CentOS5.5 64bit + Cpanel needs security help!!!
-
Hi,
I just got a freshly brewed 64bit CentOS5.5 server and installed the wonderful Cpanel/WHM and need help with securing the server.
I specifically need help with firewall setup and a few other things. I already know about SSH private/public key security but need help with other things like the firewall and others.
Thanks in advance.
Posted 1 year ago # -
hey bb,
the iptables guide here will work for that setup equally well:-
Posted 1 year ago # -
I went through the link here: http://vpsbible.com/security/harden-ssh-create-firewall/, having come to this site directly from the video at youtube.
I know my particular issue is very common - it must be, since about a kajillion folks have OpenVZ VPS's.
I'm not a big fan of OpenVZ, or virtuozzo, etc., since most of my vm's are on vmware.
But I needed some cheap machines in other places of the world for various, minimal things like DNS and a couple of other services.
Well, I'm having problems with my firewall scripts blowing up on my w/OpenVZ VPS's.
I'll go ahead and post a sample firewall script that I typically use in my hosts, and the main problems are that I get all kinds of errors about modules and stuff that I never get on regular hosts or my vmware vm's.
Again, this is just a basic, yet completely plug and play example that I build my bastions from, with a tweak here and there, so aside from changing the IP address and choosing my SSH port (or adding another one if I need an admin door), this script can lock down a machine real quick - but it is blowing up on my OpenVZ vps's and I would really appreciate it if you all could give it a gander.
1.) I'm pretty sure that I need to match my interface in the firewall script to that which is reported by ifconfig - which on all three of these VPS's is venet0, venet1, etc., but I'm kinda freaked out when loading standard modules blows up in my face.
2.) How do I determine what modules are loaded by the HN, or whatever I need to know in order to understand what modules I shouldn't load, which ones I should, etc...???
Okay, here's a boilerplate. I'll just direct your collective attention to the first third of the script where I'm loading modules and defining rules, because I know whatever you guys suggest I'm going to need to address those issues with regards to OpenVZ HNs (I think, anyway), and it is perhaps going to be different with each different provider.
I was able to find some tutorials concerning HNs, but nothing really useful for the VE's, as they seem to be calling the actual VPS instances.
#!/bin/sh
#
# Stuff particular to this box (Starts blowing up here on OpenVZ)
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

# Internet Interface
#INET_IFACE="eth0" # Change "eth0" to "venet0" as I did below
INET_IFACE="venet0"
INET_ADDRESS="1.2.3.4" # Whatev the IPv4 Addy is

# Localhost Interface
LO_IFACE="lo" # This iface is present on OpenVZ VPS's.
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

#
# Load Modules
#
echo "Loading kernel modules ..."
# /sbin/depmod -a # I usually run this once to check, but on OpenVZ... Boom!
# Okay, now for the million dollar Questions wrt OpenVZ...
# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules. Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default. Uncomment if you have any problems or if
# you have disabled module autoload. Note that some modules must
# be loaded by another kernel module.

# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# filter table module
# /sbin/modprobe iptable_filter

# mangle table module
# /sbin/modprobe iptable_mangle

# nat table module
# /sbin/modprobe iptable_nat

# LOG target module
# /sbin/modprobe ipt_LOG

# This is used to limit the number of packets per sec/min/hr
# /sbin/modprobe ipt_limit

# masquerade target module
# /sbin/modprobe ipt_MASQUERADE

# filter using owner as part of the match
# /sbin/modprobe ipt_owner

# REJECT target drops the packet and returns an ICMP response.
# The response is configurable. By default, connection refused.
# /sbin/modprobe ipt_REJECT

# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark

# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss

# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport

# This match checks the connection tracking state (-m state)
# /sbin/modprobe ipt_state

# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean

# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp

# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc

#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent? It's recommended for single-homed
# systems and routers on stub networks. Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address. This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
# packets. It is usually on by default, but is generally
# considered a security risk. This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option can disable ICMP redirects. ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

# Now just the standard firewall rule stuff...
#
# If I can get to this part, everything should
# fine as far as OpenVZ is concerned, but I'm
# using a lot of stuff above with respect to
# enabling the capability to use some of the
# rules below.

# Someone once told me, with regards to OpenVZ,
# No Kernel, no problem.
# Well, all I want to do is run a simple firewall
# and that is apparently a problem!

#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets
$IPT -N bad_packets

# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound

# Autoban rule for h4x0rb0is - mostly for ssh probes on port 22
# so I don't have to launch the CounterTerrorist daemon against
# them and ruin their whole fricken' day - s/day/week/
$IPT -N AUTOBAN

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "fp=icmp_packets:2 a=ACCEPT "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
# (While the ACCEPT rule above is active, this DROP is never reached.)
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers

# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.

# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule. This is the minimum requirement to avoid
# long delays while connecting. Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT

# A more sophisticated configuration could accept the ident requests.
# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT

# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# DNS Server
# Configure the server to use port 53 as the source port for requests
# Note, if you run a caching-only name server that only accepts queries
# from the private network or localhost, you can comment out this line.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# If you don't query-source the server to port 53 and you have problems,
# uncomment this rule. It specifically allows responses to queries
# initiated to another server from a high UDP port. The stateful
# connection rules should handle this situation, though.
# $IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT

# Network File System (NFS) Server
# Please note that additional services must
# be configured in order to support an NFS Server through
# the firewall. Read the help in the generator or this site:
# http://www.lowth.com/LinWiz/nfs_help.html

# NFS Server - portmapper
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 111 -j ACCEPT

# NFS Server - statd
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 9400 -j ACCEPT

# NFS Server - NFS daemon
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 2049 -j ACCEPT

# NFS Server - lockd
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 9401 -j ACCEPT

# NFS Server - mountd
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 9402 -j ACCEPT

# NFS Server - quotad
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 9403 -j ACCEPT

# User specified allowed UDP protocol
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 70:70 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.

# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule. This is the minimum requirement to avoid
# long delays while connecting. Also see the udp_inbound rule.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT

# A more sophisticated configuration could accept the ident requests.
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT

# DNS Server - Allow TCP connections (zone transfers and large requests)
# This is disabled by default. DNS Zone transfers occur via TCP.
# If you need to allow transfers over the net you need to uncomment this line.
# If you allow queries from the 'net, you also need to be aware that although
# DNS queries use UDP by default, a truncated UDP query can legally be
# submitted via TCP instead. You probably will never need it, but should
# be aware of the fact.
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT

# Web Server
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

# Passive FTP
#
# With passive FTP, the server provides a port to the client
# and allows the client to initiate the connection rather
# than initiating the connection with the client from the data port.
# Web browsers and clients operating behind a firewall generally
# use passive ftp transfers. A general purpose FTP server
# will need to support them.
#
# However, by default an FTP server will select a port from the entire
# range of high ports. It is not particularly safe to open all
# high ports. Fortunately, that range can be restricted. This
# firewall presumes that the range has been restricted to a specific
# selected range. That range must also be configured in the ftp server.
#
# Instructions for specifying the port range for the wu-ftpd server
# can be found here:
# http://www.wu-ftpd.org/man/ftpaccess.html
# (See the passive ports option.)
#
# Instructions for the ProFTPD server can be found here:
# http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:64000 -j ACCEPT

# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SSL Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT

# SSL Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Network File System (NFS) Server
# Please note that additional services must
# be configured in order to support an NFS Server through
# the firewall. Read the help in the generator or this site:
# http://www.lowth.com/LinWiz/nfs_help.html

# NFS Server - portmapper
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 111 -j ACCEPT

# NFS Server - statd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 9400 -j ACCEPT

# NFS Server - NFS daemon
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 2049 -j ACCEPT

# NFS Server - lockd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 9401 -j ACCEPT

# NFS Server - mountd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 9402 -j ACCEPT

# NFS Server - quotad
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 9403 -j ACCEPT

# That's right folks... I run lots and lots of Gopher Servers! ;)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 70:70 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# AUTOBAN those zaney script kiddies for a very long time
# by actually not destroying their parents machine's with
# CounterTerrorist daemon - Doing them a big fav by only
# Autobanning them here. This would be their final, silent,
# warning ;) No fail2ban required - No Quarter, No Mercy, No Prisoners.
#
# (Needs the "recent" match: xt_recent / ipt_recent in the running kernel.)
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j AUTOBAN
$IPT -A AUTOBAN -m recent --set --name SSH
$IPT -A AUTOBAN -m recent --update --seconds 3924 --hitcount 4 --name SSH -j DROP

###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "

###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network

###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "

echo "Okay we should be kewl for a while now..."
echo ""
echo " Starting PortSentry and CounterTerrorist daemons now..."

# This is the end of the firewall portion, and
# the only part that I'm having problems with
# on OpenVZ VPS's.

# Any help and suggestions for just getting this
# very basic and elementary firewall to load
# is most appreciated :)

# Thanks!
Thank you so much, and I look forward to all of your responses and feedback.
Posted 11 months ago # -
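The post above asks two things that can be answered from inside the VE before running the firewall script: whether the interface really is venet0, and which netfilter matches and targets the hardware node's kernel actually provides (a container cannot modprobe anything itself). The pre-flight script below is an added example, not code from the thread or from OpenVZ. It assumes the following, each labelled in the comments: the kernel's /proc/net/ip_tables_matches and /proc/net/ip_tables_targets files list loaded x_tables extensions one name per line; an OpenVZ container has /proc/vz but no /proc/bc; a container has no /lib/modules tree for the running kernel; and /sys/class/net/<iface> exists for each visible interface. All path arguments are parameters so the functions can be exercised against constructed directories.

```shell
#!/bin/sh
# Pre-flight check for a container firewall script (added example).
# Tells you which of the script's "-m" matches and "-j" targets the running
# kernel lacks, and whether modprobe / the chosen interface make sense here.

# Matches and targets the firewall script above relies on. DROP/ACCEPT/RETURN
# are built-in verdicts and never appear in the proc lists, so they are omitted.
NEEDED_MATCHES="state recent pkttype"
NEEDED_TARGETS="LOG REJECT"

# missing_names "<needed>" "<available>": print the needed names that do not
# occur in the available list, space separated (empty line when none missing).
missing_names() {
    missing=""
    for want in $1; do
        found=0
        for have in $2; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# read_names <file>: contents of a proc list file, nothing if it is unreadable.
read_names() {
    [ -r "$1" ] && cat "$1"
    return 0
}

# in_openvz_container [procdir]: assumption: a VE sees /proc/vz but not the
# beancounter tree /proc/bc, which only the hardware node exposes.
in_openvz_container() {
    proc=${1:-/proc}
    [ -e "$proc/vz" ] && [ ! -e "$proc/bc" ]
}

# can_modprobe [moduledir]: assumption: modprobe needs a module tree for the
# running kernel; a container running the HN's kernel has none.
can_modprobe() {
    [ -d "${1:-/lib/modules}/$(uname -r)" ]
}

# iface_exists <name> [sysdir]: assumption: sysfs lists every visible interface.
iface_exists() {
    [ -e "${2:-/sys/class/net}/$1" ]
}

# check_firewall_support [procdir]: print what is missing; return 0 when the
# kernel offers every match and target the script needs, 1 otherwise.
check_firewall_support() {
    proc=${1:-/proc}
    mm=$(missing_names "$NEEDED_MATCHES" "$(read_names "$proc/net/ip_tables_matches")")
    mt=$(missing_names "$NEEDED_TARGETS" "$(read_names "$proc/net/ip_tables_targets")")
    rc=0
    if [ -n "$mm" ]; then
        echo "missing iptables matches: $mm"
        rc=1
    fi
    if [ -n "$mt" ]; then
        echo "missing iptables targets: $mt"
        rc=1
    fi
    return $rc
}

main() {
    if in_openvz_container; then
        echo "OpenVZ container: kernel and modules belong to the hardware node"
    fi
    can_modprobe || echo "no /lib/modules/$(uname -r): the modprobe lines cannot work here"
    iface_exists venet0 && echo "venet0 present: INET_IFACE=venet0 is the right choice"
    check_firewall_support && echo "every match/target the script needs is available"
}

# Run the checks on a real box with:  sh firewall_preflight.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

If the output names "recent" as missing, the AUTOBAN rules cannot be loaded on that node and should be commented out rather than left to fail; a missing "state" means ip_conntrack is not loaded on the hardware node and nothing using `-m state` will work, which is a question for the provider, not something the VE can fix. Either way, pair this output with the exact modprobe and iptables error text, which is what the next reply asks for.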
@tallship .. "problems are that I get all kinds of errors about modules and stuff"
what are the errors? thar be the clues.
Posted 11 months ago #