Pages

Thursday, November 29, 2012

Config-Server-Firewall

Installing CSF---config-server-firewall


Downloading the Packages

--------------->wget http://www.configserver.com/free/csf.tgz
--------------->tar zxvf csf.tgz

--------------->cd csf

This is where the paths diverge: cPanel server, or non-cPanel server.

--------------->./install.cpanel.sh

If you are running a non-cpanel redhat server:

--------------->./install.sh

---------------> /etc/init.d/csf restart


First run following command that you have all the required iptables modules available for running CSF full. Don’t worry if you cannot run all the features, so long as the script doesn’t report any FATAL errors
[root@desk csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
RESULT: csf should function on this server
Looks 100% OK.


Here are the most common commands you will be using:

csf -d IPADDRESS will deny an IP.
csf -a IPADDRESS will allow an IP.
csf -r will reload all rules.
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list


---------------------------
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = "1"

Edit the last line of that block of text so that it reflects testing being disabled:
TESTING = "0"

Finally, restart CSF:
---------------------------


More about csf
##############################
Now edit the /etc/csf/csf.conf
Put your all ports which you want to be open on your server for incoming traffic seperated by comma.
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995″
Also open any port you want for outgoing traffic
TCP_OUT = “20,21,22,25,53,80,110,113,443″
Same goes for UDP_IN and UDP_OUT, be remember if you are running DNS service, so you have to open port 53 in UDP_IN as DNS port 53 runs on udp rather than tcp
UDP_IN = “20,21,53″
To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123,33434:33523″
#############################
SYNFLOOD protection is already enabled and if you want to change the RATE or BURST value you can use following lines to match your traffic.
SYNFLOOD = “0″
SYNFLOOD_RATE = “100/s”
SYNFLOOD_BURST = “150″
currently the RATE is 100/s and BURST can upto 150. This can be varry from server to server.
i.e. if 100 connections are received from an IP/sec for 150 times, block it. Make sure don’t keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections.
############################
Search for “PORTFLOOD”
PORTFLOOD = “80;tcp;20;300″
This rule will block IPs that connects to port 80 via TCP more than 20 times within 300 seconds.  Once the attack is normal then remove this rule from the csf firewall.
############################
# To disable this feature, set this to 0
CT_LIMIT = Default: 50 (means 50 connections per ip address)
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = Default: 30
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = Default: 1
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = Default: 0
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = Default: 1800
# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1″
CT_SKIP_TIME_WAIT = Default: 0
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES =
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80,443″
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = 80,443
############################
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20" means:
1. Only allow up to 5 concurrent new connections to port 22 per IP address
2. Only allow up to 20 concurrent new connections to port 80 per IP address
Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections
############################
If you want to add some spam protection, CSF can help. Look in the configuration for the following:
LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.
LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.
Define email address to which you need to get alerts and define email address to which you want to get.
LF_ALERT_TO = “snipped@google.com”
LF_ALERT_FROM = “csf@google.com”
###########################

Gstreamer-ffmpeg Packages for rhel

1. Download the latest atrpms-repo rpm from

http://dl.atrpms.net/el6-x86_64/atrpms/stable/

2. Install atrpms-repo rpm:

# rpm -Uvh atrpms-repo*rpm

3. Install gstreamer-ffmpeg rpm package:

# yum install gstreamer-ffmpeg

[fusion]
name=fusion
baseurl=http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/
enabled=1
gpgcheck=0

[atrpms]
name=atrpms
baseurl=http://dl.atrpms.net/el6-x86_64/atrpms/stable/
enabled=1
gpgcheck=0

Tuesday, November 27, 2012

Creating a Certificate Authority OR Self Signing

To create the private Certificate Authority we could make one as below..
How the whole thing works

1.First create Certificate Authority with needed credentials as per needed certificate details.To sign a certificate signing request the authority must have a certificate with same credentials as that of certificate signing request . so after configuring /etc/pki/tls/openssl.cnf with needed credential we need to create a private key and a certificate in the certificate authority

2.create the private key and certificate signing request at client side as per needed credential.

3.scp the certificate signing request csr from the client to the server which is the certificate authority and sign the csr with the certificate authority and get the certificate and send the certificate back to client


Signing of the certificate will be successful only if the the credentials in the certificate authorities certificate and that in certificate signing request matches

Packages needed are openssl*

1.
In server where we need to create the certificate authority

cd /etc/pki/tls/openssl.cnf
In that file we need to change the following as per out need
#######
dir             = /etc/pki/CA ----------------------> root directory of Certificate  authority
certificate     = $dir/my-ca.crt  ------------------> Certificate of the CA which is used to check against the csr
crl             = $dir/crl.pem    ------------------> certificate revocation list if the certificate is compromised
private_key     = $dir/private/my-ca.key -----------> private key of Certificate authority used to create the CA's certificate

#######Basic Credentials that should be same in both csr and the certificate in CA

stateOrProvinceName_default     = North Carolina
localityName_default            = Raleigh
0.organizationName_default      = Example, Inc.

#######There are more credentials which are used in certificate creation

#######Make the needed directories in CA

mkdir /etc/pki/CA/{cert,crl,newcerts}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

NOW Creating the CA's private key and CERTIFICATE in corresponding places

cd /etc/pki/CA

openssl genrsa -out private/my-ca.key -des3 2048
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt



2.
Creating privet key and Certificate Signing Request at client side
Creating private key

openssl genrsa -out private.key -des3 2048

Creating certificate sigining request with private key

openssl req -new -key private.key -out certificate.csr

here you will be asked for needed credentials ..Remember if the credentials are different in csr and ca the signing will be failure



3
With certificate.csr in Certificate Authority server we can sign the certificate

openssl ca -in certificatecsr.csr -out certificate.crt

here the ca implies that it will use the configuration from /etc/pki/tls/openssl.cnf to sign the signing request.

Or the other way is to self sign as follow after creating the private key and csr we could do self signing as follows

openssl  x509 -req -days 365 -in  certificate.csr -signkey private.key -out certificate.crt