Firewall/DOS protection guide?

svan (New member, joined Jul 6, 2008, 3 messages)
My system has been getting hit by script kiddies. I tried changing the SSH port, but they're playing with FTP now.

What is a good firewall/DOS protection?

Thanks in advance to everyone!
 
I recommend installing CSF and LFD at a minimum. You can read about them at the ConfigServer website.

Installation is pretty simple:

cd /downloads (or any other folder you use to keep software downloads in)
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Then edit /etc/csf/csf.conf accordingly. Here's a list of ports that should work with a default DirectAdmin installation:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,111,587,953,2222,3306,32769"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,43,53,80,110,143,113,443,953,9999,587,111,953,2222,3306,32769"

# Allow incoming UDP ports
UDP_IN = "20,21,22,53,953,143,111,631,724,5353,32768,32809,587"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,22,43,53,113,143,123,953,111,631,724,5353,32768,32809,587"

You'll want to customize these for your own setup. When you've set everything up, edit the conf file again so that

TESTING = "0"

Then

/usr/sbin/csf -r
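Before flipping TESTING to "0" it is worth checking that every entry in the four port lists is a real port or range; a fused entry such as "587953" (587 and 953 run together) is not a valid port and CSF will not open 953 on its behalf. The script below is an added example, not part of the post above or of CSF itself; the sample csf.conf lines it checks are constructed for the demo.

```shell
#!/bin/sh
# Validate CSF-style port lists: each entry must be a port 1-65535 or a
# range lo:hi with lo < hi (e.g. 33434:33523 for outgoing traceroute).

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Check one comma-separated list; prints each bad entry, returns 1 if any.
check_port_list() {
    bad=0
    IFS=','
    for entry in $1; do
        case "$entry" in
            *:*)
                lo=${entry%%:*}; hi=${entry#*:}
                if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -ge "$hi" ]; then
                    echo "bad range: $entry"; bad=1
                fi ;;
            *)
                valid_port "$entry" || { echo "bad port: $entry"; bad=1; } ;;
        esac
    done
    unset IFS
    return $bad
}

# Check the four TCP/UDP lists in a csf.conf; returns 1 if any list is bad.
check_csf_conf() {
    rc=0
    for key in TCP_IN TCP_OUT UDP_IN UDP_OUT; do
        list=$(sed -n "s/^$key *= *\"\([^\"]*\)\".*/\1/p" "$1")
        check_port_list "$list" || { echo "$key: invalid entries"; rc=1; }
    done
    return $rc
}

# Constructed sample containing the fused "587953" entry from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,111,587,587953,2222,3306,32769"
UDP_OUT = "20,21,22,43,53,113,143,123,953,111,631,724,5353,32768,32809,587,33434:33523"
EOF
if check_csf_conf "$sample"; then echo "port lists OK"; else echo "fix csf.conf first"; fi
rm -f "$sample"
```

Run it against the real /etc/csf/csf.conf and only set TESTING = "0" once it reports the lists as OK.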
 
Mike,

I believe that a browser-based interface is only available for cPanel and Webmin. You may be able to install Webmin on your DA server, but I wouldn't recommend it. I've never used the browser interface so I can't tell you how well it works. The configuration file is very detailed and easy to use. Each configuration setting has a description of what it does. Let me know if you get stuck and I'll help as best I can.
 
Thanks chriswb, I will install it today and try to configure it as you posted here. If I encounter any problem then I'll let you know.

Thanks again.

But before that, does this installation require iptables? Because the last time I checked, my current VPS wasn't configured with iptables, so I can't run KISS on my VPS.
 
Hello, I am running CSF / LFD on 4 boxes with DirectAdmin and I use Webmin for a graphical interface. It works really well. :)
 
You could also have a look at:
- denyhosts: automatically adds an IP to /etc/hosts.deny when a login fails e.g. 10 times.
- logwatch: sends an automatic e-mail once a day with firewall info, executed crons, SSH logins, etc.
- chkrootkit and rkhunter

Kris
 
Not sure CSF is recommended. I mean, my CSF firewall blocked innocent traffic. Got 150 people complaining.
 
What are your CT_ settings?
We are using CSF on all our servers and there were only 2 complaints :)
 
You can also limit your ports, as some services may not need to be open to external connections.
In most cases the MySQL port doesn't need to be open, as your clients will use localhost to connect to their databases from their scripts.
And if you don't give SSH access to your clients, limit your SSH access to 2 hosts that you trust (if you can have 2 SSH accounts, or machines with static IPs).
For example, on my server I only allow 2 hosts to access port 22 and I connect through them.
mod_evasive and mod_security are a good help in preventing DoS attacks and exploits against your web server.
If you use *BSD (I don't know if iptables has this support now) you can use pf to limit connections to services (you can set how many connections per second you allow per IP, etc.).
The most important thing, though, is to keep your services up to date. I suggest that, if you are experienced with Linux, you replace DA's services with your OS's packages or even build from source, so you get the updates as soon as they are posted.
 
I use APF and a DDoS protection that is supposed to work together with APF. It uses iptables and does a pretty decent job at blocking these kiddie scripts. You can set limits such as how many connections before banning and how long the ban period is. Maybe you should also look into mod_evasive, where you can set limits on how many pages a client views before his IP is blacklisted. I set my mod_evasive limits pretty high, yet users are still getting blacklisted, so it shows that some people do try to hack or overload my servers ;).
 
I use APF and a DDoS protection that is supposed to work together with APF. It uses iptables and does a pretty decent job at blocking these kiddie scripts. You can set limits such as how many connections before banning and how long the ban period is. Maybe you should also look into mod_evasive, where you can set limits on how many pages a client views before his IP is blacklisted. I set my mod_evasive limits pretty high, yet users are still getting blacklisted, so it shows that some people do try to hack or overload my servers ;).

CSF does everything you described :)
But it is easier and more customisable.
 
qwe, you have to install the Webmin module. It's located in the standard installation file. I believe the filename for the module is csfwebmin.tgz
 