DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0

All ports are closed besides what's in the configs at the top of the script ;)

443 is the https://, so unless you don't use SSL you would be wanting that ;)
 
phriendly-Mark said:
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)


^^ where can I get such scripts (the monitoring, clientexec and mostly the MSN script)
 
Maybe a bug in Kiss, but with kiss on you can't update DA.
Turn kiss off and update DA and there is no problem.
my KISS details:
BLOCK_LIST="Some IP adresses"
TCP_IN="21 25 53 80 110 143 2222"
TCP_OUT="21 22 25 37 43 53 80"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="myIPadres/0"

Tips to update DA without closing the firewall?
 
vandal said:
^^ where can I get such scripts (the monitoring, clientexec and mostly the MSN script)

You can use command line messenger clients I would assume, although I don't have the exact information.

Chris
 
sander815 said:
does kiss have some sort of ddos protection like APF?

http://www.rfxnetworks.com/apf.php


- antidos subsystem to stop attacks before they become a significant threat

and does it support auto update for the dshield block list? kiss i mean

It has its own way of preventing DOS attacks, although it's of course not perfect, neither is the one for APF.

It doesn't have any support for dshield, you can incorporate it yourself if you wish, use any other block lists etc... as default the only blocks are what you specify.

Chris
 
deltaned said:
I try but it doesn't work.
Maybe because I blocked telnet?

What error are you getting? Can you successfully connect to the DA website from your server? Can you update the license also...

Does it work when you turn the firewall off?

Chris
 
If I don't want people pinging my machine, what do I do?


##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


TRUSTED_IPS="0.0.0.0/0" <- change this in kiss?
 
sander815 said:

for trusted_ips in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

comment out the part I've quoted ;)

Chris
 
sander815 said:
if i want to block a certain port for a certain ip connecting, what do i do?

try:

Code:
iptables -I INPUT -s 111.111.111.111 --destination-port 22 -j DROP

ip/port

Chris
 
Do I just execute that at the prompt?

I get an error
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.
[
 
On my Fedora 2 machine I get after command: kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Tips?
The default firewall of Fedora is off.
 
sander815 said:
Do I just execute that at the prompt?

I get an error
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.
[


Please, anyone? How do I use this?
I need to block a certain IP that keeps connecting to port 53, like every 4-5 seconds, constantly
 
Try this one, again, untested

Code:
iptables -A INPUT -i eth0 -s *BLOCKIP* -d *SERVERIP* -p tcp -m state --state NEW --dport *PORT* -j DROP

Chris
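
An added example, not part of the original posts and not code from KISS or APF: the "Unknown arg `--destination-port'" error above appears when the port match is given without a protocol, because iptables only accepts `--destination-port`/`--dport` after `-p tcp` or `-p udp`. The hypothetical helper `build_block_rules` below validates the address and port, then prints the rules for review rather than applying them; the sample address is constructed.

```shell
#!/bin/sh
# Added example: build_block_rules is a hypothetical helper, not part of KISS.
# It prints iptables commands for review instead of applying them.

# Succeed only if $1 is a dotted-quad IPv4 address (each octet 0-255).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only if $1 is an integer port in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one DROP rule per protocol for source IP $1 and destination port $2.
# $3 is an optional protocol list; the default covers DNS, which uses both.
build_block_rules() {
    src=$1; port=$2; protos=${3:-"tcp udp"}
    valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    for proto in $protos; do
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol: $proto" >&2; return 1 ;;
        esac
        # -p must precede --dport: the port match is only available once a
        # protocol is selected, otherwise iptables reports "Unknown arg".
        echo "iptables -I INPUT -s $src -p $proto --dport $port -j DROP"
    done
}

# Constructed sample: 203.0.113.7 is a documentation address (RFC 5737).
build_block_rules 203.0.113.7 53
```

A pasted argument such as `212.0.2.1--destination-port` (address and option run together, as in the session above) fails the address check instead of reaching iptables.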
 
I'm running Fedora Core 1 with Direct Admin. I haven't touched the server except for the DA installation.

This is the error I get when trying to run kiss:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Maybe I'm going off topic with this post, but how exactly do I install those modules if they "don't exist"?

Thanks in advance.
 
Check the following, logged in as root:

$ rpm -qa | grep iptables

Here are my results when I do this on my local desktop system:

[jlasman@da1 nobaloney.net]$ rpm -qa | grep iptables
iptables-1.2.5-3
iptables-ipv6-1.2.5-3
[jlasman@da1 nobaloney.net]$

Your results may differ.

What do you get?

Jeff
 