Installing CSF alongside KloxoMR (how to)

[chrisf]

Since a few users wanted to use CSF firewall with Kloxo MR I am writing detailed instructions on how to do so:
It is assumed you have KloxoMR installed and all is running properly first.
Install CSF Firewall

Code: [Select]

yum install perl-libwww-perl
cd /tmp
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
Now we must edit some configuration options for CSF. The line numbers I am listing are reported from "vim" editor. You can go directly to that line by issuing ":#" where # is the actual line number.

Code: [Select]

cd /etc/csf/
vim csf.conf
If your line numbers are different just search for the option and set it.
Example "/TESTING" will search the file for TESTING.

Code: [Select]

Line 8:
TESTING="0"
Line 51:
TCP_IN="7777,7778,20:21,22,25,53,80,110,143,443,465,587,993,995,30000:50000"
Line 54:
TCP_OUT="7777,7778,20:21,22,25,53,80,110,143,443,43,30000:50000"
Line 57:
UDP_IN="53"
Line 61:
UDP_OUT="53,123"
If you use custom port for SSH (22) please change it to your port in lines 51 and 54.
Example: if you use 77722 for SSH - change 22 to 77722 in TCP_IN and TCP_OUT
If you do not use IPv6 change the following to "" or to the same as above.
Example: TCP6_IN same as TCP_IN.
Line 134: TCP6_IN, Line 137: TCP6_OUT, Line 140: UDP6_IN, Line 144: UDP6_OUT.

Code: [Select]

Line 303:
SYNFLOOD="1"
Line 431:
LF_ALERT_TO="youremail@somewhere.com"
Set this to the email you want all emails alerting you something is wrong or happening on your server. I WOULD not use an email located on your server. Use a gmail or other. I setup a gmail just for alerts. Be sure to check spam folder and set alerts from your server as "Not Spam".

Code: [Select]

Line 1103:
PT_LIMIT="180"
Line 1163:
PT_USERMEM="300"
Line 1170:
PT_USERTIME="2000"
That is it for csf.conf - save the file (:x or :w). REMEMBER all of the above options are in the conf file - do not add these - change the ones listed in the conf file
Next - csf.pignore file - this file keeps the firewall from complaining about some processes that are legitimate.

Code: [Select]

vim csf.pignore
ADD these lines to the end of the file:

Code: [Select]

exe:/usr/bin/tcpserver
exe:/var/qmail/bin/splogger
pexe:/var/qmail/bin/qmail.*
exe:/usr/bin/freshclam
exe:/usr/sbin/clamd
exe:/usr/libexec/mysqld
exe:/usr/sbin/httpd
exe:/usr/sbin/hiawatha
exe:/usr/sbin/nginx
exe:/bin/tinydns
pcmd:php-fpm: pool .*
cmd:spamd child
Save file (:x or :w)
Restart CSF and LFD service:

Code: [Select]

csf -r
service lfd restart
Done. To check, login to SSH - an alert will be sent to the email you setup letting you know someone accessed SSH.
If you get alerts DO NOT panic - sometimes you have to check, some processes trigger alerts but are safe. If you are unsure - post here with report: we will investigate together
There are ALOT of configuration options - I would suggest reading through csf.conf - it is very detailed. Some options are not available on some servers. If you have a question ask here.
Do:

Code: [Select]

csf --help
This will show you commands to add/deny an IP manually and other options.

If you have any questions, ASK.

[prandah]

Hi
thanks for your post
i already set this csf before
but i just want ask, maybe you have more knowledge about this

i had some issue with plugin (wordpress)
when i try enable some plugin , website will gave "Internal Server Error". but when i turnoff my CSF / plugin website will back normal

my question is,  i want to exclude this user from csf, how to do that ?
or exclude some directory for thats plugin
example path of my user

/home/user/domain.com/wp-content/plugins/xxx

where xxx is plugin name

thanks in advance

[MRatWork]

Need port 7776 and 7779 open also.

[chrisf]

Need port 7776 and 7779 open also.

You only need these two ports added to TCP_IN and TCP_OUT if you have a Kloxo Cluster - Master/Slave.

All localhost/127.0.0.1 connections to any port are never blocked by CSF.

@goblog:
I have no idea with the information you provided as to why CSF would cause such effect to a wordpress plugin.  Please report the alert from CSF.  What wordpress plugin?  Did you change any of the advanced settings?  Process Kill or Connection Limits?

Yes you can ignore any linux user (every client in Kloxo is a user) edit csf.pignore and add:

Code: [Select]

user:example

Change example to the user you want CSF to ignore.

This is NOT advised!  This stops all watching of that user and if something gets hacked or something is wrong with that user you will never know.

[prgs1971]

It was me that ask for this tutorial to @chrisf... Many thanks for this very clean and detailed tutorial.

I have applied it very easily in Kloxo-Mr and in another open source panel 8-)

[prgs1971]

Once @chrisf already advise to change SYNFLOOD i think that for newbies will be good to know how it works

Code: [Select]

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
                 
it means that:
     1. if 100 connections per second happens more than 150 times, from the same IP, this IP will be blocked.
     2. When SYNFLOOD is triggered, will slow down alll icoming connections from any IP, including legitm connections.
--------------------------------

I found also 2 other interesting settings:

CONNLIMIT        
    - find it around line 323
 

Code: [Select]

CONNLIMIT = ""    - change to:
                   

Code: [Select]

CONNLIMIT = "22;5,80;20"                        > it means that:
                            1. Only allow up to 5 concurrent new connections to port 22 per IP address
                            2. Only allow up to 20 concurrent new connections to port 80 per IP address
                            Note: Existing connections are not included in the count, only new SYN packets, i.e. new connections.
------------------------------------

PORTFLOOD    
   - find it around line 339

Code: [Select]

PORTFLOOD = ""   - change to:
                   

Code: [Select]

PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"                        > it means that:
                            1. 22;tcp;5;300 - If more than 5 connections to tcp port 22 within 300 seconds, then block
                            that IP address from port 22 for at least 300 seconds after the last packet is
                            seen, i.e. there must be a "quiet" period of 300 seconds before the block is
                            lifted
                            2. 80;tcp;20;5 - If more than 20 connections to tcp port 80 within 5 seconds, then block
                            that IP address from port 80 for at least 5 seconds after the last packet is
                            seen, i.e. there must be a "quiet" period of 5 seconds before the block is
                            lifted

You can read more about it here http://configserver.com/free/csf/readme.txt

@chrisf do you agree with this settings?

[chrisf]

No, some of them settings are way to restrictive and will cause problems.

Second, ALL of those configuration options rely on additional modules for iptables that not all servers have installed.

csf comes with a test script to know if all modules are installed and if you can use those options.

CONNLIMIT for port 80 should be set no lower than 50 - more like 75 or even 100.  On a busy CMS site - say Joomla or Dolphin - every connection to the server is counted.  UNDERSTAND - every picture - every .js file - every .css file - ajax requests.  It is easy to reach 50 legitimately.

Same with PORTFLOOD - port 80 resitrictions are WAY to high for any dynamic site.  On a Dolphin CMS site I have easily reached 60 in a second on page load (css, js, images, html, ajax)  if the page has 100 pictures -- your settings with block every user who clicks that page.

[prgs1971]

Second, ALL of those configuration options rely on additional modules for iptables that not all servers have installed.

csf comes with a test script to know if all modules are installed and if you can use those options.

Thank you for the alert, but i have noticed that script and in my case i have all installed

CONNLIMIT for port 80 should be set no lower than 50 - more like 75 or even 100. On a busy CMS site - say Joomla or Dolphin - every connection to the server is counted. UNDERSTAND - every picture - every .js file - every .css file - ajax requests. It is easy to reach 50 legitimately.

Same with PORTFLOOD - port 80 resitrictions are WAY to high for any dynamic site. On a Dolphin CMS site I have easily reached 60 in a second on page load (css, js, images, html, ajax) if the page has 100 pictures -- your settings with block every user who clicks that page.

Silly of me  :geek: .... i must be very tired to don't remember tha i have client with stores that make more than 200 requests on load, therefore they should do around 60 to 70 requests per second.

Thank you very much to point me this out  8-)

[chrisf]

In KloxoMR latest, one of the webmail clients is using the /tmp/ directory to compile and cache web output (smarty template system - I think).

CSF does not like php files being in the /tmp and will start sending you mass emails.

This will fix that

Code: [Select]

vim /etc/csf/csf.fignore

ADD this to the bottom

Code: [Select]

/tmp/%.*

Done.

[prgs1971]

Thanks to share this tip

[ibuxxi]

how to open  "openvpn" server

[chrisf]

I do not understand your question.  How to open it how?  The ports will be the same as any vps -- unless you have custom software needing other ports as well.

[cmdman]

@chris

thanks for this guide

i followed this steps on my test vps  i faced problems my own ip got blocked iam able to access site ,ssh etc..

when i use my vpn its worked all  , can we have  updated this tut if anything need update for latest version of Kloxo-MR

my version..

A. Kloxo-MR: 6.5.0.f-2014011001

B. OS: CentOS release 6.5 (Final) x86_64

C. Apps:
   1. MySQL: mysql-5.5.34-1.el6.x86_64
   2. PHP: php53u-5.3.28-1.ius.el6.x86_64
   3. Httpd: httpd-2.2.26-1.el6.x86_64
   4. Lighttpd: --uninstalled--
   5. Nginx: --uninstalled--
   6. Qmail: qmail-toaster-1.03-1.3.35.mr.el6.x86_64
      - with: courier-imap-toaster-4.1.2-1.3.14.mr.el6.x86_64
   7. Dns: bind-9.9.4-1.P2.el6.x86_64

D. Php-type (for Httpd/proxy): mod_php_ruid2

E. Memory:
                total       used       free     shared    buffers     cached
   Mem:          6144       2040       4103          0          0        249
   -/+ buffers/cache:       1791       4352
   Swap:            0          0          0

[MRatWork]

I found chris's mail server reject email sending by this forum. I found this issue in 'qmail queue' of this server.

[chrisf]

The installation has not changed, if you blocked yourself, it suspected you as doing something you shouldn't have.  You can whitelist your own IP so that never happens.

Mustafa, that is interesting.  That is not from CSF, that is from spamdyke.  I just added spamcop, spamhaus, and another DNS blacklist to spamdyke.  As well as turned on all the spamdyke features.  I will check my maillogs.  Are you blacklisted?