
5 Easy steps to Increase Shellinabox Security

written by Anand October 31, 2012

Shell-In-A-Box is a web-based AJAX terminal emulator for remotely controlling your Linux server. Recently, I explained how to install Shellinabox on Ubuntu and how to install SSH server on Ubuntu. This post explains how to increase Shellinabox security on Apache webservers. Shellinabox allows users to log in using their username and password and grants access to their login shell, exactly like SSH remote access. While Shellinabox offers great convenience to system administrators, it can offer an easy entry point for hackers if it is not secured properly. Without further delay, let us look at some of the ways you can increase Shellinabox security.

5 Easy Steps to Increase Shellinabox Security

There are multiple ways to secure your Shellinabox installation. Described below are 5 easy things you can do to increase your Shellinabox security. Before we begin, it is good to know how to start, stop, and restart Shellinabox and Apache. Use the following commands to restart Shellinabox and Apache:

sudo service shellinabox reload
sudo service apache2 reload

To find out how to start, stop, and restart Shellinabox using simple and convenient aliases, refer to this post.

1. Change default listening port

Shellinabox by default listens on port 4200. You would access Shellinabox by going to http://localhost:4200. The problem is hackers know this as well. So if they know your IP address they could access your Shellinabox by going to http://XXX.XXX.XXX.XXX:4200, where the XXX.XXX.XXX.XXX represents your IP address. Therefore changing the default listening port to a random port makes it difficult for hackers to reach your Shellinabox. To do this on Linux/Ubuntu you will have to edit /etc/default/shellinabox:

sudo nano /etc/default/shellinabox

Find the lines below and change the port number from the default 4200 to another random port (e.g. 6125):

# TCP port that shellinboxd's webserver listens on
SHELLINABOX_PORT=6125

Save and exit. Restart Shellinabox as described above. Your Shellinabox should now be available at http://localhost:6125. If you have set up port forwarding on your router/DHCP server, you can access your Shellinabox using http://XXX.XXX.XXX.XXX:6125, where XXX.XXX.XXX.XXX is your external IP address. If you have a domain name set up that refers to your IP address, then you can reach your Shellinabox using http://domain.com:6125

2. Enable SSL

Accessing Shellinabox through http sends all information as unencrypted data. This could be dangerous if you are working on your Shellinabox remotely from the internet. The solution is to encrypt the data during transfer, which makes sniffing by hackers harder. To enable and enforce HTTPS access on Linux servers with Apache, install the following run-time libraries:

sudo apt-get install libssl0.9.8 libpam0g openssl

Restart your Shellinabox and Apache server. It should now be accessible only through https://localhost:6125. Note that you may need to have an SSL certificate generated. Refer to the Apache documentation if you want to generate your own certificate. By default, the system will install self-signed certificates for you. These certificates are likely to raise warnings when you point your browser to the site.


3. Restrict Shellinabox to Localhost Only

You can restrict access to Shellinabox to localhost only. In other words, you can access Shellinabox only from the system on which it is running. To do this on Linux/Ubuntu you will have to edit /etc/default/shellinabox as shown below:

sudo nano /etc/default/shellinabox

Find the line below and add --localhost-only at the end (as shown below):

SHELLINABOX_ARGS="--no-beep --localhost-only"

Save and restart Shellinabox. While this can increase Shellinabox security, it will prevent access to your Shellinabox from other systems and remote access through the internet. This can be a great inconvenience. You can overcome this drawback by setting up an Apache reverse proxy as described in Step 4.
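
The settings from steps 1 to 3 can be checked in one pass. The script below is an added example, not from the original post; `audit_siab_defaults` is a hypothetical helper name, and it assumes the file holds plain `SHELLINABOX_PORT=` and `SHELLINABOX_ARGS=` assignments like the ones shown above.

```shell
#!/bin/sh
# Added example: audit /etc/default/shellinabox for the settings in steps 1-3.
# audit_siab_defaults is a hypothetical helper name, not part of Shellinabox.

audit_siab_defaults() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # The last uncommented assignment wins, as it does when the file is sourced.
    port=$(sed -n 's/^[[:space:]]*SHELLINABOX_PORT=[^0-9]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    args=$(sed -n 's/^[[:space:]]*SHELLINABOX_ARGS=//p' "$conf" | tail -n 1 | tr -d "\"'")
    rc=0
    # Step 1: a missing port is treated as the default 4200.
    if [ -z "$port" ] || [ "$port" = 4200 ]; then
        echo "WARN step 1: listening on the default port 4200"; rc=1
    fi
    # Step 3: without --localhost-only the daemon is reachable from other hosts.
    case " $args " in
        *" --localhost-only "*) local_only=yes ;;
        *) local_only=no
           echo "WARN step 3: --localhost-only missing from SHELLINABOX_ARGS"; rc=1 ;;
    esac
    # Step 2: --disable-ssl (-t) is only acceptable on a loopback-only listener
    # that sits behind the HTTPS reverse proxy from step 4.
    case " $args " in
        *" --disable-ssl "*|*" -t "*)
            [ "$local_only" = yes ] || {
                echo "WARN step 2: SSL disabled on a network-reachable listener"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample: the file after the edits from steps 1 and 3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TCP port that shellinboxd's webserver listens on
SHELLINABOX_PORT=6125
SHELLINABOX_ARGS="--no-beep --localhost-only"
EOF
audit_siab_defaults "$sample" && echo "OK: $sample passes the audit"
rm -f "$sample"
```

On a real server, run it as `audit_siab_defaults /etc/default/shellinabox`; an exit status of 1 means at least one of the three steps is not in effect.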

4. Setup Shellinabox Apache Reverse Proxy

To add a layer of convenience to your Shellinabox security, you can set up an Apache reverse proxy. To do this, you will first have to enable mod_proxy on Apache:

sudo a2enmod proxy

Then, make a backup of /etc/apache2/mods-available/proxy.conf:

sudo cp -a /etc/apache2/mods-available/proxy.conf /etc/apache2/mods-available/proxy.conf.backup

Next, edit /etc/apache2/mods-available/proxy.conf and make sure it looks like what is shown below. Add and edit any existing lines as necessary.

[Image: ShellInABox Reverse Proxy]

Save and exit. Restart Shellinabox and Apache. Now you can access your Shellinabox through https://localhost/shell or https://XXX.XXX.XXX.XXX/shell (from internet using your IP address – requires port forwarding). The last line in the code above allows you to access Shellinabox through https://domain.com/shell. Ignore it if you do not have a domain name that refers to your IP address.

This increases Shellinabox security by not revealing the Shellinabox port to the outside world.


5. Enable Apache Authentication

Last but not least, enable authentication. Every time you access Shellinabox, you will be asked for a username and password as shown in the picture below:

[Image: Shellinabox Security]

To do this, you will first have to create a .htpasswd file. More information is available in the Apache documentation. But the easiest way to achieve this is to use one of the htpasswd generators available online.

After you enter the username and password two code blocks will be generated. Copy the contents of the .htpasswd code block and save it to /etc/apache2/.htpasswd_siab. Next, copy the contents of the .htaccess code block and add it to /etc/apache2/mods-available/proxy.conf as shown below:

[Image: ShellInABox Reverse Proxy]

Save and exit. Restart Shellinabox and Apache. You should be prompted for a password every time you try to access Shellinabox.
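
One way to confirm the result of steps 4 and 5 in proxy.conf, as an added example that is not the post's own configuration. `check_shell_proxy` and `block_has` are hypothetical helpers, and the check assumes the proxy is declared in a `<Location /shell>` block using the standard Apache ProxyPass and Basic-auth directives.

```shell
#!/bin/sh
# Added example: check that the /shell proxy block targets loopback and asks for a login.
# check_shell_proxy and block_has are hypothetical helpers; a <Location /shell> block is assumed.

# True when a line of the extracted block starts with the given directive pattern.
block_has() { echo "$block" | grep -Eiq "^[[:space:]]*$1"; }

check_shell_proxy() {
    conf=$1
    # Body of <Location /shell> ... </Location>, with comment lines skipped.
    block=$(awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /<location[ \t]+"?\/shell\/?"?[ \t]*>/ { inside = 1; next }
        inside && tolower($0) ~ /<\/location>/ { inside = 0 }
        inside { print }' "$conf")
    [ -n "$block" ] || { echo "FAIL: no <Location /shell> block found"; return 2; }
    rc=0
    # Steps 3 and 4: the backend must be the loopback listener.
    block_has 'ProxyPass[[:space:]]+https?://(localhost|127\.0\.0\.1)(:[0-9]+)?/' \
        || { echo "FAIL: ProxyPass does not target localhost"; rc=1; }
    # Step 5: Basic auth, a password file and a Require rule must all be present.
    block_has 'AuthType[[:space:]]+Basic' \
        || { echo "FAIL: missing AuthType Basic"; rc=1; }
    block_has 'AuthUserFile[[:space:]]+[^[:space:]]' \
        || { echo "FAIL: missing AuthUserFile"; rc=1; }
    block_has 'Require[[:space:]]+(valid-user|user[[:space:]])' \
        || { echo "FAIL: missing Require valid-user (or Require user ...)"; rc=1; }
    return $rc
}

# Constructed sample fragment; port 6125 and the htpasswd path are the post's values,
# the AuthName text and the http:// backend scheme are assumptions.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location /shell>
    ProxyPass http://localhost:6125/
    AuthType Basic
    AuthName "Shellinabox"
    AuthUserFile /etc/apache2/.htpasswd_siab
    Require valid-user
</Location>
EOF
check_shell_proxy "$sample" && echo "OK: /shell is proxied to loopback behind a login"
rm -f "$sample"
```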

After you are done with all the configuration/editing, run the following command to ensure that your new Shellinabox defaults are updated:

sudo update-rc.d shellinabox defaults

Restart your Apache and Shellinabox one last time. Each step adds one additional layer of security. Together they increase your Shellinabox security and make it nearly impervious.

There you go. Install Shellinabox and follow the above steps to increase Shellinabox security. Enjoy the convenience of a web-based terminal emulator.


12 comments

Petri Heiskanen December 20, 2012 - 4:51 am

With this I am able to access only from local host with http://localhost:XXXX.

When I write xxx.xxx.xxx.xxx/shell (From outside) to my address field it prompts for the password like it should but after that I get a timeout.

Any idea what’s wrong?

Also:

Did you forget “/shell” from ?

Anand December 20, 2012 - 3:07 pm

Petri, you know what, you are right. The “/shell” was being left out when the code was being parsed, I guess due to the preceding forward slash. I have now replaced the code with a picture of the code, which should take care of the problem.

Adding the /shell, should take care of the problem you are facing. Thanks for pointing out.

Petri Heiskanen December 20, 2012 - 4:08 pm

I’m afraid it didn’t. I just noticed it when apache wouldn’t start because of it.
Is there any additional information you would like to know?
It’d be nice to get this to work so I can use ssh from work. They have some restrictions and I’m often a bit bored. (I do my work well though)
I would really appreciate your help.

Anand December 20, 2012 - 5:32 pm

Petri, that is indeed the benefit of having ShellInaBox. Regarding your problem. The timeout tells me that you are reaching your proxy but not connecting to ShellInaBox. First make sure your proxy.conf file is mistake-free (any missing slashes can cause problems).

Are you trying HTTP or HTTPS? If you are trying HTTPS, then is your Apache server configured for SSL? If not I suggest that you remove the “Redirect” line at the end, reload your Apache server, and retry. Even otherwise, I suggest that you try to get ShellInaBox working through regular HTTP connection before moving to the more secure HTTPS.

Petri Heiskanen December 21, 2012 - 11:57 am

I don’t want to fiddle too much with the actual server cause I got this going:
http://www.torrent-invites.com/seedbox-tutorials/203543-dedicated-server-kimsufi-ovh-seed-box-setup-rutorrent-autodl-irssi-znc-ubuntu.html

Fortunately I have a few Raspberry Pi’s at my disposal so I went thru all the steps with it and the ssl part went fine. However, after I did part 4 I could no longer connect to SIAB.

Any thoughts?

Anand December 21, 2012 - 12:26 pm

Have you tried my suggestion above? Use just HTTP connection. You do this by leaving the following line out from your proxy.conf code:

Redirect permanent /shell https://domain.com/shell

Save, exit and reload Apache. My suspicion is that your SSL is not configured properly.

Anand December 21, 2012 - 12:42 pm

Also, if you are going to use SSL, is the HTTPS port (443) port forwarded on your router to your server? Just checking.

Petri Heiskanen December 21, 2012 - 1:29 pm

Well… Now I feel like a complete idiot… and people can even see my real name =_=

Everything works now. My initial thought was network settings, but I never asked.
I’m not at all familiar with proxies and I really need to read more about apache.
And I’m sure as hell going to keep following this site 😀
You might want to add the port forwards to this guide.

Thank you very much and Merry Xmas!!!

Anand December 21, 2012 - 7:09 pm

Glad it worked out. A port forwarding guide is coming soon. Enjoy the convenience of SIAB.

UPDATE (5/5/2013): Here is the guide on port forwarding: https://www.smarthomebeginner.com/setup-port-forwarding-on-router/

Rodney May 21, 2014 - 10:37 am

You should reorder this to set up the reverse proxy and test it before restricting SIAB to localhost only, to keep people from locking themselves out before setting up the proxy if using SIAB.

Mosskin June 23, 2016 - 6:41 pm

Why would someone want to restrict access to localhost? Isn’t the whole idea of this thing to be able to access your machine remotely? If you’re sitting at the machine you can just use the built in console…

Alejandro June 25, 2016 - 11:51 am

Hello, thanks for commenting. Your question is resolved in step 4 of the tutorial. Please note the purpose of it is basically to hide ShellInABox from possible outside attackers. Hope it helps.
