Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: hjpal on November 25, 2010, 05:55:50 PM
-
My SME server is hosted remotely.
I have ssh access and can do db configurations etc. and access files.
I cannot however access remote-manager through web browser - I get access denied
Can anyone help me gain access through shell commands?
-
Can anyone help me gain access through shell commands?
Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.
You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel as it states:
Remote Management
It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.
Tip: It is better to set up a VPN to the server, as that is more secure than exposing your server-manager to the outside world.
-
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password
-
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password
You said you had SSH working and now you are saying you cannot login as admin. Are you or are you not able to login using SSH as root?
You should use "admin" as username not root, with the same password (if you did not alter it), for server-manager (as well as the console). Please read the manual especially the tip: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#The_Server_Console
Here is how to login to server-manager through the admin console: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#Option_6:_Access_server_manager
-
You are right. The console may be accessed when admin is used. Thank you.
But it would be nice to know if public access could be granted to different services using db configuration - I have not been able to.
I wonder if iptables may be accessed directly or should be avoided.
-
regarding this:
It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.
What I can do REMOTE: access server console and through the console access the text-based server-manager
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.
db configuration show httpd-admin gives the remote network address in the ValidFrom variable, access is localhost and status is enabled.
netstat -ant shows amongst others listen to 443,980,22
Does anyone have an idea why I cannot connect via browser?
On an XP I can establish a VPN connection connected as admin. But I don't know how I get to the graphical server-manager through the established VPN connection.
-
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.
and it's a very bad idea..
the best way is to do a vpn, then simply go to http://lan-ip-of-sme/server-manager
or you can create a ssh tunnel with
ssh root@remoteipofsme -L443:localhost:443
then simply open a browser and go to https://localhost/server-manager
the latter works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan
HTH
-
hjpal
Server manager remote access is blocked by default for security reasons.
Look in the Remote Access panel in server manager (you can initially configure it in the text based server manager).
Add the remote host IP for each location you wish to access server manager from.
Alternative access methods have been suggested earlier in this thread.
Once you have a VPN connection established, you can access it using
https://localIP/server-manager
eg
http://192.168.1.1/server-manager
If WINS is setup correctly in your VPN setup, then you should be able to use
https://servername/server-manager
or
https://www.yourdomain/server-manager
(assuming that is resolvable via your VPN connection)
You can also create a VPN tunnel in Putty, and once that is established, then access server manager using
https://localhost/server-manager
Search forums or google for how to create a tunnel using Putty, it's so easy.
Quick howto
Create a normal Putty session parameters & save them, with these extra steps
Connection - SSH-Tunnels-
Add new forwarded port
Destination: localhost:443
Source port: 443
dot next to Local
then click Add button
This adds an entry in the Forwarded ports box as:
L443 localhost:443
Using any of these methods keeps your server protected from attack via server manager, rather than using other workarounds (which do exist) to open up server manager access to the whole Internet, which is definitely NOT recommended.
-
Stefano et al
...the latter (SSH Tunnel) works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan
That's why it's a good idea to have any servers you deal with on different LAN IPs (from each other).
Also VPN can sometimes be problematic from differing locations, and a connection is not always guaranteed depending on what equipment you traverse.
I rarely (never) have problems with SSH, so an SSH tunnel is a very reliable way to then get to server manager.
-
I rarely (never) have problems with SSH, so an SSH tunnel is a very reliable way to then get to server manager.
since I'm using linux (almost windows free on my side), I prefer ssh, always ;-)
-
Thank you all.
I am on an XP. The Putty ssh tunnel suggestion worked.
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin
-
hjpal
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.
You can use https://servername/server-manager if you configure the WINS server to be the remote SME in the VPN setup
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
Because for security reasons that is the default design, and the firewall code blocks it.
And yes - the remote host is added which I can see now in both server-manager...
Because it reconfigures the firewall code and unblocks access only for that host IP or IPs (if more than one configured).
To see use
iptables -L
-
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin
As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:
Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.
You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel.
-
As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:
I don't know if we are talking about the same thing. As I have mentioned a couple of times, I believe that I have allowed explicit remote management access. In server-manager - security - Remote access under Remote Management the network and subnet mask of the remote network from which I want to access the server manager using https is added and visible. I have also told, that a db configuration show httpd-admin shows the same remote network address. So you must be talking about something else that I have missed to do.
So apart from that - what more must be done then?
-
hjpal
..what more must be done then?
What you have done sounds correct to allow access ONLY from the specified remote host external (public) IP ie from PC's etc behind that gateway.
This is my setting & it allows access to server manager from PC's on the remote host IPs.
httpd-admin=service
PermitPlainTextAccess=no
TCPPort=980
TKTAuthSecret=xxxxxx
ValidFrom=110.xxx.xx.xxx/255.255.255.255
access=localhost
status=enabled
Are you saying that under those circumstances you still get a 403 error ?
Does https access work at all to the SME eg
https://yourdomain.com
If you are using a separate firewall, have you forwarded port 443 to the SME server?
do a port scanning test at grc.com
Please explain your exact issue further.
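
Added example, not part of the original thread: a small Python check of how a ValidFrom value in address/netmask form (as in the setting above) decides which source addresses are admitted. The sample addresses are constructed, and the comma-separated multi-entry form is an assumption.

```python
import ipaddress


def parse_valid_from(value):
    """Turn a ValidFrom value into a list of ip_network objects.

    Assumption: several entries, if present, are separated by commas.
    """
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            # strict=False accepts an address with host bits set,
            # e.g. 198.51.100.77/255.255.255.0 -> 198.51.100.0/24
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(source_ip, valid_from):
    """True if the source address the server sees falls inside ValidFrom."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_valid_from(valid_from))


def exposure(valid_from):
    """List (network, number of addresses admitted) for each entry."""
    return [(str(net), net.num_addresses) for net in parse_valid_from(valid_from)]


# Constructed sample values (documentation address ranges, not from the thread).
SINGLE_HOST = "203.0.113.7/255.255.255.255"
WHOLE_SUBNET = "198.51.100.0/255.255.255.0"

if __name__ == "__main__":
    # The server sees the gateway's public address, not the PC's LAN address.
    for ip in ("203.0.113.7", "203.0.113.8", "192.168.1.50"):
        print(ip, is_allowed(ip, SINGLE_HOST))
    print(exposure(SINGLE_HOST + "," + WHOLE_SUBNET))
```

A mask of 255.255.255.255 admits exactly one address, and that address must be the public one the server sees, not the private address of a PC behind the gateway.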
-
my setting is also
httpd-admin=service
PermitPlainTextAccess=no
TCPPort=980
TKTAuthSecret=xxxxxx
ValidFrom=xxxx.xxxx.xxxx.xxxx/255.255.255.255
access=localhost
status=enabled
and I can do https://myremotehost/
and also https://myremotehost/phpmyadmin
but not https://myremotehost/server-manager
There is no firewall in front of myremotehost - all ports are open to the sme server
netstat -ant shows
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:548 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:980 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.2:53 0.0.0.0:* LISTEN
tcp 0 0 xx.xxx.x.xx:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN
tcp 0 0 xx.xxx.x.xx:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:26 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4700 0.0.0.0:* LISTEN
tcp 0 0 xx.xxx.x.xx:22 zz.zzz.zz.zz:37977 ESTABLISHED
tcp 0 52 xx.xxx.x.xx:22 yy.yyy.yyy.yy:3638 ESTABLISHED
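
Added example, not part of the original post: a Python sketch that sorts `netstat -ant` listeners by bind scope, which makes it visible that the httpd-admin port (TCPPort=980) listens on loopback only while 443, 22 and 3306 listen on all interfaces. The sample lines follow the output above; 192.0.2.10 and 198.51.100.5 are constructed stand-ins for the masked addresses.

```python
import ipaddress

# Constructed sample modelled on the netstat -ant output in the post above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:980 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:22 198.51.100.5:37977 ESTABLISHED
"""


def listeners(netstat_text):
    """Map each listening TCP port to the set of scopes it is bound on."""
    result = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header, non-TCP or non-listening socket
        host, _, port = fields[3].rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # masked or unparsable local address
        if addr.is_unspecified:
            scope = "all"        # 0.0.0.0: every interface
        elif addr.is_loopback:
            scope = "loopback"   # 127.x.x.x: local processes only
        else:
            scope = "interface"  # one specific address
        result.setdefault(int(port), set()).add(scope)
    return result


def loopback_only(netstat_text):
    """Ports that accept connections from the local machine only."""
    return sorted(p for p, s in listeners(netstat_text).items() if s == {"loopback"})


def exposed(netstat_text):
    """Ports bound on at least one non-loopback address."""
    return sorted(p for p, s in listeners(netstat_text).items() if s != {"loopback"})


if __name__ == "__main__":
    print("loopback only:", loopback_only(SAMPLE))
    print("network-facing:", exposed(SAMPLE))
```

A loopback-only port is reachable from outside only through another listener on the host, which is why the SSH tunnel in this thread forwards to localhost:443 on the server.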
-
hjpal
Please lodge a bug report so your issue can be properly investigated
-
Please follow here: http://bugs.contribs.org/show_bug.cgi?id=6405