
Author Topic: Iptables Best Rules for Kloxo-MR  (Read 13037 times)


Offline befree22

Re: Iptables Best Rules for Kloxo-MR
« Reply #15 on: 2014-01-25, 22:03:42 »
Quote from: chrisf
I would suggest CSF and I can help you - the install process is easy and it watches everything.

And if you later have more servers you can configure it to cluster and block i.p.'s across your cluster.

It notifies you of ssh access, sudo su access.

I have directories that should never change (web) it watches them - if potential hack does occur I know in real time.

It beats LxGuard every time.  I have LxGuard set to 5 - CSF to 10.  CSF always blocks the i.p. before LxGuard.  I think it deals with when and how frequent it reads the logs.

Memory is minimal - processes are minimal. (although it is running so it does take a small footprint)

If you need help let me know.  There are some rules for csf.pignore Kloxo specific so you don't get a million emails about "suspicious process".

I learnt most from hours of research and trial and error.  But I know that CSF blocks about 10 i.p.'s a day (temporary blocks) for port scanning. (10 hits on ports not available)

I am interested in this one ;)

Do you have any tutorial?

Hi Christopher,

I have Kloxo-MR on Nginx.

1. Can you help me with CSF? Your tutorial link is dead.

2. In this thread, MRatwork stated that "All my servers not use IPTables/CSF because I think if using nginx-proxy we already have protect by nginx. Kloxo-MR panel (also Kloxo) have lxguard to protect ssh and ftp port."
On webhosting talk people say that you better have a good firewall if you disable IPtables. My IPtables are enabled and websites are on Cloudflare but that didn't prevent ddos attack.
I want to do everything I can to prevent ddos, especially after reading Mratwork's post at http://forum.mratwork.com/kloxo-mr-technical-helps/help-fix-admin-misconfiguration-to-protect-real-ip-address-on-cloudflare/msg27943/#msg27943

3. Can you use CSF as a 'GUI for SSH' like Webmin?

FYI: I'm a total newbie to ssh and I'd like to run commands and fix problems myself (with forum users help). Mratwork told me that I have no ssh access because SolusVM java applet is not updated to use for ssh: "Latest java applet used by Kloxo-MR as the same as java applet by Virtualizor. Old java applet is 'sshterm-applet' and the new one is 'jcterm'. Only SolusVM able to change this applet in their product."
« Last Edit: 2014-01-25, 23:03:25 by befree22 »
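
The threshold behaviour described in the quoted post above (a temporary block after 10 hits on ports that are not available), sketched as an added example that is not part of the original thread and is not CSF's or LxGuard's own code. It assumes dropped packets are logged by the iptables LOG target with a made-up `FW-DROP: ` prefix; the 300-second window, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the kernel format written by the iptables LOG target.
# The "FW-DROP: " prefix, host name and addresses (RFC 5737 ranges) are made up.
SAMPLE_LOG = "\n".join(
    [f"Jan 25 22:00:{i:02d} vps kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 "
     f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={1000 + i} SYN" for i in range(12)]
    + ["Jan 25 22:00:05 vps kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 "
       "DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23 SYN",
       "Jan 25 22:30:00 vps kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 "
       "DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=3389 SYN"]
)

# Requiring DPT= means only packets aimed at a port (TCP/UDP) are counted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?FW-DROP: .*?SRC=(?P<src>\S+) .*?DPT=\d+"
)

def find_port_scanners(log_text, limit=10, window_seconds=300, year=2014):
    """Return {source_ip: time the limit was reached} for sources with
    `limit` dropped connection attempts inside a sliding time window."""
    recent = defaultdict(deque)      # source -> timestamps of recent drops
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a firewall drop line
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["src"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=window_seconds):
            hits.popleft()           # forget drops older than the window
        if len(hits) >= limit and m["src"] not in flagged:
            flagged[m["src"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_port_scanners(SAMPLE_LOG).items():
        print(f"{ip} reached the limit at {when}: candidate for a temporary block")
```

A lower limit trips earlier on the same traffic, which is consistent with the quoted observation that the two tools block at different moments depending on their settings and how often they read the logs.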

Offline MRatWork

Re: Iptables Best Rules for Kloxo-MR
« Reply #16 on: 2014-01-26, 09:25:19 »
@befree22,

What do you think about 'DDOS'? Please explain 'DDOS' and what the evidence is of a DDOS attack on your VPS.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline befree22

Re: Iptables Best Rules for Kloxo-MR
« Reply #17 on: 2014-01-26, 17:33:54 »
A forum post on webhostingtalk stated that "A DDoS attack does not lead to your sites being hacked, a DDoS attack can only take your server offline. Besides, a good DDoS attack generally means choking the network line before the server so it's nothing a web server can do something about. And I don't think a web server can prevent your sites from being hacked as well as that's generally due to shoddy code and weak passwords."

My server wasn't taken offline but I lost access to Kloxo-MR login panel and my sites were hacked.

Here is proof:

1. My sites were hacked. The wp-config.php file for one file was BLANK, hence the white screen of death on the site. I restored the wp-config file and the site is working fine now.
The malicious hacker gained direct access to the server files. The other 2 sites' blank page was caused by a plugin, namely Contact Form 7.

2. Please view the Lxguard image showing ip connections on this post: http://forum.mratwork.com/kloxo-mr-technical-helps/help-fix-admin-misconfiguration-to-protect-real-ip-address-on-cloudflare/msg28749/#msg28749

The webhostingtalk said that the hacker played with the firewall. He suggested purging rules and checking files for backdoors. And changing ssh port which I will do. The post is at http://www.webhostingtalk.com/showthread.php?s=83b40952a1aaab203dff36456ec85ed2&p=8989928#post8989928

3. I will apply the limit connection address code at http://forum.mratwork.com/kloxo-mr-technical-helps/help-fix-admin-misconfiguration-to-protect-real-ip-address-on-cloudflare/msg27943/#msg27943 

4. A few forum posters are against disabling ip tables. I will install CSF firewall when Christopher sends instructions specific to Kloxo-MR.

Offline MRatWork

Re: Iptables Best Rules for Kloxo-MR
« Reply #18 on: 2014-01-26, 17:59:13 »
It looks like your website application (for example WordPress) has a plugin which contains 'evil' code.

Lxguard works well where lxguard is able to block 'illegal' access (login attempts up to a certain number of times).

A firewall (like iptables/csf; you can think of lxguard as a 'firewall' too because it has the same function) is not able to help you if your website has 'evil' code.

You can open 'rkhunter log' in 'log manager' to find out 'illegal' actions.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

Re: Iptables Best Rules for Kloxo-MR
« Reply #19 on: 2014-01-26, 18:11:00 »
I disagree, I use CSF in a 6 server cluster.  CSF watches everything, in near real time, and alerts you for all kinds of malicious intent.  The post is in tips and tricks.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline fossxplorer

Re: Iptables Best Rules for Kloxo-MR
« Reply #20 on: 2014-01-27, 20:54:59 »
Unfortunately, the link doesn't work anymore. I think it got broken after the forum upgrade a while back.
Kloxo-MR!

Offline chrisf

Re: Iptables Best Rules for Kloxo-MR
« Reply #21 on: 2014-01-27, 21:41:09 »
http://forum.mratwork.com/kloxo-mr-tips-and-tricks/installing-csf-alongside-kloxomr-(how-to)/

In reading your posts I am getting the impression you are very new at managing a server.  A DDOS attack has nothing to do with hacking.  You appear to have undergone a 'brute force attack' and a hacker obtained your passwords.

Root access had to be obtained to change iptable rules.  I hope you reinstalled the OS and reinstalled KloxoMR.

No, CSF is not a GUI for SSH.  It is a firewall.  I think you misunderstood Mustafa.  SSH java-applet in KloxoMR has nothing to do with solusVM.
« Last Edit: 2014-01-27, 21:47:32 by chrisf »
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

 

