#1

Hi,
What do you recommend for a firewall for my new VPS? In the past I have used CSF (Config Security Firewall). What do you use?
__________________
Regards, Garry

#2

Garry,
I still use CSF on my side and would also advise you to use it. The only downside is that CSF is software on the server and not hardware before your server. Hardware is too expensive anyway.

#3

Thanks for the reply.
I have installed CSF and enabled it etc...
__________________
Regards, Garry

#4

Garry,
Excellent choice! If you have any issues with the CSF firewall, there are great threads on this forum. We will be glad to help you if you face any problems. Regards,

#5

The CSF firewall is easier to manage, or to change settings on the fly. Everything can be done in the WHM control panel.
They also give you a lot of information to tweak your VPS for more robust protection (check server security button). The CSF firewall does not only open or close ports. It has many features, which is far more than just a straight out of the box hardware or software firewall. I've been using it since at least 2005 on many servers.

#6

Here's the list of what CSF will help you with:

Server Check
Check /tmp permissions
Check /tmp ownership
Check /tmp is mounted as a filesystem
Check /tmp is mounted noexec,nosuid
Check /etc/cron.daily/logrotate for /tmp noexec workaround
Check /var/tmp permissions
Check /var/tmp ownership
Check /var/tmp is mounted as a filesystem
Check /var/tmp is mounted noexec,nosuid
Check /usr/tmp permissions
Check /usr/tmp ownership
Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp
Check /dev/shm is mounted noexec,nosuid
Check for DNS recursion restrictions
Check for DNS random query source port
Check server runlevel
Check nobody cron
Check Operating System support
Check perl version
Check MySQL version
Check MySQL LOAD DATA disallows LOCAL
Check SUPERUSER accounts
Check for cxs
Check for IPv6
Check for kernel logger

SSH/Telnet Check
Check SSHv1 is disabled
Check SSH on non-standard port
Check SSH UseDNS
Check telnet port 23 is not in use
Check shell limits
Check Background Process Killer

Mail Check
Check root forwarder
Check exim for extended logging (log_selector)
Check exim weak SSL/TLS Ciphers (tls_require_ciphers)
Check for maildir conversion
Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)

Apache Check
Check apache version
Check suPHP
Check Suexec
Check apache for mod_security
Check apache for FrontPage
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check apache for TraceEnable
Check apache for ServerSignature
Check apache for ServerTokens
Check apache for FileETag
Check mod_userdir protection

PHP Check
Check php version (/usr/local/bin/php)
Check php for enable_dl or disabled dl()
Check php for disable_functions
Check php for ini_set disabled
Check php for register_globals
Check php for Suhosin
Check php open_basedir protection

WHM Settings Check
Check cPanel login is SSL only
Check boxtrapper is disabled
Check max emails per hour is set
Check whether users can reset passwords via email
Check whether native cPanel SSL is enabled
Check compilers
Check Anonymous FTP Logins
Check Anonymous FTP Uploads
Check pure-ftpd weak SSL/TLS Ciphers (TLSCipherSuite)
Check FTP Logins with Root Password
Check allow remote domains
Check block common domains
Check allow park domains
Check proxy subdomains
Check proxy subdomains for new users
Check cPAddons update email to owner
Check cPAddons update email to root
Check cPanel tree
Check cPanel updates
Check package updates
Check security updates
Check melange chat server
Check Accounts that can access a cPanel user account
Check cPanel php for register_globals
Check cPanel php.ini file for register_globals
Check cPanel passwords in email
Check core dumps
Check Cookie IP Validation
Check MD5 passwords with Apache
Check Referrer Blank Security
Check Referrer Security
Check HTTP Authentication
Check Security Tokens
Check Parent Security
Check Domain Lookup Security
Check SMTP Tweak
Check nameservers WARNING

Server Services Check
Check server startup for cups
Check server startup for xfs
Check server startup for atd
Check server startup for nfslock
Check server startup for canna
Check server startup for FreeWnn
Check server startup for cups-config-daemon
Check server startup for iiim
Check server startup for mDNSResponder
Check server startup for nifd
Check server startup for rpcidmapd
Check server startup for bluetooth
Check server startup for anacron
Check server startup for gpm
Check server startup for saslauthd
Check server startup for avahi-daemon
Check server startup for avahi-dnsconfd
Check server startup for hidd
Check server startup for pcscd
Check server startup for sbadm
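
The "is mounted noexec,nosuid" items in the list above (/tmp, /var/tmp, /dev/shm), sketched as a standalone shell check over a /proc/mounts-style table. This is an added example, not part of the original post and not CSF's own code; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit temp-directory mount options (not CSF's implementation).

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
/tmp /var/tmp none rw,nosuid,relatime,bind 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0'

# check_mount TABLE MOUNTPOINT
# Prints OK, MISSING:<options>, or NOT_MOUNTED; returns 0 only for OK.
check_mount() {
    table=$1
    mp=$2
    # The last matching entry wins, because a later mount shadows an earlier one.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "NOT_MOUNTED"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        # Wrap in commas so "noexec" only matches a whole option, not a substring.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "MISSING:$missing"
        return 1
    fi
    echo "OK"
}

# audit_tmp TABLE: one result line per directory named in the check list.
audit_tmp() {
    for dir in /tmp /var/tmp /dev/shm; do
        printf '%s %s\n' "$dir" "$(check_mount "$1" "$dir")"
    done
}

audit_tmp "$SAMPLE_MOUNTS"
```

To audit a live Linux host instead of the sample, pass the real table: `audit_tmp "$(cat /proc/mounts)"`.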

#7

Using CSF now along with IPTables, working great.
__________________
HostGator makes being a Web Host extremely easy and simple.

#8

chaloupe mentioned csf does not close ports. So do we leave HG firewall running and add csf?
Also, I am a VPS newbie; do I put a ticket in to have csf installed? Thanks...
__________________
Bernie Clark MAKO Web Sales LLC Sarasota Florida’s Only Certified Paypal Developer! Sarasota: 941-870-2271 Toll Free: 877-625-6932 http://www.makoweb.com

#9

Quote:
CSF closes all ports, and in its configuration you specify what ports to open.
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss

#10

Another vote for CSF.

#11

Could someone please point me in the right direction on how to install / configure CSF? If I open a ticket, can hostgator install CSF for me?
Thanks!

#12

Quote:
__________________
quietFinn - netFinn Finland "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr. Seuss