Recently I've set up an Amazon EC2 instance of Ubuntu 16.04 that was authorized to scan an IP block. The version of GSA that I have installed is 7.0.3. Currently, I can locally access GSA through the EC2 instance or remotely using my public Amazon elastic IP.
Additionally, I've allowed external access to GSA's listening port from my IP block. Currently, I can access GSA without any problems using my instances static public IP over HTTPS.
The problem that I'm currently running into is accessing GSA using a FQDN.
For example, I want to be able to use https://gsa.mydomain.com
My local DNS server has an A record with the FQDN and my EC2 instances public IP.
On my instance, I ran the following command.
sudo gsad --allow-header-host gsa.mydomain.com
However, browsing to https://gsa.mydomain.com produces the following error.
"The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it."
Neither restarting GSA services or my instance had no effect.
Clearly, DNS is working but the host header command is not.
Any thoughts on how I can make this happen?
Additionally, for reference, I used the following URL
https://github.com/greenbone/gsa/pull/318
In ubuntu/debian edit /etc/default/openvas-gsa file and set ALLOW_HEADER_HOST=HOSTNAME
where HOSTNAME is your host name in the browser address line.
I'm using Kali and was able to figure this out my modifying the systemd service files. Modify the file /lib/systemd/system/greenbone-security-assistant.service, adding the --allow-header-host gsa.mydomain.com to the end of the ExecStart line.
For example, change the line from:
ExecStart=/usr/sbin/gsad --foreground --listen=<internal IP> --port=<configured web server port> --mlisten=<internal IP> --mport=<configured management port>
to:
ExecStart=/usr/sbin/gsad --foreground --listen=<internal IP> --port=<configured web server port> --mlisten=<internal IP> --mport=<configured management port> --allow-header-host gsa.mydomain.com
Then run:
systemctl daemon-reload
systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service
Related
I am using Spring Boot admin version 2.6.9 and using
spring.boot.admin.client.instance.prefer-ip=true
to register to admin server via an IP address. Now since I am running my apps inside Docker containers, the admin server receives Docker IP addresses and not the public IP addresses
of the applications.
I have tried changing management.address, but that does not work.
I can not use the Docker network to connect to these machines and I can not change the server.address property. I have tried the below properties as well, but they don’t show anything on the admin server apart from online status.
spring.boot.admin.client.instance.service-url=http://11.0.134.202:9999
spring.boot.admin.client.instance.management-url=http://11.212.134.202:9999
I got it working using
spring.boot.admin.client.instance.prefer-ip=true
spring.boot.admin.client.instance.service-url=http://127.0.0.1:9999
spring.boot.admin.client.instance.management-url=http://127.0.0.1:9999/actuator
I was actually doing some quick labs exercise when I noticed this issue where is ping to an internal IP works but if I ping with machine name it does not work. Here is what I did:
a.) Create a GCP project. Leave all the default firewall rules in place
b.) Create a VM in us-central-1 (any region) call it - mynet-us-vm
c.) Create a VM in eu-west-1 (any region) - call it - mynet-eu-vm
d.) SSH to mynet-us-vm from the console
e.) Run this commands : ping -c 3 <Enter mynet-eu-vm's internal IP here>- It works
f.) Run this command: ping -c 3 mynet-eu-vm - Does not work! Getting below error
Getting Error:
"ping: mynet-eu-vm: Name or service not known"
For Internal DNS resolution to work there are multiple factors that affect this:
On the client Instance running ping the resolv.conf file must have the metadata server (169.254.169.254) as it’s nameserver and the search domains must be set similarly to the example on the documentation, if using a Google provided image this configuration should already be set correctly.
Additionally, verify the hostname registered for the Instance “mynet-eu-vm” this can be done by running curl against the metadata server, the output to this will be the full FQDN which will confirm whether the resolv.conf file should be set to Zonal DNS or Global DNS and if the hostname for the Instance is the same as the one being used with ping.
If running “dig FQDN #169.254.169.254” works but ping still fails this would mean that the Instance is trying to resolve against a different nameserver, or that the search list on resolv.conf is incorrect.
If the above steps fail I suggest raising a support case with Google Cloud Platform or opening a new Public Issue Tracker since following the steps provided does not result in the same behavior and likely it’s something specific to your setup.
If you deleted a VM on Google Compute Engine on a Centos 6 Cpanel server and then create it with the same disk, you often are assigned a new local IP address even if you kept the static IP. This does not properly update in the NAT configuration on Cpanel/WHM servers.
This stops any sites from working and the only way to fix it is manually edit the http.conf file. Inside Web Host Manager you can fix the public facing IP, but there is no place to edit the local IP. Does anyone know how to edit the nat configuration on centos 6 on Google Compute Engine to fix the local IP so that all new sites created will have the correct local IP in the http.conf?
Here is a pic of the current nat configuration on my Centos 6 server.
Here is a pic showing my correct local IP in Compute Engine, you can see it does not match the one Cpanel has, which causes the http.conf file to generate new virtual hosts with the wrong IP.
Its a configuration issue within WHM/Cpanel that can not be corrected with any configuration settings in the interfaces. I contacted Cpanel Support and they provided me with a command line shell script to run from root to fix the issue. It worked flawlessly:
# /scripts/build_cpnat
This resolved the issue, but they gave this additional info if that does not solve your problem:
If this does not resolve your issue, please review our NAT
documentation and ensure that your server is configured in a supported
1:1 NAT configuration:
http://documentation.cpanel.net/display/ALD/1%3A1+NAT
The Compute Engine does not allow you to create an instance with a specific network IP address. You will have to use a combination of routes and an instance's --can-ip-forward ability to add an IP address as a static network IP address that then maps to your desired virtual machine instance.
For example, if you want to assign 10.1.1.1 specifically as a network IP address to a virtual machine instance, you can create a static route that sends traffic from 10.1.1.1 to your instance, even if the instance's network IP address assigned by Compute Engine doesn't match your desired network IP address.
Take a look at this link: https://cloud.google.com/compute/docs/instances-and-network#staticnetworkaddress
The best and the simplest solution for this is to use the WHM/Cpanel IP Migration Wizard option to change the existing Private IP with the new one and then wait for few hours to make those changes propagate and you will see the new Private IP and Public IP in sync in your WHM platform.
I had the same issue with AWS and CentOS 7 hosting latest WHM/ cPanel. each time the instance restarts then a new private/ local IP address. I deleted cpnat from /var/cpanel/.
So I disabled the NAT, then I created another eth so I can configure it with static IP which is the Public IP, then for the main account only which own the hostname and domain name for WHM I assigned it to the local IP address, but as the local IP address keep changing so I created a script fires up at the start after each boot collecting the new local IP address and assign it automatically to the main account and if there is no new local IP address then the script exit without doing anything.
here are the steps been done:
nano /etc/sysconfig/network-scripts/ifcfg-eth0:cp1
and inside that file put the following: (change IPADDR & DNS)
DEVICE="eth0:cp1"
BOOTPROTO="static"
ONBOOT="yes"
IPADDR="13.54.100.XX"
NETMASK="255.255.255.0"
DNS1="172.31.0.2"
TYPE="Ethernet"
IPV6INIT="no"
now we would like this interface to stay upon reboot and start on the reboot so run:
ifup eth0:cp1
then restart the network service by:
service network restart
now disable NAT mode by deleting the file cpnat in /var/cpanel
now check the file /var/cpanel/mainip and make sure our external ip is there 13.54.100.XX
create the following file with nano:
nano /etc/init.d/fixdhcp
add the following to the file and save it:
#!/bin/bash
# # This script assigns available DHCP IP to ACCOUNT-NAME user on Reboot or Restart, please change ACCOUNT-NAME to the main WHM domain account name
# apache service will restart when done.
/scripts/rebuildippool
export mydhcp10=$(cat /etc/ipaddrpool)
echo $mydhcp10
# Exit if no available IPs
if [ "${mydhcp10}" == "" ]; then
echo "ipaddrpool is empty" && exit 1
else
echo "ipaddrpool is not empty"
fi
/usr/local/cpanel/bin/setsiteip -u ACCOUNT-NAME $mydhcp10
chmod +x /etc/rc.d/rc.local
echo finished now restarting services
/scripts/rebuildhttpdconf
/scripts/rebuildippool
/scripts/cleandns
/scripts/fixvaliases
/scripts/modify_accounts --theme=paper_lantern --all-users
/usr/local/cpanel/scripts/updateuserdomains
service httpd restart
make the file excutable:
chmod +x /etc/init.d/fixdhcp
add it to rc.d
nano /etc/rc.local
then add it like this:
/etc/init.d/fixdhcp
save then run:
chmod +x /etc/rc.d/rc.local
If it still won't change, try this:
(i.e. when you List Accounts you see the old internal IP listed for each account)
WHM -> List Accounts expand desired account (+)
=> Change IP Address
=> select the IP address (even if it is the same external IP)
=> click change.
repeat for each affected account.
output:
The remote dns zone is not consistent with the httpd.conf.
The current ip in httpd.conf is: 10.240.0.3.
The current ip in the dns zone is: 104.154.68.68!
104.154.68.68 will be switched to the new ip as well!
The local dns zone is not consistent with the httpd.conf.
The current ip in httpd.conf is: 10.240.0.3.
The current ip in the dns zone is: 10.240.0.2!
10.240.0.2 will be switched to the new ip as well!
Warning, serious database inconsistency. httpd.conf, local dns, and remote dns all
have different ideas about what the ip address of this site really is. They will now all be changed
to the new ip: 10.240.0.2!
Changed all instances of [10.240.0.3,104.154.68.68] -> [104.154.68.68] in dcmetroc.kellen.hosting
Changed all instances of [10.240.0.3,104.154.68.68] -> [104.154.68.68] in dcmetrocollaborative.org
Updating httpd.conf....Done
System has 0 free ips.
if you're using nginx, don't forget to rebuild vhosts in ngnix plugin!
I just needed to change the local IP with the new one in:
/var/cpanel/cpnat
/etc/hosts
/etc/ips.dnsmaster
I created a test JBOSS web service and there is only one test method in it. I access this using http://localhost:8070/MyWebService/MyRESTApplication
and it shows the result from the web service. I tried this in both Eclipse and Browser and it works.
But when i want to access this web service using IP address of my system then it shows ERROR message that Page cannot be displayed (in fact browser is not able to find this web service).
I want to access like this http://IPaddress:8070/MyWebService/MyRESTApplication
what should i do so that i can access it using my IP from some computer
You have to start JBoss using :
./run.sh -b [your_IPaddress]
On windows:
start run.bat -b 0.0.0.0
This will tell it to start and bind to all network interfaces. You can also replace 0.0.0.0 with your actual IP if you only want it to bind to that network interface.
I find it easier for debugging to have it come up on all network interfaces because this will work when you are running a virtual machine to debug something like Internet Explorer.
Open your server setting in Eclipse and set Host name as your IP address or 0.0.0.0
My JBoss server is running in my system and trying to access it from other system using ip address of my system, but its not accessible and even from my own system i am not able to access using ip.
How can i make jboss enable using ip address.
Thanks
We can run JBoss as ./run.sh -b 127.0.0.1 or run.bat -b 127.0.0.1
This will make JBoss accessible using ip.
If the JBoss is running on your machine you can access it using this URL
http://localhost:<portnumber>
If you have started the JBoss using the command
run.bat>
then you can access the JBoss through above URL only.
If you use this command to start the JBoss :
run –b 0.0.0.0.>
then you can access the JBoss using this URL also
http://<ipaddress>:<portnumber>
In addition to this, if in place of IP address if you want to use some domain name then add that domain name
<IP address> <domain name>
into the host file at this path:
C:\WINDOWS\system32\drivers\etc>
then you can access your jboss through this url
http://<domain name>:<portnumber>
For more details you can check this blog http://tarunjain-jaintarun.blogspot.com/2012/08/acessing-jboss-using-ipaddress.html