FAQ

The hosts.xml files are used to allow/deny access to different products from some IPs or classes of IPs. The client’s IP is tested against the rules in the hosts.xml file and the first one that matches is applied – all the following rules are ignored.

When getting the hostname related to a given IP, the Java mechanism has a spoof protection that, sometimes, will not give optimal results. The following situation will not give the expected results:

1. Java asks the DNS server for the hostname related to an IP address (reverse DNS).
2. When the DNS server replies with the hostname, Java asks the same DNS server for the IP address of that particular hostname.
3. If the initial IP address and the one returned as the result of request #2 above do not match, then Java returns the initial IP address.

This process may interfere with the way we compare the client IP address against the ones stored in the hosts.xml file. Due to the above Java protection, some IP addresses will not match against a given domain even if their reverse DNS name belongs to that particular domain.
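The interaction between the forward-confirmed reverse lookup and first-match rule evaluation can be modelled offline. The following is an added example, not Muse Proxy code: the DNS tables are constructed sample data, and the (action, pattern) rule tuples, the wildcard pattern syntax and the deny-when-nothing-matches fallback are assumptions made for illustration, not the hosts.xml format.

```python
from fnmatch import fnmatchcase

# Constructed DNS data using documentation address ranges (not real records).
PTR = {  # reverse DNS: IP -> hostname
    "192.0.2.10": "pc1.example.edu",     # forward lookup agrees
    "198.51.100.7": "pc2.example.edu",   # forward lookup disagrees
}
A = {    # forward DNS: hostname -> IPs
    "pc1.example.edu": ["192.0.2.10"],
    "pc2.example.edu": ["203.0.113.99"],
}

def confirmed_name(ip):
    """Model of steps 1-3: reverse-resolve, then forward-confirm.
    Returns the hostname only when the forward lookup yields the
    original IP; otherwise returns the initial IP address."""
    host = PTR.get(ip)
    if host is None or ip not in A.get(host, []):
        return ip
    return host

def first_match(ip, rules):
    """Apply the first rule matching the IP or its confirmed name;
    all following rules are ignored."""
    name = confirmed_name(ip)
    for action, pattern in rules:
        if fnmatchcase(ip, pattern) or fnmatchcase(name, pattern):
            return action, pattern
    return "deny", None  # assumption: no matching rule means no access

# Hypothetical rule sets: a domain rule alone, then with an IP range added.
DOMAIN_ONLY = [("allow", "*.example.edu"), ("deny", "*")]
WITH_RANGE = [("allow", "*.example.edu"),
              ("allow", "198.51.100.*"),
              ("deny", "*")]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, confirmed_name(ip),
              first_match(ip, DOMAIN_ONLY), first_match(ip, WITH_RANGE))
```

The second client has a reverse DNS name inside the domain yet falls through to the catch-all rule, because the comparison only ever sees its IP address; a rule on the IP range matches regardless of what DNS returns.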

This FAQ has been created so that partners can check the Muse Proxy configuration ($MUSE_HOME/proxy/hosts.xml file) to make sure their proxies are not open proxies, and therefore prone to illegal usage.

RULES TO MODIFY:
1.) In the hosts.xml under the default user, there should be no * rule:


default
*

The default user allows the ICE Servers to access Muse Proxy. If the * rule is entered, the wildcard character (*) will allow any IP to access the proxy via the default user. This could lead to abuse of the proxy from remote IPs. It is recommended to enter the IPs, or IP ranges, that will access the proxy via ICE instead.

2.) In the hosts.xml under the administrator user, there should be no * rule:


administrator
*

Like the default user above, if the * statement is put in under this , it could potentially allow remote users to abuse Muse Proxy via the administrator user. It is recommended to only allow the IP (or IP ranges) of computers that you expect to use to administer the proxy.

RULES TO KEEP IN PLACE:
1.) For Muse Proxies above the 2.2.2.0 version, there is the following rule for the default.mnm user:

default.mnm
*

This must be kept in place, so that end users will be able to navigate to links rewritten via Muse Navigation Manager.

2.) Under the section for every user, there is a * rule:


20
21
22
23
25
*


This must be kept in place. The REMOTE_PORTS section specifies the outgoing access port rules of the Muse Proxy, i.e. which remote ports the Muse Proxy is allowed to connect to. By default, we block access to the following remote ports:
20,21: File Transfer Protocol (FTP)
22: Secure Shell (SSH)
23: Telnet
25: Simple Mail Transfer Protocol (SMTP)
and allow access to the rest of the ports, meaning that the Muse Proxy can connect to data services on any ports except the ones listed above.

The * was set to cover all possible ports used by service providers, such as 80, 8080, 443, 210, etc.

3.) It is also recommended that if a rule is entered for Muse Global support (secure.museglobal.com or secure.museglobal.ro), it is not taken out. These rules are in place so that Muse support can properly troubleshoot the proxy.

Categories: General, Muse Proxy
