
Hardening Main steps in hardening your server.

Old 15-08-2004, 16:12   #1
shawnho
SGWHT Premium Member
 
Join Date: 24-07-2003
Location: Singapore
Posts: 1,541
Step 1 - Installation of APF Firewall

APF Firewall

Code:
cd /usr/local/
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.9.3_3
./install.sh
You will see the following output:
Code:
.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

edit /etc/apf/conf.apf

Note: IG means incoming ports, EG means outgoing ports ;)
I am not using EG(ports) now, perhaps after I am fully satisfied and get good feedback, I will update this.


For CPanel, use:
Code:
DEVM="0"
FWPATH="/etc/apf"
IF="eth0"
MONOKERN="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
DSTOP="DROP"
ICMP_LIM="60/m"
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
USE_DS="1"
USE_AD="1"
CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
IG_TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,7786"
IG_UDP_CPORTS="53"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
IPTLOG="/var/log/apf_log"
DROP_LOG="1"
LRATE="60"
CNFINT="$FWPATH/internals/internals.conf"
. $CNFINT

For Ensim, use:
Code:
DEVM="0"
FWPATH="/etc/apf"
IF="eth0"
MONOKERN="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
DSTOP="DROP"
ICMP_LIM="60/m"
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
USE_DS="1"
USE_AD="1"
CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
IG_UDP_CPORTS="53"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
IPTLOG="/var/log/apf_log"
DROP_LOG="1"
LRATE="60"
CNFINT="$FWPATH/internals/internals.conf"
. $CNFINT

For Plesk, use:
Code:
DEVM="0"
FWPATH="/etc/apf"
IF="eth0"
MONOKERN="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
DSTOP="DROP"
ICMP_LIM="60/m"
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
USE_DS="1"
USE_AD="1"
CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,8443"
IG_UDP_CPORTS="53"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
IPTLOG="/var/log/apf_log"
DROP_LOG="1"
LRATE="60"
CNFINT="$FWPATH/internals/internals.conf"
. $CNFINT

Backup/Secure Server {backup done via rsync using SSH}
I am using EG port here, so that packets going outside are also filtered.
Code:
DEVM="0"
FWPATH="/etc/apf"
IF="eth0"
MONOKERN="0"
TCP_STOP="DROP"
UDP_STOP="DROP"
DSTOP="DROP"
ICMP_LIM="60/m"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="0"
USE_DS="0"
USE_AD="0"
CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="1"
EG_TCP_CPORTS="21,22,25,80,443"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
IPTLOG="/var/log/apf_log"
DROP_LOG="1"
LRATE="60"
CNFINT="$FWPATH/internals/internals.conf"
. $CNFINT

Code:
  /etc/init.d/apf start 
Courtesy of admin0
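A pre-flight check for the conf.apf blocks in the first post, as an added example that is not part of the original thread: it reads the file without sourcing it and flags development mode, disabled egress filtering, malformed port lists and a missing SSH port. The function names are hypothetical, the sample config is constructed, and the SSH check assumes sshd listens on port 22.

```shell
# Added example, not from the thread: lint conf.apf before starting APF.
# Print KEY's value without sourcing conf.apf (it ends by sourcing internals.conf).
conf_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Check one port list: comma-separated ports, ranges written lo_hi (cf. 135_139).
check_ports() {  # $1=key $2=value; prints one line per problem
    case "$2" in *,) echo "WARN $1: trailing comma" ;; esac
    old_ifs=$IFS; IFS=,; set -f
    for p in $2; do
        case "$p" in
            "") echo "WARN $1: empty entry (doubled comma)"; continue ;;
            *[!0-9_]*|_*|*_|*_*_*) echo "WARN $1: bad entry '$p'"; continue ;;
        esac
        lo=${p%_*}; hi=${p#*_}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "WARN $1: out-of-range entry '$p'"
        fi
    done
    set +f; IFS=$old_ifs
}

# audit_apf_conf FILE: prints findings; returns 1 if there were any.
audit_apf_conf() {
    findings=$(
        [ "$(conf_get "$1" DEVM)" = "0" ] ||
            echo "WARN DEVM: development mode, rules flush every 5 minutes"
        [ "$(conf_get "$1" EGF)" = "1" ] ||
            echo "WARN EGF: egress filtering off, EG_* lists not enforced"
        for k in CDPORTS IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
            check_ports "$k" "$(conf_get "$1" "$k")"
        done
        # Assumption: sshd listens on the default port 22.
        case ",$(conf_get "$1" IG_TCP_CPORTS)," in (*,22,*) ;; (*)
            echo "WARN IG_TCP_CPORTS: 22 not open, SSH lock-out risk" ;; esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}

# Constructed sample input (not a config from the thread).
sample_conf() {
    printf '%s\n' 'DEVM="1"' 'EGF="1"' 'CDPORTS="135_139,111"' \
        'IG_TCP_CPORTS="22"' 'EG_TCP_CPORTS="21,,22,25,80,443,"'
}
tmp=$(mktemp) && sample_conf > "$tmp"
audit_apf_conf "$tmp" || echo "fix the findings before starting APF"
rm -f "$tmp"
```

On a real server the call would be `audit_apf_conf /etc/apf/conf.apf`, run before `/etc/init.d/apf start`.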

Old 07-09-2006, 11:48   #2
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Hi,

I have problems installing APF, able to advise? Thanks ;)

=========================================
Starting APF:Development mode enabled!; firewall will flush every 5 minutes.
Unable to load iptables module (ipt_state), aborting.
Old 07-09-2006, 12:05   #3
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
What is your error message? I can assist you
Old 07-09-2006, 13:34   #4
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Hi tanfwc, thanks for the previous help.

I'm running on Ensim and I need to install a firewall. I have followed the steps above; however, it prompts me with the error "Unable to load iptables module (ipt_state), aborting."

Any idea how to solve this?

Very much thanks
Old 07-09-2006, 14:21   #5
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
Edit file
Code:
pico -w /etc/apf/internals/functions.apf

Search for line
Code:
ml ipt_state 1

Change it to
Code:
ml xt_state
Google is your solution
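One way to apply the edit from the reply above only when the kernel calls for it, as an added example that is not part of the original thread: it looks for `ipt_state` and `xt_state` in the kernel's module tree and rewrites the `ml` line only if `xt_state` is the one present, keeping a backup. The function names are hypothetical and the demo runs against a constructed module tree and stand-in file, not the real `/etc/apf/internals/functions.apf`.

```shell
# Added example, not from the thread: make the ipt_state -> xt_state edit
# only when the kernel's module tree calls for it.

# has_module DIR NAME: true if NAME is a loadable (.ko, .ko.gz, .ko.xz) or
# built-in module under module tree DIR.
has_module() {
    find "$1" -name "$2.ko*" 2>/dev/null | grep -q . && return 0
    grep -qs "/$2\.ko\$" "$1/modules.builtin"
}

# fix_state_module FUNCS [MODDIR]: rewrite "ml ipt_state 1" to "ml xt_state"
# in FUNCS, keeping FUNCS.bak. Returns 0 if patched, 1 if nothing to change,
# 2 if neither module was found under MODDIR.
fix_state_module() {
    funcs=$1
    moddir=${2:-/lib/modules/$(uname -r)}
    if has_module "$moddir" ipt_state; then
        echo "ipt_state exists; $funcs left unchanged"; return 1
    fi
    if ! has_module "$moddir" xt_state; then
        echo "neither ipt_state nor xt_state found under $moddir"; return 2
    fi
    grep -q '^[[:space:]]*ml ipt_state' "$funcs" || return 1
    sed -i.bak 's/^\([[:space:]]*\)ml ipt_state.*/\1ml xt_state/' "$funcs"
    echo "patched $funcs (backup in $funcs.bak)"
}

# Constructed demo: a fake module tree and a stand-in for functions.apf,
# so nothing under /etc/apf or /lib/modules is touched.
demo=$(mktemp -d)
mkdir -p "$demo/mods/kernel/net/netfilter"
: > "$demo/mods/kernel/net/netfilter/xt_state.ko"
printf '# constructed stand-in file\n  ml ipt_state 1\n' > "$demo/functions.apf"
fix_state_module "$demo/functions.apf" "$demo/mods" || true
cat "$demo/functions.apf"
rm -rf "$demo"
```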
Old 25-11-2006, 13:23   #6
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Hi,

I need some assistance from you guys' expertise.
Inside my APF firewall logs, I keep seeing the firewall ban by IP top-level range. How do I set it by IP address only and not by range? Thanks

# added 182 on 10/30/06 22:04:01
182
Old 25-11-2006, 18:08   #7
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
What is your APF version?

Run this command and look at the first 3 lines
apf
Old 25-11-2006, 18:31   #8
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Quote:
Originally Posted by tanfwc
What is your APF version?

Run this command and look at the first 3 lines
apf
Hi, it's APF version 0.9.6.
Old 25-11-2006, 18:41   #9
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
APF will not block IP address by range. It will only block by IP address; have you changed any configuration to the APF recently?
Old 25-11-2006, 20:01   #10
memoriess
SGWHT Newbie
 
Join Date: 03-09-2006
Posts: 50
Quote:
Originally Posted by tanfwc
APF will not block IP address by range. It will only block by IP address; have you changed any configuration to the APF recently?
Hmm, I changed a lot of settings. Any idea where to locate the line where I can configure this setting?
Old 26-11-2006, 01:19   #11
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
Don't think there are any settings for this. But is it just one entry or a lot?
Old 22-05-2008, 13:04   #12
CoolRock
SGWHT Veteran Member
 
Join Date: 18-08-2006
Posts: 782
How about installation of APF firewall on a normal testing webserver running webmin? Whereby ports like 80, 1234, 5678, etc are used?
Old 22-05-2008, 13:45   #13
tanfwc
SGWHT Premium Member
 
Join Date: 12-12-2003
Location: Singapore
Posts: 2,350
I would suggest using ConfigServer Firewall. You can just open the necessary port as needed and close the rest if not needed
Old 22-05-2008, 14:21   #14
CoolRock
SGWHT Veteran Member
 
Join Date: 18-08-2006
Posts: 782
Quote:
Originally Posted by tanfwc
I would suggest using ConfigServer Firewall. You can just open the necessary port as needed and close the rest if not needed
Roger that. Tango Yankee.
All times are GMT +8.