Pc_Madness Posted November 13, 2008

Bah, got a bit of a tricky one. We've set up our machines so that they can be remotely accessed when they're inside of a firewall by having them tunnel out via SSH to a central server. Which is all working, and you can access the web interface on those machines by doing http://sshserver:port. What we wanted to do was have a little interface on the SSH server which displays a list of machines and links to their tunnels, and of course you have to be logged in and can only see machines which you own. The problem is that the tunnels aren't managed by PHP/Apache, they're set up by the SSH server and forward port 80 on the machines to port say 9000 on the SSH server, so we can't restrict access to it, which makes me a little nervous as this server is going to be sitting on the internet and if someone managed to exploit a hole in those machines it wouldn't look too great. :\ Is there a way to somehow prevent access to a certain port unless you're logged in in PHP? Or I suppose another alternative might be only to query the database over the tunnel, but that means I need a copy of every interface running on the SSH server (so much pain to manage!), and I write to files on the hard disk as well which I'm not sure if I'll have permission to do over an SSH tunnel? Any help oh clever people? :(
Vlad Posted December 26, 2008

Not quite sure I completely get what you're trying to do, but I'll give it a shot anyway. Is there a way to somehow prevent access to a certain port unless you're logged in in PHP? Yes, although there are serious security implications. One way would be to let your PHP script modify iptables rules to allow access to a port; but this requires that PHP be running with root privileges (not safe). To get around this, it might be possible to get Apache to authenticate through PAM and let PAM handle running a script to alter firewall permissions (this might be easy or hard, I've never looked into it). Another way might be using hosts.allow to explicitly allow connections to sshd instead of worrying about a firewall. I think you'll need to post a slightly clearer explanation of what you're trying to do to get a better answer (at least from me). Sorry.
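An added example, not code from either poster, of the approach that avoids giving PHP any control over iptables at all: keep the reverse-tunnel ports reachable only from the SSH server itself, and let a logged-in PHP page be the only way to reach them. It assumes the tunnels are bound to the loopback interface (sshd's default `GatewayPorts no` makes `ssh -R 9000:localhost:80 sshserver` listen on 127.0.0.1 only), that an existing login sets `$_SESSION['user']`, and that the machine-to-owner table (here a constructed array) would really come from the database. The names `$machines`, `machine` and `path` are assumptions for the example.

```php
<?php
// Added example (not from the original thread): an authenticated gateway in
// front of SSH reverse-tunnel ports. Assumes the tunnels are bound to the
// loopback interface on the SSH server (sshd's default GatewayPorts no, with
// clients running e.g. `ssh -R 9000:localhost:80 sshserver`), so only
// processes on the server itself, such as this script, can reach them.
session_start();

// Constructed ownership table; in practice load this from your database.
$machines = [
    'alpha' => ['port' => 9000, 'owner' => 'alice'],
    'beta'  => ['port' => 9001, 'owner' => 'bob'],
];

// Require a logged-in user; how the session is established is up to your app.
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('login required');
}
$user = $_SESSION['user'];

// The caller names a machine, never a host or port.
$name = $_GET['machine'] ?? '';
if (!isset($machines[$name]) || $machines[$name]['owner'] !== $user) {
    // "Unknown machine" and "not your machine" look identical to the caller.
    http_response_code(404);
    exit('no such machine');
}

// Only forward a conservative path; reject anything that could escape it.
$path = $_GET['path'] ?? '/';
if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $path) || str_contains($path, '..')) {
    http_response_code(400);
    exit('bad path');
}

// Fetch from the loopback-bound tunnel port and relay the answer.
$port = $machines[$name]['port'];
$ch = curl_init('http://127.0.0.1:' . $port . $path);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,   // never follow redirects out of the tunnel
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 30,
]);
$body = curl_exec($ch);
if ($body === false) {
    http_response_code(502);
    exit('tunnel unreachable: ' . curl_error($ch));
}
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
$ctype  = curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: 'application/octet-stream';
curl_close($ch);

http_response_code($status);
header('Content-Type: ' . $ctype);
echo $body;
```

This relays GET requests only; a full gateway would also forward the method, request body and the cookies the remote interface relies on. The point is the shape: nothing on the internet can hit port 9000 directly, the web server runs as an unprivileged user and touches no firewall rules, and the remote machine's own interface keeps doing its file writes on its own disk, so the permission question for writing over the tunnel does not arise. Pair it with a check that the tunnel ports really are bound to 127.0.0.1 (for example `ss -ltn` on the SSH server) so the assumption holds.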