Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Damian on March 05, 2005, 08:08:07 PM

Title: Opening User-Manager contrib to outside
Post by: Damian on March 05, 2005, 08:08:07 PM
I have a user that only ever logs into https webmail remotely but will need to change their password and enable the vacation messages. Anyone managed to enable access to user-manager panel without hacking httpd.conf (or a fragment) ?
Damian
Title: Opening User-Manager contrib to outside
Post by: CheahCH on March 05, 2005, 08:52:46 PM
There is a doc
"remote access to user manger.doc" by Dungog Networks at
http://www.dungog.net/sme/files/userpanel/

which explains how to do it. Involves ssh by the remote user.
Title: Opening User-Manager contrib to outside
Post by: Damian on March 05, 2005, 11:53:17 PM
Hi CheahCH,
Thanks for the link. I use this method every day for server-manager access to remote sites but this lady is on an apple mac and would run a mile from putty (is it available on a mac?). I don't want to open user-manager up to the net if I don't have to because she's on DSL and her IP is DHCP (can I buy a vowel?). I couldn't track her IP address to allow it access.
Damian
Title: Opening User-Manager contrib to outside
Post by: raem on March 06, 2005, 12:00:09 AM
You can also do it by establishing a VPN connection (which takes me about 5 seconds to do) and then browsing by server IP eg
https://192.168.xx.xx/user-manager
https://192.168.xx.xx/user-password
https://192.168.xx.xx/server-manager
Title: Opening User-Manager contrib to outside
Post by: Damian on March 06, 2005, 01:09:49 AM
Hi Ray,
That's right she could. The reason she uses webmail though is that she's not strictly part of the company and is therefore not really allowed on the network. Webmail is a good compromise.
I know it sounds like I'm making life difficult but I'm not (honest!). These are good suggestions and thanks for making them.
Damian
Title: Opening User-Manager contrib to outside
Post by: raem on March 06, 2005, 04:05:40 AM
I appreciate the security/confidentiality issue, although if you use group memberships correctly then the user would have access to nothing except their own home folder, which already exists anyway if they have a user account & use webmail.
Title: Opening User-Manager contrib to outside
Post by: stephen noble on March 09, 2005, 12:01:44 AM
> Anyone managed to enable access to user-manager panel without hacking httpd.conf (or a fragment) ?

the latest user-manager version allows for this
with a db entry

http://www.dungog.net/sme/files/6.5updates/

it doesn't require 6.5 we just made this addition at the same time as the other changes

* Fri Feb 11 2005 Stephen Noble <@>

- change rpm scripts from httpd-* graceful to restart
-  to allow rpm to install on both SME 6.0 + 6.5
- added alias, /user is same as /user-manager
- allow remote access to /user, with alt IP range from /server-manager access
-  /sbin/e-smith/db configuration set httpd-user 188.122.45.122
-  /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
-  /etc/rc.d/init.d/httpd-e-smith restart
-  see also /sbin/e-smith/db configuration show httpd-admin for format
-  bad things happen if you enter an invalid ip ie>256
- remove displayed mitel references and old images
- [1.6.5-1]
Title: Opening User-Manager contrib to outside
Post by: Damian on March 12, 2005, 12:06:57 AM
Thanks for that Stephen. Even though I'm "watching" this topic I didn't receive a post update. Not the first time either  :-?
Damian
Title: VPN
Post by: xebec on March 21, 2005, 11:09:51 AM
Hi Guys,

Ray was mentioning that it takes him 5sec to do a VPN, pleeeeeeeeeze would you be able to help me???  I am getting nowhere with this VPN story.  I have posted a thread already..please could someone shed some light on a way (anyway) to achieve a vpn for remote users to access their email on a win2k server behind the sme 6.01.

Thanks and regards

GB
Title: Re: VPN
Post by: raem on March 22, 2005, 01:37:23 AM
xebec

> Ray was mentioning that it takes him 5 sec to do a VPN  

I lied, it actually takes me 16 seconds from the time I click on the Start menu to access the VPN icon, enter my password and establish the connection.
Negotiating the connection itself takes about 5 seconds.

Once connected if you want to map a drive to a workstation shared folder just do:

net use M: \\workstationIP\sharename
eg
net use M: \\192.168.1.95\C

then you will have a M: drive that is actually the share on your workstation.

It sounds as if your problem may be router related, search the forums on VPN for all the gory details, you have to open certain ports and allow certain protocols. It's all in the forums, just search.

It's far easier to use sme with an ADSL modem that is in bridged mode. All the work is done by the sme firewall then, rather than having to work out how to configure your routers etc.
I don't believe that the sme firewall is any less secure than a dedicated router firewall (in most situations that is). I have been using sme since v3 for over 5 years and the firewall has never been compromised. A hacker recently broke in via crappy php code (phpBB as well as a bug in php), but then thousands of other users also got hacked this same way. The danger is in badly written (php) apps rather than the sme firewall.
Title: Opening User-Manager contrib to outside
Post by: jackl on March 22, 2005, 01:48:18 AM
Ray,
When your PHP app was compromised, was the damage only limited to the php web app itself or did they gain full access to your server?

Regards
Jack
Title: Opening User-Manager contrib to outside
Post by: raem on March 22, 2005, 02:31:44 AM
jackl

> When your PHP app was compromised was the damage
> only limited to the php web app itself or did they
> gain full access to your server.

phpBB passwords were removed and the site details were tampered with.

As well, all index pages on the server were changed.
Some services were not running properly so there was some other tampering also.

I rebuilt the server and updated phpBB, php & all other php apps, even removed some that were not considered necessary.

phpBB and gallery have mail lists you can subscribe to, to be kept informed in a timely fashion of security vulnerabilities and updates.
phpBB got stung badly on this one.

See
http://forums.contribs.org/index.php?topic=25064.msg102655#msg102655
Title: Opening User-Manager contrib to outside
Post by: Smitro on April 01, 2005, 04:17:55 AM
I installed the package above (e-smith-userpanel-1.6.5-1.noarch.rpm). Now how do I make it available to the whole world?

Is it possible to do this without making the Server Manager available to the whole world?
Title: Opening User-Manager contrib to outside
Post by: raem on April 01, 2005, 04:36:47 AM
Smitro

>....how do I make it available to the whole world?

Read snoble's post again, he clearly gives the commands you need on an IP-by-IP basis, not to the whole world as you ask for.
Title: Opening User-Manager contrib to outside
Post by: kmccarn on April 01, 2005, 05:29:14 AM
I stumbled upon this by accident - and this is NOT a good security policy.....

BUT - if you go to the Remote Access panel and add:

0.0.0.0 with a subnet of 0.0.0.0

It works.

The entire internet can access your server via https:

I have done this on a couple boxes that have users with dial-up accounts (their ip changes with each connection) so any other method would have been difficult.

AGAIN - This is NOT a good solution - but it is an easy one.

 :roll:
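
A pre-flight check for the two failure modes raised in this thread: the changelog's warning about octets above 255, and the 0.0.0.0 / 0.0.0.0 entry that admits every source address. This is an added example, not code from the thread or from the contrib; the function names are hypothetical and the address-plus-netmask pair format is an assumption.

```shell
# Added example (not from the thread): vet an address/netmask pair before
# it goes into an access list. Function names are hypothetical.

# valid_quad ADDR: succeed only for four decimal octets, each 0-255.
valid_quad() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;    # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# quad_to_int ADDR: print the 32-bit integer value of a validated quad.
quad_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_entry ADDR MASK: print "invalid", "world-open", or "ok N",
# where N is the number of source addresses the entry admits.
check_entry() {
    if ! valid_quad "$1" || ! valid_quad "$2"; then
        echo invalid; return 0
    fi
    mask=$(quad_to_int "$2")
    inv=$(( ~$mask & 4294967295 ))
    # A real netmask is contiguous: its inverse plus one is a power of two.
    if [ $(( $inv & ($inv + 1) )) -ne 0 ]; then
        echo invalid; return 0
    fi
    [ "$mask" -eq 0 ] && { echo world-open; return 0; }
    echo "ok $(( $inv + 1 ))"
}

# Constructed sample entries: the changelog's address as a single host,
# an octet above 255, and the 0.0.0.0 / 0.0.0.0 entry.
for entry in "188.122.45.122 255.255.255.255" "10.0.300.1 255.255.255.0" "0.0.0.0 0.0.0.0"; do
    set -- $entry
    echo "$1 / $2: $(check_entry "$1" "$2")"
done
```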
Title: Opening User-Manager contrib to outside
Post by: Smitro on April 11, 2005, 01:26:44 PM
What are the effects of this on other services?

My box is sitting behind a router, so I have blocked services such as samba and LDAP from the outside world, but will this have any effect on FTP users? and other services?

Sounds insecure, but how insecure are we talking?