On Wed, Jun 1, 2022 at 11:21 john doe wrote:
> when does it actually start operating? Does it do so then, or does it take
>
> a reboot?
>
Apparently, if you 'enable' 'ufw', it will start and be enabled at boot.
Good, thanks.
According to (1), ufw should work with nftables, I did not follow th
On 6/1/2022 1:45 PM, Tom Browder wrote:
On Mon, May 30, 2022 at 19:46 Edwin Zimmerman wrote:
On 5/30/22 09:41, Greg Wooledge wrote:
On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
No worries. All those responses about the subject IP now are the norm
for a
bare-iron server read
On Mon, May 30, 2022 at 19:46 Edwin Zimmerman wrote:
> On 5/30/22 09:41, Greg Wooledge wrote:
> > On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
> >> No worries. All those responses about the subject IP now are the norm
> for a
> >> bare-iron server ready for use by a customer, your
On 5/30/22 09:41, Greg Wooledge wrote:
> On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
>> No worries. All those responses about the subject IP now are the norm for a
>> bare-iron server ready for use by a customer, yours truly. It is the same
>> server I messed up the firewall with a
On Mon, May 30, 2022 at 1:24 PM Tom Browder wrote:
> On Mon, May 30, 2022 at 09:03 IL Ka wrote:
>
>> IMHO: It is better to have a firewall and block (policy -- drop) INPUT
>> and FORWARD by default.
>> And open only ports that must be opened.
>> This will help if you install some software that l
On Mon, May 30, 2022 at 09:03 IL Ka wrote:
> IMHO: It is better to have a firewall and block (policy -- drop) INPUT and
> FORWARD by default.
> And open only ports that must be opened.
> This will help if you install some software that listens on 0.0.0.0 by
> accident.
>
From my limited researc
On Mon, May 30, 2022 at 08:42 Greg Wooledge wrote:
..
> Unless this machine is more than just a web server...?
It does serve other purposes.
IMHO: It is better to have a firewall and block (policy -- drop) INPUT and
FORWARD by default.
And open only ports that must be opened.
This will help if you install some software that listens on 0.0.0.0 by
accident.
On Mon, May 30, 2022 at 4:42 PM Greg Wooledge wrote:
> On Mon, May 30, 2022 at
On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote:
> No worries. All those responses about the subject IP now are the norm for a
> bare-iron server ready for use by a customer, yours truly. It is the same
> server I messed up the firewall with and locked myself out of. The OS has
> been r
On Mon, May 30, 2022 at 02:13 john doe wrote:
> On 5/30/2022 12:26 AM, Tom Browder wrote:
> > On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote:
No worries. All those responses about the subject IP now are the norm for a
bare-iron server ready for use by a customer, yours truly. It is the same
On 2022-05-29, Greg Wooledge wrote:
>
> Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
> (Nor port 22.)
>
That's strange; I can ping it (I'm not in Kansas anymore):
curty@einstein:~$ ping 69.30.225.10
PING 69.30.225.10 (69.30.225.10) 56(84) bytes of data.
64 bytes fro
On 5/30/2022 12:26 AM, Tom Browder wrote:
On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote:
...
Thanks, Greg. It looks like my server was blocked from ports 80 and 443
upstream from it (as you and others suspected), so I asked my provider to
reinstall the OS and ensure it has public access to
> Maybe I should remove all firewall progs and start from zero.
I would suggest you install Shorewall. It is not the pain in the arse that's
been the theme of this thread so far.
On Sun, May 29, 2022 at 8:13 PM Greg Wooledge wrote:
> On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote:
> > On 5/29/22, Greg Wooledge wrote:
> > > Second, I cannot ping this IP address, nor can I telnet to port 80 of
> it.
> >
> > For whatever it's worth..
> >
> > Pinging 69.30.225.10 with 3
>
>
> ssh gives me a login prompt
>
>
Btw, I highly recommend:
* Block SSH access from any IP except the one you are going to use to manage
this server
* If you have a dynamic IP, you can add your ISP's whole network, or, at least,
your country: (list can be downloaded here
https://blog.ip2location.com/kno
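IL Ka's two recommendations in this thread (drop INPUT and FORWARD by default and open only the ports that must be open; allow SSH only from the address you manage from) written out as one nftables ruleset, with a timed rollback because the server in this thread had already been locked out once. This is an added example, not code posted by anyone in the thread. It assumes nftables and systemd on the host; the management prefix 203.0.113.0/24 (MGMT_SRC), the rollback delay and the log prefix are placeholders chosen for the example.

```bash
#!/bin/bash
# Added example, not from the thread: a default-drop nftables ruleset that
# opens 80/443 to everyone and 22 only to a management source, plus a timed
# rollback so a wrong rule does not lock you out of a bare-iron box.
# Assumes nftables (nft) and systemd on the host. MGMT_SRC is a placeholder
# prefix (TEST-NET-3) chosen for this example; set your own before use.
set -eu

MGMT_SRC=${MGMT_SRC:-203.0.113.0/24}

# gen_ruleset MGMT_SRC [PORT...]: print a ruleset suitable for `nft -f -`.
# Input and forward default to drop, so a daemon that starts listening on
# 0.0.0.0 by accident is still unreachable until its port is added here.
gen_ruleset() {
    local mgmt=$1 list
    shift
    list=$(printf '%s' "${*:-80 443}" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # IPv4 management source only; add an "ip6 saddr" rule for an IPv6 one
        ip saddr $mgmt tcp dport 22 accept
        tcp dport { $list } accept
        # everything else falls through to the drop policy; keep a trace of it
        limit rate 5/second log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_with_rollback [SECONDS]: syntax-check the new ruleset, save the live
# one, load the new one, and restore the old one after SECONDS unless
# confirm_ok is run first. Run it over the console or a session you can lose.
apply_with_rollback() {
    local secs=${1:-300} backup
    backup=$(mktemp)
    gen_ruleset "$MGMT_SRC" | nft -c -f -                 # --check: parse only
    { echo 'flush ruleset'; nft list ruleset; } > "$backup"
    ( sleep "$secs" && nft -f "$backup" ) &              # the safety net
    ROLLBACK_PID=$!
    gen_ruleset "$MGMT_SRC" | nft -f -
    echo "loaded; open a NEW ssh session from $MGMT_SRC and run confirm_ok within ${secs}s"
}

# confirm_ok: cancel the pending rollback and make the ruleset survive reboots.
confirm_ok() {
    kill "$ROLLBACK_PID"
    gen_ruleset "$MGMT_SRC" > /etc/nftables.conf
    systemctl enable --now nftables                      # Debian's unit loads /etc/nftables.conf
}

# Usage, as root:  source this file; apply_with_rollback 300
# then, from a fresh ssh session that still works:  confirm_ok
```

Load it from the console or a session you can afford to lose; the background subshell puts the previous ruleset back unless confirm_ok is run from a fresh SSH session. Two things that came up in this thread are not changed by it: a port filtered by the provider upstream stays filtered whatever the host loads, and fail2ban's own chain (the f2b-sshd chain shown in the iptables -S output, created through iptables) is a second, independent rule stack that every packet must also pass, so neither tool will show the other's rules. It is meant to replace ufw, not to sit beside it.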
On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote:
> On 5/29/22, Greg Wooledge wrote:
> > Second, I cannot ping this IP address, nor can I telnet to port 80 of it.
>
> For whatever it's worth..
>
> Pinging 69.30.225.10 with 32 bytes of data:
> Reply from 69.30.225.10: bytes=32 time=43ms TTL=53
On 5/29/22, Greg Wooledge wrote:
> On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote:
>> I have not intentionally hidden anything, Greg--I just never saw the need
>> for
>> mentioning it given the dialogue--x.y.z.w is just shorthand. If you
>> must know the exact IP address, it is 69.30.
On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote:
...
Thanks, Greg. It looks like my server was blocked from ports 80 and 443
upstream from it (as you and others suspected), so I asked my provider to
reinstall the OS and ensure it has public access to ports 80 and 443.
Best regards,
-Tom
On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote:
> I have not intentionally hidden anything, Greg--I just never saw the need for
> mentioning it given the dialogue--x.y.z.w is just shorthand. If you
> must know the exact IP address, it is 69.30.225.10.
OK. Now we can actually start he
On Sun, May 29, 2022 at 2:21 PM Greg Wooledge wrote:
>
> > > > btw, are you able to ping server?
> > >
> > > Yes.
> >
> > It is always better to show the command and the output instead of saying
> > yes/no! :)
>
> Except it should be abundantly clear by now that you're dealing with
> someone who b
> > > btw, are you able to ping server?
> >
> > Yes.
>
> It is always better to show the command and the output instead of saying
> yes/no! :)
Except it should be abundantly clear by now that you're dealing with
someone who believes that they must hide every single detail from
the ones who would
>
>
> I must say, I cannot really understand how you can ping and not
> telnet/access your web server.
>
>
Some router between OP and his server has something like
-I FORWARD -j REJECT --reject-with icmp-host-unreachable
On 5/29/2022 7:20 PM, Tom Browder wrote:
On Sun, May 29, 2022 at 11:39 IL Ka wrote:
btw, are you able to ping server?
Yes.
It is always better to show the command and the output instead of saying
yes/no! :)
I must say, I cannot really understand how you can ping and not
telnet/access yo
On Sun, May 29, 2022 at 11:39 IL Ka wrote:
> btw, are you able to ping server?
>
Yes.
On Sun, May 29, 2022 at 05:41:59AM -0500, Tom Browder wrote:
> On Sat, May 28, 2022 at 20:06 IL Ka wrote:
> ...
>
> 3. You should also check that Apache is running and listening to this port,
> > use ``ss -lt``.
> > For this command you _may_ use sudo to get process names (``sudo ss
> > -ltp``).
btw, are you able to ping server?
On Sun, May 29, 2022 at 7:26 PM Tom Browder wrote:
> On Sun, May 29, 2022 at 10:33 AM IL Ka wrote:
> >
> >
> >> When running those, I'm told neither the arptables nor the ebtables are
> registered (not installed). Should I install them?
> >
> > No.
> >
> > So,
>
>
> > and ``iptables -S`` ?
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with
>
On Sun, May 29, 2022 at 10:33 AM IL Ka wrote:
>
>
>> When running those, I'm told neither the arptables nor the ebtables are
>> registered (not installed). Should I install them?
>
> No.
>
> So, you now have legacy (classic) iptables, right?
Yes.
> What is the output of ``iptables -L -v -n``
C
> When running those, I'm told neither the arptables nor the ebtables are
> registered (not installed). Should I install them?
>
No.
So, you now have legacy (classic) iptables, right?
What is the output of ``iptables -L -v -n`` and ``iptables -S`` ?
On Sun, May 29, 2022 at 09:51 IL Ka wrote:
>
>>> Do I have to switch all four *legacy *tables?
>>
>
> yes
>
When running those, I'm told neither the arptables nor the ebtables are
registered (not installed). Should I install them?
>
>
>
>> Do I have to switch all four *legacy *tables?
>
yes
On Sat, May 28, 2022 at 17:24 IL Ka wrote:
> ...
I am not familiar with nft, but you can switch to iptables using
>> ``update-alternatives``
>>
>
> # update-alternatives --set iptables /usr/sbin/iptables-legacy
> # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> # update-alterna
Le 29/05/2022 à 13:22, Tom Browder a écrit :
On Sun, May 29, 2022 at 05:41 Tom Browder wrote:
Does anyone have a good reason for me to NOT install and enable UFW?
-Tom
A good reason would be that there is obviously already something on
your server managing the firewalling. Having 2 different
>
>
>
> Good to know. But does fail2ban require ipset?
>
No, but having several thousand rules is not convenient, so I prefer ipset
> They never have before in over 15 years, and, before I got this server
> started, its mate was serving fine. But if the ufw doesn't work, I'll ask
> them.
>
I'd s
On Sun, May 29, 2022 at 07:06 IL Ka wrote:
> Does anyone have a good reason for me to NOT install and enable UFW?
>>
>
> ufw can't be used with ipset AFAIK, and I use ipset for many reasons
> (fail2ban, block access outside of my country etc).
> But if you only SSH your host from one static IP, y
>
>
>
> Does anyone have a good reason for me to NOT install and enable UFW?
>
>
ufw can't be used with ipset AFAIK, and I use ipset for many reasons
(fail2ban, block access outside of my country etc).
But if you only SSH your host from one static IP, you probably do not need
fail2ban at all.
Anyw
>
> $ telnet x.y.z.w 80
> Trying x.y.z.w...
> telnet: Unable to connect to remote host: No route to host
>
But you can ssh to this host, right?
Well, that means the firewall blocks your request and sends the ICMP
message "no route to host".
Switch to the legacy iptables using ``update
On Sun, May 29, 2022 at 05:41 Tom Browder wrote:
Does anyone have a good reason for me to NOT install and enable UFW?
-Tom
On Sat, May 28, 2022 at 20:06 IL Ka wrote:
...
3. You should also check that Apache is running and listening to this port,
> use ``ss -lt``.
> For this command you _may_ use sudo to get process names (``sudo ss
> -ltp``). Read ``ss --help``
>
> If you were able to connect on this host, then try t
On Sat, May 28, 2022 at 20:06 IL Ka wrote:
>
>> $ sudo su
>> # telnet 80
>> Trying 0.0.0.80...
>>
>
> 1. You are using telnet wrong: it should be "telnet [host] [port]". Please
> read "man telnet".
> 2. You do not need sudo to use telnet, do not do that
> 3. You should also check that
>
>
> $ sudo su
> # telnet 80
> Trying 0.0.0.80...
>
1. You are using telnet wrong: it should be "telnet [host] [port]". Please
read "man telnet".
2. You do not need sudo to use telnet, do not do that
3. You should also check that Apache is running and listening to this port,
use ``ss
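The checks IL Ka lays out here (``telnet host port`` from outside, ``ss -lt`` on the host) and the distinction made elsewhere in the thread, that a "No route to host" reply is what a REJECT with icmp-host-unreachable produces rather than a missing route, worked into one script that names which failure it saw. This is an added example, not code posted in the thread; it assumes bash (for /dev/tcp), coreutils timeout, and iproute2 ss on the server. The function and variable names are mine.

```bash
#!/bin/bash
# Added example, not from the thread: tell the three failure modes of a TCP
# connect apart, because each points at a different layer.
#   refused     - host reached, nothing listening on the port (ss -ltnp on the host)
#   unreachable - a firewall on the host or on a router in between REJECTed the
#                 SYN with an ICMP error, e.g. "-j REJECT --reject-with
#                 icmp-host-unreachable"; the host still answers ping
#   timeout     - the SYN was DROPped, or never reached the host
# Assumes bash (/dev/tcp), coreutils `timeout`, and iproute2 `ss` on the server.

# classify_connect HOST PORT [SECONDS]
# Prints one of: open refused unreachable timeout other. Returns 0 only for open.
classify_connect() {
    local host=$1 port=$2 secs=${3:-5} err rc=0
    # A child bash does the connect so the error text and the fd stay contained.
    if err=$(timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1); then
        echo open
        return 0
    else
        rc=$?
    fi
    if [ "$rc" -eq 124 ]; then
        echo timeout          # timeout(1) expired before the kernel gave up
        return 1
    fi
    case $err in
        *"Connection refused"*)                          echo refused ;;     # RST came back
        *"No route to host"*|*"Network is unreachable"*) echo unreachable ;; # ICMP error came back
        *"timed out"*)                                   echo timeout ;;
        *)                                               echo other ;;       # DNS failure etc.
    esac
    return 1
}

# listening_on PORT: true if any local TCP socket is in LISTEN state on PORT
# (what "ss -lt" shows; -n keeps the port numeric so the match is exact).
listening_on() {
    ss -ltn | awk -v p=":$1" 'NR > 1 && $4 ~ (p "$") { found = 1 } END { exit !found }'
}

# diagnose_local PORT: run on the server itself, in the order the thread used:
# is the daemon listening at all, and does a loopback connect work?
diagnose_local() {
    local port=$1
    if ! listening_on "$port"; then
        echo "nothing listening on :$port; start or fix the service before touching firewall rules"
        return 1
    fi
    echo "loopback 127.0.0.1:$port -> $(classify_connect 127.0.0.1 "$port")"
}

# diagnose_remote HOST PORT: run from outside (home, another host).
diagnose_remote() {
    local r
    r=$(classify_connect "$1" "$2") || true
    echo "$1:$2 -> $r"
    case $r in
        open)        echo "reachable from here; a scanner that still fails has a problem on its own path" ;;
        refused)     echo "host reached, port closed: daemon bound to 127.0.0.1 only, or not running" ;;
        unreachable) echo "REJECTed: check iptables -S / nft list ruleset on the host, then ask the provider" ;;
        timeout)     echo "DROPped or filtered upstream: host policy, provider filter, or wrong address" ;;
    esac
}

# Usage:  diagnose_local 80            (on the server)
#         diagnose_remote 69.30.225.10 80   (from home)
```

diagnose_local 80 on the server is the same check as the loopback telnet that worked in this thread; diagnose_remote from home is the one that failed. The word it prints is the point: refused means the host answered and nothing was there, unreachable means something sent an ICMP error back, which is a REJECT on the host or on the provider's router and exactly the case where the host pings but the port does not connect, and timeout means a DROP, which is also what a default-drop policy looks like from outside.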
On Sat, May 28, 2022 at 19:10 Timothy M Butterworth <timothy.m.butterwo...@gmail.com> wrote:
…
On the local host try running `telnet 127.0.0.1 80`
>
I was able to connect, thanks, Timothy!
Now what? I would really like to use ufw.
-Tom
On Sat, May 28, 2022 at 19:01 Greg Wooledge wrote:
> On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote:
> …
>
> ... wow. Just wow. How can such a short excerpt contain so many failures?
Greg, calm down. I get it, but I haven’t unlearned years of muscle
memory—sorry.
And the telnet
On Sat, May 28, 2022 at 7:52 PM Tom Browder wrote:
>
>
> On Sat, May 28, 2022 at 17:51 Tom Browder wrote:
>
>> On Sat, May 28, 2022 at 17:30 IL Ka wrote:
>>
>>> I am running an Apache server and using Qualys Lab’s server checker. It
shows no access to the server.
Have you tried t
On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote:
> $ sudo su
> # telnet 80
> Trying 0.0.0.80...
... wow. Just wow. How can such a short excerpt contain so many failures?
1) "sudo su" is stupid. You don't need TWO setuid programs to get a root
shell. Either use "sudo
On Sat, May 28, 2022 at 17:51 Tom Browder wrote:
> On Sat, May 28, 2022 at 17:30 IL Ka wrote:
>
>> I am running an Apache server and using Qualys Lab’s server checker. It
>>> shows no access to the server.
>>>
>>> Have you tried to telnet to port 80 from home? Do you see apache
>> listening this
On Sat, May 28, 2022 at 17:30 IL Ka wrote:
> I am running an Apache server and using Qualys Lab’s server checker. It
>> shows no access to the server.
>>
>> Have you tried to telnet to port 80 from home? Do you see apache
> listening this port using ``ss``?
>
On the new host I did:
$ sudo s
>
> I am running an Apache server and using Qualys Lab’s server checker. It
> shows no access to the server.
>
> Have you tried to telnet to port 80 from home? Do you see apache
listening this port using ``ss``?
>
> Whatever attempt I make to change the ports disappears when I reboot.
>
> Sure,
Tom Browder wrote:
> On Sat, May 28, 2022 at 14:11 Tom Browder wrote:
>
> > As the bare-iron server came from my long-time cloud provider (since
> > Debian 6), incoming ports 80 and 443 are blocked.
>
>
> A little more digging shows the new server is using fail2ban and nft
> tables, so I
> nee
On Sat, May 28, 2022 at 17:08 Dan Ritter wrote:
…
Therefore, something outside of your machine is blocking the
> ports, or you are misreading or misusing the tools that are
> telling you the ports are blocked.
Tell us how you are checking the ports
I am running an Apache server and using Qual
>
>
>
> A little more digging shows the new server is using fail2ban and nft
> tables, so I
> need help on how to properly allow https and http inbound.
>
>
I am not familiar with nft, but you can switch to iptables using
``update-alternatives``
# update-alternatives --set iptables /usr/sbin/iptab
On Sat, May 28, 2022 at 14:11 Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
A little more digging shows the new server is using fail2ban and nft
tables, so I
need help on how to properly allow https
>
>
>
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N f2b-sshd
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A
On 5/28/22 22:11, Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
>
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.
Try
Tom Browder wrote:
> As the bare-iron server came from my long-time cloud provider (since
> Debian 6), incoming ports 80 and 443 are blocked.
>
> I ran my usual iptables command for new servers from them, but this
> time the default settings were different so it didn't work.
>
> Output from "sud
As the bare-iron server came from my long-time cloud provider (since
Debian 6), incoming ports 80 and 443 are blocked.
I ran my usual iptables command for new servers from them, but this
time the default settings were different so it didn't work.
Output from "sudo iptables -S" before my attempt: