  1. #1

    Installing firewall for cPanel installed dedicated server.

    Hi,
    I have a dedicated server.
    Since I'm running a hosting service I need to install firewall software.
    I have some questions about it.

    1. Do I need to write an iptables script?
    2. Thinking about installing APF and BFD but those need the ports specified. What should I do about FTP PASV ports?

    For ports, I'm planning to open up these ports:
    Inbound:
    TCP
    20 FTP
    21 FTP
    22 SSH
    25 SMTP
    26 SMTP
    53 DNS
    80 HTTP
    110 POP3
    143 IMAP4
    443 HTTPS
    465 SMTP (TLS/SSL)
    993 IMAP4 (SSL)
    995 POP3 (SSL)
    2082 CPANEL
    2083 CPANEL (SSL)
    2086 WHM (Web Host Manager)
    2087 WHM (SSL)
    2095 WEBMAIL
    2096 WEBMAIL (SSL)
    3306 MYSQL (ONLY IF YOU WANT TO ALLOW INCOMING MYSQL CONNECTIONS)
    6666 - CHAT
    UDP
    21 FTP
    53 DNS
    465 SMTP (TLS/SSL)

    OUTPUT
    TCP
    20 FTP
    21 FTP
    25 SMTP
    26 SMTP
    37 RDATE
    43 WHOIS
    53 DNS
    80 HTTP
    113 IDENT
    465 SMTP (TLS/SSL)
    873 RSYNC
    2089 CPANEL LICENSE
    3306 MYSQL (ONLY IF YOU NEED TO CONNECT TO REMOTE MYSQL SERVER)
    UDP
    21 FTP
    53 DNS
    465 SMTP (TLS/SSL)
    873 RSYNC

    Current IPTABLES Script:
    Code:
    #!/bin/bash

    #---------------------------------------#
    # Begin Setting                         #
    #---------------------------------------#

    # Interface Name
    LAN=eth0

    #---------------------------------------#
    # Finish Setting                        #
    #---------------------------------------#

    # Grab the interface address and netmask; together they form the
    # local network used by the "allow localnet" rule below
    LOCALNET_ADDR=`ifconfig $LAN|sed -e 's/^.*inet addr:\([^ ]*\).*$/\1/p' -e d`
    LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`
    LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK

    # Add the FTP helper module to the modules loaded when iptables starts
    # (it tracks the PASV reply on port 21 so data connections match RELATED)
    sed -i '/IPTABLES_MODULES/d' /etc/sysconfig/iptables-config
    echo "IPTABLES_MODULES=\"ip_conntrack_ftp\"" >> /etc/sysconfig/iptables-config

    # Stop IPTables to clear out the settings
    /etc/rc.d/init.d/iptables stop

    # Set Default Rule
    iptables -P INPUT   DROP   # Drop all incoming
    iptables -P OUTPUT  ACCEPT # Accept all outgoing (the per-port OUTPUT rules
                               # below only restrict anything if this is DROP)
    iptables -P FORWARD DROP   # Drop all forwarded packets

    # Enable SYN Cookies
    # Defence from TCP SYN Flood Attack
    sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
    sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
    echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

    # Do not answer ping requests sent to the broadcast address
    # Defence from Smurf Attack
    sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
    sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
    echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf

    # Block ICMP Redirect Packets
    sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
    for dev in `ls /proc/sys/net/ipv4/conf/`
    do
        sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
        echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
    done

    # Block Source Routed Packets
    sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
    for dev in `ls /proc/sys/net/ipv4/conf/`
    do
        sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
        echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
    done

    # Log and drop fragmented packets
    iptables -N LOG_FRAGMENT
    iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
    iptables -A LOG_FRAGMENT -j DROP
    iptables -A INPUT -f -j LOG_FRAGMENT

    # Rate-limit and log ping floods (1 echo request per second, burst of 4)
    iptables -N LOG_PINGDEATH
    iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    iptables -A LOG_PINGDEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES PINGDEATH] : '
    iptables -A LOG_PINGDEATH -j DROP
    iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH

    # Allow all connections from localhost
    iptables -A INPUT -i lo -j ACCEPT

    # Allow all connections from the local network
    iptables -A INPUT -s $LOCALNET -j ACCEPT

    # Replies to connections we opened, and FTP data connections
    # tracked by the helper, are ESTABLISHED/RELATED
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Block 255.255.255.255 and 224.0.0.1
    iptables -A INPUT -d 255.255.255.255 -j DROP
    iptables -A INPUT -d 224.0.0.1 -j DROP

    # Reject connections to IDENT (113) so mail servers do not wait for a timeout
    iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    #----------------------------------------------------------#
    # Services Settings                                        #
    #----------------------------------------------------------#

    # Allow SSH connections
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Allow HTTP connections
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # Allow HTTPS connections
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow FTP(21) connections
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    # Allow FTP(20) connections
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT

    # Allow FTP(UDP) connections
    iptables -A INPUT -p udp --dport 21 -j ACCEPT

    # Allow SMTP connections
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 26 -j ACCEPT

    # Allow DNS connections
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    # Allow POP3 connections
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT

    # Allow SMTP(TLS/SSL) connections
    iptables -A INPUT -p tcp --dport 465 -j ACCEPT

    # Allow IMAP4(SSL) connections
    iptables -A INPUT -p tcp --dport 993 -j ACCEPT

    # Allow IMAP4 connections
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT

    # Allow POP3(SSL) connections
    iptables -A INPUT -p tcp --dport 995 -j ACCEPT

    # Allow cPanel connections
    iptables -A INPUT -p tcp --dport 2082 -j ACCEPT

    # Allow cPanel(SSL) connections
    iptables -A INPUT -p tcp --dport 2083 -j ACCEPT

    # Allow WHM connections
    iptables -A INPUT -p tcp --dport 2086 -j ACCEPT

    # Allow WHM(SSL) connections
    iptables -A INPUT -p tcp --dport 2087 -j ACCEPT

    # Allow WEBMAIL connections
    iptables -A INPUT -p tcp --dport 2095 -j ACCEPT

    # Allow WEBMAIL(SSL) connections
    iptables -A INPUT -p tcp --dport 2096 -j ACCEPT

    # Allow MySQL connections
    iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

    # Allow Chat connections
    iptables -A INPUT -p tcp --dport 6666 -j ACCEPT

    # Allow DNS(UDP) connections
    iptables -A INPUT -p udp --dport 53 -j ACCEPT

    # Allow SMTP(TLS/SSL, UDP) connections
    iptables -A INPUT -p udp --dport 465 -j ACCEPT

    # Allow OUTPUTS
    iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 26 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 37 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 113 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 465 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 2089 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 21 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 465 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 873 -j ACCEPT

    #----------------------------------------------------------#
    # End All Service Settings                                 #
    #----------------------------------------------------------#

    # Block and don't log connections from all blocked IPs
    # (inserted at the top of INPUT so they are dropped before any ACCEPT)
    if [ -s /root/deny_ip ]; then
        for ip in `cat /root/deny_ip`
        do
            iptables -I INPUT -s $ip -j DROP
        done
    fi

    # Block and don't log connections from all blocked countries
    # Blocked Countries: Korea
    COUNTRYLIST='KR'
    wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
    iptables -N OTHERFILTER
    iptables -A OTHERFILTER -j DROP
    for country in $COUNTRYLIST
    do
        for ip in `grep "apnic|$country|ipv4|" delegated-apnic-latest`
        do
            FILTER_ADDR=`echo $ip |cut -d "|" -f 4`
            TEMP_CIDR=`echo $ip |cut -d "|" -f 5`
            # Field 5 is the number of addresses (a power of two);
            # halve it down to 1 to turn it into a prefix length
            [ "$TEMP_CIDR" -gt 0 ] 2>/dev/null || continue
            FILTER_CIDR=32
            while [ $TEMP_CIDR -ne 1 ];
            do
                TEMP_CIDR=$((TEMP_CIDR/2))
                FILTER_CIDR=$((FILTER_CIDR-1))
            done
            iptables -I INPUT -s $FILTER_ADDR/$FILTER_CIDR -j OTHERFILTER
        done
    done
    rm -f delegated-apnic-latest

    # Log and block all connections that are undefined
    iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
    iptables -A FORWARD -j DROP

    # Save rule
    /etc/rc.d/init.d/iptables save

    # Start Firewall
    /etc/rc.d/init.d/iptables start

    Thanks
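The PASV question in the post is about the FTP data connection: the server announces a high port in its PASV reply, so a fixed port list cannot cover it. The following is an added example, not code from the post, from cPanel or from APF. It prints (rather than applies) an iptables INPUT rule set for the inbound ports listed above and shows the two ways passive data connections get through: the ftp conntrack helper plus the RELATED state for plain FTP, and, for FTPS where the control channel is encrypted so the helper cannot read the PASV reply, an explicit passive range that has to match the range configured in the FTP daemon. The `PASV_RANGE` value, the function names and the `plain`/`ftps` switch are assumptions; the same split applies when filling in APF's inbound port list.

```shell
#!/bin/sh
# Added example (not from the original post or from cPanel/APF): print an
# iptables INPUT rule set for the post's inbound ports and show how FTP
# passive-mode data connections are let through. Nothing here touches the
# kernel; pipe the output into sh as root to apply it.

# Inbound ports from the post. 3306 and 6666 are left out of the default set
# (open MySQL only if remote clients must reach it). SMTP and FTP do not use
# UDP, so only DNS gets a UDP rule.
INBOUND_TCP="20 21 22 25 26 53 80 110 143 443 465 993 995 2082 2083 2086 2087 2095 2096"
INBOUND_UDP="53"

# Assumed passive range; it must equal the range configured in the FTP daemon
# (pure-ftpd, which cPanel ships, takes "PassivePortRange 49152 65534").
PASV_RANGE="49152:65534"

# One ACCEPT rule per port for new connections. $1 = protocol, rest = ports.
port_rules() {
    proto=$1; shift
    for p in "$@"; do
        echo "iptables -A INPUT -p $proto --dport $p -m state --state NEW -j ACCEPT"
    done
}

# PASV handling. With plain FTP the conntrack helper reads the PASV reply on
# port 21 and marks the incoming data connection RELATED, so the
# ESTABLISHED,RELATED rule accepts it and no high port is opened statically.
# With FTPS the control channel is encrypted, the helper sees nothing, and the
# configured passive range has to be opened explicitly. $1 = plain | ftps
ftp_pasv_rules() {
    echo "modprobe nf_conntrack_ftp"     # ip_conntrack_ftp on old 2.6 kernels
    # Recent kernels do not attach helpers automatically (sysctl
    # net.netfilter.nf_conntrack_helper=0); the CT target assigns it.
    echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$1" = "ftps" ]; then
        echo "iptables -A INPUT -p tcp --dport $PASV_RANGE -m state --state NEW -j ACCEPT"
    fi
}

# Complete dry-run rule set: default deny, loopback, PASV handling, service
# ports, then log-and-drop for everything else.
generate_ruleset() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    ftp_pasv_rules "$1"
    port_rules tcp $INBOUND_TCP
    port_rules udp $INBOUND_UDP
    echo "iptables -A INPUT -j LOG --log-prefix '[IPTABLES INPUT] : '"
    echo "iptables -A INPUT -j DROP"
}

generate_ruleset plain
```

Run it with `ftps` instead of `plain` to see the extra passive-range rule; with plain FTP that rule is unnecessary because every data connection the helper has seen is already accepted as RELATED.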

  2. #2
    Here are the default APF rules for a cPanel install:

    http://faq.cpanel.net/show.cgi?qa=108499296901804

    Please note that you may not need to open all these ports depending on what services you have running. The best method to prevent unwanted access is to ensure that there are no services running on ports you do not wish people to connect to. I'd start at the Service Manager in WHM and disable any services you won't be using. Then check netstat -anp to see if anything is bound to ports that you want closed. If nothing's on a port, there's no way to gain access, and that's much more secure than having something exist and blocking it.
    -Dave Koston
    Koston Consulting
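One way to turn the netstat check from the reply above into a repeatable audit, as an added example that is not Dave's, cPanel's or APF's code: a function that reads `netstat -anp` output and reports every socket reachable from the network (not bound to loopback) that listens on a port outside your allow list. The sample netstat lines are constructed for the example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): compare what is actually
# listening with the ports you intend to expose, using netstat -anp output.

# Constructed sample of "netstat -anp" output so this runs offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2345/mysqld
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      3456/ircd
tcp6       0      0 :::80                   :::*                    LISTEN      4567/httpd
tcp        0      0 10.0.0.5:25             198.51.100.7:51234      ESTABLISHED 6789/exim
udp        0      0 0.0.0.0:53              0.0.0.0:*                           7890/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           5678/rpcbind
EOF
}

# Print "proto port pid/program" for every socket that is reachable from the
# network (not bound to loopback) and listening on a port outside the allow
# list. $1 = space-separated allowed ports; netstat -anp output on stdin.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }      # headers, unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN"  { next }      # only listening TCP sockets
        {
            port = $4; sub(/.*:/, "", port)           # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)       # text before it
            if (host ~ /^(127\.|::1$|::ffff:127\.)/) next   # loopback only: not exposed
            if (!(port in ok)) print $1, port, $NF
        }'
}

# The ports the post intends to open, minus MySQL and chat.
ALLOWED="20 21 22 25 26 53 80 110 143 443 465 993 995 2082 2083 2086 2087 2095 2096"

# Against the sample this flags ircd on 6666 and rpcbind on 111, and ignores
# the loopback-only MySQL socket and the established SMTP session.
sample_netstat | unexpected_listeners "$ALLOWED"

# On a live box (root is needed for the program names):
#   netstat -anp 2>/dev/null | unexpected_listeners "$ALLOWED"
```

Anything the function prints is either a service to disable (Dave's point: nothing bound means nothing to attack) or a port that belongs in the firewall's allow list; an empty result means the listening set and the firewall policy agree.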
