
Author Topic: [INFO] Need firewall in Kloxo-MR server?  (Read 16471 times)


Offline MRatWork

[INFO] Need firewall in Kloxo-MR server?
« on: 2014-03-12, 05:01:07 »
Many people are still using IPTables or CSF as a firewall in their Kloxo-MR server. Is it needed?

Look at the facts:

1. Try running 'nmap YOURPUBLICIP' or 'nmap localhost' (you need to install nmap with 'yum install nmap'). You will probably see:
Code:
[root@dev /]# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-03-12 03:34 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1666 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
7777/tcp  open  cbt
7778/tcp  open  interwise


Nmap finished: 1 IP address (1 host up) scanned in 0.256 seconds

2. Explanation:
  • Port 21/22 is already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
  • Port 25/110/143/465/597/993/995 is not an open port (needs login) and is used/handled by qmail-toaster
  • Port 53 is the DNS port and is used/handled by the DNS server
  • Port 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (which means including their -proxy) have a 'ban' mechanism to prevent DDOS attacks. For Apache alone you need mod_security (or similar modules; it needs to be removed/disabled if using nginx-/hiawatha-proxy)
  • Port 3306 is the mysql port; better to disable networking by adding 'skip-networking', or point it to a certain IP with 'bind-address = 127.0.0.1'
  • Port 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not open ports (need login). Because hiawatha is used to run them, they also have the 'ban' mechanism

3. My decision:
  • Always disable IPtables (except for routing purposes)
  • Don't install another firewall (like CSF)
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
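As an added example (not code from the post, from Kloxo-MR or from CSF), a small POSIX shell audit that lists which listening ports fall outside the set the nmap output above shows, and checks whether MySQL is bound to loopback as point 2 recommends. The socket list and my.cnf fragments are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the forum post): compare a server's listening TCP
# ports with the set the thread's nmap output expects, and check how MySQL
# (3306) is bound. Inputs are constructed so it runs offline; on a real server
# use `ss -ltnH | awk '{print $4}'` and the [mysqld] section of /etc/my.cnf.
# Ports the thread treats as expected on a Kloxo-MR server (nmap output above).
EXPECTED_PORTS="21 22 25 53 80 110 143 443 465 587 993 995 7777 7778"

# Constructed sample of `ss -ltnH` local address:port columns.
SAMPLE_LISTEN="0.0.0.0:22
0.0.0.0:25
0.0.0.0:3306
127.0.0.1:7777
0.0.0.0:6379"

# Constructed my.cnf fragments: loopback bind (the thread's recommendation) and skip-networking.
MYCNF_LOOPBACK="[mysqld]
bind-address = 127.0.0.1"
MYCNF_SKIP="[mysqld]
skip-networking"

# unexpected_ports LISTEN_LINES -> prints each listening port not in EXPECTED_PORTS
unexpected_ports() {
  printf '%s\n' "$1" | while IFS= read -r addr; do
    port=${addr##*:}
    case " $EXPECTED_PORTS " in
      *" $port "*) ;;                # expected service, ignore
      *) printf '%s\n' "$port" ;;    # not in the thread's expected set, review it
    esac
  done
}

# mysql_exposed LISTEN_LINES -> succeeds if 3306 listens on a non-loopback address
mysql_exposed() {
  printf '%s\n' "$1" | grep ':3306$' | grep -qv '^127\.0\.0\.1:'
}

# mysql_bind_mode MYCNF_TEXT -> prints skip-networking | loopback | exposed.
# skip-networking closes 3306 entirely (the thread notes it breaks tools that
# reach MySQL over an SSH tunnel); bind-address=127.0.0.1 keeps those working
# while hiding the port from the network.
mysql_bind_mode() {
  if printf '%s\n' "$1" | grep -qE '^[[:space:]]*skip-networking'; then
    echo skip-networking
  elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1'; then
    echo loopback
  else
    echo exposed
  fi
}
```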

Offline chrisf

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #1 on: 2014-03-12, 05:14:15 »
I think this is horrible advice.  Lxguard is not a firewall.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline MRatWork

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #2 on: 2014-03-12, 05:23:02 »
If you fail ssh and ftp login a certain number of times, lxguard will block your IP! Try it.

Offline chrisf

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #3 on: 2014-03-12, 05:37:41 »
That is nothing! A firewall protects against all kinds of attacks. Lxguard is a login failure log reader. And it sucks! I have CSF set to 10 incorrect and lxguard to 10. CSF always catches it first.

What is protecting your mail ports? If I sent multiple requests from multiple IPs per second I could flood your mail server into DOS. CSF watches my mail ports, allows only 10 concurrent connections from one IP, and if flooding, temp blocks for 3600 seconds. 4 temp blocks in 24 hours, permanent block. This is for almost ALL my ports.

FTP, SSH, KloxoMR login failures, vpopmail failures protected by CSF.

My CSF is clustered across 6 servers, all temp/permanent blocks on any server is immediately done across the cluster.

Suspicious process watching, system file changes (immediate alerts), directory/file watching, CPU overload alerts, SSH login alerts, and so much more.

You are advising people to not protect themselves.   As a system admin that is irresponsible.

I would remove this post altogether.
« Last Edit: 2014-03-12, 06:00:19 by chrisf »

Offline chrisf

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #4 on: 2014-03-12, 05:54:20 »
Also, in a large scale DDOS attack, using the webserver, -proxy, with a ban feature, still stresses the webserver, and essentially the ban mechanism itself becomes the DOS.  Your websites go down, as the webserver is too busy playing firewall.

CSF is a much better choice.

Also, let it be known, NO software based protection can stop a large scale DDOS attack, it can only help to mitigate.

Offline zenkul

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #5 on: 2014-03-12, 06:53:31 »
see test result, while under attack https://www.hiawatha-webserver.org/weblog/64

I think additional security is needed, but not for me in the present
easy, secure and speed up web panel ===> Kloxo-MR

Offline Kloxo-DR

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #6 on: 2014-03-12, 07:01:47 »
Hello Chris,
Quote
You are advising people to not protect themselves. As a system admin that is irresponsible.
I would remove this post altogether.

I AM SHOCKED TO SEE THIS POST BY MUSTAFA!

You, Chris, are totally irresponsible to call an irresponsible person that he is irresponsible.

Mustafa should have known that his attempt to convince this world about his attitudes shall never be successful. I took a long time to grasp Mustafa's attitudes in the recent months.

Because Mustafa is sufficiently responsible (!!!) to know about his irresponsibility, he has knowingly placed this post.

So, sarcastically speaking, you, Chris, should be more responsible and stop informing him (!!!) on his irresponsibility and let him remain as well as fully enjoy his irresponsibility, (which is temporary, anyway)!!!

Offline Kloxo-DR

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #7 on: 2014-03-12, 07:13:54 »
Hi Chris;
Quote
Also, in a large scale DDOS attack, using the webserver, -proxy, with a ban feature, still stresses the webserver, and essentially the ban mechanism itself becomes the DOS. Your websites go down, as the webserver is too busy playing firewall.
CSF is a much better choice.

May I share my observation on what you presented:

I have configured csf for port scan on Port=21,22,25 (plus some other ports). I have setup PS_LIMIT=1, PS_INTERVAL=600, PS_DIVERSITY=1.
Further, I configured CT_LIMIT=1 and CT_PORTS=21,22,25!

This captured all smtp connections so vigorously!

I block all offending connections for 6 hours on port scan and connection tracking for 24 hours with temporary. After 4 temporary, they are blocked with PERMBLOCK for a week.

This has "cooled down" the server processes and made resources available for other services.

Csf is just an amazing invention, as good as spamdyke, and has become an inevitable tool for server administrators.



Offline MRatWork

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #8 on: 2014-03-12, 07:21:10 »
I don't advise others not to use a firewall.

I am just showing the fact that I am not using a firewall.

That's it.

Offline Kloxo-DR

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #9 on: 2014-03-12, 07:31:43 »
Hi Mustafa,
Quote
I don't advise others not to use a firewall.
I am just showing the fact that I am not using a firewall.
That's it.

The difference is that we all see how our servers remained under attacks. Those are really scary.

In the past, csf provided an extraordinary prevention against constant attacks from the spammer, while this community seriously attempted to convince you to recompile the Qmailtoaster.

Had I not used csf, I would be thrown at disposal to any security holes in the future. You may not be scared but we all are and csf is like a pullover in winter protecting us.

While you may not use it, or find the need to, it would be worth it to integrate this wonder of protection in Kloxo-MR with very tight integration. This enhancement helps the entire community as against you not using it.

Offline MRatWork

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #10 on: 2014-03-12, 07:37:38 »
Don't discuss firewalls in general.

Discuss which ports (like port 80) must be protected with a firewall.

That's it.

I didn't find that I must use a firewall, because every open port is protected enough.

Offline Kloxo-DR

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #11 on: 2014-03-12, 08:22:50 »
Quote
Many people are still using IPTables or CSF as a firewall in their Kloxo-MR server. Is it needed?
2. Explanation:
  • Port 21/22 is already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
  • Port 25/110/143/465/597/993/995 is not an open port (needs login) and is used/handled by qmail-toaster
  • Port 53 is the DNS port and is used/handled by the DNS server
  • Port 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (which means including their -proxy) have a 'ban' mechanism to prevent DDOS attacks. For Apache alone you need mod_security (or similar modules; it needs to be removed/disabled if using nginx-/hiawatha-proxy)
  • Port 3306 is the mysql port; better to disable networking by adding 'skip-networking', or point it to a certain IP with 'bind-address = 127.0.0.1'
  • Port 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not open ports (need login). Because hiawatha is used to run them, they also have the 'ban' mechanism
3. My decision:
  • Always disable IPtables (except for routing purposes)
  • Don't install another firewall (like CSF)

OK, Mustafa, we understand. BUT, in my decision:
  • Always enable IPtables
  • Always install another firewall (like CSF)

HERE is the explanation:

Quote
  • Port 21/22 already 'protect' by lxguard (built-in firewall in Kloxo/Kloxo-MR)

Yes and no. This is only partly true.

Lxguard does not protect "attempts" to login on Port 21 as well as 22 in diversity. An attempt to login on Port 21 as well as Port 22 for x times is allowed.

Further, it will require more time or resources, being mysql based, than firewalls, which are based on different platform other than mysql.

Quote
  • Port 25/110/143/465/597/993/995 is not open-port (need login) and use/handle by qmail-toaster

Yes and no. This is only partly true. Ports 25/110/143/465/597/993/995 are open ports "to make attempts" for receiving and sending emails.

Anyone could make an attempt. As these ports are known to the world and open, they remain open to make attempts to use their function. The question is, thus, not "but Qmailtoaster can handle?" but "why should the Qmailtoaster handle?".

With csf, although spamdyke could capture a lot, Qmailtoaster _MUST_ not handle thousands of connections upon very effective and optimized configuration of csf. Without, it must, as there may be authentic connections which spamdyke may allow. This relieves server resources.

Other connection qualities, on which csf is specialized, like tracking of connections "even before the login procedure is invoked" or "attempts to connect", are not available in spamdyke.

Spamdyke specializes on parameters focused on properties of a connection to work good with MTA as against csf, which specialises on all ports, diversity, time, etc. Both domains of technology overlap, though, as well as their functional aspects.

Quote
  • - Port 53 is DNS port and use/handle by DNS server

Yes and no. This is only partly true. Why should Port 53 constantly remain under attack from idiots to allow making an attempt at an update of a DNS zone, although it is handled by the DNS server? So use csf to block attempts to update DNS zone files, which is not handled by a DNS server.

Quote
  • Port 80/443 is http/https ports and use/handle web server. Nginx/hiawatha (that mean include in their -proxy) have 'ban' mechanism for prevent DDOS attack. For Apache alone need mod_security (or similar modules; need remove/disable if using nginx-/hiawatha-proxy)

Here, mod_security is much better than csf. I agree with you.

Quote
  • Port 3306 is mysql port and better disable network with add 'skip-networking' or pointing to certain IP with'bind-address  = 127.0.0.1'

Yes and no. This is only partly true. With skip-networking, many tools that connect to mysql by first connecting to the SSH port WILL NOT WORK! You need to have it removed from my.conf. Here, bind-address = 127.0.0.1 allows making SSH tunnels, although the skip-networking parameter does not exist.

Quote
  • Port 7777/7778 is Kloxo/Kloxo-MR panel ports and not open-port (need login). Because using hiawatha for running also have 'ban' mechanism

Here, you are right. Changing the Kloxo-MR port to a non-default one and having Kloxo-MR lock itself or the offending IP after x attempts would result in the same effect as in csf.

Overall you miss a very important point: Csf enhances extraordinary protection compared to the protection available in Kloxo-MR, as well as protects OVERALL way far beyond any other such tool, and does relieve resources.

If there is a change in spamdyke.conf, shadow, password, group files, or many other such reporting mechanisms, csf will immediately bark on those changes.

Kloxo-MR sleeps at this point, leaving the administrator to sleep further. And that's what we do not like.

Offline MRatWork

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #12 on: 2014-03-12, 08:41:07 »
What do you set to protect port 21 and 22 with the firewall? With this protection, are you still able to access port 21 and 22?

Offline chrisf

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #13 on: 2014-03-12, 14:38:57 »
This discussion is RIDICULOUS. Mustafa, because a lot of the KloxoMR community are new to system admin, or just weekend hobbyists, they trust your posts, as 'leader' in KloxoMR. It truly is irresponsible to advise someone not to secure their server with every available option, PERIOD.

Offline MRatWork

Re: [INFO] Need firewall in Kloxo-MR server?
« Reply #14 on: 2014-03-12, 15:00:33 »
Like my post above, there is no reason to use a firewall. Other people can say otherwise.

My argument is clear. All ports in my servers are protected enough without using a firewall.

If someone thinks otherwise, please prove that lxguard (in the context of the ssh and ftp ports), login in the mail server, protection of the panel login (with the hiawatha 'ban' mechanism and blocking if login fails a certain number of times), prevention of mysql access from the public, and the 'ban' mechanism in nginx and hiawatha IS NOT SECURE.

That's it.

 

