Can anyone recommend any decent firewalls that use minimal CPU/memory, that run on CentOS 4.4?
CSF is excellent.
Hey bro,
I found this 2 days back, and it works great for WHM/cPanel servers.
Although it's a little tricky if you have a VPS server, I got mine to work on my real servers and my VPS servers.
My WHM/cPanel versions:
WHM 10.8.0 cPanel 10.9.0-R47
CentOS 4.4 i686 - WHM X v3.1.0
Firewall URL:
http://www.configserver.com/cp/csf.html
Enjoy!!
DTmonk
-----------
-----------
Oh, and one last thing: when you are configuring your firewall, be careful of this option (LF_PARSE = ??).
If you set this option higher than 59 seconds, then you'll find your server using 20-50% of its CPU, but if you set it to 59 seconds like I have, then your server won't even feel any stress. I think it's a bug or something. Other than that, I'm smiling all the way, especially with the auto-blocking features.
Right, I have CSF installed and I'm nearly done correcting all the warnings in the Security Check screen. The LF_PARSE setting is set to 5. Is this OK?
Nope, because that means that it's going to read the logs every 5 seconds, and that's no good as this is too stressful; rather, set it to 59 seconds like I have.
I will see if I can post my config file for you, then you can see what works for me.
Back in 15 min.
Ciao!!
# Copyright 2006, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
###############################################################################
TESTING = 0
TESTING_INTERVAL = 1
AUTO_UPDATES = 0
ETH_DEVICE =
# Unfiltered ethernet devices in a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP =
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096
# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703
UDP_IN = 20,21,53,953
UDP_OUT = 20,21,53,113,123,873,953,6277
ICMP: these settings will allow ping to enter and the answer to return, but will still prevent my server
from participating in a DoS attack, because the server may not start the ping (I did this because the data center is monitoring my server with pings).
# Allow incoming PING
ICMP_IN = 1
# Allow outgoing PING
ICMP_OUT = 0
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
This is for VPS servers only:
MONOLITHIC_KERNEL = 0
DROP_LOGGING = 1
DROP_IP_LOGGING = 1
DROP_ONLYRES = 1
DROP_NOLOG = 67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127
PACKET_FILTER = 1
VERBOSE = 1
DYNDNS = 0
ALLOW_RES_PORTS = 0
DENY_IP_LIMIT = 250
GLOBAL_ALLOW =
GLOBAL_DENY =
LF_GLOBAL =
LF_DAEMON = 1
This is very important, because my aim was to stop script brute force but not lock myself or my users out. If you use my settings below, then if you are caught by the logfile daemon, you're only blocked from that port. I think this is best, as I usually go and inspect the blocked IPs and then add them MANUALLY to my permanent deny list!!
From here down:
LF_TRIGGER = 0
LF_SELECT = 1
LF_SSHD = 7
LF_FTPD = 20
LF_POP3D = 20
LF_IMAPD = 20
LF_HTACCESS = 1
LF_MODSEC = 1
LF_CPANEL = 20
LF_CSF = 1
LF_SSH_EMAIL_ALERT = 1
LF_SU_EMAIL_ALERT = 1
To here; all the above is very important.
Last edited by DTmonk; 10-21-2006 at 12:36 PM.
LF_SCRIPT_ALERT = 1
LF_SCRIPT_LIMIT = 300
LF_SCRIPT_PERM = 0
LF_DIRWATCH = 300
LF_DIRWATCH_DISABLE = 1
LF_DIRWATCH_FILE = 0
Last edit: 23/10/2006
Best you follow Chirpy's advice and set the LF parser
LF_INTERVAL = 180
Very important that you do not set this value too (low) or any higher than 59 seconds, as it seems to be buggy and then you'll be using +-50% CPU while LFD is in sleep mode; you can verify for yourself by looking at your current CPU usage.
Last edit: 23/10/2006
Best you follow Chirpy's advice and set the LF parser to [5] seconds
LF_PARSE = 59 <------------------ correction: please set to five [5]
LF_EMAIL_ALERT = 1
LT_EMAIL_ALERT = 1
LT_POP3D = 60
LT_IMAPD = 0
LF_DSHIELD = 7200
LF_DSHIELD_URL = http://feeds.dshield.org/block.txt
LF_SPAMHAUS = 7200
LF_SPAMHAUS_URL = http://www.spamhaus.org/drop/drop.lasso
Also be careful with these next few options, because I think if you set them too low then you could disturb chat software, as the members may be blocked. So if you are using chat software then play around with these next few settings; this is with regard to (anti-DoS) & connection tracking, (chat software) & (Google spiders). I've set mine high below.
CT_LIMIT = 300
CT_INTERVAL = 300
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 300
PT_LIMIT = 300
PT_INTERVAL = 300
PT_SKIP_HTTP = 0
PT_USERPROC = 10
PT_SMTP = 0
# OS settings
Last edited by DTmonk; 10-23-2006 at 06:10 AM.
Hey bro, I hope that will help you, because I have tested these settings myself and have also tested the brute force protection myself. Every day so far, this firewall has saved me bandwidth & personal stress, because within 2 minutes of a brute force password attack on my servers, this firewall is stopping and blocking the attackers.
I smile every day when I look at my logs and see another one added to my blocklist.
My settings really work, although I'm still busy tweaking more.
Ciao!!
DTmonk
----------
----------
Cool, thanks for the info. The software appears to do a really good job, so thank you for recommending it.
Chirpy's CSF is by far the best firewall and set of security-related tools I have seen for Cpanel, and he is a valued member of the Cpanel community.
Rich
Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. Any advice is given solely on the assumption that it will be followed at your own risk.
That's not accurate, as I mentioned in the main CSF thread. You should leave it at 5 seconds for very good performance reasons.
Originally Posted by DTmonk
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
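The posted csf.conf fragment and the developer's reply about LF_PARSE can be turned into a mechanical check. The script below is an added example written for this thread, not csf's own code and not part of any post above. It parses the `KEY = value` format shown in the thread (both the unquoted style posted here and the double-quoted style newer csf.conf files use), expands port lists such as `135:139`, and reports the things a reviewer would flag: `TESTING=1` (csf clears its rules on the TESTING_INTERVAL cron job while that flag is set), `LF_PARSE` not at the 5 seconds the csf developer recommends above, malformed port entries, and cPanel/WHM/webmail plaintext ports (2082, 2086, 2095) opened alongside their TLS counterparts. The function names, the finding codes, the sample configuration (reconstructed from the thread's values, with one quoted line and one annotated line added) and the plaintext-port pairing are my assumptions, not anything csf ships.

```python
"""Lint a ConfigServer Firewall (csf.conf) fragment.

Added example, not csf's own code. Assumptions not on the page: the
function names, finding codes and PLAINTEXT_PAIRS table are mine.
"""
import re

# Constructed sample (assumption): values posted in the thread, plus one
# double-quoted value as newer csf.conf files write them and the annotated
# LF_PARSE line exactly as it appears in the post.
SAMPLE_CONF = """\
# URL: http://www.waytotheweb.com
TESTING = 0
TCP_IN = 20,21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
UDP_IN = 20,21,53,953
ICMP_IN = 1
ICMP_OUT = 0
LF_SELECT = 1
LF_SSHD = 7
LF_PARSE = 59 <------------------ correction please set to five [5]
DROP_NOLOG = 67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127
"""

SETTING_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*)$')

# Standard cPanel plaintext ports and their TLS counterparts (assumption).
PLAINTEXT_PAIRS = {2082: 2083, 2086: 2087, 2095: 2096}


def parse_conf(text):
    """Return {KEY: value}. Lines starting with '#' are comments; a value is
    either a double-quoted string or the first whitespace token after '=',
    so trailing annotations like '<---- note' are ignored."""
    conf = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = SETTING_RE.match(raw)
        if not m:
            continue  # prose typed between settings, as in the thread
        key, rest = m.group(1), m.group(2).strip()
        if rest.startswith('"'):
            end = rest.find('"', 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:
            value = rest.split(None, 1)[0] if rest else ''
        conf[key] = value
    return conf


def parse_ports(spec):
    """Expand a csf port list ('20,21,135:139') into a set of ints.
    Raises ValueError for ports outside 1..65535 or a reversed range."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(','))):
        lo, _, hi = item.partition(':')
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f'bad port entry {item!r}')
        ports.update(range(lo, hi + 1))
    return ports


def lint(conf):
    """Return a list of (code, message) findings for a parsed csf.conf."""
    findings = []
    if conf.get('TESTING') == '1':
        findings.append(('TESTING', 'TESTING=1: csf clears its iptables rules '
                         'every TESTING_INTERVAL minutes while this is set'))
    lf_parse = conf.get('LF_PARSE')
    if lf_parse is not None and lf_parse != '5':
        findings.append(('LF_PARSE', f'LF_PARSE={lf_parse}: the csf developer '
                         'says to leave this at 5 seconds for performance'))
    for key in ('TCP_IN', 'TCP_OUT', 'UDP_IN', 'UDP_OUT', 'DROP_NOLOG'):
        if key in conf:
            try:
                parse_ports(conf[key])
            except ValueError as exc:
                findings.append(('PORTS', f'{key}: {exc}'))
    try:
        tcp_in = parse_ports(conf.get('TCP_IN', ''))
    except ValueError:
        tcp_in = set()
    for plain, tls in PLAINTEXT_PAIRS.items():
        if plain in tcp_in and tls in tcp_in:
            findings.append(('PLAINTEXT', f'TCP_IN opens port {plain} '
                             f'(unencrypted) alongside its TLS port {tls}'))
    return findings


if __name__ == '__main__':
    for code, msg in lint(parse_conf(SAMPLE_CONF)):
        print(f'[{code}] {msg}')
```

Run against the thread's values it reports the LF_PARSE=59 disagreement and the three plaintext cPanel ports; point it at a real `/etc/csf/csf.conf` by reading the file into `parse_conf` instead of `SAMPLE_CONF`.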