LookingGlass IP Leakage
This is a notice to all providers that you need to secure the "LookingGlass" directory of your looking glass if you're using @telephone's LookingGlass application. In the default install the rate limit database, which contains the IPs of ALL users who have ever run a network command from your looking glass, is unprotected. Granted, this isn't really a "security" issue as you can't compromise the server with this information; however, I'm sure that your users would be pretty unhappy should someone download this information.
If you're using Apache on CentOS for your looking glass, I've added some information on how to secure the entire LookingGlass directory in my LookingGlass installation tutorial (entire tutorial created today). Note that the LookingGlass directory only contains libraries and the ratelimit database; nothing in that directory is normally directly accessed by a user.
NOTE: If you don't have network command rate limiting enabled then this does not affect you, however every provider that I bothered to check has it enabled.
Thanks.
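For the Apache case the post points to, here is an added example of the directory block that denies web access to the LookingGlass subdirectory. It is not taken from the original post or from the linked tutorial; the document root /var/www/html/lg and the Apache 2.4 (CentOS 7) syntax are assumptions, so adjust the path to your own install.

```apache
# Added example, not from the original post or the LookingGlass project.
# Assumed layout: the looking glass is served from /var/www/html/lg and the
# libraries + rate limit database live in /var/www/html/lg/LookingGlass.
# Place this in the vhost (e.g. /etc/httpd/conf.d/lg.conf) and reload httpd.
<Directory "/var/www/html/lg/LookingGlass">
    # httpd 2.4 syntax: refuse every request for anything under this directory.
    Require all denied

    # httpd 2.2 (CentOS 6) equivalent, if you are still on that version:
    # Order deny,allow
    # Deny from all
</Directory>

# Defence in depth: even if the directory block is ever removed, never serve
# SQLite files from anywhere in the docroot. The extension list is an
# assumption; match it to the filename your install actually uses.
<FilesMatch "\.(db|sqlite|sqlite3)$">
    Require all denied
</FilesMatch>
```

The same two directives can go in a .htaccess file inside the LookingGlass directory instead, provided the enclosing Directory has AllowOverride set to permit it. Either way, verify from outside the box: a request for anything under /LookingGlass/ should now return 403, and the looking glass front page should still load as before.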
Comments
Thanks. Checking mine now.
Updated:
Yes, confirmed.
I can confirm this confirmation.
Why is it even writing the IPs to a DB ...
Thanks for the heads up. Ours has rate limiting disabled, so it should be OK
I believe he made a list of IPs running commands for rate limiting purposes but I guess he never empties the database?
For nginx just stick before the last } in default.conf:
location /LookingGlass { deny all; }
Guess I gave people too much credit... Figured securing your "/LookingGlass" folder would be rudimentary as it contains your config file and the rate limit DB. My bad.
@ATHK - It uses SQLite for data persistence. If the IP was stored in cache, then a low level attack or DDOS could reset/fill the cache leaving the rate limiting crippled/useless.
In regards to the data that can be obtained, it's simply IP address, time of last command, and number of commands.
Nothing personal, and honestly just a big list of IPs
To secure your install just use an .htaccess for Apache or a location block in Nginx with a deny all.
Unfortunately it doesn't look like everyone is that observant.
Why would you store data in the docroot to begin with? This rate limit db (and your config file, really) should be outside of the docroot.
I don't see any sensitive data in the config file, don't think it's a problem where it is stored.
That is good practice, yes, however in this case even if someone got your config file there's nothing that can really be done with it. The only "sensitive" data would be IPs of current, past, or future customers. However, since customers are normally sensitive about literally everything when it comes to their information, then this looks "bad" on the provider for allowing this information to be downloaded, hence this post.