DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

ProWebUK

Verified User
Joined
Jun 9, 2003
Messages
2,326
Location
UK

KISS Version: 2
DA Specific version: 1
Release: 2

Over the past few weeks i have mentioned a firewall specific for use with DirectAdmin. If you have looked at the recent posts in the DA server checklist, you will have realised the Kiss link was recently updated to v2.0

I have modified the firewall to provide a simpe but very effective method for basic security on your server, I advise all who run Directdmin on RedHat to use this, or another firewall, if you know IPTables then that would also be fine.


IF YOU CURRENTLY HAVE A FIREWALL INSTALLED EITHER REMOVE IT FIRSTLY OR DO NOT INSTALL THIS FIREWALL

Installation does not get any simpler:

Moderator's Note:
The location below is no longer valid.

Try these locations:

The original one can be found here.

My modified version, modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here.


# cd /usr/bin
# wget http://optimum-servers.com/downloads/DirectAdmin/kiss2-1.2.tar.gz
# tar -zxvf kiss2-1.2.tar.gz
# rm -f kiss2-1.2.tar.gz

To configure any settings use top section of the KISS file

# pico -w kiss

Run the following commands *anywhere*:

To start KISS
kiss start

To stop KISS
kiss stop

To Restart
kiss restart

To check current status
kiss status

If you make any changes ensure you restart it for the chnages to take effect.

Once it is installed I suggest you double check websites, directadmin, mysql and also into SSH in another window to ensure that you are not locked out.

Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local

/usr/bin/kiss start

Any questions, problems or suggestions feel free to post here :)
 
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)

You need these ports open for TCP_OUT:

ICQ Messengers: 4000
YAHOO Messengers: 5010
AIM Messengers: 5190


If you use MRTG or RRDTool to graph router info, you will need to open SMNP (port 161)



Run game servers?
{HL/CS/DOD/TFC/NS/etc}
Client: 27010
Game: 27015 (if you run more than 1 per IP, you might want 27016 27017 etc open)

{BF1942}
Game: 14567
GameSpy Query: 23000
ASE Query: 14690

{SOF2}
Game: 20100

{QUAKE 3}
Game: 27961

{UT/UT2003}
Game: 7777
Query: 7778

{Jedi Knight 2}
Game: 28070

You can find other games at my page here: http://www.playergraph.com/gamesupport
 
The original geocities script start fine for me. However the DA modified script keeps giving me an error when I try to start it:

: bad interpreter: No such file or directory

I have changed permission etc, but without any luck. Is there any reason the regular kiss script would start fine but not this one? Thank you.
 
Last edited:
ensure you remove the previous version firstly, having 2 running will cause problems.

if you cant run kiss start run:

/usr/bin/kiss start

Chris
 
Chris, thanks for the quick reply...my post wasn't very clear. I actually tried the DA version first, with no other firewall running at all. After several unsuccessful attempts I downloaded the original KISS script which started on the first try. I then stopped and removed the original KISS script and went back to the DA modified one. No luck. I tried full paths, relative paths, changing to the /usr/bin directory, running from other directories. For now I have removed KISS and just gone back to the APF firewall. Is there any big advantage in running KISS instead of APF? Otherwise I will probably just leave it as is. Thanks again for the suggestions.
 
Kiss / APF both as good as each other. I personally prefer Kiss since that is what I have always used.

Are you using telnet or ssh to login? and also are you getting any errors / what does it say when you start it?

Chris
 
he said its saying this:
: bad interpreter: No such file or directory

Which usualy means bad permissions/bad ownership/bad feeding habits.

check the ownership (chown root.root /usr/bin/kiss/), try again.


Im going to put this on the servers at work today :)
 
Don't add it to /etc/rc.local and if it doesnt work / you get locked out a restart will load up without starting the firewall. I believe Kiss V2.0 is set not to lock you out if its wrong anyway,just ensure you leave your current SSH window open whilst you get another window logged into SSH.

Chris
 
I should have explained things better. Installation is not really a problem with APF, except that some kernel modules cannot be found at load times.
The problem is that Passive FTP and some apps like wget don't work anymore afterwards unless you leave every high port open which defeats the purpose of having a tight firewall.
 
Mark, I don't know, but it would be strange if nobody could install firewalls in VPS. I don't see why would anybody want to use a VPS in that case.
 
to be honest i dont actualy know how a VPS works, having always had the luxury of dedicated servers.. But your right, it does seem strange if it wouldnt work.

Anyway, enough spamming these forums for me, i gotta get ready for work :)
 
Thanks for the notification. Can i ask if you get any errors anywhere when installing / running it?

Chris
 
When trying to tun it I get :
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
 
Sounds like you problem is quite simple, IP tables does not exist within your VPS.

Are you sure you do have this installed?

Chris
 
Yes.
I get this :
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

when running iptables -L

and a lot more when starting apf.

APF is also complaining about a lot of missing modules but it does start and it does partially work. It's just unusable in a production server.

I can't find a working firewall
 
Back
Top