CSF

Discussion in 'General' started by franklin, Mar 15, 2011.

  1. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    “/”, Question #1
    Csf.conf has a lot of allows. If I change my SSH port to X, then only X should appear in the TCP in/out lists. No?

    Would need to leave 443 for HTTPS in?
    And 80 for HTTP?
    Which ports really need to be there?
    Perhaps leaving a random 4 or 5 for knocking

    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,53,80,110,113,443"

    # Allow incoming UDP ports
    UDP_IN = "20,21,53"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123"
     
  2. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    Question #2: (at the bottom)
    I ran /usr/sbin/csf -s
    And then -a <one.public.ip.address>
    This is in csf.allow
    192.168.0.3 # csf SSH installation/upgrade IP address - Mon Mar 14 21:39:45 2011
    <one.public.ip.address> # Manually allowed - Mon Mar 14 22:39:21 2011
    And then -d 112.112.112.112
    This is in csf.deny
    112.112.112.112 # Manually denied - Mon Mar 14 23:01:07 2011

    Question: If I wanted to deny the world, could I put /usr/sbin/csf -d 0.0.0.0/0.0.0.0 and then my csf.allow rules supersede that? What is the best way to lock the whole thing down to the knuckle draggers and then introduce allows?
     
  3. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Allow over deny,

    but I suggest you install webmin and (then immediately chkconfig webmin off :) that makes it an on-demand-only service that you can start as necessary)

    edit /etc/webmin/miniserv.conf to use another less well known port, restart webmin and install from webmin module manager the csf webmin interface now available locally at /etc/csf/csf/webmin.tgz.

    This will allow you to easily manage the whole schemoozle, it wraps the whole config up in a Q and A type thingy,

    Apart from obviously doing the always required RTFM thing, it really makes it very easy, there is even a good security audit and smartphone interface built in . . .

    when you're done

    service webmin stop



    regards

    dicko
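As an added example (not code from the thread or from csf itself), a short Python simulation of the "allow over deny" order dicko refers to: an address matched by csf.allow is accepted before csf.deny is consulted, so a deny-all entry would still let the allowed hosts in and shut out everything else. The file contents and the deny-all entry are constructed; whether csf accepts 0.0.0.0/0 in csf.deny is not something this thread settles, and only plain IP and CIDR entries are handled here.

```python
import ipaddress

# Constructed csf.allow / csf.deny contents modelled on the thread
# (documentation addresses, not the poster's real public IP).
CSF_ALLOW = """192.168.0.3 # csf SSH installation/upgrade IP address
203.0.113.10 # Manually allowed
"""
CSF_DENY = """112.112.112.112 # Manually denied
0.0.0.0/0 # hypothetical deny-the-world entry
"""

def parse_entries(text):
    """Return the networks listed in a csf.allow or csf.deny file.
    Only plain IPs and CIDR entries are handled; csf's advanced
    'tcp|in|d=port|s=ip' syntax is out of scope for this example."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def decide(ip, allow_text=CSF_ALLOW, deny_text=CSF_DENY):
    """Mimic csf's 'allow over deny' order: an address matched by csf.allow
    is accepted even if csf.deny also matches it; otherwise csf.deny is
    consulted; anything unmatched falls through to the port rules."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in parse_entries(allow_text)):
        return "ALLOW"
    if any(addr in net for net in parse_entries(deny_text)):
        return "DENY"
    return "PORT_RULES"

if __name__ == "__main__":
    for ip in ("203.0.113.10", "112.112.112.112", "198.51.100.7"):
        print(ip, decide(ip))
```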
     
  4. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    "/", I'm a little confused on how to install webmin:
    "To install or upgrade the csf webmin module:
    Install csf as above
    Install the csf webmin module in:
    Webmin > Webmin Configuration > Webmin Modules >
    From local file > /etc/csf/csfwebmin.tgz > Install Module"

    from /etc/csf/ would I mkdir Webmin; cd /Webmin; mkdir Webmin Configuration: cd /Webmin Configuration; mkdir Webmin Modules and then untar csfwebmin.tgz to Webmin Modules? This seems screwy.

    Searched all over FreePBX and don't see it there. I'm used to more clear install directions. Went to the forum. Not clear. Perhaps I need another lashing. You got your tongue wet with another tonight...
     
  5. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Briefly

    http://www.webmin.com/download.html

    which will largely explain how to:

    wget http://prdownloads.sourceforge.net/weba ... noarch.rpm
    rpm -Uhv webmin-1.530-1.noarch.rpm

    Then the previous instructions should make sense

    A hint, it's nothing to do with FreePBX or Asterisk, they just like each other and get on well.

    There is a common belief that webmin has some insecurities, so don't leave it running, especially on udp/tcp/10000

    Some say I don't bear a fool well, some might be right; so far you don't get close. I hope I don't scare you too much.

    regards

    dicko
     
  6. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    Sorry for all this hand holding. I'm in at https://192.168.0.101:10000/

    But I'll be damned if I can figure out what to do with csfwebmin.tgz in /etc/csf/.

    I have up to /usr/libexec/webmin/Webmin. No Webmin Configuration or Webmin modules to unpack csfwebmin.tgz.
    I just don't get the instructions
    "Install the csf webmin module in:
    Webmin > Webmin Configuration > Webmin Modules >
    From local file > /etc/csf/csfwebmin.tgz > Install Module"
     
  7. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    Hi franklin,

    Now that webmin is installed, forget about the console for a while. That's what webmin is about. :)

    Go to https://yourserverip:10000 and use the menus:

    Webmin > Webmin Configuration > Webmin Modules >
    From local file > (search in the file tree) /etc/csf/csfwebmin.tgz > Install Module

    This should install a new menu item called "ConfigServer Security & Firewall" into your webmin 'System' main menu.
     
  8. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    Thanks, ramon. Getting "Failed to install module from /etc/csf/csfwebmin.tgz : Module Net is missing a module.info file". Checking configs and the posts at their forum. Lots of other people get this, I saw from my perusing last night.
     
  9. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    I think there may be a typo in what you are saying, dicko, but I get it. Never seen you put someone in a place they didn't deserve. If one can take it they will grow, as have I under your tutelage. It helps if one can read English, or Spanish, or Chinese, I guess...
     
  10. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    In relation to the error "Failed to install module from /etc/csf/csfwebmin.tgz : Module Net is missing a module.info" I get when trying to perform "From local file > /etc/csf/csfwebmin.tgz > Install Module"

    Someone posted at the CSF forum "The module is the tar file itself..."

    The tar file is in /etc/csf/ -rw-r--r-- 1 root root 1028697 Mar 15 01:06 csfwebmin.tgz

    I followed dicko's instructions: wget prdownloads.sourceforge.net/webadmin/webmin-1.530-1.noarch.rpm
    rpm -Uhv webmin-1.530-1.noarch.rpm

    At http://www.webmin.com/rpm.html they are suggesting
    rpm -U webmin-1.530-1.noarch.rpm -- so a slight difference.

    But I see at rpm --help | more that hv is only -h, --hash print hash marks as package installs (good with -v)

    Not sure why she won't pick up the tar file...
     
  11. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    So the directions are a bit misleading. I got it working. I uninstalled everything and reinstalled. And then after installing went to https://<myip>:10000 and did
    Webmin > Webmin Configuration > Webmin Modules >
    From local file > /etc/csf/csfwebmin.tgz > Install Module


    The problem was, I believe, that I installed things twice. The directions in the install.txt should read:

    Webmin Module Installation/Upgrade
    ==================================

    To install or upgrade the csf webmin module:
    Install csf as above
    Then, from /etc/csf

    wget prdownloads.sourceforge.net/webadmin/webmin-1.530-1.noarch.rpm
    rpm -Uhv webmin-1.530-1.noarch.rpm


    Go to https://<your.server.ip.address>:10000
    and then
    Install the csf webmin module in:
    Webmin > Webmin Configuration > Webmin Modules >
    From local file > /etc/csf/csfwebmin.tgz > Install Module


    At any rate, the result was a very pleasing message:
    The following modules have been successfully installed and added to your access control list :

    ConfigServer Security & Firewall in /usr/libexec/webmin/csf (48 kB) under category System
     
  12. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    dicko, I have CSF successfully running on a 2.0.3 box. Got two addresses from the Russian Federation added to the blocked/deny iptables this AM.

    When I turn on the firewall my calls don't work, though. I tried adding 5060,10000:20000 to UDP in/out. Phones get DHCP from a NetGear FVS338 (5060,10K-20K,22 forwarded to box) (Elastix DHCP is off) Box is on a static of 192.168.1.101. When I turn the CSF firewall off things are okay. Tried adding the address of one phone 192.168.1.5 to the allow. Doesn't work. Funny thing I can't SSH into the box via my wireless access point, but can through the Ethernet cable on my PC. It's almost like a double NATing issue I've experienced in the past.
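Added example, not part of the thread: a Python audit of the csf.conf TCP_IN/UDP_IN lists that covers both the first post's question (which ports really need to be there) and the SIP/RTP entries added above, by expanding csf's comma-separated lists and inclusive ranges (5060,10000:20000) and diffing them against the services the box actually offers. The service map, including SSH moved to 2222, is an assumption for illustration.

```python
# Constructed csf.conf fragment: the TCP_IN list from the first post plus a
# UDP_IN list with the SIP/RTP entries franklin added for the phones.
CSF_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP_IN = "20,21,53,5060,10000:20000"
'''

# Assumed service map for a PBX with SSH moved to 2222 (hypothetical port);
# 53 and 123 are client-side needs that belong in the *_OUT lists instead.
NEEDED = {
    "TCP_IN": {2222, 80, 443},
    "UDP_IN": {5060} | set(range(10000, 20001)),   # SIP signalling + RTP media
}

def parse_port_list(spec):
    """Expand a csf port list such as "22,80,10000:20000" into a set of ints."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")      # "10000:20000" is an inclusive range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def read_port_settings(conf_text):
    """Pull the TCP_*/UDP_* lists out of csf.conf text."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(("TCP_", "UDP_")) and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = parse_port_list(value.strip().strip('"'))
    return settings

def audit(conf_text, needed):
    """Return {key: (missing, extra)}: 'missing' breaks a service (e.g. RTP
    media, the moved SSH port); 'extra' is exposure no listed service needs."""
    settings = read_port_settings(conf_text)
    return {key: (sorted(want - settings.get(key, set())),
                  sorted(settings.get(key, set()) - want))
            for key, want in needed.items()}

if __name__ == "__main__":
    for key, (missing, extra) in audit(CSF_CONF, NEEDED).items():
        print(f"{key}: missing={missing} extra={extra}")
```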
     
  13. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    maybe

    tailf /var/log/messages

    will give a clue.
     
  14. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    Thanks. Just loaded 1.6 over my 2.0. Forgot that Telephone Reminders suggests Asterisk 1.4. Found out it doesn't play 100% nice on Asterisk 1.6. Starting over. Plus, until you say you are going full bore with 2.0 I am putting it out of mind. Realizing the NIC card is not configured. I think I can get the drivers from the Rhino site. Any assistance would be greatly appreciated.

    Going to get this security thing straight before I do anything. Have a few 1.6 boxes out there I need to protect.
     
  15. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    ip addr show got me going. disregard driver question.
     
  16. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    "/" can you advise me on what I am looking at below?

    Changed SSH from 22. restart Changed Webmin from 10000. restart.

    I keep getting hit with this same routine:
    Mar 16 17:18:18 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
    Mar 16 17:19:00 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
    Mar 16 17:19:17 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
    Mar 16 17:19:22 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
    Mar 16 17:20:05 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
    Mar 16 17:20:21 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
    Mar 16 17:20:28 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
    Mar 16 17:21:11 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argument
    Mar 16 17:21:24 elastix ntpd[2327]: sendto(208.75.88.4) (fd=20): Invalid argument
    Mar 16 17:21:31 elastix ntpd[2327]: sendto(149.20.54.20) (fd=20): Invalid argument
    Mar 16 17:22:16 elastix ntpd[2327]: sendto(140.99.51.114) (fd=20): Invalid argum

    My "View IP Tables Log" doesn't show the above, but does show this pernicious thing from Miami that keeps coming in:
    Mar 16 17:25:28 elastix kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=<xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> SRC=38.126.208.225 DST=192.168.1.101 LEN=32 TOS=0x00 PREC=0x00 TTL=3 ID=12 PROTO=UDP SPT=10013 DPT=33437 LEN=12
     
  17. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    that is your time server on udp/123 and tcp/123; it needs both.

    the other one is an attempt to traceroute you,
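An added example (not from the thread): Python that parses csf's "Firewall: *UDP_IN Blocked*" syslog lines, labels UDP probes into the 33434:33523 range as traceroute (dicko's reading of the entry above) and counts hits per source so the "pernicious thing" shows up as a repeat offender. The log lines are constructed, with documentation addresses in place of the original MAC and source.

```python
import re

# Constructed log lines in the format csf writes (the MAC field and the
# original post's source address replaced with documentation values).
LOG_LINES = """\
Mar 16 17:25:28 elastix kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.45 DST=192.168.1.101 LEN=32 TOS=0x00 PREC=0x00 TTL=3 ID=12 PROTO=UDP SPT=10013 DPT=33437 LEN=12
Mar 16 17:26:02 elastix kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.9 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Mar 16 17:26:40 elastix kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.9 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8 PROTO=TCP SPT=41000 DPT=22 WINDOW=5840 SYN
"""

LINE_RE = re.compile(r"Firewall: \*(?P<chain>\w+) Blocked\* (?P<fields>.*)")
TRACEROUTE_PORTS = range(33434, 33524)   # the 33434:33523 range csf.conf mentions

def parse_line(line):
    """Turn one blocked-packet line into a dict of its KEY=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:                      # flag tokens like SYN carry no '='
            fields[key] = value
    return fields

def classify(fields):
    """Label the packet. A UDP probe into 33434-33523 is traceroute (the TTL
    is typically low but not required); 5060 and 22 are the usual scans."""
    proto, dpt = fields.get("PROTO"), int(fields.get("DPT", 0))
    if proto == "UDP" and dpt in TRACEROUTE_PORTS:
        return "traceroute probe"
    if dpt == 5060:
        return "SIP scan"
    if dpt == 22:
        return "SSH default-port probe"
    return "other"

def summarize(log_text):
    """Count (source, label) pairs so repeat offenders stand out."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            key = (fields["SRC"], classify(fields))
            counts[key] = counts.get(key, 0) + 1
    return counts
```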
     
  18. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    What purpose does the constant traceroute serve for the other party? is it perhaps my ISP doing a keep alive on the modem? DSL. Chap authentication.
     
  19. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    "/"
    What is the verdict on disabling the following:
    avahi-daemon
    saslauthd
    rpcidmapd
    nfslock
    atd
    xfs
    MySQL LOAD DATA disallows LOCAL

    After I square those, I need to do these, and I'm a bit unsure:

    /tmp should be mounted as a separate filesystem with the noexec,nosuid options se

    /var/tmp should either be symlinked to /tmp or mounted as a filesystem

    /dev/shm is not mounted with the noexec,nosuid options (currently: none). You should modify the mountpoint in /etc/fstab for /dev/shm with those options and remount

    Then enable IPv6, sounds easy enough

    IPv6 appears to be enabled [ifconfig: fe80::21c:c0ff:fed5:20c0/64 Scope:Link, ::1/128 Scope:Host]. If ip6tables is installed, you should enable the csf IPv6 firewall (IPV6 in csf.conf)

    and

    I've seen you urge people to do this

    For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication (I'll have to investigate how to do this.)

    Then I should be all green. Can you advise? Thanks.
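Added example, not code from csf or the thread: a Python check that mirrors the audit items listed above, reading /proc/mounts-style lines for /tmp and /dev/shm, sshd_config for PasswordAuthentication, and the IPV6 key in csf.conf. All three inputs are constructed samples.

```python
# Constructed inputs shaped like /proc/mounts, sshd_config and csf.conf
# (sample values, not read from franklin's box).
PROC_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
"""
SSHD_CONFIG = """\
Port 2222
#PasswordAuthentication yes
PubkeyAuthentication yes
"""
CSF_CONF_IPV6 = 'IPV6 = "0"\n'

def mount_options(proc_mounts, mountpoint):
    """Option set for a mountpoint, or None when it is not a separate mount."""
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mountpoint:
            return set(parts[3].split(","))
    return None

def sshd_setting(config_text, key, default):
    """sshd honours the first uncommented occurrence of a keyword; the
    commented '#PasswordAuthentication yes' only documents the default."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == key.lower():
            return parts[1]
    return default

def csf_setting(conf_text, key):
    for line in conf_text.splitlines():
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip().strip('"')

def audit(proc_mounts=PROC_MOUNTS, sshd_config=SSHD_CONFIG, csf_conf=CSF_CONF_IPV6):
    findings = []   # the items a csf-style security check would raise
    for mp in ("/tmp", "/dev/shm"):
        opts = mount_options(proc_mounts, mp)
        if opts is None:
            findings.append(f"{mp} is not a separate filesystem")
        elif not {"noexec", "nosuid"} <= opts:
            findings.append(f"{mp} lacks noexec,nosuid (currently: {','.join(sorted(opts))})")
    if sshd_setting(sshd_config, "PasswordAuthentication", "yes") != "no":
        findings.append("sshd accepts passwords; set PasswordAuthentication no")
    if csf_setting(csf_conf, "IPV6") != "1":
        findings.append("csf IPv6 firewall is off (IPV6 in csf.conf)")
    return findings
```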
     
  20. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    dicko,

    I get this on a who at root

    pts/3 2011-03-18 11:24 (mailserv.tranquil-it.us)

    It also shows up on a last periodically. Is this an internal signin?
     
