SSH SOCKS Proxying and preventing it

I've been using SSH port forwards extensively for years to get secure access to remote networks, but today I came across another very useful thing you can do with SSH: use it as a SOCKS proxy.

This is useful if you are on a corporate network that restricts access to certain sites you need to reach. You can set it up with the following command:

ssh -D 8080 your_ssh_server

This creates a SOCKS proxy on port 8080; configure your browser's proxy settings to use a SOCKS proxy on localhost port 8080 (see picture).

Once this is done, all your browser traffic will be tunnelled through your SSH server.

Preventing Port Forwards on your SSH server

However, you may not want everyone who has a login on your SSH server to be able to do this, so you can limit who may port forward with the following in your sshd_config file:

AllowTcpForwarding no
Match User someuser
    AllowTcpForwarding yes

or

AllowTcpForwarding no
Match Group somegroup
    AllowTcpForwarding yes

I found that little gem here on nabble.
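
As an added illustration (not from the original post), here is a small Python evaluator for this Match logic: it resolves the effective AllowTcpForwarding value for a given user and group set over a constructed sshd_config, following the sshd_config(5) rules that the first value of a keyword wins and that a matching Match block, which runs to the next Match line or the end of the file, overrides the global setting. The user and group names are hypothetical, and only User and Group criteria with exact names are handled.

```python
import shlex
# Constructed sshd_config fragment (hypothetical names): forwarding is denied
# globally and re-enabled for one user and one group, as in the post.
SSHD_CONFIG = """
AllowTcpForwarding no
Match User deploy
    AllowTcpForwarding yes
Match Group tunnelusers
    AllowTcpForwarding yes
"""

def _criteria_match(args, user, groups):
    """Evaluate a 'Match User a,b Group c' line: User/Group only, exact names
    (no wildcards); any other criterion is treated as not matching."""
    if [a.lower() for a in args] == ["all"]:
        return True
    for crit, value in zip(args[::2], args[1::2]):
        names = set(value.split(","))
        if crit.lower() == "user" and user not in names:
            return False
        elif crit.lower() == "group" and not names & set(groups):
            return False
        elif crit.lower() not in ("user", "group"):
            return False
    return True

def effective_option(config_text, keyword, user, groups=()):
    """Resolve `keyword` per sshd_config(5): the first value seen wins, and a
    matching Match block (running to the next Match or EOF) overrides global."""
    global_val = match_val = None
    in_block = None  # None: global section; True/False: result of last Match
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":
            in_block = _criteria_match(args, user, groups)
        elif key.lower() == keyword.lower() and args:
            if in_block is None and global_val is None:
                global_val = args[0]
            elif in_block and match_val is None:
                match_val = args[0]
    return match_val if match_val is not None else global_val

def forwarding_allowed(user, groups=(), config=SSHD_CONFIG):
    """True if AllowTcpForwarding resolves to a permissive value (default yes)."""
    value = effective_option(config, "AllowTcpForwarding", user, groups)
    return value is None or value.lower() in ("yes", "all", "local", "remote")
```

On a live server the authoritative check is `sshd -T -C user=<name>`, which prints the effective configuration sshd would apply to that user.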

CFMX Query Timeout Gotcha

NOTE: I found this blog post in my to be posted ones from 2008.

While doing some load testing a while back we came across a strange error while simulating the load that we were expecting. The simulated load had a large first peak, followed by a quieter period, followed by some more peaks.

During the load test we noticed a few query errors that we had never seen before; they related to the query connection timing out.

It turns out that the way CF times out datasource connections is slightly quirky as described below:

The other timeout setting in the CF Admin datasource detail page is just labeled as Timeout, with a paired setting for Interval. This timeout value is how long a connection should be idle before it is removed. So if a connection goes unused for this period of time, then the next time ColdFusion checks that connection it will be removed from the pool. The frequency that ColdFusion checks the connection idle time is set by the Interval setting. The default for the Timeout setting is 20 minutes and the Interval is 7 minutes, so every 7 minutes ColdFusion will check connections for that datasource and remove connections that have been idle for 20 minutes or more. The number of idle connections removed from the pool at each interval is hardcoded in ColdFusion to just five. Say you have 20 idle connections hanging around in a pool; this would require at least 28 minutes to be cleaned up.

Timeout (min): The number of minutes that ColdFusion MX maintains an unused connection before destroying it.
Interval (min): The time (in minutes) that the server waits between cycles to check for expired data source connections to close.

Cheers, Mark

HOWTO find files that are not world readable

I ran across some permissions errors on content that some users had uploaded to a website. The uploaded files were not world readable, so they were coming up as forbidden:

This simple find command lists the offending files:

/usr/bin/find . -type f ! -perm -004

A quickie but a goodie.

Cheers, Mark

ColdFusion per vhosts mappings

One of the features of CF8 that I was most interested in, and most let down by, was per-application mappings. I was so keen because it would let us keep core library application files out of the webroot for additional security while still running different versions of the same codebase, e.g. some sites running farcry3 and some running farcry5.

This didn't transpire, so we now use the following technique in Apache to map the folder in and then lock it down.

In the vhost section add the following:

Alias /farcry /path/to/non-webfolder/farcry
<Location /farcry/>
Order Deny,Allow
Deny from all
</Location>

Note: it is important that there is no /farcry mapping defined in the CF Administrator or it will override this setting.

What the above does is map in the non-web-accessible folder and then lock it down so it cannot be browsed from the web. This seems pointless, but CF can still see the files and correctly resolves the paths even though they are inaccessible from the outside world.

This then allows us to version our sites independently, i.e. if we want to upgrade from farcry 5 to 5.1 we can do it one site at a time instead of having to test them all at once.

Note: Railo already has per-vhost mappings, which solve the same problem. But if you are on CF7 or CF8 then this works a treat.

Cheers, Mark

BlogCFC was created by Raymond Camden. This blog is running version 5.1.004.