Archive for the ‘Firewall’ Category

Today one of our domains was facing a slowness issue. The domain's response time was slower than before.

Here is the script to check the domain response time.
[root@server02 ~]# cat /root/

#!/bin/bash
# Measure connect time, time to first byte and total time for one URL read from stdin.
#echo -n "Please pass the url you want to measure: "
read -r url
result=$(curl -o /dev/null -s -w '%{time_connect}:%{time_starttransfer}:%{time_total}' "$url")
echo "Time_Connect — Time_start_transfer — Time_total"
echo "$result" | gawk -F: '{ print $1" "$2" "$3 }'

To check the domain's slowness we can use a PHP test page, here "testdb.php". Running the script against the test page shows the domain responding quickly.

[root@server02 ~]# for i in {1..15}; do echo “” | /root/; done
Time_Connect — Time_start_transfer — Time_total
0.339 0.484 0.488
Time_Connect — Time_start_transfer — Time_total
0.185 0.332 0.336

Next, load the domain itself; this loads slowly.

[root@server02 ~]# for i in {1..15}; do echo “” | /root/; done
Time_Connect — Time_start_transfer — Time_total
0.185 63.641 63.779
Time_Connect — Time_start_transfer — Time_total
0.184 63.655 63.728

Try stopping the CSF firewall and loading the domain again. Now you can see the domain loads faster than before.

[root@server02 ~]# for i in {1..15}; do echo “” | /root/; done
Time_Connect — Time_start_transfer — Time_total
0.189 0.515 0.669
Time_Connect — Time_start_transfer — Time_total
0.187 0.512 0.668

If you are experiencing the same issue, we can conclude that the server firewall is causing it, so we need to investigate why the domain's traffic is caught by the firewall. We checked the firewall logs in /var/log/messages, but could not see any blocked IP address from the source server.

To see the IP address we need to enable logging of inbound and outbound blocks in the CSF firewall.

# vim /etc/csf/csf.conf

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking


After editing, save and exit, then restart the CSF firewall.

Then reload the domain and check /var/log/messages. You can now see that the DST= IP address was blocked by the CSF firewall; remove that IP address from CSF.

Jul 23 22:43:01 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41190 DF PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361
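When the log holds many such lines, it helps to tally them by destination. The following is an added example, not part of the original post: the function names and the sample log (documentation-range IPs) are constructed for illustration. It counts "*TCP_OUT Blocked*" entries per destination IP, destination port and UID; the UID field identifies the local account that opened the connection.

```bash
#!/bin/bash
# Added example: summarise CSF "*TCP_OUT Blocked*" lines by destination.
# Input: syslog lines on stdin. Output: "count dst dport uid", busiest first.
summarise_out_blocks() {
    awk '
    /Firewall: \*TCP_OUT Blocked\*/ {
        dst = dpt = uid = "-"            # "-" when a field is empty or missing
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^DST=./) dst = substr($i, 5)
            else if ($i ~ /^DPT=./) dpt = substr($i, 5)
            else if ($i ~ /^UID=./) uid = substr($i, 5)
        }
        n[dst " " dpt " " uid]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample log (documentation-range IPs), not taken from a real server.
sample_log() {
    cat <<'EOF'
Jul 23 22:43:01 host kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=59262 DPT=80 SYN URGP=0 UID=32359 GID=32361
Jul 23 22:43:04 host kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=59263 DPT=80 SYN URGP=0 UID=32359 GID=32361
Jul 23 22:44:10 host kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=3306 SYN URGP=0 UID=32359 GID=32361
Jul 23 22:44:12 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=51000 DPT=23 SYN URGP=0
EOF
}

sample_log | summarise_out_blocks
```

On the server, pipe /var/log/messages into the function instead of the sample.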

To stop CSF blocking the IP address, add it to the allow list and restart the firewall with these commands.

#csf -a 69.58.xx.xx
#csf -r

After restarting the CSF firewall, check the domain response time using the script. The domain now loads much faster than before.

[root@server02 ~]# for i in {1..15}; do echo “” | /root/; done
Time_Connect — Time_start_transfer — Time_total
0.189 0.515 0.669
Time_Connect — Time_start_transfer — Time_total
0.187 0.512 0.668

Today I got the above error while entering "ConfigServer Security & Firewall" in WHM.


1. Log in to WHM

2. Home » Plugins » ConfigServer Security & Firewall

3. Set RESTRICT_SYSLOG to 3, which is the default value

# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP


Add the following line in your /etc/csf/csf.allow


Restart csf with : csf -r

This will allow incoming/outgoing connections to port 3306

Some useful tweak settings on CSF Configuration File

IP Limit in Permanent “Deny” File
A higher number here will obviously screen out more IP addresses in csf.deny.

IP Limit in Temporary “Deny” File
Similar to DENY_IP_LIMIT, the DENY_TEMP_IP_LIMIT represents the maximum number of IPs that can be stored in the temporary ban list.

SMTP Blocking
When set to "1", SMTP_BLOCK does not completely block outbound SMTP, but it does block it for most users. This will prevent malicious scripts and compromised users from making outbound connections from unauthorized mail clients on the server. SMTP_BLOCK doesn't stop those scripts from running, but it does stop them from functioning. Mail sent through the proper channels will still be delivered normally.

Allowing SMTP on localhost

Custom Mail Port Designation
SMTP_PORTS = "25,465,587"

Allowing SMTP Access to Users/Groups
SMTP_ALLOWGROUP = "mail,mailman"

SYN Flood Protection

Per the documentation, you should only enable SYN flood protection (SYNFLOOD = "1") if you are currently under a SYN flood attack.

Concurrent Connections Limit
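CONNLIMIT = "22;5,80;20"
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"

These options allow you to add customized DoS protection. CONNLIMIT handles the number of concurrent connections per IP address, and in this example, we're limiting port 22 to 5 connections and port 80 to 20 connections. PORTFLOOD limits the rate of new connections: each entry is port;protocol;hit count;interval in seconds, so here port 22 is limited to 5 new TCP connections per 300 seconds and port 80 to 20 per 5 seconds.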

Dropping v. Rejecting Packets

This configuration allows you to either DROP or REJECT packets. REJECT tells the sender that the packet has been blocked by the firewall. DROP just drops the packet and does not send a response. I like DROP better for regular use, but REJECT might be more helpful if you need to diagnose a connectivity issue.

Logging Dropped Connections

This option logs dropped connections to syslog. I don’t see any reason to turn this off unless your hard drive is getting full.


This option enables the SPAMHAUS blocklist. Specify the number of seconds between refreshes. Recommended setting is 86400 (1 day).

Blocking TOR Exit IP Addresses
LF_TOR = "0"

Enabling this option will block TOR exit IP addresses. If you are not familiar with TOR, it is an anonymizing proxy network. This could block some legitimate users who are trying to protect their anonymity, so I would recommend only turning this on if you are already under attack from a TOR exit address.

Blocking Bogon Addresses
LF_BOGON = "0"

Blocking bogon addresses (addresses that should not be possible) is usually a good decision. To enable, set the number of seconds between refreshes. I recommend enabling this option and setting the refresh at 86400 (1 day). If you do so, be sure to add your private network adapters to the skip list.

Country-Specific Access to Your Server
CC_DENY = ""

With these options, you can block or allow entire countries from accessing your server. To do so, enter the country codes in a comma separated list.

Alternatively, you can set your server to exclusively accept traffic from a list of country codes. All other countries not listed will have their traffic dropped.

Blocking Login Failures

This enables blocking of login failures (per service). There are a lot of great customization options in this section.

Scanning Directories for Malicious Files

This feature scans /tmp and /dev/shm for potentially malicious files and alerts you to their presence based on the interval you designate. You can also have CSF automatically quarantine malicious files with this option:

Distributed Attack Protection

By enabling this option, you activate additional protection against distributed attacks.

Blocking Based on Abusive Email Usage
LT_POP3D = "0"
LT_IMAPD = "0"

If a user checks email too many times per hour (more than the non-zero value specified), the user’s IP address is blocked.

Blocking IP Addresses Based on Number of Connections
CT_LIMIT = "0"

This feature tracks connections and blocks the IP if the number of connections is too high. Use caution because if you enable this option and set this value too low, it will block legitimate traffic.

Application-Level Protection
PT_LIMIT = "60"

This feature provides application level protection against malicious scripts that take a long time to execute.

Blocking Port Scanners
PS_LIMIT = "10"

Linux Malware Detect ( LMD )

Easy way to install LMD via root shell.

# vim

mkdir tmp
cd tmp
tar -xzvf maldetect-current.tar.gz
cd maldetect-*

Execute the Script.
# sh

Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks
(C) 2011, Ryan MacDonald
inotifywait (C) 2007, Rohan McGovern
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(26988): {sigup} performing signature update check…
maldet(26988): {sigup} local signature set is version 201205035915
maldet(26988): {sigup} new signature set (2012072417089) available
maldet(26988): {sigup} downloaded
maldet(26988): {sigup} downloaded
maldet(26988): {sigup} downloaded
maldet(26988): {sigup} downloaded
maldet(26988): {sigup} downloaded
maldet(26988): {sigup} signature set update completed
maldet(26988): {sigup} 9700 signatures (7833 MD5 / 1867 HEX)

If we wanted to scan all user public_html paths under /home*/ this can be done with:

maldet --scan-all /home?/?/public_html

Install ChkRootKit

Follow these steps to install ChkRootKit

cd /usr/local/src/

– Download chkrootkit.
# wget
# wget

– Unpack the chkrootkit you just downloaded.
# tar -xvzf chkrootkit.tar.gz

– Change to new directory
# cd chkrootkit-*
(select the version )

– Compile chkrootkit
# make sense

– Run chkrootkit
# ./chkrootkit

How to setup a daily scan report?

– Load crontab
# crontab -e

– Add this line to the top:
0 1 * * * (cd /usr/local/src/chkrootkit*; ./chkrootkit 2>&1 | mail -s “chkrootkit output”

CSF Installation


To install csf simply do the following from the root shell via SSH:

tar -xzf csf.tgz
cd csf
cd ..
rm -Rfv cse/ cse.tgz

You will have to edit csf.conf file. It’s located here: /etc/csf/csf.conf

You need to turn off testing mode.

TESTING = "0"

And you need to configure open ports in csf.conf or you won’t be able to
access these ports. In most cases it should be configured like this if
you are using cP/WHM. If you are running something on some other port
you will have to enable it here. If you changed SSH port you will have
to add a new port here:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"

CSF Connection Limit
csf.conf has connection tracking (CT) options; configure them like this:
CT_LIMIT = "200" (every IP with more than 200 connections is going to be blocked)
CT_PERMANENT = "1" (the IP will be blocked permanently)
CT_BLOCK_TIME = "1800" (the IP will be blocked for 1800 secs = 30 mins)
CT_INTERVAL = "60" (the number of seconds between connection tracking scans)

After editing you need to restart the csf firewall

csf -r
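
Before settling on a CT_LIMIT value, it is worth checking how many connections legitimate clients currently hold, since a limit set too low blocks real traffic. The following is an added example, not part of the original post or of csf/lfd: the function names and the sample `ss -tn` output are constructed, and it assumes only ESTAB sockets are counted, which may differ from lfd's own tracking.

```bash
#!/bin/bash
# Added example: list remote IPs whose established TCP connection count exceeds
# a candidate CT_LIMIT. Input: `ss -tn` output on stdin; $1 = limit.
# Assumption: only ESTAB sockets are counted; lfd's own tracking may differ.
over_ct_limit() {
    awk -v limit="$1" '
    $1 == "ESTAB" {
        peer = $5
        sub(/:[0-9]+$/, "", peer)     # drop the remote port
        gsub(/^\[|\]$/, "", peer)     # drop IPv6 brackets
        n[peer]++
    }
    END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -k1,1nr -k2
}

# Constructed `ss -tn` sample (documentation-range addresses).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.10:80       203.0.113.9:50001
ESTAB  0      0      192.0.2.10:80       203.0.113.9:50002
ESTAB  0      0      192.0.2.10:80       203.0.113.9:50003
ESTAB  0      0      192.0.2.10:443      203.0.113.9:50004
ESTAB  0      0      192.0.2.10:22       198.51.100.2:40000
ESTAB  0      0      [2001:db8::10]:443  [2001:db8::1]:41000
ESTAB  0      0      [2001:db8::10]:443  [2001:db8::1]:41001
TIME-WAIT 0   0      192.0.2.10:80       203.0.113.9:50005
EOF
}

# With a candidate limit of 3, only the client holding 4 connections is listed.
sample_ss | over_ct_limit 3
```

On a live server, run `ss -tn | over_ct_limit 200` at a busy time to see which clients the limit from this post would have blocked.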

Usage: /usr/sbin/csf [option] [value]

Option                    Meaning
-h,   --help              Show this message
-l,   --status            List/Show iptables configuration
-l6,  --status6           List/Show ip6tables configuration
-s,   --start             Start firewall rules
-f,   --stop              Flush/Stop firewall rules (Note: lfd may restart csf)
-r,   --restart           Restart firewall rules
-q,   --startq            Quick restart (csf restarted by lfd)
-sf,  --startf            Force CLI restart regardless of LF_QUICKSTART setting
-a,   --add ip            Allow an IP and add to /etc/csf.allow
-ar,  --addrm ip          Remove an IP from /etc/csf.allow and delete rule
-d,   --deny ip           Deny an IP and add to /etc/csf.deny
-dr,  --denyrm ip         Unblock an IP and remove from /etc/csf.deny
-df,  --denyf             Remove and unblock all entries in /etc/csf.deny
-g,   --grep ip           Search the iptables rules for an IP match (incl. CIDR)
-t,   --temp              Displays the current list of temp IP entries and their TTL
-tr,  --temprm ip         Remove an IPs from the temp IP ban and allow list
-td,  --tempdeny ip ttl [-p port] [-d direction]
                          Add an IP to the temp IP ban list. ttl is how long to
                          blocks for (default:seconds, can use one suffix of h/m/d).
                          Optional port. Optional direction of block can be one of:
                          in, out or inout (default:in)
-ta,  --tempallow ip ttl [-p port] [-d direction]
                          Add an IP to the temp IP allow list (default:inout)
-tf,  --tempf             Flush all IPs from the temp IP entries
-cp,  --cping             PING all members in an lfd Cluster
-cd,  --cdeny ip          Deny an IP in a Cluster and add to /etc/csf.deny
-ca,  --callow ip         Allow an IP in a Cluster and add to /etc/csf.allow
-car, --carm ip           Remove allowed IP in a Custer and rem from /etc/csf.allow
-cr,  --crm ip            Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc,  --cconfig [name] [value]
                          Change configuration option [name] to [value] in a Cluster
-cf,  --cfile [file]      Send [file] in a Cluster to /etc/csf/
-crs, --crestart          Cluster restart csf and lfd
-m,   --mail [addr]       Display Server Check in HTML or email to [addr] if present
-lr,  --logrun            Initiate Log Scanner report via lfd
-c,   --check             Check for updates to csf but do not upgrade
-u,   --update            Check for updates to csf and upgrade if available
-uf                       Force an update of csf
-x,   --disable           Disable csf and lfd
-e,   --enable            Enable csf and lfd if previously disabled
-v,   --version           Show csf version

These options allow you to easily and quickly control and view csf. All the
configuration files for csf are in /etc/csf and include:

csf.conf – the main configuration file, it has helpful comments explaining
what each option does
csf.allow – a list of IP’s and CIDR addresses that should always be allowed
through the firewall
csf.deny – a list of IP’s and CIDR addresses that should never be allowed
through the firewall
csf.ignore – a list of IP’s and CIDR addresses that lfd should ignore and
not block if detected
csf.*ignore – various ignore files that list files, users, IP’s that lfd
should ignore. See each file for their specific purpose and