The Config Server Firewall (CSF) is a popular alternative to APF, and with its bundled Login Failure Daemon (LFD) you also get a great intrusion prevention system, with or without a graphical interface. There has been a great deal written about using CSF and LFD with a typical cPanel server, but not as much about using it on a minimally configured VPS, something we do on a routine basis for name servers, monitoring nodes, game servers and pretty much any other application where a graphical interface just isn’t necessary.

Before you use CSF on a minimal VPS, there are a few things you have to take into consideration:

For starters, CSF allows easy and rapid integration of a number of popular block lists, as well as the ability to block entire countries simply by listing their country codes in a comma-separated list. This is a very attractive feature if your server seems to attract a lot of attention from port scanners and the like. The problem is that a VPS typically provides only a fraction of the IP packet filtering capacity of a true dedicated server (on OpenVZ this is the NUMIPTENT limit, which caps the number of iptables entries the container may hold). Thus you’ll want to enable only the SPAMHAUS list (if you enable any of them) and leave the rest to LFD to block dynamically, a task it does very well in a pretty much set-it-and-forget-it way.
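To see whether a given list would even fit before you switch it on, here is an added example script (not from the original article and not part of CSF) that compares the entries in a blocklist file against the container’s NUMIPTENT counters. It assumes the standard /proc/user_beancounters layout and runs against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original article: decide whether a CSF blocklist
# fits inside an OpenVZ container's NUMIPTENT limit before enabling it. Each
# loaded entry becomes one iptables rule, i.e. one numiptent. Paths are
# parameters so the functions can run against the constructed samples below.

# Print "held limit failcnt" for numiptent from a /proc/user_beancounters file.
numiptent_usage() {
    awk '$1 == "numiptent" { print $2, $5, $6; exit }' "$1"
}

# Count usable entries (non-blank, non-comment lines) in a blocklist file.
blocklist_entries() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# blocklist_fits LIST [BEANCOUNTERS] [RESERVE]: 0 if LIST fits while leaving
# RESERVE entries (default 50) free for LFD's own dynamic blocks, else 1.
blocklist_fits() {
    list="$1"; bc="${2:-/proc/user_beancounters}"; reserve="${3:-50}"
    set -- $(numiptent_usage "$bc")
    [ -n "$3" ] || { echo "numiptent not found in $bc" >&2; return 1; }
    held=$1; limit=$2; failcnt=$3
    [ "$failcnt" -eq 0 ] || echo "warning: numiptent limit already hit $failcnt times" >&2
    entries=$(blocklist_entries "$list")
    needed=$((held + entries + reserve))
    if [ "$needed" -le "$limit" ]; then
        echo "ok: $entries entries fit ($held held, $limit limit, $((limit - needed)) spare)"
        return 0
    fi
    echo "too big: $entries entries need $needed of $limit numiptent ($held held)" >&2
    return 1
}

# Constructed sample data (not real counters) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/beancounters" <<'EOF'
Version: 2.5
       uid  resource           held   maxheld   barrier     limit   failcnt
      101:  kmemsize        2370421   2419616  11055923  11377049         0
            numiptent            90        95       128       128         0
EOF
printf '# constructed excerpt of a DROP-style list\n192.0.2.0/24\n\n198.51.100.0/24\n' \
    > "$SAMPLE_DIR/small.txt"
seq 1 200 | sed 's|.*|203.0.113.&/32|' > "$SAMPLE_DIR/big.txt"
blocklist_fits "$SAMPLE_DIR/small.txt" "$SAMPLE_DIR/beancounters" 10
blocklist_fits "$SAMPLE_DIR/big.txt" "$SAMPLE_DIR/beancounters" 10 || true
```

The count from blocklist_entries is also a sensible value for the MAX field (third column) of the matching line in /etc/csf/csf.blocklists, which caps how many entries CSF loads from that list.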

Next, CSF includes a handy security check, and since a great deal of its output relates directly to CSF and LFD configuration, you’d be wise indeed to heed its advice. To run it on a minimal VPS, simply open a shell and type: csf -m. Its output is HTML, so you can send it as a mail message or pipe it to a web page for extended viewing.

As I stated before, there’s been a great deal written about CSF and LFD configuration in general, so I’m not going to go into a lot of detail here. Suffice it to say, most minimal VPSes are going to be a challenge when it comes to firewall configuration because of the sheer resources a solid setup needs. The information I’ve given you so far is a good start, but if you want the ultimate in security, you’d be wise to invest a few dollars in a professional installation, at least to get you started. A few bucks now may well save you an expensive server restoration later, and many frustrating hours of trial-and-error testing to boot.

Great stuff. Freeware. Highly recommended.

In order to disable oplocks, SMB2 must first be disabled.

To disable SMB2 on a Windows Server 2008 or Windows Vista PC hosting embedded database tables, change or add the following Registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB2 = 0

To disable oplocks on a Windows server (a Windows PC that hosts an embedded database table accessed from another PC), change or add the following Registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters EnableOplocks = 0

The following Microsoft Windows Vista Hotfix also applies: 935366

After reinstalling a failed Windows Vista Business machine the other day, a series of annoying dialogs started popping up at start-up asking me if I wanted to run igfxtray.exe, hkcmde.exe and igfxpers.exe. After a bit of research, I found that these programs are installed with the latest Intel video drivers for our Jetway I31GM4-L motherboards (the same drivers are used in our Shuttle machines as well). Intel has mistakenly installed these programs in the x86 Programs folder without the necessary means of making them trusted by the operating system.

Solution:

Since Windows provides its own means of managing video, the Intel programs are not necessary and can be safely disabled. Click Start, search for and run msconfig, click the Startup tab and untick the check-box next to each program. Disabling these start-up programs has an additional benefit: several widely known malware programs use these program names as a disguise.

Introduction

It turns out this usually isn’t a problem with Vista or Windows 7 at all, but rather with the power-saving functions of certain networking chipsets. These chipsets save power by turning themselves off during periods of inactivity, which in turn wreaks havoc with any program that requires a persistent connection, most notably custom database applications like those written in Visual FoxPro and standard accounting applications like Peachtree.

Symptoms

The symptoms of this problem include the “Windows has stopped working” dialog box, accompanied by Network Locations showing up in the Control Panel with a red X through them. Double-clicking on the Network Location turns it green again and restores the connection as if nothing had happened.

Solution

The solution is usually pretty simple, but it can be a bit tricky due to the language translation involved. What you need to do is disable the power-saving functions of the chipset, and at first glance it might appear the function is already disabled. Be sure to look closely; here’s an example of what you might run into:

Auto Disable PCIe (Power Saving) = Disabled

To me, this meant the power-saving features were already disabled. To the gentleman who wrote the wording for this setting, it meant just the opposite. Once we changed the setting to Enabled on all our workstations, the problem went away and we haven’t encountered it since.

net user administrator /active:yes

This function is included in the 2010 SR-1 release.

net config server /autodisconnect:-1

For best security, ssh should be moved to a non-standard port, and password authentication should be bypassed in favor of public key authentication. It’s not at all hard to do, and it makes me wonder why a lot of admins are reluctant to do so. Hopefully, once you finish reading this article, password authentication on your network will become a thing of the past and we’ll all be one step closer to a safer, more reliable internet as a whole. Let’s get started.

Begin by editing /etc/ssh/sshd_config. Find the following section and remove the preceding hash marks so it looks exactly like the following text:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2

Next, you’ll need to create the secure storage location you specified in your configuration:

cd /root
mkdir .ssh
chmod 700 .ssh
cd .ssh
nano authorized_keys2
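As an added example (not part of the original article), the following script applies the complete policy described above, the non-standard port and the public-key directives plus the settings that actually switch password logins off, to a copy of sshd_config and then verifies the result. Port 2222 and the sample config are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: apply the article's policy
# (non-standard port, keys on, passwords off) to an sshd_config idempotently,
# then verify it. The port and the sample config are constructed placeholders.

# set_directive FILE KEY VALUE: rewrite an active "KEY ..." line or a stock
# "#KEY ..." default to "KEY VALUE"; append if neither exists. Indented lines
# (Match blocks) and prose comments ("# KEY ...") are left alone.
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^#?$key([[:space:]]|$)" "$file"; then
        sed -E "s|^#?$key([[:space:]].*)?$|$key $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT: the article's two directives plus the ones
# that actually turn password logins off.
harden_sshd_config() {
    file="$1"; port="$2"
    set_directive "$file" Port "$port"
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" AuthorizedKeysFile .ssh/authorized_keys2
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
}

# verify_sshd_config FILE PORT: 0 only if every directive is present and active.
verify_sshd_config() {
    file="$1"; port="$2"
    for want in "Port $port" "PubkeyAuthentication yes" \
        "AuthorizedKeysFile .ssh/authorized_keys2" \
        "PasswordAuthentication no" "ChallengeResponseAuthentication no"; do
        grep -Eqx "$want[[:space:]]*" "$file" || { echo "not set: $want" >&2; return 1; }
    done
}

# Constructed sample resembling a stock sshd_config. Work on a copy and run
# `sshd -t -f COPY` before touching the live file or restarting sshd.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#Port 22
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#PasswordAuthentication yes
UsePAM yes
EOF
harden_sshd_config "$CFG" 2222
verify_sshd_config "$CFG" 2222 && echo "hardened copy: $CFG"
```

Keep your current session open and confirm a key-based login on the new port works before the old one is closed, otherwise a typo here locks you out.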


This article will detail the steps required to set up a Xymon (formerly known as Hobbit) network monitoring server on a Fedora Core OpenVZ container. At first, I tried this on CentOS 5, but didn’t have much luck getting rrdtool installed. If anyone knows a work-around for this, I’d really like to hear from you as I use CentOS as the basis for just about everything else I do. See?

  1. Start by preparing a container with Fedora Core. I used the following template for my foundation:

     vzctl create [id] --ostemplate [template_name] --config [config_name]
     vzctl set [id] --onboot yes --save
     vzctl set [id] --hostname [hostname] --save
     vzctl set [id] --ipadd [ip_address] --save
     vzctl set [id] --nameserver [ip_address] --save
     vzctl set [id] --userpasswd root:[password]
     vzctl start [id]
     vzctl enter [id]

  2. The next thing you should do is get a firewall up and running. You can get details on how to do this at the following URL:

     Advanced Protection Firewall

  3. Now you need to set up all of Xymon’s prerequisites as well as those of the server itself. Please be sure to install the packages in the order presented or you may not get a complete installation:

     yum install nano
     yum install make
     yum install gcc
     yum install compat-libstdc++-33
     yum install compat-libstdc++-296
     yum install ncftp
     yum install links
     yum install lynx
     yum install libpng
     yum install openssl
     yum install openldap
     yum install pcre-devel
     yum install rrdtool-devel
     yum install httpd
     yum install cpan
     yum update
     cpan Bundle::CPAN

  4. Xymon needs a standard, non-privileged user to keep your system safe and secure. This user should not belong to any other groups on the system, and you should make a note of it as you’ll need it later on during the installation process:

     useradd [user_name]
     passwd [user_name]

  5. Now you’re ready to download, unpack and install Xymon. Be sure to fully read and understand the Xymon Server Installation Guide before getting started, as there’s a lot of good information in there to make your installation go as quickly and painlessly as possible:

     cd /usr/local/src
     wget -O xymon-4.3.0-beta2.tar.gz http://sourceforge.net/projects/hobbitmon/files/hobbitserver/4.3.0-beta2/xymon-4.3.0-beta2.tar.gz/download
     tar xvfz xymon-4.3.0-beta2.tar.gz
     cd xymon-4.3.0-beta2
     ./configure
     make
     make install

  6. Before you can start Xymon, you’ll need to make a few simple changes to your web server configuration. Assuming you’re using a default installation for both Apache and Xymon, you can make those changes as follows:

     cd /var/www
     mv html html.orig
     ln -s /home/[xymon_user]/server/www html
     cd ~[xymon_user]
     chmod 711 .
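To confirm the account and web-root layout those steps leave behind, here is an added check script (not from the original article and not part of Xymon). It assumes GNU stat and exercises the checks against a constructed temporary tree rather than a live install.

```shell
#!/bin/sh
# Added example, not from the original article: check the account and web-root
# layout the steps above leave behind. Paths are parameters so the checks can
# run against a constructed temporary tree; GNU stat (-c) is assumed.

# check_xymon_user USER: 0 if USER exists, is not uid 0 and is in no group
# beyond its primary one, as the installation step above requires.
check_xymon_user() {
    u="$1"
    id "$u" >/dev/null 2>&1 || { echo "no such user: $u" >&2; return 1; }
    [ "$(id -u "$u")" -ne 0 ] || { echo "$u is uid 0" >&2; return 1; }
    [ "$(id -G "$u" | wc -w)" -eq 1 ] \
        || { echo "$u has extra groups: $(id -Gn "$u")" >&2; return 1; }
}

# check_xymon_layout HOME WEBROOT: 0 if HOME is mode 711 (Apache may traverse
# it, nobody else may list it), WEBROOT is a symlink to HOME/server/www, and
# that directory exists and is not world-writable.
check_xymon_layout() {
    home="$1"; webroot="$2"
    mode=$(stat -c %a "$home") || return 1
    [ "$mode" = 711 ] || { echo "$home is mode $mode, expected 711" >&2; return 1; }
    [ -L "$webroot" ] || { echo "$webroot is not a symlink" >&2; return 1; }
    target=$(readlink "$webroot")
    [ "$target" = "$home/server/www" ] \
        || { echo "$webroot -> $target, expected $home/server/www" >&2; return 1; }
    [ -d "$target" ] || { echo "$target does not exist" >&2; return 1; }
    case "$(stat -c %a "$target")" in
        *[2367]) echo "$target is world-writable" >&2; return 1 ;;
    esac
}

# Constructed layout under a temporary directory (not a real install).
ROOT=$(mktemp -d)
XHOME="$ROOT/home/xymon"; WEB="$ROOT/var/www"
mkdir -p "$XHOME/server/www" "$WEB"
chmod 711 "$XHOME"
ln -s "$XHOME/server/www" "$WEB/html"
check_xymon_layout "$XHOME" "$WEB/html" && echo "layout ok"
check_xymon_user root || echo "root is not an acceptable xymon user"
```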

This procedure was written for a minimally installed server for best security. If you’re using something more elaborate (suexec, selinux, etc), then you’ll need to modify the server settings to suit your environment. I plan to implement suexec and other security enhancements in the future and I’ll update this article as appropriate when that happens.
