Monthly Archives: October 2010

Protecting yourself from Session Hijacking

Session hijacking has been around for many years. Firesheep just packaged it: it passively sniffs the session cookies that sites send over plain HTTP and lets anyone on the same open wi-fi take over the logged-in session with a click. Now everyone using insecure wi-fi has been given a rude awakening.

You can find all that you want about Firesheep, including its how-to, on the author's website here: http://codebutler.com/firesheep

Being Secure:
1: Use HTTPS Everywhere, Force-TLS or similar plugins which force SSL on the websites that you browse. Some sites like Facebook and Twitter use SSL only for login and don't force SSL on the rest of the pages, so the session cookie handed out over the encrypted login is then sent in the clear with every later page request; these plugins rewrite those requests to HTTPS before they leave the browser. BUT, if a website doesn't support SSL at all, the plugin has nothing to rewrite to and you're not left with many options.
2: Use SSH tunnelling (an SSH dynamic port forward gives you a local SOCKS proxy; it's very easy to set up on any OS and costs nothing extra if you already have some server, for example your website hosting). This solution is not so good because some programs ignore the system-wide proxy settings and send their traffic straight out over the wi-fi anyway.
3: The best option: use a VPN!*
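As an added illustration (not code from the original post or from the Firesheep author), the following Python script models why a session cookie leaks in the situation described under point 1, and what the two fixes do: the site marking the cookie Secure, or the client rewriting the request to HTTPS the way HTTPS Everywhere and Force-TLS do. It uses the standard library's cookie policy, so no request is ever sent; the site name, cookie name and value, and the rewrite rule are made-up assumptions for the demonstration.

```python
import http.cookiejar
import re
import urllib.request

# Constructed example: the site, cookie name and value below are made up.
SITE = "www.example.com"


def session_cookie(secure):
    """A session cookie as a site might set it after an HTTPS login,
    with or without the Secure attribute."""
    return http.cookiejar.Cookie(
        version=0, name="session_id", value="deadbeef1234",
        port=None, port_specified=False,
        domain=SITE, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_header_for(jar, url):
    """The Cookie header a browser-like client would attach to a request
    for url, or None when the cookie policy withholds everything (as it
    does for Secure cookies on a plain http:// URL). Nothing is sent."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def exposed_on_open_wifi(jar, url):
    """True when the request would carry a cookie over plain HTTP, which is
    what a passive sniffer such as Firesheep captures on open wi-fi."""
    return url.startswith("http://") and cookie_header_for(jar, url) is not None


# Client-side fix in the spirit of HTTPS Everywhere / Force-TLS: rewrite
# matching http:// URLs to https:// before the request leaves the browser.
# The rule is an assumption for the made-up site; it only helps when the
# site really serves the page over HTTPS.
HTTPS_RULES = [
    (re.compile(r"^http://(www\.)?example\.com/"), "https://www.example.com/"),
]


def force_https(url):
    for pattern, replacement in HTTPS_RULES:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url  # no rule for this site: the plugin cannot help


def demo(page="http://www.example.com/feed"):
    """Compare a cookie without the Secure flag (the login-only-SSL
    situation) against one with it, with and without the HTTPS rewrite."""
    weak = http.cookiejar.CookieJar()
    weak.set_cookie(session_cookie(secure=False))
    strong = http.cookiejar.CookieJar()
    strong.set_cookie(session_cookie(secure=True))
    return {
        # Secure flag missing: the cookie rides along on every plain-HTTP page.
        "weak_cookie_over_http": exposed_on_open_wifi(weak, page),
        # Same cookie, but the client upgraded the request to HTTPS first.
        "weak_cookie_after_rewrite": exposed_on_open_wifi(weak, force_https(page)),
        # Server-side fix: a Secure cookie is never sent over http://.
        "secure_cookie_over_http": exposed_on_open_wifi(strong, page),
        # ...but it is still sent where it belongs, over https://.
        "secure_cookie_over_https": cookie_header_for(strong, force_https(page)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the script makes: the Secure attribute is the site's fix and works regardless of what the user does, while the rewrite plugin is the user's fix and works only for sites that serve their pages over HTTPS in the first place; a URL with no matching rule comes back unchanged and the cookie still leaks.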

Things that you should NOT do:

1: Panic and stop using public wi-fi – Public wi-fi is awesome. It's very useful at a tech conference, at a meetup, or when you want to kill time in the airport, etc.
2: Using an insecure VPN – A VPN only moves the point where your traffic appears in the clear from the coffee shop to the provider's end, so the VPN you use has to be secure on the VPN end. If you think a VPN is insecure (red flags – cheap or free, unknown operator), don't use it! Don't just use a VPN because it's cheap, and make sure the provider is not shady.

Some of the above solutions don't work for the non-tech-savvy crowd. So if you want to be secure generally, avoid using sensitive websites on public wi-fi, and to be extra secure, use the aforementioned browser plugins.

Also, if you are a technically savvy person, advise the not-so-technically-gifted others on how to be secure when using wi-fi. :)

Update: There's this wonderful article on using Amazon EC2 as your VPN. Amazon recently released a free tier, which is free for a year from when you sign up. There can be a small monthly charge, but your credit cards, banking details and social networking profiles are worth much more than what you pay for the security you get!

Update 2: Just noticed there's a more detailed version about protecting yourself, from the author of the plugin himself! Check it out here!

ProFTPD timeout problem

I was recently configuring an FTP server on a Fedora box, and I had been stuck on this problem with ProFTPD for a long time.

Status: Connecting to ***.***.***.***:21…
Status: Connection established, waiting for welcome message…
Response: 220 ProFTPD 1.3.2rc1
Command: USER ***
Response: 331 Password required for ***
Command: PASS *****************
Response: 230 User *** logged in
Status: Connected
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT ***,***,***,***,14,136
Response: 200 PORT command successful
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

I spent very long hours on this problem and kept searching around. Almost everywhere it was suggested that the firewall settings could be the problem. It took me very long to realize that most of the people complaining about this were just home users trying to set up a home network and use FTP in it. The box I was working with was a production-grade server. So I kept searching, finally tweaked the search string to "proftpd passive mode problem", and found out that I had NOT set up ProFTPD with the ip_conntrack_ftp module.

This module is necessary because the server is behind a NAT router and a stateful firewall, and FTP opens a second connection for the data. In the transcript above the client sent PORT, i.e. active mode, so the server had to open a data connection back to the client on the port the client announced (14*256+136 = 3720); in passive mode the roles are reversed and the client connects to a random high port that the server announces in its 227 reply. Either way the data connection lands on a port that the packet filter and the NAT device cannot know in advance, so without help they treat it as an unrelated new connection and drop it, and the client sits on LIST until it times out. ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) is the netfilter helper that reads the PORT/PASV exchange on the control channel and marks the resulting data connection as RELATED, so that the usual ESTABLISHED,RELATED rule lets it through; its companion ip_nat_ftp (nf_nat_ftp) rewrites the addresses in that exchange when NAT is in the path.
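To make the mechanism concrete, here is an added Python model (not code from the post, from ProFTPD or from netfilter) of what the conntrack FTP helper contributes: it reads the control channel, works out which data connection to expect, and a simplified stateful ruleset then accepts or drops that connection depending on whether the helper was loaded. The transcript is constructed from the PORT line in the post with the masked addresses replaced by RFC 5737 documentation addresses (client 192.0.2.10, server 198.51.100.5), plus a made-up passive-mode exchange so both modes are covered; the ruleset is a deliberately simplified, direction-agnostic stand-in for a real state match.

```python
import re

# Constructed control-channel excerpt modelled on the transcript in the post.
# Addresses are RFC 5737 documentation addresses standing in for the masked
# ones; the PASV/227 exchange is made up to show passive mode as well.
SERVER_IP = "198.51.100.5"
CONTROL_CHANNEL = """\
Command: PORT 192,0,2,10,14,136
Response: 200 PORT command successful
Command: LIST
Command: PASV
Response: 227 Entering Passive Mode (198,51,100,5,195,80).
Command: NLST
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
DATA_COMMANDS = ("LIST", "NLST", "RETR", "STOR")   # commands that open a data connection


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply
    into (ip, port), where port = p1 * 256 + p2. Returns None if malformed."""
    m = HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connections(control_channel):
    """Read the control channel the way the conntrack FTP helper does and
    return the data connections a stateful firewall has to expect.

    Active mode (client sent PORT): the server opens the connection, from
    port 20, to the address the client announced.
    Passive mode (server replied 227): the client opens the connection, from
    an ephemeral port, to the address the server announced.
    """
    pending = None
    expected = []
    for line in control_channel.splitlines():
        if line.startswith("Command: PORT "):
            pending = {"mode": "active", "initiator": "server",
                       "src_port": 20, "dst": decode_hostport(line)}
        elif line.startswith("Response: 227 "):
            pending = {"mode": "passive", "initiator": "client",
                       "src_port": None, "dst": decode_hostport(line)}
        else:
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "Command:" and parts[1] in DATA_COMMANDS:
                if pending is not None and pending["dst"] is not None:
                    expected.append(pending)
                pending = None   # each PORT/PASV is good for one transfer
    return expected


def conntrack_state(dst, expectations, server_ip=SERVER_IP):
    """Classify the first packet of a TCP flow to dst=(ip, port) the way the
    state match would: the control channel is ESTABLISHED, a data connection
    the helper announced is RELATED, anything else is NEW."""
    if dst == (server_ip, 21):
        return "ESTABLISHED"
    if dst in expectations:
        return "RELATED"
    return "NEW"


def firewall_verdict(dst, helper_loaded, control_channel=CONTROL_CHANNEL):
    """Verdict of a typical ruleset that accepts ESTABLISHED/RELATED traffic
    plus new connections to port 21 only. Without the helper the data
    connection is NEW on a port the rules never listed and is dropped, which
    is the silent LIST timeout in the post; with the helper it is RELATED."""
    expectations = set()
    if helper_loaded:
        expectations = {c["dst"] for c in expected_data_connections(control_channel)}
    state = conntrack_state(dst, expectations)
    if state in ("ESTABLISHED", "RELATED") or dst[1] == 21:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    for conn in expected_data_connections(CONTROL_CHANNEL):
        ip, port = conn["dst"]
        print(f"{conn['mode']:7s}: {conn['initiator']} connects to {ip}:{port}; "
              f"no helper -> {firewall_verdict(conn['dst'], False)}, "
              f"helper -> {firewall_verdict(conn['dst'], True)}")
```

Running decode_hostport over your own client's log is also the quickest way to see which address and port the data connection is really going to; if that address is a private one behind the client's NAT, no amount of server-side tuning will reach it and the client has to switch to passive mode.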

So next time you have this problem and know that your firewall rules are tip-top, do check whether the ip_conntrack_ftp module (nf_conntrack_ftp on newer kernels) is actually loaded, with lsmod, and load it with modprobe if it is not!

I hope this helps :)