Let's say you need to access your Ubuntu Linux PC at home from another PC behind a very restrictive firewall. Let's also say that all you have access to is port 80 (HTTP) and port 443 (HTTPS). Let's unlock this situation. I'll show you how to set up Shell In A Box with an additional layer of security using Apache2 SSL. The prerequisite for the following guide is a fully working Apache 2 installation on your Ubuntu system. If you need instructions for this, you can find them in one of my older posts:
Ubuntu Netbeans and LAMP server with Xdebug as non-root user
In this post I'll mostly give you CLI commands without too much explanation, so it is up to you to go through the procedure and adjust it to your own setup. The reason for this approach is that the procedure is a bit long and a full explanation of everything would run to 10 pages. Of course I'll give a basic explanation of the most important commands. So let's get down to business…
Basic HTTPS Shell In A Box
First we download and install Shell In A Box. For the 32-bit architecture do this:
wget http://code.google.com/p/shellinabox/downloads/detail?name=shellinabox_2.10-1_i386.deb
For the 64-bit architecture do this:
wget http://code.google.com/p/shellinabox/downloads/detail?name=shellinabox_2.10-1_amd64.deb
The next thing is to install Shell In A Box:
sudo dpkg -i shellinabox*.deb
Now we need to add a few options to the Shell In A Box config file. --localhost-only makes the daemon listen on 127.0.0.1 only, so it can be reached solely through the Apache proxy and never directly from the network, and --disable-ssl turns off its built-in SSL because Apache will terminate HTTPS for us:
sudo gedit /etc/default/shellinabox
You need to replace the line:
SHELLINABOX_ARGS="--no-beep"
with line:
SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"
Let's enable the necessary Apache2 modules:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
Now we need to copy the default Apache 2 SSL virtual host and modify it for our purpose:
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl-shellinabox
sudo gedit /etc/apache2/sites-available/default-ssl-shellinabox
We need to add the following inside the <VirtualHost> block of that file. ProxyPass with a single argument is only valid inside a <Location> block, and /shell is the path we will open in the browser (https://localhost/shell):
<Location /shell>
    ProxyPass http://localhost:4200/
    Order allow,deny
    Allow from all
</Location>
Now we enable our new site and restart Shell In A Box and Apache2 services:
sudo a2ensite default-ssl-shellinabox
sudo service shellinabox restart
sudo service apache2 restart
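The whole setup depends on Shell In A Box being reachable only via Apache, so it is worth confirming that --localhost-only actually took effect. The following is an added example, not part of the original post: a POSIX sh function that reads `ss -ltn` (or `netstat -ltn`) output on stdin and reports whether every listener on a given port is bound to a loopback address. The sample listener lines are constructed for the demonstration; on the real machine you would pipe the live `ss -ltn` output into it.

```shell
#!/bin/sh
# Added example (not from the post): confirm that port 4200 is bound to loopback only.
# Input on stdin: lines in the format of `ss -ltn` (first field LISTEN) or
# `netstat -ltn` (last field LISTEN); the local address is field 4 in both.
# Exit status: 0 = every listener on PORT is loopback,
#              1 = at least one listener on PORT is reachable from outside,
#              2 = nothing is listening on PORT at all.
check_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" || $NF == "LISTEN" {
            local = $4
            n = split(local, parts, ":")
            p = parts[n]                      # port is the last ":"-separated field
            if (p != port) next
            addr = substr(local, 1, length(local) - length(p) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1" && addr != "localhost")
                exposed = 1
        }
        END {
            if (!found) exit 2
            if (exposed) exit 1
            exit 0
        }'
}

# Constructed sample: the setup described in the post (4200 on loopback, Apache on 80/443) ...
SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4200    *:*
LISTEN 0      128    *:443             *:*
LISTEN 0      128    *:80              *:*'

# ... and a constructed misconfiguration where Shell In A Box answers on every interface.
SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:4200            *:*
LISTEN 0      128    *:443             *:*'

if printf '%s\n' "$SS_GOOD" | check_loopback_only 4200; then
    echo "good sample: port 4200 is loopback only"
fi
if ! printf '%s\n' "$SS_BAD" | check_loopback_only 4200; then
    echo "bad sample: port 4200 is exposed (or not listening)"
fi
# On the real machine:  ss -ltn | check_loopback_only 4200
```

If the check returns 1 after the restart, the /etc/default/shellinabox change did not take effect (for example the daemon was not restarted, or the file has a second SHELLINABOX_ARGS line), and anyone on the network could reach the unencrypted, unauthenticated shell on port 4200 directly.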
Custom self-signed SSL certificate
You can already access your Ubuntu Linux PC shell at https://localhost/shell. If you also want an additional layer of security using HTTP authentication besides your account's user name and password, read on. Ubuntu comes with a "default" SSL certificate so your HTTPS page already works, but the safe bet is to create a custom self-signed SSL certificate. This process asks for a password (make up something complex) that you'll need to remember or write down. When the process asks for things like country, name etc., feel free to leave them blank, I do. If you set the "Common Name" field to, say, www.TechyTalk.info, the certificate can only be used on www.TechyTalk.info, so the best way is to leave everything blank for our "hobby" purpose.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl/
Now we will adjust our Apache2 virtual host and point it to the SSL certificate we have just created:
sudo gedit /etc/apache2/sites-enabled/default-ssl-shellinabox
Adjust "SSLCertificateFile" and "SSLCertificateKeyFile" lines to the following:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
If you don't plan to do HTTP authentication, restart Apache2 now; otherwise you can proceed to the next section.
sudo service apache2 restart
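The four openssl commands above create an encrypted key, a request, a self-signed certificate, and then strip the passphrase so Apache can start unattended. As an added example that is not part of the original post, here is the same result in one non-interactive step, plus two checks a practitioner wants before restarting Apache: that the key and certificate actually belong together, and that the certificate names the host you will type into the browser (the Common Name restriction the post mentions becomes useful rather than a nuisance once you use a DynDNS name). It assumes OpenSSL 1.1.1 or newer (for -addext), and shell.example.test and the temporary directory are placeholders; for the real setup you would pass /etc/apache2/ssl as the output directory.

```shell
#!/bin/sh
# Added example (not from the post): one-shot self-signed certificate for a named host,
# with key/certificate consistency and SAN checks. Requires OpenSSL >= 1.1.1.
# make_selfsigned HOST OUTDIR [DAYS]
make_selfsigned() {
    host="$1"          # the name you will use in the browser, e.g. your DynDNS name
    outdir="$2"
    days="${3:-365}"
    mkdir -p "$outdir"
    # umask 077 so the private key is never created world-readable.
    # -nodes writes an unencrypted key (the post strips the passphrase in a separate step).
    # -subj sets the Common Name; -addext also puts the name in subjectAltName,
    # which is what current browsers check when validating the host name.
    (umask 077; openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days "$days" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null)
}

# Returns 0 if the certificate's public key matches the private key (same RSA modulus).
# A mismatch here is the usual cause of "SSLCertificateKeyFile ... does not match" errors.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if the certificate lists HOST in its subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# SHA-256 fingerprint, to compare with what the browser shows before you trust the cert.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# Demonstration run in a temporary directory (placeholder host name).
tmp=$(mktemp -d)
make_selfsigned "shell.example.test" "$tmp" 365
if cert_matches_key "$tmp/server.crt" "$tmp/server.key"; then
    echo "key and certificate match"
fi
if cert_has_san "$tmp/server.crt" "shell.example.test"; then
    echo "certificate is valid for shell.example.test"
fi
cert_fingerprint "$tmp/server.crt"
rm -rf "$tmp"
```

Because the certificate is self-signed, the browser will warn on first use; comparing the fingerprint printed here with the one the browser displays is how you tell your own certificate apart from one that someone placed in the path between you and your PC.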
HTTP authentication
So now our site is using our custom SSL certificate. The next thing is to set up HTTP authentication. The intention is to use an additional password besides your account's password to access your PC (you can never be too safe). Here are the commands to make this happen (replace ##USERNAME## with the user name you want to use):
sudo htpasswd -c /etc/apache2/.htpasswd ##USERNAME##
We need to modify the Apache2 mod_proxy .conf file with our additional user name. Make sure to replace ##USERNAME## with the same user name:
sudo gedit /etc/apache2/mods-available/proxy.conf
We need to modify it like this (the Auth directives go inside the <Proxy *> block that is already in the file, so they apply to everything Apache proxies):
ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    AuthUserFile /etc/apache2/.htpasswd
    AuthName EnterPassword
    AuthType Basic
    require user ##USERNAME##
    Order allow,deny
    Allow from all
</Proxy>
Now we restart Apache2:
sudo service apache2 restart
That's it. Now you go to https://localhost/shell, enter the HTTP user name and password, then your Ubuntu Linux user name and password, and do whatever you want to do on your PC remotely. In addition, if you connect using ADSL or wireless broadband it is useful to set up something like DynDns so you can access your PC using a user-friendly domain name.
This post is a bit longer so there's a lot of room for mistakes on my part and yours. So please, if something doesn't work, comment here so I could correct any eventual mistakes. Cheers!