[mythtv-users] ssh attack
Mike
stuff at dustsmoke.com
Mon Jan 2 23:27:20 UTC 2006
Lee wrote:
>
>> not that I leave mythtv open to the outside anyways, I use mod_proxy
>> from an external apache system to forward requests to and from the
>> myth backend's web interface. I always have to get around via that one
>> gateway machine that I have hardened.
>
>
> Mike,
>
> What did you do in the external Apache config to get this to work?
> I've been playing with reverse proxies but can't get it to work...
>
> Lee
>
I basically have mine set up so internally I can get to it without a
username and password, then I have the hardened box ask for a password
externally. I actually bounce it twice from one hardened server over a
high port to another hardened server that passes it back internally on
the normal port. That's because at home Cox blocks 80 incoming on me and
I can't get out on very many ports at work. I also only respond on a name
based virtual domain at that. So anything looking to get in on the
default site or 'ip' won't be able to forward to it anyways.
But this would be the configuration I'd do if I were only bouncing it
from one hardened server to an internal server. This would let you keep
internal wide open but make external authenticate with a typical apache
htpasswd hash.
##################################################################################
LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so
LoadModule disk_cache_module /usr/lib/apache2/modules/mod_disk_cache.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
Order deny,allow
#Deny from all
Allow from all
#Allow from .your_domain.com
</Proxy>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia On
# To enable the cache as well, edit and uncomment the following lines:
# (no caching without CacheRoot)
CacheRoot "/var/cache/apache2/proxy"
CacheSize 5
CacheGcInterval 4
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
CacheDefaultExpire 1
# Again, you probably should change this.
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
</IfModule>
<Location /mythweb/>
AuthName "MythWeb"
AuthType Basic
# this file contains the username password
AuthUserFile /etc/apache2/mythwebpasswd
Require valid-user
</Location>
ProxyPass /mythweb http://192.168.1.20/mythweb
ProxyPassReverse /mythweb http://192.168.1.20/mythweb
################################################################
-Mike
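One check worth running on a setup like the one above, as an added example that is not part of Mike's post: the `<Location /mythweb/>` block (with trailing slash) requires a login for everything under `/mythweb/`, but `ProxyPass /mythweb` also forwards the bare `/mythweb` path, which that block does not cover, so such a request reaches the internal backend without authentication. The script below parses the auth and proxy directives (sample constructed from the post) and lists proxied paths that no login-protected `<Location>` covers; it assumes the non-regex `<Location>` matching rules as documented for Apache 2.4.

```python
import re

# Constructed sample: the auth and proxy directives from the post above (cache lines omitted).
SAMPLE_CONF = """
<Location /mythweb/>
AuthName "MythWeb"
AuthType Basic
AuthUserFile /etc/apache2/mythwebpasswd
Require valid-user
</Location>
ProxyPass /mythweb http://192.168.1.20/mythweb
ProxyPassReverse /mythweb http://192.168.1.20/mythweb
"""

def parse_conf(text):
    """Collect <Location> prefixes that require a login, plus top-level ProxyPass prefixes."""
    auth_locations, proxy_prefixes = [], []
    current, requires_auth = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"<Location\s+(\S+)\s*>", line, re.I):
            current, requires_auth = m.group(1), False
        elif line.lower() == "</location>":
            if requires_auth:
                auth_locations.append(current)
            current, requires_auth = None, False
        elif current and re.match(r"Require\s+(valid-user|user|group)\b", line, re.I):
            requires_auth = True
        elif current is None and (m := re.match(r"ProxyPass\s+(\S+)\s+\S+", line, re.I)):
            proxy_prefixes.append(m.group(1))
    return auth_locations, proxy_prefixes

def location_matches(location, path):
    """Non-regex <Location> matching as documented for Apache 2.4 (assumption):
    exact match, or the location with a trailing slash is a prefix of the path."""
    root = location if location.endswith("/") else location + "/"
    return path == location or path.startswith(root)

def unprotected_paths(conf_text):
    """Proxied request paths that no login-protected <Location> block covers."""
    auth_locations, proxy_prefixes = parse_conf(conf_text)
    leaks = []
    for prefix in proxy_prefixes:
        bare = prefix.rstrip("/")
        for path in (bare, bare + "/", bare + "/index.php"):
            if not any(location_matches(loc, path) for loc in auth_locations):
                leaks.append(path)
    return leaks
```

Dropping the trailing slash (`<Location /mythweb>`) makes the auth scope match the proxy scope and the check returns nothing. In practice the backend usually answers the bare path with a redirect to `/mythweb/`, but unauthenticated requests should not reach it at all.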