Posts Tagged ‘vps’

CSF firewall for your CPanel VPS and FTP issue

August 22nd, 2011

When you have a CPanel VPS, you may also want a way to manage the firewall easily and effectively. I found that CSF is a good option here: it is free, integrates with the Web Host Manager UI, and its features and performance are decent. It is recommended in many VPS forums.

http://configserver.com/cp/csf.html

Installation is straightforward: download the package and run the install script.

However, after you secure your VPS with CSF, you may encounter the following issue when you connect to the server over FTP:

Command:    PASV
Response:    227 Entering Passive Mode (69,73,143,39,137,1)
Command:    MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

This means your FTP client opens the data connection in passive mode and then tries to run MLSD (list the contents of a directory) on the server, but the data connection never completes. The issue lies between the CSF configuration and the FTP server configuration: the passive ports configured in the FTP server are not opened in the CSF firewall. One way to fix it:

1. Identify the passive ports configured in the FTP server

- check /etc/pure-ftpd.conf (if you use Pure-FTPd)

- find this line:

# Port range for passive connections replies. - for firewalling.
PassivePortRange 35000 36000

2. Add this port range to the TCP_IN entry in the CSF configuration

- restart CSF and test FTP again.
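To check that the two configurations agree before restarting anything, here is an added example (not code from the post, CSF or Pure-FTPd) that reads PassivePortRange from a pure-ftpd.conf fragment and verifies that a TCP_IN entry in csf.conf spans it; the config fragments are constructed samples.

```sh
#!/bin/sh
# Added example, not code from the post or from CSF/Pure-FTPd: check that the
# PassivePortRange in pure-ftpd.conf is covered by a TCP_IN entry in csf.conf.
# The config fragments below are constructed samples standing in for the real files.

FTPD_CONF='# Port range for passive connections replies. - for firewalling.
PassivePortRange 35000 36000'

# Constructed csf.conf fragment before the fix (passive range missing) ...
CSF_BEFORE='TCP_IN = "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087"'
# ... and after adding the range to TCP_IN
CSF_AFTER='TCP_IN = "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,35000:36000"'

# pasv_covered FTPD_CONF_TEXT CSF_CONF_TEXT
# Exit 0 if a single TCP_IN entry (port or lo:hi range) spans the whole passive
# range, 1 if not, 2 if no PassivePortRange is declared. A range split across
# several TCP_IN entries is deliberately not merged; keep one entry per range.
pasv_covered() {
  range=$(printf '%s\n' "$1" | awk '$1 == "PassivePortRange" { print $2, $3; exit }')
  [ -n "$range" ] || return 2
  lo=${range% *}
  hi=${range#* }
  printf '%s\n' "$2" \
    | sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' \
    | tr ',' '\n' \
    | awk -v lo="$lo" -v hi="$hi" '
        { n = split($0, p, ":"); a = p[1] + 0; b = (n > 1 ? p[2] + 0 : a)
          if (a <= lo + 0 && b >= hi + 0) ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Report for both fragments; "NOT in TCP_IN" is exactly the situation behind the
# MLSD "Connection timed out" shown above.
for label in before after; do
  if [ "$label" = before ]; then conf=$CSF_BEFORE; else conf=$CSF_AFTER; fi
  if pasv_covered "$FTPD_CONF" "$conf"; then
    echo "$label: passive range is open in TCP_IN"
  else
    echo "$label: passive range NOT in TCP_IN; add it and restart csf"
  fi
done
```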

This solution follows from section 13 of the CSF readme:

13. A note about FTP Connection Issues
######################################

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won’t work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange 30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts 30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol establishes a connection between client and server.
iptables fails to establish a related connection when using FTP over SSL
because the FTP control connection is encrypted and so cannot track the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.

Hope this solution works for you.

Please share with me your feedback or another solution. Many thanks!

Some quick steps to secure your VPS

August 10th, 2011

This article describes standard Security Best Practices for Linux servers and provides basic instructions for securing a virtual private server against most common attacks.

User Accounts

  • Observe the Password Security recommendations for your root account
  • Create a user account for any trusted users who should have access to the VPS – do not share your root login
  • Eliminate unnecessary user accounts and disable shell access for daemons
    1. Run cat /etc/passwd and identify unnecessary user accounts
    2. Remove unnecessary users with userdel <username>
    3. Disable interactive logins for daemon accounts by specifying /bin/false for the user’s shell

SSH Configuration

  • Change the SSH port
    1. Open your sshd_config file for editing
    2. Locate the Port directive
    3. Change the default SSH port – any port above the 1-1024 range is preferable (check the Internet Assigned Numbers Authority site for unassigned port numbers if you want to ensure no conflicts are encountered)
    4. Restart SSH and connect to your VPS using the new port
  • Restrict SSH users and hosts in sshd_config
    • Use the PermitRootLogin no directive to disable root logins over SSH (if you have created a user account for yourself and plan to use su to administer your VPS)
    • Use the AllowUsers directive to specify which user accounts may be used to log in
  • Additional Recommendations
    • Limit SSH access to trusted IPs only (iptables example):
      1. -A INPUT -p tcp -m tcp --dport XXXX --source x.x.x.x -j ACCEPT (where XXXX is the port SSH is listening on and x.x.x.x is the trusted source IP)
      2. Prior to closing the established SSH session, test the SSH access rule: Create an additional SSH session from the trusted source IP. Test a non-trusted IP as well. If the non-trusted IP is unable to connect and the trusted IP is allowed, the rule is working as intended.
    • Use the DenyHosts script to block malicious users (if restricting access to a single trusted IP is not practical)
    • Configure your VPS to use public key authentication instead of password authentication
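The following is an added example (not code from the post or the VPSLink wiki) that audits an sshd_config and a passwd file against the User Accounts and SSH Configuration checklists above: the default port, PermitRootLogin, AllowUsers, password authentication, and daemon accounts that still have an interactive shell. Both inputs are constructed samples; the UID threshold of 1000 for system accounts and the assumed sshd defaults are labelled in the comments.

```sh
#!/bin/sh
# Added example, not code from the post or the VPSLink wiki: audit an sshd_config
# and a passwd file against the checklist above. Both inputs are constructed samples;
# on a real VPS you would feed /etc/ssh/sshd_config and /etc/passwd instead.

SSHD_DEFAULT='Port 22
#PermitRootLogin yes
PasswordAuthentication yes'

SSHD_HARDENED='Port 2222
PermitRootLogin no
AllowUsers alice
PasswordAuthentication no
PubkeyAuthentication yes'

PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# sshd_opt CONFIG_TEXT KEYWORD DEFAULT: effective value of a keyword. Like sshd,
# the first uncommented occurrence wins; DEFAULT is printed when it is absent.
sshd_opt() {
  v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
  printf '%s\n' "${v:-$3}"
}

# sshd_findings CONFIG_TEXT: one line per checklist item the config fails.
# Assumed defaults: Port 22, PermitRootLogin yes (the OpenSSH default when the post
# was written; newer releases default to prohibit-password), PasswordAuthentication yes.
sshd_findings() {
  [ "$(sshd_opt "$1" Port 22)" != 22 ] || echo "Port: sshd still listens on the default port 22"
  [ "$(sshd_opt "$1" PermitRootLogin yes)" = no ] || echo "PermitRootLogin: root can log in over SSH"
  [ -n "$(sshd_opt "$1" AllowUsers '')" ] || echo "AllowUsers: no login allow-list configured"
  [ "$(sshd_opt "$1" PasswordAuthentication yes)" = no ] || echo "PasswordAuthentication: passwords accepted; use keys"
}

# daemon_shells PASSWD_TEXT: system accounts (UID below 1000, root excluded; the
# threshold is an assumption, older RHEL used 500) whose shell is not nologin/false.
daemon_shells() {
  printf '%s\n' "$1" | awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ": " $7 }'
}

echo "== sshd_config findings (default config) =="; sshd_findings "$SSHD_DEFAULT"
echo "== sshd_config findings (hardened config) =="; sshd_findings "$SSHD_HARDENED"
echo "== daemon accounts that still have a shell =="; daemon_shells "$PASSWD"
```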

Additional Linux Security Resources

See the Security category for security guides on the VPSLink Wiki.

Linux Distribution Security

If you have an active interest in securing your VPS, you should follow up with recommendations specific to your distribution and recommendations for any daemons or applications which you use.

Security Applications

Applications geared toward security are an invaluable asset – consider installing an auditing tool and an intrusion detection system to automate monitoring and test your system’s configuration.

  • Bastille – Security auditing and configuration tool
  • Samhain – File integrity checker and intrusion detection system
  • SentryTools – A host-level security suite used to protect against port scans, automate log file auditing, and detect suspicious login activity

(Source: http://wiki.vpslink.com/Security_Best_Practices)

Instant web proxy on a Linux VPS server

August 10th, 2011

If you are unable to access a website because your computer is behind a firewall, with a VPS server you can set up an instant SOCKS proxy to bypass the firewall in a few minutes. This is a useful guide that I found on the net. Enjoy!

Introduction

There are many situations which call for a higher level of security and privacy than the immediate network provides: having a SOCKS proxy at your disposal is often the quickest and most convenient solution.

If you have ever checked POP3 e-mail, accessed an account on an FTP server, or encountered a website which was blocked by the local network administrator, this guide will explain how to protect your passwords over the local network and maintain access to the sites you frequent, regardless of local restrictions.

This guide will explain how to configure your VPS to act as a proxy server and configure your Linux or Windows client software to use the SOCKS proxy.

Note: The VPSLink Acceptable Use Policy expressly prohibits the operation of a public proxy. Please limit user accounts to trusted users to ensure the security of your VPS.

VPS Configuration

No special configuration is required – your VPS will be running an SSH daemon by default.

Note: We strongly recommend that you review our Linux security best practices to change the port which SSH is listening on as a security precaution.

Client Configuration

Considerations:

  • Ensure that the port which will act as your local proxy port is not presently active or listening for connections
  • Despite common port restrictions, most networks will allow traffic over port 80 (HTTP) and port 443 (SSL) – because encrypted traffic is expected over port 443, this port makes an ideal local proxy port
  • Client software (web browsers, e-mail clients, chat clients) must be configured to use the SOCKS proxy and perform DNS lookups over the SOCKS proxy (if you wish to keep the domains which you browse private)

Linux

  1. Open a local console
  2. Enter the following command:

    ssh -p VPS_SSH_PORT -D LOCAL_PROXY_PORT USERNAME@VPS_IP_ADDRESS

    where:

    • VPS_SSH_PORT – The port on your VPS which is listening for SSH connections
    • LOCAL_PROXY_PORT – The port on your local machine which will accept SOCKS connections
    • USERNAME – The username for an account with SSH login capabilities on your VPS
    • VPS_IP_ADDRESS – The IP address of your VPS
  3. Log in with your user account password
  4. Open your client applications and enable proxy use on your local SOCKS proxy port

Windows

  1. Open the PuTTY SSH client
  2. Complete the following fields under the Session category:
    • Host Name (or IP Address) – Enter the IP address for your VPS
    • Port – Enter the port which the SSH daemon is listening on
  3. Navigate to the Connection > SSH > Tunnels category
  4. Complete the following fields under the Tunnels category:
    • Source port – Enter the port on your local machine which will accept SOCKS connections
    • Destination – Enter the IP address for your VPS
    • Select the Dynamic radio button
  5. Click the Add button to add the source port association
  6. If you would like to save your SOCKS proxy settings:
    1. Navigate back to the Session category
    2. Enter a label for your settings in the Saved Sessions field
    3. Click the Save button
  7. Click the Open button to initiate a connection with your VPS
  8. Log in with your username and password
  9. Open your client applications and enable proxy use on your local SOCKS proxy port

Application Configuration

Keep in mind that you will need to have an open SSH connection to your VPS in order to use application SOCKS proxy settings. If your local machine is no longer listening for connections or your connection to your VPS is interrupted, SOCKS-enabled applications will report that no connection exists.

Firefox

The Firefox browser can easily be configured to make use of a SOCKS proxy – additionally, the FoxyProxy Firefox extension allows for domain-specific proxying rules.

Use the following steps to modify your Firefox settings to route all browsing over your proxy:

  1. Open Firefox and select the Tools option from the menu bar
  2. Switch to the Advanced section and select the Network tab, then click the Settings button
  3. Select the Manual proxy configuration option
  4. Enter localhost in the SOCKS Host field and your LOCAL_PROXY_PORT in the corresponding Port field
  5. Browse to WhatIsMyIP.com to confirm that the IP address for your VPS appears

(Source: http://wiki.vpslink.com/Instant_SOCKS_Proxy_over_SSH)