The Community Forums


firewalls

Discussion in 'General Discussion' started by annualhost, Nov 22, 2002.

  1. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Is anyone running a firewall like PMFirewall or Bastille?

    Any how-to's for firewall setup on cPanel?

    Thanks,

    Nathan
     
  2. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    This is what we did. (From another post in these forums). We denied all ports coming in except:

    20 ---> FTP ---> TCP
    20 ---> FTP ---> UDP
    21 ---> FTP ---> TCP
    21 ---> FTP ---> UDP
    22 ---> SSH ---> TCP
    25 ---> SMTP ---> TCP
    53 ---> DNS ---> TCP & UDP
    80 ---> HTTP ---> TCP
    110 ---> POP3 ---> TCP
    143 ---> IMAP ---> TCP
    443 ---> HTTPS ---> TCP
    465 ---> sSMTP ---> TCP
    993 ---> sIMAP ---> TCP
    995 ---> sPOP3 ---> TCP
    2082 ---> Cpanel ---> TCP
    2083 ---> secure Cpanel
    2086 ---> WHM ---> TCP
    2087 ---> secure WHM
    2095 ---> WebMail ---> TCP
    2096 ---> secure WebMail
    3306 ---> MySQL ---> TCP
    7786 ---> Ichange ---> TCP
    6666 ---> Melange ---> TCP
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    It would be great if someone could post an iptables howto for closing all the ports except the above mentioned.

    I played around with iptables somewhat, but I'm not an expert.

    I would like to secure the server somewhat better.
     
  4. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by netarus:

    This is what we did. (From another post in these forums). We denied all ports coming in except:

    20 ---> FTP ---> TCP
    20 ---> FTP ---> UDP
    21 ---> FTP ---> TCP
    21 ---> FTP ---> UDP
    22 ---> SSH ---> TCP
    25 ---> SMTP ---> TCP
    53 ---> DNS ---> TCP & UDP
    80 ---> HTTP ---> TCP
    110 ---> POP3 ---> TCP
    143 ---> IMAP ---> TCP
    443 ---> HTTPS ---> TCP
    465 ---> sSMTP ---> TCP
    993 ---> sIMAP ---> TCP
    995 ---> sPOP3 ---> TCP
    2082 ---> Cpanel ---> TCP
    2083 ---> secure Cpanel
    2086 ---> WHM ---> TCP
    2087 ---> secure WHM
    2095 ---> WebMail ---> TCP
    2096 ---> secure WebMail
    3306 ---> MySQL ---> TCP
    7786 ---> Ichange ---> TCP
    6666 ---> Melange ---> TCP

    Where did you do this blocking?
     
  5. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    can anyone explain better how to do this...

    Just a quick example of one or two ports would be great ;)

    Thanks,

    Nathan
     
  6. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    I saw this posted.. I think it was on webhostingtalk.com and I haven't tried it yet, but it's install instructions for Bastille on cpanel servers: http://www.section5.valcato.net/Bastille_Cpanel_HowTo.txt

    If anyone cares to try and let us know how it goes, that would be great.
     
  7. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Looks pretty straightforward. I did a similar install on Ensim and it worked great.

    I will give it a try today and let you know how it goes... ;)
     
  8. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    ran pretty well, no major issues...

    there were 2 things I noticed...

    1) in between the following two questions there was a question that was left out of the instructions...

    Q: Would you like to set more restrictive permissions on the administration utilities?

    Choose 'yes', press [RETURN], select 'next' then press [RETURN] again.

    Q: Should Bastille disable clear-text r-protocols that use IP-based authentication?

    Choose 'yes' then press [RETURN].


    There was a question that asked about setting SUID status for tracert. I just accepted the default and it seems OK. I am not sure of the exact wording of the question, it threw me off when I hit it so I forgot to write the whole thing down. :p

    2) The other thing I noticed was the PSAD warnings were set at 1 I moved it to 5. If you set it at 1 you will get a million emails a day from PSAD for every little thing. If it is not level 5 I don't care about it. THAT IS JUST ME.... YOU HAVE TO DO WHAT YOU ARE COMFORTABLE WITH!!!!

    iminteractive...

    Thanks for digging this up. I was getting ready to take the Ensim version of this and change the ports on my own. Good thing this came first because I think I would have missed one or two.

    Nathan
     
  9. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    annualhost,

    Thanks for being the guinea pig ;) for this install. Hope everything goes well. Once Bastille is in, do you get rid of portsentry? In terms of being effective, what's the ratio between these two?

    Regards,

    Norman
     
  10. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    moronhead,

    I don't think I can answer the portsentry question...

    I am not running portsentry. I have a new box so I am just tightening it up before I put clients on it


    Is cPanel running portsentry by default?

    I am a noob to cPanel


    Nathan
     
  11. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    cpanel installs and runs portsentry.
     
  12. annualhost

    annualhost Member

    Joined:
    Nov 22, 2002
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    I have not noticed any conflicts...

    Looks like I have double protection :)
     
  13. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    What is the difference between using native RedHat IPCHAINS/IPTABLES versus Bastille? Is Bastille more efficient than the other two?

    I really like the email alert features with it. :)

    Can anyone give any advice on using Bastille or not if we already have IPTABLES on all of our machines?
     
  14. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Bastille isn't a firewall, as far as I know it only helps manage a firewall ( ipchains or iptables ) or just makes the job a little easier. Same with PMFirewall.. not really a firewall at all.
     
  15. akfallin

    akfallin Member

    Joined:
    Jun 29, 2002
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Here is the iptables firewall we are using on some of our servers. You must already have iptables installed to use this. It is a shell script so chmod it 755 and then execute it as root to initialize the rules.

    #!/bin/sh
    # FLUSH CHAINS AND ZERO COUNTS
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -Z

    # DROP FRAGMENTS (non-first fragments never match the port rules below)
    iptables -A INPUT -f -j DROP

    # LOOPBACK
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # REPLIES TO CONNECTIONS THIS HOST OPENED (DNS lookups, outbound mail, etc.)
    # Without this the INPUT DROP policy at the end would also drop the answers.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DROP BAD ADDYS (one address or network per line in the banned file)
    if [ -f /etc/firewall/firewall.banned ]; then
        while read -r BANNED; do
            iptables -A INPUT -s "$BANNED" -j DROP
            iptables -A INPUT -d "$BANNED" -j DROP
            iptables -A OUTPUT -s "$BANNED" -j DROP
            iptables -A OUTPUT -d "$BANNED" -j DROP
        done < /etc/firewall/firewall.banned
    fi

    # FTP
    iptables -A INPUT -p TCP --dport 20 -j ACCEPT
    iptables -A INPUT -p UDP --dport 20 -j ACCEPT
    iptables -A INPUT -p TCP --dport 21 -j ACCEPT
    iptables -A INPUT -p UDP --dport 21 -j ACCEPT

    # SSH
    iptables -A INPUT -p TCP --dport 22 -j ACCEPT

    # SMTP
    iptables -A INPUT -p TCP --dport 25 -j ACCEPT

    # DNS
    iptables -A INPUT -p TCP --dport 53 -j ACCEPT
    iptables -A INPUT -p UDP --dport 53 -j ACCEPT

    # HTTP
    iptables -A INPUT -p TCP --dport 80 -j ACCEPT

    # POP3
    iptables -A INPUT -p TCP --dport 110 -j ACCEPT

    # IMAP
    iptables -A INPUT -p TCP --dport 143 -j ACCEPT

    # HTTPS
    iptables -A INPUT -p TCP --dport 443 -j ACCEPT

    # sSMTP
    iptables -A INPUT -p TCP --dport 465 -j ACCEPT

    # sIMAP
    iptables -A INPUT -p TCP --dport 993 -j ACCEPT

    # sPOP3
    iptables -A INPUT -p TCP --dport 995 -j ACCEPT

    # Cpanel
    iptables -A INPUT -p TCP --dport 2082 -j ACCEPT

    # sCpanel
    iptables -A INPUT -p TCP --dport 2083 -j ACCEPT

    # WHM
    iptables -A INPUT -p TCP --dport 2086 -j ACCEPT

    # sWHM
    iptables -A INPUT -p TCP --dport 2087 -j ACCEPT

    # WebMail
    iptables -A INPUT -p TCP --dport 2095 -j ACCEPT

    # sWebmail
    iptables -A INPUT -p TCP --dport 2096 -j ACCEPT

    # REMOTE MySQL (left closed; uncomment only if remote clients need it)
    #iptables -A INPUT -p TCP --dport 3306 -j ACCEPT

    # Ichange
    iptables -A INPUT -p TCP --dport 7786 -j ACCEPT

    # Melange
    iptables -A INPUT -p TCP --dport 6666 -j ACCEPT

    # syn-flood / dos protection: new SYNs beyond 2 per second are dropped
    iptables -t nat -N syn-flood
    iptables -t nat -A syn-flood -m limit --limit 2/s --limit-burst 2 -j RETURN
    iptables -t nat -A syn-flood -j DROP
    # Check for DoS attack
    iptables -t nat -A PREROUTING -i eth0 -p TCP --syn -j syn-flood

    # SET DEFAULT POLICY: DROP EVERYTHING INBOUND EXCEPT THE RULES ABOVE, ACCEPT OUTPUT
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
     
  16. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Akfallin,

    Thanks for posting this. Some questions:

    * Are you running this side by side with portsentry?

    * Is it just a matter of putting the script in rc.local to initialize it at reboot?

    * How do you ensure iptables are first activated before loading the rules at reboot?

    Regards,

    Norman
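    An added example, not code from this thread or from cPanel/Bastille, covering two things the discussion asks for: turning a port allow-list like netarus's into a default-deny ruleset, and loading it at boot only once the kernel side of iptables is present (moronhead's rc.local question). It uses the iptables-restore file format so the whole ruleset is applied atomically instead of one iptables call at a time. The allow-list contents, the file paths and the "<port> <tcp|udp|both>" line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: build an
# iptables-restore ruleset from a port allow-list and load it only once the
# kernel side of iptables is present. File paths and the list format are
# assumptions made for this example.

# Allow-list, constructed for this example, in "<port> <tcp|udp|both>" form.
# '#' starts a comment; blank lines are ignored.
ALLOWLIST='
# port  proto   # service
20      tcp     # FTP data
21      tcp     # FTP control
22      tcp     # SSH
25      tcp     # SMTP
53      both    # DNS
80      tcp     # HTTP
443     tcp     # HTTPS
2082    tcp     # cPanel
2083    tcp     # cPanel over SSL
2086    tcp     # WHM
2087    tcp     # WHM over SSL
'

# gen_rules: read the allow-list on stdin and print an iptables-restore
# ruleset: default-deny INPUT, loopback and reply traffic accepted first,
# non-first fragments dropped, then one ACCEPT per allowed port/protocol.
# Malformed lines are reported on stderr and skipped rather than loaded.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened (DNS lookups, outbound mail)
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -f -j DROP'
    sed 's/#.*//' | while read -r port proto; do
        if [ -z "$port" ]; then
            continue
        fi
        case "$port" in
            *[!0-9]*)
                echo "gen_rules: skipping bad port '$port'" >&2
                continue ;;
        esac
        case "$proto" in
            tcp|udp)
                echo "-A INPUT -p $proto --dport $port -j ACCEPT" ;;
            both)
                echo "-A INPUT -p tcp --dport $port -j ACCEPT"
                echo "-A INPUT -p udp --dport $port -j ACCEPT" ;;
            *)
                echo "gen_rules: skipping port $port, bad protocol '$proto'" >&2 ;;
        esac
    done
    echo 'COMMIT'
}

# count_accept_rules: number of ACCEPT rules in a ruleset read on stdin
count_accept_rules() {
    grep -c -- '-j ACCEPT$' || true
}

# apply_rules FILE: load FILE atomically with iptables-restore, after making
# sure the ip_tables module is loaded (the kernel exposes
# /proc/net/ip_tables_names once it is). Safe to call from an init script
# or rc.local; it needs root and a netfilter kernel, so it is not run here.
apply_rules() {
    if [ ! -e /proc/net/ip_tables_names ]; then
        modprobe ip_tables || { echo "apply_rules: ip_tables not available" >&2; return 1; }
    fi
    iptables-restore < "$1"
}

# When run directly, print the generated ruleset; redirect it to a file and
# hand that file to apply_rules to load it.
printf '%s\n' "$ALLOWLIST" | gen_rules
```

    On a Red Hat style system the simplest way to get the rules back after a reboot is to load them once and run iptables-save into /etc/sysconfig/iptables; the stock iptables init script then restores that file early in the boot sequence, before rc.local runs, so there is no ordering problem to solve by hand. The ESTABLISHED,RELATED rule near the top is what keeps a default-deny INPUT policy from also dropping DNS answers and other replies to connections the server itself opened.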
     
  17. YukFoo

    YukFoo Well-Known Member

    Joined:
    Sep 1, 2002
    Messages:
    135
    Likes Received:
    0
    Trophy Points:
    16
    Some beginner instructions would be helpful for this. Thanks.
     
  18. perlchild

    perlchild Well-Known Member

    Joined:
    Sep 1, 2002
    Messages:
    279
    Likes Received:
    0
    Trophy Points:
    16
    firewalls, etc

    There are many options for "hardening" a Linux machine, such as Bastille; portsentry also comes to mind, at least in a limited fashion. Depending on your kernel version, OS version and Linux knowledge, many options come to mind. On top of that, a Linux distribution often comes with more than one tool for firewalling. You might wish to contact an experienced systems administrator, depending on what other services you run on your box, as there is NO one size fits all in firewalls. Think of it as asking for that skinny woman police officer's bulletproof vest: it would be uncomfy to wear unless you're both 1) skinny 2) a woman,
    wouldn't it? (Disclaimer: I do offer firewalling advice to those that desire it; please take my advice with a grain of salt.)
     