#echo "yusufhadiwinata.com" > /etc/hostname

Linux Kernel Hacking and Optimize

Thu, 02 Sep 2010 03:38:16 +0000

#swapnpiness makin kecil makin di matiin swap
vm.swappiness=50
vm.overcommit_memory=2
vm.overcommit_ratio=80


## rh default ## vm.dirty_background_ratio = 10
## ubu default ## vm.dirty_background_ratio = 5
vm.dirty_background_ratio=2
# 10
## rh default ## vm.dirty_ratio = 40
## ubu default ## vm.dirty_ratio = 10
vm.dirty_ratio=8
# 40

#---------------------------- semaphore limitasi
#    * SEMMSL - the maximum number of semaphores per semaphore set.
#    * SEMMNS - a system-wide limit on the number of semaphores in all semaphore sets.
#    * SEMOPM - the maximum number of operations that may be specified in a semop(2) call.
#    * SEMMNI - a system-wide limit on the maximum number of semaphore identifiers.
#            SEMMSL SEMMNS SEMMNS  SEMMNI
kernel.sem = 250 32000 100 128

#This file contains the system-wide limit on the total number of pages of System V IPC shared memory. The default value is 2097152.
kernel.shmall = 2097152

# default nya 32 mb , dibawah ini di set 2048
#This file can be used to query and set the run time limit on the maximum System V IPC shared memory segment size that can be created. Shared memory segments up to 1GB are now supported in the kernel. This value defaults to 33554432 (32MB).
kernel.shmmax = 2147483648

#This file specifies the system-wide maximum number of System V IPC shared memory segments that can be created. The default value is 4096.
kernel.shmmni = 4096
# 10 % dari total physical memorynya
fs.file-max = 409600
vm.vfs_cache_pressure = 50

#The default setting of the socket receive buffer in bytes.
# 16 mb
net.core.rmem_default = 16777216

#The maximum receive socket buffer size in bytes. The default value is 131072 bytes.
# 16 mb
net.core.rmem_max = 16777216

# The default setting of the socket send buffer in bytes.
# 16 mb
net.core.wmem_default = 16777216

# The maximum send socket buffer size in bytes. The default value is 131072 bytes.
net.core.wmem_max = 16777216

#Vector of 3 integers: min, default, max.
#   * min - minimal size of receive buffer used by TCP sockets. It is guaranteed to each TCP socket, even under moderate memory pressure. The default value is 4096 bytes.
#    * default - default size of receive buffer used by TCP sockets. This value overrides rmem_default used by other protocols. The default value is 87380 bytes. This value results in window of 65535 with default setting of tcp_adv_win_scale and tcp_app_win is 0, and a bit less for default tcp_app_win.
#    * max - maximal size of receive buffer allowed for automatically selected receiver buffers for TCP socket. This value does not override rmem_max, "static" selection via SO_RCVBUF does not use this. The default value is 4194304 bytes.
#                    min    default  max
net.ipv4.tcp_rmem = 10240 87380 16777216
net.ipv4.tcp_wmem = 10240 87380 16777216

# Normally, TCP will remember some characteristics about the last connection in the flow cache. If tcp_no_metrics_save is set, then it doesn't. Useful for benchmarks or other tests.
net.ipv4.tcp_no_metrics_save = 1

# Enable window scaling as defined in RFC1323. Enabled (1) by default.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1

# Maximum number of packets, queued on the input side, when the interface receives packets faster than kernel can process them. Applies to non-NAPI devices only. The default value is 1000.
net.core.netdev_max_backlog = 5000

securelevel openbsd

Fri, 21 May 2010 04:08:57 +0000

securelevel -1 : There’s no additional kernel security and many of the normal security features, such as permissions, are functional. Use this level for machines not in production use.
securelevel 0 : When OpenBSD first boots up securelevel 0 is used. If this level is set in your rc.securelevel file securelevel 1 will actually be used when the boot process is finished. There are no added features of securelevel 0.
securelevel 1 : OpenBSD’s default securelevel. Writing to /dev/mem and /dev/kmem won’t work. Raw disk devices are read-only. Schg and sappnd flags cannot be removed. Kernel modules cannot be loaded or unloaded ‘on the fly’.
securelevel 2 : Includes all securelevel 1 features plus: Limited setting of the system clock. pfctl cannot change PF or NAT rules. DDB kernel debugger sysclt values cannot be changed.

The end of the boot process will show what security level you are at.

Or at a prompt

# sysctl kern.securelevel

To adjust to a higher security level at the command prompt

# sysctl kern.securelevel=2

Using Kernel Flags

Setting kernel flags is like setting permissions but with an added twist. With the setting of some flags, not even root can make changes. Changes can only be made by booting into a lower securelevel or booting into single user mode.

Common used flags

sappnd : Can only be set or removed by root. Files set with this flag can be added to but not removed or edited. Good for log files. This flag cannot be removed with the system running in securelevel 1 or greater.
schg : Can only be set or removed by root. Files set with this flag cannot be changed, moved or replaced. This flag cannot be removed with the system running in securelevel 1 or greater.
uappnd : Can be set or removed by user or root. Files can be added to but not edited or removed by the average user (prevents accidental removal). The user or root may remove this flag at any time.

Using kernel flags can become addicting. Just make sure you know the overall outcome of using flags and realize that improper use may cause some serious system problems.

Checking to see if a file has a flag set

# ls -lo /bsd
-rw-r--r--  1 root  wheel  schg 5358488 Mar 30 11:47 /bsd

The schg text is the evidence of a flag being set.

Two popular flag settings

Disallowing changes to the kernel

# chflags schg /bsd

Disallowing changes to the binaries

# chflags -R schg /bin

You might want to set a sappnd flag to root’s history file. If there is a remote root compromise of the system then looking over the tamperproof history file will help in tracing the intruder’s movements.

Also, setting the sappnd flag to a user’s history file will also prevent the old script kiddie trick of covering their tracks by sending shell history output to /dev/null via a soft link.

Removing a flag

Removing a flag set to the kernel file

# chflags noschg /bsd

You must be in securelevel 0 or -1 to remove this flag.

Kernel Flags for the Paranoid

What follows are some kernel flag suggestions for the paranoid. I recommend these changes only after you are done setting up your OBSD server.

Flag settings for the kernel and configuration files

# chflags schg /bsd
# chflags schg /etc/changelist
# chflags schg /etc/daily
# chflags schg /etc/inetd.conf
# chflags schg /etc/netstart
# chflags schg /etc/pf.conf
# chflags schg /etc/rc
# chflags schg /etc/rc.conf
# chflags schg /etc/rc.local
# chflags schg /etc/rc.securelevel
# chflags schg /etc/rc.shutdown
# chflags schg /etc/security
# chflags schg /etc/mtree/special

Flag settings for system binaries

# chflags -R schg /bin # chflags -R schg /sbin # chflags -R schg /usr/bin # chflags -R schg /usr/libexec # chflags -R schg /usr/sbin

Encrypt the Swap Partition

Encrypting your swap partition is mainly done to prevent any local user from potentially abusing the system. By default OpenBSD 4.7 will encrypt the swap partition. To turn this on for OpenBSD versions 3.7 and below:

step 1 - Enable this feature without a reboot
step 2 - Edit the sysctl config file, so that after a reboot the swap partition will be encrypted

1. As root change the kernel state variable

# sysctl vm.swapencrypt.enable=1

2. Edit /etc/sysctl.conf from

#vm.swapencrypt.enable=1

to:

vm.swapencrypt.enable=1

and to check if the kernel state is set:

# sysctl vm.swapencrypt.enable

Disable Inetd

On a default install inetd is enabled. On my OpenBSD server at home I only run sshd, ntpd, syslogd, and httpd. None of which run off of inetd. But for the paranoid disabling inetd will usually cause no problems. Disable inetd by editing the /etc/rc.conf file from

inetd=YES

to:

inetd=NO

and to stop inetd without a reboot:

# kill `cat /var/run/inetd.pid`

Note: It isn't inetd that has had past security problems but rather the services it controls.

Ssh Over Telnet

Telnet will not be running on a default OpenBSD install. I'm not sure there are any good arguments to running the telnet service. As most know the telnet login process uses plain text authentication, which makes sniffing a practical attack to gaining illegal remote access to a system. Then next on the menu would be performing a local exploit. Ssh not only encrypts the login (authentication) process but the entire ssh session is encrypted. Almost all Linux distros and BSD flavors include the OpenSSH server and client. And for Windows, Putty would be the equivalent to a free client. To disable telnet in OBSD 3.9 and below (4.7 does not have a telnet entry): Edit the /etc/inetd.conf file from

telnet

to:

#telnet

SFTP over FTP

Sftp will be running on a default install. Sftp will prevent the problem of sniffing ftp passwords which are transmitted in plain text. You might be surprised how easy it is to use sftp. Almost all Linux distros and BSD flavors come with a sftp client. And for Windows there is the freeware program WinSCP.

Note: There are performance issues when using sftp. You will notice transfer speeds to be slower than ftp speeds. This can be 'blamed' on the fact that sftp communication is encrypted thus adding to the transfer time.

Mounting Partitions

The way partitions are mounted can greatly affect system security. How partitions are mounted at boot time is controlled by the fstab file. Two examples of a /etc/fstab file with security in mind: 1. The following layout shows an average paranoid setup

/dev/wd0a / ffs rw 1 1
/dev/wd0h /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0g /usr ffs ro,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid,noexec 1 2

The difference between the two, the below has the root (/) partition set to read-only and the /home partition set to noexec.
2. More paranoia added to the mix with a dash of less usability

/dev/wd0a / ffs ro 1 1
/dev/wd0h /home ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid,noexec 1 2
/dev/wd0g /usr ffs ro,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid,noexec 1 2

Using rm with the -P Option

Most of the Linux distros ship with a nice file wiping utility called shred. Using the command rm with the -P option will overwrite regular files 3 times before deleting them.
Using rm with -P option

# rm -P filename

Or add a command alias for BASH

# echo "alias rm='rm -P' " >> .bash_profile

Increase Minimum Password Length

The default minimum length for OpenBSD login passwords is 6 characters. To increase this to 10 characters, simply edit the /etc/login.conf file.
Edit the /etc/login.conf file

default:\
    :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
    :umask=022:\
    :datasize-max=512M:\
    :datasize-cur=512M:\
    :maxproc-max=128:\
    :maxproc-cur=64:\
     penfiles-cur=128:\
    :stacksize-cur=4M:\
    :localcipher=blowfish,6:\
    :ypcipher=old:\
    :tc=auth-defaults:\
    :minpasswordlen=10:\
    :tc=auth-ftp-defaults:

Adding the :minpasswordlen=10:\ line under the default class.

Note: login.conf does not have to be converted (cap_mkdb) to a database file, unlike FreeBSD.

If you notice any errors, please let me know.

Updating OBSD 4.7 ke versi Stable dengan Cvsup

Fri, 21 May 2010 02:59:50 +0000

Install CVSUP paketnya dl

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.7/packages/i386/cvsup-16.1hp2-no_x11.tgz

step 1. Membuat CVSUP Configuration File
step 2. Run cvsup with the configuration file
step 3. Rebuild and install your kernel
step 4. Rebuild and install your system

1. Gunakan text editor favorit anda untuk create file cvsup-file-src dan isikan dengan di bawah ini

# Defaults that apply to all the collections *default release=cvs *default delete use-rel-suffix *default umask=002 *default host=anoncvs3.usa.openbsd.org *default base=/usr *default prefix=/usr *default tag=OPENBSD_4_7 # jika network anda adalah T1 / lebih cepat, berikan commnet line di bawah ini. # *default compress #OpenBSD-ports #OpenBSD-all OpenBSD-src #OpenBSD-www #OpenBSD-x11 #OpenBSD-xenocara 2. Updating source tree dengan cvsup-file-src file

# cvsup -g -L 2 cvsup-file-src 3. Compiling dan installing kernel Backup kernel yang berjalan

# cp /bsd /bsd.old configure kernel baru # cd /usr/src/sys/arch/i386/conf/

# config GENERIC
Don't forget to run "make depend"

Finally compile dan install new kernel

# cd ../compile/GENERIC
# make clean && make depend && make && make install

Reboot server untuk mencoba kernel baru
4. Rebuilding the system

# rm -rf /usr/obj/*

# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build

DOne openbsd 4.7 anda sekarang sudah stable

tapi tunggu dl, port anda masih versi lama, saatnya mengupdate port

1. Gunakan text editor favorit anda untuk create file cvsup-file-ports dan isikan dengan di bawah ini

# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs3.usa.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_7

OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xenocara

2. Updating source tree dengan cvsup-file-ports file

# cvsup -g -L 2 cvsup-file-ports

3. Checking ports kamu dengan script/command out-of-date

Output di bawah ini menjelaskan bahwa tidak membutuhkan update

# cd /usr/ports/infrastructure/build/
# ./out-of-date
Collecting installed packages
Collecting port versions: complete
Collecting port signatures: complete
Outdated ports:
#

Output di bawah menjelaskan bahwa paket membutuhkan update

# cd /usr/ports/infrastructure/build/
# ./out-of-date
Collecting installed packages
Collecting port versions: complete
Collecting port signatures: complete
Outdated ports:
www/mozilla-firefox         # 3.0.6 -> 3.0.7
#

The only port needing upgrading in this example is Firefox.

4. Updating/Rebuilding your ports

Locate the Firefox port directory

# find /usr/ports/ -name mozilla-firefox

Update the Firefox port to the latest release

# cd /usr/ports/www/mozilla-firefox/
# make update

3 of 3 - Updating and Building your Xenocara (X Window) System

step 1. Create a cvsup configuration file for the Xenocara (X Window) system
step 2. Run cvsup with the configuration file
step 3. Rebuild the Xenocara (X Window) system

1. Using your favorite text editor create a file called cvsup-file-xenocara

# Defaults that apply to all the collections

*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=cvsup.no.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_7

# If your network link is a T1 or faster, comment out the following line.
# *default compress

#OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
OpenBSD-xenocara

Change cvsup.no.openbsd.org to a server near you and uncomment the OpenBSD-xenocara line.

2. Updating your ports tree with the cvsup-file-xenocara file

# cvsup -g -L 2 cvsup-file-xenocara

The xenocara tree will be a 330 meg download the first time you run cvsup.

3. Rebuilding your Xenocara (X Window) system

# rm -rf /usr/xobj/* # cd /usr/xenocara # make bootstrap # make obj # make build

When Kernel Building Goes Bad

If the newly installed kernel will not boot then boot into a previous bootable kernel. When you restart the system wait until you see something similar to the below

Using drive 0, partition 3.
Loading...
probing : pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot>

at this point boot into a previous bootable kernel:

Using drive 0, partition 3.
Loading...
probing : pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot> bsd.old

“Mendietkan” Kernel OBSD

Fri, 21 May 2010 02:52:02 +0000

Kernel OBSD dan standar config kernel lainya cukup “gemuk” dan banyak makan resource jadi di butuhkan untuk mendietkan config kernel tersebut dan mengcompile ulang

berikut langkah2nya :

1. download kebutuhan file

Source code for the core system (128MB): ftp://ftp.openbsd.or.id/pub/OpenBSD/4.6/src.tar.gz
Source code for the kernel (20MB): ftp://ftp.openbsd.or.id/pub/OpenBSD/4.6/sys.tar.gz

When patching your port system or the Xenocara (X Window) system you will need these sources:

Source code for the port system (17MB): ftp://ftp.openbsd.or.id/pub/OpenBSD/4.6/ports.tar.gz
Source code for the Xenocara (X Window) system (103MB): ftp://ftp.openbsd.or.id/pub/OpenBSD/4.6/xenocara.tar.gz

2. Extrack File2nya

extrack system source files

# mv src.tar.gz /usr/src
# cd /usr/src
# tar -xvzf src.tar.gz

extrack kernel source files

# mv sys.tar.gz /usr/src
# cd /usr/src
# tar -xvzf sys.tar.gz

extrack port system source files

# mv ports.tar.gz /usr
# cd /usr
# tar -xvzf ports.tar.gz

extrack Xenocara (X Window) system source files

# mv xenocara.tar.gz /usr
# cd /usr
# tar -xvzf xenocara.tar.gz

3. backup kernel lama
# cp /bsd /bsd.old

4. Lets Do it
# cd /usr/src/sys/arch/i386/conf/
# cp GENERIC yusuf-kernel-config
# config yusuf-kernel-config
# cd ../compile/yusuf-kernel-config
# make clean && make depend && make && make install
# reboot

stelah reboot kernel baru telah terinstall, cek dengan mengetik
# uname -a
OpenBSD
yusuf-kernel-config.intranet.indolinux.com 4.6 yusuf-IDX#0 i386

Mirror OpenBSD yang ada di Indonesia

Wed, 12 May 2010 04:59:57 +0000

openbsd.biz.net.id
Location: Jakarta, Indonesia - BizNetwork.Com
Maintained by Yudhi Prasetyo 
Mirror Type : FTP (can be access via http://openbsd.biz.net.id, updated daily)
Mirror Type : CVSUP (update every 15 minutes from cvsup.jp.OpenBSD.org)


ftp.openbsd.or.id
Location: Jakarta, Indonesia - Nusa.net.id (ISP)
Maintained by Muhammad Rully Sumbayak 
Mirror Type : FTP (can be accessed via
ftp://ftp.openbsd.or.id/pub/OpenBSD, updated daily)

buntal.kebonbinatang.org
Location: Jakarta, Indonesia -
Maintained by Ozzie 
Mirror Type : CVSUP (update every 6 hours from cvsup.jp.OpenBSD.org)

cvsup.scbd.net.id
Location: Jakarta, Indonesia - SCBDNet
Maintained by Hardani 
Mirror Type : CVSUP

Securing CPanel

Wed, 12 May 2010 02:44:30 +0000

Berikut langkah – langkah yang dapat di gunakan untuk Mengamankan Server Cpanel dari RFI SQLI, Blind SQLI, Brute Froce, SYnc FLood, ICMP Flood, DDOS, XMAS Scanning, dll

1. Mod_security Digunakan untuk mencegah query dari sql injection dan blind sql injection pada applikasi web

aktifkan mod_security dengan default config yang telah di sediakan Main > Plugin > mod_security klik edit dan klik default configuration untuk generate default configuration dan klik Save
2. Apache Mod_userdir Protection mod_userdir apache yang memungkinkan pengguna untuk melihat situs mereka dengan memasukkan tilde (~) dan username mereka sebagai uri pada host tertentu. Misalnya http://test.cpanel.net/ ~ fred / akan memunculkan pengguna fred’s domain. Kerugian dari fitur ini adalah bahwa setiap penggunaan bandwidth yang digunakan oleh situs ini akan dimasukkan pada domain ini diakses bawah (dalam hal ini test.cpanel.net). perlindungan mod_userdir mencegah hal ini terjadi. Namun Anda mungkin ingin menonaktifkan pilihan ini virtual host tertentu (biasanya bersama host ssl.)

Main >> Security Center >> Apache mod_userdir Tweak Ceklist Enable mod_userdir Protection dan Save
3. cPHulk Brute Force Protection Untuk mencegah Brute Force aktifkan featur ini

Main >> Security Center >> cPHulk Brute Force Protection set to Enable
4. Host Access Control Pemberian batasan akses kepada service tertentu ke dalam file /etc/hosts atau TCP_wrapper

Main >> Security Center >> Host Access Control Sample Daemon Access List Action Comment sshd 192.168.0.0/255.255.255.0 allow Allow local SSH access sshd 198.66.254.254 allow Allow SSH from my specific IP sshd ALL deny Deny access from all other IPs
5. PHP open_basedir Tweak PHP’s open_basedir protection prevents users from opening files outside of their home directory with php.

klik Enable php open_basedir Protection dan save
6. Disable Function pada php.ini Beberapa attacker sering menggunakan php shell yang banyak di gunakan di internet yang function dari phpnya terlalu standart sehingga kita bisa mendisablenya

hati2 dalam mendisable_function, bisa2 website anda yang menggunakan fungsi tersebut tidak akan berjalan

berikut configurasi php.ini pada server saya

<pre>disable_functions = join_indobacktrack_or_id,maintenance_by_yusuf_indobacktrack_team,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime display_errors = Off html_errors = Off display_startup_errors = Off log_errors = On allow_url_fopen = Off

7. Editing SSH – Gunakan SSH key untuk login ke ssh server dan disable password authentication – Edit sshd_config /etc/ssh/sshd_config Tambahakan AllowUsers yusuf admin1 admin2 PermitRootLogin no protocol 2 port 3333 dll

8. Install Config Security Firewall dan Login Failure Detection, pastikan semua ceklist di bawah ini OK

<pre>############################################################################### # Copyright 2006-2010, Way to the Web Limited # URL: http://www.configserver.com # Email: sales@waytotheweb.com ############################################################################### # Testing flag - enables a CRON job that clears iptables incase of # configuration problems when you start csf. This should be enabled until you # are sure that the firewall works - i.e. incase you get locked out of your # server! Then do remember to set it to 0 and restart csf when you're sure # everything is OK. Stopping csf will remove the line from /etc/crontab TESTING = "0" # The interval for the crontab in minutes. Since this uses the system clock the # CRON job will run at the interval past the hour and not from when you issue # the start command. Therefore an interval of 5 minutes means the firewall # will be cleared in 0-5 minutes from the firewall start TESTING_INTERVAL = "5" # Enabling auto updates creates a cron job called /etc/cron.d/csf_update which # runs once per day to see if there is an update to csf+lfd and upgrades if # available and restarts csf and lfd. Updates do not overwrite configuration # files or email templates. An email will be sent to the root account if an # update is performed AUTO_UPDATES = "0" # By default, csf will auto-configure iptables to filter all traffic except on # the loopback device. If you only want iptables rules applied to a specific # NIC, then list it here (e.g. eth1, or eth+) ETH_DEVICE = "eth0" # If you don't want iptables rules applied to specific NICs, then list them in # a comma separated list (e.g "eth1,eth2") ETH_DEVICE_SKIP = "" # Lists of ports in the following comma separated lists can be added using a # colon (e.g. 30000:35000). # Allow incoming TCP ports TCP_IN = "20,21,10022,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096" # Allow outgoing TCP ports TCP_OUT = "20,21,10022,25,37,43,53,80,110,113,443,587,873,2087,2089,2703" # Allow incoming UDP ports UDP_IN = "20,21,53" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123,873,6277" # Allow incoming PING ICMP_IN = "1" # Set the per IP address incoming ICMP packet rate # To disable rate limiting set to "0" ICMP_IN_RATE = "1/s" # Allow outgoing PING ICMP_OUT = "1" # Set the per IP address outgoing ICMP packet rate (hits per second allowed), # e.g. "1/s" # # Recommend disabling on cPanel servers as cPanel uses ping test to determine # fastest mirrors for various functions # # To disable rate limiting set to "0" ICMP_OUT_RATE = "0" # Block outgoing SMTP except for root, exim and mailman (forces scripts/users # to use the exim/sendmail binary instead of sockets access). This replaces the # protection as WHM > Tweak Settings > SMTP Tweaks # # This option uses the iptables ipt_owner module and must be loaded for it to # work. It may not be available on some VPS platforms # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server SMTP_BLOCK = "0" # If SMTP_BLOCK is enabled but you want to allow local connections to port 25 # on the server (e.g. for webmail or web scripts) then enable this option to # allow outgoing SMTP connections to the loopback device SMTP_ALLOWLOCAL = "1" # This is a comma separated list of the ports to block. You should list all # ports that exim is configured to listen on SMTP_PORTS = "25" # Always allow the following comma separated users and groups to bypass # SMTP_BLOCK # # Note: root (UID:0) is always allowed SMTP_ALLOWUSER = "cpanel" SMTP_ALLOWGROUP = "mail,mailman" # Drop target for iptables rules. This can be set to either DROP ot REJECT. # REJECT will send back an error packet, DROP will not respond at all. REJECT # is more polite, however it does provide extra information to a hacker and # lets them know that a firewall is blocking their attempts. DROP hangs their # connection, thereby frustrating attempts to port scan the server. DROP = "DROP" # Enable logging of dropped connections to blocked ports to syslog, usually # /var/log/messages. This option needs to be enabled to use Port Scan Tracking DROP_LOGGING = "1" # Enable logging of dropped connections to blocked IP addresses in csf.deny or # by lfd with temporary connection tracking blocks # # This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL) DROP_IP_LOGGING = "1" # Only log reserved port dropped connections (0:1023). Useful since you're not # usually bothered about ephemeral port drops DROP_ONLYRES = "0" # Commonly blocked ports that you do not want logging as they tend to just fill # up the log file. These ports are specifically blocked (applied to TCP and UDP # protocols) for incoming connections DROP_NOLOG = "67,68,111,113,135:139,445,513,520" # Enable packet filtering for unwanted or illegal packets PACKET_FILTER = "1" # Log packets dropped by the packet filtering option PACKET_FILTER. This will # show packet drops that iptables has deemed INVALID (i.e. there is no # established TCP connection in the state table), or if the TCP flags in the # packet are out of sequence or illegal in the protocol exchange. # # If you see packets being dropped that you would rather allow then disable the # PACKET_FILTER option above by setting it to "0" DROP_PF_LOGGING = "1" # Configure csf to watch IP addresses (with csf -w [ip]). This option will add # overhead to packet traversal through iptables and syslog logging, so should # only be enabled while actively watching IP addresses. See readme.txt for more # information on the use of this option WATCH_MODE = "0" # Enable SYN Flood Protection. This option configures iptables to offer some # protection from tcp SYN packet DOS attempts. You should set the RATE so that # false-positives are kept to a minimum otherwise visitors may see connection # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables # man page for the correct --limit rate syntax SYNFLOOD = "1" SYNFLOOD_RATE = "100/s" SYNFLOOD_BURST = "150" # Port Flood Protection. This option configures iptables to offer protection # from DOS attacks against specific ports. This option limits the number of # connections per time interval that new connections can be made to specific # ports # # This feature does not work on servers that do not have the iptables module # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included # # For further information and syntax refer to the Port Flood section of the csf # readme.txt # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server PORTFLOOD = "0" # Enable verbose output of iptables commands VERBOSE = "1" # Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the # perl module Sys::Syslog installed to use this feature SYSLOG = "1" # Enable this option if you wish to allow access from all IP's that have # authenticated using POP before SMTP (i.e. are valid clients). This option # checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that # file after a successful POP authentication. # # Set the value to 0 to disable the feature RELAYHOSTS = "1" # Enable this option if you want lfd to ignore (i.e. don't block) IP addresses # listed in csf.allow in addition to csf.ignore (the default). This option # should be used with caution as it would mean that IP's allowed through the # firewall from infected PC's could launch attacks on the server that lfd # would ignore IGNORE_ALLOW = "1" # Enable the following option if you want to apply strict iptables rules to DNS # traffic (i.e. relying on iptables connection tracking). Enabling this option # could cause DNS resolution issues both to and from the server but could help # prevent abuse of the local DNS server DNS_STRICT = "0" # Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be # important as a large number of IP addresses create a large number of iptables # rules (4 times the number of IP's) which can cause problems on some systems # where either the the number of iptables entries has been limited (esp VPS's) # or where resources are limited. This can result in slow network performance, # or, in the case of iptables entry limits, can prevent your server from # booting as not all the required iptables chain settings will be correctly # configured. The value set here is the maximum number of IPs/CIDRs allowed # if the limit is reached, the entries will be rotated so that the oldest # entries (i.e. the ones at the top) will be removed and the latest is added. # The limit is only checked when using csf -d (which is what lfd also uses) # Set to 0 to disable limiting DENY_IP_LIMIT = "300" # Limit the number of IP's kept in the temprary IP ban list. If the limit is # reached the oldest IP's in the ban list will be removed and allowed # regardless of the amount of time remaining for the block # Set to 0 to disable limiting DENY_TEMP_IP_LIMIT = "300" # Enable login failure detection daemon (lfd). If set to 0 none of the # following settings will have any effect as the daemon won't start. LF_DAEMON = "1" # By default, lfd will send alert emails using the relevant alert template to # the To: address configured within that template. Setting the following # option will override the configured To: field in all lfd alert emails # # Leave this option empty to use the To: field setting in each alert template LF_ALERT_TO = "" # By default, lfd will send alert emails using the relevant alert template from # the From: address configured within that template. Setting the following # option will override the configured From: field in all lfd alert emails # # Leave this option empty to use the From: field setting in each alert template LF_ALERT_FROM = "" # In addition to the standard lfd email alerts, you can additionally enable the # sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only # block alert messages will be sent. # # These reports are in a format accepted by many Netblock owners and should # help them investigate abuse. This option is not designed to automatically # forward these reports to the Netblock owners and should be checked for # false-positive blocks before reporting # # Note: The following block types are not reported through this feature: # LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT X_ARF = "1" # By default, lfd will send emails from the root forwarder. Setting the # following option will override this X_ARF_FROM = "" # By default, lfd will send emails to the root forwarder. Setting the following # option will override this X_ARF_TO = "" # Block Reporting. lfd can run an external script when it performs and IP # address block following for example a login failure. The following setting # is to the full path of the external script which must be executable. See # readme.txt for format details # # Leave this setting blank to disable BLOCK_REPORT = "" # Send an alert if log file flooding is detected which causes lfd to skip log # lines to prevent lfd from looping. If this alert is sent you should check the # reported log file for the reason for the flooding LOGFLOOD_ALERT = "1" # Temporary to Permanent IP blocking. The following enables this feature to # permanently block IP addresses that have been temporarily blocked more than # LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set # LF_PERMBLOCK to "1" to enable this feature # # Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be # at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting # (TTL) for blocked IPs, to be effective # # Set LF_PERMBLOCK to "0" to disable this feature LF_PERMBLOCK = "1" LF_PERMBLOCK_INTERVAL = "172800" LF_PERMBLOCK_COUNT = "1" LF_PERMBLOCK_ALERT = "1" # Permanently block IPs by network class. The following enables this feature # to permanently block classes of IP address where individual IP addresses # within the same class LF_NETBLOCK_CLASS have already been blocked more than # LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set # LF_NETBLOCK to "1" to enable this feature # # This can be an affective way of blocking DDOS attacks launched from within # the same networ class # # Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and # consideration is required when blocking network classes A or B # # Set LF_NETBLOCK to "0" to disable this feature LF_NETBLOCK = "0" LF_NETBLOCK_INTERVAL = "86400" LF_NETBLOCK_COUNT = "4" LF_NETBLOCK_CLASS = "C" LF_NETBLOCK_ALERT = "1" # Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*, # SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new # chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT # chain, then flush and delete the old dynamic chain and rename the new chain. # # This prevents a small window of opportunity opening when an update occurs and # the dynamic chain is flushed for the new rules. # # This option should not be enabled on servers with long dynamic chains (e.g. # CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on # Virtuozzo VPS servers with a restricted numiptent value. This is because each # chain will effectively be duplicated while the update occurs, doubling the # number of iptables rules SAFECHAINUPDATE = "0" # If you wish to allow access from dynamic DNS records (for example if your IP # address changes whenever you connect to the internet but you have a dedicated # dynamic DNS record from the likes of dyndns.org) then you can list the FQDN # records in csf.dyndns and then set the following to the number of seconds to # poll for a change in the IP address. If the IP address has changed iptables # will be updated. # # A setting of 600 would check for IP updates every 10 minutes. Set the value # to 0 to disable the feature DYNDNS = "0" # To always ignore DYNDNS IP addresses in lfd blocking, set the following # option to 1 DYNDNS_IGNORE = "0" # The follow Global options allow you to specify a URL where csf can grab a # centralised copy of an IP allow or deny block list of your own. You need to # specify the full URL in the following options, i.e.: # http://www.somelocation.com/allow.txt # # The actual retrieval of these IP's is controlled by lfd, so you need to set # LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd # will perform the retrieval when it runs and then again at the specified # interval. A sensible interval would probably be every 3600 seconds (1 hour) # # You do not have to specify both an allow and a deny file # # You can also configure a global ignore file for IP's that lfd should ignore LF_GLOBAL = "" GLOBAL_ALLOW = "" GLOBAL_DENY = "" GLOBAL_IGNORE = "" # Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set # this to the URL of the file containing DYNDNS entries GLOBAL_DYNDNS = "" # Set the following to the number of seconds to poll for a change in the IP # address resoved from GLOBAL_DYNDNS GLOBAL_DYNDNS_INTERVAL = "600" # To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following # option to 1 GLOBAL_DYNDNS_IGNORE = "0" # Country Code to CIDR allow/deny. In the following two options you can allow # or deny whole country CIDR ranges. The CIDR blocks are generated from the # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry # and entirely relies on that service being available # # Specify the the two-letter ISO Country Code(s). The iptables rules are for # incoming connections only # # Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use # non-geographic IP address designations for their clients # # Warning: Some of the CIDR lists are huge and each one requires a rule within # the incoming iptables chain. This can result in significant performance # overheads and could render the server inaccessible in some circumstances. For # this reason (amongst others) we do not recommend using these options # # Warning: Due to the resource constraints on VPS servers this feature should # not be used on such systems unless you choose very small CC zones # # Warning: CC_ALLOW allows access through all ports in the firewall. For this # reason CC_ALLOW probably has very limited use # # If you use this feature you should consider a donation to: # http://iplocationtools.com/donate.php # # Each option is a comma separated list of CC's, e.g. "US,GB,DE" CC_DENY = "" CC_ALLOW = "" # An alternative to CC_ALLOW is to only allow access from the following # countries but still filter based on the port and packets rules. All other # connections are dropped CC_ALLOW_FILTER = "" # This option tells lfd how often to retrieve the Maxmind GeoLite Country # database for CC_ALLOW, CC_ALLOW_FILTER and CC_DENY (in days) CC_INTERVAL = "7" # Enable IP range blocking using the DShield Block List at # http://feeds.dshield.org/block.txt # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended LF_DSHIELD = "86400" # The DShield block list URL. If you change this to something else be sure it # is in the same format as the block list LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt" # Enable IP range blocking using the Spamhaus DROP List at # http://www.spamhaus.org/drop/index.lasso # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended LF_SPAMHAUS = "86400" # The Spamhaus DROP List URL. If you change this to something else be sure it # is in the same format as the drop list LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso" # Enable IP range blocking using the BOGON List at # http://www.cymru.com/Bogons/ # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended # # Do NOT use this option if your server uses IP's on the bogon list (e.g. this # is often the case with servers behind a NAT firewall using ip routing) LF_BOGON = "86400" # The BOGON List URL. If you change this to something else be sure it # is in the same format as the drop list LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt" # The following[*] triggers are application specific. If you set LF_TRIGGER to # "0" the value of each trigger is the number of failures against that # application that will trigger lfd to block the IP address # # If you set LF_TRIGGER to a value greater than "0" then the following[*] # application triggers are simply on or off ("0" or "1") and the value of # LF_TRIGGER is the total cumulative number of failures that will trigger lfd # to block the IP address # # Setting the application trigger to "0" disables it LF_TRIGGER = "0" # If LF_TRIGGER is > 1 then the following can be set to "1" to permanently # block the IP address, or if set to a value greater than "1" then the IP # address will be blocked temporarily for the value in seconds. For example: # LF_TRIGGER_PERM = "1" => the IP is blocked permanently # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour # # If LF_TRIGGER is 0, then the application LF_[application]_PERM value works in # the same way as above LF_TRIGGER_PERM = "1" # To only block access to the failed application instead of a complete block # for an ip address, you can set the following to "1", but LF_TRIGGER must be # set to "0" with specific application[*] trigger levels also set LF_SELECT = "0" # Send an email alert if an IP address is blocked by one of the [*] triggers LF_EMAIL_ALERT = "1" # [*]Enable login failure detection of sshd connections LF_SSHD = "10" LF_SSHD_PERM = "1" # [*]Enable login failure detection of pure-ftpd connections LF_FTPD = "20" LF_FTPD_PERM = "1" # [*]Enable login failure detection of SMTP AUTH connections LF_SMTPAUTH = "20" LF_SMTPAUTH_PERM = "1" # [*]Enable login failure detection of courier pop3 connections. This will not # trap the older cppop daemon LF_POP3D = "20" LF_POP3D_PERM = "1" # [*]Enable login failure detection of courier imap connections. This will not # trap the older cpimap (uwimap) daemon LF_IMAPD = "20" LF_IMAPD_PERM = "1" # [*]Enable login failure detection of Apache .htpasswd connections # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # password protected directories LF_HTACCESS = "10" LF_HTACCESS_PERM = "1" # [*]Enable login failure detection of cpanel, webmail and whm connections LF_CPANEL = "5" LF_CPANEL_PERM = "1" # [*]Enable failure detection of repeated Apache mod_security rule triggers # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # web scripts LF_MODSEC = "20" LF_MODSEC_PERM = "1" # [*]Enable detection of repeated BIND denied requests # This option should be enabled with care as it will prevent blocked IPs from # resolving any domains on the server. You might want to set the trigger value # reasonably high to avoid this # Example: LF_BIND = "100" LF_BIND = "100" LF_BIND_PERM = "1" # [*]Enable detection of repeated suhosin ALERTs # Example: LF_SUHOSIN = "5" LF_SUHOSIN = "0" LF_SUHOSIN_PERM = "1" # Distributed Account Attack. This option will keep track of login failures # from distributed IP addresses to a specific application account. If the # number of failures matches the trigger value above, ALL of the IP addresses # involved in the attack will be blocked according to the temp/perm rules above # # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, # LF_HTACCESS LF_DISTATTACK = "0" # Set the following to the minimum number of unique IP addresses that trigger # LF_DISTATTACK LF_DISTATTACK_UNIQ = "2" # Distributed FTP Logins. This option will keep track of successful FTP logins. # If the number of successful logins to an individual account is at least # LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then # all of the IP addresses will be blocked # # This option can help mitigate the common FTP account compromise attacks that # use a distributed network of zombies to deface websites # # A sensible setting for this might be 5, depending on how many IP different # IP addresses you expect to an individual FTP account within LF_INTERVAL # # To disable set to "0" LF_DISTFTP = "1" # Set the following to the minimum number of unique IP addresses that trigger # LF_DISTATTACK. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work LF_DISTFTP_UNIQ = "3" # If this option is set to 1 the blocks will be permanent # If this option is > 1, the blocks will be temporary for the specified number # of seconds LF_DISTFTP_PERM = "1" # Check whether csf appears to have been stopped and restart if necessary, # unless TESTING is enabled above. The check is done every 300 seconds LF_CSF = "1" # If you enable this option then whenever a CLI request to restart csf is used # (i.e. -s, --start, -r, --restart, -q, --startq) then instead of csf # rebuilding the iptables rules, csf will indicate to lfd to rebuild them # instead, within LF_PARSE seconds # # This feature can be particularly helpful for (re)starting configurations with # a large number of rules, e.g. those using CC block/allow lists. It can also # speed up boot times by deferring csf startup to the lfd process rather than # the init process LF_QUICKSTART = "1" # Send an email alert if anyone logs in successfully using SSH LF_SSH_EMAIL_ALERT = "1" # Send an email alert if anyone uses su to access another account. This will # send an email alert whether the attempt to use su was successful or not LF_SU_EMAIL_ALERT = "1" # Send an email alert if anyone accesses WHM via root. An IP address will be # reported again 1 hour after the last tracked access (or if lfd is restarted) LF_CPANEL_ALERT = "1" # Enable scanning of the exim mainlog for repeated emails sent from scripts. # To use this feature you must add an extended email logging line to WHM > # Exim Configuration Editor > Switch to Advanced Mode > in the first textbox # add the following line (without the preceding #): # # log_selector = +arguments +subject +received_recipients # # If you already use extended exim logging, then you need to either include # +arguments +received_recipients or use +all # # This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines # appear with the same cwd= path in them within an hour. This can be useful in # identifying spamming scripts on a server, especially PHP scripts running # under the nobody account. The email that is sent includes the exim log lines # and also attempts to find scripts that send email in the path that may be the # culprit LF_SCRIPT_ALERT = "1" # The limit afterwhich the email alert for email scripts is sent. Care should # be taken with this value if you allow clients to use web scripts to maintain # pseudo-mailing lists which have large recipients LF_SCRIPT_LIMIT = "300" # If this option is enabled, the directory identified by LF_SCRIPT_ALERT will # be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1 # to enable. # # WARNING: This option could cause serious system problems if the identified # directory is within the OS directory hierarchy. For this reason we do not # recommend enabling it unless absolutely necessary. LF_SCRIPT_PERM = "0" # Checks the length of the exim queue and sends an alert email if the value of # settings is exceeded. If the ConfigServer MailScanner configuration is used # then both the pending and delivery queues will be checked. # # Note: If there are problems sending out email, this alert may not be received # To disable set to "0" LF_QUEUE_ALERT = "2000" # The interval between mail queue checks in seconds. This should not be set too # low on servers that often have long queues as the exim binary can use # significant resources when checing its queue length LF_QUEUE_INTERVAL = "300" # Enable Directory Watching. This enables lfd to check /tmp and /dev/shm # directories for suspicious files, i.e. script exploits. If a suspicious # file is found an email alert is sent. One alert per file per LF_FLUSH # interval is sent # # To enable this feature set the following to the checking interval in seconds. # To disable set to "0" LF_DIRWATCH = "120" # To remove any suspicious files found during directory watching, enable the # following. These files will be appended to a tarball in # /etc/csf/suspicious.tar LF_DIRWATCH_DISABLE = "0" # This option allows you to have lfd watch a particular file or directory for # changes and should they change and email alert using watchalert.txt is sent # # To enable this feature set the following to the checking interval in seconds # (a value of 60 would seem sensible) and add your entries to csf.dirwatch # # Set to disable set to "0" LF_DIRWATCH_FILE = "60 " # This is the interval that is used to flush reports of usernames, files and # pids so that persistent problems continue to be reported, in seconds. # A value of 3600 seems sensible LF_FLUSH = "3600" # System Integrity Checking. This enables lfd to compare md5sums of the # servers OS binary application files from the time when lfd starts. If the # md5sum of a monitored file changes an alert is sent. This option is intended # as an IDS (Intrusion Detection System) and is the last line of detection for # a possible root compromise. # # There will be constant false-positives as the servers OS is updated or # monitored application binaries are updated. However, unexpected changes # should be carefully inspected. # # Modified files will only be reported via email once. # # To enable this feature set the following to the checking interval in seconds # (a value of 3600 would seem sensible). This option may increase server I/O # load onto the server as it checks system binaries. # # To disable set to "0" LF_INTEGRITY = "3600" # System Exploit Checking. This enables lfd to check for the Random JS Toolkit # and may check for others in the future: # http://www.cpanel.net/security/notes/random_js_toolkit.html # It compares md5sums of the binaries listed in the exploit above for changes # and also attempts to create and remove a number directory # # Modified files will only be reported via email once, though will be reset # after an hour # # To enable this feature set the following to the checking interval in seconds # (a value of 300 would seem sensible). # # To disable set to "0" LF_EXPLOIT = "300" # This comma separated list allows you to (de)select which tests LF_EXPLOIT # performs # # For the SUPERUSER check, you can list usernames in csf.suignore to have them # ignored for that test # # Valid tests are: # JS,SUPERUSER LF_EXPLOIT_CHECK = "JS,SUPERUSER" # Set the time interval to track login and other LF_ failures within (seconds), # i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds LF_INTERVAL = "300" # This is how long the lfd process sleeps (in seconds) before processing the # log file entries and checking whether other events need to be triggered LF_PARSE = "5" # Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour # per IP LT_EMAIL_ALERT = "1" # Block POP3 logins if greater than LT_POP3D times per hour per account per IP # address (0=disabled) # # This is a temporary block for the rest of the hour, afterwhich the IP is # unblocked LT_POP3D = "0" # Block IMAP logins if greater than LT_IMAPD times per hour per account per IP # address (0=disabled) - not recommended for IMAP logins due to the ethos # within which IMAP works. If you want to use this, setting it quite high is # probably a good idea # # This is a temporary block for the rest of the hour, afterwhich the IP is # unblocked LT_IMAPD = "0" # Relay Tracking. This allows you to track email that is relayed through the # server. There are also options to send alerts and block external IP addresses # if the number of emails relayed per hour exceeds configured limits. The # blocks can be either permanent or temporary. # # The following information applies to each of the following types of relay # check: # RT_[relay type]_ALERT: 0 = disable, 1 = enable # RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent # RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs # This option triggers for external email RT_RELAY_ALERT = "1" RT_RELAY_LIMIT = "100" RT_RELAY_BLOCK = "0" # This option triggers for email authenticated by SMTP AUTH RT_AUTHRELAY_ALERT = "1" RT_AUTHRELAY_LIMIT = "100" RT_AUTHRELAY_BLOCK = "0" # This option triggers for email authenticated by POP before SMTP RT_POPRELAY_ALERT = "1" RT_POPRELAY_LIMIT = "100" RT_POPRELAY_BLOCK = "0" # This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim RT_LOCALRELAY_ALERT = "1" RT_LOCALRELAY_LIMIT = "100" # This option triggers for email sent via a local IP addresses RT_LOCALHOSTRELAY_ALERT = "1" RT_LOCALHOSTRELAY_LIMIT = "100" # Connection Tracking. This option enables tracking of all connections from IP # addresses to the server. If the total number of connections is greater than # this value then the offending IP address is blocked. This can be used to help # prevent some types of DOS attack. # # Care should be taken with this option. It's entirely possible that you will # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD # and HTTP so it could be quite easy to trigger, especially with a lot of # closed connections in TIME_WAIT. However, for a server that is prone to DOS # attacks this may be very useful. A reasonable setting for this option might # be arround 300. # # To disable this feature, set this to 0 CT_LIMIT = "300" # Connection Tracking interval. Set this to the the number of seconds between # connection tracking scans CT_INTERVAL = "30" # Send an email alert if an IP address is blocked due to connection tracking CT_EMAIL_ALERT = "1" # If you want to make IP blocks permanent then set this to 1, otherwise blocks # will be temporary and will be cleared after CT_BLOCK_TIME seconds CT_PERMANENT = "0" # If you opt for temporary IP blocks for CT, then the following is the interval # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins) CT_BLOCK_TIME = "1800" # If you don't want to count the TIME_WAIT state against the connection count # then set the following to "1" CT_SKIP_TIME_WAIT = "0" # If you only want to count specific states (e.g. SYN_RECV) then add the states # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT" # # Leave this option empty to count all states against CT_LIMIT CT_STATES = "" # If you only want to count specific ports (e.g. 80,443) then add the ports # to the following as a comma separated list. E.g. "80,443" # # Leave this option empty to count all ports against CT_LIMIT CT_PORTS = "" # Process Tracking. This option enables tracking of user and nobody processes # and examines them for suspicious executables or open network ports. Its # purpose is to identify potential exploit processes that are running on the # server, even if they are obfuscated to appear as system services. If a # suspicious process is found an alert email is sent with relevant information. # It is then the responsibility of the recipient to investigate the process # further as the script takes no further action # # The following is the number of seconds a process has to be active before it # is inspected. If you set this time too low, then you will likely trigger # false-positives with CGI or PHP scripts. # Set the value to 0 to disable this feature PT_LIMIT = "60" # How frequently processes are checked in seconds PT_INTERVAL = "60" # If you want process tracking to highlight php or perl scripts that are run # through apache then disable the following, # i.e. set it to 0 # # While enabling this setting will reduce false-positives, having it set to 0 # does provide better checking for exploits running on the server PT_SKIP_HTTP = "0" # If you want to track all linux accounts on a cPanel server, not just users # that are part of cPanel, then enable this option. This is recommended to # improve security from compromised accounts # # Set to 0 to disable the feature, 1 to enable it PT_ALL_USERS = "1" # lfd will report processes, even if they're listed in csf.pignore, if they're # tagged as (deleted) by Linux. This information is provided in Linux under # /proc/PID/exe. A (deleted) process is one that is running a binary that has # the inode for the file removed from the file system directory. This usually # happens when the binary has been replaced due to an upgrade for it by the OS # vendor or another third party (e.g. cPanel). You need to investigate whether # this is indeed the case to be sure that the original binary has not been # replaced by a rootkit or is running an exploit. # # To stop lfd reporting such process you need to restart the daemon to which it # belongs and therefore run the process using the replacement binary (presuming # one exists). This will normally mean running the associated startup script in # /etc/init.d/ # # If you don't want lfd to report deleted binary processes, set to 0 PT_DELETED = "1" # User Process Tracking. This option enables the tracking of the number of # process any given account is running at one time. If the number of processes # exceeds the value of the following setting an email alert is sent with # details of those processes. If you specify a user in csf.pignore it will be # ignored # # Set to 0 to disable this feature PT_USERPROC = "10" # This User Process Tracking option sends an alert if any cPanel user process # exceeds the memory usage set (MB). To ignore specific processes or users use # csf.pignore # # Set to 0 to disable this feature PT_USERMEM = "200" # This User Process Tracking option sends an alert if any cPanel user process # exceeds the time usage set (seconds). To ignore specific processes or users # use csf.pignore # # Set to 0 to disable this feature PT_USERTIME = "3600" # If this option is set then processes detected by PT_USERMEM, PT_USERTIME or # PT_USERPROC are killed # # Warning: We don't recommend enabling this option unless absolutely necessary # as it can cause unexpected problems when processes are suddenly terminated. # It can also lead to system processes being terminated which could cause # stability issues. It is much better to leave this option disabled and to # investigate each case as it is reported when the triggers above are breached # # Note: Processes that are running deleted excecutables (see PT_DELETED) will # not be killed by lfd PT_USERKILL = "0" # If you want to disable email alerts if PT_USERKILL is triggered, then set # this option to 0 PT_USERKILL_ALERT = "1" # Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and # defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the # load average is greater than or equal to PT_LOAD_LEVEL then an email alert is # sent. lfd then does not report subsequent high load until PT_LOAD_SKIP # seconds has passed to prevent email floods. # # Set PT_LOAD to "0" to disable this feature PT_LOAD = "30" PT_LOAD_AVG = "5" PT_LOAD_LEVEL = "6" PT_LOAD_SKIP = "3600" # If a PT_LOAD event is triggered, then if the following contains the path to # a script, it will be run in a child process. For example, the script could # contain commands to terminate and restart httpd, php, exim, etc incase of # looping processes. The action script must have the execute bit an # interpreter (shebang) set PT_LOAD_ACTION = "" # Port Scan Tracking. This feature tracks port blocks logged by iptables to # syslog. If an IP address generates a port block that is logged more than # PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked. # # This feature could, for example, be useful for blocking hackers attempting # to access the standard SSH port if you have moved it to a port other than 22 # and have removed 22 from the TCP_IN list so that connection attempts to the # old port are being logged # # This feature blocks all iptables blocks from the iptables logs, including # repeated attempts to one port or SYN flood blocks, etc # # Note: This feature will only track iptables blocks from the log file set in # IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will # cause redundant blocking with DROP_IP_LOGGING enabled # # Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's) # could very quickly fill the iptables rule chains and cause a DOS in itself. # The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks # and the DENY_TEMP_IP_LIMIT with temporary blocks # # Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300 # would be sensible to enable this feature PS_INTERVAL = "300" PS_LIMIT = "10" # You can specify the ports and/or port ranges that should be tracked by the # Port Scan Tracking feature. The following setting is a comma separated list # of those ports and uses the same format as TCP_IN. The default setting of # 0:65535,ICMP covers all ports PS_PORTS = "0:65535,ICMP" # You can select whether IP blocks for Port Scan Tracking should be temporary # or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent # blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to # temporarily block the IP address for PS_PERMANENT = "0" PS_BLOCK_TIME = "3600" # Set the following to "1" to enable Port Scan Tracking email alerts, set to # "0" to disable them PS_EMAIL_ALERT = "1" # Account Tracking. The following options enable the tracking of modifications # to the accounts on a server. If any of the enabled options are triggered by # a modifications to an account, an alert email is sent. Only the modification # is reported. The cause of the modification will have to be investigated # manually # # You can set AT_ALERT to the following: # 0 = disable this feature # 1 = enable this feature for all accounts # 2 = enable this feature only for accounts with uid 0 (e.g. root) AT_ALERT = "2" # This options is the interval between checks in seconds AT_INTERVAL = "60" # Send alert if a new account is created AT_NEW = "1" # Send alert if an existing account is deleted AT_OLD = "1" # Send alert if an account password has changed AT_PASSWD = "1" # Send alert if an account uid has changed AT_UID = "1" # Send alert if an account gid has changed AT_GID = "1" # Send alert if an account login directory has changed AT_DIR = "1" # Send alert if an account login shell has changed AT_SHELL = "1" # Display Country Code and Country for reported IP addresses CC_LOOKUPS = "1" # Messenger service. This feature allows the display of a message to a blocked # connecting IP address to inform the user that they are blocked in the # firewall. This can help when users get themselves blocked, e.g. due to # multiple login failures. The service is provided by two daemons running on # ports providing either an HTML or TEXT message. # # This feature does not work on servers that do not have the iptables module # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included. # # For further information on features and limitations refer to the csf # readme.txt # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server # # 1 to enable, 0 to disable MESSENGER = "1" # Provide this service to temporary IP address blocks MESSENGER_TEMP = "1" # Provide this service to permanent IP address blocks MESSENGER_PERM = "1" # User account to run the service servers under. We recommend creating a # specific non-priv, non-shell account for this purpose MESSENGER_USER = "csf" # This is the maximum concurrent connections allowed to each service server MESSENGER_CHILDREN = "20" # Set this to the port that will receive the HTML message. You should configure # this port to be >1023 and different from the TEXT port. Do NOT enable access # to this port in TCP_IN MESSENGER_HTML = "8888" # This comma separated list are the HTML ports that will be redirected for the # blocked IP address. If you are using per application blocking (LF_TRIGGER) # then only the relevant block port will be redirected to the messenger port MESSENGER_HTML_IN = "80,2082,2095" # Set this to the port that will receive the TEXT message. You should configure # this port to be >1023 and different from the HTML port. Do NOT enable access # to this port in TCP_IN MESSENGER_TEXT = "8889" # This comma separated list are the TEXT ports that will be redirected for the # blocked IP address. If you are using per application blocking (LF_TRIGGER) # then only the relevant block port will be redirected to the messenger port MESSENGER_TEXT_IN = "21" # These settings limit the rate at which connections can be made to the # messenger service servers. Its intention is to provide protection from # attacks or excessive connections to the servers. If the rate is exceeded then # iptables will revert for the duration to the normal blocking actiity # # See the iptables man page for the correct --limit rate syntax MESSENGER_RATE = "30/m" MESSENGER_BURST = "5" # lfd Clustering. This allows the configuration of an lfd cluster environment # where a group of servers can share blocks and configuration option changes. # Included are CLI and UI options to send requests to the cluster. # # See the readme.txt file for more information and details on setup and # security risks. # # Comma separated list of cluster member IP addresses to send requests to CLUSTER_SENDTO = "" # Comma separated list of cluster member IP addresses to receive requests from CLUSTER_RECVFROM = "" # If this is a NAT server, set this to the public IP address of this server CLUSTER_NAT = "" # If a cluster member should send requests on an IP other than the default IP, # set it here CLUSTER_LOCALADDR = "" # Cluster communication port (must be the same on all member servers). There # is no need to open this port in the firewall as csf will automatically add # in and out bound rules to allow communication between cluster members CLUSTER_PORT = "7777" # This is a secret key used to encrypt cluster communications using the # Blowfish algorithm. It should be between 8 and 56 characters long, # preferably > 20 random characters # 56 chars: 012345678901234567890123456789012345678901234567890123456 CLUSTER_KEY = "" # This option allows the enabling and disabling of the Cluster configuration # changing options --cconfig and --cconfigr for security reasons # # For security reasons, we do not recommend leaving this option enabled CLUSTER_CONFIG = "0" # Maximum number of child processes to listen on. High blocking rates or large # clusters may need to increase this CLUSTER_CHILDREN = "10" # Statistics # # This option enabled statistical data gathering ST_ENABLE = "1" # This option determines how many iptables log lines to store for reports ST_IPTABLES = "100" # This option indicates whether rDNS and CC lookups are performed at the time # the log line is recorded (this is not performed when viewing the reports) # # Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits, # then enabling this setting could cause serious performance problems ST_LOOKUP = "0" # If you find ever increasing numbers of zombie lfd processes you may need to # revert to the old child reaper code by enabling this option OLD_REAPER = "0" # OS settings IPTABLES = "/sbin/iptables" MODPROBE = "/sbin/modprobe" IFCONFIG = "/sbin/ifconfig" SENDMAIL = "/usr/sbin/sendmail" PS = "/bin/ps" VMSTAT = "/usr/bin/vmstat" LS = "/bin/ls" MD5SUM = "/usr/bin/md5sum" TAR = "/bin/tar" CHATTR = "/usr/bin/chattr" UNZIP = "/usr/bin/unzip" # Log files HTACCESS_LOG = "# Messenger service. This feature allows the display of a message to a blocked # connecting IP address to inform the user that they are blocked in the # firewall. This can help when users get themselves blocked, e.g. due to # multiple login failures. The service is provided by two daemons running on # ports providing either an HTML or TEXT message. # # This feature does not work on servers that do not have the iptables module # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included. #" MODSEC_LOG = "/usr/local/apache/logs/error_log" SSHD_LOG = "/var/log/secure" SU_LOG = "/var/log/secure" FTPD_LOG = "/var/log/messages" SMTPAUTH_LOG = "/var/log/exim_mainlog" SMTPRELAY_LOG = "/var/log/exim_mainlog" POP3D_LOG = "/var/log/maillog" IMAPD_LOG = "/var/log/maillog" CPANEL_LOG = "/usr/local/cpanel/logs/login_log" CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log" SCRIPT_LOG = "/var/log/exim_mainlog" IPTABLES_LOG = "/var/log/messages" SUHOSIN_LOG = "/var/log/messages" BIND_LOG = "/var/log/messages" CUSTOM1_LOG = "/var/log/messages" CUSTOM2_LOG = "/var/log/messages" CUSTOM3_LOG = "/var/log/messages" CUSTOM4_LOG = "/var/log/messages" CUSTOM5_LOG = "/var/log/messages" CUSTOM6_LOG = "/var/log/messages" CUSTOM7_LOG = "/var/log/messages" CUSTOM8_LOG = "/var/log/messages" CUSTOM9_LOG = "/var/log/messages" # For internal use only. You should not enable this option as it could cause # instability in csf and lfd DEBUG = "0"
Firewall Check Status Check whether csf is enabled Check csf is running Check whether csf is in TESTING mode Check whether lfd is enabled Check incoming MySQL port Check csf SMTP_BLOCK option WARNING This option will help prevent the most common form of spam abuse on a server that bypasses exim and sends spam directly out through port 25. Enabling this option will prevent any web script from sending out using socket connection, such scripts should use the exim or sendmail binary instead Check csf LF_SCRIPT_ALERT option Check csf LF_SSHD option Check csf LF_FTPD option Check csf LF_SMTPAUTH option Check csf LF_POP3D option Check csf LF_IMAPD option Check csf LF_HTACCESS option Check csf LF_MODSEC option Check csf LF_CPANEL option Check csf LF_CPANEL_ALERT option Check csf LF_DIRWATCH option Check csf LF_INTEGRITY option Check csf PT_SKIP_HTTP option Check csf PT_ALL_USERS option Check csf SAFECHAINUPDATE option WARNING This option closes a window of opportunity that opens when dynamic chain updates occur Server Check Check /tmp permissions Check /tmp ownership Check /tmp is mounted as a filesystem Check /tmp is mounted noexec,nosuid Check /etc/cron.daily/logrotate for /tmp noexec workaround Check /var/tmp permissions Check /var/tmp ownership Check /var/tmp is mounted as a filesystem Check /var/tmp is mounted noexec,nosuid Check /usr/tmp permissions Check /usr/tmp ownership Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp Check /dev/shm is mounted noexec,nosuid WARNING /dev/shm is not mounted with the noexec,nosuid options (currently: none). You should modify the mountpoint in /etc/fstab for /dev/shm with those options and remount Check /etc/named.conf for DNS recursion restrictions Check /etc/named.conf for DNS random query source port Check server runlevel Check nobody cron Check Operating System support Check perl version Check MySQL version Check MySQL LOAD DATA disallows LOCAL Check SUPERUSER accounts SSH/Telnet Check Check SSHv1 is disabled WARNING You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2 Check SSH on non-standard port Check SSH PasswordAuthentication WARNING For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication Check SSH UseDNS WARNING You should disable UseDNS by editing /etc/ssh/sshd_config and setting: UseDNS no Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses Check telnet port 23 is not in use Check shell limits Check Background Process Killer Mail Check Check root forwarder Check exim for extended logging (log_selector) WARNING You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add: log_selector = +arguments +subject +received_recipients to the first textarea in the Advanced Mode Exim Configuration Editor Check exim weak SSL/TLS Ciphers (tls_require_ciphers) Check for maildir conversion Check Courier IMAP weak SSL/TLS Ciphers (TLS_CIPHER_LIST) Check Courier POP3D weak SSL/TLS Ciphers (TLS_CIPHER_LIST) Apache Check Status Comment Apache Check Check apache version Check suPHP Check Suexec Check apache for mod_security Check apache for FrontPage WARNING Microsoft Frontpage Extensions were EOL in 2006 and there is no support for bugs or security issues. For this reason, it should be considered a security risk to continue using them. You should rebuild apache through easyapache and deselect the option to build them Check apache for RLimitCPU WARNING You should set a value RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this. A quick way to set this is to use WHM > Modify Apache Memory Usage Check apache for RLimitMEM WARNING You should set a value RLimitMEM to prevent runaway scripts from consuming server resources - DOS exploits can typically do this. A quick way to set this is to use WHM > Modify Apache Memory Usage Check Apache weak SSL/TLS Ciphers (SSLCipherSuite) Check mod_userdir protection PHP Check Check php version (/usr/local/bin/php) WARNING Any version of PHP (Current: v4.*) older that v5 is obsolete and should be considered a security threat. You should upgrade exclusively to PHP v5 Check php for enable_dl or disabled dl() Check php for disable_functions Check php for ini_set disabled WARNING You should consider adding ini_set to the disable_functions in the PHP configuration as this setting allows PHP scripts to override global security and performance settings for PHP scripts. Adding ini_set can break PHP scripts and commenting out any use of ini_set in such scripts is advised Check php for register_globals Check php for Suhosin Check php open_basedir protection WHM Settings Check Status Check cPanel version Check cPanel login is SSL only Check boxtrapper is disabled Check max emails per hour is set Check whether users can reset passwords via email Check whether native cPanel SSL is enabled Check compilers Check Anonymous FTP Logins Check Anonymous FTP Uploads Check pure-ftpd weak SSL/TLS Ciphers (TLSCipherSuite) Check FTP Logins with Root Password Check allow remote domains Check block common domains Check allow park domains Check cPAddons update email to owner Check cPAddons update email to root Check package updates Check security updates Check cPanel tree Check melange chat server Check root/reseller login to users cPanel Check cPanel php for register_globals Check cPanel php.ini file for register_globals Check cPanel passwords in email Check Coie IP Validation Check Referrer Blank Security Check Referrer Security Check Security Tens Check Parent Security Check Domain Loup Security Check SMTP Tweak Check nameservers WARNING At least one of the configured nameservers: ns1.grafindo.co.id ns2.grafindo.co.id should be located in a topologically and geographically dispersed location on the Internet - See RFC 2182 (Section 3.1) Server Services Check Status Check server startup for cups Check server startup for xfs Check server startup for atd Check server startup for nfslock Check server startup for canna Check server startup for FreeWnn Check server startup for cups-config-daemon Check server startup for iiim Check server startup for mDNSResponder Check server startup for nifd Check server startup for rpcidmapd Check server startup for bluetooth Check server startup for anacron Check server startup for gpm Check server startup for saslauthd Check server startup for avahi-daemon Check server startup for avahi-dnsconfd Check server startup for hidd Check server startup for pcscd Check server startup for sbadm

[/ccie]

ACL Description

Wed, 12 May 2010 02:41:51 +0000

             ACL Entry                         Description
    ___________________________________________________________________
    u[ser]::perms                 File owner permissions.
    g[roup]::perms                File group owner permissions.
    o[ther]:perms                 Permissions for users other than  the
                                  file  owner  or members of file group
                                  owner.
    m[ask]:perms                  The ACL mask. The  mask  entry  indi-
                                  cates the maximum permissions allowed
                                  for users (other than the owner)  and
                                  for  groups.  The mask is a quick way
                                  to  change  permissions  on  all  the
                                  users and groups.
    u[ser]:uid:perms              Permissions for a specific user.  For
                                  uid,  you  can  specify either a user
                                  name or a numeric UID.
    g[roup]:gid:perms             Permissions for a specific group. For
                                  gid,  you  can specify either a group
                                  name or a numeric GID.
    d[efault]:u[ser]::perms       Default file owner permissions.
    d[efault]:g[roup]::perms      Default file group owner permissions.

    d[efault]:o[ther]:perms       Default permissions for  users  other
                                  than the file owner or members of the
                                  file group owner.
    d[efault]:m[ask]:perms        Default ACL mask.
    d[efault]:u[ser]:uid:perms    Default permissions  for  a  specific
                                  user. For uid, you can specify either
                                  a user name or a numeric UID.
    d[efault]:g[roup]:gid:perms   Default permissions  for  a  specific
                                  group.   For  gid,  you  can  specify
                                  either a group name or a numeric GID.

Install RHEV-Manager

Wed, 12 May 2010 02:38:15 +0000

Instalasi RHEV manager di windows 2003 server

Requipment Software:
1. Windows 2003 Server SP1
2. Internet Information Service (IIS)
3. ASP.NET
4. Powershell
5. .NET SP1, .NET 2.0, .NET 3.5 SP1
6. Windows Active Directory

Requipment Hardware:
1. Minimum 1 GB Ram
2. 2 GB Free Hardisk

Lets Begin:
1. Install Windows 2003 server seperti biasa
2. Install IIS, ASP.NET, .NET 1.0 SP1, .NET 2.0, dan Active Direcktory dari CD Windows 2003
3. Install "Enable network DTC access" pada Add Remove Progam bagian Application Server
4. Restart
5. Install .NET 3.5 dan Powershell 1.0
6. Install Active Directory
- Click Start, click Run, type dcpromo, and then click OK.
- On the first page of the Active Directory Installation Wizard,
click Next.
- On the next page of the Active Directory Installation Wizard,
click Next.
- On the Domain Controller Type page, click Domain Controller
for a new domain, and then click Next.
- On the Create New Domain page, click Domain in a new forest,
and then click Next.
- On the New Domain Name page, in the Full DNS name for new
domain box, type corp.contoso.com, and then click Next.
- On the Database and Log Folders page, accept the defaults
in the Database folder box and the Log folder box, and then click Next.
- On the Shared System Volume page, accept the default in
the Folder location box, and then click Next.
- On the DNS Registration Diagnostics page, click Install and
configure the DNS server on this computer and set this computer
to use this DNS server as its preferred DNS Server, and then click Next.
- On the Permissions page, click Permissions compatible only
with Windows 2000 or Windows Server 2003 operating systems,
and then click Next.
- On the Directory Services Restore Mode Administrator Password page,
enter a password in the Restore Mode Password box, retype the password to confirm it in the Confirm password box, and then click Next.
- On the Summary page, confirm the information is correct,
and then click Next.
- When prompted to restart the computer, click Restart now.
- After the computer restarts, log on to CONT-CA01 as a member
of the Administrators group.

taken from : http://technet.microsoft.com/en-us/library/aa998088%28EXCHG.65%29.aspx

7. Add user di Active Directory untuk mengadd account Rhev Manager
8. Create permission pada user Rhev manager agar dapat membaca dan menulis di Active Directory, dalam hal ini saya samakan dengan permission administrator
9. Install RHEV-M software
- Klik Next
- Pilih pake yang ingin di install, dalam hal ini saya pilih semua paket dan klik Next
- Install SQL Server 2005 express Localy / jika anda sudah mempunya SQL Server sendiri, anda bisa set Use an exiting SQL Server 2005 Database
- Masukan password untuk user administrator database SQL Server 2005
- Klik Next
- Select Default Website
- Select Domain dan masukan domain yang telah di set pada active directory, dalam hal ini example.com
- Masukan user yang telah di create pada Active Directory
- Klik Next
- Masukan Informasi yang di butuhkan dan klik Next
- Tunggu sampai proses instalasi selesai dan RHEV-M sudah dapat di gunakan

Terima Kasih

Yusuf Hadiwinata

BGP di Juniper, Gimana sih?

Wed, 28 Apr 2010 03:09:42 +0000

Enabling BGP Routing

host1(config)#router bgp 100


Understanding BGP Command Scope

bgp advertise-inactive	bgp log-neighbor-changes
bgp always-compare-med	bgp maxas-limit
bgp bestpath med confed	bgp redistribute-internal
bgp bestpath missing-as-worst	bgp router-id
bgp client-to-client reflection	bgp shutdown
bgp cluster-id	ip bgp-community new-format
bgp confederation identifier	maximum-paths
bgp confederation peers	overload shutdown
bgp default local-preference	rib-out disable
bgp enforce-first-as	router bgp
bgp fast-external-fallover	timers bgp

The following commands configure router NY:

host1(config)#router bgp 300
host1(config-router)#neighbor 10.2.25.1 remote-as 100
host1(config-router)#neighbor 10.4.4.1 remote-as 400
host1(config-router)#network 192.168.33.0 mask 255.255.255.0

The following commands configure router Boston:

host2(config)#router bgp 100
host2(config-router)#neighbor 10.2.25.2 remote-as 300
host2(config-router)#neighbor 10.3.3.1 remote-as 400
host2(config-router)#network 172.19.0.0

Notice that a mask was not specified for the prefix originating with router Boston. The natural mask is assumed for networks without a mask.The following commands configure router LA:

host3(config)#router bgp 400 host3(config-router)#neighbor 10.3.3.2 remote-as 100 host3(config-router)#neighbor 10.4.4.2 remote-as 300 host3(config-router)#network 172.28.8.0 mask 255.255.248.0

Redistributing Routes into BGP

BGP can learn about routes from sources other than BGP updates from peers. Routes known to other protocols can be redistributed into BGP. Similarly, routes manually configured on a router—static routes—can be redistributed into BGP. Once redistributed, BGP advertises the routes. When you redistribute routes, BGP sets the origin attribute for the route to Incomplete. Refer to Understanding the Origin Attribute (p 1-99) for more information on origins.
The following commands configure three static routes on router Boston and configure router Boston to redistribute the static routes and routes from OSPF into BGP for the network structure shown in Figure 1-11:
host2(config)#ip route 172.30.0.0 255.255.0.0 192.168.10.12
host2(config)#ip route 172.16.8.0 255.255.248.0 10.211.5.7
host2(config)#ip route 192.168.4.0 255.255.254.0 10.14.147.2
host2(config)#router bgp 29
host2(config-router)#neighbor 10.1.1.2 remote-as 92
host2(config-router)#redistribute static
host2(config-router)#redistribute ospf


clear ip bgp redistribution

 Use to reapply policy to routes that have been redistributed into BGP.
 This command takes effect immediately.
 There is no no version.


  disable-dynamic-redistribute

 Use to halt the dynamic redistribution of routes that are initiated by changes to a route map.
 Dynamic redistribution is enabled by default.
 Example


host1(config-router)#disable-dynamic-redistribute


 This command takes effect immediately.
 Use the no version to reenable dynamic redistribution.

Redistributing Routes from BGP

bgp redistribute-internal

 Use to enable the redistribution of IBGP routes in addition to EBGP routes into IGPs configured for BGP route redistribution.
 Redistribution of IBGP routes is disabled by default, except within a VRF where IBGP routes are always redistributed.
 You must clear all BGP sessions after issuing this command for it to take effect.
 Example


host1(config-router)#bgp redistribute-internal
host1(config-router)#exit
host1(config)#exit
host1(config)#clear ip bgp *
Advertising Default Routes

To configure router NY:
host1(config)#router bgp 200
host1(config-router)#network 192.168.42.0 mask 255.255.254.0
host1(config-router)#neighbor 10.3.3.1 remote-as 300
host1(config-router)#neighbor 192.168.10.2 remote-as 100
host1(config-router)#neighbor 192.168.10.2 default-originate




Redistributing Default Routes

default-information originate

 Use to enable the redistribution of default routes into BGP.
 Example


host1(config)#router bgp 100
host1(config-router)#default-information originate
Setting a Static Default Route

Suppose that in Figure 1-13, router KC has been configured to advertise a default route to router Chicago:
host1(config)#router bgp 62
host1(config-router)#network 172.17.24.0 mask 255.255.248.0
host1(config-router)#neighbor 10.8.3.1 remote-as 21
host1(config-router)#neighbor 10.8.3.1 default-originate

 You prefer that router Chicago send traffic with unknown destinations to router StLouis, so you configure a static default route on router Chicago:
host2(config)#router bgp 21
host2(config-router)#network 192.168.48.0 mask 255.255.240.0
host2(config-router)#neighbor 10.8.3.4 remote-as 62
host2(config-router)#neighbor 10.24.5.1 remote-as 37
host2(config-router)#exit
host2(config)#ip route 0.0.0.0 0.0.0.0 172.25.122.0
  Router StLouis is configured to advertise network 172.25.122.0/23 to router Chicago:
host3(config)#router bgp 37 host3(config-router)#network 172.25.122.0 mask 255.255.254.0 host3(config-router)#neighbor 10.24.5.3 remote-as 21  
 
Setting the Minimum Interval Between Sending Routing Updates

In the following example, the minimum time between sending BGP routing updates is set to 5 seconds:
host1(config)#router bgp 100
host1(config-router)#neighbor 2.2.2.2
advertisement-interval 5


Aggregating Routes



To configure router LA:
host1(config)#router bgp 873
host1(config-router)#neighbor 10.2.2.4 remote-as 873
host1(config-router)#network 172.24.1.0 mask 255.255.255.0
host1(config-router)#network 172.24.2.0 mask 255.255.255.0

 To configure router SanJose:
host2(config)#router bgp 873


host2(config-router)#neighbor 10.2.2.3 remote-as 873 
host2(config-router)#neighbor 10.5.5.1 remote-as 17 
host2(config-router)#network 172.24.24.0 mask 255.255.248.0 
host2(config-router)#aggregate-address 172.24.0.0 255.255.224.0 



As configured above, router SanJose advertises the more specific routes as well as the aggregate route to router Boston. Alternatively, you can use the summary-only option to configure router SanJose to suppress the more specific routes and advertise only the aggregate route:
host2(config)#router bgp 873 

host2(config-router)#neighbor 10.2.2.3 remote-as 873

host2(config-router)#neighbor 10.5.5.1 remote-as 17 

host2(config-router)#network 172.24.24.0 mask 255.255.248.0

host2(config-router)#aggregate-address 172.24.0.0 255.255.224.0 summary-only 
Each of these configurations sets the atomic-aggregate attribute in the aggregate route. This attribute informs recipients that the route is an aggregate and should not be deaggregated into more specific routes. Aggregate routes discard the path information carried in the original routes. To preserve the paths, you must use the as-set option. This option creates an AS-Set that consists of all the AS numbers traversed by the summarized paths. The AS-Set is enclosed within curly brackets; for example, {3, 2}. Each AS number appears only once, even if it appears in more than one of the original paths. If you use the as-set option, the atomic-aggregate attribute is not set for the aggregated route. The following commands configure router SanJose to aggregate the routes while preserving the path information:
host2(config)#router bgp 873


host2(config-router)#neighbor 10.2.2.3 remote-as 873 
host2(config-router)#neighbor 10.5.5.1 remote-as 17


host2(config-router)#network 172.24.24.0 mask 255.255.248.0 
host2(config-router)#aggregate-address 172.24.0.0 255.255.224.0 summary-only as-set 



If you do not want to aggregate all more specific routes, you can use a route map to limit aggregation. Consider Figure 1-14 again. Suppose you do not want router SanJose to aggregate prefix 172.24.48.0/20. The following commands show how you can configure a route map on router SanJose to match this prefix, and how to invoke the route map with the advertise-map option:
host2(config)#router bgp 873  host2(config-router)#neighbor 10.2.2.3 remote-as 873 host2(config-router)#neighbor 10.5.5.1 remote-as 17  host2(config-router)#neighbor 10.2.2.3 route-map lmt_agg in host2(config-router)#network 172.24.24.0 mask 255.255.248.0  host2(config-router)#aggregate-address 172.24.0.0 255.255.224.0 advertise-map lmt_agg  host2(config-router)#exit host2(config)#route-map lmt_agg permit 10 host2(config-route-map)#match ip address 1  host2(config-route-map)#exit  host2(config)#access-list 1 permit 172.24.48.0 0.240.255.255  
You can use the attribute-map option to configure attributes for the aggregated route. In Figure 1-14, suppose that router LA has been configured to set the community attribute for route 172.24.160.0/19 to no-export. This attribute is passed along to router SanJose and preserved when the aggregate route is created. As a result, the aggregate route would not be advertised outside the AS. The following commands demonstrate how to configure router SanJose to prevent the aggregate from not being advertised:host2(config)#router bgp 873 
host2(config-router)#neighbor 10.2.2.3 remote-as 873


host2(config-router)#neighbor 10.5.5.1 remote-as 17 host2(config-router)#network 172.24.24.0 mask 255.255.248.0  host2(config-router)#aggregate-address 172.24.0.0 255.255.224.0 attribute-map conf_agg_att
 host2(config-router)#exit host2(config)#route-map conf_agg_att permit 10  host2(config-route-map)#set community no-export

BGP dengan quangga/ zebra

Wed, 28 Apr 2010 02:59:40 +0000

/etc/quagga/zebra.conf

hostname jandakot
! define password for bgpd daemon (for connecting to daemon via telnet)
password insertpasswordhere
! define enable password for bgpd daemon (for connecting to daemon via telnet)
enable password insertpasswordhere
!
! list interfaces
interface eth1
interface vlan0
interface vlan1
interface lo
!
! null route to consolidate all subnets in this /24
ip route 10.60.86.0/24 Null0 255
!
line vty

/etc/quagga/bgpd.conf:
hostname jandakot
! define password for bgpd daemon (for connecting to daemon via telnet)
password insertpasswordhere
! define enable password for bgpd daemon (for connecting to daemon via telnet)
enable password insertpasswordhere
!
! define router's BGP AS
router bgp 65086
! define ID of router - we use IP of the router
bgp router-id 10.60.86.1
! define network address that this router knows about
network 10.60.86.0/24
!
! armadale neighbour
neighbor 10.60.74.253 remote-as 65074
neighbor 10.60.74.253 soft-reconfiguration inbound
neighbor 10.60.74.253 distribute-list freenet in
neighbor 10.60.74.253 distribute-list freenet out
!
! willetton neighbour
neighbor 10.60.84.253 remote-as 65084
neighbor 10.60.84.253 soft-reconfiguration inbound
neighbor 10.60.84.253 distribute-list freenet in
neighbor 10.60.84.253 distribute-list freenet out
!
! ACLs to stop people from propagating routes to their own private networks
access-list freenet permit 10.48.0.0/12
access-list freenet deny any
!
line vty
exec-timeout 20160 0

Testing2
nc localhost 2605
Hello, this is Quagga (version 0.98.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password: insertpasswordhere

jandakot>

BGP Routing on OpenWrt with Quagga

This page contains an overview on how to configure the Quagga BGP daemon on a Linksys WRT54GS wireless router that is running OpenWrt.

Introductory Information

On the WAFreeNet, we have been using BGP (Border Gateway Protocol) as our dynamic routing protocol (after initial unsuccessful attempts with OSPF due to stability issues with route flapping).

The Quagga Routing Suite is an opensource software suite, and provides a stable implementation of BGPv4 for Unix platforms. It consists of a core zebra daemon, and daemons for supporting various routing protocols, including RIP, OSPF and BGP.

Any BGP node only needs to be configured with details of its immediate neighbouring nodes, and will then start exchanging routes. This means adding a new node to a network only requires BGP configuration on the new node, and its immediate neighbours, and routes to the new node will then propagate through then entire network.

Note that Quagga requires reciprocal configuration on a neighbouring node, so you'll need to add neighbour configuration details to the nearest Quagga node before it'll start exchanging routes with your WRT.

The sample configuration shown below is for the Jandakot node on the WAFreeNet. This node uses a WRT54G running OpenWrt as a router, and the WRT provides routing, dns, dhcp and firewalling services for the node.
Jandakot has an uplink to the ArmadaleAP node, and Willetton has a client link to Jandakot.

Install Components on OpenWrt
Install IPK Packages
Install the appropriate Quagga packages on OpenWrt:
ipkg install quagga quagga-bgpd

Note that this assumes your WRT has internet access, and is able to download the package list to determine where it needs to download the specified packages.

If your WRT doesn't have internet access, you'll need to use a browser to view the package list list, manually download the specified packages, and transfer them to your WRT and install them.
Create Configuration Files

Firstly, create a directory for all Quagga configuration files on the WRT:
mkdir /etc/quagga

Create a configuration file for the Quagga zebra daemon, /etc/quagga/zebra.conf:
hostname jandakot
! define password for bgpd daemon (for connecting to daemon via telnet)
password insertpasswordhere
! define enable password for bgpd daemon (for connecting to daemon via telnet)
enable password insertpasswordhere
!
! list interfaces
interface eth1
interface vlan0
interface vlan1
interface lo
!
! null route to consolidate all subnets in this /24
ip route 10.60.86.0/24 Null0 255
!
line vty

The null route allows us to consolidate all routes for the /24 subnet that this router is responsible for, and will cause it to propagate a single route for the entire /24 subnet, rather than multiple routes for the smaller subnets inside 10.60.86.0/24.
Create a configuration file for the Quagga bgpd daemon, /etc/quagga/bgpd.conf:
hostname jandakot
! define password for bgpd daemon (for connecting to daemon via telnet)
password insertpasswordhere
! define enable password for bgpd daemon (for connecting to daemon via telnet)
enable password insertpasswordhere
!
! define router's BGP AS
router bgp 65086
! define ID of router - we use IP of the router
bgp router-id 10.60.86.1
! define network address that this router knows about
network 10.60.86.0/24
!
! armadale neighbour
neighbor 10.60.74.253 remote-as 65074
neighbor 10.60.74.253 soft-reconfiguration inbound
neighbor 10.60.74.253 distribute-list freenet in
neighbor 10.60.74.253 distribute-list freenet out
!
! willetton neighbour
neighbor 10.60.84.253 remote-as 65084
neighbor 10.60.84.253 soft-reconfiguration inbound
neighbor 10.60.84.253 distribute-list freenet in
neighbor 10.60.84.253 distribute-list freenet out
!
! ACLs to stop people from propagating routes to their own private networks
access-list freenet permit 10.48.0.0/12
access-list freenet deny any
!
line vty
exec-timeout 20160 0

As the Jandakot node has links to two other WAFreeNet nodes which also run bgpd, it'll be configured as a neighbour to each of these nodes, allowing it to exchange routes with each neighbour.
The IP address specified for each neighbour is that of the remote router's interface that connects to this node, ie, the IP address that the Jandakot WRT will see the bgpd traffic as originating from.

The BGP AS number of each neighbour must also be specified.
Each of the neighbours must also have reciprocal configuration in their bgpd configuration file for the router you're configuring (ie, the WRT).
Modify Init Script

The current quagga package for OpenWrt creates an init script, but if using older versions of the quagga package, you'll need to manually create the init script.
Edit the init script, /etc/init.d/S49quagga, and edit the following line, removing all daemons except those listed here:
DAEMONS="zebra bgpd"

Firewall Script

Depending on the firewall script on your WRT, you may need to modify it to allow bgpd traffic. Ensure that in and outbound traffic on TCP port 179 is allowed through the firewall.
Starting Quagga on OpenWrt

Starting Quagga

To manually start the zebra and bgpd daemons for the first time, you can either reboot the WRT, or manually run the init script:
/etc/init.d/S49quagga start

After making changes to bgpd.conf or zebra.conf, you'll need to restart the zebra and bgpd daemons. A reboot will certainly achieve this, but a quicker way is to terminate the daemons and restart them using the following syntax:
/etc/init.d/S49quagga restart

Debugging Quagga

Verifying BGP Operation

If Quagga is configured correctly at both ends, you should see the routing table of the WRT (viewable by running route -n from a command prompt) being populated with routes from its configured neighbour(s).
If routes are not showing up in the routing table, further debugging is required. While the Quagga daemons certainly can be configured to write status and debug information to log files, this isn't really a feasible option on a device such as the WRT, with flash memory.
Both the zebra and bgpd daemons provide local telnet access for monitoring and debugging.
Telnet to BGP Daemon

OpenWrt doesn't have a telnet client, and telnet support hasn't been compiled into busybox. Instead, we need to use Netcat, which is included in the standard OpenWrt build.

To telnet to the bgpd daemon, run:
nc localhost 2605

and you'll be prompted for a password.

(If you have the appropriate entries defined in /etc/services, you can also use nc localhost bgpd, and similarly for zebra.)
You need to enter the first password that was defined in /etc/quagga/bgpd.conf, and you'll then be rewarded with a prompt.
root@JANDAKOT-AP:~# nc localhost 2605

User Access Verification

Password: insertpasswordhere

jandakot>

To view the status of the bgpd neighbours, run the following:
jandakot> show ip bgp summary

and you should be rewarded with output similar to this:
BGP router identifier 10.60.86.1, local AS number 65086
6 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.60.74.253 4 65074 10525 10232 0 0 0 6d21h24m 4
10.60.84.253 4 65084 10013 10181 0 0 0 6d22h49m 2

Total number of neighbors 2

jandakot> show ip bgp

and you should get something similar to this output:
BGP table version is 0, local router ID is 10.60.86.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.60.68.0/24 10.60.74.253 0 65074 65068 i
*> 10.60.74.0/24 10.60.74.253 0 0 65074 i
*> 10.60.82.0/24 10.60.74.253 0 65074 65082 i
*> 10.60.84.0/24 10.60.84.253 0 0 65084 i
*> 10.60.86.0/24 0.0.0.0 0 32768 i
*> 10.60.113.0/24 10.60.84.253 0 65084 65113 i
*> 10.64.0.0/12 10.60.74.253 0 0 65074 i
Total number of prefixes 7

Telnet to Zebra Daemon
To telnet to the zebra daemon, run:
nc localhost 2601
root@JANDAKOT-AP:~# nc localhost 2601

User Access Verification

Password: insertpasswordhere

jandakot>

To view the status of the routing table, run the following:
jandakot> show ip route

and you should be rewarded with output similar to this:
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 10.60.74.253, eth1
B>* 10.60.68.0/24 [20/0] via 10.60.74.253, eth1, 6d21h25m
B>* 10.60.74.0/24 [20/0] via 10.60.74.253, eth1, 6d21h25m
C>* 10.60.74.252/30 is directly connected, eth1
B>* 10.60.82.0/24 [20/0] via 10.60.74.253, eth1, 6d21h25m
B>* 10.60.84.0/24 [20/0] via 10.60.84.253, vlan1, 6d22h50m
C>* 10.60.84.252/30 is directly connected, vlan1
S 10.60.86.0/24 [255/0] is directly connected, Null0, bh
C>* 10.60.86.0/28 is directly connected, vlan0
C>* 10.60.86.252/30 is directly connected, vlan1
B>* 10.60.113.0/24 [20/0] via 10.60.84.253, vlan1, 6d22h50m
B>* 10.64.0.0/12 [20/0] via 10.60.74.253, eth1, 6d21h25m
C>* 127.0.0.0/8 is directly connected, lo