Running a 2nd 2223 port for non-secure connections





Last Modified: Jun 27, 2019, 8:20 pm
There could be various reasons you might need a non-secure (plaintext) connection to DA.
One is if you have a very old OS whose openssl cannot speak the newer openssl versions, so the newer boxes no longer speak to the old one (really, your old box should be replaced with a more modern OS that supports newer openssl versions).

If you decide to use this method, we'll assume you still want SSL/https on port 2222, but will have a 2nd non-secure connection on port 2223.

  1. In your directadmin.conf, you'd then use these settings:

    SSL=0
    port=2223
    ssl_port=2222

    where the plaintext port uses SSL=0 and port=2223, and the setting "ssl_port=2222" defines a 2nd port for secure connections, which is going to be the main one used for most things.

  2. In case it's not obvious, connections made over a plaintext connection are not secure and packets could be sniffed.
    Although it's not perfect, at a minimum you'll want to be using the Login Key to allow DNS to be copied around, but you should also restrict it to a given IP address, so in the event that the packet is sniffed and the login key is obtained, it could only be used by logging into the remote DA box from that specified IP address.   See Example C.

  3. It would also be recommended to set up your firewall on the remote server to only accept connections to port 2223 from that restricted client IP address.

  4. As an extra measure (may be tricky for novices), use iptables on the client server to only allow outbound connections to that remote box if the User is "nobody" (this likely needs to be done by someone experienced with your firewall).

    This is not tested, but here is an example of how to allow only "nobody" and root to reach remote servers on port 2223, and reject that port for every other local user:

    # the web server user (nobody) and root may open outbound connections to the remote plaintext port
    $IPTABLES -A OUTPUT -m owner --uid-owner nobody -p tcp --dport 2223 -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner root -p tcp --dport 2223 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 2223 -j REJECT

    These rules would be inserted into your general iptables rules, but would likely need some tweaking depending on which firewall you're running.
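    The following is an added example, not DirectAdmin's own code, that ties steps 1 and 3 together: it parses the three directadmin.conf keys discussed above (SSL, port, ssl_port), reports what the chosen combination exposes, and emits the iptables INPUT rules for the remote server so that the plaintext port is only reachable from the one restricted client IP. The conf excerpt, the client IP (203.0.113.10) and the $IPTABLES variable name are constructed sample values; the function names are this example's own.

```python
"""Sanity checks for a split SSL/plaintext DirectAdmin setup (added example)."""
from __future__ import annotations

import ipaddress

# Constructed directadmin.conf excerpt matching the settings from step 1.
SAMPLE_CONF = """\
# constructed sample, not a real server's config
SSL=0
port=2223
ssl_port=2222
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines of a directadmin.conf; blank and '#' lines are skipped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ports(conf: dict[str, str]) -> list[str]:
    """Describe what the SSL/port/ssl_port combination exposes.

    Returns one finding per risk so an operator can see at a glance whether
    the plaintext listener is intended and whether https is still available.
    """
    findings: list[str] = []
    ssl = conf.get("SSL", "0")
    port = conf.get("port")
    ssl_port = conf.get("ssl_port")
    if ssl == "0" and port:
        findings.append(
            f"port {port} serves plaintext HTTP: passwords and login keys can be sniffed"
        )
    if ssl == "0" and not ssl_port:
        findings.append("no ssl_port set: every DA session would be plaintext")
    if port and ssl_port and port == ssl_port:
        findings.append(f"port and ssl_port are both {port}: the two listeners collide")
    return findings


def remote_firewall_rules(
    conf: dict[str, str], client_ip: str, iptables: str = "$IPTABLES"
) -> list[str]:
    """Rules for the remote server (step 3): accept the plaintext port only from client_ip.

    The ACCEPT rule must precede the DROP rule, since iptables matches in order.
    A malformed client_ip raises ValueError rather than producing a rule that
    silently matches nothing.
    """
    ipaddress.ip_address(client_ip)
    port = conf["port"]
    return [
        f"{iptables} -A INPUT -p tcp --dport {port} -s {client_ip} -j ACCEPT",
        f"{iptables} -A INPUT -p tcp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in audit_ports(conf):
        print("finding:", finding)
    for rule in remote_firewall_rules(conf, "203.0.113.10"):
        print(rule)
```

    The DROP rule is the part step 3 relies on: without it the ACCEPT line only documents intent, and any host can still reach the plaintext port. The audit is deliberately limited to the three keys the page describes; it does not attempt to validate the rest of directadmin.conf.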

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST