Subject: Re: [suse-security] Web server security holes ?
From: Francisco M. Marzoa Alonso (fmmarzoaidecnet.com)
Date: Wed Apr 05 2000 - 03:15:14 CDT


Oliver Grube wrote:

> Hello Marc,
>
> >PS: I do NOT need the machine being accessible by
> external machines in HTTP
> If you don't need your HTTP... just switch it off by
> editing /etc/rc.config "start_httpd=no"
> or stop it by typing /sbin/init.d/apache stop

Sorry, I've read too fast.

I think that Marc means that he *NEEDS* the HTTP server running for
*INTERNAL* machines only. So stopping apache is not a solution.

You can use a firewall, directly using ipchains for example, or (I
didn't try this and I'm not sure if it's feasible) wrap apache with
the inetd daemon and edit /etc/hosts.allow and/or /etc/hosts.deny to tell
your systems the IP addresses that are allowed to access that service.

I've written a tiny perl script that does, among other things, exactly this. It
starts masquerading services and some firewalling rules. I've attached
it to this message because it's very small; excuse me if I disturb
anybody.

It is normally called by the ip-up (start) and ip-down (stop) scripts from
pppd.

Have a good one.

>
>
> Greetinx,
>
> Oliver Grube
>
> ---------------------------------------------
> --IT-Secure - Mit Sicherheit gute Lösungen.--
> ---------------------------------------------
> Security Support * oliver.grubeit-secure.de
> +49 2161 6897-180 * http://www.it-secure.de
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribesuse.com
> For additional commands, e-mail: suse-security-helpsuse.com

--
Francisco M. Marzoa Alonso
Nuevo Mundo - Dpto. Informático         ICQ#:         62850923
Henri Dunant, 19 - 28036 Madrid         tfno: +34 91 343 18 40 ext. 207
España / Spain                          fax:  +34 91 350 28 45

#!/usr/bin/perl
# Author: Francisco M. Marzoa Alonso
# Last update: Mon Jan 17 17:49:04 CET 2000
#
# This script starts internet masquerading and firewalling services.
#

use strict;

sub showUsage {
    my $pName = $0;   # This should be changed by a true detection of program invocation name

    print STDERR "This script starts/stops internet masquerading services.\n\n";
    print STDERR "Usage:\n";
    print STDERR "$pName start|stop|restart networkdevice localaddress\n\n";
}

sub startMasquerading {
    my $nDevice = shift @_;
    my $localIP = shift @_;   # DONE! : This should be changed in the future by a symbolic value which returns this host IP.

    system ("logger -t '/etc/ppp/inet.masq' 'Starting masquerading nd=$nDevice'");

    # Masquerading
    system ("/sbin/ipchains -P forward DENY");
    system ("/sbin/ipchains -A forward -i $nDevice -j MASQ");
    system ("echo 1 > /proc/sys/net/ipv4/ip_forward");

    # Block external connections to telnet
    system ("/sbin/ipchains -I input -s! 192.168.66.0/24 -d $localIP/32 telnet -p tcp -j DENY");
    # Block external connections to the web server
    system ("/sbin/ipchains -I input -s! 192.168.66.0/16 -d $localIP/32 www -p tcp -j DENY");
    # Block external connections to sendmail
    system ("/sbin/ipchains -I input -s! 192.168.66.0/16 -d $localIP/32 smtp -p tcp -j DENY");
    # Block connections to lpd
    system ("/sbin/ipchains -I input -s! 192.168.66.0/16 -d $localIP/32 printer -p tcp -j DENY");
    # Block connections to the pop server
    system ("/sbin/ipchains -I input -s! 192.168.66.0/16 -d $localIP/32 pop3 -p tcp -j DENY");
    # Block connections to the fax server
    # system ("/sbin/ipchains -I input -s! 192.168.66.0/16 -d $localIP/32 hylafax -p tcp -j DENY");
}

sub stopMasquerading {
    my $nDevice = shift @_;

    # Remove the blocks
    system ("/sbin/ipchains -F input");
    # Remove the masquerading
    system ("/sbin/ipchains -D forward -i $nDevice -j MASQ");
    system ("/sbin/ipchains -P forward ACCEPT");
}

my ($action, $networkDevice, $localAddress);

$action        = $ARGV[0];
$networkDevice = $ARGV[1];
$localAddress  = $ARGV[2];

system ("logger -t '/etc/ppp/inet.masq' 'a = $action, nd = $networkDevice , la = $localAddress'");
if ( (!$action) || (!$networkDevice) || (!$localAddress) ) {
    showUsage ();
} else {
    if ($action eq 'start') {
        startMasquerading ($networkDevice, $localAddress);
    } elsif ($action eq 'stop') {
        stopMasquerading ($networkDevice);
    } elsif ($action eq 'restart') {
        stopMasquerading ($networkDevice);
        # restart must pass the local address too, otherwise the input rules get an empty destination
        startMasquerading ($networkDevice, $localAddress);
    } else {
        showUsage ();
    }
}
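A small rule simulator, added here as an editor's example (not part of the thread or of the attached script), that replays ipchains input rules written in the script's syntax and reports the verdict for sample connections, so the "internal only" intent can be checked before the rules go live. The local address 192.168.66.1, the three-rule list and the service table are constructed; the checks also make visible that the telnet rule uses a /24 while the web and mail rules use a /16.

```python
import ipaddress
from collections import namedtuple

# Constructed subset of /etc/services for the names the rules use.
SERVICES = {"telnet": 23, "smtp": 25, "www": 80, "pop3": 110, "printer": 515}

Rule = namedtuple("Rule", "src src_negated dst dport target")

def parse_rule(cmd):
    """Parse one 'ipchains -I input -s! NET -d IP/32 PORT -p tcp -j TARGET' command."""
    toks = cmd.split()
    src = dst = port = target = None
    neg = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-s", "-s!"):
            # ipchains accepts both '-s ! NET' and '-s! NET' as a negated source
            neg = tok == "-s!" or toks[i + 1] == "!"
            i += 2 if toks[i + 1] == "!" else 1
            src = ipaddress.ip_network(toks[i], strict=False)
        elif tok == "-d":
            i += 1
            dst = ipaddress.ip_network(toks[i], strict=False)
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 1                      # optional destination port after the address
                port = SERVICES.get(toks[i]) or int(toks[i])
        elif tok == "-j":
            i += 1
            target = toks[i]
        i += 1
    return Rule(src, neg, dst, port, target)

def build_chain(cmds):
    """Replay the commands: -I prepends (last inserted is checked first), -A appends."""
    chain = []
    for c in cmds:
        chain.insert(0, parse_rule(c)) if " -I " in c else chain.append(parse_rule(c))
    return chain

def verdict(chain, src_ip, dst_ip, dport, policy="ACCEPT"):
    """First matching rule decides; with no match the chain's default policy applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in chain:
        if ((s in r.src) != r.src_negated) and d in r.dst and r.dport in (None, dport):
            return r.target
    return policy

LOCAL = "192.168.66.1"   # constructed local address, as the script's $localIP
CMDS = [f"/sbin/ipchains -I input -s! 192.168.66.0/24 -d {LOCAL}/32 telnet -p tcp -j DENY",
        f"/sbin/ipchains -I input -s! 192.168.66.0/16 -d {LOCAL}/32 www -p tcp -j DENY",
        f"/sbin/ipchains -I input -s! 192.168.66.0/16 -d {LOCAL}/32 smtp -p tcp -j DENY"]
CHAIN = build_chain(CMDS)

def check(src_ip, dport):
    return verdict(CHAIN, src_ip, LOCAL, dport)
```

Running check() for 203.0.113.5 shows port 80 denied but port 443 accepted (no rule covers it, so the input policy applies), and 192.168.1.10 shows web allowed but telnet denied because of the /16 versus /24 difference.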
