[PLUGIN] ConfigServer Security & Firewall

[simba]

Hello,

Is it stable and recommended product?

I would like to have something to improve apache 2.4 + php 5.4.7 security on CentOS 6.

Will i have problems installing it, could some guys share opinions?

Thanks!

 

[SeLLeRoNe]

Is a pretty nice product.

Ofc can help improove security but server-wide, is a firewall.

You'll need to set it up correctly (the default config is a good start) for get better security.

Got a nice Web interface integrated with DA with a security check in it aswell.

Regards

 

[simba]

Thanks for recommendation.

Installed it without problems, but server is missing /etc/init.d/syslog .
I guess server does not have syslog installed ? It's centOS 6 .

Is syslog needed for CSF , should i install it and how?

Thanks

 

[SeLLeRoNe]

What error does you got?

Regards

 

[simba]

I dont' get any,
just reading readme i found out that :

To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.

And was wondering if i should have it.

 

[SeLLeRoNe]

Yes, you should. Why dont you have that?

Regards

 

[simba]

It comes preinstalled with latest centOS and directadmin. Don't know why it isn't there.

How could i install it?

 

[SeLLeRoNe]

yum install syslog

Regards

 

[simba]

By the way, after installing CSF, i noticed:

2012:10:15-23:25:02: Error rereading service proftpd : uid 0 gid 0 : /sbin/service proftpd reread >>/dev/null 2>>/dev/null
2012:10:15-23:25:02: proftpd didn't reread properly, re-starting
2012:10:15-23:25:02: Error restarting service proftpd : uid 0 gid 0 : /sbin/service proftpd restart >>/dev/null 2>>/dev/null

in /var/log/directadmin/errortaskq.log

But i run only pureFTPD , ftp works correctly, no other errors. Who is making system believe there is proFTPD ?

 

[simba]

Hm, yum says it's already installed. But i can't find it's configuration file, nor can CSF . Maybe directadmin / custombuild places in different place?

 

[SeLLeRoNe]

You dont have /etc/syslog.conf?

Regarding FTP is courios, i dont see how should be related to CSF, unless it expect just proFTPD... you should check csf.conf oO

Regards

 

[simba]

Thanks for your help.
No, i haven't /etc/syslog.conf

About proFTPD it was only those 3 errors, i keep watching for more.

 

[SeLLeRoNe]

That's strange...

Check here: http://www.softpanorama.org/Logs/syslog.shtml

Regards

 

[simba]

Doh, i somewhy have rsyslog:

[root@my~]# syslogd -v
-bash: syslogd: command not found
[root@my~]# rsyslogd -v
rsyslogd 5.8.10, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No

See http://www.rsyslog.com for more information.

That is solved.

I have another problem:
I get fail2ban errors like : fail2ban-SSH returned 200 or 100

After reading about it it seems like synchronization issues with ip tables

After thinking about it i have "Parse service logs for brute force attacks " in directadmin on. And CSF has it's own fail2ban.

Should i disable directadmin option?

 

[SeLLeRoNe]

mmmh, no you dont need to disable BFM, you need to integrate it.. but this SSh error is courios, Was you already using iptables without csf? Is iptables installed?

Regards

 

[simba]

Yes, they are installed.
I think i solved that by changing SSH port, after reading some russian forum. Fail2ban stopped complaining about SSH.

After changing SSH port do i need open it in firewall? I chose 50000 but without opening it in firewall it still works.

However i see couple errors for dovecot:

¿<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'
...
fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200

Is it anything i should worry about?

Thank you!

 

[SeLLeRoNe]

You IP is probably in whitelist cause is the IP that installed CSF. That's why still work for you.

Regarding the second problem, honestly i've no idea... Sorry

Regards

 

[simba]

Ok, so errors is not stopping, i ran commands directly and this is what i found out.
Error log entry
Actual error message when typed directly

fail2ban.actions.action: ERROR iptables -N fail2ban-sasl#012iptables -A fail2ban-sasl -j RETURN#012iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 200

iptables v1.4.7: Cannot use -A with -Z


fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap#012iptables -F fail2ban-dovecot-pop3imap#012iptables -X fail2ban-dovecot-pop3imap returned 100


iptables v1.4.7: Invalid target name `fail2ban-dovecot-pop3imap#012iptables' (31 chars max)


fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport smtp -j fail2ban-sasl#012iptables -F fail2ban-sasl#012iptables -X fail2ban-sasl returned 100

iptables v1.4.7: Cannot use -F with -D


fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ftp -j fail2ban-pure-ftpd#012iptables -F fail2ban-pure-ftpd#012iptables -X fail2ban-pure-ftpd returned 100

iptables v1.4.7: Cannot use -F with -D

fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 100

iptables v1.4.7: Cannot use -F with -D

fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200

iptables v1.4.7: Cannot use -A with -Z

¿<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'

...no command to run...

Is it bad naming in CSF?
maybe somebody could help?

 

[SeLLeRoNe]

Honestly i dont know, maybe someone would have a fix for this.

Regards

 

[webquarry]

I can report that this works great for us on centos 6. Saves a lot of hassle in the event a user is running a php script that isn't secure by giving us a heads up and preventing the php shell that gets installed from being usable.

Quick question that I haven't had time to figure out: I have the need to block access to port 25 on ONE IP address on a server. (I want to use that IP for no-listing purposes). Anyone know how/where I set that up in CFS?