More than 1 webserver behind DD-WRT

DD-WRT Forum Index -> Broadcom SoC based Hardware
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Fri Jul 31, 2009 13:13
Because of the recent exposure of the httpd exploit on dd-wrt I took another look at the config of my reverse proxy.
Because the proxy is running as root, a potential exploit would give a hacker root credentials. I therefore decided to run my reverse proxy as a different user. It has already been running for a while and I didn't notice any differences, so I thought it was time to post the changes....

I also tested to see what damage a potential hacker could do with a potential exploit of pound. I'm sure I can improve on the privileges I gave pound, but my focus was on getting it to run properly... Suggestions are welcome.


This is the modified startup script:
# cat /opt/etc/init.d/S80pound
Code:
#!/bin/sh
# Init script for the pound reverse proxy. pound itself drops root through the
# User/Group directives in its config; this script only makes sure that the
# account exists before the daemon is started.

prefix="/usr"
cfg=/tmp/pound/pound.cfg

PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=pound
AS_USER=pound
DAEMON=${prefix}/sbin/${NAME}
POUND_CTL="/tmp/pound.ctl"            # must match "Control" in pound.cfg
POUNDCTL_BIN="${prefix}/sbin/poundctl"

test -x "$DAEMON" || exit 0

# Without an argument, derive the action from the script name
# (S80pound -> start, K20pound -> stop).
if [ -z "$1" ] ; then
    case "${0##*/}" in
        S??*) rc="start" ;;
        K??*) rc="stop" ;;
        *) rc="usage" ;;
    esac
else
    rc="$1"
fi

# Create the unprivileged account if it is missing. The match is anchored to
# the login-name field so that another user whose name merely contains
# "pound" does not suppress creation.
grep -q "^${AS_USER}:" /etc/passwd || echo "${AS_USER}:x:33:33:${AS_USER}:/opt:" >> /etc/passwd
grep -q "^${AS_USER}:" /etc/group  || echo "${AS_USER}:x:33:" >> /etc/group

case "$rc" in
    start)
        echo "Writing $cfg"
        /opt/sbin/write_pound_cfg
        echo "Starting $NAME"
        if [ -n "`pidof $NAME`" ]; then
            echo "$NAME already running"
        else
            if [ ! -e "$cfg" ]; then
              echo "missing $cfg"
              exit 1
            fi
            $DAEMON -v -f "$cfg"
        fi
        ;;
    stop)
        if [ -n "`pidof $NAME`" ]; then
            echo "Stopping $NAME"
            killall $NAME 2> /dev/null
        else
            echo "$NAME already stopped"
            exit 1
        fi
        ;;
    restart)
        "$0" stop
        sleep 1
        "$0" start
        ;;
    status)
        if [ -n "`pidof $NAME`" ]; then
            $POUNDCTL_BIN -c "$POUND_CTL"
        else
            echo "$NAME is not running"
            exit 1
        fi
        ;;
    *)
        echo "Usage: $0 (start|stop|restart|usage|status)"
        ;;
esac

exit 0

The three lines with "AS_USER" are added.

And this is the change in the 1st part of the config
# cat /opt/etc/pound/pound.pt1
Code:
User            "pound"
Group           "pound"
TimeOut         120
Alive           30
Control         "/tmp/pound.ctl"

ListenHTTP
        Address 0.0.0.0
        Port 8080


As you can see, as this less privileged user you can't see the /etc/passwd file, nor can you reboot or log in as root.

Code:
root@WAN:/# su pound

BusyBox v1.13.4 (2009-07-21 03:02:22 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
@WAN:/tmp$
@WAN:/tmp$ reboot
@WAN:/tmp$
@WAN:/tmp$
@WAN:/tmp$ echo "" >>/tmp/hosts
sh: can't create hosts: Permission denied
@WAN:/etc$ su -
Password:
incorrect password
@WAN:/tmp$

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
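The line in the startup script that creates the unprivileged account is worth exercising on its own, because the whole privilege drop depends on it. The following is an added example (not frater's script, nor anything shipped with DD-WRT or Pound) that runs the check against a scratch passwd-style file instead of the real /etc/passwd. It shows why an unanchored `grep -q pound` is a poor existence test, and it fills the shell field with /bin/false (assumed to exist on the target firmware) so that `su pound` cannot open a shell the way it does in the session above:

```shell
#!/bin/sh
# Added example (not from the thread): idempotent creation of an unprivileged
# service account, written against a passwd-style file passed as an argument
# so it can be exercised on a scratch copy instead of the real /etc/passwd.

# naive_user_exists FILE USER: the unanchored check. It matches any line that
# contains USER anywhere (a user "compound", a GECOS field), so the account
# may silently never be created and pound's "User pound" directive then fails.
naive_user_exists() {
    grep -q "$2" "$1"
}

# user_exists FILE USER: match only the login-name field at the start of a line.
user_exists() {
    grep -q "^$2:" "$1"
}

# ensure_user FILE USER UID GID HOME SHELL: append a passwd entry only when
# USER is absent. An empty shell field (as in the thread) still yields /bin/sh
# on login; /bin/false is assumed to exist and blocks interactive use.
ensure_user() {
    file=$1 user=$2 uid=$3 gid=$4 home=$5 shell=$6
    if user_exists "$file" "$user"; then
        return 0
    fi
    printf '%s:x:%s:%s:%s:%s:%s\n' "$user" "$uid" "$gid" "$user" "$home" "$shell" >> "$file"
}

# count_user FILE USER: how many entries a login name has (should be 0 or 1).
count_user() {
    grep -c "^$2:" "$1"
}

# Demonstration on a constructed scratch file (not a real system's passwd).
demo_passwd=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
compound:x:500:500:unrelated account:/tmp:
EOF

# The unanchored test is already "true" because of "compound" ...
naive_user_exists "$demo_passwd" pound && echo "naive check: pound already present (wrong)"
# ... while the anchored test sees that no such login exists.
user_exists "$demo_passwd" pound || echo "anchored check: pound missing (correct)"

ensure_user "$demo_passwd" pound 33 33 /opt /bin/false
ensure_user "$demo_passwd" pound 33 33 /opt /bin/false   # second call is a no-op
echo "entries for pound: $(count_user "$demo_passwd" pound)"
rm -f "$demo_passwd"
```

Run it as `sh ensure_user.sh`; the second `ensure_user` call leaves the file unchanged, which is the property the startup script needs when it is executed on every boot.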
fullspam
DD-WRT User


Joined: 14 Oct 2007
Posts: 62

Posted: Thu Oct 01, 2009 14:35
I have a landisk attached to my dd-wrt router (192.168.10.1), and I have this configuration:

Access over the internet (mydomain.org with ZoneEdit):
- http://publicip -> web page, thanks to lighttpd
- http://publicip:81 -> configuration web menu

LAN:
- http://192.168.10.11 -> configuration web menu
- ftp://192.168.10.11 -> ftp to the configured directory

The question is, I want to access my LAN over the internet, and I read this topic (before that, I had tried a port forward in the NAT menu, but it doesn't work :( ).

I have followed all the steps (copy-paste):
/opt/etc/init.d/S80pound
/opt/sbin/write_pound_cfg
/opt/etc/pound/pound.pt1

and in /opt/etc/pound/pound.pt2 I have written
Code:
        Service "landisk"
                HeadRequire "^Host:[\t ]*landisk\.mydomain\.org$"
                BackEnd
                        Address 192.168.10.11
                        Port 80
                End
        End
        Service "ftp"
                HeadRequire "^Host:[\t ]*ftp\.mydomain\.org$"
                BackEnd
                        Address 192.168.10.11
                        Port 21
                End
        End
End


In the web menu I have added this rule in Port forwarding:
Landisk
from 80
protocol both
IP address 192.168.10.11
port to 8080
enable checked

and finally
Code:
/opt/etc/init.d/S80pound start
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT


I tried landisk.mydomain.org, but I don't get any response :S

Have I made any mistake?
Must I include an alias or web forward in the ZoneEdit configuration?

thanks in advance
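The pound.pt2 above hand-writes one Service block per virtual host. Since the thread's /opt/sbin/write_pound_cfg is never shown, here is an added example of such a generator (my own code, not frater's or fullspam's, and not part of Pound); the function names and the "host address port" input format are my assumptions. It produces the same layout as the snippets in this thread, with the privilege-dropping header from frater's pound.pt1, and it escapes the dots in each host name so that the HeadRequire regex matches only that host. One caveat that follows from how Pound works: it is an HTTP reverse proxy, so a Service whose backend is port 21 will not carry FTP; FTP has to be handled by a plain port forward outside of Pound.

```shell
#!/bin/sh
# Added example (not the thread's write_pound_cfg, which is never shown):
# assemble a pound.cfg from "hostname backend_ip backend_port" lines read on
# stdin. Layout follows the snippets in this thread: a header that drops
# privileges to the "pound" user, one ListenHTTP on 0.0.0.0 and one Service
# per virtual host selected with HeadRequire on the Host header.

# escape_host NAME: make a host name safe inside Pound's regular expression
# ("mydomain.org" must become "mydomain\.org"; an unescaped "." matches any
# character, so a look-alike host could also be routed to that backend).
escape_host() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# pound_service HOST ADDR PORT: emit one Service block for a virtual host.
pound_service() {
    rx=$(escape_host "$1")
    cat <<EOF
        Service "$1"
                HeadRequire "^Host:[\t ]*$rx\$"
                BackEnd
                        Address $2
                        Port $3
                End
        End
EOF
}

# write_pound_cfg OUT LISTEN_PORT: write the full configuration to OUT.
# Reads "host addr port" lines from stdin; blank lines and lines starting
# with "#" are skipped. The daemon runs as the unprivileged "pound" user.
write_pound_cfg() {
    out=$1 lport=$2
    {
        cat <<EOF
User            "pound"
Group           "pound"
TimeOut         120
Alive           30
Control         "/tmp/pound.ctl"

ListenHTTP
        Address 0.0.0.0
        Port $lport
EOF
        while read -r host addr bport; do
            case $host in ''|\#*) continue ;; esac
            pound_service "$host" "$addr" "$bport"
        done
        echo "End"
    } > "$out"
}

# count_services FILE: number of Service blocks in a generated config.
count_services() {
    grep -c '^ *Service "' "$1"
}

# has_host FILE HOST: does the config contain a HeadRequire for exactly HOST
# (checked as a fixed string, i.e. the dot-escaped form)?
has_host() {
    grep -qF "HeadRequire \"^Host:[\t ]*$(escape_host "$2")\$\"" "$1"
}

# Constructed demo: two virtual hosts on a private LAN (not a real deployment).
cfg=$(mktemp)
write_pound_cfg "$cfg" 8080 <<'EOF'
# host                  backend         port
landisk.mydomain.org    192.168.10.11   80
www.mydomain.org        192.168.10.12   80
EOF
cat "$cfg"
echo "services: $(count_services "$cfg")"
rm -f "$cfg"
```

In a real setup the stdin lines would come from a small table kept on /opt (or jffs), and the script would write to /tmp/pound/pound.cfg before S80pound starts the daemon; only HTTP backends belong in that table.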
syale
DD-WRT Novice


Joined: 09 Oct 2006
Posts: 7

Posted: Sat Oct 10, 2009 9:19
Trying to setup subdomains. Getting this error trying to install optware:

Code:
root@ddwrt:/tmp# sh /tmp/optware-install.sh
Checking system config ...
Using xxx.xxx.xxx.xxx as default gateway.
Using the following nameserver(s):
nameserver 192.168.5.1
Installing package uclibc-opt_0.9.28-12_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org (140.211.169.169:80)
Installing package ipkg-opt_0.99.163-9_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org (140.211.169.169:80)
/tmp/optware-install.sh: line 90: /opt/sbin/ldconfig: not found
/tmp/optware-install.sh: line 91: /opt/bin/ipkg: not found
/tmp/optware-install.sh: line 92: /opt/bin/ipkg: not found
/tmp/optware-install.sh: line 93: /opt/bin/ipkg: not found


Any suggestions?
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sat Oct 10, 2009 9:34
I have improved the S80pound script.
Please download this script so I can give you proper support....
Your config will be written to /tmp/pound/pound.cfg

pound.pt1 and pound.pt2 are replaced by /opt/etc/pound/pound.header and /opt/etc/pound/pound.tail

pound.pt1 is not the same as pound.header. Just don't create pound.header for the time being.....

Code:
wget -O /opt/etc/init.d/S80pound http://wd.mirmana.com/S80pound
chmod +x /opt/etc/init.d/S80pound
ln -s S80pound /opt/etc/init.d/K20pound

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Mon Jan 25, 2010 7:57
frater wrote:
Hi Graegos....
If so, I can write a tutorial that doesn't need optware....


Hi frater,

that's exactly what I'm looking for, because I have enough space in my wrt54gs v1.1.
The problem is that I haven't found the binary of pound :(
Are you sure it is included in the mega version?

Many thanks in advance
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Mon Jan 25, 2010 17:19
Yes, it should be in the mega-version.
What's the output of:

Code:
which pound

or
Code:
find / -name pound


BTW, I just found out it's not in Eko's 'big'.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Mon Jan 25, 2010 21:20
Both commands bring nothing :-(

meaning that the binary is not included.

Do you think it was removed?

I've configured pound on an Ubuntu machine, so if the binary were there it would be easy to run it. I don't want to install optware only for pound.

regards,
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Tue Jan 26, 2010 20:01
Hi,
I've just installed DD-WRT v24-sp2 (12/28/09) mega
(SVN revision 13525) (dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/12-28-09-r13525/broadcom/dd-wrt.v24_mega_generic.bin) and now when I type which pound dd-wrt responds /usr/sbin/pound.
So I think that pound is finally there :-)

@frater, do you have a tutorial to use pound without optware?

Many thanks in advance and best regards.
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Wed Jan 27, 2010 14:32
Hi,

I assume I have to add a line to the startup to launch pound, create a pound.cfg and open the port on the router.

@frater my last question: what are the command line parameters of the dd-wrt pound version and where should I put the pound config file?

Many thanks in advance and kind regards
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Wed Jan 27, 2010 19:31
I haven't got much time this month...
Check out this script...
It may need some changes to work....
Code:
wget http://wd.mirmana.com/S80pound

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Thu Jan 28, 2010 9:12
The service is not available. Please try again later. :-(

Do you have another url?

regards,
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Thu Jan 28, 2010 17:31
Just tested it from a remote location and it works. I don't think you used "wget".

My apache-server wasn't working today, but this file is not on my apache-server. If you connect with wget instead of a normal browser you will get my WD Worldbook, which is at your disposal to send you that file.


If you try it the same way again, you will get another error-message (from my Apache-server) which tells you to use "wget"

This is a demonstration of what pound can do for you....

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Fri Jan 29, 2010 12:21
Thanks frater, it's working now.

I just have to enable jffs to store the pound.cfg and then it should work.

Thanks a lot again for your support.
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Fri Jan 29, 2010 13:49
I've enabled jffs on my wrt54gs, but it seems that there is no more space :(

Total / Free Size 256.00 KB / 0

Is it normal with the mega version? How can I put pound.cfg on my device without having to add a USB device or a memory card?

Many thanks in advance,
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Tue Feb 02, 2010 13:29
Pound is finally working for me with the mega version of dd-wrt and without optware :D

I'll write a tutorial if someone is interested.

cheers
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
Page 3 of 8