[PLUGIN] ConfigServer Security & Firewall

Hello,

Is it a stable and recommended product?

I would like to have something to improve Apache 2.4 + PHP 5.4.7 security on CentOS 6.

Will I have problems installing it? Could some guys share their opinions?

Thanks!
 
It is a pretty nice product.

Of course it can help improve security, but server-wide; it is a firewall.

You'll need to set it up correctly (the default config is a good start) to get better security.

It has a nice web interface integrated with DA, with a security check in it as well.

Regards
 
Thanks for the recommendation.

Installed it without problems, but the server is missing /etc/init.d/syslog.
I guess the server does not have syslog installed? It's CentOS 6.

Is syslog needed for CSF? Should I install it, and how?

Thanks
 
I don't get any;
just reading the readme, I found out that:

To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.

And I was wondering if I should have it.
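The readme passage quoted above is written for sysklogd, where a separate klogd process carries kernel messages. CentOS 6 ships rsyslog instead, so there is no /etc/init.d/syslog; the init script is /etc/init.d/rsyslog, and kernel messages (including iptables LOG hits) are read by rsyslog's imklog module, enabled by an uncommented `$ModLoad imklog` line in /etc/rsyslog.conf, followed by `service rsyslog restart` after any change. The script below is an added example, not part of this thread or of CSF: it checks whichever of the two files exists and reports whether kernel logging is actually enabled. The configuration excerpts embedded in it are constructed for the stand-alone run; the path constants are the CentOS 6 defaults.

```python
import os
import re

# Paths on a CentOS 6 box: rsyslog is the stock syslog daemon, while
# /etc/init.d/syslog is the sysklogd script the CSF readme refers to.
RSYSLOG_CONF = "/etc/rsyslog.conf"
SYSKLOGD_INIT = "/etc/init.d/syslog"

# Constructed excerpts so the checks can be exercised without the real files.
RSYSLOG_ENABLED = "$ModLoad imuxsock\n$ModLoad imklog\n*.info;mail.none /var/log/messages\n"
RSYSLOG_DISABLED = "$ModLoad imuxsock\n#$ModLoad imklog   # disabled on this VPS\n"
SYSKLOGD_ENABLED = "daemon syslogd $SYSLOGD_OPTIONS\ndaemon klogd $KLOGD_OPTIONS\n"
SYSKLOGD_DISABLED = "daemon syslogd $SYSLOGD_OPTIONS\n#daemon klogd $KLOGD_OPTIONS\n"

# rsyslog 5 legacy directive, plus the newer module(load=...) form.
IMKLOG_RE = re.compile(r'^(\$ModLoad\s+imklog(\.so)?|module\(\s*load="imklog"\s*\))')


def active_lines(text):
    """Yield non-blank lines that are not commented out."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def rsyslog_loads_imklog(conf_text):
    """True if rsyslog.conf loads the kernel-log input module on a live line."""
    return any(IMKLOG_RE.match(line) for line in active_lines(conf_text))


def sysklogd_starts_klogd(init_text):
    """True if the sysklogd init script still starts klogd (klogd lines not commented out)."""
    return any(re.search(r"\bklogd\b", line) for line in active_lines(init_text))


def kernel_logging_status(rsyslog_text=None, sysklogd_text=None):
    """Return (daemon, enabled). rsyslog wins when both files exist, as on CentOS 6."""
    if rsyslog_text is not None:
        return "rsyslog", rsyslog_loads_imklog(rsyslog_text)
    if sysklogd_text is not None:
        return "sysklogd", sysklogd_starts_klogd(sysklogd_text)
    return "none", False


def read_if_exists(path):
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    daemon, enabled = kernel_logging_status(read_if_exists(RSYSLOG_CONF),
                                            read_if_exists(SYSKLOGD_INIT))
    print("daemon=%s kernel_logging=%s" % (daemon, "enabled" if enabled else "DISABLED"))
    if daemon == "rsyslog" and not enabled:
        print("uncomment '$ModLoad imklog' in %s, then: service rsyslog restart" % RSYSLOG_CONF)
```

Run it as root on the server; with kernel logging enabled, iptables LOG entries from CSF's chains show up in /var/log/messages, which is what lfd reads to report blocked connections.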
 
It comes preinstalled with the latest CentOS and DirectAdmin. I don't know why it isn't there.

How could I install it?
 
By the way, after installing CSF, I noticed:

2012:10:15-23:25:02: Error rereading service proftpd : uid 0 gid 0 : /sbin/service proftpd reread >>/dev/null 2>>/dev/null
2012:10:15-23:25:02: proftpd didn't reread properly, re-starting
2012:10:15-23:25:02: Error restarting service proftpd : uid 0 gid 0 : /sbin/service proftpd restart >>/dev/null 2>>/dev/null
in /var/log/directadmin/errortaskq.log

But I run only PureFTPd; FTP works correctly, no other errors. Who is making the system believe there is ProFTPD?
 
Hm, yum says it's already installed. But I can't find its configuration file, nor can CSF. Maybe DirectAdmin / CustomBuild places it in a different place?
 
You don't have /etc/syslog.conf?

Regarding FTP, it is curious; I don't see how it should be related to CSF, unless it expects just ProFTPD... you should check csf.conf oO

Regards
 
Thanks for your help.
No, I don't have /etc/syslog.conf.

About ProFTPD, it was only those 3 errors; I keep watching for more.
 
Doh, for some reason I have rsyslog:

[root@my~]# syslogd -v
-bash: syslogd: command not found
[root@my~]# rsyslogd -v
rsyslogd 5.8.10, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No

See http://www.rsyslog.com for more information.
That is solved.

I have another problem:
I get fail2ban errors like: fail2ban-SSH returned 200 or 100

After reading about it, it seems like synchronization issues with iptables.

After thinking about it: I have "Parse service logs for brute force attacks" turned on in DirectAdmin. And CSF has its own fail2ban.

Should I disable the DirectAdmin option?
 
mmmh, no, you don't need to disable BFM, you need to integrate it... but this SSH error is curious. Were you already using iptables without CSF? Is iptables installed?

Regards
 
Yes, they are installed.
I think I solved that by changing the SSH port, after reading some Russian forum. Fail2ban stopped complaining about SSH.

After changing the SSH port, do I need to open it in the firewall? I chose 50000, but without opening it in the firewall it still works.

However, I see a couple of errors for Dovecot:

<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'
...
fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200

Is it anything I should worry about?

Thank you!
 
Your IP is probably in the whitelist because it is the IP that installed CSF. That's why it still works for you.

Regarding the second problem, honestly, I've no idea... Sorry

Regards
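The whitelist explanation above can be checked rather than guessed: CSF keeps its inbound port list in /etc/csf/csf.conf as `TCP_IN = "..."` (comma-separated ports, `lo:hi` for ranges), and addresses in /etc/csf/csf.allow are allowed through regardless of that list. The script below is an added example, not CSF's own tooling or code from this thread: it reads both settings and reports why a given source IP can reach a port, with a before/after csf.conf excerpt showing the port 22 to 50000 move. The file excerpts and the IPs in it are constructed; lines in csf.allow using CSF's advanced `tcp|in|...` syntax are deliberately skipped, an assumption noted in the code.

```python
import ipaddress
import re

# Constructed excerpts standing in for /etc/csf/csf.conf and /etc/csf/csf.allow.
CSF_CONF_BEFORE = 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\n'
CSF_CONF_AFTER = 'TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,50000"\n'
CSF_ALLOW = "# installer's workstation, added by csf at install time\n203.0.113.10\n"


def tcp_in_ports(conf_text):
    """Expand the TCP_IN setting into a set of port numbers (handles lo:hi ranges)."""
    m = re.search(r'^TCP_IN\s*=\s*"([^"]*)"', conf_text, re.M)
    if m is None:
        raise ValueError("no TCP_IN setting found")
    ports = set()
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def allowed_networks(allow_text):
    """Parse plain IP / CIDR lines from csf.allow; '#' starts a comment."""
    nets = []
    for line in allow_text.splitlines():
        line = line.split("#", 1)[0].strip()
        # Assumption: advanced per-port entries (tcp|in|d=...|s=...) are ignored here.
        if not line or "|" in line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def why_reachable(src_ip, port, conf_text, allow_text):
    """Explain whether src_ip can reach port through CSF's inbound rules."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in allowed_networks(allow_text)):
        return "allowed: source IP is in csf.allow, so TCP_IN does not apply to it"
    if port in tcp_in_ports(conf_text):
        return "open: port %d is in TCP_IN" % port
    return "blocked: port %d not in TCP_IN and source IP not in csf.allow" % port


if __name__ == "__main__":
    with open("/etc/csf/csf.conf") as fh:
        conf = fh.read()
    with open("/etc/csf/csf.allow") as fh:
        allow = fh.read()
    print(why_reachable("198.51.100.7", 50000, conf, allow))
```

The point of the test from a second, non-whitelisted address is that "it still works for me" proves nothing about the port being open; after adding 50000 to TCP_IN, remove 22 from it and run `csf -r` so the old port is actually closed.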
 
OK, so the errors are not stopping; I ran the commands directly and this is what I found out (each error log entry, followed by the actual error message when typed directly):

Error log entry:
fail2ban.actions.action: ERROR iptables -N fail2ban-sasl#012iptables -A fail2ban-sasl -j RETURN#012iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 200
Typed directly:
iptables v1.4.7: Cannot use -A with -Z

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap#012iptables -F fail2ban-dovecot-pop3imap#012iptables -X fail2ban-dovecot-pop3imap returned 100
Typed directly:
iptables v1.4.7: Invalid target name `fail2ban-dovecot-pop3imap#012iptables' (31 chars max)

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport smtp -j fail2ban-sasl#012iptables -F fail2ban-sasl#012iptables -X fail2ban-sasl returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ftp -j fail2ban-pure-ftpd#012iptables -F fail2ban-pure-ftpd#012iptables -X fail2ban-pure-ftpd returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 100
Typed directly:
iptables v1.4.7: Cannot use -F with -D

Error log entry:
fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot-pop3imap#012iptables -A fail2ban-dovecot-pop3imap -j RETURN#012iptables -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j fail2ban-dovecot-pop3imap returned 200
Typed directly:
iptables v1.4.7: Cannot use -A with -Z

Error log entry:
<27>fail2ban.filter : ERROR No 'host' group in 'dovecot-auth: pam_unix\(dovecot:auth\):'
Typed directly:
...no command to run...

Is it bad naming in CSF?
Maybe somebody could help?
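The "typed directly" errors above are an artefact of how the lines were pasted, not of the chain names: `#012` is rsyslog's octal escape for a newline (ASCII 10), because fail2ban's actionstart/actionstop for an iptables jail is several commands separated by newlines. Pasting the line with the literal `#012` makes iptables see one long argument such as `fail2ban-dovecot-pop3imap#012iptables`, which is exactly what the "31 chars max", "Cannot use -A with -Z" and "Cannot use -F with -D" messages complain about. The number after "returned" is also encoded: fail2ban 0.8 logged the raw os.system() wait status in hex, so `returned 200` is exit status 2 and `returned 100` is exit status 1 from iptables. The script below is an added example, not part of this thread, CSF or fail2ban: it decodes such log lines, splits them into the individual iptables commands, and can run them one at a time (as root, with `execute=True`) so the real failing command and its stderr become visible. The two log lines embedded in it are copies of the constructed sample used for the stand-alone run.

```python
import re
import shlex
import subprocess

# Constructed sample lines in the shape fail2ban 0.8.x writes to syslog; rsyslog has
# replaced the newline between the individual iptables commands with "#012".
SAMPLE_LINES = [
    "fail2ban.actions.action: ERROR iptables -N fail2ban-sasl#012iptables -A fail2ban-sasl"
    " -j RETURN#012iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 200",
    "fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH"
    "#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 100",
]

ACTION_RE = re.compile(
    r"fail2ban\.actions\.action: ERROR (?P<cmd>.*) returned (?P<status>[0-9a-fA-F]+)$")
OCTAL_ESCAPE_RE = re.compile(r"#([0-7]{3})")


def decode_syslog_escapes(text):
    """Undo rsyslog's control-character escaping: '#ooo' (octal) back to the byte."""
    return OCTAL_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_action_error(line):
    """Return (commands, exit_code) for one fail2ban action ERROR line, else None."""
    m = ACTION_RE.search(line)
    if m is None:
        return None
    commands = [c.strip() for c in decode_syslog_escapes(m.group("cmd")).split("\n")
                if c.strip()]
    wait_status = int(m.group("status"), 16)   # os.system() wait status, logged in hex
    exit_code = (wait_status >> 8) & 0xFF      # high byte is the program's exit status
    return commands, exit_code


def run_commands(commands, execute=False):
    """Run each command separately; stop at the first failure and keep its stderr.

    With execute=False (the default) nothing is run and the plan is returned as-is,
    so the function is safe to call on a box where you are not root.
    """
    results = []
    for cmd in commands:
        if not execute:
            results.append((cmd, None, ""))
            continue
        proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
        results.append((cmd, proc.returncode, proc.stderr.strip()))
        if proc.returncode != 0:
            break
    return results


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        commands, code = parse_action_error(line)
        print("iptables exit status %d; commands fail2ban tried, in order:" % code)
        for cmd, _, _ in run_commands(commands):
            print("   ", cmd)
```

Running the decoded commands one by one is the check worth doing here: exit status 1 on `iptables -D ...` or `-X ...` usually means the chain or rule was already gone, and exit status 2 on `-N`/`-I` points at a bad argument in the rule itself, so the stderr of the single failing command says which, instead of the combined "returned 200" line.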
 
I can report that this works great for us on CentOS 6. It saves a lot of hassle in the event a user is running a PHP script that isn't secure, by giving us a heads-up and preventing the PHP shell that gets installed from being usable.

Quick question that I haven't had time to figure out: I have the need to block access to port 25 on ONE IP address on a server. (I want to use that IP for no-listing purposes.) Does anyone know how/where I set that up in CSF?
 