Router configuration for Apache

Kernels & Hardware, configuring network, installing services

Router configuration for Apache

Postby Aku » 2008-06-20 18:15

Hey guys

I'm still trying to set up my network correctly, can't get from my external IP to my server. This is the network layout:

ExternalIP, Port 80 -> Router (Zyxel p623me), forwarding port 80 to 192.168.1.2 -> My server (192.168.1.2)

It works over localhost but not over the external IP (DynDNS). :?

Here are some screenshots from the Router configuration.

Image

If there's any more data that could be helpful, please tell me what you need.
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-20 20:08

Whoah man, you've got some pretty unsecure settings there.

Before you go any further, turn off all Remote Management (SNMP). Not LAN, but off, even though they're filtered. And turn off UPnP... they have it easy enough as it is. And check Web.

The NAT section also concerns me. 0.0.0.0 means all IPs, so you're forwarding all outside ports to all your LAN IPs! What are ports 6112-9? If torrent, just use 60940 and encrypt & peer-peer with BitTyrant; in your firewall open 60940 in and out, tcp and udp, and run the client as a very unprivileged user. Also make the webserver forward, start and end port 80, not 1-80. Ports below 1024 are privileged and should be handled with care.

Now for your question. {hehe} Do yourself a favor and in /etc/profile put this line:
alias listen='lsof -i -n -P |more'
... and next time you log in type listen in konsole. Make sure that Apache is listening on at least 192.168.1.2 . If not, change config file and reload. And while you're at it, set all daemons you can to only listen on the localhost (127.0.0.1), for security.
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-21 09:21

Quantum wrote:Before you go any further, turn off all Remote Management (SNMP). Not LAN, but off, even though they're filtered. And turn off UPnP... they have it easy enough as it is. And check Web.

The NAT section also concerns me. 0.0.0.0 means all IPs, so you're forwarding all outside ports to all your LAN IPs! What are ports 6112-9? If torrent, just use 60940 and encrypt & peer-peer with BitTyrant; in your firewall open 60940 in and out, tcp and udp, and run the client as a very unprivileged user. Also make the webserver forward, start and end port 80, not 1-80. Ports below 1024 are privileged and should be handled with care.


Done, thanks.

Quantum wrote:Now for your question. {hehe} Do yourself a favor and in /etc/profile put this line:
alias listen='lsof -i -n -P |more'
... and next time you log in type listen in konsole. Make sure that Apache is listening on at least 192.168.1.2 . If not, change config file and reload.


I put it on the first free uncommented line but:
Code: Select all
bash: listen: command not found

I added Listen 192.168.1.2:80 to my httpd.conf and it seems to be up, netstat -tulpn | grep :80 returns:
Code: Select all
tcp        0      0 192.168.1.2:80          0.0.0.0:*               LISTEN     4331/apache


For some reason I can't even connect over localhost now. :?
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby TonyT » 2008-06-21 11:41

Just use the apache defaults. But change the port apaches listens on to 8080. This is because your isp likely filters port 80 so as to prevent subscribers from running Web servers. Then port-forward 8080 to the lan ip of the comp w/ apache.
TonyT
 
Posts: 357
Joined: 2006-09-04 11:57

Postby Aku » 2008-06-21 12:23

TonyT wrote:Just use the apache defaults. But change the port apaches listens on to 8080. This is because your isp likely filters port 80 so as to prevent subscribers from running Web servers. Then port-forward 8080 to the lan ip of the comp w/ apache.


192.168.1.2:8080 works but the external IP is still dead. What the hell?
hosts.allow has ALL:ALL by the way.
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-21 12:44

listen is a new command you are creating, which shows which daemons are listening to what ports. This is for your use, and Apache has no use for it. Once you've put it in /etc/profile, you have to log out and back in for it to be available. I notice that Debian is busted however, in that it doesn't execute /etc/profile on login. So you must add this to /home/<youruser>/.bashrc
Code: Select all
if [ -f /etc/profile ]; then
   . /etc/profile
fi

if [ -f /etc/bash.bashrc ]; then
   . /etc/bash.bashrc
fi


Once you get listen running, it should look something like mine:
Code: Select all
# listen
COMMAND    PID    USER   FD   TYPE DEVICE SIZE NODE NAME
dnsmasq   5804 dnsmasq    4u  IPv4  10414       TCP 127.0.0.1:53 (LISTEN)
dnsmasq   5804 dnsmasq    5u  IPv4  10415       UDP 127.0.0.1:53
dnsmasq   5804 dnsmasq    6u  IPv4  10416       UDP *:38095
avahi-dae 5826   avahi   14u  IPv4  10461       UDP *:5353
avahi-dae 5826   avahi   15u  IPv4  10462       UDP *:46898
cupsd     5962    root    3u  IPv4  26708       TCP 127.0.0.1:631 (LISTEN)
squid     6338   proxy    5u  IPv4  11603       UDP *:49852
squid     6338   proxy   10u  IPv4  11766       TCP 127.0.0.1:8080 (LISTEN)
squid     6338   proxy   11u  IPv4  11767       UDP *:3130


Now; let's see your listen, and the NAT section of your router.
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-21 13:00

Edit: Here's the lsof -i -n -P |more (listen didn't work) command.

Code: Select all
COMMAND    PID        USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   2883      daemon    3u  IPv4   7910       UDP *:111
portmap   2883      daemon    4u  IPv4   7913       TCP *:111 (LISTEN)
hpiod     3142        root    0u  IPv4   8372       TCP 127.0.0.1:2208 (LISTEN)
python    3145       hplip    4u  IPv4   8383       TCP 127.0.0.1:44906 (LISTEN)cupsd     3266        root    1u  IPv4   8530       TCP 127.0.0.1:631 (LISTEN)
cupsd     3266        root    3u  IPv4   8533       UDP *:631
avahi-dae 3359       avahi   13u  IPv4  10596       UDP *:5353
avahi-dae 3359       avahi   14u  IPv4  10597       UDP *:32768
exim4     3439 Debian-exim    3u  IPv4  10732       TCP 127.0.0.1:25 (LISTEN)
inetd     3458        root    4u  IPv4  10773       TCP *:113 (LISTEN)
tor       3468  debian-tor    4u  IPv4  11187       TCP 192.168.1.2:35759->156.56.103.103:9001 (ESTABLISHED)
tor       3468  debian-tor    7u  IPv4  10804       TCP 127.0.0.1:9050 (LISTEN)
tor       3468  debian-tor   10u  IPv4  11514       TCP 192.168.1.2:37762->80.237.231.146:9001 (ESTABLISHED)
dhclient  3475        root    5u  IPv4  10892       UDP *:68
rpc.statd 3553       statd    3u  IPv4  11010       UDP *:32769
rpc.statd 3553       statd    6u  IPv4  10976       UDP *:761
rpc.statd 3553       statd    7u  IPv4  11019       TCP *:43916 (LISTEN)
proftpd   3595     proftpd    1u  IPv4  11105       TCP *:21 (LISTEN)
apache    3697        root   16u  IPv4  11392       TCP 192.168.1.2:8080 (LISTEN)


And the NAT.
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-22 16:43

Still forwarding all ports to all internal machines man. You can not set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.

OK, your network plumbing for Apache looks fine. (assuming you have checkmarked router|InternetSecurity|Web) You should point your browser at
http://192.168.1.2:8080
... and if it does not work you must concentrate on whatever the Apache config problem is. If it works then point your browser at
http://<yourexternalWANIPinrouter>:8080
... and if it does not work, please give exact error. If it does work point your browser at
http://<yourdoman>:8080
... and if it now does not work you have a DNS problem. (See Registrar above)

A few security notes about your listen command:
- portmap tcp must always and forevermore only listen to 127.0.0.1 . This is an unsecure daemon. Change this in its config file.
- Yikes! Turn off auth in inetd (port 113) by commenting it out.
- You don't seem to be running NFS (also very unsecure), so find out what's starting rpc.statd and stop that.
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-22 18:52

Quantum wrote:Still forwarding all ports to all internal machines man. You can not set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.

Done.

Quantum wrote:OK, your network plumbing for Apache looks fine. (assuming you have checkmarked router|InternetSecurity|Web) You should point your browser at
http://192.168.1.2:8080

Works, getting the placeholder page.

Quantum wrote: http://<yourexternalWANIPinrouter>:8080
... and if it does not work, please give exact error.

From lynx:
Code: Select all
Alert!: Unable to connect to remote host.


Quantum wrote:A few security notes about your listen command:
- portmap tcp must always and forevermore only listen to 127.0.0.1 . This is an unsecure daemon. Change this in its config file.

I uncommented OPTIONS="-i 127.0.0.1" in /etc/default/portmap.

Quantum wrote:-- Yikes! Turn off auth in inetd (port 113) by commenting it out.

In /etc/inetd.conf? Can't find it there.

Quantum wrote:- You don't seem to be running NFS (also very unsecure), so find out what's starting rpc.statd and stop that.

I disabled nfs-common with sysv-rc-conf.
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-22 19:47

Aku wrote:
Quantum wrote:Still forwarding all ports to all internal machines man. You can not set that first entry to 0.0.0.0, as it opens up everything to The Internets. Set that to blank, or if it won't let you, set it to some bogus IP.

Done.

It is a pleasure to actually get feedback on what people found or did. Makes possible a deeper understanding. Thank you.


Aku wrote:Works, getting the placeholder page.

Is this all you have set up for now? Or should it be showing your site?


Aku wrote:
Quantum wrote: http://<yourexternalWANIPinrouter>:8080
... and if it does not work, please give exact error.

From lynx:
Code: Select all
Alert!: Unable to connect to remote host.

Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my (exemplary) link?

Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.


Aku wrote:
Quantum wrote:-- Yikes! Turn off auth in inetd (port 113) by commenting it out.

In /etc/inetd.conf? Can't find it there.

Not sure if you're running inet.d or xinet.d, and I have neither installed. But if memory serves, if inet.d it should be a line-item in inetd.conf, and if xinet.d in its directory, in the auth file, set it to disabled. Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-22 20:25

Quantum wrote:It is a pleasure to actually get feedback on what people found or did. Makes possible a deeper understanding. Thank you.

You're more than welcome, glad to get some help. I have to use 0.0.0.0 for a bit longer though, MSN and some other stuff stopped working.

Quantum wrote:Is this all you have set up for now? Or should it be showing your site?

Nope there's no content yet.

Quantum wrote:Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my link?

Yes, I'm just a Linux and especially Debian newbie. ;)

Quantum wrote:Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.

Afaik I don't have one unless there's a default firewall that comes with Debian.

Quantum wrote:Not sure if you're running inet.d or xinet.d, and I have neither installed. But if memory serves, if inet.d it should be a line-item in inetd.conf, and if xinet.d in its directory, in the auth file, set it to disabled.

I'm pretty sure I have inet.d. And the inetd.conf file is empty, this is the only line that isn't commented-out:
Code: Select all
#:INFO: Info services
ident           stream  tcp     wait    identd  /usr/sbin/identd        identd


Quantum wrote:Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.

Erh, S20openbsd-inetd?

Code: Select all
asgard:/etc/rc5.d# dir
K20bittorrent  S19hplip         S20exim4          S20vboxdrv  S89cron
K79nfs-common  S20acpid         S20hotkey-setup   S20vboxnet  S90binfmt-support
README         S20cpufrequtils  S20makedev        S21gdm      S91apache
S10sysklogd    S20cupsys        S20mplayer        S50proftpd  S99rc.local
S11klogd       S20dbus          S20openbsd-inetd  S89anacron  S99rmnologin
S18portmap     S20ddclient      S20tor            S89atd      S99stop-bootlogd
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-22 21:52

Aku wrote:I have to use 0.0.0.0 for a bit longer though, MSN and some other stuff stopped working.

No, there is no legitimate reason why ANY outside ANYthing needs to reach into your network at the moment. They have no business doing that.

I am beginning to suspicion that this NAT entry doesn't behave according to convention. Maybe best to read the Zyxel user guide about this.


Aku wrote:
Quantum wrote:Sorry, just to make sure, you had substituted the actual IP address which is in your router for the external address? You didn't just click on my link?

Yes, I'm just a Linux and especially Debian newbie. ;)

This response is not clear. When I say:
http://<yourexternalWANIPinrouter>:8080
... I mean you should go to your router and find the external IP address (WAN) it currently has. This would likely be on a Home screen or Information screen for the router as WAN address or such. Substitute that IP address for when I say <yourexternalWANIPinrouter>, so if your external IP is 74.23.92.6 for example, in your browser:
http://74.23.92.6:8080
... you should see your placeholder page.


Aku wrote:
Quantum wrote:Is your firewall set to accept incoming tcp on port 8080? If so, I am pretty well kerfuffled.

Afaik I don't have one unless there's a default firewall that comes with Debian.

Please install and learn a good one (like Shorewall), as soon as possible. Sooner than is possible.


Aku wrote:
Code: Select all
ident           stream  tcp     wait    identd  /usr/sbin/identd        identd

Ah yes, please # that out, forthwith.


Aku wrote:
Quantum wrote:Or just remove the daemon startup in rc5.d, since you're not using anything else of inet.d.

Erh, S20openbsd-inetd?

Right. Delete that symlink in rc2.d, rc3.d, rc4,d, and rc5.d. (or better, move it into /etc/init.d/Filed)

See, the way Linux works is daemons are started on boot using the 'rc system'. The scripts to start them live in /etc/init.d. Linux can be started in different 'runlevels', such as single-user mode (rc2), multiuser with networking non-graphical (rc3), and multiuser with networking graphical (rc5.d). The one you use most is rc5, and so you should have the daemons you want started on boot symlinked in rc5.d. You don't need inet.d at the moment, so delete that symlink. (or better, move it into /etc/init.d/Filed) The S in the symlink means Start (as opposed to Kill), and the number determines in what order the daemons are started. This matters, because firewall should be started before networking, for example. rcS.d is where the System daemons are started. (for all runlevels) An easier way to **** around with daemon startups is K|System|KSysV.

BTW, nobody ever explained this stuff to me; I had to dig and sweat and tear out every bloody scrap of information I own, over great lengths of time, chasing down the information and furiously choking facts out of it.


Aku wrote:
Code: Select all
README      S20tor

Huh? WTF is the Tor daemon there for? You using that? Does it make you a Tor peer? And README doesn't belong here, only in init.d .
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-23 16:48

Quantum wrote:No, there is no legitimate reason why ANY outside ANYthing needs to reach into your network at the moment. They have no business doing that.

I can't get Kopete to connect to MSN without it, so until I figure out which port exactly it is I'll keep the 0.0.0.0.

Quantum wrote:I am beginning to suspicion that this NAT entry doesn't behave according to convention. Maybe best to read the Zyxel user guide about this.

There's just some DAU stuff, nothing detailed about NAT.

Quantum wrote:This response is not clear. When I say:
http://<yourexternalWANIPinrouter>:8080
... I mean you should go to your router and find the external IP address (WAN) it currently has. This would likely be on a Home screen or Information screen for the router as WAN address or such. Substitute that IP address for when I say <yourexternalWANIPinrouter>, so if your external IP is 74.23.92.6 for example, in your browser:
http://74.23.92.6:8080
... you should see your placeholder page.

That's what I was trying to imply. I know about networking in general.

Quantum wrote:Please install and learn a good one (like Shorewall), as soon as possible. Sooner than is possible.

I will once I get this stuff working, just seems like yet another source of failure.

Quantum wrote:Ah yes, please # that out, forthwith.

Done. (What is this info service?)


Quantum wrote:Right. Delete that symlink in rc2.d, rc3.d, rc4,d, and rc5.d. (or better, move it into /etc/init.d/Filed)

Done.

Quantum wrote:See, the way Linux works is daemons are started on boot using the 'rc system'. The scripts to start them live in /etc/init.d. Linux can be started in different 'runlevels', such as single-user mode (rc2), multiuser with networking non-graphical (rc3), and multiuser with networking graphical (rc5.d). The one you use most is rc5, and so you should have the daemons you want started on boot symlinked in rc5.d. You don't need inet.d at the moment, so delete that symlink. (or better, move it into /etc/init.d/Filed) The S in the symlink means Start (as opposed to Kill), and the number determines in what order the daemons are started. This matters, because firewall should be started before networking, for example. rcS.d is where the System daemons are started. (for all runlevels) An easier way to **** around with daemon startups is K|System|KSysV.

Thanks for the info but what exactly does inet.d do if I don't need it? (And why is it run by default?)

Quantum wrote:BTW, nobody ever explained this stuff to me; I had to dig and sweat and tear out every bloody scrap of information I own, over great lengths of time, chasing down the information and furiously choking facts out of it.

I tried a good 3-4 hours of google & error myself but to no avail.

Quantum wrote:Huh? WTF is the Tor daemon there for? You using that? Does it make you a Tor peer?

Yes I'm using Tor but I'm not a node. (I hope?)

Quantum wrote:And README doesn't belong here, only in init.d .

Removed.
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Postby Quantum » 2008-06-24 03:08

Aku wrote:Thanks for the info but what exactly does inet.d do if I don't need it? (And why is it run by default?)


Well I've been drinking, bbut I'll do the best I can. inetd is wha't's describerd as a 'wrapper daemon'. It wraps around other commonly-used daemons providing an additional level of security. It's controlled by host.accept and host.deny (if memory sserves). It's an addiitional level of securoty for apps that don't have it inherently.


Aku wrote:I tried a good 3-4 hours of google & error myself but to no avail.

Bah, I haven't used that-search-engine-that-everybody-uses for several years. Clusty is better IMHO, and is a meta seach engine, which does every bit as well, and does not have the atrocious privacy policies that that-search-engine-that-everybody-uses has.

Aku wrote:Yes I'm using Tor but I'm not a node. (I hope?)

Daemon implies server, which implies node. Not necessarily bad, as long as it runs extremely unprivileged and that you are aware.
Quantum
 
Posts: 1455
Joined: 2006-03-21 19:06
Location: Seattle, Ecotopia

Postby Aku » 2008-06-25 12:41

Quantum wrote:Well I've been drinking, bbut I'll do the best I can. inetd is wha't's describerd as a 'wrapper daemon'. It wraps around other commonly-used daemons providing an additional level of security. It's controlled by host.accept and host.deny (if memory sserves). It's an addiitional level of securoty for apps that don't have it inherently.

Not much it seems, thanks that helped. :)

Quantum wrote:Bah, I haven't used that-search-engine-that-everybody-uses for several years. Clusty is better IMHO, and is a meta seach engine, which does every bit as well, and does not have the atrocious privacy policies that that-search-engine-that-everybody-uses has.

I'll try it. Pretty happy with most of google's results though.

Quantum wrote:Daemon implies server, which implies node. Not necessarily bad, as long as it runs extremely unprivileged and that you are aware.

Oh well my server's not doing much 99% of the time, guess it's alright.


I'll switch ISP's soon and due to that I'll also get a new router. Shall I let you know if that helped?
Aku
 
Posts: 31
Joined: 2008-04-19 08:45

Next

Return to System configuration

Who is online

Users browsing this forum: No registered users and 11 guests

fashionable