ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 2

Discussions about the usage of KeyHelp.
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA


Post by george »

PART 1: OVERVIEW
PART 2: INSTALL & CONFIGURE
PART 3: SECURITY ADMIN
PART 4: SECURITY EXTRAS

##################################
### PART 2: INSTALL & CONFIGURE ###
##################################

CONTENT
- EASY SETUP
- INSTALLATION: CSF
- TEST
- CSF USER INTERFACE (UI): SETUP
- SSL CERTIFICATE
- COUNTRY CODES & BLOCKLISTS: IPSET (optional)
- CUSTOM CONFIGS: DOWNLOAD & ADD
- CUSTOM CONFIGS: PERSONALISE
- IP ACCESS LOG (optional/recommended)
- RAINLOOP LOG
- TESTING = "1"
- ACTIVATE CONFIGS
- ACCESS CSF UI
- CLEAN UP

EASY SETUP
Estimated Time Required: ~ 30-60 minutes
Optional: allow more time for reading config files
This installation & configuration of CSF has been tailored to suit KeyHelp. Reading all the CSF documentation/comments can take forever, then the trial and error...
This guide makes things much easier, as I have already preconfigured everything with safe defaults. All main configs are included here, for download and easy setup!

INSTALLATION: CSF
https://download.configserver.com/csf/install.txt

Install CSF
Installation is quite straightforward.
Open a Terminal as root, and keep it open.
Issue these commands to install CSF:

Code: Select all

cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

TEST
Next, test whether you have the required iptables modules, they should all show OK:

Code: Select all

perl /usr/local/csf/bin/csftest.pl

CSF USER INTERFACE (UI): SETUP
Install the following, which are required to run the User Interface (UI) and related functions.

Code: Select all

apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl liblwp-protocol-https-perl

SSL CERTIFICATE
CSF UI connection should use TLS with the host's certificate. We will add the certificate to CSF, using the following commands (replace "host.domain.com" with your hostname):

Code: Select all

cp /etc/ssl/keyhelp/letsencrypt/keyhelp/host.domain.com/cert.pem /etc/csf/ui/server.crt
cp /etc/ssl/keyhelp/letsencrypt/keyhelp/host.domain.com/private.pem /etc/csf/ui/server.key
To make sure the certificate remains valid (after a certificate update), we will add those 2 commands as cronjobs, to run just after the Letsencrypt update. I run them at 1.02am every day.
Add the 2 commands as cronjobs here:
KeyHelp > SETTINGS > Configuration > Scheduled tasks

COUNTRY CODES & BLOCKLISTS: IPSET (Optional)
http://ipset.netfilter.org/
To complete the installation side of things, this is the last one, and it is optional.
If you intend to block or allow IPs based on Country Codes (CC) or blocklists (csf.blocklist), which are long lists of IP addresses, it is recommended to install IPSET to improve performance.
"Using ipset moves the onus of ip matching against large lists away from iptables rules and to a purpose built and optimised database matching utility. It also simplifies the switching in of updated lists"
Install IPSET

Code: Select all

apt-get install ipset
Then ensure the following is set in /etc/csf/csf.conf: LF_IPSET = "1"

CUSTOM CONFIGS: DOWNLOAD & ADD
The CSF configuration files reside in the directory /etc/csf
1. Download the custom config files attached to this post (below)
2. Extract the files (uncompress)
3. Copy the file "regex.custom.pm" to /usr/local/csf/bin/regex.custom.pm
4. Copy all the rest (incl. /ui/ui.allow) to /etc/csf directory
- alternately, you could copy/paste the text, and gain a better understanding.

CUSTOM CONFIGS: PERSONALISE
Include details specific to you:
1. Add your IP address or subnet/s to /etc/csf/ui/ui.allow
- only addresses in ui.allow are allowed access to UI login
2. Add your IP address or subnet/s to /etc/csf/csf.allow
- this should always allow you access
3. Add your IP address or trusted subnet/s to /etc/csf/csf.ignore
- this will prevent LFD from ever blocking you; take care as any address added to ignore, will never get blocked - add trusted IPs only!
4. Add a username and password, anything you like, you will be logging in to CSF UI using these details.
-- Open /etc/csf/csf.conf
-- Scroll down to SECTION:Integrated User Interface
-- Find the following 2 entries and edit to include your details:

Code: Select all

UI_USER = "ADD-Username-here"
UI_PASS = "ADD-PASSWORD-here"

IP ACCESS LOG (optional/recommended)
The default access.log for Domains uses the client hostname - if available - in the first field; otherwise IP address is used. The hostname can be spoofed, so for our purposes it is preferable to use the IP address.
I decided to setup a CustomLog with the desired format, that would log access to any Domain. The only side effect noticed, is the Apache Status page in KeyHelp, now only shows IP addresses (no hostnames) - I can live with that. For more information on logging, see Guide Part 3 - Section: LOGS WATCHED.
This CustomLog is optional, highly recommended, and used to effectively block exploits on domains.

Create log
Create the log file, with correct owner/permissions:

Code: Select all

cd /var/log/apache2/keyhelp
touch ipaccess.log
chmod 640 ipaccess.log
chown root:adm ipaccess.log

This log is already enabled in csf.conf as CUSTOM7_LOG.
As a bonus, KeyHelp rotates this log for us.

CustomLog to Apache settings
Next, we need to include in Apache settings our CustomLog directive.
Add the CustomLog directive (below) to "Apache settings", on each Domain you want to monitor.
KeyHelp > DOMAINS > Domains / Edit domain > Apache settings
# Additional Apache directives:

Code: Select all

<IfModule mod_logio.c>
CustomLog "${APACHE_LOG_DIR}/keyhelp/ipaccess.log" "%a %v %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O"
</IfModule>

RAINLOOP LOG
If you use Rainloop for Webmail, let's enable auth logging for it. This is to monitor Rainloop logins, and then block abusers.

Edit: /home/keyhelp/www/rainloop/data/_data_/_default_/configs/application.ini

Make these changes in application.ini:

Code: Select all

...
[logs]
; Enable logging
enable = On
...
;NOTE: Replace X with your timezone offset from GMT (+or-)
time_offset = "X"
...
; Enable auth logging in a separate file (for fail2ban)
auth_logging = On
auth_logging_filename = "webmail-auth.log"
Save the file.

As I remember, the webmail-auth.log will be created upon the next Rainloop login attempt. Check to make sure it resides at:
/home/keyhelp/www/rainloop/data/_data_/_default_/logs/webmail-auth.log

If not, just create it like we did the custom log:

Code: Select all

cd /home/keyhelp/www/rainloop/data/_data_/_default_/logs/
touch webmail-auth.log
chmod 640 webmail-auth.log   # 640 rather than 644: the log holds usernames and client IPs, and lfd reads it as root anyway
chown keyhelp:keyhelp webmail-auth.log

Note: The Rainloop config "application.ini" is watched by CSF Directory Watch; included in /etc/csf/csf.dirwatch
After an update, the file may change, you will be notified. Then Rainloop configs (application.ini) may need to be edited again as above. The webmail-auth.log remains untouched.

TESTING = "1"
Before we restart the services (to activate), CSF recommends enabling "Testing" mode, in case of configuration problems when you start CSF - in which case, just reboot. I never bother with this, but if you are cautious...

Edit: /etc/csf/csf.conf

Modify the first setting to:

Code: Select all

TESTING = "1"
Save the file.

Note: LFD will not start while testing is enabled.
When you are ready, go back to SET TESTING = "0"

ACTIVATE CONFIGS
Now the install and configs are done, let's make them active:

Code: Select all

apachectl configtest   # verify the added CustomLog directives before restarting Apache
service apache2 restart
service csf restart
service lfd restart
service lfd status

Make sure LFD is running OK.

Code: Select all

root@host:~# service lfd status
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-03-15 18:08:58 AEDT; 2s ago
  Process: 5148 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 5187 (lfd - sleeping)
    Tasks: 2 (limit: 4660)
   CGroup: /system.slice/lfd.service
           ├─5187 lfd - sleeping
           └─5196 lfd UI

Mar 15 18:08:58 host.domain.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Mar 15 18:08:58 host.domain.com systemd[1]: Started ConfigServer Firewall & Security - lfd.

Everything is mostly done.
Now go ahead and login to the UI, then take a look around.

ACCESS CSF UI
To login to CSF UI, enter into browser (replace "host.domain.com" with your hostname):
https://host.domain.com:8080

csf ui login (screenshot)

csf homepage (screenshot)

For more on UI usage, see Guide Part 3: Section: USING THE CSF USER INTERFACE (UI)

CLEAN UP
Any time you feel happy that everything works OK...

Disable fail2ban & KeyHelp firewall (recommended)
After full setup and testing, these should be disabled as they are no longer required, and may cause conflict.
CSF recommends "You should not run any other iptables firewall configuration script."
CSF also does the job of fail2ban, so it's now redundant.

Disable KeyHelp firewall
This is simple, and easily reversible.
1. Navigate to:
KeyHelp > SECURITY > Firewall
2. Click "Settings" button (top-right of page)
3. Uncheck the following setting:
Load on server startup [_] <--Uncheck
4. Click "Save"
- Next time the server boots, it won't be loaded.

Disable Fail2ban
One easy command:

Code: Select all

systemctl disable --now fail2ban   # --now also stops the instance that is currently running

Looking ahead, we should modify the fail2ban log rotate setting, or the system will try to rotate an empty log.

Edit: /etc/logrotate.d/fail2ban
- it contains a list of directives

1. Insert the following line to top of that list:

Code: Select all

    notifempty

2. Save the file

The top of the file, should look like this:

Code: Select all

/var/log/fail2ban.log {
   
    notifempty
    weekly
    rotate 4
    compress
...

Now it's all done! Next is fine tuning...

Next:
In Part 3 Security Admin, we look at security administration, as related to CSF on a KeyHelp powered server. This includes CSF usage, UI, customisations, logs, regex, etc...


#############################
NEXT::: PART 3: SECURITY ADMIN
#############################
Attachments
etc-csf.tar.gz (37.85 KiB)
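Renewing the UI certificate automatically, as described in the SSL CERTIFICATE section of the guide above. This is an added example, not code from the original post, from KeyHelp or from CSF: it assumes the source directory quoted in the guide (with "host.domain.com" as a placeholder), the /etc/csf/ui destination, and that lfd (which serves the UI) must be restarted to read the replaced files. It locks down the private key and restarts lfd only when a file actually changed, so the daily cron run is a no-op between renewals.

```shell
#!/bin/sh
# Added example, not code from the original post or from CSF/KeyHelp: copy the
# certificate KeyHelp renews into the files the CSF UI reads, lock down the
# private key, and restart lfd only when a file actually changed. The source
# directory is the one quoted in the guide; "host.domain.com" is a placeholder.

# sync_csf_ui_cert SRC_DIR DST_DIR
#   prints "changed" or "unchanged"; returns non-zero if a source file is unreadable
sync_csf_ui_cert() {
    src="$1"
    dst="$2"
    changed=0
    for pair in "cert.pem:server.crt" "private.pem:server.key"; do
        from="$src/${pair%%:*}"
        to="$dst/${pair##*:}"
        if [ ! -r "$from" ]; then
            echo "sync_csf_ui_cert: cannot read $from" >&2
            return 1
        fi
        # cmp -s is quiet and fails when $to is missing or differs from $from
        if ! cmp -s "$from" "$to" 2>/dev/null; then
            cp "$from" "$to"
            changed=1
        fi
    done
    # the key must never be world-readable; the certificate is public anyway
    chmod 600 "$dst/server.key"
    chmod 644 "$dst/server.crt"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dst/server.key" "$dst/server.crt"
    fi
    if [ "$changed" -eq 1 ]; then
        echo changed
    else
        echo unchanged
    fi
}

# Cron entry point (run it just after KeyHelp's Let's Encrypt renewal):
# restart lfd, which serves the UI, only when the files were replaced.
refresh_csf_ui_cert() {
    state=$(sync_csf_ui_cert "$1" "${2:-/etc/csf/ui}") || return 1
    if [ "$state" = "changed" ]; then
        systemctl restart lfd
    fi
    echo "$state"
}

# Usage: sh csf-ui-cert.sh /etc/ssl/keyhelp/letsencrypt/keyhelp/host.domain.com
if [ "$#" -ge 1 ]; then
    refresh_csf_ui_cert "$@"
fi
```

Point a single KeyHelp scheduled task at this script instead of the two bare cp commands; it is safe to run every day because nothing is restarted unless the certificate or key content differs from what the UI already has.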
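A pre-flight check for the CUSTOM CONFIGS: PERSONALISE and TESTING steps above, written as an added example (not part of the original post or of CSF). Locking yourself out is the classic failure when a firewall goes live, so before running the ACTIVATE CONFIGS commands it confirms that the address you will administer from appears in ui/ui.allow, csf.allow and csf.ignore, that UI_USER and UI_PASS are no longer the placeholders, and warns if TESTING is still "1". The file names and placeholders are the ones from the guide; only plain "address" and "address/prefix" lines are recognised, CSF's extended "tcp|in|d=port|s=ip" syntax is not parsed.

```shell
#!/bin/sh
# Added example, not from the original post or from CSF: a pre-flight check to
# run before activating CSF, so the admin address is in every list the guide
# says it must be in and the UI credentials are not still the placeholders.

# csf_preflight CSF_DIR ADMIN_ADDR  -> returns 0 when every check passes
csf_preflight() {
    csfdir="$1"
    admin="$2"
    rc=0
    # escape the dots so 203.0.113.7 does not also match 203x0x113x7
    esc=$(printf '%s' "$admin" | sed 's/[.]/\\./g')
    for f in ui/ui.allow csf.allow csf.ignore; do
        # a matching line is the address, optionally /prefix, then end of line,
        # whitespace or a "# comment"
        if ! grep -Eq "^[[:space:]]*${esc}(/[0-9]+)?([[:space:]#]|$)" "$csfdir/$f"; then
            echo "FAIL: $admin is not listed in $f"
            rc=1
        fi
    done
    conf="$csfdir/csf.conf"
    if grep -Eq '^UI_USER *= *"ADD-Username-here"' "$conf"; then
        echo "FAIL: UI_USER is still the placeholder in csf.conf"
        rc=1
    fi
    if grep -Eq '^UI_PASS *= *"ADD-PASSWORD-here"' "$conf"; then
        echo "FAIL: UI_PASS is still the placeholder in csf.conf"
        rc=1
    fi
    if grep -Eq '^TESTING *= *"1"' "$conf"; then
        echo "WARN: TESTING is \"1\": lfd will not start and cron clears the rules every TESTING_INTERVAL minutes"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $admin is allowed, ignored and permitted to reach the UI; credentials are set"
    return "$rc"
}

# Usage: csf_preflight /etc/csf 203.0.113.7 && service csf restart
```

Run it with the address of the machine you are sitting at; a non-zero exit means at least one of the three lists would not protect that address from LFD, or the UI would still accept the placeholder login.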
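Reading the ipaccess.log format from the IP ACCESS LOG section above: an added example (not from the original post) that counts 4xx responses per client address and lists the ones that reach a threshold. LFD does this continuously through the custom regex; running the tally by hand confirms that the CustomLog really writes %a as the first field and quotes the request, Referer and User-Agent, which is the shape a regex keyed on the first field needs. The sample lines are constructed for the example, using documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: tally 4xx responses per client IP
# in the ipaccess.log format the guide defines and list the IPs that reach a
# threshold. Field layout of that format:
#   %a %v %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O
# Splitting on the double quote keeps the request and User-Agent intact even
# though they contain spaces (Apache escapes embedded quotes as \", rare
# enough to ignore here).

# suspect_ips LOGFILE [THRESHOLD]  -> lines of "ip count", one per offending IP
suspect_ips() {
    logfile="$1"
    threshold="${2:-5}"
    awk -F'"' -v min="$threshold" '
        NF >= 7 {
            split($1, pre, " ")      # pre[1] = %a (client IP), pre[2] = %v
            split($3, post, " ")     # post[1] = %>s (status), post[2] = %b
            ip = pre[1]
            status = post[1]
            if (status ~ /^4[0-9][0-9]$/) hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) printf "%s %d\n", ip, hits[ip]
        }
    ' "$logfile" | sort
}

# Constructed sample lines in the ipaccess.log format (RFC 5737 documentation
# addresses, not real traffic), so the tally can be exercised offline.
sample_ipaccess_log() {
    cat <<'EOF'
203.0.113.5 example.com - - [15/Mar/2020:18:08:58 +1100] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0" 430 560
203.0.113.5 example.com - - [15/Mar/2020:18:08:59 +1100] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0" 430 560
203.0.113.5 example.com - - [15/Mar/2020:18:09:00 +1100] "POST /admin HTTP/1.1" 403 199 "-" "curl/7.64.0" 210 380
198.51.100.7 example.com - - [15/Mar/2020:18:09:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 430 5600
198.51.100.7 example.com - - [15/Mar/2020:18:09:02 +1100] "GET /missing HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0" 430 560
EOF
}

# Usage on a live server: suspect_ips /var/log/apache2/keyhelp/ipaccess.log 10
# Offline demo:
#   sample_ipaccess_log > /tmp/ipaccess.sample && suspect_ips /tmp/ipaccess.sample 3
```

If the tally shows hostnames or "-" in the first column instead of addresses, the directive was not applied to that domain (or mod_logio is missing, in which case the IfModule guard silently drops the whole CustomLog) and LFD will have nothing to block on.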
majorboobage
Posts: 37
Joined: Thu 26. Jul 2018, 08:51

Re: ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 2

Post by majorboobage »

Thank you

one note:
Disable KeyHelp firewall
There is no such setting. And as far as I remember for a long time.
Enigma
Posts: 258
Joined: Thu 2. Aug 2018, 19:18

Re: ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 2

Post by Enigma »

majorboobage wrote: Mon 20. Apr 2020, 11:18
one note:
Disable KeyHelp firewall
There is no such setting. And as far as I remember for a long time.
This is just a heading. Below it, there are instructions on how to achieve it, and it works quite well.

Cheers
Jan
george
Posts: 87
Joined: Fri 3. Jan 2020, 05:53
Location: AUSTRALIA

Re: ConfigServer Security & Firewall (CSF) on KeyHelp - GUIDE: PART 2

Post by george »

UPDATE May 2022
This update to configuration applies to Debian 11 (Bullseye), which I recently installed on server with latest Keyhelp 22.

Because the "nftables" framework is the default, not the standard iptables, the few steps below are required to disable the Keyhelp firewall setup and properly activate the CSF Firewall. Install CSF as per instructions above, then...

Check nftables is active:

Code: Select all

systemctl status nftables
This should be disabled when Keyhelp firewall is disabled. Then masked so it won't load at boot. iptables (legacy) will be used by CSF/LFD.

Disable Keyhelp firewall in control panel:
- Menu > Security > Firewall
- Status: Firewall is enabled > Click button > Firewall is disabled

Mask nftables to prevent at boot:

Code: Select all

systemctl mask nftables

Update alternatives to iptables (legacy):

Code: Select all

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
source: https://wiki.debian.org/iptables


CSF Firewall:

Code: Select all

systemctl enable csf
systemctl enable lfd

Check iptables status:

Code: Select all

iptables -L -v

IPSET (optional):
- I set LF_IPSET_HASHSIZE = 4096 in csf.conf to optimize for bigger sets.


Restart/Reload CSF & LFD:

Code: Select all

csf -ra

Done!