ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 3

george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA


Post by george

PART 1: OVERVIEW
PART 2: INSTALL & CONFIGURE
PART 3: SECURITY ADMIN
PART 4: SECURITY EXTRAS

##############################
### PART 3: SECURITY ADMIN ###
##############################

This part of the guide deals with security administration, as related to CSF on a KeyHelp powered server. I have kept it simple, leaving room for further research.

CONTENT
- CURRENT PROTECTIONS
- LOGS WATCHED
- CONFIGURATION CHANGES
- USING THE CSF USER INTERFACE (UI)
- CSF UPDATE
- REGEX MODIFY/REMOVE & CREATE
- UNINSTALL CSF

CURRENT PROTECTIONS
If you followed the instructions in this guide, your current configuration has ALL available protections enabled, plus more...
The custom regex gives greater scope for filtering and blocking. I have included sufficient regexes to cover the most common exploit attempts. Some of them block on the very first hit: a one-hit knockout-punch!

Regex Protection
These are all protected by regex:
- Mailserver exploits - spammers, scanners, etc. annihilated!
- Host login
- phpMyAdmin login
- Webmail login (Rainloop)
- DNS Zone protection
- Other vhosts exploits and bad requests
- IP access log (CustomLog) for Domains - exploits and bad requests
- Wordpress/PHP - common attempts

Included Settings
- PORTFLOOD Protection
- LF_PERMBLOCK - Permanently block IPs
- LF_NETBLOCK - Permanently block IPs by network class
- LF_DIRWATCH - Directory Watching
- LF_DISTATTACK - Distributed Attack Protection
- Port Scan Tracking
Most of the main settings in csf.conf are already configured.

Notifications
All significant notifications are ON by default. This is desirable: even if you don't want to read those emails, it's good to have a record (like a log) of these events. It makes analysis easy, since the IP appears in the Subject line and the offending log entries are included.
Here is an example notification:

Code:

Time:     Wed Mar 16 10:39:20 2020 +1100
IP:       92.125.136.219 (RU/Russia/b-internet.92.125.136.219.snt.ru)
Failures: 1 (smtpaccessdenied)
Interval: 86400 seconds
Blocked:  Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]

Log entries:

Mar 16 10:39:16 host postfix/smtpd[29923]: NOQUEUE: reject: RCPT from b-internet.92.125.136.219.snt.ru[92.125.136.219]: 554 5.7.1 Service unavailable; Client host [92.125.136.219] blocked using zen.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS / https://www.spamhaus.org/query/ip/92.125.136.219; from=<ekizyagcom@market-team.de> to=<m21@domain.com> proto=ESMTP helo=<market-team.de>
It is wise to watch these notifications, in the beginning at least, to make sure there are no false positives.
To keep your Inbox clean of notifications, create another folder under your email Inbox; let's call it lfd:
Email: me@domain.com
├─Inbox
└─lfd
Then create a rule (filter) to redirect lfd emails to that folder.
Match:
Subject begins with: lfd on
Action:
Move message to: lfd

More Notifications
CSF/LFD track a lot more, including changes to system files. When server software or the KeyHelp panel is updated, system files may be changed (updated), and lfd will send a warning email stating that particular system files have changed.
No need to worry; check whether those files were just updated by KeyHelp:
KeyHelp > SYSTEM STATUS > Logs
- serverupdate.log
- panelupdate.log

LOGS WATCHED
Good web/system administrators will keep an eye on logs, as an essential part of the job. Eyeballs on logs are good for noticing system problems, security issues, and potentially dangerous attack attempts. The logs watched by CSF/LFD include standard system logs, and custom logs.
The lists are found in csf.conf under SECTION:OS Specific Settings.
There you can add any log you would like to monitor, as CUSTOM1_LOG to CUSTOM9_LOG (up to 9 logs).
UI
The UI has a feature (button), called "Watch System Logs". This is good for viewing recent entries on various system logs.

CONFIGURATION CHANGES
Main Settings
The CSF main settings are in /etc/csf/csf.conf which can be edited directly, or through the UI - see section below: USING THE CSF USER INTERFACE (UI).
Custom Regex is found in /usr/local/csf/bin/regex.custom.pm which must be edited directly - see section below: REGEX MODIFY/REMOVE & CREATE.
It is recommended to verify settings in those 2 config files - csf.conf & regex.custom.pm - making sure they look ok for your situation.
Other config files
There are other special purpose config files found in /etc/csf, some very interesting - more features!

USING THE CSF USER INTERFACE (UI)
To log in to the CSF UI, enter the following in your browser (replace "host.domain.com" with your hostname):
https://host.domain.com:8080
You arrive at the homepage.

Discover the UI
In the UI, scroll down and look at the buttons on the left. Each one is a feature you can use: changing the configuration, adding a temporary IP entry, adding a permanent block (csf.deny), and so on.
The following are the most commonly used:

Watch System Logs - Watch (tail) various system log files

Firewall Configuration - Edit configuration file (csf.conf) for csf firewall and lfd

Firewall Allow IPs - Edit csf.allow, the IP address allow file

Firewall Deny IPs - Edit csf.deny, the IP address deny file

Temporary Allow/Deny - Temporarily Allow or Deny an IP - can specify ports & duration

Temporary IP Entries - View/Remove the temporary IP entries
Green button = Unblock, Red button = Permanently block

SAVE Changes in UI
After making changes in the UI:
1. Click "Change" button (bottom of page)
- wait while iptables reloads.
2. Click "Return" button (bottom-left of page)
- returns to homepage

Note: When saving changes, you may see a "sanity check" warning about the UI timeout; it can be ignored. The maximum recommended timeout for the UI is 300 seconds. A longer timeout gives you time to work through the settings in the UI without being logged out. The UI timeout is set in "Firewall Configuration" (csf.conf) under SECTION:Integrated User Interface, setting UI_TIMEOUT.

CSF UPDATE
Subscribe to the feed for latest updates
https://blog.configserver.com/?feed=rss2

You can update CSF manually in the UI, or even set it to auto-update.
I prefer to update by command line:

Code:

csf -u
REGEX MODIFY/REMOVE & CREATE
This section is optional. You can do some of it, or none; either way it's worth a read...

Custom Regex
File: /usr/local/csf/bin/regex.custom.pm
All our regexes are in regex.custom.pm, which can only be edited directly.
Open regex.custom.pm and take a look; it explains the structure of the entries, which is also presented below.

The regexes work on the logs entered as CUSTOMx_LOG in csf.conf (SECTION:OS Specific Settings):
CUSTOM1_LOG, CUSTOM2_LOG, CUSTOM3_LOG ... CUSTOM9_LOG

I constructed the custom regexes about 6 weeks ago, and have been improving them since then. They will likely be improved further, and added to. The process involves monitoring the logs, to find log lines that look spurious, then creating a regex to match. Anyone can do it, you just need to know a little Perl regex. Even without regex know-how, it is easy to modify the values to suit.

Here is a typical regex entry, as LFD likes it:

Code:

# SMTP Hostname unknown
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(\S+)\]: 450 4\.7\.25 Client host rejected: cannot find your hostname/)) {
    return ("Client host rejected: hostname not found",$1,"smtphostname","4","","86400","0");
}

Remove Regex
If you want to disable or remove that regex, either delete the entire entry as seen above, or comment out its lines (#). Then save the file and restart lfd - see below: "Restart LFD".
Modify Regex
Notice the above entry contains a line like this:

Code:

return ("Client host rejected: hostname not found",$1,"smtphostname","4","","86400","0");

The quoted "values" in that line can easily be modified to suit.
Change them, save the file, then restart lfd - see below: "Restart LFD".

Here's what each "value" means in order:

Code:

"Client host rejected: hostname not found" = text for custom failure message
$1 = the offending IP address
"smtphostname" = unique identifier for custom rule, must be alphanumeric and have no spaces
"4" = the trigger level for blocking (hits/attempts)
"" = ports to block in a comma separated list, only used if LF_SELECT enabled (""=block all ports)
"86400" = number of seconds to temporarily block, or "1" = permanent IP block
"0" = trigger Cloudflare block if CF_ENABLE is set. "0" = disable, "1" = enable

Create Regex
Creating your own regex is not too hard.
Here are some tips on how:

1. Learn/know a little Perl regex
2. Find the offending log entry you want to match, copy/paste it into a text file
3. Look at current regex entries that are constructed for that same log
4. Use one of those regex entries as a template, copy/paste to your text file
5. Using your text file containing the pasted regex and log entry, and armed with your knowledge of Perl regex, make the appropriate substitutions to the regex so that it matches.
6. Test your regex here: https://regex101.com/
7. If the test passes (the regex matches the log entry), insert your new regex into regex.custom.pm under the section for its log.
8. Regexes with small triggers (hits/attempts) should be matched first: put them at the top of their section.
9. After restarting lfd, go and check the normal functioning of your sites/resources, etc.
10. Monitor logs/notifications to see regex in action.
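A stand-alone harness for steps 5 and 6 above, using the SMTP hostname entry shown earlier, so a regex can be checked against real and spoofed-looking log lines before it goes into regex.custom.pm. This is an added example, not code from the guide or from CSF/lfd: the %config hash, the sub name and the three log lines are constructed for the example.

```perl
#!/usr/bin/perl
# Check an lfd custom regex against sample log lines before editing
# regex.custom.pm. The sub mirrors the "if ... return (...)" shape of a
# regex.custom.pm entry, but it is NOT lfd's own code (constructed example).
use strict;
use warnings;

# Stand-in for lfd's %config; only the key this check needs (assumed path).
my %config = (CUSTOM1_LOG => '/var/log/mail.log');

# The "SMTP Hostname unknown" entry from the guide, wrapped in a sub so it
# can be called with any ($lgfile, $line) pair.
sub smtp_hostname_check {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(\S+)\]: 450 4\.7\.25 Client host rejected: cannot find your hostname/)) {
        return ("Client host rejected: hostname not found",$1,"smtphostname","4","","86400","0");
    }
    return ();
}

# Constructed sample log lines (not real traffic; RFC 5737 test addresses):
my @samples = (
    # 1. genuine reject: should match and capture 203.0.113.7
    'Mar 16 10:41:02 host postfix/smtpd[30111]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<a@example.net> to=<b@domain.com> proto=ESMTP helo=<example.net>',
    # 2. same reject with "[198.51.100.9]" smuggled into the sender address:
    #    the ^ anchor and fixed prefix mean $1 still comes from "RCPT from ...[ip]",
    #    so a crafted envelope sender cannot make lfd block someone else
    'Mar 16 10:41:03 host postfix/smtpd[30111]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<x[198.51.100.9]@example.net> to=<b@domain.com> proto=ESMTP helo=<example.net>',
    # 3. a different 450 reject: must NOT match (no false positive)
    'Mar 16 10:41:04 host postfix/smtpd[30111]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.8]: 450 4.1.8 <a@bad.invalid>: Sender address rejected: Domain not found; from=<a@bad.invalid> to=<b@domain.com> proto=ESMTP helo=<example.org>',
);

# Print what lfd would see: the captured IP, rule id, trigger level, block time.
for my $line (@samples) {
    my @r = smtp_hostname_check($config{CUSTOM1_LOG}, $line);
    if (@r) {
        printf "MATCH    ip=%-15s rule=%s trigger=%s block=%ss\n", $r[1], $r[2], $r[3], $r[5];
    } else {
        print "no match: ", substr($line, 0, 60), "...\n";
    }
}
```

Expected: lines 1 and 2 both report ip=203.0.113.7 and line 3 reports "no match"; if your own regex captures anything from the from=/helo= part of a line, tighten its prefix before installing it.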

Custom Regex Warning
# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's

Restart LFD
For the above reason, after updating regex.custom.pm you must restart lfd so that it loads the new entries...

Code:

service lfd restart
service lfd status
...and make sure it's running ok:

Code:

root@host:~# service lfd status
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-03-15 18:08:58 AEDT; 2s ago
  Process: 5148 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 5187 (lfd - sleeping)
    Tasks: 2 (limit: 4660)
   CGroup: /system.slice/lfd.service
           ├─5187 lfd - sleeping
           └─5196 lfd UI

Mar 15 18:08:58 host.domain.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Mar 15 18:08:58 host.domain.com systemd[1]: Started ConfigServer Firewall & Security - lfd.
Error?
If you see errors, restart lfd and check again. If the error remains, there is certainly a mistake in your regex entries.
Check the recent edits you made and fix them, or remove them one by one, then restart and check again.
Status 400 errors
Take care with the regexes that match status 400 errors: they block a lot, so make sure they suit your web applications. For websites running WordPress, no changes are needed; the included regexes work fine.

UNINSTALL CSF
Not happy with the changes?
Removing CSF/LFD is easy, and afterwards you can re-enable the KeyHelp firewall and fail2ban:
1. Uninstall

Code:

cd /etc/csf
sh uninstall.sh
2. Enable the KeyHelp firewall
- Navigate to: KeyHelp > SECURITY > Firewall
- Click "Settings" button (top-right of page)
- Check the following setting:
Load on server startup [_] <--Check
- Click "Save"
Next time the server boots, it will be loaded.
3. Enable fail2ban

Code:

systemctl enable fail2ban

If you like CSF, and want to go further...

Next:
In Part 4, Security Extras, we will look at additional security measures to complement CSF.
Part 4 is OPTIONAL, but recommended, to complete the picture...

###############################
NEXT::: PART 4: SECURITY EXTRAS
###############################