I'm usually not too paranoid about public surfing, but lately I've been doing some research on it, especially on public wi-fi networks, and now I'm a lot more paranoid.
I'm careful about physical security, having had one of my old Apple laptops seized by an ignorant employer. I had recently enabled the firmware-level protection and the password on wake-up as well. It really pissed off the IT guys that this puny Mac had better protection than their systems. Needless to say, they had nothing on me and gave the computer back. Since then, I've always made sure that the security settings were active in case the computer left my possession.
Recently, I spent some time at a client facility where they had a guest wi-fi network, a blazing 20 Mbps to boot. The only downside was a strict internet filter. It so happens that my web server hosts a few adult-related domains, and most filters just deny my IP address instead of the offending domains, so sometimes you won't even be able to see my non-adult domains, like this one. This presents a problem when I want to check my email and the whole server is blocked.
So, off to Google to see what I could do. Basically I wanted to bypass the filter and shield my data from the client's IT department and anyone else on the network. One way to do this is called a Virtual Private Network, or VPN. This encrypts your data stream from your computer to another computer acting as the server, which then passes it on to the internet. Unfortunately, most VPN systems are pricey and difficult to set up; additionally, the best VPNs are router-based, requiring you to use that router on your network. As you've probably figured out, I don't like paying if there's a free option available, so I kept looking.
One of the things I learned in all this research is just how open a public wi-fi network is. If you're sitting at a coffee shop using their free open wi-fi, that guy across the room may just be reading your mail over your shoulder. Or, in my current situation, my client's IT department.
So, I'm looking for a free, easily set up system that will allow me to:
1. Bypass Internet filters
2. Protect my data while on an open network
Enter SSH tunnels, stage left! SSH stands for Secure Shell, and it is an incredibly powerful tool once you learn a bit about it. SSH tunnels work much like a VPN in that you have an encrypted stream running from your computer to another computer on the internet, which then passes your traffic on to wherever you are surfing. One caveat worth keeping in mind: the encryption covers only the hop between your laptop and your SSH server. From the server onward your traffic looks exactly as it would from home, so a site that doesn't use HTTPS is still readable past that point. What the tunnel buys you is that the readable part no longer crosses the coffee-shop network or the client's filter. No hardware, just a little setting up. We'll get to that in just a bit; first the generic explanation.
SSH is a secure replacement for older terminal programs such as telnet. Terminal programs are used to talk to a computer at the command-line level, like DOS on an old PC, or UNIX/Linux. Every Mac running OS X is built on Unix, so you have all kinds of powerful Unix functionality hidden in your Mac. SSH encrypts and authenticates the terminal session so that nobody in between can read or alter it. Beyond the login shell, SSH can carry any other TCP connection inside that same encrypted session, a feature called port forwarding: a port on your laptop is tied to a port on, or reachable from, the home computer, and whatever you send into the local end comes out at the far end. That encrypted carrier is the tunnel.
This tutorial assumes that you have two computers. One at home on an internet connection, and a laptop you keep with you. If you have only one, then you can get a free or paid shell account on another computer with ssh access. Google "ssh shell account".
All of the instructions below are given for Macintosh computers using an AirPort wi-fi router. Most of the actual settings can easily be translated to Linux and Windows with a few tweaks; Windows users will have to install an SSH client on their machines. Most of these directions are a mashup of several different pages on the internet, most of which are listed at the end of this article.
This first part must be done while you have both computers in front of you, on the same network. The computer you will be using at a public wireless node is the mobile computer; the home computer is the one staying home and acting as your server. Any command that doesn't require your personal username or IP address can be copied and pasted into Terminal.
The first step is to generate a key pair that will authenticate your laptop to the server: a private key that never leaves the laptop, and a public key that gets copied to the home computer.
Open Terminal on your mobile computer. (It's in the Utilities folder inside your applications folder)
Type this command:
mkdir ~/.ssh
This creates a hidden folder in your home directory called .ssh (names beginning with a dot are hidden in the Finder). If you get a message saying "File exists", the folder is already there. Next command:
ssh-keygen -t dsa -f ~/.ssh/id_dsa
This tells ssh-keygen to create a key pair of type (-t) DSA and to write it (-f) into the .ssh folder we just created, as id_dsa (the private key) and id_dsa.pub (the public key). A note for anyone following this today: DSA keys are obsolete and current versions of OpenSSH refuse them by default, so use -t ed25519 instead and substitute id_ed25519 for id_dsa in every command below. You will be asked for a passphrase at this point. A blank passphrase is convenient, since otherwise you'll be asked for it every time the key is used to open an SSH session, but it means the key file alone is enough to log into your home computer: anyone who copies it off the laptop, or takes the laptop, gets in. Given the story at the top of this article, I'd set a passphrase and let ssh-agent remember it, so you type it once per login rather than once per connection.
The next step is to move the public key (id_dsa.pub, never the private key) from your laptop to the machine that will be staying home. I'm going to provide the command-line steps to do this. If you want to use some other method like file sharing, and know how to view hidden folders, then use that method. You will need your home computer's IP address; you can find this in the Sharing preference pane under Personal File Sharing.

Remember to press enter or return between lines:
cd .ssh
scp id_dsa.pub your_user_name@home-computer-ip-address:~/.ssh/id_dsa.pub
An example of what the second command should look like, with a made-up user and a typical private LAN address (yours will differ; don't use 127.0.0.1, which always means the computer you're typing on):
scp id_dsa.pub mike@10.0.1.2:~/.ssh/id_dsa.pub
Enter the password for the username you're using.
First we move into (cd) the hidden .ssh folder on the laptop; then the second command uses scp, a file-copy program that runs over SSH, to copy id_dsa.pub from the directory we're in to the .ssh directory on your home computer. (If scp complains that .ssh doesn't exist on the home computer, create it there the same way you did on the laptop.)
This next step involves logging into your home computer using the ssh program. If you haven't done this before, ssh will ask whether you want to trust this unknown server and show you its host key fingerprint; you must type 'yes' for it to continue. This first connection is the one moment where someone on the network could slip in between you and your server, which is why it's worth doing on your own home network, where you know which machine is answering. ssh remembers the key afterward and will warn loudly if it ever changes.
ssh your_user_name@home-computer-ip-address
Enter your password as in the last step. Then:
cd .ssh
We have just logged into your home computer and moved to its hidden .ssh folder. Next steps (pressing return between lines):
cat id_dsa.pub >> authorized_keys
chmod 600 authorized_keys
rm id_dsa.pub
exit
What have we done? First we appended (cat with >>) the contents of id_dsa.pub, your public key, to a file called authorized_keys, creating the file if it didn't exist. (Older guides, including some of the links below, call this file authorized_keys2; that name is a leftover from the SSH protocol 1 to 2 transition, and authorized_keys is the one to use.) Then we tightened the file's permissions (chmod) so that only your account can read or write it; sshd ignores the file if it, or the .ssh folder around it, is writable by anyone else, so the folder itself should be mode 700. Then we removed (rm) the now-redundant copy of the public key, and exited the remote session (exit). From now on, ssh from the laptop to the home computer will offer the key instead of asking for your account password.
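Here is the same key-installation step as a small shell function, added to this article as a worked example; it is not from the original tutorial or from the pages linked below. Run it on the home computer after the scp step. It assumes a POSIX shell and that the file you hand it is a single-line OpenSSH public key; the key shown in the usage comment is constructed, not a real key. Compared with typing cat, chmod and rm by hand, it refuses to install anything that isn't a public key, sets the folder and file modes sshd insists on, and won't add the same key twice if you run it again.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into
# authorized_keys the way the tutorial does by hand (cat >> / chmod / rm),
# but idempotently and with the permissions sshd's StrictModes requires.
# Assumes a POSIX shell and that $1 is a one-line OpenSSH public-key file.
#
# Usage (on the home computer, after scp'ing the key over):
#   install_pubkey ~/.ssh/id_dsa.pub                  # installs into ~/.ssh
#   install_pubkey /tmp/id_ed25519.pub /Users/mike/.ssh

install_pubkey() {
    pubfile=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    [ -f "$pubfile" ] || { echo "no such file: $pubfile" >&2; return 1; }

    # A public key is exactly one line beginning with a known key type.
    # Anything else (a private key, a pasted directory listing) is refused
    # rather than appended to authorized_keys.
    [ "$(grep -c '' "$pubfile")" -eq 1 ] || {
        echo "expected a single-line public key: $pubfile" >&2; return 1; }
    key=$(head -n 1 "$pubfile")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|ssh-dss\ *) ;;
        *) echo "not an OpenSSH public key: $pubfile" >&2; return 1 ;;
    esac

    # sshd silently ignores authorized_keys if it, or the .ssh folder, is
    # writable by anyone but the owner, so fix the modes every time.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Append only if this exact line is not already present.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already authorized"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added"
    fi
    # Like the tutorial's rm: the copy is redundant once it is in authorized_keys.
    rm -f -- "$pubfile"
}

# Number of keys currently listed in a given authorized_keys file.
count_keys() {
    if [ -f "$1" ]; then grep -c '' "$1" || true; else echo 0; fi
}
```

The type check is deliberately a whitelist: if you only ever use ed25519 keys, shorten the case pattern to that one type and a stray ssh-dss key from an old tutorial can't be added by accident.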
The next part will discuss setting up your home computer as a server and configuring your Airport firewall.
Reference Links:
http://www.macdevcenter.com/pub/a/mac/2004/07/09/inside_ssh_pt1.html
http://www.macdevcenter.com/pub/a/mac/2004/07/13/inside_ssh_pt2.html
http://www.macdevcenter.com/pub/a/mac/2004/07/20/inside_ssh_pt3.html
http://www.macdevcenter.com/pub/a/mac/2004/08/06/inside_ssh_pt4.html
http://www.astro.caltech.edu/~mbonati/WIRC/manual/DATARED/setting_up_no-password_ssh.html