HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
BIND_ADDRESS problem http://havp.hege.li/forum/viewtopic.php?f=3&t=364 |
Author: | jackdragma [ 26 May 2008 02:38 ] |
Post subject: | BIND_ADDRESS problem |
Hi, I have one question. When I run the following command,

    [root@pruebas ~]# netstat -nltp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
    tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN   1760/portmap
    tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN   2740/dansguardian
    tcp        0      0 0.0.0.0:10000    0.0.0.0:*        LISTEN   2287/perl
    tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN   2015/cupsd
    tcp        0      0 127.0.0.1:3128   0.0.0.0:*        LISTEN   2671/(squid)
    tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN   2056/sendmail: acce
    tcp        0      0 0.0.0.0:8090     0.0.0.0:*        LISTEN   2701/havp
    tcp        0      0 0.0.0.0:699      0.0.0.0:*        LISTEN   1789/rpc.statd
    tcp        0      0 :::22            :::*             LISTEN   2004/sshd

I want HAVP to listen only on localhost. In havp.config I have modified,

    #
    # Port HAVP is listening on.
    #
    # Default:
    PORT 8090
    #
    # IP address that HAVP listens on.
    # Let it be undefined to bind all addresses.
    #
    # Default: NONE
    BIND_ADDRESS 127.0.0.1

I have saved it and restarted HAVP, but it is still listening on all IPs. Any solution? Thanks.
Author: | hege [ 26 May 2008 10:28 ] |
Post subject: | Re: BIND_ADDRESS problem |
First time I hear of a problem with this. Are you sure HAVP was really restarted and that you modified the right config file? No errors in the logs? |
Author: | jackdragma [ 26 May 2008 14:36 ] |
Post subject: | Re: BIND_ADDRESS problem |
My distro is CentOS 5.1. I have restarted the PC and it is the same result, listening on all IPs.

    [root@pruebas]# netstat -nltp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
    tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN   1762/portmap
    tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN   2755/dansguardian
    tcp        0      0 0.0.0.0:10000    0.0.0.0:*        LISTEN   2308/perl
    tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN   2018/cupsd
    tcp        0      0 127.0.0.1:3128   0.0.0.0:*        LISTEN   2674/(squid)
    tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN   2077/sendmail: acce
    tcp        0      0 0.0.0.0:8090     0.0.0.0:*        LISTEN   2724/havp
    tcp        0      0 0.0.0.0:701      0.0.0.0:*        LISTEN   1791/rpc.statd
    tcp        0      0 :::22            :::*             LISTEN   2007/sshd

This is the havp.config

    [root@pruebas]#vi /etc/havp/havp.config
    #
    # This is the configuration file for HAVP
    #
    # All lines starting with a hash (#) or empty lines are ignored.
    # Uncomment parameters you want to change!
    #
    # All parameters configurable in this file are explained and their default
    # values are shown. If no default value is defined "NONE" is specified.
    #
    # General syntax: Parameter Value
    # Value can be: true/false, number, or path
    #
    # Extra spaces and tabs are ignored.
    #
    # You must remove this line for HAVP to start.
    # This makes sure you have (hopefully) reviewed the configuration.
    # Hint: You must enable some scanner! Find them in the end..
    #
    # For reasons of security it is recommended to run a proxy program
    # without root rights. It is recommended to create user that is not
    # used by any other program.
    #
    # Default:
    USER havp
    GROUP havp
    # If this is true HAVP is running as daemon in background.
    # For testing you may run HAVP at your text console.
    #
    # Default:
    DAEMON true
    #
    # Process id (PID) of the main HAVP process is written to this file.
    # Be sure that it is writeable by the user under which HAVP is running.
    # /etc/init.d/havp script requires this to work.
    #
    # Default:
    PIDFILE /var/run/havp/havp.pid
    #
    # For performance reasons several instances of HAVP have to run.
    # Specify how many servers (child processes) are simultaneously
    # listening on port PORT for a connection. Minimum value should be
    # the peak requests-per-second expected + 5 for headroom. For best
    # performance, you should have atleast 1 CPU core per 16 processes.
    #
    # For single user home use, 8 should be minimum.
    # For 500+ users corporate use, start at 40.
    #
    # Value can and should be higher than recommended. Memory and
    # CPU usage is only affected by the number of concurrent requests.
    #
    # More childs are automatically created when needed, up to MAXSERVERS.
    #
    # Default:
    # SERVERNUMBER 8
    # MAXSERVERS 100
    #
    # Files where to log requests and info/errors.
    # Needs to have write permission for HAVP user.
    #
    # Default:
    ACCESSLOG /var/log/havp/access.log
    ERRORLOG /var/log/havp/havp.log
    #
    # Syslog can be used instead of logging to file.
    # For facilities and levels, see "man syslog".
    #
    # Default:
    # USESYSLOG false
    # SYSLOGNAME havp
    # SYSLOGFACILITY daemon
    # SYSLOGLEVEL info
    #
    # true: Log every request to access log
    # false: Log only viruses to access log
    #
    # Default:
    LOG_OKS true
    #
    # Level of HAVP logging
    # 0 = Only serious errors and information
    # 1 = Less interesting information is included
    #
    # Default:
    LOGLEVEL 0
    #
    # Temporary scan file.
    # This file must reside on a partition for which mandatory
    # locking is enabled. For Linux, use "-o mand" in mount command.
    # See "man mount" for details. Solaris does not need any special
    # steps, it works directly.
    #
    # Specify absolute path to a file which name must contain "XXXXXX".
    # These characters are used by system to create unique named files.
    #
    # Default:
    SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
    #
    # Directory for ClamAV and other scanner created tempfiles.
    # Needs to be writable by HAVP user. Use ramdisk for best performance.
    #
    # Default:
    TEMPDIR /var/tmp
    #
    # HAVP reloads scanners virus database by receiving a signal
    # (send SIGHUP to PID from PIDFILE, see "man kill") or after
    # a specified period of time. Specify here the number of
    # minutes to wait for reloading.
    #
    # This only affects library scanners (clamlib, trophie).
    # Other scanners must be updated manually.
    #
    # Default:
    DBRELOAD 60
    #
    # Run HAVP as transparent Proxy?
    #
    # If you don't know what this means read the mini-howto
    # TransparentProxy written by Daniel Kiracofe.
    # (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
    # Definitely you have more to do than setting this to true.
    # You are warned!
    #
    # Default:
    # TRANSPARENT false
    #
    # Specify a parent proxy (e.g. Squid) HAVP should use.
    #
    # Default: NONE
    PARENTPROXY 127.0.0.1
    PARENTPORT 3128
    #
    # Write X-Forwarded-For: to log instead of connecters IP?
    #
    # If HAVP is used as parent proxy by some other proxy, this allows
    # to write the real users IP to log, instead of proxy IP.
    #
    # Default:
    #FORWARDED_IP false
    #
    # Send X-Forwarded-For: header to servers?
    #
    # If client sent this header, FORWARDED_IP setting defines the value,
    # then it is passed on. You might want to keep this disabled for security
    # reasons. Enable this if you use your own parent proxy after HAVP, so it
    # will see the original client IP.
    #
    # Disabling this also disables Via: header generation.
    #
    # Default:
    #X_FORWARDED_FOR false
    #
    # Port HAVP is listening on.
    #
    # Default:
    PORT 8090
    #
    # IP address that HAVP listens on.
    # Let it be undefined to bind all addresses.
    #
    # Default: NONE
    BIND_ADDRESS 127.0.0.1
    #
    # IP address used for sending outbound packets.
    # Let it be undefined if you want OS to handle right address.
    #
    # Default: NONE
    # SOURCE_ADDRESS 1.2.3.4
    #
    # Path to template files.
    #
    # Default:
    TEMPLATEPATH /etc/havp/templates/es
    #
    # Set to true if you want to prefer Whitelist.
    # If URL is Whitelisted, then Blacklist is ignored.
    # Otherwise Blacklist is preferred.
    #
    # Default:
    # WHITELISTFIRST true
    #
    # List of URLs not to scan.
    #
    # Default:
    # WHITELIST /usr/local/etc/havp/whitelist
    #
    # List of URLs that are denied access.
    #
    # Default:
    # BLACKLIST /usr/local/etc/havp/blacklist
    #
    # Is scanner error fatal?
    #
    # For example, archive types that are not supported by scanner
    # may return error. Also if scanner has invalid pattern files etc.
    #
    # true: User gets error page
    # false: No error is reported (viruses might not be detected)
    #
    # Default:
    FAILSCANERROR true
    #
    # When scanning takes longer than this, it will be aborted.
    # Timer is started after HAVP has fully received all data.
    # If set too low, complex files/archives might produce timeout.
    # Timeout is always a fatal error regardless of FAILSCANERROR.
    #
    # Time in minutes!
    #
    # Default:
    SCANNERTIMEOUT 10
    #
    # Allow HTTP Range requests?
    #
    # false: Broken downloads can NOT be resumed
    # true: Broken downloads can be resumed
    #
    # Allowing Range is a security risk, because partial
    # HTTP requests may not be properly scanned.
    #
    # Whitelisted sites are allowed to use Range in any case.
    #
    # Default:
    RANGE false
    #
    # If you really need more performance, you can disable scanning of
    # JPG, GIF and PNG files. These are probably the most common files
    # around, so it will save lots of CPU. But be warned, image exploits
    # exist and more could be found. Think twice if you want to disable!
    #
    # Default:
    SCANIMAGES true
    #
    # Temporary file will grow only up to this size. This means scanner
    # will scan data until this limit is reached.
    #
    # There are two sides to this setting. By limiting the size, you gain
    # performance, less waiting for big files and less needed temporary space.
    # But there is slightly higher chance of virus slipping through (though
    # scanning large archives should not be gateways function, HAVP is more
    # geared towards small exploit detection etc).
    #
    # VALUE IN BYTES NOT KB OR MB!!!!
    # 0 = No size limit
    #
    # Default:
    # MAXSCANSIZE 5000000
    #
    # Amount of data going to browser that is held back, until it
    # is scanned. When we know file is clean, this held back data
    # can be sent to browser. You can safely set bigger value, only
    # thing you will notice is some "delay" in beginning of download.
    # Virus found in files bigger than this might not produce HAVP
    # error page, but result in a "broken" download.
    #
    # VALUE IN BYTES NOT KB OR MB!!!!
    #
    # Default:
    # KEEPBACKBUFFER 200000
    #
    # This setting complements KEEPBACKBUFFER. It tells how many Seconds to
    # initially receive data from server, before sending anything to client.
    # Even trickling is not done before this time elapses. This way files that
    # are received fast are more secure and user can get virus report page for
    # files bigger than KEEPBACKBUFFER.
    #
    # Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
    #
    # Default:
    # KEEPBACKTIME 5
    #
    # After Trickling Time (seconds), some bytes are sent to browser
    # to keep the connection alive. Trickling is not needed if timeouts
    # are not expected for files smaller than KEEPBACKBUFFER, but it is
    # recommended to set anyway.
    #
    # 0 = No Trickling
    #
    # Default:
    # TRICKLING 30
    #
    # Send this many bytes to browser every TRICKLING seconds, see above
    #
    # Default:
    # TRICKLINGBYTES 1
    #
    # Downloads larger than MAXDOWNLOADSIZE will be blocked.
    # Only if not Whitelisted!
    #
    # VALUE IN BYTES NOT KB OR MB!!!!
    # 0 = Unlimited Downloads
    #
    # Default:
    # MAXDOWNLOADSIZE 0
    #
    # Space separated list of strings to partially match User-Agent: header.
    # These are used for streaming content, so scanning is generally not needed
    # and tempfiles grow unnecessary. Remember when enabled, that user could
    # fake header and pass some scanning. HTTP Range requests are allowed for
    # these, so players can seek content.
    #
    # You can uncomment here a list of most popular players.
    #
    # Default: NONE
    # STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
    #
    # Bytes to scan from beginning of streams.
    # When set to 0, STREAMUSERAGENT scanning will be completely disabled.
    # It is not recommended as there are some exploits for players.
    #
    # Default:
    # STREAMSCANSIZE 20000
    #
    # Disable mandatory locking (dynamic scanning) for certain file types.
    # This is intended for fixing cases where a scanner forces use of mmap()
    # call. Mandatory locking might not allow this, so you could get errors
    # regarding memory allocation or I/O. You can test the "None" option
    # anyway, as it might even work depending on your OS (some Linux seems
    # to allow mand+mmap).
    #
    # Allowed values:
    # None
    # ClamAV:BinHex (mmap forced in all versions, no ETA for fix)
    # ClamAV:PDF (mmap forced in all versions, no ETA for fix)
    # ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94)
    #
    # Default:
    # DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP
    #
    # Whitelist specific viruses by case-insensitive substring match.
    # For example, "Oversized." and "Encrypted." are good candidates,
    # if you can't disable those checks any other way.
    #
    # Default: NONE
    # IGNOREVIRUS Oversized. Encrypted. Phishing.
    #####
    ##### ClamAV Library Scanner (libclamav)
    #####
    ENABLECLAMLIB true
    # HAVP uses libclamav hardcoded pattern directory, which usually is
    # /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
    # using non-default DatabaseDirectory setting in clamd.conf.
    #
    # Default: NONE
    CLAMDBDIR /var/lib/clamav
    # Should we block broken executables?
    #
    # Default:
    # CLAMBLOCKBROKEN false
    # Should we block encrypted archives?
    #
    # Default:
    # CLAMBLOCKENCRYPTED false
    # Should we block files that go over maximum archive limits?
    #
    # Default:
    # CLAMBLOCKMAX false
    # Scanning limits?
    # You can find some additional info from documentation or clamd.conf
    #
    # Stop when this many total bytes scanned (MB) (only for 0.93+ !)
    # CLAMMAXSCANSIZE 20
    #
    # Stop when this many files have been scanned
    # CLAMMAXFILES 50
    #
    # Don't scan files over this size (MB)
    # CLAMMAXFILESIZE 100
    #
    # Maximum archive recursion
    # CLAMMAXRECURSION 8
    #
    # Maximum compression ratio for a file (setting deprecated in 0.93+ !)
    # CLAMMAXRATIO 250

The last lines of havp.log

    26/05/2008 13:11:54 === Starting HAVP Version: 0.88
    26/05/2008 13:11:54 Running as user: havp, group: havp
    26/05/2008 13:11:54 Use parent proxy: 127.0.0.1:3128
    26/05/2008 13:11:54 --- Initializing ClamAV Library Scanner
    26/05/2008 13:11:54 ClamAV: Using database directory: /var/clamav
    26/05/2008 13:11:58 ClamAV: Loaded 298659 signatures (engine 0.93)
    26/05/2008 13:11:58 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
    26/05/2008 13:11:58 --- All scanners initialized
    26/05/2008 13:11:58 Process ID: 2724

I don't see any problem, but I am a newbie. Thanks.
Author: | hege [ 26 May 2008 14:43 ] |
Post subject: | Re: BIND_ADDRESS problem |
Can you try this command to start HAVP:

Code:
    strace -f /usr/local/sbin/havp 2>&1 |grep bind

You should see a line like this, paste it here:

Quote:
    bind(3, {sa_family=AF_INET, sin_port=htons(8090),sin_addr=inet_addr("127.0.0.1")}, 16) = 0

You can stop HAVP after 10 seconds with Ctrl-C.
Author: | jackdragma [ 26 May 2008 15:19 ] |
Post subject: | Re: BIND_ADDRESS problem |
I have restarted the PC again and I have tried your command (all services are stopped)

    [root@pruebas ~]# service squid start
    Iniciando squid: .                                         [  OK  ]
    [root@pruebas ~]# strace -f /usr/local/sbin/havp 2>&1 |grep bind
    *no result
    [root@pruebas ~]# strace -f /usr/local/sbin/havp 2>&1
    bash: strace: command not found
    [root@pruebas ~]#
    [root@pruebas ~]# service havp start
    Starting HAVP ...
    Starting HAVP Version: 0.88
    [root@pruebas ~]#
Author: | hege [ 26 May 2008 17:04 ] |
Post subject: | Re: BIND_ADDRESS problem |
jackdragma wrote:
    [root@pruebas ~]# strace -f /usr/local/sbin/havp 2>&1
    bash: strace: command not found

Please install strace first.. try yum install strace
Author: | jackdragma [ 26 May 2008 18:02 ] |
Post subject: | Re: BIND_ADDRESS problem |
Thank you for your patience. I have installed strace and this is the result

    [root@pruebas ~]# strace -f /usr/local/sbin/havp 2>&1 |grep bind
    bind(3, {sa_family=AF_INET, sin_port=htons(8090), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
Author: | hege [ 26 May 2008 18:07 ] |
Post subject: | Re: BIND_ADDRESS problem |
Ok this confirms it's not even trying to bind 127.0.0.1. Please edit /etc/init.d/havp and see that HAVP_CONFIG points to the file you are editing. You must have multiple copies somewhere. Or try running "havp -c /path/to/havp.config". |
Author: | jackdragma [ 26 May 2008 18:38 ] |
Post subject: | Re: BIND_ADDRESS problem |
Perfect!! I have reviewed /etc/init.d/havp

    #!/bin/sh
    #
    #
    ####
    # This init-script tries to be LSB conform but platform independent.
    #
    # Therefore check the following two variables to fit to your requests:
    # HAVP_BIN HAVP_CONFIG PIDFILE
    # Any configuration of HAVP is done in havp.config
    # Type havp --help for help and read havp.config you should have received.
    HAVP_BIN=/usr/local/sbin/havp
    HAVP_CONFIG=/usr/local/etc/havp/havp.config
    PIDFILE=/var/run/havp/havp.pid

When I changed /usr/local/etc/havp/havp.config, the result was

    [root@pruebas share]# netstat -nltp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
    tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN   1764/portmap
    tcp        0      0 0.0.0.0:10000    0.0.0.0:*        LISTEN   2420/perl
    tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN   2130/cupsd
    tcp        0      0 127.0.0.1:3128   0.0.0.0:*        LISTEN   2927/(squid)
    tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN   2189/sendmail: acce
    tcp        0      0 127.0.0.1:8090   0.0.0.0:*        LISTEN   3390/havp
    tcp        0      0 0.0.0.0:703      0.0.0.0:*        LISTEN   1793/rpc.statd
    tcp        0      0 :::22            :::*             LISTEN   2119/sshd

The mistake was that I worked in /etc/havp/havp.config, because when I installed HAVP with the help of this how-to http://www.linux-magazine.com/w3/issue/ ... Column.pdf I copied it into /etc/

Hege is the best. Thank you, very grateful.
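The check this thread arrives at, written as an added shell example that is not part of the original posts or of HAVP: confirm that the config file you edited is the one the init script loads, then compare its BIND_ADDRESS with the address havp is actually listening on. The function names and the files built in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or HAVP. Function names are illustrative.

# Value of HAVP_CONFIG= in init script $1 (assumes an unquoted assignment).
init_config_path() {
    sed -n 's/^[[:space:]]*HAVP_CONFIG=//p' "$1" | tail -n 1
}

# Active (uncommented) value of parameter $2 in config file $1.
# Assumption: if a parameter is repeated, the last value applies.
config_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Local addresses of LISTEN sockets owned by program $1 (netstat -nltp on stdin).
listen_addrs() {
    awk -v prog="$1" '$6 == "LISTEN" { split($7, p, "/"); if (p[2] == prog) print $4 }'
}

# check_bind INIT_SCRIPT EDITED_CONFIG < netstat-output
# 0 = listener matches, 1 = listener differs (stale process?), 2 = wrong file edited.
check_bind() {
    cfg=$(init_config_path "$1")
    if [ "$cfg" != "$2" ]; then
        echo "WRONG FILE: init script loads $cfg, not $2"; return 2
    fi
    want=$(config_value "$cfg" BIND_ADDRESS)
    [ -n "$want" ] || want=0.0.0.0   # undefined BIND_ADDRESS binds all addresses
    rc=0
    for addr in $(listen_addrs havp); do
        if [ "${addr%:*}" = "$want" ]; then echo "OK: havp on $addr"
        else echo "MISMATCH: havp on $addr, config says $want"; rc=1; fi
    done
    return $rc
}

# Constructed files reproducing the thread: the edited copy is not the loaded one.
demo() {
    d=$(mktemp -d)
    printf 'PORT 8090\n' > "$d/loaded.config"
    printf 'PORT 8090\nBIND_ADDRESS 127.0.0.1\n' > "$d/edited.config"
    printf 'HAVP_CONFIG=%s\n' "$d/loaded.config" > "$d/init"
    echo 'tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN 2724/havp' |
        check_bind "$d/init" "$d/edited.config"
    rc=$?; rm -rf "$d"; return $rc
}

demo || true
```

On a live host the same check is `netstat -nltp | check_bind /etc/init.d/havp /etc/havp/havp.config`, run as root so the PID/Program name column is populated.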
Page 1 of 1 | All times are UTC + 2 hours [ DST ] |