Posts Tagged ‘server security’

CSF/LFD firewall installation guide for Plesk

Monday, April 25th, 2011

Config Server Firewall (csf) and Login Failure Daemon (lfd) together form a robust firewall solution for Linux servers: a Stateful Packet Inspection (SPI) firewall plus login/intrusion detection. Although it is designed primarily for cPanel, we have used it with the Plesk hosting control panel as well and it runs fine. Visit the link below for more information.

http://www.configserver.com

The installation steps for CSF/LFD are listed below. Log in to your server as the 'root' user and issue the following commands:

Change directory to either /root or /usr/local/src, whichever you normally use for such installations.

# cd /usr/local/src

[Remove any old source that might be present]

Download and untar the source for installation:

# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz

Run the installation script:

# cd csf
# sh install.sh

Once the installation completes, run the script below (provided by the vendor) to check that your server/VPS has the required iptables modules available:

# perl /etc/csf/csftest.pl

CSF also provides a script to remove the other popular combination mentioned earlier, apf/bfd. The script below removes apf/bfd from your server/VPS:

# sh /etc/csf/remove_apf_bfd.sh

Common settings for incoming/outgoing TCP and UDP connections in /etc/csf/csf.conf (the interface names below are specific to this server; adjust them to yours):

ETH_DEVICE = "eth1"

ETH_DEVICE_SKIP = "eth0"

# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,80,110,443,43,873,8443"

# Allow incoming UDP ports
UDP_IN = "53,111,123,230,631,859,862,2109,5353"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,2109"

# Allow incoming PING
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "0"

# Allow outgoing PING
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"

# Enable login failure detection daemon (lfd).
LF_DAEMON = "1"

To allow Qmail (Plesk's MTA) to send mail while SMTP_BLOCK is on, alter the settings below:

SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "1"
SMTP_PORTS = "25,587"
SMTP_ALLOWUSER = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails"
SMTP_ALLOWGROUP = "qmail,nofiles,mail,mailman"

Set the CSF/LFD alert FROM/TO addresses as below (this must be set for Plesk):

LF_ALERT_TO = "supportteam@diadem.co.in"
LF_ALERT_FROM = "csf_LFD@diadem.co.in"

Enable third-party block list checking (the value is the list refresh interval in seconds):

# Enable IP range blocking using the DShield Block List
LF_DSHIELD = "86400"

# Enable IP range blocking using the Spamhaus DROP List
LF_SPAMHAUS = "86400"

# Enable IP range blocking using the BOGON List
LF_BOGON = "86400"

Now add the qmail/Plesk mail users and processes to the LFD process ignore list in the csf.pignore file, so that lfd does not raise alerts for them:

# vim /etc/csf/csf.pignore

#### Custom for Plesk ####
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat

Note: you may need to add a few more processes/users according to your requirements.

Now start CSF:

# csf -s

Restart LFD:

# service lfd restart

Installation is done. Now check the website, mail and other services, then disable TESTING mode (set TESTING = "0" in /etc/csf/csf.conf; while TESTING is on, a cron job periodically flushes the rules) and restart CSF/LFD:

# csf -r
# service lfd restart
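Before taking the firewall out of TESTING mode, it is worth checking that the csf.conf edits from the steps above actually landed. The helpers below are an added example, not part of csf or of this guide; they assume csf.conf's one-key-per-line KEY = "value" format and GNU sed (for -i), and the port list they check is the Plesk-specific subset of TCP_IN used above.

```shell
#!/bin/sh
# Idempotent helpers for applying and verifying csf.conf settings.
# Added example (not configserver's own code). Assumes the csf.conf
# line format  KEY = "value"  and GNU sed for in-place editing.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_get KEY [FILE]: print the value of KEY without the surrounding quotes.
csf_get() {
    sed -n "s/^$1 = \"\(.*\)\"[[:space:]]*$/\1/p" "${2:-$CSF_CONF}" | head -n 1
}

# csf_set KEY VALUE [FILE]: replace an existing "KEY = ..." line in place,
# or append the key if it is not present yet. Safe to run repeatedly.
csf_set() {
    f="${3:-$CSF_CONF}"
    if grep -q "^$1 = " "$f"; then
        sed -i "s|^$1 = .*|$1 = \"$2\"|" "$f"
    else
        printf '%s = "%s"\n' "$1" "$2" >> "$f"
    fi
}

# csf_has_port KEY PORT [FILE]: succeeds if PORT is an element of KEY's
# comma-separated list (whole-element match, so 844 does not match 8443).
csf_has_port() {
    csf_get "$1" "${3:-$CSF_CONF}" | tr ',' '\n' | grep -qx "$2"
}

# csf_check_plesk [FILE]: verify what the guide needs before going live:
# Plesk panel and mail/web ports open in TCP_IN, lfd enabled, TESTING off.
# Prints each failure and returns the number of failed checks (0 = ok).
csf_check_plesk() {
    f="${1:-$CSF_CONF}"
    fails=0
    for p in 8443 8880 25 80 443; do
        csf_has_port TCP_IN "$p" "$f" || { echo "TCP_IN missing port $p"; fails=$((fails + 1)); }
    done
    [ "$(csf_get LF_DAEMON "$f")" = "1" ] || { echo "LF_DAEMON is not 1"; fails=$((fails + 1)); }
    [ "$(csf_get TESTING "$f")" = "0" ] || { echo "TESTING mode is still on"; fails=$((fails + 1)); }
    return "$fails"
}
```

Run csf_check_plesk before `csf -r`; a non-zero return means at least one of the settings above is still missing.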

Below are some very common commands for using and managing the csf firewall:

Enabling the firewall (long or short form)

# csf --enable
# csf -e

Disabling the firewall

# csf --disable
# csf -x

Starting firewall / applying rules

# csf --start
# csf -s

Stopping firewall / flushing rules

# csf --stop
# csf -f

Blocking an IP in the firewall (adding it to the deny list)

# csf -d 2.3.4.5 "Reason for blocking the IP"
# csf --deny 2.3.4.5 "Reason for blocking the IP"
where 2.3.4.5 is the IP you want to block.

Removing an IP from the deny list

# csf -dr 2.3.4.5


Email and server security features on Diadem servers

Thursday, October 14th, 2010

[Figure: Diagram of the various tiers of security in the datacenter network and at server level]


At Diadem Technologies we take extreme precautions to safeguard our mailing services and ensure their continuous and reliable availability to our clients. All our servers are located in a world-leading datacenter with a very secure environment and several levels of physical and hardware-based protection to keep your data safe from attacks and vulnerabilities. The servers have multi-core Xeon processors and a RAID10 array of HDDs for complete data redundancy, so that a hard disk crash would not affect server operations or result in any loss of data on the server.

Access to the servers over the public network is restricted so that no unauthorized access can be made. We use a secure, encrypted VPN (virtual private network) connection to the private backend network, so the servers are only accessible to the legitimate admin users at our end.

For network-level protection we have perimeter hardware firewalls from Cisco Systems to block external threats, along with Cisco Guard DDoS (Distributed Denial of Service) protection and Cisco TippingPoint IPS (Intrusion Prevention System). Cisco Guard protects against request floods that make a computer resource unavailable to its intended users and bring the server to a halt. TippingPoint IPS is an advanced intrusion prevention system, used extensively in critical networks, that monitors network and/or system activity for malicious or unwanted behaviour and can react in real time to block or prevent it. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks; when an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.

After traffic passes through the levels of security mentioned above, additional security features on the physical server protect the server, its applications, and inbound and outbound mail.

  • On the server we have robust software-based firewalls, customized to add another level of security.
  • We have an SMTP connection tracking system that checks all connections made to the server for sending or receiving mail. At this level various parameters of a mail are checked: whether the sender's IP is blacklisted by any third-party anti-spam service, whether the sender has a valid mail server, and whether the reverse DNS of the sending mail server is valid.
  • We have enabled greylisting on the server to cut down on spam before it can enter the server. We have advanced content filtering along with anti-spam software, antivirus, malware and anti-rootkit signatures that are updated regularly to block emerging threats immediately.
  • Once the mail has been scanned by the above filters, we use SPF records to authorize only defined servers to send mail for your domain. Any other server would not be able to send or receive mail on behalf of your domain, which cuts down spoofing of your emails.
  • At the last stage we have SMTP authentication enabled, which allows mail to be relayed through our servers only by those who are intended to send mail, reducing unwanted relaying.

The above illustrates our commitment to providing our clients with best-of-breed technologies to ensure spam-free, virus-free, efficient and continuously available mailing services for their operations.

If you are interested in knowing more about our web hosting services and plan details, you can look us up at www.diadem.co.in.
