[mythtv-users] ssh attack

Mike stuff at dustsmoke.com
Mon Jan 2 23:27:20 UTC 2006


Lee wrote:

>
>> not that I leave mythtv open to the outside anyways, I use mod_proxy 
>> from an external apache system to forward requests to and from the 
>> myth backend's web interface. I always have to get around via that one 
>> gateway machine that I have hardened. 
>
>
> Mike,
>
> What did you do in the external Apache config to get this to work?
> I've been playing with reverse proxies but can't get it to work...
>
> Lee
>

I basically have mine set up so internally I can get to it without a 
username and password, then I have the hardened box ask for a password 
externally. I actually bounce it twice from one hardened server over a 
high port to another hardened server that passes it back internally on 
the normal port. That's because at home Cox blocks 80 incoming on me and 
I can't get out on very many ports at work. I also only respond on a name-
based virtual domain at that. So anything looking to get in on the 
default site or 'ip' won't be able to forward to it anyways.

But this would be the configuration I'd do if I were only bouncing it 
from one hardened server to an internal server. This would let you keep 
internal wide open but make external authenticate with a typical Apache 
htpasswd hash.


##################################################################################
# Reverse-proxy config for the hardened, Internet-facing Apache 2.0/2.2 host
# (Debian apache2 layout). Requests for /mythweb/ are challenged for a
# password here and then forwarded to the MythWeb backend on the LAN.
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
# Only needed if the Cache* block below is ever enabled (see the note there).
LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so
LoadModule disk_cache_module /usr/lib/apache2/modules/mod_disk_cache.so

<IfModule mod_proxy.c>

        # Keep ProxyRequests Off. Turning it on together with "Allow from all"
        # makes the box an open forward proxy that spammers and scanners will
        # find and use.
        ProxyRequests Off

        # With ProxyRequests Off this block only governs the reverse-proxied
        # URLs, so allowing everyone here is fine; the password check is in
        # the <Location /mythweb/> block below.
        # (Apache 2.4 spelling: "Require all granted".)
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        # Handling of HTTP/1.1 "Via:" headers.
        # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
        # Set to one of: Off | On | Full | Block
        ProxyVia On

        # Cache settings inherited from Debian's default proxy.conf. Nothing is
        # cached unless a matching "CacheEnable disk /mythweb/" is added, so as
        # written this block is inert. Leave it that way for MythWeb: the pages
        # are dynamic and per-user, so caching buys nothing. Note also that
        # CacheMaxExpire and CacheDefaultExpire were hours in Apache 1.3, where
        # these values come from, but are seconds in Apache 2.
        CacheRoot "/var/cache/apache2/proxy"
        CacheSize 5
        CacheGcInterval 4
        CacheMaxExpire 24
        CacheLastModifiedFactor 0.1
        CacheDefaultExpire 1

</IfModule>

# Password for everything that is proxied. The Location and ProxyPass prefixes
# must agree: "<Location /mythweb/>" does not match the bare /mythweb, while
# "ProxyPass /mythweb" (no slash) forwards /mythweb and anything starting with
# it, so that pairing hands /mythweb to the backend with no password at all.
# With the trailing slash on both, only /mythweb/... is forwarded and all of it
# sits behind this block. Use the URL with the slash.
<Location /mythweb/>
    AuthName "MythWeb"
    AuthType Basic
    # username:hash lines, created with: htpasswd -c /etc/apache2/mythwebpasswd <user>
    AuthUserFile /etc/apache2/mythwebpasswd
    Require valid-user
</Location>

# Basic auth only base64-encodes the password. Put this in an SSL vhost
# (mod_ssl) before it faces the Internet, or anyone on the path can read it.
ProxyPass        /mythweb/ http://192.168.1.20/mythweb/
ProxyPassReverse /mythweb/ http://192.168.1.20/mythweb/

################################################################

-Mike
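Added example, not from Mike's post or from the MythTV project: the two-hop, name-based layout he describes above (password at the outside box, high port into the home box, normal port to the backend, and nothing answered on the bare IP or default site), written as three Apache 2.4 fragments, one per host, in "Require" syntax (on 2.0/2.2 use Order/Allow as in his snippet). Every name, port and address is a placeholder: myth.example.org at 203.0.113.10 port 8080 for the outside hardened server, 198.51.100.20 port 8081 for the home-side hardened server, 192.168.1.20 for the MythWeb backend. It assumes the proxy, proxy_http, auth_basic, authn_file, authz_user, authz_host and alias modules are enabled.

```apache
# Added example, not Mike's config or MythTV's. Apache 2.4 syntax.
# Placeholders: myth.example.org / 203.0.113.10:8080 = outside hardened server,
# 198.51.100.20:8081 = home-side hardened server, 192.168.1.20 = MythWeb backend.
# Assumed modules: proxy, proxy_http, auth_basic, authn_file, authz_user,
# authz_host, alias. Apache does not allow comments after a directive on the
# same line, so every comment here sits on its own line.

### 1. Outside hardened server (203.0.113.10). Listens on a high port that is
###    reachable from work; never acts as a forward proxy.
Listen 8080
ProxyRequests Off

# The first vhost on a port is the default. Requests that arrive by bare IP,
# or with any Host header that is not the real name, land here and are
# refused, so scanners sweeping the address never see the proxy at all.
<VirtualHost *:8080>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# The real site answers only to its name.
<VirtualHost *:8080>
    ServerName myth.example.org

    # The password is asked here at the edge, so nothing unauthenticated
    # travels any further. Same "/mythweb/" prefix as the ProxyPass below,
    # trailing slash included, so every forwarded path is covered.
    <Location "/mythweb/">
        AuthType Basic
        AuthName "MythWeb"
        # created with: htpasswd -c /etc/apache2/mythwebpasswd <user>
        AuthUserFile /etc/apache2/mythwebpasswd
        Require valid-user
    </Location>

    # The bare /mythweb is not proxied (the prefix needs the slash); send it
    # to /mythweb/ with an exact-match redirect so it cannot loop.
    RedirectMatch ^/mythweb$ /mythweb/

    # Hop to the home-side server on its high port (80 inbound is blocked there).
    ProxyPass        /mythweb/ http://198.51.100.20:8081/mythweb/
    ProxyPassReverse /mythweb/ http://198.51.100.20:8081/mythweb/

    # Basic auth is only base64-encoded. Before this faces the Internet,
    # make it an SSL vhost (mod_ssl: SSLEngine on plus a certificate) or
    # the password crosses the wire in the clear.
</VirtualHost>

### 2. Home-side hardened server (198.51.100.20). Only vhost on this port, so
###    the Host header does not matter; access is limited by source address.
Listen 8081
ProxyRequests Off
<VirtualHost *:8081>
    ServerName myth.example.org
    # Only the outside server may talk to this port; anyone who finds the
    # high port directly gets a 403, password or not.
    <Location "/">
        Require ip 203.0.113.10
    </Location>
    # Pass back to the backend on the normal port.
    ProxyPass        /mythweb/ http://192.168.1.20/mythweb/
    ProxyPassReverse /mythweb/ http://192.168.1.20/mythweb/
</VirtualHost>

### 3. MythWeb backend (192.168.1.20, port 80). Wide open to the LAN with no
###    password, as Mike wants, but closed to everything else, so a mistake
###    in either proxy still cannot be reached from outside. Assumes the
###    home-side proxy reaches it from an address in 192.168.1.0/24.
<Location "/mythweb/">
    Require ip 192.168.1.0/24
</Location>
```

The point of the catch-all vhost is the one Mike makes about the default site: name-based hosting only protects anything if the default vhost refuses, because the first vhost on a port answers every request whose Host header matches nothing else. The three "Require" layers (password at the edge, source address at the second hop, LAN-only at the backend) are independent, so a mistake in one of them does not expose the backend by itself.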


More information about the mythtv-users mailing list