

Discussion in 'Server Configuration and Hosting' started by Solidus, Nov 1, 2015.

  1. Solidus

    Solidus Well-Known Member


    Anyone ever use this? I'm giving it a try on a new server.
    Not sure if I should replace CSF with it, or run them together.
  2. Moscato

    Moscato Active Member

    It's a pretty popular host based intrusion *detection* system

    It does *not* fix intrusions, but it definitely does a good job at finding them when they happen.

    You can run them together.

    CSF does something entirely different. CSF manages a firewall.

    Honestly, firewall rules aren't that hard for a webserver, and you really don't need a special tool for it.

    660 is used for SSH, though you can change that to any port you want. I recommend against port 22. Literally any other unused port is better.

    I use SSH keys, so ssh doesn't require a password, and can't be brute-forced.

    This is my *entire* iptables firewall ruleset. I made this by hand. You're welcome to copy it. Just make sure you make SSH function on the port you choose for SSH.

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [1329:3824279]
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,443,660 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    COMMIT

    I'll explain this, in case it doesn't make sense.
    Line 1 sets up the next set of lines.
    Lines 2 and 3 drop incoming traffic that isn't explicitly allowed.
    Line 3 allows all outgoing traffic.
    Line 5 drops malformed packets.
    Line 6 allows incoming traffic related to outgoing traffic.
    Line 7 opens ports 80, 443, and 660. 80 and 443 are used for HTTP and HTTPS traffic respectively. I used 660 for SSH.
    Line 8 allows loopback connections.
    Line 9 allows ICMP type 3.
    Line 10 allows ICMP type 4. These 2 ICMP types are necessary for effective TCP traffic.
    Line 11 pushes it into a functioning configuration.

    If you *really* want to up the ante on your web security, I'd consider using a WAF. The fastest and by far most secure WAF out there is naxsi, though it's fairly complicated to set up.
    Marcus likes this.
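A pre-flight check for the lock-out risk Moscato points at (making sure SSH works on the chosen port before a default-DROP ruleset goes live), as an added example that is not from the thread or any poster: it reads an iptables-save ruleset and an sshd_config, both constructed inline here, and reports whether every port sshd listens on is accepted by the INPUT chain. The function names `accepted_tcp_ports`, `sshd_ports`, `ssh_port_allowed` and `write_samples` are my own.

```shell
# Added example, not code from the thread: pre-flight check before loading a
# default-DROP INPUT ruleset with iptables-restore. It confirms the port(s) sshd
# listens on are ACCEPTed in the INPUT chain, so the restore cannot lock you out.
# Assumes iptables-save format and an sshd_config; sample files are constructed.
# List the TCP destination ports the INPUT chain accepts, expanding a:b ranges.
accepted_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*-j ACCEPT' "$1" \
      | sed -nE 's/.*--dports? ([0-9,:]+).*/\1/p' \
      | tr ',' '\n' \
      | awk -F: 'NF == 1 { print $1 } NF == 2 { for (p = $1; p <= $2; p++) print p }'
}

# List the port(s) sshd listens on; no Port directive means the default 22.
sshd_ports() {
    ports=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1")
    echo "${ports:-22}"
}

# Succeed only if every sshd port is accepted. Caveat: any tcp ACCEPT counts,
# even one restricted to a source address (-s); review those rules by hand.
ssh_port_allowed() {
    allowed=$(accepted_tcp_ports "$1")
    for p in $(sshd_ports "$2"); do
        echo "$allowed" | grep -qx "$p" || return 1
    done
    return 0
}

# Constructed samples: the thread's ruleset framed by *filter/COMMIT, one ranged rule, sshd on 660.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/rules.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,660 -j ACCEPT
-A INPUT -p tcp --dport 8080:8081 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
    printf 'Port 660\n' > "$dir/sshd_config"
    echo "$dir"
}

dir=$(write_samples)
ssh_port_allowed "$dir/rules.v4" "$dir/sshd_config" && echo "ok: sshd port(s) reachable through the ruleset"
```

On a real host, point the two arguments at the ruleset you are about to restore and at /etc/ssh/sshd_config, and only run iptables-restore when the check succeeds.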
