Fedora Security :: Why Is Httpd Allowed To Start Bound To A Port That's Not Explicitly Allowed?
May 28, 2010
While reading some papers on securing Apache with SELinux, I tried to bind httpd to port 3000, expecting to be blocked by SELinux, since TCP port 3000 isn't on the http_port_t list. However, I was able to start the service...
I'm pretty sure SELinux is enforcing. Also, if I bind httpd to TCP 81, SELinux denies the start of the service, as expected! Did I miss something? Why is httpd allowed to start bound to a port that's not explicitly allowed?
View 12 Replies
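One way to check this methodically, as an added example that is not from the original post or any reply: SELinux decides by the type the port carries, not by whether the number is in http_port_t specifically. The script resolves a port to its type the way `semanage port -l` reports it (explicit portcon entries, then the policy's catch-all ranges) and then asks whether httpd_t may name_bind that type, which on a real box is what `sesearch -A -s httpd_t -c tcp_socket -p name_bind` answers. Both input lists below are constructed stand-ins; that ntop_port_t is on the bindable list is an assumption chosen so the sample reproduces "3000 works, 81 is denied", and the real sesearch output must be consulted before drawing a conclusion.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the SELinux type a TCP port
# carries and ask whether httpd_t may name_bind to it. On a Fedora/RHEL box the
# inputs come from:
#   semanage port -l                                     # port -> type, with ranges
#   sesearch -A -s httpd_t -c tcp_socket -p name_bind    # types httpd_t may bind
# Both variables below are CONSTRUCTED stand-ins for that output.

PORT_LIST='http_port_t tcp 80, 443, 488, 8008, 8009, 8443
http_cache_port_t tcp 3128, 8080, 8118, 10001-10010
ntop_port_t tcp 3000-3001, 3005-3006
ssh_port_t tcp 22'

# ASSUMPTION for the sample: ntop_port_t is on the bindable list, which is what
# would make 3000 succeed while 81 (no portcon, so reserved_port_t) is denied.
# Replace with the real sesearch output before drawing conclusions.
HTTPD_BIND_TYPES='http_port_t http_cache_port_t ntop_port_t'

# port_type PORT PROTO: print the type that labels PORT; when no portcon
# matches, fall back to refpolicy's catch-all ranges (reserved_port_t 1-511,
# hi_reserved_port_t 512-1023, unreserved_port_t 1024-65535).
port_type() {
    t=$(printf '%s\n' "$PORT_LIST" | while read -r type proto ranges; do
            if [ "$proto" != "$2" ]; then continue; fi
            for r in $(printf '%s' "$ranges" | tr ',' ' '); do
                lo=${r%-*}; hi=${r#*-}
                if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
                    printf '%s' "$type"; exit 0
                fi
            done
        done)
    if [ -n "$t" ]; then printf '%s\n' "$t"
    elif [ "$1" -lt 512 ]; then printf 'reserved_port_t\n'
    elif [ "$1" -lt 1024 ]; then printf 'hi_reserved_port_t\n'
    else printf 'unreserved_port_t\n'
    fi
}

# httpd_may_bind PORT: "allowed (<type>)" or "denied (<type>)" for tcp/PORT
httpd_may_bind() {
    t=$(port_type "$1" tcp)
    verdict=denied
    for a in $HTTPD_BIND_TYPES; do
        if [ "$a" = "$t" ]; then verdict=allowed; fi
    done
    printf '%s (%s)\n' "$verdict" "$t"
}

for p in 80 81 3000 8080 40000; do
    printf 'tcp/%s: %s\n' "$p" "$(httpd_may_bind "$p")"
done
# To make a port legitimate for httpd on purpose, label it rather than loosening policy:
#   semanage port -a -t http_port_t -p tcp 3000
```

The practical lesson is that "not in http_port_t" and "denied" are different questions: a port that is already labelled with some other type is governed by whatever rules exist for that type, and the only authoritative answer is the policy query on the box in question.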
Jan 22, 2011
I had just got Arch up and running a couple weeks back, and I was following a random user's guide (previous Ubuntu user and newb to Linux in general)-- I think it may have been a mistake. When I was configuring my iptables/ufw, I'd added a rule to iptables allowing ssh to be used from anywhere (I think so anyhow); it came up as something along the lines of 'ALLOW: IN : ANYWHERE: ssh 22' in red font on gufw.
This had been open for about a few days, and I didn't realize the security risk until I learned what ssh is. So is it likely that my system is compromised and needs a full hard drive wipe? hosts.deny remained in its default state, so wouldn't that override the iptables configuration or no? Could my router have kept any potential threats out like it has before despite the rule?
View 4 Replies
Jun 5, 2010
I'm using a local proxy server VPN'd to another network.
How do I setup either Firestarter or Gufw/ufw to ONLY allow in/out from ONE port? (The one port the proxy uses)
Ex: Firefox is proxied to 127.0.0.1, all ports, and then the proxy picks it up, and sends out on port xxxx, and receives on port xxxx, then sends back through 127.0.0.1, back to Firefox.
Any setting/rules I've tried on either Firestarter or Gufw kills the proxy>VPN (Proxy won't connect to remote network)
Addendum: If I start the proxy FIRST, then the firewall, all is good. I'm thinking the proxy uses a port to connect with remote network first, then switches to my configured xxxx port...hmmm
View 1 Replies
Aug 23, 2010
I want to check if a port is allowed in iptables. How to do this?
View 5 Replies
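The quick check is `sudo iptables -S INPUT | grep -- '--dport 22'`, but a grep hit does not tell you whether an earlier rule already dropped the packet. The following is an added example, not from the original post or any reply: it walks the chain in order the way the kernel does (first match wins, the chain policy applies otherwise) over a constructed sample in the exact format `iptables -S` prints, and reports the verdict for a given protocol and port. Only `-i`, `-p`, `--dport(s)` and `--state` are interpreted; a rule with other matches (`-s`, `-d`, ...) is treated as matching, which is a simplification you should keep in mind.

```shell
#!/bin/sh
# Added example, not from the original post: decide what a chain does with a
# new inbound packet to a port by walking the rules in order, as iptables does.
# Real input on a box:  sudo iptables -S INPUT   (or: iptables -L INPUT -n --line-numbers)
# RULES below is a CONSTRUCTED sample in the format `iptables -S` prints.

RULES='-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6010 -j DROP
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# port_in_spec PORT SPEC: SPEC is "22", "80,443" or "6000:6010"
port_in_spec() {
    for r in $(printf '%s' "$2" | tr ',' ' '); do
        lo=${r%%:*}; hi=${r#*:}
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# port_verdict CHAIN PROTO PORT: target of the first matching rule, or "policy X".
# Rules bound to lo and rules that only accept RELATED/ESTABLISHED cannot match
# a fresh packet arriving from the network, so they are skipped.
port_verdict() {
    chain=$1; proto=$2; port=$3
    printf '%s\n' "$RULES" | (
        policy=ACCEPT
        while read -r line; do
            set -- $line
            case $1 in
                -P) if [ "$2" = "$chain" ]; then policy=$3; fi; continue ;;
                -A) if [ "$2" != "$chain" ]; then continue; fi ;;
                *)  continue ;;
            esac
            shift 2
            rp=; spec=; target=; iface=; state=
            while [ $# -gt 0 ]; do
                case $1 in
                    -i) iface=$2; shift ;;
                    -p) rp=$2; shift ;;
                    --dport|--dports) spec=$2; shift ;;
                    --state) state=$2; shift ;;
                    -j) target=$2; shift ;;
                esac
                shift
            done
            if [ "$iface" = lo ]; then continue; fi
            case $state in ""|*NEW*) ;; *) continue ;; esac
            if [ -n "$rp" ] && [ "$rp" != "$proto" ]; then continue; fi
            if [ -n "$spec" ] && ! port_in_spec "$port" "$spec"; then continue; fi
            printf '%s\n' "$target"; exit 0
        done
        printf 'policy %s\n' "$policy"
    )
}

for p in 22 443 5900 6005; do
    printf 'tcp/%s -> %s\n' "$p" "$(port_verdict INPUT tcp "$p")"
done
```

On the sample, tcp/22 and tcp/443 are accepted, tcp/6005 is dropped by the range rule, and tcp/5900 falls through to the final REJECT rather than the chain policy, which is exactly the kind of ordering detail a grep for the port number misses.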
Mar 23, 2010
In the firewall, I opened port 5900 for TCP traffic. Now the console is displaying packet information whenever a connection is made. Why does it send a message to stdout/stderr for an allowed connection? How can I stop it? Logging level is set to critical only, and not-accepted packets should only be logged for the internal and DMZ zones.
View 1 Replies
Aug 10, 2010
Squid ACL rules can be configured to allow specific IPs to get full access, or rather skip the blocked-site list.
acl <tag> src x.x.x.x
http_access allow <tag>
http_access deny blocksites
From all the ways I tried, squid does not log these URLs. Is there a way to have squid log the URLs requested from allowed IPs?
Specs:
squid ver : (squid/2.6.STABLE21)
OS : CentOS 5.5
View 1 Replies
Feb 28, 2011
I use Ubuntu 10.10 with encrypted home. I'm new to AppArmor. My firefox-3.6.13 is now in enforce mode - with the standard profile. With this profile it should have write access only to:
owner @{HOME}/Downloads/* rw,
But I can save files (with the standard download manager of Firefox) e.g. in $HOME itself and I can't find any other rule which could allow that. I think that the ecryptfs workaround just affects the eCryptFS "part of things" and limitations of normal filenames/paths (in the mounted ecryptfs) are still possible. Why can Firefox write elsewhere than to ${HOME}/Downloads? I also get this in kern.log (but not when saving a file as written above):
Feb 27 05:49:30 duron650 kernel: [ 2284.886631] type=1400 audit(1298782170.190:4: apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/home/.ecryptfs/hugo/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVX6-OCUaSGk2nU5ADkJx.rdk--/ECRYPTFS_FNEK_ENCRYPTED.FWY1tHLaOszg1UQTPB2f1Zq7Xu 0xztwk9hVXFlmP1qlJBZ2eq7XFiWljUE--" pid=2209 comm="firefox-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Why does Firefox try to write to it and why does it fail even with the #13 workaround?
Feb 27 06:03:23 duron650 kernel: [ 3118.231818] type=1400 audit(1298783003.534:49): apparmor="DENIED" operation="open" parent=1782 profile="/usr/lib/firefox-3.6.13/firefox-*bin" name="/tmp/.X0-lock" pid=2304 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Why does Firefox try to access the X lock?
View 4 Replies
May 22, 2011
I have the Shorewall firewall running on Ubuntu 10.10 server and the issue I am having is that the firewall is blocking traffic from my transmission-daemon even though I have allowed it in /etc/shorewall/rules.
The rules file has the following lines
Code:
ACCEPT  $FW   net   tcp   60000:60035
ACCEPT  net   $FW   tcp   60000:60035
ACCEPT  $FW   net   udp   51413
ACCEPT  net   $FW   udp   51413
[Code]...
As you can see, Shorewall is rejecting packets with source and destination port 51413 on incoming net2fw and outgoing fw2net even though the rules are set to accept.
View 7 Replies
Jul 29, 2011
I am using FF ver 5.0.1 from here. After reading [URL] I did
Code:
sudo aa-logprof /path to firefox
Allowed all when asked. But when I try to start FF in enforce mode I get
[Code]....
View 9 Replies
Feb 19, 2011
I have a Macbook Air that I want to print to a computer running Fedora or another running Ubuntu, where each has a connected printer. Both printers are shared. It seemed that, since all three computers run CUPS, you would think it was a no brainer to set up printing. Maybe my brain's too small. Would some one get me out of my misery? Where does one start? The Air's already set to "sharing printers".
View 3 Replies
May 25, 2011
What we have learned from gnome3? Right click on desktop is not allowed
View 10 Replies
Nov 25, 2009
As what it says above. I can't access public wifi, as any browser on every single distro I've tried (15+) won't load, just stuck in perpetual loading. No error message or nothing.
Also the browser wouldn't work until I disabled IPv6 in about:config. All browsers do this. Is there something I could do to disable it completely so I have a browser choice?
View 5 Replies
Apr 20, 2010
I have a problem with export a secret key with Fedora 12.
When i did this command:
Code:
I had an error:
Code:
View 1 Replies
Oct 1, 2010
I am trying to shut down a box running Fedora (fc12, all updates applied) remotely. From various threads I selected the following way that suits my needs best: I edited the entry for shutdown in /etc/passwd:
shutdown:x:6:0:shutdown:/sbin:/usr/bin/sudo /sbin/shutdown -h +1
Logging in from a tty with shutdown gives the desired result: The computer does the shutdown. Then I tried the same using sshd and plink:
plink -t -l shutdown -pw xxx 10.0.0.123
As a result I get:
Using username "shutdown".
Access denied
Access denied
shutdown@10.0.0.123's password:
The /var/log/secure shows the following entry:
Oct 2 00:40:46 rotgschirr sshd[6841]: User shutdown not allowed because shell /usr/bin/sudo /sbin/shutdown -h +1 does not exist
Oct 2 00:40:46 rotgschirr sshd[6846]: input_userauth_request: invalid user shutdown
Oct 2 00:40:46 rotgschirr unix_chkpwd[6847]: password check failed for user (shutdown)
Oct 2 00:40:46 rotgschirr sshd[6841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rotgschirr.totes-gebirge user=shutdown
Oct 2 00:40:48 rotgschirr sshd[6841]: Failed password for invalid user shutdown from 10.0.0.123 port 37195 ssh2
Oct 2 00:40:50 rotgschirr sshd[6846]: Connection closed by 10.0.0.123
Somehow when using ssh the shell /usr/bin/sudo /sbin/shutdown -h +1 cannot be found.
View 5 Replies
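The log line quoted above is sshd's own precondition check: it takes the whole shell field of the passwd entry as one path and stat()s it, so "/usr/bin/sudo /sbin/shutdown -h +1" is looked up as a file of that name and rejected before the password is even considered (tty login behaves differently, which is why it worked there). The usual way around this is a wrapper script as the login shell. The following is an added example, not from the original post or any reply; the directory it writes into and the sudoers line are assumptions for illustration, and the account, UID and home directory are the ones from the poster's passwd entry.

```shell
#!/bin/sh
# Added example, not from the original post. sshd checks the passwd shell field
# as ONE path: it must exist and be executable. A shell field with embedded
# arguments can never pass that check, so the command goes into a wrapper script.

# check_login_shell SHELL: the two checks sshd's allowed_user() performs
check_login_shell() {
    if [ ! -e "$1" ]; then echo "shell $1 does not exist"; return 1; fi
    if [ ! -x "$1" ]; then echo "shell $1 is not executable"; return 1; fi
    echo ok
}

# write_shutdown_shell DIR: create DIR/shutdown-shell and print its path.
# DIR is an assumption for this example; on a real host use e.g. /usr/local/sbin.
write_shutdown_shell() {
    f=$1/shutdown-shell
    cat > "$f" <<'EOF'
#!/bin/sh
# Login shell for the 'shutdown' account: ignore whatever sshd passes
# (-c "cmd" for a remote command, nothing for an interactive login) and run
# exactly one privileged command. -n makes sudo fail instead of prompting.
exec /usr/bin/sudo -n /sbin/shutdown -h +1
EOF
    chmod 0755 "$f"
    printf '%s\n' "$f"
}

# Matching configuration lines (shown, not applied by this script):
#   /etc/passwd:   shutdown:x:6:0:shutdown:/sbin:/usr/local/sbin/shutdown-shell
#   visudo:        shutdown ALL=(root) NOPASSWD: /sbin/shutdown -h +1
# A tighter variant keeps /bin/sh as the shell, turns password auth off for the
# account (Match User shutdown / PasswordAuthentication no in sshd_config) and
# pins the command to one key in ~shutdown/.ssh/authorized_keys:
#   command="/usr/bin/sudo -n /sbin/shutdown -h +1",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA... remote-poweroff

d=$(mktemp -d)
f=$(write_shutdown_shell "$d")
printf 'before: %s\n' "$(check_login_shell "/usr/bin/sudo /sbin/shutdown -h +1")"
printf 'after:  %s\n' "$(check_login_shell "$f")"
rm -rf "$d"
```

The key-pinned variant is worth the extra step because it removes the password from the picture: the account then has no credential that can be guessed over the network, and the only thing the key can do is trigger that one command.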
Mar 29, 2010
I am fairly new to Fedora, or rather use it only for some school exercises I get. I have to set up a Samba server with some basic settings and it doesn't want to work. I first tried it on the Fedora VM I got from school (version 11). It somehow worked, but extremely badly ... the Windows client had to wait for over a minute to get either access or an error message that the server was not found (but when I entered the IP in the address field on top it worked (with a minute or more to wait)). I tried updating the VM - no improvement. So I decided to download Fedora 12, installed it and the Windows client gains instant access at first glance. But when I try to get access to a specific share, it only tells me that I am not allowed to access it Oo.
Here is my config:
Code:
I even turned off iptables and Windows firewall.
The funny thing is: I tried exactly the same config on my home server (copy and paste), which runs Arch, and it works with no problem. But on Fedora I can't access it from anywhere. Not from WinXP, Win7 or any Linux. Simply won't work.
I don't have any GUI on Fedora.
View 5 Replies
Mar 7, 2009
I have downloaded and installed Fedora 10. Now I am setting up the network and in the 'network configuration' it finds the wireless device (ralink) in the 'hardware' section of the configuration - I set this to eth0 (it originally set itself to wan0 and I still had the same problems; now it doesn't give me the option to put it back to wan0). Now I go to the devices tab and try to set up the device with eth0 - which it seems to find. But when I go to activate the device it tells me that eth0 cannot be found.
View 2 Replies
Jan 11, 2011
I recently switched my desktop from Fedora to CentOS. On Fedora it auto detects my refresh rate at 85 Hz. On CentOS by default it only allowed 60 Hz. I looked at the /etc/X11/xorg.conf file and the display settings were:
[Code]....
View 1 Replies
Sep 19, 2010
I have installed fedora 13 in my system. httpd server is also installed. when I tried to start the service of httpd, following error message displayed: Starting httpd: (98)Address already in use: make_sock: could not bind to address [::]:80
View 1 Replies
May 25, 2010
I have a situation that I am trying to set up.
I have 2 email servers that run on Windows: one is for internal purposes, the other is external purposes.
The external one will receive e-mail from the outside world, clean it up and forward it to the internal one.
There are 2 Windows Vista machines and 2 Unix (OpenSuse Linux) machines.
Since there can be only 1 email server per domain, I thought I would:
-> set up a local domain with ALL of the machines in it
-> set up a DNS server for the local domain
-> set up a MX record in the DNS server for the email
For the external machine, just have a Dynamic IP point to the Windows machine holding the external email server.
Does this sound plausible? Does this make sense?
View 9 Replies
Feb 21, 2010
I installed OpenSUSE 11.2-KDE about 2 weeks ago, and have been pretty satisfied with it so far. Apart from one niggling little problem. When I went to the 'Password and User Account' page (Configure Desktop>About Me) and tried to change from the default image to something more personal, I got a message box saying "Your administrator has disallowed changing your image." However, on the same page I was allowed to enter personal details and could, if I wished, have changed my password. I logged in as root to see if I could change it from there, but I got the same message. As this is a single-user machine, where I am effectively root/administrator, it would appear I am banning myself from changing my image. So far, I've been allowed to change anything else.
View 4 Replies
Feb 8, 2010
I have the following share setup on my Ubuntu machine
# From /etc/fstab
//192.168.1.13/media /home/USER/SHARE/media cifs username=USERNAME,password=PASSWORD,_netdev,uid=USER,gid=users 0 0
[code]....
View 1 Replies
Nov 24, 2010
For some reason I am not allowed to change the permissions on my HDD. I have a 3G partition partitioned off of it but I can't access the other 290G. What can I do to get permission?
View 2 Replies
Mar 26, 2011
Ubuntu does not allow me to save in /home. It says: "You don't have the rights to save the file. Check if you entered the location correctly and try again." /home is an 850 GB partition which I mounted there at the installation of Ubuntu. It was meant to save personal data on, but now I can't save anything on it. I can only open what's on it, but I can't save anything.
View 3 Replies
Dec 22, 2010
What is your favorite font that is available for Linux (anything but M$ fonts)? They can be monospaced or non-monospaced, unlike the font thread in General that only accepts monospaced ones. However, they *must* be Linux fonts; no M$ or Apple fonts allowed.
View 2 Replies
Jun 10, 2010
My Linux does not work. It does not accept incoming connections. iptables is disabled. Ping works on the network, but it cannot connect, neither at 22 nor at any other port. How do I check what is blocking the connection?
Thanks a lot. OS: Ubuntu 9.4
View 4 Replies
Jan 13, 2010
I have a RHEL FTP server, which I'm told is set up to only allow certain IPs to connect to the FTP site. I have two questions though. 1) What file would show what IPs are currently allowed? 2) What command do I use to add another IP to it?
View 6 Replies
Feb 25, 2010
I have a problem where I have certain foo.tgz files that are too big to gunzip in a directory; the box that it is on has limited space in /var/tmp for all intents and purposes. I did the standard gunzip -l to see how big the file was.
How can I look in the .tgz to see what files are there and pull out only the ones that I need? tar -t foo.tgz doesn't seem to work, or am I doing something wrong?
Once I do find the file, how do I extract only that one file from the .tgz? Remember I can't uncompress the entire foo.tgz.
View 14 Replies
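Listing and single-member extraction never need the archive decompressed to disk: tar reads the gzip stream itself (`-z`) and writes only what you ask for. The reason `tar -t foo.tgz` misbehaves is the missing `-f`; without it tar opens its default archive (stdin or a tape device, depending on the build) and treats foo.tgz as a member name to look for. The following is an added example, not from the original post or any reply; it builds a small constructed archive so the three operations can be exercised offline, and the member names in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post: list a .tgz and pull one member out
# of it without ever writing the decompressed tarball anywhere. Only the bytes of
# the requested member reach disk; /var/tmp is not touched.

# make_sample_tgz DIR: build a small CONSTRUCTED archive under DIR, print its path
make_sample_tgz() {
    d=$1
    mkdir -p "$d/src/etc" "$d/src/var/log"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/src/etc/passwd"
    printf 'hello from the big file\n' > "$d/src/var/log/big.log"
    (cd "$d/src" && tar -czf "$d/foo.tgz" etc var)
    printf '%s\n' "$d/foo.tgz"
}

# list_tgz ARCHIVE: member names, read straight from the compressed stream
list_tgz() {
    tar -tzf "$1"
}

# extract_one ARCHIVE MEMBER DESTDIR: extract exactly one member into DESTDIR
# (parent directories of MEMBER are created, nothing else is unpacked)
extract_one() {
    tar -xzf "$1" -C "$3" "$2"
}

# cat_one ARCHIVE MEMBER: stream the member to stdout, writing nothing to disk
cat_one() {
    tar -xzOf "$1" "$2"
}

d=$(mktemp -d)
a=$(make_sample_tgz "$d")
echo "members:"; list_tgz "$a"
mkdir -p "$d/out"
extract_one "$a" etc/passwd "$d/out"
echo "extracted: $(ls "$d/out")"
echo "streamed:  $(cat_one "$a" var/log/big.log)"
rm -rf "$d"
```

If the tar on the box is too old to take `-z`, the same thing works with a pipe: `gzip -dc foo.tgz | tar -tf -` to list and `gzip -dc foo.tgz | tar -xf - path/in/archive` to extract, still without a temporary uncompressed copy.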
Mar 24, 2011
I tried to log in into squeeze as root, hoping to improve the system's fonts, but it is showing root login is not allowed!
View 14 Replies
Jan 12, 2011
I tried Suse five or six years ago and ran into an issue that was not comfortable to work with so I went back to windows. The problem was open spaces between words was not permitted with my music files. I have transferred all of my CDs and LPs to MP3 and have a tremendous number of them and the Suse of five years ago required I convert a title like Foggy Mountain Special.mp3 into something resembling Foggy_Mountain_Special.mp3
I don't care to convert literally a hundred thousand titles to fit the latter format. Does the current version of Suse allow the use of spaces between the words or is the 'no open space' convention still required?
View 9 Replies
Oct 18, 2010
Went to switch to root in KDE, and at the login attempt I got the above message. Any clue as to why? I can log on to root from the shell, but not KDE. Will be poking around a bit more tonight and keeping an eye on here.
View 7 Replies