The installer will automatically handle most configuration tasks, but it is recommended that you familiarize yourself with the tasks below to enable the full functionality of Juggernaut Firewall.
To enable successful SSHD login tracking you should disable ssh reverse DNS lookups. Edit the file /etc/ssh/sshd_config and change the following:
UseDNS no
Reload the sshd daemon
service sshd reload
Some operating systems log iptables warnings directly to the console. Run this command to permanently disable all low level kernel messages (iptables etc) from flooding the console:
echo "kernel.printk = 4 1 1 7" > /etc/sysctl.d/juggernaut.conf
The above changes will be effective at reboot or immediately using the following command:
sysctl -p /etc/sysctl.d/juggernaut.conf
You can check the current status with the following command:
cat /proc/sys/kernel/printk
• You must make sure that your FTP users connect to your server using FTP passive mode (PASV).
• Passive mode is used in situations where the FTP server is not able to establish the data channel because of a firewall.
• Passive mode requires the ip_conntrack and ip_conntrack_ftp iptables kernel modules to be available and fully functional.
• Passive mode will usually fail if you are using FTP over SSL/TLS.
If FTP passive mode fails you can open a small hole in your firewall to get it working. Run this command to set the passive port range:
echo "PassivePorts 30000 35000" > /etc/proftpd.d/juggernaut.conf
After making the changes make sure to restart xinetd services:
service xinetd restart
Add the new port range 30000:35000 to TCP_IN in /etc/csf/csf.conf:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880,30000:35000"
Restart the firewall:
csf -r
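Editing TCP_IN by hand is error-prone (a duplicated or missing entry is easy to miss in a long list). The following helper is an added example, not part of Juggernaut Firewall or CSF; it appends a port range to the TCP_IN line of a csf.conf-style file only if it is not already listed, and works on any file path so it can be tried on a constructed copy before touching /etc/csf/csf.conf. The sample file contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Juggernaut Firewall docs): add an entry such
# as 30000:35000 to the TCP_IN list in a csf.conf-style file, idempotently.

# Print the current value of TCP_IN without the surrounding quotes.
csf_get_tcp_in() {
    sed -n 's/^TCP_IN = "\(.*\)"$/\1/p' "$1"
}

# Return 0 if the exact entry (port or port range) is already in TCP_IN.
csf_has_tcp_in() {
    csf_get_tcp_in "$1" | tr ',' '\n' | grep -qxF "$2"
}

# Append an entry to TCP_IN unless it is already listed.
csf_add_tcp_in() {
    file=$1; entry=$2
    if csf_has_tcp_in "$file" "$entry"; then
        return 0                      # already present: nothing to do
    fi
    current=$(csf_get_tcp_in "$file")
    if [ -z "$current" ]; then
        new=$entry
    else
        new="$current,$entry"
    fi
    # Rewrite only the TCP_IN line; every other line is copied unchanged.
    # Writing through a temp file and cat keeps the owner and mode of $file.
    tmp=$(mktemp)
    sed "s|^TCP_IN = \".*\"\$|TCP_IN = \"$new\"|" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample csf.conf fragment (assumption: mirrors the TCP_IN list
# shown in the docs before the passive range is added).
make_sample_conf() {
    cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
}

# Demonstration on a temporary copy; for real use pass /etc/csf/csf.conf
# and then run "csf -r" as described above.
demo=$(mktemp)
make_sample_conf "$demo"
csf_add_tcp_in "$demo" 30000:35000
csf_add_tcp_in "$demo" 30000:35000    # second call is a no-op
grep '^TCP_IN' "$demo"
rm -f "$demo"
```

Run the functions against /etc/csf/csf.conf only after checking the result on a copy, and remember that CSF applies the new list only after `csf -r`.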
Enable the Apache mod_status module. Create the file /etc/httpd/conf.d/server-status.conf and add the following:
<IfModule mod_status.c>
ExtendedStatus on
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
</Location>
</IfModule>
Restart Apache web server:
service httpd restart
You can check to see if Nginx is enabled via the command:
/usr/local/psa/admin/sbin/nginxmng -s
If the reverse proxy server (Nginx) service is enabled then edit the file /etc/csf/csf.conf and change the config item PT_APACHESTATUS to the following:
PT_APACHESTATUS = "http://localhost:7080/server-status"
Restart the login failure daemon:
service lfd restart
It is very easy to get yourself blocked by CSF while testing your modsecurity rules. Be sure to whitelist your IP in CSF by adding it to the file /etc/csf/csf.ignore. Configuring modsecurity correctly and working out any false positives will take some time.
You can install modsecurity on the command line using the Plesk installer:
plesk installer add --components modsecurity
After modsecurity is installed, log in to Plesk and go to Tools and Settings -> Web Application Firewall (ModSecurity) to initially configure it.
If setting up modsecurity for the first time we recommend setting "Web application firewall mode" to "Detection only" so that you can work out any false positives.
Remember to switch it on after your testing is done.
We recommend setting "Predefined set of values" to "Thorough" unless you have a busy server, where you might want to use "Tradeoff".
For dedicated servers with only a few domains we recommend using the OWASP ModSecurity Core Rule Set (CRS). For shared hosting servers with a lot of domains we recommend using the Atomic Basic or Atomic Subscription rulesets.
Configure modsecurity "Custom directives" section in the "Web Application Firewall" settings page. This will enable concurrent logging and set the correct audit log storage directory:
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit
Create the SecAuditLogStorageDir directory and make sure that your web server has write permissions to it:
mkdir -p /var/log/modsecurity/audit
chown apache:apache /var/log/modsecurity/audit
# If you have SELinux enabled, allow the web server write access to the directory
semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/modsecurity/audit(/.*)?"
restorecon -RF /var/log/modsecurity/audit
Restart the web service
service httpd restart
Edit the file /etc/csf/csf.conf and change the config item MODSEC_LOG to point to the new SecAuditLog location:
MODSEC_LOG = "/var/log/modsec_audit.log"
Restart the login failure daemon:
service lfd restart
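The UseDNS, PT_APACHESTATUS and MODSEC_LOG steps above each change a single directive in a configuration file. The helper below is an added example, not part of Juggernaut Firewall, CSF or OpenSSH; it replaces the first existing line for a directive (active or commented out with a leading #) so that a file never ends up with two conflicting settings, and appends the line when the directive is absent. It handles both the "KEY VALUE" style of sshd_config and the KEY = "VALUE" style of csf.conf. The sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Juggernaut Firewall docs): idempotently set
# one directive in an sshd_config-style ("KEY VALUE") or csf.conf-style
# (KEY = "VALUE") file.

# set_directive FILE KEY LINE
#   FILE : config file to edit
#   KEY  : directive name expected at the start of a line
#   LINE : complete replacement line, e.g. 'UseDNS no'
set_directive() {
    file=$1; key=$2; line=$3
    tmp=$(mktemp)
    # The key may be preceded by '#' and spaces (a commented default) and must
    # be followed by whitespace or '=' so UseDNS does not match UseDNSFoo.
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$file"; then
        awk -v key="$key" -v line="$line" '
            $0 ~ "^[[:space:]]*#?[[:space:]]*" key "([[:space:]]|=)" {
                if (!done) { print line; done = 1 }   # replace first match
                next                                   # drop any later duplicates
            }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        # Make sure the appended line starts on its own line.
        [ -n "$(tail -c1 "$file")" ] && echo >> "$tmp"
        printf '%s\n' "$line" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # cat rather than mv keeps the owner and mode
    rm -f "$tmp"
}

# get_directive FILE KEY : print the active (uncommented) line for KEY.
get_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|=)" "$1"
}

# Demonstration on constructed copies (assumed contents, not real system files).
sshd_demo=$(mktemp)
printf '%s\n' 'Port 22' '#UseDNS yes' 'PermitRootLogin no' > "$sshd_demo"
set_directive "$sshd_demo" UseDNS 'UseDNS no'
get_directive "$sshd_demo" UseDNS

csf_demo=$(mktemp)
printf '%s\n' 'PT_APACHESTATUS = "http://127.0.0.1/server-status"' \
              'MODSEC_LOG = "/var/log/httpd/modsec_audit.log"' > "$csf_demo"
set_directive "$csf_demo" PT_APACHESTATUS 'PT_APACHESTATUS = "http://localhost:7080/server-status"'
set_directive "$csf_demo" MODSEC_LOG 'MODSEC_LOG = "/var/log/modsec_audit.log"'
get_directive "$csf_demo" PT_APACHESTATUS
get_directive "$csf_demo" MODSEC_LOG
rm -f "$sshd_demo" "$csf_demo"
```

After editing the real files, confirm what the daemon actually sees rather than what the file says: `sshd -T | grep -i usedns` prints the effective value for sshd (directives inside a Match block apply only conditionally, and the helper does not know about Match blocks), and `service lfd restart` is still needed for CSF to pick up PT_APACHESTATUS and MODSEC_LOG.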