jackwan1
  1. The ssh login attempts described in my previous post are recorded in my edge router logs. The edge router from Ubiquiti is an industrial router; it has a lot more functions than those of commercial grade. My old Netgear routers, for example, will never record such things, so you will never know.
  2. @mgutt thanks so much for your help. Yes, the edge router is my only router, which also is my firewall. The webmin, if it is hacked, could create havoc on my Ubuntu server. After all these days of work, I am going to close down the services. It's a bad idea to begin with, not knowing the consequences of doing so.
  3. Side effect of opening external access to the EdgeRouter UI using a reverse proxy. As stated before, I have no problem accessing the router from outside; however, I found the following side effect, which is described by the OP in this thread: Edgerouter Lite Logs Show Someone Trying to SSH into UniFi AC : Ubiquiti (reddit.com)

     I thought I had set up the firewall rules on my edgerouter correctly to drop the packets to prevent someone from accessing my unifi AP AC Lite via ssh from outside of the network. Looking at the logs on my router today it seems as if that isn't the case. My question is, what do I have to change? I have set up a static DNS (via duckdns) service to remotely access the edgerouter and have the AP connected to my UniFi account. That is all I need. SSH can be from inside the network only. Port forwarding is disabled. Snippet of my logs:

     Jan 19 19:13:17 ubnt sshd[9296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
     Jan 19 19:13:12 ubnt sshd[9263]: PAM service(sshd) ignoring max retries; 6 > 3
     Jan 19 19:13:12 ubnt sshd[9263]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
     Jan 19 19:13:05 ubnt sshd[9267]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
     Jan 19 19:12:58 ubnt sshd[9267]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
     Jan 19 19:12:55 ubnt sshd[9263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
     Jan 19 19:12:51 ubnt sshd[9232]: PAM service(sshd) ignoring max retries; 6 > 3

     I can disable ssh in my Router UI, but based on the post below, it did not really solve the problem.

     That disables ssh access to your ERL. Your AP isn't getting any SSH attempts, your ERL is. If you've set it up properly then this shouldn't be a concern. The way it should be done is that WAN_LOCAL only allows established and related in and SSH. SSH should be configured to only allow public key authentication, no password authentication. The webui will always only authenticate with a password, so make it listen only on some management IP and restrict access as you see fit, maybe even only allow access from the ERL itself and use SSH tunneling to log into the webui. You certainly don't have to set it up this way, but you need to secure any outside access such that anything on the internet can't connect without an authorized public key. From what you've told us you left the webui totally open to the world, so blocking just ssh doesn't help anything; you need to block the webui from remote attackers as well.

     Is there anything Nginx can do about this, or do I have to configure SSH public keys? What if I forwarded to a non-standard port locally? By the same token, am I also subject to these attempts by opening webmin?
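The sshd lines quoted in the post above are PAM's own records: one `pam_unix(sshd:auth): authentication failure` line per attempt, plus a `PAM N more authentication failures` summary once the retry limit is hit. The following is an added example (not from the post or from Ubiquiti) that folds both kinds of line into a per-source count, which is what you want before deciding which sources to drop in WAN_LOCAL; the log text is the snippet from the post.

```python
import re
from collections import Counter

# sshd/PAM lines as quoted in the forum post above (the router's own snippet).
LOG_SNIPPET = """\
Jan 19 19:13:17 ubnt sshd[9296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:13:12 ubnt sshd[9263]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 19 19:13:12 ubnt sshd[9263]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:13:05 ubnt sshd[9267]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
Jan 19 19:12:58 ubnt sshd[9267]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
Jan 19 19:12:55 ubnt sshd[9263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:12:51 ubnt sshd[9232]: PAM service(sshd) ignoring max retries; 6 > 3
"""

# One explicit failure line: counts as a single attempt.
SINGLE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(\S+) user=(\S*)")
# PAM's summary line "PAM N more authentication failures; ... rhost=X user=Y":
# these N attempts were never logged individually, so add N.
MORE = re.compile(r"PAM (\d+) more authentication failures;.*?rhost=(\S+) user=(\S*)")


def count_failures(text):
    """Return {rhost: total failed attempts}, folding the 'N more' summaries in."""
    totals = Counter()
    for line in text.splitlines():
        m = SINGLE.search(line)
        if m:
            totals[m.group(1)] += 1
            continue
        m = MORE.search(line)
        if m:
            totals[m.group(2)] += int(m.group(1))
    return dict(totals)


def flag_hosts(text, threshold=3):
    """Sources whose failure count reaches the threshold, most active first."""
    totals = count_failures(text)
    return sorted((h for h, n in totals.items() if n >= threshold), key=lambda h: -totals[h])


if __name__ == "__main__":
    for host, n in sorted(count_failures(LOG_SNIPPET).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} failed root logins")
```

Note that counting only the explicit `authentication failure` lines undercounts by the `N more` amount, which is why the summary line is parsed too.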
  4. @mgutt I forwarded the https to 443 on my router, no conflict of ports, it's not running in a container. What I failed to do is turn on websocket support in NPM; once I did that, everything worked fine. Incidentally, when I put this into the advanced section:

     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $http_connection;
     proxy_http_version 1.1;

     the NPM entry for the edgerouter went offline, so I took it out and it's all good.
  5. @mgutt Here is another interesting problem, this time it involves an empty EdgeRouter GUI behind an nginx reverse proxy. The problem manifested just as described by the OP in the following thread. Basically I CAN log in to the edgerouter, but when I get there the WebGUI is empty. There were many discussions but I can't get anything out of them. There is a suggestion on a websocket fix on the Ubiquiti community forum: Access Edgemax gui via nginx reverse proxy - websocket problem | Ubiquiti Community by gainfulshrimp

     server {
         listen 80;
         server_name ubnt.mydomain.com;
         return 301 https://$host$request_uri;
     }
     upstream erl {
         server 192.168.1.1:443;
         keepalive 32;
     }
     server {
         listen 443 ssl http2;
         include /etc/nginx/snippets/letsencryptcerts.conf;
         server_name ubnt.mydomain.com;
         include /etc/nginx/snippets/letsencryptauth.conf;
         client_max_body_size 512m;
         location / {
             include /etc/nginx/snippets/localonly.conf;
             proxy_pass https://erl;
             proxy_http_version 1.1;
             proxy_buffering off;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "Upgrade";
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }
     }

     But I do not know enough about it to implement it in the NPM. There was also a post indicating that haproxy will fix the problem; why is there a difference? I added the following in the advanced section but it did not work:

     proxy_http_version 1.1;
     proxy_buffering off;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "Upgrade";
     proxy_set_header Host $Host (or the domain name);
     proxy_set_header X-Real-IP $remote_addr (or the IP address:443);
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

     Please help.
  6. First you need to find out the HTTP error code when they block your port 80, then you can add a port 80 redirection in config.json with something like this:

     server {
         listen 80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
  7. OK @mgutt Your solution a. works, however I have to modify it as follows: proxy_redirect https://webmin4.dns:10000 https://webmin4.dns; Notice both URLs use https, not one http and the other https. Once it passed the webmin login, the URL became internal to the webmin, so it was https://dns:10000; all we have to tell nginx is to redirect it to https://dns, problem solved. And my external http-to-https config.json conversion also works. So now all I have to do is type the DNS name into a web browser without http or https and it will reach the webmin login page, and when I log in, it goes to the dashboard.
  8. Hi @mgutt I have a few elementary questions about setting up https in proxy-manager. 1. Does every DNS name require a separate SSL certificate? 2. Does the server have to listen on port 443 for https? I am trying to set up webmin access via proxy-manager; as you know, webmin's default port is 10000 and the default access scheme is https. So here is my setting in proxy-mgr; I also ran an SSL certificate in proxy-mgr for that. My config.json:

     autoindex_localtime on;
     autoindex on;
     server {
         listen 80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
     location / {
         try_files $uri /index.html;
     }

     When I enter the webmin4.dns name in the browser, it has no problem connecting to the login page of webmin@192.168.x.x (see photo). However, after I log in I get a page like this. Note the URL has port 10000 defined and it returns a bad connection error. If I remove the port designation (10000) on that error page, I will be directed to the webmin dashboard, no problem. Defining https://webmin4.dns name won't help. What did I do wrong?
  9. Thanks @mgutt I see what you are saying, and the RTMP server concept is too complicated for a home setting. I also see the nginx streaming port setting, but that is the same as a simple port forwarding in my router, which is the current setup and it's been working for years. I guess for constant streaming video, we can only use one port for each host. I also tried rtsp on port 554; the VLC player will work only for one camera and will not work with other brands/models. Lots to learn and explore.
  10. Dear @mgutt Thank you for your help. I did a little research on the net and found NGINX RTMP Streaming Server Installation Guide (bartsimons.me); perhaps that is the way to go, because right now nginx proxy manager (as I know it and my host setup) can handle http(s) very well, but it lacks the ability to handle a streaming service in h.264 or h.265 format, and the newer cameras and NVRs no longer use RTSP streaming in their app. If I go with the installation of the RTMP streaming server, what should I do with the nginx config in the proxy manager? Do I add the "rtmp" set of the config in the "advanced" section?
  11. Hello, I hope I am on the right thread; if not, feel free to move me around. I am new to NPM, however, I have made 7 proxy hosts already and most of them are working, including all web server redirects using "A" or "CNAME". I have a problem setting up a proxy for camera streaming. I was successful streaming an old Foscam camera by simply setting the IP and port XXX. For all newer cameras or NVRs where there is an http web server and the image streaming (in onvif or rtsp format), I am not getting it. I am using an app called "IP CAM Viewer" and in that, I could easily view the camera by defining the http port (port forwarding and ddns), id and password to view the cameras. With the reverse proxy server, I can define the DNS name and port 80 to be redirected for the Foscam camera; however, when I tried to do the same for others, I do not get the streams. Any help is appreciated.