Blocked ports on a hardened box?

6 posts • Page 1 of 1
CoderMan
Apprentice
Posts: 173
Joined: Mon Aug 10, 2009 11:13 pm

Post by CoderMan » Tue Apr 06, 2010 7:52 pm

Hi. I'm trying to set up a hardened amd64 Gentoo system, serving primarily as a web server. I used the hardened Gentoo stage3, and set up grsecurity following this guide. (The RBAC functionality is still running in learning mode.) This is my first time working with a hardened system. I just installed apache2, for the purpose of seeing if I could view the default web page. If that had worked, my next step would have been to install iptables and set up a firewall.

However, even before installing iptables, I can't seem to connect on port 80. If I try to view it from a web browser on a different computer, I get an "unable to connect" error. If I try to view it on the web server itself with "links http://localhost" or "links http://127.0.0.1" I get a "connection refused" error.

I don't think this is an external network problem, for one because I can't connect locally, and two, because I can ssh into the server just fine.

Apache gives one weird error at startup, but it does actually start:

Code:

voltron etc # apache2ctl start
 * Starting apache2 ...
apache2: apr_sockaddr_info_get() failed for voltron
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName                                   [ ok ]
voltron etc # apache2ctl configtest
 * Checking apache2 configuration ...                                                                                                            [ ok ]
voltron etc # apache2ctl virtualhosts
apache2: apr_sockaddr_info_get() failed for voltron
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          localhost (/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:11)
*:80                   is a NameVirtualHost
         default server localhost (/etc/apache2/vhosts.d/00_default_vhost.conf:38)
         port 80 namevhost localhost (/etc/apache2/vhosts.d/00_default_vhost.conf:38)
Syntax OK

The apache config files are all the defaults that come with the installation, and /etc/conf.d/apache2 and /etc/apache2/httpd.conf and the default vhost files in /etc/apache2/vhosts.d all seem to be set correctly to point to the right place.

So, my question: Does the hardened version of Gentoo have some kind of default firewall system that is blocking port 80? If so, how do I adjust it? I don't want to get into setting up iptables until I've figured out what is going on here.

Code:

voltron apache2 # emerge --info apache
Portage 2.1.7.17 (hardened/linux/amd64/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.28-hardened-r9-x86_64-Intel-R-_Core-TM-_i7_CPU_860_@_2.80GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 01 Apr 2010 23:45:02 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.3
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -msse4 -mcx16 -msahf -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -msse4 -mcx16 -msahf -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j7"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acl amd64 bash-completion berkdb bzip2 cli cracklib crypt cups cxx dri emacs gdbm gpm hardened iconv justify mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection session spl sse sse2 ssl sysfs tcpd urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

=================================================================
                        Package Settings
=================================================================

www-servers/apache-2.2.15 was built with the following:
USE="(multilib) ssl -debug -doc -ldap (-selinux) -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap -log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp -proxy_http -substitute -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 
LDFLAGS="-Wl,-O1 -Wl,--no-as-needed"
Like computers but don't like programming? Then you missed the whole point.
frigidcode.com
bendeguz
Apprentice
Posts: 189
Joined: Wed Feb 10, 2010 7:44 am

Post by bendeguz » Tue Apr 06, 2010 8:07 pm

Did you check with nmap? Is it listening on port 80?
CoderMan
Apprentice
Posts: 173
Joined: Mon Aug 10, 2009 11:13 pm

Post by CoderMan » Tue Apr 06, 2010 8:22 pm

bendeguz wrote: Did you check with nmap? Is it listening on port 80?

To be honest, I didn't even know what nmap was. However, I just installed it, and it gave me this output:

Code:

voltron rcdp # nmap -v -A localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-06 12:17 AKDT
Initiating SYN Stealth Scan at 12:17
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 12:17, 0.05s elapsed (1000 total ports)
Initiating Service scan at 12:17
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 12:17, 0.00s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Host localhost (127.0.0.1) is up (0.000015s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.27
Uptime guess: 0.822 days (since Mon Apr  5 16:34:04 2010)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
           Raw packets sent: 1019 (45.598KB) | Rcvd: 2042 (86.944KB)

I don't know how to tell it to list closed ports, but it seems from this output that nothing is listening on port 80, which doesn't make sense because apachectl says the service is running. :?
CoderMan
Apprentice
Posts: 173
Joined: Mon Aug 10, 2009 11:13 pm

Post by CoderMan » Tue Apr 06, 2010 10:30 pm

I uninstalled Apache and installed lighttpd, and things seem to be working fine under lighttpd. I can view the web page locally or from an external browser.

So... This would seem to suggest that the problem was with Apache, rather than some more generic aspect of network configuration. The only two possible explanations that come to mind are either...

A) I had somehow messed up the Apache configuration without realizing it, or
B) I remember reading in the grsecurity documentation that some applications don't work well with PaX. I guess there are PaX utilities to fix this, but I didn't think to try them before uninstalling Apache.

I'm on a tight work deadline, though, and I don't have time to look into this any more. So I'm just going to stick with what seems to be working (lighttpd).
bendeguz
Apprentice
Posts: 189
Joined: Wed Feb 10, 2010 7:44 am

Post by bendeguz » Wed Apr 07, 2010 1:35 pm

Hmm, while the hardened profile is made for servers and Apache is a server application, I think they should work together. Maybe it's harder to configure.
Sadako
Advocate
Posts: 3792
Joined: Thu Aug 05, 2004 5:50 pm
Location: sleeping in the bathtub

Post by Sadako » Wed Apr 07, 2010 2:48 pm

CoderMan; with apache running, you should check the output of `netstat -nlp` to see if apache is indeed listening on port 80 first.

If hardened is the underlying cause, I'd imagine it's more likely that it's preventing apache from binding to that port rather than preventing clients from connecting to it.
"You have to invite me in"
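Sadako's netstat-first approach, as an added diagnostic script that is not code from the thread or from Gentoo. It assumes `netstat -nlp` output in the classic net-tools layout, and that the client's outcome is reported as one of connected, refused or timeout; the sample output embedded in it is constructed to mirror the thread (sshd bound on 22, nothing on 80).

```shell
#!/bin/sh
# Added helper, not code from the thread: classify a "can't reach port N" report
# by first checking whether anything is bound (the step Sadako recommends) and
# only then suspecting a packet filter. Input is `netstat -nlp` style output.

# Print "PID/program" for each TCP socket listening on port $1 (stdin = netstat
# output). Prints nothing when nothing is bound, which is the key observation.
listeners_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")     # local address: 0.0.0.0:80, 127.0.0.1:80 or :::80
            if (a[n] == p) print $NF  # PID/program, or "-" when netstat cannot map it
        }'
}

# diagnose_port PORT RESULT, RESULT being what the client saw:
# connected | refused | timeout. Prints "<class>: <explanation>".
diagnose_port() {
    port="$1"; result="$2"
    bound=$(listeners_on_port "$port" | sort -u | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$bound" ]; then
        case "$result" in
            connected) echo "ok: port $port is served by $bound" ;;
            refused)   echo "wrong-address: $bound listens on $port but not on the address the client used; check the Listen directive" ;;
            timeout)   echo "filtered: $bound listens on $port, so a packet filter is dropping the traffic" ;;
            *)         echo "unknown-result: use connected, refused or timeout" ;;
        esac
    else
        case "$result" in
            refused)   echo "not-bound: nothing listens on $port; the daemon never bound the socket, check its error log rather than the firewall" ;;
            timeout)   echo "not-bound: nothing listens on $port, and a filter also drops the reset; fix the daemon first" ;;
            connected) echo "inconsistent: a client connected to $port but no local listener was seen; re-run netstat as root" ;;
            *)         echo "unknown-result: use connected, refused or timeout" ;;
        esac
    fi
}

# Constructed sample in `netstat -nlp` layout, mirroring the thread: sshd bound on
# 22, nothing on 80. Non-TCP lines are included to show they are ignored.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1071/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1071/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
unix  2      [ ACC ]     STREAM     LISTENING     5432   -                   /var/run/acpid.socket'

printf '%s\n' "$SAMPLE_NETSTAT" | diagnose_port 80 refused     # the thread's situation
printf '%s\n' "$SAMPLE_NETSTAT" | diagnose_port 22 connected
# On the real box, as root so the PID column is filled in:
#   netstat -nlp | diagnose_port 80 refused
```

A local "connection refused" with no listener, as in the thread, points at the daemon's bind step (configuration or the daemon being killed at startup), which is why the script reports not-bound before anyone looks at iptables.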
© 2001–2026 Gentoo Foundation, Inc.