Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: Graham on April 07, 2017, 12:13:54 AM
-
I've started using SME Server again and I'm looking for a way to stop some of the local networks being able to access /server-manager and SSH.
Is this possible?
-
Are you using SME 10? Because that's in early Alpha, and shouldn't be used in anything remotely resembling a production environment.
-
Posted in the wrong place. I'm using SME 9; can this be moved please?
-
moving to 9.x section as requested
-
hi, welcome back :-)
try to play with this:
https://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables
involved services are sshd and httpd-admin
HTH
-
You say "networks", so here are some examples using network terminology.
Assumption: you want to block access to server-manager and ssh from 10.10.10.0/24
config setprop httpd-admin DenyHosts 10.10.10.0/24
config setprop sshd DenyHosts 10.10.10.0/24
signal-event remoteaccess-update
Undo using:
config delprop httpd-admin DenyHosts
config delprop sshd DenyHosts
signal-event remoteaccess-update
-
Doesn't look like that works. I can see that after doing
config setprop sshd DenyHosts 192.168.8.0/24
signal-event remoteaccess-update
the following is added to the masq config:
# sshd: TCPPorts: 22, AllowHosts: , DenyHosts: 192.168.8.0/255.255.255.0
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 22 \
--destination $OUTERNET --src 192.168.8.0/255.255.255.0 --jump denylog
which adds the following to iptables:
-A InboundTCP_4881 -s 192.168.8.0/24 -d 192.168.8.12/32 -p tcp -m tcp --dport 22 -j denylog
However, SSH can still be accessed from any IP on 192.168.8.0/24.
My local networks are set as
192.168.6.0/24
192.168.8.0/24 ---- servers IP 192.168.8.12
-
Interesting.
It looks like you're specifically trying to deny access to your server from the server's own local network; I don't see any way to do that without custom templates.
If your server is currently in 'server-only' mode, you could put it in server-gateway mode and put the 192.168.8 network on the WAN -- then your issue is allowing the services you want accessible from 192.168.8.x rather than denying the services that are customarily assumed to be safe from the LAN.
If you want to pursue custom templates...
sshd
customize /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH.
Here I've taken the masq code from your last post and removed the "--destination $OUTERNET" bit.
Note that the SSH port is hard-coded; you'll have to change it here manually if you also change the SSH port in server-manager.
#
#create custom template directory
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
#
# copy current ssh fragment
# (note the space and dot at the end of the next line)
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH .
#
# add a custom masq rule to the end of the template that does not reference "$OUTERNET"
# (this command adds content outside the perl braces {}, so is treated as plain text during template expansion)
echo '
# custom template
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 22 \
--src 192.168.8.0/255.255.255.0 --jump denylog
' >> 90InboundTCP07FilterSSH
#
#activate changes
signal-event remoteaccess-update
To disable/remove these changes:
#sshd
rm -f /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH
#
# activate changes
signal-event remoteaccess-update
server-manager
My advice re 'httpd-admin' is/was misguided. server-manager (httpd-admin) shares a port with httpd-e-smith - you probably didn't mean to block access to your SME web server as well as server-manager.
To allow access to server-manager from 192.168.6.0 while denying it from 192.168.8.0 (the server's LAN), you'll need to copy and customize /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/01localAccessString or /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/90e-smithAccess20manager
(details left up to you...)
-
regarding ssh, maybe a custom fragment for /etc/hosts.allow will do the trick
-
I've given the SSH masq template a try and it still seems to be letting SSH connections in from 192.168.8.0.
Below is the output of iptables; the bold one is the rule that is being added.
What we are trying to achieve is that only the IT department, who are on 192.168.6.0, is able to access the management parts of SME.
[root@gws-alpha ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ForwardedTCP
-N ForwardedTCP_8442
-N ForwardedUDP
-N ForwardedUDP_8442
-N InboundICMP
-N InboundICMP_8442
-N InboundTCP
-N InboundTCP_8442
-N InboundUDP
-N InboundUDP_8442
-N PPPconn
-N PPPconn_1
-N SMTPProxy
-N SSH_Autoblock
-N denylog
-N gre-in
-N local_chk
-N local_chk_8442
-N state_chk
-A INPUT -j state_chk
-A INPUT -j local_chk
-A INPUT -j PPPconn
-A INPUT -s 224.0.0.0/4 -j denylog
-A INPUT -d 224.0.0.0/4 -j denylog
-A INPUT -p icmp -j InboundICMP
-A INPUT -p icmp -j denylog
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A INPUT -i bond0 -p udp -j InboundUDP
-A INPUT -i bond0 -p udp -j denylog
-A INPUT -p gre -j gre-in
-A INPUT -p gre -j denylog
-A INPUT -j denylog
-A FORWARD -j state_chk
-A FORWARD -p tcp -m tcp --dport 25 -j SMTPProxy
-A FORWARD -j local_chk
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ForwardedTCP
-A FORWARD -p udp -j ForwardedUDP
-A FORWARD -j denylog
-A OUTPUT -j PPPconn
-A OUTPUT -s 224.0.0.0/4 -j denylog
-A OUTPUT -d 224.0.0.0/4 -j denylog
-A OUTPUT -j ACCEPT
-A ForwardedTCP -j ForwardedTCP_8442
-A ForwardedTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A ForwardedUDP -j ForwardedUDP_8442
-A ForwardedUDP -p udp -j denylog
-A InboundICMP -j InboundICMP_8442
-A InboundICMP -p icmp -j denylog
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A InboundICMP_8442 -j denylog
-A InboundTCP -j InboundTCP_8442
-A InboundTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP_8442 ! -d 192.168.8.12/32 -j denylog
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A InboundTCP_8442 -s 192.168.8.0/24 -p tcp -m tcp --dport 22 -j denylog
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A InboundUDP -j InboundUDP_8442
-A InboundUDP -p udp -j denylog
-A InboundUDP_8442 ! -d 192.168.8.12/32 -j denylog
-A PPPconn -j PPPconn_1
-A SSH_Autoblock -m recent --set --name SSH --rsource
-A SSH_Autoblock -m recent --rcheck --seconds 900 --hitcount 4 --rttl --name SSH --rsource -j denylog
-A denylog -p udp -m udp --dport 520 -j DROP
-A denylog -p udp -m udp --dport 137:139 -j DROP
-A denylog -p tcp -m tcp --dport 137:139 -j DROP
-A denylog -j ULOG --ulog-prefix "denylog:"
-A denylog -j DROP
-A gre-in ! -d 192.168.8.12/32 -j denylog
-A gre-in -j denylog
-A local_chk -j local_chk_8442
-A local_chk_8442 -i lo -j ACCEPT
-A local_chk_8442 -s 192.168.8.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.6.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.12.0/24 -j ACCEPT
-A state_chk -m state --state RELATED,ESTABLISHED -j ACCEPT
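The dump above already shows why the masq rule added to InboundTCP_8442 never fires: INPUT jumps to local_chk before it jumps to InboundTCP, and local_chk_8442 accepts everything from 192.168.8.0/24 and 192.168.6.0/24, so a LAN packet is accepted before the --dport 22 denylog rule is ever consulted. The Python below is an added example, not code from the thread or from SME Server: it replays that traversal over a trimmed copy of the posted ruleset. The function names (decide, ssh_syn, trace), the client addresses 192.168.8.50, 192.168.6.20 and 203.0.113.9, and the choice to model only the matches that occur in the dump (-s, -d, -p, --dport, --state, --tcp-flags; no recent/limit modules) are assumptions made here.

```python
import ipaddress
import shlex

# Constructed sample: the INPUT-path chains from the `iptables -S` dump posted above,
# trimmed to the rules a TCP SYN to port 22 can reach.
RULESET = """\
-P INPUT DROP
-A INPUT -j state_chk
-A INPUT -j local_chk
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP -j InboundTCP_8442
-A InboundTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP_8442 ! -d 192.168.8.12/32 -j denylog
-A InboundTCP_8442 -s 192.168.8.0/24 -p tcp -m tcp --dport 22 -j denylog
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A denylog -j ULOG --ulog-prefix "denylog:"
-A denylog -j DROP
-A local_chk -j local_chk_8442
-A local_chk_8442 -s 192.168.8.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.6.0/24 -j ACCEPT
-A state_chk -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# Number of arguments each option consumes; options absent here consume none.
ARITY = {"--tcp-flags": 2, "-j": 1, "-s": 1, "-d": 1, "-p": 1, "-i": 1, "--dport": 1,
         "--state": 1, "-m": 1, "--ulog-prefix": 1, "--reject-with": 1}
TESTS = {"-s", "-d", "-p", "-i", "--dport", "--state", "--tcp-flags"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(tok):
    """Tokens after '-A CHAIN' -> (matches, target); a '!' negates the next test."""
    matches, target, negate, i = [], None, False, 0
    while i < len(tok):
        n = ARITY.get(tok[i], 0)
        args = tok[i + 1:i + 1 + n]
        if tok[i] == "!":
            negate = True
        elif tok[i] == "-j":
            target = args[0]
        elif tok[i] in TESTS:
            matches.append((tok[i], args if n == 2 else args[0], negate))
        if tok[i] != "!":
            negate = False
        i += 1 + n
    return matches, target

def parse_ruleset(text):
    """`iptables -S` output -> ({built-in chain: policy}, {chain: [(matches, target, line)]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            chains.setdefault(tok[1], []).append((*parse_rule(tok[2:]), line))
    return policies, chains

def rule_matches(matches, pkt):
    # Every test must hold; a negated test holds exactly when its check fails.
    for kind, arg, negate in matches:
        if kind in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if kind == "-s" else "dst"])
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif kind in ("-p", "-i"):
            hit = pkt["proto" if kind == "-p" else "iface"] == arg
        elif kind == "--dport":
            hit = pkt.get("dport") == int(arg)
        elif kind == "--state":
            hit = pkt["state"] in arg.split(",")
        else:  # --tcp-flags MASK COMP: the flags selected by MASK must equal COMP
            mask, comp = (set(x.split(",")) for x in arg)
            hit = (pkt["flags"] & mask) == comp
        if hit == negate:
            return False
    return True

def trace(chains, pkt, chain="INPUT", path=None):
    """Walk a chain as netfilter does; returns (verdict or None, rules matched so far)."""
    path = [] if path is None else path
    for idx, (matches, target, line) in enumerate(chains.get(chain, []), 1):
        if not rule_matches(matches, pkt):
            continue
        path.append(f"{chain}#{idx}: {line}")
        if target in TERMINAL:
            return target, path
        if target in ("ULOG", "LOG", None):
            continue  # logging targets and match-only rules do not end traversal
        verdict, path = trace(chains, pkt, target, path)  # jump into a user chain
        if verdict is not None:
            return verdict, path
    return None, path  # chain exhausted: back to the caller, or the policy at top level

def decide(ruleset_text, pkt):
    # Verdict for a packet entering INPUT, with the rules it matched on the way.
    policies, chains = parse_ruleset(ruleset_text)
    verdict, path = trace(chains, pkt)
    return (verdict, path) if verdict else (policies["INPUT"], path + ["INPUT policy"])

def ssh_syn(src, dst="192.168.8.12"):
    # A new TCP SYN to port 22 from src, arriving on bond0 as in the posted dump.
    return {"src": src, "dst": dst, "proto": "tcp", "dport": 22, "iface": "bond0",
            "flags": {"SYN"}, "state": "NEW"}
```

Calling decide(RULESET, ssh_syn("192.168.8.50")) returns ACCEPT with the path ending in local_chk_8442, never touching InboundTCP_8442; the same packet against a copy of the ruleset with the "-s 192.168.8.0/24 -j ACCEPT" line removed from local_chk_8442 is dropped by the --dport 22 rule. On the real server the equivalent check is the per-rule packet counters from iptables -L InboundTCP_8442 -v -n, which stay at zero for the custom rule while the local_chk counters climb.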
-
Graham
Is this as simple as "can you change the root/admin password and only let those who should have access know the new password"?
Perhaps even configure different passwords for root and admin.
Further to that, create the user permissions file for ssh to control access rights per user.
You need to provide more info on which user login(s) you are trying to block.
-
regarding ssh, maybe a custom fragment for /etc/hosts.allow will do the trick
Thanks, that did the trick for SSH.
Create Custom template /etc/e-smith/templates-custom/etc/hosts.allow/sshd
sshd: 192.168.6.0/255.255.255.0
followed by
signal-event remoteaccess-update
For Server Manager I ended up doing
Create Custom template /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass
{
    # vim: ft=perl:
    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
    $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
    $plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
    $sslPort = ${modSSL}{TCPPort} || '443';
    $OUT = '';
    foreach $place ('server-manager','server-common','user-password')
    {
        if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
        {
            $OUT .= '    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
            $OUT .= "    RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
        }
        if ($port eq $sslPort)
        {
            # mod_auth_tkt needs to know the protocol to write 307 redirection
            $OUT .= "    RequestHeader set X-Forwarded-Proto \"https\"\n";
        }
        $OUT .= "    ProxyPass /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
        $OUT .= "    ProxyPassReverse /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
        $OUT .= "    <Location /$place>\n";
        $OUT .= "        order deny,allow\n";
        $OUT .= "        deny from all\n";
        if ($port eq $plainPort)
        {
            $OUT .= '        allow from 127.0.0.1' . "\n";
        }
        elsif (($haveSSL eq 'yes') && (($port eq $sslPort) || ($plainTextAccess ne 'yes')))
        {
            $OUT .= "        allow from 127.0.0.1 192.168.6.0/255.255.255.0 $externalSSLAccess\n";
        } else {
            $OUT .= "        allow from 127.0.0.1 192.168.6.0/255.255.255.0\n";
        }
        $OUT .= "    </Location>\n";
    }
}
followed by
expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/
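Both fixes in the post above gate a service in userspace rather than in the firewall: tcp_wrappers for sshd, and a <Location> ACL in the front-end httpd-e-smith for /server-manager (httpd-admin itself is only reached through the ProxyPass to 127.0.0.1). The Python below is an added example, not code from the thread or from SME Server, that evaluates both rules for a set of client addresses so the resulting access matrix can be checked before it is relied on. Assumptions made here: a catch-all `sshd: ALL: DENY` entry follows the posted fragment in the expanded /etc/hosts.allow (verify with cat; without such an entry tcp_wrappers permits any client it does not explicitly deny), $externalSSLAccess is empty, and the client addresses and function names are chosen for the example.

```python
import ipaddress

# Constructed: the hosts.allow fragment posted above, plus a catch-all deny for sshd
# that is ASSUMED to follow it in the expanded /etc/hosts.allow. Without such a line
# tcp_wrappers allows every client it does not explicitly deny.
HOSTS_ALLOW = """\
sshd: 192.168.6.0/255.255.255.0
sshd: ALL: DENY
"""
# Constructed: the <Location> body the template above emits on the SSL port
# (with $externalSSLAccess assumed empty) and on the plain HTTP port.
LOCATION_SSL = """\
order deny,allow
deny from all
allow from 127.0.0.1 192.168.6.0/255.255.255.0
"""
LOCATION_PLAIN = """\
order deny,allow
deny from all
allow from 127.0.0.1
"""

def client_matches(pattern, ip):
    """ALL/all, a single address, or a net/mask pattern (dotted mask or prefix length)."""
    if pattern.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostnames and other pattern forms are not modelled here

def tcp_wrappers_allows(hosts_allow, daemon, ip, hosts_deny=""):
    """tcp_wrappers order: first match in hosts.allow wins, then hosts.deny, else allow.
    A trailing ': DENY' or ': ALLOW' option overrides the file's default verdict."""
    for text, default in ((hosts_allow, True), (hosts_deny, False)):
        for raw in text.splitlines():
            fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
            if len(fields) < 2:
                continue
            daemons = fields[0].replace(",", " ").split()
            clients = fields[1].replace(",", " ").split()
            option = fields[2].upper() if len(fields) > 2 else ""
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(client_matches(c, ip) for c in clients):
                return {"DENY": False, "ALLOW": True}.get(option, default)
    return True

def apache_allows(location_body, ip):
    """Apache 2.2 'Order' / 'Allow from' / 'Deny from' evaluation for one client."""
    order, allows, denies = "deny,allow", [], []
    for raw in location_body.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0].lower() == "order":
            order = parts[1].lower()
        elif len(parts) >= 3 and parts[1].lower() == "from":
            (allows if parts[0].lower() == "allow" else denies).extend(parts[2:])
    allowed = any(client_matches(p, ip) for p in allows)
    denied = any(client_matches(p, ip) for p in denies)
    if order == "deny,allow":      # default allow; an Allow match overrides Deny
        return allowed or not denied
    return allowed and not denied  # allow,deny: default deny; a Deny match overrides Allow

def access_matrix(clients):
    """Per client: (ssh via tcp_wrappers, server-manager over https, over plain http)."""
    return {ip: (tcp_wrappers_allows(HOSTS_ALLOW, "sshd", ip),
                 apache_allows(LOCATION_SSL, ip),
                 apache_allows(LOCATION_PLAIN, ip)) for ip in clients}
```

With these inputs access_matrix(["127.0.0.1", "192.168.6.20", "192.168.8.50", "203.0.113.9"]) allows ssh and HTTPS server-manager only from 192.168.6.20, and refuses both from the server's own LAN and from outside. Two details worth noticing: the posted fragment does not list 127.0.0.1, so under a catch-all deny an ssh connection from the server to itself is refused as well (add 127.0.0.1 to the fragment if that is wanted), and the plain-port Location allows only loopback, which is why non-local clients are redirected to HTTPS before the ACL applies.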