Re: [cobalt-users] QUBE 2 Security issue with public page.....
- Subject: Re: [cobalt-users] QUBE 2 Security issue with public page.....
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Tue May 16 18:29:30 2000
- Organization: anonymous
On Tue, 16 May 2000 12:25:40 -0400, Hagen Schempf <hagen@xxxxxxxxxxxxxx>
wrote:
:>Folks,
:>
:> I am new to this so please excuse my potentially ignorant question:
I am very new at this, but maybe something below will help or maybe point you
to something that does. Also, my thoughts are based on my understanding at
this point in time and may not necessarily be completely on the mark.
:>
:> Setting: We have a QUBE 2 set up as a firewall and hooked up over
:>the secondary interface through DSL (via RHTYMS.NET) to the world using a
:>fixed IP address and an ISP-provided mask. The primary interface runs the
:>LAN and all the PCs and printers. The public WWW-page security issue I have
:>has led me to the following desirable settings:
Pretty much the setting I have on one of my Qube2s.
:> - I do NOT want to have the public page (i.e.
:>www.hostname.com/cobalt) to be accessible by anybody from the outside (WAN
:>that is)- not even with password access - I know I can deny access by
:>requiring people to give their username and password but I do not even want
:>that to be possible. I have been told that once I replace the default
:>public page with my own, my new page will be the page people will see once
:>they access www.hostname.com - I just want to completely remove outside
:>WAN-access to the .../cobalt public page for outsiders; that includes
:>removal of outside access even by the admin - all admin-related activities
:>should be done and be allowed to proceed on the LAN (i.e. from inside the
:>company).
You probably know this, but just in case ... The directory /home/groups/home
contains the root web for the Qube2. It ships with an index.html file that
contains a redirect to
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/cobalt/">
If you change this index.html, then all references to www.mydomain.com will
end up seeing the new index.html.
Now if you look in srm.conf, you will see that /cobalt/ is an alias:
Alias /cobalt/ /usr/admserv/html/.cobalt/public/
which contains some JavaScript and gives the standard public page. The GUI
admin page is located in ..../.cobalt/sysManage/.
If I read your statement correctly, you want to block outside access to ports
80 and 81 from the outside, but allow them from the inside. If I was trying to
do that, my first thought might be to try to set up appropriate allow and deny
ip filters to ports 80 and 81.
If that did not work, I would try using the appropriate deny and allow
directives (see http://www.apache.org/docs/mod/mod_access.html for a
description of deny and allow). Your http access.conf file and .htaccess files
can allow and deny by IP address or IP ranges. You can do that by file or
directory. That may be what you are looking for.
You might also experiment with changing the standard location of things so
that it is known to just you. I.e., rename and change the alias.
:>- I do want to retain internal LAN-access for the registered users to the
:>.../cobalt page (i.e. company-internal access only!)
Methinks that one or the other above MIGHT work. If it does, I would be
interested in knowing, just for education purposes.
:>- I do not want to allow any registered users on the QUBE 2 to be able to
:>view anything other than their own home/user-directory on the QUBE. The
:>reasoning is that individual users should be allowed to place/backup
:>personal/company-stuff onto the disk in the QUBE (that is why I bought a
:>multi-gig drive), without any body else (except for the admin) to be able
:>to get access to their own user directory. Is that at all possible?!
How exactly are you going to provide access? FTP? Unsecure (an experimental
SSH pkg for the Qube2 is available). Even so, it will take some configuration
changes to proftpd to prevent the user from navigating up from their home
directory. I would think SMB would or could be configured to do the same. If
you are talking about web pages, then they could always put their files in
home/users/userid/private and it would be protected from the world. They could
also password protect their own pages using .htaccess. Of course, they will
not be able to have FP extensions in their home directories. They can use the
built in page developer to create pages if that be needed. Just not sure what
you have in mind here.
:> Do I have to go to COBALT's tech-support and pay to have this mod
:>made or is there an easy work-around anyone knows about? I am not a LINUX
:>guru, so ignorance is against me here. Thanks for any helpful pointers!
Easy. Not for me. However, I am trying to learn. It is just that Cobalt
designed the Qube2 to be a toaster and I am wanting it to act like a standard
Red Hat installation. Man have I voided the warranty on one of them. My advice
is to dig and experiment a bit (with adequate file backup) first.
I think most Qube2 users get things set up and then forget about it. I am about
ready to forget about it too!
--
For information on the unofficial qube mailing list, see
http://majordomo.email-lists.com/qube-users/
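
Added example (not part of the original message, and not the Qube 2's shipped configuration): the allow/deny approach suggested in the reply, written as Apache 1.3 mod_access directives for the directory behind the /cobalt/ alias. The LAN range 192.168.1.0/24 and the password-file placeholder are assumptions.

```apache
# Added example for Apache 1.3 mod_access (access.conf).
# Assumption: the LAN on the primary interface is 192.168.1.0/24 (constructed value).

# The alias quoted in the message above, as found in srm.conf:
Alias /cobalt/ /usr/admserv/html/.cobalt/public/

# Weak: password-only protection. WAN clients are still served a login
# prompt, which is what the original poster wanted to avoid.
# (AuthUserFile path below is a placeholder.)
#
# <Directory "/usr/admserv/html/.cobalt/public">
#     AuthType Basic
#     AuthName "Cobalt"
#     AuthUserFile /path/to/htpasswd
#     require valid-user
# </Directory>

# Restricted: with "Order deny,allow" the Deny rules are evaluated first and
# a matching Allow then overrides them, so only LAN addresses get through.
# Everyone else receives 403 Forbidden before any password prompt.
<Directory "/usr/admserv/html/.cobalt/public">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/255.255.255.0
</Directory>

# Pitfall: swapping the first line to "Order allow,deny" makes the same
# Deny/Allow pair reject every client, because Deny is then evaluated last
# and "Deny from all" always matches.
```

The same three directives work in a .htaccess file only if the enclosing configuration grants `AllowOverride Limit`. This block covers the server that reads this access.conf; the service on port 81 mentioned in the message needs the equivalent restriction in whatever configuration it reads.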