PrackHost : Premium LiteSpeed Web Hosting

CSF Firewall

ConfigServer Security & Firewall

The CSF Firewall (ConfigServer Security & Firewall) is a security staple: a versatile tool that is widely used on web servers. It is a software firewall, much easier to manage than other solutions, that blocks the malicious traffic our server receives. It detects intrusions and protects our Linux server from a wide range of attacks, unauthorized access and brute-force login attempts. Combined with the other commercial tools we will look at later, it ensures our server is protected against the attacks that servers receive on a daily basis.

Among the most important features of this firewall are: iptables management; detection of failed login attempts (SSH, cPanel, webmail, FTP accounts, .htaccess-protected directories, mail accounts, etc.); alerts on excessive server load; monitoring of suspicious processes; blocking access by country; permanent or temporary IP bans; support for mod_security; and more. It is a genuine security suite that covers most of the attacks a server is exposed to.

Below we summarize some of the functions of this software, which you already enjoy on your VPS or Dedicated Server, and look at how to configure CSF.

1. CSF Firewall alerts

The CSF Firewall sends several types of alert by email so that we know in real time what is happening on the server. These alerts let us act quickly when an anomaly is detected (attacks, overloads, spam sending, etc.). They are sent to the root mailbox we defined earlier on the server and to the contacts added in the LF_ALERT_TO field of the firewall configuration.

At PrackHost we install, configure and regularly update CSF in WHM to protect all of our clients' servers as a first line of defense. We also complement it with an additional CSF Firewall management service, where our team takes care of the monitoring and intervenes when attacks occur.

This service can be contracted in the "Extras" section of our website under the name "Total Security with Monitoring". With this service our client can forget about firewall management and possible attacks and delegate that work to our Support Department. If you need more information about this service, do not hesitate to ask us.

Receiving CSF Firewall alerts

1.1 Most common alerts

These are the most common email alerts you may receive in your mailbox. Open a support ticket with us if you have any doubt about these alerts or want more information about an email you have received.

– IP blocked (lfd on <hostname>: blocked xx.xx.xx.xx). This email is purely informative and indicates that an IP has been blocked. It details the reason the IP was blocked, which is usually one of these three:

  • We entered the wrong password for one of our mail accounts.
  • Wrong password when logging in to cPanel.
  • We enabled .htaccess protection on a folder of our website (normally the admin area) and the credentials were entered incorrectly.

– Root access alert for WHM (lfd on <hostname>: WHM/cPanel root Access alert from xx.xx.xx.xx). This alert is important and must be investigated when you receive it. It reports that someone logged in to WHM/cPanel as root, with the correct credentials, from the indicated IP. PrackHost staff frequently log in to WHM as root for maintenance, updates, improvements or to investigate problems, so you will receive some of these alerts showing one of our IPs. If you receive a login alert from an IP you do not recognize, in particular one that is not Spanish, contact us immediately.

– Large mail volume alert (lfd on <hostname>: LOCALRELAY Alert for <cpanel-user>). This alert warns that the named cPanel account has sent 100 or more emails (the RT_LOCALRELAY_LIMIT setting in csf.conf). It often means the cPanel account has been compromised, since the mail is being sent through the cPanel user. Do not ignore these alerts; investigate whether the sending is legitimate.

– Suspicious large mail volume from a mail account (lfd on <hostname>: AUTHRELAY Alert for xx.xx.xx.xx). Similar to the previous one, but it also shows the email account that is sending and the IP from which it authenticated to send. In this case a third party has probably guessed the mail account's password and is using it to send spam.

It also often happens that the computers on which that email account is configured are infected with viruses or trojans that are used to send the mail. This alert must be investigated, because our server can end up on spam blacklists if fraudulent mail is sent and the problem is not stopped in time. A good technique is to review the addresses the messages are going to: if they are mostly foreign recipients, it is probably spam. The subject line of the bulk mailing also helps identify a spam run.

– Mail sent through files or scripts (lfd on <hostname>: Script Alert for <path to the file>). The mail was sent from the website hosted on that domain through some mail-sending form (such as Joomla's mass-mail tool). However, it may also be an unauthorized mailing through a malicious file uploaded by a third party. This log must be investigated, as it is presumably a real attack.

– Suspicious processes (Suspicious process running under ...). This tells us that a process on the server should be considered suspicious. It reports the date, user, PID and runtime of the process.
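To triage these alerts mechanically, here is an added example (our own illustration, not CSF's code or PrackHost's tooling) that classifies lfd subject lines by the types listed above and flags the ones that need a human. The subject shapes follow the forms given in this section, the sample lines are constructed, and KNOWN_ADMIN_IPS is a placeholder list you would replace with the addresses from which root WHM logins are expected:

```shell
#!/bin/sh
# Added example: triage lfd alert subject lines by type and flag the ones
# that need a human. Not part of CSF; the subject shapes follow the forms
# listed on this page and the sample lines below are constructed.

# IPs from which root WHM logins are expected (assumption: replace with your own).
KNOWN_ADMIN_IPS="203.0.113.10 203.0.113.11"

ip_is_known() {
    for k in $KNOWN_ADMIN_IPS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Extract the first dotted-quad from a line (empty if none).
first_ip() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Print "<severity> <type> <detail>" for one subject line.
classify_alert() {
    subj=$1
    ip=$(first_ip "$subj")
    case "$subj" in
        *"root Access alert"*|*"root access alert"*)
            if ip_is_known "$ip"; then
                echo "INFO root-login $ip (known admin IP)"
            else
                echo "INVESTIGATE root-login $ip (unknown IP)"
            fi ;;
        *"AUTHRELAY"*)  echo "INVESTIGATE authrelay $ip (mail account likely compromised)" ;;
        *"LOCALRELAY"*) echo "INVESTIGATE localrelay $(printf '%s' "$subj" | sed 's/.*for //')" ;;
        *"Script Alert"*|*"Script alert"*)
            echo "INVESTIGATE script $(printf '%s' "$subj" | sed 's/.*for //')" ;;
        *"Suspicious process"*) echo "REVIEW process ${subj#*: }" ;;
        *"blocked"*)    echo "INFO blocked $ip" ;;
        *)              echo "UNKNOWN - $subj" ;;
    esac
}

# Constructed sample subjects, shaped like the alerts described on this page.
SAMPLE_ALERTS='lfd on srv1.example: blocked 198.51.100.7 (XX/-/-)
lfd on srv1.example: WHM/cPanel root Access alert from 203.0.113.10
lfd on srv1.example: WHM/cPanel root Access alert from 198.51.100.9
lfd on srv1.example: LOCALRELAY Alert for cpaneluser
lfd on srv1.example: AUTHRELAY Alert for 198.51.100.22
lfd on srv1.example: Script Alert for /home/cpaneluser/public_html/uploads
lfd on srv1.example: Suspicious process running under user nobody'

# Classify every sample line.
triage_all() {
    printf '%s\n' "$SAMPLE_ALERTS" | while IFS= read -r line; do
        classify_alert "$line"
    done
}

# Number of sample alerts that need investigation.
count_investigate() {
    triage_all | grep -c '^INVESTIGATE'
}

triage_all
```

Feed it the Subject: lines pulled from the root mailbox (for example with grep on the mail spool) and act on anything marked INVESTIGATE first; a root login from an address not in the known list is the one to treat as an incident until proven otherwise.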

2. Adding an IP as safe

Sometimes we want to add an IP as safe so that it will not be banned by our firewall. This could be our own IP or that of a client with a known, trusted fixed IP. To add it so that the firewall recognizes it as safe and does not ban it, go to the firewall section in WHM > Plugins > ConfigServer Security & Firewall, enter the IP in the field labelled "Allow IP address" and click the "Quick Allow" button. Only do this for static addresses you trust: an allowed IP is never blocked, so a dynamic or shared address would sooner or later whitelist a stranger.

If we also want to add a description, for future reference and to know why that IP was added as safe, we write a descriptive text in the "Comment for Allow" field below. We can consult the list of safe IPs on our server by opening "Firewall Allow IPs". There we will also see the reason the IP was added as safe, if we filled in the comment at the time.

Adding a safe IP in the CSF Firewall

3. Unblocking an IP

If we want to unblock an IP that the firewall has blocked for one of the reasons explained in the introduction, we must remove that IP from the list of blocked IPs. Log in to WHM with our credentials and go to Plugins > ConfigServer Security & Firewall. Here we can remove the block on an IP in three ways:

  • If we know the user's banned IP, we enter it in the "Allow IP address" field and click "Quick Allow". The firewall adds the IP to its database as safe and immediately lifts the block. It is instantaneous and needs no propagation time. This option is the one described in the previous section, "Adding an IP as safe". Bear in mind that it also whitelists the address permanently, so prefer one of the next two options for an address you do not fully trust.
  • If we want to investigate why an IP may have been banned and then lift the block, we enter the IP in the iptables field "Search for IP address" and click "Search for IP". A screen will appear where we click the padlock icon to lift the block immediately.
  • We remove the block directly from the list of blocked IPs. Clicking "Firewall Deny IPs" shows the last 200 banned IPs (the DENY_IP_LIMIT setting, 200 by default). This list rotates continuously: as new IPs (the most recent bans) are added, the oldest are removed, so a record of the last 200 always exists. To lift a block here, carefully delete the line that lists the IP and the reason for the block (without touching the lines of the other IPs, or their blocks will be lifted too) and save the changes with the "Change" button.

IMPORTANT NOTE: There is also a fourth option. If for some reason the banned IP is yours and you do not have access to your server to unblock it, you can do it from our client area in the "Unblock IP" section, immediately and without intervention from our technical service. From that section of the PrackHost website you can also unban your clients' IPs, not only your own.

Unblocking a blocked IP in the CSF Firewall
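The same two actions as the screens above (whitelisting an address with a comment, and removing a single deny entry without disturbing the others), as an added shell example rather than CSF's own code. It edits the csf.allow and csf.deny files directly, with CSF_DIR an assumed variable so it can be tried against a scratch directory; the deny entries in the demo are constructed. On a live server the CSF commands `csf -a <ip> "<comment>"`, `csf -g <ip>` and `csf -dr <ip>` do the same jobs, and `csf -r` reloads the rules after editing the files by hand. Note that lfd's temporary blocks are kept in a separate list, not in csf.deny, so a temporary ban is lifted with `csf -tr <ip>`.

```shell
#!/bin/sh
# Added example (not CSF's own code): whitelist an IP with a comment and
# remove a deny entry, editing the csf.allow / csf.deny files behind the
# WHM "Quick Allow" and "Firewall Deny IPs" screens.
# CSF_DIR is an assumption so the script can be pointed at a scratch dir.
CSF_DIR="${CSF_DIR:-/etc/csf}"

# Accept only a plain dotted-quad with each octet 0-255; a typo here would
# whitelist (or fail to unblock) the wrong address.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Anchored pattern for "this exact IP" at the start of a line, so that
# 198.51.100.7 does not also match 198.51.100.70.
ip_pattern() {
    printf '^%s([[:space:]]|#|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Append "<ip> # <comment>" to csf.allow unless the IP is already listed.
allow_ip() {
    ip=$1; comment=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4: $ip" >&2; return 1; }
    if grep -Eq "$(ip_pattern "$ip")" "$CSF_DIR/csf.allow" 2>/dev/null; then
        echo "already allowed: $ip"; return 0
    fi
    printf '%s # %s\n' "$ip" "$comment" >> "$CSF_DIR/csf.allow"
    echo "allowed: $ip"
}

# Show why an IP was blocked (the reason lfd stored after the '#').
deny_reason() {
    grep -E "$(ip_pattern "$1")" "$CSF_DIR/csf.deny" 2>/dev/null | sed 's/^[^#]*# *//'
}

# Remove only the line(s) for this exact IP from csf.deny, leaving every
# other entry untouched.
unblock_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4: $ip" >&2; return 1; }
    f="$CSF_DIR/csf.deny"
    [ -f "$f" ] || { echo "no csf.deny in $CSF_DIR" >&2; return 1; }
    pat=$(ip_pattern "$ip")
    before=$(grep -Ec "$pat" "$f" || true)
    grep -Ev "$pat" "$f" > "$f.tmp" || true   # grep -v exits 1 if nothing is left
    mv "$f.tmp" "$f"
    echo "removed $before deny line(s) for $ip"
}

# Demo against a scratch copy with constructed entries.
demo() {
    tmp=$(mktemp -d)
    CSF_DIR=$tmp
    printf '%s\n' \
        '198.51.100.7 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.7 - constructed' \
        '198.51.100.70 # lfd: (cpanel) Failed cPanel login from 198.51.100.70 - constructed' \
        > "$tmp/csf.deny"
    : > "$tmp/csf.allow"
    allow_ip 203.0.113.10 "office static IP"
    allow_ip 203.0.113.10 "duplicate, ignored"
    deny_reason 198.51.100.7
    unblock_ip 198.51.100.7
    cat "$tmp/csf.deny"
    rm -rf "$tmp"
}
demo
```

The anchored pattern is the point of the exercise: a plain grep for the address would also remove the block on a neighbouring IP that shares a prefix, which is exactly the mistake the "delete the line carefully" warning above is about.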

4. Adding a process as safe

Sometimes a process generated by an application (especially one you developed yourself, rather than a well-known application) can trigger a false positive, and you receive continuous warnings that the application, process or file is suspicious. You will then need to add that process as safe, so that you stop receiving those warnings and the firewall treats it as a trusted execution. To do so, go to the section "lfd – Login Failure Daemon", choose the option "csf.pignore, Process Tracking" in the drop-down, click "Edit" and add the process to the list shown:

– To add the new process as safe, add a new line with the value:

exe:/path/to/file

(This is the absolute path on the server. Example: exe:/usr/sbin/exim.)

– If you want to add a Linux command as safe:

cmd:<command line>

(Here we enter only the command name and its process. Example: cmd:spamd child.)

– Other options exist depending on the type of process we want to add as safe (Perl or CGI files, ignoring specific users, etc.). Keep each entry as specific as possible: an entry that matches more than the one process you mean silences lfd for everything it matches. If you have trouble with the paths or files, we recommend letting us handle it.

Ignoring a process in the CSF Firewall
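An added example (not CSF's own code) of building and appending csf.pignore entries with the checks described above: exe: paths must be absolute and are resolved through symlinks, and duplicate lines are skipped. CSF_DIR is an assumed variable so the script can run against a scratch copy, and the existing entry in the demo is constructed. After editing the real file, restart csf and lfd (`csf -ra`) so lfd picks up the change.

```shell
#!/bin/sh
# Added example (not CSF's own code): append an entry to csf.pignore so lfd
# stops reporting a process you know is legitimate.
# CSF_DIR is an assumption; point it at a scratch directory to try this.
CSF_DIR="${CSF_DIR:-/etc/csf}"

# Build one csf.pignore line. exe: entries must be an absolute path, and an
# existing path is resolved through symlinks because lfd compares against
# the real executable of the running process (e.g. /bin/sh -> /usr/bin/dash
# on some distributions). cmd: entries are matched as the process command line.
pignore_line() {
    kind=$1; value=$2
    case "$kind" in
        exe)
            case "$value" in
                /*) ;;
                *) echo "exe: path must be absolute: $value" >&2; return 1 ;;
            esac
            if [ -e "$value" ]; then
                value=$(readlink -f "$value" 2>/dev/null || printf '%s' "$value")
            fi
            printf 'exe:%s\n' "$value" ;;
        cmd|user)
            [ -n "$value" ] || { echo "$kind: value required" >&2; return 1; }
            printf '%s:%s\n' "$kind" "$value" ;;
        *) echo "unsupported kind: $kind (use exe, cmd or user)" >&2; return 1 ;;
    esac
}

# Append the entry if csf.pignore does not already contain that exact line.
pignore_add() {
    line=$(pignore_line "$1" "$2") || return 1
    f="$CSF_DIR/csf.pignore"
    if grep -qxF "$line" "$f" 2>/dev/null; then
        echo "present: $line"
    else
        printf '%s\n' "$line" >> "$f"
        echo "added: $line"
    fi
}

# Demo against a scratch directory with a constructed pignore file.
demo() {
    tmp=$(mktemp -d); CSF_DIR=$tmp
    printf 'exe:/usr/sbin/exim\n' > "$tmp/csf.pignore"   # constructed existing entry
    pignore_add exe /opt/app/bin/worker                 # hypothetical in-house daemon
    pignore_add exe /opt/app/bin/worker                 # second call is a no-op
    pignore_add cmd "spamd child"
    pignore_add exe relative/path || echo "rejected relative path"
    cat "$tmp/csf.pignore"
    rm -rf "$tmp"
}
demo
```

If an exe: entry you added still produces alerts, compare it with the path lfd reports in the alert mail; a symlinked interpreter or a binary replaced by a package update will not match the old path.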

5. Opening a port as safe

If we need to open a port on our server because an application requires it, we must add it to the firewall configuration. Click the "Firewall Configuration" button and look for the options TCP_IN and TCP_OUT to add the port. If we delete any of the ports already configured there, all of our server's services can become inaccessible, so take great care when adding an extra port.

Remember that TCP_IN is for incoming ports and TCP_OUT for outgoing ones; UDP services go in UDP_IN and UDP_OUT in the same way. Each setting is a comma-separated list of ports (a range is written as start:end, for example 30000:35000). Save the new configuration and restart the firewall services from the screen that appears.

Opening a port as safe in the CSF Firewall
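Added example (not CSF's own code) of adding a port to TCP_IN or TCP_OUT in csf.conf from the shell with the precautions above: the port is validated, existing entries are never removed, and the edit is a no-op if the port is already listed. CSF_DIR is an assumed variable and the csf.conf fragment in the demo is constructed; after editing the real file run `csf -ra` to apply it.

```shell
#!/bin/sh
# Added example (not CSF's own code): add a port to TCP_IN or TCP_OUT in
# csf.conf without disturbing the ports already there.
# CSF_DIR is an assumption; point it at a scratch directory to try this.
CSF_DIR="${CSF_DIR:-/etc/csf}"

# Print the current value of a csf.conf setting of the form NAME = "value".
conf_get() {
    sed -n "s/^$1 = \"\(.*\)\"\$/\1/p" "$CSF_DIR/csf.conf" | head -n 1
}

# Add one port to TCP_IN or TCP_OUT (idempotent). Refuses anything outside
# 1-65535 and never removes an existing entry, because dropping a port such
# as 22 or 2087 from TCP_IN locks you out of SSH or WHM. Port ranges already
# in the list (e.g. 30000:35000) are kept as-is and not expanded.
open_port() {
    dir=$1; port=$2
    case "$dir" in
        TCP_IN|TCP_OUT) ;;
        *) echo "direction must be TCP_IN or TCP_OUT" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    f="$CSF_DIR/csf.conf"
    grep -q "^$dir = " "$f" || { echo "$dir not found in $f" >&2; return 1; }
    cur=$(conf_get "$dir")
    case ",$cur," in
        *",$port,"*) echo "$dir already contains $port"; return 0 ;;
    esac
    new="$cur,$port"
    sed "s/^$dir = \".*\"\$/$dir = \"$new\"/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$dir = \"$new\""
}

# Demo against a scratch directory with a constructed csf.conf fragment.
demo() {
    tmp=$(mktemp -d); CSF_DIR=$tmp
    cat > "$tmp/csf.conf" <<'EOF'
# Allow incoming TCP ports (constructed fragment)
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2087"
# Allow outgoing TCP ports (constructed fragment)
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
    open_port TCP_IN 8443
    open_port TCP_IN 8443
    open_port TCP_IN 70000 || echo "rejected out-of-range port"
    conf_get TCP_OUT
    rm -rf "$tmp"
}
demo
```

Before applying a change to the live csf.conf, diff it against a copy you made first; the script only ever appends to the list, so any other difference means something else touched the file.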

6. Disabling the firewall temporarily

You can disable the CSF Firewall temporarily if for some reason you need the system not to block connections. This is not recommended, but there may be specific cases where you need to do it. Simply use the "Firewall Disable" option to stop it, and click "Firewall Enable" to resume protection (from the command line, csf -x disables csf and lfd and csf -e enables them again). Bear in mind that while protection is disabled your server is much more exposed to attacks, so re-enable it as soon as the task that required it is finished.

Disabling the CSF Firewall temporarily
