MakeUseOf » SSL

How To Set Up A Proxy Server In Ubuntu Linux

Dave Drager — Thu, 27 Jan 2011 17:31:12 +0000

There are many reasons why you might want to learn how to set up a proxy server in Ubuntu Linux to send your browser traffic through. Perhaps you are surfing on an unsecured wireless network, or maybe you don’t want the BOFH at work to see where you are going on the Internet. Whatever your reason, it is fairly simple these days as long as you have some computer ability and are able to set up a system at home or work to serve as a proxy.

What is a proxy? Simply put, a proxy is an intermediate stop that your browser makes while requesting webpages and other web content from the Internet. Many companies legitimately use them so that they can filter content both for security purposes as perimeter control, as an anti-virus/anti-malware solution, or to make sure employees are adhering to Internet policy.

When your browser makes a request, it first contacts the proxy server. If the proxy server is also a cache – it will check the cache locally to see if the content already exists – if it does it will serve it locally, speeding up your browser experience considerably, or if it doesn’t, it makes a request for that content on the general web.

The Easy Proxy For Ubuntu

The ‘easiest’ way to create a proxy with Ubuntu is creating a tunnel through SSH. Jorge wrote this excellent how-to on the topic, and the process remains much the same for us.

For a quick overview, you first must have an Ubuntu server with SSH access available to you. You can do this by having a server on your home connection, work connection, or wherever you want your proxy to sit.

Once you have that set up, you follow the process in the article to use the “SOCKS” protocol to tell your browser to use that proxy location to download all information from.

This method also works if you have a wireless router that supports SSH, such as Tomato or DD-WRT.

The Almost-Easy Proxy For Ubuntu

The second way you can do this is to use a web proxy. As long as your Ubuntu system is set up to serve websites, you can install a web app named GlypeProxy which will act as a proxy for your web browsing session. Simon has a great how-to on setting up GlypeProxy and it would work the same way if you were running a web server on your own Ubuntu system.

Using this method has its pluses and minuses. On the upside, you do not need to modify your own browser settings to use this web proxy. This would be essential if you are in an environment where you do not have the ability to specify a proxy server in your browser options.

On the downside, unless your web server is set up to use SSL encryption, it is also very insecure. Anyone watching the traffic from your machine would still be able to view your content with no problem at all.

The Complicated-To-Install But Full-Featured Proxy

On the more involved side of things, you can install a “real” proxy server on your Ubuntu Linux machine. Proxy software has been developed specifically to address many issues spoken of above and there is a lot of software out there available that can do the job for you.

There are two main types of proxies we will go over, a “normal” proxy and a “transparent” proxy. The normal proxy works as above – you specifically have to enter the proxy information in your browser for it to be used in your web browsing. The second kind, a transparent proxy, works in such a way that all of your web browsing goes through the machine whether you specify it in your browser settings or not.

A real proxy server on Ubuntu usually centers around a piece of software named Squid. Squid is an open source proxy server in wide use across the internet. Squid is easy to install and configure. Install and edit the configuration file:

$ sudo apt-get install squid3
$ vi /etc/squid3/squid.conf

And add:

http_access allow local_net
acl local_net src 192.168.0.0/255.255.255.0

Where 192.168.0.0 is your local network. Restart squid and you have a basic proxy server set up – you would modify your settings to use a web proxy on port 3128 and the IP address of your Ubuntu system.

You can really get fancy with how you set up a proxy server in Ubuntu Linux. Howtoforge has this great tutorial on setting up Squid with Dansguardian and ClamAV for antivirus and malware protection.

Whatever Works For You…

From easy to hard, whatever kind of proxy server you need, Ubuntu can provide. Let us know your setup and how it works for you!

How To Get Your Very Own Free SSL Certificate

Mohan Ramkumar — Wed, 07 Jul 2010 18:31:03 +0000

A Secure Sockets Layer (SSL) certificate helps us to encrypt the data being transmitted via the Internet. It will come in handy if you are running a blog or a personal webpage and logging into them from an unsecured public access WiFi Hotspot (such as coffee shops, airports etc).

Transmission of your login information over an unsecured connection can be intercepted and hacked. Internet security is a topic of interest for MUO authors and our readers alike.

SSL certificates encrypt the login data before transmitting them to your ISP/server making it harder for eavesdroppers to break in. That’s exactly why banks, financial institutions, ecommerce sites etc. use SSL for securing login information, user identity information and credit card data.

SSL certificates cost a lot if bought from providers like Verisign, GoDaddy etc. For those us who don’t run mission critical portals, that is not an option. Let us see how to get free SSL certificates from StartSSL.

Obtaining The Free SSL Certificate

A simple signup form kickstarts the process of getting the free SSL certificate. All the details, including home/company address to phone number are mandatory requirements. Once the signup is done, an email with the verification code is sent to the email address you specified.

After entering the verification code, the application is sent to the second stage of verification by the StartSSL team and we are advised to wait for about six hours before being contacted by their team.

However, I got a confirmation mail in less than 5 minutes with a link to the account. Remember, this email is good for only 24 hours from the time it has been received, so act fast.

Installing The SSL Certificate

StartSSL offers free certificates with no holds barred and with absolutely no hidden charges. You can choose either a 128 bit or 256 bit key for encryption.

We have the option to choose between a high grade or medium grade private key. Once the type of key is selected, it is generated and we are taken to the installation page.

Once the install button is clicked, the certificate is installed. There is also an option to download and store the certificate to an external disk and I strongly advise you to do it.

Now that the certificate is installed in the browser, we can just click on the Authenticate option to enter the control panel. No need for an username and password. We are identified by way of the unique private key and hence it is very important to back it up securely.

Validating The Domain Name

After authentication, we can start the process of validating the domain name & the email address with the help of the Validations Wizard. From the dropdown, you can choose the appropriate option. Let us go ahead and validate a domain name.

Once we enter the domain name, an email address has to be associated with it to confirm domain ownership.

Once the email address is verified, the domain is validated. However, this being a free SSL certificate, StartSSL requires the renewal of this validation every 30 days, which involves the same process.

Certificate Wizard

I chose the Webserver certificate since I am planning to use it for my WordPress installation. We need to enter a password to create a private key and then we have to enter the subdomain where the certificate will be used. Subdomain is a mandatory requirement.

The certificate created will support the domain and the sub domain. As the final step, we now have the text box displaying the encoded certificate information. Copy the content, paste it in a notepad file and rename the file as ssl.crt

The same page also has links to download the intermediate and root certificates. Download them to the same folder.

Uploading Files To Server

Navigate to the How to Install section in the FAQ section. Choose your server setup, for example Apache and you will have the code to modify the http.conf or ssl.conf file. Copy it and update the file in the root folder of the domain in your webserver.

From the same page download the ca.pem & sub.class1.server.ca.pem files. Upload all the files to the root folder and now we have the SSL enabled connection at the website.

Final Thoughts

Please exercise caution with the last step and ensure that all the directories (marked by arrows in the image above) follow the same naming convention of your ISP or location in your webserver. And do remember to validate the domain every 30 days to enjoy the security provided by the free SSL certificate.

Are there any other services offering free SSL certificates? If you know of any, do share them with us.

18 WordPress Security Plugins & Tips To Secure Your Blog

Damien Oh — Fri, 13 Mar 2009 16:44:32 +0000

Without a doubt, for a self-hosted blog, WordPress is the best blog CMS that you can get. However, being a popular and open source software, it also means that hackers have full access to the code which they can scrutinize to find any exploits they can use to hack into any WordPress-enabled site.

On the good side, one of the best things about WordPress is its plugin system that allows anyone to install any plugins or create your own plugins to extend its functionality, including improving security.

Here, I have listed some wordpress security plugins (and a couple of tricks) that you can use to secure WordPress blog.

All the plugins and tricks listed below are meant for WP 2.7 and above. If you are still using an older version of WordPress, it’s time to upgrade your blog.

Protecting Your Login

1. CHAP Secure Login

This plugin uses the CHAP protocol to encrypt your password. The password is first salted with a random number (nonce) generated by the session, followed by the md5 transformation algorithm. This result is then sent to the server where it is decrpyted and authenticated. This is a zero-configuration plugin, which means you can use it immediately after activating it.

2. Stealth Login

Stealth Login obfuscates your login page by allowing you to define a custom login page rather than the default wp-login.php. In the event that your password is leaked, the hacker will also have a hard time finding the correct login URL. A good use of this is to prevent any malicious bots from accessing your wp-login.php file and attempting to break in.

3. Login Lockdown

Login Lockdown is useful in preventing a brute force attack. What Login LockDown does is to record the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, it will lockdown the login function and prevent any people from that IP range to log in.

4. AskApache Password Protect

This plugin adds an additional HTTP authentication to provide a second layer of defense for your blog. You can set up password protection for your blog using HTTP Basic Authentication, or you can choose to use the more secure HTTP Digest Authentication.

Note that this plugin might/might not work depending on your server capability. If your site does not pass the AskApache configuration tests (the tests run by the plugin to detect your server capabilities), contact your web host and see if they can make changes on the server side.

5. Semisecure Login Reimagined

This plugin provides a “semisecure” login environment by encrypting your password with the RSA cryptography

Protecting Your Database

6. WP-DB-Backup

Perhaps for some of you, backing up a database could mean a troublesome technical chore. With WP-DB-Backup, you just need to configure it once and get it to run automatically at regular intervals.

What this plugin does is to automate the backing up of your database and have it sent to your email inbox. Other than the default table created by WordPress, you can also backup custom tables created by plugins. In the event that your account crashes, you can easily import and restore the database with the backup.

7. WP-DBManager

Wp-DBManager is just like a phpmyadmin within your dashboard. You can easily manage your database directly within your dashboard. There are useful features such as optimizing/repairing/backing up/restoring your database and if you are technical enough, you can even run your own SQL query from the option page.

On the bad side, if any hackers manage to login to your site, this plugin is going to be a gateway for them to create havoc in your database.

8. Change database table prefix

The default prefix used by WordPress is “wp”. You can easily change the prefix to other terms that are difficult to guess using the WP-Security-Scan. More detail on this plugin below.

9. Protect your wp-config.php file

Your wp-config.php file contains all your database login credentials and it should be hidden from public view in all circumstances. In your htaccess file, put in this line:


order allow,deny
deny from all

to prevent anyone from viewing the wp-config.php file.

Protecting Your Admin Page

10. Admin SSL

This plugin forces SSL on all pages where passwords can be entered so that all information transmitted are encrypted.

One thing though, you have to own a SSL certificate before you can do it. If you are not willing to shell out the extra money to buy a private SSL certificate, you can ask your Web host about Shared SSL. Most web hosts provide Shared SSL for all their clients and it is easy to configure.

11. Change login username

Using “admin” as your login username is the last thing you want to do. When you first installed WordPress, you should immediately create another administrator account with your own username and password and delete the “admin” account.

Prevent Others From Viewing Your Internal File Structure

12. Hiding the WP version

In most WordPress themes under the section, there is always a line of code showing the WordPress version that you are using. Giving away your WordPress version number means telling the hacker what exploit to use to hack into your site.

Since WP2.6.5, WordPress has made it even harder to remove the wp version as it embeds that information within the wp_header tag. A plugin that you can use to remove that information is WP-Security-Scan.

13. Hiding the WP-content

The WP-content folder is where you stored all your plugins and theme files. This is the place where you want to prevent other people from looking into. You can either upload a blank index.html file to the wp-content folder, or create a .htaccess file in the wp-content folder and add this line:

Options All -Indexes

14. Block wp-folder from indexing by search engines

While you want the search engines to index your blog and bring in lots of traffic, the last thing that you want to see is to let the search engines expose your internal file structure to the public. What you can do is to block all your wp-folder from indexing by search engine by adding the following entries to the robot.txt:

Disallow: /wp-*

Maintenance

15. WP Security Scan

I have mentioned this plugin several times, so it is time for me to explain what it does. WP-Security-Scan checks your WordPress for security vulnerabilities and suggests/provides corrective actions. The corrective actions include changing your database prefix, hiding the WordPress version number from the header and allows you to test out the strength of your password.

Once in a while, it is a good idea to run the inbuilt security scanner and check your blog for any security invulnerabilities.

16. Change password regularly

Not only should you change your password regularly, you must also make sure that it is a strong one. If you have difficulty in creating one, find one how you can create strong passwords that you can remember easily.

17. Update WordPress and all plugins to the latest version

Needless to say, upgrading to the latest version of WordPress and plugins is the best way to protect yourself.

Protecting Your Connection

18. SFTP

Transferring files to your online account is a common thing to do. However, instead of using the unsecured FTP, you should use SFTP (Secure FTP). This will create a SSH connection and sent all your files encrypted to the server. If you need help creating a SFTP connection, here’s the guide.

The above information should be sufficient for you to create a secure WordPress blog. If you have not implemented any of these, I would urge you to do so now.

What other methods do you use to secure your WordPress blog?

GmailAssistant – The Ultimate Gmail Notifier

Travis Quinnelly — Fri, 30 May 2008 22:50:15 +0000

GmailAssistant is an amazing little java application that allows you to check multiple Gmail accounts including Gmail for Domains at the same time. GmailAssistant accesses your Google accounts securely using IMAP over SSL. Basically folks, that means that it’s pretty secure!

GmailAssistant allows you to completely customize your notification options. You can choose to have it find all mail, unread in the Inbox, and even mail with specific labels. You can even choose different alert methods…i.e. popup message, chime, blink keyboard LED.

Features

Single-File – GmailAssistant is launched from just one file. All you need to run it is contained in that one executable .jar file.
No Installation – GmailAssistant is packaged into one executable .jar file, which means it runs on any Operating System.
Leave It – GmailAssistant does not modify any system settings in any way. Everything needed for it runs in the .jar file.
Convenience – Always on top, SOCKS proxy, save/load program and account settings in encrypted profiles, automatic profile loading, adjustable mail check frequency, persistent and navigable popup messages
Updates – Easily update GmailAssistant with one click.
License – GNU General Public License version 2.

What it looks like

Here is the GmailAssistant Main form. From this page you can configure your various Gmail accounts.

Listed below is the “Account Form” where you specifiy your specific details for your various Gmail or Gmail for Domains accounts. This is where you’ll also set up the specific privileges about how you want GmailAssistant to notify you and alert you to your accounts.

Last but not least, is the view from the system tray. Here you’ll see the small GmailAssistant icon where it will display your alerts.

(By) Travis is a husband, engineer, entrepreneur, technology swami, visual communicator, WordPress lover and writer in his spare time. You can check out his personal blog at TQuizzle.com.