Lojic Technologies

Archive for the ‘internet’ Category

How to Allow File Uploading Securely on Ubuntu Linux

leave a comment »

It’s foolish to use an absolute term such as securely in the context of computer security. A better title would have used the qualifier more. If you happen to be a security expert, please be so kind as to leave a comment with any tips, admonishments, etc.

The Task

I need to allow users to upload files to a web server via an SFTP client, period. I don’t want them to be able to do anything else, and I don’t want them to be able to see any files other than their own.

Configure SSH

SSH configuration is located in the /etc/ssh/sshd_config file.

I prefer to disallow the root user from logging in remotely via ssh, change yes to no for PermitRootLogin:

PermitRootLogin no

I prefer to disallow using passwords when logging in remotely, so I require the use of public keys. Change yes to no for PasswordAuthentication. Before you activate the following line, make sure you’ve setup your SSH keys properly or you may lock yourself out of your server. The short answer is to generate a public/private key pair on your local machine and place the public key (typically id_rsa.pub) in the ~/.ssh/authorized_keys file on the server, then test it by logging in via ssh – you should not be prompted for a password if successful:

PasswordAuthentication no

To allow access for these special sftp users, I change the Subsystem sftp line to be:

Subsystem sftp internal-sftp

and add the following at the very end of the config file:

Match Group sftp
        ChrootDirectory /home/%u
        PasswordAuthentication yes
        X11Forwarding no
        ForceCommand internal-sftp

The Match statement sets up a chroot jail for any user in the sftp group so that the user will only have access to their home directory. It also overrides the global rule to disallow password login so the sftp users may use the traditional means of username/password to login. It also forces them to use the sftp command instead of allowing normal shell access.

To activate these changes, restart the ssh daemon:

sudo /etc/init.d/ssh restart

Add Users

When adding users, we need to ensure they’re in the sftp group so that the Match statement in sshd_config will actually match. Alternatively, you could match on some other criteria such as username. First create the sftp group:

sudo groupadd sftp

Then add a user with that group and no shell specified:

sudo adduser --shell /bin/false --ingroup sftp brian


That should take care of everything. Test the new user by attempting to login via ssh:

ssh brian@
brian@'s password:
This service allows sftp connections only.
Connection to closed.

That should fail as shown above. Also test to see if you can view any directories outside of the users’s home directory:

sftp brian@
sftp> ls /etc
Couldn't stat remote file: No such file or directory
Can't ls: "/etc" not found

Some additional tools to enhance security:

  • shorewall firewall
  • fail2ban (locks ip addresses out for a time period after N failed attempts)
  • rkhunter (checks for root kits)
  • chkrootkit (checks for root kits)

Written by Brian Adkins

June 3, 2011 at 11:52 am

Posted in internet

Tagged with ,

Retrieve Sunrise, Sunset & Twilight Info in Ruby

with 5 comments

Sunrise, Sunset & Twilight

TwilightI was curious about the exact time of sunrise & sunset at my location, so I found this US Naval Observatory site. In the process, I learned a more precise definition of twilight. I wanted to be able to automate the process of retrieving the information, so my first attempt was to simply put the query parameters used in the form in the URL as an HTTP GET request, but the server wouldn’t accept that, so I needed to issue an HTTP POST request.

Ruby Code

Ruby is a great language for this sort of task, so I put together the following simple program:

require 'net/http'

YOUR_ID    = ''    # A unique ID per comment above
YOUR_CITY  = ''    # The name of your city
YOUR_STATE = ''    # Two letter state abbreviation

now   = Time.now
month = now.month
day   = now.day + 1 # Tomorrow
year  = now.year

Net::HTTP.start('aa.usno.navy.mil') do |query|
  response = query.post('/cgi-bin/aa_pap.pl',
  if response.body =~ /Begin civil twilight[^0-9]*(d+:d{2} [ap].m.).*Sunrise[^0-9]*(d+:d{2} [ap].m.).*Sunset[^0-9]*(d+:d{2} [ap].m.).*End civil twilight[^0-9]*(d+:d{2} [ap].m.)/m
    puts "#{month}/#{day}/#{year}"
    puts "Begin Twilight: #{$1}"
    puts "Sunrise       : #{$2}"
    puts "Sunset        : #{$3}"
    puts "End Twilight  : #{$4}"

You just need to edit the three constants that begin with YOUR_. The id used on the Navy web form is ‘AA’, but they have a comment in the HTML that requests you use a unique id of your own up to 8 characters to help them with tracking. You can find a more complete version of the code in my github profile.

Emacs Goodness

After writing the above Ruby script, I made it executable, ‘chmod +x sunrise.rb’, and placed it in my path so I could write a simple Emacs function to invoke it.

(defun bja-sunrise ()
  "Display sunrise, sunset & twilight information."
  (shell-command "sunrise.rb"))

Imagine my surprise when I invoked the Emacs apropos help ‘C-h a’ to see my newly defined function and discovered that Emacs, naturally, already has several commands to display sunrise/sunset information!

Show sunrise/sunset times for mouse-selected date.
Local time of sunrise and sunset for date under cursor.
Local time of sunrise and sunset for today. Accurate to a few seconds.

It doesn’t, however, display twilight information, so my simple function still has a purpose in life. Emacs is awesome 🙂

Written by Brian Adkins

March 11, 2009 at 12:41 am

Twitter in Plain English

leave a comment »

Here’s a great introduction to Twitter. You can follow me on Twitter here: http://twitter.com/lojic

Written by Brian Adkins

January 5, 2009 at 10:20 am

Posted in communication, internet, video

Tagged with ,

Automatically Delete Unwanted Cookies in Firefox

with one comment

I prefer to not have cookies stored in my browser, but it’s impractical to not store any cookies since this would require repeatedly logging in to authenticated sites that I frequently use. A simple solution in Firefox is the following:

From the Edit menu, choose Preferences and then click the Privacy tab. You should see a dialog similar to the following one:


Check the “Accept cookies from sites” checkbox. For the “Keep until” setting, select “I close Firefox”. The latter is the key – it will erase all cookies from Firefox whenever you close the program. Of course, we don’t want to erase all the cookies, so click the “Exceptions…” button on the right and you’ll see a dialog similar to the following:


Just type the name of the web site you want to allow in the text box and click the “Allow” button, and Firefox will add it to the exception list so it won’t be deleted when you close Firefox. You can add a full URL such as http://www.MySite.com, or just the domain name MySite.com to allow cookies for any host in that domain. You an also add sites you want to disallow any cookies from by clicking the “Block” button.

I have about 30 sites that I allow Firefox to store cookies for, but this technique has helped me avoid accumulating tons of unwanted cookies in Firefox. I hope it’s helpful for you.

Written by Brian Adkins

January 26, 2008 at 1:06 pm

Posted in internet

Tagged with , , ,

Gizmo Project

leave a comment »

I’ve been using Gizmo to make voice-over-ip calls for many months now, and I’ve been extremely pleased with it. They have clients for Linux, Mac & Windows, and the call quality has been outstanding when both ends have broadband.

I picked up an inexpensive Plantronics headset with attached microphone which makes extended conversations while working at a computer a joy. Gizmo call quality is to POTS call quality as stereo is to clock radio. I highly recommend checking it out.

Written by Brian Adkins

November 13, 2007 at 4:29 pm

Posted in internet, technology

Tagged with

del.icio.us Tag Bundling

leave a comment »

I’ve written about del.icio.us several times before (use the search box to find the articles). I’ve been using the service for quite a while and still consider it to be one of the most valuable web services I use.

I just discovered the tag bundling feature from this article and tried it out. Tag bundling, as you might expect, allows you to group your tags. For example, my first bundle was “people”, so now I can see all my people tags in one group. I’ll be adding more bundles soon.

If you’re not using del.icio.us, you should really check it out. And if you, are and don’t know about tag bundling, give it a shot.

del.icio.us makes it easy to share tags – for example, here’s a link for my bookmarks on the Ruby programming language. I haven’t discovered a similar way for sharing bundles, so if you know, please leave a comment.

Written by Brian Adkins

November 3, 2007 at 8:47 pm

Posted in internet

Tagged with ,

Functional Features in JavaScript on Firefox

leave a comment »

I was reading an article about adding code to JavaScript to make it more functional, and one of the blog commenters mentioned some built-in features that were added to JavaScript 1.6 & 1.7 on Firefox, so I checked out the links (see below) – very cool stuff.

  • Array methods

    • indexOf
    • lastIndexOf
    • every
    • filter
    • forEach
    • map
    • some
  • Array & String generics
  • Generators & Iterators
  • Array Comprehensions
  • Block Scope w/ let
  • Destructuring Assignment
  • etc.

They won’t help if you have to target IE also, but it should be possible to conditionally include your own code to implement the ones that don’t require syntactic changes for pages loaded from IE. That would reduce network load for customers using Firefox.

New in JavaScript 1.6 (Firefox 1.5)

New in JavaScript 1.7 (Firefox 2.0)

Hopefully IE will catch up someday, but if not, I can see taking advantage of Firefox specific JavaScript enhancements for niche applications. Firefox is so easy to install, that it should be easy to convince customers to use it for certain custom applications.

Written by Brian Adkins

October 7, 2007 at 12:01 am