MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Tips and Tricks => Topic started by: MRatWork on 2014-03-12, 05:01:07
-
Many people are still using iptables or CSF as a firewall on their Kloxo-MR server. Is it needed?
Look at the facts:
1. Try running 'nmap YOURPUBLICIP' or 'nmap localhost' (nmap needs to be installed with 'yum install nmap'). You will possibly see:
[root@dev /]# nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2014-03-12 03:34 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1666 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
7777/tcp open cbt
7778/tcp open interwise
Nmap finished: 1 IP address (1 host up) scanned in 0.256 seconds
2. Explanation:
- Ports 21/22 are already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
- Ports 25/110/143/465/587/993/995 are not 'open' ports (they need a login) and are used/handled by qmail-toaster
- Port 53 is the DNS port and is used/handled by the DNS server
- Ports 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (which includes their -proxy modes) have a 'ban' mechanism to prevent DDOS attacks. Apache alone needs mod_security (or similar modules; these need to be removed/disabled if using nginx-/hiawatha-proxy)
- Port 3306 is the mysql port; it is better to disable networking by adding 'skip-networking' or to bind it to a specific IP with 'bind-address = 127.0.0.1'
- Ports 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not 'open' ports (they need a login). Because they run under hiawatha they also have the 'ban' mechanism
3. My decision:
- Always disable iptables (except for routing purposes)
- Do not install another firewall (like CSF)
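An added example (not part of the post above, and not Kloxo-MR code) of the check a practitioner would run next: 'nmap localhost' probes 127.0.0.1, so it lists MySQL as open whether or not it is bound to loopback. The script below cross-checks the nmap list against 'ss -ltn'-style socket listings to tell public listeners from loopback-only ones. The nmap text is an abridged copy of the output above; the two ss listings are constructed and show the same box before and after 'bind-address = 127.0.0.1'. The loopback-only policy set is an assumption of the example.

```python
"""Added example (not from the original post, and not Kloxo-MR code):
cross-check what 'nmap localhost' reports against the actual listening
sockets ('ss -ltn' style output) to see which open ports are reachable
from the outside and which are loopback-only.

'nmap localhost' probes 127.0.0.1, so a MySQL that already has
'bind-address = 127.0.0.1' still shows up as 'open'; only the bind
address tells you whether the Internet can reach it.

All text blocks below are constructed samples: the nmap block is an
abridged copy of the post's output, the ss blocks are invented.
"""
import re
from ipaddress import ip_address

NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
3306/tcp open  mysql
7778/tcp open  interwise
"""

SS_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      20     *:25               *:*
LISTEN 0      10     0.0.0.0:53         0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:7778       0.0.0.0:*
"""

# Same host after 'bind-address = 127.0.0.1' in my.cnf; nmap output is unchanged.
SS_AFTER = SS_BEFORE.replace("0.0.0.0:3306", "127.0.0.1:3306")

# Policy (an assumption of this example): services that must never listen
# on a non-loopback address.
LOOPBACK_ONLY = {3306}


def parse_nmap_open_ports(text):
    """Map port -> service name for every '<port>/tcp open <svc>' line."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}


def parse_ss_listeners(text):
    """Map port -> set of local addresses from the LISTEN lines of 'ss -ltn'."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 and *:80
        listeners.setdefault(int(port), set()).add(addr.strip("[]"))
    return listeners


def is_public_address(addr):
    """True if a socket bound to this address accepts non-local clients."""
    if addr in ("*", ""):                 # ss prints '*' for the wildcard
        return True
    ip = ip_address(addr)
    return ip.is_unspecified or not ip.is_loopback


def exposure_report(nmap_text, ss_text, loopback_only=LOOPBACK_ONLY):
    """port -> (service, status, sorted bind addresses)."""
    report = {}
    listeners = parse_ss_listeners(ss_text)
    for port, service in sorted(parse_nmap_open_ports(nmap_text).items()):
        addrs = listeners.get(port, set())
        public = any(is_public_address(a) for a in addrs)
        if not addrs:
            status = "unknown"          # open to nmap but no LISTEN socket seen
        elif public and port in loopback_only:
            status = "VIOLATION"        # reachable from outside, should not be
        elif public:
            status = "public"           # needs its own auth / rate-limit story
        else:
            status = "loopback-only"
        report[port] = (service, status, sorted(addrs))
    return report


def violations(report):
    return [port for port, (_, status, _) in report.items() if status == "VIOLATION"]


if __name__ == "__main__":
    for label, ss in (("before", SS_BEFORE), ("after", SS_AFTER)):
        print(f"--- {label} ---")
        for port, (svc, status, addrs) in exposure_report(NMAP_OUTPUT, ss).items():
            print(f"{port:>5}/tcp {svc:<10} {status:<13} {' '.join(addrs)}")
```

On a live box, replace the constructed strings with the real output of 'nmap localhost' and 'ss -ltn'; the report's "public" rows are the ports whose protection the rest of this thread argues about.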
-
I think this is horrible advice. Lxguard is not a firewall.
-
If you fail ssh and ftp login a certain number of times, lxguard will block your IP! Try it.
-
That is nothing! A firewall protects against all kinds of attacks. Lxguard is a login-failure log reader. And it sucks! I have CSF set to 10 incorrect attempts and lxguard to 10. CSF always catches it first.
What is protecting your mail ports? If I sent multiple requests from multiple IPs per second I could flood your mail server into a DoS. CSF watches my mail ports, allows only 10 concurrent connections from one IP; if flooding, it temp-blocks for 3600 seconds. 4 temp blocks in 24 hours, permanent block. This is for almost ALL my ports.
FTP, SSH, KloxoMR login failures, vpopmail failures are protected by CSF.
My CSF is clustered across 6 servers; all temp/permanent blocks on any server are immediately applied across the cluster.
Suspicious process watching, system file changes (immediate alerts), directory/file watching, CPU overload alerts, SSH login alerts, and so much more.
You are advising people to not protect themselves. As a system admin that is irresponsible.
I would remove this post altogether.
-
Also, in a large-scale DDOS attack, using the webserver -proxy with a ban feature still stresses the webserver, and essentially the ban mechanism itself becomes the DoS. Your websites go down, as the webserver is too busy playing firewall.
CSF is a much better choice.
Also, let it be known, NO software based protection can stop a large scale DDOS attack, it can only help to mitigate.
-
See the test result while under attack: https://www.hiawatha-webserver.org/weblog/64
I think additional security is needed, but not for me at present.
-
Hello Chris,
You are advising people to not protect themselves. As a system admin that is irresponsible.
I would remove this post altogether.
I AM SHOCKED TO SEE THIS POST BY MUSTAFA!
You, Chris, are totally irresponsible to tell an irresponsible person that he is irresponsible.
Mustafa should have known that his attempt to convince the world of his attitudes will never be successful. It took me a long time to grasp Mustafa's attitudes in recent months.
Because Mustafa is sufficiently responsible (!!!) to know about his irresponsibility, he has knowingly placed this post.
So, sarcastically speaking, you, Chris, should be more responsible and stop informing him (!!!) of his irresponsibility and let him remain in, as well as fully enjoy, his irresponsibility (which is temporary, anyway)!!!
-
Hi Chris,
Also, in a large-scale DDOS attack, using the webserver -proxy with a ban feature still stresses the webserver, and essentially the ban mechanism itself becomes the DoS. Your websites go down, as the webserver is too busy playing firewall.
CSF is a much better choice.
May I share my observation on what you presented:
I have configured csf for port scanning on ports 21,22,25 (plus some other ports). I have set up PS_LIMIT=1, PS_INTERVAL=600, PS_DIVERSITY=1.
Further, I configured CT_LIMIT=1 and CT_PORTS=21,22,25!
This captured all smtp connections very vigorously!
I block all offending connections for 6 hours on port scan, and on connection tracking for 24 hours temporarily. After 4 temporary blocks, they are blocked with PERMBLOCK for a week.
This has "cooled down" the server processes and made resources available for other services.
Csf is just an amazing invention, as good as spamdyke, and has become an indispensable tool for server administrators.
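An added example (not from the thread, and not lxguard or CSF code) of the distinction argued in this post and in Chris's post above: a login-failure counter versus a connection tracker, modelled as two small classes and run over one constructed event stream. The limits (10 failures, 10 concurrent connections, 3600 s temp block, 4 temp blocks in 24 h), the IP addresses and the timings are assumptions chosen to match the numbers quoted in the thread. Real CSF also reads login failures, so the model only shows what each approach, on its own, can and cannot see.

```python
"""Added example (not from the thread, not lxguard or CSF code): a
simplified model of two blocking strategies run over one constructed
event stream.

  FailureCounter    - blocks an IP after N failed logins; the log-reader
                      behaviour the thread ascribes to lxguard.
  ConnectionTracker - temp-blocks an IP holding more than CT_LIMIT
                      simultaneous connections, permanently after four
                      temp blocks in 24 h; mirrors the CSF numbers quoted
                      above (10 concurrent, 3600 s, 4 in 24 h).

All limits, addresses and timings are assumptions of this example.
"""
from collections import defaultdict, deque

BRUTE = "198.51.100.7"   # constructed: slow password guesser, one session at a time
FLOOD = "203.0.113.9"    # constructed: opens many connections, never tries to log in


class FailureCounter:
    """Block an IP once it accumulates `limit` failed logins within `window` s."""

    def __init__(self, limit=10, window=600):
        self.limit, self.window = limit, window
        self.fails = defaultdict(deque)
        self.blocked = set()

    def observe(self, t, ip, kind):
        if kind != "auth_fail":          # connects without a login attempt are invisible
            return
        q = self.fails[ip]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.blocked.add(ip)


class ConnectionTracker:
    """Temp-block an IP exceeding `ct_limit` concurrent connections; escalate
    to a permanent block after `perm_after` temp blocks inside `perm_window` s."""

    def __init__(self, ct_limit=10, temp_secs=3600, perm_after=4, perm_window=86400):
        self.ct_limit, self.temp_secs = ct_limit, temp_secs
        self.perm_after, self.perm_window = perm_after, perm_window
        self.open = defaultdict(int)     # live connections per IP
        self.temp_until = {}             # ip -> expiry time of its temp block
        self.temp_history = defaultdict(deque)
        self.permanent = set()
        self.dropped = 0                 # connects refused while blocked

    def is_blocked(self, t, ip):
        return ip in self.permanent or self.temp_until.get(ip, -1) > t

    def observe(self, t, ip, kind):
        if kind == "connect":
            if self.is_blocked(t, ip):   # packet filter drops it; no daemon sees it
                self.dropped += 1
                return
            self.open[ip] += 1
            if self.open[ip] > self.ct_limit:
                self._temp_block(t, ip)
        elif kind == "disconnect":
            self.open[ip] = max(0, self.open[ip] - 1)

    def _temp_block(self, t, ip):
        self.temp_until[ip] = t + self.temp_secs
        self.open[ip] = 0                # its sessions are torn down with the block
        h = self.temp_history[ip]
        h.append(t)
        while h and t - h[0] > self.perm_window:
            h.popleft()
        if len(h) >= self.perm_after:
            self.permanent.add(ip)


def build_events():
    """Constructed event stream of (time, ip, kind) tuples."""
    events = []
    for i in range(12):                  # 12 failed logins, one session at a time
        t = 10 * i
        events += [(t, BRUTE, "connect"), (t + 1, BRUTE, "auth_fail"), (t + 2, BRUTE, "disconnect")]
    for burst in range(4):               # four 30-connection floods, about an hour apart
        base = 1000 + burst * 3700
        events += [(base + i, FLOOD, "connect") for i in range(30)]
    return sorted(events)


def simulate(events):
    fc, ct = FailureCounter(), ConnectionTracker()
    for t, ip, kind in events:
        fc.observe(t, ip, kind)
        ct.observe(t, ip, kind)
    return fc, ct


if __name__ == "__main__":
    fc, ct = simulate(build_events())
    print("failure counter blocked:", sorted(fc.blocked))
    print("connection tracker permanent:", sorted(ct.permanent), "dropped connects:", ct.dropped)
```

The run shows the two blind spots: the failure counter never sees the flooder, because it never attempts a login, and the connection tracker never sees the single-session brute forcer, because it never exceeds one concurrent connection. That is why the posts above pair the two rather than relying on either alone.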
-
I don't advise others not to use a firewall.
I am just showing the fact that I am not using a firewall.
That's it.
-
Hi Mustafa,
I don't advise others not to use a firewall.
I am just showing the fact that I am not using a firewall.
That's it.
The difference is that we all see how our servers remain under attack. Those are really scary.
In the past, csf provided extraordinary prevention against constant attacks from spammers, while this community seriously attempted to convince you to recompile Qmailtoaster.
Had I not used csf, I would be at the mercy of any security holes in the future. You may not be scared but we all are, and csf is like a pullover in winter protecting us.
While you may not use it, or find the need to, it would be worth integrating this wonder of protection into Kloxo-MR very tightly. This enhancement helps the entire community, as against you not using it.
-
Don't discuss firewalls in general.
Discuss which ports (like port 80) must be protected with a firewall.
That's it.
I have not found that I must use a firewall, because every open port is protected enough.
-
Many people are still using iptables or CSF as a firewall on their Kloxo-MR server. Is it needed?
2. Explanation:
- Ports 21/22 are already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
- Ports 25/110/143/465/587/993/995 are not 'open' ports (they need a login) and are used/handled by qmail-toaster
- Port 53 is the DNS port and is used/handled by the DNS server
- Ports 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (which includes their -proxy modes) have a 'ban' mechanism to prevent DDOS attacks. Apache alone needs mod_security (or similar modules; these need to be removed/disabled if using nginx-/hiawatha-proxy)
- Port 3306 is the mysql port; it is better to disable networking by adding 'skip-networking' or to bind it to a specific IP with 'bind-address = 127.0.0.1'
- Ports 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not 'open' ports (they need a login). Because they run under hiawatha they also have the 'ban' mechanism
3. My decision:
- Always disable iptables (except for routing purposes)
- Do not install another firewall (like CSF)
OK, Mustafa, we understand. BUT, in my decision:
- Always enable iptables
- Always install another firewall (like CSF)
HERE is the explanation:
- Ports 21/22 are already 'protected' by lxguard (the built-in firewall in Kloxo/Kloxo-MR)
Yes and no. This is only partly true.
Lxguard does not protect against 'attempts' to login on port 21 as well as 22 in diversity. An attempt to login on port 21 as well as port 22 x times is allowed.
Further, it requires more time or resources, being mysql based, than firewalls, which are based on a platform other than mysql.
- Ports 25/110/143/465/587/993/995 are not 'open' ports (they need a login) and are used/handled by qmail-toaster
Yes and no. This is only partly true. Ports 25/110/143/465/587/993/995 are open ports "to make attempts" at receiving and sending emails.
Anyone can make an attempt. As these ports are known to the world and open, they remain open for attempts to use their function. The question is thus not "but can Qmailtoaster handle it?" but "why should Qmailtoaster handle it?".
With csf, although spamdyke could capture a lot, Qmailtoaster _MUST_ not handle thousands of connections, given a very effective and optimized configuration of csf. Without it, it must, as there may be authentic connections which spamdyke may allow. This relieves server resources.
Other connection qualities, in which csf specializes, like tracking connections "even before the login procedure is invoked" or "attempts to connect", are not available in spamdyke.
Spamdyke specializes in parameters focused on the properties of a connection, to work well with the MTA, as against csf, which specializes in all ports, diversity, time, etc. Both domains of technology overlap, though, as do their functional aspects.
- Port 53 is the DNS port and is used/handled by the DNS server
Yes and no. This is only partly true. Why should port 53 constantly remain under attack from idiots allowed to make an attempt at updating a DNS zone, although it is handled by the DNS server? So use csf to block attempts to update DNS zone files, which are not handled by a DNS server.
- Ports 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (which includes their -proxy modes) have a 'ban' mechanism to prevent DDOS attacks. Apache alone needs mod_security (or similar modules; these need to be removed/disabled if using nginx-/hiawatha-proxy)
Here, mod_security is much better than csf. I agree with you.
- Port 3306 is the mysql port; it is better to disable networking by adding 'skip-networking' or to bind it to a specific IP with 'bind-address = 127.0.0.1'
Yes and no. This is only partly true. With skip-networking, many tools that connect to mysql by first connecting to the SSH port WILL NOT WORK! You need to have it removed from my.cnf. Here, bind-address = 127.0.0.1 allows making SSH tunnels, provided the skip-networking parameter does not exist.
- Ports 7777/7778 are the Kloxo/Kloxo-MR panel ports and are not 'open' ports (they need a login). Because they run under hiawatha they also have the 'ban' mechanism
Here, you are right. Changing the Kloxo-MR port to a non-default one and having Kloxo-MR lock itself or the offending IP after x attempts would have the same effect as csf.
Overall you miss a very important point: csf provides extraordinary protection compared to the protection available in Kloxo-MR, as well as protecting OVERALL way beyond any other such tool, and it does relieve resources.
If there is a change in spamdyke.conf, the shadow, password or group files, or many other such reporting mechanisms, csf will immediately bark about those changes.
Kloxo-MR sleeps at this point, leaving the administrator to sleep further. And that's what we do not like.
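An added example (not from the thread, and not Kloxo-MR or MySQL code) of the 'skip-networking' versus 'bind-address = 127.0.0.1' point made in both the original post and the reply above: the script parses three constructed my.cnf fragments and reports who can reach MySQL over TCP, whether an SSH tunnel still works, and whether the Unix socket is affected. Assumptions of the example: a single-value bind-address (MySQL 8 also accepts comma lists, which are not handled), the server default of listening on all interfaces when bind-address is absent, and a tunnel on local port 3307.

```python
"""Added example (not from the thread, not Kloxo-MR or MySQL code):
evaluate the [mysqld] network settings discussed above for three
constructed my.cnf fragments (server default, 'skip-networking',
'bind-address = 127.0.0.1') and report who can reach the server over TCP,
whether an SSH tunnel still works, and whether the Unix socket is affected.

Assumptions: bind-address holds a single IP, 'localhost' or '*'; a missing
bind-address means the server default, i.e. all interfaces; the tunnel
command is the standard 'ssh -L' form with local port 3307 chosen here.
"""
from ipaddress import ip_address

CNF_DEFAULT = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
"""

CNF_SKIP = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-networking
"""

CNF_LOOPBACK = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address = 127.0.0.1
"""

WILDCARDS = (None, "*", "0.0.0.0", "::")


def parse_mysqld_section(text):
    """Return {option: value-or-None} for the [mysqld] section only."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):       # blank, comment, !include*
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent
        opts[key.strip().replace("-", "_").lower()] = val.strip() or None
    return opts


def _is_on(val):
    return val is None or val.lower() in ("1", "on", "true")


def _is_loopback(bind):
    if bind == "localhost":
        return True
    try:
        return ip_address(bind).is_loopback
    except ValueError:          # a hostname we cannot resolve offline
        return False


def evaluate(opts):
    """Describe the reachability implied by skip_networking / bind_address."""
    skip = "skip_networking" in opts and _is_on(opts["skip_networking"])
    bind = opts.get("bind_address")
    wildcard = bind in WILDCARDS
    loopback = not wildcard and _is_loopback(bind)
    remote_tcp = not skip and (wildcard or not loopback)
    loopback_tcp = not skip and (wildcard or loopback)
    return {
        "remote_tcp": remote_tcp,       # clients on the Internet can connect
        "loopback_tcp": loopback_tcp,   # 127.0.0.1:3306 accepts connections
        "ssh_tunnel": loopback_tcp,     # 'ssh -L' forwards to 127.0.0.1:3306
        "unix_socket": True,            # never affected by either option
        "tunnel_command": "ssh -L 3307:127.0.0.1:3306 user@server" if loopback_tcp else None,
    }


def assess(cnf_text):
    return evaluate(parse_mysqld_section(cnf_text))


if __name__ == "__main__":
    for name, cnf in (("default", CNF_DEFAULT), ("skip-networking", CNF_SKIP),
                      ("bind 127.0.0.1", CNF_LOOPBACK)):
        print(f"{name:<16} {assess(cnf)}")
```

The three rows make the trade-off concrete: the default exposes 3306 to the Internet, 'skip-networking' closes TCP entirely (and with it any SSH-tunnelled client), and 'bind-address = 127.0.0.1' closes remote TCP while keeping the tunnel and the socket working.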
-
What have you set to protect ports 21 and 22 with the firewall? With this protection, are you still able to access ports 21 and 22?
-
This discussion is RIDICULOUS. Mustafa, because a lot of the KloxoMR community are new to system admin, or just weekend hobbyists, they trust your posts, as 'leader' of KloxoMR. It truly is irresponsible to advise someone not to secure their server with every available option, PERIOD.
-
Like my post above: no reason to use a firewall. So, other people can say otherwise.
My argument is clear. All ports on my servers are protected enough without using a firewall.
If someone thinks otherwise, please prove that lxguard (in the context of the ssh and ftp ports), login on the mail server, protection of the panel login (with the hiawatha 'ban' mechanism and blocking if login fails a certain number of times), prevention of mysql access from the public and the 'ban' mechanism in nginx and hiawatha IS NOT SECURE.
That's it.
-
I suggest delete this thread
-
Agreed
-
Hello MRatWork,
So, if I install only Kloxo-MR on a CentOS 6.x minimal installation, will Kloxo-MR provide all types of security regarding SQL Injection, Brute Force Attacks, DDoS, Buffer Overflow, Session Hacking, Cross-site Scripting etc. automatically? And I do not need to configure anything?
I am a beginner, want to start working with CentOS server.
-
Hello MRatWork,
So, if I install only Kloxo-MR on a CentOS 6.x minimal installation, will Kloxo-MR provide all types of security regarding SQL Injection, Brute Force Attacks, DDoS, Buffer Overflow, Session Hacking, Cross-site Scripting etc. automatically? And I do not need to configure anything?
I am a beginner, want to start working with CentOS server.
In the context of the Kloxo-MR panel the answer is YES. For the applications on your website it depends on what you do (the same condition applies to all control panels, including cPanel).
-
The server will host some Drupal websites, databases, emails and reseller accounts.
1) Can you please recommend some security tips I have to take care of after installing Kloxo-MR?
2) As the server will be used for hosting reseller accounts, is it possible to know automatically / be notified if someone uploads malicious files into their account?