If I buy a web server (Linux), Do I need to use iptables and create some security rules?
What types of rules?
Is it suggest use modsecurity for Apache?
If I host 2 sites (2 wordpress blog), what are better rules?
One of my low knowledge area's is Iptables Rule's I just normally use APF/CSF.
However on a VPS Host node, I basically want to block all access to a certain port let's say 1234 apart from a certain IP address.
However I don't want to block this port on any of the VPS's on the Node, so what Iptable Rule(s) would I need to put into a bash script on startup.
I had csf firewall installed, and due to my own stupidity, attempted to login with the wrong password one too many times, which added my IP to iptables, locking me out. I had to SSH into a linux box at school, and then ssh into my server to stop the iptables service so I could get into my server.
I removed every trace of my IP that I could find in csf, but sometime in the middle of the night, iptables reloads some rules from somewhere that blocks me again. I also tried doing iptables -F to clear all rules, but again, sometime in the middle of the night, rules are reloaded and I get blocked. I even uninstalled csf to no avail. I just want to remove my IP once and for all.
my server have problem with login to ftp
i ask of cpanel,cpanel answer :
Howdy,
Are you using any kind of external firewalling? I have enabled the passive
ports in pure-ftpd and attempted to connect in passive mode, but it still
fails.
and
Howdy,
You should allow connections on 30000 through 50000 for passive ftp
---
this is vps
how may i solved it?
i use of csf
I use APF and APF is working with iptables , when I define a large number of IPs in deny_hosts.rules or allow_hosts.rules and restart the APF , iptables begins to display errors after applying some number of rules , I have set SET_TRIM="0" in APF , so the number of APF rules is unlimited and the error is from iptables.
Is there any setting in iptables config files for maximum number of rules?
Is it unlimited and depends only on system available memory? O/S , ...?
I have a VPS (Virtuozzo) with cPanel installed. I notice that iptables running in the VPS had many DROP rules when I listed using iptables -nL command. So I flushed iptabled using "iptables -F" command and also "> /etc/sysconfig/iptables" command and restarted iptabled. When I try to list the rules it would show empty. However when I try to list after a few minutes it is showing the same old rules with many DROP rules yet again! Is there anyway to remove the rules completely?
View 2 Replies View RelatedOne of these rules is causing name server lookups to fail, but I can't seem to figure out which one, can anyone spot the problem?
Code:
[root@example ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10023
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:953
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10023
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9999
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:113
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:953
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain INVDROP (18 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all -- 0.0.0.0/0 0.0.0.0/0
i have server windows 2003.
ISS 6.
PHP 5.x
MySQL 5.0
how to create rules with ip/5hit/s is black list and auto ban ip with IPSec.
when test attack file .php
info test :
using code attack files.
attack file test.php ( code files : <?php echo "we are test" ; ?> )
Ex : attack files test.php ( http://mydomain.php/test.php )
attack 200hit/s ( all files .php is not run ) php application is hang.
also wherewith code attack. i tested asp, html. it isn't problem. ( 1879hit/s ) ( good working)
how to create rules ban ip with 5hit/s?
I really want to know some importent mod_security rules that can come in handy to avoide hackers
I am using apache1
any good rules will do just fine
Anyone can give me good rules for apache 2.2.6 / Cpanel , i'm new with this, i've use Apache 1.3.x before.
View 0 Replies View RelatedI see that mod security is an option in whm > apache compile. Is this a good (and improved way) of install modsecurity over the old cpanel add-on from back in the 10x versions?
Also, can someone point me to really tight, yet reasonable mod security rules for these server settings?
#1
centos
cpanel with phpsuexec
apache 2.2
php 5
mysql 5
a few shared domains (main business box)
#2
centos
same as above, but apache 1 / php 4 / mysql 4
(shared / reseller hosting server)
I have a problem with a hacker from China. He keeps uploading 4 files to my server:
mail.php
mysql.info.php
footer.txt
header.txt
He did this with 4 different accounts so far.
I have mod security installed with the ruleset from gotroot.com but it doesn't help. Now my questions:
1. Where can I download the mod security core ruleset (is it helpful anyway ?) I already found this page [url] but I do not see a "download here" link anywhere... I found the link that points to [url] but then I do not see the mod sec ruleset anywhere...
2. The rules on gotroot.com have not been updated for a long time. Are they still useful ? What do you think ?
3. Any other sources for good mod sec rules that may resolve my issues with PHP exploits.
i have installed a new mail server i.e. SmarterMail, and from past few days i have devoted much time to find "How to create Out Bound rules in Smarter Mail?" but unfortunately i ended up with no solution, hence here i am seeking help from all the member of WHT for my two questions:
1) Can we create an out bound rule in smartermail?
2)if yes, then what is the process for same?
I execute the following commands, in the following order:
iptables --flush
iptables --zero
iptables -A INPUT -s 218.65.12.161 -j DROP
will that last command successfully ban that IP until reboot?
If not, what needs to be done? I can't access my site if I don't flush + zero iptables first but I need to be able to ban with iptables.
Customer has requested the following:
"Create a zend id for your machine." This is apparently for them to create a product key for their software and have to bind to it?!
I have never heard of this and have been unable to locate any information on it.
This is a Centos box with php 5.2.5 installed:
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.0, Copyright (c) 1998-2007, by Zend Technologies
how to go about this or even what this is?
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
I signed up with Lunarpages a while back for a dedicated server for my business. Good price, managed hosting rocks, decent disk space... little problem once with a huge power outage, but **** happens, cool.
All is well until I wake up this morning to an email a minute about a failed cron job. It smells fishy, so I contact LUnar pages support to see whats up.
They inform me that some asswad had managed to brute force into my server using a temporary account I set up a while back for some tech support. (I prefaced this with 'im an idiot', so no you know why)
Either way, my server now has a rootkit, plus other **** im sure im not aware of... so they propose to move me to a brand new fresh box. im thinking they are gonna charge me a fee for this, a fee for that... no way. All is free of charge.
Im ****ting kittens now.
so im resetting everything up, and i manage to look myself out of my database...(i told you I was an idiot.. and this was a looooong day already)
they fix it. again. no problem...
If you are looking for a dedicated server, go to lunarpages. otherwise you are a freaking idiot as far as I am concerned...
Lunarpages, I love you, I want your babies...
PS: I am in no way affiliated with lunarpages... however, if they want to give me a free year on their servers, i wouldnt complain... *hint hint*
Is it possible to disable a particular mod_security rule for particular directory or the rules are global?
View 4 Replies View RelatedI want to block the icmp6 and traceroute on my ipv6 server,how can i do it?
View 1 Replies View RelatedI just installed mod_security via WHM, and want to know what rule should I enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
make this rules work on apache 2 mod_security 2?
View 4 Replies View RelatedAny good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
Is there any difference with the old one?
I have a customized modsecurity.conf file in my old Apache 1.3 server. Is it ok to copy it to new modsec2.conf?
I'v just upgraded to apache2.2 and modsecurity2
there is a difference between modsec1 and 2 rules
so i can't use modsecurity1 rules
so can i have rules for modsecurity2
and can you tell me how do i create a new rules
in modsecuirty1 i just do this :
Code:
SecFilter "cmd"
in modsecurity2 i triad:
Code:
SecRule "cmd"
but it didn't work
How do I set up rewrite on lighttpd?
View 1 Replies View RelatedI got on one of my dedi server apf firewall installed and it keep reseting every 24 hours?
i put the devile mode to 0.
i have cpanel 11 and centos 4 runing
Does anyone know any good mod_evasive rules that pick up DoS, but not many false positives? Just looking to see what works for everyone out there, been having trouble.
Or if there is better apache module to combat DoS.
We were recently hacked on our dedicated server and the hacker managed to insert php files that generated thousands of doorway pages in one of our images folder on our site. We have done an extensive cleanup of our site, removing all malicious files and are locking down the server. We have already updated to the latest versions of PHP and Wordpress,not to mention change all database passwords and admin password. My question is about mod_security for apache.
We were told Mod_security can prevent this from happening again but it must be configured correctly.
We have already set rules for mod_security. The rules set up are in the files in the directory, /etc/httpd/modsecurity.d/modsec. We were told that the file 10_asl_rules.conf specifically has filters to prevent SQL injection attacks.
These are are current rules:
----------------------------------------------------------------------
/etc/httpd/modsecurity.d/modsec
# ls
05_asl_exclude.conf 30_asl_antispam.conf domain-blacklist-local.txt malware-blacklist.txt
05_asl_scanner.conf 30_asl_antispam_referrer.conf domain-blacklist.txt sql.txt
10_asl_antimalware.conf 40_asl_apache2-rules.conf domain-spam-whitelist.conf trusted-domains.conf
10_asl_rules.conf 50_asl_rootkits.conf domain-spam-whitelist.txt trusted-domains.txt
11_asl_data_loss.conf 60_asl_recons.conf malware-blacklist-high.txt whitelist.txt
20_asl_useragents.conf 99_asl_exclude.conf malware-blacklist-local.txt
30_asl_antimalware.conf 99_asl_jitp.conf malware-blacklist-low.txt
-----------------------------------------------------------------
I can do to prevent this or tune up apache mod_security from letting this happen again. We are so paranoid that we are now checking our access log files for POST commands every day?
Im using a vps with centos 5 and cpanel/whm with apache 2.2.
Im tring to figure out how to use the gotroot rules with mod_security. I had enabled mod_security with easy apache. I tried to follow some other post had I found around on other forums with no luck really, with that said I am a linux noob. I had tried to follow the wiki on atomic sites <-- not enof post so I cant do links sorry, but I found it hard to under stand cause I dont have a modsecurity.config file that I can find, also I cant find AddModule mod_security.c in my httpd.config, but I did find this line, Include "/usr/local/apache/conf/modsec2.conf". My thing is im looking for a complete noob guide on how to use gotroot rules with mod_security enabled through easy apache, or would it be easyer to manully install mod_security?
