Configuring firewalld (Rocky Linux 9)

After much pain I managed to configure firewalld so that I only allow specific services to given IP numbers.
Now I want to give access to all IPs to https/447, but I don't know how to do that. My current configuration is listed below.
# firewall-cmd --get-active-zones
customzone
sources: ipset:Trusted_IP_all
drop
interfaces: enp0s31f6
The drop zone:
# more drop.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Drop</short>
<description>Unsolicited incoming network packets are dropped.</description>
<forward/>
</zone>
And the customzone:
# more customzone.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Custom Zone Configuration</short>
<description>All incomming connections are blocked by default. </description>
<service name="ssh"/>
<service name="http"/>
<service name="https"/>
<source ipset="Trusted_IP_all"/>
</zone>
The "Trusted_IP_all" ipset contains a selected few IP numbers/ranges.
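The question's two zone files decide who reaches which service: customzone is bound to the ipset, while the drop zone is bound to the interface and therefore catches every other address. The following is an added example, not part of the question or of firewalld itself; it parses constructed copies of the two zone files above (with the interface binding taken from the `--get-active-zones` output, since the zone XML does not carry it) and reports, per service, which origins can reach it, before and after a service is appended to the interface-bound zone. `parse_zone`, `service_exposure`, `open_to_everyone` and `add_service` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two zone files from the question, embedded so the
# example runs offline.
DROP_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
  <forward/>
</zone>"""

CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Custom Zone Configuration</short>
  <description>All incoming connections are blocked by default.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <source ipset="Trusted_IP_all"/>
</zone>"""

# Interface bindings as reported by `firewall-cmd --get-active-zones` in the
# question (zone files written via NetworkManager may not carry them).
ACTIVE_INTERFACES = {"drop": ["enp0s31f6"], "customzone": []}


def _source_label(el):
    """Render a <source> element the way firewall-cmd prints it."""
    for attr, prefix in (("ipset", "ipset:"), ("address", ""), ("mac", "mac:")):
        if el.get(attr):
            return prefix + el.get(attr)
    return "unknown-source"


def parse_zone(name, xml_text):
    """Extract the parts of a zone file that decide who can reach what."""
    root = ET.fromstring(xml_text)
    return {
        "name": name,
        "target": root.get("target", "default"),
        "services": {s.get("name") for s in root.findall("service")},
        "ports": {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")},
        "sources": [_source_label(s) for s in root.findall("source")],
    }


def service_exposure(zones, active_interfaces):
    """Map every accepted service/port to the set of origins that can reach it.

    firewalld assigns an incoming packet to a zone by source match first
    (<source> entries), then by ingress interface. A service listed in a zone
    bound to an interface is therefore reachable from any address arriving on
    that interface that no source-bound zone has claimed; that origin is
    labelled 'any (<iface>)'. The zone target only decides the fate of packets
    that match no service/port rule in the zone.
    """
    exposure = {}
    for zone in zones:
        origins = set(zone["sources"])
        origins.update(f"any ({i})" for i in active_interfaces.get(zone["name"], []))
        if not origins:
            continue  # zone is not active: no packet can land in it
        for item in zone["services"] | zone["ports"]:
            exposure.setdefault(item, set()).update(origins)
        if zone["target"] == "ACCEPT":
            exposure.setdefault("*", set()).update(origins)  # everything else, too
    return exposure


def open_to_everyone(exposure):
    """Services/ports reachable through an unrestricted interface binding."""
    return {item for item, origins in exposure.items()
            if any(o.startswith("any (") for o in origins)}


def add_service(xml_text, service):
    """Return the zone file with <service name=.../> appended, which is what
    `firewall-cmd --permanent --zone=<zone> --add-service=<service>` writes."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, "service", {"name": service})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    zones = [parse_zone("drop", DROP_XML), parse_zone("customzone", CUSTOM_XML)]
    before = service_exposure(zones, ACTIVE_INTERFACES)
    for item, origins in sorted(before.items()):
        print(f"{item:8} <- {', '.join(sorted(origins))}")
    zones[0] = parse_zone("drop", add_service(DROP_XML, "https"))
    after = service_exposure(zones, ACTIVE_INTERFACES)
    print("open to everyone after change:", sorted(open_to_everyone(after)))
```

Run against the question's configuration the report shows ssh, http and https reachable only from ipset:Trusted_IP_all; after appending https to the interface-bound drop zone, https alone becomes reachable from any address on enp0s31f6 while ssh and http stay restricted, which is the split the question is asking for and a useful thing to verify before `firewall-cmd --reload`.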

Related

Bad request - Invalid Hostname IIS express when using VPN

I'm working on an ASP.NET web application and I want to bind it so it can be used from a remote network through OpenVPN. I already have the connection with the network and I can ping my device from the other devices inside the network. This is the configuration I used for OpenVPN:
client
dev tap
proto tcp
dev-node openvpn
remote 86.89.135.168 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
#ifconfig 192.168.201.221 255.255.255.0
#route-gateway 192.168.201.1
In the applicationhost.config I'm binding this:
<bindings>
<binding protocol="http" bindingInformation="*:52022:*" />
<binding protocol="http" bindingInformation="*:52022:192.168.201.68" />
<binding protocol="http" bindingInformation="*:52022:localhost" />
</bindings>
I can access the application by localhost or by the local IP address. But when I try to access it with the VPN IP from a device in the network I get this:
My firewall is off and even so it doesn't work. And like I said, it works on other devices in my local network and on the host machine, but it doesn't work with devices from the remote network.
Can someone help me solve this? I'm new at this.
I solved my problem by:
1. Adding my VPN executable as an exclusion in the 'Virus and threat protection settings'.
2. Adding it to "Allow an app or feature through Windows Defender Firewall" (if it's not in the list you have to click on "Allow another app").
3. Adding a TCP inbound rule in "Windows Defender Firewall with Advanced Security" for the port that your VPN will be using for communication. In my case it is 443.

Remove jetty version in embedded Jetty in ActiveMQ

We have not seen anywhere in the documentation of ActiveMQ how to hide the embedded Jetty version. This is marked as a security threat by our penetration testers when we are using a WebSocket transport on port 80. We have been playing around with the configuration file jetty.xml and the parameters, but with no success. It has been addressed for other projects (see https://issues.apache.org/jira/browse/HADOOP-13414) by a patch in the code.
So far we have been trying to change the configuration in jetty.xml.
After searching for Jetty properties, this is how we configured the property:
<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<property name="sendServerVersion" value="false">
</property>
</bean>
However, this has no effect on the exposure of the version. We tried further with a connection factory, but this also had no effect:
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<list>
<bean id="httpConnectionFactory" class="org.eclipse.jetty.server.HttpConnectionFactory">
<constructor-arg ref="httpConfig"/>
</bean>
</list>
</constructor-arg>
<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
</list>
</property>
</bean>
Are we on the right track, or does it need to be addressed by the codebase of ActiveMQ?
This is how we show the version:
#nmap -sV -p80 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
PORT STATE SERVICE VERSION
80/tcp open http Jetty 9.2.22.v20170606
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
Edit: we received an answer in the ActiveMQ JIRA that indicates that it will need some code modification in the ActiveMQ project. We will update this question if the current state changes. Current ActiveMQ is 5.15.3.
Quoting Tim Bain from the linked issue:
Since org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.start() creates its Server by calling new (no Spring injection), and the code of that method doesn't provide any means to specify an HttpConfiguration, the ability to change this behavior requires a code change. There is similar code in org.apache.activemq.transport.WebTransportServerSupport, also without any ability to specify an HttpConfiguration that would disable the sending of the version number.
The use of ...
org.eclipse.jetty.server.HttpConfiguration.setSendServerVersion(false);
... is the correct setting.
However, you cannot change this AFTER the server has been started.
The startup of the server itself is the only place you can make this change.
When the connectors are created/initialized is the only place this setting is used.
This is because that setting is propagated into many components during startup (the HTTP/1 generator, the HTTP/2 generator, the ErrorPage generator, the WebSocket upgrade process, etc.).
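The signal nmap's -sV keyed on above is the Server header that Jetty emits while sendServerVersion is still true. Below is an added example, not from this thread nor from ActiveMQ or Jetty, that checks an HTTP response for that disclosure so the effect of a code or configuration change can be verified from the wire rather than from jetty.xml. The two responses are constructed samples, not captures from a broker; `check_raw_response`, `check_live` and `discloses_version` are names chosen here, and `check_live` assumes plain HTTP on the given port.

```python
import http.client
import re

# "9.2.22" out of "Jetty(9.2.22.v20170606)", "2.4.41" out of "Apache/2.4.41".
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
BANNER_HEADERS = ("server", "x-powered-by")

# Constructed sample responses (not captured from a real broker): one from a
# Jetty whose HttpConfiguration still sends the version, one with it disabled.
RESPONSE_WITH_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Jetty(9.2.22.v20170606)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESPONSE_WITHOUT_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP/1.x response into a header map with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_disclosure(headers):
    """For each banner header present, return its value and any version in it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name in BANNER_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        match = VERSION_RE.search(value)
        findings[name] = {"value": value, "version": match.group(0) if match else None}
    return findings


def check_raw_response(raw):
    """Offline variant: inspect a raw response captured or constructed as bytes."""
    return banner_disclosure(parse_headers(raw))


def discloses_version(raw):
    """True if any banner header in the raw response carries a version number."""
    return any(f["version"] for f in check_raw_response(raw).values())


def check_live(host, port, path="/", timeout=5):
    """Online variant: HEAD the plain-HTTP listener and inspect its headers.
    Per the answer above the same setting also feeds the WebSocket upgrade
    and error responses, so a clean result here covers only the normal path."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return banner_disclosure(dict(conn.getresponse().getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    for label, raw in (("with version", RESPONSE_WITH_VERSION),
                       ("without version", RESPONSE_WITHOUT_VERSION)):
        print(label, "->", check_raw_response(raw) or "no banner header")
```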

Solr 6.1 admin page authentication [duplicate]

I am not very familiar with Solr. I have installed Solr successfully. It is using the Jetty webserver. My Solr version is 4.10.3. Its admin page is not protected by a password. Anyone can access it. I want to apply a password on the Solr admin. How will I do it?
Enable authentication in Solr admin running with Solr 6.1 and Jetty
Preconditions:
Solr version 6.1
Solr is running successfully in the system
Solr Admin running through jetty
Process:
1. Edit jetty.xml
Edit the file “server/etc/jetty.xml”
Add the following before the Configure tag ends
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
2. Edit webdefault.xml
Edit the file “server/etc/webdefault.xml”
Add the following before the web-app tag ends
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Special Note:
The value used in the role-name tag needs to be the same as the one used in the “realm.properties” file
3. Create new file “realm.properties”
Create a file named “realm.properties” in the location “server/etc/” and put the content below in it
admin: admin123,core1-role
User Name: admin
Password: admin123
Role name: core1-role
(This needs to be the same as the name used in the role-name tag in the “server/etc/webdefault.xml” file)
4. Final Step
Restart Solr server
Now access Solr in your browser http://localhost:8983/solr/
You will find the browser is asking for username and password. Enter the username and password.
For versions below 5
If you are using solr-webapp then you need to modify the web.xml file and add these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
For the Jetty server, you need to add the lines below to /example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Update /example/etc/jetty.xml file
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
/example/etc/realm.properties :
admin: s3cr3t, admin-role
Username = admin
password = s3cr3t.
Role name = admin-role
Solr version 5+
In the latest Solr versions the folder structure has changed. You will find all the files under the paths below.
{SOLR_HOME}/server/etc/jetty.xml
{SOLR_HOME}/server/etc/webdefault.xml
Create new credential file at {SOLR_HOME}/server/etc/realm.properties:
admin: s3cr3t, admin-role
For more info you can refer to the Solr wiki docs
If you are using tomcat,
Open [Tomcat install dir]\tomcat-users.xml for editing.
Add the following lines within the <tomcat-users> element and save the changes (using your own username and password):
<role rolename="solr_admin"/>
<user username="your_username" password="your_password" roles="solr_admin"/>
Open [Tomcat install dir]\webapps\solr\WEB-INF\web.xml for editing.
"solr" in the path is the name of the instance you want to secure. Typically this is "solr," but may be different if you are running an advanced setup.
Add the following lines within the <web-app> element:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
Save the changes and restart Tomcat. Test your changes by starting a new browser session and navigating to your site, for example http://localhost:8080/solr/ You should be prompted for credentials.
If the tomcat-users.xml file in your Tomcat install dir is being modified, then
go to the tomcat-users.xml file under Servers in Project Explorer and add your changes there.
As setting a password on Solr is a pain in the ass (sorry, but sometimes you have to name it as it is) I propose another solution: restrict access to it using iptables.
If you install Apache Solr Server usually the Server will listen on Port 8983. Hence the servers admin interface will be available under:
http://YOUR_SERVERS_IP:8983/solr/
So we can restrict connections to port 8983 as follows:
iptables -A INPUT -p tcp -s localhost --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_SERVERS_IP --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
This will accept all requests from localhost (first line) and from the server's IP itself (second line), but drop all other connections (last line). The second line is not necessary, but it makes it easy to reach Solr's admin interface. To access the admin interface from a local machine, we first have to forward all connections to the server. The easiest way to do this is using sshuttle (the lazy man's VPN):
sshuttle --dns -r root@YOUR_SERVERS_IP 0/0
Run this command on the local machine from which we want to access the admin interface.
Another option is to use SSH tunnelling with the OpenSSH client:
ssh -D 1080 root@YOUR_SERVERS_IP
Set up a SOCKS proxy in your browser pointing to port 1080.
I'm dealing with Solr v4.10 too and this is really annoyingly hard. None of the so-called "solutions" works for me. I ended up installing Nginx on my Ubuntu box and proxying the :8983 port to Docker, where a password is required by Nginx. This works for me.
I just want to report what the solution was in my case. Actually my website was written in Ajax, which is why setting a password also protected my website. So it's not the solution in the case where Solr has to be used from the open internet. So the best solution, as guided by the Solr wiki, is to use proxies like node.js, nginx etc., as given here.
Using a node.js proxy and applying iptables rules (as guided above) solved my problem.

How to start hazelcast client from console

How do I run a Hazelcast client from the console?
I have this config in xml:
<hazelcast-client xsi:schemaLocation="http://www.hazelcast.com/schema/client-config hazelcast-client-config-3.3.xsd"
xmlns="http://www.hazelcast.com/schema/client-config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<network>
<port auto-increment="true" port-count="100">5701</port>
<outbound-ports>
<!--
Allowed port range when connecting to other nodes.
0 or * means use system provided port.
-->
<ports>0</ports>
</outbound-ports>
<join>
<multicast enabled="true">
<multicast-group>224.2.2.3</multicast-group>
<multicast-port>54327</multicast-port>
</multicast>
</join>
</network>
</hazelcast-client>
and I need a console like this when I run run.sh or run.bat, but I want it to be a client not a member.
You can use the clientConsole.bat given by Hazelcast to connect to any Hazelcast server and get a console for that. Using the console you can query any existing map or queue in your Hazelcast server.
I use hazelcast-3.8.1.
In the demo directory you can find clientConsole.bat/clientConsole.sh.
To connect to an existing server you need to provide the details in a "hazelcast-client.xml" file. Here is the content of "hazelcast-client.xml" file:
<hazelcast-client xmlns="http://www.hazelcast.com/schema/client-config">
<group>
<name>[GROUP_NAME]</name>
<password>[GROUP_PASSWORD]</password>
</group>
<network>
<cluster-members>
<address>[HAZELCAST_SERVER_HOST_NAME_OR_IP]</address>
</cluster-members>
</network>
</hazelcast-client>
Above, [HAZELCAST_SERVER_HOST_NAME_OR_IP] is the IP or hostname of the Hazelcast server you want to connect to and get a client console for.
[GROUP_NAME] and [GROUP_PASSWORD] should be the same as what is specified in the "hazelcast.xml" file on the Hazelcast server.

How to force open webrole on port 80 in azure dev fabric(azure sdk 1.5)

Recently, I upgraded my dev env from ver1.1 to ver 1.5 of the Azure SDK (I know - am a little too late :))
What I noticed was that my webrole was always opening up on port 81. Is there a way for me to force open the Azure webrole on port 80 in my dev env?
The reason I need this is :
I have a browser extension which connects to my webrole, and it expects the webrole to be on port 80. Until now, testing on the dev env was easy: I just needed to do an etc/hosts redirection and my regular browser plugin would connect to my dev fabric.
On my website, I also provide open-auth authentication from google/facebook. I would not be able to test that on my dev env if I access it as www.mywebsite.com:81/ instead of www.mywebsite.com
Anyone has a pointer?
Kapil
Just make sure port 80 is available. The compute emulator takes the port you asked for or the first available port above that.
If you are using the emulator this will be an issue, because it opens the first free port.
If you will host your role on azure, you can configure your port in config file.
For example, in this configuration:
<WebRole name="TestApplication1">
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="80" />
</Endpoints>
<Imports>
<Import moduleName="Diagnostics" />
</Imports>
<ConfigurationSettings>
<Setting name="MyCustomSettingInAzure" />
</ConfigurationSettings>
</WebRole>
You can see that for Endpoint1 we configured port number 80.
Update:
I've searched a bit, and found this post:
http://social.msdn.microsoft.com/Forums/en/windowsazuredevelopment/thread/ae2df7e0-5005-4bcd-8b69-bb53323eb589
There are some ideas there which I believe can help you. It will require adding some commands to your pre-build actions.
One more update
Please run the command: netstat -a -n -o
This will show who is using port 80
If you can't force it to use port 80 instead of port 81 in your development environment even if the port is available, then you could install Fiddler2 and try to add the following Fiddler rule at the bottom of OnBeforeRequest():
// Windows Azure force socket 80
if (oSession.host == "app.dev.com:81") { oSession.host = "127.0.0.1:80"; }
if (oSession.host == "127.0.0.1:81") { oSession.host = "127.0.0.1:80"; }
if (oSession.url == "127.0.0.1:81") { oSession.url = "127.0.0.1:80"; }
I haven't tested it, but I think that could give you a pointer of how to do it.
Okay - the issue has been solved. Please see this thread for more details.
http://social.msdn.microsoft.com/Forums/en-US/windowsazuredevelopment/thread/5447f16e-2eed-4170-9771-17c7c9e7e570?prof=required
Basically I pointed my default site in IIS to a different port and that worked.
Kapil
