
How to limit access

lkbrow1
Posts: 28
Joined: 30 Jan 2007, 21:22

Post by lkbrow1 »

I am trying to limit the outside access to my Bubba. It is behind a firewall that only forwards Port 80 to it. But the firewall will not limit who it forwards. So I added in /etc/hosts.deny to deny all and added in /etc/hosts.allow my main host and my company which is external to the firewall. This does seem to restrict ssh inside the firewall to only my main host but the http port does not seem to be restricted. Any suggestions? I see where this distribution does not have xinetd but only inetd.
tor
Posts: 703
Joined: 06 Dec 2006, 12:24

Post by tor »

Hi lkbrow1,

Regarding external web access to Bubba: one security note is that if you want to make sure that no one intercepts your traffic, you should open up port 443 in your gateway and then use https when accessing Bubba. Traffic will then be encrypted, which makes it tougher for others to eavesdrop on you.

If you then would like to limit from where the webpages are visible, the "easiest" way should be to alter the apache config.

As an example, to limit access to the web-admin you have to edit the file /etc/apache2/conf.d/web-admin

Today it looks like this:

Code:

Alias /web-admin "/usr/share/web-admin/"
<Directory "/usr/share/web-admin/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Allow from all
        AddType application/x-httpd-cgi .cgi
        Options ExecCGI
</Directory>

The trick here is to alter the lines with Allow and Deny. Change it to start with a Deny from all and then tell who can access it with one or more Allow from XX.

So as an example, to only allow access from the local network it could look something like this:

Code:

Alias /web-admin "/usr/share/web-admin/"
<Directory "/usr/share/web-admin/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0
        AddType application/x-httpd-cgi .cgi
        Options ExecCGI
</Directory>

And for this to have effect you have to tell apache to reread its configuration by issuing a:

Code:

/etc/init.d/apache2 reload

More information on how to write these Allow and Deny can be found here http://httpd.apache.org/docs/2.0/mod/mo ... html#allow

Finally, this configuration is most likely overwritten by upgrades. So after an upgrade please check to see that the alterations you have made are still there.

/Tor
Co-founder OpenProducts and Ex Excito Developer
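
Added example (not part of tor's post and not Excito's code): a Python evaluator for the Apache 2.0 Order/Allow/Deny rules in the two config blocks above, so an edited rule set can be checked against client addresses before reloading. The function names and sample addresses are constructed for this example, and hostname arguments to Allow/Deny are not resolved.

```python
import ipaddress

# Access-control lines from the two blocks in the post (other directives omitted).
ORIGINAL = "Order deny,allow\nAllow from all\n"
RESTRICTED = ("Order deny,allow\nDeny from all\n"
              "Allow from 127.0.0.1\nAllow from 192.168.0\n")

def host_matches(spec, client_ip):
    """Match one 'Allow from' / 'Deny from' argument against a client IP.
    Supports 'all', full IPs, partial IPs (leading octets), CIDR and netmask."""
    if spec.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)  # raises ValueError on malformed input
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    # Compare whole octets, so a partial IP '10.1' does not match 10.11.0.5.
    return str(ip).split(".")[:len(octets)] == octets

def parse_rules(config_text):
    """Collect the Order value and the Allow/Deny arguments from config text."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the default order
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(config_text, client_ip):
    """Apply the Order semantics to decide whether client_ip gets access."""
    order, allow, deny = parse_rules(config_text)
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "deny,allow":   # default allow; an Allow match overrides a Deny
        return allowed or not denied
    if order == "allow,deny":   # default deny; a Deny match overrides an Allow
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    # Constructed sample clients: LAN host, loopback, other subnet, external.
    for ip in ("192.168.0.17", "127.0.0.1", "192.168.1.5", "203.0.113.9"):
        print(ip, is_allowed(ORIGINAL, ip), is_allowed(RESTRICTED, ip))
```

With the same Allow and Deny lines but `Order allow,deny`, every client is refused, because the `Deny from all` match then takes precedence.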