Search Results

Search found 16455 results on 659 pages for 'hosts allow'.


  • Configuring iptables rules for HAProxy and others

    - by MLister
    I have the following relevant settings for HAProxy:

        defaults
            log global
            mode http
            option httplog
            option dontlognull
            retries 3
            option redispatch
            maxconn 500
            contimeout 5s
            clitimeout 15s
            srvtimeout 15s

        frontend public
            bind *:80
            option http-server-close
            option http-pretend-keepalive
            option forwardfor
            # ACLs
            ...

    I have three backends (including a Nginx server) configured in HAProxy, all listening on different ports of 127.0.0.1. And my iptables config is this:

        *filter

        # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
        -A INPUT -i lo -j ACCEPT
        -A INPUT -i lo -d 127.0.0.0/8 -j REJECT

        # Accepts all established inbound connections
        -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Allows all outbound traffic
        # You can modify this to only allow certain traffic
        -A OUTPUT -j ACCEPT

        # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
        -A INPUT -p tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp --dport 443 -j ACCEPT

        # Allows SSH connections
        #
        # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
        #
        -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

        # Allow ping
        -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

        # log iptables denied calls
        -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

        # Reject all other inbound - default deny unless explicitly allowed policy
        -A INPUT -j REJECT
        -A FORWARD -j REJECT

        COMMIT

    My questions are: Would the above iptables config work with the settings/options in my HAProxy config? I am also running a postgres and a redis server on the same machine, what settings do I need to adjust for these two to enable them to work with iptables?


  • Windows XP - Website unaccessible on single pc in LAN

    - by DorentuZ
    For several days now, a website isn't accessible on a single pc in the LAN. On the other pc's, it works just fine. And it's just a single website that's not accessible as far as I know of. The website generates a timeout on every single web browser I've tried (IE8, Firefox and Chrome). However, traceroute, nmap and telnet all work just fine. I've even tried multiple user accounts and safe mode, but that didn't work either. As a side note: using a linux live cd did work and I could access the website without any problems. The hosts file is the windows default, the ip- and dns settings on the network adapter normal as well. No strange processes are running and no viruses found. According to tcpview and netstat there are connections to the domain, but every request in the browser results in a timeout. Any idea what's happening?


  • How many iptables block rules is too many

    - by mhost
    We have a server with a Quad-Core AMD Opteron Processor 2378. It acts as our firewall for several servers. I've been asked to block all IPs from China. In a separate network, we have some small VPS machines (256MB and 512MB). I've been asked to block China on those VPS's as well. I've looked online and found lists which require 4500 block rules. My question is will putting in all 4500 rules be a problem? I know iptables can handle far more rules than that, what I am concerned about is since these are blocks that I don't want to have access to any port, I need to put these rules before any allow. This means all legitimate traffic needs to be compared to all those rules before getting through. Will the traffic be noticeably slower after implementing this? Will those small VPS's be able to handle processing that many rules for every new packet (I'll put an established allow before the blocks)? My question is not "How many rules can iptables support?", it's about the effect that these rules will have on load and speed. Thanks.


  • LAN full of public ipv4 addresses - How to filter it?

    - by sparc86
    The answer to my question maybe is not that hard but anyways, I do not know what to do. So, I just got a new job in a University and I found out that the network (the LAN) is full of public IP addresses. Seriously, the whole LAN (probably more than 150 hosts) has its own internet IP address and I don't know how to manage it. I have a very good experience using iptables (Linux firewall) in a NAT'ed environment. But then how should I proceed in an environment where all my LAN is working with a bunch of public IP addresses? Should I just use the "forward" rules and ignore the NAT rules or is there any other issue in such an environment which I should take care of? Can I add a firewall between the router and the LAN in order to produce packet filtering for these public IP addresses in my LAN or will this just not work? Thanks!


  • Revoke directory access for a particular user in Solaris

    - by permissiontomars
    I have a need to allow directory access to a particular user on my file system. I want this user to be unable to access any other directory in my file system (initially anyway. It may need access to some directories later). For example: I have a directory called /opt/mydir.

      - I want my dedicated user to only be able to access this directory, and nothing else.
      - I want all other users to be able to access this directory as normal.

    I'm new to Linux and its permissions. I've read a fair bit of background material but I'm a little confused. Is there any way to revoke permissions to /opt/mydir for a single dedicated user? A possible flawed method would be to only allow access to /opt/mydir and exclude every other user. This won't work because I want all other users to work as normal; accessing the directory. I'm working on Solaris 10. Any suggestions are appreciated.


  • Spoof database connection to be local instead of remote

    - by spydon
    I am trying to connect one of our client's "as is" programs to a remote database instead of a local one, they say that they have coded it to be able to do it, but for some reason the program crashes when trying to connect to a remote database. I don't have the source code so I can't really dig much deeper than that and the company does not provide any upgrades or custom modifications. I can successfully connect to the database through SqlDbx and HeidiSQL so I know that the server is set up correctly. This is why I need to find a way to spoof a remote connection on port 1433 to appear like a local database connection to the program. I thought about editing the hosts file, but it will most likely crash other programs if I bind localhost to another IP than 127.0.0.1. Any ideas?


  • Port forwarding (portmap) works only locally

    - by Tag Wint
    There are four hosts:

        hostA winXP
        hostB Win2003
        hostC Linux RHEL
        hostD Linux RHEL

    hostA cannot connect to C and D directly, but B can. hostA connects to hostB using VPN. hostB and hostC belong to the same subnet1; hostD is in subnet2. From hostA I need to connect to hostC and hostD by SSH. Now I can do it as follows: 1. connecting from hostA to hostB by RDP logon and there: 2. start putty client. I'd like to omit step 1 and connect from A to C and D directly. On hostB I have an admin account and configure port forwarding as follows:

        netsh interface portproxy add v4tov4 listenport=N1 connectaddress=hostC_IP connectport=N2
        netsh interface portproxy add v4tov4 listenport=N3 connectaddress=hostD_IP connectport=N2

    netsh interface portproxy show all:

        Listen on IPv4:             Connect to IPv4:

        Address         Port        Address         Port
        --------------- ----------  --------------- ----------
        *               N1          hostC_IP        N2
        *               N3          hostD_IP        N2

    Now from hostB I can connect to either C and D:

        ssh localhost:N1
        ssh localhost:N3

    From hostA, ssh hostB:N1 works too, but ssh hostB:N3 DOESN'T. I guess the reason might be different subnets, still have no idea how to fix it. What should I do?


  • Equalizing Agent and Master Nagios on state change alone

    - by punith
    We have a setup where there are distributed Nagios running on multiple sites and are equalizing their data to the main Nagios server. The problem is it sends back the data to the main Nagios server no matter if there is a state change in host or service. Is it possible to configure the slave Nagios to check the service/Host every 5 sec but send back the data only if there is a state change? Currently it is implemented by Obsess Over Hosts/Service which always runs the command which will equalize. Nagios version is 3. I am no administrator but a developer so I don't know the exact jargon so please bear with me.


  • SMTP Server setting on Windows 2008 R2

    - by user223298
    I am very very new to this and just trying to configure SMTP virtual server. I have followed a few threads to get it all running, but the mails are not being delivered. What I have done so far:

      1) Install SMTP server.
      2) SMTP server Properties. General Tab - IP address is set to 'All Unassigned'. Access Tab - Authentication is anonymous access. Everything else is left to Default settings. Delivery Tab - Outbound security is anonymous access. In Advanced section, entered the domain name in the FQDN field, and localhost in Smart host field.
      3) Created an Inbound Rule for SMTP service to allow connections to Port 25.

    When I try to telnet, everything works up until the point the mail has to be sent. Now, the sender's domain is different to the receiver's domain. Not sure if settings have to be changed to allow that? I had set the Relay restrictions on SMTP server, but because I couldn't send the mails, I thought I might as well make it work without the relay first. The error I see while sending the mail is 451 Timeout waiting for client input. I used to get some other error before when I had Relay restrictions on. Can anyone please point me in the right direction? Please let me know if you need more information. Thanks.


  • Can't connect to localhost via browser. Can ping localhost.

    - by Sceptre
    I'm trying to connect to localhost through my browser to learn some apache tomcat stuff. When I tried to connect to localhost through Firefox, I couldn't; when I tried through IE, I could the first time, but not after that. I'm using Windows 7, and changed the hosts file to point localhost to 127.0.0.1. I can successfully ping localhost and 127.0.0.1. I have tried turning off my antivirus and my Windows Firewall, but to no avail. What am I doing wrong?


  • Remove folder structure from archive, ignore folder while archiving and fix error

    - by Michael
    I am trying to make a script to backup each of my plesk hosts to individual files, I am having two problems:

      - I would like to remove the folder structure from archive, the tar is 3 folders deep
      - I am getting this error: tar: Removing leading `/' from member names
      - I need my archive to ignore folders named "catch" because I don't need them in my archive.

    The code:

        FILES=/var/www/vhosts/*
        FNAME=""
        for f in $FILES
        do
            FNAME=`basename $f`
            tar cfv "/root/backup/ftp/$FNAME.tar" $f
        done

    Sample output:

        tar: Removing leading `/' from member names
        /var/www/vhosts/mydomain.com/
        /var/www/vhosts/mydomain.com/conf
        /var/www/vhosts/mydomain.com/etc/
        /var/www/vhosts/mydomain.com/etc/group
        /var/www/vhosts/mydomain.com/etc/termcap
        /var/www/vhosts/mydomain.com/etc/passwd
        /var/www/vhosts/mydomain.com/usr/


  • Firefox unable to load SSL Certificate Chain, while Chrome, IE do

    - by FryBurger
    I created a certificate for our IIS 6 by sending a request (created with openssl) to our organization's CA. I already had trouble to integrate the private key into that certificate, that has been solved, see SO question. IIS 6.0 now uses the certificate (with TLS v1 and SSL v3), that is the 4th in cert hierarchy. Now, if I access the intranet site, chrome accepts the certificate, so does IE, but Firefox complains about an insecure connection and wants me to add an exceptional rule. If I look into the certificate, how FF presents it to me, I cannot see any of the three issuers. How can this be? If I connect via openssl s_client -showcerts -connect... I only see my own certificate too, which is said to be not verified. I am quite confused now. Where's the mistake and how can I make FF accept the certificate without forcing our users to add that exception rule? Maybe do I have to add all the three issuer certificates into cert store of the win2003 server that hosts IIS 6.0 ??


  • Directories Throwing 404 Errors - Virtual Host Configuration and mod_rewrite

    - by nicorellius
    On my production server, things are fine: PHP extension removal and trailing slash rules are in place in my .htaccess file. But locally, this isn't working (well, partially, anyway). I'm running Apache2 with a virtual host for the site in question. I decided to not use the .htaccess file in this case and just add the rules to the httpd-vhosts.conf file instead, which, I've heard, if possible on your server, is a better way to go. The virtual host is working and the URL I use for my site is like this: devserver:9090

    Here is my httpd-vhosts.conf file:

        NameVirtualHost *:9090

        # for stuff other than this site
        <VirtualHost *:9090>
            ServerAdmin admin@localhost
            DocumentRoot "/opt/lampstack/apache2/htdocs"
            ServerName localhost
        </VirtualHost>

        # for site in question
        <VirtualHost *:9090>
            ServerAdmin admin@localhost
            DocumentRoot "/opt/lampstack/apache2/htdocs/devserver"
            ServerName devserver

            <Directory "/opt/lampstack/apache2/htdocs/devserver">
                Options Indexes FollowSymLinks Includes
                AllowOverride None
                Order allow,deny
                Allow from all
            </Directory>

            <IfModule rewrite_module>
                RewriteEngine ON

                # remove PHP extension and add trailing slash
                # note - this doesn't work for directories, and throws 404
                # TODO - fix so directories use index.php
                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteCond %{THE_REQUEST} ^GET\ /[^?\s]+\.php
                RewriteRule (.*)\.php$ /$1/ [R=302,L]

                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteRule (.*)/$ /$1.php [L]

                RewriteCond %{REQUEST_FILENAME}.php -f
                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteRule .*[^/]$ /$0/ [R=302,L]
            </IfModule>

            # error docs
            ErrorDocument 404 /errors/404.php
        </VirtualHost>

    The problem I'm facing is that when I go to directories on the site, I get a 404 error. So for example, this: devserver:9090/page.php goes to devserver:9090/page/ but going to a directory (that has an index.php): devserver:9090/dir/ throws 404 error page. If I type in devserver:9090/dir/index.php I get devserver:9090/dir/index/ and the contents I want appear... Can anyone help me with my rewrite rules?


  • CNAME vs A records

    - by deb
    I built a small rails app that allows users to make a simple site. It uses subdomain accounts ex: deb.myapp.com. Whenever a user wanted to have a domain name associated with their site, they would change their NS records to point to slicehost where the application is hosted and I would manage the DNS records myself. However, as more people are using the application this is not an option for me anymore. I prefer users to keep their nameservers at GoDaddy, register.com, etc, so they can log in and manage their own MX records or whatever else they need to change. My question is, should I have them change the A records to point to my server's ip, or should I have them create a CNAME record? Do they need to delete the default A records to allow the CNAME record to work? Will the A record take precedence and overrule the CNAME record? Thanks in advance. Sorry if this is a very basic question. I've read other posts and I can't find a definite answer.


  • Run a script as root from apache

    - by Lord Loh.
    I would like to update my hosts file and restart dnsmasq from a web interface (php/apache2). I tried playing around with suid bits (the demonstration). I have both apache and dnsmasq running on an EC2 instance. I understand that Linux ignores the setuid bit on text scripts, but works on binary files. (Have I got something wrong?). I added exec("whoami"); to the example C program in Wikipedia. Although the effective UID of the C program is 0, whoami does not return root :-( I would thoroughly like to avoid echo password | sudo service dnsmasq restart or adding apache to the sudoers without password! Is there a way out? How does webmin do such things?


  • Looking for concise set of instructions for upgrading Vmware 5.1 to 5.5

    - by Michael Martinez
    I'm trying to find a set of instructions for upgrading Vmware (ESXi and Vsphere) from 5.1 to 5.5, but all I'm finding online is a bunch of separate, incomplete knowledgebase articles which is making it difficult to get an overview of what's involved. What I'd like is a single, concise document that lists the steps involved. It could be a free online article, someone's blog, a small booklet, someone here who takes the trouble to write it out. Does such a thing exist? If so, can you provide the reference or even provide the text here. I'm running a very small, simple environment consisting of two ESXi hosts and Vsphere Standard edition. Thanks.


  • Is it possible to use the same MAC address for an entire subnet?

    - by Bruce
    I wish to add static entries to the ARP table of my machine so that it uses a dummy MAC 00:11:22:33:44:55 for any IP address within the subnet 10.0.0.0/8 Using arp -s 10.0.0.0/8 00:11:22:33:44:55 does not work. What can I do? PS - I know it might sound strange why anyone would want to do this but kindly bear with me here. EDIT: I am using this so that the hosts do not send a broadcast ARP message. I route the packets to the appropriate last hop router which changes the dst MAC from the fake MAC to the MAC of the dst IP address. I can get everything working except I have to manually enter the fake MAC for each subnet IP address.


  • Cisco ASA Multiple Public IP

    - by KGDI
    I have a Cisco ASA5510 and articles related to ASA and multiple Public IP say this can't be done. My question is how to best solve a scenario like this: I have 3 zones, Outside, Inside and DMZ.

      - Outside is Internet
      - Inside is Client machines
      - DMZ is a zone for servers related to external and internal services.

    My scenario is a bit more complex, but to keep things simple this will do: I want to place an Exchange server and a web server (externally reachable in the DMZ zone). The webserver uses both TCP80/443, the Exchange server uses 443. So to the problem: With the ASA only having one public IP, how would you make a DNAT to port 443 on both the internal hosts behind 1 Public IP? Usually, when I do this kind of scenario with Linux boxes I use alias Interfaces like eth0:0, eth0:1 and set 1 Public IP on each. To me this must be a pretty common scenario, any ideas on how to solve it with ASA? /KGDI


  • Can OpenVPN be set up so the server doesn't have interface that is part of the VPN?

    - by BCS
    I'm looking to set up a VPN (OpenVPN is my first choice but I'm not stuck with it) in such a way that the server that hosts the VPN is not visible from within the VPN. That is; any packet that a client sends via the VPN interface will get delivered to another client's VPN interface or get dropped. In the other direction, the server shouldn't have a VPN interface at all and normal network operations shouldn't be able to send packets on the network. Can this be done? All the docs I have found have assumed that clients will connect via DHCP (this requiring that the server connect at least to that extent) but I can't think of any reason that a VPN couldn't use static IP's or that the DHCP server couldn't be implemented inside the VPN (see edit) server without setting up a VPN interface on the server. Edit: Based on the link on bridged mode from Phil Hollenback's answer it seems that OpenVPN does in fact have the "internal DHCP server" that I'm thinking of.


  • Ignore Apache Default Server?

    - by Jakobud
    I run several vhosts on our Apache server. Whenever I browse the server using either its IP address or some other name that resolves to that address, but where a virtual host entry doesn't exist for that address, I get the generic Apache test page. I want to change the server so I can specify a Virtual Host to see by default instead of the Apache Default Server page. I don't want to just modify the Default Server page either. I just need to be able to specify a Virtual Host to use instead. I added the following Virtual Host:

        <VirtualHost _default_:*>
            DocumentRoot /vhosts/default/public
        </VirtualHost>

    What I am reading is supposed to take priority over all other Virtual Hosts as the default. But this doesn't seem to take priority over the Apache Default Server/Host. What do I need to do here?


  • Is it possible to redirect/bounce TCP traffic to an external destination, based on rules?

    - by xfx
    I'm not even sure if this is possible... Also, please forgive my ignorance on the subject. What I'm looking for is "something" that would allow me to redirect all TCP traffic arriving to host A to host B, but based on some rules. Say host A (the intermediary) receives a request (say a simple HTTP request) from a host with domain X. In that case, it lets it pass through and it's handled by host A itself. Now, let's suppose that host A receives another HTTP request from a host with domain Y, but this time, due to some customizable rules, host A redirects all the traffic to host B, and host B is able to handle it as if it came directly from domain Y. And, at this point, both host B and the host with domain Y are able to freely communicate (of course, through host A). NOTE: All these hosts are on the Internet, not inside a LAN. Please, let me know if the explanation is not clear enough.


  • Iptables and counters

    - by mehturt
    I'm trying to use iptables counters with munin to monitor traffic of hosts on my local subnet. For each host I set up a rule like this:

        iptables -I OUTPUT -d $ip

    This should count the packets going from firewall to $ip, correct? I found out that this does not seem to count all packets. I start tcpdump on my router (Linux) and I see packets to $ip that are not counted. For example I check the number of packets for the rule for my phone IP. I start tcpdump, refresh Gmail on my phone, I see packets in tcpdump's output but iptables rule counters are not incremented. Then I open a web page on the same phone and the counters are incremented. What could be the reason?


  • Getting much higher than usual brute-force attempts on cPanel

    - by UserZer0
    Although I have many client accounts on my cPanel based server I'm really the only one who has login information to any of the accounts. I have cPhulk set up to alert me and block after 4 failed attempts. I usually have only a handful of bots trying to get in each day (2 hosts ago I never had any), but today the rate has significantly increased, every 10 minutes or so (no not like clockwork, just averaging). Should I be concerned? Is there anything extra I should be doing, are there any automated reporting services I can use? Thanks.


  • how to stop deferred emails

    - by Will K
    I have a postfix mail gateway. At the same time, every other host is set to use this gateway as the relay. We have some automated outgoing emails sent from some hosts. I believe the gateway tries to send a deferred status back to the system that started this. But that system is a null client, which sends but does not receive any email. Is there any way to stop sending the deferred status? e.g.

        postfix/smtp[35725]: 2F6A155C256: to=, relay=none, delay=260862, delays=260862/0.01/0/0, dsn=4.4.1, status=deferred (connect to orange.mydom.com[192.168.1.5]:25: Connection refused)

    Thanks


  • svn:externals cache and stale URLs

    - by dcaunt
    I have a subversion externals entry in a library folder which looks like this:

        Z https://svn/Z/trunk/library/Z

        Fetching external item into '/home/releases/50/library/Z'
        svn: OPTIONS of 'http://svn/repo/trunk/library/Z': could not connect to server (http://svn)

    The externals URL was the same, but over the HTTP protocol. Having changed the externals to point to the HTTPS, I can't figure out why subversion is still trying to use the old URL. Does subversion cache the externals path, and if so how can I clear this? If not, what else could be causing this? I can check out from the correct (HTTPS) URL fine from the server. NOTE: svn is an entry in the server's local hosts file, pointing to our subversion server's IP.

