LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Mandriva
User Name
Password
Mandriva This Forum is for the discussion of Mandriva (Mandrake) Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 04-07-2004, 12:22 PM   #1
maverick106
LQ Newbie
 
Registered: May 2003
Distribution: Redhat 9.0
Posts: 7

Rep: Reputation: 0
Mandrake 10: Issues with "higher" security setting and web server


Hi all.

I'm not entirely new to linux, but this is certainly my first time attempting to set up a fairly secure server. I have Mandrake 10.0 installed, and am running the apache2 web server that is installed with the distro. I have copied all of my files over, modified the httpdcommon.conf file, and was still getting a 403 Forbidden error when attempting to go to the page from an external box. However, i noticed that if i moved the security setting down to "High" instead of "Higher", i was able to access the web page fine. \

I guess I don't really know enough about what the security settings are changing, but I need this box to be as secure as possible. I haven't been able to find any really good documentation on what the specific differences are between each of the security settings...can anyone help?
 
Old 04-07-2004, 12:28 PM   #2
Redeye2
Member
 
Registered: Feb 2004
Posts: 489

Rep: Reputation: Disabled
I suppose it's blocking the port 80 which is the one web servers use to communicate (in this case apache). Maybe you'll want to find and install a firewall that blocks every other port except those you definetely need and keep using the high setting on the mandrake security feature. Look for one in www.sourceforge.net

Last edited by Redeye2; 04-07-2004 at 12:30 PM.
 
Old 04-07-2004, 12:39 PM   #3
maverick106
LQ Newbie
 
Registered: May 2003
Distribution: Redhat 9.0
Posts: 7

Original Poster
Rep: Reputation: 0
I thought the same thing, but running nmap on localhost shows that port 80 is open for http...am i wrong in assuming that nmap can accurately show me which ports are actually open to connections?
 
Old 04-07-2004, 01:01 PM   #4
Redeye2
Member
 
Registered: Feb 2004
Posts: 489

Rep: Reputation: Disabled
Then it must the ports for the data that's going out. Because HTTP listens on port 80, but it sends data over other free ports 1800+ or so I think.
So I think that your server listens and connects on port 80 but can't send data back because the higher security settings won't allow it to acquire those out ports. Just a guess obviously
 
Old 04-07-2004, 01:10 PM   #5
maverick106
LQ Newbie
 
Registered: May 2003
Distribution: Redhat 9.0
Posts: 7

Original Poster
Rep: Reputation: 0
hmm, interesting. The only ports i see open are 22, 80, and 111, so that very well could be true. How do i go about changing that in mandrake? I assume i have to manually set some port to be the output port, or give httpd access to opening output ports...
 
Old 04-07-2004, 04:49 PM   #6
Redeye2
Member
 
Registered: Feb 2004
Posts: 489

Rep: Reputation: Disabled
The HTTP protocol automatically finds and assigns a free port to that connection which then it also automatically closes once it has transmitted the files. Which is to say that is doesn't open a permanent channel, it just opens, transmits and closes (that's why you have to use JSP sometimes if you need a persistent connection).
First, I'd say that you verify that connections are actually established on port 80. To see that:
1) In a console type netstat
2) Check if the port 80 is listening
3) Try to access a webpage on your computer and inmediately type netstat again. You should see that instead of listening, it should established, time wait, or something like that. It means that you had a connection (or currently have) which was established.

Once that is off the way, do the same but now with the mandrake firewall High settings (the ones that let you see the webpage) and do the same thing. But now it should state that other port (which wasn't there in netstat before), has been opened and it's status is established, time wait or whatever. That was the port used to send data to the client.
Up to this point you should be pretty much aware if mandrake is indeed blocking the out port, or the problem is still on port 80.
Keep replying until it works
 
Old 04-26-2004, 10:39 AM   #7
maverick106
LQ Newbie
 
Registered: May 2003
Distribution: Redhat 9.0
Posts: 7

Original Poster
Rep: Reputation: 0
I'd like to re-open this thread...i was out of town for a few weeks, and am now back to working on this server :-/

Anyway, I did the netstat tests suggested above, and found something interesting, though i'm not sure what to make of it.

When mandrake is set to 'high' (lower setting that it is allowing web access from) and I open a web page on the server, it establishes 2 connections as random high numbered ports. When i turn it up to 'higher', it only establishes one high numbered port for output, and, of course, does not allow access to the page. What could this indicate?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
No CDROM and sound after changing security level to "Higher" banhbao Mandriva 1 02-25-2005 06:52 PM
difference between "Web server local URL" and "IPv4 address"? kpachopoulos Linux - General 2 09-17-2004 01:30 PM
MDK 10 "higher" security issues bairdec Mandriva 2 05-16-2004 04:39 PM
Running Tomcat non-root with MSEC setting of "Higher" twbutler Mandriva 0 03-24-2004 08:26 PM
"Higher" security level stops me booting john_walsh54 Mandriva 3 10-04-2003 07:53 PM


All times are GMT -5. The time now is 08:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration