HowtoForge Forums > ISPConfig 2 > Tips/Tricks/Mods

#21  4th January 2007, 07:45
smartcall (Senior Member)
subdirectory and the file gone

The howto is good and working, but at some point ISPConfig deleted the subdirectory and the post-rule-setup.sh file.

Most probably after the upgrade from 2.2.8 to 2.2.9

Regards,

Apostol

#22  5th January 2007, 15:44
falko (Super Moderator)

During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory, that's why the subdirectory is missing now.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#23  26th April 2008, 21:49
tal56 (Member)

Quote:
Originally Posted by falko
During an update ISPConfig renames /etc/Bastille to /etc/Bastille_somedate and creates a new /etc/Bastille directory, that's why the subdirectory is missing now.

Sorry to drag up an old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However, it would seem from Falko's comments here that if I do it this way, then after each upgrade I have to fix the firewall again?

I also have Webmin installed on a development server alongside ISPConfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPConfig firewall to the Webmin-managed one; then you can edit the Webmin one from there. I've tested it and it seems OK. Is there any problem with using it this way instead? Of course I did turn off the ISPConfig firewall in Services after I'd converted it. But it seems that after this is done, I can upgrade ISPConfig without having to redo the firewall additions each time?

Thanks

#24  27th April 2008, 19:48
falko (Super Moderator)

Quote:
Originally Posted by tal56
Sorry to drag up an old thread, but I would like to add some rules to the firewall, such as IP blocking and stuff. However, it would seem from Falko's comments here that if I do it this way, then after each upgrade I have to fix the firewall again?
Yes.

Quote:
Originally Posted by tal56
I also have Webmin installed on a development server alongside ISPConfig, and when I go to edit the firewall in there, it gives me the option of converting the existing ISPConfig firewall to the Webmin-managed one; then you can edit the Webmin one from there. I've tested it and it seems OK. Is there any problem with using it this way instead? Of course I did turn off the ISPConfig firewall in Services after I'd converted it. But it seems that after this is done, I can upgrade ISPConfig without having to redo the firewall additions each time?
I think this is ok as long as you tell ISPConfig not to start the ISPConfig firewall.
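The rename that falko describes (#22) is what makes a hand-written post-rule-setup.sh disappear after an update. As an added example, not code from the thread, ISPConfig or Bastille, here is a small POSIX sh routine that locates the most recently modified post-rule-setup.sh among the /etc/Bastille_* copies an update left behind and puts it back into the fresh /etc/Bastille/firewall.d/, refusing to overwrite a hook that is already there. The optional root-prefix argument exists only so the routine can be exercised against a scratch directory; the 0700 mode is an assumption (the hook runs with root privileges when the firewall starts, so it should not be writable by anyone else).

```sh
#!/bin/sh
# Added example: put a custom Bastille hook back after an ISPConfig 2 update
# has moved /etc/Bastille aside to /etc/Bastille_<date> (paths from the thread).
# Usage on the live system:   sh restore-hook.sh /
# The root prefix argument exists so the function can be tested in a scratch tree.

restore_hook() {
    root=${1:-}
    root=${root%/}                        # "/" becomes "", avoiding a leading "//"
    hook=firewall.d/post-rule-setup.sh
    new="$root/etc/Bastille/$hook"

    if [ -f "$new" ]; then
        echo "hook already present, not overwriting: $new"
        return 0
    fi

    # Newest (by mtime) copy of the hook among the backup directories the
    # update left behind. When nothing matches the glob stays literal, ls
    # fails silently and src stays empty.
    src=$(ls -t "$root"/etc/Bastille_*/"$hook" 2>/dev/null | head -n 1)
    if [ -z "$src" ] || [ ! -f "$src" ]; then
        echo "no backed-up hook found under $root/etc/Bastille_*" >&2
        return 1
    fi

    mkdir -p "$root/etc/Bastille/firewall.d" || return 1
    cp -p "$src" "$new" || return 1
    # The hook is loaded with root privileges when the firewall starts, so it
    # must not be writable by anyone else. 0700 is an assumption, not a Bastille
    # requirement; match the mode of your other firewall.d scripts if they differ.
    chmod 0700 "$new" || return 1
    echo "restored $src -> $new"
}

# Only act when a root prefix is given on the command line; sourcing the file
# merely defines the function.
if [ $# -gt 0 ]; then
    restore_hook "$1"
fi
```

After restoring, restart the firewall (the ISPConfig init script does this) and confirm with `iptables -L -n` that your rules are back; if a later update keeps the file (as daveb reports for 2.2.16 and up, #25), the routine simply reports that the hook is already present.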
#25  27th April 2008, 21:37
daveb (Senior Member)

I have a set of rules I use in /etc/Bastille/firewall.d/post-rule-setup.sh.
Since the release of 2.2.16 or so my rules in post-rule-setup.sh are kept after the update.

#26  28th April 2008, 19:21
tal56 (Member)

I've found this on another site to reduce brute-force hacking using only iptables:

Quote:
Here's an easy fix. It drops new SSH connections coming from the same IP at intervals of less than 15s (or any timeout you want). On my server, this has been shown to stop the automated attempts on the first failed connection, and even if the attacker waits for the 15s, it makes brute-force attempts impractical.

For legit sessions, 15s is reasonable (at least for me) between session starts.

It's just two lines on the iptables configuration. No other change required:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

(eth0 is my external interface; I'm not limiting intranet connections)

This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s [REMOTENET] -d [OUTERNET]
above that, to accept established connection packets.
I would like to add it to the firewall rules. Would the two lines just replace the existing reference to port 22 in the default ISPConfig firewall rules? This seems like a good way to slow down the brute-force attacks on servers.

Also, I've seen this code in the comments on the DenyHosts howto:

Quote:
Another approach that is more generic (can be used with any port/service) is to use the IPT_RECENT module that comes with netfilter:

For example I have the following lines in my iptables config:

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP

which basically kick-bans the source IP for 60 seconds if more than 3 connections are attempted within a 60-second limit.

I've found this to be 100% effective.
Both seem like good methods that don't require installing any separate software. From looking at them, which would you suggest is the better method to add?

Thanks

#27  28th April 2008, 20:05
daveb (Senior Member)

Here is what I added to my post-rule-setup.sh for ssh.
Code:
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

#28  30th April 2008, 07:15
tal56 (Member)

Quote:
Originally Posted by daveb
Here is what I added to my post-rule-setup.sh for ssh.
Code:
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
Where did you add those 2 lines to the existing ISPConfig firewall rules? Did you just replace the line that refers to port 22 for SSH? Thanks

#29  30th April 2008, 07:16
daveb (Senior Member)

I added them to /etc/Bastille/firewall.d/post-rule-setup.sh

#30  30th April 2008, 07:19
tal56 (Member)

Quote:
Originally Posted by daveb
I added them to /etc/Bastille/firewall.d/post-rule-setup.sh
I see. So if I just put only those 2 lines in the post-rule-setup.sh file, it should work? I need to test this out soon as I'm getting a lot of hack attempts and don't really want to disable root on SSH. Thanks
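Both snippets in #26 and daveb's two lines in #27 use the recent match; the open question in #28 to #30 is what a complete post-rule-setup.sh should contain. What follows is an added example from me, not code from the thread, ISPConfig or Bastille: a full hook that implements the hit-count variant (the second snippet in #26) for SSH arriving at the host itself, which is why it works on INPUT rather than FORWARD. Assumptions not taken from the thread: external interface eth0, sshd on port 22, an admin network 192.0.2.0/24 (an RFC 5737 documentation range) that is never limited, and that bastille-firewall loads the hook with `.` (sources it), so the file must not call exit or set -e and uses prefixed variable names to avoid clobbering the caller's. Two points a practitioner needs that the thread does not spell out: the jump is inserted at the top of INPUT, because appending it after the ACCEPT rule Bastille already installed for port 22 would leave it unreachable, and the chain is flushed and recreated every time, because the hook runs on every firewall restart and a plain `-A` would stack duplicate rules. DRY_RUN=1 (or running without root or without iptables) prints the rules instead of applying them.

```sh
#!/bin/sh
# /etc/Bastille/firewall.d/post-rule-setup.sh  (added example, not ISPConfig's file)
#
# Rate-limit new SSH connections per source address with the xt_recent match.
# bastille-firewall loads this file on every firewall (re)start, so everything
# here must be repeatable: the chain is rebuilt from scratch each time and the
# jump into it is removed before it is re-inserted. No "exit" and no "set -e",
# because the file is assumed to be sourced by the firewall script.
# All variables are prefixed SRL_ so they do not clobber the caller's.

SRL_IPT=/sbin/iptables
SRL_IFACE=${SRL_IFACE:-eth0}                   # assumption: external interface
SRL_PORT=${SRL_PORT:-22}
SRL_ADMIN_NET=${SRL_ADMIN_NET:-192.0.2.0/24}   # assumption: never rate-limited
SRL_WINDOW=${SRL_WINDOW:-60}                   # seconds
SRL_HITS=${SRL_HITS:-4}                        # the 4th new connection in the window is dropped
SRL_CHAIN=SSH_CHECK

# Print the rule set. "sh -e" applies it; DRY_RUN=1 just shows it.
ssh_ratelimit_rules() {
    cat <<EOF
$SRL_IPT -N $SRL_CHAIN
# admin network is never limited
$SRL_IPT -A $SRL_CHAIN -s $SRL_ADMIN_NET -j RETURN
# record this source and its timestamp in the "SSH" list
$SRL_IPT -A $SRL_CHAIN -m recent --set --name SSH
# log (rate-limited) and drop once the source has SRL_HITS hits in the window;
# --update refreshes the timestamp, so a client that keeps hammering stays
# blocked; --rttl ignores packets whose TTL differs from the recorded one
$SRL_IPT -A $SRL_CHAIN -m recent --rcheck --seconds $SRL_WINDOW --hitcount $SRL_HITS --rttl --name SSH -m limit --limit 3/min -j LOG --log-prefix "SSH_RATELIMIT: "
$SRL_IPT -A $SRL_CHAIN -m recent --update --seconds $SRL_WINDOW --hitcount $SRL_HITS --rttl --name SSH -j DROP
# insert at the head of INPUT so it is evaluated before Bastille's ACCEPT for the port
$SRL_IPT -I INPUT 1 -i $SRL_IFACE -p tcp --dport $SRL_PORT -m state --state NEW -j $SRL_CHAIN
EOF
}

# Undo a previous run: remove every jump into the chain, then flush and delete it.
ssh_ratelimit_reset() {
    while "$SRL_IPT" -D INPUT -i "$SRL_IFACE" -p tcp --dport "$SRL_PORT" \
            -m state --state NEW -j "$SRL_CHAIN" 2>/dev/null; do :; done
    "$SRL_IPT" -F "$SRL_CHAIN" 2>/dev/null
    "$SRL_IPT" -X "$SRL_CHAIN" 2>/dev/null
}

if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$SRL_IPT" ] || [ "$(id -u)" -ne 0 ]; then
    ssh_ratelimit_rules
else
    ssh_ratelimit_reset
    ssh_ratelimit_rules | sh -e
fi

# Run-time checks (older kernels expose the same files under /proc/net/ipt_recent):
#   cat /proc/net/xt_recent/SSH                     # tracked addresses and hit times
#   echo -198.51.100.7 > /proc/net/xt_recent/SSH    # forget one address (unban)
#   echo / > /proc/net/xt_recent/SSH                # flush the whole list
```

Before relying on it, lock yourself out deliberately from a non-admin address (four new connections inside a minute), confirm the SSH_RATELIMIT log line and the entry in /proc/net/xt_recent/SSH, then clear that address with the echo shown above. Keep the admin network rule: rate limiting by source address is easy to trip from behind a shared NAT, and it does nothing against a distributed guesser, so it complements rather than replaces key-only logins or DenyHosts.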
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.