DA-Kiss - DirectAdmin specific firewall based on Kiss v2.0



ProWebUK
11-27-2003, 09:07 PM
KISS Version: 2
DA Specific version: 1
Release: 2

Over the past few weeks I have mentioned a firewall specific for use with DirectAdmin. If you have looked at the recent posts in the DA server checklist, you will have realised the Kiss link was recently updated to v2.0.

I have modified the firewall to provide a simple but very effective method for basic security on your server. I advise all who run DirectAdmin on RedHat to use this or another firewall; if you know IPTables then that would also be fine.


IF YOU CURRENTLY HAVE A FIREWALL INSTALLED EITHER REMOVE IT FIRSTLY OR DO NOT INSTALL THIS FIREWALL

Installation does not get any simpler:

Moderator's Note:
The location below is no longer valid.

Try these locations:

The original one can be found here (http://www.geocities.com/steve93138/).

My modified version, modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here (http://www.nobaloney.net/downloads/kiss/).

# cd /usr/bin
# wget http://optimum-servers.com/downloads/DirectAdmin/kiss2-1.2.tar.gz
# tar -zxvf kiss2-1.2.tar.gz
# rm -f kiss2-1.2.tar.gz

To configure any settings, use the top section of the KISS file:

# pico -w kiss

Run the following commands *anywhere*:

To start KISS
kiss start

To stop KISS
kiss stop

To Restart
kiss restart

To check current status
kiss status

If you make any changes, ensure you restart it for the changes to take effect.

Once it is installed I suggest you double-check websites, DirectAdmin and MySQL, and also log into SSH in another window to ensure that you are not locked out.

Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local

/usr/bin/kiss start

Any questions, problems or suggestions feel free to post here :)

FarCry
11-27-2003, 09:17 PM
nice, can you come on msn??

FarCry
11-27-2003, 10:08 PM
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)

You need these ports open for TCP_OUT:

ICQ Messengers: 4000
YAHOO Messengers: 5010
AIM Messengers: 5190


If you use MRTG or RRDTool to graph router info, you will need to open SNMP (port 161).



Run game servers?
{HL/CS/DOD/TFC/NS/etc}
Client: 27010
Game: 27015 (if you run more than 1 per IP, you might want 27016 27017 etc open)

{BF1942}
Game: 14567
GameSpy Query: 23000
ASE Query: 14690

{SOF2}
Game: 20100

{QUAKE 3}
Game: 27961

{UT/UT2003}
Game: 7777
Query: 7778

{Jedi Knight 2}
Game: 28070

You can find other games at my page here: http://www.playergraph.com/gamesupport

ProWebUK
11-27-2003, 10:14 PM
If you are unsure what a port is or need additional ports you can also check the following link:

http://forum.rackshack.net/showthread.php?s=&threadid=18618

Chris

synergy
11-29-2003, 08:14 PM
The original geocities script starts fine for me. However, the DA modified script keeps giving me an error when I try to start it:

: bad interpreter: No such file or directory

I have changed permission etc, but without any luck. Is there any reason the regular kiss script would start fine but not this one? Thank you.

ProWebUK
11-29-2003, 08:27 PM
Ensure you remove the previous version first; having 2 running will cause problems.

If you can't run kiss start, run:

/usr/bin/kiss start

Chris

synergy
11-29-2003, 09:25 PM
Chris, thanks for the quick reply...my post wasn't very clear. I actually tried the DA version first, with no other firewall running at all. After several unsuccessful attempts I downloaded the original KISS script which started on the first try. I then stopped and removed the original KISS script and went back to the DA modified one. No luck. I tried full paths, relative paths, changing to the /usr/bin directory, running from other directories. For now I have removed KISS and just gone back to the APF firewall. Is there any big advantage in running KISS instead of APF? Otherwise I will probably just leave it as is. Thanks again for the suggestions.

ProWebUK
11-29-2003, 10:24 PM
Kiss and APF are both as good as each other. I personally prefer Kiss since that is what I have always used.

Are you using telnet or SSH to log in? And also, are you getting any errors / what does it say when you start it?

Chris

FarCry
11-30-2003, 02:21 PM
He said it's saying this:


: bad interpreter: No such file or directory


Which usually means bad permissions/bad ownership/bad feeding habits.

Check the ownership (chown root.root /usr/bin/kiss), then try again.


I'm going to put this on the servers at work today :)

interfasys
11-30-2003, 02:47 PM
Did anyone try this in a VPS? APF does not work, so I'm wondering if this one could give better results.

ProWebUK
11-30-2003, 02:49 PM
Don't add it to /etc/rc.local, and if it doesn't work / you get locked out, a restart will load up without starting the firewall. I believe Kiss V2.0 is set not to lock you out if it's wrong anyway; just ensure you leave your current SSH window open whilst you get another window logged into SSH.

Chris

FarCry
11-30-2003, 02:59 PM
Could it be that this just plain wont work on a VPS?

interfasys
11-30-2003, 03:02 PM
I should have explained things better. Installation is not really a problem with APF, except that some kernel modules cannot be found at load times.
The problem is that Passive FTP and some apps like wget don't work anymore afterwards unless you leave every high port open which defeats the purpose of having a tight firewall.

interfasys
11-30-2003, 03:05 PM
Mark, I don't know, but it would be strange if nobody could install firewalls in a VPS. I don't see why anybody would want to use a VPS in that case.

FarCry
11-30-2003, 03:32 PM
To be honest I don't actually know how a VPS works, having always had the luxury of dedicated servers.. But you're right, it does seem strange if it wouldn't work.

Anyway, enough spamming these forums for me, I gotta get ready for work :)

interfasys
12-09-2003, 04:50 PM
Quick note : Does not work in a Virtuozzo VPS.

ProWebUK
12-09-2003, 04:57 PM
Thanks for the notification. Can I ask if you get any errors anywhere when installing / running it?

Chris

interfasys
12-09-2003, 05:04 PM
When trying to run it I get:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

ProWebUK
12-09-2003, 05:17 PM
Sounds like your problem is quite simple: iptables does not exist within your VPS.

Are you sure you do have this installed?

Chris

interfasys
12-09-2003, 05:24 PM
Yes.
I get this:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

when running iptables -L

and a lot more when starting apf.

APF is also complaining about a lot of missing modules but it does start and it does partially work. It's just unusable in a production server.

I can't find a working firewall

ProWebUK
12-09-2003, 05:31 PM
Could you run the following and paste the output:

/sbin/iptables -L -n

Chris

interfasys
12-09-2003, 05:44 PM
Exact same output

ProWebUK
12-09-2003, 05:52 PM
Weird.... have you updated your kernel at all since you have had the VPS?

Chris

interfasys
12-09-2003, 05:59 PM
I can't update it myself, but it was updated recently.

2.4.20-020stab009.5.777-enterprise #1 SMP Wed Dec 3 13:30:08 MSK 2003 i686

It's a special version for Virtuozzo

ProWebUK
12-09-2003, 06:08 PM
I'm now thinking the problem may be that the kernel is compiled incorrectly, or alternatively not the same as a default RedHat compile with the modules.

You may also want to contact your provider since versions prior to 2.4.22 are vulnerable to the recent exploit allowing local attackers to gain root privileges.

Further information on that can be found at the following address:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1888

Chris

interfasys
12-09-2003, 06:13 PM
Already contacted ;)
I was assured that the hole had been patched.

mega-hos
12-15-2003, 05:56 AM
Hallo

I've just followed the process to install kiss 2.0, but when trying to start the firewall I receive this error:

-bash: /usr/bin/kiss: Permission denied

I've tried chmod to 777 but nothing.

Any ideas?

toml
12-15-2003, 08:37 AM
Originally posted by mega-hos
Hallo

I've just followed the process to install kiss 2.0, but when trying to start the firewall I receive this error:

-bash: /usr/bin/kiss: Permission denied

I've tried chmod to 777 but nothing.

Any ideas?

Try doing an ls -l /usr/bin/kiss to verify that it does have execute permissions. If you did the chmod 777 then it should read -rwxrwxrwx; if it does, then that part is fine. The next thing to look at is the interpreter, which by default is /bin/bash; make sure that exists and has execute permissions. The last thing to ensure is that you are executing this as root. I don't believe you can run the iptables command as a user; you need to be root to modify the firewall tables.

ProWebUK
12-15-2003, 09:07 AM
From root (you don't need the path), simply run:

kiss start
kiss stop
kiss status

You need to have an argument also (start, stop, status).

The chmod of the file *should* be -rwx------

Chris

mega-hos
12-15-2003, 09:12 AM
When I type kiss start I receive that same error.

ProWebUK
12-15-2003, 09:14 AM
/

Also, what OS are you running?

Chris

ProWebUK
12-15-2003, 09:22 AM
Reading the messages again, are you logged in as root through su -?

Chris

mega-hos
12-15-2003, 09:22 AM
[root@subzero bin]# sh /usr/bin/kiss start
: command not found 9:
: command not found 22:
: command not found 30:
: command not found 44:
: command not found 45:
'usr/bin/kiss: line 311: syntax error near unexpected token `do
'usr/bin/kiss: line 311: `for blocked_ip in $BLOCK_LIST; do

OS RED HAT 9.0

It's probably something simple; I'm new to dedicated servers.

mega-hos
12-15-2003, 09:24 AM
Yes, root access - I'm going to try a fresh installation.

ProWebUK
12-15-2003, 09:34 AM
Ensure you remove the file first, from root:

# rm -f /usr/bin/kiss

If you have not yet removed / reinstalled it, try going directly into the folder and then running it:

# cd /usr/bin
# ./kiss start

jmccoy
12-15-2003, 03:17 PM
I just tried installing it as well; I'm running RedHat 9 on a dedicated server. Installed as root, no problems installing. When I tried to run it for the first time I got an error about file permissions, so I looked and the permissions were set wrong on the file, so I fixed them to read -rwx------. That got rid of that error; now every time I try to start it I get
bad interpreter: no such file or directory
I have tried running it with # /usr/bin/kiss start but still the same thing. Any ideas?

Justin

ProWebUK
12-15-2003, 04:29 PM
... are you sure the file exists?

# pico -w /usr/bin/kiss

And check that the contents are actually the firewall :p

Chris

jmccoy
12-15-2003, 05:35 PM
Yes, it is the firewall...... and it does exist.

I have tried removing the file and redownloading it, thinking maybe I got a bad download, but still the same thing:

: Bad interpreter: No such file or directory

ProWebUK
12-15-2003, 06:36 PM
Give me an hour or two... will do some checking now.

Chris

jmccoy
12-18-2003, 10:04 PM
Did you by any chance figure out anything? No rush i was just wondering. Also thanks for your help on this.

Justin

kark
01-09-2004, 05:05 PM
I have a rather standard IPtables setup and I'd like to switch to KISS. Can I just install KISS, which will overwrite the existing IPtables rules, or should I first delete all IPtables lines and then install KISS?

Thanks,
Kark

ProWebUK
01-10-2004, 03:11 AM
Flush all your current rules from iptables first; you should be able to put kiss in place, then run:

kiss stop

which should flush your existing rules.

Chris

kark
01-10-2004, 03:14 AM
I'll try that, thanks for the quick response!

kark
01-10-2004, 04:26 PM
I'm not a real firewall guru so I hope someone can help me?! :)

I have installed Kiss which went without any problem. But in my /etc/sysconfig/iptables are still the old rules (shouldn't be there something from KISS?). Should I delete the file or open the file and remove all lines ?

Thanks,
Kark

ProWebUK
01-10-2004, 05:46 PM
As mentioned above 'kiss stop' should flush your current rules.

Chris

kark
01-10-2004, 05:57 PM
Perhaps I don't understand the term "flush" correctly. If you say flush, you mean like "gone" or "deleted" right? At least, that is what I am thinking what flush means. If so; then it doesn't work. :)

ProWebUK
01-10-2004, 06:21 PM
Flush would mean.. flush your existing rules........ think of flushing it down your toilet - bad example :D

In seriousness, it's basically removing / dropping / flushing your current rules.

Chris

kark
01-10-2004, 06:32 PM
Hmm ... I still didn't understand it, so I googled a bit more. :)

So now I understand that if you 'Flush' IPtables the rules will be deleted but NOT from the file /etc/sysconfig/iptables. So if I want to use KISS I must call IPtables with the command KISS and not /etc/rc.d/init.d/iptables. Because at the moment when the server is rebooted /etc/rc.d/init.d/iptables is called (which is using the /etc/sysconfig/iptables rules). Am I correct on this ?

I'm a slow learner .. sorry :o

Thanks for the time,
Kamiel

ProWebUK
01-10-2004, 06:39 PM
Basically when you run 'kiss stop' it runs the following commands:

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F

That basically says accept all incoming connections and accept all outgoing connections, then remove any rules currently being used.

When you run kiss start it basically just adds the rules specified in the script to iptables. Nothing else is called by kiss.

Chris

kark
01-10-2004, 07:06 PM
Ok ... now I got it. I think. :)

Thanks!
Kark

ProHS
01-17-2004, 03:15 AM
Is APF or Kiss better?

ProWebUK
01-17-2004, 06:26 AM
I prefer KISS...... although I would say the 2 best software firewalls that are free - certainly KISS and APF. Take your pick :)

Chris

ProHS
01-17-2004, 06:42 AM
Well, do you know where I can get a list of their features? Like APF has an official web site where they list it.

ProWebUK
01-17-2004, 06:57 AM
http://rfxnetworks.net/apf.php

Chris

ProHS
01-17-2004, 07:05 AM
No, I mean the official web site for KISS; I was using APF as an example, but thank you.

ProWebUK
01-17-2004, 08:17 AM
http://www.geocities.com/steve93138/

Not really a list of features, there is some commenting on general lines in the kiss source......... take a look through that to get an idea also :)

Chris

ProHS
01-20-2004, 02:35 PM
Does KISS and/or APF run on FreeBSD?

ProWebUK
01-20-2004, 02:47 PM
If it has ifconfig iptables modprobe... (for KISS) you could try it and keep us informed with the results ;)

Chris

ProHS
01-20-2004, 04:02 PM
OK, I've been messing with it, but I will let you know if I get it to work.

ProHS
01-21-2004, 09:31 AM
Yeah, the KISS firewall will not work in FreeBSD because there is no /etc/rc.d/rc.local dir; well, /etc is in all Unix OSes of course, but not that whole path. When I did try to run it I got permission denied, and I tried changing the permissions and then it said unknown command. If anyone has been successful at getting it to work or has rewritten a KISS script, let me know; I would appreciate it, but for now I am going to try to get APF to work again.

ProWebUK
01-21-2004, 09:51 AM
Originally posted by ProHS
Yeah, the KISS firewall will not work in FreeBSD because there is no /etc/rc.d/rc.local dir

It's supposed to be a file, and that wouldn't really affect it anyway....... adding it in there simply gets it to start upon reboot (with RedHat anyway).

Chris

ProHS
01-21-2004, 09:55 AM
that gives me ideas then, will with it some more then.

toml
01-21-2004, 01:23 PM
Kiss and APF are IPtable based firewalls. FreeBSD uses something called IPfirewall, so the rules syntax would be different. That would mean you can't really use them on FreeBSD.

ProHS
01-21-2004, 01:39 PM
Yeah, I tried it; I noticed they were calling for different file paths and that it has to be written differently. Do any of you know of a FreeBSD firewall?

ProWebUK
01-31-2004, 03:34 PM
For the redhat 9 problems:

chmod 755 /usr/bin/kiss
kiss start

Runs as expected :)

Chris

S2S-Robert
02-17-2004, 12:52 PM
So how exactly does this BLOCK_LIST variable work?

If I want to block a certain IP, do I just add the IP to the block list? Or do I need to add a subnet mask as well?

And how about if I want to block more IPs, do I just add them there as well?

ProWebUK
02-17-2004, 02:33 PM
You can use it any way you specify IPs in other areas.

Multiple IP addresses (usually subnets):

Do not use the first example below (0.0.0.0/0)
BLOCK_LIST="0.0.0.0/0"

or you can use it with multiple IP addresses individually:

BLOCK_LIST="0.0.0.0 1.1.1.1 2.2.2.2"

or just 1 single IP:

BLOCK_LIST="0.0.0.0"

Chris

RTKS
02-23-2004, 11:40 PM
Originally posted by ProWebUK
For the redhat 9 problems:

chmod 755 /usr/bin/kiss
kiss start

Runs as expected :)

Chris

Hate to say it but I still get the "bad interpreter message" on my RH9 system. I checked and iptables is installed, nothing in the config file.

Any other ideas?

ProWebUK
02-24-2004, 05:52 AM
What ownership does the kiss file have? Have you tried running

/usr/bin/kiss start (rather than just kiss start)

Chris

RTKS
02-24-2004, 09:14 AM
Ownership was root. I say was because I finally uninstalled the "DA" version and installed the version direct from the KISS site and it worked fine.

ProWebUK
02-24-2004, 09:30 AM
The only difference between the one from the official page and this... is that a few variables are changed (ports added, and unwanted ports removed) - besides that the script is unchanged - you could just use the original and copy the ports list from this script over... that should work fine; if it doesn't then... I'm unsure!

Chris

hoobastank68
02-27-2004, 03:41 PM
I'd recommend everyone on RH9 get regular KISS, and use

BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"


as config for ports


The one listed kept giving me permission + can't interpret errors as well.

existenz
02-27-2004, 04:27 PM
Originally posted by ProHS
Yeah, I tried it; I noticed they were calling for different file paths and that it has to be written differently. Do any of you know of a FreeBSD firewall?

There are 2 kernel-level firewalls built into FBSD, IPfilter and ipfw. They are well covered in the handbook, but if you want I will post a How-To in a separate FBSD thread? I use ipfw more than I use IPfilter so it would be ipfw.

Basic rundown is you comment out the lines in the kernel for the firewall

Edit your /etc/rc.conf and turn on the firewall

Edit the /etc/rc.firewall and edit the rules.

That makes it seem easy but there is a TON more than that. Let me know and I will write a How-To...

ProWebUK
03-07-2004, 08:56 AM
New release available - fix for previous DNS problem with earthlink DNS servers.

Link is available from the main post.

Chris

existenz
03-07-2004, 11:01 AM
Chris,

Not to mess up your thread, but what turned out to be the problem with KISS? Just interested to know what he found...

ProWebUK
03-07-2004, 12:18 PM
I have not actually contacted the author as of yet. What has been said in the EV1 thread appears correct; I have seen numerous systems running kiss with those lines commented that have problems with Earthlink's DNS servers.

He has given valid reasons why you should keep them commented; however, as much as those comments may be valid, it *does* affect some DNS servers, which in my opinion shouldn't happen, and therefore that is my reasoning behind uncommenting the lines in the release I am offering.

I'm sure having the lines uncommented will provide advantages rather than disadvantages for KISS users here and on EV1. Since it's not my script nor do I have any contact with the author, I believe it's his responsibility to update or leave the script as it is.

All servers I am currently working on have the lines uncommented to fix the problem, all servers I work on in the future will have the lines uncommented and of course, all releases of the software I provide from here on in will have the lines uncommented :)

The *actual* problem is that Earthlink's DNS servers appear to use port 53 as a source port for DNS... in-depth details on the EV1 link :)

Chris

hoobastank68
04-16-2004, 02:46 PM
Hi,

Anyone know why KISS is blocking pings from all IPs except for the main IP? And how can I fix that? Thanks
:cool:

ProWebUK
04-16-2004, 03:16 PM
It's all commented in the script for you...

Chris

hoobastank68
04-16-2004, 04:46 PM
So where do I go to fix this? Can't seem to find it in pico..

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done



Thanks for your help.

ProWebUK
04-17-2004, 12:05 AM
Replace:



for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


with:



# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT


Chris

hoobastank68
04-17-2004, 02:31 PM
Hi,

I changed it to:

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT

##############################################################################



Kiss stop then start

I can still only ping the MAIN server IP, but the 2 DNS IPs and dedicated IPs I can't ping.

Any ideas? :confused:

ProWebUK
04-17-2004, 02:34 PM
Are you trying to ping your main ip or an additional IP?

Also make sure you don't have outgoing pings blocked on the machine you're pinging from.

Chris

hoobastank68
04-17-2004, 04:07 PM
Hi,

I can ping the main IP fine; I just want to be able to ping additional IPs on the server, such as the IPs used for separate accounts, DNS IPs etc..

:)

ProWebUK
04-18-2004, 01:09 AM
Replace the 1 line I specified above with:



for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


Let me know if it works ok :)

Chris

hoobastank68
04-18-2004, 11:09 AM
Originally posted by ProWebUK
Replace the 1 line I specified above with:



for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


Let me know if it works ok :)

Chris

I did:

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

##############################################################################

Still nothing :\

ProWebUK
04-18-2004, 11:27 AM
Can you ping these IPs when KISS is disabled, can you access the IPs through http or any other protocol?

The IPs you want are listed in your SERVER_IPS variable as well?

Chris

hoobastank68
04-18-2004, 11:39 AM
I can ping all IPs when kiss is off
I can ping the main IP only when kiss is on

I can access all IPs via http,


The IPs you want are listed in your SERVER_IPS variable as well?

All IPs are added inside DA: 1 is main, 2 are DNS, 1 is a dedicated IP for a site, and the 5th one is just not used.

ProWebUK
04-18-2004, 11:58 AM
At the top of the KISS file you should see a line

SERVER_IPS="0.0.0.0/0"

add your server IPs there, separated by a space: "1.2.3.4 1.2.3.4"

Chris

hoobastank68
04-18-2004, 12:14 PM
OK, I added the IPs and also:

# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
# comment out the previous setup if you want it in the future
#for trusted_ips in $TRUSTED_IPS; do
#$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT
#done

# allow anyone to ping this system
$IPTABLES -A INPUT -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT



Now I ping again, still won't work. :confused:
It's no big deal; if there isn't any fix for it I'll just live with it.

ProWebUK
04-18-2004, 05:12 PM
Once you add them to the SERVER_IPS variable, use the 3-line script I provided rather than the other...

for serverips in $SERVER_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


Chris

hoobastank68
04-20-2004, 03:43 PM
great, working now.

One more thing, now when I start kiss I get an error:

kiss start
/usr/bin/kiss: line 469: NEW: command not found


Any idea?

ProWebUK
04-20-2004, 06:47 PM
pico -w +469 /usr/bin/kiss

Paste that line and a few lines above it...

from the sounds of things you have added:

$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state
NEW -p icmp --icmp-type ping -j ACCEPT

rather than 1 line as it should be:

$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT

since the error says its trying to execute the command "NEW" which of course is just part of the --state flag used by iptables, not a bash command.

Chris

hoobastank68
04-22-2004, 03:50 PM
Thanks, I got it; there was a space, but somehow when I pasted it became 2 lines. Now it's fine.

sander815
05-06-2004, 03:19 AM
If I use the default config and don't add it to /etc/rc.d/rc.local, I will never be locked out of my box?

ProWebUK
05-06-2004, 10:01 AM
You should never be locked out of your box unless you take ssh out of the allowed ports, add your own IP to the blocklist or remove all IPs from the allowed IP list.

If you have SSH running on another port you will need to configure it, since it's only allowing port 22 for SSH by default.

Chris

sander815
05-07-2004, 12:59 AM
So, is it possible that you explain the kiss config a bit?

-BLOCK_LIST=""
block an ip from connecting to any port on the box?
-TCP_IN="21 25 53 80 110 143 443 2222"
?
-TCP_OUT="21 22 25 37 43 53 80 443"
?
-UDP_IN="53"
?
-UDP_OUT="53"
?
-TCP_IN_TRUSTED="22"
?
-TRUSTED_IPS="0.0.0.0/0"
Can I enter here the IPs I use to connect to the box? (Or better not, because my IP is not static.)

-SERVER_IPS="0.0.0.0/0"
?

ProWebUK
05-07-2004, 08:51 AM
Originally posted by sander815
So, is it possible that you explain the kiss config a bit?

-BLOCK_LIST=""
block an ip from connecting to any port on the box?

-TCP_IN="21 25 53 80 110 143 443 2222"
TCP Inbound ports

-TCP_OUT="21 22 25 37 43 53 80 443"
TCP Outbound ports

-UDP_IN="53"
UDP Inbound ports

-UDP_OUT="53"
UDP Outbound ports

-TCP_IN_TRUSTED="22"
TCP inbound ports only accessible by IP addresses listed in the TRUSTED_IPS var (22 - ssh)

-TRUSTED_IPS="0.0.0.0/0"
Can I enter here the IPs I use to connect to the box? (Or better not, because my IP is not static.) Yes, or leave the current option to allow all IP addresses to connect.

-SERVER_IPS="0.0.0.0/0"
All the IP addresses bound to your system can be listed here, although the current option works fine unless you want pings etc as discussed above.


?

All in the quote :)

Chris
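
The pieces discussed in this thread, put together as one dry-run script: the three commands Chris says kiss stop runs, a kiss start that builds rules from the variables explained in the quote above, the per-address ping loop from the earlier posts, and a preflight that refuses the three lockout conditions Chris named (the SSH port missing from both TCP_IN and TCP_IN_TRUSTED, SSH trusted-only with an empty TRUSTED_IPS, or 0.0.0.0/0 in BLOCK_LIST). This is an added example, not the KISS script or the DA release; the rule layout and the kiss_preflight, in_list and valid_cidr names are this example's own assumptions, and the addresses are constructed documentation ranges. IPTABLES defaults to echo, so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: KISS-style rule generation with a lockout preflight.
# Not the KISS script itself; the variable names follow the thread, the
# rule layout below is this example's own assumption.

# Constructed configuration (documentation addresses, not a real server).
BLOCK_LIST="198.51.100.7 203.0.113.0/24"
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="192.0.2.10"
SERVER_IPS="192.0.2.1 192.0.2.2"
SSH_PORT=22
IFACE="eth0"

# Dry run by default: every rule is printed, nothing is applied.
# Run with IPTABLES=/sbin/iptables as root to apply for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# True when $2 is one of the space-separated words in $1.
in_list() {
    for word in $1; do
        if [ "$word" = "$2" ]; then return 0; fi
    done
    return 1
}

# Accept a dotted quad with an optional /prefix, the forms -s and -d take.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Refuse the configurations the thread names as lockouts, before any
# existing rule is flushed, so a bad edit leaves the old firewall in place.
kiss_preflight() {
    for ip in $BLOCK_LIST; do
        valid_cidr "$ip" || { echo "bad BLOCK_LIST entry: $ip" >&2; return 1; }
        if [ "$ip" = "0.0.0.0/0" ]; then
            echo "BLOCK_LIST would block everyone" >&2; return 1
        fi
    done
    if in_list "$TCP_IN_TRUSTED" "$SSH_PORT"; then
        [ -n "$TRUSTED_IPS" ] || { echo "SSH is trusted-only but TRUSTED_IPS is empty" >&2; return 1; }
    elif ! in_list "$TCP_IN" "$SSH_PORT"; then
        echo "port $SSH_PORT is in neither TCP_IN nor TCP_IN_TRUSTED" >&2
        return 1
    fi
    return 0
}

# What the thread says 'kiss stop' runs: open both policies, then flush.
kiss_stop() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
}

# Build the rule set from the variables above. Order matters: blocked
# sources are dropped before any ACCEPT rule can match them.
kiss_start() {
    kiss_preflight || return 1
    kiss_stop
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $BLOCK_LIST; do
        $IPTABLES -A INPUT -i "$IFACE" -s "$ip" -j DROP
    done
    for port in $TCP_IN; do
        $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $TCP_IN_TRUSTED; do
        for ip in $TRUSTED_IPS; do
            $IPTABLES -A INPUT -i "$IFACE" -s "$ip" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
    for port in $UDP_IN; do
        $IPTABLES -A INPUT -i "$IFACE" -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $TCP_OUT; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $UDP_OUT; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # The per-address ping loop Chris posted above, over every bound IP.
    for ip in $SERVER_IPS; do
        $IPTABLES -A INPUT -d "$ip" -i "$IFACE" -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
    done
}

# Same start/stop arguments as the kiss script.
case "${1:-}" in
    start) kiss_start ;;
    stop)  kiss_stop ;;
esac
```

Run it as sh kissdemo.sh start to read the generated rule list before trusting it, then with IPTABLES=/sbin/iptables as root to apply. The ESTABLISHED,RELATED rules are what let the ping replies and the return traffic of every accepted connection through; without them a DROP policy on OUTPUT would cut the server off even with the right ports listed.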

deltaned
05-12-2004, 11:02 AM
Is there an option to see KISS is working OK, like an online scanner or something?

I doesent link new not welcome visits...

ProWebUK
05-12-2004, 11:16 AM
ping / telnet

"I doesent link new not welcome visits..."

What do you mean?

Chris

deltaned
05-12-2004, 11:44 AM
@ ProWebUK: I sent a PM

To close a port, on what option do I need to add it?
Or can I remove the port number on:
TCP_IN="21 25 53 80 110 143 443 2222"
TCP_OUT="21 22 25 37 43 53 80 443"

I don't use 443, so I'd like to close that port.

ProWebUK
05-12-2004, 11:57 AM
All ports are closed besides what's in the configs at the top of the script ;)

443 is the https://, so unless you don't use SSL you would be wanting that ;)

sander815
05-30-2004, 02:14 PM
Does kiss have some sort of DDoS protection like APF?

http://www.rfxnetworks.com/apf.php


- antidos subsystem to stop attacks before they become a significant threat

And does it support auto update for the dshield block list? kiss I mean

vandal
05-30-2004, 04:47 PM
Originally posted by phriendly-Mark
For those who use scripts that will message them by ICQ, AIM, or YAHOO (EG: system status monitor, ClientExec, etc)

^^ where can I get such scripts (the monitoring, clientexec and mostly the MSN script)

deltaned
05-31-2004, 11:49 AM
Maybe a bug in Kiss, but with kiss on you can't update DA.
Turn kiss off and update DA and there is no problem.
my KISS details:
BLOCK_LIST="Some IP adresses"
TCP_IN="21 25 53 80 110 143 2222"
TCP_OUT="21 22 25 37 43 53 80"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="myIPadres/0"

Tips to update DA without closing the firewall?

ProWebUK
05-31-2004, 12:00 PM
Originally posted by vandal
^^ where can i get such scripts (the monitoring, clientexec and mostly the MSN script)

You can use command line messenger clients, I would assume, although I don't have the exact information.

Chris

ProWebUK
05-31-2004, 12:02 PM
SERVER_IPS="0.0.0.0/0"

Try that...

Chris

deltaned
05-31-2004, 12:07 PM
Originally posted by ProWebUK
SERVER_IPS="0.0.0.0/0"

Try that...

Chris

I tried but it doesn't work.
Maybe because I blocked telnet?

ProWebUK
05-31-2004, 12:08 PM
Originally posted by sander815
does kiss have some sort of ddos protection like APF?

http://www.rfxnetworks.com/apf.php


- antidos subsystem to stop attacks before they become a significant threat

and does it support auto update for the dshield block list? kiss i mean

It has its own way of preventing DoS attacks, although it's of course not perfect; neither is the one for APF.

It doesn't have any support for dshield; you can incorporate it yourself if you wish, use any other block lists etc... by default the only blocks are what you specify.

Chris

ProWebUK
05-31-2004, 12:12 PM
Originally posted by deltaned
I tried but it doesn't work.
Maybe because I blocked telnet?

What error are you getting? Can you successfully connect to the DA website from your server? Can you update the license also...

Does it work when you turn the firewall off?

Chris

sander815
06-07-2004, 02:15 PM
If I don't want people pinging my machine, what do I do?


##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done


TRUSTED_IPS="0.0.0.0/0" <- change this in kiss?

ProWebUK
06-07-2004, 02:19 PM
Originally posted by sander815

for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

Comment out the part I've quoted ;)

Chris

sander815
06-08-2004, 12:39 PM
if i want to block a certain port for a certain ip connecting, what do i do?

ProWebUK
06-10-2004, 05:21 PM
Originally posted by sander815
if i want to block a certain port for a certain ip connecting, what do i do?

try:



iptables -I INPUT -s 111.111.111.111 --destination-port 22 -j DROP


ip/port

Chris

sander815
06-11-2004, 01:11 AM
do i just execute that at the prompt?

i get an error
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.

deltaned
06-16-2004, 12:41 PM
On my Fedora 2 machine I get this after the command: kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Tips?
The default firewall of Fedora is off.

nobaloney
06-16-2004, 02:05 PM
Do you have iptables implemented in your fedora core kernel?

Jeff

sander815
06-18-2004, 04:38 AM
Originally posted by sander815
do i just execute that at the prompt?

i get an error
[root@server1 apf]# iptables -I INPUT -s 212.xx.xx.xx--destination-port 53 -j DROP
iptables v1.2.7a: Unknown arg `--destination-port'
Try `iptables -h' or 'iptables --help' for more information.


please anyone? how do i use this?
i need to block a certain ip thats keeps connecting to port 53, like every 4-5 seconds, constantly

ProWebUK
06-18-2004, 08:21 AM
Try this one, again, untested



iptables -A INPUT -i eth0 -s *BLOCKIP* -d *SERVERIP* -p tcp -m state --state NEW --dport *PORT* -j DROP


Chris

Exzee
06-24-2004, 07:51 PM
I'm running Fedora Core 1 with Direct Admin. I haven't touched the server except for the DA installation.

This is the error I get when trying to run kiss:

Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Maybe I'm going off topic with this post, but how exactly do I install those modules if they "don't exist"?

Thanks in advance.

nobaloney
06-25-2004, 08:10 PM
check the following, logged in as root:

$ rpm -qa | grep iptables

Here's my results when I do this on my local desktop system:

[jlasman@da1 nobaloney.net]$ rpm -qa | grep iptables
iptables-1.2.5-3
iptables-ipv6-1.2.5-3
[jlasman@da1 nobaloney.net]$

Your results may differ.

What do you get?

Jeff

Exzee
06-25-2004, 08:24 PM
[root@server root]# rpm -qa | grep iptables
iptables-1.2.8-13
iptables-1.2.9-1.0
[root@server root]#

nobaloney
06-25-2004, 08:34 PM
Then I have no idea :( .

Have you tried asking on the Fedora users' list?

Jeff

Exzee
06-25-2004, 08:50 PM
Nope. I thought someone here would probably know what's wrong.

nobaloney
06-25-2004, 08:54 PM
Perhaps, but since it's not DA specific, but Fedora specific, I'd think you'd stand a better chance there.

You can join here (http://www.redhat.com/mailman/listinfo/fedora-list).

Jeff

ProWebUK
06-25-2004, 08:55 PM
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.o

Output?

Chris

Exzee
06-25-2004, 09:03 PM
[root@server root]# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.o /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.o
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ip_tables.o: No such file or directory
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ipt_state.o: No such file or directory
ls: /lib/modules/2.4.26-HN-1.6-i686/kernel/net/ipv4/netfilter/ipt_multiport.o: No such file or directory
[root@server root]#

ProWebUK
06-25-2004, 09:09 PM
I'll get you the information you need in the morning, but it will involve compiling a kernel, and adding specific modules... try using up2date to check if there's a new kernel there also, as the redhat kernels should already have the support... that may just be a quick fix :)

Chris

Exzee
06-27-2004, 04:08 PM
I sent the problem to the Fedora list. I'm just waiting for their reply now.

deltaned
07-18-2004, 09:57 AM
Hi,

Do you have an reply from the list?
I have the same problem...

Exzee
07-18-2004, 12:29 PM
They suggested a kernel upgrade. It's quite a process (basically what ProWebUK said).

deltaned
07-18-2004, 12:40 PM
I tried updating to the new kernel, but no reaction from kiss.
I use the firewall of Fedora Core 2 and after "playing" with the options I have everything working and secured now (I hope)

mdoens
08-03-2004, 12:21 PM
is the first post the latest available script or are there updates for the DA version? do i have to check things before i install? (redhat9)

skruf
08-03-2004, 12:35 PM
Hey,

These are the changes I made for RH9 to the kiss file:
The install puts it here: /usr/bin/kiss
Be sure to back it up before changing anything.

Under this section:

# ALL DONE WITH CONFIGURATIONS!

I added this line:

IFCONFIG="/sbin/ifconfig"

And under this section:

# Determine MAIN_IP & SERVER_IPS if needed

I changed this:

MAIN_IP=`ifconfig eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`

to this:

MAIN_IP=`$IFCONFIG eth0 | grep inet | cut -d: -f2 | awk '{print $1}'`

Basically, I just changed ifconfig to be a variable so I could set its path.

David

mdoens
08-03-2004, 12:48 PM
and you used the customized DA-kiss script? do i need to change anything else in the config file?

skruf
08-03-2004, 12:50 PM
Hey,

Yes, I used the customized DA-kiss script...

Yes, that's the only changes I made.

David

ProWebUK
08-04-2004, 08:57 AM
since the problem is with the path (ifconfig rather than /sbin/ifconfig) my guess is you are logging in as root using:

su

rather than:

su -

Chris

nobaloney
08-04-2004, 10:01 AM
Originally posted by skruf
The install puts it here: /usr/bin/kiss
That's not really a good place for it.

It's a local addition, designed to be run only by a systems administrator.

My guess is it should be in /usr/local/sbin.

But what do I know :) .

I admin a lot of systems and I don't want to install it each time.

So I have one copy on my desktop system, and I just copy it in, and install it on, each new server.

If you'd like a copy, let me know by email (NOT by private message). My email address is in my sig.

If you get it, be sure to read my notes; it may require changes depending on your environment, but they're all well documented.

I agree with Chris that if you're properly logged in as root (either by direct login, or by "su -") then you won't need the path to ifconfig.

Jeff
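As an added example (not KISS's own code, and not something any poster in this thread wrote), here is a more robust replacement for the MAIN_IP pipeline quoted in skruf's post. It reads ifconfig output on stdin so it can be checked offline, matches only IPv4 "inet" lines (the original "grep inet" also matches the "inet6" line, so MAIN_IP can end up holding two values), accepts both the old "inet addr:1.2.3.4" and the newer "inet 1.2.3.4" layouts, and takes the path to ifconfig as a parameter defaulting to /sbin/ifconfig, which sidesteps the "su" versus "su -" PATH problem Chris and Jeff describe. The two sample outputs are constructed for the example, not captured from a real host.

```shell
# ipv4_from_ifconfig  < ifconfig-output
# Prints the first IPv4 address found on an "inet" line, or prints nothing
# and returns 1 when there is none (e.g. "Device not found" output).
ipv4_from_ifconfig() {
    awk '
        $1 == "inet" {
            v = $2
            sub(/^addr:/, "", v)          # old net-tools: "inet addr:1.2.3.4"
            if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print v; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# main_ip IFACE [IFCONFIG]
# Runs ifconfig for the given interface. IFCONFIG defaults to /sbin/ifconfig
# so the result does not depend on whether root's PATH contains /sbin.
main_ip() {
    iface="$1"; ifc="${2:-/sbin/ifconfig}"
    "$ifc" "$iface" 2>/dev/null | ipv4_from_ifconfig
}

# Constructed sample outputs (hypothetical addresses) for the two layouts:
OLD_STYLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
NEW_STYLE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>'

# Demo: both layouts yield the same address; a missing interface yields nothing.
printf '%s\n' "$OLD_STYLE" | ipv4_from_ifconfig
printf '%s\n' "$NEW_STYLE" | ipv4_from_ifconfig
```

In KISS the corresponding line would become MAIN_IP=`main_ip eth0` (or whatever the VPS calls its interface), and the script's existing "Could not determine MAIN_IP" abort then fires on an empty result instead of on garbage.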

skruf
08-04-2004, 01:32 PM
Hey,


since the problem is with the path (ifconfig rather than /sbin/ifconfig) my guess is you are logging in as root using:

su

rather than:

su -


Damn, hate when that happens... That was it.


That's not really a good place for it.

I just left it where it was placed...

This is the first time I used it and future use probably won't include tarring it on the server. (Like you mentioned.)

Obviously, there are no changes needed like I mentioned above...

Unless of course, like me, you're trying to learn a little script writing...

David

lnguyen
08-05-2004, 05:58 PM
Is there a BFD equivalent for KISS?

hostcini
01-07-2005, 09:28 AM
Link is broken :(

nobaloney
01-07-2005, 07:42 PM
Which link?

I have a copy of Kiss specifically designed to work on DA servers in a hosting environment.

If enough people need it and can't get it from the original site, I'll post it on my download pages.

Jeff

hostcini
01-08-2005, 04:01 AM
Thanks , first post link is dead.

But I downloaded the file from rfxnetwork, then installed it, and everything is ok.

sander815
03-30-2005, 01:59 AM
i still have probs with ftping when kiss is running, in passive mode, what am i doing wrong?



##############################################################################
#
# Optional KISS Configuration Variables:
#
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222 10000"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"

nobaloney
03-31-2005, 12:28 AM
Kiss requires a module installed for your kernel:

if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o" ]; then
$MODPROBE ip_conntrack_ftp
fi

Is ip_conntrack_ftp.o available for dynamic loading on your server?

Jeff

sander815
03-31-2005, 12:54 AM
uhm, i think so?:
[root@server01 mysql]# locate ip_conntrack_ftp.o
/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
[root@server01 mysql]#

nobaloney
03-31-2005, 01:14 AM
What version of Linux?

Jeff

sander815
03-31-2005, 01:36 AM
RH 9

nobaloney
03-31-2005, 10:05 AM
At first glance I don't see any problem.

If you want a "free as in beer" solution you might want to post on a forum specializing in the kiss firewall, or contact the author.

Or if you know or want to learn the details of iptables, you could try a good Linux help group; isp-linux.com or isp-webhosting.com are probably good places to start.

Or perhaps use a consultant (hopefully one who guarantees results) to resolve the issue for you.

Jeff

noneym
04-09-2005, 06:53 AM
Link is broken

nobaloney
04-12-2005, 12:10 AM
What link?

What are you looking for?

Jeff

resolveit
04-12-2005, 09:59 AM
Hi Jeff,

They are referring to the link in the first post to download the Kiss Firewall. The link is no longer valid.

Regards,
Onno

nobaloney
04-15-2005, 10:09 PM
Has anyone found another location, or should I post it and change the first post?

Jeff

@how@
04-25-2005, 10:31 AM
any body have link :confused:

nobaloney
04-25-2005, 07:03 PM
I found it at the original location here (http://www.geocities.com/steve93138/).

My version modified to work with DirectAdmin and with Plesk PSA, and also with some optional changes (read the code) for ModernBill, can be found here (http://www.nobaloney.net/downloads/kiss/).

Jeff

@how@
04-26-2005, 05:25 AM
Thanks man :D

@how@
04-26-2005, 06:12 AM
Is it recommended to configure the firewall to trusted IP addresses/subnets, or to not install it and finish? :confused:

Avenueduweb
04-26-2005, 11:07 AM
jlasman's kiss version doesn't run on Fedora (Core 3). I've modified the script to run on this OS. If you want, download the modified jlasman kiss version here:

http://www.avenueduweb.org/scripts/kiss

Bye.

nobaloney
04-28-2005, 06:35 PM
I should probably do a diff and figure out what's wrong with the original.

I guess I'll have to take the time unless you can tell me in a few words what the differences were.

Since I'm busy as a ... (well you know what I mean), can you ?

Thanks :)

Jeff

Avenueduweb
04-29-2005, 07:03 AM
The problem is the links for ip_tables, ipt_state, ipt_multiport. In your script you test whether the modules exist, and the links are ip_tables.o, ipt_state.o and ipt_multiport.o, but to run on Fedora the links must be ip_tables.ko, ipt_state.ko and ipt_multiport.ko, and with that it's running. My modification is:


# Note: KISS requires that ip_tables, ipt_state, and ipt_multiport exist:
if [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] || [ ! -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!"
exit 1
fi

# All is well, load modules:
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
$MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
$MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
$MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
$MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
$MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
$MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
$MODPROBE iptable_filter
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
$MODPROBE ipt_unclean
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
$MODPROBE ipt_limit
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko" ]; then
$MODPROBE ipt_LOG
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
$MODPROBE ipt_REJECT
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
$MODPROBE ip_conntrack
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
$MODPROBE ip_conntrack_irc
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
$MODPROBE ip_conntrack_ftp
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
$MODPROBE iptable_mangle
fi

Sorry for my bad English, it's very difficult for me to explain that in English ;o). Thanks for your script jlasman. Bye.

nobaloney
05-01-2005, 09:40 PM
It's not my script; I found it on the 'net after reading about it in these forums.

I made a few line changes.

Are you saying that by default Fedora doesn't load/install the proper kernel modules? That's the impression I get from your post.

I suppose I can try your fixes to see if they work with other flavors of Linux and if they do issue one fixed version, but I'd like to get your response first.

Thanks.

Jeff

linuxlearner
05-31-2005, 09:21 PM
I found the thread that mentions about the error Avenueduweb said ".o" and ".ko"

http://forum.ev1servers.net/showthread.php?t=36733&page=4&pp=25

flumps
03-03-2008, 03:55 AM
has anyone managed to get KISS to work on a Debian OS? I'm running Debian 4.0 and every time I go to run it I get:

Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!


iptables is installed I think, because I get the following output when using iptables -L:


Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

any ideas?

I've played around with:




# Enabled this for Pre Fedora Core 2 or Red Hat
#EXTN="o"
# Enabled this for Fedore Core 2 or later
EXTN="ko"


still no joy :(

nobaloney
03-04-2008, 07:30 PM
I think you may have to recompile the kernel with those modules compiled in.

But I'm not sure :(.

Jeff

flumps
03-08-2008, 05:06 AM
I could try a different firewall, anything different other than kiss?

iceuk626
03-08-2008, 08:24 AM
You can try APF, but that's iptables based as well. I think you may have to compile a new kernel with the correct modules.

eConcept-Web
03-13-2008, 11:48 AM
hi, I have a problem with kiss. My OS is Fedora Core 6 and I followed the first post to install kiss. When I try the kiss start command, I receive this message:

[root@220915 bin]# kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
[root@220915 bin]#

When I do kiss stop to flush the rules I receive this:

[root@220915 bin]# kiss stop
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


DA-KISS Firewall - Stopped!

I also added my 10 IP addresses to SERVER_IPS="0.0.0.0/0" like this: SERVER_IPS="ip1.ip1.ip1.ip1 ip2.ip2.ip2.ip2 ip3.ip3.ip3.ip3 ..." without the /0

Any solutions for this? Thx all :)

eConcept-Web
03-14-2008, 08:14 AM
I will try to recompile the kernel with the ip_table :) thx for the support and the previous post :)

mikegrungey
05-12-2008, 12:19 AM
Hi there. After looking around I decided to try out KISS. But then I got this error. I'm running a VPS using CentOS 5.

Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Is it because my admin didn't install it?

when I run iptables -L it gives me:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

How can I solve this problem? Thanks

nobaloney
05-12-2008, 09:17 AM
You should contact your VPS provider to see if they offer support for those modules. Both KISS and APF require them.

Jeff

Jackiegoal
06-28-2008, 04:04 AM
Tried it, getting the same issues about the ip_tables, ipt_state, and/or ipt_multiport modules. In the script it checks, for example, for the existence of the file /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_tables.o. I checked for it and the file exists. However, it has a .ko extension. I'm a bit shy to try and bluntly change .o into .ko in the config file, so I thought I'd ask it here first.

nobaloney
06-28-2008, 01:03 PM
The latest version of KISS allows you to set once and it will work with either .ko or .o.

But you can safely change them.

KISS doesn't have a config file. All changes are made directly in the runfile.

Jeff

Jackiegoal
06-30-2008, 02:16 AM
So it's safe to say I don't have the latest version? Then where do I get that as KISS is now blocking my FTP traffic due to the fact that multiple .ko files are not where it expects them to be (in this case ip_conntrack_ftp.ko I guess)?

Jackiegoal
06-30-2008, 02:41 AM
I can answer my own question. I seem to have the latest DA-KISS, but KISS is now in v2.1. It does still refer to the ip_conntrack_ftp file. I don't have it! I only have some nf_conntrack_ftp file, but I don't know whether that's the same.

Jackiegoal
07-02-2008, 07:42 AM
It still doesn't work. I can't find a definitive answer on nf_conntrack_ftp.

spoonfed
07-05-2008, 02:32 AM
Hello, i just installed KISS using jeff's version (http://www.nobaloney.net/downloads/kiss/kiss)
When trying to start it for the first time i got this error:


Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

iptables is there but stopped; I stopped it yesterday when I thought it might be blocking DA. iptstate I installed with "yum install iptstate" and it seems to have worked; ipt_multiport isn't something that yum can find to install.

I ran locate on it and found something, so it seems to be installed:

[root@flipper ~]# locate ipt_multiport
/lib/iptables/libipt_multiport.so
/usr/include/linux/netfilter_ipv4/ipt_multiport.h


Any ideas why KISS won't start? iptables won't start now either; it doesn't give any errors when running start or restart, but when I check its status it just says Firewall is stopped.

Any help appreciated here.

nobaloney
07-05-2008, 10:32 AM
The contents of iptables may be deleted; in CentOS boxes the file is at /etc/sysconfig/iptables.

When kiss gives us that error it's always been on a VPS box.

VPS boxes often don't have the right kernel modules actually installed, but it could be an old or specially configured kernel as well.

Jeff

spoonfed
07-05-2008, 11:09 AM
Yeah, there's no iptables file in that directory, there is an iptables-config file there though.

Any solution to the problem? I found these files named iptables; I tried copying the first one to the directory you said and now when I try to start iptables it at least gives an error :)



[root@flipper sysconfig]# service iptables start
Applying iptables firewall rules: iptables-restore: line 12 failed
[FAILED]


Files
/etc/rc.d/init.d/iptables
/lib/iptables
/sbin/iptables

nobaloney
07-06-2008, 12:43 PM
You have iptables on your server. You need a set of rules that work. Mine won't work for you because they're created from kiss. Perhaps someone else can give you a set of rules that you can try.

Anyone?

Jeff

spoonfed
07-07-2008, 03:46 AM
Thanks for trying to help but I got some assistance from smtalk to install a firewall, he went with APF instead of KISS so i'm all set now. :)

NoBaloney2
07-09-2008, 09:16 PM
I've found the issue; in the later kernel versions some modules have been replaced with newer ones: specifically modules beginning with ipt have been replaced with modules beginning with xt.

I've placed more recent versions at my download page, here (http://www.nobaloney.net/downloads/kiss/).

Jeff
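The module-name churn discussed in this thread (Avenueduweb's .o to .ko change, the EXTN="o"/"ko" switch flumps tried, and Jeff's note above that ipt_ modules became xt_ modules) is all the same problem: KISS aborts on a fixed path instead of asking whether the functionality is present under any of its names. As an added example (not KISS's code, and not Jeff's or anyone else's version of it), the functions below locate a netfilter module under either extension and either naming scheme, so the "modules do not exist" abort only fires when the module is really absent. MODDIR and XTDIR default to the running kernel's tree; the xt_ modules live under net/netfilter rather than net/ipv4/netfilter, which is why both directories are searched.

```shell
# Directory for the ip_/ipt_ modules (2.4 and early 2.6 kernels) and for the
# xt_ modules (later 2.6 kernels). Both may be overridden for testing.
MODDIR="${MODDIR:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}"
XTDIR="${XTDIR:-/lib/modules/$(uname -r)/kernel/net/netfilter}"

# find_nf_module NAME
# Prints the path of the first matching module file and returns 0, or
# prints nothing and returns 1. An ipt_FOO request also accepts xt_FOO,
# and .ko, compressed .ko and old-style .o extensions are all tried.
find_nf_module() {
    name="$1"
    case "$name" in
        ipt_*) alt="xt_${name#ipt_}" ;;   # ipt_state -> xt_state, ipt_multiport -> xt_multiport
        *)     alt="" ;;
    esac
    for dir in "$MODDIR" "$XTDIR"; do
        for n in "$name" $alt; do
            for ext in ko ko.xz ko.gz o; do
                if [ -e "$dir/$n.$ext" ]; then
                    echo "$dir/$n.$ext"
                    return 0
                fi
            done
        done
    done
    return 1
}

# check_required_modules NAME...
# Returns 0 only if every named module was found; lists the missing ones
# on stderr so the abort message says *which* module is absent.
check_required_modules() {
    missing=""
    for m in "$@"; do
        find_nf_module "$m" >/dev/null || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "missing netfilter modules:$missing" >&2
        return 1
    fi
    return 0
}

# load_if_present NAME: modprobe a module only when it exists on disk,
# the same pattern KISS uses, but name-agnostic. MODPROBE is assumed.
MODPROBE="${MODPROBE:-/sbin/modprobe}"
load_if_present() {
    find_nf_module "$1" >/dev/null && "$MODPROBE" "${1#ipt_}" 2>/dev/null || "$MODPROBE" "$1" 2>/dev/null || true
}
```

In KISS the three-way test at the top of the script would become a single check_required_modules ip_tables ipt_state ipt_multiport, followed by the script's existing abort message when it fails; the per-module "if [ -e ... ]; then $MODPROBE ...; fi" blocks reduce to one load_if_present call each. Note that on a VPS, as Jeff says, the modules may simply not be offered by the host kernel, and no path juggling will change that.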

youds
08-02-2008, 11:22 AM
kiss start
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!

I get the above with a clean/fresh CentOS 5.2 64bit install

youds
08-02-2008, 11:31 AM
I've found the issue; in the later kernel versions some modules have been replaced with newer ones: specifically modules beginning with ipt have been replaced with modules beginning with xt.

I've placed more recent versions at my download page, here (http://www.nobaloney.net/downloads/kiss/).

Jeff

This script solved the problem for me. Thanks

UserName
09-02-2008, 10:30 PM
We installed KISS on a CentOS 5.2 64 bit unmanaged server and received the "KISS is running message".

We then started to download DDOS Deflate and the server froze. Now we cannot connect to the server at all - DA or ssh. Reboot did not resolve the issue.

Any ideas before I have to ask the host to reinstall the OS? :(

edit: no ports are open when I scan the IP.

littleoak
09-03-2008, 04:05 PM
Why would you have your host reinstall the OS? Have them log in via the console and:

iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Have you tried sshing to the server with another IP address?

UserName
09-03-2008, 04:23 PM
The host ran:

/etc/init.d/iptables stop

but the problem returned shortly afterwards and I'm locked out again.

littleoak
09-03-2008, 05:15 PM
It sounds as though you're running two firewalls at once. That is not normal behavior for iptables. I recommend you get someone to take a look at your server.

UserName
09-03-2008, 07:12 PM
I have iptables and KISS. Do I have to stop or flush iptables before using KISS?
(this is my 1st dedicated)

nobaloney
09-05-2008, 06:05 AM
No; the first thing KISS does is flush the tables.

Jeff

AndyII
05-06-2009, 07:11 AM
I have quite a few banned IPs and would like to know how to ban a complete set, like
IP 123.456.789.123, I want to ban all in the range 123.xxx.xxx.xxx
or 123.456.xxx.xxx
every once in a while I will get multiple hits trying ssh, so I ban each IP.
a) Can KISS be setup to "Auto Ban" after x attempts ?
b) Are there any sets of IPs that are known bad and can be added just to be on the safe side?

nobaloney
05-07-2009, 01:22 PM
a) no. For that you may want to use APF+BFD.

b) Yes, but you'll have to decide which ones. For example, you may want to block China; I don't.

Jeff

AndyII
08-31-2009, 07:09 PM
After seeing many attempts from a single IP I would add to host.deny, or in the KISS block list but sometimes they never return so it seems fruitless.
went on a google search and found this, could this be added to KISS in the config?

How to deter SSH brute force login attacks with iptables



Using the iptables recent module it's easy to stop ssh login brute force attacks. Every time a tcp connection to our ssh daemon is torn down, we update our temporary list of IPs connecting to our ssh daemon. If the same IP connects more than 4 times during 60 seconds, it will be blocked. Adjust --hitcount and --seconds to fit your needs.

iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK --dport 22 -m recent --name sshattack --set

iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags RST RST --dport 22 -m recent --name sshattack --set

iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit --limit 4/minute -j LOG --log-prefix 'SSH attack: '

iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP

AndyII
09-02-2009, 07:46 AM
anyone know how to have DA auto add offending IP's/hosts to the host.deny?
I dont have Python installed , seen a possible script that would work but needs Python.
The post above, seems like a good idea, where x attempts in x time, it would stop the 50 or so bursts I'm getting , like this one

Sep 2 06:57:10 srv2 sshd(pam_unix)[4898]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:11 srv2 sshd(pam_unix)[4900]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:14 srv2 sshd(pam_unix)[4904]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root
Sep 2 06:57:15 srv2 sshd(pam_unix)[4906]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.115.100.144 user=root


found yet another much simpler code and want to add to KISS

#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

nobaloney
09-04-2009, 12:55 PM
Try APF+BFD; it already does this.

Jeff

AndyII
09-13-2009, 11:34 AM
Thank you Jeff,

doesn't seem that the author is around anymore :confused:
almost ready to abort KISS and try your recommendation of APF+BFD

littleoak
09-13-2009, 02:37 PM
I would stop using KISS. It needs to be updated to be useful.

nobaloney
09-15-2009, 12:29 PM
KISS is exactly what the name implies. A simple firewall. If you need more features, then definitely install something else, or do your firewalling manually.

What doesn't KISS do that you want?

Jeff

AndyII
09-15-2009, 12:41 PM
Correct KISS is great as a simple FW and it works, I just wanted an addition of code to the iptables to drop excessive attempt on shell, the code I found looks like it would do that, I am not sure where to insert it or if it needs tweaking to be right.

#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
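Both brute-force snippets in this thread (the four-rule "sshattack" version quoted earlier and the two-rule "SSH" version just above) rely on the iptables recent match. As an added example, not KISS code and not either of the quoted snippets, here is the two-rule idea wrapped as a function with a rate-limited LOG rule in between, so that a throttled source shows up in the kernel log instead of vanishing silently; interface, port, window and threshold are parameters, and setting IPTABLES to "echo" previews the rules without touching the live firewall. The rules must be appended before KISS's generic ACCEPT for the port (iptables stops at the first matching rule), which is consistent with AndyII's report that placing them in the syn-flood section, ahead of the port ACCEPTs, worked.

```shell
IPTABLES="${IPTABLES:-/sbin/iptables}"

# ssh_ratelimit_rules IFACE PORT SECONDS HITCOUNT
# Records every new connection to PORT per source address in the "SSH"
# recent list, then logs and drops a source once it has opened HITCOUNT
# connections within SECONDS.
ssh_ratelimit_rules() {
    iface="$1"; port="$2"; seconds="$3"; hits="$4"
    # 1. record the source address of each new connection attempt
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --set --name SSH
    # 2. log when the threshold is reached; -m limit keeps the log itself
    #    from being flooded by the very burst it is reporting
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$seconds" --hitcount "$hits" --rttl --name SSH \
        -m limit --limit 3/min -j LOG --log-prefix "SSH-RATELIMIT: "
    # 3. drop the excess; --rttl additionally requires the packet's TTL to
    #    match the one recorded, so a burst with a spoofed source address
    #    cannot be used to lock out the real owner of that address
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$seconds" --hitcount "$hits" --rttl --name SSH \
        -j DROP
}

# preview_rule_count [IFACE] [PORT]
# Number of rules a dry run would install; runs in a subshell so that
# IPTABLES=echo does not leak into the caller.
preview_rule_count() {
    ( IPTABLES=echo; ssh_ratelimit_rules "${1:-eth0}" "${2:-22}" 60 8 ) | wc -l | tr -d ' '
}

# Dry run: print the three rules instead of installing them.
( IPTABLES=echo; ssh_ratelimit_rules eth0 22 60 8 )
```

With the thread's values (60 seconds, 8 hits) the eighth new connection from one address inside a minute is logged and dropped, which matches the "7 tries before ending" AndyII observed; the list entry expires on its own, so there is nothing to clean out of hosts.deny afterwards.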

AndyII
09-19-2009, 03:50 PM
well I tried myself, didn't break anything, (the code above)
had another ssh attempt, usually have a hundred tries, this one was 28 and then stopped, don't know if they gave up on their own or if the new rule had something to do with it.
I placed the code in where the commented out "Provide some syn-flood protection" is, started kiss and have this listed in kiss output

W recent: SET name: SSH side: source
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NE W recent: UPDATE seconds: 60 hit_count: 8 TTL-Match name: SSH side: source

I would believe it would only give 8 tries in 60 seconds, did I place in the wrong area in KISS?

AndyII
09-20-2009, 09:10 AM
So it seems to work :rolleyes:
I like it better than having to add daily to the hosts.deny
several more attempts were made and they got 7 tries before ending.:)

nobaloney
09-21-2009, 07:55 PM
You didn't say where you put it. So hard to say if it's in the right place or not :).

If it works at all, then I say it's working; if it were in the wrong place it wouldn't work at all.

Where did you put it?

Don't forget that KISS is simply an interface to iptables, which is an interface to the kernel's netfilter. So when you do a KISS status all you're really doing is a printout of the current iptables configuration as set by KISS and/or anything else.

Jeff

AndyII
09-21-2009, 09:39 PM
Sorry Jeff,
did bury it a little in the other post :o

I placed the code in where the commented out "Provide some syn-flood protection" is

nobaloney
09-21-2009, 09:50 PM
Should be good then :).

Jeff

seachen
10-22-2009, 12:37 AM
http://optimum-servers.com/downloads/DirectAdmin/kiss2-1.2.tar.gz this link is not working...

AndyII
10-22-2009, 09:53 AM
Check the 1st post, or just get it here :rolleyes:

http://www.geocities.com/steve93138/kiss-2.2.tar.gz



http://optimum-servers.com/downloads/DirectAdmin/kiss2-1.2.tar.gz this link is not working...

roly
01-15-2010, 03:55 AM
hi

i'm having a problem with receiving pings to my main server ip. if i stop kiss i can receive them without a problem.

i have the following for my trusted ip's:

TRUSTED_IPS="0.0.0.0/0"

and this line further down the script:


# Allow pinging of this server's MAIN_IP by trusted IPs only.

for trusted_ips in $TRUSTED_IPS; do
$IPTABLES -A INPUT -d $serverips -i eth0 -m state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

but when kiss is running i can't ping the server, has anyone got any ideas what the problem is?

thanks in advance

roland

nimafire
01-17-2010, 12:33 AM
can anyone tell me why install kiss when csf has good options? we can work with it in the directadmin panel, not ssh and ....

tnx

nobaloney
01-17-2010, 11:33 AM
I use KISS because it's simple. And generally once you install it you never have to configure it again.

You yourself write in another thread that you're having problems with CSF. Except for the very occasional issue you just install KISS, start it, and it runs.

To each his/her own.

:)

Jeff

nimafire
01-18-2010, 04:00 AM
I use KISS because it's simple. And generally once you install it you never have to configure it again.

You yourself write in another thread that you're having problems with CSF. Except for the very occasional issue you just install KISS, start it, and it runs.

To each his/her own.

:)

Jeff

because we can manage and configure csf with the directadmin panel.
for example APF: some users use it. as i see, most linux (hosting) servers use csf

nobaloney
01-18-2010, 12:26 PM
As I wrote, to each his/her own. This is not a thread for bashing kiss; it's a thread for explaining it and helping people use it.

Jeff

nimafire
01-19-2010, 08:43 AM
hello on my vps its my output:

[root@box updatescript]# kiss restart
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!

nobaloney
01-23-2010, 10:51 AM
Generally a VPS doesn't have an eth0. Figure out what your VPS calls its network interface, and then make changes to KISS.

Jeff

floyd
05-20-2010, 08:38 AM
There is no ipt_multiport.ko or ipt_state.ko on any of my CentOS 5.5 systems. I need those files to use KISS. How do I get those files?

nobaloney
05-20-2010, 11:02 AM
Try this (http://www.nobaloney.net/downloads/kiss/kiss.kernel-2.8.16-and-newer) [nobaloney.net] version; it runs on my 5.4 systems, and requires xt_ files instead of ipt_ files.

Jeff

floyd
05-20-2010, 11:16 AM
Thanks, it works.

Scott DeLeury
05-21-2010, 08:26 PM
I found another location to download v2.2 of Kiss, though Jeff's is probably the better one to use...

http://www.indotek.com/kiss/kiss-2.2.tar.gz

Taken from the instructions found on this page: http://www.indotek.com/kiss/

nobaloney
05-22-2010, 01:50 PM
Steve wrote it, so it's likely his version at indotek.com is more up-to-date. However mine (which I only change as necessary) has ports open for webhosting on various systems using various billing packages.

I'm sure both will work, and I'm just as sure that you may need to make minor changes to either for them to work for you.

Jeff

nimafire
05-23-2010, 05:52 AM
do you have any idea (kiss option) to block ddos and protect the server from this attack ?

nobaloney
05-23-2010, 02:06 PM
While you can block individual IP#s attacking you, KISS is much too simple to block most DDOS attacks by itself. DDOS attacks are very hard to block. You might get some good information from this article (http://linuxgazette.net/126/cherian.html) (linuxgazette.net).

Jeff

daveyw
05-23-2010, 06:44 PM
do you have any idea (kiss option) to block ddos and protect the server from this attack ?

You should use a Hardware-Firewall instead of Software-Firewall to block/protect DDoS.

nimafire
05-24-2010, 02:43 AM
You should use a Hardware-Firewall instead of Software-Firewall to block/protect DDoS.

I mean the kiss config file.
For example csf has some rules like disable in/out ping or .... .

nimafire
06-16-2010, 10:10 AM
hi,
What is the advantage of kiss to APF?
What is your opinion, as an expert, of the strengths and weaknesses of this firewall?
Because you stress this firewall so much, I want to know whether this project is progressing, and why you support this program?

nobaloney
06-16-2010, 10:47 AM
The above post was originally directed to me in a private message, so I'll take the liberty of being the first to respond.

I prefer KISS because of its simplicity. For some people it may be too simple, because it doesn't automatically check for attacks and attempt to stop them.

The advantage of it is that it just works for me and for many others for whom I install it. It hasn't changed much in years, except to keep up with the names of the modules it has to check for, as the module names have been changed in various updated kernels.

I continue to maintain it and use it, and the up-to-date copies I maintain here (http://www.nobaloney.net/downloads/kiss/) should work on DirectAdmin servers. Note that you may need to make some changes depending on specific needs you have for certain ports to be open or closed, but the script is well documented and is easy to change.

It's a simple shell script and simply calls iptables. But for most of us it's much simpler than using either other firewall scripts or programming iptables directly.

Note I did NOT have anything to do with writing it.

Jeff

walo
06-17-2010, 01:54 PM
i requested this to be part of directadmin core, but they ignore it.
Kiss is just an iptables manager, VERY easy to integrate with directadmin.
Once you are sure everything is ok, add the following line to the end of /etc/rc.d/rc.local

/usr/bin/kiss start

There is no need to do this. Iptables will start with the same rules after reboot.

walo
06-17-2010, 01:57 PM
hi,
What is the advantage of kiss to APF?
What is your opinion, as an expert, of the strengths and weaknesses of this firewall?
Because you stress this firewall so much, I want to know whether this project is progressing, and why you support this program?

Kiss is just a script to handle iptables.
I recommend using kiss on servers and an external hardware firewall for the whole network.

nimafire
06-18-2010, 02:36 AM
And how can i install it?
because in mr jlasman's directory :

kiss.kernel-2.8.16-and-newer
kiss.older-master

no installer or sh file.

tnx

nobaloney
06-18-2010, 10:54 AM
i requested this to be part of directadmin core, but they ignore it.
Kiss is just an iptables manager, VERY easy to integrate with directadmin.
But it only works on Linux. It won't work on FreeBSD. So if it were to be integrated into DirectAdmin it would require something else for FreeBSD and a bit more complexity in installing and maintaining DirectAdmin.

There is no need to do this. Iptables will start with the same rules after reboot.
I don't see any kiss in code to output the commands to the iptables files. Do you?

Jeff

nobaloney
06-18-2010, 10:54 AM
And how can i install it?
Read the file. The top lines tell you how to install it.

Jeff

nimafire
06-18-2010, 12:52 PM
Read the file. The top lines tell you how to install it.

Jeff

mkdir /usr/local/sbin/kiss
chmod 700 root:root /usr/local/sbin/kiss
wget http://www.nobaloney.net/downloads/kiss/kiss.kernel-2.8.16-and-newer

am i right?

nobaloney
06-20-2010, 12:24 PM
I install the file as /usr/local/sbin/kiss, not in a directory of that name.

Then I chmod it 700, and make sure the ownership is root.

Jeff

nimafire
06-21-2010, 04:33 AM
Hi,
i want to install it on openvz VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!

nobaloney
06-21-2010, 08:16 AM
Many VPS servers forward ethernet as a different name besides eth0. To find out what yours uses, run:

$ ifconfig

Jeff

nimafire
06-21-2010, 08:34 AM
[root@da bin]# kiss status
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]# chown 700 kiss
[root@da bin]# kiss start
-bash: /usr/bin/kiss: Permission denied
[root@da bin]#

nobaloney
06-23-2010, 08:30 AM
Did you modify the permissions as shown at the top of my file?

Jeff

nimafire
06-23-2010, 10:30 AM
now i receive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!

floyd
06-23-2010, 10:31 AM
Hi,
i want to install it on openvz VPS:

[root@da bin]# kiss status
eth0: error fetching interface information: Device not found
Could not determine MAIN_IP. Firewall script aborted!

Everywhere you see eth0 use venet0 instead.

nobaloney
06-23-2010, 10:57 AM
now i receive this error:


[root@da sbin]# kiss start
Since the ip_tables, xt_state, and/or xt_multiport modules do not exist, KISS can not function. Firewall script aborted!

Is iptables installed? Does it work?

Use my other version to see if that works. Otherwise you may be using a kernel with a completely different set of modules. In that case you'll either need to figure it out on your own, use a different firewall, or contract with someone to log into your server to fix it for you.

We can do that; however we do charge for the service.

Jeff
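The two failures in this thread (an OpenVZ VPS whose interface is venet0 rather than eth0, and a kernel that ships xt_state/xt_multiport instead of ipt_*) can be checked before touching KISS. The pre-flight below is an added example, not KISS code and not from any poster here; the interface preference order and the module directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not KISS code and not from any post in this thread.
# Pre-flight for the two failures above: a VPS whose interface is venet0
# instead of eth0, and a kernel shipping xt_* modules instead of ipt_*.

# first_present "cand1 cand2 ..." "have1 have2 ...": print the first candidate
# that also appears in the second list; exit status 1 if none does.
first_present() {
    for cand in $1; do
        for have in $2; do
            [ "$cand" = "$have" ] && { echo "$cand"; return 0; }
        done
    done
    return 1
}

# detect_iface: eth0 as KISS expects, then the OpenVZ name, then en*/em* names
# (the order is an assumption). Reads /sys/class/net, so no ifconfig needed.
detect_iface() {
    have=$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')
    extra=$(echo "$have" | tr ' ' '\n' | grep -E '^(en|em)' | tr '\n' ' ')
    first_present "eth0 venet0 $extra" "$have"
}

# main_ip IFACE: first global IPv4 address on IFACE (what KISS calls MAIN_IP).
main_ip() {
    ip -4 -o addr show dev "$1" scope global 2>/dev/null |
        awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# module_file MODDIR NAME: path of xt_NAME.ko* or ipt_NAME.ko* below MODDIR
# (newer kernels use the xt_ prefix, older ones ipt_); exit 1 if neither exists.
module_file() {
    for name in "xt_$2" "ipt_$2"; do
        path=$(find "$1" -name "$name.ko*" 2>/dev/null | head -n 1)
        [ -n "$path" ] && { echo "$path"; return 0; }
    done
    return 1
}

# preflight MODDIR: what "kiss start" would find, e.g. preflight /lib/modules/$(uname -r)
preflight() {
    iface=$(detect_iface) || { echo "no usable interface (eth0/venet0/en*)"; return 1; }
    echo "interface: $iface  main ip: $(main_ip "$iface")"
    for m in state multiport; do
        module_file "$1" "$m" >/dev/null || { echo "missing: xt_$m / ipt_$m"; return 1; }
    done
    echo "modules ok"
}
```

Whatever detect_iface prints is the name to substitute for eth0 in the KISS script; whatever module_file finds tells you whether the xt_ or the ipt_ version of KISS matches your kernel.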

AndriesLouw
11-15-2010, 03:08 AM
Jlasman: Could you create, or modify the existing DA-KISS, to support IPv6 (and specific ip6tables)?

nobaloney
11-15-2010, 09:06 AM
Unfortunately I don't have IPv6 either in my office or my datacenter, so I can't test anything, and therefore I don't have the ability right now. I'll look into what I can do, but I have no idea how long it might take.

Are any of the firewalls currently used and discussed in these forums working yet with IPv6?

Jeff

AndriesLouw
11-16-2010, 03:42 AM
Currently I'm using the following script for IPv6, like I use KISS itself:

#!/bin/sh -e
#
# Simple example IPv6 Firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces
#   if you want to restrict this to only a given interface use
#   '-i INTERFACE' in the ip6tables calls.
# - Remote access for TCP/UDP services is granted to any host,
#   you probably will want to restrict this using '--source'.
#
# description: Activates/Deactivates the firewall at boot time
#
# You should test this script before applying with safe-restart option
#

IP6TABLES=/sbin/ip6tables
#IP6TABLES="/sbin/ip6tables -i eth0"

[ -x "$IP6TABLES" ] || exit 1

# Inbound TCP ports
TCP_INPUT_PORTS="21 22 25 80 443"

# Inbound UDP ports
UDP_INPUT_PORTS=""

# Allowed ICMP messages
ALLOWED_ICMP="\
packet-too-big \
destination-unreachable \
time-exceeded parameter-problem \
echo-request \
echo-reply \
router-advertisement \
neighbour-solicitation \
neighbour-advertisement"

fw_start () {
    # Allow related and established connection.
    $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow ICMP as defined in ALLOWED_ICMP
    if [ -n "$ALLOWED_ICMP" ] ; then
        for ICMP_TYPE in $ALLOWED_ICMP; do
            $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
        done
    fi

    # Open allowed TCP ports if any
    if [ -n "$TCP_INPUT_PORTS" ] ; then
        for PORT in $TCP_INPUT_PORTS; do
            $IP6TABLES -A INPUT -m state --state NEW -p tcp --dport ${PORT} \
                -j ACCEPT
        done
    fi

    # Open allowed UDP ports if any
    if [ -n "$UDP_INPUT_PORTS" ] ; then
        for PORT in $UDP_INPUT_PORTS; do
            $IP6TABLES -A INPUT -m state --state NEW -p udp --dport ${PORT} \
                -j ACCEPT
        done
    fi

    # DNS (TCP and UDP 53) is always open
    $IP6TABLES -A INPUT -p tcp --dport 53 -j ACCEPT
    $IP6TABLES -A INPUT -p udp --dport 53 -j ACCEPT

    # Allow traffic to the loopback (needed by some applications)
    $IP6TABLES -A INPUT -i lo -j ACCEPT

    # Reject all other packets (the LOG rule and DROP policy variant are left commented out).
    $IP6TABLES -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    #$IP6TABLES -A INPUT -j LOG
    #$IP6TABLES -P INPUT DROP

    # Reject all packets to be forwarded, we're not a router...
    $IP6TABLES -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
    #$IP6TABLES -A FORWARD -j LOG
    #$IP6TABLES -P FORWARD DROP

    # We're not going to filter outgoing packets
    # but you can if you're paranoid like I am...
    $IP6TABLES -P OUTPUT ACCEPT
}

# fw_stop disables completely the firewall and reset all chains to
# the default policy ACCEPT
fw_stop () {
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P PREROUTING ACCEPT
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT
    $IP6TABLES -t mangle -P INPUT ACCEPT
    $IP6TABLES -t mangle -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P FORWARD ACCEPT
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}

# fw_clear remove the rule set from the firewall and keep the
# current default policy
fw_clear () {
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}

case "$1" in
    start|restart)
        echo -n "Starting IPv6 firewall.."
        fw_clear
        fw_start
        echo "done."
        ;;
    stop)
        echo -n "Stopping IPv6 firewall.."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing IPv6 firewall rules.."
        fw_clear
        echo "done."
        ;;
    test|safe-restart)
        echo -n "Safely restarting IPv6 firewall..."
        fw_clear
        fw_start
        # If nobody answers within 10 seconds (e.g. we locked ourselves out),
        # fall back to fw_stop. "|| true" is needed because the script runs
        # with -e and a timed-out read returns non-zero, which would otherwise
        # abort the script before fw_stop runs.
        test=""; read -t 10 -p "Is it still OK? " test || true
        [ -z "$test" ] && fw_stop
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|safe-restart|clear}"
        exit 1
        ;;
esac

exit 0


But it is far from perfect, maybe someone could finish it..

P.S.: The safe-restart feature I use here, would be wonderful to have in KISS too!