It’s foolish to use an absolute term such as ‘securely’ in the context of computer security; a better title would have used the qualifier ‘more’. If you happen to be a security expert, please be so kind as to leave a comment with any tips, admonishments, etc.
The Task
I need to allow users to upload files to a web server via an SFTP client, period. I don’t want them to be able to do anything else, and I don’t want them to be able to see any files other than their own.
Configure SSH
SSH configuration is located in the /etc/ssh/sshd_config file.
I prefer to disallow the root user from logging in remotely via ssh, so change yes to no for PermitRootLogin:
PermitRootLogin no
I prefer to disallow using passwords when logging in remotely, so I require the use of public keys. Change yes to no for PasswordAuthentication. Before you activate the following line, make sure you’ve set up your SSH keys properly or you may lock yourself out of your server. The short answer is to generate a public/private key pair on your local machine and place the public key (typically id_rsa.pub) in the ~/.ssh/authorized_keys file on the server, then test it by logging in via ssh – you should not be prompted for a password if successful:
PasswordAuthentication no
To allow access for these special sftp users, I change the Subsystem sftp line to be:
Subsystem sftp internal-sftp
and add the following at the very end of the config file:
Match Group sftp
    ChrootDirectory /home/%u
    PasswordAuthentication yes
    X11Forwarding no
    ForceCommand internal-sftp
The Match statement sets up a chroot jail for any user in the sftp group so that the user will only have access to their home directory. It also overrides the global rule to disallow password login so the sftp users may use the traditional means of username/password to login. It also forces them to use the sftp command instead of allowing normal shell access.
To activate these changes, restart the ssh daemon:
sudo /etc/init.d/ssh restart
Add Users
When adding users, we need to ensure they’re in the sftp group so that the Match statement in sshd_config will actually match. Alternatively, you could match on some other criteria such as username. First create the sftp group:
sudo groupadd sftp
Then add a user with that group and no shell specified:
sudo adduser --shell /bin/false --ingroup sftp brian
Conclusion
That should take care of everything. Test the new user by attempting to log in via ssh:
ssh brian@10.0.0.1
brian@10.0.0.1's password:
This service allows sftp connections only.
Connection to 10.0.0.1 closed.
That should fail as shown above. Also test to see if you can view any directories outside of the user’s home directory:
sftp brian@10.0.0.1
sftp> ls /etc
Couldn't stat remote file: No such file or directory
Can't ls: "/etc" not found
sftp>
Some additional tools to enhance security:
- shorewall firewall
- fail2ban (locks IP addresses out for a time period after N failed attempts)
- rkhunter (checks for rootkits)
- chkrootkit (checks for rootkits)
Sunrise, Sunset & Twilight
I was curious about the exact time of sunrise & sunset at my location, so I found this US Naval Observatory site. In the process, I learned a more precise definition of twilight. I wanted to be able to automate the process of retrieving the information, so my first attempt was to simply put the query parameters used in the form in the URL as an HTTP GET request, but the server wouldn’t accept that, so I needed to issue an HTTP POST request.
Ruby Code
Ruby is a great language for this sort of task, so I put together the following simple program:
require 'net/http'
require 'cgi'

YOUR_ID    = '' # A unique ID of your own, up to 8 characters (see the note below)
YOUR_CITY  = '' # The name of your city
YOUR_STATE = '' # Two letter state abbreviation

# Add a day's worth of seconds rather than incrementing now.day, which
# would produce an invalid date at the end of a month.
tomorrow = Time.now + 24 * 60 * 60
month = tomorrow.month
day   = tomorrow.day
year  = tomorrow.year

Net::HTTP.start('aa.usno.navy.mil') do |http|
  # The form only accepts a POST; the city may contain spaces, so escape it.
  response = http.post('/cgi-bin/aa_pap.pl',
    "FFX=1&ID=#{YOUR_ID}&xxy=#{year}&xxm=#{month}&xxd=#{day}&st=#{YOUR_STATE}&place=#{CGI.escape(YOUR_CITY)}&ZZZ=END")
  # Times look like "6:42 a.m."; the m flag lets .* span line breaks in the page
  if response.body =~ /Begin civil twilight[^0-9]*(\d+:\d{2} [ap]\.m\.).*Sunrise[^0-9]*(\d+:\d{2} [ap]\.m\.).*Sunset[^0-9]*(\d+:\d{2} [ap]\.m\.).*End civil twilight[^0-9]*(\d+:\d{2} [ap]\.m\.)/m
    puts "#{month}/#{day}/#{year}"
    puts "Begin Twilight: #{$1}"
    puts "Sunrise       : #{$2}"
    puts "Sunset        : #{$3}"
    puts "End Twilight  : #{$4}"
  end
end
You just need to edit the three constants that begin with YOUR_. The id used on the Navy web form is ‘AA’, but they have a comment in the HTML that requests you use a unique id of your own up to 8 characters to help them with tracking. You can find a more complete version of the code in my github profile.
Emacs Goodness
After writing the above Ruby script, I made it executable, ‘chmod +x sunrise.rb’, and placed it in my path so I could write a simple Emacs function to invoke it.
(defun bja-sunrise ()
  "Display sunrise, sunset & twilight information."
  (interactive)
  (shell-command "sunrise.rb"))
Imagine my surprise when I invoked the Emacs apropos help ‘C-h a’ to see my newly defined function and discovered that Emacs, naturally, already has several commands to display sunrise/sunset information!
- calendar-mouse-sunrise/sunset: Show sunrise/sunset times for mouse-selected date.
- calendar-sunrise-sunset: Local time of sunrise and sunset for date under cursor.
- sunrise-sunset: Local time of sunrise and sunset for today. Accurate to a few seconds.
It doesn’t, however, display twilight information, so my simple function still has a purpose in life. Emacs is awesome.
Here’s a great introduction to Twitter. You can follow me on Twitter here: http://twitter.com/lojic
I prefer to not have cookies stored in my browser, but it’s impractical to not store any cookies since this would require repeatedly logging in to authenticated sites that I frequently use. A simple solution in Firefox is the following:
From the Edit menu, choose Preferences and then click the Privacy tab. You should see a dialog similar to the following one:

Check the “Accept cookies from sites” checkbox. For the “Keep until” setting, select “I close Firefox”. The latter is the key – it will erase all cookies from Firefox whenever you close the program. Of course, we don’t want to erase all the cookies, so click the “Exceptions…” button on the right and you’ll see a dialog similar to the following:

Just type the name of the web site you want to allow in the text box and click the “Allow” button, and Firefox will add it to the exception list so it won’t be deleted when you close Firefox. You can add a full URL such as http://www.MySite.com, or just the domain name MySite.com to allow cookies for any host in that domain. You can also add sites you want to disallow any cookies from by clicking the “Block” button.
I have about 30 sites that I allow Firefox to store cookies for, but this technique has helped me avoid accumulating tons of unwanted cookies in Firefox. I hope it’s helpful for you.
I’ve been using Gizmo to make voice-over-ip calls for many months now, and I’ve been extremely pleased with it. They have clients for Linux, Mac & Windows, and the call quality has been outstanding when both ends have broadband.
I picked up an inexpensive Plantronics headset with attached microphone which makes extended conversations while working at a computer a joy. Gizmo call quality is to POTS call quality as stereo is to clock radio. I highly recommend checking it out.
I’ve written about del.icio.us several times before (use the search box to find the articles). I’ve been using the service for quite a while and still consider it to be one of the most valuable web services I use.
I just discovered the tag bundling feature from this article and tried it out. Tag bundling, as you might expect, allows you to group your tags. For example, my first bundle was “people”, so now I can see all my people tags in one group. I’ll be adding more bundles soon.
If you’re not using del.icio.us, you should really check it out. And if you are, and don’t know about tag bundling, give it a shot.
del.icio.us makes it easy to share tags – for example, here’s a link for my bookmarks on the Ruby programming language. I haven’t discovered a similar way for sharing bundles, so if you know, please leave a comment.
I was reading an article about adding code to JavaScript to make it more functional, and one of the blog commenters mentioned some built-in features that were added to JavaScript 1.6 & 1.7 on Firefox, so I checked out the links (see below) – very cool stuff.
- Array methods
  - indexOf
  - lastIndexOf
  - every
  - filter
  - forEach
  - map
  - some
- Array & String generics
- Generators & Iterators
- Array Comprehensions
- Block Scope w/ let
- Destructuring Assignment
- etc.
They won’t help if you have to target IE also, but it should be possible to conditionally include your own code to implement the ones that don’t require syntactic changes for pages loaded from IE. That would reduce network load for customers using Firefox.
New in JavaScript 1.6 (Firefox 1.5)
New in JavaScript 1.7 (Firefox 2.0)
Hopefully IE will catch up someday, but if not, I can see taking advantage of Firefox specific JavaScript enhancements for niche applications. Firefox is so easy to install, that it should be easy to convince customers to use it for certain custom applications.
- 365.25 days per year
- 12 months per year
- 24 hours per day
- 60 minutes per hour
- 60 seconds per minute
- 1,024 MB per GB
- 1,024 KB per MB
- 8 kilobits (kb) per kilobyte (KB)
Put that all together and you get the following:
3.19 (month kb) / (sec GB)
So when you see a web hosting company stating a bandwidth per month (in GB), you can multiply that by 3.19 to get a kilobits per second figure. In other words, 18 GB/month of bandwidth is the amount of bandwidth that a 56Kb modem would consume at full capacity, and 480 GB/month is roughly the same as a 1.5Mb T1 line.
I wrote an article back in May about a way to give half star ratings on Netflix. It had the advantage of working in any browser and not requiring any software installation, but it wasn’t very user friendly.
Since then, I’ve been doing a lot of JavaScript coding, so I thought I’d give Greasemonkey a try. I found a script here to give half-star ratings, but I didn’t care for the hover captions and JSLint pointed out a few issues, so I cleaned it up a little:
Code
// ==UserScript==
// @name        Netflix Half Stars
// @description allows half star user ratings on Netflix
// @include     http://*netflix.com/*
// ==/UserScript==
// http://userscripts.org/scripts/review/8118
// Modified by Brian Adkins

// Greasemonkey wraps the script in a function, so a bare return is fine here
if (!unsafeWindow.sbHandler) { return; }

var sbHandler = unsafeWindow.sbHandler;

// Pixel boundaries for the ten half-star positions across the star bar
sbHandler.sbOffsets = [8, 18, 27, 37, 46, 56, 65, 75, 84, 94];

sbHandler.displayStrings[0.5] = ".5 stars";
sbHandler.displayStrings[1.5] = "1.5 stars";
sbHandler.displayStrings[2.5] = "2.5 stars";
sbHandler.displayStrings[3.5] = "3.5 stars";
sbHandler.displayStrings[4.5] = "4.5 stars";

sbHandler.sbImages[0.5] = new Image();
sbHandler.sbImages[0.5].src = sbHandler.imageRoot + "stars_2_5.gif";

// Images for 1.0, 1.5, ... 5.0 stars: stars_2_10.gif, stars_2_15.gif, ...
for (var i = 2; i < 11; i++) {
  sbHandler.sbImages[i / 2] = new Image();
  sbHandler.sbImages[i / 2].src = sbHandler.imageRoot + "stars_2_" +
    (Math.floor(i / 2)) + (i % 2 === 0 ? "0" : "5") + ".gif";
}

// Map the mouse x position within the star bar to a half-star count
sbHandler.getStarCount = function (evt) {
  var x = unsafeWindow.getElementMouseCoordinate(evt, this.element);
  for (var ii = 0; ii < 10; ii++) {
    if (x <= this.sbOffsets[ii]) { return (ii + 1) / 2; }
  }
  return 0;
};
Installation
Save the JavaScript code with .user.js extension e.g. netflix_halfstar.user.js and then open that file in Firefox and Greasemonkey should prompt you to install it.
Here’s a video that explains why using a site such as del.icio.us can be useful. I think they may have failed to mention that you can mark bookmarks as private on del.icio.us, so it’s not necessary to expose your bookmarks to the world. However, in my case, I only mark a small fraction as private.
I’ve been using del.icio.us for quite some time. After I had been using it for a while, I realized that it had been a long time since I bookmarked something in my browser because I had developed a habit of bookmarking in del.icio.us. Most browsers force you into placing a bookmark into a hierarchical, or directory, structure, but on del.icio.us you can assign as many “tags” as you like to a particular bookmark so you can search for things more easily. del.icio.us also allows you to export your bookmarks so you aren’t at the mercy of a proprietary service.
Another thing that is handy is to subscribe to the del.icio.us feeds of your friends to be automatically notified when they bookmark something that may be of interest.