Centos / RHEL Config Tasks

The installer will automatically handle most configuration tasks, but it is recommended that you familiarize yourself with the tasks below to enable the full functionality of Juggernaut Firewall.

SSH Configuration (Recommended)

To enable successful SSHD login tracking, disable SSH reverse DNS lookups. Edit the file /etc/ssh/sshd_config and change the following:

UseDNS no

Reload the sshd daemon:

service sshd reload

Kernel Messages Configuration (Done by the installer)

Some operating systems log iptables warnings directly to the console. Run this command to permanently disable all low level kernel messages (iptables etc) from flooding the console:

echo "kernel.printk = 4 1 1 7" > /etc/sysctl.d/juggernaut.conf

The above changes will be effective at reboot or immediately using the following command:

sysctl -p /etc/sysctl.d/juggernaut.conf

You can check the current status with the following command:

cat /proc/sys/kernel/printk

Proftpd Configuration (Done by the installer)

• You must make sure that your FTP users connect to your server using FTP passive mode (PASV).
• Passive mode is used in situations where the FTP server is not able to establish the data channel because of a firewall.
• Passive mode requires ip_conntrack and ip_conntrack_ftp iptables kernel modules to be available and fully functional.
• Passive mode will usually fail if you are using FTP over SSL/TLS.

If FTP passive mode fails you can open a small hole in your firewall to get it working. Run this command to set the passive port range:

echo "PassivePorts 30000 35000" > /etc/proftpd.d/juggernaut.conf

After making the changes, make sure to restart the xinetd service:

service xinetd restart

Add the new port range 30000:35000 to TCP_IN in /etc/csf/csf.conf:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880,30000:35000"

Restart the firewall:

csf -r
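
The sshd, kernel-message and csf.conf steps above, gathered into a few shell functions as an added example (not part of Juggernaut's installer or documentation). It assumes GNU sed as shipped on CentOS/RHEL, and each function takes the file path as an argument so it can be tried against a scratch copy before the live file.

```shell
#!/bin/sh
# Check that sshd has reverse DNS disabled, that the console log level keeps
# kernel warnings (iptables LOG lines) off the console, and add a port range
# to TCP_IN in a csf.conf-style file without duplicating it. The file path is
# always $1 so the functions can be run against a scratch copy first.

# sshd uses the FIRST uncommented value of a keyword, so report that one.
# Returns 0 when the effective setting is "UseDNS no".
sshd_usedns_disabled() {
    awk 'tolower($1) == "usedns" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# The first field of kernel.printk is the console log level. With the value
# 4 set above, only messages more urgent than KERN_WARNING (level 4) reach
# the console, which is what stops iptables warnings from flooding it.
printk_console_quiet() {
    level=$(awk '{ print $1 }' "$1")
    [ -n "$level" ] && [ "$level" -le 4 ]
}

# Print the comma-separated contents of the TCP_IN = "..." line.
csf_tcp_in_get() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1"
}

# Append a port ("22") or range ("30000:35000") to TCP_IN unless it is
# already listed. Rejects anything that is not a valid port or ascending range.
csf_add_tcp_in() {
    conf="$1"; entry="$2"
    printf '%s\n' "$entry" | grep -Eq '^[0-9]+(:[0-9]+)?$' || return 1
    lo=${entry%%:*}; hi=${entry##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    current=$(csf_tcp_in_get "$conf")
    case ",$current," in
        *",$entry,"*) return 0 ;;   # already present: nothing to change
    esac
    if [ -n "$current" ]; then new="$current,$entry"; else new="$entry"; fi
    # Only the TCP_IN line is rewritten; TCP_OUT and everything else stay as-is.
    sed -i "s|^TCP_IN *= *\"[^\"]*\"|TCP_IN = \"$new\"|" "$conf"
}
```

Source the file and call, for example, `csf_add_tcp_in /etc/csf/csf.conf 30000:35000` followed by `csf -r`; running the two check functions against /etc/ssh/sshd_config and /proc/sys/kernel/printk confirms the earlier steps took effect.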

Apache Connection Tracking (Done by the installer)

Enable the Apache mod_status module. Create the file /etc/httpd/conf.d/server-status.conf and add the following:

<IfModule mod_status.c>
ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from ::1
</Location>
</IfModule>

Restart Apache web server:

service httpd restart

You can check to see if Nginx is enabled via the command:

/usr/local/psa/admin/sbin/nginxmng -s

If the reverse proxy server (Nginx) is enabled, edit the file /etc/csf/csf.conf and change the config item PT_APACHESTATUS to the following:

PT_APACHESTATUS = "http://localhost:7080/server-status"

Restart the login failure daemon:

service lfd restart

ModSecurity Configuration (Done by the installer if modsecurity is already installed)

It is very easy to get yourself blocked by CSF while testing your modsecurity rules. Be sure to whitelist your IP in CSF by adding it to the file /etc/csf/csf.ignore. Configuring modsecurity correctly and working out any false positives will take some time.

You can install modsecurity on the command line using the Plesk installer:

plesk installer add --components modsecurity

After modsecurity is installed login to Plesk and go to Tools and Settings -> Web Application Firewall (ModSecurity) to initially configure it. If setting up modsecurity for the first time we recommend setting "Web application firewall mode" to "Detection only" so that you can work out any false positives. Remember to switch it on after your testing is done.

We recommend setting "Predefined set of values" to "Thorough" unless you have a busy server, where you might want to use "Tradeoff".

For dedicated servers with only a few domains we recommend using the OWASP ModSecurity Core Rule Set (CRS). For shared hosting servers with a lot of domains we recommend using the Atomic Basic or Atomic Subscription rulesets.

Configure the modsecurity "Custom directives" section in the "Web Application Firewall" settings page. This enables concurrent logging and sets the correct audit log storage directory:

SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit

Create the SecAuditLogStorageDir directory and make sure that your web server has write permissions to it:

mkdir -p /var/log/modsecurity/audit
chown apache:apache /var/log/modsecurity/audit

# If you have SELinux enabled, allow the web server write access to it
semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/modsecurity/audit(/.*)?"
restorecon -RF /var/log/modsecurity/audit

Restart the web service:

service httpd restart

Edit the file /etc/csf/csf.conf and change the config item MODSEC_LOG to point to the new SecAuditLog location:

MODSEC_LOG = "/var/log/modsec_audit.log"

Restart the login failure daemon:

service lfd restart