
Bug 194: OPEN

By default, port 80 is not restricted to connections from localhost

Date: 2018-03-24 - Creator: bernhard - Priority standard - 2 messages

I am testing a SliTaz 5.0 from another computer in the same network. I connect 
to the slitazhost:80/ page from the outside, and it says:


Welcome to the SliTaz Busybox HTTP web server. You can delete or modify this 
page to put your own xHTML pages, web sites, CGI or PHP scripts. The server 
configuration file is /etc/httpd.conf. CGI support is activated by default 
using the SHell interpreter for *.sh and bugs.cgi config.cgi index.cgi files. 
This page is located in the server root directory /var/www. The default 
configuration is to allow connections only from localhost so port 80 is not 
open for security reasons.


I have not changed the web server configuration /etc/httpd.conf. So it seems 
that the assertion contained in the page that port 80 is available only from 
localhost is not correct.

Affected package(s): default/httpd

Messages

By: hgt on 2018-03-29 07:54

With SliTaz rolling I get:
The default configuration is to allow connections only from LAN, so port 80 is 
not open to the web for security reasons.
So it would be correct to accept connections from the same network.

By: metalx1000 on 2019-03-27 19:21

I can confirm this is still happening.
It seems that Slitaz Panel runs on port 82,
which gives the correct '403 Forbidden' message when connecting from 
remote machines.

So there isn't any reason for the server that is running on port 80.
It is running as root, and although it isn't doing anything, it could be a 
security issue.

It seems that the busybox httpd that is running on port 80 is started by the 
"/usr/sbin/inetd" process. It's set to run on line #32 of /etc/inetd.conf

http stream tcp nowait root /usr/sbin/httpd httpd -i -u 80:80

If there is no reason for this server to be running on port 80, I believe that 
commenting out this line would stop the unneeded server from running.
I'm currently running from a live CD, and have done an install to confirm 
this.

If the server is needed, perhaps editing /etc/httpd.conf will stop the remote 
access.
Line #7 might be changed to only allow 127.0.0.1, or maybe a Deny line added to 
deny all incoming connections.
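The two mitigations proposed above, as an added shell example that is not part of this bug thread or of SliTaz itself: it checks whether inetd spawns httpd as root, checks whether httpd.conf is already limited to localhost, and then applies either fix. It assumes busybox httpd's access-rule syntax (A:/D: lines evaluated in order, first match wins); the file paths are parameters so it runs against constructed copies rather than the live system.

```shell
#!/bin/sh
# Added example (not from SliTaz or this thread): audit a SliTaz-style
# /etc/inetd.conf and busybox httpd.conf for the root-owned httpd on port 80
# and apply the mitigations discussed above to copies passed as arguments.
set -eu

# 0 if an uncommented inetd line starts /usr/sbin/httpd as root for the http service.
inetd_httpd_active() {
  grep -qE '^[[:space:]]*http[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]+/usr/sbin/httpd' "$1"
}

# 0 if httpd.conf allows only 127.0.0.1: busybox evaluates A:/D: rules in
# order and the first match wins, so the allow must precede a D:* deny-all.
httpd_conf_localhost_only() {
  awk '/^A:127\.0\.0\.1$/ && !a { a = NR } /^D:\*$/ && !d { d = NR }
       END { exit !(a && d && a < d) }' "$1"
}

# Mitigation 1: comment out the http line so inetd no longer spawns httpd.
disable_inetd_httpd() {
  sed -i -E 's|^([[:space:]]*http[[:space:]]+stream[[:space:]]+tcp[[:space:]]+.*/usr/sbin/httpd.*)$|# \1|' "$1"
}

# Mitigation 2: rewrite httpd.conf with localhost-only access rules, keeping
# every other directive (H:, I:, E404:, ...) exactly as it was.
harden_httpd_conf() {
  tmp=$(mktemp)
  { printf 'A:127.0.0.1\nD:*\n'; grep -vE '^[AD]:' "$1" || true; } > "$tmp"
  mv "$tmp" "$1"
}

# Constructed sample files mirroring the thread: the inetd line quoted above
# and an httpd.conf that allows every client.
make_samples() {
  dir=$(mktemp -d)
  printf 'http stream tcp nowait root /usr/sbin/httpd httpd -i -u 80:80\n' > "$dir/inetd.conf"
  printf 'H:/var/www\nI:index.html\nA:*\n' > "$dir/httpd.conf"
  echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_samples)
  inetd_httpd_active "$d/inetd.conf" && echo "httpd is spawned by inetd as root: exposed on port 80"
  httpd_conf_localhost_only "$d/httpd.conf" || echo "httpd.conf does not restrict access to localhost"
  disable_inetd_httpd "$d/inetd.conf"
  harden_httpd_conf "$d/httpd.conf"
  cat "$d/inetd.conf" "$d/httpd.conf"
fi
```

Run with `sh audit.sh demo` to see the before/after on the constructed copies; on a real host, busybox inetd re-reads its configuration on SIGHUP after the inetd.conf change.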