A firewall is a very good idea for a server, but it is not the instant protection that does everything some people take it for. A firewall will stop some things and not others; it is one strand of the security net you are weaving, not the whole net. I recommend Advanced Policy Firewall (APF) by R-fx Networks. APF closes every inbound and outbound port you do not list, and it can also be configured to use published block lists. The port lists below are for cPanel, Ensim and Plesk; for any other control panel, start from one of them and add that panel's administration ports.
http://www.rfxnetworks.com/apf.php
-----command-----
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
-----command-----
Now edit the config file:
-----command-----
pico -w /etc/apf/conf.apf
-----command-----
Scroll down to the "Common ingress (inbound) TCP ports" section and use the block below that matches your control panel. Entries are comma-separated; a range is written low_high, for example 3000_5000. If sshd listens on a port other than 22, list that port in IG_TCP_CPORTS instead, or the firewall will cut you off. While you are in the file, also check that the interface settings near the top name the device your server really uses (ifconfig shows it); a wrong device there is a common reason for losing the connection on apf -s.
-----cPanel-----
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"
-----Ensim-----
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
IG_UDP_CPORTS="53"
EGF="1"
EG_TCP_CPORTS="21,22,25,53,80,110,443"
EG_UDP_CPORTS="20,21,53"
-----Plesk-----
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,873"
EGF="1"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"
EG_UDP_CPORTS="53,873"
Save the file and start APF with:
-----command-----
apf -s
-----command-----
APF ships with DEVEL_MODE="1", in which a cron job flushes the rules every five minutes, so a bad rule set cannot lock you out for good. Leave it on while you test. Open a new SSH session while keeping the current one, confirm that mail, web, FTP and the control panel still answer, and only then edit the config file again and turn dev mode off. If the new session is refused, go back and find what in the port lists caused it before touching this setting:
DEVEL_MODE="0"
Now restart APF:
-----command-----
apf -r
-----command-----
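The lock-outs this procedure warns about almost always come from the port lists themselves: the SSH port dropped from IG_TCP_CPORTS, a mistyped range, or egress filtering turned on without outbound DNS. The script below is an added example for this guide, not part of APF, and runs the checks a practitioner wants before flipping DEVEL_MODE to 0. It assumes only the conf.apf variable names shown above and APF's low_high range syntax; the script name, function names and the two conf fragments at the bottom are constructed here (the good one is this guide's cPanel list, the bad one collects common mistakes).

```sh
#!/bin/sh
# apf_preflight.sh - sanity-check /etc/apf/conf.apf before setting DEVEL_MODE="0".
# Added example for this guide, not part of APF. It assumes the variable names
# used above (DEVEL_MODE, IG_*_CPORTS, EGF, EG_*_CPORTS) and APF's low_high
# syntax for port ranges (e.g. 3000_5000).

# Print the value of VAR="..." from CONF (last assignment wins, as in the shell).
apf_get() {   # apf_get CONF VAR
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if every entry of a comma-separated list is a port or a low_high range.
apf_list_valid() {   # apf_list_valid LIST
    oldifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            ""|*[!0-9_]*|_*|*_|*_*_*) IFS=$oldifs; return 1 ;;
            *_*) lo=${entry%%_*}; hi=${entry##*_}
                 [ "$lo" -le "$hi" ] || { IFS=$oldifs; return 1; } ;;
        esac
    done
    IFS=$oldifs; return 0
}

# Return 0 if PORT is covered by LIST (single ports or low_high ranges).
apf_port_in_list() {   # apf_port_in_list LIST PORT
    oldifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *_*) lo=${entry%%_*}; hi=${entry##*_} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        if [ "$2" -ge "$lo" ] 2>/dev/null && [ "$2" -le "$hi" ] 2>/dev/null; then
            IFS=$oldifs; return 0
        fi
    done
    IFS=$oldifs; return 1
}

# Run the checks. Prints one line per finding and returns 0 only when it is
# safe to set DEVEL_MODE="0" and run apf -r.
apf_preflight() {   # apf_preflight CONF SSH_PORT
    conf=$1; sshport=$2; problems=0
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        val=$(apf_get "$conf" "$var")
        if [ -n "$val" ] && ! apf_list_valid "$val"; then
            echo "$var: bad entry in \"$val\" (entries look like 80 or 3000_5000)"
            problems=$((problems + 1))
        fi
    done
    if ! apf_port_in_list "$(apf_get "$conf" IG_TCP_CPORTS)" "$sshport"; then
        echo "IG_TCP_CPORTS: ssh port $sshport is missing, you would lock yourself out"
        problems=$((problems + 1))
    fi
    if [ "$(apf_get "$conf" EGF)" = "1" ]; then
        # With egress filtering on the server still has to resolve names;
        # every list in this guide keeps 53 in both outbound lists.
        for var in EG_TCP_CPORTS EG_UDP_CPORTS; do
            if ! apf_port_in_list "$(apf_get "$conf" "$var")" 53; then
                echo "$var: 53 is missing, outbound DNS will be blocked once EGF=1 is live"
                problems=$((problems + 1))
            fi
        done
    fi
    if [ "$(apf_get "$conf" DEVEL_MODE)" != "1" ]; then
        echo "DEVEL_MODE is not 1: a broken rule set will not flush itself while you test"
    fi
    [ "$problems" -eq 0 ]
}

# Two constructed conf.apf fragments (not real server files) to exercise the checks.
TMP=${TMPDIR:-/tmp}/apf_preflight.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# The guide's cPanel lists, still in dev mode: passes.
cat >"$TMP/good.conf" <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"
EOF

# Typical mistakes: port 22 dropped, a malformed range, no outbound TCP 53,
# and dev mode already switched off: fails.
cat >"$TMP/bad.conf" <<'EOF'
DEVEL_MODE="0"
IG_TCP_CPORTS="21,25,53,80,110,143,443,3000_5000,5000_"
IG_UDP_CPORTS="53"
EGF="1"
EG_TCP_CPORTS="21,25,80,443,43,2089"
EG_UDP_CPORTS="20,21,53"
EOF

for f in "$TMP/good.conf" "$TMP/bad.conf"; do
    if apf_preflight "$f" 22; then
        echo "$f: safe to set DEVEL_MODE=\"0\" and run apf -r"
    else
        echo "$f: fix the findings above before turning dev mode off"
    fi
done
```

On a live server, drop the sample section and call apf_preflight /etc/apf/conf.apf 22 (or your real SSH port) from the same shell you will keep open during the test; a clean run is the point at which turning DEVEL_MODE off is reasonable.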


Comments
add urchin ports
Remember to add to your APF configuration file the port for Urchin (usually 9999), or for any statistics software you use on non-standard ports.
regards,
JLChafardet
blocking port issue
This is my nmap output:
[code]
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp open unknown
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
465/tcp open smtps
631/tcp open ipp
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[/code]
Ports 631 and 3306 aren't in my APF config file, but these ports are open. How can I block these ports?
This is my APF config file:
[code]
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,873"
[/code]
nmap
You need to do nmap from a remote host, not localhost. The problem is the firewall is blocking connections from remote IPs but not from localhost.
DEVEL_MODE="0"
Slight change:
DEVM="0"
is now called
DEVEL_MODE="0"
Regards,
Craig craig@shadeaux.net
dev mode
Thanks again, guide updated.
What about DirectAdmin and
What about DirectAdmin and VHCS? :)
DA and VHCS
I have never used them; if I have time later I can research the ports needed.
Lots of errors when entering apf -s
I installed exactly by the instructions above but am getting all kinds of errors when I run apf -s. I am running SUSE 9.3.
APF is looking for iptables in /sbin, but I have it installed in /usr/sbin.
Is there anyway to change this?
I installed apf before I installed iptables.
suse
Never used it on SUSE, but you can always just symlink them:
ln -s /usr/sbin/iptables /sbin/iptables
(or it may be)
ln -s /sbin/iptables /usr/sbin/iptables
I always mess that up; one will work, heh.
DNS Clustering
Remember to add port 2087 to # Common egress (outbound) TCP ports,
otherwise you will not be able to establish the trust relationship / join cPanel's DNS cluster.
Problem! Server lock down
I installed APF as instructed for my server with the Plesk options.
After I restart or start APF, I get disconnected.
So how could I fix this issue?
I have Red Hat ES4 installed with Plesk 7.5 Reloaded.
And conf.apf:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="37,53,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53,873"
Thanks
make sure you configure the
Make sure you configure the correct ethernet device (you can check which one your server uses with ifconfig).
I got them running
I got APF running after changing the ethernet device.
Thanks ;)
plesk licence key update port 5224
You need to add port 5224 to EG_TCP_CPORTS to allow Plesk to update its licence key.
plesk port 5224
updated, thank you! :)
Egress filtering
If I turn on egress filtering, EGF="1" bind fails to start / restart correctly and shows this error:
"error sending response: host unreachable"
My apf.conf file:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,25,53,80,110,143,443,2083,2086,2087,2096,3000_5000,5432,22305"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Talk Jesus Forums & Live Chat!
www.talkjesus.com
pureftp and NAT
Hello,
First, add the ports for pure-ftpd in /etc/apf/conf.apf:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3000_3500,30000_35000"
Edit pure-ftpd.conf:
pico /etc/pure-ftpd.conf
and uncomment and change:
PassivePortRange 30000 35000
This will allow you to connect using FTP PASV mode if you are using NAT.
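The two files above have to agree: a PassivePortRange that is only partly listed in IG_TCP_CPORTS fails on whichever data port pure-ftpd happens to hand out. The script below is an added example, not code from the post, from pure-ftpd or from APF. It reads the PassivePortRange directive in the form shown above, reads IG_TCP_CPORTS from conf.apf, and confirms the whole range sits inside one list entry. The script and function names are mine, and the sample files at the bottom are constructed here: the first conf.apf list is the one from the post, the second is the guide's stock cPanel list.

```sh
#!/bin/sh
# pasv_range_check.sh - confirm the pure-ftpd passive range is open in conf.apf.
# Added example, not code from pure-ftpd or APF. It assumes the directive form
# "PassivePortRange LOW HIGH" shown above and APF's low_high range syntax.

# Print "LOW HIGH" from the last uncommented PassivePortRange line, or nothing.
pasv_range() {   # pasv_range PUREFTPD_CONF
    sed -n 's/^[[:space:]]*PassivePortRange[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1 \2/p' "$1" | tail -n 1
}

# Print the IG_TCP_CPORTS list from conf.apf (last assignment wins).
apf_ingress_tcp() {   # apf_ingress_tcp APF_CONF
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Return 0 if the whole interval LOW..HIGH sits inside one entry of LIST.
# Partial overlap counts as a failure: the server may hand out any port in the
# range, so every port in it has to be reachable.
apf_range_covered() {   # apf_range_covered LIST LOW HIGH
    oldifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *_*) lo=${entry%%_*}; hi=${entry##*_} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        if [ "$lo" -le "$2" ] 2>/dev/null && [ "$hi" -ge "$3" ] 2>/dev/null; then
            IFS=$oldifs; return 0
        fi
    done
    IFS=$oldifs; return 1
}

# Cross-check the two files; prints a verdict and returns 0 only when they agree.
pasv_check() {   # pasv_check PUREFTPD_CONF APF_CONF
    range=$(pasv_range "$1")
    list=$(apf_ingress_tcp "$2")
    if [ -z "$range" ]; then
        echo "$1: no PassivePortRange, PASV data connections will use arbitrary high ports that IG_TCP_CPORTS does not cover"
        return 1
    fi
    set -- $range   # $1=LOW $2=HIGH
    if apf_range_covered "$list" "$1" "$2"; then
        echo "PASV range $1-$2 is inside IG_TCP_CPORTS"
    else
        echo "PASV range $1-$2 is not fully inside IG_TCP_CPORTS=\"$list\": add ${1}_$2"
        return 1
    fi
}

# Constructed sample files (not copied from a real server).
TMP=${TMPDIR:-/tmp}/pasv_check.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat >"$TMP/pure-ftpd.conf" <<'EOF'
# PassivePortRange 30000 50000
PassivePortRange 30000 35000
EOF

# conf.apf edited as the post above describes: the passive range is listed.
cat >"$TMP/apf-with-pasv.conf" <<'EOF'
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3000_3500,30000_35000"
EOF

# The guide's stock cPanel list: PASV connections will fail against this one.
cat >"$TMP/apf-stock.conf" <<'EOF'
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
EOF

for apf in "$TMP/apf-with-pasv.conf" "$TMP/apf-stock.conf"; do
    pasv_check "$TMP/pure-ftpd.conf" "$apf" || true
done
```

To use it on a live server, drop the sample section and call pasv_check /etc/pure-ftpd.conf /etc/apf/conf.apf; if it reports a gap, add the printed low_high entry to IG_TCP_CPORTS and run apf -r.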
DirectAdmin setup?
Does anyone have the port setup for DirectAdmin?
I know that I should unlock port 2222 for DirectAdmin; any other ports?
thanks