Tag Archive for security
Our First Implementation of SNI
We just implemented our first SSL domain to use SNI — which allows multiple websites to have independent SSL certificates yet share the same ipv4 address. This paves the way for us to coalesce several servers, and allows us to eliminate the multiple-ip-address fees for a bunch of clients.
Let us know if you get an error message on our own SSL cert, apparently Internet Explorer 8 and below on XP will, but every other major browser and user base will not: https://yourcomputergenius.com
Read more on SNI: en.wikipedia.org/wiki/Server_Name_Indication
OpenSSH
We’ve long been a proponent of OpenSSH.
You can grab a client/server version for Windows from sourceforge:
http://sshwindows.sourceforge.net/
However, here’s an interesting note about the SFTP server part of the package:
Creating Home Directories for you[r] Users
In the passwd file, you will notice that the user’s home directory is set as /home/username, with username being the name of the account. In the default install, the /home directory is set to the default profile directory for all users. This is usually c:\documents and settings.
If you want to change this location you will need to edit the passwd file. The passwd file is in plain text and can be edited in Notepad or any text editor. The last two entries for each user are safe to edit by hand. The second to last entry (/home/username) can be replaced with any other directory to act as that user’s home directory. It’s worth noting that when you run SSH on windows, you are actually running SSH in a scaled down version of cygwin, which is a Unix emulator for Windows. So, if you will be placing the user somewhere outside the default directory for their Windows profile, you will need to use the cygdrive notation.
To access any folder on any drive letter, add /cygdrive/DRIVELETTER/ at the beginning of the folder path. As an example, to access the winnt\system32 directory on the *c:* drive you would use the path:
*/cygdrive/c/winnt/system32*
Emphasis added.
http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows
Sender Verification
Email as a technology and public service is a mess.
It was engineered in a ‘closed system’ — ‘bad guys’ did not exist.
The need to scale to billions of users worldwide was not properly anticipated in the design.
Today we are left with a patchwork of underlying vulnerabilities and inconsistencies, made better or worse by higher-layer duct-tape fixes that sometimes even conflict with each other.
One of the technologies currently in use is Sender Verification. In short, when a server verification-enabled email server receives an email message, it queries the originating server, asking it if such a user exists. If one does, it approves the message; if one does not, it denies the message, and may go on to take further steps, such as blacklisting or greylisting the sender or the sender’s email server.
For this setup to work, it requires careful configuration, especially of the DNS records, for all the servers involved.
—~∞~—
We just solved a bizarre error related to this setup. In this scenario, users were getting their outbound emails blocked with a “550-No Such User Here 550 Sender verify failed” error. The emails were failing the sender verification, but only for one particular domain.
After some time and some troubleshooting, we discovered it was the same error that Mick West wrote about. It was a cpanel server, and the destination server was ostensibly hosted on the same server as the originating server. In actual fact, while the website, or A-Record (in global internet DNS) did in fact point to that server, the MX-Record pointed elsewhere. However, the internal DNS did not reflect this.
So, while email sent from any other server would check the global DNS and find the right mail exchange server to verify the email address with, any email sent through the same server (for example, by the users in question who were experiencing and reporting this error) would draw the incorrect MX record from the local (to that server) DNS. When the server would then try to verify the user, (actually against itself, istaed of the real mail server in this case) that verification would fail.
We changed the local DNS copy of the MX record, and the problems disappeared.
—~∞~—
Your Computer Genius is available to configure your hosting solution, establish sender verification for your domain, troubleshoot your DNS, setup your corporation or institution on a Google-Hosted service, and resolve all your computer woes.
