Hi all,
I would like to be able to use a simple server to serve files for family members to access remotely. I can obtain a persistent url using no-ip.
I would like users to be able to download files (via ftp?) painlessly, i.e. using just a basic browser, and without having to enter a password.
Many file hosting services allow you to create a unique random url for a file, the idea being that only someone in possession of that unique string can download the file, it is not something that can be discovered by anybody wandering the web.
Is there a way to configure an ftp server so that it only responds when a user asks for a specific path, such as
my-url.no-ip.biz/randomString/file.zip
I realize this is "security through obscurity" which isn't _really_ secure, but for temporary hosting I think it's my best option. Any suggestions for a way to do this, or a better approach entirely, are much appreciated!
-Lefty
Last edited by LeftyAce (2014-03-09 18:51:10)
Avoid FTP. You can simply serve the files over HTTP. For example, using apache.
If you don't need authentication, simply disable file listing in apache. No need to obfuscate files. Just give the users the link for the download, and only they will be able to download the file.
Last edited by x33a (2014-03-08 05:54:54)
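As an added example (not code from this thread or from Apache), here is a small Python stand-in for the setup x33a describes: plain HTTP, no directory index, and a share link whose path carries a random token. It uses only the standard library; the share root, the 32-byte token length and the 127.0.0.1 bind address are choices made for this illustration, not values from the original posts.

```python
"""Minimal 'secret link' file server (added example, not from the thread).

Serves files over HTTP, refuses to list directories (the equivalent of
Apache's 'Options -Indexes'), and creates a share directory whose name is
an unguessable random token. Assumptions not taken from the thread: token
length, bind address and the demo file contents.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files normally, but answer 404 for any directory request."""

    def list_directory(self, path):
        # 404 rather than 403 so the response does not confirm that the
        # directory exists. Returning None tells the base class to send
        # no body.
        self.send_error(404, "Not Found")
        return None

    def log_message(self, format, *args):
        # Keep the example quiet; a real deployment would log requests.
        pass


def make_share_dir(share_root):
    """Create a directory named with a random URL-safe token (32 bytes of
    entropy; the name is only ever given to the intended recipient)."""
    token = secrets.token_urlsafe(32)
    os.makedirs(os.path.join(share_root, token), mode=0o755)
    return token


def start_server(share_root, port=0):
    """Start serving share_root in a background thread; return (server, port).
    port=0 lets the OS pick a free port, which keeps the example testable."""
    handler = functools.partial(NoListingHandler, directory=share_root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_status(port, path):
    """Request a path from the local server and return the HTTP status code."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def prepare_demo():
    """Build a temporary share root with one constructed sample file.
    Returns (share_root, token)."""
    root = tempfile.mkdtemp()
    token = make_share_dir(root)
    with open(os.path.join(root, token, "file.zip"), "wb") as fh:
        fh.write(b"constructed sample payload")
    return root, token


if __name__ == "__main__":
    root, token = prepare_demo()
    server, port = start_server(root)
    print("share this link:", f"http://127.0.0.1:{port}/{token}/file.zip")
    print("file    ->", fetch_status(port, f"/{token}/file.zip"))
    print("listing ->", fetch_status(port, f"/{token}/"))
    print("root    ->", fetch_status(port, "/"))
    server.shutdown()
```

The file itself is served, while the share directory, the root and any path that does not exist all return 404, so a visitor without the token learns nothing. Two caveats apply equally to the Apache setup discussed here: a link sent over plain HTTP is visible to anyone on the network path, and a token-named directory only stays secret if the server never lists its parent.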
Thanks x33a, it looks like apache will do the trick. I have two questions:
Currently I can access the server via http://localhost/~lefty/ and it shows the contents of public_html. I added a .htaccess file with the following text, followed by a blank line:
Options -Indexes
Now I should be able to get to http://localhost/~lefty/testFile.txt, but it fails saying Error 500, the same error I get attempting to just list localhost/~lefty/
Any idea what I'm doing wrong with the .htaccess file?
Second question:
I can only access the server using localhost or 127.0.0.1. If I open firefox on the server and type the external IP address/~lefty, it just sits there with the spinning circle thing. I went into NAT forwarding for my router and enabled the "Apache" service. This same procedure for "SSH" allowed me to ssh into the machine successfully. This is my iptables config:
# Generated by iptables-save v1.4.20 on Thu Dec 5 00:21:51 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:380]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Dec 5 00:21:51 2013
Any idea why connecting via IP doesn't work, even locally?
Thanks again for your help,
-Lefty
Take a look at your apache logs, there should be a clue. If you are unable to parse the information, post the logs, as well as your apache config and site config.
Retroshare is good for secure filesharing.
Regarding your iptables rules, you're making the classic mistake - DROPping and REJECTing, without any LOGging for debugging info, e.g.:
$ipt -N logndrop
$ipt -A logndrop -m limit --limit 1/min --limit-burst 3 -j LOG --log-level warning --log-prefix "disallowed: "
$ipt -A logndrop -j DROP
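The LOG target above writes to the kernel log, so its lines show up in `dmesg` or `journalctl -k` rather than as a new file under /var/log. As an added example (not from this thread), the following Python script parses lines tagged with the `"disallowed: "` prefix from brebs' rule and counts what was dropped by source, protocol and destination port, so a firewall problem appears as a pattern instead of a silent timeout. The sample log lines are constructed for this illustration; the hostname, interface, addresses and ports are placeholders.

```python
"""Summarise netfilter LOG lines (added example, not from the thread).

The LOG target emits KEY=VALUE pairs after the configured prefix. The
sample below is constructed; addresses use private and RFC 5737
documentation ranges and do not refer to any real host.
"""
import re
from collections import Counter

LOG_PREFIX = "disallowed: "          # matches brebs' --log-prefix
_LOG_RE = re.compile(re.escape(LOG_PREFIX) + r"(?P<fields>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")  # flags such as DF or SYN have no '='

SAMPLE_LOG = """\
Mar  9 16:10:01 archbox kernel: [ 1234.567] disallowed: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  9 16:10:03 archbox kernel: [ 1236.001] disallowed: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  9 16:10:09 archbox kernel: [ 1242.420] disallowed: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  9 16:10:11 archbox kernel: [ 1244.000] disallowed: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=32 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=UDP SPT=4444 DPT=5060 LEN=12
Mar  9 16:10:12 archbox sshd[812]: Accepted publickey for lefty from 192.168.1.20 port 50022 ssh2
"""


def parse_line(line):
    """Return a dict of LOG fields for a prefixed line, or None otherwise."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return dict(_KV_RE.findall(m.group("fields")))


def summarise(lines):
    """Count dropped packets keyed by (source address, protocol, dest port)."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields.get("SRC", "?"), fields.get("PROTO", "?"), fields.get("DPT", "?"))
        counts[key] += 1
    return counts


def report(counts):
    """Render the counts as a small table, most frequent first."""
    rows = [f"{n:4d}  {src:<15} {proto:<4} dport {dport}"
            for (src, proto, dport), n in counts.most_common()]
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG.splitlines())))
```

Run against real output from `journalctl -k` (or `dmesg`), a repeated entry for the LAN client with DPT=80 would point straight at a missing ACCEPT on port 80; the example also shows how the `--limit` on the LOG rule keeps a port scan from flooding the log while still recording the first few hits.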
Thanks for pointing me to the logs (duh, should have checked there first). I haven't worked on the firewall problem, first I want to fix the directory listings.
It turns out that using .htaccess was disabled in /etc/httpd/conf/httpd.conf. So now I am trying to control listings through /etc/httpd/conf/httpd.conf (I want this to be a global setting anyway). I have a section that looks like this:
<Directory />
AllowOverride none
Require all denied
Options -Indexes
</Directory>
I added the "Options -Indexes" myself. I think this should prevent listing of directory contents anywhere on the filesystem ("/"). I then restart the httpd service:
# systemctl restart httpd.service
But if I go to localhost/~Lefty/ I still see a list of contents. Do I need to look elsewhere in httpd.conf? Is there a better way to do this?
Thanks,
Lefty
In the default config there is a <Directory /srv/http> block. This overwrites a block for <Directory /> for all files in /srv/http I guess.
Last edited by progandy (2014-03-09 04:12:34)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
I went through and added the "Options -Indexes" to every <Directory> block I could find, still no luck. Currently the only place that is accessible is localhost/~Lefty (my homedirectory/public_html). Unfortunately, I can still list the contents...
The user directories are defined in /etc/httpd/conf/extra/httpd-userdir.conf
Edit: If you want to enable -Indexes in htaccess files, modify the file e.g. like this:
AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes
Last edited by progandy (2014-03-09 04:41:11)
Thank you! That did the trick.
Now, I can't figure out why I cannot access the server using the external IP. I'm attempting this from a web browser on the same computer, so localhost/~lefty/testFile.txt shows up, but if I plug in my external ip (as determined using ipchicken or pinging my no-ip.biz hostname) xx.xxx.xxx.xx/~lefty/testFile.txt firefox sits there saying "Connecting to xx.xxx.xxx.xx" and then eventually gives up. I tried enabling iptables logging using brebs' suggestion, but I cannot find the resulting logs (nothing new shows up in /var/log, and /var/log/everything has no entries more recent than 20 minutes ago).
Any ideas on that one?
Try disabling iptables altogether, so that we can be sure that it is causing the problem.
Alright, I disabled iptables, and I have the same problem where if I try to access the apache server using the external ip or the no-ip.biz domain it times out. Using localhost and the 192.168.x.x address assigned by my router works fine. I have a NAT forwarding rule enabled on my router for Apache which looks like it's supposed to forward ports 80 and 443, but I'm not sure how to test that it's working.
What is the output of
# netstat -tulpen
This is all to do with your router, your apache and iptables setup is fine.
The problem is that home routers don't do port forwarding out from your internal network and then back again via your external IP (this is called packet rewriting or NAT loopback), this feature is usually only available on business class routers that cost a lot of money. To access your apache server from your internal network you need to use its internal IP address, not the external.
If you need to be able to access your apache server by name then either add an entry to your hosts file or set up an internal DNS server.
Last edited by Slithery (2014-03-09 16:16:05)
Slithery, thank you so much! Sure enough, when I test from a computer outside my home network it works perfectly. I don't need access from inside my own network, I just thought it would be the test-case with the fewest pitfalls. Clearly not.
I have re-enabled iptables, and everything works correctly. Thank you all for your help!