Difference between revisions of "Main Page"

From Wiki.onotech.org
Revision as of 18:41, 1 October 2017


Wiki

Firewalls/Blocked IPs

APF

Blacklist

vim /etc/apf/deny_hosts.rules 

Whitelist

vim /etc/apf/allow_hosts.rules 

Config file

vim /etc/apf/conf.apf 

Restart

/etc/init.d/apf restart 

Flush IP Tables

iptables -F

CSF

Use CSF to grep the current rules for an IP

csf -g ip.add.re.ss

CSF uses MaxMind's free GeoIP database to add geo information to the logs. You can also query what CSF has stored locally for an IP from the command line:

csf -i ip.add.re.ss

Blacklist

vim /etc/csf/csf.deny 

Whitelist

vim /etc/csf/csf.allow 

Restart (both CSF and LFD)

csf -ra 

Configuration

vim /etc/csf/csf.conf 

login failure log

/var/log/lfd.log 

Fun output, IP address and the LFD trigger that got it blocked:

grep -F '*Blocked in csf*' /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D'


The output looks like:

118.98.66.56    ==blocked for==> [LF_SMTPAUTH]
92.38.233.191   ==blocked for==> [LF_SSHD]
104.167.104.147 ==blocked for==> [LF_SSHD]
73.179.232.255  ==blocked for==> [LF_CPANEL]
118.163.76.38   ==blocked for==> [LF_SMTPAUTH]
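As an added example (not from the wiki page), the same extraction done with awk over constructed sample lfd.log lines, plus a per-trigger count that shows which service is taking the most brute-force pressure. The log line layout is assumed from the output above (timestamp, host, lfd[pid], "... from <ip> ... *Blocked in csf* [LF_TRIGGER]"); the sample lines are constructed, not real data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Reproduces the "IP ==blocked for==> [LF_*]"
# summary with awk and adds a per-trigger count. The lines in sample_lfd_log are
# constructed to match the lfd.log layout assumed here; real lines may differ slightly.

# Constructed sample of /var/log/lfd.log (not real data).
sample_lfd_log() {
    cat <<'EOF'
Oct  1 18:40:01 host lfd[2101]: (smtpauth) Failed SMTP AUTH login from 118.98.66.56 (ID/Indonesia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Oct  1 18:40:05 host lfd[2101]: (sshd) Failed SSH login from 92.38.233.191 (RU/Russia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Oct  1 18:40:09 host lfd[2101]: daemon started on host (constructed noise line, no block)
Oct  1 18:40:12 host lfd[2101]: (sshd) Failed SSH login from 104.167.104.147 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Oct  1 18:40:20 host lfd[2101]: (cpanel) Failed cPanel login from 73.179.232.255 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]
EOF
}

# summarize_lfd_blocks: read lfd.log lines on stdin and print
# "IP ==blocked for==> [TRIGGER]" for every line that records a block.
# The first dotted quad on the line is taken as the offending IP; the [LF_...] token
# is the trigger. Lines without both are ignored.
summarize_lfd_blocks() {
    awk '/\*Blocked in csf\*/ {
        ip = ""; trig = ""
        for (i = 1; i <= NF; i++) {
            t = $i
            sub(/[:,)]+$/, "", t)          # drop trailing punctuation such as "1.2.3.4:"
            if (ip == "" && t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = t
            if (t ~ /^\[LF_[A-Z_]+\]$/) trig = t
        }
        if (ip != "" && trig != "") printf "%-15s ==blocked for==> %s\n", ip, trig
    }'
}

# count_by_trigger: aggregate the summary into "[TRIGGER] count" lines,
# most frequent trigger first, so the noisiest service is at the top.
count_by_trigger() {
    summarize_lfd_blocks | awk '{ n[$NF]++ } END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Stand-alone run on the constructed sample.
sample_lfd_log | summarize_lfd_blocks
sample_lfd_log | count_by_trigger
```

On a real box, replace `sample_lfd_log` with `cat /var/log/lfd.log` (or `tail -f` for live watching); the per-trigger count is a quick way to decide which LF_* thresholds in csf.conf deserve attention first.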


cPHulk

The brute force protection deny/allow list is edited through WHM:

 Main >> Security Center >> cPHulk Brute Force Protection 

command line

Is it running?

/usr/local/cpanel/scripts/restartsrv_cphulkd --status 

stop and disable it

/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable


Host Access Control

GUI in WHM (along with syntax/instructions):

Main >> Security Center >> Host Access Control

or edit the file directly:

/etc/hosts.allow 

Keep in mind that there is also

/etc/hosts.deny 

which WHM does not touch, but this is another place where IPs can be manually blocked.


FTP

Passive mode issues

Determine which FTP service is in use, PureFTPd or proFTPd, then enable passive ports for that service.

By default the FTP configs show or suggest 30000 to 50000; that is an unnecessarily large range of ports to leave open. Determine whether APF or CSF is in use, then make sure the chosen ports are open in the firewall. Restart the services you updated, and make sure passive mode is enabled in the FTP config.

For PureFTPd

backup the existing conf

cp -va /etc/pure-ftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/pure-ftpd.conf 

add or modify to look something like this

#Port range for passive connections replies. - for firewalling. 
PassivePortRange 30000 35000 

xor

For proFTPd

backup the existing conf

cp -va /etc/proftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/proftpd.conf 

add or modify to look something like this:

PassivePorts 30000 35000 

Then open those ports in the firewall.

For CSF, backup the existing conf:

cp -va /etc/csf/csf.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/csf/csf.conf 

Add 30000:35000 (CSF's range syntax is a colon) to the end of the TCP_IN list, which sits under this comment in csf.conf:

# Allow incoming TCP ports

TCP_IN = "ports,moreports,otherports,30000:35000"

xor

For APF, backup the existing conf:

cp -va /etc/apf/conf.apf{,.$(date +"%m-%d-%Y").bak}
vim /etc/apf/conf.apf

Add 30000_35000 (APF's range syntax is an underscore) to the end of the IG_TCP_CPORTS list, which sits under this comment in conf.apf:

# Common inbound (ingress) TCP ports

IG_TCP_CPORTS="ports,moreports,otherports,30000_35000"


Check the Storm / Smart Server firewall too; it might be blocking these ports as well.

As always, remember to restart the services:

/etc/init.d/pure-ftpd restart

or

/etc/init.d/proftpd restart

as well as APF or CSF.
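Added example, not part of the wiki page: a small POSIX sh check that reads the passive range from pure-ftpd.conf or proftpd.conf and verifies that csf.conf (TCP_IN) or conf.apf (IG_TCP_CPORTS) actually opens it, so a mismatch between the two configs is caught before the restart rather than reported by a user whose data connections hang. The directive names and the colon/underscore range syntax come from the page; the sample config files, the width warning threshold and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: verify that the FTP daemon's passive port
# range is actually opened by the firewall before the services are restarted.
# Directives understood (as shown on the page): PassivePortRange (PureFTPd),
# PassivePorts (ProFTPd), TCP_IN (CSF, "low:high"), IG_TCP_CPORTS (APF, "low_high").
# Every config file written below is a constructed sample, not a copy of a real config.

# ftp_passive_range FILE
# Print "LOW HIGH" from the last active PassivePortRange/PassivePorts line in FILE.
# Commented-out lines have "#..." as their first field and are skipped.
ftp_passive_range() {
    awk '$1 == "PassivePortRange" || $1 == "PassivePorts" { print $2, $3 }' "$1" | tail -n 1
}

# firewall_port_list FILE
# Print the quoted value of the last active TCP_IN (CSF) or IG_TCP_CPORTS (APF) line.
firewall_port_list() {
    awk -F'"' '$1 ~ /^(TCP_IN|IG_TCP_CPORTS)[ \t]*=[ \t]*$/ { print $2 }' "$1" | tail -n 1
}

# firewall_has_range FILE LOW HIGH
# Succeed if some entry in the firewall list covers LOW..HIGH. Entries are single ports
# or ranges written low:high (CSF) or low_high (APF); both separators are accepted.
firewall_has_range() {
    firewall_port_list "$1" | tr ',' '\n' | sed 's/[:_]/-/' |
    awk -F'-' -v lo="$2" -v hi="$3" '
        NF == 1 { $2 = $1 }                                  # single port: lo == hi
        ($1 + 0) <= (lo + 0) && (hi + 0) <= ($2 + 0) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_passive_ports FTPCONF FWCONF
# Print a one-line verdict; return 0 only when the firewall covers the passive range.
# The 5000-port width warning is this example's own threshold (the page uses 30000-35000).
check_passive_ports() {
    range=$(ftp_passive_range "$1")
    if [ -z "$range" ]; then
        echo "NO RANGE: $1 has no active PassivePortRange/PassivePorts line"
        return 1
    fi
    low=${range% *}; high=${range#* }
    if [ $((high - low)) -gt 5000 ]; then
        echo "WARNING: $1 passive range $low-$high is wider than the 30000-35000 example"
    fi
    if firewall_has_range "$2" "$low" "$high"; then
        echo "OK: $2 opens $low-$high for passive FTP"
        return 0
    fi
    echo "MISSING: $2 does not open $low-$high; add it to TCP_IN (CSF) or IG_TCP_CPORTS (APF)"
    return 1
}

# Stand-alone demo on constructed sample configs (written to a temp dir, then removed).
demo() {
    d=$(mktemp -d)
    printf 'PassivePortRange 30000 35000\n' > "$d/pure-ftpd.conf"
    printf 'TCP_IN = "20,21,22,25,80,443,30000:35000"\n' > "$d/csf.conf"
    printf 'IG_TCP_CPORTS="22,80,443"\n' > "$d/conf.apf"
    check_passive_ports "$d/pure-ftpd.conf" "$d/csf.conf"            # OK
    check_passive_ports "$d/pure-ftpd.conf" "$d/conf.apf" || true    # MISSING
    rm -rf "$d"
}
demo
```

Run it as `check_passive_ports /etc/pure-ftpd.conf /etc/csf/csf.conf` (or the proftpd.conf / conf.apf pair) right after editing and before the restarts; a non-zero exit is the signal to go back to the firewall config.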