
CSF centmin mod defaults

Discussion in 'Other Centmin Mod Installed software' started by Zykov, May 29, 2014.

  1. Zykov

    Zykov Member

    I want to protect my VDS from unnecessary scans of script kiddies.
    In csf.conf I see the following opened ports:

    Code:
    TCP_IN = "20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2049,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,3000:3050"

    Which of them can I safely cut off from there if I run only one server (no balancing), sshd, nginx (with and without SSL), mail and maybe a DNS server?
    Is it absolutely necessary for MySQL to have port 9000 open?

    Also, can anyone point me to ready-made user-agent-specific settings for nginx for the same reason (to protect from known scanners)?

     
  2. Matt

    Matt Well-Known Member

    This is mine. I don't run a DNS or mail server, so I only have the bare minimum open.

    Code:
    [root@host public]# cat /etc/csf/csf.conf | grep TCP_IN
    TCP_IN = "25,80,443,SSH_PORT"
     
  3. eva2000

    eva2000 Administrator Staff Member

    It really depends on your services and what specific ports they are configured to run on, so I'd start by seeing what ports you are currently running stuff on, at least for the local address, with the netstat command

    Code:
    netstat -plant
    Definite ones usually are 22 (unless you change the sshd port), 25, 53, 80, 443, 9000, 9001, and you'll need 9418 for Git.

    As to user agent blocks for Nginx, the default commented-out /usr/local/nginx/conf/block.conf in each Nginx vhost already has some. May need tweaking for your specific app; can't help there, you're on your own for that :)

    Code:
    # Blocking HTTP POST Attack
    
    limit_req_status 444;
    if ($args ~ CtrlFunc_* ) {   return 444; }
    set $my_var 0;
    set $the_var 2;
    if ($request_method = POST ) {    set $my_var 1; }
    if ($args = / ) {    set $the_var 1; }
    if ($my_var = $the_var ) { return 444; }
    
    # from
    # http://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
    
        ## Block SQL injections
        set $block_sql_injections 0;
        if ($query_string ~ "union.*select.*\(") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "union.*all.*select.*") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "concat.*\(") {
            set $block_sql_injections 1;
        }
        if ($block_sql_injections = 1) {
            return 403;
        }
    
        ## Block file injections
        set $block_file_injections 0;
        if ($query_string ~ "[a-zA-Z0-9_]=http://") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
            set $block_file_injections 1;
        }
        if ($block_file_injections = 1) {
            return 403;
        }
    
        ## Block common exploits
        set $block_common_exploits 0;
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "proc/self/environ") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "base64_(en|de)code\(.*\)") {
            set $block_common_exploits 1;
        }
        if ($block_common_exploits = 1) {
            return 403;
        }
    
        ## Block spam
        set $block_spam 0;
        if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
            set $block_spam 1;
        }
        if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
            set $block_spam 1;
        }
        if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
            set $block_spam 1;
        }
        if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
            set $block_spam 1;
        }
        if ($block_spam = 1) {
            return 403;
        }
    
        ## Block user agents
        set $block_user_agents 0;
    
        # Don't disable wget if you need it to run cron jobs!
        #if ($http_user_agent ~ "Wget") {
        #    set $block_user_agents 1;
        #}
    
        # Disable Akeeba Remote Control 2.5 and earlier
        if ($http_user_agent ~ "Indy Library") {
            set $block_user_agents 1;
        }
    
        # Common bandwidth hoggers and hacking tools.
        if ($http_user_agent ~ "libwww-perl") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "GetRight") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "GetWeb!") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "Go!Zilla") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "Download Demon") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "Go-Ahead-Got-It") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "TurnitinBot") {
            set $block_user_agents 1;
        }
        if ($http_user_agent ~ "GrabNet") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "dirbuster") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "nikto") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "SF") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "sqlmap") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "fimap") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "nessus") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "whatweb") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "Openvas") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "jbrofuzz") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "libwhisker") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "webshag") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "Acunetix-Product") {
            set $block_user_agents 1;
        }
    
        if ($http_user_agent ~ "Acunetix") {
            set $block_user_agents 1;
        }
    
        if ($block_user_agents = 1) {
            return 403;
        }
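As an added example (not from the thread, Centmin Mod or CSF), the script below does offline the comparison eva2000 describes: it expands a csf.conf TCP_IN string, including 3000:3050-style ranges and the SSH_PORT placeholder Matt's config uses, parses a `netstat -plant` style listing, and reports which admitted ports have no listener at all, which only listen on loopback and so need no TCP_IN entry, and which public listeners the current TCP_IN would block. The netstat output is constructed, and the service mix in it (sshd, nginx on 80/443, php-fpm bound to 127.0.0.1:9000, MariaDB bound to 127.0.0.1:3306) is an assumption, not something the thread states.

```python
"""Audit a csf.conf TCP_IN list against what is actually listening.

Added example, not part of the thread, Centmin Mod or CSF. Run it as-is to
see the report for the constructed sample, or feed it your own csf.conf
value and `netstat -plant` output.
"""

LOOPBACK = ("127.0.0.1", "::1")

# The TCP_IN value quoted in the first post (line wrap removed).
TCP_IN = ("20,21,22,25,53,80,110,111,143,161,443,465,587,993,995,1110,1186,"
          "1194,2202,11211,11212,11213,11214,2049,2112,22000,22001,2222,3000,"
          "3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,"
          "30865,3000:3050")

# Constructed `netstat -plant` sample for an assumed single-server setup:
# sshd, nginx (80/443), php-fpm on loopback 9000, MariaDB on loopback 3306.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1450/nginx: master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1450/nginx: master
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1502/php-fpm: master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1388/mysqld
tcp        0      0 203.0.113.10:22         198.51.100.7:50211      ESTABLISHED 2201/sshd: root
tcp6       0      0 :::80                   :::*                    LISTEN      1450/nginx: master
"""


def parse_tcp_in(value, ssh_port=22):
    """Expand a CSF TCP_IN string into a set of port numbers.

    Handles single ports, low:high ranges and the SSH_PORT placeholder
    (assumption: SSH_PORT resolves to the sshd port passed in).
    """
    ports = set()
    for item in value.replace('"', "").split(","):
        item = item.strip()
        if not item:
            continue
        if item == "SSH_PORT":
            ports.add(ssh_port)
        elif ":" in item:
            low, high = (int(x) for x in item.split(":", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(item))
    return ports


def parse_listeners(netstat_output):
    """Return {port: (local address, program)} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split(None, 6)   # program name may contain spaces
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit copes with ':::80'
        listeners.setdefault(int(port), (addr, fields[6].strip()))
    return listeners


def audit(tcp_in, netstat_output, ssh_port=22):
    """Compare the ports TCP_IN admits with the ports actually listening."""
    admitted = parse_tcp_in(tcp_in, ssh_port)
    listeners = parse_listeners(netstat_output)
    listening = set(listeners)
    public = {p for p, (addr, _) in listeners.items() if addr not in LOOPBACK}
    return {
        "exposed": sorted(admitted & public),                  # admitted and reachable
        "loopback_only": sorted((admitted & listening) - public),  # entry not needed
        "nothing_listening": sorted(admitted - listening),     # candidates to drop
        "unadmitted": sorted(public - admitted),               # would be firewalled
    }


def minimal_tcp_in(netstat_output):
    """Smallest TCP_IN value that still admits every non-loopback listener."""
    listeners = parse_listeners(netstat_output)
    public = sorted(p for p, (addr, _) in listeners.items() if addr not in LOOPBACK)
    return '"' + ",".join(str(p) for p in public) + '"'


if __name__ == "__main__":
    report = audit(TCP_IN, NETSTAT_SAMPLE)
    for key, ports in report.items():
        print(f"{key:18} {', '.join(map(str, ports)) or '-'}")
    print("minimal TCP_IN =", minimal_tcp_in(NETSTAT_SAMPLE))
```

For the constructed sample the minimal value comes out as "22,80,443", which is Matt's list minus the mail port he keeps open; 9000 shows up under loopback_only because nothing outside the box can reach a 127.0.0.1 listener whether or not TCP_IN admits it. Run netstat as root so the PID/Program name column is filled in, otherwise the listener is reported but its owner is blank.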
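Also added here (not part of the thread or of Centmin Mod's block.conf) is a dry run of a subset of the posted rules. The nginx `if` conditions are re-expressed as Python regexes and evaluated over constructed requests, so you can see which requests the rules would answer with 403 before uncommenting block.conf on a live vhost, and see the kind of false positive eva2000's "may need tweaking" refers to: a search query containing the literal `concat(` trips the SQL-injection rule. Two properties of the nginx rules are mirrored: `~` is case-sensitive (nginx's `~*` is the case-insensitive form) and `$query_string` is matched raw, still percent-encoded, which is why the posted patterns accept both `<` and `%3C`. The request samples and the 200 status for unmatched requests are assumptions.

```python
"""Dry-run a subset of the posted block.conf rules over constructed requests.

Added example, not part of the thread or of Centmin Mod. Patterns are copied
from the posted block.conf; the sample requests are constructed.
"""
import re

# Query-string rules from the post, grouped by the variable each sets.
# Any match means `return 403`.
QUERY_RULES = {
    "sql_injection": [
        r"union.*select.*\(",
        r"union.*all.*select.*",
        r"concat.*\(",
    ],
    "file_injection": [
        r"[a-zA-Z0-9_]=http://",
        r"[a-zA-Z0-9_]=(\.\.//?)+",
        r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    ],
    "common_exploit": [
        r"(<|%3C).*script.*(>|%3E)",
        r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",
        r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",
        r"proc/self/environ",
        r"base64_(en|de)code\(.*\)",
    ],
    "spam": [
        r"\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b",
        r"\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b",
    ],
}

# User-agent substrings from the post; `~ "needle"` with no anchors is a
# case-sensitive substring match, so plain `in` reproduces it.
UA_RULES = ["Indy Library", "libwww-perl", "GetRight", "dirbuster", "nikto",
            "sqlmap", "fimap", "nessus", "whatweb", "Openvas", "Acunetix"]

# Constructed requests: (label, raw query string, User-Agent header).
SAMPLE_REQUESTS = [
    ("normal page", "p=42&lang=en",
     "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0"),
    ("sqli probe", "id=1%20union%20all%20select%201,2,3", "Mozilla/5.0"),
    ("remote file include", "page=http://example.invalid/x.txt", "Mozilla/5.0"),
    ("scanner user agent", "", "sqlmap/1.0-dev"),
    ("false positive: search for a SQL function",
     "q=how+to+use+concat(+in+mysql", "Mozilla/5.0"),
    ("encoded script tag", "s=%3Cscript%3Ex%3C/script%3E", "Mozilla/5.0"),
]


def decide(query_string, user_agent):
    """Return (status, reason) the posted rules would produce for one request.

    Rules are checked in the order block.conf lists them; the first match
    wins. Assumption: an unmatched request is served normally (200).
    """
    for group, patterns in QUERY_RULES.items():
        for pat in patterns:
            if re.search(pat, query_string):     # case-sensitive, raw query
                return 403, f"{group}: {pat}"
    for needle in UA_RULES:
        if needle in user_agent:
            return 403, f"user_agent: {needle}"
    return 200, ""


def run(requests):
    """Evaluate every sample and return [(label, status, reason), ...]."""
    return [(label, *decide(qs, ua)) for label, qs, ua in requests]


if __name__ == "__main__":
    for label, status, reason in run(SAMPLE_REQUESTS):
        print(f"{status}  {label:45} {reason}")
```

The "false positive" row is the one to look at before enabling the SQL group on a site with a search box or a forum that discusses SQL: the rule has no way to tell a MySQL tutorial URL from a probe. Disabling a rule is a matter of commenting out the corresponding `if` in block.conf, and running a day of real query strings from the access log through `decide()` first shows how often that would have bitten.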