# How to access website through LAN and security issues?

## pmam

I have just installed a web server with nginx/mysql/php/wordpress.

I want to see how it looks from another machine.

Please tell me how to access the website from a LAN- or WLAN-connected machine,

in order to view it, or to work on the site with wordpress?

How do I access it from an Android smartphone?

----------

## khayyam

 *pmam wrote:*   

> I have just installed web server with nginx/mysql/php/wordpress. I want to view how is it looked from other machine. Please inform how to access website from LAN or WLAN connected machine, in order to view or to work on the site by wordpress? How to access from android smartphone?

 

pmam ... you can access via the 'ip address', or by configuring /etc/hosts, or DNS, to resolve that address into a hostname.

So, for example, use 'http://192.168.x.x/index.html' (or similar).  Or, the connecting machine might have an /etc/hosts that contains the following:

```
192.168.x.x fluffy.lan fluffy
```

... you would then connect to 'fluffy' via 'http://fluffy/index.html' or 'http://fluffy.lan/index.html'.

The DNS method would mean either configuring your router to 'resolve' such local addresses (assuming it offers such a thing), or setting up a DNS server to do so. You're probably better off using 'hosts' and setting your router's DHCP to hand out the same address to the machine hosting the webserver.

HTH & best ... khay

----------

## pmam

khayyam,

You have introduced 3 ways to access it and I still need some advice...

First, at the moment I do not have a name for the web site - I will do it later on with no-ip -

and from the local machine I access my site like that: http://localhost/wordpress/

So now I need to figure out each parameter in your example, and what it is in my case:

The local machine (where the site is installed) is called mg_e2180 and has the static IP 192.168.1.6.

If we are talking about the first way - please tell me what the address should be? I have tried some options without success...

Regarding the second way (hosts) - please tell me if 'connecting machine' means the local website machine,

or the machine that wants to access the website? Also what exactly (according to my details) needs to be added to /etc/hosts,

and which init.d service to restart? (I use dhcpcd as network manager)

Let's leave the DNS way for now... But please tell me if I need to do something regarding the router settings:

'You're probably better off using 'hosts' and setting your router's DHCP to hand out the same address to the machine hosting the webserver.'

Thanks

----------

## charles17

 *pmam wrote:*   

> So now I need to figure out each parameter in your example, and what it is in my case:
> 
> The local machine (where the site is installed) is called mg_e2180 and has the static IP 192.168.1.6.

 

pmam, are these name and IP address identical to those shown by your router's web interface?

Then other clients should contact it using either of http://mg_e2180/wordpress and http://192.168.1.6/wordpress.

----------

## pmam

charles17,

 *Quote:*   

> shown by your router's web interface?

 

Please tell me how I can see this info?

I cannot access with http://mg_e2180/wordpress or http://192.168.1.6/wordpress

According to your comment it looks like they are not identical...

During this process I hope to better understand the routing method...

Thanks

----------

## charles17

 *pmam wrote:*   

> Please tell how can I show this info?

 Depends on your router. Mine simply is http://fritz.box.

 *pmam wrote:*   

> Can not access with http://mg_e2180/wordpress and http://192.168.1.6/wordpress 

 Can you ping http://mg_e2180/ or http://192.168.1.6/?

----------

## khayyam

 *pmam wrote:*   

> [...] from the local machine I access my site like that: http://localhost/wordpress/ So now I need to figure out each parameter in your example, and what it is in my case: The local machine (where the site is installed) is called mg_e2180 and has the static IP 192.168.1.6. If we are talking about the first way - please tell me what the address should be?

 

pmam ... that would be 'http://192.168.1.6/wordpress' ... though your webserver may be configured for hostname mg_e2180 (you haven't said).

 *pmam wrote:*   

> Regarding the second way (hosts) - Please inform if 'connecting machine' means local website machine, or the machine that want to access to website? Also what exactly (according my details) need to add to /etc/hosts, and what init.d to restart? (I use dhcpcd network manager)

 

"connecting machine" means the machine, or device, doing the connecting ... so, the "machine accessing". You would add the following: 

```
192.168.1.6 mg_e2180 mg_e2180.lan
```

You would then access the webserver using 'http://mg_e2180/wordpress' ... this actually assumes your webserver is setup with 'mg_e2180' as 'hostname'.

 *pmam wrote:*   

> Let's leave for now the DNS way... But please inform if I need to do something regarding setting router: 'Your probably better off using 'hosts' and setting your routers dhcp to hand out the same address to the machine hosting the webserver.'

 

You've stated that the webserver has a "static IP: 192.168.1.6", but if the router is handing out DHCP then you should make sure the router isn't handing out that address to another machine; generally the router should offer the capacity to associate the MAC address of an interface so that it always receives the same IP, and so that nothing else acquires that address. Maybe you're not using DHCP, so that may not apply.

best ... khay

----------

## pmam

charles17,

 *Quote:*   

> Depends on your router. Mine simply is http://fritz.box. 

 

If you mean getting into the router - I do it by IP (not name):

http://192.168.1.1 and can see only the IPs of the machines connected to the LAN/WLAN - without host names.

Yes - I can ping both ways:  

```
mg_6300 ~ # ping -c3 192.168.1.6
PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
64 bytes from 192.168.1.6: icmp_seq=1 ttl=64 time=0.160 ms
64 bytes from 192.168.1.6: icmp_seq=2 ttl=64 time=0.153 ms
64 bytes from 192.168.1.6: icmp_seq=3 ttl=64 time=0.146 ms

--- 192.168.1.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.146/0.153/0.160/0.005 ms

mg_6300 ~ # ping -c3 mg_e2180
PING mg_e2180.lan (192.168.1.6) 56(84) bytes of data.
64 bytes from mg_e2180.lan (192.168.1.6): icmp_seq=1 ttl=64 time=0.166 ms
64 bytes from mg_e2180.lan (192.168.1.6): icmp_seq=2 ttl=64 time=0.161 ms
64 bytes from mg_e2180.lan (192.168.1.6): icmp_seq=3 ttl=64 time=0.162 ms

--- mg_e2180.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.161/0.163/0.166/0.002 ms
```

Thanks

----------

## pmam

khay,

Here is what I have in /etc/hosts on the web site machine:

```
127.0.0.1 mg_e2180.lan mg_e2180 localhost
::1 mg_e2180.lan mg_e2180 localhost
```

Here is what I have now on the other machine (connecting machine):

```
127.0.0.1 mg_6300.lan mg_6300 localhost
::1 mg_6300.lan mg_6300 localhost
192.168.1.6 mg_e2180 mg_e2180.lan
```

Thanks

----------

## pmam

khay,

 *Quote:*   

> 
> 
> You've stated that the webserver has a "static IP: 192.168.1.6", but if the router is handing out dhcp then you should make sure the router isn't handing out that address to another machine, generally the router should offer the capacity to associate the MAC address of an interface so that it always recieves the same ip, and so that nothing else aquires that address. Maybe you're not using dhcp, so that may not apply. 

 

Though I do not think this issue is causing any problem at the moment - the router is handing out lower addresses: 192.168.1.2... and the static IPs are a little bit higher. However, it may cause future problems. It is a quite new router and I am not so familiar with it,

but I have checked and till now have not found MAC addressing (I saw it in the previous router), but found two IP Address Distribution modes:

DHCP server (current mode) and DHCP relay - can it be useful?

If I stay with DHCP server, maybe I can do something with Start IP Address and End IP Address,

or change all static IPs to the last part of the IP range - close to 192.168.1.234.

EDIT: I found another feature: 'Static Lease Type' - hope it allocates a static IP... I also see associated MAC addresses

I also added host names in the router.

----------

## pmam

Maybe there is some NAT rule in the router,

or some 'over-security' configuration of nginx or wordpress,

that blocks LAN access??

Also - how do I access the local web site from an Android smartphone through WLAN?

----------

## khayyam

pmam ...

please explain the problem ... if you access the webserver via the machine it's running on, and via 'http://mg_e2180.lan/wordpress' what happens? Similarly with 'http://www.mg_e2180.lan/wordpress' or whatever you've configured nginx to think is its FQDN.

best ... khay

----------

## Syl20

Back to the basics. On your webserver,

```
# netstat -anlp | grep 80
```

should show at least one line like :

```
tcp     0   0   0.0.0.0:80        0.0.0.0:*     LISTEN     <pid>/nginx
```

or

```
tcp     0   0   192.168.1.6:80    0.0.0.0:*     LISTEN     <pid>/nginx
```

If not, nginx does not listen on the LAN interface. No need to look elsewhere for now, you have to modify your nginx' conf.

Then, the LAN tests. If you use a computer on the same LAN (i.e. with an IP address on the same network. Here 192.168.1.0/24, I guess) as a client, it doesn't, and it mustn't, go through your router to join your webserver (even if the boxes are physically linked to the router. On this configuration, the router should act as an ethernet switch).

There are some tools that can help you to know how the client-server interaction works (or not). Like tcpdump and telnet. On the webserver, install tcpdump and run (eventually replace "eth0" by the name of your LAN interface) :

```
# tcpdump -ni eth0 tcp port 80
```

At the same time, on the client, install telnet (net-misc/netkit-telnetd), and run :

```
$ telnet 192.168.1.6 80
```

If nothing happens on the webserver's terminal, there are some points to check :

1/ Ethernet cables. Try to change them.

2/ The switch. If you have a crossover cable (maybe you don't need one, as most of the ethernet cards are able to "auto-cross" themselves when needed, but it's better to remove any doubt when testing the connection), try to link the two computers directly. 

3/ System security. Do you use a firewall (netfilter/iptables) or hardening parts (grsecurity or selinux) ?

Once the LAN tests are OK, you can have a look at routing and NAT considerations, and at the application layer.

A little advice by the way : _do not_ use DHCP facilities on a server. Never. For your quietness, configure a static IP address on it (eventually reduce the DHCP range on your router to avoid IP conflicts).

----------
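
Syl20's `netstat -anlp | grep 80` check, turned into a script so the answer is a yes/no rather than a pattern to eyeball. This is an added example and not code from any post in the thread: it parses the LISTEN lines of `netstat`-style output and reports whether a given port is bound where a client on the LAN can reach it. The sample text is constructed; it reuses the 127.0.0.1:80 nginx line pmam posts further down and adds made-up sshd and mysqld lines. Names such as `SAMPLE_NETSTAT`, `listeners` and `reachable_from_lan` are this example's own.

```python
"""Classify what each listening TCP socket is bound to, from netstat text.

Added example for this thread, not from the original posts.  SAMPLE_NETSTAT
is constructed in the shape of `netstat -anlpt` output: the 127.0.0.1:80
nginx line is the one posted in the thread, the other lines are made up.
"""
import ipaddress
import re

SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2760/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd
tcp        0      0 192.168.1.6:3306        0.0.0.0:*               LISTEN      1500/mysqld
udp        0      0 0.0.0.0:38008           0.0.0.0:*                           -
"""

# proto  recv-q  send-q  local-address  foreign-address  LISTEN  pid/program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>.*)$"
)


def split_addr_port(local):
    """'127.0.0.1:80' -> ('127.0.0.1', 80); ':::22' -> ('::', 22)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def bind_scope(addr):
    """Where a socket bound to `addr` can be reached from."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> every interface the box has
        return "wildcard"
    if ip.is_loopback:             # 127.x / ::1 -> this machine only
        return "loopback"
    return "address"               # exactly one interface address


def listeners(text):
    """Parse LISTEN lines into dicts; UDP and non-listening lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = split_addr_port(m.group("local"))
        found.append({
            "proto": m.group("proto"),
            "addr": addr,
            "port": port,
            "scope": bind_scope(addr),
            "prog": m.group("prog").strip(),
        })
    return found


def reachable_from_lan(text, port, lan_ip):
    """True if some listener on `port` is bound where a LAN client can reach it.

    A '::' wildcard is counted as covering IPv4 too, which is the Linux default
    unless the socket set IPV6_V6ONLY (an assumption; this code does not check it).
    """
    for sock in listeners(text):
        if sock["port"] != port:
            continue
        if sock["scope"] == "wildcard" or sock["addr"] == lan_ip:
            return True
    return False


if __name__ == "__main__":
    import sys
    # `netstat -anlpt | python3 listen_scope.py` on the server; sample otherwise
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for sock in listeners(text):
        print(f'{sock["proto"]:5} {sock["addr"]:>15}:{sock["port"]:<5} {sock["scope"]:9} {sock["prog"]}')
    print("port 80 reachable from LAN:", reachable_from_lan(text, 80, "192.168.1.6"))
```

On the sample the nginx socket comes out as `loopback`, so port 80 is reported as not reachable from 192.168.1.6, while sshd (wildcard) and the mysqld line bound to the LAN address are. That is the whole diagnosis of this thread in one line of output; the same parser also flags the opposite mistake, a database or admin port bound to the wildcard address that should have stayed on loopback.

----------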

## pmam

khayyam,

I can access the webserver via the machine it's running on,

but cannot access it from another machine via 'http://mg_e2180.lan/wordpress' etc...

CneGroumF,

I get this output:

```
netstat -anlp | grep 80
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2760/nginx: master
udp        0      0 0.0.0.0:38008           0.0.0.0:*                           -
```

First please advise if the nginx conf is ok according to the above output?

Now I am going to check the LAN...

EDIT: Looks there is a problem here:

```
telnet 192.168.1.6 80
Trying 192.168.1.6...
telnet: Unable to connect to remote host: Connection refused
```

EDIT2: 

```
tcpdump -ni enp2s0 tcp port 80
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
```

Thanks

----------

## khayyam

 *pmam wrote:*   

> I can access the websever via the machine it's running on,

 

pmam ... yes, you said that initially, the important part was the hostname, can you access using the above address on that same machine? I'm not familiar with nginx but with apache (httpd.conf) you provide a 'ServerName' directive and this should match the FQDN (fully qualified domain name) of the requested URL.

 *pmam wrote:*   

> EDIT: Looks there is a problem here:
> 
> ```
> telnet 192.168.1.6 80
> 
> ...

 

So, either the host isn't reachable, or port 80 isn't open (ie, blocked by a firewall, or nginx isn't listening on that port)

best ... khay

----------

## pmam

khayyam,

OK, now I see what you meant -

I can access on the web server's machine with this address: http://mg_e2180.lan/wordpress

Even without port 80 it is not reachable - with telnet it should connect - right? Firewall... How to check?

```
telnet 192.168.1.6
Trying 192.168.1.6...
telnet: Unable to connect to remote host: Connection refused
```

----------

## pmam

Here output after a while:

```
tcpdump -ni enp2s0 tcp port 80
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:38:40.931439 IP 192.168.1.7.32977 > 192.168.1.6.80: Flags [S], seq 2358450723, win 29200, options [mss 1460,sackOK,TS val 4680838 ecr 0,nop,wscale 7], length 0
21:38:40.931493 IP 192.168.1.6.80 > 192.168.1.7.32977: Flags [R.], seq 0, ack 2358450724, win 0, length 0
21:41:37.505548 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [S], seq 2382022945, win 29200, options [mss 1460,sackOK,TS val 4417767 ecr 0,nop,wscale 7], length 0
21:41:37.608018 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [S.], seq 299901729, ack 2382022946, win 65535, options [mss 1360,sackOK,TS val 3064783473 ecr 4417767,nop,wscale 9], length 0
21:41:37.608089 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 4417869 ecr 3064783473], length 0
21:41:37.797354 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [P.], seq 1:364, ack 1, win 229, options [nop,nop,TS val 4418059 ecr 3064783473], length 363: HTTP: GET /avatar/796dc902b870ce214ceb7246a3555175?s=49&d=mm&r=g HTTP/1.1
21:41:37.967977 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [.], ack 364, win 285, options [nop,nop,TS val 3064783549 ecr 4418059], length 0
21:41:37.970789 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [P.], seq 1:1673, ack 364, win 285, options [nop,nop,TS val 3064783550 ecr 4418059], length 1672: HTTP: HTTP/1.1 200 OK
21:41:37.970846 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [.], ack 1673, win 255, options [nop,nop,TS val 4418232 ecr 3064783550], length 0
21:41:47.970205 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [.], ack 1673, win 255, options [nop,nop,TS val 4428232 ecr 3064783550], length 0
21:41:48.109883 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [.], ack 364, win 285, options [nop,nop,TS val 3064786086 ecr 4418232], length 0
21:41:53.771180 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [F.], seq 1673, ack 364, win 285, options [nop,nop,TS val 3064787503 ecr 4418232], length 0
21:41:53.771350 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [F.], seq 364, ack 1674, win 255, options [nop,nop,TS val 4434033 ecr 3064787503], length 0
21:41:53.904762 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [.], ack 365, win 285, options [nop,nop,TS val 3064787534 ecr 4434033], length 0
```

----------
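
The capture in the post above already contains the diagnosis: the SYN from 192.168.1.7 to 192.168.1.6:80 is answered with `[R.]`, a reset, which is what `Connection refused` looks like on the wire, while the server's own outgoing connection to 68.232.35.121:80 gets `[S.]`, a SYN/ACK. As an added example, not from any post in the thread, here is a small parser that reads such `tcpdump -n` lines and gives one verdict per attempted connection. The sample reuses the thread's lines (shortened to the fields the parser needs) and adds a constructed, unanswered SYN to port 443 to show the third outcome; names such as `SAMPLE_CAPTURE` and `verdicts` are this example's own.

```python
"""Turn a `tcpdump -n tcp port 80` capture into per-connection verdicts.

Added example for this thread, not code from the original posts.  The first
two connections in SAMPLE_CAPTURE are the lines pmam posted (TCP options
dropped); the third, a SYN to port 443 that is never answered, is constructed
to show the third possible outcome.
"""
import re

SAMPLE_CAPTURE = """\
21:38:40.931439 IP 192.168.1.7.32977 > 192.168.1.6.80: Flags [S], seq 2358450723, win 29200, length 0
21:38:40.931493 IP 192.168.1.6.80 > 192.168.1.7.32977: Flags [R.], seq 0, ack 2358450724, win 0, length 0
21:41:37.505548 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [S], seq 2382022945, win 29200, length 0
21:41:37.608018 IP 68.232.35.121.80 > 192.168.1.6.36601: Flags [S.], seq 299901729, ack 2382022946, win 65535, length 0
21:41:37.608089 IP 192.168.1.6.36601 > 68.232.35.121.80: Flags [.], ack 1, win 229, length 0
21:42:10.000000 IP 192.168.1.7.40000 > 192.168.1.6.443: Flags [S], seq 1, win 29200, length 0
21:42:11.000000 IP 192.168.1.7.40000 > 192.168.1.6.443: Flags [S], seq 1, win 29200, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def endpoint(s):
    """tcpdump writes host.port; split on the last dot: '192.168.1.6.80' -> ('192.168.1.6', 80)."""
    host, _, port = s.rpartition(".")
    return host, int(port)


def parse(text):
    """Yield (timestamp, (src_host, src_port), (dst_host, dst_port), flags) per TCP line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), endpoint(m.group("src")),
                        endpoint(m.group("dst")), m.group("flags")))
    return out


def verdicts(text):
    """Map (client, server) -> 'open' | 'refused' | 'no-answer'.

    A connection is keyed by its first bare SYN (flags exactly 'S').
    A reply from the server carrying R means nothing accepted the SYN:
    no listener on that address/port, or a firewall REJECT.  'S.' is the
    SYN/ACK of an open port.  A SYN with no reply at all is a DROP rule
    somewhere, a wrong address or a dead host; on the wire you then see
    the client retransmitting the same SYN, as in the third sample.
    """
    result = {}
    for _, src, dst, flags in parse(text):
        if flags == "S":
            result.setdefault((src, dst), "no-answer")
        elif result.get((dst, src)) == "no-answer":   # a reply to a pending SYN
            if "R" in flags:
                result[(dst, src)] = "refused"
            elif flags == "S.":
                result[(dst, src)] = "open"
    return result


if __name__ == "__main__":
    for (client, server), verdict in verdicts(SAMPLE_CAPTURE).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}  {verdict}")
```

Run it against a real capture with `tcpdump -nl -i enp2s0 tcp port 80 > cap.txt` on the server and `verdicts(open("cap.txt").read())`. The useful distinction for this thread is `refused` versus `no-answer`: a reset proves the packet reached the host and the kernel had no socket for it (so the fix is the nginx `listen` line, not cables or the router), whereas silence would point at a DROP rule or a reachability problem.

----------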

## pmam

Some additional info for this enigma...

As said, I cannot connect with telnet but -

I have a satellite receiver (linux) connected to the same LAN and telnet is working ok with this receiver -

so it probably indicates that the problem is not at the router/NAT etc...

I tried to connect with ssh and it is working ok:

```
ssh mg_e@192.168.1.6
Password:
mg_e@mg_e2180 ~ $
```

I found that net-firewall/iptables is installed but the service is not started -

I do not know where this package comes from - maybe it is installed by default in Gentoo's installation or whatever...

I have checked LAN factors: changed cables, directly connecting with cable the two computers - without any change.

Thanks

----------

## khayyam

pmam ...

please provide the output of the following ... run on the machine acting as the webserver

```
# egrep -v '(^#|^$)' /etc/hosts
# lsof -i :80
```

If you don't have 'lsof' it's sys-process/lsof. I suspect the issue is that nginx isn't listening on '*:80' or the FQDN is pointing to 'localhost' rather than 192.168.1.6.

best ... khay

----------

## pmam

khay,

```
egrep -v '(^#|^$)' /etc/hosts
127.0.0.1 mg_e2180.lan mg_e2180 localhost
::1 mg_e2180.lan mg_e2180 localhost
```

Here there is no output:

```
lsof -i :80
```

Here is part of nginx.conf:

```
server {
      listen 127.0.0.1;
      server_name localhost;
      access_log /var/log/nginx/localhost.access_log main;
      error_log /var/log/nginx/localhost.error_log info;
      root /var/www/localhost/htdocs;

      location ~ \.php$ {
                       # Test for non-existent scripts or throw a 404 error
                       # Without this line, nginx will blindly send any request ending in .php to php-fpm
                       try_files $uri =404;
                       include /etc/nginx/fastcgi.conf;
                       fastcgi_pass unix:/run/php-fpm.socket;
           }
```

Thanks

----------

## NeddySeagoon

pmam,

First an overview of how the internet works.  You need to understand this as your web server will be a part of it.

When you browse to a website, say gentoo.org, your web browser has no idea how to reach gentoo.org because it needs an IP address.

It first looks in /etc/hosts but it's not there. Then it looks in /etc/resolv.conf for your name servers. It asks your first listed nameserver for the IP address corresponding to gentoo.org.

If you have visited gentoo.org recently, it will be in the name server's cache.  If not, your name server (often your router) knows another name server to ask, ... and so on, until the hostname gentoo.org is resolved to an IP address and returned to your browser.

Your browser now makes up a query using the IP address.  The kernel knows how to route IP addresses; that's the routing table you see with the route command.

The kernel matches the IP (of gentoo.org) against all the routes. It works out that it cannot reach the IP directly, so the packet is sent over the default route to the next hop towards the internet.  Again, this process repeats until the message arrives.  Part of the message is your IP address, so gentoo.org sends a response, using the same process as above but without the need to consult a name server.  

```
server {
      listen 127.0.0.1;
      server_name localhost;
```

This bit is not correct. 

```
listen 127.0.0.1;
```

says to listen on lo, not eth0, or whatever your actual network interface is called

server_name localhost; should be the hostname of the PC.

Both /etc/hosts need a line describing the server.

The server will want to resolve its own hostname when it starts

The test machine, trying to reach the server needs a way to resolve the name to the external IP of the server, or you will be able to browse by IP but not by name.

-- edit --

Other than you are practicing in the privacy of your own LAN, so the outside world cannot see your website, you are using all the real internet features, so when you forward port 80 to your webserver, the world can beat a path to your door.

----------

## pmam

Neddy,

Thanks for your nice explanation of the routing principle of the internet - it was really important for me!!!

Regarding 'listen 127.0.0.1;' - I found it in default nginx.conf - all wikis have this way.

My actual network interface called: enp2s0 - So please inform what should be instead?

Also regarding 'server_name localhost;' - My hostname is: mg_e2180 - 

so I need to change this line to: 'server_name mg_e2180'?

I do not find any actual examples to learn from, so please advise what is the right configuration.

However - as far as I can see, all the above is relevant for the next step -

as you can see in this topic, at the moment I am facing a local issue:

I cannot connect to the web server from another machine through the LAN -

Even with telnet there is no connection. With ssh it is working.

It looks like something internal (LAN) has a failure, and I do not know how to debug and work it out...

Thanks

----------

## NeddySeagoon

pmam,

Your webserver is listening to 127.0.0.1, which is the IP address of the loop back interface.

It is not listening to your LAN on enp2s0.

To make it listen on enp2s0, you need to use the IP address of enp2s0.

sshd is special.  It listens on all interfaces by default.  Here is a test.

At your servers console, do 

```
ssh 127.0.0.1
```

You should be able to log in.

This is of no practical value.  You have just connected to the loopback interface on the machine you are sitting at.

Log out of ssh.

Again at your server, 

```
ssh 192.168.1.6
```

Is 192.168.1.6 your server IP?

This time you are logging in to the machine you are sitting at using enp2s0.

Log out of ssh.

At the top of 

```
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
```

You can set the ListenAddress.  The default 0.0.0.0 matches all addresses.

If you change this line to

```
ListenAddress 192.168.1.6
```

and restart sshd you will no longer be able to connect on 127.0.0.1.

Note that it is also uncommented.

Try it if you wish.  sshd will only be listening on 192.168.1.6.

Your webserver only listens to where its told to listen. 

```
listen 127.0.0.1; 
```

That's safe and works for testing from the machine its running on only.

To be able to test from other machines, you need to use the IP address assigned to the LAN interface.

----------
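
As an added example, not pmam's actual configuration nor code from any post, here is the server block with the loopback-only `listen` beside a corrected one, using the hostname, address and php-fpm socket from the thread. The `server_tokens` line and the `/wordpress/` location are this example's additions; the log file names are assumptions.

```nginx
# Added example for this thread, not the original nginx.conf.  Assumes the LAN
# address 192.168.1.6 and hostname mg_e2180 from the thread; the php-fpm socket
# path is the one pmam posted.

# Before: reachable only from the machine itself.  A LAN client gets
# "Connection refused" because nothing is bound to 192.168.1.6:80
# (the port defaults to 80 when only an address is given).
#
# server {
#       listen 127.0.0.1;
#       server_name localhost;
#       ...
# }

# After: bound to the LAN address and nothing else.  `listen 0.0.0.0:80`
# would also work, but it binds every interface the box has now or later.
server {
    listen 192.168.1.6:80;
    # every name a browser may put in the URL for this site
    server_name mg_e2180.lan mg_e2180 192.168.1.6;

    server_tokens off;             # do not advertise the nginx version

    root /var/www/localhost/htdocs;
    access_log /var/log/nginx/mg_e2180.access_log main;
    error_log  /var/log/nginx/mg_e2180.error_log info;

    # WordPress under /wordpress: let index.php handle its own pretty URLs
    location /wordpress/ {
        try_files $uri $uri/ /wordpress/index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;       # never hand a non-existent script to php-fpm
        include /etc/nginx/fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm.socket;
    }
}
```

Check the file with `nginx -t`, restart nginx, and confirm with `ss -lntp` (or the `netstat` line Syl20 gave) that the socket now shows `192.168.1.6:80` instead of `127.0.0.1:80`. Two caveats: binding to a specific address requires that address to exist when nginx starts, so nginx must start after the interface is up; and WordPress itself remembers the URL it was installed under (the `siteurl` and `home` options) and redirects to it after login, so if that is `http://localhost/wordpress` a LAN browser is bounced to its own localhost, which is the likely reason the login attempt in the next post fails while the pages themselves display.

----------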

## pmam

Neddy,

OK - I tested your examples of ssh and it works as you described -

Now I see why I could connect with ssh - It listens on all interfaces...

However, I do not understand why I cannot connect with telnet - is its default different?

Does it not listen on all interfaces? How do I fix it?

```
telnet 192.168.1.6
Trying 192.168.1.6...
telnet: Unable to connect to remote host: Connection refused
```

I have changed in nginx.conf the line to:

```
listen 0.0.0.0;
```

And now finally I can connect from other machine to web server!!!   :Smile: 

It also works with: 

```
listen 192.168.1.6;
```

Please advise, what is the right way - which of them is better (more secure) 0.0.0.0 or IP address?  

Note: I can connect and see wordpress's site, however I cannot log in and make changes  

I want to have remote option from another machine in the LAN - connecting to web server and edit with wordpress the site...

Thanks

----------

## NeddySeagoon

pmam,

Let me show by example.

I have a router with four internet cards.

One connects the internet.

Next to the wired network

Another to my public facing servers

Last to my Wifi.

If I write 

```
listen 0.0.0.0
```

it will listen for incoming connections on all interfaces.

So I set ssh to listen only on the wired interface.  I don't want any break ins from the Internet.

WiFi is not very secure either ...

So which is most secure?

When you only have a single external interface, it doesn't matter much.  

Anyone who can connect to 127.0.0.1 already has physical access to the machine.

Good practice says you listen to as little as possible to provide the service you need to provide.

To put it another way, the wider you open the window, the more the dirt blows in.

```
telnet 192.168.1.6 
```

will not work because you are not running a telnet server and you did not provide a port.

By default, the telnet client tries to connect to a telnet server.  That's port 23.

```
telnet 192.168.1.6 80
```

should work now as it will connect to your webserver on port 80.

There is a list of well known ports in /etc/services.

You may even be able to write 

```
telnet 192.168.1.6 http
```

and /etc/services will be consulted for the port number.

However, telnet is old and primitive, so it may not work.

A telnet session with an Apache webserver looks like

```
NeddySeagoon_Static ~ # telnet minniebannister http
Trying 2a01:4f8:162:c::2...
Trying 5.9.82.14...
Connected to minniebannister.
Escape character is '^]'.
```

Next is my input, I just ran my finger along the keys ...

```
aoeuidfhgtc
```

And the servers response

```
HTTP/1.1 400 Bad Request
Date: Wed, 03 Feb 2016 20:56:33 GMT
Server: Apache
Content-Length: 285
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
```

----------

## Syl20

 *pmam wrote:*   

> CneGroumF,
> 
> I get this output:
> 
> ```
> ...

 

Now you know 127.0.0.1 is only a local IP address.  :Wink: 

----------

## pmam

CneGroumF,

I suspected this output: 127.0.0.1 and saw in your output 0.0.0.0 -

but I saw in all nginx's wikis 127.0.0.1 and thought it is ok -

Probably the wikis introduce nginx.conf with 127.0.0.1 to be on the safe side for the first stage - working locally till the web site is prepared...

Anyway, the analysing tools that you offered me here are useful and it looks like I will need them in the future

At the moment, I put 'listen 0.0.0.0;' - hope it is ok - 

Now that I worked on nginx/wordpress/php/mysql web site - I quite worry regarding security issues:

I have no idea where to start from - how to get a safe web site?

Neddy well explained the process and gave good ideas and directions, 

I found some info here and there, but still do not have a whole security concept to work on.

Thanks

----------

## NeddySeagoon

pmam,

Good security is like the layers of an onion.  It is not to keep out the determined bad guys that may target you.

It's to make clear to an attacker that you have done something to make their task more difficult.

Once they get past the first layer, there is another layer ... and so on.

Eventually, the attacker will get the message that there are easier targets out there and move on.

When that happens, your security has done its job ... it was good enough.

----------

## Syl20

 *pmam wrote:*   

> Now that I worked on nginx/wordpress/php/mysql web site - I quite worry regarding security issues:
> 
> I have no idea where to start from - how to get a safe web site? 

 

As NeddySeagoon said, the more you do to slow down the attacker's work, the more you'll discourage him/it before the worst happens.

As I'm a pessimist, I'm giving you lots of homework.  :Laughing: 

Ideally, you should act everywhere you can. Be paranoid, do not count on only one or two securisation parts to feel quiet. Installing an armored door on a tent is counterproductive.

To secure a system, you first need to understand how it works, how its components work themselves and together, how that interacts with its environment, and what an attacker is likely to do when he/it wants to go into it, or to break it. Then, you'll be able to close as many useless open doors as possible, or at least to reduce the size of the entrances. So, you should start your securisation process by finding and reading some docs on the subject. The keywords "hardening" + <something>  on your favorite web search engine are a good start.

The first component to secure is obviously your web service. I don't know nginx, I'm much more comfortable with apache. But I suppose there are roughly the same security enhancement capabilities on nginx. Some research may help you to set the appropriate options with the appropriate values (avoid giving its version to the client, for example), and to add some securisation plugins (on apache, I often use mod_security and mod_evasive).

Apply the same method for PHP, mysql (begin with launching mysql_secure_installation, and saying "yes" to all the questions), and wordpress. If web administration interfaces are provided, try to forbid the access to them from anywhere else than your LAN stations. Set reasonably long and complex passwords for all of the accounts set. Change them regularly. If you can, change the default login names.

Then, the other parts interacting with the rest of the world. Ssh (PermitRootLogin, AllowTcpForwarding, and so on), and, if so, mail services, file services... That implies you know exactly what is running on your system.

Your system, by the way.

- Keep it up-to date. Make inquiries on security breaches (GLSA), fix them as soon as possible.

- Uninstall all you don't _really_ need.

- If not already done, switch to a hardened Gentoo profile. The programs compiled with the hardened toolchain will be more secure, and the hardened kernel offers a lot of useful components (grsecurity, for example), which can restrict the effects of security breaches. Once again, take the time to understand what you are doing before doing it. Inappropriate actions may have unexpected results, such as neutralizing other securisation parts (false-negatives), or making your service too much sensitive to DOS or other attacks (false-positives).

- Set up a firewall (netfilter/iptables), which forbids all you have not explicitly permitted. Install and configure fail2ban.

- Restrict as much as possible the number of users able to log in, and restrict as much as possible the rights of those users. Set reasonably long and complex passwords for all of them. Change them regularly.

- Configure your syslog server to write every potentially interesting action, and have a look at logwatch, to parse the log files.

- Run an auditing tool, like lynis. It will show you what you forgot.

- (a bit off-topic, but...) Make backups !

Ok, now, your network.

- Be sure all the stuff between your server and internet (especially your router) is properly configured. Disable all you don't _really_ need. Restrict to the minimum the rest. Did I already say anything about passwords ?

- Think as if your server is contaminated. Avoid or forbid access to all it doesn't need to work (especially your private data). Ideally, put it in a separated network (DMZ), controlled by a firewall (for lack of anything better, your internet router should be able to do that).

----------
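
Syl20's "forbid all you have not explicitly permitted" firewall, written out as an nftables ruleset. This is an added example and not from any post in the thread; it assumes the LAN is 192.168.1.0/24, that the box is the nginx/ssh host from the thread, and that nftables is used rather than the iptables package pmam found installed (the policy is the same either way). Output is filtered as well as input, so a compromised service cannot open arbitrary outbound connections.

```nft
# Added example for this thread, not from the original posts.
# Load with `nft -f /etc/nftables.conf`; test from another machine BEFORE
# closing the console session you loaded it from.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ssh only from the LAN, rate limited against brute forcing
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new limit rate 6/minute accept

        # the website: from anywhere if the router forwards port 80,
        # otherwise add an `ip saddr 192.168.1.0/24` match here too
        tcp dport 80 ct state new accept

        # let the LAN ping the box (the tests in this thread rely on it)
        ip saddr 192.168.1.0/24 icmp type echo-request accept
        # IPv6 neighbour discovery must pass or IPv6 on the LAN stops working
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # log what was dropped, so you can see your own mistakes
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # this box is not a router
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # what the server itself may start: DNS, NTP, package updates,
        # and WordPress fetching its own updates and plugins over http(s)
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        limit rate 10/minute log prefix "nft-output-drop: "
    }
}
```

The two log rules are the important part while the ruleset is new: anything that stops working after loading it shows up in the kernel log with the prefix, which is how you find the rule you forgot without guessing.

----------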

## NeddySeagoon

pmam,

I wasn't going to set homework but since this thread is going that way ...

Run a gentoo-hardened kernel with a fully hardened install.  When the hardened user space spots something nasty going on, the kernel is signalled to kill the process, so you need both bits.

If you overdo it, the box may never boot and if it boots, you may not be able to log in, and if you can log in, you may not be able to access some/all services.

You will get it wrong setting this up ... at least once.

Run a paranoid firewall, rather than a default half open firewall.  A half open firewall allows anything out.

The idea is to stop bad things that do get in from phoning home.  There is no need to wrestle with IPtables directly. I use Shorewall.

If you don't lock yourself out at least once, you are doing it wrong.

If you are doing this on a remote box, get yourself some IPv6 support.  IPv4 and IPv6 firewalls are completely separate entities.

You can arrange to get in over IPv6 when you mess up IPv4 and vice versa.

Do not allow root ssh logins at all. When you need root, log in as a normal user and use su or sudo.

Do not allow password logins over ssh.  Insist your users use keys with good passwords. (The password here is associated with the secret key).

Do not run any services listening to the outside world that you do not absolutely need.  They should be blocked by your firewall anyway.

Consider every package you install could be compromised and have an exploit that can be used against you.

Use paranoid mount options so that users cannot install and run random packages. e.g.  Mount /home and /tmp -o nodev,noexec.  There are other no options too.

All of the above is just general advice to make life difficult for an attacker.

Keep your user space up to date. GLSAs are published only after a fix is known.  By keeping up to date you may well get the fix in advance of the GLSA.

Security and usability are tradeoffs.  You choose how much usability you are prepared to lose for the security you decide you need.

e.g.  If you don't connect your system to the internet, it's very secure but it's not very useful as a server.

In the middle, you may decide not to install gcc on your server, so attackers cannot compile code on it that they can then use to extend the attack.

Depending on how you update the server, that may be a price you are willing to pay.

Any package (wordpress?) that assembles web pages by running programs (php) or scripts on the server has vulnerabilities of its own.

Consider what can happen if an attacker gets wordpress to run a program of their choosing?

That's to get you started ...  There is much more.

----------

## khayyam

 *NeddySeagoon wrote:*   

> Any package (wordpress?) that assembles web pages by running programs (php) or scripts on the server has vulnerabilities of their own. Consider what can happen if an attacker to get wordpress to run a program of their choosing?

 

pmam, Neddy, et al ... wordpress would be a bad choice imo, particularly as it's a major target for exploitation (and, based on the fact that this is a current issue, I mean ongoing target). Way back I had to ban users from using wordpress, it was just too much work, and too big a target ... lots of tears, boo-hoo, but sorry there was no way to keep both the users from installing whatever plugin they liked the look of (those are just for 2016) and then not updating, and be able to keep the number of attacks down to something manageable.

So, I would choose something other than wordpress for a first attempt at a self-hosted site, and of course keep it simple. BTW, if you're planning this for a LAN then I wouldn't worry so much, but world accessible then I'd suggest against it.

best ... khay

----------

## pmam

CneGroumF & NeddySeagoon,

Yes! That's what I need – homework…  :Smile:   I like to see the big picture before starting – It is a real starter.

Your precious info is very useful for me and hope for other Gentoo's forum members - 

I added 'security' to topic name for better searching result…

As you said, first need to figure out how it works, what I am doing and what is needed. Then do it step by step.

'Security and usability are tradeoffs.' - Need to achieve this tradeoff very carefully.  

It will take time to well understand this process but you have sketched the path!

I have seen some of your tips (and already have done some) in other tutorials,

and yours comments increase my confidence that this is the right thing to do. 

e.g: 'mysql (begin with launching mysql_secure_installation, and saying "yes" to all the questions)' and '(avoid giving its version to the client, for example)' – I found this tip also here:  http://arstechnica.com/gadgets/2012/11/how-to-set-up-a-safe-and-secure-web-server/4/ - However as you may see this tutorial does not recommend DMZ: 'It might be tempting to use the "DMZ host" function in your NAT router to open all of its ports to the Internet, but this is a terrible idea. It robs your host of much of the protection from attack it gains by being behind a NAT router.' I am still not familiar with DMZ, and no worry  :Smile:  - If I need to decide I will definitely trust your tip more... However, maybe DMZ has some 'dialectic' aspects... and here is where I need your points of view!

'e.g. If you don't connect your system to the internet, its very secure but its not very useful as a server.'

At the first stage I would prefer to limit access only to LAN users -

Please advise how to do it - how to verify that no port is opened, etc?

And need to see how to enable web administration interfaces to LAN users?

khayyam,

 *Quote:*   

> BTW, if you're planing this for a LAN then I wouldn't worry so much, but world accessible then I'd suggest against it.

 

I am planning this web server for world accessible - 

Please advise what do you recommend instead of wordpress - joomla or any other?

Thanks a lot to all

----------

## khayyam

 *pmam wrote:*   

>  *khayyam wrote:*   BTW, if you're planning this for a LAN then I wouldn't worry so much, but world accessible then I'd suggest against it. 
> 
> I am planning this web server for world accessible - At the first stage I would prefer to limit access only to LAN users. What do you recommend instead of wordpress - joomla or any other?

 

pmam ... I'm very much out-of-the-loop as far as CMS are concerned, it has been over seven years since I did any server administration. The advice above is based purely on what specific CMS are most targeted, wordpress seems to be top of this list, though I imagine there are others that suffer similarly, and attract a lot of attention. I guess it really depends on what type of content you're serving, and so the type of CMS that will fit your needs. I would look around for something that fits that need, but is less commonly used, and simpler than, wordpress. There are CMS (one in particular comes to mind, but the name escapes me) which uses a markup but generates static pages (so, no mysql, php, or what-have-you, involved) ... something of this nature will offer less of an attack surface, but as Neddy says above, its a tradeoff against ease-of-use, etc.

So, basically, do some research before hand, try and focus on what you actually need from a CMS, rather than opt for something that you're inclined to think everyone uses for such things.

best ... khay

----------

## pmam

Hope this limits access to LAN-only users (for the construction stage) - Need to verify ports status?

```
server {
      #listen 127.0.0.1;
      listen 0.0.0.0;
      server_name localhost;

      access_log /var/log/nginx/localhost.access_log main;
      error_log /var/log/nginx/localhost.error_log info;

      root /var/www/localhost/htdocs;
      autoindex on;

      location ~ \.php$ {
            # Test for non-existent scripts or throw a 404 error
            # Without this line, nginx will blindly send any request ending in .php to php-fpm
            try_files $uri =404;
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass unix:/run/php-fpm.socket;
            allow 192.168.1.0/24;
            allow 127.0.0.1;
            deny all;
      }
}
```

khayyam,

I see your point: The more popular CMS the more vulnerable - need to consider this tradeoff...

Thanks
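A caveat on the config above: the allow/deny lines sit inside the PHP location, so they gate only .php requests, while anything served straight from root stays reachable on every address nginx listens on (`listen 0.0.0.0`). To answer the "verify ports status" question, here is an added example (not from the thread) that classifies the listeners reported by `ss -Htln` by bind address; the sample socket lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit listening TCP sockets by bind address.
# Feed it the output of `ss -Htln` (no header, TCP, listening, numeric):
#   audit_listeners "$(ss -Htln)"
# Classes:
#   loopback -> reachable only from this machine
#   wildcard -> reachable on every interface: the whole LAN and, if the
#               router forwards the port, the internet
#   specific -> bound to one address (e.g. the LAN address 192.168.1.6)

# Constructed sample in `ss -Htln` layout: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 192.168.1.6:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::1]:9000 [::]:*'

# classify_bind LOCAL  ->  prints loopback | wildcard | specific
classify_bind() {
    addr=${1%:*}                      # strip the :port suffix
    case "$addr" in
        127.*|'[::1]')         echo loopback ;;
        0.0.0.0|'[::]'|'*')    echo wildcard ;;
        *)                     echo specific ;;
    esac
}

# audit_listeners SS_OUTPUT  ->  one line per listener: "<class> <port> <address>"
audit_listeners() {
    printf '%s\n' "$1" | while read -r state _ _ laddr _; do
        [ "$state" = LISTEN ] || continue
        echo "$(classify_bind "$laddr") ${laddr##*:} ${laddr%:*}"
    done
}

# count_exposed SS_OUTPUT  ->  number of listeners a LAN host could connect to
# (everything that is not bound to loopback)
count_exposed() {
    audit_listeners "$1" | grep -vc '^loopback '
}

# Human-readable report for a LAN-only build stage
audit_listeners "$SAMPLE_SS"
echo "exposed listeners: $(count_exposed "$SAMPLE_SS")"
```

Everything reported as wildcard or specific is what the LAN, and a forwarding router, can reach; the mysql socket on 127.0.0.1 is the shape you want for services only nginx/php should talk to.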

----------

## Syl20

 *pmam wrote:*   

> However as you may see this tutorial does not recommend on DMZ: 'It might be tempting to use the "DMZ host" function in your NAT router to open all of its ports to the Internet, but this is a terrible idea. It robs your host of much of the protection from attack it gains by being behind a NAT router.' I am still not familiar with DMZ, and no worry  - If I need to decide I will definitely more trust on your tip... However, maybe DMZ has some 'dialectic' aspects... and here where I need your point of views!

 

I understand why Lee Hutchinson said that: on my ISP box, there are two ways to redirect requests from internet to a local service. One is called "NAT", but should be named "NAPT", or "PAT" (P for "Port"): I can set up some rules to redirect internet requests to one specified TCP/UDP port towards one given local IP address. The other is called "DMZ", but should be named "total NAT": if I enable that, _all_ the incoming traffic from internet is sent to one specified local IP address. None of these capabilities provides a semblance of a real DMZ, and the second one can be very dangerous if not well controlled.

Then what do I call "DMZ" (DeMilitarized Zone)? A DMZ is an isolated network, in which we put all the services that should be available on internet. The network is separated from the LAN and from internet by a firewall (which is firstly a router). For example:

```
      ( internet )
           |
           |
       192.0.2.1
       ____|_____
      |          |
      | Firewall |
      |__________|
      ___|    |____
     |             |
192.168.1.1   192.168.2.1
     |             |
     |             |
  ( LAN )       ( DMZ )
```

There's only one way for a computer in the DMZ to join a computer in the LAN : the firewall. And the firewall, if well configured, disagrees.

Last, but not least, "demilitarized" doesn't mean "open house" from internet (that's the main "problem" if you use the "DMZ" capability as defined by my ISP). The firewall must also filter all the traffic (incoming and outgoing) between the DMZ and internet.

I don't know if and how an ISP box is able to do that. Personally, I set up my own firewall (a Gentoo box with several NICs) between my ISP stuff and mine.

----------

## NeddySeagoon

pmam,

For the time being, it's your router that determines if the outside world can reach your website; no, its settings do.

If you forward port 80 (http) and/or port 443 (https) from your public IP to your website, the outside world can reach it.

If your router has these ports closed, your website is only available on your LAN.

It's a little more complex than that but you need to walk before you can run. 

On the basis that ISP provided routers are not very good firewalls, you can replace the router with your own firewall.

You can also continue to use the ISP provided router and add a firewall to the web server.

I run my router/firewall in a KVM.  I don't have a physical router.

Engineers from BT don't understand how it works and my ISP doesn't care as long as I don't ask them for support.

----------

## pmam

CneGroumF,

Thanks for your nice clarification - I am going to learn about DMZ and see if it is suitable to my settings.

NeddySeagoon,

Just to be sure I am understanding what you said regarding router - 

At the moment, I want LAN-only without any access of the outside world to my web site - 

Here a copy of current port status in my router - Please inform me if this is the minimum necessary 'opening' ports,

in order to enable browsing internet, or need to change some ports settings (This is the default router's settings)? 

```
Application                                  Protocol   Port   Tx Throughput (Kbps)   Rx Throughput (Kbps)
Web Server, Web access by HTTP/HTTP proxy    TCP        80     10.9                   7.4
Domain Name Server, UDP Domain Name Server   UDP        53     2.9                    2.9
Secured Web Server                           TCP        443    0.3                    0.2
```

And as you said: If I want to enable outside world's access (after construction stage),

need to 'forward port 80 (http) and/or port 443 (https) from your public IP to your website'

Thanks

----------

## gordonb3

A normal ISP provided router will not set up a DMZ as drawn by CneGroumF. Their implementation of "DMZ" is a single machine on the LAN to which all incoming traffic from the internet is forwarded unconditionally. You must therefore run a strict firewall on this machine, as anyone that can get access to it will have access throughout your whole LAN.

As far as Wordpress is concerned: this appears to be something of a hacker's magnet. BUT, the chances that any serious hacker would notice a site that is not owned by some big name organisation is rather small. What you should be concerned about are script kiddies, people using compromised computers to brute force scan the internet for exposed ports and common vulnerabilities. So here are a few tricks to make their life less easy:

If you need to expose a service such as ssh, limit where a connection can originate from. Ideally this would only be LAN, but you could also add the fixed IP from your work, holiday home etc. If you require access from dynamically assigned addresses you can use the netfilter 'geoip' target from xtables_addons. Yes that will typically allow several millions of people having access to a computer in your own country to try to hack into your server, but you no longer need to worry about the other seven billion.

Use the netfilter 'recent' target to identify port scanners and automatically add the originating IPs to a blacklist. You can also use the 'recent' target to implement a technique known as 'knocking' to shield e.g. the ssh port. There are several examples for this on the net.

Another netfilter trick: use string match on port 80 to find a GET for 'w00tw00t'. This is a commonly used request to identify that you are running a web server, after which the attacker script will try to find vulnerabilities in php, wordpress and other CMS systems or web based apps you might run.

Saving the best trick for last: configure your web server for vhosts and let the default host point to meaningless static content with no CGI support. Like the 'It Works!' page. Put 'Go Away!' on it if you like, just remember that the script kiddies will never read it. In all the years that I have been monitoring attempts on my home server I've never seen them use anything other than my public IP. Not even the reverse DNS name for it, which in my case translates to <connection-type>-<reversed-ip>.my-isp.com and would be just as useless for them.
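The string match above works at the packet level; as an added example (not from the thread) here is the same signal read off nginx's access log after the fact, which also catches the follow-up scan the post describes: it lists requests carrying the 'w00tw00t' marker, ranks their source addresses, and flags sources that collect many 404s. The log lines are constructed, the external addresses are documentation addresses, and the log path in the comment assumes pmam's access_log setting.

```shell
#!/bin/sh
# Added example, not from the thread: spot scanner probes in an nginx access log.
# Expected line layout is nginx's combined/"main" format:
#   <ip> - <user> [<time>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<agent>"
# On the real log:  find_probes "$(cat /var/log/nginx/localhost.access_log)" w00tw00t

# Constructed sample lines; 203.0.113.7 and 198.51.100.9 are documentation addresses
SAMPLE_LOG='203.0.113.7 - - [10/Feb/2016:10:00:01 +0000] "GET /w00tw00t.at.example:) HTTP/1.1" 404 162 "-" "-"
192.168.1.20 - - [10/Feb/2016:10:00:05 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:10:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [10/Feb/2016:10:00:07 +0000] "GET /w00tw00t.at.example:) HTTP/1.0" 404 162 "-" "-"
198.51.100.9 - - [10/Feb/2016:10:01:00 +0000] "GET /w00tw00t.at.example:) HTTP/1.1" 404 162 "-" "-"
192.168.1.20 - - [10/Feb/2016:10:02:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# find_probes LOG MARKER  ->  "<ip> <path>" for every request whose path contains MARKER
find_probes() {
    printf '%s\n' "$1" | awk -v marker="$2" '
        {
            split($0, q, "\"")         # q[2] is the quoted request line
            split(q[2], req, " ")      # req[1]=method req[2]=path req[3]=protocol
            if (index(req[2], marker) > 0) print $1, req[2]
        }'
}

# probe_sources LOG MARKER  ->  "<count> <ip>", busiest source first
probe_sources() {
    find_probes "$1" "$2" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# scan_suspects LOG MIN  ->  "<count> <ip>" for sources with at least MIN 404 responses,
# which is what an untargeted vulnerability scan looks like in the log
scan_suspects() {
    printf '%s\n' "$1" | awk -v min="$2" '
        {
            split($0, q, "\"")         # q[3] is " <status> <bytes> "
            split(q[3], rest, " ")     # rest[1]=status
            if (rest[1] == "404") n[$1]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

echo "probe requests:";    find_probes   "$SAMPLE_LOG" w00tw00t
echo "probe sources:";     probe_sources "$SAMPLE_LOG" w00tw00t
echo "404-heavy sources:"; scan_suspects "$SAMPLE_LOG" 3
```

The addresses these functions print are the ones to feed into a blacklist or a 'recent'-style rule; the LAN client fetching /wordpress/ never shows up because it neither carries the marker nor piles up 404s.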

----------

## NeddySeagoon

pmam,

I'm not sure what you are showing me here.

Post the make and model of your router.  That will allow us to read the manual. 

Security by obscurity is really no security at all.  Do not follow that route.

----------

## pmam

NeddySeagoon,

My router info: VTech IAD303+ or  IAD303A+ (It has also phone line over ip)

I did not find its manual - Hope you can find some info. 

I would like to have two setups:

1) No access from outside world to web site - LAN-only

2) In the next stage: Enable outside world access to web site, with the minimum necessary access

Thanks

----------

## pmam

NeddySeagoon,

If there is no user manual of VTech on the net, I have another (more popular) router that can be used: D-Link DSL-2650U - 

http://www.google.co.il/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiR_cvx4ezKAhWFdpoKHXSsBTUQFggiMAA&url=http%3A%2F%2Fwww.netcheif.com%2Fdownloads%2FDSL-2650U-UG.pdf&usg=AFQjCNGJzD9dlqVBQL0g2jXCGdTz1bAdlw&bvm=bv.113943665,d.bGs

Please advise security tips regarding this router.

I saw a TV report on Kaspersky Lab's Security Analyst Summit 2016 -

A lot of cyber panic in the air - It is good for his business - However - Can we sleep well?

Thanks

----------

## gordonb3

 *NeddySeagoon wrote:*   

> Security by obscurity is really no security at all.  Do not follow that route.

 

As stated: Not against a serious hacker, but it does keep the script kiddies off your back. Don't confuse a hobby site with that of a big name corporation or government.

----------

## Syl20

Yes and no. For more quietness, you can, for example, make sshd listen on another TCP port than 22. But even script kiddies know nmap.

So you must secure sshd alike, and consider these options only as additions to a correct securing, not as replacements.

----------

## gordonb3

 *pmam wrote:*   

> 
> 
> Please advise security tips regarding this router.
> 
> 

 

Like I said:

 *Quote:*   

> A normal ISP provided router will not set up a DMZ as drawn by CneGroumF. Their implementation of "DMZ" is a single machine on the LAN to which all incoming traffic from the internet is forwarded unconditionally. You must therefore run a strict firewall on this machine, as anyone that can get access to it will have access throughout your whole LAN. 

 

On page 53 of the manual you linked it clearly states that the DMZ host must be well protected to keep the other PCs on your LAN from being infected through the DMZ. If you are worried about security, your DMZ must be in a completely separate LAN where you can use the firewall to prohibit the DMZ from initiating connections to PCs in your normal working LAN environment and of course the firewall itself. A not completely safe alternative to a single firewall handling routing between two LANs and the internet is to use two independent firewalls: the outside firewall serving between internet and DMZ and the inner firewall serving between DMZ and LAN. The unsafe element here being that the management interface of the outside firewall will be accessible to one gaining control of any machine in the DMZ.

----------

## gordonb3

 *CneGroumF wrote:*   

> Yes and no. For more quietness, you can, for example, make sshd listen on another TCP port than 22. But even script kiddies know nmap.
> 
> So you must secure sshd alike, and consider these options only as additions to a correct securing, not as replacements.

 

Honestly I would never leave ssh open, even though many website providers do. If you do need it, knocking does provide a good method to hide it and if you do it right nmap will not be able to detect it because the knocking ports are in fact closed themselves. Let's say you need to knock three ports; even if for personal convenience you only use up to three digit port numbers that already sums up to a billion possible combinations and there's no putting tension on pins that will hint you're anywhere close to opening the lock.

As far as websites go, if script kiddies launch attacks on specific sites it will be a well known site and they will use your computer for it if they stumbled on to it during their targetless scans of the internet. If they hit port 80 on your public IP address and find Wordpress being hosted on it, their script will log it and allow them to input your IP address on other compromised machines that they dedicated for exploiting specific vulnerabilities or do password guessing. If there's nothing there, their log will show this as well and your IP may end on a list of future prospects to be checked once in a while if anything interesting is being placed on it. Which of course never will if you intentionally configured the default host to serve static content only.

Remember: script kiddies are lazy. Their main interest is to keep themselves hidden. As a result, none of the IPs you may find in any log will point to them. They will never visit your site to personally verify the non interesting content. It may take days or even weeks for them to read the log that says they breached your security. I have some experience in this area because of an unexpected feature in postfix; I was a spammer for about 90 minutes  :Embarassed: 

----------

## pmam

NeddySeagoon&CneGroumF&gordonb3,

Thanks a lot for your important tips! I read each line of yours and try to figure out how to implement. You gave me nice 'homework'   :Smile: 

I do not think the following issue directly refers to current discussion, however, has strong connection to security aspects:

I saw on TV (see link below of this story) that a Hollywood hospital has been attacked by hackers who demanded 3.6 M$ (and probably got 17000$) - otherwise the hospital would not be able to access all data in its computers (docs, images etc). Hackers sent an email with a pdf file attached. By opening this “pdf” file, all data is encrypted and a message demanding money is shown on screen (called Ransomware). They attack private users as well, but here they demand a more 'humble' amount of money: 500-700$ - depends on the economic level of the attacked country… They give an email of their “customer service” and chat is possible as well...

They give a final date to arrange the money with bitcoins but have some flexibility – 'nice pirates'..  :Smile: 

So - Please try to make some order in this nasty cyber world…

1. Is it more difficult to do it on Linux than Windows?

2. How can they encrypt files without having password? Is it possible or they crack passwords?

3. What can we do in order to defend ourselves? Some of your already mentioned tips can help?

http://www.digitaltrends.com/computing/hollywood-hospital-ransomware-attack/

----------

## szatox

 *Quote:*   

> 1. Is it more difficult to do it on Linux than Windows? 

 Kinda. We tend to install "trusted" software, so you'd have to take over a repo to do something like that. However, if you managed to do that, you could do worse than encrypting the data.

 *Quote:*   

> 2. How can they encrypt files without having password? Is it possible or they crack passwords? 

  Oh, encrypting files is easy. You can use any password you want. Decrypting is the tricky part, that's the whole point.

 *Quote:*   

> 3. What can we do in order to defend ourselves? Some of your already mentioned tips can help?

 

Good, old-fashioned backup. Preferably an off-line one, so it doesn't accidentally get damaged with a splash from the main hit.

----------

## NeddySeagoon

pmam,

What you describe is called "Social Engineering".  It's tricking the user to run a file.

Windows is targeted more than Linux because there are more windows users.

Windows users often run as root, without even thinking about it.  Then, when ransomware gets in, it can do anything that root can do.

Linux is structured differently.  You have to make some effort to run everything as root.  When ransomware gets in, it can only do whatever the user that runs it can do.  That's usually no more than encrypting /home/<username>.  Of course if <username> is in the root group or the disk group, that's as bad as running as root.

It's also harder to execute email attachments on Linux.  This is the default on Windows.  On Linux, you normally need to save an attachment and do chmod +x on it before you can run it.  You can set Linux to execute email attachments ... but why would you?

The way out is validated off line backups, as it is for most disasters.

A backup means at least two offline copies.  If you only have one 'backup' copy, when your working copy is not available, you no longer have a backup.

Validated because you need to know it's good.  You really don't want to find out you have issues with your backups when your working copy fails.

Nasty email attachments on windows are often named

```
file.doc                                                               .exe
```

 so that the .exe is outside the email attachment window.

Homework.  What will windows do if you double click such an email attachment?

a) Open it in Word

b) Execute it?

----------

## pmam

 *Quote:*   

> That's usually no more than encrypting /home/<username>

 

Generally we work with DE as a user (but not root) - all database (docs, images etc) are under permissions of this user - 

So in case ransomware gets in, it can encrypt the whole database! Even if it is not root...

Since encrypting is a dramatic operation even when it is taking place as a normal process by the owner itself –

e.g: Why will we not limit encryption only to root? Or at least prompt a dialogue box with a password demand?  

I guess somehow there is a way to block encryption - by adding an option to menuconfig...

You know better than me… Encryption should not be so easy to execute in any aspect - Don't you think so?

 *Quote:*   

> Its also harder to execute email attachments on Linux.

 

AFAIK in this case (to bypass 'exe careful') email attachment is pdf extension - If it is any matter...

 *Quote:*   

>  You can set Linux to execute email attachments ... but why would you?

 

Where does this option exist - I mean, how to check if it is not active...

 *Quote:*   

> A backup means at least two offline copies.

 

Validated I understand, but why 2 copies? Please explain why one copy on a separate machine is not enough?

BTW: Is a backup done by simply copying directories to another machine?

Or is there any package that facilitates backup more easily? Maybe some scripts can help (need to learn how to write them...)

 *Quote:*   

> Homework. What will windows do if you double click such an email attachment? 

 

According your nice 'preface' it will end with execution (of the security responsible in the company...   :Smile:  ) 

Thanks

----------

## NeddySeagoon

pmam,

10 out of 10 for your homework.

The simple view of the world says that you cannot prevent encryption or anything else being run by a user.

When malware gets in as a user, it can do anything that user can do, including downloading and executing packages.

It need not be your own encryption used against you. 

If you are paranoid, you can mount /home and /tmp with the noexec option.  That will prevent all the writeable space open to normal users being used as a location to run software from.

```
/dev/mapper/HW-home             /home                   ext4            noatime,nodev,nosuid,noexec     0 0
/dev/shm                        /tmp                    tmpfs           noatime,nodev,nosuid,noexec     0 0
```

Why two copies?

The definition of having a backup is that you have a spare copy.  With exactly two copies, that's your working copy and one spare.

When your working copy is destroyed, you have only one copy, so you no longer have a backup.  

There are an assortment of programs for creating backups ... look in /usr/portage/app-backup

You can also do your own thing.

----------

## szatox

 *Quote:*   

> So in case ransomware gets in, it can encrypt the whole database! Even if it is not root... 

 Dude, such a thing is just a computer program. All programs do exactly the same thing: they read data, they process it, and they write it back. There is no way to say what the result of this processing is. At least, there is no way for another program to say it: you must be intelligent to predict the outcome. Computers are not intelligent.

There is good news for you though: databases tend to use their data files, and they do that by keeping them open. You can run a test on a separate instance and check if the files are locked. On windows all programs by default set full locks on any files they open. On linux it's different, but it's still possible to prevent other programs from writing to a file you're using.

 *Quote:*   

> You can set Linux to execute email attachments ... but why would you?	
> 
> Where this option is exist - I mean, how to check if it is not active... 

 Have you deliberately configured it in a way that allows executing attachments directly from emails? If no, then it's not active.

Setting no-exec for all user-writable locations is a bonus that would protect you from any running other programs that were not installed there by root.

----------

## pmam

 *Quote:*   

> Dude, such a thing is just a computer program.

 

I see - no way to distinguish encrypting... I thought it is an operator or algorithm that can be identified - So I thought...

noexec will be considered positively...

BTW: Is rsnapshot a useful backup application? I saw it in this wiki: https://wiki.gentoo.org/wiki/Backup

Thanks

----------

## gordonb3

 *NeddySeagoon wrote:*   

> 
> 
> The definition of having a backup is that you have a spare copy.  With exactly two copes, that's your working copy and one spare.
> 
> When your working copy is destroyed, you have only one copy, so you no longer have a backup.  
> ...

 

That is assuming the backup is a direct working copy. Normally you would use a backup to restore files to the original system or create a starter set for a newly built system in case the old one somehow became unrecoverable. I suppose you are referring to a redundancy cluster? In that case you are correct that a second backup should exist.

 *pmam wrote:*   

> BTW: Is rsnapshot a useful backup application?

 

Absolutely. It is essentially a wrapper for rsync that allows for easy creation of rotation schemes. Which may in fact pose to be a limit if you want to set up something a bit more complicated.

----------

## NeddySeagoon

gordonb3,

It's more the on site backup and off site backup concept.

When at any time, for whatever reason, you are down to a single copy, you no longer have a backup.

----------

## gordonb3

I understand what you are saying, but again: you are assuming a situation where the backup data can be used as a working set. Particularly when databases are concerned the backup may not be in any running format or the backup machine not capable of serving the database. In many many cases the backup can only be used to restore something, if even a completely new machine. Meaning the backup will still be the backup rather than the new running environment, as would be the case in a redundancy cluster. Which by definition is not a backup at all.

----------

## paul_chany

I read this topic and want to set up my home server too to be reachable from the Internet.

I'm connected to my ISP through a cable modem.

```
ISP
|
- Cable modem
  |-- headless server Bubba2, Gentoo linux ( firewall, router, webserver - nginx )
    |-- plug & play Switch
      |-- desktop machine, Gentoo linux
      |-- raspberry pi 2 RasPi, Gentoo linux ( webserver- nginx )
```

I shall remove webserver from Bubba2 and run webserver only on the RasPi.

I already set up DNAT on Bubba2 to the RasPi webserver - nginx.

I can reach RasPi webserver from the LAN.

I have a registered FQDN so I want to use it on RasPi's webserver.

What more must I do so that the RasPi's webserver can be reached from the Internet too?

----------

## NeddySeagoon

paul_chany,

A few choices

You need to Destination Network Address Translation (DNAT) port 80 from your public IP to RasPi, so that Web traffic from the internet arrives at RasPi.  You may also need to DNAT port 443. That's for https.

You may also choose to forward (no DNAT) packets on port 80/443 to RasPi, in which case your webserver needs to listen on your public IP.

That's only useful if you have a static public IP.

If you have a dynamic public IP, you need to sign up to a service like no-ip.  They will give you a no-ip. URL that points to your IP, whatever it happens to be at the time.

If your public IP is static, you update the authoritative nameservers for your FQDN to point to your static public IP.

Now it gets messy.  You should not need to do any of this, but you need to be aware of it.

Some ISPs block some incoming ports.  This is to stop you running your own servers.

The work around is to use non-standard ports.  This will prevent most users reaching your servers.

In the UK, a lot of cable subscribers don't even have a public IP, their ISP keeps them behind NAT.  Then it's game over. You cannot be reached from the internet.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> A few choices
> 
> You need to Destination Network Address Translation (DNAT) port 80 from your public IP to RasPi, so that Web traffic from the internet arrives at RasPi.  You may also need to DNAT port 443. That's for https.
> ...

 

I have already set up DNAT for HTTP:

```
Web(DNAT) net loc:192.168.50.200
```

I have a dynamic public IP and I managed this already on my Bubba2 headless server with a bash shell script.

RasPi has a LAN IP address 192.168.50.200 - it always gets this IP address, this is already managed by dnsmasq on Bubba2.

How to set up that RasPi gets a public IP address as Bubba2 does?

----------

## NeddySeagoon

paul_chany,

You don't need a public IP on RasPi.  You have DNAT.

If you forward port 80, without DNAT, packets with <Public_IP>:80 appear on your LAN.

RasPi can deal with them.  However, it now needs to deal with a dynamic IP address too.

DNAT is a better solution. 

When a packet arrives at <Public_IP>:80, it's NATted to 192.168.50.200:80

Your router saves this information, so that replies get sent back to original requester.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> You don't need a public IP on RasPi.  You have DNAT.
> 
> If you forward port 80, without DNAT, packets with <Public_IP>:80 appear on your LAN.
> ...

 

I already use DNAT on Bubba2 for the RasPi.

Then why can't I reach my FQDN http://www.cspl.hu from the Internet?

----------

## NeddySeagoon

paul_chany,

First, can you browse RasPi from your own LAN.

```
http://RasPi_IP 
```

should return a web page?

Let's check your webserver is working.

If that works, can you browse 

```
http://Public_IP
```

from outside your network?

This will test the internet to RasPi.  If this step fails, either port 80 is blocked or there is something wrong with your network configuration at your end.

Doing 

```
$ ping cspl.hu
```

gets me 

```
$ ping cspl.hu

PING cspl.hu (192.184.88.81) 56(84) bytes of data.

64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=54 time=160 ms
```

From the "redirect.webenlet.hu", it appears that you have not set up your FQDN to point to your public IP address and your registrar is pointing it to redirect until you change it. You need at least an A record.

Now the hard bit. This has to be updated every time your public IP changes.  

Until you can browse by IP address, browsing by name won't work either.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> First, can you browse RasPi from your own LAN.
> 
> ```
> ...

 

I can browse RasPi from my LAN.

I can't browse http://cspl.hu from my LAN.

I can't browse it from outside my LAN because I'm at home now.

Can you browse it?

Port 80 is not blocked neither on Bubba2 nor on RasPi.

I'm using Shorewall firewall.

rules on Bubba2 are:

```
Web(ACCEPT)   net   $FW

Web(ACCEPT)   loc   $FW

Web(DNAT)   net   loc:192.168.50.200
```

Bubba2 has two interfaces: eth0 for WAN and eth1 for LAN.

and on RasPi:

```
Web(ACCEPT)   net   $FW
```

On dns.webenlet.hu one can add an A record that by default redirects my cspl.hu domain to the http://www.cspl.hu URL.

One can't add a different A record at all.

However, this setup worked when my webserver was on Bubba2.

----------

## NeddySeagoon

paul_chany,

I can both ping cspl.hu and browse http://www.cspl.hu/.

It says Kistechnikusok távképzése and links to the Free Software Foundation. 

I thought I recognised shorewall.

The firewall is its own zone in Shorewall, so you have three zones called net, fw and loc.

My rule to do DNAT for my webserver is

```
#ACTION         SOURCE          DEST            PROTO   DEST 
DNAT            net             dmz:$Web        tcp     http
```

net, dmz, $Web are resolved using the shorewall file fragments below.

```
# Local IP of Webserver
Web=192.168.10.123
```

 so I can write $Web in the rules file.

```
ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
green   ipv4
dmz     ipv4
blue    ipv4
net     ipv4
```

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -
dmz     eth0            -               logmartians=1,nosmurfs,routefilter
```

http is resolved by consulting /etc/services and tcp is resolved from /etc/protocols.  Shorewall does this for free.

If you want me to browse to your webserver, you need to PM me your current public IP.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> I can both ping cspl.hu and browse http://www.cspl.hu/.
> 
> It says Kistechnikusok távképzése and links to the Free Software Foundation. 
> ...

 

All right!

That is my home page so far: Kistechnikusok távképzése and links to the Free Software Foundation. 

Then I can't open http://cspl.hu only from my LAN.

Can't open it either when using its IP address, which is at this moment ( remember, it is a dynamic IP ) 95.85.141.171.

However, I can open it when I browse http://192.168.50.200

When my webserver ran on Bubba2 I was able to open http://cspl.hu from LAN.

Now, when my webserver runs on RasPi I can open neither http://cspl.hu nor http://95.85.141.171 from my LAN.

How can I solve this problem?

----------

## NeddySeagoon

paul_chany,

 *Quote:*   

> I can open it when I browse http://192.168.50.200

 

Works because 192.168.50.200 is a private IP address on your LAN.

When I browse 95.85.141.171, I get the same page as above.  Kistechnikusok távképzése and FSF link.

I think your shorewall rule is incorrect.

```
DNAT  net   loc:192.168.50.200  tcp     http
```

Fix your rule then restart shorewall.

-- edit --

```
$ ping 95.85.141.171 

PING 95.85.141.171 (95.85.141.171) 56(84) bytes of data.

^C

--- 95.85.141.171 ping statistics ---

8 packets transmitted, 0 received, 100% packet loss, time 6999ms
```

Ping fails too.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> I think your shorewall rule is incorrect.
> 
> ```
> ...

 

I found the rule I'm using from here:

http://www.shorewall.net/two-interface.htm#DNAT

```
Web(DNAT)   net   loc:192.168.50.200
```

I think this is the same rule as

```
DNAT   net   loc:192.168.50.200   tcp   http
```

However, I tried both without success.

Still can't reach http://cspl.hu from my LAN.

----------

## NeddySeagoon

paul_chany,

From your link, the two rules look to be the same.

You can't reach http://cspl.hu from your LAN as even when it's working, it will resolve to your public IP. 

That needs another DNAT rule

```
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             $Public
```

This says that when you are trying to browse to your public IP, redirect the packets to 192.168.50.200 instead.

$Public is a placeholder for your public IP.

You need to update this and restart shorewall every time it changes.

Notice too that 

```
# ping cspl.hu

PING cspl.hu (192.184.88.81) 56(84) bytes of data.

64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=55 time=159 ms
```

your FQDN points to 192.184.88.81, not to 95.85.141.171, which you said was your public IP.
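As an added example, not from the thread: a small Python model of what the DNAT rules above do (the ORIGINAL DEST column matching on the public IP) together with the connection tracking that un-translates the server's replies. It also shows the case that bites when the web server sits on the same subnet as the LAN client: the server answers the client directly at layer 2, the reply never passes the router, and the client sees a reply from 192.168.50.200 instead of the public IP it connected to. Addresses 192.168.50.37 and 203.0.113.5 are hypothetical clients; 192.168.51.200 assumes the DMZ subnet used later in the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread: the public IP at the time and the RasPi web
# server, first on the LAN and later in a separate DMZ subnet.
PUBLIC_IP = "95.85.141.171"
WEB_ON_LAN = "192.168.50.200"
WEB_IN_DMZ = "192.168.51.200"   # assumed: the DMZ subnet chosen later in the thread
LAN_CLIENT = "192.168.50.37"    # hypothetical desktop on the LAN
NET_CLIENT = "203.0.113.5"      # hypothetical internet client (documentation range)

# Equivalent of "Web(DNAT) net loc:192.168.50.200" with and without the
# loc hairpin rule ("DNAT loc 192.168.50.200 tcp 80 - $Public").
NET_ONLY = {("net", PUBLIC_IP, 80): WEB_ON_LAN}
LAN_RULES = {("net", PUBLIC_IP, 80): WEB_ON_LAN, ("loc", PUBLIC_IP, 80): WEB_ON_LAN}
DMZ_RULES = {("net", PUBLIC_IP, 80): WEB_IN_DMZ, ("loc", PUBLIC_IP, 80): WEB_IN_DMZ}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy model of DNAT rules plus the conntrack entry that reverses them."""

    def __init__(self, dnat_rules):
        # (source zone, original destination, destination port) -> new destination
        self.dnat_rules = dnat_rules
        # (client, client port, new destination, port) -> original destination
        self.conntrack = {}

    def forward(self, zone, pkt):
        """Apply DNAT to a packet entering from `zone` and remember the mapping."""
        new_dst = self.dnat_rules.get((zone, pkt.dst, pkt.dport))
        if new_dst is None:
            return pkt                      # no rule: routed (or delivered locally) as-is
        self.conntrack[(pkt.src, pkt.sport, new_dst, pkt.dport)] = pkt.dst
        return replace(pkt, dst=new_dst)

    def reply(self, pkt):
        """Un-translate a server reply that passes back through the router."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt if orig is None else replace(pkt, src=orig)


def same_subnet(a, b, prefixlen=24):
    """True when `a` lies in the /24 that `b` belongs to."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(f"{b}/{prefixlen}", strict=False)


def http_session(router, zone, client):
    """One request from `client` (in `zone`) to PUBLIC_IP:80; returns what the client sees."""
    req = Packet(client, 40000, PUBLIC_IP, 80)
    fwd = router.forward(zone, req)
    if fwd.dst == PUBLIC_IP:
        return "no DNAT: request terminates on the router, not the web server"
    rep = Packet(fwd.dst, 80, client, 40000)
    # A server on the client's own subnet answers it directly, bypassing the
    # router, so conntrack never gets the chance to restore the public IP.
    seen = rep if same_subnet(fwd.dst, client) else router.reply(rep)
    if seen.src == PUBLIC_IP:
        return "ok"
    return f"client expected {PUBLIC_IP} but reply came from {seen.src}"


if __name__ == "__main__":
    print("internet -> LAN server:", http_session(Router(NET_ONLY), "net", NET_CLIENT))
    print("LAN, no hairpin rule: ", http_session(Router(NET_ONLY), "loc", LAN_CLIENT))
    print("LAN, same subnet:     ", http_session(Router(LAN_RULES), "loc", LAN_CLIENT))
    print("LAN, server in DMZ:   ", http_session(Router(DMZ_RULES), "loc", LAN_CLIENT))
```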

----------

## paul_chany

Hi Neddy,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> From your link, the two rules look to be the same.
> 
> You can't reach http://cspl.hu from your LAN as even when its working, it will resolve to your public IP. 
> ...

 

I tried the above shown rule but Shorewall says:

ERROR: Missing destination zone /etc/shorewall/rules

So I edit the line and try out this:

```
#ACTION  SOURCE           DEST                         PROTO    DEST       SOURCE     ORIGINAL
#                                                               PORT       PORT(S)    DEST
DNAT     loc              loc:192.168.50.200           tcp      80         -          192.184.88.81
```

But this doesn't work either.

----------

## NeddySeagoon

paul_chany,

It won't work until  http://cspl.hu points to your public IP.

When I wrote last  http://cspl.hu pointed to 192.184.88.81 and your public IP was 95.85.141.171

If you write the rule as 

```
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             net:$Public
```

it may help.

That will allow browsing to http://95.85.141.171 (your public IP) to work.

It will not fix http://cspl.hu not pointing to your dynamic public IP.

Hmm ... I get Kistechnikusok távképzése and the FSF link from both http://cspl.hu and http://95.85.141.171 now but 95.85.141.171 does not respond to ping requests.

----------

## paul_chany

Hi Neddy,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> It won't work until  http://cspl.hu points to your public IP.
> 
> When I wrote last  http://cspl.hu pointed to 192.184.88.81 and your public IP was 95.85.141.171
> ...

 

No one can ping my public IP address because of this rule:

```
Ping(DROP)        net        $FW
```

The rule above

```
DNAT    loc             loc:192.168.50.200      tcp     80      -       net:95.85.141.171
```

is invalid for Shorewall, according to Shorewall's message:

 *Quote:*   

> ERROR: Unknown Interface (net) /etc/shorewall/rules

 

So I replace it with rule:

```
DNAT    loc             loc:192.168.50.200      tcp     80      -       95.85.141.171
```

But when I try to open http://95.85.141.171/ from my LAN, I can't.

----------

## NeddySeagoon

paul_chany,

As you have this rule,

```
Web(DNAT)   net   loc:192.168.50.200
```

I was expecting your shorewall to understand net.

Please post the routing table from Bubba2.

That's the output of 

```
route -n
```

----------

## paul_chany

Neddy,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> As you have this rule,
> 
> ```
> ...

 

```
#route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0

95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
```

In meantime I find this link, which describes the same situation as mine:

http://shorewall.net/FAQ.htm#Connections

----------

## NeddySeagoon

paul_chany,

I thought I understood your network topology, now it's clear that I don't. 

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0 
```

This line suggests that you have a 95.85.140.0/22 subnet, or 1024 IP addresses.

I'm aware that cable companies do add things.

It may be that you are on the same cable subnet as 1023 other users.  I hope you all have good firewalls.   

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
```

Why do you have a bridge?

What interfaces are bridged?

I was expecting two normal interfaces.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> I thought I understood your network topology, now its clear that I don't. 
> 
> ```
> ...

 

I set up my network with help of my friend.

She knows why I have a bridge. I can only guess why.

I think it is because I have a USB WiFi adapter and we ( she and I ) had to set it up so that users on the WLAN could use the Internet too.

```
bridge_br0="eth1"
```

----------

## NeddySeagoon

paul_chany,

A network bridge always has two or more interfaces.  It connects the subnets on all the member networks together. 

It's just like a road bridge. To be useful, it needs two (or more) ends.

It's the software equivalent of a hardware network hub, all packets go everywhere.

Would you try to cross a road bridge that had only one end?

More seriously, is it possible that you intended to add more devices later and later never arrived?

----------

## paul_chany

Neddy,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> A network bridge always has two or more interfaces.  It connects the subnets on all the member networks together. 
> 
> Its just like a road bridge. To be useful, it needs two (or more) ends.
> ...

 

I understand now what you mean about bridging network interfaces.

My friend helped me out to set up my home software Access Point this way.

Look into /etc/config.d/net file:

 *Quote:*   

> # null setup for eth1 (lan Ethernet port)
> 
> # (this will be owned by the bridge, br0)
> 
> config_eth1="null"
> ...

 

Now, I changed my mind: I want to set my home network like this:

```
_ISP
_|--CableModem
__|--[ ethernet cable-RJ45 ] Bubba2
___|--Plug & Play Switch ___|--WiFi ( thanks to you )
_____|
```

----------

## NeddySeagoon

paul_chany,

Here's my setup

```
                              |
                     -------+-------
                     | VDSL - Phone |
                     |    PPoE      |
                     -------+-------
                            |
                            |
                            |
                 -----------+----------
                 |  Router - Public IP |
                 |         NAT         |
                 | eth1    eth2    eth3|
                  ----------------------
```

I have a static public IP, which my router gets on Interface ppp0. That's carried over its eth0.

The fully protected wired network on eth1 uses 192.168.100.0/24

The wireless network on eth2 uses 192.168.54.0/24  My wireless network is not permitted to connect to the wired network, except in response to requests from the wired network.

eth3 is for the DMZ. A few choice ports from the internet are forwarded here.

My firewall (Shorewall) is fairly paranoid.  The policy everywhere is deny. That means I have to write rules to allow all outgoing traffic.

Individual systems on my network do not need their own firewalls, Shorewall on the router does it all.

To add to the interest, my router is a kernel virtual machine.

WiFi is not very secure, anyone could be using it, so it's kept separate.

Using a policy of deny is part of my security.  If something nasty does get in, it will make it difficult for it to phone home. 

Rather than using a bridge, which lets your internet traffic go everywhere, I would run shorewall only on Bubba2 and make it the firewall for itself and the rest of your network.

I guess your cable modem does NAT to the 192.168.50.0/24 network?

See the Gentoo Home Router Guide. It does not cover the use of Shorewall.

----------

## paul_chany

Neddy,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> Heres my setup
> 
> Rather than using a bridge, which lets your internet traffic go everywhere, I would run shorewall only on Bubba2 and make it firewall for itself and the rest of your network.
> ...

 

Thank you very much for advising me.

I don't know whether my cable modem does NAT to the 192.168.50.0/24 network.

How can I know that?

----------

## NeddySeagoon

paul_chany,

You have posted

```
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0

95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
```

```
# null setup for eth1 (lan Ethernet port)

# (this will be owned by the bridge, br0)

config_eth1="null"

# null setup for wlp1s0 (WiFi adaptor)

# (this will be owned by hostapd)

config_wlan0="null" 
```

and that your public IP was at one time, 95.85.141.171.

Putting this all together shows that eth0 gets your public IP and eth1 and wlan0 are in a bridge.

Shorewall does NAT between eth0 and br0.  That's odd but as long as you do not want to treat wired and wireless separately, it's OK.

It's a bad idea to add a server to br0 because if it is ever compromised, there is nothing between it and your network.

You should add another interface to Bubba2 to use for your DMZ.  This will keep your server(s) which are exposed to the internet, separate from your LAN.

e.g.    eth2 on 192.168.25.1/24.  wlan1 would do too.  The important thing is to keep your servers on a physically separate network segment from everything else.

Breaking up br0 is only useful if you want to apply different firewall rules to wired and wireless hosts.

----------

## paul_chany

NeddySeagoon,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> You have posted
> 
> ```
> ...

 

Now I'm using a USB ethernet adapter on my Bubba2. Because it is a headless powerpc box, I can't add more ethernet ports to it as I could on a regular PC box ( by adding another ethernet network card ).

```
# lsusb -t
```

 shows:

```
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=fsl-ehci/1p, 480M

    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M

        |__ Port 1: Dev 3, If 0, Class=Vendor Specific Class, Driver=pegasus, 480M

        |__ Port 2: Dev 8, If 0, Class=Vendor Specific Class, Driver=rtl8192cu, 480M
```

where Port 1: Dev 3 is the Bus 001 Device 003: ID 07a6:8515 ADMtek, Inc. AN8515 Ethernet USB Ethernet Adapter,

and Port 2: Dev 8 is the Bus 001 Device 008: ID 0586:341f ZyXEL Communications Corp. NWD2205 802.11n Wireless N Adapter [Realtek RTL8192CU] USB wireless Adapter.

On my Bubba2 eth0 is WAN ( net zone ), eth1 is LAN ( loc zone ) with WiFi as WLAN and eth2 is DMZ ( dmz zone ).

```
# ifconfig

br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500

        inet 192.168.50.1  netmask 255.255.255.0  broadcast 192.168.50.255

        inet6 fe80::222:2ff:fe00:73d  prefixlen 64  scopeid 0x20<link>

        ether 00:22:02:00:07:3d  txqueuelen 0  (Ethernet)

        RX packets 1338  bytes 86621 (84.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 44  bytes 3000 (2.9 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

        ether 00:22:02:00:07:3c  txqueuelen 1000  (Ethernet)

        RX packets 1085  bytes 89784 (87.6 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 91  bytes 7905 (7.7 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet6 fe80::222:2ff:fe00:73d  prefixlen 64  scopeid 0x20<link>

        ether 00:22:02:00:07:3d  txqueuelen 1000  (Ethernet)

        RX packets 1312  bytes 121353 (118.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 74  bytes 8144 (7.9 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

        device base 0x2000  

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 192.168.50.2  netmask 255.255.255.0  broadcast 192.168.50.254

        inet6 fe80::200:e8ff:fe00:11f1  prefixlen 64  scopeid 0x20<link>

        ether 00:00:e8:00:11:f1  txqueuelen 1000  (Ethernet)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 8  bytes 648 (648.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Now the routing table of Bubba2 is:

```
route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         95.85.167.254   0.0.0.0         UG    2      0        0 eth0

95.85.160.0     0.0.0.0         255.255.248.0   U     2      0        0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

The /etc/conf.d/net on Bubba2 is:

```
# WAN Shorewall: net zone

config_eth0="dhcp"

# LAN + WiFi Shorewall: loc zone

# null setup for eth1 (lan Ethernet port)

# (this will be owned by the bridge, br0)

config_eth1="null"

# null setup for wlp1s0 (WiFi adaptor)

# (this will be owned by hostapd)

config_wlan0="null"

# bridge address (we ignore wifi here, it'll be added by hostapd)

config_br0="192.168.50.1 netmask 255.255.255.0 brd 192.168.50.255"

# no default route set for br0, leave forwarding etc. to shorewall

# add the lan Ethernet port (enp4s1) only to br0

# hostapd will add the WiFi adaptor (wlp1s0)

brctl_br0="setfd 0

sethello 10

stp off"

bridge_br0="eth1"

# DMZ Shorewall: dmz zone

config_eth2="192.168.50.2 netmask 255.255.255.0 brd 192.168.50.254"
```

In /etc/init.d I have:

```
@net.br0

@net.eth0

@net.eth1

@net.eth2

@net.wlan0
```

These are symlinks that point to net.lo.

I did run:

```
# rc-update add net.eth2 default
```

to start eth2 too when booting.

In /etc/dnsmasq.conf I have:

```
# be a good citizen

domain-needed

bogus-priv

filterwin2k

# prevent wildcard matching

listen-address=192.168.50.1

bind-interfaces

# disables dnsmasq reading any other files

# like /etc/resolv.conf for nameservers

# no-resolv

# here is the explicit nameserver WE will use (Google)

# (clients will get 192.168.50.1)              

# server=8.8.8.8

# Interface to bind to

interface=br0

# Specify starting_range,end_range,lease_time                      

dhcp-range=192.168.50.151,192.168.50.200,12h

# Raspberry Pi in the DMZ zone         

dhcp-host=B8:27:EB:AC:CB:F1,192.168.50.200,24h
```

I'm using Shorewall firewall to set up:

interfaces, policy, rules, shorewall.conf, stoppedrules and zones.

After I reboot my Bubba2 I can't even SSH into it from LAN.

Moreover, I can't reach Internet from LAN, ping gentoo.org, etc.

Why?

----------

## NeddySeagoon

paul_chany,

Two interfaces in the same subnet is a bad idea.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

The kernel looks at the destination IP address in every outgoing packet and applies the rules in the routing table, from the bottom up.

From your routing table, all packets going to  192.168.50.0/24 are sent to eth2.  That rule is applied first.  The rule for br0 is never reached.

The rule at the top matches everything. It sends traffic to your ISP.

Change the 50 in your entire DMZ subnet, so it's a subnet in its own right.  You will need to change other things too.

----------

## paul_chany

NeddySeagoon,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> Two interfaces in the same subnet is a bad idea.
> 
> ```
> ...

 

I changed it to 51:

In /etc/conf.d/net

```
# DMZ Shorewall: dmz zone

config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"
```

In /etc/dnsmasq.conf

```
# Specify starting_range,end_range,lease_time                      

dhcp-range=192.168.50.151,192.168.50.200,12h

dhcp-range=192.168.51.151,192.168.51.200,12h                         

# Raspberry Pi in the DMZ zone  

dhcp-host=B8:27:EB:AC:CB:F1,192.168.51.200,24h
```

```
# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

Still can't SSH into Bubba2 from LAN, still can't reach the Internet from LAN, can't ping Bubba2 ( br0: 192.168.50.1, eth2: 192.168.51.1 ), Raspberry Pi 2 ( 192.168.51.200 ), http://gentoo.org or 8.8.8.8. Why?

Because I made some mistakes.

Finally, it works.. almost! I can reach the Internet from my LAN, but I can not ping my webserver in the dmz zone and can not reach its homepage. I can SSH into my Bubba2 but can not SSH into my Raspberry Pi 2. Why?

/etc/conf.d/net

```
# DMZ Shorewall: dmz zone               

config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.51.255"
```

/etc/dnsmasq.conf

```
# Interface to bind to

interface=br0,eth2

# Specify starting_range,end_range,lease_time                      

dhcp-range=lan,192.168.50.151,192.168.50.200,12h

dhcp-range=dmz,192.168.51.151,192.168.51.200,12h                     

# Raspberry Pi in the DMZ zone  

dhcp-host=B8:27:EB:AC:CB:F1,192.168.51.200,24h
```

If I try to ssh from my desktop machine in LAN into Raspberry Pi 2, which is my webserver in the DMZ zone, then I get:

```
ssh: connect to host 192.168.51.200 port 22: No route to host
```

I can't figure out what to add to /etc/conf.d/net and /etc/dnsmasq.conf files to get this working?

----------

## NeddySeagoon

paul_chany,

```
# DMZ Shorewall: dmz zone

config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.50.255"
```

I hope that 192.168.50.255 there is a typo.  It should be 51

```
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

There is no default route there, in fact eth0 is not listed at all. This bit is missing.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0

95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0 
```
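As an added example, not from the thread: a Python model of the kernel's longest-prefix route selection, run over the three routing tables posted above (the DMZ placed in the LAN subnet, the table with no default route, and the corrected one). It reproduces the tie between br0 and eth2, the "No route to host" that the LAN saw, and the clean result after renumbering; 192.168.50.37 is a hypothetical LAN host used for the lookups.

```python
import ipaddress

# Routing tables reconstructed from the `route -n` output posted in the thread.
# Each entry is (destination, genmask, interface) in the order route -n printed them.
TABLE_DMZ_IN_LAN_SUBNET = [
    ("0.0.0.0", "0.0.0.0", "eth0"),               # default route via the ISP
    ("95.85.160.0", "255.255.248.0", "eth0"),
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("192.168.50.0", "255.255.255.0", "br0"),      # LAN bridge
    ("192.168.50.0", "255.255.255.0", "eth2"),     # DMZ, wrongly in the same subnet
]
TABLE_NO_DEFAULT_ROUTE = [
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("192.168.50.0", "255.255.255.0", "br0"),
    ("192.168.51.0", "255.255.255.0", "eth2"),     # DMZ renumbered, but eth0 is missing
]
TABLE_FIXED = [
    ("0.0.0.0", "0.0.0.0", "eth0"),
    ("95.85.182.0", "255.255.255.0", "eth0"),
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("192.168.50.0", "255.255.255.0", "br0"),
    ("192.168.51.0", "255.255.255.0", "eth2"),
]


def prefix_length(genmask):
    """Number of one bits in a dotted netmask, e.g. 255.255.248.0 -> 21."""
    return bin(int(ipaddress.IPv4Address(genmask))).count("1")


def route_lookup(table, destination):
    """Longest-prefix match over `table`, as the Linux kernel selects routes.

    Returns the interfaces of the most specific matching route(s).  One element
    is an unambiguous decision; several means equally specific routes compete
    and the kernel's own tie-break picks one (on Bubba2 it picked eth2, leaving
    the br0 hosts unreachable); an empty list is "No route to host".
    """
    dst = ipaddress.IPv4Address(destination)
    best_len, best = -1, []
    for dest, genmask, iface in table:
        plen = prefix_length(genmask)
        net = ipaddress.IPv4Network(f"{dest}/{plen}", strict=False)
        if dst not in net:
            continue
        if plen > best_len:
            best_len, best = plen, [iface]
        elif plen == best_len:
            best.append(iface)
    return best


def describe(table, destination):
    """Human-readable verdict for one lookup."""
    matches = route_lookup(table, destination)
    if not matches:
        return f"{destination}: no route"
    if len(matches) > 1:
        return f"{destination}: ambiguous, {' vs '.join(matches)} are equally specific"
    return f"{destination}: via {matches[0]}"


if __name__ == "__main__":
    for table, name in ((TABLE_DMZ_IN_LAN_SUBNET, "DMZ in LAN subnet"),
                        (TABLE_NO_DEFAULT_ROUTE, "no default route"),
                        (TABLE_FIXED, "fixed")):
        print(f"--- {name}")
        for dst in ("192.168.50.37", "192.168.51.200", "8.8.8.8"):
            print(describe(table, dst))
```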

----------

## paul_chany

NeddySeagoon,

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> ```
> # DMZ Shorewall: dmz zone
> 
> ...

 

I corrected the IP address:

```
# DMZ Shorewall: dmz zone

config_eth2="192.168.51.1 netmask 255.255.255.0 brd 192.168.51.255"
```

Now the routing table is:

```
# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         95.85.182.254   0.0.0.0         UG    2      0        0 eth0

95.85.182.0     0.0.0.0         255.255.255.0   U     2      0        0 eth0

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
```

I can SSH into my Raspberry Pi 2 from my LAN.

I can open webserver: http://cspl.hu on RasPi2 from my LAN. Can you open it from the Internet too?

I think it works now.

----------

## NeddySeagoon

paul_chany,

It says Kistechnikusok távképzése at the top.  Then there is a button to join the Free Software Foundation and at the bottom it says 

GNU/linux, nginx, moodle

Raspberry Pi 2 Model B V1.1

Copyright 2016 Csányi Pál

All on a green background.

I think the Raspberry Pi 2 Model B V1.1 is a bit of a give away.

Well done

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> It says Kistechnikusok távképzése at the top.  Then there is a button to join the Free Software Foundation and at the bottom it says 
> 
> GNU/linux, nginx, moodle
> ...

 

Almost well done.

When I'm trying to emerge a package from my DMZ zone - from RasPi2 - I get an error message:

```
>>> Emerging (1 of 1) sys-process/htop-1.0.3::gentoo

>>> Downloading 'http://de-mirror.org/gentoo/distfiles/htop-1.0.3.tar.gz'

--2016-03-26 13:15:37--  http://de-mirror.org/gentoo/distfiles/htop-1.0.3.tar.gz

Resolving de-mirror.org... 217.72.206.21, 2001:8d8:5c0:404::3

Connecting to de-mirror.org|217.72.206.21|:80... failed: Connection refused.

Connecting to de-mirror.org|2001:8d8:5c0:404::3|:80... failed: Network is unreachable.

>>> Downloading 'http://hisham.hm/htop/releases/1.0.3/htop-1.0.3.tar.gz'

--2016-03-26 13:15:37--  http://hisham.hm/htop/releases/1.0.3/htop-1.0.3.tar.gz

Resolving hisham.hm... 69.163.225.224

Connecting to hisham.hm|69.163.225.224|:80... failed: Connection refused.

!!! Couldn't download 'htop-1.0.3.tar.gz'. Aborting.

 * Fetch failed for 'sys-process/htop-1.0.3', Log file:

 *  '/var/tmp/portage/sys-process/htop-1.0.3/temp/build.log'

>>> Failed to emerge sys-process/htop-1.0.3, Log file:

>>>  '/var/tmp/portage/sys-process/htop-1.0.3/temp/build.log'
```

When I'm trying to 'emerge --sync' from my LAN - from my desktop machine, I get error message:

```

# emerge --sync

>>> Syncing repository 'gentoo' into '/usr/portage'...

>>> Starting rsync with rsync://81.91.253.252/gentoo-portage...

Welcome to starling.gentoo.org / rsync.gentoo.org

Server Address : 81.91.253.252, 2a01:90:200:10::1a

Contact Name   : mirror-admin@gentoo.org

Hardware       : 2 x Intel(R) Xeon(R) CPU E5649 @ 2.53GHz, 3959MB RAM

Sponsor        : Qube Managed Services Limited, Zurich, Switzerland, EU

Please note: common gentoo-netiquette says you should not sync more

than once a day.  Users who abuse the rsync.gentoo.org rotation

may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Wed Dec 16 19:40:44 UTC 2015

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)

rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]

>>> Retrying...

>>> Starting retry 1 of 4 with rsync://91.186.30.235/gentoo-portage

Welcome to boobie.gentoo.org / rsync.gentoo.org

Server Address : 

Contact Name   : mirror-admin@gentoo.org

Hardware       : 2 x Intel(R) Xeon(R) CPU 3050 @ 2.13GHz, 3956MB RAM

Sponsor        : EUKhost, Maidenhead, England

Please note: common gentoo-netiquette says you should not sync more

than once a day.  Users who abuse the rsync.gentoo.org rotation

may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Thu Jul 24 06:32:46 UTC 2014

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)

rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]

>>> Retrying...

>>> Starting retry 2 of 4 with rsync://176.28.50.119/gentoo-portage

Welcome to quetzal.gentoo.org / rsync.gentoo.org

Server Address : 2a01:488:67:1000:b01c:3277:0:1

Contact Name   : mirror-admin@gentoo.org

Hardware       : 4 x Intel(R) Xeon(R) CPU E5649 @ 2.53GHz, 16073MB RAM

Sponsor        : Host Europe, Cologne, Germany, EU

Please note: common gentoo-netiquette says you should not sync more

than once a day.  Users who abuse the rsync.gentoo.org rotation

may be added to a temporary ban list.

MOTD autogenerated by update-rsync-motd on Wed Dec 16 19:33:43 UTC 2015

@ERROR: access denied to gentoo-portage from 139-182-85-95.dynamic.stcable.net (95.85.182.139)

rsync error: error starting client-server protocol (code 5) at main.c(1648) [Receiver=3.1.2]

>>> Retrying...

>>> Starting retry 3 of 4 with rsync://[2a01:90:200:10::1a]/gentoo-portage

rsync: failed to connect to 2a01:90:200:10::1a (2a01:90:200:10::1a): Network is unreachable (101)

rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]

>>> Retrying...

>>> Starting retry 4 of 4 with rsync://[2a01:488:67:1000:b01c:3277:0:1]/gentoo-portage

rsync: failed to connect to 2a01:488:67:1000:b01c:3277:0:1 (2a01:488:67:1000:b01c:3277:0:1): Network is unreachable (101)

rsync error: error in socket IO (code 10) at clientserver.c(125) [Receiver=3.1.2]

>>> Retrying...

!!! Exhausted addresses for rsync.gentoo.org

>>> Syncing repository 'gentoo-b2' into '/usr/local/portage/gentoo-b2'...

/usr/bin/git pull

Already up-to-date.

=== Sync completed for gentoo-b2
```

When I 'emerge --sync' from my Bubba2 ( this is the firewall/gateway ) then I get messages:

```
...

<snipped intentionally>

sent 27.79K bytes  received 5.28M bytes  37.75K bytes/sec

total size is 411.87M  speedup is 77.65

=== Sync completed for gentoo

>>> Syncing repository 'sakaki-tools-lite' into '/usr/local/portage/sakaki-tools-lite'...

/usr/bin/git pull

 * waiting for lock on /var/log/emerge.log ...                                                            [ ok ]

>>> Syncing repository 'gentoo-b2' into '/usr/local/portage/gentoo-b2'...

/usr/bin/git pull

fatal: unable to access 'https://github.com/sakaki-/sakaki-tools-lite.git/': Failed to connect to github.com port 443: Connection refused

fatal: unable to access 'https://github.com/sakaki-/gentoo-b2-overlay.git/': Failed to connect to github.com port 443: Connection refused

!!! git pull error in /usr/local/portage/gentoo-b2

!!! git pull error in /usr/local/portage/sakaki-tools-lite
```

I added some rules into Shorewall:

on RasPi ( DMZ zone )

```
# Gentoo emerge
Rsync(ACCEPT)   $FW             net
Rsync(ACCEPT)   net             $FW
HTTP(ACCEPT)    $FW             net
HTTP(ACCEPT)    net             $FW
Web(ACCEPT)     $FW             net
Web(ACCEPT)     net             $FW
```

on Bubba2 ( firewall )

```
# Gentoo emerge
Rsync(ACCEPT)   $FW             net
Rsync(ACCEPT)   loc             net
Rsync(ACCEPT)   dmz             net
```

but does not help. What could be now the problem?

I can Ping gentoo.org from RasPi2 ( DMZ zone ), Bubba2 ( $FW ) and desktop machine ( LOC zone, aka LAN ).

----------

## NeddySeagoon

paul_chany,

Look in your shorewall logs.

Did you restart shorewall after you made the changes?

Do you really have IPv6?

It seems you have IPv6 connectivity somehow, as you contacted a server at

```
 >>> Starting retry 3 of 4 with rsync://[2a01:90:200:10::1a]/gentoo-portage

```

Are you aware that IPv4 and IPv6 are completely separate.  Shorewall works for IPv4 only.  You need Shorewall6 for IPv6.

The concept of NAT does not exist in IPv6, all IPv6 addresses are public, so a boundary firewall is essential.

----------

## paul_chany

 *NeddySeagoon wrote:*   

> paul_chany,
> 
> Look in your shorewall logs.
> 
> Did you restart shorewall after you made the changes?
> ...

 

I do not use IPv6 at all, I think at least.

In shorewall zones file I have:

on desktop ( loc zone ):

```
fw      firewall

net     ipv4

loc     ipv4
```

on RasPi ( dmz zone ):

```
fw      firewall

net     ipv4
```

on Bubba ( firewall/gateway ):

```
fw      firewall

net     ipv4

loc     ipv4

dmz     ipv4
```

So I don't know why emerge wants to reach gentoo-portage over IPv6?

Finally, I solved it with shorewall rules on Bubba2:

```
# Gentoo emerge

Rsync(ACCEPT)   $FW             net

Rsync(ACCEPT)   loc             net

Rsync(ACCEPT)   dmz             net

Web(ACCEPT)     $FW             net

Web(ACCEPT)     loc             net

Web(ACCEPT)     dmz             net
```

----------

