I connect to the server of my website? What am I missing?
p.s.: sorry for my bad english
I think you might be pointing filezilla at port 80. Try pointing at the ftp port (21 probably.) If this doesn't work it could be that the hosting uses a non standard port.
If in doubt get some support from the hosting company. Only they know how they are set up. If the use something like cpanel you can access files through that. They may be reluctant to help if you can't prove the site is yours. Usually by using the email address you set up when you bought the hosting.
And no, the domain provider does not have to be the same as the hosting provider. My domains are hosted at godaddy and I have odd bits of hosting all over the place ;)

CFHTTP firewall issue? How are CFHTTP requests made?

CFHTTP on my new CF 9 server is failing. I get back "408 Request Time-out" when attempting to connect to the test page on the server via its internal or external IP. I am not using SSL and using the standard port 80.
My old CF 9 server can connect to itself fine but it also fails if attempting to connect to the new server.
If I RDP into the server, I am able to pull up the same test page via a web browser or via telnet to that ip port 80.
I suspect that this is a firewall issue. I'd like to know how CF makes an HTTP request under the hood before I talk to the hosting team. What service is making the call? What port is it running under, etc.
You don't say what operating system you are running under, but if it is Windows, I'd take a look at the Windows Firewall settings on your new machine, and disable the firewall. That will allow you to check if indeed it is the Firewall in the way.
If that works you can then try and add a firewall exception for the application, i.e. JRun.
Hope that helps.