The installer will automatically handle most configuration tasks, but it is recommended that you familiarize yourself with the tasks below to enable the full functionality of Juggernaut Firewall.
To enable successful SSHD login tracking you should disable SSH reverse DNS lookups. Edit the file /etc/ssh/sshd_config and change the following:
UseDNS no
Reload the sshd daemon:
service sshd reload
Some operating systems log iptables warnings directly to the console. Run this command to permanently stop low-level kernel messages (iptables logging etc.) from flooding the console:
echo "kernel.printk = 4 1 1 7" > /etc/sysctl.d/juggernaut.conf
The change takes effect at the next reboot, or immediately with the following command:
sysctl -p /etc/sysctl.d/juggernaut.conf
You can check the current status with the following command:
cat /proc/sys/kernel/printk
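The four numbers printed by that command are console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel. As an added check (example script, not part of the Juggernaut Firewall documentation), the following POSIX shell functions read those fields and report whether warning-level messages, the level iptables LOG rules use by default, are already kept off the console. The function names are my own, and the optional file argument lets the functions run against a saved copy as well as the live /proc file.

```shell
#!/bin/sh
# Added example, not from the Juggernaut Firewall docs. /proc/sys/kernel/printk
# holds four numbers: console_loglevel, default_message_loglevel,
# minimum_console_loglevel and default_console_loglevel. A message reaches the
# console only if its level is numerically lower than console_loglevel, and
# iptables LOG rules default to level 4 (warning), so "kernel.printk = 4 1 1 7"
# keeps them off the console while errors (level 3 and below) still show.

PRINTK_FILE="${PRINTK_FILE:-/proc/sys/kernel/printk}"
IPTABLES_LOG_LEVEL=4   # default --log-level of the iptables LOG target

# printk_field N [FILE]: print field N (1-4) of the printk setting.
printk_field() {
    awk -v n="$1" 'NR == 1 { print $n }' "${2:-$PRINTK_FILE}"
}

# console_loglevel [FILE]: print the current console log level.
console_loglevel() {
    printk_field 1 "${1:-$PRINTK_FILE}"
}

# console_quiet_for_iptables [FILE]: return 0 when warning-level messages are
# kept off the console, 1 otherwise (including an unreadable or empty file).
console_quiet_for_iptables() {
    level=$(console_loglevel "${1:-$PRINTK_FILE}" 2>/dev/null)
    [ -n "$level" ] && [ "$level" -le "$IPTABLES_LOG_LEVEL" ]
}

# printk_report [FILE]: show the four fields with their names and the verdict.
printk_report() {
    f=${1:-$PRINTK_FILE}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    echo "console_loglevel         = $(printk_field 1 "$f")"
    echo "default_message_loglevel = $(printk_field 2 "$f")"
    echo "minimum_console_loglevel = $(printk_field 3 "$f")"
    echo "default_console_loglevel = $(printk_field 4 "$f")"
    if console_quiet_for_iptables "$f"; then
        echo "iptables warnings are kept off the console"
    else
        echo "iptables warnings will reach the console; apply kernel.printk = 4 1 1 7"
    fi
}

# Stand-alone use: report on the live setting when it is readable.
if [ -r "$PRINTK_FILE" ]; then
    printk_report "$PRINTK_FILE"
fi
```

Run it after applying the sysctl file above; a console_loglevel of 4 or lower means the iptables warnings are silenced on the console while still reaching the kernel ring buffer and syslog, which is what lfd reads.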
• You must make sure that your FTP users connect to your server using FTP passive mode (PASV).
• Passive mode is used in situations where the FTP server is not able to establish the data channel because of a firewall.
• Passive mode requires the ip_conntrack and ip_conntrack_ftp iptables kernel modules to be available and fully functional.
• Passive mode will usually fail if you are using FTP over SSL/TLS.
If FTP passive mode fails you can open a small hole in your firewall to get it working. Run this command to set the passive port range:
echo "PassivePorts 30000 35000" > /etc/proftpd.d/juggernaut.conf
After making the change, restart xinetd (Plesk runs ProFTPD through xinetd):
service xinetd restart
Add the new port range 30000:35000 to TCP_IN in /etc/csf/csf.conf:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880,30000:35000"
Restart the firewall:
csf -r
Enable the Apache mod_status module:
a2enmod status
View / edit the file /etc/apache2/mods-enabled/status.conf. It should look like the example below, allowing local connections only.
Apache 2.4 Example:
<IfModule mod_status.c>
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
    <Location /server-status>
        SetHandler server-status
        Require local
        #Require ip 192.0.2.0/24
    </Location>

    # Keep track of extended status information for each request
    ExtendedStatus On

    # Determine if mod_status displays the first 63 characters of a request or
    # the last 63, assuming the request itself is greater than 63 chars.
    # Default: Off
    #SeeRequestTail On

    <IfModule mod_proxy.c>
        # Show Proxy LoadBalancer status in mod_status
        ProxyStatus On
    </IfModule>
</IfModule>
Apache 2.2 Example:
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost ip6-localhost
</Location>
Restart Apache web server:
service apache2 restart
Test with Lynx (you should be able to connect and see the Apache status information):
apt-get install lynx
# If your server has nginx enabled (Plesk default)
lynx http://localhost:7080/server-status
# If your server has nginx disabled
lynx http://localhost/server-status
You can check whether Nginx is enabled with the command:
/usr/local/psa/admin/sbin/nginxmng -s
If the reverse proxy server (Nginx) is enabled, edit the file /etc/csf/csf.conf and change the config item PT_APACHESTATUS to the following:
PT_APACHESTATUS = "http://localhost:7080/server-status"
Restart the login failure daemon:
service lfd restart
It is very easy to get yourself blocked by CSF while testing your modsecurity rules. Be sure to whitelist your IP in CSF by adding it to the file /etc/csf/csf.ignore. Configuring modsecurity correctly and working out any false positives will take some time.
You can install modsecurity on the command line using the Plesk installer:
plesk installer add --components modsecurity
After modsecurity is installed, log in to Plesk and go to Tools and Settings -> Web Application Firewall (ModSecurity) to initially configure it.
If you are setting up modsecurity for the first time, we recommend setting "Web application firewall mode" to "Detection only" so that you can work out any false positives.
Remember to switch it on after your testing is done.
We recommend setting "Predefined set of values" to "Thorough" unless you have a busy server, where you might want to use "Tradeoff".
For dedicated servers with only a few domains we recommend using the OWASP ModSecurity Core Rule Set (CRS). For shared hosting servers with a lot of domains we recommend using the Atomic Basic or Atomic Subscription rulesets.
Add the following to the "Custom directives" section of the "Web Application Firewall" settings page. This enables concurrent logging and sets the audit log storage directory:
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit
Create the SecAuditLogStorageDir directory and make sure that your web server user has write permission to it:
mkdir -p /var/log/modsecurity/audit
chown www-data:www-data /var/log/modsecurity/audit
Restart the web service:
service apache2 restart
Edit the file /etc/csf/csf.conf and change the config item MODSEC_LOG to point to the SecAuditLog file (with concurrent logging this file is the index; the per-request entries are written under SecAuditLogStorageDir):
MODSEC_LOG = "/var/log/modsec_audit.log"
Restart the login failure daemon:
service lfd restart
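This page edits /etc/csf/csf.conf three times by hand: appending 30000:35000 to TCP_IN for FTP passive mode, setting PT_APACHESTATUS when Nginx is enabled, and setting MODSEC_LOG for the ModSecurity audit log. As an added example (my own script, not part of Juggernaut Firewall or CSF), the POSIX shell functions below make those edits idempotently: a value is only replaced on a key that already exists, and a port range is only appended if it is not already listed, so re-running the script after an upgrade does not duplicate entries. The function names and the sample csf.conf fragment are constructed for the demonstration; the functions default to the real /etc/csf/csf.conf but take an explicit file argument, and the demo at the bottom runs against a throwaway copy.

```shell
#!/bin/sh
# Added example (not part of the Juggernaut Firewall or CSF documentation):
# idempotent edits to CSF's csf.conf for the three settings this page changes
# (TCP_IN, PT_APACHESTATUS, MODSEC_LOG). Every function takes an optional
# file argument so it can be exercised on a copy before touching the real file.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_get KEY [FILE]: print the value of a KEY = "..." line without the quotes.
csf_get() {
    sed -n "s/^$1 *= *\"\(.*\)\".*/\1/p" "${2:-$CSF_CONF}"
}

# csf_set KEY VALUE [FILE]: replace the value of an existing KEY line.
# Returns 1 when KEY is absent, so a typo cannot silently add a setting
# that csf will never read.
csf_set() {
    key=$1; value=$2; file=${3:-$CSF_CONF}
    grep -q "^$key *=" "$file" || {
        echo "csf_set: $key not found in $file" >&2
        return 1
    }
    sed -i "s|^$key *=.*|$key = \"$value\"|" "$file"
}

# csf_add_tcp_in RANGE [FILE]: append a port or port range such as 30000:35000
# to TCP_IN unless it is already listed (running twice is harmless).
csf_add_tcp_in() {
    range=$1; file=${2:-$CSF_CONF}
    current=$(csf_get TCP_IN "$file")
    case ",$current," in
        *",$range,"*) return 0 ;;   # already present, nothing to do
    esac
    if [ -n "$current" ]; then
        csf_set TCP_IN "$current,$range" "$file"
    else
        csf_set TCP_IN "$range" "$file"
    fi
}

# csf_sample_conf FILE: write a constructed fragment of csf.conf carrying the
# starting values shown on this page. Demonstration data only.
csf_sample_conf() {
    cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443,8447,8880"

# Apache mod_status URL used by process tracking
PT_APACHESTATUS = "http://127.0.0.1/server-status"

# ModSecurity audit log watched by lfd
MODSEC_LOG = "/var/log/modsec_audit.log"
EOF
}

# Demo on a throwaway copy. On a real server you would omit the file argument
# and follow up with "csf -r" and "service lfd restart" as this page describes.
demo=$(mktemp)
csf_sample_conf "$demo"
csf_add_tcp_in 30000:35000 "$demo"
csf_set PT_APACHESTATUS "http://localhost:7080/server-status" "$demo"
csf_set MODSEC_LOG "/var/log/modsec_audit.log" "$demo"
grep -E '^(TCP_IN|PT_APACHESTATUS|MODSEC_LOG) ' "$demo"
rm -f "$demo"
```

The sed replacement uses `|` as its delimiter so that the URL and path values, which contain `/`, need no escaping; a value containing `|`, `&` or `\` would still need escaping before being passed to csf_set.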