Securing ssh with iptables

This is an old post. It may contain broken links and outdated information.

In the previous post, I discussed one possible method of keeping undesirables from connecting to your server via ssh: using the DenyHosts TCP wrapper to watch authentication attempts and block remote hosts based on conditions you set. DenyHosts (and other TCP wrappers) are easy to set up and don’t require much maintenance, but the block list files they generate can grow to a not-insignificant size; further, your web server must spend resources matching incoming ssh connection attempts against the block lists. If you’re on a particularly resource-constrained shared host, this might have some impact on overall server performance. Plus, even in its most recent update, DenyHosts can lag a bit in its blocking—because it uses regexes run against your server’s auth.log file to figure out what it needs to do, a remote attacker blasting out a tremendous number of logon attempts per second could get far above your allowed threshold of connection attempts in before DenyHosts drops the hammer.

There are lots of other things you can do to help secure your web server’s ssh port, but one of the most powerful and flexible is to bring iptables into the mix. Iptables is an applicaiton which comes preinstalled on most modern GNU/Linux distros and which provides instructions to the Linux kernel firewall. It is not a firewall in and of itself; rather, it provides a (relatively) easy way to view and modify the way the system’s built-in firewall tracks, filters, and transforms the network packets it receives.

In this particular use case, we care about iptables’s ability to perform actions on incoming ssh packets, based on parameters we define. Specifically, we’re going to use it to track all incoming ssh requests, and then block any host that tries to connect too many times. This is a simpler and more robust approach than the one DenyHosts takes, and the advantages are that it is self-maintaining and not dependent on log file parsing to work.

(Special thanks to my friend and mentor RB for passing along his feedback on the previous post and the instruction on how to get rolling with iptables!)

Read more

Securing your server with DenyHosts

This is an old post. It may contain broken links and outdated information.

Running any kind of server at all is a risk, because the internet is a bad place full of bad people who like to destroy things for fun (and if you don’t believe me, read this). It becomes a matter of risk management—you have to expose certain things, like TCP ports 80 and maybe 443, for your web server to be reachable; you also probably need to expose at least one management port somewhere so that your server can be poked and prodded should things go wrong with it.

This usually means exposing port 22 for ssh if you’re on some kind of Unix-ish operating system like we are here at the Bigdinosaur.org compound. Blindly exposing your ssh port is not without peril, but there are several things you can do to manage the risk—namely, moving the ssh daemon onto a different port; controlling which local accounts are allowed to log on via ssh; and most importantly, installing and configuring something like DenyHosts, a TCP wrapper designed to help keep undesirables from being allowed to log on at all.

Read more

Gzipping @font-face with Nginx

This is an old post. It may contain broken links and outdated information.

In a previous post, I discussed how to alter Octopress’s configuration to serve web fonts via the @font-face CSS method. This works great and will get your Octopress site working with locally-served web fonts, but there’s some optimization that can be done on the web server side; specifically, three of the four types of web font files are compressable and benfit from being gzipped by Nginx (or whatever web server you’re using) as they’re served out to your site’s readers.

We use Nginx here at the Bigdinosaur.org compound, and so this post will focus only on how to enable gzipping web font files with Nginx. Instructions for doing this with other web servers are easily locatable via the googles.

Read more

Running BIND9 and ISC-DHCP

Most people use a NAT router at home for connecting to the Internet, and most consumer-grade NAT routers offer some limited version of DHCP for automatically handing out IP addresses to desktops and laptops and game consoles and smartphones and some limited version of DNS for making sure all the devices on the network know what all the other devices are called. However, the feature set and functionality of these cut-down DHCP and DNS instances are almost always too limited to handle more than the simplest of network designs; sometimes, you need to be able to do more. For example, if you wanted to set up a separate DHCP zone for handing out addresses to untrusted wireless clients versus trusted clients, or if you wanted to do something more awesome like implement the Upside-Down-Ternet, you’d need something a lot more configurable than the little NAT router’s applications.

There are lots of options, but it’s easiest to just pull out the big guns and set up BIND9, the current version of the DNS software that powers the Internet, along with the ISC’s DHCP server. DNS and DHCP are like peas and carrots, as the saying goes—DHCP hands out the addresses, but doesn’t communicate to other network hosts who has what address; DNS knows how to correlate names to addresses but doesn’t hand out addresses itself. In this post, we’ll set up DNS and DHCP on Ubuntu, and then configure them to work together.

(NB. This blog entry ended up being bloody huge, because I don’t just list the configuration options to set but rather go into detail on what each one does. I’d intended to bang the post out in a single evening, but instead it’s taken a couple of hours over three days to complete. I hope it is informative and helpful!)

Read more

Using @font-face with Octopress

This is an old post. It may contain broken links and outdated information.

Octopress comes with awesome support for Google Web Fonts, which lets you quickly and easily add fonts to your web site from Google’s large library, but Google Web Fonts have their drawbacks. Using one Google Web Font will have little impact on your site’s load time, but every additional font you add to your web page increases the page’s load time, as clients must use additional HTTP requests to pull the web fonts from Google’s servers while at the same time loading your page and its contents. Plus, sometimes you want to use a (free and legal) font that’s not in Google’s library.

There’s a workaround—a CSS method named @font-face (more info), which allows you to host your own fonts on your web server and serve them to clients along with your page. At first glance, this doesn’t seem too terribly different from simply including fonts from a web source like Google, but hosting your own fonts via @font-face on a web server with keepalive is much quicker than pulling them from a separate server, as far fewer HTTP sessions have to be used to load the page and its contents. Fewer sessions means faster page loading!

While Octopress comes with a ready-made method of adding Google Web Fonts, it’s not set up out of the box to use @font-face-served fonts. However, it’s pretty easy to change the configuration!

Read more

Nginx: stable or dev?

This is an old post. It may contain broken links and outdated information.

Like most open source projects, Nginx has more than one “branch” of code—that is, more than one version available for public consumption. Ignoring platform-specific versions, the two main branches are “stable”, and “development”.

This is a common dichotomy. For projects divided thusly, the “stable” branch is intended to be a thoroughly tested, minimally-bugged, production-ready version of the application which can be deployed in real life. Conversely, the “development” branch usually has more features, but is typically a lot more rough and potentially buggy, having undergone less testing. Stable is for production, development is so that users can test upcoming features.

Read more

Securing Openfire clients

This is an old post. It may contain broken links and outdated information.

The last post on Openfire (discussing how to add SSL/TLS certificates) proved to be pretty popular, and I’ve gotten more than one request for a follow-on about securing Openfire clients—that is, forcing them to communicate with the Openfire server using only an ecrypted SSL/TLS connection rather than cleartext. In this post we’ll go through how to configure three popular IM applications to use SSL/TLS with Openfire. I’ll also add notes about how to enable OTR messaging encryption on two of those IM clients.

Read more

Embedding images in CSS

This is an old post. It may contain broken links and outdated information.

I’ve mentioned before that I’m CSS-stupid, and the practical effect of not knowing how to do damn near anything means that even small modifications to the Bigdinosaur.org main site usually involve a tremendous amount of reading and experimentation. I’ve stuck firmly to the current school of thought in web design, which is that HTML is purely for content, and layout should be done exclusively with CSS, and I’ve managed to produce a very simple but nice-looking site as a result.

However, running the site through a few web performance benchmarking sites led to a universal recommendation: use CSS sprites or CSS image embedding to reduce the number of HTTP connections necessary to load the site. Each HTTP session costs the web server a little bit of overhead (although using Nginx instead of Apache helps a whole lot with keeping the web server processes under control), and one of the ways to ensure your site loads as quickly as possible is to reduce the number of times a client has to ask the web server to send it things.

Read more

Openfire and SSL/TLS certificates

This is an old post. It may contain broken links and outdated information.

I’m a huge fan of StartCom’s StartSSL service—these days there are no few certificate authorities who will get you free or low-cost SSL/TLS certificates, but the customer service experiences I’ve had with StartSSL have been outstanding. They respond to e-mail very quickly, sometimes within minutes, and that’s what keeps me using them.

Bigdinosaur.org has been rocking the HTTPS ever since I came across this Ars Technica article a couple of years ago detailing how to get free SSL/TLS certificates for your web site. Once you start using real CA-generated certificates, you quickly realize how awesome it is to no longer have to deal with the hassle of self-signed certificates and worthless browser security warnings; I wanted a certificate for everything! The easiest way to do that, actually, is with what’s called a “wildcard” certificate, so named becaue instead of being valid for just a single host name, the certificate is valid for several. Shortly after signing up for free class 1 SSL/TLS certs from StartSSL, I went back and paid the fee for a class 2 identity validation, which then gave me the right to get as many class 2 certificates as I wanted—and, more importantly, gave me the ability to request wildcard certificates, too. Rather than deal with several certs for the several hosts that make up Bigdinosaur.org, I opted for a single wildcard certificate that covers *.bigdinosaur.org.

It was great and I installed it everywhere. The Bigdino web server uses it, my firewall uses it, postfix uses it, Murmur (the Mumble voice chat server we used for Minecraft) uses it, and even the Bigdino Openfire Jabber/XMPP instant messaging server uses it. In fact, this morning I got the notice that it had been two years since I’d generated the wildcard certificate, and it needed to be renewed. I spent a few minutes plugging the new certificate in to all the places where it needed to go, but I was a bit stymied by Openfire. I recalled going through some gymnastics to get the certificate installed on it a couple of years ago, but like a fool I didn’t write anything down, and so I had to embark on a long Google hunt to recreate whatever the hell I’d done in 2009.

Openfire makes it pretty darn easy to generate a self-signed certificate, or to generate a certificate signing request that you can send to your certificate authority, but it’s a little more difficult to take an existing certificate and import it. No small part of the problem is caused by Openfire’s web console not actually doing what you think it’s going to do when you attempt to import new certificates. Fortunately, several others have gone down this road before, and so here’s the procedure I pieced together from several different web sites and from posts on Openfire’s forum, particularly this one.

Read more

Serving Minecraft on Ubuntu

This is an old post. It may contain broken links and outdated information.

The first thing I ever saw of Minecraft was this video of an impossible waterslide which stretched up across the sky and down through footless caverns. I was entranced, and started playing shortly after that. Minecraft is primarily a sandbox game where you dig for resources and build things, all in glorious faux 8-bit graphics. Of late its creators have tried to turn it into a really bad Zelda clone, but fortunately it’s possible to ignore all the worthless stupid shit they keep adding and instead play it in the proper manner. It can be played single- and multiplayer, and while I normally hate playing with anyone online, Minecraft is my exception.

In October of 2010 I decided to download the Minecraft server application and take a stab at running my own Minecraft server, so that my buddies and I could have a private place to build things without worrying about random crazy people from the Internet kknocking down our sandcastles. There were some errors along the way, but I’ve settled on some guidelines and methods that have worked out very well for me.

Read more