Install ConfigServer Firewall (CSF)

Install csf on the server.

cd /usr/src
wget http://www.configserver.com/free/csf.tgz
tar -zvxf csf.tgz
cd csf
sh install.sh

Open any custom ports your services listen on by adding the port numbers to the TCP_IN setting in /etc/csf/csf.conf.

Start csf with TESTING = "0" in /etc/csf/csf.conf. Once csf is running, try logging in to the server over SSH from another terminal. Do a basic check of all services; if they are all listening and reachable from outside, set TESTING = "1" in /etc/csf/csf.conf and restart csf.

Start csf

csf -s

Restart csf

csf -r

Flush/Stop csf

csf -f

Disable csf

csf -x

Enable csf

csf -e

Check the server security report in the WHM csf area. None of the following checks should show a warning; if one does, follow the steps given there.

Check SSH UseDNS
Check Background Process Killer
Check exim for extended logging (log_selector)
Check apache for mod_security
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check apache for TraceEnable
Check apache for ServerSignature
Check apache for ServerTokens
Check apache for FileETag
Check mod_userdir protection
Check php for disable_functions
Check php for ini_set disabled
Check php for register_globals
Check php open_basedir protection
Check Anonymous FTP Logins
Check Anonymous FTP Uploads
Check block common domains
Check package updates --> If there is a custom AMP configuration on the server, the update configuration should be set to manual updates so it is not overwritten.
Check server startup for xfs
Check server startup for atd
Check server startup for nfslock
Check server startup for rpcidmapd
Check server startup for bluetooth
Check server startup for canna
Check server startup for FreeWnn
Check server startup for cups-config-daemon
Check server startup for iiim
Check server startup for mDNSResponder
Check server startup for nifd
Check server startup for anacron
Check server startup for gpm
Check server startup for saslauthd
Check server startup for avahi-daemon
Check server startup for avahi-dnsconfd
Check server startup for hidd
Check server startup for pcscd
Check server startup for sbadm
CSF variables that give some control over mail server abuse:
################################################################################
# Relay Tracking. This allows you to track email that is relayed through the
# server. There are also options to send alerts and block external IP addresses
# if the number of emails relayed per hour exceeds configured limits. The
# blocks can be either permanent or temporary.
# The following information applies to each of the following types of relay
# check:
# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour after which an email alert will be sent
# RT_[relay type]_BLOCK: 0 = no block; 1 = perm block; nn = temp block for nn secs


# This option triggers for external email
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "100"
RT_RELAY_BLOCK = "0"

# This option triggers for email authenticated by SMTP AUTH
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "100"
RT_AUTHRELAY_BLOCK = "0"

# This option triggers for email authenticated by POP before SMTP
RT_POPRELAY_ALERT = "1"
RT_POPRELAY_LIMIT = "100"
RT_POPRELAY_BLOCK = "0"

# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "100"

# This option triggers for email sent via a local IP address
RT_LOCALHOSTRELAY_ALERT = "1"
RT_LOCALHOSTRELAY_LIMIT = "100"


# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
LT_POP3D = "60"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
LT_IMAPD = "60"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of direct socket access)
SMTP_BLOCK = "1"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,26"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"


# [*]Enable login failure detection of pop3 connections
LF_POP3D = "10"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"

# This option will notify you when a large amount of email is sent from a
# particular script on the server, helping track down spam scripts
LF_SCRIPT_ALERT = "1"

# The limit after which the email alert for email scripts is sent. Care should
# be taken with this value if you allow clients to use web scripts to maintain
# pseudo-mailing lists with large recipient lists
LF_SCRIPT_LIMIT = "100"

# Checks the length of the exim queue and sends an alert email if it exceeds
# this value
LF_QUEUE_ALERT = "2000"

# The interval between mail queue checks in seconds
LF_QUEUE_INTERVAL = "300"
################################################################################
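The following shell script is an added example, not code from the post or from csf itself: it reads a csf.conf and reports the things the post tells you to verify after install, namely the TESTING flag, whether your custom ports are in TCP_IN (a:b ranges are expanded), and which of the mail abuse settings above are alert-only. File paths, function names and the sample config are constructed for the demo. One fact worth keeping in mind alongside the steps above: in csf.conf, TESTING = "1" enables a cron job that flushes the iptables rules every few minutes as a lockout safeguard, so the rules are only enforced permanently once TESTING = "0".

```shell
# Added example (not the post's or csf's own code); sample values are constructed.
# csf_get FILE KEY: print the value of a `KEY = "value"` line (quotes optional)
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# csf_port_listed FILE PORT: succeed if PORT is covered by TCP_IN (a:b ranges too)
csf_port_listed() {
    for entry in $(csf_get "$1" TCP_IN | tr ',' ' '); do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# csf_audit FILE PORTS: print one line per finding (TESTING, missing ports,
# relay limits that only alert, outgoing SMTP not blocked)
csf_audit() {
    conf=$1
    [ "$(csf_get "$conf" TESTING)" = "0" ] ||
        echo "TESTING is not 0: csf's cron job keeps flushing the rules, nothing is enforced"
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        csf_port_listed "$conf" "$p" || echo "port $p is not in TCP_IN"
    done
    for t in RELAY AUTHRELAY POPRELAY; do
        [ "$(csf_get "$conf" "RT_${t}_BLOCK")" != "0" ] ||
            echo "RT_${t}_BLOCK=0: alert only, no block once RT_${t}_LIMIT is exceeded"
    done
    [ "$(csf_get "$conf" SMTP_BLOCK)" = "1" ] || echo "SMTP_BLOCK is off: scripts may open port 25 directly"
}

# csf_sample_conf: write a constructed csf.conf fragment and print its path
csf_sample_conf() {
    tmpconf=$(mktemp)
    cat >"$tmpconf" <<'EOF'
TESTING = "1"
TCP_IN = "20:21,22,25,53,80,110,143,443,465,587,993,995"
RT_RELAY_BLOCK = "0"
RT_AUTHRELAY_BLOCK = "0"
RT_POPRELAY_BLOCK = "3600"
SMTP_BLOCK = "1"
LF_SCRIPT_ALERT = 1
EOF
    echo "$tmpconf"
}
```

Run it against the live file with `csf_audit /etc/csf/csf.conf 22,80,443` (your own port list) after `csf -r`; an empty report means every check passed.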