- Join Date
- Oct 2006
System Access best practices - Admin/Monitoring web apps imap etc
I'm looking for some best practices ideas.

I have a CentOS 5.5 system (soon to be upgraded to 6.3). It has a public IP on it, and right now I only allow port 80 on it from a few IP addresses (work, home), and Horde webmail.

So what I'd like to do is extend that a bit. I run Nagios and Cacti on it, and I'd like to have access to those from anywhere, and also possibly access to some code allowing me to ping, traceroute, etc.

Is there a way I could do something like browse to a hidden webpage, perhaps on a nonstandard port, and once I've entered a correct password/challenge phrase on that webpage, the system would allow connections from my current IP address to the Nagios/Cacti webpages, and I could then enter authentication to access the Nagios pages?

I don't want to limit security to something as simple as a single layer of a .htpasswd file for accessing critical system info.

I also don't want to just implement a VPN service on the server, since not everyone who might access it would have a client or the technical knowhow/skills, and I'm sometimes in environments that block outbound IPsec/SSL VPN traffic connections.
- Join Date
- May 2011
Hello and welcome!
You could do something like that with the Linux kernel firewall, i.e., a simple iptables rule will get you there. As the request will originate from a webpage, you'll just have to set up the user running the webserver (e.g., "apache" or "nobody") to be allowed to run the iptables command via sudo. Either that, or have a daemon/cronjob running that looks for a setting you set in a file somewhere. It might be better to write an iptables script that runs all the rules you need, taking IP addresses, etc. as arguments, then allow the apache user to run that script via sudo.
You could also have a button on your page to "Log out/Forget me", so that the rule could then be removed.
Let us know how you get on.
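An added example of the wrapper script the reply above suggests (not code from the poster or the thread): the web server user is granted sudo on this script only, never on iptables itself, and the script refuses anything that is not a plain dotted-quad IPv4 address, so a value pasted into the web form cannot smuggle extra iptables arguments. The chain name WEBALLOW, the port list and the sudoers line are assumptions; a "Forget me" button would call it with `del`.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumed sudoers entry (hypothetical):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/allow_ip.sh
# Assumed: WEBALLOW is a user-defined chain that INPUT jumps to before its
# default deny; PORTS lists the web ports the allowed address may reach.
CHAIN="${CHAIN:-WEBALLOW}"
PORTS="${PORTS:-80,443}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run without root

# Accept only a plain IPv4 address: digits and dots, four octets, each <= 255.
# Anything else (spaces, ';', '-j', hostnames) is rejected before iptables runs.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the iptables arguments for "add" (insert rule) or "del" (remove rule).
rule_args() {
    case "$1" in
        add) op="-I" ;;
        del) op="-D" ;;
        *)   return 1 ;;
    esac
    printf '%s %s -s %s -p tcp -m multiport --dports %s -j ACCEPT\n' \
        "$op" "$CHAIN" "$2" "$PORTS"
}

# apply add|del <ipv4>: validate, then run the single allowed iptables command.
apply() {
    valid_ipv4 "$2" || { echo "refusing: '$2' is not a plain IPv4 address" >&2; return 2; }
    args=$(rule_args "$1" "$2") || { echo "usage: $0 add|del <ipv4>" >&2; return 2; }
    # $args is built only from validated/controlled values, so word-splitting it is intended.
    $IPTABLES $args
}

if [ "$#" -gt 0 ]; then
    apply "$@"
fi
```

Pair it with a cron job or the same script's `del` action to expire entries, so an address allowed from a hotel or cafe network does not stay open indefinitely.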
- Join Date
- Apr 2012
- Virginia, USA
I think the easiest / best way to do this would be with an SSH tunnel.

Use port forwarding to forward a local port on your client machine, say 8888 or something like that. Then, after the SSH tunnel is connected, browse to https://localhost:8888

This may or may not work with named virtual hosts; try updating your hosts file and then browsing to https://domain:8888