Tag Archives: shared hosting

Securing Administration of Shared Hosting

If you didn’t already know, ssh can forward a local TCP port to a port that is reachable from the server (the -L option). I wanted to use this ability to prevent my site credentials and cookies from being sent in plaintext over the internet (since I’ve been trying to avoid paying for SSL/TLS). This works on Dreamhost, but should work on pretty much any shared hosting provider that allows you to ssh into the server.

In short, it takes a few hacks to get everything to play together. It requires superuser privileges on the machine you are connecting from (to bind local port 80), but no special privileges on the remote server.

First, establish a specific subdomain (or alternative domain) to ssh into (for example ssh.tidgubi.com). The next step points the main domains (www.tidgubi.com and tidgubi.com) at your own machine in the hosts file, so the name you ssh to must be a different one that still resolves to the real server.

Next, edit your local hosts file (/etc/hosts on Unix-like systems). Add entries so your computer resolves the webserver’s names to your local machine, for example the line 127.0.0.1 www.tidgubi.com (and one for tidgubi.com if you also use that name in the browser). Do not add an entry for the ssh name.

Log in with an administrator account, or open a console session as one (for a long time I didn’t realize you could just open a console and type login <admin_account>).

Create an ssh tunnel between your computer and your webserver by running the command sudo ssh kenji@ssh.tidgubi.com -L 80:www.tidgubi.com:80
This command breaks down as follows:

  • sudo – root privileges are needed to listen on local port 80 (ports below 1024 are privileged). This also means ssh runs as root and reads root’s ~/.ssh (known_hosts and keys) rather than your own
  • ssh – run the ssh client program
  • kenji@ssh.tidgubi.com – username and ssh server
  • -L – specifies local port forwarding
  • 80 – local port to listen for data on
  • www.tidgubi.com – remote webserver. This name is resolved on the ssh server, not on your computer, so it does not conflict with the hosts file change
  • 80 – remote port to forward traffic to. Assuming you’re forwarding traffic to a standard webserver, this should be port 80

Notes

  • This does not work well if you try to use a different local port, because servers and web apps often redirect to their canonical URL, which drops any port you set explicitly in the address bar
  • This command only forwards traffic coming from the local client. You can add the -g option to the ssh command if you want to allow other computers to connect to your local port 80 and use the tunnel; that traffic reaches your machine in plaintext, so only do this on a network you trust
  • Ideally you can ssh directly into the machine that runs your webserver. Traffic is plaintext again once it leaves the ssh server, so if ssh.tidgubi.com and www.tidgubi.com are different machines (common on shared hosting) the hop between them crosses the provider’s network in the clear
  • Because there is no TLS, the ssh server’s host key is the only thing that tells you that you reached your server rather than a man in the middle. Verify its fingerprint the first time and never accept a changed key; remember that under sudo the key is recorded in root’s known_hosts, not yours
  • The webserver sees the forwarded requests as coming from the ssh server’s address, not from your own IP; keep that in mind for any address-based restrictions
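The whole procedure above as one script, covering both the steps and the notes. This is an added example and not from the original post: it checks that the hosts file points the web names at 127.0.0.1 without also overriding the ssh name, refuses to run without root (needed only to bind local port 80), and then starts the tunnel with a few options the one-liner above omits (no remote shell, fail if the port cannot be bound, strict host key checking, and reuse of the invoking user’s known_hosts since sudo makes ssh read root’s). The user name, host names and WEB_HOSTS default are the post’s examples; the file paths and the up argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults are the post's names;
# override them in the environment if yours differ.
SSH_USER="${SSH_USER:-kenji}"
SSH_HOST="${SSH_HOST:-ssh.tidgubi.com}"      # must NOT be overridden in the hosts file
WEB_HOSTS="${WEB_HOSTS:-www.tidgubi.com}"    # names the hosts file points at 127.0.0.1
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# check_hosts_file FILE SSH_HOST WEB_HOST...
# Succeeds only if every WEB_HOST is listed on a 127.0.0.1 line of FILE and
# SSH_HOST appears on no line at all (otherwise ssh would connect to yourself).
check_hosts_file() {
    file=$1; ssh_host=$2; shift 2
    entries=$(sed 's/#.*//' "$file")          # drop comments
    for h in "$@"; do
        printf '%s\n' "$entries" | awk -v h="$h" \
            '$1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
             END { exit (found ? 0 : 1) }' || return 1
    done
    printf '%s\n' "$entries" | awk -v h="$ssh_host" \
        '{ for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { exit (found ? 1 : 0) }'
}

# build_tunnel_cmd USER HOST WEB_HOST [KNOWN_HOSTS]
# Prints the ssh command line. Compared with the post's one-liner it adds:
#   -N                            forward ports only, no remote shell
#   -o ExitOnForwardFailure=yes   die if local port 80 cannot be bound, instead of
#                                 silently giving you a shell and no tunnel
#   -o StrictHostKeyChecking=yes  with no TLS, the ssh host key is the only proof
#                                 you reached your server; never accept an unknown one
#   -o UserKnownHostsFile=...     sudo runs ssh as root, which reads
#                                 /root/.ssh/known_hosts; point it at the file that
#                                 already trusts the server (assumed path, see below)
build_tunnel_cmd() {
    user=$1; host=$2; web=$3; kh=${4:-}
    cmd="ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes"
    if [ -n "$kh" ]; then
        cmd="$cmd -o UserKnownHostsFile=$kh"
    fi
    printf '%s -L 80:%s:80 %s@%s\n' "$cmd" "$web" "$user" "$host"
}

start_tunnel() {
    set -- $WEB_HOSTS                       # word-split the space-separated list
    if ! check_hosts_file "$HOSTS_FILE" "$SSH_HOST" "$@"; then
        echo "fix $HOSTS_FILE: $WEB_HOSTS must map to 127.0.0.1 and $SSH_HOST must not" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then           # root is needed only to bind local port 80
        echo "run as: sudo sh $0 up" >&2
        return 1
    fi
    kh=""
    if [ -n "${SUDO_USER:-}" ]; then        # reuse the invoking user's known_hosts
        kh=$(eval echo "~$SUDO_USER")/.ssh/known_hosts
    fi
    cmd=$(build_tunnel_cmd "$SSH_USER" "$SSH_HOST" "$1" "$kh")
    echo "+ $cmd" >&2
    # Browse to http://$1/ while this runs. The remote side resolves $1, so the
    # hosts-file override on your machine does not affect where traffic lands.
    exec $cmd                               # intentionally unquoted: split into arguments
}

case "${1:-}" in
    up) start_tunnel ;;
esac
```

Run it as sudo sh tunnel.sh up; it exits with a message rather than starting ssh if the hosts file is not set up as the steps above describe. Paths with spaces in the known_hosts location are not handled, since the command is word-split before exec.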

Next use .htaccess to restrict access to administrative pages.