Empowering you with the knowledge to master Linux web hosting, DevOps and Cloud

 Linux Web Hosting, DevOps, and Cloud Solutions

Tag: Directadmin

Installing and managing firewall using ConfigServer Firewall (CSF)

ConfigServer firewall is a popular Linux firewall security suite. It is easy to install, flexible to configure and secure with extra checks.
CSF is generally considered a more advanced firewall as there are more configuration options compared to other firewalls, while still being simple enough to install and configure that even novice administrators can use it. Some of the MANY functions of CSF are given below:-

  • Daemon process that checks for login authentication failures for:
  1. Courier imap, Dovecot, uw-imap, Kerio
  2.  openSSH
  3.  cPanel, WHM, Webmail (cPanel servers only)
  4. Pure-ftpd, vsftpd, Proftpd
  5. Password protected web pages (htpasswd)
  6. Mod_security failures (v1 and v2)
  7. Suhosin failures
  8. Exim SMTP AUTH
  9. Custom login failures with separate log file and regular expression matching

 

  • SSH login notification
  • SU login notification
  • SYN Flood protection
  • Ping of death protection
  • Port Scan tracking and blocking
  • IPv6 Support with ip6tables
  • …lots more!

Removing Your Current Firewall
To prevent any conflicts in operation we will need to remove your current firewall. The most common software firewalls on our dedicated servers are APF and CSF, so we have provided instructions on how to remove APF below. If you are using a different software firewall be sure to follow that programs uninstall directions before continuing. After completing the uninstall continue with the CSF installation below.
Using Yum to Remove APF
If it was installed via yum, which is most likely, you will first need to identify the name of your APF package:
rpm -qa |grep -i apf
In this case:
[root@host ~]# rpm -qa | grep apf
apf-9.6_5-1
In order to remove that package, and get your server ready for CSF installation, run the following command:
[root@host ~]# rpm -e apf-9.6_5-1
If you see this:
[root@host ~ ]# rpm -e apf-9.6_5-1
error: Failed dependencies:
apf >= 9.6_5-1 is needed by (installed) bfd-1.2-1.noarch
It means you have BFD installed, and it will need to be removed before you can proceed to removing APF:
[root@host ~ ]# rpm -e bfd-1.2-1.noarch
Then attempt to remove apf again:
[root@host ~ ]# rpm -e apf-9.6_5-1
Any further dependency errors can be handled in the same way as long as you are aware of what you are removing. If you have any questions or get stuck at any point feel free to contact me here.
Removing Source Installed APF
This can be a bit trickier, and if you are not sure what you’re doing you may want to contact me . If you are confident and wish to proceed you will find a list of commands below that you can use to remove APF if it is installed in the most common CentOS directories.
Stopping APF and iptables clears all of the rules from your firewall and ensures that removing the APF installation won’t cause access problems:
[root@host ~ ]# /etc/init.d/iptables stop

[root@host ~ ]# /etc/init.d/apf stop
Remove all of the APF related files:
[root@host ~ ]# rm -Rfv /etc/apf
[root@host ~ ]# rm -fv /etc/cron.daily/fw
[root@host ~ ]# rm -fv /etc/init.d/apf
Remove APF from the list of programs that start at boot:
[root@host ~ ]# chkconfig apf off

 

Installing CSF

So, login to your server via ssh and let’s start CSF installation by retrieving the package files using wget command:

# wget http://configserver.com/free/csf.tgz

Unpack the archive:

# tar xfvz csf.tgz
Navigate to the uncomperssed csf directory:

# cd csf

 

Check CSF will work on your server
CSF provides a test script. We can check whether CSF works with your Server or not prior to installing it.

#perl csftest.pl 

Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK

RESULT: csf should function on this server

If you get this output, you can proceed to installation. Otherwise you need to enable each missing modules and then install csf.

Run the installer:
Now there founr installation scripts
install.cpanel.sh For cPanel
install.directadmin.sh
install.generic.sh
install.sh

csf installation for cPanel and DirectAdmin is preconfigured to work on those servers with all the standard ports open.. So install as per your requirement.

#sh install.sh

csf auto-configures your SSH port on installation where it’s running on a non-standard port. CSF also auto-whitelists your connected IP address where possible on installation.
Configuration

By default CSF is in Test mode. So you need to disable the test mode once you configured the firewall correctly. Then only the lfd daemon starts.

“/etc/csf/csf.conf” is the main CSF configuration file.
TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port make sure to add it here. Also add any other services you might have running such as Shoutcast or game servers. All the ports not mentioed here will be blocked.

LF_DSHIELD = 0: Change this option to 86400. This is an automatic updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the configuration for the following:

LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.
Providing all the configuration options for CSF here is beyond the scope of the article. Please refer to this README from csf for more details

Note:

If you have installed CSF on cPanel/WHM, it also installs WHM plugin to manage CSF. You can access it from

WHM >> Home >> Plugins >> CnfigServer Firewall
Now TEST all your services to make sure everything is working – SSH, FTP, http. After you do a few quick tests go back into the Firewall Configuration page.

TESTING = 1 change this to 0 and click Change at the bottom. Then Restart csf+lfd using below commands

#csf -r
Or
#/etc/init.d/csf restart

That’s it, the firewall is successfully installed and running!!
Common commands:-

To block an IP Permenently
#csf -d IP

To allow or whitelist IP permenently.
#csf -a IP

To temporary block IP
#csf -td IP

To temporary allow an IP
#csf -ta IP

To check an IP is blocked in firewall
#iptables -nL | grep IP
or
# csf -g IP

To find Reason for block.

#grep IP /var/log/lfd.log

To remove a permanent block
#csf -dr IP

To remove IP from allow list
#csf -ar IP

To disable csf
#csf -x

To enable CSF
#csf -e

To restart
#csf -r
CSF is an increasingly popular alternative to the stock firewalls on some servers. Should you require any other help , please contact me.

 

Server migration

On occasion, you may want to move from one server to another. For example, you may be upgrading to a dedicated server or moving to a server with a different PHP deployment method. Server migration is a process in which data is moved from one server to another. Whatever the case, most people will agree that it is never a joyous event to switch server. Your sites will be down/unstable/inaccessible during the migration period and it could potentially lead to loss of sales. In this article, we are going to show you how you can migrate your site to a new server effortlessly and without any (or minimal) downtime. Below are the basic steps needs to be followed for a server migration with minimum downtime.

1. Prepare Your DNS

When you move your site(s) to a new server, you will likely get new IP addresses. The problem is that DNS servers cache domain name queries for as long as possible to provide the fastest response. Because of these DNS caching, once you change your IP, it can take up to three days before the changes propagate throughout the Internet. To keep this from happening, your first step in preparing for the migration is to change your DNS record TTL (Time To Live). This value designates how long your DNS entries should be cached. So the first thing you need to do before migrating is to lower the TTL to reasonable levels.

2. Set up Your New Server

Make sure your new server has the correct operating system installed and ready and that all hardware meets your applications specifications. Also setup the new IP addresses.

3. Tune Your Server

Check your file system and make sure your partitions are set up as you need them. Set up RAID if required. This is also the perfect time to implement any security practices within the OS and firewall (if installed). It’s important to complete these steps before you get too far because they’re much easier to do without content on the server.

4. Install Base Applications

Once you have installed the OS and setup the file system, you are ready to install the base applications, like the Web server, e-mail server, database server, PHP, etc.. Also verify the services are running fine on thr new server.

5. Begin Data Migration

Once the base applications are installed, you are ready to do the initial migration of your application data. This includes the database data, your application code files, mail server account configuration, logs, file caches, etc..

6. Bring your new server to life.

Once the data is migrated the server is configured to work everything correctly, you should change your sites domain DNS records to point to the new server address.

 

Data Migration

If you are using any Control Panels like cPanel, Plesk, etc., it rather easy to move data/accounts between servers as each control panel will give you option to move accounts.

cPanel Server to cPanel server migration

To migrate from one cPanel server to another, please do this:

1. Log into WHM as root on the new cPanel server

2. Click “Copy multiple accounts/packages from another server”

3. Fill in the required information like source server details and click “Fetch Account List”

You will then be given the option to choose which accounts and packages to transfer.

cPanel also does support migraring accounts from different control panel other than cPanel itself.

 

Server without a control panel

Rsync is a simple and very powerfull tools which can be used to transfer files between servers efficently.

First copy all the configurations files for the services like Webserver, Email server, etc. Then transfer the account data from old server.

Rsync example:-

#rsync -avz -e ssh /home root@remoteserverip:/home

-v: verbose, will tell you what file its on, how many left to check, etc.
-a: archive, will set most of the preferable options.
–progress: gives you per-file data transfer rates, and spinning progress bars if you’re into that sort of thing.
-z, –compress compress file data during the transfer

System files:-

Please note that we do not need to copy the server related files. We can exclude from the rync list. The most important excludes are the ones that reference hardware and system files that keep track of the server’s status while it’s running. That’s why directories like /boot, /proc, and /dev are essential excludes. The destination server should already have those directories and config files in place and they shouldn’t be overwritten.

Example
#rsync -avz -e ssh –exclude-from=”/home/exclude.txt” /home root@remoteserverip:/home

Finalizing the migration

Doing one pass got the more static files over to the new server. That’s good, but that may not be everything you needed to copy. An active database or a directory where a lot of files get created and deleted may have been copied but changed already. Or, more practically, they may have been in your exclude file.

To get those last files you’ll want to bring the services that use them down. That way you know the entire file will be migrated with no changes made after your last sync.

Edit your exclude file to remove references to the busy files you were holding off on then run the rsync command again.

Powered by WordPress & Theme by Anders Norén