Restrict network access from Apptainer/Singularity container - singularity-container

Is it possible with Apptainer/Singularity to restrict which network interfaces can be used from within a container?
In my specific use-case I want to allow access to the internet but block access to some SocketCAN interfaces that are available on the host system. Is this possible?
I saw the --net/--network options, but the documentation on this option is not very detailed, so I'm not sure how to use it (or if it can solve my problem at all).

I got the answer from the Apptainer Slack channel (thanks to Cedric Clerget!):
In my specific case (allowing normal network access but hiding the SocketCAN interfaces), it is actually enough to add
apptainer exec --dns <IP of DNS server> --net --network=bridge <image.sif> <command>   # or --network=ptp
Specifying the DNS server is needed when using systemd resolved. In other cases it may work without.
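To confirm that the flags above actually hide the host's SocketCAN interfaces, here is an added shell script (not from the original answer or the Apptainer project). It assumes apptainer is on PATH, that the image app.sif contains iproute2's ip command, and that the resolver address is passed in $DNS; a constructed `ip -o link` sample is embedded so the parser runs without a container.

```shell
#!/bin/sh
# Added example: verify that SocketCAN interfaces visible on the host are NOT
# visible inside a container started with --net/--network. Assumes `apptainer`
# on PATH, an image (app.sif) that contains iproute2's `ip`, and $DNS set to
# the resolver address (needed with systemd-resolved, as the answer notes).

# Print the names of CAN-type interfaces found in `ip -o link` output given as $1.
# `ip -o link` prints one interface per line; the link-layer type follows the
# "\    " continuation marker, e.g. "... qlen 10\    link/can".
can_ifaces() {
    printf '%s\n' "$1" | awk -F': ' '/link\/can/ { sub(/@.*/, "", $2); print $2 }'
}

# Run `ip -o link` inside the container and fail if any CAN interface is visible.
# --net puts the container in its own network namespace; --network=bridge (or
# ptp) gives it a link for internet access but no view of the host's CAN links.
check_container() {
    image=$1; dns=$2
    inside=$(apptainer exec --dns "$dns" --net --network=bridge "$image" ip -o link)
    leaked=$(can_ifaces "$inside")
    if [ -n "$leaked" ]; then
        echo "CAN interfaces visible inside container: $(echo "$leaked" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "no CAN interfaces visible inside container"
}

# Constructed host-side sample of `ip -o link` output (two CAN links present).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UP mode DEFAULT group default qlen 10\    link/can
4: vcan0: <NOARP,UP,LOWER_UP> mtu 72 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/can'

echo "CAN interfaces in the host sample: $(can_ifaces "$SAMPLE" | tr '\n' ' ')"

# Only talk to apptainer when explicitly asked, so the parser can be exercised offline.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_container "${IMAGE:-app.sif}" "${DNS:?set DNS to the resolver IP}"
fi
```

Run it as `RUN_CHECK=1 DNS=<resolver IP> IMAGE=app.sif sh check-can.sh`; by default Apptainer only allows network setups other than none for root or for users listed under allow net users/groups in apptainer.conf.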

Related

httpListener in local network without admin rights

I have the task to create a listener to a local computer inside a network. This computer takes POST from a web application and prints some stuff.
What I have done until now is to create an httpListener on a specific port, and when the POST is received I send things to the printer. That works fine, but only when the user has admin rights, because the "netsh http..." command needs admin rights to be executed.
Is there a way to bypass these restrictions somehow, because the computer is a simple PC and it can't have admin rights?
The app is written in VB.NET and will be run on a Windows 10 PC in a Windows Server network.
netsh http add urlacl url="http://127.0.0.1:1234/" user=DOMAIN\USER
From what I've read, the backslash is important (trailing the port number). You could also replace 127.0.0.1 with + or * (being wildcards). Oddly enough, I had localhost listening on two different ports, and once I added one both were allowed to listen. It also seems possible to specify a group for user parameter. (In most examples, they demonstrate user=Everyone which I definitely wouldn't advise, if you can help it. Lock it down to a single account, acting like a service account.)
In my case, I'm using Grapevine. It wraps HttpListener, but giving you an example of that wouldn't be too relevant. (I'd highly recommend checking it out, especially if you're creating an API. It's been updated for years, and the developer is still responsive to feedback, and would save you a ton of work.) Just be mindful to mirror the prefix string you use for HttpListener in the netsh command. (Listening via wildcard is definitely different than localhost, and vice versa.)
https://serverfault.com/questions/273875/can-we-use-wildcards-with-netsh-http-add-urlacl-in-windows-7-2008r2
https://github.com/sukona/Grapevine
https://msdn.microsoft.com/en-us/library/windows/desktop/cc307223(v=vs.85).aspx
I'd check out the MSDN link for other parameters. It seems you may be able to lock down the ACL command even further.
(I also have no idea why you were down voted. Your question was perfectly fine, and I found it as one of the top results, as I had the same question.)

How to block specific IPs in apache?

I have a Java-based application running in Tomcat. It is an online app; the request first goes to Apache and is then redirected to Tomcat.
Today I was not able to log into my application and I noticed warnings in the catalina.out file. They said 'An attempt was made to authenticate the locked user "root"' and 'An attempt was made to authenticate the locked user "manager"'.
In my localhost_access_log.2015-07-07.txt I found the below IP addresses trying to access the system.
83.110.99.198
117.21.173.36
I need to block these 2 IPs from accessing my system. The first IP is a well-known blacklisted one according to the anti-hacker-alliance. How can I do this?
FYI I am using Apache 2, so the main configuration file is apache2.conf.
(Please don't remove the IP addresses I listed above, as I need other developers to be aware of the threat as well.)
If you're using VPC:
The best way to block traffic from particular IPs to your resources is using NACLs (Network Access Control Lists).
Do a DENY for All protocols INGRESS for these IPs. This is better than doing it on the server itself as it means traffic from these IPs will never even get as far as your instances. They will be blocked by your VPC.
NACLs are on the subnet level, so you'll need to identify the subnet your instance is in and then find the correct NACL. You can do all of this using the VPC Dashboard on the AWS console.
This section of the documentation will help you:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Note that you will need to give the 2 rules that block these 2 IPs a rule number that is less than the default rule number (100). Use 50 and 51, for example.
You can use an .htaccess file:
Order Deny,Allow
Deny from 83.110.99.198
Deny from 117.21.173.36
It's probably better to add this as a firewall rule though. Are you using any firewall service now?

Domain names for production / development server best practice

Ok so I have a number of CMSs and eCommerce applications, that require the correct URL (otherwise the links will not work). Of course in my development server, the domain name cannot be the same as the production server... do you guys just do an edit/replace on all files and edit the mysql entries before pushing the development to production server environment? Or is there a better way to do this?
You could just place everything in a directory with a random hex or other valid characters as the name like:
yourdomain.com/XHTEDD12222-112KJK
You might also want to include an entry in your robots.txt file to exclude this directory. This isn't 100% safe, and it is best to use a local server or access the site via IPv6. IPv6 is suggested over IPv4 for security with crawlers. Anything you put up publicly isn't exactly safe.
Once you change the name with one of the above options, you could just refactor your project with the name change. If you go with IP and or local server, you can refactor to that number and it should still work.
You may also look into editing host files to achieve a similar workaround without redirecting DNS servers to point at your development server, but this is OS dependent. Comment your OS and I might be able to help with that.
Lastly, for security, you could include a PHP wrapper for all of your pages that looks for a specific IP address in the $_SERVER['REMOTE_ADDR'] global variable, but this could get really complicated to implement and I'm unaware of any currently available components that do this.

What does "GCMRegistrar.register" do?

Follow this link: https://developer.android.com/guide/google/gcm/demo.html
At home I can run the GCM demo successfully.
But in the company, it fails with 'authentication failed'.
I think there is something wrong with the network in my workplace (blocked IP or protocol),
because I can't find the source code of the GCM jars.
So, does anyone know what happens when the client invokes 'GCMRegistrar.register'?
I want to ask our network admin to help me solve this problem.
I've got the answer: https://groups.google.com/forum/#!topic/android-gcm/7qPUp0Ym3Ak
Note:
If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs. It changes IPs frequently. We recommend against using ACLs but if you must use them, take a broad approach such as the method suggested in this support link.
It is helpful to me.
You can find this kind of answer in the official documentation, here.
Considering this, the register() method is the one responsible for:
"Initiate messaging registration for the current application."
You should take a look at the method description, here.

Web-page redirection

I am trying to achieve the following:
When a user types "print" (or "http://print") in the address bar of the browser,
I want the user to be redirected to a page: www.abc.com/print/
How can one achieve this? I tried to look up some squid configurations but was unable to find the same.
Thanks!
Edit : I do not understand the deal with down votes, this is a perfectly valid question.
If you want to enable a user on your LAN to type "print" in the address bar and be redirected to a given hostname, you'll have to supply a DNS record to that effect. This is not accomplished on a web server, nor is it web development in any respect.
There are several methods to resolving a given hostname to a given IP or to another hostname. One way is to edit the client hosts file, as described in another answer. One could also, if you have a DNS server running within your LAN environment, add A records to this effect.
You must understand how hostname lookups work from a browser. When you type something in the address bar, your browser uses your operating system to resolve the hostname to an IP address. Your operating system uses its hosts file, internet connection, and other mechanisms to accomplish this. This process itself has several tiers and steps that are outside the scope of the browser and which cannot be influenced by the browser. Nor will arbitrary web servers be consulted in this process. Your aim is to inject something in this process that resolves the hostname "print" to the webserver of your choosing - THEN web development might come into play.
See: http://www.quackit.com/how-websites-work/how-dns-works.cfm