Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: hjpal on November 25, 2010, 05:55:50 PM

Title: no remote access to server-manager
Post by: hjpal on November 25, 2010, 05:55:50 PM
My sme server is hosted remote.
I have SSH access and can do db configurations etc. and access files.

I cannot however access remote-manager through web browser - I get access denied

Can anyone help me gain access through shell commands?
Title: Re: no remote access to server-manager
Post by: cactus on November 25, 2010, 06:31:43 PM
Quote
Can anyone help me gain access through shell commands?

Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.

You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel as it states:

Quote
Remote Management

It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.

Tip: It is better to set up a VPN to the server as that is more secure than exposing your server-manager to the outside world.
Title: Re: no remote access to server-manager
Post by: hjpal on November 25, 2010, 07:21:38 PM
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password
Title: Re: no remote access to server-manager
Post by: cactus on November 25, 2010, 07:33:11 PM
Quote
I have not had any success with the admin console. I have tried that.
Even though I type root plus password I get Invalid username or password

You said you had SSH working and now you are saying you cannot login as admin. Are you or are you not able to login using SSH as root?

You should use "admin" as username not root, with the same password (if you did not alter it), for server-manager (as well as the console). Please read the manual especially the tip: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#The_Server_Console

Here is how to login to server-manager through the admin console: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter6#Option_6:_Access_server_manager
Title: Re: no remote access to server-manager
Post by: hjpal on November 25, 2010, 08:23:45 PM
You are right. The console may be accessed when admin is used. Thank you.

But it would be nice to know if public access could be granted to different services using db configuration - I have not been able to.
I wonder if iptables may be accessed directly or should be avoided.
Title: Re: no remote access to server-manager
Post by: hjpal on November 26, 2010, 02:16:18 PM
Regarding this:
Quote
It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.
What I can do REMOTE: access server console and through the console access the text-based server-manager
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.
db configuration show httpd-admin gives the remote network address in the ValidFrom variable, access is localhost and status is enabled.
netstat -ant shows amongst others listen to 443,980,22
Does anyone have an idea why I cannot connect via browser?

On an XP I can establish a VPN connection connected as admin. But I don't know how I get to the graphical server-manager through the established VPN connection.
Title: Re: no remote access to server-manager
Post by: Stefano on November 26, 2010, 02:38:05 PM
Quote
What I can't do: access server-manager via https://remoteserver/server-manager (this is rejected with an http 403 error)
And I would like to be able to do the latter.

and it's a very bad idea..

the best way is to do a vpn, then simply go to http://lan-ip-of-sme/server-manager

or you can create a ssh tunnel with

Code:
ssh root@remoteipofsme -L443:localhost:443

then simply open a browser and go to https://localhost/server-manager

the latter works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan

HTH
Title: Re: no remote access to server-manager
Post by: janet on November 26, 2010, 02:44:12 PM
hjpal

Server manager remote access is blocked by default for security reasons.

Look in the Remote Access panel in server manager (you can initially configure it in the text based server manager).
Add the remote host IP for each location you wish to access server manager from.

Alternative access methods have been suggested earlier in this thread.

Once you have a VPN connection established, you can access it using
https://localIP/server-manager
eg
http://192.168.1.1/server-manager

If WINS is setup correctly in your VPN setup, then you should be able to use
https://servername/server-manager
or
https://www.yourdomain/server-manager
(assuming that is resolvable via your VPN connection)

You can also create a VPN tunnel in Putty, and once that is established, then access server manager using
https://localhost/server-manager
Search forums or google for how to create a tunnel using Putty, it's so easy.
Quick howto
Create a normal Putty session parameters & save them, with these extra steps
Connection - SSH-Tunnels-
Add new forwarded port
Destination: localhost:443
Source port: 443
dot next to Local
then click Add button
This adds an entry in the Forwarded ports box as:
L443  localhost:443


Using any of these methods keeps your server protected from attack via server manager, rather than using other workarounds (which do exist) to open up server manager access to the whole Internet, which is definitely NOT recommended.
Title: Re: no remote access to server-manager
Post by: janet on November 26, 2010, 02:48:54 PM
Stefano et al

Quote
...the latter (SSH Tunnel) works in any case.. with vpn you can have trouble if internal ip of SME is in the same class of your lan

That's why it's a good idea to have any servers you deal with on different LAN IPs (from each other).
Also VPN can sometimes be problematic from differing locations, and a connection is not always guaranteed depending on what equipment you traverse.
I rarely (never) have problems with SSH, so an SSH tunnel is a very reliable way to then get to server manager.
Title: Re: no remote access to server-manager
Post by: Stefano on November 26, 2010, 02:57:40 PM
Quote
I rarely (never) have problems with SSH, so an SSH tunnel is a very reliable way to then get to server manager.

since I'm using linux (almost windows free on my side), I prefer ssh, always ;-)
Title: Re: no remote access to server-manager
Post by: hjpal on November 26, 2010, 04:53:34 PM
Thank you all.
I am on an XP. The Putty ssh tunnel suggestion worked.
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.

I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin
Title: Re: no remote access to server-manager
Post by: janet on November 26, 2010, 05:04:31 PM
hjpal

Quote
The VPN tunnel did not - presumably because local ip is in the same class, which one warned.

You can use https://servername/server-manager if you configure the WINS server to be the remote SME in the VPN setup.


Quote
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.

Because for security reasons that is the default design, and the firewall code blocks it.

Quote
And yes - the remote host is added which I can see now in both server-manager...

Because it reconfigures the firewall code and unblocks access only for that host IP or IPs (if more than one configured).

To see use
iptables -L
Title: Re: no remote access to server-manager
Post by: cactus on November 26, 2010, 05:06:46 PM
Quote
I am aware of all the bad idea warnings, but I still don't know why a direct https connection to server-manager is rejected.
And yes - the remote host is added which I can see now in both server-manager and through a db configuration show httpd-admin

As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:

Quote
Since you are able to SSH into your machine you should be able to access server-manager through the admin console when logged in as admin.

You should then also be able to configure remote access to server-manager from your IP address through server-manager on the remote access panel.
Title: Re: no remote access to server-manager
Post by: hjpal on November 27, 2010, 12:09:31 AM
Quote
As you have been told by me and others already, because you need to configure it explicitly to allow it, see my first post in this thread:
I don't know if we are talking about the same thing. As I have mentioned a couple of times, I believe that I have allowed explicit remote management access. In server-manager - security - Remote access under Remote Management the network and subnet mask of the remote network from which I want to access the server manager using https is added and visible. I have also told, that a
Quote
db configuration show httpd-admin
shows the same remote network address. So you must be talking about something else that I have missed to do.

So apart from that - what more must be done then?
Title: Re: no remote access to server-manager
Post by: janet on November 27, 2010, 12:46:06 AM
hjpal

Quote
..what more must be done then?

What you have done sounds correct to allow access ONLY from the specified remote host external (public) IP ie from PC's etc behind that gateway.
This is my setting & it allows access to server manager from PC's on the remote host IPs.

httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    TKTAuthSecret=xxxxxx
    ValidFrom=110.xxx.xx.xxx/255.255.255.255
    access=localhost
    status=enabled

Are you saying that under those circumstances you still get a 403 error ?
Does https access work at all to the SME eg
https://yourdomain.com
If you are using a separate firewall, have you forwarded port 443 to the SME server?
Do a port scanning test at grc.com

Please explain your exact issue further.
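
Added example (not part of any post in this thread, and not SME Server code): a check of which source addresses a `ValidFrom` value admits and whether any entry is wider than intended, run over constructed `db configuration show httpd-admin` output. It assumes multiple `ValidFrom` entries are comma-separated `network/mask` pairs and that the address tested is the public IP the server sees; the function names and sample addresses are illustrative.

```python
import ipaddress

# Constructed sample of `db configuration show httpd-admin` output; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    ValidFrom=203.0.113.7/255.255.255.255,198.51.100.0/255.255.255.0
    access=localhost
    status=enabled
"""

def parse_props(text):
    """Turn the indented key=value lines into a dict (first line is name=type)."""
    props = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key] = value
    return props

def valid_from_networks(props):
    """Parse ValidFrom into networks; assumes comma-separated network/mask."""
    nets = []
    for entry in props.get("ValidFrom", "").split(","):
        entry = entry.strip()
        if entry:
            # strict=False masks off host bits instead of raising ValueError
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_allowed(client_ip, nets):
    """True if the public source address falls inside any ValidFrom entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)

def broad_entries(nets, max_hosts=256):
    """Entries covering more than max_hosts addresses deserve a second look."""
    return [str(n) for n in nets if n.num_addresses > max_hosts]

if __name__ == "__main__":
    nets = valid_from_networks(parse_props(SAMPLE))
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.42"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
    print("broad entries:", broad_entries(nets))
```
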
Title: Re: no remote access to server-manager
Post by: hjpal on November 27, 2010, 09:11:26 AM
my setting is also
Quote
httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    TKTAuthSecret=xxxxxx
    ValidFrom=xxxx.xxxx.xxxx.xxxx/255.255.255.255
    access=localhost
    status=enabled

and I can do https://myremotehost/
and also https://myremotehost/phpmyadmin
but not https://myremotehost/server-manager

There is no firewall in front of myremotehost - all ports are open to the sme server
netstat -ant shows
Quote
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State     
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:515                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:548                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:980               0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.2:53                0.0.0.0:*                   LISTEN     
tcp        0      0 xx.xxx.x.xx:53              0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:3128              0.0.0.0:*                   LISTEN     
tcp        0      0 xx.xxx.x.xx:3128            0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:26                0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN     
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN     
tcp        0      0 127.0.0.1:4700              0.0.0.0:*                   LISTEN     
tcp        0      0 xx.xxx.x.xx:22              zz.zzz.zz.zz:37977          ESTABLISHED
tcp        0     52 xx.xxx.x.xx:22              yy.yyy.yyy.yy:3638         ESTABLISHED
Title: Re: no remote access to server-manager
Post by: janet on November 27, 2010, 01:13:03 PM
hjpal

Please lodge a bug report so your issue can be properly investigated
Title: Re: no remote access to server-manager
Post by: chris burnat on November 28, 2010, 08:06:10 AM
Please follow here: http://bugs.contribs.org/show_bug.cgi?id=6405