Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: kevincallan on February 04, 2005, 08:36:17 PM

Title: server-manager unavailable after attempted network filtering
Post by: kevincallan on February 04, 2005, 08:36:17 PM
I have read as many posts as I can find on this subject but none have resulted in a solution yet.

Two days in a row, my system was barraged by break-in attempts.  When the traffic is too heavy, my DSL modem hangs up and I have to restart the modem.  This usually breaks the automatic dyndns update also, so the web server is no longer available on the network.

So, I decided that security needed to be beefed up and I went to the server-manager to add in a filter for the network I usually access from.  When I entered the network and mask octets and clicked save, the server-manager just hung.  I can still access the server via ssh but now the server-manager and all http services are non-responsive.

I looked at the /etc/httpd/conf/httpd.conf file and there are numerous sections like (line 229 is "allow..."):



When I try to execute "service httpd-service start" the message comes back:



and when I try to execute "service httpd start" the message comes back:



The code snippet in the /etc/httpd/conf/httpd.conf file is (line 668 is the "allow..."):



Can anybody tell me what I can do to remedy the problem short of reinstalling the server?  I am fairly inexperienced with expanding templates and such but from my reading, it seems that might be what I need to do to regenerate the httpd config files.

When I enter "/sbin/e-smith/db networks show", I get a command prompt back.

Please advise if you have any suggestions.

Thank you,
Kevin
Title: server-manager unavailable after attempted network filtering
Post by: smeghead on February 05, 2005, 05:07:35 AM
.. whereas my httpd.conf file shows:

allow from 127.0.0.1 192.168.0.0/255.255.255.0 172.16.17.0/255.255.255.0

Change this manually first to make sure it's what you need, then if it works expand the templates (back up your changed ones first) and try again.

If it fails you prob have a custom template fragment from your firewall SME panel that is generating the httpd.conf file with the iptables additions you no longer want.  2 choices: remove the offending template fragment so the expand routine works, or edit the SME database to remove the customisations you added.

HTH
Title: server-manager unavailable after attempted network filtering
Post by: kevincallan on February 05, 2005, 07:05:29 PM
Thanks for the tip.  At this time, I have no custom templates for any sections.

I rebuilt the httpd.conf and admin-httpd.conf files by:
Code:
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/sbin/e-smith/expand-template /etc/httpd/admin-conf/httpd.conf

and the "allow from" lines switched to:
Code:
allow from 127.0.0.1 192.168.1.0/255.255.255.0 255.255.255.255/0.0.0.0

The above "allow from" line is present at both line 668 of /etc/httpd/conf/httpd.conf and line 229 of /etc/httpd/admin-conf/httpd.conf.

However, when I run:
Code:
service httpd start

I get:
Code:
Starting httpd: Syntax error on line 668 of /etc/httpd/conf/httpd.conf:
syntax error in network portion of network/netmask

and when I run:
Code:
service httpd-admin start

I get:
Code:
Starting httpd-admin: Syntax error on line 229 of /etc/httpd/admin-conf/httpd.conf:
syntax error in network portion of network/netmask


I don't understand what the syntax error is on these lines.  They look proper to my minimally experienced eye.

Thanks,
K
Title: server-manager unavailable after attempted network filtering
Post by: smeghead on February 05, 2005, 07:30:39 PM
.. it's the:

255.255.255.255/0.0.0.0

bit that's the prob.

You must have changed a db entry so that when the template regens the conf file it's including your changes, or the templates are missing or faulty:

In /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf you should find:

00logfilenames
01localAccessString
20Manager
80Aliases05userpanel
85DefaultAccess
85ServerResourcesAccess
90e-smithAccess15brand
90e-smithAccess15common
90e-smithAccess20manager
90e-smithAccess20password
90e-smithAccess30user

The file that may be faulty is 01localAccessString, mine reads as:

{
    use esmith::util;

    #------------------------------------------------------------
    # Compute "localAccess" string for use in template below.
    #------------------------------------------------------------
    my %networks;
    tie %networks, 'esmith::config', '/home/e-smith/networks';

    my @access = esmith::util::computeLocalAccessSpec( $LocalIP,
                        $LocalNetmask, \%networks, 'private');

    $localAccess = "@access";

    my $validFrom = ${"httpd-admin"}{"ValidFrom"} || 'none';

    $validFrom =~ s/,/ /g;
    unless ($validFrom eq 'none')
    {
        $localAccess .= " $validFrom";
    }
    $localAccess =~ s:/255.255.255.255::g;

    "";
}

This file computes a parameter used by the rest of the templates in this chain called $localAccess.  It is this value that is giving probs on your system in the httpd.conf.

Check it out
Title: server-manager unavailable after attempted network filtering
Post by: kevincallan on February 06, 2005, 01:19:55 AM
I have all of the template sections that you listed except for:

80Aliases05userpanel
90e-smithAccess30user

My listing of the 01localAccessString is identical to the one you posted in your reply.

I thought 255.255.255.255/0.0.0.0 allowed all possible IP addresses access and that changing the numbers would only filter out some networks.  Is that not true?
Title: server-manager unavailable after attempted network filtering
Post by: kevincallan on February 06, 2005, 02:15:04 AM
In the meantime, I tried manually modifying the httpd.conf files and replaced:

Code:
allow from 127.0.0.1 192.168.1.0/255.255.255.0 255.255.255.255/0.0.0.0

with:
Code:
allow from all

and the services start right up.  I can access server-manager just fine.

So I simply click the save button in the "Remote access" panel and the httpd.conf files are regened from the templates and the problem is back.

This appears to be a bug but I am not expert enough to say.  Another thread has alluded to the bugginess of this issue at http://forums.contribs.org/index.php?topic=24251.msg97889#msg97889

As far as I'm concerned, this problem is not solved and I fully expect it to come back next time I use the Remote access panel of the server-manager.
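
Added example, not part of any post in this thread: a pre-flight check for generated "allow from" lines, to run before restarting httpd. It flags entries whose network part has bits set outside the netmask (the case in the regenerated line quoted above) and entries that match every address, which matters for the server-manager configuration. The function names and messages are illustrative; only full dotted-quad entries as seen in this thread are understood (hostnames and partial addresses are reported as unparseable), and it does not reproduce Apache's own parser.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _mask_to_int(mask):
    """Accept a prefix length ("24") or a dotted netmask ("255.255.255.0")."""
    if mask.isdigit():
        bits = int(mask)
        if bits > 32:
            raise ValueError("prefix length above 32")
        return (ALL_ONES << (32 - bits)) & ALL_ONES
    value = int(ipaddress.IPv4Address(mask))
    hostbits = value ^ ALL_ONES
    if hostbits & (hostbits + 1):          # host bits must be one trailing run
        raise ValueError("netmask is not contiguous")
    return value

def check_allow_from(line):
    """Return (token, problem) findings for one 'allow from' line."""
    words = line.split()
    if [w.lower() for w in words[:2]] != ["allow", "from"]:
        return [(line.strip(), "not an 'allow from' directive")]
    findings = []
    for tok in words[2:]:
        if tok.lower() == "all":
            findings.append((tok, "matches every address"))
            continue
        net, slash, mask = tok.partition("/")
        try:
            addr = int(ipaddress.IPv4Address(net))
            mask_int = _mask_to_int(mask) if slash else ALL_ONES
        except ValueError as exc:
            findings.append((tok, f"unparseable: {exc}"))
            continue
        if addr & ~mask_int & ALL_ONES:
            findings.append((tok, "network has bits set outside the netmask"))
        if mask_int == 0:
            findings.append((tok, "matches every address"))
    return findings

# The three "allow from" lines quoted in the thread above.
SAMPLES = [
    "allow from 127.0.0.1 192.168.0.0/255.255.255.0 172.16.17.0/255.255.255.0",
    "allow from 127.0.0.1 192.168.1.0/255.255.255.0 255.255.255.255/0.0.0.0",
    "allow from all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for tok, problem in check_allow_from(line):
            print(f"{tok}: {problem}")
```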