Warnings after upgrading CSF to 7.52

magicalwonders

I have the following two warnings appearing at the end of a report, following CSF upgrade 7.52.

*WARNING* The option "WHM > Security Center > SMTP Tweak" is incompatible with this firewall. The option must be disabled in WHM and the SMTP_BLOCK alternative in csf used instead

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

SMTP Tweak doesn't seem to exist in WHM, so I'm not sure if I need to take any further action on that one?

On the second warning, concerning RESTRICT_SYSLOG being disabled: I've had a look at csf.conf, and if I understand the issue correctly, I just need to edit the line RESTRICT_SYSLOG = "0" and change it to RESTRICT_SYSLOG = "3"?

I'm running CENTOS 6.5 x86_64 virtuozzo – WHM 11.44.1 (build 18)

I hope someone can advise?
 

triantech

Hey,

SMTP tweak is now known as the option 'Restrict outgoing SMTP to root, exim, and mailman', which can be found under

Home » Server Configuration » Tweak Settings, in the Mail section; the same option is found under Security Center.

This is what WHM reports:

//

Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) [?]
Enabling this feature will redirect outgoing SMTP connections to the local mail server. root, exim, and mailman are still allowed to make direct connections.

//

Also note, for this to work you would need the kernel module 'ipt_owner' enabled for your server.
 

magicalwonders

> Hey,
>
> SMTP tweak is now known as the option 'Restrict outgoing SMTP to root, exim, and mailman', which can be found under
>
> Home » Server Configuration » Tweak Settings, in the Mail section; the same option is found under Security Center.
>
> This is what WHM reports:
>
> //
>
> Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) [?]
> Enabling this feature will redirect outgoing SMTP connections to the local mail server. root, exim, and mailman are still allowed to make direct connections.
>
> //
>
> Also note, for this to work you would need the kernel module 'ipt_owner' enabled for your server.

OK thanks. So I need to find out if the kernel module 'ipt_owner' is enabled before doing anything.

Is it really important to restrict outgoing SMTP? Presumably my current mail will still work if I do? Or am I setting myself up for a load more problems, errors, and warning of impending doom! :)
 

cPanelMichael

Administrator
Staff member
> Is it really important to restrict outgoing SMTP? Presumably my current mail will still work if I do? Or am I setting myself up for a load more problems, errors, and warning of impending doom! :)

Per its description:

This feature prevents users from bypassing the mail server to send mail, a common practice used by spammers. It will allow only the MTA, mailman, and root to connect to remote SMTP servers.

You should not experience any load issues after enabling this option. To note, you can also enable/disable this option via:

"WHM Home » Security Center » SMTP Restrictions"

Thank you.
 

magicalwonders

> Per its description:
>
> This feature prevents users from bypassing the mail server to send mail, a common practice used by spammers. It will allow only the MTA, mailman, and root to connect to remote SMTP servers.
>
> You should not experience any load issues after enabling this option. To note, you can also enable/disable this option via:
>
> "WHM Home » Security Center » SMTP Restrictions"
>
> Thank you.

OK thanks, I've disabled the SMTP restriction in WHM and edited CSF.conf to show SMTP_BLOCK="1".

What about the other warning? Should I just go ahead and edit CSF.conf to show RESTRICT_SYSLOG="3" ?
Do I need to do anything else?
 

cPanelMichael

Administrator
Staff member
> What about the other warning? Should I just go ahead and edit CSF.conf to show RESTRICT_SYSLOG="3" ? Do I need to do anything else?

Please keep in mind that CSF is a third-party application, so you may want to post directly to their forums for this type of advice. If you open the /etc/csf/csf.conf file, you will see a full entry that explains how the RESTRICT_SYSLOG option works.

Thank you.
 

dalem

0 = Allow those options listed above to be used and configured
1 = Disable all the options listed above and prevent them from being used
2 = Disable only alerts about this feature and do nothing else
3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP

You will want to leave it alone, or use option 2 or 3.
 

magicalwonders

> Please keep in mind that CSF is a third-party application, so you may want to post directly to their forums for this type of advice. If you open the /etc/csf/csf.conf file, you will see a full entry that explains how the RESTRICT_SYSLOG option works.
>
> Thank you.

Yes, I had read that already, and although it recommends setting 3, that course of action throws up even more questions!

> You will want to leave it alone, or use option 2 or 3.

The csf.conf says the following in regard to option 3:

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s).

I'm not sure what I'm looking for in /etc/ to make sure "the group" doesn't exist? And I'm not sure what "so set the option to a unique name for the server" means???

When I look at /etc/csf/csf.syslogusers, it states - "Add any accounts that log through syslog that are not listed that you need". It then goes on to list a bunch of entries -

# OS application users:
daemon
dbus
haldaemon
messagebus
mysql
named
nfsnobody
ntp
polkitd
root
rpc
rpcuser
smmsp
statd

# cPanel application users:
cpanel
cpses
dovecot
dovenull
mailman
mailnull

# DirectAdmin application users:
dovecot
mail

# Other users:

How do I find out which accounts log through syslog that are not listed?
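
Added example, not part of the thread and not CSF's own code: a shell pre-flight check for two points raised about option 3, namely whether the name set in RESTRICT_SYSLOG_GROUP is already taken in /etc/group, and which csf.syslogusers entries exist as accounts. The group name `examplesyslog` and the sample files are constructed; on a server the arguments would be /etc/csf/csf.conf, /etc/group, /etc/csf/csf.syslogusers and /etc/passwd.

```shell
#!/bin/sh
# Added example: pre-flight check before setting RESTRICT_SYSLOG="3".
# File paths are arguments, so the checks can run against copies.

# Print the quoted value of KEY from a csf.conf-style file (KEY = "value").
conf_value() {  # conf_value KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Succeed if NAME is the first field of a line in a passwd/group-format file.
name_in() {  # name_in NAME FILE
    awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }' "$2"
}

# Report whether the configured group name is still unused. Once the option
# is already 3, csf.conf says lfd creates the group, so it is expected then.
preflight() {  # preflight CONF GROUPFILE
    mode=$(conf_value RESTRICT_SYSLOG "$1")
    grp=$(conf_value RESTRICT_SYSLOG_GROUP "$1")
    [ -n "$grp" ] || { echo "unset mode=$mode"; return 2; }
    if name_in "$grp" "$2" && [ "$mode" != 3 ]; then
        echo "conflict mode=$mode group=$grp"; return 1
    fi
    echo "ok mode=$mode group=$grp"
}

# List each csf.syslogusers entry once, marked present/missing in PASSWD.
syslog_users_status() {  # syslog_users_status USERSFILE PASSWD
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u |
    while read -r u; do
        if name_in "$u" "$2"; then echo "present $u"; else echo "missing $u"; fi
    done
}

# Constructed sample data (not from a real server).
d=$(mktemp -d)
printf 'RESTRICT_SYSLOG = "0"\nRESTRICT_SYSLOG_GROUP = "examplesyslog"\n' > "$d/csf.conf"
printf 'root:x:0:\nmail:x:12:\n' > "$d/group"
printf 'root:x:0:0::/root:/bin/sh\nmysql:x:27:27::/var/lib/mysql:/bin/false\n' > "$d/passwd"
printf '# OS application users:\nroot\nmysql\n\n# cPanel application users:\ndovecot\ndovecot\n' > "$d/users"
preflight "$d/csf.conf" "$d/group"
syslog_users_status "$d/users" "$d/passwd"
```

A "conflict" result means the chosen name is already a group on the system, which is the situation the csf.conf comment says to avoid by picking a unique name.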