[PLUGIN] ConfigServer Security & Firewall

simba

Verified User
Joined
Oct 13, 2012
Messages
48
Hello,

Is it a stable and recommended product?

I would like to have something to improve Apache 2.4 + PHP 5.4.7 security on CentOS 6.

Will I have problems installing it? Could some guys share opinions?

Thanks!
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
It's a pretty nice product.

Ofc it can help improve security, but server-wide; it is a firewall.

You'll need to set it up correctly (the default config is a good start) to get better security.

It has a nice web interface integrated with DA, with a security check in it as well.

Regards
 

simba

Thanks for the recommendation.

Installed it without problems, but the server is missing /etc/init.d/syslog.
I guess the server does not have syslog installed? It's CentOS 6.

Is syslog needed for CSF? Should I install it, and how?

Thanks
 

simba

I don't get any; just reading the readme I found out that:

To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.
And I was wondering if I should have it.
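The readme passage above tells you to check /etc/init.d/syslog for commented-out klogd lines. The following is an added example, not code from the thread, CSF or DirectAdmin: it performs that check on a sysklogd-style init script, and goes one step beyond the readme by also handling the rsyslog case that later turns out to apply here, where kernel logging is provided by the imklog module loaded in /etc/rsyslog.conf ("$ModLoad imklog" in rsyslog 5.x legacy syntax, or module(load="imklog") in newer RainerScript syntax). Both sample files are constructed; the /etc/init.d/syslog and /etc/rsyslog.conf paths are the CentOS 6 defaults.

```python
import os
import re

# Constructed sample of a sysklogd-style /etc/init.d/syslog start() block,
# with the klogd line commented out the way the CSF readme warns about.
# Not copied from any real server.
SYSKLOGD_INIT_SAMPLE = """\
start() {
    echo -n $"Starting system logger: "
    daemon syslogd $SYSLOGD_OPTIONS
    # daemon klogd $KLOGD_OPTIONS
}
"""

# Constructed sample of the MODULES section of an rsyslog 5.x /etc/rsyslog.conf.
RSYSLOG_CONF_SAMPLE = """\
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
"""


def _code_part(line):
    """Return the part of a config/script line before any '#' comment."""
    return line.split("#", 1)[0]


def klogd_enabled_in_init_script(text):
    """sysklogd case: True if some uncommented line of /etc/init.d/syslog
    mentions klogd (i.e. the daemon is actually started)."""
    return any("klogd" in _code_part(line) for line in text.splitlines())


_LEGACY_IMKLOG = re.compile(r"^\s*\$ModLoad\s+imklog\b")
_RAINER_IMKLOG = re.compile(r'^\s*module\s*\(\s*load\s*=\s*"imklog"')


def imklog_enabled_in_rsyslog_conf(text):
    """rsyslog case: True if the kernel-log input module imklog is loaded,
    in either the legacy or the RainerScript syntax."""
    return any(
        _LEGACY_IMKLOG.match(_code_part(line)) or _RAINER_IMKLOG.match(_code_part(line))
        for line in text.splitlines()
    )


def kernel_logging_status(init_script="/etc/init.d/syslog", rsyslog_conf="/etc/rsyslog.conf"):
    """Report which daemon's config exists on this host and whether kernel
    logging is switched on in it. Returns a dict; absent files give None values."""
    status = {"daemon": None, "kernel_logging": None}
    if os.path.exists(rsyslog_conf):
        with open(rsyslog_conf) as fh:
            status["daemon"] = "rsyslog"
            status["kernel_logging"] = imklog_enabled_in_rsyslog_conf(fh.read())
    elif os.path.exists(init_script):
        with open(init_script) as fh:
            status["daemon"] = "sysklogd"
            status["kernel_logging"] = klogd_enabled_in_init_script(fh.read())
    return status


if __name__ == "__main__":
    print("sample init script, klogd enabled:", klogd_enabled_in_init_script(SYSKLOGD_INIT_SAMPLE))
    print("sample rsyslog.conf, imklog loaded:", imklog_enabled_in_rsyslog_conf(RSYSLOG_CONF_SAMPLE))
    print("this host:", kernel_logging_status())
```

Without kernel logging, the LOG rules CSF installs for dropped packets produce nothing, so the lfd reports built on them stay empty; the script only reads the files and changes nothing.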
 

simba

It comes preinstalled with the latest CentOS and DirectAdmin. Don't know why it isn't there.

How could I install it?
 

simba

By the way, after installing CSF, I noticed:

2012:10:15-23:25:02: Error rereading service proftpd : uid 0 gid 0 : /sbin/service proftpd reread >>/dev/null 2>>/dev/null
2012:10:15-23:25:02: proftpd didn't reread properly, re-starting
2012:10:15-23:25:02: Error restarting service proftpd : uid 0 gid 0 : /sbin/service proftpd restart >>/dev/null 2>>/dev/null
in /var/log/directadmin/errortaskq.log

But I run only Pure-FTPd; FTP works correctly, no other errors. Who is making the system believe there is ProFTPD?
 

simba

Hm, yum says it's already installed. But I can't find its configuration file, nor can CSF. Maybe DirectAdmin / CustomBuild places it in a different place?
 

SeLLeRoNe

You don't have /etc/syslog.conf?

Regarding FTP, it is curious; I don't see how it should be related to CSF, unless it expects just ProFTPD... you should check csf.conf oO

Regards
 

simba

Thanks for your help.
No, I don't have /etc/syslog.conf.

About ProFTPD, it was only those 3 errors; I keep watching for more.
 

simba

Doh, for some reason I have rsyslog:

[root@my~]# syslogd -v
-bash: syslogd: command not found
[root@my~]# rsyslogd -v
rsyslogd 5.8.10, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No

See http://www.rsyslog.com for more information.
That is solved.

I have another problem:
I get fail2ban errors like: fail2ban-SSH returned 200 or 100

After reading about it, it seems like synchronization issues with iptables.

After thinking about it, I have "Parse service logs for brute force attacks" in DirectAdmin on. And CSF has its own fail2ban.

Should I disable the DirectAdmin option?
 

SeLLeRoNe

mmmh, no, you don't need to disable BFM, you need to integrate it.. but this SSH error is curious. Were you already using iptables without CSF? Is iptables installed?

Regards
 

simba

Yes, they are installed.
I think I solved that by changing the SSH port, after reading some Russian forum. Fail2ban stopped complaining about SSH.

After changing the SSH port, do I need to open it in the firewall? I chose 50000, but without opening it in the firewall it still works.

However, I see a couple of errors for Dovecot:

<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'
...
fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200
Is it anything I should worry about?

Thank you!
 

SeLLeRoNe

Your IP is probably in the whitelist because it is the IP that installed CSF. That's why it still works for you.

Regarding the second problem, honestly I've no idea... Sorry

Regards
 

simba

Ok, so the errors are not stopping. I ran the commands directly and this is what I found out (for each one: the error log entry, then the actual error message when typed directly):

Error log entry:
fail2ban.actions.action: ERROR iptables -N fail2ban-sasl#012iptables -A fail2ban-sasl -j RETURN#012iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 200
Typed directly:
iptables v1.4.7: Cannot use -A with -Z

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap#012iptables -F fail2ban-dovecot-pop3imap#012iptables -X fail2ban-dovecot-pop3imap returned 100
Typed directly:
iptables v1.4.7: Invalid target name `fail2ban-dovecot-pop3imap#012iptables' (31 chars max)

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport smtp -j fail2ban-sasl#012iptables -F fail2ban-sasl#012iptables -X fail2ban-sasl returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ftp -j fail2ban-pure-ftpd#012iptables -F fail2ban-pure-ftpd#012iptables -X fail2ban-pure-ftpd returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200
Typed directly:
iptables v1.4.7: Cannot use -A with -Z

Error log entry:
<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'
Typed directly:
...no command to run...

Is it bad naming in CSF?
Maybe somebody could help?
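The "#012" inside these log lines is not part of the iptables command: rsyslog writes control characters as "#" followed by three octal digits, and octal 012 is the newline that separated the lines of fail2ban's multi-line action. Typed into a shell undecoded, the whole thing becomes one command with a chain name such as "fail2ban-dovecot-pop3imap#012iptables", which is what the "(31 chars max)" and "Cannot use -F with -D" messages are complaining about. The following is an added example, not code from the thread, fail2ban or CSF: it takes action error lines like the ones quoted above (the sample lines are constructed from them), decodes the "#012" escapes back into the separate iptables commands, flags chain arguments that would exceed the limit quoted in the iptables 1.4.7 message if run undecoded, and checks the "No 'host' group" filter error against fail2ban's requirement that every failregex carry a named host group (which the <HOST> tag expands to). The 31-character limit is taken from the thread's error message, not from the iptables source.

```python
import re

# Constructed from the fail2ban error lines quoted in this thread; chain names
# and return codes are the ones shown above, nothing else is from a real server.
SAMPLE_LOG = [
    "fail2ban.actions.action: ERROR iptables -N fail2ban-sasl#012iptables -A fail2ban-sasl -j RETURN#012iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 200",
    "fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap#012iptables -F fail2ban-dovecot-pop3imap#012iptables -X fail2ban-dovecot-pop3imap returned 100",
    "fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\\(dovecot:auth\\):'",
]

# Chain-name limit as quoted by the iptables v1.4.7 error message in the thread.
CHAIN_NAME_MAX = 31

ACTION_ERR = re.compile(r"fail2ban\.actions\.action:\s+ERROR\s+(?P<cmd>.*?)\s+returned\s+(?P<rc>\d+)\s*$")
FILTER_ERR = re.compile(r"fail2ban\.filter\s*:\s+ERROR\s+No 'host' group in '(?P<regex>.*)'\s*$")


def decode_syslog_escapes(s):
    """rsyslog writes control characters as '#' plus three octal digits, so
    '#012' is the newline that separated the lines of a multi-line action."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def split_action(raw):
    """Turn a logged multi-line action back into its individual commands."""
    return [c.strip() for c in decode_syslog_escapes(raw).split("\n") if c.strip()]


def chain_args(cmd):
    """Collect the chain/target names given to -N, -F, -X and -j in one command string."""
    toks = cmd.split()
    return [toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("-N", "-F", "-X", "-j")]


def analyse_action_error(line):
    """Decode one 'fail2ban.actions.action: ERROR ... returned N' line.
    'overlong_if_undecoded' lists the chain arguments that would exceed
    CHAIN_NAME_MAX if the line were pasted into a shell without decoding."""
    m = ACTION_ERR.search(line)
    if not m:
        return None
    raw = m.group("cmd")
    return {
        "rc": int(m.group("rc")),
        "commands": split_action(raw),
        "overlong_if_undecoded": [a for a in chain_args(raw) if len(a) > CHAIN_NAME_MAX],
    }


def failregex_has_host(failregex):
    """fail2ban needs a named 'host' group in every failregex; the <HOST> tag
    expands to one. A pattern with neither can never extract an IP to ban."""
    return "<HOST>" in failregex or "(?P<host>" in failregex


def analyse_filter_error(line):
    """Decode a "No 'host' group" filter error and say whether the regex it
    quotes carries a host group at all."""
    m = FILTER_ERR.search(line)
    if not m:
        return None
    return {"regex": m.group("regex"), "has_host": failregex_has_host(m.group("regex"))}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyse_action_error(line) or analyse_filter_error(line))
```

Running the decoded commands one at a time (or feeding them to `sh` with real newlines) reproduces what fail2ban actually executed; the return code fail2ban logs is the exit status of that command sequence, so a 100/200 after decoding usually points at a chain that already exists or is already gone, not at a naming problem in the action file.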
 

webquarry

Verified User
Joined
Mar 19, 2004
Messages
177
I can report that this works great for us on CentOS 6. Saves a lot of hassle in the event a user is running a PHP script that isn't secure, by giving us a heads up and preventing the PHP shell that gets installed from being usable.

Quick question that I haven't had time to figure out: I have the need to block access to port 25 on ONE IP address on a server. (I want to use that IP for no-listing purposes.) Anyone know how/where I set that up in CSF?
 