Difference between revisions of "Managing Linux VPS Firewall Alerts"

From Hostek.com Wiki
Latest revision as of 19:18, 28 November 2012

Managing Linux VPS Firewall Alerts

lfd on VPS server: Excessive resource usage alerts

On a Linux VPS with cPanel you may receive alerts along the lines of the following:
Time: <some specific time>
Account: <Your cPanel user account>
Resource: Virtual Memory Size
Exceeded: 218 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/your_site/public_html/index.php
PID: <some_number>
Killed: No

This alert is an informational message. How you deal with these alerts is a matter of personal preference and the needs of your organization.

There is a daemon on your VPS, the lfd daemon, that monitors processes; if a process' memory usage exceeds a defined threshold (200 MB in the example above), it sends an alert. That is all that is happening here. The server has no way of knowing whether this is expected behavior or not, so it just sends an alert so the owner can decide whether to investigate.

So, if the threshold is set to 200 MB and a script or process uses more than 200 MB memory, you will get an alert containing the name of the script, the time it occurred, and the amount of memory that it is consuming.

Here are some options you may want to consider for how to deal with these. This is not an exhaustive list but should give a good starting point:

The first option is to do nothing. When you get the alerts, glance at them and see what script or process is triggering the alert. If your VPS is running particularly sluggish and you are getting alerts about a PHP script consuming large amounts of RAM, you can consider killing the script to return the server to normal responsiveness. Likewise, if you write some script and start getting alerts about the amount of RAM it is consuming, that might be a heads up to you that your script has problems.

The second option is to increase the memory threshold for the alerts from 200 MB to, say, 300 MB. That will allow scripts and processes to consume more RAM before they trigger the alert. If you want to increase it much higher than 300 MB, then you might be better off just turning this feature off altogether (see the next option).

The third option is to turn off this feature entirely. If you are not interested in knowing when a process exceeds a defined threshold, then there is no need to get the alert and it can be turned off.

To change the threshold that LFD alerts on:

  1. Log into WHM of your VPS at https://<your VPS IP address>:2087 with the root account.
  2. Go to ConfigServer Security & Firewall --> Firewall Configuration
  3. Change the value for PT_USERMEM to the threshold you want to report on.

To turn off this feature, set the PT_USERMEM parameter to 0.

There are other options, but they are only recommended for advanced users. For more details, read the ConfigServer Security & Firewall (CSF) readme at http://www.configserver.com/free/csf/readme.txt

lfd on Linux VPS: Script Alert

On a Linux VPS with cPanel you may receive alerts notifying you of scripts sending a large amount of emails. The alert will be similar to the following:
Time:  Wed Nov 01 04:08:52 2012 -0600
Path:  /home/cpaneluser/public_html/subdirectory
Count: 101 emails sent

Sample of the first 10 emails:

2012-11-28 09:07:05 1TdjE9-0003tL-4a <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail@domain.com
2012-11-28 09:07:06 1TdjEA-0003ta-5H <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail2@domain.com
2012-11-28 09:07:07 1TdjEB-0003ti-60 <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail3@domain.com
2012-11-28 09:07:08 1TdjEC-0003uE-6k <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail4@domain.com
2012-11-28 09:07:09 1TdjED-0003uP-7L <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail5@domain.com
2012-11-28 09:07:10 1TdjEE-0003uX-86 <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail6@domain.com

Possible Scripts:

/home/cpaneluser/public_html/subdirectory/script.php

This alert is informing you that a script on one of your server's sites is sending a lot of mail. You can ignore the alert if you recognize the script at the bottom of the alert, and you know it is used to send mail to an Opt-In mailing list.

In some cases though, the script will be a spam script that was uploaded to a site via a compromised upload form. You'll want to take immediate action if you do not recognize the script, and the subject line of the message looks suspicious. In this case, do the following:

  1. Navigate to the directory on your server and remove the script and any other scripts that were uploaded by the spammer.
  2. If you are running WordPress, Joomla, or any other 3rd-party software you will need to update it (and any templates/themes) ASAP.
  3. If you are not running 3rd-party software, make sure any upload forms are password protected, and make sure any forms on the site properly sanitize input.
  4. For good measure, you'll want to reset the cPanel user's password and any of its FTP accounts' passwords to very strong passwords. You can use our Password Generator (https://hostek.com/password/) to create a strong password.
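As an added illustration (not Hostek's or lfd's own code), the following parses a Script Alert in the format shown above and applies the rule from the text: a mailing script you do not recognise calls for action. The sample alert is constructed from the example above, and `known_mailers` is an assumed allowlist of script paths you know send only to opt-in lists.

```python
import re

# Constructed sample, modelled on the lfd Script Alert shown in the text above.
SAMPLE_ALERT = """\
Time:  Wed Nov 01 04:08:52 2012 -0600
Path:  /home/cpaneluser/public_html/subdirectory
Count: 101 emails sent

Sample of the first 10 emails:

2012-11-28 09:07:05 1TdjE9-0003tL-4a <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail@domain.com
2012-11-28 09:07:06 1TdjEA-0003ta-5H <= user@myserver.com U=adp P=local S=10381 T="Email subject" for destinationemail2@domain.com

Possible Scripts:

/home/cpaneluser/public_html/subdirectory/script.php
"""

# One exim log line as lfd quotes it: date time msg-id <= sender U=user P=proto S=size T="subject" for rcpt
LOG_RE = re.compile(
    r'^(?P<when>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) U=(?P<user>\S+) '
    r'P=(?P<proto>\S+) S=(?P<size>\d+) T="(?P<subject>.*)" for (?P<rcpt>\S+)$')

def parse_alert(text):
    """Split the alert into its path, count, sampled messages and suspected scripts."""
    alert = {"path": None, "count": 0, "messages": [], "scripts": []}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Path:"):
            alert["path"] = line.split(":", 1)[1].strip()
        elif line.startswith("Count:"):
            alert["count"] = int(line.split()[1])
        elif line.startswith("Sample of"):
            section = "messages"
        elif line.startswith("Possible Scripts"):
            section = "scripts"
        elif section == "messages" and (m := LOG_RE.match(line)):
            alert["messages"].append(m.groupdict() | {"size": int(m["size"])})
        elif section == "scripts":
            alert["scripts"].append(line)
    return alert

def triage(alert, known_mailers):
    """Rule from the text: an unrecognised script (not in the assumed allowlist) needs action now."""
    unknown = [s for s in alert["scripts"] if s not in known_mailers]
    return {"action_required": bool(unknown), "unknown_scripts": unknown,
            "emails": alert["count"],
            "subjects": sorted({m["subject"] for m in alert["messages"]})}
```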