I created a reverse tcp payload for android on port 3333. and forwarded it with serveo. But the main Concern is anyone in the world can listen on this port and get the reverse connection. How can i make this connection private so only i can access it ?
Used serveo and ngrok and stuck with ngrok. I believe them when they say it's safe but I also added additional layers of security to my host machine that issues the SSH, by hardening the SSH config and opening up the minimum ports required in iptables. For example I limited inbound SSH traffic only from my local subnet. I did this because while learning about ngrok, I found on the net (forgot where) that there is a chance someone can determine the IP of the host machine.
Serveo is just using reverse proxy. He can see you from server as ssh client who allowed server to move traffic to local server.
I created my own server using nginx and Amazon ec2 instance, certbot for free ssl.
Related
I have a NodeJS server that I'm currently working on in my machine. The OS is Windows 10.
I'm part of a small team of two and we are currently in a stage of development where i'm branching out to android app development and the other guy is making additional changes to the NodeJS server.
Thing is, when we gather and use the same network, I can successfully connect to the server being hosted in another computer via the app by using target computer's IP_address:port when making the HTTP request, but when we are "home-office-ing" we can't seem to be able to see or connect to the server being hosted in each other's machines.
Even by using the http://192.168.0.x:port ,address which works when we are connected in the same network, we can't access and get ERR_CONNECTION_TIMED_OUT when in different networks.
The port we are using to open the server is port 80, but we tried with port 3000 and forwarded it on the router, and still, it doesn't work
Is there a way to open up the server so it can be seen by a computer in an outside network?(I know that it will also be available for any other computer to see and interact with the server)
You have to use public IP address.
The most easiest solution is to rent a VPS with public IP address.
Just Google 'rent vps server' to find any hosting provider.
I have a client-server application for Android.
For security reasons it was decided to raise between client and server SSH tunnel to protect the information transmitted.
For SSH I used a application ConnectBot.
Is there any sense in raising SSH to sew in the app itself?
P.S. Sorry for my English.
I've a droplet on DO in which there is a MONGODB instance. I can connect through the "ssh user#ip" command in OSX using the terminal, but if i want to connect it with Meteor(local) i need to do port forwarding with "ssh -L port:localhost:portserver user#ip -f -N" and use launch Meteor with --port. To access the MONGODB i removed the password so you can access only with the ssh and enabled a firewall as suggested on the DO guide.
My question is: Is there a way to connect Meteor(local) with MONGODB without using the ssh tunneling each time? Or make it run the command before the meteor starting?This app is going to be on the phone(Android) for personal use so it won't go on production.
Second question: Is the ssh tunneling + port forwarding slower than connecting with user#password to MONGODB?
Third question: I'm going to use the ssh also for another mongoDB that will go in production, is it better to use user#password and connect using MONGO_URL var?
Thanks for the help!
There are 2 things to consider here:
- authentication
- encryption
the ssh tunnel insures encryption, while the password ensures authentication.
You can open up your DB to the world, and be protected by password, but if you don't have encryption, it's pretty much vulnerable to all sorts of network sniffing attacks (whenever on an open network or if someone is listening in the middle)
So, you would need encryption, that is SSL (TLS really, but best knowns as SSL)
You should looks at the MongoDB docs for this:
https://docs.mongodb.org/manual/tutorial/configure-ssl/
TLS can also be used for authentication, using a client certificate and a setting the server certificate to only accept those clients with a valid certificate. That's a little more complex as you'd need to configure your certification authority (OpenSSL most likely) to generate the right certs.
You can use tools like :https://github.com/cloudflare/cfssl to make your life easier in generating certs.
Hope that helps.
I want to monitor HTTPS traffic from my application to remote server. I am trying to follow this instruction and it works for HTTP (without s), but not for HTTPS.
What is wrong? Should I write some custom code in my application to use https-proxy ?
The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator which is very straight forward:
Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device.
You then configure your device or emulators network connection to use a manual proxy and set it to the Charles Proxy address and port. Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles and Charles will be able to show you the content of requests and responses in the clear.
I'm using WireShark for sniffing, it allow you to monitor and filter raw data. But because you using https and all transactions encrypted i suppose it can't help you. May be you can switch from https to http for debug, and later when all will be works fine change protocol back to https
Do you mean you can't see the traffic at all or do you get it encrypted? Is this a web application or native application? which Android version are you using? phone or emulator?
Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). See this:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Unfortunately, I have not found a way to add root certificates to an android device other than
rooting it and replacing the certificate store (like this)
https means http secure, so it obviously can't be sniffed so easily. what would be the point if it would be the same unsecure thing as normal http?
you have to learn a bit more about secure network comunications. or, long story short, at least you will have to learn how to use a specilly devised http proxy like charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor you own https traffic in a clear form.
I feel like it must be possible to connect to the IBM VPN with Android using an L2TP/IPSec CRT VPN, but am not totally sure. IBMers use the AT&T Global Network Connect Client that has integrated VPN management. While this client is proprietary, I think the proprietary parts are the way it attempts internet connections, not really the VPN part.
Here are the VPN details reported by the Global Network Client:
Service: Managed VPN - IPSec DualAccess (default)
VPN Server IP address: XXX.XXX.XXX.XXX
VPN Server type: AGN SIG
VPN Key Exchange Security: Diffie-Hellman Group 2
VPN Data Security: ESP,3DES,SHA1
VPN Data Compression: LZS
I can see during VPN connection where the client is verifying a certificate. My guess is if I could find this certificate on the laptop, upload it to my SD card, and register the certificate on the Android, I could set up the connection successfully with a L2TP/IPSec CRT VPN.
Any idea where the client certificate could be found on the laptop?
Any takers?
AFAIK, on most Android smartphones, you can't do it as a user, because there aren't access to the settings that you need.
This has been discussed at length at http://code.google.com/p/android/issues/detail?id=3902
Because it needs a change in the ROM, the only way around it for you is if you're willing to root your phone.
The only exception to this that I'm currently aware of is the Motorola Droid Pro, which has the necessary ROM modifications baked-in. There are a ton of articles around about it as Motorola made a bit of noise about it being the only Android to include support for Cisco IPSec - e.g. http://www.pcworld.com/businesscenter/article/207556/new_droid_pro_security_features_lead_the_way.html