Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: Master of Reality on 25 April 2002, 01:19

Title: apache
Post by: Master of Reality on 25 April 2002, 01:19
How do I set Apache to be on a certain interface?
When I just started it, it only listened/connected to my internal interface. I need it on my external interface.
Title: apache
Post by: voidmain on 25 April 2002, 03:11
It should have bound to both by default. Look at the "BindAddress" tag and the "Listen" tag in your httpd.conf file.
Title: apache
Post by: Master of Reality on 26 April 2002, 02:15
Are there any special security issues I should know about when running a website on my server?

http://chatroom.fuckmicrosoft.com
Title: apache
Post by: voidmain on 26 April 2002, 05:59
Of course there are. People should have access to exactly what you want them to access and nothing more. Although a basic web site on a default Apache install is generally pretty safe, you might want to turn off things you aren't using and hide unnecessary information. For instance, by default information can be obtained from Apache headers. Things like operating system and version, Apache version, PHP version (if installed), SSL version, etc. This information can be turned off, as knowing this information can be helpful to a hacker. PHP should be updated as there are vulnerabilities in the version you likely have (although they may not be easily exploited). You can also set directory permissions like not allowing directory listing (directory listing is turned off by default). I don't want to make it sound like if you don't button up Apache on a default install that you will get hacked because it's very likely that it won't, but you do need to be conscious of what security implications there are, especially if you are doing CGI programming or other server side generated content. I would suggest looking over Apache's web site and doing some Google searches on Apache+security etc. Also if you use MySQL or PostgreSQL on your web server you not only have to worry about security of the database with Apache but whether the database server itself is secure and is not listening on your outside interfaces for people to try to hack... Especially if you don't set an admin password, etc. The more services you associate with Apache the more complex your security becomes.

[ April 25, 2002: Message edited by: VoidMain ]
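
An audit for the header and directory-listing settings described in the post above, as an added example that is not part of the original thread. It relies on the Apache directives `ServerTokens`, `ServerSignature` and `Options`, which the post does not name; the function name `audit_httpd_conf` and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag httpd.conf settings that leak
# version details or enable directory listing. Reads a config on stdin.

audit_httpd_conf() {
    awk '
        $1 ~ /^#/ { next }                       # ignore comment lines
        { d = tolower($1) }
        d == "servertokens"    { tokens = tolower($2) }
        d == "serversignature" { sig = tolower($2) }
        d == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all")
                    print "WARN line " NR ": Options " $i " allows directory listing"
            }
        }
        END {
            # ServerTokens falls back to Full when the directive is absent.
            if (tokens != "prod" && tokens != "productonly")
                print "WARN ServerTokens " (tokens == "" ? "unset (Full)" : tokens) ": Server header reveals version details"
            # ServerSignature is Off unless the config turns it on.
            if (sig == "on" || sig == "email")
                print "WARN ServerSignature " sig ": generated error pages show server details"
        }'
}

# Constructed sample: a config that exposes more than it needs to.
weak_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

# Constructed sample: the same config with the disclosure settings tightened.
hardened_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
EOF
}

weak_conf | audit_httpd_conf        # three findings
hardened_conf | audit_httpd_conf    # no output
```

On a live server, feed it the real file, for example `audit_httpd_conf < /etc/httpd/conf/httpd.conf` on Red Hat. PHP's `X-Powered-By` header is controlled separately by `expose_php` in php.ini.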

Title: apache
Post by: Master of Reality on 8 May 2002, 00:51
Well.. I must have screwed something up somewhere (again). I set up Apache (a while ago), http://chatroom.fuckmicrosoft.com and now I can't get to the website from any computer other than the computers in my network, I get a 525 error, can't connect to remote host (I think that's what the 525 error is). Could it be that my local computers are just getting off the internal interface? I don't know how they would do that because they have to look up the DNS name to find out that chatroom.fuckmicrosoft.com is my IP address. Could squid be blocking people from getting to my webserver? I'm not running a transparent proxy. And squid and Apache are running on the same Red Hat 7.2 machine.
Title: apache
Post by: voidmain on 8 May 2002, 00:59
Do a "netstat -a | grep www" which if you have Apache running and bound to all interfaces should show a line like:

tcp 0 0 *:www *:* LISTEN

If it is just bound to one interface or the other the "*" in "*:www" will contain the interface address or hostname.

I can ping/traceroute to you but I get "no route to host" when I try to telnet to your port 80 which I'm guessing means your provider is dropping http traffic to you.  Maybe they don't want you putting up a web server.  It would explain why you can get to your outside interface from your inside machines as you would not be going through their routers to get there.

I have an idea. Why don't you try running your web server on a port other than 80. Maybe they are only blocking 80. Try 8000 for instance, then restart your httpd service. Test it with http://chatroom.fuckmicrosoft.com:8000

[ May 07, 2002: Message edited by: VoidMain ]

Title: apache
Post by: Master of Reality on 8 May 2002, 01:35
Try going to http://chatroom.fuckmicrosoft.com:3000
Title: apache
Post by: voidmain on 8 May 2002, 01:40
Nope, connection refused. Do you have anything in your ipchains rules that would be blocking 80 (or now 3000)? /sbin/ipchains -L
Title: apache
Post by: Master of Reality on 8 May 2002, 02:12
I looked at everything else and now I searched through the Apache error logs. I found out that Apache couldn't bind with port 80.
The error reads:
[date here is right after i restarted apache][crit] (98)Address already in use: make_sock: could not bind to port 80

What do you think would cause this?
Title: apache
Post by: voidmain on 8 May 2002, 03:03
Exactly what it says. You already have a process bound to port 80 so Apache can't start.  When you stop Apache (/etc/rc.d/init.d/httpd stop) then do a "netstat -a | grep www" you should get nothing back. If you do you have another process listening on port 80.
Title: apache
Post by: Master of Reality on 8 May 2002, 07:41
There is something listening on my "http" port, I don't know what it is though. I did "netstat -a | grep http" it didn't show anything either time I did "netstat -a | grep www" I also did just "netstat -a" I looked at all the connections and it shows something listening on my http port.
Title: apache
Post by: voidmain on 8 May 2002, 21:28
You should be able to do a "netstat -p" and get the PID of the process that has port 80 open. When you know the PID then do a "ps auxwww | grep <PID>" (replace <PID> with the actual PID number from the netstat output). This should answer that question.

[ May 08, 2002: Message edited by: VoidMain ]
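
One way to answer "which process holds port 80, and on which address" in a single pass, as an added example that is not part of the original thread. It assumes net-tools `netstat -tlnp` output (TCP, listening only, numeric ports, PID/program, run as root); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which process owns a listening
# TCP port and whether the socket is bound to every interface or one address.

# listeners_on PORT -- reads `netstat -tlnp` output on stdin and prints
# "ADDRESS PID/PROGRAM SCOPE" for each listener on that port.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")              # local address is ADDR:PORT
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback-only"
            else
                scope = "single-address"
            print addr, $7, scope
        }'
}

# Constructed sample output (not captured from the server in the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:3128      0.0.0.0:*         LISTEN   812/squid
tcp        0      0 192.168.0.1:80    0.0.0.0:*         LISTEN   1044/httpd
tcp        0      0 0.0.0.0:3306      0.0.0.0:*         LISTEN   977/mysqld
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   640/sshd
EOF
}

sample_netstat | listeners_on 80     # httpd bound to the internal address only
sample_netstat | listeners_on 3306   # database listening on every interface
# On a live host (as root): netstat -tlnp | listeners_on 80
```

A listener on port 80 that is not httpd explains an "Address already in use" error; an `all-interfaces` database port is the exposure mentioned earlier in the thread.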

Title: apache
Post by: Master of Reality on 9 May 2002, 03:31
netstat -p doesn't show the port numbers. It also doesn't show all the programs connected to the internet (it doesn't show squid).
I tried "netstat -p | grep www" and "netstat -p | grep http" (http and www are the same, aren't they?) neither of those showed any programs.
Apache still says that the port is already in use and I can't figure out why.
I definitely do not have any ipchains doing anything to that port.
I don't have any other programs running other than squid.
Title: apache
Post by: voidmain on 9 May 2002, 03:41
Yes, on the newer RedHat's it would show up as http and not www. If nothing shows up when you run that command (as root) then you definitely have a problem with httpd.conf. Did you change the config file at all? Comment out all the "Listen" and "Bind*" tags if you modified them and see if Apache will start. Understand that the logs are your friend. *error_log and /var/log/messages especially.
Title: apache
Post by: Master of Reality on 17 June 2002, 05:18
Someone try to go to http://chatroom.fuckmicrosoft.com
Title: apache
Post by: ahri on 17 June 2002, 07:28
"connection refused"
Title: apache
Post by: Calum on 17 June 2002, 15:41
While using Mozilla 1.0 on Mac OS 9.1, it took about 20 seconds while 'connecting to...' then told me that 'the connection timed out while connecting to...'
Title: apache
Post by: Master of Reality on 29 June 2002, 02:32
I have RedHat 7.3 on my server with squid and httpd already installed now. Squid is running perfectly.

Apache still gives me the same error as above.
I did 'netstat -a | grep http' and it says:
tcp    0    0 *:http  *:* LISTEN
What does this mean? As you said above, this is what I should get... but it still doesn't work.

[ June 28, 2002: Message edited by: Master of Reality / Bob ]

Title: apache
Post by: voidmain on 29 June 2002, 05:19
You can't even access it from one of your inside machines? That is, http://192.168.0.1/ if that is the inside IP address of your server. Are there any ipchains/iptables rules that would be restricting access to the http port (80)?
Title: apache
Post by: Master of Reality on 29 June 2002, 06:27
I can get to it from my internal machines still.
Title: apache
Post by: voidmain on 29 June 2002, 07:15
Ok, what is your external IP address?  Can you get to that from your inside machines?  If you can't, then you must have some firewall issues.
Title: apache
Post by: the_black_angel on 29 June 2002, 07:28
Lookup has started ...


; <<>> DiG 8.3 <<>> @(null) chatroom.fuckmicrosoft.com
; Bad server: (null) -- using default server and timer opts
; (2 servers found)
;; res options: init recurs defnam dnsrch
;; got aswer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;   chatroom.fuckmicrosoft.com, type = A, class = IN

;; ANSWER SECTION:
chatroom.fuckmicrosoft.com.  23h34m40s IN A  204.92.81.125

;; AUTHORITY SECTION:
fuckmicrosoft.com.   1d4h56m43s IN NS  NS1.I2NET.com.
fuckmicrosoft.com.   1d4h56m43s IN NS  NS2.I2NET.com.

;; ADDITIONAL SECTION:
NS1.I2NET.com.      1d4h56m43s IN A  208.179.142.2
NS2.I2NET.com.      1d4h56m43s IN A  208.179.142.3

;; Total query time: 181 msec
;; FROM: localhost to SERVER: default -- 139.134.5.51
;; WHEN: Sat Jun 29 10:18:26 2002
;; MSG SIZE  sent: 44  rcvd: 134

Cannot connect to chatroom.fuckmicrosoft.com through http. As you can see it is there, although Whois says that it's not there.

I can traceroute back to 204.92.81.125 and ping it properly so it is there and responding, just not to http?

Is there a utility that can see what is listening at each port? There should be one somewhere though I don't know where.

Hope this is helpful.
Title: apache
Post by: voidmain on 29 June 2002, 08:39
We already know that Apache is listening on port 80. What I asked him to do was to see if he could verify his outside address by doing an "ifconfig" and then seeing if he can get to that address from a machine inside his house. If he can, then his provider is blocking port 80 and there is nothing he can do about it other than call them and bitch. But if his providers do not allow web servers then that is that, other than putting it on a port other than 80. Like 8000 might be a good one.
Title: apache
Post by: voidmain on 29 June 2002, 08:42
Or master could set me up with an account and let me ssh in and check it out...  I could tell pretty quickly where the problem is.
Title: apache
Post by: Master of Reality on 30 June 2002, 00:21
It gives the same error in the error log when I tried running it on port 8000.
How do I set up an SSH account?
Title: apache
Post by: KernelPanic on 30 June 2002, 00:34
Could it be a problem with your domain registrar??
Title: apache
Post by: voidmain on 30 June 2002, 00:59
quote:
Originally posted by Master of Reality / Bob:
it gives the same error in the error log when i tried running it on port 8000.
How do i setup an ssh account?
You've already got SSH up and running, you just need to create me a userid:

# adduser voidmain
# passwd voidmain

Then send me a PM with the password and I'll change it as soon as I log in.
Title: apache
Post by: Master of Reality on 30 June 2002, 03:09
Now someone can try to go to http://chatroom.fuckmicrosoft.com
Title: apache
Post by: voidmain on 30 June 2002, 03:20
quote:
Originally posted by Master of Reality / Bob:
now someone can try to go to http://chatroom.fuckmicrosoft.com

Nope, not yet...
Title: apache
Post by: Master of Reality on 30 June 2002, 04:21
Try http://chatroom.fuckmicrosoft.com:8000

[ June 29, 2002: Message edited by: Master of Reality / Bob ]

Title: apache
Post by: choasforages on 30 June 2002, 05:37
Holy shit, it works for me. Good work, now about that chatroom......
Title: apache
Post by: Master of Reality on 30 June 2002, 22:08
My ISP must be blocking Port 80.
Can virtual hosts (like chatroom.fuckmicrosoft.com) point to a specific port??
Title: apache
Post by: KernelPanic on 30 June 2002, 22:17
yes
Title: apache
Post by: Master of Reality on 5 July 2002, 17:50
Is there any way I can set up multiple websites on my one computer on the same ethernet card using different directory roots??
Can I set up virtual hosts so that when someone requests mes.servecounterstrike.com (which is a vhost to my IP) it will go to /var/www/counterstrike and not the default /var/www/html which is being used by chatroom.fuckmicrosoft.com?
Title: apache
Post by: Master of Reality on 5 July 2002, 18:08
Try going to http://chatroom.fuckmicrosoft.com
See if it works,
then try http://mes.servecounterstrike.com
http://www.mescs.cjb.net
[ July 05, 2002: Message edited by: Master of Reality / Bob ]