
Firewall configuration

Discussion in 'Plesk for Linux - 8.x and Older' started by baravalle, Jul 12, 2006.

  1. baravalle

     
    Hi,
    can anyone suggest a safe firewall configuration using the Plesk interface?

    At the present time I have:
    - disabled the FTP server
    - allowed Mail password service, MySQL service and Postgres service only from 127.0.0.1
    - blocked Tomcat, Samba, Plesk VPN, Ping

    I'm not sure about the DNS server. I suppose it should be enabled for the local host only?

    What about the SMTP server? Looks like if I block it the mail doesn't arrive. What I want is to forbid other users from using my SMTP server.

    Any suggestions?

    Thanks in advance,
    Andres
     
  2. jamesyeeoc

     
    Of course you won't get any incoming emails if you block the SMTP port 25.

    There is no 'easy' answer to prevent 'others' (meaning spammers?) from making use of your mail server and from other attacks. However, the following couple of suggestions will greatly help in most cases: (this is not a complete list, just a beginning)

    1. Atomic Secured Linux (ASL) Kernel (www.atomicrocketturtle.com/subscribe)
    (fee based, includes mod_security)

    2. mod_security (www.atomicrocketturtle.com or gotroot.com)
    (free)

    3. Bind/DNS configuration to serve only the local hosted domains, no forwarding or recursion.

    4. RKHunter and CHKRootkit packages - cronjob them to update, run, email you the results

    5. OS dependent - go through and make sure all other distro installed services which are not critical (needed) to proper operation are also disabled or removed.

    6. Make sure there are no exploitable script packages (such as some phpBB versions) or formmail scripts on any of the hosted domains.

    7. Things to do which may not be very effective (noexec /tmp, prevent things like wget usage), but may help prevent inexperienced script kiddies from having an easy time of it.

    8. Make sure your Plesk server is set for SMTP Auth only, no POP lock

    many many hundreds of other things...
     
  3. baravalle

     
    mod_security already installed, but I don't like it too much. The name is a bit ambitious for what it does. I don't like the idea of using it for general protection against applications that might be installed in the server, or against poor coding.

    That should be done at configuration level, for PHP (as I have just PHP-based domains in my server) and at coding level.

    Trying to do that - I'll have to check if my configuration is working

    Thanks, I'll have a look at those

    Always a good point - but quite time intensive. Apparently I do not have any useless services running, but I had some not really useful services installed but not running. Removed distcache, distcache-devel, tux, nscd, ntpd.

    I'm quite sure that the Horde running with Plesk is exploitable... but not sure of how to overcome the problem. The update script is broken in my server, because I have my custom PHP and MySQL, which make the script break. I'll try to update the packages one by one.

    Can't do that at the moment - I do not have an independent /tmp partition. But I suppose a good point would be having a better partition layout.

    Already done

    Thanks for your comments - always working on the many hundreds of things. And trying to keep the server secure and up to date.

    Andres
     
  4. jamesyeeoc

     
    I agree with you about config and coding. If you have that much control over what the clients put onto the server, that's wonderful. Many or most admins may not have the time or expertise to constantly check what the clients may put on the server, so as a general stop-gap measure, things such as mod_security can be useful / helpful. [IMO] I know there are some who do not like mod_security, but I also know many servers which have greatly benefited from it. Every server and admin is different, no 'one size fits all'. Peace.
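
Added example, not part of any post in this thread: a small audit of an `iptables-save` dump against the policy discussed above (database and mail password ports closed to outside hosts, SMTP port 25 left reachable so mail still arrives). The sample ruleset, port 106 for the mail password service, the `eth0` interface name and all function names are assumptions made for the illustration.

```python
import ipaddress
import shlex
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
"""  # constructed sample, not from the thread; 5432 is left open on purpose
LOCAL_ONLY = {3306: "MySQL", 5432: "PostgreSQL", 106: "mail password service"}  # 106 is an assumption
OUTSIDE = ("203.0.113.10", "eth0")  # documentation address standing in for any remote host

def parse_input_chain(text):
    """Return (policy, rules) for INPUT; plain option/value pairs only, no '!' negation."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def verdict(policy, rules, peer, dport, proto="tcp"):
    """First-match verdict for a NEW connection from peer=(src_ip, in_iface)."""
    src, iface = ipaddress.ip_address(peer[0]), peer[1]
    for r in rules:
        states = r.get("--state") or r.get("--ctstate")
        if (r.get("-i", iface) != iface or r.get("-p", proto) != proto
                or r.get("--dport", str(dport)) != str(dport)
                or src not in ipaddress.ip_network(r.get("-s", "0.0.0.0/0"), strict=False)
                or (states and "NEW" not in states.split(","))):
            continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):  # LOG etc. do not end traversal
            return r["-j"]
    return policy

def audit(text):  # findings against the thread's intent: local-only services closed, SMTP open
    policy, rules = parse_input_chain(text)
    out = [f"{name} ({port}/tcp) reachable from outside" for port, name in LOCAL_ONLY.items()
           if verdict(policy, rules, OUTSIDE, port) == "ACCEPT"]
    if verdict(policy, rules, OUTSIDE, 25) != "ACCEPT":
        out.append("SMTP (25/tcp) blocked: inbound mail will not arrive")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)))
```

Port ranges, `!` negation and user-defined chains are not modelled, so rulesets that use them need a fuller evaluator.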
     