the fast, reliable localhost tunneling solution


Security and PageKite

2013-01-22, 14:30

Security and localhost

When you expose your webserver to the public Internet using PageKite, there are a couple of things to keep in mind:

  1. Malicious 3rd parties may attempt to abuse your webserver
  2. Restricting access to "localhost" only does not work

The first point is common to all public facing servers, and securing a running website is a relatively well understood problem (see below for some resources). However, this brings us to the second point - many security guides advise restricting access by IP-address and suggest that localhost (or 127.0.0.1) is a trusted source of traffic.

With PageKite, this assumption is no longer true. This is due to the fact that the pagekite.py connector usually runs on the same machine as the webserver itself. As a result, unless your webserver is configured to consult the X-Forwarded-For HTTP header, all traffic forwarded over PageKite will appear to originate at localhost and IP-based access restrictions may not work as intended.

Please see below for more details.

What are the risks?

If someone breaks into your website it is not the end of the world, but it can be extremely inconvenient.

Unfortunately, after a security breach has occurred, it is very hard to evaluate how much damage has really been done. If the attacker gained complete access to your computer, he may have installed back-doors or other malware allowing him to regain access later, to remote control your computer or to steal passwords or other personal or financial information. The only 100% safe course of action in this case, is to re-install your operating system from scratch.

One of the most common reasons web servers are targeted for attack, is so they can be used to host phishing pages, online scams or other malicious content. When this happens, we may be forced to temporarily disable your account to prevent harm to innocent bystanders and to prevent the PageKite service from getting blacklisted as a source of spam and illegal activity.

Securing your website

The following resources may be useful for improving the security of your website:

We also offer a few simple tips:

  1. While PageKite is switched off your website is inaccessible and unhackable. If you are using PageKite for testing or temporary demonstrations, one of the most effective security measures it to simply turn it off when you are not using it.
  2. If applicable, use pagekite.py's built-in access controls and SSL encryption. Leave the firewall enabled unless you have good reason not to.
  3. Just changing a few passwords will go a long way towards improving the security of your website. Many security breaches are caused by attackers guessing default or overly simple passwords.
  4. If you run your website inside a virtual machine, then even if it gets hacked your main machine may remain uncompromised.
  5. Place web-based configuration tools on a VirtualHost not exposed over PageKite.
  6. Static content is very hard to hack! :-)
  7. Always, always make frequent backups of any important work.

PageKite's built-in firewall

To reduce some of these risks, version 0.5 of pagekite.py ships with a very basic built-in firewall. This firewall blocks access to common attack targets, including but not limited to:

  • The WordPress administration interface: /wp-admin/...
  • The phpMyAdmin database administration tool
  • The XAMPP status page: /xampp/
  • Any PHP scripts named, admin.php, install.php or setup.php

Please note that the built-in firewall is by no means a perfect defense and should not be relied on. It is merely a convenience to protect against "drive-by-hacking" and is not a replacement for properly securing your website.

This firewall can be disabled by using the --insecure (global) or +insecure (per-kite) options, and will disable itself automatically if other means of authentication (+password/user=... or +ip/A.B.C.D=ok) are used.

PageKite access controls

To instruct PageKite to restrict access to your webserver, you can use commands like the following:

# Require 'user' to log on with password 'foo'
$ pagekite.py 80 yourname.pagekite.me +password/user=foo

# Only accept connections from the 1.2.3.0/24 network or 4.5.6.7
$ pagekite.py 80 yourname.pagekite.me +ip/1.2.3=ok +ip/4.5.6.7=ok

You can add as many passwords or IP address as you like.

Note that when these access controls are used, the built-in firewall is disabled for that particular kite.