The Community Forums


iptables/firewall

Discussion in 'General Discussion' started by allpar, Sep 17, 2005.

  1. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    When I used Webmin, I was able to easily set rules for iptables - I don't see any controls in cPanel for this. It would be desirable to block off, for example, SSH access to certain domains due to regular break-in attempts (a couple of thousand per day). How can I do this? I looked at apf but it doesn't look any less impenetrable than playing with the actual iptables.

    BTW I'm also still bemused by webalizer...though I'm starting to figure that one out.
     
  2. MMarko

    MMarko Well-Known Member

    Joined:
    Apr 18, 2005
    Messages:
    316
    Likes Received:
    0
    Trophy Points:
    16
    Install APF.

    Change SSH port to something different from default.

    Enter it in APF rules.

    Restart APF and SSHD.


    You have an option in WHM to allow/disallow shell access for a specific user.
     
  3. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    cPanel or WHM is something which does not control any firewall rules. You need to either have Webmin installed again if you want an interface for firewall management, or have apf or manual iptables rules manage it for you.
     
  4. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Just install and use APF. It's simple to set up and you don't really need to fiddle much with it, as your firewall ports do not change often.
     
  5. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    So...

    APF is as easy as it gets? Gak. I had earlier shut off several countries that I get no real traffic from, just hacking attempts; and limited port 22 access to my own ISP, which dramatically cut back the random-attempts. Doing that in APF looks...hard. Unless there's something I'm missing about APF?
     
  6. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    For APF, there is another product called BFD (brute force detection) that can automatically ban IP addresses that have tried to hack your box. That is a much better way to counter hacking.

    If you insist on using your method, you can add the banlist into APF's blacklist. On top of that, you can actually add your own iptables rules into APF easily.
     
  7. gunmuse

    gunmuse Well-Known Member

    Joined:
    Jul 3, 2003
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Mexico
    Why use APF? iptables is faster and doesn't go nuts by automatically locking down IPs. If you're running a production server, IMHO and from experience, APF will start costing you business. Use iptables - iptablesrock.org has a great setup procedure.
     
  8. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    It's just personal preference. You should know that most of the firewall products out there for Linux are only a frontend for iptables.

    If you prefer hardcoding iptables then that's the best way to go. As for me, I do know about iptables, but since apf can do the job of providing me some generic iptables scripts, I am more than happy to use it.

    Most of the time, for a production webserver, you only use it for simple port forwarding and IP redirection. APF is more than enough to do the job. You are probably doing something more complicated that requires a more powerful frontend tool.

    BTW, would you care to elaborate on what this means? "If you're running a production server IMHO and from experience APF will start costing you business"
     
  9. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    FYI .. APF uses iptables.
     
  10. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
  11. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Hey that's what we use! Being around the unix world for several decades, I'm a lot more comfortable
    entering rules from the command shell directly than from some web interface anyway.

    The common SSH brute force attacks can be cured with 1 simple rule ....

    iptables -A INPUT -s ! xx.xx.xx.xx -p tcp --dport 22 -j DROP

    ... where "xx.xx.xx.xx" above is the IP address or CIDR network range of your own
    computer at home that you want to use to access your server machine.

    The rule above basically tells your server to drop the packets of anyone attempting
    to connect to SSH with the sole exception of the address or range you specified in
    the "xx.xx.xx.xx" above which is permitted to connect via SSH.

    PS: DO NOT FORGET THE EXCLAMATION POINT IN THE RULE ABOVE OR THE RULE
    WILL HAVE JUST THE OPPOSITE EFFECT AND ALLOW EVERYONE TO SSH EXCEPT YOU!
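    The following POSIX shell script is an added example for the rule discussed above; it is not from any poster in this thread. It builds the same SSH allowlist, but as positive ACCEPT rules for each trusted range followed by one catch-all DROP on the SSH port, so the policy does not hinge on a single "!" being present. The ranges 203.0.113.0/24 and 198.51.100.7 are constructed sample values, the script assumes the iptables binary is on the path, and it defaults to a dry run that only prints the commands. One caveat for current systems: recent iptables versions require the negation to come before the option (`! -s xx.xx.xx.xx`) rather than after it (`-s ! xx.xx.xx.xx`), which is the 2005-era form shown in the post.

```shell
#!/bin/sh
# ssh_allowlist.sh - restrict SSH to trusted source ranges with iptables.
# Added example, not code from this thread. Assumptions: SSH listens on
# SSH_PORT (default 22); DRY_RUN=1 (the default) prints the rules instead of
# applying them; SAFETY_SECONDS, if set, removes the DROP rule again after
# that many seconds unless the guard process is killed first.
SSH_PORT="${SSH_PORT:-22}"

# Validate a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; plen="${1#*/}" ;;
        *)   addr="$1"; plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # Split on dots: exactly four octets, each a number 0-255.
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset: one ACCEPT per trusted range, then a single DROP for
# everyone else on the SSH port. Because the allow rules are positive matches,
# a forgotten "!" cannot invert the policy; the remaining risk is a mistyped
# range, which is why every argument is validated before anything is printed.
ssh_allowlist_rules() {
    [ $# -ge 1 ] || { echo "usage: ssh_allowlist_rules <cidr> [<cidr>...]" >&2; return 2; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "invalid address/range: $net" >&2; return 1; }
    done
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
}

# Apply the rules (or print them under DRY_RUN). With SAFETY_SECONDS set, a
# background guard deletes the DROP rule after the delay, in the spirit of
# APF's timed flush: log in through the new rules, then kill the guard.
apply_ssh_allowlist() {
    rules=$(ssh_allowlist_rules "$@") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd; done
    if [ -n "${SAFETY_SECONDS:-}" ]; then
        ( sleep "$SAFETY_SECONDS" && iptables -D INPUT -p tcp --dport "$SSH_PORT" -j DROP ) &
        echo "lockout guard running as PID $!; kill it once you have confirmed SSH still works"
    fi
}

# Demonstration with constructed sample ranges; DRY_RUN defaults to 1, so
# this only prints the three commands that would be run.
apply_ssh_allowlist 203.0.113.0/24 198.51.100.7
```

    Run it as `DRY_RUN=0 SAFETY_SECONDS=300 sh ssh_allowlist.sh` (as root) to apply the rules with a five-minute safety window; the generated rules append to INPUT, so anything already accepting port 22 earlier in the chain still wins, and a rule allowing ESTABLISHED connections is worth keeping above them so the current session is not cut.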
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You've misunderstood what APF is. It's a configuration utility for iptables. If you configure it incorrectly, of course you'll have problems, however it is a good tool, though some of the features are most likely overkill and there was a buggy release recently which has thankfully been addressed.
     
  13. MattGetWeb

    MattGetWeb Well-Known Member

    Joined:
    Aug 4, 2005
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Forget APF for 5 minutes. How do I go about /keeping/ my manually added (and saved) iptables rules? Every 5 minutes or so, they seem to be flushed out. If I "/etc/init.d/iptables restart", they are back until ~5 minutes passes.. :confused:

    --Matt ;^]
     
  14. MattGetWeb

    MattGetWeb Well-Known Member

    Joined:
    Aug 4, 2005
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Update: I realised it's a cronjob in /etc/crontab that was attempting to stop apf. All is well. :eek:
     
    #14 MattGetWeb, Oct 25, 2005
    Last edited: Oct 25, 2005
  15. allpar

    allpar Active Member

    Joined:
    Sep 16, 2005
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    I used to use a rule such as 192.168.14.0/8 or 192.168.0.0/16 because my IP address does change. In fact I had to have several such "open" rules before the "everyone else closed" rule because my ISP has such a wide range of ports and they change every day. Just a thought for that vast majority of people WITHOUT static IP addresses. ... at least I could restrict hackers to the millions who share my ISP! (And exclude everyone from Russia, China, India, etc...no offense to those who live there but since I don't, there's no legit. SSH traffic coming in!)

    I did that with Webmin - I would install it but I doubt it would play nice with CPanel. It's a shame there's such a HUGE gap in Cpanel there - Webmin has a decent way to deal with iptables, though it could be far better (e.g. building in a GUI for dealing with just the first 3/6/9 digits of the IP.)
     
  16. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    that's because you did not turn off the debug feature in APF.

    Did you even read the config file?

    -----
    # [Dev. Mode]
    # !!! Do not leave set to (1) !!!
    # When set to enabled; 5 minute cronjob is set to flush the firewall; set
    # this mode off (0) when firewall determined to be operating as desired.
    ##

    # Set firewall dev cronjob
    # 1 = enabled / 0 = disabled
    DEVM="1" <----- by default this is ON
    -----

    This is also stated in the readme if I am not mistaken.
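    As an added check for the failure mode described in this post (not APF's own code, and not posted by anyone in the thread), the following POSIX shell script reads the effective DEVM value out of an APF-style conf file and reports whether dev mode is still on. The sample conf it writes is constructed to match the comment block quoted above; the conf path and the option name DEVM are the only things it relies on.

```shell
#!/bin/sh
# apf_devmode_check.sh - report whether an APF conf still has DEVM="1".
# Added example, not APF's own code. Assumes the conf uses lines of the
# form DEVM="1" / DEVM="0" as quoted in the thread.

# Print the effective DEVM value (last uncommented assignment wins, quotes
# stripped). Prints nothing when the option is absent.
apf_devm_value() {
    sed -n 's/^[[:space:]]*DEVM="\{0,1\}\([01]\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# True (exit 0) when dev mode is enabled, i.e. the 5-minute cron job will
# keep flushing the firewall; false (exit 1) otherwise.
apf_devmode_enabled() {
    [ "$(apf_devm_value "$1")" = 1 ]
}

# Constructed sample conf for the demonstration; a real check would point
# at the installed APF conf instead.
SAMPLE_CONF="${TMPDIR:-/tmp}/apf_conf_sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="1"
EOF

if apf_devmode_enabled "$SAMPLE_CONF"; then
    echo "WARNING: DEVM=1 in $SAMPLE_CONF - the firewall will be flushed every 5 minutes"
else
    echo "dev mode is off in $SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"
```

    Pointing `apf_devmode_enabled` at the real conf from a cron job or a monitoring check gives an early warning before rules silently disappear, which is exactly the symptom reported a few posts up.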
     
  17. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    You can add custom rules into APF. Like had been stated before, APF or webmin are all just a frontend for iptables. Those rules can be added easily into APF. Also, if I am correct, cpanel does not support dynamic IPs.
     
  18. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I've seen APF leave that behind in /etc/crontab on numerous occasions in some of the older releases, where it has been quite buggy on occasion. The latest APF release (where that variable you quoted has changed) seems much more stable, thankfully.
     