I couldn't deploy from Laravel Forge when I set ufw like below.
$ sudo ufw status
Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
22 LIMIT Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
22 (v6) LIMIT Anywhere (v6)
I need security measures, and I don't want to change the ufw settings on every deploy. I suppose I can set up a whitelist if I can see the IPs. Any help will be appreciated.
Thanks.
Update
It works if I remove the "limit" setting, but I need to avoid DoS attacks.
$ sudo ufw status
Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
22 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
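The mechanism behind this, as an added illustration that is not part of the original post: ufw limit installs an iptables recent match that denies a source once it has attempted 6 or more connections to the port within 30 seconds (ufw's documented default), and denied attempts are counted as well, so a client that keeps retrying stays locked out. Rules placed ahead of the limit rule (sudo ufw insert 1 allow from <deployer-ip> to any port 22 proto tcp) are matched first and never consult the counter. The Python below models that; the deployer address 203.0.113.10, the connection timings and the assumption that a deploy opens several SSH connections in quick succession are all constructed for the example.

```python
from collections import defaultdict, deque

# ufw's documented 'limit' behaviour: a source is denied once it has
# attempted 6 or more connections within the last 30 seconds.
WINDOW_SECONDS = 30
HIT_COUNT = 6


class LimitedPort:
    """Simplified model of the iptables 'recent' match that 'ufw limit'
    installs for a port. Every connection attempt from a source is
    timestamped; an attempt is denied when that source already has
    HIT_COUNT attempts inside the window. Denied attempts are recorded
    too, so a client that keeps retrying stays locked out.

    allow_sources models 'ufw insert 1 allow from <ip> to any port 22
    proto tcp': a rule inserted ahead of the limit rule matches first and
    the rate counter is never consulted for that source.
    """

    def __init__(self, allow_sources=()):
        self.allow_sources = set(allow_sources)
        self.stamps = defaultdict(deque)

    def attempt(self, src, now):
        if src in self.allow_sources:
            return "ALLOW"
        q = self.stamps[src]
        while q and now - q[0] >= WINDOW_SECONDS:   # expire attempts outside the window
            q.popleft()
        verdict = "DENY" if len(q) >= HIT_COUNT else "ALLOW"
        q.append(now)                                # recorded whether allowed or denied
        return verdict


def run(attempts, allow_sources=()):
    """attempts: list of (source_ip, time_in_seconds); returns one verdict per attempt."""
    port = LimitedPort(allow_sources)
    return [port.attempt(src, t) for src, t in attempts]


# Constructed scenario: a deployment host (203.0.113.10 stands in for the
# real deployer address) opens eight SSH connections within ten seconds,
# the way a multi-step deploy script might.
DEPLOY_BURST = [("203.0.113.10", t) for t in (0, 1, 2, 3, 5, 6, 8, 9)]

# Constructed scenario: six quick logins, then retries after being limited.
RETRY_STORM = [("203.0.113.10", t) for t in (0, 1, 2, 3, 4, 5, 10, 20, 31, 40)]


def deploy_without_allowlist():
    return run(DEPLOY_BURST)                              # 6 ALLOW, then 2 DENY


def deploy_with_allowlist():
    return run(DEPLOY_BURST, allow_sources={"203.0.113.10"})   # all ALLOW


def retry_storm():
    # At t=31 the six original attempts have almost aged out, but the denied
    # retries at t=10 and t=20 still count, so the source stays locked out.
    return run(RETRY_STORM)


if __name__ == "__main__":
    for name, fn in [("limit only", deploy_without_allowlist),
                     ("allow rule first", deploy_with_allowlist),
                     ("retry storm", retry_storm)]:
        print(f"{name:17s} {' '.join(fn())}")
```

The allow rule has to sit above the limit rule in `ufw status numbered`; appending it with a plain `ufw allow` would leave the limit rule matching first for that source.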
Apparently, my EC2 instance can’t access the internet properly. Here is what happens when I try to install a Python module:
[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask
Defaulting to user installation because normal site-packages is not writeable
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/
etc.
However, the website that is hosted on the same EC2 instance can be accessed using both http and https.
The security group is configured as follows:
Port range  Protocol  Source
80          TCP       0.0.0.0/0
22          TCP       0.0.0.0/0
80          TCP       ::/0
22          TCP       ::/0
443         TCP       0.0.0.0/0
443         TCP       ::/0
The ACL inbound rules are:
Type             Protocol  Port range  Source     Allow/Deny
HTTP (80)        TCP (6)   80          0.0.0.0/0  Allow
SSH (22)         TCP (6)   22          0.0.0.0/0  Allow
HTTPS (443)      TCP (6)   443         0.0.0.0/0  Allow
All ICMP - IPv4  ICMP (1)  All         0.0.0.0/0  Allow
All traffic      All       All         0.0.0.0/0  Deny
and the outbound rules are:
Type             Protocol  Port range    Source     Allow/Deny
Custom TCP       TCP (6)   1024 - 65535  0.0.0.0/0  Allow
HTTP (80)        TCP (6)   80            0.0.0.0/0  Allow
SSH (22)         TCP (6)   22            0.0.0.0/0  Allow
HTTPS (443)      TCP (6)   443           0.0.0.0/0  Allow
All ICMP - IPv4  ICMP (1)  All           0.0.0.0/0  Allow
All traffic      All       All           0.0.0.0/0  Deny
This is what the route table associated with the subnet looks like:
Destination    Target                 Status  Propagated
172.31.0.0/16  local                  Active  No
0.0.0.0/0      igw-09b554e4da387238c  Active  No
(no explicit or edge associations).
As for the firewall, executing sudo iptables -L results in
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and sudo iptables -L -t nat gives
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
What am I missing here? Any suggestions or ideas on this would be greatly appreciated.
Thanks
You did not list your settings for the Outbound rules of the security group(s) attached to the instance. You should keep the "Allow All" outbound rules to allow the instance to access the Internet.
In general, you should not modify the ACL rules away from their default "Allow All" setting unless you have a very specific need (e.g. creating a DMZ). I recommend that you start by removing all custom rules from the ACLs and set the 'All traffic' option to "Allow". At least try this temporarily to try and identify the problem.
For example, when establishing a connection to the Internet, traffic will come from a randomly-assigned port. Your ACL is currently blocking all such ports. (To clarify: You might be connecting to port 80 on a remote computer, but that request is not coming from port 80 on your own computer. It is coming from a randomly-assigned port.)
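The answer's reasoning worked through, as an added example that is not part of the answer: a network ACL is stateless, so the outbound leg of a connection (packets to the remote port) and the inbound leg (replies to the instance's own port) are checked separately, and both have to pass. The rules below are transcribed from the question's tables; the peer address 198.51.100.7 and the ephemeral ports are constructed. The same evaluation also shows why the website keeps working while pip fails, and what changes when an inbound allow for 1024-65535 (the range the question's outbound rules already use) is inserted ahead of the final deny, as a narrower alternative to the "Allow All" default the answer recommends.

```python
from ipaddress import ip_address, ip_network

# The question's network ACL: (protocol, (low, high) destination port range or
# None, CIDR, action). Rules are evaluated in order, first match decides, and a
# packet matching nothing is denied.
INBOUND = [
    ("tcp", (80, 80), "0.0.0.0/0", "allow"),
    ("tcp", (22, 22), "0.0.0.0/0", "allow"),
    ("tcp", (443, 443), "0.0.0.0/0", "allow"),
    ("icmp", None, "0.0.0.0/0", "allow"),
    ("all", None, "0.0.0.0/0", "deny"),
]
OUTBOUND = [
    ("tcp", (1024, 65535), "0.0.0.0/0", "allow"),
    ("tcp", (80, 80), "0.0.0.0/0", "allow"),
    ("tcp", (22, 22), "0.0.0.0/0", "allow"),
    ("tcp", (443, 443), "0.0.0.0/0", "allow"),
    ("icmp", None, "0.0.0.0/0", "allow"),
    ("all", None, "0.0.0.0/0", "deny"),
]

# Narrower fix than 'Allow All': replies to the instance's ephemeral ports
# must be allowed inbound, and the rule has to sit above the final deny.
INBOUND_FIXED = INBOUND[:-1] + [("tcp", (1024, 65535), "0.0.0.0/0", "allow")] + INBOUND[-1:]


def evaluate(rules, proto, dst_port, remote_ip):
    """First-match evaluation of one packet against one direction's rules."""
    for rule_proto, ports, cidr, action in rules:
        if rule_proto not in ("all", proto):
            continue
        if ports is not None and not (ports[0] <= dst_port <= ports[1]):
            continue
        if ip_address(remote_ip) not in ip_network(cidr):
            continue
        return action
    return "deny"  # the implicit final '*' rule


def tcp_connection_allowed(inbound, outbound, local_port, remote_port, remote_ip):
    """Stateless check: the outbound leg targets remote_port, the inbound leg
    (the replies) targets local_port, and both must be allowed."""
    out_ok = evaluate(outbound, "tcp", remote_port, remote_ip) == "allow"
    in_ok = evaluate(inbound, "tcp", local_port, remote_ip) == "allow"
    return out_ok and in_ok


PEER = "198.51.100.7"   # constructed address standing in for a package index or a visitor


def pip_install(inbound=INBOUND):
    # pip connects from a random high port (51000 assumed here) to 443 on the index.
    return tcp_connection_allowed(inbound, OUTBOUND, local_port=51000,
                                  remote_port=443, remote_ip=PEER)


def visitor_to_website(inbound=INBOUND):
    # A browser connects from its own high port (52344 assumed) to our port 80.
    return tcp_connection_allowed(inbound, OUTBOUND, local_port=80,
                                  remote_port=52344, remote_ip=PEER)


if __name__ == "__main__":
    print("pip -> index, current ACL:   ", pip_install())               # False
    print("visitor -> web, current ACL: ", visitor_to_website())        # True
    print("pip -> index, fixed ACL:     ", pip_install(INBOUND_FIXED))  # True
```

The asymmetry is the tell: the inbound web traffic works because its replies leave on the outbound 1024-65535 rule, while pip's replies arrive on an inbound ephemeral port that only the final "All traffic Deny" covers.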
Using the client on HiveMQ, when I try to connect to my MQTT server, I get the following error:
Firefox can’t establish a connection to the server at ws://xxx.com:8083/mqtt.
Connect failed: AMQJS0007E Socket error:undefined.
I'm using the following parameters:
Host: xxx.com
Port: 8083
Running the command mosquitto, I get the response:
[ 1615.745348]~DLT~ 1670~INFO ~FIFO /tmp/dlt cannot be opened. Retrying later...
1608926628: mosquitto version 1.6.9 starting
1608926628: Config loaded from /etc/mosquitto/conf.d/default.conf.
1608926628: Opening ipv4 listen socket on port 1883.
1608926628: Opening ipv4 listen socket on port 8883.
1608926628: Opening ipv6 listen socket on port 8883.
1608926628: Opening websockets listen socket on port 8083.
and my Mosquitto conf file is:
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/burooq.com/cert.pem
cafile /etc/letsencrypt/live/burooq.com/chain.pem
keyfile /etc/letsencrypt/live/burooq.com/privkey.pem
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/burooq.com/cert.pem
cafile /etc/letsencrypt/live/burooq.com/chain.pem
keyfile /etc/letsencrypt/live/burooq.com/privkey.pem
Looking at all open ports, I get:
To Action From
-- ------ ----
[ 1] Apache Full ALLOW IN Anywhere
[ 2] 22/tcp ALLOW IN Anywhere
[ 3] 22 ALLOW IN Anywhere
[ 4] 80/tcp ALLOW IN Anywhere
[ 5] 80 ALLOW IN Anywhere
[ 6] 443/tcp ALLOW IN Anywhere
[ 7] 443 ALLOW IN Anywhere
[ 8] 80,443/tcp ALLOW IN Anywhere
[ 9] 8883 ALLOW IN Anywhere
[10] 8083 ALLOW IN Anywhere
[11] 2222 ALLOW IN Anywhere
[12] Apache Full (v6) ALLOW IN Anywhere (v6)
[13] 22/tcp (v6) ALLOW IN Anywhere (v6)
[14] 22 (v6) ALLOW IN Anywhere (v6)
[15] 80/tcp (v6) ALLOW IN Anywhere (v6)
[16] 80 (v6) ALLOW IN Anywhere (v6)
[17] 443/tcp (v6) ALLOW IN Anywhere (v6)
[18] 443 (v6) ALLOW IN Anywhere (v6)
[19] 80,443/tcp (v6) ALLOW IN Anywhere (v6)
[20] 8883 (v6) ALLOW IN Anywhere (v6)
[21] 8083 (v6) ALLOW IN Anywhere (v6)
[22] 2222 (v6) ALLOW IN Anywhere (v6)
Mosquitto version 1.6.9
Ubuntu version 20.04.1 LTS
You can't use the IP address; you have to use the hostname that you got the certificate issued for, e.g. burooq.com.
The reason is that the browser will not be able to validate the certificate from the broker, because it will not have a CN or SAN entry for the IP address.
You will also need to ensure that the firewall is configured to allow external access on port 8083.
EDIT:
Also, having just double-checked the HiveMQ WebSocket showcase page, it does not look like it supports connecting to a TLS-secured MQTT over WebSockets broker.
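Why the hostname matters, as an added example that is not from the answer or from Mosquitto: a TLS client matches what the user typed against the certificate's subjectAltName entries, and an IP address literal can only be satisfied by an "IP Address" entry, never by a "DNS" one, so a certificate issued for burooq.com fails for ws(s)://203.0.113.5. The Python below is a simplified reimplementation of that matching rule (RFC 6125 style: case-insensitive, a single wildcard label, CN consulted only when no SAN is present); the certificate dict is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and 203.0.113.5 is a made-up address for the broker.

```python
import ipaddress

# Constructed to look like ssl.SSLSocket.getpeercert() output for a broker whose
# certificate covers burooq.com only; the real certificate was not posted.
BROKER_CERT = {
    "subject": ((("commonName", "burooq.com"),),),
    "subjectAltName": (("DNS", "burooq.com"),),
}


def _dns_match(pattern, host):
    """DNS-ID matching: case-insensitive, trailing dots ignored, and a single
    '*' may stand for the whole left-most label only (e.g. '*.burooq.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # '.burooq.com'
    return host.endswith(suffix) and host.count(".") == pattern.count(".")


def hostname_matches(cert, host):
    """True if 'host' (a DNS name or an IP literal) is a name the certificate
    was issued for. An IP literal is only satisfied by an 'IP Address' SAN
    entry; a 'DNS' entry never matches an address. The subject CN is a legacy
    fallback used only when the certificate carries no SAN extension (current
    browsers skip it even then)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_match(value, host):
                return True
        return False

    for rdn in cert.get("subject", ()):        # no SAN: fall back to the CN
        for key, value in rdn:
            if key == "commonName" and ip is None and _dns_match(value, host):
                return True
    return False


if __name__ == "__main__":
    # 203.0.113.5 is a constructed address standing in for the broker's real IP.
    for target in ("burooq.com", "BUROOQ.com.", "mqtt.burooq.com", "203.0.113.5"):
        print(f"{target:16s} -> {hostname_matches(BROKER_CERT, target)}")
```

Connecting by IP would only validate if the certificate carried an IP Address SAN for that address, which public CAs such as Let's Encrypt do not issue for a domain-validated hostname certificate.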
I had to create the file location for logs
$ mkfifo /tmp/dlt
change the listening port in your Mosquitto config file:
$ vim /etc/mosquitto/mymosqui.conf
listener 8443
Restart Mosquitto:
$ sudo service mosquitto restart
Check the status:
$ sudo service mosquitto status
Check whether the ports are listening:
$ netstat -tulpn | grep mos
tcp   0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  148132/mosquitto
tcp6  0  0 :::8443       :::*       LISTEN  148132/mosquitto
I've been desperately trying to set up Squid on a virtual machine (hosted by DigitalOcean) for the past day or so. I've set up the machine, which has the Ubuntu operating system, installed Squid and modified the config, as I'm trying to grant access to my home PC (as obviously they aren't on the same LAN network). I thought this was done by making the edits I've shown below:
acl myips src MYPUBLICIP
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow myips
http_access allow manager localhost
http_access allow manager myips
http_access allow purge localhost
http_access allow purge myips
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localhost manager
http_access deny manager
From my limited understanding, I've allowed access to the top IP. Should I be using my laptop's IPv4 address here (10.213.111.121)?
If someone could talk me through this I would be SO grateful, as I'm really not getting anywhere...
Thanks!
I have a product from Symantec and their help is... less than helpful, including a nice message that says "Contact your reseller" in the "Contact Us" link. My reseller says to contact them. How? Anyways, it's a repackaged version of Squid for Windows. When I point IE to the proxy running locally I get "Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect." However, when I point IE on another machine to the server running Squid, everything works fine.
I have zero experience with Squid or proxies. I tried some different configs based on searches here but nothing worked. I'm sure it's something simple. Here is the config:
digest_generation off
hierarchy_stoplist cgi-bin ?
acl all src 0.0.0.0/0.0.0.0
cache deny all
maximum_object_size 0 KB
emulate_httpd_log on
debug_options ALL,1
cache_store_log none
access_log none
useragent_log none
auth_param ntlm program c:/clientsiteproxy/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 80
auth_param ntlm keep_alive on
auth_param negotiate children 80
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_ip_shortcircuit_ttl 30 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
read_timeout 15 minutes
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Smartconnect dstdomain ned.webscanningservice.com
acl CONNECT method CONNECT
acl authproxy proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16
acl HEAD method HEAD
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access allow authproxy
http_access deny all
icp_access allow all
httpd_suppress_version_string on
visible_hostname ClientSiteProxy
forwarded_for off
header_access Via deny all
never_direct allow all
cache_dir null c:/ClientSiteProxy
coredump_dir c:/clientsiteproxy/var/cache
http_port 3128
This is most likely the culprit: http_access deny !our_networks. This statement denies outbound access for all source IPs apart from 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16.
When you browse from the same machine, the browser would bind to localhost, so you can try expanding the our_networks definition with 127.0.0.1.
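Both Squid questions above come down to how http_access lines are evaluated: in order, every term on a line ANDed together, a leading "!" negating a term, the first matching line deciding, and the opposite of the last line's action applied when nothing matches. The Python below, added here and not taken from either post or from Squid, is a small evaluator for acl/http_access lines that replays both situations: in the first question's ordering the allow-listed IP can CONNECT to any port, because "allow myips" is reached before the Safe_ports and SSL_ports checks, while in the second question "deny !our_networks" rejects 127.0.0.1 until that address is added to our_networks. Both configurations are trimmed to the deciding lines; 203.0.113.10 stands in for the first post's MYPUBLICIP placeholder, an explicit final "deny all" is added to it, and proxy_auth is simplified to "credentials were supplied".

```python
from ipaddress import ip_address, ip_network

# ACLs Squid defines itself (3.2 and later); a config file may redefine them.
BUILTIN_ACLS = {"all": [("src", ["0.0.0.0/0"])],
                "localhost": [("src", ["127.0.0.1/32", "::1"])]}


def load(conf):
    """Collect 'acl' definitions (lines sharing a name are OR-ed) and the
    ordered 'http_access' lines; comments and other directives are skipped."""
    acls, redefined, rules = dict(BUILTIN_ACLS), set(), []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) > 2 and words[0] == "acl":
            name, kind, *values = words[1:]
            if name not in redefined:          # first line for a name replaces a builtin
                acls[name] = []
                redefined.add(name)
            acls[name].append((kind, values))
        elif len(words) > 1 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    for kind, values in acls.get(name, []):    # undefined or unsupported type: never matches
        if kind == "src" and any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values):
            return True
        if kind == "port":
            for v in values:
                low, _, high = v.partition("-")
                if int(low) <= req["port"] <= int(high or low):
                    return True
        if kind == "method" and req["method"] in values:
            return True
        if kind == "dstdomain" and any(req["host"] == v or (v.startswith(".") and req["host"].endswith(v))
                                       for v in values):
            return True
        if kind == "proxy_auth" and req.get("user"):   # simplified: credentials were supplied
            return True
    return False


def http_access(acls, rules, req):
    """Lines are tried in order; a line matches when every term matches (a
    leading '!' negates a term) and the first matching line decides. When no
    line matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# First question, trimmed; 203.0.113.10 is a constructed stand-in for its
# MYPUBLICIP placeholder and an explicit final deny is appended.
Q1_ACLS = """
acl myips src 203.0.113.10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
"""
Q1_AS_POSTED = Q1_ACLS + """
http_access allow myips
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""
Q1_REORDERED = Q1_ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow myips
http_access allow localhost
http_access deny all
"""
# Second question, trimmed to the lines that decide an ordinary request.
Q2 = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535
acl Smartconnect dstdomain ned.webscanningservice.com
acl CONNECT method CONNECT
acl authproxy proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16
acl HEAD method HEAD
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow HEAD
http_access deny !our_networks
http_access allow Smartconnect
http_access allow authproxy
http_access deny all
"""


def first_question():
    # The allow-listed home IP tunnels to an SMTP port: allowed as posted, since
    # 'allow myips' is reached before the port checks; denied once reordered.
    req = {"src": "203.0.113.10", "method": "CONNECT", "port": 25, "host": "mail.example.net"}
    return http_access(*load(Q1_AS_POSTED), req), http_access(*load(Q1_REORDERED), req)


def second_question():
    # Authenticated request from the proxy's own machine: denied by
    # 'deny !our_networks', allowed once 127.0.0.1 is part of our_networks.
    req = {"src": "127.0.0.1", "method": "GET", "port": 80, "host": "www.example.com", "user": "alice"}
    patched = Q2.replace("acl our_networks src", "acl our_networks src 127.0.0.1/32")
    return http_access(*load(Q2), req), http_access(*load(patched), req)


if __name__ == "__main__":
    print("Q1 as posted / reordered:", first_question())   # ('allow', 'deny')
    print("Q2 before / after patch: ", second_question())  # ('deny', 'allow')
```

The ordering point carries over to the first question as well: an `http_access allow` for a trusted source belongs after the `deny !Safe_ports` and `deny CONNECT !SSL_ports` lines, as in Squid's shipped default, otherwise that source is exempt from them.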
I followed Make Localhost a Custom Domain in IIS Express to run my website on a custom domain. When I tried to run the application on port 80, I got an error from Visual Studio saying 'Port 80 already in use. Cannot start IISExpress'.
Is there any extra step that has to be done for port 80? (I was able to run the application on some other ports, but I want to run it on 80.)
You have to change the port from 80 to say 82 or 83 and then you won't run into any conflicts.
So in the instructions where it references the port number as 61156:
Find <IISUrl>http://localhost:61156/</IISUrl> and change it to <IISUrl>http://devserver.com:61156/</IISUrl>
Simply change those to 82 or 83 where it references the 61156 port number, and that should avoid any conflicts with the oft-used port 80.