Bug 194: OPEN
By default, port 80 is not restricted to connections from localhost
Date: 2018-03-24 - Creator: bernhard - Priority standard - 3 messages
I am testing a SliTaz 5.0 from another computer in the same network. I connect to the slitazhost:80/ page from the outside, and it says:

"Welcome to the SliTaz Busybox HTTP web server. You can delete or modify this page to put your own xHTML pages, web sites, CGI or PHP scripts. The server configuration file is /etc/httpd.conf. CGI support is activated by default using the SHell interpreter for *.sh and bugs.cgi config.cgi index.cgi files. This page is located in the server root directory /var/www. The default configuration is to allow connections only from localhost so port 80 is not open for security reasons."

I have not changed the web server configuration /etc/httpd.conf. So it seems that the assertion contained in the page that port 80 is available only from localhost is not correct.
Affected package(s): default/httpd
Messages
By: hgt on 2018-03-29 07:54
With SliTaz rolling I get: "The default configuration is to allow connections only from LAN, so port 80 is not open to the web for security reasons." So it would be correct to accept connections from the same network.
By: metalx1000 on 2019-03-27 19:21
I can confirm this is still happening. It seems that SliTaz Panel runs on port 82, which gives the correct '403 Forbidden' message when connecting from remote machines. So there isn't any reason for the server that is running on port 80. It is running as root, and although it isn't doing anything, it could be a security issue.

It seems that the busybox httpd that is running on port 80 is started by the "/usr/sbin/inetd" process. It's set to run on line #32 of /etc/inetd.conf:

http stream tcp nowait root /usr/sbin/httpd httpd -i -u 80:80

If there is no reason for this server to be running on port 80, I believe that commenting out this line would stop the unneeded server from running. I'm currently running as a live CD, and having done an install to confirm this.

If the server is needed, perhaps editing /etc/httpd.conf will stop the remote access. Line #7 might be changed to only allow 127.0.0.1 or maybe adding a Deny line to deny all incoming connections.
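The two checks suggested in the message above (is httpd started from inetd.conf, and does httpd.conf limit clients to loopback), as an added example that is not part of the original thread and not SliTaz code. It assumes BusyBox httpd's `A:` (allow) and `D:*` (deny all others) rule syntax; the function names and the sample httpd.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SliTaz code. Function names are hypothetical.

# Print active (uncommented) inetd.conf entries for the "http" service.
inetd_http_entries() {
    awk '!/^[ \t]*#/ && $1 == "http"' "$1"
}

# Print BusyBox httpd allow rules other than loopback or the no-op "A:*".
nonlocal_allows() {
    grep -E '^[[:space:]]*A:' "$1" | grep -Ev '^[[:space:]]*A:(127\.|\*)'
}

# Usage: audit_http_exposure INETD_CONF HTTPD_CONF
# Prints INFO/FINDING lines; returns 1 if remote clients can reach httpd.
audit_http_exposure() {
    rc=0
    entries=$(inetd_http_entries "$1")
    [ -n "$entries" ] || return 0   # inetd does not start httpd at all
    user=$(printf '%s\n' "$entries" | awk 'NR == 1 { print $5 }')
    echo "INFO: inetd starts httpd for service 'http' as user '$user'"
    # Without "D:*", BusyBox httpd admits every client no rule denies.
    if ! grep -Eq '^[[:space:]]*D:\*' "$2"; then
        echo "FINDING: no D:* line, unlisted clients are allowed"
        rc=1
    fi
    allows=$(nonlocal_allows "$2") || true   # grep exits 1 on no match
    if [ -n "$allows" ]; then
        printf '%s\n' "$allows" | sed 's/^/FINDING: non-loopback allow rule: /'
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the inetd line quoted in this bug and made-up
# httpd.conf variants (assumptions, not the file SliTaz ships).
write_samples() {
    printf '%s\n' '# services' \
        'http stream tcp nowait root /usr/sbin/httpd httpd -i -u 80:80' > "$1/inetd.conf"
    printf '%s\n' '#http stream tcp nowait root /usr/sbin/httpd httpd -i -u 80:80' \
        > "$1/inetd.off.conf"
    printf '%s\n' 'A:192.168.' 'D:*' > "$1/httpd.lan.conf"
    printf '%s\n' 'A:127.0.0.1' 'D:*' > "$1/httpd.local.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_http_exposure "$demo_dir/inetd.conf" "$demo_dir/httpd.lan.conf" || true
rm -rf "$demo_dir"
```

Run it against copies of /etc/inetd.conf and /etc/httpd.conf; a return status of 0 means either inetd no longer starts httpd or only loopback clients are admitted.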
By: pankso on 2021-01-22 21:22
Anyone to fix that?