How should I keep my website hidden from the general public and give only a few people access to it? - spring

I have a website, and I am planning for a pre-pilot release. I need to keep my website hidden from the general public and only allow access to a limited number of people (3-5 people).
Currently, the website is hosted on Oracle Cloud.
I need an alternative to IP whitelisting.

Related

Must strange site visitor user agent be avoided? If yes how?

I am using shared hosting.
My site was showing "ERR_CONNECTION_REFUSED".
So I went to see the visitors to my (SSL) site.
I found that instead of regular names in the "User Agent" list, the cPanel visitors list is showing the user agent "Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: scaninfo#example.com".
I want to know whether this is harmful and, if yes, how to avoid such unknown user agents.
Is there something I should do with the ".htaccess" file?
Once again, I am using shared hosting (so I have limited access).
The ERR_CONNECTION_REFUSED you saw when accessing your website had nothing to do with the visitor you saw in cPanel. You might have had a different issue with your server configuration/shared hosting provider.
That "visitor" was an internet crawler, most likely from Palo Alto Networks, who owns Expanse. Long story short, it shouldn't cause any harm. They say that their crawlers are used to index/categorize URLs around the internet and/or to spot malicious content.
I advise you to ignore it, since there's not much you can do - I assume they have some ranges of IPs for their crawlers so you wouldn't be able to blacklist all of them anyway.

Best practice to store App Key in Laravel

I have been doing a lot of research on this and I can't seem to find a definitive answer. Obviously these days security is a big issue, hacks are going on all over the place of major companies that invest millions into security and they're still getting hacked.
I work on Laravel a lot and use shared hosting with Hostgator or some similar company of high repute. Laravel comes with a built-in function for encrypting database info and decrypting it for the user when requested.
However, I have a question on how secure this ACTUALLY is. If someone gets into my cPanel, my app key which is used for encryption is right there in front of them. Granted, my cPanel password is the one that's auto-generated by Hostgator and it's complete gibberish with semicolons and alphanumeric strings all over, so it's not easy to guess.
But I'm trying to learn a little bit more about security. If my app key in my env file is locked securely behind my cPanel login, is Laravel's built-in "encrypt()" method "enough" to call an app "secure"? Are there other measures within Laravel or my host provider that could make it more secure than just tight passwords? Is there some sort of practice of referencing the app key through an external source that's not located in the cPanel area? So even if my cPanel got hacked, my app key wouldn't be in those files and get exposed?
I'm not a security expert, but there are a few points I can share from my experience in working at highly-secured companies.
First, Laravel itself is fine. You can generally trust open source software since it's transparent and security bugs get discovered and addressed early. So you don't need to improve Laravel, just use it as is, preferably an LTS version.
Then, cPanel is a liability. You should minimize weak points on your system, i.e. those that are externally accessible. Get a VPS or a private server and access it via SSH; don't use tools like cPanel and phpMyAdmin on it. The less software you have that talks to the outer world, the less vulnerable you are to bugs in that software.
In my current company the production server can only be accessed via SSH from a single IP address, the address of the dev server. So I log in to dev server first, and then log in from there to the prod. It denies all connections from all other IPs.
If you are limited to using cPanel or something similar, consider protecting the login page with HTTP Basic Auth; some hosting providers allow that.
You also want to keep your system and software up to date. Not too new either as that may have bugs that haven't been caught yet. Our devops prefer to have it a couple of minor versions behind, so that the community has time to test it out and get hacked for you.
That's all I know as a web dev. Sure enough there are special tools and DDoS protection services, but that's beyond a dev's concern IMO. If you just follow these steps, you should be safe. Hope that helped a bit, cheers :)
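The IP-whitelist alternative asked for in the first question, the ".htaccess" question in the Expanse thread, and the "protect the login page with HTTP Basic Auth" suggestion in the answer above all reduce to the same Apache configuration. The `.htaccess` below is an added example and is not taken from any of the posts; it assumes Apache 2.4 with mod_auth_basic and mod_authz_core loaded and `AllowOverride AuthConfig` granted by the host (the usual cPanel setup). The password-file path, the realm text, and the 203.0.113.0/24 network are placeholders.

```apache
# .htaccess in the site's document root (added example, Apache 2.4 syntax).
# Every request to this directory and below must carry valid credentials.
# Unauthenticated clients, including scanners such as Expanse, receive a
# 401 and see nothing but the realm name, so there is nothing to index.
AuthType Basic
AuthName "Pre-pilot: invited testers only"

# Keep the password file OUTSIDE the document root so it can never be
# served as a static file. Placeholder path; adjust to your account layout.
AuthUserFile /home/example/.htpasswd

# Apache 2.4: "Require" replaces the old Order/Allow/Deny directives.
Require valid-user

# Optional variant: let one trusted network in without a password while
# still demanding credentials from everywhere else (<RequireAny> = OR).
# Replace the documentation range with your own address before use.
#<RequireAny>
#    Require ip 203.0.113.0/24
#    Require valid-user
#</RequireAny>
```

Create the password file with `htpasswd -B -c /home/example/.htpasswd alice` (the `-B` flag stores a bcrypt hash; drop `-c` when adding the second and later testers), and revoke a tester by deleting their line. Two caveats a practitioner should keep in mind: Basic Auth sends the credentials Base64-encoded on every request, so it only makes sense on a site that is served over HTTPS, and dropping the same `Require` lines into a subdirectory's `.htaccess` (or a `<Directory>` block in the vhost) limits the prompt to that path, which is how you protect only a login or admin area rather than the whole site.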

Selecting hosting provider and service for site like KhanAcademy

I'm having difficulties with selecting a host for a website that I'm working on and would appreciate some sincere tips. There are a lot of articles on the topics, many of which are biased, which is why I'm quite confused.
I need help selecting a specific host and service. I have the following requirements and would like a few different suggestions. Ideally, I want one suggestion on a specific service with Cloudflare since that's my primary choice even though I find their offering confusing. I also would like one suggestion with a provider that accepts BTCs as payment.
Now to my requirements:
The website is quite similar to KhanAcademy and Udemy. We want to host about 75 GB of videos that users should be able to view directly on the site (stream) with our own mediaplayer.
We also have about 15 GB of audio files that users should be able to play directly on the site and download.
We do NOT want to use YouTube, Soundcloud or similar services.
Finally, we have an additional 25 GB of files that we need to host, and that users should be able to download.
The media should load quickly but since the site is new, we have no idea of bandwidth requirement. However, we expect that they will be slow at first but grow steadily over time.
We want the hosting service to come with SSL.
And we want a three-year subscription with a fixed upfront fee rather than monthly payments.
Although this isn't a must, we would prefer if we could use the same hosting service for two separate websites with different domains.

Device based access policy for Laravel

Security is not my area of expertise. I am working on a lightweight administrative Laravel web app for internal use by the employees of a small company:
The app is intended to be used only by the employees
Remote work (from home) is not uncommon
Smartphones and laptops are usually used when working remotely
I would like to secure it as much as possible - beyond authentication, access controls or 2FA. I am trying to think of ways to make it virtually invisible to the public, but still available for the employees. Defining proper rules for crawlers might make it a bit more obscure but I think more could be done. Network based restrictions would limit the employee flexibility.
Based on this I got the idea that the app could be made available only if the request is made by an authorized device. I am not sure however whether or not this is a good approach. Neither do I know how to tackle the problem of authorizing the various devices and making that information available to the server during communication.
i.e. How would I tag a device as authorized so that I only have to do it once and can reliably validate the information in a web app? Regular authentication as well as role based access would still be in place but the app could return a 404 response if the accessing device is not whitelisted.
Is there a way to achieve something like this while not making it too restrictive for the users or painful to set up? Or is there a better method for achieving the same result?
Consider a VPN?
If you are hosting the device on an internal network, you could see if the IT dept. can set up VPN access to work remotely (in most cases, this is already in place) and then it does not need to be accessed over the internet via a URI. Instead you can simply navigate to the internal address once you're in the network through the VPN - no public access and no need to worry about pesky web crawlers!
It also makes it easier to moderate your application. For example, if an employee leaves the company you can simply revoke their VPN access and they'll no longer be able to access the application.

Migrate existing Squarespace site to AWS

I have a Squarespace website I made for myself a while back. The main purpose at the time was to have something to link to from my iOS app, and I opted for something expedient rather than thinking long term, just to get the app released. Fast forward to now and I have an AWS EC2 instance where I could do more with a personal site in the future. Ultimately it would be nice to get it off Squarespace and not have to pay another full-year billing cycle, but the renewal date is a pretty tight deadline at this point.
Nothing on this domain requires much more than frontend web code really, but a completely different page UI could take more time than I have for this. I'm wondering if there might be a way to just temporarily have the Squarespace page source as-is running on EC2 so I can worry about a possible non-CMS design when I'm not worried about getting billed for another whole year by Squarespace.
I'm not sure if this is possible, but if not it seems like I should just port the content to minimalistic empty html files with no styling just to avoid the billing or get billed for a shorter time period. Billing seems like the limiting factor here. I would also need to add my new credit card to get billed for more time which I also have yet to do.
Basically, has anyone else dealt with this situation personally? What would you recommend I do? Does Squarespace even allow me to port to EC2 somehow, or is that more in the realm of WordPress? Thanks.
Note: Tomcat's what I'm using on the EC2 instance currently. I will also need to do the multiple site per instance setup for this, but I believe that's the most relevant config info here unless I'm forgetting something.
Not sure why you've already chosen to use Tomcat, as I don't see anything that would allow you to easily convert your Squarespace site to a Java webapp. It looks like Squarespace sites can be exported into WordPress, which you could host on an EC2 server.
Alternatively you could use wget to create a static copy of your website which you could then host easily on your EC2 server with Nginx, or skip EC2 and just host the static website on S3.