Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
You need to move ssh away from 22, you probably don't need ftp exposed, do you have folks using you as an IMAP server, what is running on 2222? (too obvious), WTF telnet!! Immediately turn that off. Only allow https from trusted networks. You have FOP, AMI, MySQL possibly exposed.
(back to the drawing board?)
Your FreePBX ARI/recordings is both broken and leaking, this is normal but very bad in Elastix. Are you sure your very old vtiger login is secure?
I guess in other words, get your Firewall working first before you do the IDS thingy. Try CSF, it's easy as pie.
Last Edit: 2010/12/24 02:18 By dicko.
There are other solutions!!
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
I must have done something incorrectly. I thought I had moved from port 22, no one uses the machine for IMAP, and I was not aware that telnet was even on - never activated it, and 2222 ???? I've only had this box up and running for a week or so and this is the first time I have had a chance to mess with it. As you say, back to the drawing board.
Thanks
Amphibian
"I may not be the sharpest tool in the shed, but, I'm not the only dull tool in the shed either.
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
I thought port 22 was changed under /etc/ssh/sshd_config by uncommenting "Port 22" and changing it to another value? I had changed it to 2222, not right???
Amphibian
"I may not be the sharpest tool in the shed, but, I'm not the only dull tool in the shed either.
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
I can only see you from the outside of your network,
netstat -aunt
will show you all the services you have running, each and every one presenting on 0.0.0.0 needs to be examined as to whether it should be allowed through your firewall, and if so to what address space should be allowed to access it.
don't forget that I also see the services running on your firewall, telnet is probably originating from there, it should not be.
Last Edit: 2010/12/24 03:24 By dicko.
There are other solutions!!
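The check described in the post above, as an added example that is not part of the original thread: a shell function that reads netstat -aunt output and prints every TCP listener and unconnected UDP socket bound to all interfaces (0.0.0.0 or ::), which are the ones to compare against the firewall rules. The sample output, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find services bound to every interface in `netstat -aunt` output.

# Constructed sample of `netstat -aunt` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2222         198.51.100.7:51234      ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
EOF
}

# Print "proto port" for every socket that accepts traffic on all interfaces.
# TCP rows count only in LISTEN state. UDP has no state column, so an
# unconnected UDP socket is recognised by its wildcard foreign address.
wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            laddr = $4; faddr = $5
            # Split on the last colon so IPv6 forms such as :::80 parse too.
            port = laddr; sub(/.*:/, "", port)
            addr = laddr; sub(/:[^:]*$/, "", addr)
            if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if ($1 ~ /^udp/ && faddr !~ /:\*$/) next
            print $1, port
        }' | LC_ALL=C sort -u
}

# Demo on the constructed sample.
# On a real host: netstat -aunt | wildcard_listeners
sample_netstat | wildcard_listeners
```

Loopback-only services (127.0.0.1) and established connections are left out on purpose; only the wildcard-bound sockets are reachable from other hosts unless the firewall blocks them.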
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
I issued that command earlier when you made mention of telnet running. I'm not showing telnet as active on machine or on firewall or router. I have even tried to telnet to all the machines on network and none are telnet active.
I'm also not sure I follow your directive to "your FreePBX ARI/recordings is both broken and leaking", have to research that one.
Amphibian
"I may not be the sharpest tool in the shed, but, I'm not the only dull tool in the shed either.
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
To audit your network it is necessary to do it from both sides, get an external shell login from someone and look back at your network.
There are other solutions!!
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
Well, that's my prob, I don't have anyone to do that with that is why I'm so appreciative of your help this evening.
See, AH like me don't have very many friends you know, especially in the Tech department
The broken or leaky thingee looks like an upgrade requirement. Will do update and get back with you, been up 32 hours now, taking a break and will return in a few hours. Thanks once again you have been very helpful. I owe you big time.
Amphibian
Last Edit: 2010/12/24 04:28 By Amphibian.
"I may not be the sharpest tool in the shed, but, I'm not the only dull tool in the shed either.
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
Amphibian wrote:
I thought the 172 was an IP address. Since this box is on a DSL which assigns different IP at times, I have gone with dyndns.org. Will this script accept the dyndns.org instead of an IP number?
Amphibian
If you need to allow your dyndns host you can use csf.
www.configserver.com/cp/csf.html
You can insert your dyndns host into /etc/csf/csf.dyndns
Happy Christmas to all!!!
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
Hey ramoncio,
Sorry I missed you, I called it a night just before your post. Thanks for the reply. I see I'm going to have to put a larger fuel tank on my Ultra-lite and fly down to Dicko's and your place to take you guys to lunch, you both have been very helpful and knowledgeable, not only me, with this forum. It can't be stated enough how lost we all would be without you guys.
I looked CSF over earlier this morning after Dicko mentioned it in a post. I'm going to try to load CSF later today and see how knowledgeable I am to set it up.
I did read on the CSF site that "You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD you can remove the combination (which you will need to do if you have them installed otherwise they will conflict horribly): .....",
are there any scripts known (and where they are located) that I have to remove to prevent conflict?
Thanks again & Merry Christmas
Amphibian
"I may not be the sharpest tool in the shed, but, I'm not the only dull tool in the shed either.
Re:Unable to Install Fail2Ban 2 Years, 4 Months ago
Generally too many cooks will spoil the broth, but CSF and fail2ban will coexist quite easily, just
chkconfig fail2ban off
service fail2ban stop
make two executable scripts in /etc/csf directory:
[root@pbx csf]# cat csfpre.sh
#!/bin/sh
/etc/init.d/fail2ban stop
[root@pbx csf]# cat csfpost.sh
#!/bin/sh
/etc/init.d/fail2ban start
this will start fail2ban after csf starts and vice versa, the scripts do not conflict.
I posted a regex.custom.pm somewhere around here that will hopefully do the same for csf without fail2ban but am not sure if it is as effective as fail2ban
There are other solutions!!