can't establish a connection to the server at IP address

milos.vranic
Posts: 10
Joined: 2015/05/13 14:37:41

can't establish a connection to the server at IP address

Post by milos.vranic » 2015/05/13 14:51:37

So I have a CentOS machine and I want to permanently allow access to phpMyAdmin so that I (and anyone else) can target the MySQL database (provided they have the already created username and pass). I can't seem to manage that.

On the machine when I go to localhost/phpmyadmin it works just fine. I set up http conf port to 80 and I unlocked the port 80 in the firewall, so what am I missing here?

When I target that with a browser by typing <IP>/phpmyadmin, any browser from any other machine says "can't establish a connection to the server at <IP>" (my actual IP is written but I don't want to give that away if I don't have to yet).

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: can't establish a connection to the server at IP address

Post by TrevorH » 2015/05/13 15:03:05

Two things spring to mind: first you need to open iptables on port 80/443 to the ip address you are coming from and second, phpmyadmin as shipped by EPEL for example, has a restriction in the /etc/httpd/conf.d/phpmyadmin.conf file that locks it down to localhost only.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

milos.vranic
Posts: 10
Joined: 2015/05/13 14:37:41

Re: can't establish a connection to the server at IP address

Post by milos.vranic » 2015/05/14 06:31:14

Here is the sysconfig iptables file:

# Generated by iptables-save v1.4.7 on Thu May 14 08:23:23 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [468:126993]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1026 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1028 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1028 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu May 14 08:23:23 2015

And here is the /etc/httpd/conf.d/phpmyadmin.conf file

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8

# <IfModule mod_authz_core.c>
# Apache 2.4
# <RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
# </RequireAny>
# </IfModule>
# <IfModule !mod_authz_core.c>
# Apache 2.2
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from ::1
# </IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
# <IfModule mod_authz_core.c>
# Apache 2.4
# <RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
# </RequireAny>
# </IfModule>
# <IfModule !mod_authz_core.c>
# Apache 2.2
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from ::1
# </IfModule>
</Directory>

# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/lib/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
# <Directory /usr/share/phpMyAdmin/>
# SecRuleInheritance Off
# </Directory>
#</IfModule>


What should I change, comment or uncomment in those two files? I'm still a Linux newbie and I am sorry for my ignorance.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: can't establish a connection to the server at IP address

Post by TrevorH » 2015/05/14 09:38:35

You have allowed port 80 multiple times in your iptables rule and you should probably only keep the second one of those. The lines in the config file that allow access all appear to be commented out - is that something you did in an attempt to fix this?

You don't have an iptables rule to allow port 443 so https access will not work. On CentOS 6, httpd is 2.2.x so you need to look at the commented out sections of the config that say they are for 2.2. The defaults there (currently commented) only allow access from 127.0.0.1. If you change the config file then you need to reload httpd to make the changes take effect.

You need to be very careful with phpmyadmin to make sure you are not exposing it to unnecessary places - it is extremely dangerous and gives unfettered access to your database.

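The checks made by eye in the reply above (port 80 allowed more than once, no rule for 443) can be run against an iptables-save dump. This is an added example, not part of the original posts; the function name, the sample (reduced from the posted rule set) and the default list of wanted ports are assumptions.

```python
import re

# Constructed sample, reduced from the rule set posted in this thread.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def audit_input_chain(rules_text, wanted=(("tcp", 80), ("tcp", 443))):
    """Report repeated, missing and unreachable ACCEPT rules in INPUT."""
    seen, unreachable, rejected = {}, [], False
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        # iptables-save prints matches before -j, so a line that starts
        # with the target has no matches and catches everything.
        if re.match(r"-A INPUT -j (REJECT|DROP)\b", line):
            rejected = True
            continue
        proto = re.search(r"-p (\S+)", line)
        dport = re.search(r"--dport (\d+)", line)
        if "-j ACCEPT" in line and proto and dport:
            key = (proto.group(1), int(dport.group(1)))
            if rejected:
                unreachable.append(key)  # never evaluated: sits after the catch-all
            else:
                seen[key] = seen.get(key, 0) + 1
    return {
        "repeated": sorted(k for k, n in seen.items() if n > 1),
        "missing": sorted(k for k in wanted if k not in seen),
        "unreachable": sorted(unreachable),
    }

if __name__ == "__main__":
    print(audit_input_chain(SAMPLE_RULES))
```
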
milos.vranic
Posts: 10
Joined: 2015/05/13 14:37:41

Re: can't establish a connection to the server at IP address

Post by milos.vranic » 2015/05/14 10:06:34

I erased the last line where I allow port 80.

and in the phpmyadmin conf I changed first Directory tag with

Order allow,deny
Allow from all

What else should I do? Since I still can't target phpmyadmin from another machine.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: can't establish a connection to the server at IP address

Post by TrevorH » 2015/05/14 10:44:21

Once again, you want to be really careful with who you allow to access your phpmyadmin! Allow from all is a recipe for being hacked.

-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

This is a very odd looking rule and you want to remove that. The very next one already does what you need.

"and in the phpmyadmin conf I changed first Directory tag with"

Doesn't really tell me what you changed. What you quoted before looked like this:

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8

# <IfModule mod_authz_core.c>
# Apache 2.4
# <RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
# </RequireAny>
# </IfModule>
# <IfModule !mod_authz_core.c>
# Apache 2.2
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from ::1
# </IfModule>
</Directory>

In this, all of the access requirements are commented out completely. Uncomment them and in the second section, after the comment that says it is for Apache 2.2, you need to add something like Allow from my.specific.ip.address. If you open it to everyone then you will get hacked probably sooner rather than later. There are hundreds of bots crawling the web looking for exposed and unprotected phpmyadmin instances and it will be found very quickly.

You probably also need to make similar changes to the section for the next directory for <Directory /usr/share/phpMyAdmin/setup/> if you have not already gone through the phpmyadmin setup stage. Once that is done then you can probably remove it again - or better, restrict that bit to localhost so that you need to come from the local machine to initially set it up. The other directory entries almost certainly should stay with no access to stop people retrieving files from them entirely.

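A way to confirm which <Directory> blocks in a phpMyAdmin conf file actually enforce an access rule, as discussed in the reply above. This is an added example, not part of the original posts; the function name, the finding labels and the sample config (cut down from the files posted in this thread) are assumptions.

```python
import re

# Constructed sample: the main block as first posted (every access line
# commented out) and the setup block restricted to localhost.
SAMPLE_CONF = """\
<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
</IfModule>
</Directory>
"""

OPEN = re.compile(r"<Directory\s+([^>]+)>", re.I)
ACCESS = re.compile(r"(order|deny\s+from|allow\s+from|require)\b", re.I)
WIDE_OPEN = re.compile(r"(allow\s+from\s+all|require\s+all\s+granted)\b", re.I)

def audit_directories(conf_text):
    """Return {directory: finding} for each <Directory> block."""
    findings, current, active = {}, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not enforced by httpd
        m = OPEN.match(line)
        if m:
            current, active = m.group(1).strip(), []
        elif line.lower().startswith("</directory") and current is not None:
            if any(WIDE_OPEN.match(d) for d in active):
                findings[current] = "open to all"
            elif not active:
                findings[current] = "no active access control"
            else:
                findings[current] = "restricted"
            current = None
        elif current is not None and ACCESS.match(line):
            active.append(line)
    return findings
```

A block reported as "no active access control" inherits whatever the enclosing server configuration allows, so it should be treated as unrestricted until checked.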
milos.vranic
Posts: 10
Joined: 2015/05/13 14:37:41

Re: can't establish a connection to the server at IP address

Post by milos.vranic » 2015/05/14 11:03:56

Deleted the rule as suggested.

The php config looks like this now:

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8

<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip 192.168.1.45
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from 192.168.1.45
Allow from ::1
</IfModule>
# Order allow,deny
# Allow from all
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>

# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/lib/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
# <Directory /usr/share/phpMyAdmin/>
# SecRuleInheritance Off
# </Directory>
#</IfModule>


And I am trying to access it from the machine 192.168.1.45 but I get
Not Found

The requested URL /phpmyadmin was not found on this server.
Apache/2.2.22 (Debian) Server at fiware.panonit.com Port 80

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: can't establish a connection to the server at IP address

Post by TrevorH » 2015/05/14 11:06:50

You're not using CentOS.

milos.vranic
Posts: 10
Joined: 2015/05/13 14:37:41

Re: can't establish a connection to the server at IP address

Post by milos.vranic » 2015/05/14 11:14:01

Crap I just did a cat /etc/*-release in command and the output is:

CentOS release 6.6 (Final)

Does this change things a lot?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: can't establish a connection to the server at IP address

Post by TrevorH » 2015/05/14 12:06:40

What changes things completely is the last line of your previous post...
Apache/2.2.22 (Debian) Server at fiware.panonit.com Port 80
Debian != CentOS.
