I have a Linux based Web Server running Fedora. I have created and hosted couple of HTML pages on that.
I have info providing CLI tools that run on this server but must be accessible to all users from their browsers
I haven't started and these are my requirements
How do I provide that servers shell (BASH) via HTML page? What are the softwares that make it possible?
Can I provide auto-login enabled shell?
I just want to avoid multiple users having to open SSH sessions to the server. Also I can provide instructions and terminal access hand in hand using HTML pages.
ShellInABox appears to provide a colored terminal interface to browsers via Ajax. (homepage) Since it runs as a separate webserver, you may need to link your users to a different port on your site. There are surely more alternatives (other projects like this) out there.
The following advice applies regardless whether you use ShellInABox or continue to provide ssh access.
If you don't fully know and trust all your users, then assume at least one of them is a whizzkid cracker, determined to crash or break into your system. The first thing he may try to do is log in and run a forkbomb.
You should therefore do your best to sandbox users, so they cannot harm the system or each other. Restrict their access privileges (file/folder/network access) to only what is needed to achieve the tasks you allow. SELinux and AppArmor have facilities for this. You can find some more sandboxing techniques here and here. Docker is a new system that may be worth investigating.
It would be very wise to host your login server on a separate or virtual machine, distinct from your main webserver, so that any user who does manage to break out of the sandbox will not be on the same machine as your other services. (But note he will still be inside your LAN!) User-mode-linux is a less secure alternative and chroot is worse still, but better than nothing!
If users should be able to save files, then I would recommend giving each user a separate account, especially if their files should persist between sessions. Of course, as a workaround for auto-login you could provide a guest account with password guest555 for all users, but then a malicious user could bother others by deleting files or putting nasty stuff in the shell startup scripts. (I certainly don't recommend guest/guest because crackers regularly scan the net for ssh servers hosting that account!)
Related
My Laravel database got hacked for the second time. the hacker deleted all tables and left a table threatening to delete it If I didn't send bitcoin. That's not a problem since I do have a backup but what can I do to prevent it?
This is for Laravel 6. the first time I had debugging mode ON in the .env file so I thought this might be the problem. after turning debugging off I still got hacked am I missing anything?
Hello Mohamed Elmoniry,
I would check your server database configuration for the following security settings I mean this is pretty basic and normally done automatically if you are not self hosting and using a service like forge or digital ocean, but here you go:
Update the password plugin
Change the root password
Remove anonymous users
Disallow remote root login
Remove test database
If you are new to this and you are using MYSQL on your server you can run the following command/script that will automatically guide you through that process
sudo mysql_secure_installation
Additionally:
If you are using a web server I would also enable SSH and deactivate password login.
If you are using a firewall I would check that only the necessary ports to your application are allowed by the UTM (Unified threat management) if it is a hardware firewall. (same applies to a software firewall)
It would be great if you know how the hacker got into the database. Maybe you have an old database version? Maybe you have an easy-to-crack password and have exposed your database to the internet. Laravel by default blocks SQL injection, so that can't be it.
If you have exposed your database, a good first step is to block all requests and allow only ones from certain IP addresses, like your server and IP addresses where you often work. This way, hackers can only get to your database if they are on one of those IP's.
Do you publish your code to GitHub? Maybe the hacker got the password from your repository (this is only possible if this is public). You should make sure you NEVER EVER publish your .env file to the internet and only keep local copies.
But the best solution would be to find out how he got in. Then you can block that entrance. You should certainly check your database version and update it if necessary.
it seems your website has some shell (malware) stored. Virus take palace with following reasons :
Old version framework (but you are using v6, that is updated)
A shell/virus already in code (check if a php shell exist, & scan with antivirus)
You have public git repo, where attacker placed his malware
You have credentials hardcoded that leaked, either through git repo or JS files.
You have unrestricted file upload option in your code, which allow hacker to upload shell.
your database server is publicly exposed,allowing anyone to access.
If you are using older jenkins or other automation tool, which exploit used.
SQL injection, (check logs)
Thanks, Jaikey
Check whether your .env or .env.sample files expose to public for some reason?
https://yourdomain.com/system/.env
If yes, block the public access of .env by adding the code below to the .htaccess file.
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>
i am planning to open a shared web hosting company. before opening i am configuring and checking that all things are up and running or not.
i had tried webmin, virtualmin and ajenti as web hosting manager on ubuntu server but i am not satisfied with them. is there any alternative to them which have secure administrator and client side control panel and easier to manager client account and hosts.
i am using apache2 as web server and mysql as database serve.
Thank You
Try ZPanel, it is cross-platform and has a great looking control panel. They also provide an installer which installs Apache, PHP, MySQL, and ZPanel, all pre-configured to run a shared hosting service.
Link
Getting shared hosting right isn't an easy thing to do especially if you want to allow your clients to use scripting languages like PHP. By default, PHP runs under the same userid regardless of which of customer the files belong to. So they will be able to see the files (including config files with database passwords) of the other customers.
There are ways around this problem, but most of them are either inconvenient for the customer or they bring other problems (like having to run the Apache as root).
Besides the shared hosting market is quite full with existing companies which have huge data centers and therefore can offer much more service at lower costs.
So my suggestion would be: Look at new services that you can provide. Docker Hosting or LXC Hosting isn't that common yet and you can better compete there.
If you really want to do simple shared hosting, and are in search of an admin tool: Try ISPCONFIG3
We currently have an application that runs on one dedicated server. I'd like to move it to OpenShift. It has:
A public-facing web app written in PhP
A Java app for administrators running on Wildfly
A Mysql database
A filesystem containing lots of images and documents that must be accessible to both the Java and PhP apps. A third party ftp's a data file to the server every day, and a perl script loads that into the db and the file system.
A perl script occasionally runs ffmpeg to generate videos, reading images from and writing videos to the filesystem.
Is Openshift a good solution for this, or would it be better to use AWS directly instead (for instance because they have dedicated file system components?)
Thanks
Michael Davis
Ottawa
The shared file system will definitely be the biggest issue here. You could get around it by setting up your applications to use Amazon S3 or some other shared Cloud file system though fairly easily.
As for the rest of the application, if I were setting this up I would:
Setup a scaled PHP application, even if you set the scaling to just use 1 gear this will allow you to put the MySQL database on it's own gear, and even choose a different size for it, such as having medium web gears (that run php) and a large gear that runs the MySQL database. This will also allow your wildfly gear to access the database since it will have a FQDN (fully qualified domain name) that any of your applications on your account can reach. However, keep in mind that it will use a non-standard port instead of 3306.
Then you can setup your WildFly server as whatever size you want, but, keep in mind that the MySQL connection variables will not be there, you will have to put them into your java application manually.
As for the perl script, depending on how intensive it is, you could run it on it's own whatever sized gear with some extra storage, or you could co-locate it with either the php or java application as a cron job. You can have it store the files on Amazon S3 and pull them down/upload them as it does the ffmpeg operations on them. Since OpenShift is also hosted on Amazon (In the US-EAST region) these operations should be pretty fast, as long as you also put your S3 bucket in the US-EAST region.
Those are my thoughts, hope it helps. Feel free to ask questions if you have them. You can also visit http://help.openshift.com and under "Contact Us" click on "Submit a request" and make sure you reference this StackOverflow question so I know what you are talking about, you can ask any questions you might have and we can discuss solutions for them.
Three weeks ago, I found a list of my website's users and info on Paste Bin giving away all privacy. I ran updates and protected against SQL Injections. I also added a pre-request to save the SQL in text format in a LOG table whenever user input is required to be able to analyse any injection if my protection wasn't enough.
Then today the same post was on Paste Bin again with recent entries so I checked the LOG table to find only clean entries. Is there anything else than injections I should worry about? The web seems to give info about Injections only!
Could they have had access to the dbpassword in a php file on the server and could they have connected from and external server?
Should I change the dbpassword frequently?
Are there any solution non-script wise like hosting security plan or something like that which should be efficient enough?
I am receiving physical threats from hacked users and would really like to close this quickly...
If you're implementing your own protection against user input, you're probably doing it wrong. Most standard database libraries will give you a way of passing in parameters to queries where it will be sanitised properly, and these will have been coded with more things in mind than you're probably aware of. Reinventing the wheel in anything security-related is a bad idea!
Other things to worry about:
Password policy (strong passwords)
Access to your database server (is it firewalled?)
SSH access to your server (again, firewalled?)
Keeping all of your software up-to-date
Just to add to the other answers that you've had so far. If someone is posting the contents of your database online then you need to assume that the server(s) running the application and database have been compromised, as once they've gained initial access, it's likely that they'll have placed root-kits or similar tools onto the server to keep access to it.
As to how they got in there's a number of potential options, depending on the architecture of your solution, and it's imposssible to say which is the case without more details. Some of the more likely options options would be
SSH passwords
Administrative web apps (e.g. PHPMyAdmin) with common passwords or vulnerabilities
Access via hosting service (e.g. weak passwords on administrative login panels)
If the site is PHP based Remote File Inclusion issues are a distinct possibility
If you can I'd recommend engaging a forensics or incident response company to help you recover the data and rebuild, but failing that I'd recommend getting a backup from before the compromise and using that to rebuild the server, then ensure that all software is updated and patched and passwords are not the same as the compromised system, before bringing it online.
The best protection for this is to allow connections to the mysql database only from the machine where your application runs.
First of all, make sure, network access to the MySQL database is "need to know" - in most cases this is a simplye bind-address 127.0.0.1.
Next change the DB password, just because yes, you can (C)
Now think of this: If somebody got your DB passwd from your PHP files, you already are in deep s***t: Nothing stops him or her from just repeating that stunt! You need to audit your application for backdoors (after the fact problem) and how the guys got in there (before the fact problem). Check your apache logs for requests with unusual GET parameters - a filename in there mostly is a dead givaway.
I agree with Razvan. Also if you're running any CMS or prepackaged web pages, make sure they're the latest version. They most likely access as localhost from the web server. Hackers follow the change logs of those and every time a security patch is released, they attack published vulnerabilities on servers running the older version. It's often performed in bulk by crawlers. Odds are they have a database with your server listed as running old versions of things.
First you need to ensure that this "php file" containing the DB password(s) is not within the web root directory, otherwise they could simply access it like: http://mydomain.com/dbpassword.php.
Second, immediately change the passwords used to access your database.
Third, ensure that mysql will only accept connections from 'localhost', vs allowing connections from anywhere; '%'. And if it is a dedicated server, then you should "harden" the box and add an IP rule to IPTables where mysql access is only allowed from the server's IP. These changes would ensure that if they did get your db username/password creds, they can not access the database from a remote computer, instead they would have to exploit your application, or ssh into your server to gain access to your database.
Next, you should disable all user accounts to your site, and force them to update their passwords using a closed loop verification process. This will ensure no ongoing malicious activity is occurring with your users or their accounts.
These are just a few steps to take, there are others such as tracking local users login activity. It is possible that one of your system's user accounts has been compromised (rooted). The point is, you need to consider all points of access to your system and services therein, if you are unable to do it, it may be time to hire or contract a seasoned sysadmin to help you.
If this is shared web hosting, and another user is logged in with shell access and is able to guess the path to your web root, and the password configuration (PHP or other script) file is world readable, then the user can read it.
This is one of the most common vulnerabilities and is very easy to exploit.
If this is the case:
To correct the issue, you need to move the configuration file out of your web root folder and/or change the permissions on it so that it's not world readable, and then change your database password.
Most likely, the user would not be able to inject anything into your application.
Changing the database server so that it's only accessible locally or to your web server would do no good, since the malicious user would be on the same web server and still be able to access it.
If you did not see any malicious queries, then they are probably accessing your db via the MySQL command line (or PHPMyAdmin or other tool), and not through your application.
Enabling the general query log would allow you to see all queries in plain text in the log, but if this is shared web (and MySQL server) hosting, you probably won't be able to enable this.
This is something you may wish to report to your web host. They may be able to find the attacker and suspend their account or provide you with evidence.
I'm running Windows 7 Pro and have a few servers running. One of the servers is a SSH / file server that was made via Cygwin. I already have logging setup internally using syslog-d; however, it does not provide adequate logging. When a user is connected to the server I can see him/her in the Windows 7 Resource Monitor and it shows his/her IP address as well as how much data is being sent/received. When a user is downloading a file from the file server I can also see in the resource monitor what file he/she is downloading by looking at the disk usage.
Herein lies the first question: How can I log users' IP address, the time they connect & disconnect, what files they download, and what their download speed was, to a database in MySQL?
In addition to the aforementioned server, I also use IIS to host a website, and would like to have some sort of networking logging.
If I could find a tool that would work for both of these servers that would be the best solution.
I did some searching and found a program called Snort that looks like it would work for the network side of things, but not for the disk usage. I'm not familiar with this program at all, but at first glance maybe it could accomplish part of what I want to do? Maybe there is an easier/better way?
I'm pretty new to MySQL and know very little about network and disk logging so any and all help and guidance would be much appreciated. Thanks!
Advanced Web Statistics does a pretty good job of making sense of the IIS log files, and though it will give you more information than you need, it will certainly give you the information you want. It is open source, and my hosting provider uses it for the ASP.NET sites I have developed.
As far as logging the information to MySQL:
I am assuming that you already have, or know how to get the information and you simply want to log it to a MySQL DB.
1st, you will need to create the database.
2nd, you need the MySQL connector for your programming language of choice. The MySQL ADO.NET connector is excellent and easy to use. I am also assuming you know at least one programming language and how to connect it to a database. If not, I recommend C# with ADO.NET-- it is super easy and there are plenty of tutorials online.
3rd, write a program to send your information to the database, when you receive it.