[PLUGIN] ConfigServer Security & Firewall

21secolo

Verified User
Joined
Aug 8, 2007
Messages
33
Location
Italy - Rome
Havig a problem now. When I disable the firewall, I can't enable it again from within DA because I get this message:

Is there a way to fix restrictions so I don't need to login to the root shell to enable it again?
same message if you try to update it... I need fix too!
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,200
Location
The Netherlands
I doubt someone knows a simple fix, I think its just build this way and you have to run it from commandline.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
I just got a reply from the Configserver crew. It's not possible due to the DA use of mod_perl so you have to start it again from console. So there is no fix or other way.
 

ErBergez

Verified User
Joined
Dec 20, 2009
Messages
11
Location
Los Angeles, CA
CSF -u Command Not Found - Help

Hi -

I have installed and I have been running CSF for many years; however, this evening I went to upgrade CSF by logging into the server via SSH --> su to Root and entered the command:

[root@server ~]$ csf -u

However, my server replied: -bash: csf: command not found.

Am I missing something? Should I be in a particular directory?

I have a 2nd server and successfully upgrade CSF with the above process. So now I'm totally lost...

I'm not an expert Linux user so any help or suggestions would be greatly appreciated.

Thank you,

Eric
BCN, Inc.
 

nadlerz

Verified User
Joined
Apr 29, 2012
Messages
142
How to fix?

Code:
Check /tmp is mounted as a filesystem	WARNING	/tmp should be mounted as a separate filesystem with the noexec,nosuid options set
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
@nadlerz:

Post the output of running thes on your server:
Code:
$ df -h
and
Code:
$ cat /etc/fstab
Jeff
 

polad

New member
Joined
May 19, 2012
Messages
2
I recive this error in check security whith CSF
Unable to resolve nameserver [ns2.***.com] within 5 seconds
AND
At least one of the configured nameservers:
ns1.***.com
ns2.***.com
should be located in a topologically and geographically dispersed location on the Internet - See RFC 2182 (Section 3.1)
how to resolve this?
Same issue here, any solution?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
For the first error, figure out why your nameserver isn't responding. If it's on the same server as your first nameserver, then the IP# may not be resolving.

For the second error, either rent a small VPS somewhere else to use for Slave DNS, make an arrangement with someone else using DirectAdmin to share DNS services, or buy slaveDNS from me or someone else who offers it.

Note if you're going to contact me, please use email (address below in my siglines) rather than PM as I answer email more quickly.

Jeff
 

Anton

Verified User
Joined
Oct 6, 2010
Messages
104
Location
Iceland
Thank you very much for this plugin this has stopped allot of unwanted ip's to my server
 

groomy

Verified User
Joined
Dec 16, 2011
Messages
261
Location
AUGNY (France)
Hi, in Centos i have this problem :
# sh install.sh

Configuring for OS

Running csf DirectAdmin installer

Installing csf and lfd

Check we're running as root

Checking Perl modules...
Can't locate LWP/UserAgent.pm in @INC (@INC contains: /etc/csf /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at (eval 19) line 2.
BEGIN failed--compilation aborted at (eval 19) line 2.
Using configuration defaults

You need to install the missing perl modules and then install csf
Thanks...
 

webquarry

Verified User
Joined
Mar 19, 2004
Messages
177
Just added this to one of my servers and initial impressions is that it is great. Should be part of DA's standard install in my opinion.

I notice that I am getting a ton of warning emails like this one:

----------------

Subject: lfd on one.of.my.servers.com: Suspicious process running under user xxxxx
Date: October 7, 2012 3:44:07 PM PDT
To: root@one.of.my.servers.com


Time: Sun Oct 7 15:44:07 2012 -0700
PID: 13424
Account: xxxxx
Uptime: 77 seconds


Executable:

/usr/libexec/dovecot/imap


Command Line (often faked in exploits):

dovecot/imap [user@theirdomain.com xxx.xxx.xxx.xxx]


Network connections by the process (if any):

tcp: xxx.xxx.xxx.xxx:143 -> xxx.xxx.xxx.xxx:55236


Files open by the process (if any):

/dev/null
/dev/null
anon_inode:[eventpoll]
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log (deleted)
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index (deleted)
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot-uidlist
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log


Memory maps by the process (if any):

00110000-00111000 r-xp 00000000 00:00 0 [vdso]
00111000-00164000 r-xp 00000000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00164000-00166000 r--p 00052000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00166000-00169000 rw-p 00054000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00169000-0016c000 r-xp 00000000 fd:00 36701070 /lib/libdl-2.12.so
0016c000-0016d000 r--p 00002000 fd:00 36701070 /lib/libdl-2.12.so
0016d000-0016e000 rw-p 00003000 fd:00 36701070 /lib/libdl-2.12.so
0016e000-00175000 r-xp 00000000 fd:00 36701118 /lib/librt-2.12.so
00175000-00176000 r--p 00006000 fd:00 36701118 /lib/librt-2.12.so
00176000-00177000 rw-p 00007000 fd:00 36701118 /lib/librt-2.12.so
00177000-0018c000 r-xp 00000000 fd:00 36701140 /lib/libresolv-2.12.so
0018c000-0018d000 ---p 00015000 fd:00 36701140 /lib/libresolv-2.12.so
0018d000-0018e000 r--p 00015000 fd:00 36701140 /lib/libresolv-2.12.so
0018e000-0018f000 rw-p 00016000 fd:00 36701140 /lib/libresolv-2.12.so
0018f000-00191000 rw-p 00000000 00:00 0
00191000-001a8000 r-xp 00000000 fd:00 36701078 /lib/libpthread-2.12.so
001a8000-001a9000 r--p 00016000 fd:00 36701078 /lib/libpthread-2.12.so
001a9000-001aa000 rw-p 00017000 fd:00 36701078 /lib/libpthread-2.12.so
001aa000-001ac000 rw-p 00000000 00:00 0
001ac000-001c9000 r-xp 00000000 fd:00 36701120 /lib/libselinux.so.1
001c9000-001ca000 r--p 0001c000 fd:00 36701120 /lib/libselinux.so.1
001ca000-001cb000 rw-p 0001d000 fd:00 36701120 /lib/libselinux.so.1
0022e000-0024c000 r-xp 00000000 fd:00 36701041 /lib/ld-2.12.so
0024c000-0024d000 r--p 0001d000 fd:00 36701041 /lib/ld-2.12.so
0024d000-0024e000 rw-p 0001e000 fd:00 36701041 /lib/ld-2.12.so
00254000-003e4000 r-xp 00000000 fd:00 36701044 /lib/libc-2.12.so
003e4000-003e6000 r--p 0018f000 fd:00 36701044 /lib/libc-2.12.so
003e6000-003e7000 rw-p 00191000 fd:00 36701044 /lib/libc-2.12.so
003e7000-003ea000 rw-p 00000000 00:00 0
003ea000-0055f000 r-xp 00000000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
0055f000-00560000 ---p 00175000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
00560000-0056e000 r--p 00175000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
0056e000-00574000 rw-p 00183000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
00574000-00577000 rw-p 00000000 00:00 0
0059c000-005a8000 r-xp 00000000 fd:00 36701079 /lib/libnss_files-2.12.so
005a8000-005a9000 r--p 0000b000 fd:00 36701079 /lib/libnss_files-2.12.so
005a9000-005aa000 rw-p 0000c000 fd:00 36701079 /lib/libnss_files-2.12.so
0061a000-0061d000 r-xp 00000000 fd:00 36701150 /lib/libcom_err.so.2.1
0061d000-0061e000 r--p 00002000 fd:00 36701150 /lib/libcom_err.so.2.1
0061e000-0061f000 rw-p 00003000 fd:00 36701150 /lib/libcom_err.so.2.1
00621000-0064a000 r-xp 00000000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064a000-0064b000 ---p 00029000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064b000-0064c000 r--p 00029000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064c000-0064d000 rw-p 0002a000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064f000-00658000 r-xp 00000000 fd:00 36701148 /lib/libkrb5support.so.0.1
00658000-00659000 r--p 00008000 fd:00 36701148 /lib/libkrb5support.so.0.1
00659000-0065a000 rw-p 00009000 fd:00 36701148 /lib/libkrb5support.so.0.1
0065c000-00699000 r-xp 00000000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
00699000-0069a000 r--p 0003c000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
0069a000-0069b000 rw-p 0003d000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
006e2000-007c4000 r-xp 00000000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
007c4000-007c6000 r--p 000e1000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
007c6000-007ca000 rw-p 000e3000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
00800000-0087b000 r-xp 00000000 fd:00 57806001 /usr/lib/dovecot/libdovecot.so.0.0.0
0087b000-0087d000 rw-p 0007b000 fd:00 57806001 /usr/lib/dovecot/libdovecot.so.0.0.0
0087d000-0087f000 rw-p 00000000 00:00 0
00884000-00953000 r-xp 00000000 fd:00 36701152 /lib/libkrb5.so.3.3
00953000-00959000 r--p 000ce000 fd:00 36701152 /lib/libkrb5.so.3.3
00959000-0095a000 rw-p 000d4000 fd:00 36701152 /lib/libkrb5.so.3.3
0095c000-0095e000 r-xp 00000000 fd:00 36701147 /lib/libkeyutils.so.1.3
0095e000-0095f000 r--p 00001000 fd:00 36701147 /lib/libkeyutils.so.1.3
0095f000-00960000 rw-p 00002000 fd:00 36701147 /lib/libkeyutils.so.1.3
00aad000-00ac0000 r-xp 00000000 fd:00 57677888 /usr/local/lib/libz.so.1.2.3
00ac0000-00ac1000 rw-p 00012000 fd:00 57677888 /usr/local/lib/libz.so.1.2.3
00efb000-00ff1000 r-xp 00000000 fd:00 57677937 /usr/local/lib/libiconv.so.2.5.1
00ff1000-00ff2000 rw-p 000f6000 fd:00 57677937 /usr/local/lib/libiconv.so.2.5.1
08048000-08064000 r-xp 00000000 fd:00 57952133 /usr/libexec/dovecot/imap
08064000-08065000 r--p 0001b000 fd:00 57952133 /usr/libexec/dovecot/imap
08065000-08066000 rw-p 0001c000 fd:00 57952133 /usr/libexec/dovecot/imap
0818a000-0820a000 rw-p 00000000 00:00 0 [heap]
b7819000-b7831000 r--s 00000000 fd:00 28198865 /home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log (deleted)
b7831000-b7836000 rw-p 00000000 00:00 0
b7846000-b7847000 rw-p 00000000 00:00 0
bff0a000-bff1f000 rw-p 00000000 00:00 0 [stack]

---------------
Now I like the idea of something that looks for suspicious processes but obviously this is just some user communicating with their mailbox and I don't need to be warned about it.

Is there a way to exempt proceses like this from being reported on without disabling the email notifications entirely?
 

webquarry

Verified User
Joined
Mar 19, 2004
Messages
177
Just added this to one of my servers and initial impressions is that it is great. Should be part of DA's standard install in my opinion.

I notice that I am getting a ton of warning emails like this one:

----------------

Subject: lfd on one.of.my.servers.com: Suspicious process running under user xxxxx
Date: October 7, 2012 3:44:07 PM PDT
To: root@one.of.my.servers.com


Time: Sun Oct 7 15:44:07 2012 -0700
PID: 13424
Account: xxxxx
Uptime: 77 seconds


Executable:

/usr/libexec/dovecot/imap


Command Line (often faked in exploits):

dovecot/imap [user@theirdomain.com xxx.xxx.xxx.xxx]


Network connections by the process (if any):

tcp: xxx.xxx.xxx.xxx:143 -> xxx.xxx.xxx.xxx:55236


Files open by the process (if any):

/dev/null
/dev/null
anon_inode:[eventpoll]
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log (deleted)
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index (deleted)
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot-uidlist
/home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log


Memory maps by the process (if any):

00110000-00111000 r-xp 00000000 00:00 0 [vdso]
00111000-00164000 r-xp 00000000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00164000-00166000 r--p 00052000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00166000-00169000 rw-p 00054000 fd:00 57674090 /usr/lib/libssl.so.1.0.0
00169000-0016c000 r-xp 00000000 fd:00 36701070 /lib/libdl-2.12.so
0016c000-0016d000 r--p 00002000 fd:00 36701070 /lib/libdl-2.12.so
0016d000-0016e000 rw-p 00003000 fd:00 36701070 /lib/libdl-2.12.so
0016e000-00175000 r-xp 00000000 fd:00 36701118 /lib/librt-2.12.so
00175000-00176000 r--p 00006000 fd:00 36701118 /lib/librt-2.12.so
00176000-00177000 rw-p 00007000 fd:00 36701118 /lib/librt-2.12.so
00177000-0018c000 r-xp 00000000 fd:00 36701140 /lib/libresolv-2.12.so
0018c000-0018d000 ---p 00015000 fd:00 36701140 /lib/libresolv-2.12.so
0018d000-0018e000 r--p 00015000 fd:00 36701140 /lib/libresolv-2.12.so
0018e000-0018f000 rw-p 00016000 fd:00 36701140 /lib/libresolv-2.12.so
0018f000-00191000 rw-p 00000000 00:00 0
00191000-001a8000 r-xp 00000000 fd:00 36701078 /lib/libpthread-2.12.so
001a8000-001a9000 r--p 00016000 fd:00 36701078 /lib/libpthread-2.12.so
001a9000-001aa000 rw-p 00017000 fd:00 36701078 /lib/libpthread-2.12.so
001aa000-001ac000 rw-p 00000000 00:00 0
001ac000-001c9000 r-xp 00000000 fd:00 36701120 /lib/libselinux.so.1
001c9000-001ca000 r--p 0001c000 fd:00 36701120 /lib/libselinux.so.1
001ca000-001cb000 rw-p 0001d000 fd:00 36701120 /lib/libselinux.so.1
0022e000-0024c000 r-xp 00000000 fd:00 36701041 /lib/ld-2.12.so
0024c000-0024d000 r--p 0001d000 fd:00 36701041 /lib/ld-2.12.so
0024d000-0024e000 rw-p 0001e000 fd:00 36701041 /lib/ld-2.12.so
00254000-003e4000 r-xp 00000000 fd:00 36701044 /lib/libc-2.12.so
003e4000-003e6000 r--p 0018f000 fd:00 36701044 /lib/libc-2.12.so
003e6000-003e7000 rw-p 00191000 fd:00 36701044 /lib/libc-2.12.so
003e7000-003ea000 rw-p 00000000 00:00 0
003ea000-0055f000 r-xp 00000000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
0055f000-00560000 ---p 00175000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
00560000-0056e000 r--p 00175000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
0056e000-00574000 rw-p 00183000 fd:00 57673522 /usr/lib/libcrypto.so.1.0.0
00574000-00577000 rw-p 00000000 00:00 0
0059c000-005a8000 r-xp 00000000 fd:00 36701079 /lib/libnss_files-2.12.so
005a8000-005a9000 r--p 0000b000 fd:00 36701079 /lib/libnss_files-2.12.so
005a9000-005aa000 rw-p 0000c000 fd:00 36701079 /lib/libnss_files-2.12.so
0061a000-0061d000 r-xp 00000000 fd:00 36701150 /lib/libcom_err.so.2.1
0061d000-0061e000 r--p 00002000 fd:00 36701150 /lib/libcom_err.so.2.1
0061e000-0061f000 rw-p 00003000 fd:00 36701150 /lib/libcom_err.so.2.1
00621000-0064a000 r-xp 00000000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064a000-0064b000 ---p 00029000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064b000-0064c000 r--p 00029000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064c000-0064d000 rw-p 0002a000 fd:00 36701149 /lib/libk5crypto.so.3.1
0064f000-00658000 r-xp 00000000 fd:00 36701148 /lib/libkrb5support.so.0.1
00658000-00659000 r--p 00008000 fd:00 36701148 /lib/libkrb5support.so.0.1
00659000-0065a000 rw-p 00009000 fd:00 36701148 /lib/libkrb5support.so.0.1
0065c000-00699000 r-xp 00000000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
00699000-0069a000 r--p 0003c000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
0069a000-0069b000 rw-p 0003d000 fd:00 36701156 /lib/libgssapi_krb5.so.2.2
006e2000-007c4000 r-xp 00000000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
007c4000-007c6000 r--p 000e1000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
007c6000-007ca000 rw-p 000e3000 fd:00 57806007 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
00800000-0087b000 r-xp 00000000 fd:00 57806001 /usr/lib/dovecot/libdovecot.so.0.0.0
0087b000-0087d000 rw-p 0007b000 fd:00 57806001 /usr/lib/dovecot/libdovecot.so.0.0.0
0087d000-0087f000 rw-p 00000000 00:00 0
00884000-00953000 r-xp 00000000 fd:00 36701152 /lib/libkrb5.so.3.3
00953000-00959000 r--p 000ce000 fd:00 36701152 /lib/libkrb5.so.3.3
00959000-0095a000 rw-p 000d4000 fd:00 36701152 /lib/libkrb5.so.3.3
0095c000-0095e000 r-xp 00000000 fd:00 36701147 /lib/libkeyutils.so.1.3
0095e000-0095f000 r--p 00001000 fd:00 36701147 /lib/libkeyutils.so.1.3
0095f000-00960000 rw-p 00002000 fd:00 36701147 /lib/libkeyutils.so.1.3
00aad000-00ac0000 r-xp 00000000 fd:00 57677888 /usr/local/lib/libz.so.1.2.3
00ac0000-00ac1000 rw-p 00012000 fd:00 57677888 /usr/local/lib/libz.so.1.2.3
00efb000-00ff1000 r-xp 00000000 fd:00 57677937 /usr/local/lib/libiconv.so.2.5.1
00ff1000-00ff2000 rw-p 000f6000 fd:00 57677937 /usr/local/lib/libiconv.so.2.5.1
08048000-08064000 r-xp 00000000 fd:00 57952133 /usr/libexec/dovecot/imap
08064000-08065000 r--p 0001b000 fd:00 57952133 /usr/libexec/dovecot/imap
08065000-08066000 rw-p 0001c000 fd:00 57952133 /usr/libexec/dovecot/imap
0818a000-0820a000 rw-p 00000000 00:00 0 [heap]
b7819000-b7831000 r--s 00000000 fd:00 28198865 /home/xxxxx/imap/theirdomain.com/sbj/Maildir/dovecot.index.log (deleted)
b7831000-b7836000 rw-p 00000000 00:00 0
b7846000-b7847000 rw-p 00000000 00:00 0
bff0a000-bff1f000 rw-p 00000000 00:00 0 [stack]

---------------
Now I like the idea of something that looks for suspicious processes but obviously this is just some user communicating with their mailbox and I don't need to be warned about it.

Is there a way to exempt proceses like this from being reported on without disabling the email notifications entirely?


Wouldn't you know it. I found the answer to my own question just minutes after posting it.... D'oh!

I didn't see the dropdown menu in the "lfd - Login Failure Daemon" section...

I noticed that in the csf.pignore file, there are these two lines:

exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login

on my system (A virgin DA on centOS 6 install using all the defaults) it needed to be changed to:

exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3

Hope that helps someone else...
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Yep, you might encounter also other kindlike notices.
You can disable the notices by excluding them in the csf.pignore if necessary. Sometimes it's also good not to exclude, depends on what it is and what's it doing.

We are using CSF already serveral years on all our servers, it's great, because you can also minimize or maximize the behaviour as you want due to the various configuration options possible.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Just added this to one of my servers and initial impressions is that it is great. Should be part of DA's standard install in my opinion.
Can't do it because it's Linux specific. Won't work with FreeBSD.

Jeff
 

saosangmo

Verified User
Joined
Oct 3, 2012
Messages
120
Location
Hanoi
hi,
After secure my /tmp dir, the maillog warn 2 lines:
Oct 13 02:49:02 csrv01 dovecot: master: Dovecot v2.1.10 starting up (core dumps disabled)
Oct 13 02:49:02 csrv01 dovecot: master: Warning: /tmp is no longer mounted. See http://wiki2.dovecot.org/Mountpoints
How I can solve it?

Code:
[root@csrv01 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root
                       50G  4.9G   42G  11% /
none                  4.9G     0  4.9G   0% /dev/shm
/dev/mapper/ddf1_4c53492020202020808627c3000000004711471100001450p1
                      485M   60M  400M  13% /boot
/dev/mapper/VolGroup-lv_home
                      168G  934M  159G   1% /home
[root@csrv01 ~]#
many thanks
 
Top