Main Page
Wiki
Firewalls/Blocked IPs
APF
Blacklist
vim /etc/apf/deny_hosts.rules
Whitelist
vim /etc/apf/allow_hosts.rules
Config file
vim /etc/apf/conf.apf
Restart
/etc/init.d/apf restart
Flush IP Tables
iptables -F
CSF
Use CSF to grep the current rules for an IP
csf -g ip.add.re.ss
CSF uses the free MaxMind GeoIP database to add geo info to the logs. You can also manually query what CSF has stored locally, from the command line:
csf -i ip.add.re.ss
Blacklist
vim /etc/csf/csf.deny
Whitelist
vim /etc/csf/csf.allow
Restart (both CSF and LFD)
csf -ra
Configuration
vim /etc/csf/csf.conf
login failure log
/var/log/lfd.log
Fun output, IP address and the LFD trigger that got it blocked:
grep "*Blocked in csf*" /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D'
looks like
118.98.66.56 ==blocked for==> [LF_SMTPAUTH]
92.38.233.191 ==blocked for==> [LF_SSHD]
104.167.104.147 ==blocked for==> [LF_SSHD]
73.179.232.255 ==blocked for==> [LF_CPANEL]
118.163.76.38 ==blocked for==> [LF_SMTPAUTH]
cPHulk
Brute Force Protection deny/allow list edited through WHM
Main >> Security Center >> cPHulk Brute Force Protection
command line
Is it running?
/usr/local/cpanel/scripts/restartsrv_cphulkd --status
stop and disable it
/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Host Access Control
GUI in WHM (along with syntax/instructions):
Main >> Security Center >> Host Access Control
or edit the file directly:
/etc/hosts.allow
keep in mind that there is
/etc/hosts.deny
which WHM does not touch, but this is another place IPs can be manually blocked
FTP
Passive mode issues
Determine which FTP service is in use: PureFTPd or proFTPd. Then enable the use of passive ports for the FTP service being used.
By default the FTP configs will show/suggest using 30000 to 50000; this is an unnecessarily large range of ports to leave open.
Determine whether APF or CSF is in use. Then make sure the ports are open in the firewall.
Restart the services that were updated.
Make sure that passive mode is enabled in the FTP config.
For PureFTPd
backup the existing conf
cp -va /etc/pure-ftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/pure-ftpd.conf
add or modify to look something like this
#Port range for passive connections replies. - for firewalling.
PassivePortRange 30000 35000
xor
For proFTPd
backup the existing conf
cp -va /etc/proftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/proftpd.conf
add or modify to look something like this:
PassivePorts 30000 35000
Then open those ports in the firewall
For CSF
backup the existing conf
cp -va /etc/csf/csf.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/csf/csf.conf
add
30000:35000
(CSF's range syntax is a colon)
to the end of
- Allow incoming TCP ports
TCP_IN = "ports,moreports,otherports,30000:35000"
xor
For APF
backup the existing conf
cp -va /etc/apf/conf.apf{,.$(date +"%m-%d-%Y").bak}
vim /etc/apf/conf.apf
add
30000_35000
(APF's range syntax is an underscore)
to the end of
- Common inbound (ingress) TCP ports
IG_TCP_CPORTS="ports,moreports,otherports,30000_35000"
Check the storm / smart server firewall! This might be blocking ports as well.
As always, remember to restart the services
/etc/init.d/pure-ftpd restart
or
/etc/init.d/proftpd restart
as well as APF or CSF.
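Added example, not part of the original wiki page: a shell check that the passive range set in the FTP config (PassivePortRange or PassivePorts) is covered by the firewall list edited above (TCP_IN for CSF, IG_TCP_CPORTS for APF). The function names and the sample configs written by demo are made up for illustration.

```sh
# Added example (not from the wiki): confirm the FTP passive range is allowed
# by the firewall list the page edits (TCP_IN for CSF, IG_TCP_CPORTS for APF).

# Print "LOW HIGH" from pure-ftpd.conf (PassivePortRange) or proftpd.conf (PassivePorts).
ftp_passive_range() {
    awk 'NF >= 3 && ($1 == "PassivePortRange" || $1 == "PassivePorts") { print $2, $3; exit }' "$1"
}

# Print the quoted value of setting $2 (KEY = "...") from firewall config $1.
fw_port_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed if ports $1..$2 fit inside one entry of the comma-separated list $3.
# Ranges are 30000:35000 in CSF and 30000_35000 in APF; both forms are accepted.
range_allowed() {
    old_ifs=$IFS; IFS=,; set -f
    for entry in $3; do
        start=${entry%%[:_]*}; end=${entry##*[:_]}
        case "$start,$end" in ,*|*,|*[!0-9,]*) continue ;; esac
        if [ "$start" -le "$1" ] && [ "$end" -ge "$2" ]; then
            IFS=$old_ifs; set +f; return 0
        fi
    done
    IFS=$old_ifs; set +f; return 1
}

# check_passive FTP_CONF FW_CONF FW_KEY: 0 = covered, 1 = not covered, 2 = no range set.
check_passive() {
    range=$(ftp_passive_range "$1")
    [ -n "$range" ] || { echo "no passive range set in $1"; return 2; }
    if range_allowed "${range% *}" "${range#* }" "$(fw_port_list "$2" "$3")"; then
        echo "OK: ports $range allowed by $3 in $2"
    else
        echo "MISSING: ports $range not allowed by $3 in $2"; return 1
    fi
}

# Demo on constructed configs (sample values, not from a real server).
demo() {
    d=$(mktemp -d)
    printf 'PassivePortRange 30000 35000\n' > "$d/pure-ftpd.conf"
    printf 'TCP_IN = "20,21,22,80,443,30000:35000"\n' > "$d/csf.conf"
    printf 'IG_TCP_CPORTS="21,22,80,443"\n' > "$d/conf.apf"
    check_passive "$d/pure-ftpd.conf" "$d/csf.conf" TCP_IN || true
    check_passive "$d/pure-ftpd.conf" "$d/conf.apf" IG_TCP_CPORTS || true
    rm -rf "$d"
}
demo
```

On a server, point it at the real files, for example check_passive /etc/pure-ftpd.conf /etc/csf/csf.conf TCP_IN.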