-
03-01-2004, 08:17 PM #1 WebHostingTalk Lover
- Join Date
- Mar 2003
- Location
- New York City
- Posts
- 7,406
KISS FireWall Installation [Easy]
Here's a very simple How-To: just follow the instructions and your KISS Firewall will be working in a minute.
When logged in as root ( "su -" ):
1) cd /usr/bin
2) wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz
3) tar -zxvf kiss-2.0.1.tar.gz
4) rm -f kiss-2.0.1.tar.gz
5) To configure any settings, use the top section of the KISS file.
Type pico -w kiss
[Make sure you restart for changes to take effect.]
To start KISS
kiss start
To stop KISS
kiss stop
To restart KISS
kiss restart
To check current status
kiss status
6) Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local
/usr/bin/kiss start
Please feel free to post any questions or comments.
For more info, please visit:
http://www.geocities.com/steve93138/
-
03-02-2004, 12:15 AM #2 Web Hosting Master
- Join Date
- Aug 2003
- Location
- USA
- Posts
- 1,036
Very nice setup and easy to use, so it seems...
Now those new to Linux won't have to wade through the documentation on IPTABLES.
Last edited by Akash; 03-08-2004 at 06:40 PM.
-
03-03-2004, 10:43 PM #3 WebHostingTalk Lover
- Join Date
- Mar 2003
- Location
- New York City
- Posts
- 7,406
IMPORTANT MESSAGE
Hi,
You must change config from:
Code:
##############################################################################
# Uncomment to allow DNS zone transfers #
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
--------------------------------------------------------------------------------
Code:
##############################################################################
# Uncomment to allow DNS zone transfers #
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
This seems to be a problem for a few ISPs, which will not find your site unless this change is made.
Just cd /usr/bin
pico kiss
and it's right at the bottom.
Hope this helps.
Last edited by Akash; 03-08-2004 at 06:59 PM.
-
03-10-2004, 01:01 AM #4 Web Hosting Evangelist
- Join Date
- Oct 2003
- Posts
- 460
Hi,
Now those new to Linux won't have to wade through the documentation on IPTABLES
Is KISS a program that provides a user interface or GUI that allows us to set the iptables rules more easily? If yes, I'd rather not go through the boring documentation any more!
Thanks
Last edited by choon; 03-10-2004 at 08:00 AM.
-
04-01-2004, 08:04 PM #5 WebHostingTalk Lover
- Join Date
- Mar 2003
- Location
- New York City
- Posts
- 7,406
No interface for editing the rules etc.
Just do pico kiss.
-
05-07-2004, 12:02 PM #6 Newbie
- Join Date
- May 2004
- Posts
- 9
I just started using KISS, but I face the problem of SSH dropping connections after I enter the correct password. Any idea what's going on?
Here's the verbose output from the SSH client:
debug1: Next authentication method: password
xxxt@mydomain.com's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to mydomain.com closed by remote host.
Connection to mydomain.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 95 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1280.5
debug1: Exit status -1
Restarting the sshd service will allow me to connect once, but once I disconnect that session and try to connect again from a different computer, the same problem comes back. I can't keep going back to the server to restart sshd all the time. Please help. Thanks.
-
05-07-2004, 01:36 PM #7 Retired Moderator
- Join Date
- Jul 2001
- Location
- Singapore
- Posts
- 1,889
Well, your problem is one thing, but at least telling us your distribution plus the version of the OS, besides the description of your problem, will let us understand better.
-
05-07-2004, 02:18 PM #8 Newbie
- Join Date
- May 2004
- Posts
- 9
I'm using Fedora Core 1.
I'm suspecting iptables is dropping outgoing TCP to the SSH client? But I'm not too sure what needs to be checked or done.
What does this "channel 0" mean? "debug1: channel_free: channel 0: client-session, nchannels 1"
-
06-18-2004, 07:28 AM #9 WHT Addict
- Join Date
- Jun 2003
- Posts
- 167
If I want to block a certain IP connecting to a certain port, how can I do that in KISS?
-
06-20-2004, 05:50 AM #10 WHT Addict
- Join Date
- Jun 2003
- Location
- HKSAR
- Posts
- 157
Does KISS run in every start-up process?
Or do we need to add KISS in cron to restart it (to ensure it can work at any time)?
-
06-21-2004, 09:15 PM #11 WebHostingTalk Lover
- Join Date
- Mar 2003
- Location
- New York City
- Posts
- 7,406
It runs every time your server starts, I believe.
-
06-22-2004, 12:29 AM #12 WHT Addict
- Join Date
- May 2003
- Posts
- 150
If you are looking for an easier firewall to use, I recommend APF. You can drop an IP very easily from the command line:
apf -d <ipAddress>
You can see a how-to at: http://mycpadmin.com/index.php?showtopic=9
It has a config for cPanel; however, it is an easy edit and you just put in the port numbers you want to use.
Linux/cPanel How-To's - cPanelPlanet.com
-
07-14-2004, 07:23 AM #13 Web Hosting Master
- Join Date
- Dec 2000
- Posts
- 954
Hi, I just installed KISS. Now I would like to block SMTP on port 25 in order to prevent users from sending mail using maildomain.com (I'd like them to use mail.theirisp.com).
How do I block port 25?
I made the following config, but it does not work; in other words, I can still send e-mails using maildomain.com.
----------
BLOCK_LIST=""
TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2089 2095:2096 3306 8443 10000 19638"
TCP_OUT="21 22 37 43 53 80 443 873 2089 55000"
-------
Thanks for the advice.
-
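The Python block below is an added example; it is not KISS's own code and was not posted in the thread. It takes KISS-style TCP_IN / TCP_OUT variables like the ones quoted in the post above, plus a BLOCK_LIST in an assumed host[/prefix][:port] format (the thread never shows what KISS actually accepts there), and produces an ordered ruleset in iptables-restore form, then evaluates constructed sample packets against it the way the kernel would (first match wins, everything else falls to a DROP policy). It shows three things the thread circles around: a per-host DROP (the question in post #9) has to sit before the port ACCEPTs or it never fires; a stateful ESTABLISHED,RELATED rule is what lets the reply packets of an already-accepted connection, such as an authenticated SSH session, through a DROP-by-default OUTPUT chain (the symptom reported in post #6, whatever its actual cause there); and TCP_IN only covers TCP, so a UDP packet to a listed port is still dropped. All addresses are documentation ranges and every config value is constructed.

```python
"""Build an ordered iptables ruleset from KISS-style TCP_IN / TCP_OUT / BLOCK_LIST
variables and evaluate sample packets against it (first match wins, default DROP)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values modelled on the variables quoted in the thread (IPv4 only).
# BLOCK_LIST entries are "host[/prefix][:port]": an assumed format, not KISS's own.
TCP_IN = "20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2089 2095:2096 3306 8443 10000 19638"
TCP_OUT = "21 22 37 43 53 80 443 873 2089 55000"
BLOCK_LIST = "203.0.113.7:25 198.51.100.0/24"


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'20 21 2082:2083' -> [(20, 20), (21, 21), (2082, 2083)]; rejects bad ranges."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition(":")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {tok!r}")
        ranges.append((lo_i, hi_i))
    return ranges


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT" or "OUTPUT"
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                              # ACCEPT or DROP
    proto: Optional[str] = None              # None matches any protocol
    src: Optional[str] = None                # host or CIDR
    dports: Optional[Tuple[int, int]] = None
    states: Tuple[str, ...] = ()             # empty: no state match

    def render(self) -> str:
        """One `-A` line in iptables-save syntax."""
        parts = ["-A", self.chain]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dports:
            lo, hi = self.dports
            parts += ["--dport", str(lo) if lo == hi else f"{lo}:{hi}"]
        if self.states:
            parts += ["-m", "state", "--state", ",".join(self.states)]
        return " ".join(parts + ["-j", self.target])

    def matches(self, pkt: Packet) -> bool:
        return (pkt.chain == self.chain
                and (self.proto is None or pkt.proto == self.proto)
                and (self.src is None or ipaddress.ip_address(pkt.src)
                     in ipaddress.ip_network(self.src, strict=False))
                and (self.dports is None or self.dports[0] <= pkt.dport <= self.dports[1])
                and (not self.states or pkt.state in self.states))


def build_rules(tcp_in: str, tcp_out: str, block_list: str, stateful: bool = True) -> List[Rule]:
    """Order matters: reply traffic first, per-host DROPs next, port ACCEPTs last."""
    rules: List[Rule] = []
    if stateful:
        # Without these, every packet after the first of a connection (including the
        # server's replies inside an already-authenticated SSH session) hits the DROP policy.
        for chain in ("INPUT", "OUTPUT"):
            rules.append(Rule(chain, "ACCEPT", states=("ESTABLISHED", "RELATED")))
    for entry in block_list.split():
        host, _, port = entry.partition(":")
        if port:   # block one host on one port; must precede the ACCEPT for that port
            rules.append(Rule("INPUT", "DROP", proto="tcp", src=host, dports=(int(port), int(port))))
        else:      # block a host or whole network
            rules.append(Rule("INPUT", "DROP", src=host))
    for lo, hi in parse_ports(tcp_in):
        rules.append(Rule("INPUT", "ACCEPT", proto="tcp", dports=(lo, hi), states=("NEW",)))
    for lo, hi in parse_ports(tcp_out):
        rules.append(Rule("OUTPUT", "ACCEPT", proto="tcp", dports=(lo, hi), states=("NEW",)))
    return rules


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched falls to the chain's DROP policy."""
    return next((r.target for r in rules if r.matches(pkt)), "DROP")


def render_restore(rules: List[Rule]) -> str:
    """Text for `iptables-restore`, with all three filter chains defaulting to DROP."""
    head = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]"]
    return "\n".join(head + [r.render() for r in rules] + ["COMMIT"]) + "\n"


if __name__ == "__main__":
    print(render_restore(build_rules(TCP_IN, TCP_OUT, BLOCK_LIST)), end="")
```

Feed the output of render_restore() to iptables-restore only on a box you have console access to, since a DROP-by-default OUTPUT chain with the wrong port list will cut your own SSH session; afterwards, iptables -L -n --line-numbers shows whether the per-host DROP really landed above the port ACCEPTs.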
07-14-2004, 07:31 AM #14 Web Hosting Master
- Join Date
- Dec 2000
- Posts
- 954
Of course, I would like customers to be able to receive e-mails on port 25.
-
07-14-2004, 09:11 AM #15 Web Hosting Master
- Join Date
- Dec 2000
- Posts
- 954
Not working. The mails will simply go into the queue... I have something that blocks the sender while sending the e-mails. In that way customers think they sent a mail while really not sending anything...
-
08-30-2004, 03:21 PM #16 Newbie
- Join Date
- Aug 2004
- Posts
- 22
Better than that
Actually, just installing one Linksys Model BEFSX41 Firewall Router (less than US$99) per webserver is the better solution.
1) Issue the public IP address to the outside of the router (the one that was formerly used for the webserver)
2) Issue a static private address for the webserver from the safe side of the router. [As necessary, reconfigure virtual website bindings to the new IP address that's local.]
3) Set up a Static Route for port 80 to the private IP address of the webserver.
4) Optionally, open up the port for VNC or similar remote control software.
Benefits:
* At $100 each you've dedicated it to a single webserver. This is a very nice insurance policy, blocking all kinds of inbound stuff you and your software solution didn't think of.
* Since it's dedicated to one box, it can handle all the bandwidth your webserver can dish out.
* Since it's hardware, it's not robbing your webserver of processing time.
* You can't solve an upstream problem (DDoS) with a downstream solution (software-based firewall). Trust me on this.
* You can also throw database servers there on the private networks this now creates on your LAN and you can place them locally to where you need them. And they don't consume a valuable public IP address.
* I buy them in bulk so that I can have a few lying around in their packages. I bought a 30A DC power supply so that I can power several of them without taking up too much valuable "power strip" space.
* I use a laptop in the datacenter to configure them via a browser interface. Very little tweaking is required from the default setup. Max install time for one with me now is less than ten minutes total.
* With VNC installed on the webserver you as admin can remote control the webserver and use its browser to open up the HTTP-based interface for the router (since you're now on the trusted side of the router). By reconfiguring the default port for VNC you can minimize VNC hacking attempts.
Possible downside:
* You'd want to test this on a system that has an existing digital certificate applied to a secure webserver. I'm reasonably sure that the digital certificate has that original IP address bound into it. Nonetheless, the arriving SSL packet may still work out because that IP address arrived to the webserver.
-
12-09-2004, 04:23 PM #17 WHT Addict
- Join Date
- Jun 2003
- Location
- HKSAR
- Posts
- 157
KISS cannot work with Fedora Core 2...
-
03-19-2005, 05:53 PM #18 Web Hosting Master
- Join Date
- May 2003
- Posts
- 1,069
Originally posted by Hoobastank68
IMPORTANT MESSAGE
Hi,
You must change config from:
Code:
##############################################################################
# Uncomment to allow DNS zone transfers #
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
--------------------------------------------------------------------------------
Code:
##############################################################################
# Uncomment to allow DNS zone transfers #
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
This seems to be a problem for a few ISPs, which will not find your site unless this change is made.
Just cd /usr/bin
pico kiss
and it's right at the bottom.
Hope this helps.