Wednesday, March 5, 2014

YAWS Home Router Non-Root Run

Last night I was starting to contemplate how to make my site more secure. A little about my site:

  • It runs on a virtual machine, to insulate against attacks on my host machine. It's easier to restore this way too: if someone hacks it, I just restore the machine back to what it was.
  • It's run from a home network. I have access to the router and its settings.
  • It runs CrunchBang Linux, a Debian-based distro (just like Ubuntu).

Up until this point I've been running YAWS as root, because non-root users cannot bind to privileged ports (anything less than 1024). At the site:


They give several options for how to run yaws as non-root. It's important that we run as a regular user instead of root. None of the ways documented in the YAWS documentation would work for me. I did like the idea of patching the kernel and maybe I'll try it later but for now I just wanted security.

This morning I came up with a really elegant solution for my situation: use an unprivileged port and then make the router re-route traffic from port 80 to my non-privileged port! It was such an easy solution that I didn't think it would work. 

Step 1: Open yaws.conf and change your port to an unprivileged port. I used 8080:

<server myawesomesite.com>
    port = 8080
    ...
</server>

Anywhere port = 80 is shown, change it to port = 8080. The 8080 port is greater than 1024 and no other application was using it. 

Step 2: Find your IP Address. Just do an ifconfig command from the terminal. You should get something like this:


The inet addr is your IP Address.

Step 3: Open your router configuration page. Normally you can just open a web browser and go to 192.168.1.1.

Step 4: Find the Port Forwarding page. For Linksys models you can go under Applications & Gaming > Single Port Forwarding.

Step 5: Fill out the following:
    External Port: 80
    Internal Port: 8080
    Protocol: Both
    To IP Address: (your computer's IP Address)
    Enabled: Checked

It's that simple. Start your YAWS server as a non-root user and it just works. No fussing with configuration files or installing any other crazy software. Although modifying the kernel does sound fun...
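
A pre-flight check for the setup above, as an added example that is not part of the original post or the YAWS project: it scans a yaws.conf for ports below 1024 and refuses to proceed when invoked as root. It assumes the `port = N` layout shown in Step 1; the function names and the optional UID argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before starting YAWS as a regular user.
# Assumes "port = N" lines inside <server ...> blocks, as in Step 1.

# Print "server:port" for each port below 1024 (these need root to bind).
privileged_ports() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*<server[ \t]/ { name = $2; sub(/>.*/, "", name); next }
        /^[ \t]*<\/server>/   { name = ""; next }
        /^[ \t]*port[ \t]*=/ {
            split($0, kv, "="); port = kv[2] + 0
            label = (name == "") ? "(global)" : name
            if (port < 1024) print label ":" port
        }
    ' "$1"
}

# preflight CONF [UID]: 0 = safe to start unprivileged, 1 = privileged
# port configured, 2 = caller is root. UID defaults to the current user;
# the override is a hypothetical convenience for testing.
preflight() {
    conf=$1
    uid=${2:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing: YAWS would run as root" >&2
        return 2
    fi
    bad=$(privileged_ports "$conf")
    if [ -n "$bad" ]; then
        echo "ports below 1024 need root: $bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample config mirroring Step 1 (not a real site's file).
sample=$(mktemp)
printf '<server myawesomesite.com>\n    port = 8080\n</server>\n' > "$sample"
if preflight "$sample" 1000; then
    echo "ok: no privileged ports, safe to start as a regular user"
fi
rm -f "$sample"
```

This checks only the YAWS side; the router forward from Steps 3 to 5 still has to be confirmed separately.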

