Connecting Meteor External DB with ssh - android

I've a droplet on DO in which there is a MONGODB instance. I can connect through the "ssh user#ip" command in OSX using the terminal, but if I want to connect to it with Meteor (local) I need to do port forwarding with "ssh -L port:localhost:portserver user#ip -f -N" and launch Meteor with --port. To access MONGODB I removed the password, so you can access it only through SSH, and enabled a firewall as suggested in the DO guide.
My question is: is there a way to connect Meteor (local) with MONGODB without using the SSH tunneling each time? Or make it run the command before Meteor starts? This app is going to be on the phone (Android) for personal use, so it won't go to production.
Second question: is SSH tunneling + port forwarding slower than connecting with user#password to MONGODB?
Third question: I'm going to use SSH also for another MongoDB that will go into production; is it better to use user#password and connect using the MONGO_URL var?
Thanks for the help!
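The "run the tunnel before Meteor starts" part of the question can be scripted. The following is an added example, not code from the original post: it opens the forward with a control socket so it can be torn down by name, runs Meteor against the loopback end of the tunnel via MONGO_URL, and closes the tunnel when Meteor exits. The host alias "droplet", the remote mongod port 27017, the local port 27018 and the database name "meteor" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: open the SSH tunnel, run
# Meteor against it, and close the tunnel when Meteor exits. Assumed values:
# host alias "droplet" (or user@ip), mongod listening on 127.0.0.1:27017 on
# the droplet, local forward on 127.0.0.1:27018, database "meteor".
set -eu

REMOTE_HOST="${REMOTE_HOST:-droplet}"
REMOTE_MONGO_PORT="${REMOTE_MONGO_PORT:-27017}"
LOCAL_PORT="${LOCAL_PORT:-27018}"
DB_NAME="${DB_NAME:-meteor}"
CTL_SOCK="${TMPDIR:-/tmp}/meteor-tunnel.$$"

# Accept only a sane TCP port number before handing it to ssh -L.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The URL Meteor reads from MONGO_URL. It points at loopback: only processes
# on this machine can reach the forwarded port, which is what makes the
# passwordless mongod behind it tolerable for a personal app.
build_mongo_url() {
  printf 'mongodb://%s:%s/%s' "$1" "$2" "$3"
}

# -f -N: go to the background, run no remote command. With ExitOnForwardFailure
# ssh returns non-zero if the local port could not be bound, and -f only returns
# once the forward is up, so no separate "wait for the port" loop is needed.
# -M -S: control socket so the tunnel can later be shut down by name.
tunnel_up() {
  ssh -f -N -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
    -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:${REMOTE_MONGO_PORT}" "$REMOTE_HOST"
}

tunnel_down() {
  ssh -S "$CTL_SOCK" -O exit "$REMOTE_HOST" 2>/dev/null || true
}

run_meteor() {
  valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT: $LOCAL_PORT" >&2; return 2; }
  trap tunnel_down EXIT INT TERM
  tunnel_up
  MONGO_URL="$(build_mongo_url 127.0.0.1 "$LOCAL_PORT" "$DB_NAME")" meteor run "$@"
}

# Usage: sh meteor-tunnel.sh run [extra args for `meteor run`]
case "${1:-}" in
  run) shift; run_meteor "$@" ;;
esac
```

Because the forward is bound to 127.0.0.1 explicitly, other hosts on the phone's or laptop's network cannot reach the tunnelled mongod even though it has no password; the SSH key is the only credential in play.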

There are 2 things to consider here:
- authentication
- encryption
The SSH tunnel ensures encryption, while the password ensures authentication.
You can open up your DB to the world and be protected by a password, but if you don't have encryption, it's pretty much vulnerable to all sorts of network sniffing attacks (whenever on an open network, or if someone is listening in the middle).
So you would need encryption, that is SSL (TLS really, but best known as SSL).
You should look at the MongoDB docs for this:
https://docs.mongodb.org/manual/tutorial/configure-ssl/
TLS can also be used for authentication, using a client certificate and setting the server to only accept those clients with a valid certificate. That's a little more complex, as you'd need to configure your certification authority (OpenSSL most likely) to generate the right certs.
You can use tools like https://github.com/cloudflare/cfssl to make your life easier in generating certs.
Hope that helps.

Related

EAP-TTLS and CA certificates on Android when connecting to WPA2 Enterprise WiFi

I am setting up a WPA2 Enterprise-secured Wifi for my company. I set up a RADIUS server (FreeRadius) which talks to our Azure AD for authenticating our users. Because of the nature of the connection (RADIUS<-> AzureAD), EAP-TTLS is the only protocol that can be used.
Since EAP-TTLS does server validation via server certificate, but the client-side does not have to be validated via client certs, that makes it easy to deploy to employees connecting to our WiFi since I don't have to deploy client certs to all the client devices.
Problem is I don't understand the exact process of connecting the clients.
Example #1: When connecting an iOS device to the WiFi, I get the dummy CA and server certificates shown on my screen that were generated on my RADIUS server. I can choose to either trust them or not. This way server validation is done, which makes the connection secure and makes complete sense to me.
Example #2: When connecting an Android device, I don't get this prompt with the CA and server certificates. What I get is an option to either:
Select a CA cert -> This means I have to deploy the RADIUS-generated CA cert to EVERY client device. This does not make sense to me because in the end it's like I am deploying client certificates to devices which complicates the setup a lot and negates the main advantage of EAP-TTLS.
Don't validate -> This means that the device just connects to the network without validating the server at all. This way, I can connect to the WiFi too, but that is not acceptable since the client does not verify the server at all, which makes the network not secure.
Use system certificates -> Selecting this prompts the user to enter a domain. I suppose this option uses the already pre-installed CAs Android has by default, but I am not sure what to make of it. What domain is the device asking for? I can't connect this way if I enter my company's domain; the RADIUS server says that the client has an unknown CA cert. Makes sense, since the device is not using its generated CA cert.
All in all, I understand the way iOS does the connection and in my mind that is how EAP-TTLS is supposed to work, with server validation and all. Android makes things very confusing, since it is making me install the CA on the device manually instead of just getting it via the started connection (like iOS does).
Can someone point what I am missing here? Am I wrong in some assumptions or is this just an Android technicality that is supposed to work this way? What would be the easiest setup solution in this case?
Thanks in advance!

Using Wireshark on a rooted android device with ssl decryption

The question asked here is quite outdated and vague, especially considering the changes with Android 7.0+ and SSL. I've primarily used Burp proxy to see the traffic going in and out of my device. My Android is rooted and I've exported and installed Burp Suite's root CA certificate according to this tutorial. This allows me to see HTTPS and WSS traffic decrypted in clear text. The only issue with Burp Suite is that HTTP and WebSocket are the only protocols it natively supports. I have an Android application that uses a TCP socket and SSL. I want to use Wireshark to inspect that data. I've heard suggestions on how I might go about doing this. One of them is to use something called tcpdump, but I'm unfamiliar and confused with that and other methods, and I need to make sure I can decrypt the SSL.
You can redirect the traffic from the rooted android device to a transparent TLS proxy, which decrypts and re-encrypts the TLS traffic while leaving the WebSocket data untouched. Both PolarProxy (our tool) and SSLsplit can export the proxied traffic to a PCAP file in decrypted form. This allows you to inspect the decrypted WebSocket traffic in Wireshark without having to bother with key log files.
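The redirection step the answer describes is done on the device itself, because the traffic originates there: the rules go in the nat table's OUTPUT chain (PREROUTING only sees forwarded traffic). The following is an added example, not code from the answer or from the PolarProxy or SSLsplit projects; it pushes DNAT rules to a rooted device over adb. The proxy address 192.168.1.10:10443 is an assumption, and the proxy itself, plus installing its CA on the device, is configured separately.

```shell
#!/bin/sh
# Added example (not from the original answer): redirect a rooted Android
# device's outbound TLS connections to a transparent TLS proxy on the LAN.
# Assumed values: proxy at 192.168.1.10 listening on 10443. The proxy and the
# device's trust in the proxy CA are set up separately.
set -eu

PROXY_IP="${PROXY_IP:-192.168.1.10}"
PROXY_PORT="${PROXY_PORT:-10443}"

# Print one iptables rule per destination port. Device-originated traffic
# traverses nat/OUTPUT, not PREROUTING. $1 is "-A" (add) or "-D" (delete).
redirect_rules() {
  action="$1"; shift
  for port in "$@"; do
    printf 'iptables -t nat %s OUTPUT -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$action" "$port" "$PROXY_IP" "$PROXY_PORT"
  done
}

# Execute the rules on the device as root (su syntax assumes a Magisk-style su).
apply_rules() {
  redirect_rules "$@" | while IFS= read -r rule; do
    adb shell su -c "$rule"
  done
}

# Usage: sh redirect.sh start 443 8443   /   sh redirect.sh stop 443 8443
case "${1:-}" in
  start) shift; apply_rules -A "$@" ;;
  stop)  shift; apply_rules -D "$@" ;;
esac
```

Use the same port list for `stop` that you used for `start`, otherwise a stale DNAT rule survives and the device keeps talking to the proxy after you stop capturing. Apps that pin certificates will still fail the handshake; the proxy's PCAP then shows the ClientHello followed by an alert, which is itself useful evidence of pinning.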

Is the Service serveo.net safe and private?

I created a reverse TCP payload for Android on port 3333 and forwarded it with serveo. But the main concern is that anyone in the world can listen on this port and get the reverse connection. How can I make this connection private so only I can access it?
I used serveo and ngrok and stuck with ngrok. I believe them when they say it's safe, but I also added additional layers of security to my host machine that issues the SSH, by hardening the SSH config and opening up the minimum ports required in iptables. For example, I limited inbound SSH traffic to only my local subnet. I did this because while learning about ngrok, I found on the net (forgot where) that there is a chance someone can determine the IP of the host machine.
Serveo is just using a reverse proxy. It can see you from the server as an SSH client who allowed the server to move traffic to a local server.
I created my own server using nginx and an Amazon EC2 instance, with certbot for free SSL.

How to sniff HTTPS traffic from Android emulator to remote server ?

I want to monitor HTTPS traffic from my application to remote server. I am trying to follow this instruction and it works for HTTP (without s), but not for HTTPS.
What is wrong? Should I write some custom code in my application to use an HTTPS proxy?
The easiest way to do this is to use CharlesProxy to proxy your device or emulator traffic for you. The only extra step you need to do is to install the CharlesProxy SSL certificate on your device/emulator which is very straight forward:
Download the certificate from Charles Proxy (it's in their help menu) and place it on your device, then install via security settings on your device.
You then configure your device's or emulator's network connection to use a manual proxy and set it to the Charles Proxy address and port. Enable SSL proxying and your SSL connections will be securely routed end-to-end via Charles, and Charles will be able to show you the content of requests and responses in the clear.
I'm using Wireshark for sniffing; it allows you to monitor and filter raw data. But because you are using HTTPS and all transactions are encrypted, I suppose it can't help you. Maybe you can switch from HTTPS to HTTP for debugging, and later, when everything works fine, change the protocol back to HTTPS.
Do you mean you can't see the traffic at all or do you get it encrypted? Is this a web application or native application? which Android version are you using? phone or emulator?
Normally, if you set up the proxy properly, you will get the traffic, but encrypted so you can't read it. In order to see the actual content in Fiddler you would need your device to trust Fiddler's root certificate (used to create fake certificates on the fly). See this:
http://www.fiddler2.com/fiddler/help/httpsdecryption.asp
Unfortunately, I have not found a way to add root certificates to an android device other than
rooting it and replacing the certificate store (like this)
HTTPS means HTTP Secure, so it obviously can't be sniffed so easily. What would be the point if it were the same insecure thing as normal HTTP?
You have to learn a bit more about secure network communications. Or, long story short, at least you will have to learn how to use a specially devised HTTP proxy like Charles http://www.charlesproxy.com/documentation/welcome/ so you will be able to monitor your own HTTPS traffic in clear form.
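Two of the answers above describe installing the proxy's root certificate on the device, and one notes that on a rooted device this means replacing the system certificate store. The following is an added example, not code from any of the answers or from Charles, Fiddler or Burp: it computes the file name Android expects for a system CA (the legacy OpenSSL subject hash plus ".0") and pushes the certificate into /system/etc/security/cacerts over adb, which is the store apps trust by default on Android 7+ (user-installed CAs are ignored unless the app opts in). The input path ./proxy-ca.pem and the use of an emulator started with -writable-system are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): install a proxy's CA into the
# system trust store of a rooted device or a writable-system emulator.
# Assumed input: the proxy CA exported from Charles/Fiddler/Burp as
# ./proxy-ca.pem (PEM) or ./proxy-ca.der (DER).
set -eu

CACERT_DIR=/system/etc/security/cacerts

# Android names system CA files <subject_hash_old>.0, using OpenSSL's legacy
# (MD5-based) subject hash, not the current -subject_hash.
cacert_filename() {
  pem="$1"
  hash="$(openssl x509 -inform PEM -subject_hash_old -noout -in "$pem")"
  printf '%s.0' "$hash"
}

# Proxies often export DER; Android wants PEM. Pass PEM through, convert DER.
to_pem() {
  in="$1"; out="$2"
  if openssl x509 -inform PEM -noout -in "$in" 2>/dev/null; then
    cp "$in" "$out"
  else
    openssl x509 -inform DER -in "$in" -out "$out"
  fi
}

install_system_ca() {
  pem="$1"
  name="$(cacert_filename "$pem")"
  # Emulator: start it with -writable-system. Physical device: must be rooted,
  # and on recent Android `adb disable-verity` plus a reboot may be needed
  # before `adb remount` succeeds.
  adb root
  adb remount
  adb push "$pem" "$CACERT_DIR/$name"
  adb shell chmod 644 "$CACERT_DIR/$name"
  adb reboot
}

# Usage: sh install-ca.sh install ./proxy-ca.pem
case "${1:-}" in
  install) to_pem "$2" "${TMPDIR:-/tmp}/proxy-ca.pem"
           install_system_ca "${TMPDIR:-/tmp}/proxy-ca.pem" ;;
esac
```

Remove the file again when the testing session is over: a proxy CA left in the system store means anyone holding that CA's private key (which for a default Burp or Charles install is a file on your laptop) can intercept every TLS connection the device makes.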

Secure Android Server data upload over http

I am building an app that creates a http connection between Android and a specific Server. I transfer data using JSON and all is going well, but now I am trying to secure the connection, by which I mean I don't want a third party to view the data being uploaded. The Server doesn't use SSL certificates and so I am currently thinking of how to implement a secure connection. So far I have two ideas:
Create a self-signed certificate and put it on the server file system. Problem with this is that the Server owner doesn't want me poking around his system. I'd rather not get into a debate with him about it.
Use Jsch (or other) SSH library to create a secure connection. Problem with this is, I have never used SSH before.
What do you recommend? Is there another option?
Get them to setup SSL on the server and be done with it. Since the server has to decrypt the data, you need to do something on the server, whether that is installing a key and certificate or modifying the web app to decrypt your data. Using SSL is by far the best option. SSH can be tricky, and they might be less likely to allow SSH connections from mobile devices than regular HTTP(S).
