Micro Web Servers



Security
How To Secure Your 24/7 Web Server


A 24/7 web server facing the Internet needs to be secured.

Running a web server from home

Put your iPod Touch or Apple TV 2G behind a firewall.

Some ISPs, like Rogers, give you a fixed IP.
You can register a domain name and point its DNS A record to your Rogers IP.

If you are using DSL the IP changes constantly.
Most home firewalls support Dynamic DNS, such as DynDNS, which includes a free domain name.

Use port 80 forwarding on your firewall to point to the internal IP of the web server.

In lighttpd.conf make sure you are using a setup similar to the one below.
Only add the mime types you actually need.


Copyright 2011 Technoids.com
Sample lighttpd.conf

include "mod_fastcgi.conf"
server.document-root = "/var/www/"
server.port = 80
server.errorlog  = "/var/log/lighttpd/error.log"
accesslog.filename  = "/var/log/lighttpd/access.log"
server.modules              = (
            "mod_access",
            "mod_accesslog",
            "mod_fastcgi",
            "mod_cgi",
            "mod_compress",
            "mod_evasive"
)
evasive.max-conns-per-ip = 10
url.access-deny = ( "~", ".sqlite" )
$HTTP["useragent"] =~ "Wget" { url.access-deny = ( "" ) }
$HTTP["referer"] !~ "^(http://technoids\.com|http://www\.technoids\.com)" {
    url.access-deny = ( ".jpg", ".gif", ".png", ".zip" )
}
$HTTP["remoteip"] == "127.0.0.1" { url.access-deny = ( "" ) }
cgi.assign                 = ( ".pl"  => "/usr/bin/perl")
compress.cache-dir         = "/tmp/"
compress.filetype          = ("text/plain", "text/html")
server.tag = "Technoids.com"
server.name = "Technoids.com"
server.pid-file = "/var/run/lighttpd.pid"
index-file.names = ("index.html", "index.php")
server.error-handler-404 = "404error.html"
server.max-fds = 512
server.kbytes-per-second = 120
connection.kbytes-per-second = 32
mimetype.assign             = (
  ".pdf"          =>      "application/pdf",
  ".swf"          =>      "application/x-shockwave-flash",
  ".zip"          =>      "application/zip",
  ".mp3"          =>      "audio/mpeg",
  ".gif"          =>      "image/gif",
  ".jpg"          =>      "image/jpeg",
  ".png"          =>      "image/png",
  ".css"          =>      "text/css",
  ".html"         =>      "text/html",
  ".htm"          =>      "text/html",
  ".js"           =>      "text/javascript",
  ".ico"          =>      "image/x-icon",
  ".txt"          =>      "text/plain"
)
mod_evasive is a very simplistic module to limit connections per IP.

server.kbytes-per-second
Limit the throughput for all connections together to the given limit in kbyte/s.

connection.kbytes-per-second
Limit the throughput for each single connection to the given limit in kbyte/s.

All Lighttpd Configuration Options

url.access-deny
Denies access to all files whose path ends with any of the given suffixes.

$HTTP["useragent"]
Used to block bad bots.

$HTTP["referer"]
Used to prevent hotlinking of files.

$HTTP["remoteip"]
Used to block bad IPs.

Password

Make sure to use a strong password for the user root:
a combination of upper-case and lower-case letters, numbers and special characters.
(Note: only the first 8 characters are recognized)

Change Local Time Zone (Default is PST)

rm /private/var/db/timezone/localtime
cd /private/var/db/timezone/
ln -s /usr/share/zoneinfo/Canada/Eastern localtime
Note: replace Canada/Eastern with your own time zone.
To find your time zone:  cd /usr/share/zoneinfo/  then  ls

Network Info

Check All Open Ports
SSH  netstat -n  (AppleTV 2G: netstat is already installed)
apt-get install netstat  (for iPhone Touch & iPad)

View Data Sent & Received Every 5 Seconds
SSH  netstat -I en1 5  (wireless)
SSH  netstat -I en0 5  (ethernet)

Typical Open Ports
TCP port 22 SSH/SFTP
TCP port 80 Web Server (lighttpd)
UDP port 123 network time
TCP port 3689 iTunes Library Sharing feature (daap)
UDP port 5353 Finding computers using Bonjour (mdns)
UDP port 53 DNS

Apple Subnets

Web Server Logs

Add a Log Rotator Script (See the one in Extras)
How to check your logs for hack attempts

Check logs for "friendly" bots and crawlers
SSH  grep "bot" /private/var/log/lighttpd/access.log
SSH  grep "crawler" /private/var/log/lighttpd/access.log
SSH  grep "robot" /private/var/log/lighttpd/access.log
SSH  grep "spider" /private/var/log/lighttpd/access.log

View real-time Lighttpd log stats
SSH  tail -f /var/log/lighttpd/access.log  (AppleTV 2G)
Download tail here for the iPhone Touch & iPad
SFTP tail to /private/var/stash/bin, then SSH  chmod +x tail
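The four greps above each answer one question; the script below is an added example (not from the Technoids page) that makes one pass over the access log and reports both the bot/crawler/robot/spider hits and the clients collecting the most 404s. It assumes lighttpd's default accesslog.format (host, vhost, user, time, "request", status, bytes, "referer", "user-agent"); the log lines are constructed samples using documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the Technoids page: one pass over a lighttpd
# access.log that combines the page's bot/crawler/robot/spider greps with a
# per-client count of 404 responses (the probes the page's 404IPs.html catches).
# Assumes lighttpd's default accesslog.format:
#   host vhost user [time] "request" status bytes "referer" "user-agent"
# The log lines below are constructed samples using documentation-range IPs.

ACCESS_LOG="${TMPDIR:-/tmp}/access.sample.log"
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.10 technoids.com - [10/Apr/2011:20:59:43 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (iPad)"
203.0.113.10 technoids.com - [10/Apr/2011:20:59:44 -0400] "GET /images/logo.png HTTP/1.1" 200 8192 "http://technoids.com/" "Mozilla/5.0 (iPad)"
198.51.100.7 technoids.com - [10/Apr/2011:21:00:01 -0400] "GET /phpBB3/ HTTP/1.1" 404 345 "-" "-"
198.51.100.7 technoids.com - [10/Apr/2011:21:00:02 -0400] "GET /wordpress/wp-login.php HTTP/1.1" 404 345 "-" "-"
198.51.100.7 technoids.com - [10/Apr/2011:21:00:03 -0400] "GET /admin/ HTTP/1.1" 404 345 "-" "-"
66.249.66.1 technoids.com - [10/Apr/2011:21:05:00 -0400] "GET /robots.txt HTTP/1.1" 200 420 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.9 technoids.com - [10/Apr/2011:21:06:00 -0400] "GET / HTTP/1.1" 200 1532 "-" "SomeCrawler/1.0"
192.0.2.9 technoids.com - [10/Apr/2011:21:06:01 -0400] "GET /missing.html HTTP/1.1" 404 345 "-" "SomeCrawler/1.0"
EOF

# Requests whose User-Agent matches the page's bot keywords (case-insensitive).
# With FS='"' field 6 is the User-Agent whether or not the vhost column is present.
count_bot_hits() {
  awk -F'"' 'tolower($6) ~ /bot|crawler|robot|spider/ { n++ } END { print n+0 }' "$1"
}

# Print "count ip" for every client with at least $2 404 responses, busiest first.
# Field 3 is " status bytes ", field 1 starts with the client address.
top_404_ips() {
  awk -F'"' -v min="$2" '
    { split($3, s, " "); if (s[1] == "404") { split($1, h, " "); c[h[1]]++ } }
    END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' "$1" | sort -rn
}

echo "requests from bots/crawlers: $(count_bot_hits "$ACCESS_LOG")"
echo "clients with 3 or more 404s (worth a closer look in the log):"
top_404_ips "$ACCESS_LOG" 3
```

Point ACCESS_LOG at /var/log/lighttpd/access.log to run it against the real log.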

Block Apple Updates
(This will prevent iOS updates and call home traffic)

SSH nano /private/etc/hosts
Add these lines
127.0.0.1    mesu.apple.com
127.0.0.1    2gactivation.apple.com
127.0.0.1    a1.v.phobos.apple.com
127.0.0.1    a568.phobos.apple.com
127.0.0.1    ab2-so.apple.com
127.0.0.1    albert-so.apple.com
127.0.0.1    albert.apple.com
127.0.0.1    appldnld.apple.com
127.0.0.1    appldnld.apple.com.edgesuite.net
127.0.0.1    apple.ca
127.0.0.1    apple.com
127.0.0.1    apple.com.edgesuite.net
127.0.0.1    ax.itunes.apple.com
127.0.0.1    ax.phobos.apple.com
127.0.0.1    ax.phobos.apple.com.edgesuite.net
127.0.0.1    ax.search.itunes.apple.com
127.0.0.1    ax.sidebar.itunes.apple.com
127.0.0.1    ax.su.itunes.apple.com
127.0.0.1    buy.itunes.apple.com
127.0.0.1    buyiphone.apple.com
127.0.0.1    c.itunes.apple.com
127.0.0.1    click.linksynergy.com
127.0.0.1    deimos.apple.com
127.0.0.1    deimos2.apple.com
127.0.0.1    deimos3.apple.com
127.0.0.1    gdata.youtube.com
127.0.0.1    genius.itunes.apple.com
127.0.0.1    indigo-edge.apple.com
127.0.0.1    indigo01.apple.com
127.0.0.1    ips.apple.com
127.0.0.1    itunes.apple.com
127.0.0.1    itunes.apple.com.edgesuite.net
127.0.0.1    itunes.com
127.0.0.1    metrics.apple.com
127.0.0.1    metrics.mzstatic.com
127.0.0.1    my.itunes.apple.com
127.0.0.1    myapp.itunes.apple.com
127.0.0.1    mzstatic.com
127.0.0.1    mzsupport.apple.com
127.0.0.1    nwk-unbrick3.apple.com
127.0.0.1    phobos.apple.com
127.0.0.1    sc.itunes.apple.com
127.0.0.1    search.itunes.apple.com
127.0.0.1    secure.me.com
127.0.0.1    sidebar.itunes.apple.com
127.0.0.1    storepreview.apple.com
127.0.0.1    su.itunes.apple.com
127.0.0.1    support.mac.com
127.0.0.1    trailers.apple.com
127.0.0.1    userpub.itunes.apple.com
127.0.0.1    www.apple.ca
127.0.0.1    www.apple.com
127.0.0.1    www.atdmt.com
127.0.0.1    www.atlassolutions.com
127.0.0.1    www.google.com
127.0.0.1    www.itunes.com


SSH  killall lighttpd  to activate the changes

404 Errors (Page Not Found) logging

SSH mkdir /private/var/www/IDS

lighttpd.conf

Change server.error-handler-404 = "404error.html" to server.error-handler-404 = "/IDS/404error.php"
Add these lines (the second block keeps the /IDS/ log directory from being fetched by visitors)
$HTTP["remoteip"] == "127.0.0.1" {
    url.access-deny = ( "" )
}
$HTTP["url"] =~ "^/IDS/" {
    url.access-deny = ( "" )
}

404error.php (/private/var/www/IDS/404error.php)
<html>
<head>
<title>Page Not Found</title>
<meta http-equiv="refresh" content="1;url=/">
</head>
<body>
<?php
// Log the client address and the requested URI, then show the "not found" page.
$ip = $_SERVER['REMOTE_ADDR'];
$pagina = $_SERVER['REQUEST_URI'];
$visitorSpecs =
"<center><br><br><br>".
"<h2><b>Page Not Found</b></h2></center>";
echo $visitorSpecs;
$datum = date("d-m-y / H:i:s");
// Escape the URI before writing it into an HTML file: a crafted request path
// would otherwise be rendered as markup when 404IPs.html is opened in a browser.
$invoegen = $datum . " - " . $ip . " - " . htmlspecialchars($pagina, ENT_QUOTES, 'UTF-8') . "<br />\n";
// Write next to this script rather than relative to the working directory of PHP.
$fopen = fopen(__DIR__ . "/404IPs.html", "a");
if ($fopen !== false) {
    fwrite($fopen, $invoegen);
    fclose($fopen);
}
?>
</body>
</html>


SSH Access

If you want to use SSH from outside the firewall,
change the SSH port to prevent SSH brute force attacks.

1) The simplest way, with no changes on the web server

On the firewall, port forward a different port number to port 22 on the web server's IP.
(NOTE: SSH to that port on the firewall's IP from outside the firewall, and to port 22 on the web server's IP inside the firewall)

Or

2) Change the SSH port on the web server (two possible methods)
2A) SSH    nano /private/etc/services

Add the line
    unknown 225/tcp # secret SSH port    (225 or any free non-standard port)
nano  /Library/LaunchDaemons/com.openssh.sshd.plist
Change
    <key>SockServiceName</key>
    <string>ssh</string>
To
    <key>SockServiceName</key>
    <string>unknown</string>
reboot

2B) SSH  nano /etc/ssh/ssh_config
Change this line
#   Port 22
To
    Port 225  (225 or any free non-standard port - remove the #)
reboot

NOTE: Re 2A) & 2B) Don't forget to port forward the new SSH port on the firewall.
Note: By default Lighttpd does not allow directory browsing
Minimum Hosts Addition
127.0.0.1    mesu.apple.com
mesu.apple.com must be blocked to stop iOS updates.
Updating the iOS will brick the iDevice,
requiring a restore and jailbreaking again
(web server and data gone! => start over).

Download the hosts file shown to the left (it includes localhost).
Backup the original hosts file /private/var/etc/hosts
unzip hosts.zip
SFTP hosts to /var/etc/

Block all unnecessary outgoing traffic hitting the Internet.
NOTE: the AppleTV 2G specifically has a lot of call-home traffic,
hundreds of Mbytes a month, mostly to
phobos.apple.com/bag.xml
itunes.apple.com/WebObjects/MZStore.woa/wa/availableStoreFronts

Edit com.apple.mDNSResponder.plist using a Plist Editor
/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
Change
<key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
To
<key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
        <string>-NoMulticastAdvertisements</string>
    </array>


URL Blocking Examples
Add line(s) to lighttpd.conf

Bad spider bots
$HTTP["useragent"] =~ "YandexBot" { url.access-deny = ( "" ) }

Block empty user agent headers
$HTTP["useragent"] == "" { url.access-deny = ( "" ) }

Stop image & file hijacking (anti-hotlinking)
$HTTP["referer"] !~ "^(http://YourDomain\.com|http://www\.YourDomain\.com)" {
    url.access-deny = ( ".jpg", ".jpeg", ".png", ".zip" )
}

Block single remote IP
$HTTP["remoteip"] == "127.0.0.1" { url.access-deny = ( "" ) }

Block directory from all
$HTTP["url"] =~ "^/Directory/" { url.access-deny = ( "" ) }

Block multiple user agents in one line
$HTTP["useragent"] =~ "wget|Wget|cURL" { url.access-deny = ( "" ) }

More examples at Calomel.org
List of User Agent Strings
Country IP Blocks
Project Honeypot
Bots vs Browsers

The Importance of Backing Up Your SHSH Blobs ASAP Cannot Be Overstated
March 12 2011
The backup server is an iPod Touch 4G running iOS 4.1. I forgot to back up my blobs when I purchased it, so I decided to back it up now. Now that iOS 4.3 has just been released, the only blobs that I could back up are for iOS 4.3. There is no jailbreak for iOS 4.3 yet. So if I have to restore it for any reason I am out of luck for using it as a web server until a new jailbreak is released. The major advantage to iOS 4.1 with the Limera1n jailbreak is that the SpringBoard plist can be unloaded, giving a huge amount of free memory. With iOS 4.2.1 and the Greenpois0n jailbreak, disabling SpringBoard will render the iPod Touch useless and it must be restored. This iPod Touch will stay at iOS 4.1 and never get an updated iOS. The other advantage is it survives reboots (the auto-lock is completely disabled). The previous server was an iPod Touch 2G and was online with zero problems for over a year until I retired it for this faster iPod Touch 4G.

By backing up your blobs you can always upgrade and/or downgrade the iOS
(as far back as the first iOS for which you saved your blobs)

For a dedicated web server, the older the iOS the better.
iOS 4.1 with SpringBoard & Cydia running, default plists loaded
iOS 4.1 with SpringBoard NOT running (blank screen with the white Apple)
SSH  launchctl unload -w /System/Library/LaunchDaemons/com.apple.SpringBoard.plist
Create a sitemap.xml
/private/var/www/sitemap.xml
Free sitemap generator is here
Do not include any files or folders you do not want published in Google

Sample robots.txt
(Bad bots ignore  robots.txt)

/private/var/www/robots.txt

User-agent: *

Disallow: /wordpress/wp-content/
Disallow: /wordpress/wp-includes/
Disallow: /wordpress/trackback/
Disallow: /wordpress/wp-admin/
Disallow: /wordpress/archives/
Disallow: /wordpress/category/
Disallow: /wordpress/tag/*
Disallow: /wordpress/tag/
Disallow: /wordpress/wp-*
Disallow: /wordpress/login/
Disallow: /wordpress/*.js$
Disallow: /wordpress/*.inc$
Disallow: /wordpress/*.css$
Disallow: /wordpress/*.php$
Disallow: /images/
Disallow: /IDS/

# "All" is not a wildcard in robots.txt; the "User-agent: *" group above
# already applies to every bot not named in its own group below.

User-agent: Googlebot-Image
Disallow: /

User-agent: ia_archiver
Disallow: /

User-agent: duggmirror
Disallow: /

User-agent: YandexBot
Disallow: /

IMPORTANT NOTICE
As Soon As You Jailbreak Your iDevice
Backup the SHSH Blobs and the iOS used on CD
You might need them later for a restore
Use TinyUmbrella to backup the SHSH blobs
The older the iOS the better - Less memory usage
Less CPU usage - Less network chatter
DO NOT UPGRADE the iOS Less is More

The output from 404error.php is /private/var/www/IDS/404IPs.html
Pages not found will also be redirected to the web root

404IPs.html
Sample output
10-04-11 / 20:59:43 - 46.109.177.245 - /phpBB3/

404IPs.html will show Bad-Bots Bad-Guys and possible missing pages.
It's a simple way to detect problems before they get out of hand.
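To act on what 404IPs.html collects, the script below (an added example, not from the Technoids page) counts the logged misses per client and prints the page's own "block single remote IP" lighttpd lines for the noisy ones. It assumes the line format written by 404error.php ("dd-mm-yy / HH:MM:SS - ip - path<br />"), a threshold of 3 misses, and constructed sample entries with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the Technoids page: turn 404IPs.html (written by
# 404error.php) into the lighttpd "block single remote IP" lines shown above.
# Assumed line format: "dd-mm-yy / HH:MM:SS - ip - path<br />".
# The sample file is constructed here with documentation-range addresses.

IDS_LOG="${TMPDIR:-/tmp}/404IPs.sample.html"
cat > "$IDS_LOG" <<'EOF'
10-04-11 / 20:59:43 - 198.51.100.7 - /phpBB3/<br />
10-04-11 / 20:59:44 - 198.51.100.7 - /wordpress/wp-login.php<br />
10-04-11 / 20:59:45 - 198.51.100.7 - /admin/<br />
10-04-11 / 20:59:46 - 198.51.100.7 - /phpmyadmin/<br />
10-04-11 / 21:10:02 - 203.0.113.10 - /oldpage.html<br />
10-04-11 / 21:30:11 - 192.0.2.9 - /images/missing.png<br />
EOF

# Print "count ip" for clients with at least $2 logged 404s, busiest first.
# Splitting on " - " keeps the IP in field 2 even if a path contains a dash.
noisy_404_clients() {
  awk -F' - ' -v min="$2" '
    NF >= 3 { c[$2]++ }
    END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' "$1" | sort -rn
}

# Emit one lighttpd block per noisy client, ready to paste into lighttpd.conf.
# Check the list before using it: a broken link on your own site produces 404s too.
lighttpd_deny_lines() {
  noisy_404_clients "$1" "$2" | while read -r count ip; do
    printf '# %s 404s logged for this client\n' "$count"
    printf '$HTTP["remoteip"] == "%s" { url.access-deny = ( "" ) }\n' "$ip"
  done
}

lighttpd_deny_lines "$IDS_LOG" 3
```

Point IDS_LOG at /private/var/www/IDS/404IPs.html to run it against the real file; the threshold is the second argument.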

Feel free to reprint any contents of Technoids.com only if a credit & link is given to Technoids.com