apf firewall
I have Virtualmin installed on a dedicated server in another country.

Operating system: CentOS Linux 5.9
Webmin version: 1.620
Virtualmin version: 3.99.gpl GPL

I installed the apf-bfd firewall to automatically and manually add unwanted IPs. The behaviour is odd. Domains with external nameservers are accessible from everywhere, but those with local NS cannot be accessed from several IPs I've tested. From my country I was able to navigate one of the almost inaccessible domain websites and SOME of its subdomains.

Some settings:
Code:
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587,995,10031"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,587,465,995"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53"
I need a clue on what to check/test to get it to work. Thank you, M

PS: I did some silly things like adding some IPs to allow.hosts, such as 127.0.0.1 and the host and DNS IPs. After that some extra domains were accessible. |
Maybe:
Check and make sure the hosts you want to connect to are listed in the hosts file, /etc/hosts.
|
Hello Rocketrrt,
my /etc/hosts just contains:
Code:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 mydomain.com host localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
Thanks |
Web-based management panels should be used by people who already have practical admin-level knowledge of the OS, its inner workings and the services it provides. So my first advice, and this understandably is more generic than you would have hoped for, would be to stop relying on user interfaces and learn to admin a server "the right way". (And yes, that means reading the documentation and using the command line.)
Code:
(sudo) iptables-save > /tmp/iptables.txt |
Hello unSpawn, thanks for your advice.
My iptables-save:
Code:
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*nat
:PREROUTING ACCEPT [708614:41550173]
:POSTROUTING ACCEPT [1591343:81159062]
:OUTPUT ACCEPT [1591343:81159062]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*mangle
:PREROUTING ACCEPT [29693194:4328132232]
:INPUT ACCEPT [29693194:4328132232]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25642587:18856862712]
:POSTROUTING ACCEPT [25642587:18856862712]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*filter
:INPUT ACCEPT [14412:2109643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12628:9019428]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
Maybe I don't really need to use apf and bfd just to ban ALL those IPs disturbing the server, like 96.47.225.* and 110.89.58.*, and those selected by bfd. What I performed was:
Code:
iptables -A INPUT -s 96.47.225.0/24 -j DROP
iptables -A OUTPUT -d 96.47.225.0/24 -j DROP
service iptables save
but accesses from that range are still logged. Thank you |
Your machine is currently completely unprotected as your active rule set allows all traffic to pass through.
I don't know what you did but this is not even the stock rule set that comes with CentOS. Please attach your /etc/sysconfig/iptables rule set as plain text file. |
2 Attachment(s)
The last major upgrade was in 2010, a new server. CentOS 5 was installed by default on my dedicated server. Then I installed Webmin/Virtualmin. The developers say that "Linux Firewall" is enough.
As you can see, my network knowledge is poor. I don't understand the Webmin firewall menu and rules; this is not my speciality. I had to get into dedicated servers by necessity and my budget is very small to hire someone. I've installed apf-bfd and I see bfd adding unwanted 'visitors' to deny.hosts, but after disabling debug mode I ran into the problems I described before. Thank you |
1. For future reference, this is how a stock CentOS 5 rule set looks: http://www.linuxquestions.org/questi...5/#post4869324. Note it does allow inbound SSH (so you can access your machine as an unprivileged non-root user) and HTTP requests, but you will not want to load it without knowing what other services you need to provide. If you attach the output of these commands we should be able to craft you a reasonably simple firewall rule set:
Code:
( /sbin/ip link show|awk '/eth[0-9]/{print $2}'; /sbin/runlevel; /sbin/chkconfig --list; /bin/netstat -antulpe; /bin/ps axf -eo pid,ppid,uid,gid,nice,pri,pcpu,args --sort=pid; /usr/bin/last -wai30 ) > /tmp/output
Code:
sed -i "s|1.2.3.4|n.n.n.n|g" /tmp/output
- First of all, with all due respect, it is not a valid excuse. Especially if you're looking to make money off of it. Making money means having customers. For customers to part with their money (apart from offering enticing goods or services) they have to be able to depend on and trust your business. As you well know, trust is difficult to gain and easy to lose. Flaky services or, worse, a compromised server ain't exactly good for the image of your business.
- Secondly there is the "problem" with GNU/Linux itself as a business offering. The choice for running GNU/Linux should be based on strengths: practical knowledge and an understanding of what the platform offers (in terms of performance, protection of assets and how it provides services in a continuous, stable and secure way) and not, like many unfortunately choose, the weakest argument: just because it was the cheapest alternative available. Linux may be free to use but using it is not free of responsibilities.
- This ties in with the third point: you are a netizen. This means you are responsible for keeping your machine(s) and services from (doing) harm. Not only for your own benefit but for the whole community. I'm hesitant to say "reap what you sow" because that could be explained both in a bad or a good way ;-p It's probably easier to say that you know you have to invest before you can reap any rewards. In short: if you won't buy admin services then you will have to gain the required knowledge yourself. I hope you understand that what I wrote above is not optional. Do know I well realize the implications of what I wrote above and I wish you good luck with it.

*BTW, to, among other reasons, address your original question of blocking IP addresses conveniently, I just wrote Blocking lists of IP addresses using the iptables recent module or ipset and make fail2ban use it. HTH |
1 Attachment(s)
Hello unSpawn,
0) This is what Webmin-Virtualmin primarily does, say the developers.
1) When I create a new user I have the option to disallow ssh access (/bin/false). I always pay attention to it.
I agree with all you say. I have trusted Webmin-Virtualmin since 2005 in the understanding that I would get some kind of control and protection on issues where I am a neophyte. Here's the file you requested. I changed the first part of the server and client IPs and the usernames. If I have forgotten something sensitive that should be hidden, please let me know so I can change the attachment (if I am able to do this). Thank you very much again for your help and advice. |
- Webmin is a web-based admin-level tool, a system control panel,
- Usermin provides access to user-level tasks and
- Virtualmin is a web hosting control panel.
Securing, hardening, auditing start right at installing the OS and are continuous processes.
Code:
5097 1 0 0 0 24 0.0 /usr/sbin/sshd
That said, here's an example rule set according to the info you provided. The thread I linked to before should provide a good read containing explanation and resources:
Code:
*filter
**Do ensure you can gain access if something goes awry when testing this rule set. Probably the easiest way is to save the above rule set as, say, "/tmp/iptables.txt", set both IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config, ensure the at service is running and then add a one-off before testing things:
Code:
vi /etc/sysconfig/iptables-config
HTH |
Hello unSpawn,
Before changing my iptables I am reading your other post and wiki.centos.com/HowTos/Network/IPTables. I need some extra explanation, please. What is this for?
Quote:
I log in via ssh, ftp and https (Webmin, Usermin). Other users also log in to those services from ranges that could change. What if I log in from another country (IP)? Would I be able to add the new IP, for example from https, so that ssh accepts that IP? Thanks a lot |
Code:
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
|
1 Attachment(s)
unSpawn: I got an error executing:
Code:
/sbin/iptables-restore < /tmp/iptablesNEW.txt
iptables-restore: line 56 failed
This is the last line, "COMMIT". The attached file is iptablesNEW.txt. I changed the IP; x and y are not the same in all lines. Thank you |
Try this:
Code:
*filter |
1 Attachment(s)
unSpawn, same problem at the last line, COMMIT (after changing -J to -j at line 19).
Thanks

PS: just to clarify, I already had IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config. From the command line:
Code:
# /sbin/service atd start
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore < /tmp/iptablesNEW.txt
I edited iptablesNEW.txt in gedit as plain text and then uploaded it to the server (and chmod 600). |
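An error reported on the COMMIT line is usually not about COMMIT itself: iptables-restore hands the whole table to the kernel at that point, and when the kernel rejects it the message names the COMMIT line rather than the rule that caused it. A jump to a chain that is never declared with a ":NAME - [0:0]" line is the common cause; a mis-cased option such as -J is rejected when the rule is parsed. The following is an added example, not code from this thread or from unSpawn's rule set: a POSIX shell/awk lint that checks an iptables-restore file offline and reports the offending rule by its own line number, covering the two posts above (the COMMIT failure) and the earlier post about dropping the 96.47.225.0/24 and 110.89.58.0/24 ranges. The two embedded rule sets are constructed for the example; the admin range 198.51.100.0/24, the port list and the RESTRICTED chain are placeholders (assumptions), and the accepted-target list is the common subset and needs extending for other target extensions.

```shell
#!/bin/sh
# Added example (not from the thread): offline lint for an iptables-restore
# file so that a bad rule is reported by its own line number instead of the
# "line N failed" on COMMIT that iptables-restore gives when the kernel
# rejects the whole table at commit time.

# Constructed sample rule set. The two dropped ranges are the ones named
# earlier in the thread; 198.51.100.0/24 (admin range), the ports and the
# RESTRICTED chain are placeholders (assumptions), not the OP's real values.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 96.47.225.0/24 -j DROP
-A INPUT -s 110.89.58.0/24 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,10000,20000 -j RESTRICTED
-A RESTRICTED -s 198.51.100.0/24 -j ACCEPT
-A RESTRICTED -j DROP
COMMIT'

# Constructed broken set: a mis-cased option (-J) on line 6 and, on line 7,
# a jump to a chain that is never declared. The lint names both lines.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 96.47.225.0/24 -J DROP
-A INPUT -p tcp --dport 10000 -j WEBMIN
COMMIT'

# lint_rules FILE... (or stdin): print one "line N: problem" per finding and
# exit 1 if anything was found. Accepted targets are the common subset only.
lint_rules() {
    awk '
    BEGIN {
        n = split("ACCEPT DROP REJECT RETURN LOG QUEUE MASQUERADE SNAT DNAT REDIRECT", t, " ")
        for (i = 1; i <= n; i++) target[t[i]] = 1
        n = split("ACCEPT DROP QUEUE RETURN", p, " ")
        for (i = 1; i <= n; i++) policy[p[i]] = 1
        errors = 0; table = ""
    }
    function err(msg) { printf("line %d: %s\n", NR, msg); errors++ }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {                                  # *filter, *nat, ...
        if (table != "") err("table " table " not closed with COMMIT")
        table = substr($0, 2); split("", chain)
        next
    }
    /^:/ {                                   # :NAME POLICY [pkts:bytes]
        if (table == "") err("chain declared outside a table")
        name = substr($1, 2); chain[name] = 1
        if ($2 != "-" && !($2 in policy)) err("chain " name " has invalid policy " $2)
        next
    }
    /^COMMIT$/ { if (table == "") err("COMMIT without a table"); table = ""; next }
    /^-/ {                                   # a rule line
        if (table == "") err("rule outside a table")
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^-[A-Z]$/ && $i !~ /^-[ACDIRLFZNXPE]$/)
                err("unknown option " $i " (options are case-sensitive; " tolower($i) "?)")
            if (($i == "-A" || $i == "-I" || $i == "-D") && !($(i+1) in chain))
                err("rule targets undeclared chain " $(i+1))
            if ($i == "-j" && !($(i+1) in chain) && !($(i+1) in target))
                err("jump to undeclared chain or unknown target " $(i+1))
        }
        next
    }
    { err("unrecognised line: " $0) }
    END { if (table != "") err("table " table " missing COMMIT"); exit (errors > 0) }
    ' "$@"
}

# Helpers for a rule set held in a shell variable.
lint_string() { printf '%s\n' "$1" | lint_rules; }
count_errors() { printf '%s\n' "$1" | lint_rules | wc -l | tr -d ' '; }

# Stand-alone run: what you would see before touching the live firewall.
for name in GOOD_RULES BAD_RULES; do
    eval "rules=\$$name"
    echo "== $name"
    lint_string "$rules" && echo "ok: no problems found"
done
```

Run it against the file you intend to load (lint_rules /tmp/iptablesNEW.txt) before iptables-restore, and still load it under the at-job safety net described above so a typo the lint does not know about cannot lock you out. Newer iptables releases also offer iptables-restore --test, which asks the kernel to check the file without applying it; the 1.3.5 in CentOS 5 does not have it.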