computers Archives - benslayton.net

Configuring Perfect Forward Secrecy and HSTS for your HTTPS site

October 4, 2017 by Ben Slayton Leave a Comment

After setting up the SSL certificate, configuring Perfect Forward Secrecy and HSTS for your HTTPS site are incredibly important steps. It can be pretty daunting, however, and adding the wrong settings to your apache2.conf can even completely disable your entire site. Using this guide, you can easily configure these important security settings on Apache.

Perfect Forward Secrecy

PFS basically means that the computer generates a new key each time it passes information back and forth. If a key becomes compromised, the attacker can only access a small amount of information.

PFS is a feature provided by the web server and is configured through conf files. Open the Apache configuration file at

/etc/apache2/apache2.conf

with your choice of text editor and navigate to the bottom.

You should have a section with SSL directives. The default on Debian 8 contained these:

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

I commented the second line out and replaced it with these two:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256

After saving the conf file, I restarted apache with a

service apache2 restart

and that was that.

HSTS

HSTS stands for HTTP Strict Transport Security, which ensures that clients only interact with the web page using HTTPS. It’s a response header set in the virtual host settings of Apache that tells the browser to disregard any plain HTTP connections.

Putting this into the settings for the default virtual host sounds like the way to go but unfortunately it won’t work. It’s only configurable per domain so you’ll have to go into every virtual host conf file and add it there. Luckily that’s pretty simple; just paste a couple of lines in the correct place and we’re done.

On Debian 8, Apache is configured with a main conf file for the server and the domains/virtual hosts in other directory. Mine had this path:

/etc/apache2/sites-available/mydomain.com.conf

Open the conf file of the virtual host and search for the settings for the secured version of the site, which should be in a section starting with this (the * will probably be an IP address):

< VirtualHost *:443>

On the next line, paste the following lines:

# Guarantee HTTPS for 1 Year including Sub Domains 
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

This instructs the browser to only use HTTPS for connections to that domain or subdomains for a year.

A WORD TO THE WISE: if you include subdomains, you will not be able to connect to ANY web server on a subdomain, even if it’s on a remote server. HSTS requires a PROPERLY CONFIGURED CERTIFICATE – not self signed! – on every subdomain.

So, for instance, you might have your web server on mydomain.com with HSTS set up properly. Then you spin up a VPS VOIP server and set it up as a subdomain, like voip.mydomain.com. If you have a self-signed certificate (or otherwise improperly configured cert) on that remote subdomain server, you will not be able to connect to that server’s web server using HTTPS or HTTP, effectively locking you out of any web interface on the remote server. Ask me how I know!

Even though it’s a remote server, your browser sees the HSTS settings on the main domain and will refuse to allow ANYONE to connect. You won’t even be offered the opportunity to add an exception!

To undo this, simply remove the

includeSubDomains

directive from the above code snippet and restart Apache.

Be aware of this!

With that warning out of the way, go ahead and restart Apache with a

service apache2 restart

and you are done. Bask in the glow of industry standard web security!

Web fonts aren’t working when visiting your site through HTTPS

October 4, 2017 by Ben Slayton Leave a Comment

If you ever notice that your web fonts aren’t working when visiting your site through HTTPS, don’t worry. It’s likely an easy fix.

ThreeMilesPerHour / Pixabay

Open the file in which you imported your web fonts (likely the css file) and check out the url. If it starts with http: , that’s a problem. Browsers today generally won’t allow this “mixed content“, an unsecured resource loaded through a secured site, though you can override it (not recommended!).

The fix is simple: change the url from http:// to // . This tells the browser to fetch the resource using whatever connection the page was originally loaded with.

Example:

@import url(http://fonts.googleapis.com/css?family=Montserrat);

becomes

@import url(//fonts.googleapis.com/css?family=Montserrat);

Configure SSH key authentication for your Linux server

January 17, 2017 by Ben Slayton Leave a Comment

To the inexperienced, learning to configure SSH key authentication is one of those things that might seem like more trouble than it’s worth. Unless you’re a battle hardened sysadmin, talk of public and private keys can be daunting and the price of a slight misunderstanding could be a compromised server or stolen data. However, once properly prepared, it allows you to log in using a special password that can not be guessed and is nigh on impossible to steal.

Fortunately, configuring SSH key authentication only takes a few minutes to set up even for the uninitiated, and the concepts behind the magic are relatively easy to understand.

For this article, I’ll expect that you can already connect to a Linux server via SSH with a password, have little or no problem navigating to directories and running simple commands via Linux terminal, and are familiar with the concepts of user accounts and home directories. This should work with little variation on most Linux distros.

The basics

There’s really only a few steps:

create a public and private key pair on each machine you want access to or from
copy the public key from the client machine to the authorized_keys file on the SSH server
profit?

For this post, I’ll refer to the Linux server that you want to SSH into as The Server and the connecting workstation – Linux, Windows or macOS – as The Client.

If you’re connecting from a Windows machine, there are a few more steps and programs involved. I’ll go over them as well.

The keys

So, the first step to configure SSH key authentication is creating your public and private keys. What exactly are keys, you ask? Well, they’re essentially huge, complex passwords, created and used in pairs. One of the pair (the public key) you give out to The Server and the other (the private key) you keep secret on The Client, the machine you’re connecting from. Basically (and waaaay oversimply), when you add the public and private keys to each other, you should get a specific answer. If the answer is correct, then you’re in. If not, you’re not.

To be extra clear, you only need to worry about moving the public key of The Client to The Server’s authorized_keys file and not the other way round.

SSH Keys on The Linux Server

On a Linux machine, SSH keys are stored as text files that reside in the home directory of the user you’re logged in as.

If you’re using the root user (you really shouldn’t be, according to best practices), it would likely be

/root/.ssh

If you’re using another account, it would likely be

/home/username/.ssh

Along with the keys, you’ll find a few other text files that are created when keys are generated:

id_rsa – The user’s private key
id_rsa.pub – The user’s public key
authorized_keys – A list of public keys from machines that are allowed to connect to the current machine
known_hosts – a list of machines that have successfully connected at least once to the current machine

This .ssh directory is created in the current user’s home directory if there isn’t one already. You copy The Client’s public key to the authorized_keys file of The Server and that’s that.

Creating the keys

On a Linux or macOS system, it’s easy enough to generate keys via the terminal using the built-in ssh-keygen command. On Windows, third party software is required.

Linux/macOS/OS X:

Open a terminal window and type the following:

ssh-keygen -t rsa

and press enter. It will ask where the keys should be saved. Press enter again to accept the default of the current users home directory.

The next step asks for a passphrase for the private key, which I recommend you set; even a simple one.

The next step, after repeating your passphrase if you wanted one, is the computer creating a new 2048 bit RSA key pair in the home directory of the user you’re logged in as.

Now your keys are done but need to be transferred to The Server.

In the terminal, type

ssh-copy-id user@hostname.example.com

where user is the user name on The Server, and @hostname.example.com is the address of The Server. It will ask for your password on the remote machine, then move the id_rsa.pub of whoever you’re logged in as to the remote server.

Now you should be able to

ssh user@hostname.example.com

and be in without a password. You can skip to The SSHD.

Windows:

To configure SSH key authentication on Windows, which doesn’t have a key generating command like Linux and macOS, you’ll need a couple of tools. You probably already use PuTTY to SSH into a Linux server, so you might as well download and use some of the other PuTTY tools you’ve always skipped over: PuTTYgen and Pageant.

PuTTYgen takes the place of ssh-keygen and gives you a nice Windowsy GUI to mouse your way to a new ssh key. Pageant works in tandem with PuTTY and automates the whole key management and handshake for you.

Download PuTTYgen and Pageant from the download page. Put all three in the same directory – I just dump them into a “putty” folder in my documents. Fire up PuTTYgen and you’ll see a pretty stark interface (but that’s a good thing):

Leave everything at their defaults and click the “Generate” button. PuTTYgen will ask you to move the mouse around, using this random cursor positioning information to generate your key pair. After it finishes, you’ll have a bunch characters at the top of the window that make up your public key as well as a fingerprint and comment:

Don’t expect your numbers to be the same as mine; they will all be different and I’ve also obscured some details to deter the scoundrels. I KNOW YOU’RE OUT THERE!

Put a passphrase in the “Key Passphrase” and “Confirm Passphrase” boxes (or not – but seriously, I recommend it). Go ahead and save the public and private key to the directory of your choice and fire up Pageant. It works from your system tray, so right-click the icon of a computer wearing a hat and choose “Add Key”. Navigate to the private key, the ppk file that you saved a moment ago, and choose it. If it asks, put in the passphrase you chose during creation.

Now you can right-click Pageant in the system tray and click “New Session”. If you put the programs in the same directory like I mentioned, it will launch PuTTY. Magic.

Copy the public key from the top of the PuTTYgen window to your clipboard, and head over to The Server.

Where the key goes

You’ll need to SSH into The Server and paste the PuTTYgen public key into The Server’s authorized_keys file.

If The Server’s keys haven’t been generated already, set up keys using the same method detailed in the Linux instructions above. After the key pair is done, use your favorite text editor to edit

/home/username/.ssh/authorized_keys

and paste your public key to the first blank line in the file. Save the file and you are done setting up the keys.

The SSHD

CAREFUL NOW

The next steps will disable the ability to log in to SSH with a password. If you haven’t set up key authentication correctly, you could find yourself locked out of your server if you’re connecting via SSH.

JUST IN CASE

Make sure you have another way to access your machine, like a console (for a virtual machine) or physical access to the keyboard, before you begin the next step.

Finally, the last steps, configuring the SSH server on The Server to reject passwords. With your choice of text editor, edit

/etc/ssh/sshd_config

and look for:

#PasswordAuthentication yes

Delete the hash sign, change yes to no, and save the file. Restart sshd and you’re done. Your current SSH session will continue, but the next time you try to connect, there will not be a prompt for password.

So what now?

You should now have a working key pair with the public key on The Server and the private key on The Client. Your SSH server should reject password attempts, with the only way to gain access being the key in the file on your local machine.

To test and see if you’ve configured SSH key authentication correctly, simply connect to The Server using the SSH client of your choice.

In Windows, right click the Pageant icon in your system tray, choose “New Session”, and it should bring up PuTTY. Start your session and Pageant should do the authenticating/key handshaking.

In Linux/macOS, just do a

ssh user@hostname.example.com

and you should just glide right on in. You’ll get a password prompt if you put a passphrase on your private key.

elementary OS – A fast and open replacement for Windows and macOS

December 31, 2016 by Ben Slayton Leave a Comment

I’m trying out elementary os, a simplified version of Ubuntu with a minimalist desktop and new open source app store. So far it’s beautiful but I’m finding myself with my usual Linux anxiety:

When will something break that I’ll get tired of fixing? Let’s keep our fingers crossed.

How to get information about your web server using php

September 22, 2015 by Ben Slayton Leave a Comment

If you need to know a lot of intimate information about your web server and have php installed, finding it is trivial process using a php function called phpinfo().

Simply create a plain text file called myphpinfo.php in a browser accessible space on your web server, paste the following code into the file and save it:

<?php echo phpinfo();?>

Now, access the file through your browser. It will print out a trove of information about your web server and php, including the operating system, specific web server, encryption type, loaded modules and plugins, and more.

One word of advice: make sure you delete the file after you’re done. This file is basically a road map of how your server is set up and can be used to make attacks against your server easier. Seeing how easy it is to recreate the file, it’s advisable to get in the practice of destroying it instead of leaving it laying around.