[PLUGIN] ConfigServer Security & Firewall

Just a few questions regarding this.

I am thinking of installing this; however, we send an email newsletter to 14k every two weeks. Will this stop the emails with its advanced flood control or limit any email sending?

Also will this by default disable the CentOS firewall?
 
Yes, you disable the default CentOS firewall(s) and run csf. It's based on iptables.
 
Will these steps for securing /tmp work for a VPS?

My fstab is:
none /dev/pts devpts rw 0 0
 
A good VPS (with hardware virtualisation) should work the same way as a dedicated server when you are logged in. Of course you need to compare it with something with similar RAM/CPU/hard disk capacity.
 
Code:
Jan  5 14:01:39 ln02 lfd[4885]: *Suspicious Process* PID:3137 User:avahi Uptime:78887 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: running [ln02.local]
Jan  5 14:01:40 ln02 lfd[4885]: *Suspicious Process* PID:3144 User:avahi Uptime:78887 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: chroot helper
Jan  5 14:01:40 ln02 lfd[4885]: *User Processing* PID:3168 Kill:0 User:clamav Time:78880 EXE:/usr/local/bin/freshclam CMD:/usr/local/bin/freshclam -d -c 6
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:2344 User:haldaemon Uptime:79090 secs EXE:/usr/sbin/hald\00]\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:hald
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:2353 User:haldaemon Uptime:79089 secs EXE:/usr/libexec/hald-addon-acpi\00\00\00\00\00\04\00\00\00\00\00\00\00\90rL\0b (deleted) CMD:hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:2687 User:mysql Uptime:79081 secs EXE:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/ln02.bsg.vn.err --pid-file=/var/lib/mysql/ln02.bsg.vn.pid --socket=/var/lib/mysql/mysql.sock --port=3306
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:3072 User:ftp Uptime:79068 secs EXE:/usr/sbin/proftpd\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:proftpd: (accepting connections)
Jan  5 14:24:18 ln02 lfd[5188]: *SSH login* from 113.160.2.226 into the root account using password authentication
Jan  5 15:01:50 ln02 lfd[5741]: *Suspicious Process* PID:3137 User:avahi Uptime:82498 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: running [ln02.local]
Jan  5 15:01:51 ln02 lfd[5741]: *Suspicious Process* PID:3144 User:avahi Uptime:82497 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: chroot helper
Jan  5 15:01:51 ln02 lfd[5741]: *User Processing* PID:3168 Kill:0 User:clamav Time:82490 EXE:/usr/local/bin/freshclam CMD:/usr/local/bin/freshclam -d -c 6
Jan  5 15:04:51 ln02 lfd[5769]: *Suspicious Process* PID:2344 User:haldaemon Uptime:82701 secs EXE:/usr/sbin/hald\00]\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:hald
Jan  5 15:04:51 ln02 lfd[5769]: *Suspicious Process* PID:2353 User:haldaemon Uptime:82700 secs EXE:/usr/libexec/hald-addon-acpi\00\00\00\00\00\04\00\00\00\00\00\00\00\90rL\0b (deleted) CMD:hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
Jan  5 15:04:51 ln02 lfd[5769]: *Suspicious Process* PID:2687 User:mysql Uptime:82692 secs EXE:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/ln02.bsg.vn.err --pid-file=/var/lib/mysql/ln02.bsg.vn.pid --socket=/var/lib/mysql/mysql.sock --port=3306
Jan  5 15:04:51 ln02 lfd[5769]: *Suspicious Process* PID:3072 User:ftp Uptime:82679 secs EXE:/usr/sbin/proftpd\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:proftpd: (accepting connections)
Jan  5 16:02:01 ln02 lfd[6661]: *Suspicious Process* PID:3137 User:avahi Uptime:86109 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: running [ln02.local]
Jan  5 16:02:01 ln02 lfd[6661]: *Suspicious Process* PID:3144 User:avahi Uptime:86108 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: chroot helper
Jan  5 16:02:01 ln02 lfd[6661]: *User Processing* PID:3168 Kill:0 User:clamav Time:86101 EXE:/usr/local/bin/freshclam CMD:/usr/local/bin/freshclam -d -c 6
Jan  5 16:05:01 ln02 lfd[6695]: *Suspicious Process* PID:2344 User:haldaemon Uptime:86311 secs EXE:/usr/sbin/hald\00]\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:hald
Jan  5 16:05:01 ln02 lfd[6695]: *Suspicious Process* PID:2353 User:haldaemon Uptime:86310 secs EXE:/usr/libexec/hald-addon-acpi\00\00\00\00\00\04\00\00\00\00\00\00\00\90rL\0b (deleted) CMD:hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
Jan  5 16:05:01 ln02 lfd[6695]: *Suspicious Process* PID:2687 User:mysql Uptime:86302 secs EXE:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/ln02.bsg.vn.err --pid-file=/var/lib/mysql/ln02.bsg.vn.pid --socket=/var/lib/mysql/mysql.sock --port=3306
Jan  5 16:05:01 ln02 lfd[6695]: *Suspicious Process* PID:3072 User:ftp Uptime:86289 secs EXE:/usr/sbin/proftpd\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:proftpd: (accepting connections)
Jan  5 16:35:34 ln02 lfd[7110]: 5 (sshd) login failures from 58.61.149.213 in the last 300 secs - *Blocked in csf*
Jan  5 17:02:11 ln02 lfd[7546]: *Suspicious Process* PID:3137 User:avahi Uptime:89719 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: running [ln02.local]
Jan  5 17:02:11 ln02 lfd[7546]: *Suspicious Process* PID:3144 User:avahi Uptime:89718 secs EXE:/usr/sbin/avahi-daemon\00\00\00\00\00\00\00\00\a1\01\00\00\00\00\00\00h (deleted) CMD:avahi-daemon: chroot helper
Jan  5 17:02:11 ln02 lfd[7546]: *User Processing* PID:3168 Kill:0 User:clamav Time:89711 EXE:/usr/local/bin/freshclam CMD:/usr/local/bin/freshclam -d -c 6
Jan  5 17:05:11 ln02 lfd[7581]: *Suspicious Process* PID:2344 User:haldaemon Uptime:89921 secs EXE:/usr/sbin/hald\00]\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:hald
Jan  5 17:05:11 ln02 lfd[7581]: *Suspicious Process* PID:2353 User:haldaemon Uptime:89920 secs EXE:/usr/libexec/hald-addon-acpi\00\00\00\00\00\04\00\00\00\00\00\00\00\90rL\0b (deleted) CMD:hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
Jan  5 17:05:11 ln02 lfd[7581]: *Suspicious Process* PID:2687 User:mysql Uptime:89912 secs EXE:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/ln02.bsg.vn.err --pid-file=/var/lib/mysql/ln02.bsg.vn.pid --socket=/var/lib/mysql/mysql.sock --port=3306
Jan  5 17:05:11 ln02 lfd[7581]: *Suspicious Process* PID:3072 User:ftp Uptime:89899 secs EXE:/usr/sbin/proftpd\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted) CMD:proftpd: (accepting connections)


This is the log of lfd on my server; it sends many emails to root.
How do I disable it?
Thanks.
 
In the file '/etc/csf.pignore' you can add ignores like

exe:link-to-executable
or
user:username (like: user:haldaemon)

After changing it you need to restart csf/lfd for it to take effect.
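As an added example (not from any post in this thread), a short Python triage of lfd *Suspicious Process* lines like the ones quoted above against csf.pignore entries in the exe:/user: forms the reply describes. The log lines and the pignore content are constructed, and the path cleaning assumes real executable paths contain no backslash.

```python
import re

# Constructed sample modelled on the lfd lines quoted in the thread (not a real capture).
SAMPLE_LOG = r"""
Jan  5 14:01:39 ln02 lfd[4885]: *Suspicious Process* PID:3137 User:avahi Uptime:78887 secs EXE:/usr/sbin/avahi-daemon\00\00\a1\01h (deleted) CMD:avahi-daemon: running [ln02.local]
Jan  5 14:01:40 ln02 lfd[4885]: *User Processing* PID:3168 Kill:0 User:clamav Time:78880 EXE:/usr/local/bin/freshclam CMD:/usr/local/bin/freshclam -d -c 6
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:2687 User:mysql Uptime:79081 secs EXE:/usr/sbin/mysqld\00\00 (deleted) CMD:/usr/sbin/mysqld --user=mysql
Jan  5 14:04:40 ln02 lfd[4913]: *Suspicious Process* PID:3072 User:ftp Uptime:79068 secs EXE:/usr/sbin/proftpd CMD:proftpd: (accepting connections)
Jan  5 14:04:41 ln02 lfd[4913]: *Suspicious Process* PID:4100 User:alex Uptime:120 secs EXE:/home/alex/bin/watchdog CMD:./watchdog
"""
# Constructed csf.pignore content using the two entry forms the reply describes.
SAMPLE_PIGNORE = "exe:/usr/sbin/proftpd\nexe:/usr/sbin/mysqld\nuser:haldaemon\n"
ALERT_RE = re.compile(r"\*Suspicious Process\* PID:(?P<pid>\d+) User:(?P<user>\S+) "
                      r"Uptime:(?P<uptime>\d+) secs EXE:(?P<exe>.*?) CMD:(?P<cmd>.*)$")

def clean_exe(raw):
    """Return (path, deleted). lfd prints non-printable bytes from /proc/PID/exe as
    \\xx escapes; keep the path up to the first escape (assumes no '\\' in paths)."""
    deleted = raw.endswith(" (deleted)")
    if deleted:
        raw = raw[: -len(" (deleted)")]
    return raw.split("\\", 1)[0], deleted

def parse_suspicious(log_text):
    """Extract *Suspicious Process* alerts; other lfd alert types are skipped."""
    alerts = []
    for m in filter(None, map(ALERT_RE.search, log_text.splitlines())):
        exe, deleted = clean_exe(m.group("exe"))
        alerts.append({"pid": int(m.group("pid")), "user": m.group("user"),
                       "exe": exe, "deleted": deleted, "cmd": m.group("cmd")})
    return alerts

def triage(alerts, pignore_text):
    """Three buckets: binary replaced on disk since the process started (restart the
    service; an ignore line only hides that), covered by an exe:/user: entry, and new."""
    pignore = {l.strip() for l in pignore_text.splitlines() if l.strip()}
    replaced, ignored, review = [], [], []
    for a in alerts:
        if a["deleted"]:
            replaced.append(a)
        elif "exe:" + a["exe"] in pignore or "user:" + a["user"] in pignore:
            ignored.append(a)
        else:
            review.append(a)
    return replaced, ignored, review

def suggested_lines(review):
    """Deduplicated candidate csf.pignore lines for the alerts left to review."""
    return sorted({"exe:" + a["exe"] for a in review})
```

Entries in the review bucket are meant to be looked at by a person before they become an exe: line; the replaced bucket is where a restart, not an ignore, is the fix.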
 
This is the content of csf.pignore on my server
Code:
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/httpd
exe:/usr/sbin/avahi-daemon

But every hour in Mail Queue Administration, there are many mails to root in the queue.
 
Hello,
I have installed csf on my OpenVZ VPS and after that solved passport and ... .
Now when I try to enable it we can't access DirectAdmin ... httpd ... and all protocols are down until I disable csf.
 
Hello.
When csf is enabled, DirectAdmin can't send backups via FTP to another server. I get this error:
User alex has been backed up.
Data connection timed out.
Data connection timed out.
Data connection timed out.
Falling back to PORT instead of PASV mode.
Could not read reply from control connection -- timed out.
ncftpput /home/tmp/admin/user.admin.alex.tar.gz: timed out while waiting for server response.

When I disable csf and run the backup again, it's OK and it creates and sends the backup without problem.

Note:
I added 30000:35000 to TCP_IN and TCP_OUT
 
Personally, if CSF doesn't allow passive (PASV) mode by default, I wouldn't use it; I hope someone more familiar than I with CSF can tell us how to set it up to add PASV connections.

My understanding is that to enable PASV connections you have to add the

ipv4/netfilter/ip_conntrack_ftp.ko

module to the kernel (it should be in modern kernels by default), and then set it to be used in the firewall with:
Code:
/sbin/modprobe ip_conntrack_ftp
(added as root).

But I don't know enough about csf to see if it's already there and if your problem is simply that your kernel doesn't have the module, nor do I know if any other code needs to be applied on your system.

As I've written previously, I use KISS precisely because it's so simple.
Note:
I added 30000:35000 to TCP_IN and TCP_OUT
This is a simple workaround, but you also need to make changes to the ProFTPd configuration file to allow the use of these ports; it's not in the default configuration. You need to add to your proftpd.conf file:
Code:
PassivePorts 30000 35000
and restart proftpd.

Jeff
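An added consistency check (example code, not from Jeff's post or from csf) for the three pieces the reply says must agree: the PassivePorts range in proftpd.conf, that same range in csf's TCP_IN, and the ip_conntrack_ftp helper (nf_conntrack_ftp on nf_conntrack-era kernels) being loaded. The configuration fragments and the module listing are constructed.

```python
import re

# Constructed config fragments (not taken from any poster's server).
CSF_CONF = 'TCP_IN = "20,21,22,25,53,80,110,143,443,30000:35000"\nTCP_OUT = "20,21,22,25,53,80,110,113,443"\n'
PROFTPD_CONF = 'ServerName "FTP"\nPassivePorts 30000 35000\n'
# Constructed /proc/modules-style listing; only the first column (module name) is used.
MODULES = '''
ipt_REJECT 4545 2 - Live 0x0000000000000000
xt_state 2721 5 - Live 0x0000000000000000
'''

def csf_ports(conf, key):
    """Expand a csf.conf port list such as "20,21,30000:35000" into (lo, hi) tuples."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % key, conf, re.M)
    if not m:
        return []
    ranges = []
    for item in filter(None, (s.strip() for s in m.group(1).split(","))):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def covers(ranges, lo, hi):
    """True when a single entry spans the whole range (adjacent entries are not merged)."""
    return any(a <= lo and hi <= b for a, b in ranges)

def passive_range(proftpd_conf):
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", proftpd_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def ftp_helper_loaded(modules):
    names = {line.split()[0] for line in modules.splitlines() if line.strip()}
    # older kernels name the helper ip_conntrack_ftp, nf_conntrack kernels nf_conntrack_ftp
    return bool(names & {"ip_conntrack_ftp", "nf_conntrack_ftp"})

def check_passive_setup(csf_conf, proftpd_conf, modules):
    """Return findings as strings; an empty list means the three pieces agree."""
    findings = []
    rng = passive_range(proftpd_conf)
    if rng is None:
        findings.append("proftpd.conf has no PassivePorts directive")
    elif not covers(csf_ports(csf_conf, "TCP_IN"), *rng):
        # the server listens on the passive range, so it is inbound that must be open
        findings.append("TCP_IN does not allow %d:%d" % rng)
    if not ftp_helper_loaded(modules):
        findings.append("FTP conntrack helper not loaded")
    return findings
```

On a live box the three inputs would be the contents of /etc/csf/csf.conf, proftpd.conf and /proc/modules; the sample here deliberately lacks the helper so the check reports exactly that.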
 
I did it and then enabled csf, but it can't send the backup again.

I tried the iptables module test and this is my output:

Testing iptables...

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
 
I installed csf successfully and DA recognized this plugin.

Then I tried to remove some of the default ports, say FTP (20, 21),

and ran csf -s

However, I supposed I would no longer be able to access FTP, but that is not the case. Did I miss something else?

Update: It turns out that my IP was automatically added to the csf whitelist file.
 
Yes, on install the IP you are using at that moment is automatically whitelisted for security. If everything is OK you can just remove it from the whitelist if you want (and if you are using a dynamic IP).
 
Is there a way we can export ALL the settings of CSF so I can have the same settings on 3 servers?

This can also work as a backup of the settings.
 
The conf files and messages files are in /etc/csf/, so you should probably just copy those files to the other server where csf is installed and restart csf (check the permissions/owner of the files before restarting csf).
 
Hello, I've successfully installed CSF+LFD and it's working very well!

I have a question: does it make sense to install mod_security and/or mod_evasive with CSF+LFD?

Thanks.
 