Fedora Linux Support Community & Resources Center
  #1  
Old 10th February 2005, 04:13 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
turn off http port 80, keep https port 443

With a fresh FC3 install, the system has both ports working:
port 80 = http://192.168.5.100
port 443 = https://192.168.5.100

How can I stop port 80 and
continue secure access on port 443 only?



Under Security Level Configuration, I un-checked WWW (HTTP)
But the system still responds to both:
http://192.168.5.100
https://192.168.5.100

Last edited by lothario; 10th February 2005 at 04:19 AM.
  #2  
Old 10th February 2005, 05:31 AM
Void Main Offline
Registered User
 
Join Date: Jan 2005
Posts: 355
After unchecking www and reloading iptables you can still get to 80 from an outside machine? If so, something is broken. At any rate, on machines where I want SSL (https) traffic only, I like to also leave port 80 open but use a redirect in the Apache config to automatically redirect anything coming in on 80 to 443:

Code:
# Send any request that arrived on port 80 to the same path over https
RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^/(.*)$ https://%{SERVER_NAME}/$1 [L,R,NC]
Of course you can also just comment out the "Listen 80" line in your httpd.conf, which will cause Apache not to open a socket on 80 at all, only on 443.
__________________
voidmain.is-a-geek.net
82.94 BogoMIPS, 125Mhz MIPS, 16MB RAM, 0GB HDD, Linux 2.4.20
$ echo '[q]sa[ln0=aln128%Pln128/snlbx]sb25384035327623601753454966742snlbxq'|dc
  #3  
Old 11th February 2005, 03:46 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
Redirecting http to https is fine.
I am told that I can also comment out the port in the "httpd.conf" file.
These are good options to have.

I am concerned: how is port 80 traffic getting through?
  #4  
Old 11th February 2005, 03:49 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
I even rebooted the system.

But the system still responds to:
http://192.168.5.100

Here is the "/etc/sysconfig/iptables"
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
As you can see, port 80 is no longer there.
But HTTP traffic is still somehow getting through to Apache.
  #5  
Old 11th February 2005, 03:49 AM
Void Main Offline
Registered User
 
Join Date: Jan 2005
Posts: 355
Quote:
Originally Posted by lothario
Redirecting http to https is fine.
I am told that I can also comment out the port in the "httpd.conf" file.
Hmmm, I thought that is what I also suggested when I said that you can also comment out the "Listen 80" line.

Quote:
I am concerned, how is port 80 traffic getting through.
I don't understand what you mean here.
  #6  
Old 11th February 2005, 03:52 AM
Void Main Offline
Registered User
 
Join Date: Jan 2005
Posts: 355
Is that address on eth0? If so you are allowing everything on eth0 according to your iptables rules:

Quote:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
  #7  
Old 11th February 2005, 03:55 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
About commenting out port 80:
I am sorry - I got the same suggestion from someone else. I got confused.
  #8  
Old 11th February 2005, 03:58 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
Quote:
Is that address on eth0? If so you are allowing everything on eth0 according to your iptables rules:

Quote:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?

Last edited by lothario; 11th February 2005 at 04:00 AM.
  #9  
Old 11th February 2005, 04:00 AM
Void Main Offline
Registered User
 
Join Date: Jan 2005
Posts: 355
Quote:
Originally Posted by lothario
Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?
The consequences of unchecking it would mean that your firewall will actually start acting like a firewall.
  #10  
Old 11th February 2005, 04:02 AM
awdac Offline
Registered User
 
Join Date: Feb 2005
Location: Athens, GA
Posts: 352
Quote:
Originally Posted by lothario
Yes, it is.
If I un-check eth0 under Security Level Configuration, what are the consequences of that?
You won't be letting every packet and its brother through your ethernet interface. Do it.
__________________
Registered Linux User #240607
2001-11-02 03:17:23
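The root cause in posts #6 to #10 is a rule-ordering problem: "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT" sits above the per-port rules, and iptables stops at the first match, so every packet arriving on eth0 is accepted before the 443-only rule is ever consulted. Post #2's other suggestion, commenting out "Listen 80", has its own easy-to-miss check (a Listen line that is still active somewhere else in the config). The script below is an added example, not code from the thread; it audits both things offline. The rulesets and httpd.conf fragment inside it are constructed from what the thread shows, and the names blanket_accepts, allows_new_tcp and listen_ports are my own.

```shell
#!/bin/sh
# Offline audit for the two controls discussed in this thread: the iptables
# ruleset (a blanket "-i eth0 -j ACCEPT" defeats every port rule after it)
# and Apache's Listen directives (commenting out "Listen 80").
# Added example, not from the original posts. The sample data below is
# constructed; on a real box feed the live files instead:
#   iptables-save | blanket_accepts
#   listen_ports < /etc/httpd/conf/httpd.conf

# Constructed sample: the poster's ruleset, trimmed to the relevant lines.
RULES_POSTED='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same ruleset after unchecking eth0 in system-config-securitylevel,
# i.e. with the blanket interface rule gone.
RULES_FIXED=$(printf '%s\n' "$RULES_POSTED" | grep -v -- '-i eth0 -j ACCEPT')

# Print each -A rule that ACCEPTs on a named, non-loopback interface with no
# protocol, port or state qualifier. iptables evaluates rules top to bottom,
# so such a rule makes every port rule below it irrelevant.
blanket_accepts() {
  awk '/^-A / && /-j ACCEPT$/ && / -i / && !/ -i lo / \
       && !/ -p / && !/--dport / && !/--sport / && !/--state /'
}

# Exit 0 if a NEW TCP connection to port $1 is explicitly accepted, 1 otherwise.
# Blanket interface accepts are deliberately not counted, so this reports what
# the ruleset intends rather than what it accidentally lets through.
allows_new_tcp() {
  grep -qE -- "^-A .*-p tcp .*--dport $1 -j ACCEPT$"
}

# Print the ports Apache will bind, from active Listen directives only.
# Handles "Listen 80", "Listen 192.168.5.100:443" and "Listen [::]:443";
# anything after '#' is a comment, so a commented-out "Listen 80" is ignored.
listen_ports() {
  sed -e 's/#.*//' \
    | awk 'toupper($1) == "LISTEN" { sub(/.*:/, "", $2); print $2 }' \
    | sort -n | uniq
}

# Constructed httpd.conf fragment with Listen 80 commented out.
HTTPD_CONF='# Listen 80
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>'

# Report when run directly.
echo "Blanket interface accepts in the posted ruleset:"
printf '%s\n' "$RULES_POSTED" | blanket_accepts
echo "Blanket interface accepts after the fix:"
printf '%s\n' "$RULES_FIXED" | blanket_accepts
for p in 80 443; do
  if printf '%s\n' "$RULES_FIXED" | allows_new_tcp "$p"; then
    echo "tcp/$p: explicitly allowed"
  else
    echo "tcp/$p: not allowed (falls through to the final REJECT)"
  fi
done
echo "Apache will listen on: $(printf '%s\n' "$HTTPD_CONF" | listen_ports | tr '\n' ' ')"
```

The audit is static on purpose: it tells you what the rules say, which is exactly the kind of check a reboot did not give the poster. Once it comes back clean, still confirm from a second machine (a plain TCP connect to port 80 should be refused or time out), since the ruleset on disk and the ruleset loaded in the kernel are not always the same thing.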
  #11  
Old 11th February 2005, 04:28 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
Ok. That was the culprit.
Thanks.
  #12  
Old 11th February 2005, 04:32 AM
lothario Offline
Registered User
 
Join Date: Jun 2004
Posts: 130
Un-checking eth0 does take care of it.
What is sit0?
Reply With Quote