Find the answer to your Linux question:
Results 1 to 3 of 3
Hi all - I'm looking for some best practices ideas - I have a Centos 5.5 system (soon to be upgraded to 6.3) It has a public IP on it, ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Oct 2006
    Posts
    1

    System Access best practices - Admin/Monitoring web apps imap etc


    Hi all -

    I'm looking for some best practices ideas -

    I have a Centos 5.5 system (soon to be upgraded to 6.3)

    It has a public IP on it, and right now, I only
    allow port 80 from it on a few ip addresses (work, home)
    and Horde webmail.

    So what I'd like to do is extend that a bit -
    I run Nagios and Cacti on it, and I'd like to have
    double-authentication secured
    access to those from anywhere, and
    also possibly access to some code allowing me to ping,traceroute, etc


    Is there a way I could do something like
    browse to a hidden webpage perhaps on a nonstandard port, and once I've entered
    a correct password/challenge phrase on that webpage, then
    the system would allow connections from my current IP address to the Nagios/Cacti
    webpages, and I could then enter authentication to access the Nagios pages.


    I don't want to limit security to something as simple as a single layer of a .htpasswd file for accessing critical system info.
    I also don't want to just implement a VPN service on the server, since not everyone who might access would have a client or technical knowhow/skills,
    and I'm sometimes in environments that block outbound IPsec/SSL VPN traffic connections.



    Ideas?

    thanks...

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hello and welcome!

    You could do something like that w/the Linux kernel firewall, i.e., a simple iptables rule will get you there. As the request will originate from a webpage, you'll just have to set up the user running the webserver (e.g., "apache" or "nobody") to be allowed to run the iptables command via sudo. Either that, or have a daemon/cronjob running that looks for a setting you set in a file somewhere. It might be better to write an iptables script that runs all the rules you need, taking ip addresses, etc. as arguments, then allow the apache user to run that script via sudo.

    You could also have a button on your page to "Log out/Forget me", so that the rule could then be removed.

    Let us know how you get on.

  3. #3
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    917
    I think the easiest / best way to do this would be with an ssh tunnel.

    Use port forwarding to forward a local port on your client machine, say 8888 or something like that. Then after the ssh tunnel is connected, browse to https://localhost:8888
    This may or may not work with named virtual hosts, by updating your hosts file, and then browsing to https://domain:8888

  4. $spacer_open
    $spacer_close

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •