cannot access webpage through WAN

 
Post new topic   Reply to topic    Aprelium Forum Index -> Networking Issues
View previous topic :: View next topic  
Author Message
tanglang
-


Joined: 10 Mar 2004
Posts: 2

PostPosted: Wed Mar 10, 2004 9:42 am    Post subject: cannot access webpage through WAN Reply with quote

Dear Sir/Madam

I have successfully installed the Abyss WebServer software in one of my LAN pc (LAN IP: 192.9.200.252). The webserver work properly and I can access the webpage through my LAN pc. I have a fixed IP, which is 219.94.xx.yy. My LAN pc are connected to a router, which is 3Com OfficeConnect Cable/DSL Gateway.

When I surf the http://219.94.xx.yy. The IE will shown the 3Com router's login webpage.

My problem: What should I do for the configuration in the router or the Abyss Webserver so that when I surf http://219.94.xx.yy, it will shown my webpage, which is in the Abyss webserver?

Hopefully to hear from you soon.

Thank you very much.

Regards
Tang
Back to top View user's profile Send private message Send e-mail
olly86
-


Joined: 25 Apr 2003
Posts: 993
Location: Wiltshire, UK

PostPosted: Wed Mar 10, 2004 11:38 am    Post subject: Reply with quote

try reading http://www.aprelium.com/forum/viewtopic.php?t=3806

you need to check you port fowarding setup as it appers to be wrong
_________________
Olly
Back to top View user's profile Send private message
CapFusion
-


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Wed Mar 10, 2004 9:06 pm    Post subject: Re: cannot access webpage through WAN Reply with quote

tanglang wrote:
Dear Sir/Madam

I have successfully installed the Abyss WebServer software in one of my LAN pc (LAN IP: 192.9.200.252). The webserver work properly and I can access the webpage through my LAN pc. I have a fixed IP, which is 219.94.xx.yy. My LAN pc are connected to a router, which is 3Com OfficeConnect Cable/DSL Gateway.

When I surf the http://219.94.xx.yy. The IE will shown the 3Com router's login webpage.

My problem: What should I do for the configuration in the router or the Abyss Webserver so that when I surf http://219.94.xx.yy, it will shown my webpage, which is in the Abyss webserver?

Hopefully to hear from you soon.

Thank you very much.

Regards
Tang

Since you did not indicate what router you are using, I take Linksys router for example.
When trying to connect with your public IP [ISP provided], you will be point to your router before it can go inside your LAn. If the router enable "Remote Management" it will provide you a User / Password to enter. It assume you are trying to login to the router. You will need to disable "Remote Management".
For example:
ftp://ftp.linksys.com/pdf/befsr11_befsr41ug.pdf
Goto page 65 in the manual or 36 of 66 from the PDF file. Look for "Remote Management".

You can also reassign the port 80 to another port like 8080 insterad so when you enter your WAN IP, it will default to port 80. When you want to access your Router, you will enter your IP + port [ie 8080] to access your router.

From your post, sound like your router is set to port 80 for "remote management".

Or simply disable "Remove Mamagement" instead. This will be one less security issue you will be facing.
_________________
CapFusion,...
Back to top View user's profile Send private message
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

PostPosted: Thu Mar 11, 2004 12:27 am    Post subject: Reply with quote

He stated exactly what router he is using... "is 3Com OfficeConnect Cable/DSL Gateway"...

Also, as I have said before, most routers will not allow you to access your own site via the WAN IP when you're connecting from a machine on the LAN - they cannot handle port forwarding of local traffic.
Back to top View user's profile Send private message
CapFusion
-


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Thu Mar 11, 2004 6:42 pm    Post subject: Reply with quote

Quote:
He stated exactly what router he is using... "is 3Com OfficeConnect Cable/DSL Gateway"...

Ooops, I did not realize this part. I was looking everywhere for the model but did not see it until you mention it. Under my nose. :)

Quote:
Also, as I have said before, most routers will not allow you to access your own site via the WAN IP when you're connecting from a machine on the LAN - they cannot handle port forwarding of local traffic.

From his original post, he indicate he can see from within his LAN [192.9.200.252] but can not view his page from remote or his public IP.

Possible reason:
1. Did not set his router to point or direct default port 80 to his LAN IP
2. His LAN IP still at that same LAN IP 192.9.200.252? If not, maybe it have change to something else.
3. If router is set correctly to his LAN IP 192.9.200.252 and port 80 from his router but still can not view his page, then I would assume ISP port 80 is block.
3a. If it is block at port 80, then try changing to other odd port like 82 etc...
_________________
CapFusion,...
Back to top View user's profile Send private message
iNaNimAtE
-


Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

PostPosted: Fri Mar 12, 2004 1:53 am    Post subject: Reply with quote

Have you tried using DMZ?
_________________
Bienvenidos!
Back to top View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
TRUSTAbyss
-


Joined: 29 Oct 2003
Posts: 3714
Location: USA, GA

PostPosted: Fri Mar 12, 2004 5:32 am    Post subject: Reply with quote

You should never use DMZ Host in my opinion due to the
fact that DMZ opens all ports on your router , I figured that
out by talking to my brother in law that is a network admin. 8O

Use port forwarding only , I think its more safer !
_________________
Computer Programmer & Networking Specialist

Back to top View user's profile Send private message Visit poster's website MSN Messenger
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

PostPosted: Fri Mar 12, 2004 9:48 am    Post subject: Reply with quote

Quote:
When I surf the http://219.94.xx.yy. The IE will shown the 3Com router's login webpage.


I was reading this as meaning that when he is on the LAN machine, entering the public IP gives the router login page - this is normal, most routers which have their own IP (rather than just acting as a direct connection to the net via your machine) cannot handle port forwarding for traffic which would remain on the LAN - e.g viewing your own website via the public IP. Even with port forwarding set up correctly, you're not likely to be able to view your site this way - others may be able to view the site correctly. That said, if he hasn't set up any port forwarding at all then the site will not be accessible from the internet yet.

Regarding the DMZ, as I said before, DMZ doesn't open all ports, it just forwards all unrecognised traffic to whichever machine you've put in the DMZ. If a port is closed on that machine, it will appear closed to anyone scanning you. The only ports that will appear open are those which have services/applications running them.

There is no danger in putting your machine in the DMZ if you are confident you have set up your personal firewall correctly, eg. blocking ports 135-139 from outside your LAN, dropping ICMP pings etc. The machine is only as secure as the programs running on it - if any of the programs with ports open have vulnerabilities, you are in trouble regardless of if the ports are forwarded or the machine is in a DMZ. Putting an unpatched, unfirewalled Windows 2K/XP machine in a DMZ would be virtually suicidal 8O I wouldn't recommend anyone who is unsure how well they have configured their security uses the DMZ option.
Back to top View user's profile Send private message
TRUSTAbyss
-


Joined: 29 Oct 2003
Posts: 3714
Location: USA, GA

PostPosted: Fri Mar 12, 2004 1:11 pm    Post subject: Reply with quote

The MyDoom I here has its own SMTP engine
and can open a port for smtp and send out
more harmfull e-mails to people , if DMZ is
turned on , I believe that person becomes
Vulnerable so thats why I say leave it off
but firewalls should do the trick like you said.
_________________
Computer Programmer & Networking Specialist

Back to top View user's profile Send private message Visit poster's website MSN Messenger
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

PostPosted: Fri Mar 12, 2004 2:25 pm    Post subject: Reply with quote

If you don't have a software firewall or hardware firewall with stateful packet inspection, MyDoom's SMTP engine will be able to send outbound email regardless of whether you're in the DMZ or just behind port forwarding. The only thing that being behind the port forwarding would stop is scans from the later MyDoom variants looking to connect to the backdoor it opens.
Back to top View user's profile Send private message
CapFusion
-


Joined: 18 May 2003
Posts: 617
Location: Lost in Abyss' Dungeon

PostPosted: Fri Mar 12, 2004 6:28 pm    Post subject: Reply with quote

For those who opt for DMZ, it the same as putting your rig infront or direct connect to your boardband modem. All traffic will hit this box. Adding software firewall to this box will help but will add extra another load to your box. So why not let the router [appliance] handle the load instead.

For entering the WAN IP and get a login /PW, this simply mean that the port is mostly likely set to port 80 for the administration. Change the admin port to something else.

As for directing the incoming web, find the LAN IP of the Abyss box and forwarding that IP and port to the Abyss LAN IP.
_________________
CapFusion,...
Back to top View user's profile Send private message
TRUSTAbyss
-


Joined: 29 Oct 2003
Posts: 3714
Location: USA, GA

PostPosted: Sat Mar 13, 2004 2:45 am    Post subject: Reply with quote

I guess your right , it will send e-mails as
if its from outlook express where you don't
need a port forwarded to send an e-mail out.
_________________
Computer Programmer & Networking Specialist

Back to top View user's profile Send private message Visit poster's website MSN Messenger
iNaNimAtE
-


Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

PostPosted: Sat Mar 13, 2004 4:12 am    Post subject: Reply with quote

Yes, I am aware that DMZ can sometimes be more vulnerable than basic port forwarding.

The only problem is NetBIOS, though. If you just disable all shares, you will basically be protected from average attacks.

Please Remember: If someone wants to get into your system, regardless of the security, they will (if they have the skills). The only completely secure computer is the one that is unplugged.
_________________
Bienvenidos!
Back to top View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

PostPosted: Sat Mar 13, 2004 10:42 am    Post subject: Reply with quote

Quote:
Please Remember: If someone wants to get into your system, regardless of the security, they will (if they have the skills).


Not true. If you have a single port forwarded to your PC from your router you are only exposing 1 service to the internet for attack. If that service does not have a vulnerability, e.g. current version of Abyss, they will not be able to attack your system.

If you move it into the DMZ and don't have a personal firewall, or have set your firewall up badly, you are exposing every single unblocked service on your PC to the internet. If you don't have a personal firewall this is almost suicidal, most MS exploits appear before MS provide patches for them - you could be scanned and infected before MS have even acknowledged a problem exists... NetBIOS is certainly not the only problem, although out of the box it's one of the most obvious.
Back to top View user's profile Send private message
iNaNimAtE
-


Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

PostPosted: Sun Mar 14, 2004 7:42 am    Post subject: Reply with quote

I hope you honestly don't think that a computer with only one port forwarded and a hardware router is 100% secure.

If you have the skills, you can find a vulnerability in the firmware of the router, and take that down. Also, you can try various common exploits, like buffer overflow, DDoS (or maybe even DoS) and see what the result is. I don't think there has ever been an incident when Abyss has experienced a [D]DoS.

I only listed methods that came off the top of my head. If I sat down and thought about it, I'm sure I could come up with ten different creative methods (that may take some serious skill).

My point is: there is no way, other than turning a computer off, to guarantee it 100% secure.
_________________
Bienvenidos!
Back to top View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

PostPosted: Sun Mar 14, 2004 11:12 am    Post subject: Reply with quote

:roll:

I didn't say 100% secure I said they have only 1 initial attack vector, Abyss. Unless someone is determined to attack you specifically rather than just generally looking for a website to deface and piss someone off, they're pretty much going to give up as soon as they see only the web port open and a server with no known exploits running. Yes, they could sit down and experiment with bof's, directory traversal etc, but they're far more likely to just move on and try someone else. Compare this to if you've moved your PC into the DMZ and they have 10+ exposed services to work on - if your patches aren't bang up to date there are some very nasty MS remote vulnerabilites.

Quote:
If you have the skills, you can find a vulnerability in the firmware of the router, and take that down.


You can only find a vulnerability in the firmware of the router if one exists to find. They also first have to identify what router you have, a fairly massive task in itself. If they manage to find that, how long do you think they'll spend poking through the firmware code ? Be realistic for a second. The people who are likely to try hack your site because you pissed them off at MSN/beat them at counterstrike/whatever are not going to be security experts, they're going to search packetstorm/google for exploits, find nothing and give up...

Quote:
Also, you can try various common exploits, like buffer overflow, DDoS (or maybe even DoS) and see what the result is. I don't think there has ever been an incident when Abyss has experienced a [D]DoS


Version v1.1.2 of Abyss had a DoS vulnerability, v1.0.3 and below had some directory traversal problems...

You will always be vulnerable to a DDoS unless you have an insane amount of bandwidth. Anyone who is controlling a reasonable number of zombie machines will be able to slow your machine's net connection to a crawl regardless of what security you've set up - on a personal level, not considering businesses who can ask their ISP to tweak upstream routers etc. DoS isn't a security risk so much as an inconvenience though.

What exactly were you suggesting you could attack with a bof, the router, or Abyss ?
Back to top View user's profile Send private message
iNaNimAtE
-


Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

PostPosted: Mon Mar 15, 2004 3:23 am    Post subject: Reply with quote

I do understand that some of these tasks can take a strenuous amount of effort, but the overall point I am trying to prove is that no machine is 100% secure.

Yes, having one port forwarded is a lot different (and harder to crack) than the total system "DMZ'ed," but there are still ways in.

About the buffer overflow: I was just listing a possible suggestion. If you were to attempt one, my guess would be that it should be directed toward Abyss. I don't know if it would work, but it was just an idea that came to mind.
_________________
Bienvenidos!
Back to top View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Tue Mar 16, 2004 2:02 pm    Post subject: Reply with quote

iNaNimAtE wrote:
About the buffer overflow: I was just listing a possible suggestion. If you were to attempt one, my guess would be that it should be directed toward Abyss. I don't know if it would work, but it was just an idea that came to mind.

There was a buffer overflow problem in the earlier versions but it was fixed and all the code that could be vulnerable to buffer overflows was rewritten in a more secure manner. If you discovered a new one, please let us know.
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
iNaNimAtE
-


Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

PostPosted: Tue Mar 16, 2004 11:30 pm    Post subject: Reply with quote

Well that's good to know. I trust your coding, but if I find a new problem, I will definitely tell you.
_________________
Bienvenidos!
Back to top View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
tanglang
-


Joined: 10 Mar 2004
Posts: 2

PostPosted: Thu Mar 18, 2004 9:08 am    Post subject: cannot surf the website through domain name Reply with quote

Dear Sir/Madam

Thanks for your all helps. Now I have managed to access my website through my fixed IP address (http://219.94.xx.yy), which is provided by the ISP from the WAN environment.

But however, the other problem that I meet right now is I could not access my website or homepage through my domain name, which is www.xxx.com.my even though I could access it through the fixed IP address. Besides that, I have already request my ISP to point my fixed IP 219.94.xx.yy to www.xxx.com.my.

For your information, my Abyss webserver is running properly.

Please provide me some guidances on how to solve the above problem.

Thank you very much.

Best Regards
TangLang
Back to top View user's profile Send private message Send e-mail
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Thu Mar 18, 2004 5:55 pm    Post subject: Re: cannot surf the website through domain name Reply with quote

tanglang,

Read the answer to the second question in http://www.aprelium.com/abyssws/faq.html for the common causes of connection problems.
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> Networking Issues All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group