This tutorial uses tools on both the Linux and Windows platforms. The tutorial
assumes you have Linux and Windows experience. The tests were conducted on
Fedora Core 5 Linux (kernel 2.6) and Windows XP SP2.
It also assumes your development environment is Linux and your desktop is
Windows. This is a common setup for those developing LAMP applications.
This tutorial does not pretend to be the end-all, be-all of security documents. It
does include many basic security procedures and practices that are easy to
implement and don't get in the way of getting your work done. Common and
uncommon ways of practicing security will be covered. These methods are meant
to be added to your existing security practices; they do not offer
satisfactory security when practiced alone.
This tutorial is being delivered in segments. The first will cover:
1. SSH on Linux
2. Setting up SSL (HTTPS)
3. Allowing incoming connections through your router
The second tutorial will continue where the first finishes and include:
1. PGP to encrypt files
2. Setup for remote authentication
3. DynDNS to map dynamic IPs to static hostnames
Links to utilities and informational resources are included at the end of this tutorial.
Security is a concern for developers, businesses and consumers ... just about
everyone is affected by security and the lack of it. I recently received a
letter from my credit union stating sensitive financial data had been stolen,
mine possibly included. My question to them is, “Why was this data not
encrypted?” There is no excuse for not encrypting data in 2007 when storage
costs are at an all-time low and computing power at an all-time high.
I don't use anti-virus or spyware programs. Call me crazy, but I don't visit
sites or download software that would require it. However, I do check for the
existence of such evil programs by running two great utilities developed out
of the Sysinternals lab, prior to their acquisition by Microsoft. One is
'Process Explorer' and the other is 'TCPView'. Download the tools now from the
links provided at the end of this tutorial and install them.
Take a look at the 'Process Explorer' output:
Figure 1. Process Explorer Output.
This screen shot details many of the running applications on a Windows XP PC. The
real value of this utility is knowing what your PC looks like stock. By stock I
mean before you installed all sorts of software onto it and connected to the
Internet. Periodically running 'Process Explorer' and checking whether any new
programs have popped up without your knowledge is wise.
This utility is much more powerful than Task Manager (CTRL-ALT-DEL -> Task
Manager) because it shows every .exe that is running and which parent process spawned
it. Another feature allows you to right-click on the program name and select 'Google'; a
web browser is launched, returning information about the program. This can be
used to get familiar with utilities and possibly identify unwanted software.
You can also kill/stop processes directly from the window.
The second tool, 'TCPView', shows all incoming and outgoing TCP/UDP (network)
connections. Take a look at the TCPView output below:
Figure 2. TCPView Output.
This screen shot details a list of running applications that have network
connections. It lists the ports and the remote address. You can easily see if
you have applications talking over the network that you didn't allow. As with
Process Explorer, get familiar with the applications that require network
access. This way, you can easily spot surreptitious software and block it via
your firewall, or remove it altogether.
TCPView also includes a useful option: right-clicking an application with a remote
connection and selecting 'Whois' displays detailed information about the
owner of the IP address or hostname.
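A scripted version of the 'stock' comparison the two tools support, added here as an example that is not part of the original tutorial: it diffs a later TCPView-style snapshot against a saved baseline and reports only what is new. The snapshot format, the process names and the addresses are constructed for the example.

```python
from collections import namedtuple

# One row of a TCPView-style snapshot: process, protocol, local and remote
# endpoint, TCP state ('-' for UDP rows, which carry no state).
Conn = namedtuple("Conn", "process proto local remote state")

# Constructed 'stock' snapshot of a Windows XP desktop (not real TCPView output):
# the baseline you would save right after installing the machine.
BASELINE_SNAPSHOT = """\
svchost.exe  TCP  0.0.0.0:135         0.0.0.0:0           LISTENING
System       TCP  0.0.0.0:445         0.0.0.0:0           LISTENING
svchost.exe  UDP  0.0.0.0:123         *:*                 -
putty.exe    TCP  192.168.1.10:1054   192.168.1.20:8022   ESTABLISHED
"""

# Constructed later snapshot: a program that was never in the baseline now
# listens on a port and holds an outbound connection (203.0.113.7 is a
# documentation address, not a real host).
LATER_SNAPSHOT = """\
svchost.exe  TCP  0.0.0.0:135         0.0.0.0:0           LISTENING
System       TCP  0.0.0.0:445         0.0.0.0:0           LISTENING
svchost.exe  UDP  0.0.0.0:123         *:*                 -
putty.exe    TCP  192.168.1.10:1055   192.168.1.20:8022   ESTABLISHED
updater.exe  TCP  0.0.0.0:6667        0.0.0.0:0           LISTENING
updater.exe  TCP  192.168.1.10:1060   203.0.113.7:6667    ESTABLISHED
"""

def parse_snapshot(text):
    """Parse whitespace-separated snapshot rows; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rows.append(Conn(*line.split()))
    return rows

def listeners(rows):
    """(proto, port) pairs that accept traffic: TCP LISTENING rows and every UDP binding."""
    return {(r.proto, r.local.rsplit(":", 1)[1])
            for r in rows if r.state == "LISTENING" or r.proto == "UDP"}

def diff_against_baseline(baseline_text, current_text):
    """Report processes and listening ports present now but absent from the baseline.
    Remote addresses of known programs are ignored: they change on every session."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    known = {r.process.lower() for r in base}
    return {
        "new_processes": sorted({r.process for r in cur if r.process.lower() not in known}),
        "new_listeners": sorted(listeners(cur) - listeners(base)),
    }

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE_SNAPSHOT, LATER_SNAPSHOT))
```

A new listening port is the higher-signal finding: a program that only connects out may be a legitimate update check, but a new listener on a desktop almost never is.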
One last simple security precaution for securing your PC is to use a browser other
than Internet Explorer. Because IE holds over 60% of the browser market, most
exploits are built to target this platform. It gives crackers and malicious
software writers a better 'bang for their buck'. If you do use IE, make sure
you've updated to the latest version and disable ActiveX controls, only allowing
them for trusted sites.
This tutorial does not suggest removing your anti-virus or anti-spyware software. However,
realize there are additional avenues you can pursue to protect your PC. Never
rely on just one software or hardware solution. You now have two new tools to
add to your arsenal against viruses and malware.
When developing over the LAN, connecting to the Linux server from the Windows
desktop can be done securely via SSH. SSH also works great for connecting from
across the Internet to your home or office. SSH over the LAN or Internet
enables command line access to the Linux server, with all traffic encrypted.
'PuTTY' is an excellent SSH client that can be downloaded for free for Windows. On
Linux, the SSH daemon is installed by default on most distributions and can be
started with the following command as root:
# /sbin/service sshd start
SSH runs on port 22 by default. If you are allowing remote access from your router,
we suggest moving to a non-standard port. This will avoid many brute-force
attempts that are designed to hunt for SSH on port 22. It will also thwart
worms or automated exploits that are targeted at the default SSH port.
To change the port SSH runs on, as root execute the following command:
# emacs /etc/ssh/sshd_config
In the sshd_config file, comment out the 'Port 22' line (place a # in front of it)
and add 'Port 8022' on a new line.
Save the file and restart the SSHD process:
# /sbin/service sshd restart
The SSH service will now be running on port 8022.
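The port change above as a script, added here and not part of the original tutorial; the sshd_config fragment is constructed. It also checks the one mistake the manual edit invites: leaving the old Port line uncommented, which makes OpenSSH listen on both ports rather than replace one with the other.

```python
import re

# An uncommented 'Port N' directive (sshd keywords are case-insensitive).
PORT_RE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)

# Constructed fragment standing in for /etc/ssh/sshd_config (not the real file).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
"""

def active_ports(config_text):
    """Ports sshd would listen on: every uncommented Port directive counts,
    because OpenSSH listens on all of them; 22 is the default when none is set."""
    ports = [int(m.group(1)) for m in map(PORT_RE.match, config_text.splitlines()) if m]
    return ports or [22]

def change_ssh_port(config_text, new_port=8022):
    """Comment out every active Port line and append a single 'Port <new_port>',
    as the tutorial does by hand. Returns the text unchanged when it already
    listens only on new_port, so running it twice is safe."""
    if active_ports(config_text) == [new_port]:
        return config_text
    out = ["#" + line if PORT_RE.match(line) else line
           for line in config_text.splitlines()]
    out.append(f"Port {new_port}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    updated = change_ssh_port(SAMPLE_SSHD_CONFIG)
    print(updated)
    # Forgetting the comment-out step would leave [22, 8022]: sshd still on port 22.
    print("sshd will listen on:", active_ports(updated))
```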
Securing your Server Continued
Web access is a necessity when developing web based applications. When running over
the LAN, unencrypted, non-SSL web traffic is fine. However, when remote
employees or clients want access to projects, it is important to encrypt the traffic.
Apache, by default on most Linux platforms, includes a generic security certificate and
is set to run on both port 80 (HTTP) and port 443 (HTTPS).
To enable SSL web traffic, just change your URLs from HTTP://target to HTTPS://target. You will receive a prompt
like the one pictured below:
Figure 3. SSL Warning.
This warning is presented because we do not have a valid certificate. Certificates
can be purchased from companies such as Verisign, at $399 for the cheapest*.
The free certificate encrypts traffic just the same as the purchased one, but the purchased one
allows visitors to bypass the warning message. For retail websites, investing in the
Verisign certificate is wise. However, for a low traffic development server,
it's probably not a necessary purchase.
Remote Access to your Development Server
Often you will want to allow customers a sneak peek at their projects as they are
being developed. You may also have satellite offices that need access to the
development server. Such needs are easily and securely addressed below.
Now that you have HTTPS and SSH set up on the LAN, configure the router to allow
incoming connections from the Internet to the two services offered on the Linux server.
For this tutorial, we are using a Linksys wireless router, but the process is
similar for most routers. Access the router's web interface and navigate to the
page that allows configuration similar to that detailed below:
Figure 4. Router Configuration.
Fill in the values exactly as above; however, for the 'IP Address' field, enter
the address of your Linux server on your LAN. To find this information, execute ifconfig; its output includes lines like:
Link encap:Ethernet HWaddr 00:08:54:B2:73:C8
Note the 'inet addr:' field, which is the IP address of your Linux server.
Once the values are set as above, you can update the router and exit.
You will now be able to connect to your router from anywhere on the Internet, on
both the SSH port (8022) and the HTTPS port (443).
The next tutorial will explain how to map your dynamic IP address to a static
hostname. This provides a reliable way of accessing your server securely from anywhere
in the world.
If you have any questions or comments, please contact me.
*As of 3/19/07 from Verisign.com
Ben Sgro is the chief engineer and co-founder of ProjectSkyLine LLC, a full-service
software company that provides web development, graphic design, application
programming, identity standards, Internet marketing and security.
ProjectSkyLine has just released its premier product, Project-Contact, a full-featured RSVP
management application for web use. If your company needs a custom solution,
please contact Ben or anyone on the ProjectSkyLine team at http://www.projectskyline.com.