ASL 3.2.8 Firewall changes (alpha)

scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

ASL 3.2.8 Firewall changes (alpha)

Unread post by scott »

* Firewall changes (alpha)
Basic ACL list support is being evaluated in ASL, these lists allow IP addresses to be included in a port access list. For example, you could create an access list for SSH that would only allow 3 IPs to connect. As this is an alpha feature, it is prone to change without notice, and currently there is no web based interface to this function.

Lists are stored in this directory:

/etc/asl/firewall

1) create a file in /etc/asl/firewall directory using the format in #2 below

2) Naming convention for file is: INPUT-<name>-<protocol>-<port>-any

example: INPUT-sshd-tcp-22-any

3) list IP's, one pre line in this file

1.2.3.4
5.6.7.8

4) Ensure that you are not overriding this ACL with FW_INBOUND_TCP_SERVICES, if you allow a port in that option that will override the ACL. If you want to use an ACL for a port, do NOT list the port in FW_INBOUND_TCP_SERVICES

5) reload the firewall policy with:

/etc/init.d/asl-firewall restart
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

Is this feature (still) working?

We have tried to set it up on a pristine ASL firewall (no custom adjustments at all). Created the file /etc/asl/firewall/INPUT-mysqld-tcp-3306-any, and placed three IP addresses, each on their own line. Restarting the asl-firewall service does not place ANY rules that mention port 3306.

# asl -v
ASL Version 3.2.11-28.el5.art: CentOS 5 (SUPPORTED)

We certainly like it if there was a possibility to manage basic additional firewall rules (such as only allowing a couple of IP's for mysql, snmpd etc.) without having to go through ASL web.
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by mikeshinn »

Whats the output of "iptables -L -n"
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

mikeshinn wrote:Whats the output of "iptables -L -n"

Code: Select all

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-GEO-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-SMALLPACKETS  ah   --  0.0.0.0/0            0.0.0.0/0           length 0:35
ASL-SMALLPACKETS  esp  --  0.0.0.0/0            0.0.0.0/0           length 0:49
ASL-SMALLPACKETS  47   --  0.0.0.0/0            0.0.0.0/0           length 0:39
ASL-SMALLPACKETS  30   --  0.0.0.0/0            0.0.0.0/0           length 0:31
ASL-SMALLPACKETS  icmp --  0.0.0.0/0            0.0.0.0/0           length 0:27
ASL-SMALLPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           length 0:39
ASL-SMALLPACKETS  udp  --  0.0.0.0/0            0.0.0.0/0           length 0:27
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=128
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=64
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x2B
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0D
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1C
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x03
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x29/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x22/0x22
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
ASL-IGNORE-BC  all  --  0.0.0.0/0            224.0.0.0/24
ASL-IGNORE-BC  udp  --  0.0.0.0/0            255.255.255.255
ASL-IGNORE-BC  tcp  --  0.0.0.0/0            255.255.255.255
ASL-FRAGMENTS  all  -f  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-TORTIXD-ACL  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ASL-SMTP_OUT  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
ASL-SMTP_OUT  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ASL-PLESK-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5224 state NEW
ASL-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ASL-FRAGMENTS  all  -f  0.0.0.0/0            0.0.0.0/0
ASL-SPAMASSASSIN-UPDATES  all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BADPACKETS (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BLACKLIST (1 references)
target     prot opt source               destination

Chain ASL-BLACKLIST-DROP-LOG (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-FRAGMENTS (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_FRAGMENT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-Firewall-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:30000
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-GEO-BLACKLIST (1 references)
target     prot opt source               destination

Chain ASL-GEO-BLACKLIST-DROP-LOG (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-IGNORE-BC (3 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-PLESK-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            77.245.23.80        tcp dpt:5224 state NEW

Chain ASL-PORTSCAN (21 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-SMALLPACKETS (7 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TOOSMALL '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-SMTP_OUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 2521
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 2521
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 89
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 89
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 0
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:465
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_SMTP_OUT '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6277 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:6277 state NEW

Chain ASL-TORTIXD-ACL (1 references)
target     prot opt source               destination

Chain ASL-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            80.82.124.228       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            69.20.6.166         tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.195.110      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            208.68.233.251      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.112.216      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.166.51       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            198.71.51.132       tcp dpt:443 state NEW

# ll /etc/asl/firewall/
total 8
-rw-r--r-- 1 root   root 44 Apr 16 19:09 INPUT-mysqld-tcp-3306-any
-rwx------ 1 tortix root 20 Apr 15 21:42 mta-output-acl

#  grep FW_ /etc/asl/config
FW_INBOUND_TCP_SERVICES="22,25,80,443,465,110,143,993,995,587,8443,30000"
FW_INBOUND_UDP_SERVICES=""
FW_OUTPUT_MTA="yes"
FW_OUTPUT_TCP_SERVICES="no"
FW_OUTPUT_UDP_SERVICES="no"
FW_LASSO="no"
FW_LASSO_LOG="yes"
FW_DSHIELD="no"
FW_DSHIELD_LOG="yes"
FW_TOR="no"
FW_TOR_LOG="yes"
FW_PORTSCAN="yes"
FW_BAD_PACKETS="yes"
FW_SMALL_PACKETS="yes"
FW_FRAGMENTS="yes"
FW_DROP_INVALID="yes"
FW_DROP_INVALID_LOG="no"
FW_LOG_BLACKLIST_DROP="yes"
FW_LOG_GEOBLOCK_DROP="yes"
FW_IGNORE_BROADCASTS="yes"
FW_ACCEPT_REDIRECTS="no"
FW_ACCEPT_SOURCE_ROUTE="no"
FW_ICMP_IGNORE_ALL="no"
FW_ICMP_IGNORE_BROADCASTS="yes"
FW_IGNORE_ICMP_BOGUS="yes"
FW_IPV4_FORWARD="no"
FW_IPV6_FORWARD="no"
FW_PROXY_ARP="no"
FW_RP_FILTER="no"
FW_SYN_COOKIES="yes"
FW_TCP_ECN="no"
FW_TCP_TIMESTAMPS="yes"
FW_TCP_WINDOW_SCALING="yes"
FW_PLESK_UPDATES="yes"
FW_SPAMASSASSIN_UPDATES="yes"

# cat /etc/asl/firewall/INPUT-mysqld-tcp-3306-any
1.2.3.4
2.3.4.5
3.4.5.6
Redacted to remove identifiable information.

Verified from remote host (i.e. "1.2.3.4") that connecting to MySQL is not allowed:

Code: Select all

remotehost# telnet aslhost 3306
Trying <ip>...
telnet: connect to address <ip>: Connection timed out
When stopping the firewall, the connection is allowed, i.e. I am positive that it is the firewall.
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by scott »

Example of it in use:

# cat /etc/asl/firewall/INPUT-mysql-tcp-3306-any-acl

1.2.3.4
4.5.6.7

# /etc/init.d/asl-firewall restart

# iptables-save |grep mysql
-A LOCAL-3-mysql-ACL -s 1.2.3.4/32 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A LOCAL-3-mysql-ACL -s 4.5.6/7/32 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A LOCAL-3-mysql-ACL -j DROP
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by mikeshinn »

That doesnt look like, what version of ASL is installed on the system? And is this a virtual machine or dedicated? And if the former, what virtualization solution is installed?
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

mikeshinn wrote:That doesnt look like, what version of ASL is installed on the system? And is this a virtual machine or dedicated? And if the former, what virtualization solution is installed?
What do you mean by "that doesn't look like"?
This machine is a Xen virtual server with CentOS 5 64-bit and ASL 3.2.11-28 running the ASL kernel 2.6.32.59-28.
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by mikeshinn »

What do you mean by "that doesn't look like"?
That doesnt look right.

Can you reset your firewall for me, just run these commands:

mv /etc/asl/firewall/running.fw /root
asl -s -f

And post the output of these:

asl -s -f

iptables -L -n
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

Code: Select all

# mv /etc/asl/firewall/running.fw ~
# ll /etc/asl/firewall/
total 8
-rw-r--r-- 1 root   root 44 Apr 16 21:26 INPUT-mysql-tcp-3306-any
-rwx------ 1 tortix root 20 Apr 15 21:42 mta-output-acl

Code: Select all

# asl -s -f
Starting Atomic Secured Linux scan, please be patient...

Checking Kernel security settings
  ASL kernel: detected                                     [OK]
  KERNEXEC protections: not detected                       [HIGH]
  UDEREF protections: not detected                         [HIGH]
  Runtime module loading: disabled                         [OK]
  GRsecurity administrative password: not set              [INFO]
  GRsecurity ACL database: not found                       [INFO]
  Executable anonymous mapping: no                         [OK]
  Executable bss: no                                       [OK]
  Executable data: no                                      [OK]
  Executable heap: no                                      [OK]
  Executable stack: no                                     [OK]
  Executable anonymous mapping (mprotect): no              [OK]
  Executable bss  (mprotect): no                           [OK]
  Executable data  (mprotect): no                          [OK]
  Executable heap  (mprotect): no                          [OK]
  Executable shared library bss (mprotect): no             [OK]
  Executable shared library data (mprotect): no            [OK]
  Executable stack (mprotect): no                          [OK]
  Anonymous mapping randomisation test: no                 [OK]
  Heap randomisation test (ET_EXEC): no                    [OK]
  Heap randomisation test (ET_DYN): no                     [OK]
  Main executable randomisation (ET_EXEC): no              [OK]
  Shared library randomisation test: no                    [OK]
  Stack randomisation test (SEGMEXEC): no                  [OK]
  Stack randomisation test (PAGEEXEC): no                  [OK]
  Executable shared library bss: no                        [OK]
  Executable shared library data: no                       [OK]
  Writable text segments: no                               [OK]

  Kernel Enforced Security Policies
  Trusted Path Execution(TPE): enforced                    [OK]
    TPE Mode: Unless Deny, Allow                           [INFO]
  Disable Privileged I/O: enforced                         [OK]
  Audit mount() events: not enforced                       [INFO]
  Audit chdir() events: not enforced                       [INFO]
  Audit ptrace() events: enforced                          [OK]
  Audit text relocation events: not enforced               [INFO]
  Restrict chroot() capabilities: enforced                 [OK]
  Chroot restrictions, deny chmod(): enforced              [OK]
  Chroot restrictions, deny chroot(): enforced             [OK]
  Chroot restrictions, deny fchdir(): enforced             [OK]
  Chroot restrictions, deny mknod(): enforced              [OK]
  Chroot restrictions, deny mount(): enforced              [OK]
  Chroot restrictions, deny pivot(): enforced              [OK]
  Chroot restrictions, deny external shmem access: enforced[OK]
  Chroot restrictions, deny sysctl: enforced               [OK]
  Chroot restrictions, deny unix domain sockets: enforced  [OK]
  Chroot restrictions, set cwd to chroot dir: enforced     [OK]
  Chroot restrictions, process controls: enforced          [OK]
  Restrict dmesg: enforced                                 [OK]
  Enhanced FIFO restrictions: enforced                     [OK]
  Fork() failure logging: enforced                         [OK]
  Harden ptrace(): not enforced                            [MODERATE]
  Network Stack, IP Blackhole policy: enforced             [OK]
  Linking Restrictions: enforced                           [OK]
  Resource Logging: enforced                               [OK]
  RWX map Logging: enforced                                [OK]
  Signal Logging: enforced                                 [OK]
  Timechange Logging: enforced                             [OK]

Checking General security settings
  Checking for unnecessary services
    Service FreeWnn: disabled                              [OK]
    Service annacron: disabled                             [OK]
    Service apmd: disabled                                 [OK]
    Service autofs: disabled                               [OK]
    Service avahi-daemon: disabled                         [OK]
    Service avahi-dnsconfd: disabled                       [OK]
    Service bluetooth: disabled                            [OK]
    Service canna: disabled                                [OK]
    Service cups: disabled                                 [OK]
    Service cups-config-daemon: disabled                   [OK]
    Service gpm: disabled                                  [OK]
    Service haldaemon: disabled                            [OK]
    Service hidd: disabled                                 [OK]
    Service hplip: disabled                                [OK]
    Service iiim: disabled                                 [OK]
    Service isdn: disabled                                 [OK]
    Service kdump: disabled                                [OK]
    Service mDNSResponder: disabled                        [OK]
    Service mcstrans: disabled                             [OK]
    Service nfs: disabled                                  [OK]
    Service nfslock: disabled                              [OK]
    Service nifd: disabled                                 [OK]
    Service pcscd: disabled                                [OK]
    Service portmap: disabled                              [OK]
    Service rpcidmapd: disabled                            [OK]
    Service sbadm: disabled                                [OK]
    Service xfs: disabled                                  [OK]
    Service X11: disabled                                  [OK]

Checking for End of Life (EOL) operating systems
    centos/5: Supported                                    [OK]
Checking for POSIX ACL support: detected                   [OK]

Checking for updater: yum detected                         [OK]
Checking for updates: 1 found                              [CRITICAL]

Checking for Superuser accounts (UID0)

Checking for Suspicious cron jobs

Checking for non-secure services
  Telnet: not detected                                     [OK]
  Rlogin: not detected                                     [OK]
  Rsh: not detected                                        [OK]

Checking system logging
  Syslogd: detected                                        [OK]
  Klogd: detected                                          [OK]

Checking General Plesk settings
  Plesk SQL Injection vulnerability SA26741: not detected  [OK]
  Plesk SQL Injection vulnerability CVE-2011-4734: not dete[OK]
  Proftp Vulnerability SA33842: not detected               [OK]
  Proftp Vulnerability SA42052: not detected               [OK]
  Verify SSLv2 disabled in Plesk Daemon: verified          [OK]
  Verify TLS enabled in proftp: enabled                    [OK]
  Verify ClamAV enabled in proftp: enabled                 [OK]
  Set proftp scoreboard to default: yes                    [OK]
  Checking for weak SMTP_AUTH passwords: 0 found           [OK]
  Verify SSLv2 disabled in Qmail: verified                 [OK]
  Verify SSLv2 disabled in Courier IMAP: verified          [OK]
  Verify SSLv2 disabled in Courier POP3d: verified         [OK]
  Verify expose_php set to off: enforced                   [OK]

Checking mod_security settings
  Checking for mod_security installation: installed        [OK]
  mod_security set to: enabled                             [OK]
  Server signature set to: Apache                          [OK]
  SecUploadDir set to: /var/asl/data/suspicious            [OK]
  SecUploadKeepFiles set to: off                           [OK]
  Logfile set to: audit_log                                [OK]
  Logging set to: Concurrent                               [OK]
  Audit Logging to: /var/asl/data/audit                    [OK]
  Logging elements set to: ABIFHZ                          [OK]
  SecRequestBodyInMemoryLimit set to: 131072               [OK]
  SecRequestBodyLimit set to: 134217728                    [OK]
  SecResponseBodyLimitAction set to: ProcessPartial        [OK]
  SecDataDir set to: /var/asl/data/msa                     [OK]
  SecTmpDir set to: /tmp                                   [OK]

  Checking rule class settings
    RBL Ruleset: off                                       [LOW]
    Bogus Search Engine Ruleset: off                       [HIGH]
    Autowhitelist Search Engine Ruleset: off               [LOW]
    Antievasion Ruleset: on                                [OK]
    Strict Multiform Ruleset: off                          [MODERATE]
    Whitelist Ruleset: off                                 [OK]
    Advanced Antievasion Ruleset: off                      [HIGH]
    Slow Denial of Service Protection: on                  [OK]
    Exclude Ruleset: on                                    [OK]
    Anti-Malware Ruleset: on                               [OK]
    Generic Attack Ruleset: on                             [OK]
    Advanced Attack Ruleset: on                            [OK]
    Data Loss Protection Ruleset: off                      [MODERATE]
    Brute Force Protection Ruleset: on                     [OK]
    Malicious Useragents Ruleset: on                       [OK]
    Anti-Spam Ruleset: on                                  [OK]
    Anti-Spam URI RBL Ruleset: off                         [LOW]
    Rootkit Detection Ruleset: on                          [OK]
    Reconnaissance Attacks Ruleset: on                     [OK]
    Data Leak Prevention Ruleset: on                       [OK]
    Just In Time Patches: on                               [OK]
    Malicious Output Removal Ruleset: on                   [OK]
    Malicious Output Detector: on                          [OK]
    Web Malware Upload Scanner: on                         [OK]

  Checking for disabled rules

Checking php settings
  Checking for php installation: installed                 [OK]
  Enforce safe_mode: enforced                              [OK]
  Disable register_globals: enforced                       [OK]
  Disable URL fopen: enforced                              [OK]
  Disable URL include: enforced                            [OK]
  Disable expose_php: not enforced                         [HIGH]

Checking for High-Risk functions
  Function curl_exec: not allowed                          [OK]
  Function curl_multi_exec: not allowed                    [OK]
  Function dl: not allowed                                 [OK]
  Function exec: not allowed                               [OK]
  Function fsockopen: allowed                              [HIGH]
  Function passthru: not allowed                           [OK]
  Function pcntl_exec: not allowed                         [OK]
  Function pfsockopen: not allowed                         [OK]
  Function popen: not allowed                              [OK]
  Function posix_kill: not allowed                         [OK]
  Function posix_mkfifo: not allowed                       [OK]
  Function posix_setuid: not allowed                       [OK]
  Function proc_close: not allowed                         [OK]
  Function proc_open: not allowed                          [OK]
  Function proc_terminate: not allowed                     [OK]
  Function shell_exec: not allowed                         [OK]
  Function system: not allowed                             [OK]

Checking for Moderate-Risk functions
  Function ftp_exec: not allowed                           [OK]
  Function leak: not allowed                               [OK]
  Function posix_setpgid: not allowed                      [OK]
  Function posix_setsid: not allowed                       [OK]
  Function proc_get_status: not allowed                    [OK]
  Function proc_nice: not allowed                          [OK]
  Function show_source: not allowed                        [OK]

Checking for Low-Risk functions
  Function escapeshellcmd: allowed                         [LOW]
  Function phpinfo: not allowed                            [OK]

 Checking executable stack flag on PHP extensions
  /usr/lib64/php/ioncube/ioncube_loader_lin_5.3.so :       [OK]

Checking ossec-hids settings
  Checking for ossec-hids installation: installed          [OK]
  ossec-hids set to: enabled                               [OK]
  OSSEC is configured in server mode.
    Checking for server installation: installed            [OK]
    Enable email notification: enabled                     [OK]
    Notifications to address: redacted   [OK]
    Notifications from address: redacted 	[OK]
    SMTP server: 127.0.0.1                                 [OK]
    Max email per hour setting: 1                          [OK]
    Active Response: enabled                               [OK]
    Active Response timeout: 600                           [OK]

    Verifying OSSEC whitelists
      checking: redacted                            [OK]
    Excessive whitelists not detected: redacted                  [OK]

    Checking for monitored log files
      /var/log/messages: monitored                         [OK]
      /var/log/secure: monitored                           [OK]
      /var/log/maillog: monitored                          [OK]
      /usr/local/psa/var/log/maillog: monitored            [OK]
      /var/log/httpd/access_log: monitored                 [OK]
      /usr/local/psa/admin/logs/httpsd_access_log: monitore[OK]
      /var/log/httpd/audit_log: monitored                  [OK]
      /var/log/httpd/error_log: monitored                  [OK]
      /var/log/mysqld.log: monitored                       [OK]

Reloading ossec-hids:                                      [  OK  ]

Checking rkhunter settings
  Checking for rkhunter installation: installed            [OK]
  rkhunter set to: enabled                                 [OK]
  Notifications sent to: redacted                          [OK]
  SSH root login check: enabled                            [OK]
  Detected Plesk Environment
    ftp_psa : enabled                                      [OK]
    poppassd_psa : enabled                                 [OK]
    smtp_psa : enabled                                     [OK]
    smtps_psa : enabled                                    [OK]
    submission_psa : enabled                               [OK]

Checking ssh settings
  Enforce Protocol Version 2: enforced                     [OK]
  Strict modes enabled: enforced                           [OK]
  Ignore .rhosts: enforced                                 [OK]
  Enforce Public Key authentication for users: enforced    [OK]
  Checking Admin users
    Checking redacted directory                            [OK]
    Checking redacted authorized_keys: found               [OK]
  Disable Root Logins: no                                  [HIGH]
  Disable Password Authentication: yes                     [OK]
  Enable Privilege separation: enabled                     [OK]
  Disallow GSSAPIAuthentication: enforced                  [OK]
  Disallow GSSAPICleanupCredentials: enforced              [OK]
  SSH Banner: disabled                                     [INFO]
  Enable UseDNS: enforced                                  [OK]
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]



Checking httpd settings
  Verify HTTP TRACE disabled: verified                     [OK]
  Verify SSLv2 disabled: verified                          [OK]

Checking mod_evasive settings
  Checking for mod_evasive installation: installed         [OK]
  mod_evasive set to: enabled                              [OK]
  DOSHashTableSize set to: 4096                            [OK]
  DOSPageCount set to: 5                                   [OK]
  DOSSiteCount set to: 200                                 [OK]
  DOSPageInterval set to: 2                                [OK]
  DOSSiteInterval set to: 2                                [OK]
  DOSBlockingPeriod set to: 25                             [OK]
      checking: redacted                                   [OK]

Checking Mysql security settings
  mysql security policy set to: enforced                   [OK]
  Mysql Local LOAD DATA: disabled                          [OK]
  Mysql Log Errors: enabled                                [OK]
  Mysql Log authentication failures: enabled               [OK]
  Mysql symbolic links : disabled                          [OK]
  Mysql query caching: enabled                             [OK]

Restarting clamav, this could take a moment...

Checking clamav settings
  Checking for clamav installation: installed              [OK]
  ClamAV set to: enabled                                   [OK]
  Clamd listen address: 127.0.0.1                          [OK]
  Clamd log to syslog: yes                                 [OK]

  Clamav is in: application-only mode

Stopping Clam AntiVirus Daemon:                            [  OK  ]
Starting Clam AntiVirus Daemon:                            [  OK  ]

Checking psmon settings
  Checking for psmon installation: installed               [OK]
  psmon set to: enabled                                    [OK]
  Notifications to: redacted             [OK]
  From line set to: redacted         [OK]

Checking System services monitored by psmon
  clamd: monitored                                         [OK]
  courier-imap: monitored                                  [OK]
  crond: monitored                                         [OK]
  httpd: monitored                                         [OK]
  mysqld: monitored                                        [OK]
  named: monitored                                         [OK]
  spamassassin: monitored                                  [OK]
  sshd: monitored                                          [OK]
  xinetd: monitored                                        [OK]
  tortixd: monitored                                       [OK]
  ossec-dbd: monitored                                     [OK]
Stopping psmon:                                            [  OK  ]
Starting psmon:                                            [  OK  ]

Generating Report: Complete

Code: Select all

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ASL-GEO-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-BLACKLIST  all  --  0.0.0.0/0            0.0.0.0/0
ASL-SMALLPACKETS  ah   --  0.0.0.0/0            0.0.0.0/0           length 0:35
ASL-SMALLPACKETS  esp  --  0.0.0.0/0            0.0.0.0/0           length 0:49
ASL-SMALLPACKETS  47   --  0.0.0.0/0            0.0.0.0/0           length 0:39
ASL-SMALLPACKETS  30   --  0.0.0.0/0            0.0.0.0/0           length 0:31
ASL-SMALLPACKETS  icmp --  0.0.0.0/0            0.0.0.0/0           length 0:27
ASL-SMALLPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           length 0:39
ASL-SMALLPACKETS  udp  --  0.0.0.0/0            0.0.0.0/0           length 0:27
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=128
ASL-BADPACKETS  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=64
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x2B
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0A
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x0D
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x1C
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x03
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x29/0x29
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x22/0x22
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
ASL-PORTSCAN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
ASL-IGNORE-BC  all  --  0.0.0.0/0            224.0.0.0/24
ASL-IGNORE-BC  udp  --  0.0.0.0/0            255.255.255.255
ASL-IGNORE-BC  tcp  --  0.0.0.0/0            255.255.255.255
ASL-FRAGMENTS  all  -f  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-TORTIXD-ACL  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:30000 state NEW
ASL-Firewall-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ASL-SMTP_OUT  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
ASL-SMTP_OUT  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ASL-PLESK-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5224 state NEW
ASL-UPDATES  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ASL-FRAGMENTS  all  -f  0.0.0.0/0            0.0.0.0/0
ASL-SPAMASSASSIN-UPDATES  all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-ACTIVE-RESPONSE (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BADPACKETS (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_BADPACKET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-BLACKLIST (1 references)
target     prot opt source               destination

Chain ASL-BLACKLIST-DROP-LOG (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_BLACKLIST_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-FRAGMENTS (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `ASL_FRAGMENT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-Firewall-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:30000
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_INPUT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-GEO-BLACKLIST (1 references)
target     prot opt source               destination

Chain ASL-GEO-BLACKLIST-DROP-LOG (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 2 LOG flags 7 level 6 prefix `ASL_GEO_BLOCK '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-IGNORE-BC (3 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-PLESK-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            77.245.23.80        tcp dpt:5224 state NEW

Chain ASL-PORTSCAN (21 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_PORTSCAN '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-SMALLPACKETS (7 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 6 prefix `DROP_ASL_TOOSMALL '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain ASL-SMTP_OUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 2521
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 2521
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 89
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 89
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 owner UID match 0
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:465
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 15 level 6 prefix `ASL_SMTP_OUT '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain ASL-SPAMASSASSIN-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:24441 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2703 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:6277 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:6277 state NEW

Chain ASL-TORTIXD-ACL (1 references)
target     prot opt source               destination

Chain ASL-UPDATES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            80.82.124.228       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            69.20.6.166         tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.195.110      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            208.68.233.251      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.112.216      tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            74.208.166.51       tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            198.71.51.132       tcp dpt:443 state NEW
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by mikeshinn »

OK, I think I know what it is, the filename convention:

Change this:

INPUT-mysql-tcp-3306-any

To this:

INPUT-mysql-tcp-3306-any-acl

You must have "-acl" at the end, or it wont process it. The naming convention has changed (this is an alpha feature afterall and it wouldnt be any fun if we didnt change things. No seriously, the name needed to change so we could support other chain types and easily identify these files):

Naming convention for file is now:

INPUT-<name>-<protocol>-<port>-any-acl

Example:

INPUT-mysql-tcp-3306-any-acl

Fields in filename you can change:

INPUT - this defines the chain it goes into, INPUT is the only supported chain right now. In the future we will add support for other chains.

name - an arbitrary alpha numeric name, this must be unique as this will be used to name the chain and you cant have duplicate chain names. Example: smtp1

protocol - any supported iptables protocol on the system that takes a port as an argument.

port - 1-65535
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

mikeshinn wrote:OK, I think I know what it is, the filename convention:
Change this:
INPUT-mysql-tcp-3306-any
To this:
INPUT-mysql-tcp-3306-any-acl
Great, that was it. Thank you for your help, I didn't know the file name convention changed.

Wouldn't it be a good idea to create a wiki page about this feature to prevent situations like these? Of course, I'd be glad to contribute to the wiki page once I've tested more with this feature.

Just one thing, you've said that the firewall rules "didn't look right", what exactly didn't look right according to you? Since you are THE firewall guru on this forums I am very interested to read your reply. This is a test setup with a 'standard' ASL firewall (the only customizations that were made, were made by switching FW_* settings in the ASL configuration).
Lemonbit Internet Dedicated Server Management
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

I noticed that you will also need to add the local IP's in the INPUT ACL for MySQL, otherwise applications such as ASL Web that use TCP mysql connections won't be able to connect.
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by mikeshinn »

Just one thing, you've said that the firewall rules "didn't look right", what exactly didn't look right according to you? Since you are THE firewall guru on this forums I am very interested to read your reply. This is a test setup with a 'standard' ASL firewall (the only customizations that were made, were made by switching FW_* settings in the ASL configuration).
The invalid rules were missing, so my guess is a stored config existed.
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by scott »

Well theres no point on making a wiki page for this since I know its going to change again. More needs to be sorted out here, like multiple interface/multiple port tuples, chains, policies etc. This was really an exercise in trying to find a more intuitive way to work with policies.
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 3.2.8 Firewall changes (alpha)

Unread post by prupert »

scott wrote:Well theres no point on making a wiki page for this since I know its going to change again. More needs to be sorted out here, like multiple interface/multiple port tuples, chains, policies etc. This was really an exercise in trying to find a more intuitive way to work with policies.
Alright. How do you suggest I keep myself informed about changes to this feature? I really welcome this feature and would be glad to contribute (by testing etc.), since it is a great and intuitive way to deal with simple custom firewall rules, and it doesn't make you dependent on the Web GUI.
Lemonbit Internet Dedicated Server Management
Post Reply