ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 1

george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Post by george

PART 1: OVERVIEW
PART 2: INSTALL & CONFIGURE
PART 3: SECURITY ADMIN
PART 4: SECURITY EXTRAS

########################
### PART 1: OVERVIEW ###
########################

CONTENT
- INTRODUCTION
- NOTE TO ADMINS
- NOTE TO BEGINNERS
- REQUIREMENTS
- FEATURES: STANDARD
- FEATURES: CUSTOM
- PRECAUTIONS: CSF BLOCKS!

[screenshot: csf homepage]

INTRODUCTION
This is NOT an official KeyHelp guide, and due caution is advised. By proceeding, you agree to full responsibility for your own actions, and your own server. Having said that, help is available here if you get stuck.
KeyHelp comes well secured by default: firewall, fail2ban, anti-virus, anti-spam, and loads of configurations to keep things secure. If you are happy, there is no need to install CSF or any other security software, you are covered by KeyHelp!
For those who want (or need) to push their security that bit further, or those experiencing nasty persistent attacks, or those who just like to learn/experiment - this one is for you.
Read through this guide before doing anything, to make sure it is for you.
I have tried to keep this guide minimal, prompting the user to learn more by reading the config files - there is good information in them.
This guide will cover the basics on how to install, configure, and maintain ConfigServer Security & Firewall on a KeyHelp powered server. The initial install & configure process should take ~30-60 minutes. Further configuration and reading are optional, but recommended.
Any suggestions, corrections or improvements are welcome.

NOTE TO ADMINS
If anything posted here may compromise KeyHelp security, you have my full consent to edit/redact any portion of this post, or the entire post if necessary. Private message me if required. Enjoy the Guide!

NOTE TO BEGINNERS
If you regard yourself as a beginner, in terms of Linux server usage, this guide may not be for you - best to stick with the available KeyHelp server security. As a beginner, I would focus first on securing any web application, especially those running on PHP (see Guide Part 4: Security Extras). Secure .htaccess directives may help, as may configuring Fail2ban to suit; then progress further with knowledge and confidence.
If you are running your own server and take full responsibility, you could have a go at this, it's not too hard. The concepts, at least, should be understood.

REQUIREMENTS
1. Ability to use a Terminal and SSH as root
- necessary to issue commands
2. KeyHelp on Ubuntu 18.04
- Debian should work, you may need to modify paths/regex for logs

FEATURES: STANDARD
All CSF features are available on a KeyHelp powered server - with the exception of some panel-specific features that don't apply. Once the configs here are added, all available features are enabled. Too many to list here...
Features list: https://www.configserver.com/cp/csf.html
Learn more: https://download.configserver.com/csf/readme.txt
LFD is the Login Failure Daemon, which comes installed with CSF.
Includes:
- Login Failure blocking and alerts for:
--- SSH, FTP, SMTP-AUTH, SASL, POP, IMAP
--- APACHE_HTPASSWD, APACHE_403, APACHE_404, APACHE_401
Email notifications are sent for all blocks (optional/recommended)

FEATURES: CUSTOM
These customisations work fine on KeyHelp.
CSF User Interface (UI)
CSF can be configured by command line OR by the CSF User Interface (UI). The CSF UI is accessed using a browser, great for doing quick edits, adding or removing blocks, changing settings, etc. We will configure it for a secure TLS connection with the host's certificate. The CSF UI works 99% ok - it may drop the connection after applying some configs (rarely) - just log in again. For this reason I prefer to do CSF updates from the command line:

Code:

    csf -u
Ports settings
All required ports for services work, including FTPS. The csf.conf included here specifies ports used by KeyHelp. Custom SSH port is automatically recognised and protected upon CSF installation.
CSF Configs
I include copies of csf.conf and other CSF config files (based on mine), so you can get up and running fast and easy. They include informative comments that explain the settings.

Regex
The regex feature is powerful - used to block an IP, based on matching strings found in the log entry. CSF uses perl regex.
I include my best regexes here, for the following protections:
- Mailserver exploits - spammers, scanners, etc. annihilated!
- Host login
- phpMyAdmin login
- Webmail login (Rainloop)
- DNS Zone protection
- Other vhosts exploits and bad requests
- IP access log (CustomLog) for Domains - exploits and bad requests
- PHP and WordPress - common attempts
Email notifications are sent for all blocks (optional/recommended).
* Some of these regexes are pretty tough on blocking. They can be modified or removed individually. See Guide Part 3 - Section: REGEX MODIFY/REMOVE & CREATE

[screenshot: csf.deny]

PRECAUTIONS: CSF BLOCKS!
### IF YOU DON'T UNDERSTAND THESE PRECAUTIONS, DO NOT PROCEED ###
I have aimed to keep the configurations presented here, as safe and generic as possible, to avoid any serious issues. They should work fine with a default install of KeyHelp. If your server setup/usage is unique (customised), you may need to modify the configuration to suit your purpose. The configurations are commented, with the reason behind the settings.
Be aware of the following precautions, to avoid possible loss of access (blocks) or functionality. CSF can and will block anything it is instructed to - even if the instruction given results in unintended consequences. Now for the precautions...

False-positives
With inappropriate settings, undesired blocks may occur, known as false-positives:
- A valid user may get blocked
- A search engine/bot may get blocked
- Your IP address (or subnet) may get blocked - locked out of your own server!
Avoid getting blocked
If you have a static IP address that you connect from, it should be added to csf.allow and csf.ignore, this will guarantee that you never get locked out. For dynamic IP see below.
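The following Python script is an added illustration, not part of this guide, of KeyHelp, or of CSF/lfd itself. It models the two ideas above: the Regex feature (a pattern is run over each log line, the first capture group is the client IP, and an IP that matches a rule more often than its threshold gets blocked) and the csf.ignore precaution (an address or subnet on the ignore list is never blocked, however many matches it produces). The log lines, IP addresses, rule names and thresholds are all constructed for the example, and the patterns use Python's re module, so they are not drop-in CSF Perl regexes.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real server): four sshd auth-log
# entries followed by three Apache access-log entries, in the usual formats.
SAMPLE_LOG = """\
Jan  3 05:53:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan  3 05:53:03 host sshd[1201]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jan  3 05:53:05 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Jan  3 05:53:09 host sshd[1203]: Failed password for george from 203.0.113.5 port 40001 ssh2
Jan  3 05:53:12 host sshd[1203]: Failed password for george from 203.0.113.5 port 40002 ssh2
Jan  3 05:53:15 host sshd[1203]: Failed password for george from 203.0.113.5 port 40003 ssh2
203.0.113.9 - - [03/Jan/2020:05:54:00 +1000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2020:05:54:01 +1000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2020:05:54:02 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Hypothetical rules in the spirit of lfd's log matching: name -> (pattern, threshold).
# Convention used here: the first capture group of each pattern is the client IP.
RULES = {
    "sshd_failed_login": (
        re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+"), 3),
    "apache_404_probe": (
        re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET [^"]*" 404 '), 3),
}

# Stand-in for csf.ignore: the admin's static IP and a trusted office subnet
# (constructed documentation-range addresses). Entries here are never blocked.
IGNORE = [ip_network("203.0.113.5/32"), ip_network("192.0.2.0/24")]


def is_ignored(ip: str) -> bool:
    """True if ip falls inside any ignore-list address or subnet."""
    addr = ip_address(ip)
    return any(addr in net for net in IGNORE)


def scan(log_text: str, rules=RULES):
    """Run every rule over every log line and decide what would be blocked.

    Returns (blocks, skipped): blocks maps IP -> name of the rule whose
    threshold it reached; skipped is the set of IPs that reached a threshold
    but were spared because they are on the ignore list.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for name, (pattern, _threshold) in rules.items():
            m = pattern.search(line)
            if m:
                hits[m.group(1)][name] += 1

    blocks, skipped = {}, set()
    for ip, per_rule in hits.items():
        for name, count in per_rule.items():
            if count < rules[name][1]:
                continue  # below threshold: a single typo does not get anyone blocked
            if is_ignored(ip):
                skipped.add(ip)  # this is what csf.ignore buys you
            else:
                blocks[ip] = name  # lfd would issue a temporary block here
    return blocks, skipped


if __name__ == "__main__":
    blocks, skipped = scan(SAMPLE_LOG)
    for ip, rule in blocks.items():
        print(f"BLOCK  {ip:<15} rule={rule}")
    for ip in sorted(skipped):
        print(f"IGNORE {ip:<15} (matched a rule but is on the ignore list)")
```

In the sample, 198.51.100.7 and 203.0.113.9 reach their thresholds and are blocked, while 203.0.113.5 (the admin's own address, three failed logins) reaches the same threshold but is skipped because it is on the ignore list. Tightening a threshold or loosening a pattern in RULES is exactly how the false-positives described above come about, which is why the admin's static IP belongs on the ignore list before the rules go live.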

User or Search-bot Blocked
If a user or search-bot gets blocked, you can easily unblock them using the CSF UI - under "Temporary IP Entries". It is then wise to modify any relevant settings, to minimize the risk of another false-positive. Major search engine/bots should be fine, lfd process tracking will ignore them based on reverse and forward DNS lookups - see file /etc/csf/csf.rignore.
If you play enough with CSF (and your IP is not in csf.allow/ignore) you may get locked out yourself. In a browser, you will notice the loading icon keeps spinning "Waiting for...". At this point, you are locked out, with no access, even SSH is blocked!

Unblock your IP
- Dynamic IP: If the IP address you are connecting from is a dynamic IP (not static), simply reconnect to your internet service (or restart modem) to get allocated another IP address. You will then have normal access to the server. You could add your subnet/s to csf.allow, but take care with csf.ignore, only add trusted addresses there.
- Static IP: If you have a static IP address that you connect from, it should be added to csf.allow and csf.ignore, this will guarantee you never get locked out. Do this ASAP, otherwise:
If you are locked out, you will need to access your hosting provider's SSH console. Most hosts have this facility. Log in to the hosting SSH console and issue the following command to unblock your IP address (replace "ipaddress" with your real IP):

Code:

    csf -a ipaddress
You will then have normal access to the server. That command adds your IP to csf.allow, to allow access. Then you could remove your IP from the Temporary IP Entries (blocks), by clicking the green button next to your IP entry:

[screenshot: csf temporary ip entries]

Next:
In Part 2, we will install and configure CSF. I have tried to keep it as simple as possible (but detailed), to help you get up and running fast.

##################################
NEXT::: PART 2: INSTALL & CONFIGURE
##################################