November 2005 - openSUSE Security - openSUSE Mailing Lists

problem with apache reverse proxy
by Dörfler Andreas 25 Nov '05

25 Nov '05

hi there, after many trys i hope the list can help me. becuase of security reasons i setup a reverse proxy for multible domains problem is, with the following config i only get the primary domain vhosts on reverse proxy: <VirtualHost *:80> ServerName dummy.domain.de ProxyPass / http://test.domain.lan/ ProxyPreserveHost On CacheDisable / ProxyPassReverse ^/(.*)$ http://test.domain.lan/$1 </VirtualHost> <VirtualHost *:80> ServerName dummy2.domain.de ProxyPass / http://test2.domain.lan/ ProxyPreserveHost On CacheDisable / ProxyPassReverse ^/(.*)$ http://test2.kempten.lan$1 </VirtualHost> /etc/hosts on both servers: 192.168.1.1 test.domain.lan test2.domain.lan vhosts on webserver: <VirtualHost test.domain.lan> User xxx Group xxx ServerAdmin xxx DocumentRoot /srv/www/test/ ServerName test.domain.lan ErrorLog xxx TransferLog xxx ScriptAlias xxx </VirtualHost> <VirtualHost test2.domain.lan> User xxx Group xxx ServerAdmin xxx DocumentRoot /srv/www/test/ ServerName test2.domain.lan ErrorLog xxx TransferLog xxx ScriptAlias xxx </VirtualHost> <VirtualHost www.domain.lan> User xxx Group xxx ServerAdmin xxx DocumentRoot /srv/www/test/ ServerName test.domain.lan ErrorLog xxx TransferLog xxx ScriptAlias xxx </VirtualHost> when i access the pages via test.domain.lan everything ok but when i try it via rev proxy dummy.domain.de i get www.domain.lan page (primary website) and not the from rev proxy requested test.domain.lan well, i can do it with squid too but i have no clue how to configure it for multible domains greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \

2 1

Close all ssh sessions
by Miguel ALBUQUERQUE 24 Nov '05

24 Nov '05

Hi, How can one force closing an open ssh session ? I want to disconnect a user right after executing a script no waiting for a timeout. Is that possible ? Thanx Miguel Albuquerque Network Administrator CODaLIS SA Chemin de Trèfle-Blanc 18 1228 Plan-Les-Ouates / CH TEL : +41 22 827 30 80 FAX : +41 22 827 30 33 http://www.codalis.ch DISCLAIMER - This message is intended for the use of the named person only. The information contained in this E-mail is confidential and any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited. This message does not represent a formal commitment by Codalis SA. Codalis SA is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

3 2

Martian source... Need to have route to other networks via internal interface. What to do?
by Sergei Keler 24 Nov '05

24 Nov '05

Hi! I have SLES9 and two interfaces eth0 & eth1. eth0 has real ip address like 217.x.x.x eth1 has local ip address 192.168.0.1/24 Default gateway on this system belongs to real ip address network 217.x.x.x via eth0. eth0 is described as External inteface in suse firewall. eth1 is described as Internal one. No NAT etc. Kernel security is on. LAN has several nets like 192.168.x.0/24. Accessing net like 192.168.1.0/24 i got 'martian source' kernel message. I tried to make route to 192.168.1.0/24 via 192.168.0.254 but still have same error log. Where to dig? I dont want to create aliases for each network (it works but too ugly). Is possible the pretty solution for me? Next, what you recommend as linux implementation of Cosco's EIGRP? Ciscos use EiGRP to keep routes between them using 192.168.0.254/24 net. Sergei Keler General DataComm IT-manager tel.: +7(812)325-1085 fax: +7(812)325-1086

5 8

SuSE Firewall/Router
by OIivier Grossmann 24 Nov '05

24 Nov '05

Hello, i've configured a suse 10.0 base machine with router functionality and a proxyserver (squid). I've activated package forwarding and have two network cards. The problem is i can specify the proxy server or i couldn't - it doesn't matter!! It is important that every client have to specify the proxyserver - only over the proxy! How can I do that? Greet Olivier

4 3

Re: [suse-security] SuSEfirewall2 - scripts (SuSE 9.3)
by Robert Uhl 23 Nov '05

23 Nov '05

Hi, > There is are 3rd Script "SuSEfirewall2_final" > > The firewall starts in 3 stages > > 1]init > > Description: SuSEfirewall2_init does some basic setup and is the phase 1 > of 3 of the SuSEfirewall initialization > > 2]setup > > Description: SuSEfirewall2_setup does some basic setup and is the phase > 2 of 3 of the SuSEfirewall initialization. > > 3]up and running > > Description: SuSEfirewall2_final does finally set all the firewalling > rules. Phase 3 of 3 of SuSEfirewall setup. > > All 3 scripts call /sbin/SuSEfirewall2 with different parameters. Okay, I think SuSE 9.3 does not really have the 3rd phase anymore since the script SuSEfirewall2_init and SuSEfirewall2_setup tell: ### BEGIN INIT INFO # Provides: SuSEfirewall2_init # Required-Start: $local_fs boot.localnet # Required-Stop: # Should-Stop: $network # Default-Start: B # Default-Stop: # Short-Description: SuSEfirewall2 phase 1 # Description: SuSEfirewall2_init does some basic setup and is the # phase 1 of 2 of the SuSEfirewall initialization ### END INIT INFO and### BEGIN INIT INFO # Provides: SuSEfirewall2_setup # Required-Start: SuSEfirewall2_init $network $local_fs # Should-Start: $ALL # Required-Stop: $local_fs # X-UnitedLinux-Should-Stop: # Default-Start: 3 4 5 # Default-Stop: 0 1 2 6 # Short-Description: SuSEfirewall2 phase 2 # Description: SuSEfirewall2_setup does some basic setup and is the # phase 2 of 2 of the SuSEfirewall initialization. ### END INIT INFO # X-SuSE-Dep-Only I just wanted to add that. Here is a locate of the SuSE firewall scripts bash:/etc # locate SuSEfirewall2_ /etc/init.d/boot.d/K11SuSEfirewall2_init /etc/init.d/boot.d/S11SuSEfirewall2_init /etc/init.d/rc3.d/K01SuSEfirewall2_setup /etc/init.d/rc3.d/S21SuSEfirewall2_setup /etc/init.d/rc4.d/K01SuSEfirewall2_setup /etc/init.d/rc4.d/S21SuSEfirewall2_setup /etc/init.d/rc5.d/K01SuSEfirewall2_setup /etc/init.d/rc5.d/S21SuSEfirewall2_setup /etc/init.d/SuSEfirewall2_init /etc/init.d/SuSEfirewall2_setup /etc/preload.d/SuSEfirewall2_final /etc/preload.d/SuSEfirewall2_init /etc/preload.d/SuSEfirewall2_setup /lib/scpm/resource_types/service/status/SuSEfirewall2_final /lib/scpm/resource_types/service/status/SuSEfirewall2_init There is just one SuSEfirewall2_final entry displayed which even calls the SuSEfirewall2_setup script. I can't find any reason to have this file? Does somebody do? Regards, Robert.

1 0

SuSEfirewall2
by Robert Uhl 23 Nov '05

23 Nov '05

Hi, I am currently dealing with the SuSEfirewall 9.3 and I hope that somebody knows more or figured out more about it then the pour documentation tries to do. I did work quiet a while on the iptables but this SuSE system really does not make a difference in terms of complexity. Sorry. Is there any better documentation about it then you can find in /usr/share/doc/packages/SuSEfirewall2 I found these two scripts e.g.: SuSEfirewall2_init SuSEfirewall2_setup Why does SuSE needs two scripts? Does SuSE plan to change main things on the firewall system in future? Since they did from version to version. Regards, Robert.

4 3

Re: [suse-security] SuSE Firewall/Router
by Polarizer 23 Nov '05

23 Nov '05

There is an alternative way. One can use Web Proxy Auto Discovery (WPAD) to provide proxy informations to clients. You can reach that aim by dhcp or DNS-HTTP combination. [1] http://wi-fiplanet.webopedia.com/TERM/W/WPAD.html The polarizer http://www.codixx.de/polarizer.html

1 0

Re: [suse-security] SuSEfirewall2
by Polarizer 23 Nov '05

23 Nov '05

> Is there any better documentation about it then you can find in /usr/share/doc/packages/SuSEfirewall2 Here[1] you'll find a Susefirewall2 documentation. Document is rather old, as Susefirewall2 itself is too. > I found these two scripts e.g.: > > SuSEfirewall2_init > SuSEfirewall2_setup > > Why does SuSE needs two scripts? > There is are 3rd Script "SuSEfirewall2_final" The firewall starts in 3 stages 1]init Description: SuSEfirewall2_init does some basic setup and is the phase 1 of 3 of the SuSEfirewall initialization 2]setup Description: SuSEfirewall2_setup does some basic setup and is the phase 2 of 3 of the SuSEfirewall initialization. 3]up and running Description: SuSEfirewall2_final does finally set all the firewalling rules. Phase 3 of 3 of SuSEfirewall setup. All 3 scripts call /sbin/SuSEfirewall2 with different parameters. [1] http://sourceforge.net/project/showfiles.php?group_id=42064 the polarizer http://www.codixx.de/polarizer.html

1 0

Re: [suse-security-announce] SUSE Security Announcement: phpMyAdmin remote code execution (SUSE-SA:2005:066)
by Scott Leighton 23 Nov '05

23 Nov '05

On Friday 18 November 2005 5:35 am, Marcus Meissner wrote: > ___________________________________________________________________________ >___ > > SUSE Security Announcement > > Package: phpMyAdmin > Announcement ID: SUSE-SA:2005:066 > Date: Fri, 18 Nov 2005 11:00:00 +0000 Anyone else having a problem after this YOU update? I have three boxes, all of them started crapping out with the following error message when trying to access phpMyAdmin, Fatal error: main(): Failed opening required './' (include_path='.:/usr/share/php') in /srv/www/htdocs/phpMyAdmin/libraries/grab_globals.lib.php on line 70 That file, grab_gobals.lib.php is one that was changed by the YOU update. Commenting out the 'require' on line 70 makes the error go away, but I'm sure that's not really the right solution. Scott -- POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/ Linux 2.6.11.4-21.9-default x86_64 SuSE Linux 9.3 (x86-64)

3 4

Problems with latest SuSE apache2-mod_php5 from SuSE update
by suse＠weberhofer.at 23 Nov '05

23 Nov '05

I have encountered a problem with apache2-mod_php5-5.0.3-14.13.i586.rpm on SuSE 9.3. After installing the following mod_rewrite directive does not work anymore: RewriteRule ^(.*)(index|content)\.html myscript.php [PT] The script is no longer executed, but a empty response of (I think) type x-httpd-php is sent back. Rolling back to apache2-mod_php5-5.0.3-14.11.i586.rpm fixes that issuse. Best regards, Johannes Weberhofer -- |--------------------------------- | weberhofer GmbH | Johannes Weberhofer | information technologies, Austria | | phone : +43 (0)1 5454421 0 | email: office(a)weberhofer.at | fax : +43 (0)1 5454421 19 | web : http://weberhofer.at | mobile: +43 (0)699 11998315 |----------------------------------------------------------->>

3 2