LinuxQuestions.org

Linux - Security: apf firewall (https://www.linuxquestions.org/questions/linux-security-4/apf-firewall-4175458339/)

marciano 04-16-2013 11:30 AM

apf firewall
 
I have Virtualmin installed on a dedicated server in another country. Operating system: CentOS Linux 5.9, Webmin version 1.620, Virtualmin version 3.99.gpl GPL. I installed the apf-bfd firewall to automatically and manually add unwanted IPs.

Behavior is odd. Domains with external nameservers are accessed from everywhere, but those having local NS cannot be accessed from several IPs I've tested. From my country I was able to navigate one of the almost inaccessible domain websites and SOME of its subdomains.

Some settings:
Code:

BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,10000,20000,30000_32000,465,587,995,10031"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,587,465,995"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53"

I need a clue on what to check/test to get it work. Thank you, M

PS: I did some silly things like adding some IPs to allow.hosts, like 127.0.0.1 and the host and DNS IPs. After that some extra domains were accessible.

Rocketrrt 04-17-2013 11:06 PM

Maybe

Check and make sure the hosts you want to connect to are listed in the hosts file, /etc/hosts.

marciano 04-19-2013 05:48 PM

Hello Rocketrrt,

my /etc/hosts just contains
Code:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 mydomain.com host localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Thanks

unSpawn 04-20-2013 04:12 AM

Web-based management panels should be used by people who already have practical admin-level knowledge of the OS, its inner workings and the services it provides. So my first advice, and this understandably is more generic than you would have hoped for, would be to stop relying on User Interfaces and learn to admin a server "the right way". (And yes, that means reading the documentation and using the command line.)


Quote:

Originally Posted by marciano (Post 4932564)
I need a clue on what to check/test to get it work.

The easiest way to understand and "debug" Netfilter rule sets is to save your firewall rule set ('iptables-save'), review those rules, find the right spot and then add the appropriate "-j LOG" logging rules. If unsure, log in (over SSH but never as root user) and run
Code:

(sudo) iptables-save > /tmp/iptables.txt
and attach the file as plain text.

marciano 04-20-2013 08:49 AM

Hello unSpawn, thanks for your advice.

My iptables-save:
Code:

# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*nat
:PREROUTING ACCEPT [708614:41550173]
:POSTROUTING ACCEPT [1591343:81159062]
:OUTPUT ACCEPT [1591343:81159062]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*mangle
:PREROUTING ACCEPT [29693194:4328132232]
:INPUT ACCEPT [29693194:4328132232]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25642587:18856862712]
:POSTROUTING ACCEPT [25642587:18856862712]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013
# Generated by iptables-save v1.3.5 on Sat Apr 20 10:18:53 2013
*filter
:INPUT ACCEPT [14412:2109643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12628:9019428]
COMMIT
# Completed on Sat Apr 20 10:18:53 2013

Maybe I don't really need to use apf and bfd just to ban ALL those IPs disturbing the server, like 96.47.225.* and 110.89.58.*, and those selected by bfd.

What I performed was
Code:

iptables -A INPUT -s 96.47.225.0/24 -j DROP
iptables -A OUTPUT -d 96.47.225.0/24 -j DROP
service iptables save

but accesses from that range are still logged

Thank you

unSpawn 04-20-2013 05:03 PM

Your machine is currently completely unprotected as your active rule set allows all traffic to pass through.
I don't know what you did but this is not even the stock rule set that comes with CentOS.
Please attach your /etc/sysconfig/iptables rule set as plain text file.

marciano 04-20-2013 07:20 PM

2 Attachment(s)
Last major upgrade was in 2010, new server. CentOS 5 was installed by default on my dedicated server. Then I installed webmin-virtualmin. Developers say that "Linux Firewall" is fairly enough.
As you could see my network knowledge is poor. I don't understand Webmin firewall menu-rules, this is not my speciality, I had to enter in dedicated servers by necessity and my budget is very small to hire someone.

I've installed apf-bfd and I see bfd adding unwanted 'visitors' to deny.hosts but disabling debug mode I came into problems I described before.
Thank you

unSpawn 04-21-2013 05:38 AM

Quote:

Originally Posted by marciano (Post 4935544)
Last major upgrade was in 2010, new server. Centos 5 was intalled by default in my dedicated server.

0. If with "was installed by default" you mean you have not invested time properly hardening the machine then that should be the first issue to address.
1. For future reference this is what a stock CentOS 5 rule set looks like: http://www.linuxquestions.org/questi...5/#post4869324. Note it does allow inbound SSH (so you can access your machine as an unprivileged non-root user) and HTTP requests, but you will not want to load it without knowing what other services you need to provide. If you attach the output of these commands we should be able to craft you a reasonably simple firewall rule set:
Code:

( /sbin/ip link show|awk '/eth[0-9]/{print $2}'; /sbin/runlevel; /sbin/chkconfig --list; /bin/netstat -antulpe; /bin/ps axf -eo pid,ppid,uid,gid,nice,pri,pcpu,args --sort=pid; /usr/bin/last -wai30 ) > /tmp/output
*Do obfuscate the IP address of your server (replace with say "n.n.n.n") and the machine you're connecting from (replace with say "x.x.x.x") before attaching. Example:
Code:

sed -i "s|1.2.3.4|n.n.n.n|g" /tmp/output

Quote:

Originally Posted by marciano (Post 4935544)
Developers say that "Linux Firewall" is fairly enough.

That it is.


Quote:

Originally Posted by marciano (Post 4935544)
I've installed apf-bfd and I see bfd adding unwanted 'visitors' to deny.hosts but disabling debug mode I came into problems I described before.

/etc/hosts.{allow,deny} (aka tcp_wrappers, see 'man 5 hosts_access') is an application layer mechanism. Most of the time you'll want to start with network layer mechanisms instead. See Denyhosts vs Fail2ban aka tcp_wrappers vs iptables.


Quote:

Originally Posted by marciano (Post 4935544)
As you could see my network knowledge is poor. I don't understand Webmin firewall menu-rules, this is not my speciality, I had to enter in dedicated servers by necessity and my budget is very small to hire someone.

While this isn't a Linux Security topic I've entered in that particular discussion often enough, so let me see if I can convince you of the right mindset.
- First of all, with all due respect, it is not a valid excuse. Especially if you're looking to make money off of it. Making money means having customers. For customers to part with their money (apart from offering enticing goods or services) they have to be able to depend on and trust your business. As you well know trust is difficult to gain and easy to lose. Flaky services or worse, a compromised server, ain't exactly good for the image of your business.
- Secondly there is the "problem" with GNU/Linux itself as a business offering. The choice for running GNU/Linux should be based on strengths: practical knowledge and an understanding of what the platform offers (in terms of performance, protection of assets and how it provides services in a continuous, stable and secure way) and not, like many unfortunately choose, the weakest argument: just because it was the cheapest alternative available. Linux may be free to use but using it is not free of responsibilities.
- This ties in with the third point: you are a netizen. This means you are responsible for keeping your machine(s) and services from (doing) harm. Not only for your own benefit but for the whole community.

I'm hesitant to say "reap what you sow" because that could be explained both in a bad or a good way ;-p It's probably easier to say that you know you have to invest before you can reap any rewards. In short: if you won't buy admin services then you will have to gain the required knowledge yourself. I hope you understand that what I wrote above is not optional. Do know I well realize the implications of what I wrote above and I wish you good luck with it.


*BTW to, among other reasons, address your original question of blocking IP addresses conveniently I just wrote Blocking lists of IP addresses using the iptables recent module or ipset and make fail2ban use it.
HTH

marciano 04-21-2013 10:33 AM

1 Attachment(s)
Hello unSpawn,

0) This is what Webmin-Virtualmin primarily does, say the developers.

1) When I create a new user I have the option to disallow ssh access (/bin/false) I always pay attention on it.

I agree with all you say. I have trusted Webmin-Virtualmin since 2005 in the understanding that I was able to get some kind of control and protection on issues where I am a neophyte.

Here's the file you requested. I changed first part of server and client IPs and usernames. If I have forgotten something sensitive to be hidden please let me know to change the attachment (if I am able to do this)

Thank you very much again for your help and advice.

unSpawn 04-21-2013 03:56 PM

Quote:

Originally Posted by marciano (Post 4935839)
0) This is what Webmin-Virtualmin primarily does, say the developers.

No, that's not what the developers say:
- Webmin is a web-based admin-level tool, a system control panel,
- Usermin provides access to user-level tasks and
- Virtualmin is a web hosting control panel.
Securing, hardening, auditing start right at installing the OS and are continuous processes.


Quote:

Originally Posted by marciano (Post 4935839)
1) When I create a new user I have the option to disallow ssh access (/bin/false) I always pay attention on it.

OK, yet you yourself apparently have no qualms logging in as root directly:
Code:

5097    1    0    0  0  24  0.0 /usr/sbin/sshd
17384  5097    0    0  0  24  0.0  \_ sshd: root@pts/0
17421 17384    0    0  0  21  0.0      \_ -bash
17493 17421    0    0  0  24  0.0          \_ -bash
17499 17493    0    0  0  22  0.0              \_ /bin/ps axf -eo pid,ppid,uid,gid,nice,pri,pcpu,args --sort=pid

That's not a security best practice.


Quote:

Originally Posted by marciano (Post 4935839)
I trusted Webmin-Virtualmin since 2005 in the understanding I was able to get some kind of control and protection (..)

That's OK if you know (and know how to check) how things work.


That said, here's an example rule set according to the info you provided. The thread I linked to before should provide a good read containing explanation and resources:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
# Limit NS, MTA and SSH requests:
# -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22,25,53 -m limit --limit 1/s -j ACCEPT
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
# -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443,953,993,995 -m limit --limit 30/m -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s y.134.0.0/16 -j ACCEPT
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
# Limit NS requests:
# -A INPUT -p udp -m state --state NEW -m tcp --dport 53 -m limit --limit 30/s -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 20,21,53 -j ACCEPT
#
# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s y.134.0.0/16 -j ACCEPT
#
# ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
#
# Log and REJECT the rest:
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
#
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
# -A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -m limit --limit 1/s -j ACCEPT
COMMIT

*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.
**Do ensure you can gain access if something goes awry when testing this rule set. Probably the easiest way is to save the above rule set as say "/tmp/iptables.txt", set both IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config, ensure the at service is running and then add a one-off before testing things:
Code:

vi /etc/sysconfig/iptables-config
/sbin/service atd start
echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
/sbin/iptables-restore < /tmp/iptables.txt


HTH

marciano 04-22-2013 02:37 PM

Hello unSpawn,

Before changing my iptables I am reading your other post and wiki.centos.com/HowTos/Network/IPTables
I need some extra explanation please. What for is this?
Quote:

# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 123 -s y.134.0.0/16 -j ACCEPT
*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.
Would you please explain "you log in"?
I log in via ssh, ftp, https (Webmin, Usermin). Other users also log in to those services from ranges that could change.
What if I log in from another country (IP)? Would I be able to add the new IP, for example from https to accept that IP for ssh?
Thanks a lot

unSpawn 04-22-2013 05:04 PM

Quote:

Originally Posted by marciano (Post 4936710)
I need some extra explanation please. What for is this?

This would be a better example:
Code:

# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s x.52.0.0/16 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -s y.134.0.0/16 -j ACCEPT
#*Note the -s x.52.0.0/16 and -s y.134.0.0/16 represent the IPv4 ranges you log in from and should be changed to actual ranges.

It means that these services are only accessible from specific networks (white listing). The reason for that is that some services shouldn't be exposed to the 'net unnecessarily. For example MySQL by default uses a UNIX socket so it can't be accessed through the 'net anyway. Webmin and Usermin are admin(-ish) tools no ordinary user should have access to (and if exposed they should use SSL anyway). If you don't want to use white listing just add the ports to the "-m tcp -m multiport --dports" rule and comment out these "-s x.52.0.0/16" and "-s y.134.0.0/16" rules.


Quote:

Originally Posted by marciano (Post 4936710)
Would you please explain "you log in"?
I login from ssh, ftp, https (Webmin, Usermin).

It's not about the service you use but the network you connect from. Depending on the type of service (xDSL, cable, etc, etc) you may have a static IP address or a dynamic one. In the latter case you'd use a /24 or /16 range. That isn't much protection (you should SSL'ize services as well) but it's better than exposing for example Webmin to the world unprotected IMHO.


Quote:

Originally Posted by marciano (Post 4936710)
Other users also log in those services from ranges that could change.

It's not about other common users but about you in your role as server admin.


Quote:

Originally Posted by marciano (Post 4936710)
What if I log in from another country (IP)? Would I be able to add the new IP, for example from https to accept that IP for ssh?

It would require a service that doesn't use white listing. (For services like SSH you could use what they call port knocking but that's too much for now.)

marciano 04-22-2013 06:01 PM

1 Attachment(s)
unSpawn: I got an error executing
/sbin/iptables-restore < /tmp/iptablesNEW.txt
iptables-restore: line 56 failed
This is the last line "COMMIT"
The attached file is iptablesNEW.txt
I changed IP. x and y are not the same in all lines.
Thank you

unSpawn 04-22-2013 06:28 PM

Try this:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 20,21,53 -j ACCEPT
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
# Restricted access: UDP NTP
-A INPUT -p udp -m state --state NEW -m tcp --dport 123 -J RESTRICT
#
# Chain holding allowed IP ranges
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.0.0/8 -j ACCEPT
-A RESTRICT -s x.y.0.0/8 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.224.0/24 -j ACCEPT
-A RESTRICT -s x.y.0.0/16 -j ACCEPT
-A RESTRICT -s x.y.10.124 -j ACCEPT
#
# ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
#
# Log and REJECT the rest:
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
#
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
-A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -m limit --limit 1/s -j REJECT
#
COMMIT


marciano 04-22-2013 06:47 PM

1 Attachment(s)
unSpawn, same problem at last line COMMIT (after changing -J to -j at line 19).
Thanks

PS: just to clarify.
I already had IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" in /etc/sysconfig/iptables-config
From command line
# /sbin/service atd start
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore < /tmp/iptablesNEW.txt

I edited iptablesNEW.txt in gedit plain text and then uploaded to server (and chmod 600)
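Editor's note, with an added example that is not part of the thread and not unSpawn's code: both rule sets posted above pair `-p udp` with `-m tcp` (and the second one also has `-J RESTRICT`). The tcp match is only valid for protocol 6, so the kernel rejects those rules, and iptables-restore 1.3.5 reports such a rejection at the table's COMMIT line ("line 56 failed" / "line 41 failed"), not at the offending rule, which is exactly the symptom marciano hit. The script below lints a rule file for those two defects before it is fed to iptables-restore, and writes out the second rule set with the UDP rules corrected. It also removes `-m limit` from the outbound REJECT: a rate limit on a REJECT rule lets every packet above the rate fall through to the OUTPUT ACCEPT policy, the opposite of the intent. The admin range 192.0.2.0/24 and the file names are placeholders; the at-job rollback from the earlier post still applies when loading the result with iptables-restore.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight lint for an
# iptables-restore file, plus the corrected rule set. 192.0.2.0/24 stands in
# for the admin's real source range (placeholder).
#
# Why: on CentOS 5 (iptables 1.3.5) a rule the kernel refuses is reported as
# "line N failed" with N = the COMMIT line of that table. The tcp match is
# registered for protocol 6 only, so "-p udp ... -m tcp" fails with EINVAL.

# lint_ruleset FILE
# Prints "LINE: reason" for every defective -A rule; exit 1 if any, else 0.
lint_ruleset() {
    awk '
        /^-A/ && /-p udp/ && /-m tcp/ { print NR ": -p udp combined with -m tcp (use -m udp)"; bad++ }
        /^-A/ && / -J /               { print NR ": -J is not an option, the jump flag is -j"; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# count_defects FILE: number of findings, for use in scripts.
count_defects() {
    lint_ruleset "$1" | wc -l | tr -d ' '
}

# write_fixed_ruleset FILE
# The second posted rule set with: -m udp on UDP rules, -j instead of -J,
# and no -m limit on the outbound REJECT (a limited REJECT lets traffic
# above the rate through to the ACCEPT policy).
write_fixed_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Unrestricted TCP: FTP, SSH, SMTP, DNS, HTTP, HTTPS, rndc, IMAPS, POP3S
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
# Unrestricted UDP: FTP(?), DNS
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 20,21,53 -j ACCEPT
# Restricted: NTP, MySQL, 3312, Webmin, Usermin -> RESTRICT chain
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j RESTRICT
# Admin source ranges (placeholder; one -A RESTRICT line per range)
-A RESTRICT -s 192.0.2.0/24 -j ACCEPT
# ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Log and reject the rest
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# Reject outbound telnet, IRC and proxy ports outright
-A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -j REJECT
COMMIT
EOF
}

# demo: lint the corrected set, then lint the two UDP lines as posted.
demo() {
    f=$(mktemp) || exit 1
    write_fixed_ruleset "$f"
    if lint_ruleset "$f"; then
        echo "$f: no defects, safe to try: iptables-restore < $f"
    fi
    printf '%s\n' \
        '-A INPUT -p udp -m state --state NEW -m tcp -m multiport --dports 20,21,53 -j ACCEPT' \
        '-A INPUT -p udp -m state --state NEW -m tcp --dport 123 -J RESTRICT' > "$f"
    lint_ruleset "$f" || echo "posted UDP rules: $(count_defects "$f") defects"
    rm -f "$f"
}

demo
```

Run the lint against the file you are about to load; only when it reports nothing does it make sense to schedule the `at` rollback job and call `iptables-restore`. The check is deliberately narrow (it only knows the two defects seen in this thread), so a clean result means "not these mistakes", not "the rule set is correct".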

