
Guide to installing a firewall on a VPS with MultiCS

obelix699
GF Prata, inactive member. Joined May 1, 2007. Messages: 391. Likes received: 0.
This manual is not my own work; I just found it on the net and decided to share it with you. I think it may be useful.

I haven't tested it yet, but I will test it this weekend.

Further to my fool-proof guide to installing MultiCs, today I would like to share some useful tips on how to install a firewall on your VPS server, so as to secure the data.

First of all, you may wonder: why do I need to install a firewall on my VPS with MultiCS if everything is working fine?

Well, for a simple reason: running a VPS without a firewall is very much like leaving the front door of your house open and hoping that no passing thief will walk in and take your valuables. A firewall tells your system who may connect and on which ports, and seals every other door rather than leaving them all open.

So, to install a firewall, we need a little practice working from the Linux shell, but if you have installed MultiCS and it's up and running, that should not be a problem at all. Are you ready? Let's proceed.

1) First of all, you need to know exactly which ports your server is using, and I mean the whole server, not just MultiCS. Open a text file on your PC and list every port. Rather than relying on memory, check what is actually listening (netstat or ss will show it, together with the address each socket is bound to). If the server also runs other services such as MySQL or mail that must be reachable from outside, their ports have to go on the list too, otherwise those services will stop working the moment the firewall is up. A service bound only to the loopback address (127.0.0.1) is not reachable from outside and does not need a port opened.

In this guide I will assume, for simplicity, that our VPS is running just MultiCS, on the following standard ports (you will of course need to adapt this to your own case).

SSH PORT: 22 (TCP)
HTTP SERVER: port 5500 (TCP)
CACHE: port 4444 (UDP)
CCCAM SERVER 1: port 18000 (TCP)
CCCAM SERVER 2: port 19000 (TCP)
MGCAMD SERVER: port 23000 (TCP)
PROFILES: port range 10000-10049 (TCP), assuming we use 50 profiles; use more or fewer ports as appropriate.

2) Now it's time to download and install the firewall. I strongly recommend APF (Advanced Policy Firewall) from R-fx Networks (rfxn.com), a free product. So, let's start. Enter these commands in the shell one after the other:

wget http://www.rfxn.com/downloads/apf-current.tar.gz
this downloads the firewall install package.
tar xzvf apf-current.tar.gz
this extracts the files into a subfolder of the directory you are in (this guide works from /tempinstall).
cd apf-9.7-2/
let's move into the newly extracted subfolder (the version number in the folder name will differ if a newer release has been published).
sh install.sh
This command installs the firewall. The installer may print errors that do not apply to your system; before ignoring them, check that the install actually succeeded, i.e. that /etc/apf/conf.apf exists and the apf command is found.

3) Now we need to know the name the system has given to the VPS's network interface. On OpenVZ/Virtuozzo containers it is usually "venet0" (virtual ethernet); on other kinds of virtualisation it is often "eth0". To find out, we run:

ifconfig
(on a system without ifconfig, "ip addr" shows the same information). In my case, the server responds as follows:

root@multics:/tempinstall/apf-9.7-2# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:10563 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10563 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:834216 (834.2 KB) TX bytes:834216 (834.2 KB)

venet0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
          RX packets:69474385 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57196192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4462380474 (4.4 GB) TX bytes:3554140007 (3.5 GB)

venet0:0  Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:37.59.199.214 P-t-P:37.59.199.214 Bcast:37.59.199.214 Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

As you can see, the VPS's network interface is indeed called "venet0" by the system; the public address sits on the "venet0:0" alias, which iptables (and therefore APF) treats as part of venet0. We will need this bit of information for our configuration.


4) Now it's time to configure the firewall and include our ports. Everything is done by editing the following file with the nano editor:

nano /etc/apf/conf.apf

We now need to add our ports, so we scroll down until we see this line:

# Common inbound (ingress) TCP ports

IG_TCP_CPORTS="22"

We need to change it, in our case, as follows (APF writes a port range as low_high, so 10000_10049 covers all fifty profile ports):

IG_TCP_CPORTS="22,5500,10000_10049,18000,19000,23000"

Then, we need to scroll down to this line here:


# Common inbound (ingress) UDP ports

IG_UDP_CPORTS=""

We need to change it and add our cache port like this:

IG_UDP_CPORTS="4444"

Now we add the interface name we found at point 3), by also editing the two lines below:

IFACE_IN="venet0"
IFACE_OUT="venet0"

Because a VPS container runs on the host's shared, monolithic kernel and has no loadable iptables modules of its own (this is how OpenVZ works), we also set this line:

SET_MONOKERN="1"

The last switch is DEVEL_MODE. While it is "1", APF runs in test mode: a cron job flushes the rules every five minutes, so a mistake (such as forgetting the SSH port) cannot lock you out for good. Do not be in a hurry to switch it off: leave it at "1" for the first start, confirm from a second SSH session that you can still log in and that MultiCS clients still connect, and only then set it to "0" and restart APF. The firewall only becomes permanent once this line reads:

DEVEL_MODE="0"

Save the file with the nano key combination CTRL + X, answer Y when asked whether to save the changes, and press Enter to confirm the file name.

Now let's clean up the temporary folder. Be careful with the second command: rm -Rf apf* deletes everything in the current directory whose name starts with "apf", so make sure you are back in the download directory (/tempinstall in this guide) and not somewhere else:

cd ../
rm -Rf apf*
5) Finally, it's time to start our firewall (apf -r restarts APF, which loads the new configuration):

apf -r

APF loads the rules we entered and reports that the firewall is operational.

Test that MultiCS still works as before (clients can connect, the cache port answers) and, before closing your current shell, that you can open a new SSH session.
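As an added worked example (not part of the original guide, and not code from the APF project), the script below automates steps 1, 4 and the DEVEL_MODE hand-over of step 5: it builds the IG_TCP_CPORTS and IG_UDP_CPORTS values from a socket listing instead of from memory, collapsing consecutive ports into APF's low_high syntax and skipping loopback-only listeners, writes the edits into a conf file, and only sets DEVEL_MODE to "0" once the SSH port is confirmed to be in the allow-list. The socket listing and the conf fragment are constructed samples; the function names, the temp-file handling and the use of ss -Hltnu as the live input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide or the APF project: derive the APF
# port allow-list from the sockets a VPS actually listens on, apply it to a
# conf.apf-style file, and lift DEVEL_MODE only once the SSH port is allowed.
# The listing and conf fragment below are constructed samples; on a real box feed
# `ss -Hltnu` (or `netstat -tuln`) into apf_port_list and pass /etc/apf/conf.apf.

# Constructed sample in the column layout of `ss -Hltnu`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port. It includes a MySQL listener
# bound only to loopback, which must NOT end up in the allow-list.
SAMPLE_SS='tcp   LISTEN   0   128   0.0.0.0:22        0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:5500      0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:10000     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:10001     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:10002     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:18000     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:19000     0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:23000     0.0.0.0:*
tcp   LISTEN   0   80    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN   0   128   [::]:22           [::]:*
udp   UNCONN   0   0     0.0.0.0:4444      0.0.0.0:*'

# Constructed fragment with the conf.apf lines this guide edits, at shipped defaults.
SAMPLE_CONF='# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS=""
IFACE_IN="eth0"
IFACE_OUT="eth0"
SET_MONOKERN="0"
DEVEL_MODE="1"'

# Collapse port numbers (one per line on stdin) into APF syntax: runs of
# consecutive ports become low_high, everything else is listed singly.
apf_ranges() {
    sort -n -u | awk '
        function flush() {
            if (start == "") return
            out = out (out == "" ? "" : ",") (start == prev ? start : start "_" prev)
        }
        NR == 1        { start = prev = $1; next }
        $1 == prev + 1 { prev = $1; next }
                       { flush(); start = prev = $1 }
        END            { flush(); print out }'
}

# Ports a protocol (tcp|udp) listens on, from ss-style lines on stdin (field 1 =
# proto, field 5 = local address:port). Loopback-only sockets are skipped: nothing
# outside can reach them, so they need no hole in the firewall.
apf_port_list() {
    awk -v p="$1" '
        $1 != p                              { next }
        $5 ~ /^127\./ || $5 ~ /^\[::1\]/     { next }
        { n = split($5, a, ":"); print a[n] }' | apf_ranges
}

# Print the value of KEY="value" in an APF conf file. Args: conf path, key.
apf_conf_value() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1"
}

# Apply this guide's edits (rewrite via temp file, so re-running is harmless).
# Args: conf path, TCP list, UDP list, interface. DEVEL_MODE is deliberately left
# at 1: the rules keep being flushed by cron until apf_finalize lifts it.
apf_apply_conf() {
    sed -e "s|^IG_TCP_CPORTS=.*|IG_TCP_CPORTS=\"$2\"|" \
        -e "s|^IG_UDP_CPORTS=.*|IG_UDP_CPORTS=\"$3\"|" \
        -e "s|^IFACE_IN=.*|IFACE_IN=\"$4\"|" \
        -e "s|^IFACE_OUT=.*|IFACE_OUT=\"$4\"|" \
        -e 's|^SET_MONOKERN=.*|SET_MONOKERN="1"|' \
        -e 's|^DEVEL_MODE=.*|DEVEL_MODE="1"|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 if a TCP port is covered by IG_TCP_CPORTS, listed singly or inside a low_high range.
apf_port_allowed() {
    apf_conf_value "$1" IG_TCP_CPORTS | tr ',' '\n' | awk -F_ -v p="$2" '
        NF == 2 && (p + 0) >= ($1 + 0) && (p + 0) <= ($2 + 0) { ok = 1 }
        NF == 1 && ($1 + 0) == (p + 0)                        { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# The lock-out guard: set DEVEL_MODE="0" only if the SSH port is in the allow-list.
apf_finalize() {
    apf_port_allowed "$1" "$2" || { echo "refusing: SSH port $2 is not in IG_TCP_CPORTS" >&2; return 1; }
    sed 's|^DEVEL_MODE=.*|DEVEL_MODE="0"|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on the constructed data: prints the resulting conf lines, with test mode lifted for SSH on 22.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
TCP_LIST=$(printf '%s\n' "$SAMPLE_SS" | apf_port_list tcp)   # 22,5500,10000_10002,18000,19000,23000
UDP_LIST=$(printf '%s\n' "$SAMPLE_SS" | apf_port_list udp)   # 4444
apf_apply_conf "$demo_conf" "$TCP_LIST" "$UDP_LIST" venet0
apf_finalize "$demo_conf" 22 && grep -E '^(IG_|IFACE_|SET_MONOKERN|DEVEL_MODE)' "$demo_conf"
rm -f "$demo_conf"
```

On a real VPS the flow is: ss -Hltnu | apf_port_list tcp (and udp) to get the lists, apf_apply_conf against /etc/apf/conf.apf, apf -r, a fresh SSH login to prove you are not locked out, then apf_finalize followed by another apf -r. The example also makes explicit something the guide glosses over: a service listening only on 127.0.0.1 (MySQL in the sample) is unreachable from the network and is left out of the allow-list rather than opened "just in case".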

OPTIONAL:

If you want to whitelist or blacklist IP addresses, or to learn the syntax of the other useful APF commands, type "apf" with no arguments for the list of accepted options.