I recently had a client that, because of constant security breaches, wanted me to block ftp access from everyone except his home country where all of his clients were located.
Wait a minute… did you say…
access… from everyone???
except your own country????
That fact was slow to dawn on me as the implications of this request slowly began to sink in. This basically meant blocking out the whoooooooole wiiiiiiiiiiiiiiiiide wooooooooooooorld except his home country. Nice huh?
I do understand his dilemma because the ftp scanners were hitting him pretty hard and compromising his clients accounts left and right because of insecure ftp passwords. He decided to try and disable ftp access and it was up to me to figure out how to do it.
I found using csf/lfd and adding the ip cidr notated list from Country IP Blocks to the
vim /etc/csf/csf.allow
file and then editing the
vim /etc/csf/csf.conf
and removing the port 21 entry from line 40 (default line location) will effectively shut down port 21 (ftp access) except for the IP ranges listed in the csf.allow file, all of which are listed for his own country!
You will also want to change the testing value in the csf.conf file (first entry) from 1 to 0 to enable the firewall. You will then be able to access the interface through WHM to make further configuration changes as needed.
To install csf/lfd simply run the following commands in order;
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
perl /etc/csf/csftest.pl
sh remove_apf_bfd.sh
This will install csf and uninstall apf
If you are using a VPS, please take note; adding 1000 lines to your csf.allow list may cause an error similar to this:
Error: The VPS iptables rule limit (numiptent) is too low (503/512) – stopping firewall to prevent iptables blocking all connections, at line 1294
You will need to modify this value in order to affect this change on the parent of your vps. To make the needed change, you will need to increase the “NUMIPTENT” value in the VPS configuration file which is located at /etc/sysconfig/vz-scripts/ directory and then reboot the instance for the changes to take effect.
