
Re: [cobalt-users] Lost web interface w/ raq4



Jeff Lasman wrote:

I have a Watchguard firewall and two raqs, one on DMZ which I can access
via the web interface and one on trusted eth of firewall that I cannot.

Do you have a hole in the firewall for port 81?

Ok, I looked under the blocked ports and port 81 is not listed as a blocked port. But I'm curious if this could be the problem since I can log into the web gui of the other raq on a different subnet. The other raq is on the DMZ port of the firewall, and the problem raq is on a switch which is patched into the trusted interface of the firewall. Our lan is patched into this same switch.


I sure hope you mean sash; telnet is a very dangerous way to log into a
RaQ, or in fact any server, as it passes passwords in open text.

Well, sheepishly, I have been telnetting. I didn't know it would not be safe within the little lan I have here.. about 14 users. I have not telnetted from outside the trusted part of the lan. But I will look into sash and begin using it. I'm not familiar with it, but have heard of things like openssh, ssh, etc. Then I will change passwords.

It looks like you've added a nic card, and that it's bad.  You might try
rebooting the RaQ without that card to see if it resolves anything.


Nope. The raq is brand new (couple months maybe) and I have not opened it up. The nic card in it is working fine for other duties, such as file sharing, SWAT, and Webmin.

Often errors are on a line above the reported location; you might look
there.

Have you compared srm.conf with srm.conf.master to see if it's been
changed?

I looked at the first page or two, before all the icon stuff, and they were the same. There's also a srm.conf.orig that looks the same. There is probably a command or two that compares them and reports differences, but I don't know it.


Have you installed and run chkrootkit to see if your RaQ may have been
hacked?

No, first I have heard of it. That will be the first order of business, then maybe the sash stuff..


Have you used webmin to do anything?  Many of the things you can do with
webmin will cause conflicts with how the RaQ works.

Well, this could very well be the problem. I've used it to start up DNS and to configure DHCP. I'm pretty sure the Cobalt gui was still working after these tweaks. I've tried tweaking samba using it as well, though it seems like I have better success configuring samba manually. So I suppose if I search the archives about conflicts with webmin?


Possibly someone else logging in as root? Have you run chkrootkit? There are other things which could cause a root partition to fill up, though. Have you ever put anything else in the root directory?

No one in the lan would be logging on, only a hacker I was unaware of. Will install and run chkrootkit... and the root partition has 567,260k used and 176,108k free - how does that sound for normal or not? I installed webmin, dhcpd, under /home/opt but do they install parts under /usr/whatever as well... The only partitions are /, /var, and /home.

I'll go through your suggestions and see what happens. Thanks a bunch.
Cheers,

--
Jim D.
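
The message above asks for a command that compares srm.conf with its srm.conf.master and srm.conf.orig copies and reports differences. The following is an added example, not part of the original message: a POSIX shell function built on `cmp` and `diff -u`. The function name and the temporary demo files are assumptions; pass it the real path of the file on the server.

```shell
#!/bin/sh
# Added example: compare a live config file with its pristine copies.
# The .master and .orig suffixes come from the thread; the function name
# compare_with_baselines is hypothetical.
compare_with_baselines() {
    conf=$1
    changed=0
    checked=0
    for suffix in master orig; do
        base="$conf.$suffix"
        [ -f "$base" ] || continue          # skip baselines that do not exist
        checked=$((checked + 1))
        if cmp -s "$base" "$conf"; then     # byte-for-byte comparison
            echo "identical: $conf vs $base"
        else
            echo "DIFFERS:   $conf vs $base"
            # Unified diff: '-' lines are the baseline, '+' lines the live file.
            diff -u "$base" "$conf" || true
            changed=1
        fi
    done
    if [ "$checked" -eq 0 ]; then
        echo "no baseline copy found for $conf" >&2
        return 2
    fi
    return "$changed"                        # 0 = unchanged, 1 = modified
}

# Demo on constructed files in a temporary directory (not real RaQ content).
demo=$(mktemp -d)
printf 'AddIcon /icons/text.gif .txt\n' > "$demo/srm.conf.master"
cp "$demo/srm.conf.master" "$demo/srm.conf.orig"
cp "$demo/srm.conf.master" "$demo/srm.conf"
printf 'Alias /extra /tmp/extra\n' >> "$demo/srm.conf"   # simulate a later edit
compare_with_baselines "$demo/srm.conf" || echo "exit status: $?"
rm -rf "$demo"
```

Comparing the whole file this way catches changes past the first page or two, which a visual check of the top of the file would miss.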