disable telnet on http port?_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-02-16 14:22 出处：网络

I might be asking wrong questions now but bear with me. I have a Linux system with a daemon and a web front end to it. The daemon accepts socket request on a certain port and receive commands. Normal

相关专题：sockets

I might be asking wrong questions now but bear with me.

I have a Linux system with a daemon and a web front end to it. The daemon accepts socket request on a certain port and receive commands. Normally, such commands are issued by the web front end, which has it's secure login procedure. However, as HTTP allows anybody from telnet-ing onto that port and issue raw commands, I need a way of protecting the system from abuse.

I actually don't think there is a way to configure apache to no allow telnet because then the开发者_运维技巧 whole thing probably wouldn't work any more.

So is there any way to only allow socket created from local host?

ps. I know there is local version of socket but I'd like to avoid it - reason is that I've written an automated testing framework depending on remote connection.

Thanks,

Use iptables to restrict access to port 80 only to connections from localhost

iptables -I INPUT -j ACCEPT -p tcp --destination-port 80 -i lo
iptables -A INPUT -j DROP -p tcp --destination-port 80 -i eth0

Have your daemon bind() to the local host(127.0.0.1) only, and your web server make calls to 127.0.0.1. That way noone outside the box can make direct connections to it.

struct inaddr_in listen_addr = {0};

listen_addr.sin_family = AF_INET;
listen_addr.sin_port = htons(my_port);
listen_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

Alternativly, add a firewall/iptables rule that blocks your daemon port from anything but localhost.

Your daemon could keep a list of allowed IPs, preferably in a config file, and immediately disconnect any connections that are not on the allowed list. Use the getpeername() function to get the connecting IP.

struct sockaddr_in sin;
socklen_t slen = sizeof(sin);
bzero(&sin, sizeof(sin));
if (getpeername(sock, (struct sockaddr *) &sin, &slen) != 0) {
  /* getpeername failed */
  close(sock);
  return;
}
char * c = inet_ntoa(sin.sin_addr);
/* Now loop through your list of permitted addresses and compare to c */

Disclaimer: Code not compiled or tested, but should give you an idea of how to implement it.

If you don't want to alter your app, you could configure the firewall to restrict access to the appropriate port number, so that only that machine, and your test machine can connect to the port.