[PLUGIN] ConfigServer Security & Firewall

any plan to release cse for DA too?
If there's a demand. That and cmq could probably be reasonably easily adapted.

The only issue would be the Virtual Console in cse might have to go due to the mod_perl apache process issues.
 
hello,

csf is blocking the backups:

Falling back to PORT instead of PASV mode.
Could not read reply from control connection -- timed out.
ncftpput /home/tmp/admin/admin.tar.gz: timed out while waiting for server response.

if I stop csf, the backups work.

any help to fix that?

thanks!
 
Your csf isn't properly configured then for passive ports.
 
Make sure the ip_conntrack_ftp kernel module has been loaded (run "lsmod"). It should take care of it without messing with the open ports (which shouldn't list non-listening ports for security reasons).

If anyone opens a set of standard non-privileged non-listening ports the firewall becomes much less useful. The way to go is to compile and load the ip_conntrack_ftp module.
CSF is loading it in my system, those with problems probably don't have it.
 
sure, I've just added these ports to check if this was the problem. the VPS was working fine with APF...

when I run lsmod:

[root@srv11 ~]# lsmod
[root@srv11 ~]#

what does it mean?
 
It may mean two separate things: your server has a monolithic kernel (no modules) or it's a VPS (no direct access to kernel settings).
In the first case you may want to recompile the kernel to have ip_conntrack_ftp built in, in the second it depends on which kind of VPS, either the hoster can help you or it's not possible.

Maybe it was working on APF because you didn't set it to block outgoing connections; you can do it on CSF too, by setting TCP_OUT to "0:65535". Remember to set TESTING=1 when modifying a delicate setting like TCP_OUT, then revert it back to 0 if it's working.
This will definitely lower the efficiency of the firewall, but probably be the only solution if you can't have ip_conntrack_ftp on a VPS.

Regarding this last suggestion, it would be better to set a custom range of ports for FTP transfers, like 35000:35999, but this requires access to the ftp server settings on the other end (for passive transfers) or to the client in your system (for active transfers), and then just add them to TCP_OUT (for passive) or TCP_IN (for active). It's complicated, I know, but that's the way FTP has been designed... messy :D
 
thank you for your help and information, I've fixed that with something "simple", I've just added the ftp server to the ALLOWED IPs, and it is working fine now :D
 
My suggestion is adapting the "msinstall" code with the DA as the next step. :) and thanks for the new csf.
 
Hi there
I have just installed CSF on my DA VPS
But it seems not running on my server
I can see the link of Config Server as plugin in my admin section
After clicking it I can only see ConfigServer Security & Firewall - csf v4.56 with the logo and nothing below it

Any suggestion
Rizwan
 
Thanks, I have fixed it via Google ^^
I think it may be helpful to you:

Step 1: Securing /tmp
Step 1.1: Backup your fstab file

cp /etc/fstab /etc/fstab.bak

Step 1.2: Creating tmpmnt partition file (Around 1Gb in size)

cd /var
dd if=/dev/zero of=tmpMnt bs=1024 count=1048576

Step 1.3: Format the new partition

mkfs.ext3 -j /var/tmpMnt

Press Y when asked
Step 1.4: Making backup of old /tmp

cp -Rp /tmp /tmp_backup

Step 1.5: Mount the tmp filesystem

mount -o loop,noexec,nosuid,rw /var/tmpMnt /tmp

Step 1.6: Set the right permissions

chmod 0777 /tmp

Step 1.7: Copy the files back to new tmp folder

cp -Rp /tmp_backup/* /tmp/

Step 1.8: Adding new /tmp filesystem to fstab

echo "/var/tmpMnt /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab

Step 2: No need for 2 tmp filesystems, so we symlink /var/tmp to /tmp

rm -rf /var/tmp/
ln -s /tmp/ /var/tmp

thank you for that - can we use this also in a VPS?
 
From the chmod man page:
The restricted deletion flag [...] prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory.

It's very, very important for the security of your server. Otherwise any user in the system can for example DoS your MySQL daemon by removing /tmp/mysql.sock, or even gain privileged access by exploiting a temporary file race condition.

The friendly command is "chmod a+rwxt /tmp".
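A way to verify the outcome of the /tmp steps posted earlier together with the sticky-bit point made in the reply above, as an added example that is not part of the thread: one function checks that the /tmp entry in an fstab or /proc/mounts style listing carries noexec, nosuid and nodev; another checks that a directory is world-writable with the restricted deletion bit set (mode 1777, what chmod a+rwxt produces), rejecting a plain 0777. The fstab lines used in the usage section are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread.

# mount_opts_ok FILE MOUNTPOINT: 0 if the MOUNTPOINT entry in FILE (fstab or
# /proc/mounts layout: device mountpoint fstype options ...) carries all of
# noexec, nosuid and nodev. Comment lines are skipped; the last entry wins.
mount_opts_ok() {
    file=$1; mnt=$2
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$file" | tail -n 1)
    [ -n "$opts" ] || return 1
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sticky_ok DIR: 0 if DIR is world-writable and has the sticky bit with
# execute for others (ls shows 't', as for 1777). A capital 'T' would mean
# sticky without execute, which makes the directory unusable, so it is rejected.
sticky_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d??????rwt) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tmp FILE: combined check for a real system, e.g. check_tmp /proc/mounts
check_tmp() {
    mount_opts_ok "$1" /tmp && sticky_ok /tmp
}
```

On a live server run `check_tmp /proc/mounts` after the remount and `check_tmp /etc/fstab` to confirm the setting will survive a reboot; if only the second check fails, the fix is the reply's `chmod a+rwxt /tmp`.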
 
Hi,

Has anyone successfully installed this on an openvz vps? And furthermore I guess securing /tmp can't be done in an openvz vps??

Thnx
 
we have over 20 vms with xen using csf. Work perfectly. just a pain in the ass when we console in and see a few hundred lines of firewall log.

Other than that, gonna get a tattoo with CSF this weekend. jejeje just kidding. but really happy we are using them.

I donated a subscription :)
 
just a pain in the ass when we console in and see few hundred lines of firewall log
You need to tweak /etc/syslog.conf to divert the kernel logging
 