Nov 21
If you have a server but only want to allow users to copy files via SFTP, without providing shell access, this can be done with rssh, a restricted shell for use with OpenSSH that allows only scp and/or sftp.
To install rssh
$ apt-get install rssh
By default rssh doesn’t allow anything. To allow only sftp, modify the rssh.conf file.
$ nano /etc/rssh.conf
Uncomment the line for allowsftp and other transfer protocols you want to enable.
#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
To restrict a user to sftp access only, set that user's login shell to /usr/bin/rssh in the /etc/passwd file:
$ nano /etc/passwd
For example
ftp:x:100:100::/home/ftp:/usr/bin/rssh
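To confirm the result of the two edits above, the following added example (not part of the original post) reads an rssh.conf and a passwd-format file and reports which protocols are enabled and which accounts are actually confined to sftp. The function names, the `alice` account and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample files are constructed; on a real host pass
# /etc/rssh.conf and /etc/passwd instead.

# Print the protocols enabled in an rssh.conf, sorted, space-separated.
# A leading "#" makes field 1 "#allow..." or "#", so commented lines never match.
rssh_enabled_protocols() {
    awk '$1 ~ /^allow(scp|sftp|cvs|rdist|rsync)$/ { sub(/^allow/, "", $1); print $1 }' "$1" |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# Print login names whose shell (7th passwd field) is rssh.
rssh_users() {
    awk -F: '$7 == "/usr/bin/rssh" { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if USER's shell is rssh and sftp is the only enabled protocol.
is_sftp_only() {
    user_shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ "$user_shell" = "/usr/bin/rssh" ] && [ "$(rssh_enabled_protocols "$3")" = "sftp" ]
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/rssh.conf" <<'EOF'
#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF

# Constructed passwd entries; "alice" is a hypothetical account with a full shell.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:100:100::/home/ftp:/usr/bin/rssh
alice:x:1001:1001::/home/alice:/bin/bash
EOF

echo "enabled protocols: $(rssh_enabled_protocols "$tmp/rssh.conf")"
echo "rssh accounts:     $(rssh_users "$tmp/passwd")"
for u in ftp alice; do
    if is_sftp_only "$u" "$tmp/passwd" "$tmp/rssh.conf"; then
        echo "$u: sftp only"
    else
        echo "$u: NOT restricted to sftp"
    fi
done
```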
Sep 07
To give my computer even more protection against security threats such as viruses, spyware, and rootkits, I recently installed WinPatrol, an intrusion prevention system. Unlike traditional security programs, which scan your hard drive for threats that have already been installed on your system, WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Aug 23
Sometimes you are connected to a network that is unknown or insecure, such as a public WiFi hotspot, or you are just surfing the internet at work. In these types of scenarios you might want to secure your connection so that no one can sniff what or where you’re surfing. One way to create a secure connection is to create an SSH tunnel and have your web browser use it as a SOCKS proxy.
The first requirement is a remote host running an SSH server, e.g. a box at home running OpenSSH. Then you need an SSH client installed on your local machine; for Windows you can use PuTTY.
Establish an SSH tunnel using PuTTY:
Create a new PuTTY session
Run PuTTY and create a new session to connect to the remote host. Fill in the hostname and the port (usually 22), and make sure SSH is checked.

Configure the Secure Tunnel
Click on “Tunnels” on the left panel to set up dynamic forwarding for a local port. Under “Add new forwarded port”, type in the port number (e.g. 4080) for the source port, leave the destination blank, and check Auto and Dynamic. Then click the “Add” button. You should see D4080 listed in the “Forwarded Ports” box.

Establish an SSH tunnel on Linux:
Use the following command:
$ ssh -D 4080 username@remote_host_server
The tunnel is created when you log in to the SSH server.
Configuring Your Web Browser:
To use the SSH tunnel as a SOCKS proxy you need to change the connection settings in the browser.
In the Firefox Connection Settings:
- Check “Manual Proxy Configuration:”
- Fill in 127.0.0.1 for the “SOCKS Host:” and 4080 for “Port:”
- Check “SOCKS v5”

Once everything is done, your browser traffic travels through the encrypted SSH tunnel to the remote host.
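The forwarded port is a proxy into your SSH session, so it should accept connections from the local machine only. The following added example (not part of the original post) classifies how port 4080 is bound from Linux `ss -ltn` output; the function name and both listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. The listings below are constructed `ss -ltn` output;
# on a live Linux host run:  ss -ltn | socks_bind_scope 4080

# Classify how a TCP port is bound, reading `ss -ltn` style output on stdin.
# Prints: loopback (only 127.0.0.1 / [::1]), exposed (any other address), or absent.
socks_bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # field 4 is local address:port
            if (part[n] != port) next         # port is the text after the last colon
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") loopback = 1
            else exposed = 1
        }
        END { print (exposed ? "exposed" : (loopback ? "loopback" : "absent")) }
    '
}

# Tunnel listening on loopback only, next to an sshd listening on all interfaces.
local_only='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:4080      0.0.0.0:*
LISTEN 0      128            [::1]:4080         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# Same port bound to every interface: other hosts on the network can use the proxy.
all_interfaces='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:4080      0.0.0.0:*'

printf '%s\n' "$local_only"     | socks_bind_scope 4080
printf '%s\n' "$all_interfaces" | socks_bind_scope 4080
```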
Feb 28
This covers how to protect parts of a website in Apache using the .htaccess files.
To use .htaccess files, you need to enable them in the server configuration by specifying the directive AllowOverride AuthConfig, typically within the <Directory> section.
<Directory /opt/apache/htdocs>
AllowOverride AuthConfig
</Directory>
Create a password file, which should be placed somewhere not accessible from the web. For example, if your documents are served from the directory /opt/apache/htdocs, you can put the password file in the /opt/apache/passwd directory. To create the file, use the htpasswd command that comes with Apache.
$ htpasswd -c /opt/apache/passwd/passwords myusername
Create an .htaccess file in the directory you wish to protect. For example, if you wish to protect the directory /opt/apache/htdocs/protect:
$ cd /opt/apache/htdocs/protect/
$ nano .htaccess
Add the following lines inside the file:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /opt/apache/passwd/passwords
Require user myusername
- The AuthType directive determines the method that is used to authenticate the user. The most common method is Basic; however, it sends the password unencrypted.
- The AuthName directive sets the Realm to be used in the authentication. The realm is used by the browser to determine what password to send for a given authenticated area.
- The AuthUserFile directive sets the path to the password file that was created with htpasswd.
- The Require directive provides the authorization part of the process by setting the user that is allowed to access the protected area. To allow in anyone who is listed in the password file, use: Require valid-user
Once the .htaccess file has been saved, you have restricted access to the area you want to protect.
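The two mistakes this setup is most exposed to are a password file placed below the document root and a missing Require line. The following added example (not part of the original post) checks an .htaccess file for both; the function names and the second sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Both .htaccess files are constructed; paths are compared as
# text, so AuthUserFile is assumed to be an absolute path without "..".

# Print the argument of the first matching directive, surrounding quotes removed.
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) {
        $1 = ""; sub(/^ +/, ""); gsub(/^"|"$/, ""); print; exit
    }' "$2"
}

# Print one finding per line; print nothing when the file passes both checks.
check_htaccess() {
    docroot=${2%/}
    pwfile=$(directive AuthUserFile "$1")
    case "$pwfile" in
        "")           echo "no AuthUserFile directive" ;;
        "$docroot"/*) echo "password file $pwfile is inside the document root" ;;
    esac
    [ -n "$(directive Require "$1")" ] ||
        echo "no Require directive, so no login is requested"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# The configuration from the text: password file kept outside htdocs.
cat > "$tmp/good.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /opt/apache/passwd/passwords
Require user myusername
EOF

# Constructed counter-example: password file below htdocs and no Require line.
cat > "$tmp/bad.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /opt/apache/htdocs/protect/.htpasswd
EOF

for f in good bad; do
    echo "== $f.htaccess"
    check_htaccess "$tmp/$f.htaccess" /opt/apache/htdocs
done
```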
For more information: http://httpd.apache.org/docs/2.0/howto/auth.html
Jan 17
Firestarter is a firewall program which provides a user-friendly graphical user interface.
Installing Firestarter
- Select System -> Administration -> Synaptic Package Manager and select firestarter. Then choose to install the package.
- After installing Firestarter, log out and then back in again (to update the menus to show Firestarter).
- Once the desktop is back up, select Applications -> System Tools -> Firestarter. When you run Firestarter for the first time, it will walk you through a wizard which should be very easy to follow.
- After you finish the wizard save your settings. The Firestarter main window then opens.
Configuring Firestarter
The configuration files for Firestarter can be found in /etc/firestarter; however, it is not recommended that you edit these files manually. The graphical interface is very intuitive, making it easy to add and remove firewall rules.

More information on Firestarter configuration