Koozali.org: home of the SME Server

Server Manager Local Networks

Offline Graham

Server Manager Local Networks
« on: April 07, 2017, 12:13:54 AM »
I've started using SME Server again and I'm looking for a way to stop some of the local networks from being able to access /server-manager and SSH.

Is this possible?

Offline DanB35

Re: Server Manager Local Networks
« Reply #1 on: April 07, 2017, 01:18:10 AM »
Are you using SME 10? Because that's in early Alpha, and shouldn't be used in anything remotely resembling a production environment.

Offline Graham

Re: Server Manager Local Networks
« Reply #2 on: April 07, 2017, 09:14:57 AM »
Posted in the wrong place; I'm using SME 9, can this be moved please?

Offline Stefano

Re: Server Manager Local Networks
« Reply #3 on: April 07, 2017, 09:52:50 AM »
moving to 9.x section as requested

Offline Stefano

Re: Server Manager Local Networks
« Reply #4 on: April 07, 2017, 10:13:55 AM »
hi, welcome back :-)

try to play with this:
https://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables

involved services are sshd and httpd-admin

HTH

Offline mmccarn

Re: Server Manager Local Networks
« Reply #5 on: April 07, 2017, 12:28:12 PM »
You say "networks", so here are some examples using network terminology.

Assumption: you want to block access to server-manager and ssh from 10.10.10.0/24

Code:
config setprop httpd-admin DenyHosts 10.10.10.0/24
config setprop sshd DenyHosts 10.10.10.0/24
signal-event remoteaccess-update

Undo using:
Code:
config delprop httpd-admin DenyHosts
config delprop sshd DenyHosts
signal-event remoteaccess-update

Offline Graham

Re: Server Manager Local Networks
« Reply #6 on: April 10, 2017, 09:19:47 PM »
Doesn't look like that works; I can see that after doing

config setprop sshd DenyHosts 192.168.8.0/24
signal-event remoteaccess-update

the following is added to the masq config:

    # sshd: TCPPorts: 22, AllowHosts: , DenyHosts: 192.168.8.0/255.255.255.0
    /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 22 \
        --destination $OUTERNET --src 192.168.8.0/255.255.255.0 --jump denylog

which adds the following to iptables:

-A InboundTCP_4881 -s 192.168.8.0/24 -d 192.168.8.12/32 -p tcp -m tcp --dport 22 -j denylog

However, SSH can still be accessed from any IP on 192.168.8.0/24.

My Local Networks are set as

192.168.6.0/24
192.168.8.0/24     ---- server's IP 192.168.8.12
« Last Edit: April 10, 2017, 10:09:53 PM by Graham »

Offline mmccarn

Re: Server Manager Local Networks
« Reply #7 on: April 11, 2017, 03:28:57 PM »
Interesting.

It looks like you're specifically trying to deny access to your server from the server's own local network; I don't see any way to do that without custom templates.

If your server is currently in 'server-only' mode, you could put it in server-gateway mode and put the 192.168.8 network on the WAN -- then your issue is allowing the services you want accessible from 192.168.8.x rather than denying the services that are customarily assumed to be safe from the LAN.

If you want to pursue custom templates...

sshd
customize /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH. 

Here I've taken the masq code from your last post and removed the "--destination $OUTERNET" bit.
Note that the ssh port is hard-coded: you'll have to change it here manually if you also change the ssh port in server-manager.
Code:
#
#create custom template directory
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
#
# copy current ssh fragment
# (note the space and dot at the end of the next line)
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH .
#
# add a custom masq rule to the end of the template that does not reference "$OUTERNET"
# (this command adds content outside the perl braces {}, so is treated as plain text during template expansion)
echo '
# custom template
 /sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 22 \
  --src 192.168.8.0/255.255.255.0 --jump denylog
' >> 90InboundTCP07FilterSSH
#
#activate changes
signal-event remoteaccess-update

To disable/remove these changes:
Code:
#sshd
rm -f /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundTCP07FilterSSH
#
# activate changes
signal-event remoteaccess-update


server-manager
My advice re 'httpd-admin' is/was misguided. server-manager (httpd-admin) shares a port with httpd-e-smith; you probably didn't mean to block access to your SME web server as well as server-manager.

To allow access to server-manager from 192.168.6.0 while denying it from 192.168.8.0 (the server's LAN), you'll need to copy and customize /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/01localAccessString or /etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/90e-smithAccess20manager

(details left up to you...)


Offline Stefano

Re: Server Manager Local Networks
« Reply #8 on: April 11, 2017, 03:42:18 PM »
regarding ssh, maybe a custom fragment for /etc/hosts.allow will do the trick

Offline Graham

Re: Server Manager Local Networks
« Reply #9 on: April 11, 2017, 09:02:30 PM »
I've given the SSH masq template a try and it still seems to be letting SSH connections in from 192.168.8.0.

Below is the output of iptables; the bold one is the rule that is being added.

What we are trying to achieve is that only the IT department, who are on 192.168.6.0, is able to access the management parts of SME.

Quote

[root@gws-alpha ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ForwardedTCP
-N ForwardedTCP_8442
-N ForwardedUDP
-N ForwardedUDP_8442
-N InboundICMP
-N InboundICMP_8442
-N InboundTCP
-N InboundTCP_8442
-N InboundUDP
-N InboundUDP_8442
-N PPPconn
-N PPPconn_1
-N SMTPProxy
-N SSH_Autoblock
-N denylog
-N gre-in
-N local_chk
-N local_chk_8442
-N state_chk
-A INPUT -j state_chk
-A INPUT -j local_chk
-A INPUT -j PPPconn
-A INPUT -s 224.0.0.0/4 -j denylog
-A INPUT -d 224.0.0.0/4 -j denylog
-A INPUT -p icmp -j InboundICMP
-A INPUT -p icmp -j denylog
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A INPUT -i bond0 -p udp -j InboundUDP
-A INPUT -i bond0 -p udp -j denylog
-A INPUT -p gre -j gre-in
-A INPUT -p gre -j denylog
-A INPUT -j denylog
-A FORWARD -j state_chk
-A FORWARD -p tcp -m tcp --dport 25 -j SMTPProxy
-A FORWARD -j local_chk
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ForwardedTCP
-A FORWARD -p udp -j ForwardedUDP
-A FORWARD -j denylog
-A OUTPUT -j PPPconn
-A OUTPUT -s 224.0.0.0/4 -j denylog
-A OUTPUT -d 224.0.0.0/4 -j denylog
-A OUTPUT -j ACCEPT
-A ForwardedTCP -j ForwardedTCP_8442
-A ForwardedTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A ForwardedUDP -j ForwardedUDP_8442
-A ForwardedUDP -p udp -j denylog
-A InboundICMP -j InboundICMP_8442
-A InboundICMP -p icmp -j denylog
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A InboundICMP_8442 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A InboundICMP_8442 -j denylog
-A InboundTCP -j InboundTCP_8442
-A InboundTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j denylog
-A InboundTCP_8442 ! -d 192.168.8.12/32 -j denylog
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A InboundTCP_8442 -s 192.168.8.0/24 -p tcp -m tcp --dport 22 -j denylog
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A InboundTCP_8442 -d 192.168.8.12/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A InboundUDP -j InboundUDP_8442
-A InboundUDP -p udp -j denylog
-A InboundUDP_8442 ! -d 192.168.8.12/32 -j denylog
-A PPPconn -j PPPconn_1
-A SSH_Autoblock -m recent --set --name SSH --rsource
-A SSH_Autoblock -m recent --rcheck --seconds 900 --hitcount 4 --rttl --name SSH --rsource -j denylog
-A denylog -p udp -m udp --dport 520 -j DROP
-A denylog -p udp -m udp --dport 137:139 -j DROP
-A denylog -p tcp -m tcp --dport 137:139 -j DROP
-A denylog -j ULOG --ulog-prefix "denylog:"
-A denylog -j DROP
-A gre-in ! -d 192.168.8.12/32 -j denylog
-A gre-in -j denylog
-A local_chk -j local_chk_8442
-A local_chk_8442 -i lo -j ACCEPT
-A local_chk_8442 -s 192.168.8.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.6.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.12.0/24 -j ACCEPT
-A state_chk -m state --state RELATED,ESTABLISHED -j ACCEPT

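Walking the posted ruleset for a fresh SSH SYN shows why the masq deny rule never fires: INPUT jumps to local_chk before it jumps to InboundTCP, and local_chk_8442 accepts anything sourced from a configured local network, so InboundTCP_8442 is never consulted for LAN traffic. The script below is an added example, not code from the thread or from SME Server; the rule lines are a subset copied from the dump above, the packets are constructed, and only the iptables options those rules use are implemented.

```python
import ipaddress, shlex

# Rule lines below are copied (subset, order kept) from the iptables -S dump in Reply #9.
RULES = """-A INPUT -j local_chk
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j InboundTCP
-A InboundTCP -j InboundTCP_8442
-A InboundTCP_8442 ! -d 192.168.8.12/32 -j denylog
-A InboundTCP_8442 -s 192.168.8.0/24 -p tcp -m tcp --dport 22 -j denylog
-A denylog -j DROP
-A local_chk -j local_chk_8442
-A local_chk_8442 -s 192.168.8.0/24 -j ACCEPT
-A local_chk_8442 -s 192.168.6.0/24 -j ACCEPT"""
POLICY = {"INPUT": "DROP"}                      # from "-P INPUT DROP" in the dump
CHAINS = {}
for tok in (shlex.split(line) for line in RULES.splitlines()):   # -A CHAIN <matches> -j TARGET
    CHAINS.setdefault(tok[1], []).append(tok[2:])

def matches(opts, pkt):
    """Test one rule's match options against a bare TCP SYN; '!' inverts the next test."""
    i, neg = 0, False
    while opts[i] != "-j":
        o = opts[i]
        if o in ("!", "-m", "--tcp-flags"):     # negation marker; module load and SYN-flag test always hold here
            neg, i = neg or o == "!", i + {"!": 1, "-m": 2, "--tcp-flags": 3}[o]
            continue
        if o in ("-s", "-d"):
            hit = ipaddress.ip_address(pkt[o]) in ipaddress.ip_network(opts[i + 1])
        else:                                   # -p, -i, --dport: plain string compare
            hit = str(pkt[o]) == opts[i + 1]
        if hit == neg:
            return False
        neg, i = False, i + 2
    return True

def verdict(pkt, chain="INPUT", trail=None):
    """First-match walk with jumps; a user chain that matches nothing returns to its caller."""
    trail = [] if trail is None else trail
    for opts in CHAINS.get(chain, []):
        if matches(opts, pkt):
            target = opts[opts.index("-j") + 1]
            trail.append(f"{chain} -> {target}")
            if target in ("ACCEPT", "DROP"):
                return target, trail
            v, _ = verdict(pkt, target, trail)
            if v:
                return v, trail
    return POLICY.get(chain), trail

def ssh_syn(src):   # constructed new SSH connection attempt to the server's LAN address
    return {"-s": src, "-d": "192.168.8.12", "-p": "tcp", "-i": "bond0", "--dport": 22}
```

Running verdict(ssh_syn("192.168.8.50")) returns ACCEPT with a trail that ends in local_chk_8442 and never enters InboundTCP, which is why a source-based deny placed in InboundTCP_8442 cannot affect the server's own local networks; a non-local source such as 10.10.10.5 does reach InboundTCP_8442 and falls through to the INPUT DROP policy.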

Offline janet

Re: Server Manager Local Networks
« Reply #10 on: April 12, 2017, 07:54:31 AM »
Graham

Is this as simple as "Can you change the root/admin password & only let those who should have access know the new password"?
Perhaps even configure different passwords for root & admin.
Further to that, create the user permissions file for ssh to control access rights per user.

You need to provide more info on which user login(s) you are trying to block.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Graham

Re: Server Manager Local Networks
« Reply #11 on: April 19, 2017, 08:48:41 PM »
Quote
regarding ssh, maybe a custom fragment for /etc/hosts.allow will do the trick

Thanks, that did the trick for SSH.

Create Custom template /etc/e-smith/templates-custom/etc/hosts.allow/sshd

Quote
sshd: 192.168.6.0/255.255.255.0

followed by
signal-event remoteaccess-update

For Server Manager I ended up doing

Create Custom template /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass

Quote
{
    # vim: ft=perl:

    $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ?  'yes' : 'no';
    $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
    $plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
    $sslPort = ${modSSL}{TCPPort} || '443';

    $OUT = '';
    foreach $place ('server-manager','server-common','user-password')
    {
        if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
        {
            $OUT .= '    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
            $OUT .= "    RewriteRule ^/$place(/.*|\$)    https://%{HTTP_HOST}/$place\$1 [L,R]\n";
        }
        if ($port eq $sslPort)
        {
            # mod_auth_tkt needs to know the protocol to write a 307 redirection
            $OUT .= "    RequestHeader set X-Forwarded-Proto \"https\"\n";
        }
        $OUT .= "    ProxyPass /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
        $OUT .= "    ProxyPassReverse /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";

        $OUT .= "    <Location /$place>\n";
        $OUT .= "        order deny,allow\n";
        $OUT .= "        deny from all\n";
        if ($port eq $plainPort)
        {
            $OUT .= '        allow from 127.0.0.1' . "\n";
        }
        elsif (($haveSSL eq 'yes') && (($port eq $sslPort) || ($plainTextAccess ne 'yes')))
        {
            $OUT .= "        allow from 127.0.0.1 192.168.6.0/255.255.255.0 $externalSSLAccess\n";
        } else {
            $OUT .= "        allow from 127.0.0.1 192.168.6.0/255.255.255.0\n";
        }
        $OUT .= "    </Location>\n";
    }
}

followed by
expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith/