Tuesday, February 19, 2013

How To Install And Configure Advanced Policy Firewall (APF)

This tutorial explains how to install and configure APF, an interface to IPTables that lets you easily configure a full-featured firewall to secure servers and workstations connected to a network. The guide describes an example installation on a server with cPanel, but the only cPanel-specific part is the list of port numbers that must be open for everything to work; APF can be used on any system.
The makers of cPanel recommend CentOS as the base for their software, which is why I've used this distribution for my example. Any distribution with IPTables will do.
From Advanced Policy Firewall's website:
"Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features."

Installation

We will begin with downloading and extracting the archive with APF:

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-1

and installing it:

sh ./install.sh

After the installation finishes, APF displays the locations of its executable and configuration files, as well as the ports it detected in use on the system. Verify that these port numbers are correct before continuing, to avoid mistakes.

More information about ports used by cPanel can be found here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/LinuxFAQ#Which_ports_should_be_open_if_I


Configuration

APF's basic configuration file is /etc/apf/conf.apf so we edit it like this:

nano -w /etc/apf/conf.apf

The configuration file is well commented, so it is not hard to see which options control which functions. Remember that by default everything is locked down, and you have to configure APF to open the ports you need.

Let's get to work!

DEVEL_MODE="1" - keep this option set to 1 until you are satisfied with the settings.
Development mode installs a cron job that deactivates APF every 5 minutes, so you can set it up on a remote machine without the risk of locking yourself out.

SET_MONOKERN="0" - APF supports monolithic kernels: set this to 1 if IPTables is compiled into the kernel rather than as a module. Otherwise APF complains about IPTables even before any firewall rules are set up, for example: Starting APF:Unable to load iptables module (ip_tables), aborting.

IFACE_IN="eth0" and IFACE_OUT="eth0" - the untrusted interfaces connected to the network, usually the Internet

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports to open

IG_UDP_CPORTS="53,6277" - inbound UDP ports to open

IG_ICMP_TYPES="3,5,11,30" - inbound ICMP types to allow. I've removed types 0 and 8 so the server won't answer pings, which partially hides it on the network. Leave them in place if you or your datacenter rely on ping packets (e.g. for network monitoring).

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. Restricting outbound ports for services such as SSH limits what an intruder who has broken into the system can reach from it, because the compromised server can no longer connect out to other servers on the blocked ports.
EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP ports to open

TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules

UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules

ALL_STOP="DROP" - defines a reaction to any other connections

We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.

BLK_PRVNET="1" - blocks all private IPv4 address ranges. If your machine is behind NAT, set this to 0.

It's worth spending some more time to get familiar with more configuration options as APF is very feature rich.
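Since everything not listed in IG_TCP_CPORTS is dropped once DEVEL_MODE is switched off, it pays to compare that list against the ports actually listening on the host before going live. The following POSIX shell checker is an added example written for this post; it is not part of APF or of the original tutorial. It only assumes the conf.apf key names shown above; the conf fragment and the list of listening ports are constructed samples, and the listening_tcp helper assumes the usual column layout of ss -lnt / netstat -lnt output.

```shell
#!/bin/sh
# Added example (not from the original post or from APF itself): compare the
# TCP ports APF will open (IG_TCP_CPORTS in conf.apf) with the TCP ports that
# are actually listening, so a needed service is not blocked once DEVEL_MODE=0.
# SAMPLE_CONF and SAMPLE_LISTENING are CONSTRUCTED samples for a stand-alone run.

SAMPLE_CONF='DEVEL_MODE="1"
IFACE_IN="eth0"
IG_TCP_CPORTS="20,21,22,25,80,443,2087"
IG_UDP_CPORTS="53"
TCP_STOP="DROP"'

# Constructed: what a real host might report as listening TCP ports.
SAMPLE_LISTENING="22 80 443 3306"

# apf_get KEY CONF_TEXT: print the quoted value of KEY="..." (first match only).
apf_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# missing_ports OPEN_LIST LISTENING: print every listening port that is not in
# the comma-separated OPEN_LIST, one per line. (APF port ranges are not
# expanded here; this example only handles plain port numbers.)
missing_ports() {
    open=",$1,"
    for p in $2; do
        case "$open" in
            *",$p,"*) ;;              # port is opened by APF
            *) printf '%s\n' "$p" ;;  # listening, but would be dropped
        esac
    done
}

# listening_tcp: on a live host, list listening TCP ports (space separated)
# from ss, falling back to netstat. Swap it in for SAMPLE_LISTENING.
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then
        ss -lnt 2>/dev/null | awk 'NR>1 { n=split($4,a,":"); print a[n] }' | sort -un | tr '\n' ' '
    else
        netstat -lnt 2>/dev/null | awk '$6=="LISTEN" { n=split($4,a,":"); print a[n] }' | sort -un | tr '\n' ' '
    fi
}

# check_conf CONF_TEXT LISTENING: print a short report. Always returns 0 so it
# can be called at the top level of a `set -e` script.
check_conf() {
    devel=$(apf_get DEVEL_MODE "$1")
    open=$(apf_get IG_TCP_CPORTS "$1")
    if [ "$devel" = "1" ]; then
        echo "DEVEL_MODE=1: cron flushes the rules every 5 minutes (safe for testing)"
    fi
    echo "IG_TCP_CPORTS: $open"
    missing=$(missing_ports "$open" "$2")
    if [ -n "$missing" ]; then
        echo "Listening TCP ports NOT opened in conf.apf (add them, or confirm they should be blocked):"
        printf '  %s\n' $missing
    else
        echo "All listening TCP ports are covered by IG_TCP_CPORTS"
    fi
}

# Stand-alone run on the constructed samples; on a real server use:
#   check_conf "$(cat /etc/apf/conf.apf)" "$(listening_tcp)"
check_conf "$SAMPLE_CONF" "$SAMPLE_LISTENING"
```

On the constructed sample the report flags port 3306 (MySQL) as listening but absent from IG_TCP_CPORTS. That may well be intended, since a cPanel server rarely needs MySQL reachable from the Internet, but it is exactly the kind of decision you want to make consciously before DEVEL_MODE is turned off rather than discover afterwards.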


Testing

Keeping the DEVEL_MODE option in mind, we start APF like this:

/usr/local/sbin/apf -s

We can use the following parameters:

-s - start APF

-r - restart APF

-f - stop APF

-l - list statistics

-st - status of APF

-a host - allow connections from "host"

-d host - deny connections from "host"

Now we can test our firewall with a port scanner such as nmap, or any other tool. If we run into problems we will still be able to fix them remotely, because cron flushes the rules every 5 minutes while DEVEL_MODE is on.


Final Preparation

Now that we are sure the firewall is working and isn't blocking ports we need, we can set DEVEL_MODE to 0 in the configuration file and restart APF.

Next we make sure APF is started at boot time: using the setup command we go to System Services, tick APF and save the settings. After restarting the system, APF should start automatically.


Links

    CentOS - http://www.centos.org
    Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall
    cPanel - http://www.cpanel.net

Friday, February 15, 2013

Install ConfigServer Apps On A cPanel/WHM Server

ConfigServer provides a range of paid and free applications, including a significantly more advanced firewall, that plug directly into WHM on your cPanel server. These applications are highly recommended for anyone who is serious about the security of their cPanel server: they not only provide enhanced security functionality but also let you easily manage a number of other basic cPanel functions, such as mail settings, mail queues, and a more advanced ModSecurity tool.
Below is a list of the free applications for which we provide simple installation instructions:
  1. CSF - an advanced firewall system built on Linux iptables
  2. Mail Manage - allows you to adjust mail settings, such as hourly limits and email forwarders, on a per-account basis
  3. Mail Queues - easily manage your email queues, with the ability to force-run the queue and delete stuck messages
  4. ModSecurity Control - if you have installed ModSecurity on your cPanel server, this provides an advanced management interface
  5. Explorer - a file system explorer web interface that also lets you run basic shell commands within folders. WARNING: While this utility can be very useful it is also very dangerous indeed. You can easily render your server inoperable and unrecoverable by performing ill-advised actions. No warranty or guarantee is provided with the product that protects against system damage.
NOTE: All of the installations below require you to be logged into SSH as root.
Install ConfigServer Security & Firewall
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Remove installation files:
cd ..
rm -Rfv csf/ csf.tgz
Install ConfigServer Mail Manage
rm -fv cmm.tgz
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmm/ cmm.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/
Install ConfigServer Mail Queues
rm -fv cmq.tgz
wget http://www.configserver.com/free/cmq.tgz
tar -xzf cmq.tgz
cd cmq
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmq/ cmq.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/
Install ConfigServer ModSecurity Control
rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
Remove installation files:
cd ..
rm -Rfv cmc/ cmc.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/
Install ConfigServer Explorer
rm -fv cse.tgz
wget http://www.configserver.com/free/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh
Remove installation files:
cd ..
rm -Rfv cse/ cse.tgz
To uninstall:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt
If you run into any issue with the install, just head over to the ConfigServer forums and you’ll find plenty of people who can assist you.

Tuesday, February 5, 2013

ERROR: SWKeyExFatalError

Errors when trying to open Parallels Plesk Panel

APPLIES TO:
  • Parallels Plesk Panel 9.x for Windows

Symptoms

It is not possible to access Parallels Plesk Panel. Browser displays one of the following errors:

ERROR: SWKeyExFatalError
xmlrpc error: XML parsing failed

0: common_func.php3:4523
of_get_key_by_product(string 'plesk-win')
1: common_func.php3:4523
getPleskKey()
2: common_func.php3:4602
getKeyProp(string 'demo')
3: auth.php3:54

Fatal error: Call to undefined function of_get_key_by_product() in C:\plesk\admin\plib\common_func.php3 on line 4501

It is also not possible to retrieve the key number with the utility keymng.exe, due to an unexpected error:
>"%plesk_bin%\keymng.exe" --get-key-number
Unexpected error


Cause

The above error indicates that the registry.xml file may be corrupted.

Resolution

Check the size of the file %plesk_dir%\admin\repository\registry.xml. If the file is empty (0 KB), delete it.
Once it is deleted, try to access Parallels Plesk Panel again; a new file should be generated automatically.

Monday, February 4, 2013

How to install Linux Malware Detect (LMD)

Maldet, also known as Linux Malware Detect, is a malware scanner for Linux.

Download the tar file using the below link:

    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the archive using the command below:

    tar -xzf maldetect-current.tar.gz

Change into the extracted maldet folder:

    cd maldetect-*

Now run the command below to install maldet (as root, or prefixed with sudo if you are not root):

    sh ./install.sh

It will give the following output:

    Linux Malware Detect v1.3.4
    (C) 1999-2010, R-fx Networks <proj@r-fx.org>
    (C) 2010, Ryan MacDonald <ryan@r-fx.org>
    inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    cron.daily: /etc/cron.daily/maldet

    maldet(32517): {sigup} performing signature update check…
    maldet(32517): {sigup} local signature set is version 2010051510029
    maldet(32517): {sigup} latest signature set already installed


To update maldet itself, and then its signature set, use the commands below:

    maldet --update-ver

    maldet --update

To scan the files.

    maldet -a /home/username/

It will scan all the files and provide you the output.



To scan all users' public_html paths under /home*/, run:

    root@server[~]# maldet --scan-all /home?/?/public_html

To scan the same path, but only the content that has been created or modified in the last 5 days:

    root@server[~]# maldet --scan-recent /home?/?/public_html 5

If you ran a scan but forgot to turn on the quarantine option, you can quarantine all malware results from that previous scan with:

    root@server[~]# maldet --quarantine SCANID

If you want to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you can do so with:

    root@server[~]# maldet --clean SCANID

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

    root@server[~]# maldet --restore config.php.2384
    root@server[~]# maldet --restore /usr/local/maldetect/quarantine/config.php.2384