DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0
ProWebUK
11-27-2003, 09:07 PM
KISS Version: 2
DA Specific version: 1
Release: 2
Over the past few weeks I have mentioned a firewall specific for use with DirectAdmin. If you have looked at the recent posts in the DA server checklist, you will have realised the Kiss link was recently updated to v2.0.
I have modified the firewall to provide a simple but very effective method for basic security on your server. I advise all who run DirectAdmin on RedHat to use this, or another firewall; if you know IPTables then that would also be fine.
IF YOU CURRENTLY HAVE A FIREWALL INSTALLED EITHER REMOVE IT FIRSTLY OR DO NOT INSTALL THIS FIREWALL
Installation does not get any simpler:
Moderator's Note:
The location below is no longer valid.
Try these locations:
The original one can be found here (http://www.geocities.com/steve93138/).
My modified version, modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here (http://www.nobaloney.net/downloads/kiss/).
# cd /usr/bin
# wget http://optimum-servers.com/downloads/DirectAdmin/kiss2-1.2.tar.gz
# tar -zxvf kiss2-1.2.tar.gz
# rm -f kiss2-1.2.tar.gz
To configure any settings use the top section of the KISS file:
# pico -w kiss
Run the following commands *anywhere*:
To start KISS
kiss start
To stop KISS
kiss stop
To Restart
kiss restart
To check current status
kiss status
If you make any changes ensure you restart it for the changes to take effect.
Once it is installed I suggest you double check websites, DirectAdmin, MySQL and also log into SSH in another window to ensure that you are not locked out.
Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local
/usr/bin/kiss start
Any questions, problems or suggestions feel free to post here :)
FarCry
11-27-2003, 09:17 PM
nice, can you come on msn??
FarCry
11-27-2003, 10:08 PM
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)
You need these ports open for TCP_OUT:
ICQ Messengers: 4000
YAHOO Messengers: 5010
AIM Messengers: 5190
If you use MRTG or RRDTool to graph router info, you will need to open SNMP (port 161).
Run game servers?
{HL/CS/DOD/TFC/NS/etc}
Client: 27010
Game: 27015 (if you run more than 1 per IP, you might want 27016 27017 etc open)
{BF1942}
Game: 14567
GameSpy Query: 23000
ASE Query: 14690
{SOF2}
Game: 20100
{QUAKE 3}
Game: 27961
{UT/UT2003}
Game: 7777
Query: 7778
{Jedi Knight 2}
Game: 28070
You can find other games at my page here: http://www.playergraph.com/gamesupport
ProWebUK
11-27-2003, 10:14 PM
If you are unsure what a port is or need additional ports you can also check the following link:
http://forum.rackshack.net/showthread.php?s=&threadid=18618
Chris
synergy
11-29-2003, 08:14 PM
The original geocities script start fine for me. However the DA modified script keeps giving me an error when I try to start it:
: bad interpreter: No such file or directory
I have changed permission etc, but without any luck. Is there any reason the regular kiss script would start fine but not this one? Thank you.
ProWebUK
11-29-2003, 08:27 PM
Ensure you remove the previous version firstly, having 2 running will cause problems.
If you can't run kiss start, run:
/usr/bin/kiss start
Chris
synergy
11-29-2003, 09:25 PM
Chris, thanks for the quick reply...my post wasn't very clear. I actually tried the DA version first, with no other firewall running at all. After several unsuccessful attempts I downloaded the original KISS script which started on the first try. I then stopped and removed the original KISS script and went back to the DA modified one. No luck. I tried full paths, relative paths, changing to the /usr/bin directory, running from other directories. For now I have removed KISS and just gone back to the APF firewall. Is there any big advantage in running KISS instead of APF? Otherwise I will probably just leave it as is. Thanks again for the suggestions.
ProWebUK
11-29-2003, 10:24 PM
Kiss and APF are both as good as each other. I personally prefer Kiss since that is what I have always used.
Are you using telnet or ssh to log in? Also, are you getting any errors / what does it say when you start it?
Chris
FarCry
11-30-2003, 02:21 PM
He said it's saying this:
: bad interpreter: No such file or directory
Which usually means bad permissions/bad ownership/bad feeding habits.
check the ownership (chown root.root /usr/bin/kiss/), try again.
I'm going to put this on the servers at work today :)
interfasys
11-30-2003, 02:47 PM
Did anyone try this in a VPS? APF does not work, so I'm wondering if this one could give better results.
ProWebUK
11-30-2003, 02:49 PM
Don't add it to /etc/rc.local and if it doesn't work / you get locked out, a restart will load up without starting the firewall. I believe Kiss V2.0 is set not to lock you out if it's wrong anyway, just ensure you leave your current SSH window open whilst you get another window logged into SSH.
Chris
FarCry
11-30-2003, 02:59 PM
Could it be that this just plain won't work on a VPS?
interfasys
11-30-2003, 03:02 PM
I should have explained things better. Installation is not really a problem with APF, except that some kernel modules cannot be found at load times.
The problem is that Passive FTP and some apps like wget don't work anymore afterwards unless you leave every high port open which defeats the purpose of having a tight firewall.
interfasys
11-30-2003, 03:05 PM
Mark, I don't know, but it would be strange if nobody could install firewalls in a VPS. I don't see why anybody would want to use a VPS in that case.
FarCry
11-30-2003, 03:32 PM
To be honest I don't actually know how a VPS works, having always had the luxury of dedicated servers.. But you're right, it does seem strange if it wouldn't work.
Anyway, enough spamming these forums for me, I gotta get ready for work :)
interfasys
12-09-2003, 04:50 PM
Quick note : Does not work in a Virtuozzo VPS.
ProWebUK
12-09-2003, 04:57 PM
Thanks for the notification. Can I ask if you get any errors anywhere when installing / running it?
Chris
interfasys
12-09-2003, 05:04 PM
When trying to run it I get:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
ProWebUK
12-09-2003, 05:17 PM
Sounds like your problem is quite simple, IP tables does not exist within your VPS.
Are you sure you do have this installed?
Chris
interfasys
12-09-2003, 05:24 PM
Yes.
I get this :
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
when running iptables -L
and a lot more when starting apf.
APF is also complaining about a lot of missing modules but it does start and it does partially work. It's just unusable in a production server.
I can't find a working firewall
ProWebUK
12-09-2003, 05:31 PM
Could you run the following and paste the output:
/sbin/iptables -L -n
Chris
interfasys
12-09-2003, 05:44 PM
Exact same output
ProWebUK
12-09-2003, 05:52 PM
weird.... have you updated your kernel at all since you have had the VPS?
Chris
interfasys
12-09-2003, 05:59 PM
I can't update it myself, but it was updated recently.
2.4.20-020stab009.5.777-enterprise #1 SMP Wed Dec 3 13:30:08 MSK 2003 i686
It's a special version for Virtuozzo
ProWebUK
12-09-2003, 06:08 PM
I'm now thinking the problem may be that the kernel is compiled incorrectly, or alternatively not the same as a default RedHat compile with the modules.
You may also want to contact your provider since versions prior to 2.4.22 are vulnerable to the recent exploit allowing local attackers to gain root privileges.
Further information on that can be found at the following address:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1888
Chris
interfasys
12-09-2003, 06:13 PM
Already contacted ;)
I was assured that the hole had been patched.
mega-hos
12-15-2003, 05:56 AM
Hallo
I've just followed the processes to install kiss 2.0, but when trying to start the firewall I receive this error:
-bash: /usr/bin/kiss: Permission denied
I've tried chmod to 777 but nothing.
Any ideas?
Originally posted by mega-hos
Hallo
I've just followed the processes to install kiss 2.0, but when trying to start the firewall I receive this error:
-bash: /usr/bin/kiss: Permission denied
I've tried chmod to 777 but nothing.
Any ideas?
Try doing an ls -l /usr/bin/kiss to verify that it does have execute permissions. If you did the chmod 777 then it should read -rwxrwxrwx; if it does, then that part is fine. The next thing to look at is the interpreter, which by default is /bin/bash: make sure that exists and has execute permissions. The last thing to ensure is that you are executing this as root. I don't believe you can run the iptables command as a user; you need to be root to modify the firewall tables.
ProWebUK
12-15-2003, 09:07 AM
From root (you don't need the path), simply run:
kiss start
kiss stop
kiss status
you need to have an argument also (start, stop, status)
The chmod of the file *should* be -rwx------
Chris
mega-hos
12-15-2003, 09:12 AM
When I type kiss start I receive that same error.
ProWebUK
12-15-2003, 09:14 AM
also what OS are you running?
Chris
ProWebUK
12-15-2003, 09:22 AM
Reading the messages again, are you logged in as root through su -?
Chris
mega-hos
12-15-2003, 09:22 AM
[root@subzero bin]# sh /usr/bin/kiss start
: command not found 9:
: command not found 22:
: command not found 30:
: command not found 44:
: command not found 45:
'usr/bin/kiss: line 311: syntax error near unexpected token `do
'usr/bin/kiss: line 311: `for blocked_ip in $BLOCK_LIST; do
OS RED HAT 9.0
It's probably something simple, I'm new to dedicated servers.
mega-hos
12-15-2003, 09:24 AM
Yes, root access - I'm going to try a fresh installation.
ProWebUK
12-15-2003, 09:34 AM
ensure you remove the file firstly, from root:
# rm -f /usr/bin/kiss
if you have not yet removed / reinstalled it try going directly into the folder then running it:
# cd /usr/bin
# /kiss start
jmccoy
12-15-2003, 03:17 PM
I just tried installing it as well. I'm running RedHat 9 on a dedicated server. Installed as root, no problems installing. When I tried to run it for the first time I got an error about file permissions, so I looked and the permissions were set wrong on the file. I fixed them to read -rwx------ and got rid of that error; now every time I try to start it I get:
bad interpreter: no such file or directory
I have tried running it with # /usr/bin/kiss start but still the same thing. Any ideas?
Justin
ProWebUK
12-15-2003, 04:29 PM
... are you sure the file exists?
# pico -w /usr/bin/kiss
And check the contents is actually the firewall :p
Chris
jmccoy
12-15-2003, 05:35 PM
Yes it is the firewall...... and it does exist.
I have tried removing the file and redownloading it, thinking maybe I got a bad download, but still the same thing:
: Bad interpreter: No such file or directory
ProWebUK
12-15-2003, 06:36 PM
Give me an hour or two... will do some checking now.
Chris
jmccoy
12-18-2003, 10:04 PM
Did you by any chance figure out anything? No rush i was just wondering. Also thanks for your help on this.
Justin
I have a rather standard IPtables and I'd like to switch to KISS. Can I just install KISS, which will overwrite the existing IPtables, or should I first delete all IPtables lines and then install KISS?
Thanks,
Kark
ProWebUK
01-10-2004, 03:11 AM
Flush all your current rules from iptables firstly, you should be able to place kiss in place then run:
kiss stop
which should flush your existing rules.
Chris
I'll try that, thanks for the quick response!
I'm not a real firewall guru so I hope someone can help me?! :)
I have installed Kiss which went without any problem. But in my /etc/sysconfig/iptables are still the old rules (shouldn't be there something from KISS?). Should I delete the file or open the file and remove all lines ?
Thanks,
Kark
ProWebUK
01-10-2004, 05:46 PM
As mentioned above 'kiss stop' should flush your current rules.
Chris
Perhaps I don't understand the term "flush" correctly. If you say flush, you mean like "gone" or "deleted" right? At least, that is what I am thinking what flush means. If so; then it doesn't work. :)
ProWebUK
01-10-2004, 06:21 PM
Flush would mean.. flush your existing rules........ think of flushing it down your toilet - bad example :D
In seriousness it's basically removing / dropping / flushing your current rules.
Chris
Hmm ... I still didn't understand it, so I googled a bit more. :)
So now I understand that if you 'Flush' IPtables the rules will be deleted but NOT from the file /etc/sysconfig/iptables. So if I want to use KISS I must call IPtables with the command KISS and not /etc/rc.d/init.d/iptables. Because at the moment when the server is rebooted /etc/rc.d/init.d/iptables is called (which is using the /etc/sysconfig/iptables rules). Am I correct on this ?
I'm a slow learner .. sorry :o
Thanks for the time,
Kamiel
ProWebUK
01-10-2004, 06:39 PM
Basically when you run 'kiss stop' it runs the following commands:
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F
That basically says accept all incoming connections and accept all outgoing connections, then remove any rules currently being used.
When you run kiss start it basically just adds the rules specified in the script to iptables. Nothing else is called by kiss.
Chris
Ok ... now I got it. I think. :)
Thanks!
Kark
ProHS
01-17-2004, 03:15 AM
Is APF or Kiss better?
ProWebUK
01-17-2004, 06:26 AM
I prefer KISS...... although I would say the 2 best software firewalls that are free - certainly KISS and APF. Take your pick :)
Chris
ProHS
01-17-2004, 06:42 AM
Well, do you know where I can get a list of their features, like APF has an official web site where they list it?
ProWebUK
01-17-2004, 06:57 AM
http://rfxnetworks.net/apf.php
Chris
ProHS
01-17-2004, 07:05 AM
No, I mean the official web site for kiss; I was using APF as an example, but thank you.
ProWebUK
01-17-2004, 08:17 AM
http://www.geocities.com/steve93138/
Not really a list of features, there is some commenting on general lines in the kiss source......... take a look through that to get an idea also :)
Chris
ProHS
01-20-2004, 02:35 PM
does kiss and/or APF run on FreeBSD?
ProWebUK
01-20-2004, 02:47 PM
If it has ifconfig iptables modprobe... (for KISS) you could try it and keep us informed with the results ;)
Chris
ProHS
01-20-2004, 04:02 PM
OK, I've been messing with it but I will let you know if I get it to work.
ProHS
01-21-2004, 09:31 AM
Yeah, the kiss firewall will not work in FreeBSD because there is no /etc/rc.d/rc.local dir. Well, the /etc is in all Unix OSes of course, but not that whole path, and when I did try to run it I got permission denied; I tried changing the permissions and then it said unknown command. If anyone has been successful at getting it to work or rewrote a kiss script let me know, I would appreciate it, but for now I am going to try to get APF to work again.
ProWebUK
01-21-2004, 09:51 AM
Originally posted by ProHS
Yeah, the kiss firewall will not work in FreeBSD because there is no /etc/rc.d/rc.local dir
It's supposed to be a file, and that wouldn't really affect it anyway....... adding it in there simply gets it to start upon reboot (with redhat anyway).
Chris
ProHS
01-21-2004, 09:55 AM
That gives me ideas then, will with it some more then.
Kiss and APF are IPtable based firewalls. FreeBSD uses something called IPfirewall, so the rules syntax would be different. That would mean you can't really use them on FreeBSD.
ProHS
01-21-2004, 01:39 PM
Yeah, I tried it and noticed they were calling for different file paths and that it has to be written differently. Do any of you know of a FreeBSD firewall?
ProWebUK
01-31-2004, 03:34 PM
For the redhat 9 problems:
chmod 755 /usr/bin/kiss
kiss start
Runs as expected :)
Chris
S2S-Robert
02-17-2004, 12:52 PM
So how exactly does this block_list variable work?
If I want to block a certain IP, do I just add the IP to the block list? Or do I need to add a subnet mask as well?
And how about if I want to block more IPs, do I just add them there as well?
ProWebUK
02-17-2004, 02:33 PM
You can use it any way you specify IPs in other areas.
Multiple IP addresses (usually subnets)
Do not use the first example below (0.0.0.0/0)
BLOCK_LIST="0.0.0.0/0"
or you can use it with multiple IP addresses individually:
BLOCK_LIST="0.0.0.0 1.1.1.1 2.2.2.2"
or just 1 single IP:
BLOCK_LIST="0.0.0.0"
Chris
Originally posted by ProWebUK
For the redhat 9 problems:
chmod 755 /usr/bin/kiss
kiss start
Runs as expected :)
Chris
Hate to say it but I still get the "bad interpreter message" on my RH9 system. I checked and iptables is installed, nothing in the config file.
Any other ideas?
ProWebUK
02-24-2004, 05:52 AM
What ownership does the kiss file have? Have you tried running
/usr/bin/kiss start (rather than just kiss start)
Chris
Ownership was root. I say was because I finally uninstalled the "DA" version and installed the version direct from the KISS site and it worked fine.
ProWebUK
02-24-2004, 09:30 AM
The only difference between the one from the official page and this... is that a few variables are changed (ports added, and unwanted ports removed) - besides that the script is unchanged - you could just use the original and copy the ports list from this script over... that should work fine, if it doesn't then... I'm unsure!
Chris
hoobastank68
02-27-2004, 03:41 PM
I'd recommend everyone on RH9 getting regular KISS, and use
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
as config for ports
The one listed kept giving me permission + can't interpret errors as well.
existenz
02-27-2004, 04:27 PM
Originally posted by ProHS
Yea i try it i notice they were calling for different file paths and that it has to be wrote different. Do any of you know of a FreeBSD firewall?
There are 2 kernel level firewalls built into FBSD, IPfilter and ipfw. They are well covered in the handbook but if you want I will post a How-To in a separate FBSD thread? I use ipfw more than I use IPfilter so it would be ipfw.
Basic rundown is you comment out the lines in the kernel for the firewall
Edit your /etc/rc.conf and turn on the firewall
Edit the /etc/rc.firewall and edit the rules.
That makes it seem easy but there is a TON more than that. Let me know, I will write a How-To...
ProWebUK
03-07-2004, 08:56 AM
New release available - fix for previous DNS problem with earthlink DNS servers.
Link is available from the main post.
Chris
existenz
03-07-2004, 11:01 AM
Chris,
Not to mess up your thread what turned out to be the problem with KISS? Just interested to know what he found...
ProWebUK
03-07-2004, 12:18 PM
I have not actually contacted the author as of yet. - what has been said in the EV1 thread appears correct, I have seen numerous systems running kiss with those lines commented that have problems with earthlink's DNS servers.
He has given valid reasons why you should keep them commented, however, as much as them comments may be valid, it *does* affect some DNS servers which in my opinion shouldn't happen and therefore, that is my reasoning behind uncommenting the lines in the release I am offering.
I'm sure having the lines uncommented will provide advantages rather than disadvantages for KISS users here, and on EV1; since it's not my script nor do I have any contact with the author I believe it's his responsibility to update or leave the script as it is.
All servers I am currently working on have the lines uncommented to fix the problem, all servers I work on in the future will have the lines uncommented and of course, all releases of the software I provide from here on in, will have the lines uncommented :)
The *actual* problem is that earthlinks DNS servers appear to use port 53 as a source port for DNS... in depth details on the ev1 link :)
Chris
hoobastank68
04-16-2004, 02:46 PM
Hi,
Anyone know why KISS is blocking pings from all ips except for main IP? And how i can fix that? Thanks
:cool:
ProWebUK
04-16-2004, 03:16 PM
It's all commented in the script for you...
Chris
hoobastank68
04-16-2004, 04:46 PM
So where do I go to fix this? Can't seem to find it in pico..
##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
Thanks for your help.
ProWebUK
04-17-2004, 12:05 AM
Replace:
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
with:
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done
# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
Chris
hoobastank68
04-17-2004, 02:31 PM
Hi,
I changed it to:
##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done
# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
##############################################################################
Kiss stop then start
I can still only ping the MAIN server IP, but the 2 DNS IPs and dedicated IPs I can't ping.
Any ideas? :confused:
ProWebUK
04-17-2004, 02:34 PM
Are you trying to ping your main ip or an additional IP?
Also make sure you don't have outgoing pings blocked on the machine you're pinging from.
Chris
hoobastank68
04-17-2004, 04:07 PM
Hi,
I can ping the main IP fine, I just want to be able to ping additional IPs on the server such as the IPs used for separate accounts, DNS IPs etc..
:)
ProWebUK
04-18-2004, 01:09 AM
Replace the 1 line i specified above with:
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
Let me know if it works ok :)
Chris
hoobastank68
04-18-2004, 11:09 AM
Originally posted by ProWebUK
Replace the 1 line i specified above with:
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
Let me know if it works ok :)
Chris
I did:
##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done
# allow anyone to ping this system
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
##############################################################################
Still nothing :\
ProWebUK
04-18-2004, 11:27 AM
Can you ping these IPs when KISS is disabled, can you access the IPs through http or any other protocol?
The IPs you want are listed in your SERVER_IPS variable as well?
Chris
hoobastank68
04-18-2004, 11:39 AM
I can ping all IPs when kiss is off.
I can ping the main IP only when kiss is on.
I can access all IPs via http.
The IPs you want are listed in your SERVER_IPS variable as well?
All ips are added inside DA and 1 is main, 2 are DNS, 1 is dedicated ip for a site, 5th one is just not used.
ProWebUK
04-18-2004, 11:58 AM
At the top of the KISS file you should see a line
SERVER_IPS="0.0.0.0/0"
add your server IPs there, separated by a space "1.2.3.4 1.2.3.4"
Chris
hoobastank68
04-18-2004, 12:14 PM
OK, I added IPs and also:
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT
#done
# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
Now I ping again, still won't work. :confused:
It's no big deal if there isn't any fix for it, I'll just live with it.
ProWebUK
04-18-2004, 05:12 PM
Once you add them to the SERVER_IPS variable use the 3 line script I provided rather than the other...
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
Chris
hoobastank68
04-20-2004, 03:43 PM
great, working now.
One more thing, now when I start kiss I get an error:
kiss start
/usr/bin/kiss: line 469: NEW: command not found
Any idea?
ProWebUK
04-20-2004, 06:47 PM
pico -w +469
Paste that line and a few lines above it...
From the sounds of things you have added:
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT
rather than 1 line as it should be:
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
since the error says it's trying to execute the command "NEW" which of course is just part of the --state flag used by iptables, not a bash command.
Chris
hoobastank68
04-22-2004, 03:50 PM
Thanks, I got it; there was a space but somehow when I pasted it became 2 lines, now it's fine.
sander815
05-06-2004, 03:19 AM
If I use the default config, and don't add to /etc/rc.d/rc.local, I will never be locked out of my box?
ProWebUK
05-06-2004, 10:01 AM
You should never be locked out of your box unless you take ssh out of the allowed ports, add your own IP to the blocklist or remove all IPs from the allowed IP list.
If you have SSH running on another port you will need to configure it, since it's only allowing port 22 for SSH as default.
Chris
sander815
05-07-2004, 12:59 AM
So, is it possible that you explain the kiss config a bit?
-BLOCK_LIST=""
block an ip from connecting to any port on the box?
-TCP_IN="21 25 53 80 110 143 443 2222"
?
-TCP_OUT="21 22 25 37 43 53 80 443"
?
-UDP_IN="53"
?
-UDP_OUT="53"
?
-TCP_IN_TRUSTED="22"
?
-TRUSTED_IPS="0.0.0.0/0"
can I enter here the IPs I use to connect to the box? (or better not, because my IP is not static)
-SERVER_IPS="0.0.0.0/0"
?
ProWebUK
05-07-2004, 08:51 AM
Originally posted by sander815
so, is it possible that you explain the kiss config a bit?
-BLOCK_LIST=""
block an ip from connecting to any port on the box?
-TCP_IN="21 25 53 80 110 143 443 2222"
TCP Inbound ports
-TCP_OUT="21 22 25 37 43 53 80 443"
TCP Outbound ports
-UDP_IN="53"
UDP Inbound ports
-UDP_OUT="53"
UDP Outbound ports
-TCP_IN_TRUSTED="22"
TCP Inbound ports only accessible by IP addresses listed in the TRUSTED_IPS var (22 - ssh)
-TRUSTED_IPS="0.0.0.0/0"
can I enter here the IPs I use to connect to the box? (or better not, because my IP is not static) Yes, or leave the current option to allow all IP addresses to connect
-SERVER_IPS="0.0.0.0/0"
All the IP addresses bound to your system can be listed here, although the current option works fine unless you want pings etc as discussed above.
?
All in the quote :)
Chris
deltaned
05-12-2004, 11:02 AM
Is there an option to see KISS is working OK, like an online scanner or something?
I doesent link new not welcome visits...
ProWebUK
05-12-2004, 11:16 AM
ping / telnet
"I doesent link new not welcome visits..."
What do you mean?
Chris
deltaned
05-12-2004, 11:44 AM
@ ProWebUK: I send a PM
To close an port on what option do I need to add it?
Or can I remove the port number on:
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"
I don't use 443, so I'd like to close that port.
ProWebUK
05-12-2004, 11:57 AM
All ports are closed besides what's in the configs at the top of the script ;)
443 is the https://, so unless you don't use SSL you would be wanting that ;)
sander815
05-30-2004, 02:14 PM
does kiss have some sort of ddos protection like APF?
http://www.rfxnetworks.com/apf.php
- antidos subsystem to stop attacks before they become a significant threat
and does it support auto update for the dshield block list? kiss i mean
vandal
05-30-2004, 04:47 PM
Originally posted by phriendly-Mark
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)
^^ where can I get such scripts (the monitoring, clientexec and mostly the MSN script)
deltaned
05-31-2004, 11:49 AM
Maybe a bug in Kiss, but with kiss on you can't update DA.
Turn kiss off and update DA and there is no problem.
my KISS details:
BLOCK_LIST="Some IP adresses"
TCP_IN="21 25 53 80 110 143 2222"
TCP_OUT="21 22 25 37 43 53 80"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="myIPadres/0"
Tips to update DA without closing the firewall?
ProWebUK
05-31-2004, 12:00 PM
Originally posted by vandal
^^ where can i get such scripts (the monitoring, clientexec and mostly the MSN script)
You can use command line messenger clients I would assume, although I don't have the exact information.
Chris
ProWebUK
05-31-2004, 12:02 PM
SERVER_IPS="0.0.0.0/0"
Try that...
Chris
deltaned
05-31-2004, 12:07 PM
Originally posted by ProWebUK
SERVER_IPS="0.0.0.0/0"
Try that...
Chris
I tried but it doesn't work.
Maybe because I blocked telnet?
ProWebUK
05-31-2004, 12:08 PM
Originally posted by sander815
does kiss have some sort of ddos protection like APF?
http://www.rfxnetworks.com/apf.php
- antidos subsystem to stop attacks before they become a significant threat
and does it support auto update for the dshield block list? kiss i mean
It has its own way of preventing DOS attacks, although it's of course not perfect, neither is the one for APF.
It doesn't have any support for dshield, you can incorporate it yourself if you wish, use any other block lists etc... as default the only blocks are what you specify.
Chris
ProWebUK
05-31-2004, 12:12 PM
Originally posted by deltaned
I tried but it doesn't work.
Maybe because I blocked telnet?
What error are you getting? Can you successfully connect to the DA website from your server? Can you update the license also...
Does it work when you turn the firewall off?
Chris
sander815
06-07-2004, 02:15 PM
If I don't want people pinging my machine, what do I do?
##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
TRUSTED_IPS="0.0.0.0/0" <- change this in kiss?
ProWebUK
06-07-2004, 02:19 PM
Originally posted by sander815
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done
Comment out the part I've quoted ;)
Chris
sander815
06-08-2004, 12:39 PM
If I want to block a certain port for a certain IP connecting, what do I do?
ProWebUK
06-10-2004, 05:21 PM
Originally posted by sander815
If I want to block a certain port for a certain IP connecting, what do I do?
try:
iptables -I INPUT -s 111.111.111.111 --destination-port 22 -j DROP
ip/port
Chris
sander815
06-11-2004, 01:11 AM
Do I just execute that at the prompt?
I get an error:
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.
deltaned
06-16-2004, 12:41 PM
On my Fedora 2 machine I get, after the command kiss start:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Tips?
The default firewall of Fedora is off.
jlasman
06-16-2004, 02:05 PM
Do you have iptables implemented in your fedora core kernel?
Jeff
sander815
06-18-2004, 04:38 AM
Originally posted by sander815
Do I just execute that at the prompt?
I get an error:
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.
[
Please, anyone? How do I use this?
I need to block a certain IP that keeps connecting to port 53, like every 4-5 seconds, constantly.
ProWebUK
06-18-2004, 08:21 AM
Try this one, again, untested
iptables -A INPUT -i eth0 -s *BLOCKIP* -d *SERVERIP* -p tcp -m state --state NEW --dport *PORT* -j DROP
Chris
Exzee
06-24-2004, 07:51 PM
I'm running Fedora Core 1 with DirectAdmin. I haven't touched the server except for the DA installation.
This is the error I get when trying to run kiss:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Maybe I'm going off topic with this post, but how exactly do I install those modules if they "don't exist"?
Thanks in advance.
jlasman
06-25-2004, 08:10 PM
check the following, logged in as root:
$ rpm -qa | grep iptables
Here's my results when I do this on my local desktop system:
[jlasman@da1 nobaloney.net]$ rpm -qa | grep iptables
iptables-1.2.5-3
iptables-ipv6-1.2.5-3
[jlasman@da1 nobaloney.net]$
Your results may differ.
What do you get?
Jeff
Exzee
06-25-2004, 08:24 PM
[root@server root]# rpm -qa | grep iptables
iptables-1.2.8-13
iptables-1.2.9-1.0
[root@server root]#
jlasman
06-25-2004, 08:34 PM
Then I have no idea :( .
Have you tried asking on the Fedora users' list?
Jeff
Exzee
06-25-2004, 08:50 PM
Nope. I thought someone here would probably know what's wrong.
jlasman
06-25-2004, 08:54 PM
Perhaps, but since it's not DA specific, but Fedora specific, I'd think you'd stand a better chance there.
You can join here (http://www.redhat.com/mailman/listinfo/fedora-list).
Jeff
ProWebUK
06-25-2004, 08:55 PM
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.o
Output?
Chris
Exzee
06-25-2004, 09:03 PM
[root@server root]# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.o
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ip_tables.o: No such file or directory
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ipt_state.o: No such file or directory
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ipt_multiport.o: No such file or directory
[root@server root]#
ProWebUK
06-25-2004, 09:09 PM
I'll get you the information you need in the morning, but it will involve compiling a kernel and adding specific modules... Try using up2date to check if there's a new kernel there also, as the Red Hat kernels should already have the support... That may just be a quick fix :)
Chris
Exzee
06-27-2004, 04:08 PM
I sent the problem to the Fedora list. I'm just waiting for their reply now.
deltaned
07-18-2004, 09:57 AM
Hi,
Do you have an reply from the list?
I have the same problem...
Exzee
07-18-2004, 12:29 PM
They suggested a kernel upgrade. It's quite a process (basically what ProWebUK said).
deltaned
07-18-2004, 12:40 PM
I tried updating to the new kernel, but no reaction from kiss.
I use the firewall of Fedora Core 2, and after "playing" with the options I got everything working and secured now (I hope).
mdoens
08-03-2004, 12:21 PM
Is the first post the latest available script, or are there updates for the DA version? Do I have to check things before I install? (Red Hat 9)
skruf
08-03-2004, 12:35 PM
Hey,
These are the changes I made for RH9 to the kiss file:
The install puts it here: /usr/bin/kiss
Be sure to back it up before changing anything.
Under this section:
# ALL DONE WITH CONFIGURATIONS!
I added this line:
IFCONFIG="/sbin/ifconfig"
And under this section:
# Determine MAIN_IP & SERVER_IPS if needed
I changed this:
MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`
to this:
MAIN_IP=`$IFCONFIG eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`
Basically, I just changed ifconfig to be a variable so I could set its path.
David
mdoens
08-03-2004, 12:48 PM
And you used the customized DA-kiss script? Do I need to change anything else in the config file?
skruf
08-03-2004, 12:50 PM
Hey,
Yes, I used the customized DA-kiss script...
Yes, those are the only changes I made.
David
ProWebUK
08-04-2004, 08:57 AM
Since the problem is with the path (ifconfig rather than /sbin/ifconfig), my guess is you are logging in as root using:
su
rather than:
su -
Chris
jlasman
08-04-2004, 10:01 AM
Originally posted by skruf
The install puts it here: /usr/bin/kiss
That's not really a good place for it.
It's a local addition, designed to be run only by a systems administrator.
My guess is it should be in /usr/local/sbin.
But what do I know :) .
I admin a lot of systems and I don't want to install it each time.
So I have one copy on my desktop system, and I just copy it in, and install it on, each new server.
If you'd like a copy, let me know by email (NOT by private message). My email address is in my sig.
If you get it, be sure to read my notes; it may require changes depending on your environment, but they're all well documented.
I agree with Chris that if you're properly logged in as root (either by direct login or by "su -"), then you won't need the path to ifconfig.
Jeff
skruf
08-04-2004, 01:32 PM
Hey,
Since the problem is with the path (ifconfig rather than /sbin/ifconfig), my guess is you are logging in as root using:
su
rather than:
su -
Damn, hate when that happens... That was it.
That's not really a good place for it.
I just left it where it was placed...
This is the first time I used it and future use probably won't include tarring it on the server. (Like you mentioned.)
Obviously, there are no changes needed like I mentioned above...
Unless of course, like me, you're trying to learn a little script writing...
David
lnguyen
08-05-2004, 05:58 PM
Is there a BFD equivalent for KISS?
hostcini
01-07-2005, 09:28 AM
Link is broken :(
jlasman
01-07-2005, 07:42 PM
Which link?
I have a copy of Kiss specifically designed to work on DA servers in a hosting environment.
If enough people need it and can't get it from the original site, I'll post it on my download pages.
Jeff
hostcini
01-08-2005, 04:01 AM
Thanks, the first post link is dead.
But I downloaded the file from rfxnetwork and installed it; everything is ok.
sander815
03-30-2005, 01:59 AM
I still have problems with FTPing when kiss is running, in passive mode. What am I doing wrong?
##############################################################################
#
# Optional KISS Configuration Variables:
#
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222 10000"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"
jlasman
03-31-2005, 12:28 AM
Kiss requires a module installed for your kernel:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o" ]; then
$MODPROBE ip_conntrack_ftp
fi
Is ip_conntrack_ftp.o available for dynamic loading on your server?
Jeff
sander815
03-31-2005, 12:54 AM
Uhm, I think so?:
[root@server01 mysql]# locate ip_conntrack_ftp.o
/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
[root@server01 mysql]#
jlasman
03-31-2005, 01:14 AM
What version of Linux?
Jeff
sander815
03-31-2005, 01:36 AM
RH 9
jlasman
03-31-2005, 10:05 AM
At first glance I don't see any problem.
If you want a "free as in beer" solution you might want to post on a forum specializing in the kiss firewall, or contact the author.
Or if you know or want to learn the details of iptables, you could try a good Linux help group; isp-linux.com or isp-webhosting.com are probably good places to start.
Or perhaps use a consultant (hopefully one who guarantees results) to resolve the issue for you.
Jeff
noneym
04-09-2005, 06:53 AM
Link is broken
jlasman
04-12-2005, 12:10 AM
What link?
What are you looking for?
Jeff
resolveit
04-12-2005, 09:59 AM
Hi Jeff,
They are referring to the link in the first post to download the Kiss Firewall. The link is no longer valid.
Regards,
Onno
jlasman
04-15-2005, 10:09 PM
Has anyone found another location, or should I post it and change the first post?
Jeff
@how@
04-25-2005, 10:31 AM
Anybody have a link? :confused:
jlasman
04-25-2005, 07:03 PM
I found it at the original location here (http://www.geocities.com/steve93138/).
My version modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here (http://www.nobaloney.net/downloads/kiss/).
Jeff
@how@
04-26-2005, 05:25 AM
Thanks man :D
@how@
04-26-2005, 06:12 AM
Is it recommended to configure the firewall to trusted IP addresses/subnets, or to not install it and finish? :confused:
Avenueduweb
04-26-2005, 11:07 AM
jlasman's kiss version doesn't run on Fedora (Core 3). I've modified the script to run on this OS. If you want, download jlasman's kiss version modified here:
http://www.avenueduweb.org/scripts/kiss
Bye.
jlasman
04-28-2005, 06:35 PM
I should probably do a diff and figure out what's wrong with the original.
I guess I'll have to take the time unless you can tell me in a few words what the differences were.
Since I'm busy as a ... (well you know what I mean), can you ?
Thanks :)
Jeff
Avenueduweb
04-29-2005, 07:03 AM
The problem is the links for ip_tables, ipt_state and ipt_multiport. In your script you test whether the modules exist, and the links are ip_tables.o, ipt_state.o and ipt_multiport.o, but to run on Fedora the links must be ip_tables.ko, ipt_state.ko and ipt_multiport.ko; with that it's running. My modification is:
# Note: KISS requires that ip_tables, ipt_state, and ipt_multiport exist:
if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
exit 1
fi
# All is well, load modules:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
$MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
$MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
$MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
$MODPROBE iptable_filter
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
$MODPROBE ipt_unclean
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
$MODPROBE ipt_limit
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko" ]; then
$MODPROBE ipt_LOG
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
$MODPROBE ipt_REJECT
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
$MODPROBE ip_conntrack
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
$MODPROBE ip_conntrack_irc
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
$MODPROBE ip_conntrack_ftp
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
$MODPROBE iptable_mangle
fi
Sorry for my bad English, it's very difficult for me to explain that in English ;o). Thanks for your script jlasman. Bye.
jlasman
05-01-2005, 09:40 PM
It's not my script; I found it on the 'net after reading about it in these forums.
I made a few line changes.
Are you saying that by default Fedora doesn't load/install the proper kernel modules? That's the impression I get from your post.
I suppose I can try your fixes to see if they work with other flavors of Linux and if they do issue one fixed version, but I'd like to get your response first.
Thanks.
Jeff
linuxlearner
05-31-2005, 09:21 PM
I found the thread that mentions the ".o" and ".ko" error Avenueduweb described:
http://forum.ev1servers.net/showthread.php?t=36733&page=4&pp=25
flumps
03-03-2008, 03:55 AM
Has anyone managed to get KISS to work on a Debian OS? I'm running Debian 4.0 and every time I go to run it I get:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
iptables is installed, I think, because I get the following output when using iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Any ideas?
I've played around with:
# Enable this for pre-Fedora Core 2 or Red Hat
#EXTN="o"
# Enable this for Fedora Core 2 or later
EXTN="ko"
Still no joy :(
jlasman
03-04-2008, 07:30 PM
I think you may have to recompile the kernel with those modules compiled in.
But I'm not sure :(.
Jeff
flumps
03-08-2008, 05:06 AM
I could try a different firewall, anything different other than kiss?
iceuk626
03-08-2008, 08:24 AM
You can try APF, but that's iptables based as well. I think you may have to compile a new kernel with the correct modules.
eConcept-Web
03-13-2008, 11:48 AM
Hi, I have a problem with kiss. My OS is Fedora Core 6 and I followed the first post to install kiss. When I try the kiss start command, I receive this message:
[root@220915 bin]# kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
[root@220915 bin]#
When I do kiss stop to flush the rules I receive this:
[root@220915 bin]# kiss stop
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DA-KISS Firewall - Stopped!
I also added my 10 IP addresses to the SERVER_IPS="0.0.0.0/0" like this: SERVER_IPS="ip1.ip1.ip1.ip1 ip2.ip2.ip2.ip2 ip3.ip3.ip3.ip3 ..." without the /0.
Any solutions for this? Thx all :)
eConcept-Web
03-14-2008, 08:14 AM
I will try to recompile the kernel with the ip_table :) thx for the support and the previous post :)
mikegrungey
05-12-2008, 12:19 AM
Hi there. After looking around I decided to try out KISS. But then I got this error. I'm running a VPS using CentOS 5.
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Is it because my admin didn't install it?
When I run iptables -L it gives me:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
How can I solve this problem? Thanks
jlasman
05-12-2008, 09:17 AM
You should contact your VPS provider to see if they offer support for those modules. Both KISS and APF require them.
Jeff
Jackiegoal
06-28-2008, 04:04 AM
Tried it, getting the same issues about the ip_tables, ipt_state, and/or ipt_multiport modules. In the script it checks, for example, for the existence of the file /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o. I checked for it and the file exists. However, it has a .ko extension. I'm a bit shy to try and bluntly change .o into .ko in the config file, so I thought I'd ask it here first.
jlasman
06-28-2008, 01:03 PM
The latest version of KISS allows you to set once and it will work with either .ko or .o.
But you can safely change them.
KISS doesn't have a config file. All changes are made directly in the runfile.
Jeff
Jackiegoal
06-30-2008, 02:16 AM
So it's safe to say I don't have the latest version? Then where do I get that as KISS is now blocking my FTP traffic due to the fact that multiple .ko files are not where it expects them to be (in this case ip_conntrack_ftp.ko I guess)?
Jackiegoal
06-30-2008, 02:41 AM
I can answer my own question. I seem to have the latest DA-KISS, but KISS is now in v2.1. It does still refer to the ip_conntrack_ftp file. I don't have it! I only have some nf_conntrack_ftp file, but I don't know whether that's the same.
Jackiegoal
07-02-2008, 07:42 AM
It still doesn't work. I can't find a definitive answer on nf_conntrack_ftp.
spoonfed
07-05-2008, 02:32 AM
Hello, I just installed KISS using Jeff's version (http://www.nobaloney.net/downloads/kiss/kiss)
When trying to start it for the first time I got this error:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
iptables is there but stopped; I stopped it yesterday when I thought it might be blocking DA. iptstate I installed with "yum install iptstate" and it seems to have worked; ipt_multiport isn't something that yum can find to install.
I ran locate on it and found something, so it seems to be installed:
[root@flipper ~]# locate ipt_multiport
/lib/iptables/libipt_multiport.so
/usr/include/linux/netfilter_ipv4/ipt_multiport.h
Any ideas why KISS won't start? iptables won't start now either; it doesn't give any errors when running start or restart, but when I check its status it just says Firewall is stopped.
Any help appreciated here.
jlasman
07-05-2008, 10:32 AM
The contents of iptables may be deleted; in CentOS boxes the file is at /etc/sysconfig/iptables.
When kiss gives us that error it's always been on a VPS box.
VPS boxes often don't have the right kernel modules actually installed, but it could be an old or specially configured kernel as well.
Jeff
spoonfed
07-05-2008, 11:09 AM
Yeah, there's no iptables file in that directory; there is an iptables-config file there, though.
Any solution to the problem? I found these files named iptables. I tried copying the first one to the directory you said, and now when I try to start iptables it at least gives an error :)
[root@flipper sysconfig]# service iptables start
Applying iptables firewall rules: iptables-restore: line 12 failed
[FAILED]
Files
/etc/rc.d/init.d/iptables
/lib/iptables
/sbin/iptables
jlasman
07-06-2008, 12:43 PM
You have iptables on your server. You need a set of rules that work. Mine won't work for you because they're created from kiss. Perhaps someone else can give you a set of rules that you can try.
Anyone?
Jeff
spoonfed
07-07-2008, 03:46 AM
Thanks for trying to help, but I got some assistance from smtalk to install a firewall. He went with APF instead of KISS, so I'm all set now. :)
nobaloney
07-09-2008, 09:16 PM
I've found the issue; in the later kernel versions some modules have been replaced with newer ones: specifically modules beginning with ipt have been replaced with modules beginning with xt.
I've placed more recent versions at my download page, here (http://www.nobaloney.net/downloads/kiss/).
Jeff
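The two module-naming problems this thread keeps hitting (the .o to .ko suffix change Avenueduweb patched above, and the ipt_* to xt_* rename Jeff describes here) can be checked before KISS aborts. This is an added example, not code from the KISS script or from any post in this thread; it assumes the caller passes the kernel's net module tree (such as /lib/modules/$(uname -r)/kernel/net) as the search root.

```shell
#!/bin/sh
# Added example (not part of KISS). Locate netfilter modules by trying each
# naming variant seen in this thread: NAME.ko (2.6 kernels), NAME.o (2.4
# kernels), and for ipt_* names the xt_* replacement found in later kernels.
# Assumed layout: ROOT is a directory tree such as .../kernel/net, searched
# recursively, so both ipv4/netfilter and the later netfilter/ dir are covered.

# find_nf_module ROOT NAME
# Prints the first matching module path; returns 1 and prints nothing if none.
find_nf_module() {
    root="$1"
    name="$2"
    alt="$name"
    case "$name" in
        ipt_*) alt="xt_${name#ipt_}" ;;   # ipt_state -> xt_state, etc.
    esac
    for base in "$name" "$alt"; do
        for ext in ko o; do
            hit=$(find "$root" -type f -name "$base.$ext" 2>/dev/null | head -n 1)
            if [ -n "$hit" ]; then
                printf '%s\n' "$hit"
                return 0
            fi
        done
    done
    return 1
}

# check_kiss_modules ROOT NAME...
# Reports which required modules are missing under ROOT (the same three names
# KISS tests before loading any rule); returns 0 only when all are present.
check_kiss_modules() {
    root="$1"
    shift
    missing=""
    for mod in "$@"; do
        if ! find_nf_module "$root" "$mod" >/dev/null; then
            missing="$missing $mod"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Stand-alone use against the running kernel's module tree:
# check_kiss_modules "/lib/modules/$(uname -r)/kernel/net" ip_tables ipt_state ipt_multiport
```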
youds
08-02-2008, 11:22 AM
kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
I get the above with a clean/fresh CentOS 5.2 64bit install
youds
08-02-2008, 11:31 AM
I've found the issue; in the later kernel versions some modules have been replaced with newer ones: specifically modules beginning with ipt have been replaced with modules beginning with xt.
I've placed more recent versions at my download page, here (http://www.nobaloney.net/downloads/kiss/).
Jeff
This script solved the problem for me. Thanks
UserName
09-02-2008, 10:30 PM
We installed KISS on a CentOS 5.2 64 bit unmanaged server and received the "KISS is running message".
We then started to download DDOS Deflate and the server froze. Now we cannot connect to the server at all - DA or ssh. Reboot did not resolve the issue.
Any ideas before I have to ask the host to reinstall the OS? :(
edit: no ports are open when I scan the IP.
littleoak
09-03-2008, 04:05 PM
Why would you have your host reinstall the OS? Have them log in via the console and:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Have you tried sshing to the server with another IP address?
UserName
09-03-2008, 04:23 PM
The host ran:
/etc/init.d/iptables stop
but the problem returned shortly afterwards and I'm locked out again.
littleoak
09-03-2008, 05:15 PM
It sounds as though you're running two firewalls at once. That is not normal behavior for iptables. I recommend you get someone to take a look at your server.
UserName
09-03-2008, 07:12 PM
I have iptables and KISS. Do I have to stop or flush iptables before using KISS?
(This is my first dedicated server.)
jlasman
09-05-2008, 06:05 AM
No; the first thing KISS does is flush the tables.
Jeff