The CSF Firewall is a basic, very versatile security tool that is widely recognised in the world of web servers. It is a software firewall, much easier to manage than other solutions, that blocks the malicious traffic our server receives. It detects intrusions and protects our Linux server from numerous attacks, unauthorised accesses and brute-force login attempts. Combined with other commercial tools that we will look at later, it lets us make sure our server is protected from the attacks that servers receive every day.
Among the most important features of our firewall we can highlight: management of iptables, detection of fraudulent login attempts (SSH, cPanel, webmail, FTP accounts, folders protected with .htaccess, mail accounts, etc.), hardware overload alerts, monitoring of suspicious processes, blocking of access by country, permanent or temporary IP bans, support for mod_security, etc. It is a true security suite that will protect our server 100%.
1. CSF Firewall alerts
The CSF Firewall sends several types of alert by email so that we know in real time what is happening on the server. These alerts let us intervene quickly if an anomaly is detected (attacks, overloads, spam sending, etc.). They are sent to the root mailbox defined earlier on the server and to the contacts added in the LF_ALERT_TO field of the firewall configuration.
At PrackHost we install, configure and regularly update CSF WHM Firewall to protect all our clients' servers as a first line of defence. We also complement it with an additional CSF Firewall administration service, so that our team takes charge of monitoring and of intervening when attacks occur.
This service can be contracted in the Extras section of our website, under the name Total Security with Monitoring. When contracting it, the client can forget about managing the firewall and the possible attacks and delegate this work to our Support Department. If you need more information about this service, do not hesitate to ask us.
1.1 Most common alerts
These are the most common email alerts you can receive in your mailbox. Send us a support ticket if you have any doubt about these alerts or if you want more information about an email you have received.
IP blocked (lfd on tu-dominio.net: blocked xx.xx.xx.xx). This email is purely informative and indicates that an IP has been blocked. It details the reason why that IP was blocked. Usually it is one of these three reasons:
- The password of some mail account was entered incorrectly.
- Wrong password when accessing cPanel.
- We have enabled .htaccess protection on some folder of our website (normally the administration area) and the credentials were not entered correctly.
Root access alert to WHM (lfd on tu-dominio.net: WHM/cPanel root access alert from xx.xx.xx.xx). This alert is important and must be investigated if you receive it. It reports that someone has logged into WHM/cPanel successfully with the server's root credentials from the indicated IP. From PrackHost we frequently access WHM with root credentials for maintenance, updates, improvements or to investigate possible problems, so you will receive some of these alerts showing one of our IPs. If you receive a login alert from an IP that is not Spanish, you must contact us immediately.
Large mail sending alert (lfd on tu-dominio.net: LOCALRELAY Alert for the-cpanel-user). This alert warns us that the domain in the subject has sent 100 or more emails. Normally this means the cPanel account has been hacked, since the sending takes place through the cPanel user. It is advisable not to ignore these alerts and to investigate whether the sending is legitimate or not.
Suspicious large sending alert for a mail account (lfd on tu-dominio.net: AUTHRELAY Alert for xx.xx.xx.xx). Similar to the previous one, but it also shows the e-mail account that is sending the mail and the IP from which that account was accessed to send it. In this case, a third party has managed to guess the password of the sending mail account and is using it to send spam.
It also often happens that the computers on which this e-mail account is configured are infected with viruses or Trojans that are used to send the mail. This email must be investigated, because our server can end up on spam blacklists if fraudulent mail is sent and the problem is not stopped in time. A good technique here is to review the addresses these messages are sent to: if they are foreign recipients, it is presumably spam. We can also look at the subject of the mass mailing, which will help us detect a spam run.
Sending alert through files or scripts (lfd on tu-dominio.net: Script Alert for path-of-the-file). The mail was sent from the website hosted under that domain through some mail-sending form (such as Joomla's mass mailing tool). However, it may also have been an illegitimate sending through a malicious file uploaded by a third party. It is essential to investigate this alert, since it is presumably a real attack.
Suspicious processes (Suspicious process running under ...). In this case we are informed that there has been a process on the server that should be considered suspicious. We are told the date, the user, the PID of the process and its runtime.
2. Adding an IP as safe
Sometimes we will want to add an IP as safe, so that our firewall does not ban it. It can be our own IP or that of a client with a fixed, known and trusted IP. To add it so that the firewall recognises it as safe and does not ban it, we go to the firewall section in WHM/cPanel > Accessories (or Plugins) > ConfigServer Security&Firewall, enter the IP in the field labelled Allow IP address and click the Quick Allow button.
If we also want to add a description, so that in future we know why that IP was added as safe, we add a descriptive text in the field below, Comment for Allow. We can consult the list of safe IPs on our server by opening the Firewall Allow IPs option. There we will also see the reason why each IP was added as safe, if we filled in the corresponding comment at the time.
3. Unblocking an IP
If we want to unblock an IP because the firewall blocked it for one of the reasons explained in the introduction, we have to remove that IP from the list of blocked IPs. We log into WHM with our credentials and go to Accessories (or Plugins) > ConfigServer Security&Firewall. Here we can remove the block on an IP in three ways:
- If we have the user's banned IP, we enter it in the Allow IP address field and click the Quick Allow button. The firewall will record the IP as safe in its database and lift the block immediately. It is an instantaneous operation that needs no propagation time. This is the option described in the previous section of this tutorial, Adding an IP as safe.
- If we want to investigate why an IP was banned and then lift the block, this time we enter the IP in the iptables field Search for IP address and click the Search IP button. A screen will appear where we click the padlock icon to lift the block immediately.
- We can remove the block directly from the list of blocked IPs. Clicking the Firewall Deny IPs button shows the last 200 banned IPs. This list rotates continuously: as new IPs (the latest bans) are added, the oldest ones are removed, so there is always a record of the last 200. To lift the block in this case, we carefully delete the line listing the IP and the reason for the block (taking care not to remove the block on the other IPs in the list) and save the changes with the Change button.
IMPORTANT NOTE: There is also a fourth option. If for some reason the banned IP is yours and you have no access to your server to unblock it, you can do it from our client area, in the Unblock IP section. You will be able to do it immediately, without the intervention of our technical service. From this section of the PrackHost website you can also unban your clients' IPs, not only your own.
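The third method above edits the list of blocked IPs by hand, and the warning is that only the line for the IP in question must go. The following shell script is an added example (not code from this article, from PrackHost or from the CSF project) that performs the same lookup and removal over a csf.deny-style file, comparing the whole IP field rather than a prefix so that 203.0.113.4 is never confused with 203.0.113.45. It assumes the simple "IP # reason" line layout; the sample lines it writes are constructed for the example, in the style of lfd's comments, and are not real server output.

```shell
#!/bin/sh
# Added example (not from the article, PrackHost or CSF): look up and remove a
# single IP in a csf.deny-style file. Assumes the simple "IP # reason" line
# layout; the sample lines below are constructed, not real lfd output.

# Print the reason recorded for IP $2 in file $1 (exit 1 if absent).
# Compares the whole first field, so 203.0.113.4 never matches 203.0.113.45.
csf_deny_reason() {
    awk -v ip="$2" '
        $1 == ip { sub(/^[^#]*# */, ""); print; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Count the entries (non-blank, non-comment lines) in file $1.
csf_deny_count() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Remove only the line(s) whose first field is exactly IP $2 from file $1,
# leaving every other block in place, which is the care the article asks for.
csf_deny_remove() {
    tmp=$(mktemp) || return 1
    awk -v ip="$2" '$1 != ip' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demonstration on constructed data (TEST-NET addresses, made-up timestamps).
demo=$(mktemp)
printf '%s\n' \
    '# constructed csf.deny sample for this example' \
    '203.0.113.45 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.45: 5 in the last 3600 secs - Thu Mar  7 10:12:01 2024' \
    '198.51.100.7 # lfd: (cpanel) Failed cPanel login from 198.51.100.7: 5 in the last 3600 secs - Thu Mar  7 11:40:22 2024' \
    '203.0.113.4 # lfd: (htpasswd) Failed web page login from 203.0.113.4: 5 in the last 3600 secs - Thu Mar  7 12:01:09 2024' > "$demo"
echo "entries before: $(csf_deny_count "$demo")"
echo "why 203.0.113.4: $(csf_deny_reason "$demo" 203.0.113.4)"
csf_deny_remove "$demo" 203.0.113.4
echo "entries after: $(csf_deny_count "$demo")"
rm -f "$demo"
```

On a real server the csf command line, which this article does not cover, offers the same two operations (csf -g IP to search the lists for an IP and csf -dr IP to remove a deny entry) and is safer than editing the live file in place; the functions above are best used on a copy of the file to confirm what will be removed before touching the real one.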
4. Adding a process as safe
Sometimes a process generated by some application (especially if you developed it yourself and it is not a well-known application) can produce a false positive, so that you keep receiving warnings that the application, process or file is suspicious. You will then have to add that process as safe, so that you stop receiving those warnings and the firewall treats it as a trusted execution. To do so, go to the lfd Login Failure Daemon section, choose the option csf.pignore, Process Tracking in the drop-down, click Edit and add the process to the list that appears. To add the new process as safe by its executable, add a new line of the exe: type followed by the absolute path of the program on the server, for example:
exe: /usr/sbin/exim
If you want to add a Linux command as safe:
cmd: commandname process
(Here we only enter the name of the command and its process. Example: cmd: spamd child.) There are other options depending on the type of process we want to add as safe (Perl or cgi files, we can isolate users, etc.). If you have difficulty with the paths or with some files, we recommend that you let us manage it for you.
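The suspicious-process alert from section 1.1 reports a PID, and the csf.pignore entry has to name the executable with an absolute path. The following shell functions are an added example (not from this article, from PrackHost or from the CSF project) that derive an exe: entry from a still-running PID through /proc, check that a candidate line has one of the forms shown above (exe: with an absolute path, cmd: or user: with a name), and append it to a file without duplicating an existing line. The file they write to is a constructed temporary file, not the server's live csf.pignore, and the PID lookup only works while the process is still running.

```shell
#!/bin/sh
# Added example (not from the article, PrackHost or CSF): build and check
# csf.pignore entries of the "exe:/absolute/path", "cmd:command line" and
# "user:name" forms. Works on a constructed temporary file, never on the
# server's live csf.pignore.

# $1 = PID taken from an lfd "Suspicious process" alert. Resolves the running
# executable through /proc and prints the matching "exe:" entry. Fails if the
# PID is not numeric or the process has already exited.
pignore_from_pid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    path=$(readlink -f "/proc/$1/exe" 2>/dev/null) || return 1
    [ -n "$path" ] || return 1
    printf 'exe:%s\n' "$path"
}

# $1 = entry as typed. Trims surrounding whitespace and any spaces after the
# "exe:"/"cmd:"/"user:" prefix, so "exe: /usr/sbin/exim" and
# "exe:/usr/sbin/exim" become identical and duplicate detection works.
pignore_normalize() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' \
                             -e 's/[[:space:]]*$//' \
                             -e 's/^\([a-z]*:\)[[:space:]]*/\1/'
}

# $1 = a normalized candidate line. Exit 0 only for an accepted form;
# "exe:" must carry an absolute path, "cmd:" and "user:" must not be empty.
pignore_check() {
    case "$1" in
        exe:/*)         return 0 ;;
        exe:*)          return 1 ;;
        cmd:?*|user:?*) return 0 ;;
        *)              return 1 ;;
    esac
}

# $1 = pignore-style file, $2 = entry as typed. Normalizes, validates
# (exit 2 on a malformed entry) and appends, skipping exact duplicates.
pignore_append() {
    entry=$(pignore_normalize "$2")
    pignore_check "$entry" || return 2
    grep -qxF -- "$entry" "$1" 2>/dev/null && return 0
    printf '%s\n' "$entry" >> "$1"
}

# Demonstration on a constructed file.
demo=$(mktemp)
pignore_append "$demo" 'exe: /usr/sbin/exim'   # the article's example, with the space
pignore_append "$demo" 'exe:/usr/sbin/exim'    # same entry, skipped as a duplicate
pignore_append "$demo" 'cmd: spamd child'
pignore_append "$demo" 'exe:relative/path' || echo "rejected: exe: needs an absolute path"
echo "entry for this shell: $(pignore_from_pid $$)"
echo "resulting file:"; cat "$demo"
rm -f "$demo"
```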
5. Opening a port as safe
If we need to open a port on our server as safe because some application requires it, we have to add it in the firewall configuration. Click the Firewall Configuration button and look for the TCP_IN and TCP_OUT options to add our port. If we delete any of the ports already configured in this section, all the services of our server may become inaccessible, so we must be extremely careful when adding an additional port.
Bear in mind that the incoming port goes in TCP_IN and the outgoing one in TCP_OUT. We save the new configuration and restart the firewall services from the screen that appears.
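The warning above is that removing an existing port from TCP_IN or TCP_OUT can leave the whole server unreachable, so the safe operation is an append that never touches what is already there. The shell functions below are an added example (not from this article, from PrackHost or from the CSF project) that add a port to one of those lists in a csf.conf-style file only after checking that it is a valid port number and not already present, leaving every other entry and every other line untouched. The configuration fragment they operate on is a constructed temporary file, not the server's live csf.conf; the KEY = "port,port,..." line layout is the one assumed.

```shell
#!/bin/sh
# Added example (not from the article, PrackHost or CSF): append a port to
# TCP_IN or TCP_OUT in a csf.conf-style file without ever dropping an existing
# entry. Assumes the line layout  KEY = "port,port,..."  and works on a
# constructed sample file, never on the server's live configuration.

# Exit 0 if port $3 is already listed under key $2 in file $1. Each
# comma-separated item is compared whole, so "22" does not match "2222".
csf_port_present() {
    awk -v key="$2" -v port="$3" -F'"' '
        $1 ~ ("^" key " *= *") {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == port) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the comma-separated list currently stored under key $2 in file $1.
csf_port_list() {
    awk -v key="$2" -F'"' '$1 ~ ("^" key " *= *") { print $2 }' "$1"
}

# Append port $3 to key $2 in file $1. Refuses unknown keys and non-numeric
# or out-of-range ports (exit 2); a port already present is left as is.
csf_port_add() {
    case "$2" in TCP_IN|TCP_OUT|UDP_IN|UDP_OUT) ;; *) echo "unknown key: $2" >&2; return 2 ;; esac
    case "$3" in ''|*[!0-9]*) echo "port must be numeric: $3" >&2; return 2 ;; esac
    if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then echo "port out of range: $3" >&2; return 2; fi
    if csf_port_present "$1" "$2" "$3"; then return 0; fi
    tmp=$(mktemp) || return 1
    # Rewrite only the matching line, keeping the existing list and appending
    # the new port; every other line is copied through unchanged.
    awk -v key="$2" -v port="$3" -F'"' -v OFS='"' '
        $1 ~ ("^" key " *= *") { $2 = ($2 == "" ? port : $2 "," port) }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demonstration on a constructed csf.conf fragment.
demo=$(mktemp)
printf '%s\n' \
    '# constructed csf.conf fragment for this example' \
    'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"' \
    'TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"' > "$demo"
csf_port_add "$demo" TCP_IN 8443
csf_port_add "$demo" TCP_IN 8443          # second call is a no-op
csf_port_add "$demo" TCP_IN 70000 || echo "rejected: 70000 is not a valid port"
echo "TCP_IN  now: $(csf_port_list "$demo" TCP_IN)"
echo "TCP_OUT now: $(csf_port_list "$demo" TCP_OUT)"
rm -f "$demo"
```

As the article says, the firewall has to be restarted after the configuration is saved for the new port to take effect; on the command line, which this article does not cover, that is csf -r.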
6. Disabling the Firewall temporarily
You can disable the CSF Firewall temporarily if for some reason you need the system not to block connections. This is not recommended, but there may be specific cases where you need to deactivate it. To do so, you only need to click the Firewall Disable option to stop it. To resume the protection, click Firewall Enable. Bear in mind that while the protection is disabled, your server is more easily exposed to attacks.