CSF

franklin

Joined
Oct 22, 2010
Messages
254
Likes
0
Points
0
#1
“/”, Question #1
Csf.conf has a lot of allows. If I change my SSH port to X, then only X should appear in the TCP in/out lists. No?

Would need to leave 443 for HTTPS in?
And 80 for HTTP?
Which ports really need to be there?
Perhaps leaving a random 4 or 5 for knocking

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
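An added example (mine, not from the thread or from the CSF project) that answers the "which ports really need to be there" question mechanically: it parses the TCP_IN/UDP_IN lists quoted above, including CSF's lo:hi range syntax, and diffs them against a constructed snapshot of listening ports (SSH assumed moved to 2222, HTTPS and SIP assumed in use).

```python
import re

# Constructed csf.conf excerpt, in the shape quoted in the question (CSF writes ranges as lo:hi).
CSF_CONF = '''
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
'''

# Constructed listener snapshot for a box whose SSH was moved to 2222 and that serves HTTPS plus SIP.
# On a real host these sets would come from `ss -ltn` / `ss -lun` (or `netstat -ltun` on older systems).
TCP_LISTENING = {2222, 80, 443}
UDP_LISTENING = {5060}

def parse_ports(spec):
    """Expand a CSF port list such as "22,80,10000:20000" into a set of ints."""
    ports = set()
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

def read_setting(conf_text, name):
    """Return the quoted value of NAME = "..." from csf.conf text ('' if the setting is absent)."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(name), conf_text, re.M)
    return m.group(1) if m else ""

def audit(conf_text, setting, listening):
    """Compare one *_IN list with the ports that actually have a listener.

    Returns (allowed_but_nothing_listening, listening_but_not_allowed): the first list is
    what can be dropped from the allow list, the second is what the firewall would cut off."""
    allowed = parse_ports(read_setting(conf_text, setting))
    return sorted(allowed - set(listening)), sorted(set(listening) - allowed)

if __name__ == "__main__":
    for setting, listening in (("TCP_IN", TCP_LISTENING), ("UDP_IN", UDP_LISTENING)):
        unused, blocked = audit(CSF_CONF, setting, listening)
        print(f"{setting}: can drop {unused}; would block {blocked}")
```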
 

franklin

#2
Question #2: (at the bottom)
I ran /usr/sbin/csf -s
And then -a <one.public.ip.address>
This is in csf.allow
192.168.0.3 # csf SSH installation/upgrade IP address - Mon Mar 14 21:39:45 2011
<one.public.ip.address> # Manually allowed - Mon Mar 14 22:39:21 2011
And then -d 112.112.112.112
This is in csf.deny
112.112.112.112 # Manually denied - Mon Mar 14 23:01:07 2011

Question: If I wanted to deny the world, could I put /usr/sbin/csf -d 0.0.0.0/0.0.0.0 and then my csf.allow rules supersede that? What is the best way to lock the whole thing down to the knuckle draggers and then introduce allows?
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#3
Allow over deny,

but I suggest you install webmin and then immediately chkconfig webmin off :) (that makes it an on-demand-only service that you can start as necessary)

edit /etc/webmin/miniserv.conf to use another less well known port, restart webmin and install from the webmin module manager the csf webmin interface now available locally at /etc/csf/csfwebmin.tgz.

This will allow you to easily manage the whole schemoozle; it wraps the whole config up in a Q and A type thingy.

Apart from obviously doing the always required RTFM thing, it really makes it very easy, there is even a good security audit and smartphone interface built in . . .

when you're done

service webmin stop



regards

dicko
 

franklin

#4
"/", I'm a little confused on how to install webmin:
"To install or upgrade the csf webmin module:
Install csf as above
Install the csf webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module"

from /etc/csf/ would I mkdir Webmin; cd /Webmin; mkdir Webmin Configuration: cd /Webmin Configuration; mkdir Webmin Modules and then untar csfwebmin.tgz to Webmin Modules? This seems screwy.

Searched all over FreePBX and don't see it there. I'm used to more clear install directions. Went to the forum. Not clear. Perhaps I need another lashing. You got your tongue wet with another tonight...
 

dicko

#5
Briefly

http://www.webmin.com/download.html

which will largely explain how to:

wget http://prdownloads.sourceforge.net/weba ... noarch.rpm
rpm -Uhv webmin-1.530-1.noarch.rpm

Then the previous instructions should make sense

A hint, it's nothing to do with FreePBX or Asterisk, they just like each other and get on well.

There is a common belief that webmin has some insecurities, so don't leave it running, especially on udp/tcp/10000

Some say I don't bear a fool well, some might be right, so far you don't get close, I hope I don't scare you too much.

regards

dicko
 

franklin

#6
Sorry for all this hand holding. I'm in at https://192.168.0.101:10000/

But I'll be damned if I can figure out what to do with csfwebmin.tgz in /etc/csf/.

I have up to /usr/libexec/webmin/Webmin. No Webmin Configuration or Webmin modules to unpack csfwebmin.tgz.
I just don't get the instructions
"Install the csf webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module"
 

ramoncio

Joined
May 12, 2010
Messages
1,663
Likes
0
Points
0
#7
Hi franklin,

Now that webmin is installed, forget about the console for a while. That's what webmin is about. :)

Go to https://yourserverip:10000 and use the menus:

Webmin > Webmin Configuration > Webmin Modules >
From local file > (search in the file tree) /etc/csf/csfwebmin.tgz > Install Module

This should install a new menu item called "ConfigServer Security & Firewall" into your webmin 'System' main menu.
 

franklin

#8
Thanks, ramon. Getting "Failed to install module from /etc/csf/csfwebmin.tgz : Module Net is missing a module.info file". Checking configs and the posts at their forum. Lots of other people get this, I saw from my perusing last night.
 

franklin

#9
I think there may be a typo in what you are saying, dicko, but I get it. Never seen you put someone in a place they didn't deserve. If one can take it they will grow, as have I under your tutelage. It helps if one can read English, or Spanish, or Chinese, I guess...
 

franklin

#10
In relation to the error "Failed to install module from /etc/csf/csfwebmin.tgz : Module Net is missing a module.info" I get when trying to perform "From local file > /etc/csf/csfwebmin.tgz > Install Module"

Someone posted at the CSF forum "The module is the tar file itself..."

The tar file is in /etc/csf/ -rw-r--r-- 1 root root 1028697 Mar 15 01:06 csfwebmin.tgz

I followed dicko's instructions: wget prdownloads.sourceforge.net/webadmin/webmin-1.530-1.noarch.rpm
rpm -Uhv webmin-1.530-1.noarch.rpm

At http://www.webmin.com/rpm.html they are suggesting
rpm -U webmin-1.530-1.noarch.rpm -- so a slight difference.

But I see at rpm --help | more that hv is only -h, --hash print hash marks as package installs (good with -v)

Not sure why she won't pick up the tar file...
 

franklin

#11
So the directions are a bit misleading. I got it working. I uninstalled everything and reinstalled. And then after installing went to https://<myip>:10000 and did
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module


The problem was, I believe, that I installed things twice. The directions in the install.txt should read:

Webmin Module Installation/Upgrade
==================================

To install or upgrade the csf webmin module:
Install csf as above
Then, from /etc/csf

wget prdownloads.sourceforge.net/webadmin/webmin-1.530-1.noarch.rpm
rpm -Uhv webmin-1.530-1.noarch.rpm


Go to https://<your.server.ip.address>:10000
and then
Install the csf webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module


At any rate, the result was a very pleasing message:
The following modules have been successfully installed and added to your access control list :

ConfigServer Security & Firewall in /usr/libexec/webmin/csf (48 kB) under category System
 

franklin

#12
dicko, I have CSF successfully running on a 2.0.3 box. Got two addresses from the Russian Federation added to the blocked/deny iptables this AM.

When I turn on the firewall my calls don't work, though. I tried adding 5060,10000:20000 to UDP in/out. Phones get DHCP from a NetGear FVS338 (5060,10K-20K,22 forwarded to box) (Elastix DHCP is off) Box is on a static of 192.168.1.101. When I turn the CSF firewall off things are okay. Tried adding the address of one phone 192.168.1.5 to the allow. Doesn't work. Funny thing I can't SSH into the box via my wireless access point, but can through the Ethernet cable on my PC. It's almost like a double NATing issue I've experienced in the past.
 

dicko

#13
maybe

tailf /var/log/messages

will give a clue.
 

franklin

#14
Thanks. Just loaded 1.6 over my 2.0. Forgot that Telephone Reminders suggests Asterisk 1.4. Found out it doesn't play 100% nice on Asterisk 1.6. Starting over. Plus, until you say you are going full bore with 2.0 I am putting it out of mind. Realizing the NIC card is not configured. I think I can get the drivers from the Rhino site. Any assistance would be greatly appreciated.

Going to get this security thing straight before I do anything. Have a few 1.6 boxes out there I need to protect.
 

franklin

#15
ip addr show got me going. Disregard driver question.
 

franklin

#16
"/" can you advise me on what I am looking at below?

Changed SSH from 22, restarted. Changed Webmin from 10000, restarted.

I keep getting hit with this same routine:
Mar 16 17:18:18 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
Mar 16 17:19:00 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
Mar 16 17:19:17 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
Mar 16 17:19:22 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
Mar 16 17:20:05 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
Mar 16 17:20:21 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
Mar 16 17:20:28 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
Mar 16 17:21:11 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
Mar 16 17:21:24 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
Mar 16 17:21:31 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
Mar 16 17:22:16 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argum

My "View IP Tables Log" doesn't show the above, but does show this pernicious thing from Miami that keeps coming in:
Mar 16 17:25:28 elastix kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> SRC=38.126.208.225 DST=192.168.1.101 LEN=32 TOS=0x00 PREC=0x00 TTL=3 ID=12 PROTO=UDP SPT=10013 DPT=33437 LEN=12
 

dicko

#17
that is your time server on udp/123 and tcp/123; it needs both.

the other one is an attempt to traceroute you.
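As an added example (not from the thread or from CSF), a small classifier for the two kinds of /var/log/messages lines quoted in #16, applying dicko's reading of them: ntpd sendto failures are reported as the time server being unreachable, and a UDP_IN block whose destination port falls in 33434:33523 (the range csf.conf's own comment reserves for traceroute) is flagged as a traceroute probe. The sample log lines, the MAC value and the extra TCP hit are constructed.

```python
import re

# Constructed log lines modelled on the two kinds quoted in the thread (MAC shortened, one TCP hit added).
SAMPLE_LOG = """\
Mar 16 17:18:18 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
Mar 16 17:25:28 elastix kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=38.126.208.225 DST=192.168.1.101 LEN=32 TOS=0x00 PREC=0x00 TTL=3 ID=12 PROTO=UDP SPT=10013 DPT=33437 LEN=12
Mar 16 17:26:01 elastix kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=51234 DPT=5060
"""

NTPD_RE = re.compile(r"ntpd\[\d+\]: sendto\(([\d.]+)\).*Invalid argument")
FW_RE = re.compile(r"Firewall: \*(\w+) Blocked\* (.*)$")
# The UDP port range csf.conf's own comment says to open in UDP_OUT for traceroute;
# inbound hits on it are someone tracing a route to this host.
TRACEROUTE_PORTS = range(33434, 33524)

def parse_fw_fields(rest):
    """Turn 'IN=eth0 OUT= SRC=... DPT=33437' into a dict; empty values such as OUT= are kept."""
    return dict(re.findall(r"(\w+)=(\S*)", rest))

def classify(line):
    """Return (kind, detail) for one /var/log/messages line, or None if it is not of interest."""
    m = NTPD_RE.search(line)
    if m:
        # ntpd could not send to its peer; the thread attributes this to UDP/123 not being allowed out
        return ("ntp_send_failed", m.group(1))
    m = FW_RE.search(line)
    if not m:
        return None
    chain, fields = m.group(1), parse_fw_fields(m.group(2))
    dport = int(fields.get("DPT", 0))
    if fields.get("PROTO") == "UDP" and dport in TRACEROUTE_PORTS:
        return ("traceroute_probe", fields["SRC"])
    return ("blocked", f"{chain} {fields.get('PROTO')} {fields['SRC']} -> {fields.get('DST')}:{dport}")

def summarize(log_text):
    """Classify every line and drop the ones that match neither pattern."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]

if __name__ == "__main__":
    for kind, detail in summarize(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```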
 

franklin

#18
What purpose does the constant traceroute serve for the other party? Is it perhaps my ISP doing a keep alive on the modem? DSL, CHAP authentication.
 

franklin

#19
"/"
What is the verdict on disabling the following:
avahi-daemon
saslauthd
rpcidmapd
nfslock
atd
xfs
MySQL LOAD DATA disallows LOCAL

After I square those, I need to do these, and I'm a bit unsure:

/tmp should be mounted as a separate filesystem with the noexec,nosuid options se

/var/tmp should either be symlinked to /tmp or mounted as a filesystem

/dev/shm is not mounted with the noexec,nosuid options (currently: none). You should modify the mountpoint in /etc/fstab for /dev/shm with those options and remount

Then enable IPv6, sounds easy enough

IPv6 appears to be enabled [ifconfig: fe80::21c:c0ff:fed5:20c0/64 Scope:Link, ::1/128 Scope:Host]. If ip6tables is installed, you should enable the csf IPv6 firewall (IPV6 in csf.conf)

and

I've seen you urge people to do this

For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication (I'll have to investigate how to do this).

Then I should be all green. Can you advise? Thanks.
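An added example (not from the thread or from CSF) that checks the /tmp and /dev/shm mount items and the PasswordAuthentication item from the audit list above against constructed excerpts of /etc/fstab and sshd_config, and shows what the hardened fstab lines look like; the /var/tmp symlink item is left to the operator.

```python
import re

# Constructed /etc/fstab excerpt: /tmp and /dev/shm lack the options the csf check asks for.
FSTAB = """\
LABEL=/      /        ext3   defaults  1 1
LABEL=/tmp   /tmp     ext3   defaults  1 2
tmpfs        /dev/shm tmpfs  defaults  0 0
"""
# Constructed sshd_config excerpt: password logins still enabled (a commented line means the default, yes).
SSHD_CONFIG = "Port 2222\n#PasswordAuthentication yes\nPubkeyAuthentication yes\n"

REQUIRED_OPTS = ("noexec", "nosuid")
CHECKED = ("/tmp", "/dev/shm")

def check_mounts(text):
    """Return {mountpoint: [missing options]}, or 'not mounted separately' if absent from fstab."""
    result = {mp: "not mounted separately" for mp in CHECKED}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not line.lstrip().startswith("#") and fields[1] in result:
            opts = fields[3].split(",")
            result[fields[1]] = [o for o in REQUIRED_OPTS if o not in opts]
    return result

def harden_fstab(text):
    """Rewrite the /tmp and /dev/shm lines so the options field gains noexec,nosuid."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not line.lstrip().startswith("#") and fields[1] in CHECKED:
            opts = fields[3].split(",")
            fields[3] = ",".join(opts + [o for o in REQUIRED_OPTS if o not in opts])
            line = "  ".join(fields)  # mount options are comma separated, fstab fields whitespace separated
        out.append(line)
    return "\n".join(out) + "\n"

def password_auth_disabled(config_text):
    """True only when an uncommented 'PasswordAuthentication no' appears (sshd honours the first one)."""
    for line in config_text.splitlines():
        m = re.match(r"\s*PasswordAuthentication\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "no"
    return False  # no directive at all means sshd's default of yes
```

Apply the rewritten lines to the real fstab, then `mount -o remount /tmp` and `mount -o remount /dev/shm` make them effective without a reboot.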
 

franklin

#20
dicko,

I get this on a who at root

pts/3 2011-03-18 11:24 (mailserv.tranquil-it.us)

It also shows up on a last periodically. Is this an internal signin?
 
