Re: linux security/network issue....

On Saturday 18 January 2003 12:09 pm, Bruce Douglas wrote:
> steven...
>
> thanks for the input.... sorry.. the ip address wasn't my real
> address!!! however, the following is the output of the commands
> that you suggested... everything looks ok.. but i'm new to Linux...
>
> do i have to shut Linux down before these changes go into
> effect....??

No.

> after stopping the iptables.. i tried to hit my external server..
> no change... any other suggestions!!! i've been playing with this
> for 2-3 days now!!! and frankly.. i'm not sure why this is an
> issue.. and windows isn't!!!
>
> -bruce
> bedouglas@earthlink.net
>
>
> [root@lserver2 root]# ps -ef | grep httpd
> root      9694     1  0 Jan16 ?        00:00:24 Xvnc :1 -desktop X -httpd /usr/s
> root      9847     1  0 Jan16 ?        00:01:57 Xvnc :2 -desktop X -httpd /usr/s
> root     11040     1  0 20:57 ?        00:00:01 /usr/sbin/httpd
> apache   11043 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11044 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11045 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11046 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11047 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11048 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11049 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> apache   11050 11040  0 20:57 ?        00:00:00 /usr/sbin/httpd
> root     11054     1  0 21:11 ?        00:00:00 redhat-config-httpd
> root     11142  9858  0 23:03 pts/2    00:00:00 grep httpd
> [root@lserver2 root]# netstat -natp | grep httpd
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      11040/httpd
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      11040/httpd

Apache is up and listening -- good.

> [root@lserver2 root]# tcdump -i eth0 port 80
> -bash: tcdump: command not found
> [root@lserver2 root]# tcpdump -i eth0 port 80
> tcpdump: listening on eth0
> 23:05:03.536575
> 1 packets received by filter
> 0 packets dropped by kernel

It looks like traffic is not getting thru to your machine.  From the 
linux box:

# tcpdump -i eth0 port 80

From outside:

$ telnet your.external.ip.address 80

Or try to hit the web server

You should see something like:

tcpdump: listening on eth0

12:45:03.441614 65.223.121.236.4407 > 216.117.196.95.http: S 331300152:331300152(0) win 5840 <mss 1460,sackOK,timestamp 15216207 0,nop,wscale 0> (DF) [tos 0x10]
12:45:03.441672 216.117.196.95.http > 65.223.121.236.4407: S 382262549:382262549(0) ack 331300153 win 5792 <mss 1460,sackOK,timestamp 1858002176 15216207,nop,wscale 0> (DF)
12:45:03.478247 65.223.121.236.4407 > 216.117.196.95.http: . ack 1 win 5840 <nop,nop,timestamp 15216211 1858002176> (DF) [tos 0x10]

If you do not see at least the above handshake, then the packets are 
not getting thru and the problem is probably on the router.  If you 
have stopped the local firewall and can reach the Linux box from the 
inside but not the outside it is almost certainly a routing problem.



> [root@lserver2 root]#
> [root@lserver2 root]#
> [root@lserver2 root]#
> [root@lserver2 root]# service iptables stop
> Flushing all chains:                                       [  OK  ]
> Removing user defined chains:                              [  OK  ]
> Resetting built-in chains to the default ACCEPT policy:    [  OK  ]
> [root@lserver2 root]# service iptables stop
> Flushing all chains:                                       [  OK  ]
> Removing user defined chains:                              [  OK  ]
> Resetting built-in chains to the default ACCEPT policy:    [  OK  ]
> [root@lserver2 root]#
> [root@lserver2 root]#
>
> -----Original Message-----
> From: psyche-list-admin@redhat.com
> [mailto:psyche-list-admin@redhat.com]On Behalf Of Stephen Carville
> Sent: Saturday, January 18, 2003 11:51 AM
> To: psyche-list@redhat.com
> Subject: Re: linux security/network issue....
>
>
> Are those really your addresses?  Dig reports the SOA as:
>
> 222.12.in-addr.arpa.    10800   IN      SOA     ns4.asp.att.net. hostmaster.ns.asp.att.net. 2001101603 10800 3600 604800 604800
>
> 222.198.in-addr.arpa.   3497    IN      SOA     afnoc.af.mil. dnsman.afnoc.af.mil. 2002062501 10800 1800 604800 3540
>
> (# == as root or with sudo, $ == doesn't matter)
>
> Check that httpd is running.
>
> $ ps -ef | grep httpd
>
> root     26838     1  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26841 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26842 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26843 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26844 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26845 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26846 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26847 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> apache   26848 26838  0 09:22 ?        00:00:00 /usr/sbin/httpd
> stephen  27289 27234  0 11:40 pts/0    00:00:00 grep httpd
>
> Then make sure Linux is listening on the correct port and interface
>
> # netstat -natp | grep httpd
>
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      26838/httpd
>
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      26838/httpd
>
>
> If both of the above are true, use tcpdump to determine if
> the traffic is really getting to the linux box
>
> # tcpdump -i eth0 port 80
>
> If httpd is up and running on the correct port and the traffic is
> getting thru, the problem is probably the RH firewalling.  Try
> turning it off:
>
> # service iptables stop
>
> On Saturday 18 January 2003 10:57 am, Bruce Douglas wrote:
> > hi...
> >
> > I have an issue that I believe points to Linux network security.
> > I'm trying to set my network up to allow external users view my
> > internal Apache server. My network setup is as follows:
> >
> >
> >
> > The Setup:
> >
> >         +----------------+
> >         | External World |
> >         +----------------+
> >                  ^
> >                  |(12.222.33.11)
> >                  v
> >         +-----------------+
> >         | Firewall/Router | (198.222.33.1)
> >         |    (Linksys)    |<--------------+
> >         +-----------------+               |
> >                                           | (Internal Network)
> >                                           v
> >                 +------------------------------------------+
> >                 v                                          v
> >            +--------------+                       +---------------+
> >            |  Linux Box   | (192.222.33.4)        | Windows 2K Box| (192.222.33.5)
> >            |   (Apache)   |                       |    (Apache)   |
> >            |              |                       |    (PuTTY)    |
> >            +--------------+                       +---------------+
> >
> >
> > If I configure my router to do port forwarding with Port 80
> > pointing to the Windows Box with Apache, external users can view
> > the server. If I change the router/port forwarding to point to
> > the Linux Box/Apache server, the user is unable to access the
> > Apache server. A quick review of the Apache log files does not
> > reveal a hit to the server. This seems to indicate that the
> > request from the external user didn't "get" to the Apache server.
> >
> > I'm beginning to believe that the real issue has to do with how
> > the Linux box is configured to accept/handle network
> > communications. I'm able to look at the linux Apache server from
> > other boxes within my network, provided I use the internal
> > (192.XX) address. So the Apache server is working properly.
> >
> > So my question: How do I expand the IP addresses that are able to
> > access the Linux Box? Or, might there perhaps be another problem?
> > I'm relatively new to the world of Linux. I have RH 8.0 with the
> > Gnome GUI. Pointers/assistance to whatever functions/commands
> > would be appreciated!!
> >
> >
> > Thanks
> >
> > Bruce Douglas
> > bedouglas@earthlink.net
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: psyche-list-admin@redhat.com
> > [mailto:psyche-list-admin@redhat.com]On Behalf Of
> > mlist.redhat.psyche@urs.us
> > Sent: Saturday, January 18, 2003 10:02 AM
> > To: psyche-list@redhat.com
> > Subject: Re: Mozilla 1.2.1 fails to start
> >
> >
> > ==> "wh" == Wade Hampton <wade.hampton@nsc1.net> writes:
> >
> >     wh> Folks, I have a strange problem.  I updated RH8 to the
> >     wh> latest packages and to Mozilla 1.2.1 xft
> >     wh> (mozilla-1.2.1-0_rh8_xft).  All seemed OK until this morning.
> >     wh> When I went to start mozilla, it would not start initially
> >
> > I've also had mozilla-won't-start problems.  I wasn't sure of
> > the initial cause, but I traced it to a corrupted 'XUL.mfasl'
> > file in the profile directory.  If I deleted this file, mozilla
> > started again.
> >
> > Carl

-- 
Stephen Carville http://www.heronforge.net/~stephen/gnupgkey.txt
Blessed are those who, in the face of death, think only of the front 
sight.
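The tcpdump check Stephen describes (in his reply above and in his earlier message quoted within it) comes down to reading the capture for the three-way handshake and deciding where the packets stopped. As an added example that is not from the thread, here is a small Python classifier that reads old-style (tcpdump 3.x) lines and maps what it sees onto that diagnosis; the sample captures are constructed (HANDSHAKE is the exchange quoted in the reply), and it does not handle an ICMP REJECT reply, only DROP, RST and a completed handshake.

```python
import re

# One tcpdump 3.x TCP line: "HH:MM:SS.usec src.port > dst.port: FLAGS rest"
_TCP = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[\w.-]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
_ACK = re.compile(r"\back \d+")  # matches "ack 1", not the "sackOK" option

VERDICT = {  # what each outcome means, following the reply's reasoning
    "no-traffic": "nothing reached eth0: check the router's port forward",
    "syn-only": "SYNs arrive but the box never answers: local firewall is dropping them",
    "refused": "the box answers with RST: nothing is listening on that port",
    "handshake": "handshake completed: the request reached Apache, check its logs",
}

def classify_capture(lines, service="http"):
    """Return 'no-traffic', 'syn-only', 'refused' or 'handshake' for a capture."""
    syn = synack = ack = rst = False
    for line in lines:
        m = _TCP.match(line.strip())
        if not m:                          # banner/summary lines, ICMP, etc.
            continue
        flags, rest = m["flags"], m["rest"]
        inbound = m["dport"] == service    # client -> web server
        outbound = m["sport"] == service   # web server -> client
        has_ack = _ACK.search(rest) is not None
        if inbound and "S" in flags and not has_ack:
            syn = True                     # client's SYN reached the interface
        elif outbound and "S" in flags and has_ack:
            synack = True                  # kernel answered: not firewalled
        elif outbound and "R" in flags:
            rst = True                     # reset: port reachable, nothing bound
        elif inbound and flags == "." and has_ack:
            ack = True                     # third step: connection established
    if not syn:
        return "no-traffic"
    if rst:
        return "refused"
    return "handshake" if synack and ack else "syn-only"

# Constructed sample captures; HANDSHAKE is the exchange quoted in the reply.
HANDSHAKE = """tcpdump: listening on eth0
12:45:03.441614 65.223.121.236.4407 > 216.117.196.95.http: S 331300152:331300152(0) win 5840 <mss 1460,sackOK,timestamp 15216207 0,nop,wscale 0> (DF) [tos 0x10]
12:45:03.441672 216.117.196.95.http > 65.223.121.236.4407: S 382262549:382262549(0) ack 331300153 win 5792 <mss 1460,sackOK,timestamp 1858002176 15216207,nop,wscale 0> (DF)
12:45:03.478247 65.223.121.236.4407 > 216.117.196.95.http: . ack 1 win 5840 <nop,nop,timestamp 15216211 1858002176> (DF) [tos 0x10]""".splitlines()
SYN_ONLY = ["tcpdump: listening on eth0",
            "12:50:01.100000 65.223.121.236.4410 > 216.117.196.95.http: S 1:1(0) win 5840 <mss 1460> (DF)"]
NOTHING = ["tcpdump: listening on eth0", "1 packets received by filter", "0 packets dropped by kernel"]
```

Run it against a saved capture with `classify_capture(open("capture.txt"))` and look the result up in VERDICT.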



-- 
Psyche-list mailing list
Psyche-list@redhat.com
https://listman.redhat.com/mailman/listinfo/psyche-list
