Dev {Tricks}

You are here: Home / Archives for Server and Hosting / Security

by Leave a Comment

How to install CSF with Brute Force Monitor (BFM) on DirectAdmin

CSF with Brute Force Monitor (BFM) will provide extra benefit of BFM to find some extra cases which triggers the blocks using CSF.

It will use the iptables configuration, and all features of CSF, plus the added benefit of the BFM

wget http://files.directadmin.com/services/all/csf/csf_install.sh
/bin/sh ./csf_install.sh

 

by Leave a Comment

How to create One-Click login to RoundCube and phpMyAdmin ?

To enable one-click login for RoundCube

cd /usr/local/directadmin/
./directadmin set one_click_webmail_login 1
service directadmin restart
cd custombuild
./build update
./build dovecot_conf
./build exim_conf
./build roundcube

To enable one-click login for phpMyAdmin

cd /usr/local/directadmin/
./directadmin set one_click_pma_login 1
service directadmin restart
cd custombuild
./build update
./build phpmyadmin

To disable browser access to phpMyAdmin

cd /usr/local/directadmin/custombuild
./build update
./build set phpmyadmin_public no
./build phpmyadmin

 

 

by Leave a Comment

ConfigServer Security & Firewall, CSF basic commands, advanced configurations and settings

Basic CSF commands

  • Enable CSF 
    csf -e
  • Disable CSF 
    csf -x
  • Start CSF 
    csf -s
  • Flush/Stop CSF 
    csf -f
  • Reload CSF 
    csf -r
  • Allow an IP and add it to csf.allow – /etc/csf/csf.allow 
    csf -a 162.162.1.219
  • Remove and delete an IP from csf.allow – /etc/csf/csf.allow 
    csf -ar 162.162.1.209
  • Place an IP on temporary deny list in /var/lib/csf/csf.tempban 
    csf -td
  • Remove an IP from the temporary IP ban or allow list 
    csf -tr 162.162.1.209
  • Flush all IPs from the temporary IP entries 
    csf -tf
  • Deny an IP and add to csf.deny 
    csf -d 162.162.1.209
  • Remove and Unblock an IP from csf.deny 
    csf -dr 162.162.1.209
  • Remove and Unblock all entries from csf.deny 
    csf -df
  • Search for a pattern match on iptables e.g : IP, CIDR, Port Number 
    csf -g 152.167.1.118

Advanced Configuration to csf.conf at /etc/csf/csf.conf

  • Add root and admin notification email addresses at /etc/aliases. 
    root: root@domain.com
admin: admin@domain.com
  • Add email address to get all notifications – /etc/csf
    (csf > firewall configuration > Reporting Settings > LF_ALERT_TO = alert@domain.com)

    LF_ALERT_TO = "alert@domain.com"
  • Stop or disable “excessive resource usage” change PT_USERTIME = 0 
    PT_USERTIME = "0"

    Under Process Tracking at /etc/csf

  • Don’t Block IP addresses that are in the csf.allow files 
    IGNORE_ALLOW = "1"
  • Allow Incoming and Outgoing ICMP 
    ICMP_IN = "1"
    ICMP_OUT = "1"
  • Block Certain Countres 
    CC_DENY = "CA,CN,US"
    CC_ALLOW = "IN,ME,DE"
  • Send the Su and SSH Login log by Email 
    LF_SSH_EMAIL_ALERT = "1"
    LF_SU_EMAIL_ALERT = "1"
  •  Get alert or notification 
    LF_ALERT_TO = "email@domain.tld"

Warning in CSF

  • SYSLOG_CHECK option check
    (This option helps prevent brute force attacks on your server services)

    • Open /etc/csf/csf.conf
    • Search for “SYSLOG_CHECK”
    • Put value between 300 and 3600 seconds 
      SYSLOG_CHECK = "600"
    • Restart CSF firewall 
      #csf -r
  • Check for DNS recursion restrictions
    (You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only)
    • Add following options to /etc/named.conf 
      options {        
   allow-recursion {
   localhost;
};
    • Restart named 
      service named restart
  • Check for cxs
    (You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server)

    ConfigServer eXploit Scanner (cxs) - from $60/server

    https://configserver.com/cp/cxs.html

  • Check for osm
    (You should consider using osm to provide protection from spammers exploiting the server)

    Outgoing Spam Monitor (osm) - $40/server

    https://www.configserver.com/cp/osm.html

  • Check for swap file
    (The server appears to have no swap file. This is usually considered a stability and performance risk. You should either add a swap partition, or create one via a normal file on an existing partition)
  • SSH/Telnet Check
    • Check SSH PasswordAuthentication
      (You should disable PasswordAuthentication and only allow access using PubkeyAuthentication to improve brute-force SSH security)
    • Check SSH UseDNS
      (You should disable UseDNS by editing /etc/ssh/sshd_config. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses)

      UseDNS no