We Keep Coding

Fix IP with port to IP without port

I have a website.example.com The website is hosted on OVH I would like to point a sub domain shop.example.com to another website hosted on another server
(95.110.189.135:8069) the problem is that I can't c name to an IP with a port.
I used Ubuntu for my odoo server
I've got odoo on my vps server with database. Now, It's working on IP with port (example: 55.55.55.55:8069). So now,
How can I change it to IP without port?
If I want a domain name - how can I do this?

I found the solution it's easy to redirect to port 80
to do that add a line of code in the file
etc/rc.local
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
then the file will become like this
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
exit 0
save and then restart the server

You cannot use plain DNS to transfer traffic to another port. This is not possible with either canonical name (CNAME record) or address (A record). These DNS services are only used for address resolution.
To solve your configuration issue you can use reverse proxy, e.g. Nginx. You can find example configurations from the Odoo.com site at https://www.odoo.com/documentation/11.0/setup/deploy.html#https. This is describing how to use https in port 443 to proxy Odoo in upstream service at port 8069. For public services you should use encrypted https, not http. Point your show.example.com in DNS to your "another" server ip address and on that server have Odoo and Nginx running. Your Odoo can run on port 8069 and your Nginx would run on https 443 and proxy connections to Odoo upstream service on localhost 8069.
Hope this helps you forward. Please check your configuration with someone who have experience with this kind of setups before you go production. This will make sure your configuration is secure.

Prevent access from outside, mongodb

Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?

Expanding on #Sammye's comment mongodb has often no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the ip adress of your server everyone in the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports by a firewall.
Here is a sample iptables configuration (for ubuntu):
the following commands allow all traffic to localhost and to the ports 22 (ssh), 80 (http) and 443 (https)
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
these commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
this is a script from the iptables ubunt wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
when everything is finished and seems to be working do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted)
sudo apt-get install iptables-persistent
this is by far not a complete guide on how to secure your server with iptables as firewall but I hope that it can get you started.
Now the database is only reachable from the server on not from the public internet anymore. To access your database from the public internet anyways you will have to create a ssh tunnel to your server:
ssh youruser#yourdomain_or_ip_adress -f -N -L 27019:yourdomain_or_ip_adress:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_adress:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database from your server at your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure mongodb internally you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/

Redirecting filtered requests to second web server

What I want to do is setup two web servers. One will simply deliver normal content to people that request it and one will put minimal strain on the system and strictly deliver an access denied type of message for hackers.
I looked at http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ for ideas on how to create this redirection based on a bad IP address and its suggesting:
iptables -t nat -A PREROUTING --src <source address> -p tcp --dport <new server port number> -j REDIRECT --to-port <new server port number>
I then tested that theory by trying the following on a computer without internet but with apache server running on port 80 and nothing on port 81:
iptables -t nat -A PREROUTING --src 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port 81
I then typed in 127.0.0.1 in my web browser and received the same apache response as usual. Instead, I expected a browser message that it could not connect to the remote server.
How to I adjust the iptables command to make computers from listed IP in --src redirect from 127.0.0.1 port 80 to 127.0.0.1 port 81?
I understand I can use apache or php and even apache modules and all that for the redirection but I'm trying to use the least system-intensive approach and I want hackers to have the least amount of system resources available to them so that real visitors can enjoy a quality website, however
I want them to be able to see a message because if a real person gets blocked by accident then at least they can understand what's going on from an error message instead of a connection drop.

Packets on the loopback interface (127.0.0.0/8) don't pass through the NAT tables. Try using an external computer for the test.

How to configure buildbot slave to run from behind a firewall?

Is it possible to run a buildbot-slave from inside a corporate firewall where you are allowed to create only outgoing connection on standard HTTP(s) ports?
How can I achieve that?

In this case you should run your master to use exactly these ports, i.e. running web interface on HTTP(80) port while using HTTPS(443) port for slaves' connections. However this would require master to run with root privileges which is bad. In this case you could redirect traffic from these ports to the actual used in master with iptables. With default master ports for web interface(8010) and slave connections(9989) you'll get something like:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:9989
The same goes for web interface in case you're not using any proxy HTTP server (like nginx, haproxy, lighthttpd, etc).

Cannot access an application hosted on jBoss remotely

I have hosted an application in a machine running Red Hat Enterprise Linux 5. I started the jBoss AS using the command.
./run.sh -b 0.0.0.0
and
./run.sh -Djboss.bind.address=<<server_address>>
and
./run.sh --host=<<ipaddress>>
but using any of these commands i cannot access the application remotely. Using the the above commands I cannot even access the application on the host machine itself, using localhost as well as ip address. I am not able to figure out the problem here. I can ping the linux machine from the other windows machines.

Check iptables rules are not blocking firstly
Also are you running as a user? If so, you will not have permission to bind to a port number less than 1024.
try telneting the port from the server itself to check the service is responding e.g.
telnet localhost 8080
presuming that you are running on 8080 in the example above.
you can drop your iptables temporarily for testing if it is safe to do so by:
/etc/init.d/iptables stop
and restart them when you've finished with
/etc/init.d/iptables start
you can make a permanent change to your iptables config by adding the following line to /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT