I have a VPS (Xen powered) where I have installed Debian 7 + ISPConfig + Nginx following this tutorial: http://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3-p3 According to http://configserver.com/cp/csf.html it is possible to use this firewall in Debian 7. My question is: how do I use the CSF firewall in ISPConfig 3? It can be without a UI... just powered by the command line will be good. Any good tutorial to accomplish this?
Try webmin
You could possibly install Webmin, which is compatible with CSF, and hence will have a GUI plugin. I think Webmin can sit alongside ISPConfig without draining resources, although I've never tried both myself. It's something you could experiment with. Install Webmin first, I think: http://www.webmin.com/ then http://configserver.com/free/csf/install.txt Hope that helps.
You can use any firewall with ISPConfig but only Bastille Firewall and UFW in ISPConfig. So as long as you don't activate the firewall in ISPConfig, you can use the csf firewall on your server. Webmin is not required if you want to configure csf on the shell.
If you're happy with the command prompt, simply follow the instructions from here to install:
http://configserver.com/free/csf/install.txt

You can edit /etc/csf/csf.allow in order to add your IP address or range.
You can edit /etc/csf/csf.conf in order to improve security. Try changing some of the following settings (not all will apply to all systems). [I have written with RHEL/CentOS in mind]

Check csf SYSLOG_CHECK option
--------------------------------
nano /etc/csf/csf.conf
Search for "SYSLOG_CHECK" and turn it on, writing something like "600". The 600 means 600 seconds for each check.

Check for DNS recursion restrictions
-------------------------------------
nano /etc/named.conf
In options { add this...
allow-recursion { localnets; };
... and restart server

Check SSH UseDNS
-----------------
You should disable UseDNS by editing
nano /etc/ssh/sshd_config
and setting:
UseDNS no
Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses
/sbin/service sshd restart

Mail Check
-----------
[Check exim for extended logging (log_selector)]
nano /etc/exim.conf
add following line under log_selector = \
+arguments +subject +received_recipients \

PHP Check
---------

Check php for disable_functions
--------------------------------
nano /usr/local/lib/php.ini
or maybe found at /etc/php.ini
search for "disable_functions" and change to...
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

Check php for ini_set disabled
-------------------------------
nano /usr/local/lib/php.ini
[or maybe found at /etc/php.ini]
*** DRUPAL needs ini_set, so I did not add it to disable_functions line above ***

Check php for Suhosin
---------------------
You should recompile PHP with Suhosin to add greater security to PHP

Check VPS FTP PASV hole on some systems
------------------------------------------------------
Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this

Check /tmp is mounted as a filesystem
----------------------------------------
typing
nano /etc/fstab
...add following line...
none /tmp tmpfs nodev,nosuid,noexec 0 0
reboot server

Check /var/tmp is mounted as a filesystem
------------------------------------------
typing
nano /etc/fstab
...add following line...
none /var/tmp tmpfs nodev,nosuid,noexec 0 0
reboot server

Check /dev/shm is mounted noexec,nosuid
-----------------------------------------
typing
nano /etc/fstab
...find the following line...
none /dev/shm tmpfs default 0 0
change to...
none /dev/shm tmpfs noexec,nosuid 0 0
reboot server
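
A read-only audit of the SYSLOG_CHECK, UseDNS and tmpfs mount settings listed in the post above, added here as an example; it is not from the post or from the csf project. The function names are hypothetical, the file paths are the ones the post names, and treating an unset UseDNS as a failure is an assumption.

```shell
#!/bin/sh
# Added example: read-only audit of settings named in the post above.
# Function names are hypothetical; files are passed in so copies can be checked.

csf_value() {  # $1=key $2=csf.conf path; csf.conf lines look like KEY = "value"
    awk -F'"' -v k="$1" '$1 ~ "^[ \t]*" k "[ \t]*=" {v=$2} END {print v}' "$2"
}

check_syslog_check() {  # $1=csf.conf path; 0, empty or non-numeric means off
    v=$(csf_value SYSLOG_CHECK "$1")
    case "$v" in
        ''|0|*[!0-9]*) echo "FAIL SYSLOG_CHECK is off or unset"; return 1 ;;
        *) echo "OK   SYSLOG_CHECK=$v" ;;
    esac
}

check_usedns() {  # $1=sshd_config path
    # Keywords are case-insensitive and the first occurrence wins.
    # Assumption: unset counts as a failure, since the default varies by version.
    v=$(awk 'tolower($1) == "usedns" {print tolower($2); exit}' "$1")
    [ "$v" = "no" ] || { echo "FAIL UseDNS is '${v:-unset}'"; return 1; }
    echo "OK   UseDNS no"
}

check_mount_opts() {  # $1=fstab or /proc/mounts, $2=mount point, $3=required opts
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m {o=$4} END {print o}' "$1")
    [ -n "$opts" ] || { echo "FAIL $2 is not a separate mount"; return 1; }
    for want in $(echo "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "FAIL $2 lacks $want (has: $opts)"; return 1 ;;
        esac
    done
    echo "OK   $2 $opts"
}

audit() {  # $1=csf.conf $2=sshd_config $3=fstab or /proc/mounts
    rc=0
    check_syslog_check "$1" || rc=1
    check_usedns "$2" || rc=1
    check_mount_opts "$3" /tmp nodev,nosuid,noexec || rc=1
    check_mount_opts "$3" /var/tmp nodev,nosuid,noexec || rc=1
    check_mount_opts "$3" /dev/shm noexec,nosuid || rc=1
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit /etc/csf/csf.conf /etc/ssh/sshd_config /proc/mounts
fi
```

Passing /proc/mounts instead of /etc/fstab checks the options actually in effect, which matters before the reboot the post calls for.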
There are many great functions in the newest CSF version 6.4. It allows DDNS hostnames, checks the Apache mod_security log and blocks malicious hackers, plus many good old things! Works with ISPConfig 3!