ConfigServer Firewall on KeyHelp - is this of interest?
Posted: Fri 14. Feb 2020, 15:19
Hello all,
I was thinking of posting a guide for ConfigServer Firewall (CSF) on KeyHelp - it will be big. I noticed that Fail2ban is much loved in the KeyHelp community, but I could find very little on CSF in the forum. If there is interest here, I will post a guide, as I managed to get it working pretty well. My intention is to document, contribute, improve security awareness, and to present ideas for KeyHelp administrators.
CSF works on KeyHelp
Having previously used and loved CSF, I just had to give it a run on KeyHelp. After a bit of experimentation, all the good features of CSF were running on the server, in sweet harmony with KeyHelp.
CSF UI
CSF Ports Listening
Why?
I guess that most people here would ask: "Why use CSF, we have Fail2ban!?"
My first-time experience with Fail2ban has been while using KeyHelp. ON by default, I did use it, then configured jails and regex in filters. Fail2ban does a good job.
BUT, CSF can do the same job, plus a whole lot more!
Check the features: https://configserver.com/cp/csf.html
CSF Blocks more offenders
There are far more blocking triggers available with CSF, so more spammers and exploits can be blocked by the firewall. The more of these that get blocked, the less load there is on the server, which in turn leads to better performance. It is far more efficient to just DROP the connection than to go through all the processing. It is better in terms of security too, as offenders get fewer opportunities for exploits. As an added bonus, now my mail.log stays pretty clean, mostly consisting of legitimate emails and connections.
CSF Watch Logs
Fail2ban with CSF
I initially ran Fail2ban WITH CSF, which was ok, but there were enough quirks to bother me. So I decided to shift all functionality to CSF. With appropriate configuration, and by using custom regex, I was able to do it. I could then disable Fail2ban, which was no longer needed.
CSF UI on KeyHelp
Some web control panels have their own integrated UI for CSF, but not KeyHelp (yet). On KeyHelp, CSF can be configured by command line - OR - there is a generic UI that can be activated - and it works pretty well, including a TLS 1.3 secured connection using the host's SSL certificate!
CSF Functionality
In brief, this is some of the functionality achieved:
- CSF installed and configured for high security.
- CSF UI configured and working 99%.
- All required ports (and custom ports) for services working, including FTPS.
- Login Failure blocking and alerts for:
--- SSH, FTP, SMTP-AUTH, SASL, POP, IMAP
--- APACHE_HTPASSWD, APACHE_403, APACHE_404, APACHE_401
--- KEYHELP-HOST-AUTH, PHPMYADMIN-AUTH, and WEBMAIL-AUTH with Rainloop!
### Some of these were done with custom regex, and they all work. The KEYHELP-HOST-AUTH I have questions about, but it seems to work ok.
Details and much more to be covered in the guide. All questions are welcome.
What do you think, is this of interest?