When you expose your webserver to the public Internet using PageKite, there are a couple of things to keep in mind:
The first point is common to all public facing servers, and securing a running website is a relatively well understood problem (see below for some resources). However, this brings us to the second point - many security guides advise restricting access by IP-address and suggest that
localhost (or 127.0.0.1) is a trusted source of traffic.
With PageKite, this assumption is no longer true. This is due to the fact that the
pagekite.py connector usually runs on the same machine as the webserver itself. As a result, unless your webserver is configured to consult the
X-Forwarded-For HTTP header, all traffic forwarded over PageKite will appear to originate at
localhost and IP-based access restrictions may not work as intended.
Please see below for more details.
If someone breaks into your website it is not the end of the world, but it can be extremely inconvenient.
Unfortunately, after a security breach has occurred, it is very hard to evaluate how much damage has really been done. If the attacker gained complete access to your computer, he may have installed back-doors or other malware allowing him to regain access later, to remote control your computer or to steal passwords or other personal or financial information. The only 100% safe course of action in this case, is to re-install your operating system from scratch.
One of the most common reasons web servers are targeted for attack, is so they can be used to host phishing pages, online scams or other malicious content. When this happens, we may be forced to temporarily disable your account to prevent harm to innocent bystanders and to prevent the PageKite service from getting blacklisted as a source of spam and illegal activity.
The following resources may be useful for improving the security of your website:
We also offer a few simple tips:
pagekite.py's built-in access controls and SSL encryption. Leave the firewall enabled unless you have good reason not to.
To reduce some of these risks, version 0.5 of
pagekite.py ships with a very basic built-in firewall. This firewall blocks access to common attack targets, including but not limited to:
Please note that the built-in firewall is by no means a perfect defense and should not be relied on. It is merely a convenience to protect against "drive-by-hacking" and is not a replacement for properly securing your website.
This firewall can be disabled by using the
--insecure (global) or
+insecure (per-kite) options, and will disable itself automatically if other means of authentication (
+ip/A.B.C.D=ok) are used.
To instruct PageKite to restrict access to your webserver, you can use commands like the following:
# Require 'user' to log on with password 'foo' $ pagekite.py 80 yourname.pagekite.me +password/user=foo # Only accept connections from the 188.8.131.52/24 network or 184.108.40.206 $ pagekite.py 80 yourname.pagekite.me +ip/1.2.3=ok +ip/220.127.116.11=ok
You can add as many passwords or IP address as you like.
Note that when these access controls are used, the built-in firewall is disabled for that particular kite.