MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Tips and Tricks => Topic started by: chrisf on 2013-08-09, 21:24:52
-
Since a few users wanted to use the CSF firewall with Kloxo-MR, I am writing detailed instructions on how to do so:
It is assumed you have KloxoMR installed and all is running properly first.
Install CSF Firewall
yum install perl-libwww-perl
cd /tmp
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
./install.sh
Now we must edit some configuration options for CSF. The line numbers I am listing are reported from the "vim" editor. You can go directly to a line by issuing ":#" where # is the actual line number.
cd /etc/csf/
vim csf.conf
If your line numbers are different just search for the option and set it.
Example "/TESTING" will search the file for TESTING.
Line 8:
TESTING="0"
Line 51:
TCP_IN="7777,7778,20:21,22,25,53,80,110,143,443,465,587,993,995,30000:50000"
Line 54:
TCP_OUT="7777,7778,20:21,22,25,53,80,110,143,443,43,30000:50000"
Line 57:
UDP_IN="53"
Line 61:
UDP_OUT="53,123"
If you use a custom port for SSH (instead of 22), change it to your port in lines 51 and 54.
Example: if you use 77722 for SSH, change 22 to 77722 in TCP_IN and TCP_OUT.
If you do not use IPv6, change the following to "" or to the same values as above.
Example: TCP6_IN same as TCP_IN.
Line 134: TCP6_IN, Line 137: TCP6_OUT, Line 140: UDP6_IN, Line 144: UDP6_OUT.
Line 303:
SYNFLOOD="1"
Line 431:
LF_ALERT_TO="youremail@somewhere.com"
Set this to the email address that should receive all alerts about something wrong or happening on your server. I would NOT use an email hosted on your server. Use Gmail or another provider. I set up a Gmail account just for alerts. Be sure to check the spam folder and mark alerts from your server as "Not Spam".
Line 1103:
PT_LIMIT="180"
Line 1163:
PT_USERMEM="300"
Line 1170:
PT_USERTIME="2000"
That is it for csf.conf; save the file (:x or :w). REMEMBER, all of the above options are already in the conf file: do not add them, change the ones listed :)
Next, the csf.pignore file. This file keeps the firewall from complaining about processes that are legitimate.
vim csf.pignore
ADD these lines to the end of the file:
exe:/usr/bin/tcpserver
exe:/var/qmail/bin/splogger
pexe:/var/qmail/bin/qmail.*
exe:/usr/bin/freshclam
exe:/usr/sbin/clamd
exe:/usr/libexec/mysqld
exe:/usr/sbin/httpd
exe:/usr/sbin/hiawatha
exe:/usr/sbin/nginx
exe:/bin/tinydns
pcmd:php-fpm: pool .*
cmd:spamd child
Save file (:x or :w)
Restart CSF and LFD service:
csf -r
service lfd restart
Done. :) To check, log in via SSH; an alert will be sent to the email you set up, letting you know someone accessed SSH.
If you get alerts, DO NOT panic. Sometimes you have to check: some processes trigger alerts but are safe. If you are unsure, post here with the report and we will investigate together :)
There are a LOT of configuration options. I would suggest reading through csf.conf; it is very detailed. Some options are not available on some servers. If you have a question, ask here.
Do:
csf --help
This will show you commands to add/deny an IP manually and other options.
If you have any questions, ASK. :)
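A pre-flight guard for the procedure above, added here as an example and not part of the original post: it edits csf.conf keys in place and refuses to proceed when the SSH port (read from sshd_config) is not in TCP_IN, which is the self-lockout that several later posts in this thread ran into. It assumes the 'KEY = "value"' line format of csf.conf and a 'Port N' line in sshd_config; the function names and the sample files it builds are mine.

```shell
#!/bin/sh
# Added example (not from the original post): apply csf.conf settings from a
# script and refuse to restart CSF if the SSH port is missing from TCP_IN.
# Assumptions: csf.conf uses the 'KEY = "value"' line format, sshd_config uses
# a 'Port N' line (default 22), and file paths are passed in so this can be
# tried on copies first. Function names are this example's own.

# csf_get FILE KEY: print the quoted value of KEY
csf_get() {
    sed -n "s/^$2 *= *\"\(.*\)\".*/\1/p" "$1" | head -n 1
}

# csf_set FILE KEY VALUE: replace the existing KEY line; refuse to add new keys
csf_set() {
    file=$1 key=$2 value=$3
    if ! grep -Eq "^${key} *= *\"" "$file"; then
        echo "csf_set: $key is not in $file; only change keys that already exist" >&2
        return 1
    fi
    # '|' as the sed delimiter keeps ':' and '/' in port lists and paths safe
    sed "s|^${key} *= *\".*\"|${key} = \"${value}\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# ssh_port SSHD_CONFIG: the configured Port, or 22 when none is set
ssh_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${p:-22}"
}

# port_in_list PORT LIST: true if PORT is covered by a CSF list such as
# "20:21,22,80,30000:50000" (single ports or lo:hi ranges)
port_in_list() {
    port=$1
    echo "$2" | tr ',' '\n' | while IFS=: read -r lo hi; do
        [ -n "$lo" ] || continue
        hi=${hi:-$lo}
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && echo yes
    done | grep -q yes
}

# allow_ip CSF_ALLOW IP [COMMENT]: whitelist IP once (csf.allow format: "IP # note")
# (the dots in IP are left unescaped; good enough for a literal address)
allow_ip() {
    file=$1 ip=$2 note=${3:-admin whitelist}
    if [ -f "$file" ] && grep -Eq "^${ip}([[:space:]]|$)" "$file"; then
        return 0
    fi
    echo "$ip # $note" >> "$file"
}

# lockout_check CSF_CONF SSHD_CONFIG: 0 when the SSH port is open in TCP_IN
lockout_check() {
    p=$(ssh_port "$2")
    if port_in_list "$p" "$(csf_get "$1" TCP_IN)"; then
        echo "ok: ssh port $p is in TCP_IN"
        return 0
    fi
    echo "REFUSING to restart: ssh port $p is not in TCP_IN" >&2
    return 1
}

# Demo on constructed copies; the real run would use /etc/csf/csf.conf,
# /etc/ssh/sshd_config and /etc/csf/csf.allow, then 'csf -r; service lfd restart'.
demo() {
    d=$(mktemp -d)
    printf 'TESTING = "1"\nTCP_IN = "20:21,22,25,53,80,110,143,443"\n' > "$d/csf.conf"
    printf 'Port 77722\n' > "$d/sshd_config"
    lockout_check "$d/csf.conf" "$d/sshd_config" || true   # refused: 77722 not open
    csf_set "$d/csf.conf" TCP_IN "$(csf_get "$d/csf.conf" TCP_IN),77722"
    csf_set "$d/csf.conf" TESTING 0
    # whitelist the address you are logged in from, if this runs over SSH
    [ -n "${SSH_CONNECTION:-}" ] && allow_ip "$d/csf.allow" "${SSH_CONNECTION%% *}" "my admin IP"
    lockout_check "$d/csf.conf" "$d/sshd_config"           # ok
    rm -rf "$d"
}
demo
```

Run it against copies first; on the real host, apply with csf -r; service lfd restart only after lockout_check passes. Whitelisting your admin IP in csf.allow before enabling the firewall is cheap insurance, and csf -x from a serial console is the recovery if you do lock yourself out.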
-
Hi,
thanks for your post :D
I already set up CSF before :D
but I just want to ask, maybe you have more knowledge about this.
I had an issue with a WordPress plugin.
When I try to enable a certain plugin, the website gives "Internal Server Error", but when I turn off CSF or the plugin the website goes back to normal.
My question is: I want to exclude this user from CSF, how do I do that?
Or exclude some directory for that plugin.
Example path for my user:
/home/user/domain.com/wp-content/plugins/xxx
where xxx is the plugin name.
Thanks in advance
-
Need port 7776 and 7779 open also.
-
Need port 7776 and 7779 open also.
You only need these two ports added to TCP_IN and TCP_OUT if you have a Kloxo cluster (master/slave).
All localhost/127.0.0.1 connections to any port are never blocked by CSF.
@goblog:
I have no idea, from the information you provided, why CSF would have such an effect on a WordPress plugin. Please post the alert from CSF. Which WordPress plugin? Did you change any of the advanced settings, e.g. process kill or connection limits?
Yes, you can ignore any Linux user (every client in Kloxo is a user): edit csf.pignore and add:
user:example
Change example to the user you want CSF to ignore.
This is NOT advised! This stops all watching of that user, and if that user gets hacked or something is wrong with it, you will never know.
-
It was me who asked @chrisf for this tutorial... Many thanks for this very clean and detailed tutorial.
I have applied it very easily in Kloxo-MR and in another open source panel 8-)
-
Since @chrisf already advised changing SYNFLOOD, I think it will be good for newbies to know how it works ;)
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
It means that:
1. If 100 connections per second happens more than 150 times from the same IP, this IP will be blocked.
2. When SYNFLOOD is triggered, it will slow down all incoming connections from any IP, including legitimate connections.
--------------------------------
I also found 2 other interesting settings:
CONNLIMIT
- find it around line 323
CONNLIMIT = ""
- change to:
CONNLIMIT = "22;5,80;20"
It means that:
1. Only allow up to 5 concurrent new connections to port 22 per IP address
2. Only allow up to 20 concurrent new connections to port 80 per IP address
Note: Existing connections are not included in the count, only new SYN packets, i.e. new connections.
------------------------------------
PORTFLOOD
- find it around line 339
PORTFLOOD = ""
- change to:
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
It means that:
1. 22;tcp;5;300 - If more than 5 connections to tcp port 22 within 300 seconds, then block that IP address from port 22 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted.
2. 80;tcp;20;5 - If more than 20 connections to tcp port 80 within 5 seconds, then block that IP address from port 80 for at least 5 seconds after the last packet is seen, i.e. there must be a "quiet" period of 5 seconds before the block is lifted.
You can read more about it here: http://configserver.com/free/csf/readme.txt
@chrisf, do you agree with these settings?
-
No, some of those settings are way too restrictive and will cause problems.
Second, ALL of those configuration options rely on additional iptables modules that not all servers have installed.
csf comes with a test script to tell you if all modules are installed and whether you can use those options.
CONNLIMIT for port 80 should be set no lower than 50, more like 75 or even 100. On a busy CMS site, say Joomla or Dolphin, every connection to the server is counted. UNDERSTAND: every picture, every .js file, every .css file, every ajax request. It is easy to reach 50 legitimately.
Same with PORTFLOOD: the port 80 restrictions are WAY too high for any dynamic site. On a Dolphin CMS site I have easily reached 60 in a second on a page load (css, js, images, html, ajax); if the page has 100 pictures, your settings will block every user who clicks that page.
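To make the two settings above concrete, an added example of my own (not from the thread): it decodes CONNLIMIT and PORTFLOOD strings into plain English and warns about port-80 entries tighter than the figures chrisf gives above (at least 50 concurrent connections, and roughly 60 requests per second during one page load). The thresholds and function names are mine; the iptables module check chrisf mentions is csf's own /etc/csf/csftest.pl, which this example does not replace.

```shell
#!/bin/sh
# Added example (not from the original posts): decode CSF CONNLIMIT and
# PORTFLOOD strings and flag port-80 limits that a busy CMS page load would
# trip. Thresholds (50 concurrent, 60 requests/s) are the figures quoted in
# this thread, not CSF defaults; function names are this example's own.

# explain_connlimit "22;5,80;20": one line per entry
explain_connlimit() {
    echo "$1" | tr ',' '\n' | while IFS=';' read -r port max; do
        [ -n "$port" ] || continue
        if [ -z "$max" ]; then
            echo "port $port: malformed entry, expected port;max"
            continue
        fi
        echo "port $port: at most $max concurrent new connections per source IP"
    done
    return 0
}

# explain_portflood "22;tcp;5;300,80;tcp;20;5": one line per entry
explain_portflood() {
    echo "$1" | tr ',' '\n' | while IFS=';' read -r port proto hits secs; do
        [ -n "$port" ] || continue
        if [ -z "$proto" ] || [ -z "$hits" ] || [ -z "$secs" ]; then
            echo "port $port: malformed entry, expected port;proto;hits;seconds"
            continue
        fi
        echo "port $port/$proto: more than $hits new connections in ${secs}s from one IP blocks it on port $port until ${secs}s pass with no packets"
    done
    return 0
}

# lint_web_limits CONNLIMIT PORTFLOOD: one warning line per port-80 entry
# tighter than the thread's floors; prints nothing when all is fine
lint_web_limits() {
    echo "$1" | tr ',' '\n' | while IFS=';' read -r port max; do
        [ "$port" = 80 ] || continue
        [ "${max:-0}" -lt 50 ] && echo "CONNLIMIT 80;$max: below 50, a page with many assets will hit this legitimately"
    done
    echo "$2" | tr ',' '\n' | while IFS=';' read -r port proto hits secs; do
        [ "$port" = 80 ] || continue
        [ -n "$secs" ] || continue
        # 60 requests/s per client is the page-load rate quoted above
        [ "$hits" -lt $((60 * secs)) ] && echo "PORTFLOOD $port;$proto;$hits;$secs: allows under 60/s, a single page load can trip it"
    done
    return 0
}

demo() {
    echo "--- proposed settings"
    explain_connlimit "22;5,80;20"
    explain_portflood "22;tcp;5;300,80;tcp;20;5"
    lint_web_limits "22;5,80;20" "22;tcp;5;300,80;tcp;20;5"
    echo "--- looser port 80 (no warnings expected)"
    lint_web_limits "22;5,80;100" "22;tcp;5;300,80;tcp;400;5"
}
demo
```

The SSH entries are left alone on purpose: 5 concurrent or 5 per 300 s on port 22 only bites automated guessing, while the port-80 entries are the ones a normal visitor trips.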
-
Second, ALL of those configuration options rely on additional iptables modules that not all servers have installed.
csf comes with a test script to tell you if all modules are installed and whether you can use those options.
Thank you for the alert, but I have noticed that script and in my case I have everything installed ;)
CONNLIMIT for port 80 should be set no lower than 50, more like 75 or even 100. On a busy CMS site, say Joomla or Dolphin, every connection to the server is counted. UNDERSTAND: every picture, every .js file, every .css file, every ajax request. It is easy to reach 50 legitimately.
Same with PORTFLOOD: the port 80 restrictions are WAY too high for any dynamic site. On a Dolphin CMS site I have easily reached 60 in a second on a page load (css, js, images, html, ajax); if the page has 100 pictures, your settings will block every user who clicks that page.
Silly of me :geek: ... I must be very tired not to remember that I have a client with stores that make more than 200 requests on load, therefore they do around 60 to 70 requests per second.
Thank you very much for pointing this out 8-)
-
In the latest KloxoMR, one of the webmail clients uses the /tmp/ directory to compile and cache web output (the Smarty template system, I think).
CSF does not like PHP files being in /tmp and will start sending you mass emails.
This will fix that :)
vim /etc/csf/csf.fignore
ADD this to the bottom
/tmp/%.*
Done.
-
Thanks to share this tip ;)
-
How do I open the "openvpn" server?
-
I do not understand your question. Open it how? The ports will be the same as on any VPS, unless you have custom software needing other ports as well.
-
@chris
thanks for this guide.
I followed these steps on my test VPS and faced problems: my own IP got blocked and I was not able to access the site, SSH, etc.
When I use my VPN it all works. Can this tutorial be updated if anything needs updating for the latest version of Kloxo-MR?
My version:
A. Kloxo-MR: 6.5.0.f-2014011001
B. OS: CentOS release 6.5 (Final) x86_64
C. Apps:
1. MySQL: mysql-5.5.34-1.el6.x86_64
2. PHP: php53u-5.3.28-1.ius.el6.x86_64
3. Httpd: httpd-2.2.26-1.el6.x86_64
4. Lighttpd: --uninstalled--
5. Nginx: --uninstalled--
6. Qmail: qmail-toaster-1.03-1.3.35.mr.el6.x86_64
- with: courier-imap-toaster-4.1.2-1.3.14.mr.el6.x86_64
7. Dns: bind-9.9.4-1.P2.el6.x86_64
D. Php-type (for Httpd/proxy): mod_php_ruid2
E. Memory:
                    total   used   free  shared  buffers  cached
Mem:                 6144   2040   4103       0        0     249
-/+ buffers/cache:           1791   4352
Swap:                   0      0      0
-
I found that chris's mail server rejects email sent by this forum. I found this issue in the 'qmail queue' of this server.
-
The installation has not changed. If you blocked yourself, it suspected you of doing something you shouldn't have. You can whitelist your own IP so that never happens.
Mustafa, that is interesting. That is not from CSF, that is from spamdyke. I just added SpamCop, Spamhaus, and another DNS blacklist to spamdyke, as well as turned on all the spamdyke features. I will check my mail logs. Are you blacklisted?
-
Email from this forum (a PM from someone to you).
-
I saw and fixed my mail server. It was spamdyke and the graylisting feature. I posted about it here:
http://forum.mratwork.com/kloxo-mr-technical-helps/spamdyke-graylisting/
Please advise.
-
Do you think I ought to change my ssh login access too?
-
exe:/usr/bin/tcpserver
exe:/var/qmail/bin/splogger
pexe:/var/qmail/bin/qmail.* <--------------- is this correct: pexe:/var/qmail/bin/qmail.*
exe:/usr/bin/freshclam
exe:/usr/sbin/clamd
exe:/usr/libexec/mysqld
exe:/usr/sbin/httpd
exe:/usr/sbin/hiawatha
exe:/usr/sbin/nginx
exe:/bin/tinydns
pcmd:php-fpm: pool .*
cmd:spamd child
Is pexe:/var/qmail/bin/qmail.* on line 3 correct, or should it be exe:/var/qmail/bin/qmail.*?
-
'pexe' as it is: it lets CSF know to use a perl regex, hence the '.*'. This matches qmail-remote, qmail-queue, qmail-smtp, etc.
If you use exe:, it must be the actual file name without matching; therefore we would need many entries for qmail.
;)
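An added example of my own (not from the thread) that makes the exe/pexe distinction above and the earlier csf.fignore tip for /tmp testable: it answers "which csf.pignore rule exempts this process" and "would csf.fignore silence this file alert". lfd matches exe:/user:/cmd: entries literally and pexe:/puser:/pcmd: entries as regexes, as chrisf says; this example uses grep -E (POSIX ERE rather than Perl regex, enough for patterns like qmail.*) and assumes pexe/puser/pcmd must match the whole value while fignore lines may match anywhere in the path, as a plain perl =~ would. Check the header comments of your own csf.pignore and csf.fignore if in doubt. Function names and the sample files are mine.

```shell
#!/bin/sh
# Added example (not from the original posts): check which csf.pignore rule
# would exempt a process, and whether csf.fignore would silence a file alert.
# Assumptions: exe/user/cmd compare literally; pexe/puser/pcmd are regexes
# matched against the whole value (grep -E, POSIX ERE); fignore lines are
# regexes matched anywhere in the path. Function names are this example's own.

# pignore_match PIGNORE EXE USER CMD: print the first matching rule, exit 0;
# exit 1 when no rule exempts the process
pignore_match() {
    pfile=$1 exe=$2 user=$3 cmd=$4
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        type=${line%%:*}
        val=${line#*:}
        hit=1
        case $type in
            exe)   [ "$val" = "$exe" ] && hit=0 ;;
            user)  [ "$val" = "$user" ] && hit=0 ;;
            cmd)   [ "$val" = "$cmd" ] && hit=0 ;;
            pexe)  printf '%s\n' "$exe"  | grep -Eq -- "^(${val})$" && hit=0 ;;
            puser) printf '%s\n' "$user" | grep -Eq -- "^(${val})$" && hit=0 ;;
            pcmd)  printf '%s\n' "$cmd"  | grep -Eq -- "^(${val})$" && hit=0 ;;
            *)     echo "warning: unknown rule type '$type' in $pfile" >&2 ;;
        esac
        if [ "$hit" -eq 0 ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done < "$pfile"
    return 1
}

# fignore_match FIGNORE PATH: print the matching regex, exit 0; exit 1 otherwise
fignore_match() {
    ffile=$1 path=$2
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac
        if printf '%s\n' "$path" | grep -Eq -- "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done < "$ffile"
    return 1
}

demo() {
    d=$(mktemp -d)
    # constructed: part of the list from the first post plus the exe: variant asked about
    cat > "$d/csf.pignore" <<'EOF'
exe:/usr/bin/tcpserver
pexe:/var/qmail/bin/qmail.*
exe:/var/qmail/bin/qmail.*
exe:/usr/sbin/httpd
pcmd:php-fpm: pool .*
cmd:spamd child
EOF
    printf '/tmp/%%.*\n' > "$d/csf.fignore"
    pignore_match "$d/csf.pignore" /var/qmail/bin/qmail-remote qmailr "qmail-remote 203.0.113.9 ..."
    # exe: would only match a file literally named 'qmail.*', so it never fires:
    grep -v '^pexe' "$d/csf.pignore" > "$d/exe-only"
    pignore_match "$d/exe-only" /var/qmail/bin/qmail-remote qmailr "x" \
        || echo "no exe: rule matches qmail-remote"
    pignore_match "$d/csf.pignore" /opt/php52s/bin/php-cgi lxlabs "php-fpm: pool lxlabs"
    fignore_match "$d/csf.fignore" "/tmp/%%0B/0B2/0B2F7F61%%login.htm.php"
    fignore_match "$d/csf.fignore" /tmp/dropped.php \
        || echo "/tmp/dropped.php would still be reported"
    rm -rf "$d"
}
demo
```

The last two calls are the point of the fignore tip: the webmail cache paths under /tmp/%... are silenced, while a PHP file dropped straight into /tmp by something else still raises an alert.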
-
My Kloxo iptables shows as stopped with a red light. Is this normal?
-
Check iptables over SSH; it is probably running fine. Kloxo and KloxoMR have both always shown red for iptables.
-
I'm now getting a lot of suspicious file alerts, 9 in total since I installed CSF.
The latest one is File: /tmp/%%0B/0B2/0B2F7F61%%login.htm.php
I've looked in the tmp folder and there are other folders:
%%0B
%%47
%%76
%%BE
Does anybody know what's going on here?
-
I'm now getting a lot of suspicious file alerts, 9 in total since I installed CSF.
The latest one is File: /tmp/%%0B/0B2/0B2F7F61%%login.htm.php
I've looked in the tmp folder and there are other folders:
%%0B
%%47
%%76
%%BE
Does anybody know what's going on here?
It's normal because the files above come from AfterLogic webmail.
-
If you look on page 1 of this thread, I already explained how to stop them; as Mustafa said, it is from webmail. Please read page 1 for the ignore rule so you stop getting them.
-
Didn't see that, thanks.
-
Now nothing works, can't even SSH.
-
Is this a joke? That fix has broken my site; I can't even log in to SSH to change it.
-
What did you do before you lost SSH access?
-
In KloxoMR latest, one of the webmail clients is using the /tmp/ directory to compile and cache web output (smarty template system - I think).
CSF does not like php files being in the /tmp and will start sending you mass emails.
This will fix that :)
vim /etc/csf/csf.fignore
ADD this to the bottom
/tmp/%.*
Done.
Everything was running fine until THIS.
-
I have no advice about it because I never use iptables/CSF.
LxGuard (built into Kloxo/Kloxo-MR) + nginx-proxy or hiawatha-proxy is enough for me.
-
I've tried with 2 other IPs, as you can see by my posts, but still no luck.
-
In KloxoMR latest, one of the webmail clients is using the /tmp/ directory to compile and cache web output (smarty template system - I think).
CSF does not like php files being in the /tmp and will start sending you mass emails.
This will fix that :)
vim /etc/csf/csf.fignore
ADD this to the bottom
/tmp/%.*
Done.
@Farrow, you are mistaken, and obviously your inexperience has caused this issue, as this fix HAS NOTHING TO DO WITH BLOCKING IPs OR SSH. The fignore file is for FILES that LFD should ignore as threats, THAT IS IT!
If you are using SolusVM for the VPS, or if it is a dedicated server, either way start a serial console; once logged into this console, issue this command: csf -x
-
@Farrow, you are mistaken, and obviously your inexperience has caused this issue, as this fix HAS NOTHING TO DO WITH BLOCKING IP OR SSH. The file fignore is for FILES that LFD should ignore as being threats, THAT IS IT!
If you are using SolusVM for vps, or if it is a dedicated server, either way, start a serial console, once logged into this console, issue this command: csf -x
It was running fine before you gave your shitty advice.
I reinstalled and mirrored the same install on another VPS without your config and it runs fine.
-
You are disrespectful and an idiot. I don't believe you have done anything; I think you are just trying to be confrontational. Obviously you could get to the VPS if you could mirror it, and secondly, this configuration is running for MANY users here.
Hire a system administrator to handle your servers.
-
Because KloxoMR now uses spawn-fcgi to run Kloxo's php52 under lxlabs, you will start to get alerts for excessive resource usage from lxlabs.
To fix:
vim /etc/csf/csf.pignore
Add this line:
exe:/opt/php52s/bin/php-cgi
Issue the command:
csf -r; service lfd restart
Done.