Shell-In-A-Box is a web-based AJAX terminal emulator for remotely controlling your Linux server. Recently, I explained how to install Shellinabox on Ubuntu and how to install SSH server on Ubuntu. This post explains how to increase Shellinabox security on Apache web servers. Shellinabox allows users to log in using their username and password and grants access to their login shell, exactly like SSH remote access. While Shellinabox offers great convenience to system administrators, it can offer an easy entry point for hackers if it is not secured properly. Without further delay, let us look at some of the ways you can increase Shellinabox security.

There are multiple ways to secure your Shellinabox installation. Described below are 5 easy things you can do to increase your Shellinabox security. Before we begin, it is good to know how to start, stop, and restart Shellinabox and Apache. Use the following commands to restart Shellinabox and Apache:

sudo service shellinabox reload
sudo service apache2 reload

To find out how to start, stop, and restart Shellinabox using simple and convenient aliases, refer to this post.

1. Change default listening port

Shellinabox by default listens on port 4200. You would access Shellinabox by going to http://localhost:4200. The problem is that hackers know this as well. If they know your IP address, they could access your Shellinabox by going to http://XXX.XXX.XXX.XXX:4200, where XXX.XXX.XXX.XXX represents your IP address. Therefore, changing the default listening port to a random port makes it more difficult for hackers to reach your Shellinabox. To do this on Linux/Ubuntu, you will have to edit /etc/default/shellinabox:

sudo nano /etc/default/shellinabox

Find the lines below and change the port number from the default 4200 to another random port (e.g., 6125):

# TCP port that shellinboxd's webserver listens on
SHELLINABOX_PORT=6125

Save and exit. Restart Shellinabox as described above. Your Shellinabox should now be available at http://localhost:6125. If you have set up port forwarding on your router/DHCP server, you can access your Shellinabox using http://XXX.XXX.XXX.XXX:6125, where XXX.XXX.XXX.XXX is your external IP address. If you have a domain name set up that refers to your IP address, then you can reach your Shellinabox using http://domain.com:6125.

2. Enable SSL

Accessing Shellinabox through HTTP sends all information as unencrypted data. This could be dangerous if you are working on your Shellinabox remotely from the internet. The solution is to encrypt the data during transfer, which makes sniffing by hackers harder. To enable and enforce HTTPS access on Linux servers with Apache, install the following run-time libraries:

sudo apt-get install libssl0.9.8 libpam0g openssl

Restart your Shellinabox and Apache server. It should now be accessible only through https://localhost:6125. Note that you may need to have an SSL certificate generated. Refer to the Apache documentation if you want to generate your own certificate. By default, the system will install self-signed certificates for you. These certificates are likely to raise warnings when you point your browser to the site.

3. Restrict Shellinabox to Localhost Only

You can restrict access to Shellinabox to localhost only. In other words, you can access Shellinabox only from the system on which it is running. To do this on Linux/Ubuntu, you will have to edit /etc/default/shellinabox as shown below:

sudo nano /etc/default/shellinabox

Find the line below and add --localhost-only at the end (as shown below):

SHELLINABOX_ARGS="--no-beep --localhost-only"

Save and restart Shellinabox. While this can increase Shellinabox security, it will prevent access to your Shellinabox from other systems and remote access through the internet. This can be a great inconvenience. You can overcome this drawback by setting up an Apache reverse proxy as described in Step 4.
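
A quick check of the three settings covered so far, as an added example that is not part of the original post: the script reads an /etc/default/shellinabox style file on stdin and reports a default port, disabled SSL, or a missing --localhost-only. The function names are hypothetical, SHELLINABOX_PORT and the --disable-ssl option are assumed from the Debian/Ubuntu package and shellinaboxd, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a Debian/Ubuntu-style /etc/default/shellinabox for the
# settings from steps 1-3. The file is parsed from stdin, never sourced.

# Print the last uncommented value assigned to variable $1 in text $2.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/'
}

# Prints one finding per line; returns 1 if there is any finding, else 0.
audit_shellinabox() {
    conf=$(cat)
    rc=0
    port=$(conf_value SHELLINABOX_PORT "$conf")
    args=$(conf_value SHELLINABOX_ARGS "$conf")

    # Step 1: an unset port is treated as the default 4200 (assumption).
    if [ -z "$port" ] || [ "$port" = "4200" ]; then
        echo "PORT: default port 4200 in use"; rc=1
    fi
    # Step 2: --disable-ssl (short form -t) turns HTTPS off.
    case " $args " in
        *" --disable-ssl "*|*" -t "*) echo "SSL: disabled by SHELLINABOX_ARGS"; rc=1 ;;
    esac
    # Step 3: without --localhost-only the daemon accepts remote connections.
    case " $args " in
        *" --localhost-only "*) ;;
        *) echo "BIND: --localhost-only missing"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample input (not taken from a real host).
audit_shellinabox <<'EOF' || echo "=> fix the findings above, then restart shellinabox"
# TCP port that shellinboxd's webserver listens on
SHELLINABOX_PORT=4200
SHELLINABOX_ARGS="--no-beep --disable-ssl"
EOF
```

To check a real host, run `audit_shellinabox < /etc/default/shellinabox` after loading the functions.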

