Why /usr/local/vesta/data/firewall/chains.conf is overwritten each time system is rebooted??

General questions about VestaCP
pabbae
Posts: 23
Joined: Fri Feb 03, 2017 6:58 pm

Os: CentOS 6x
Web: apache + nginx
Why /usr/local/vesta/data/firewall/chains.conf is overwritten each time system is rebooted??

Post by pabbae » Sat Dec 01, 2018 8:26 pm

I've detected that the file /usr/local/vesta/data/firewall/chains.conf is restored to its default content each time the system is rebooted.

Is that usual? Why is it overwritten?

I've detected it on a CentOS 7 64-bit fresh install with a default Vesta installation.

pabbae
Posts: 23
Joined: Fri Feb 03, 2017 6:58 pm

Os: CentOS 6x
Web: apache + nginx
Re: Why /usr/local/vesta/data/firewall/chains.conf is overwritten each time system is rebooted??

Post by pabbae » Sun Dec 02, 2018 4:14 pm

I'll answer my own question: v-add-firewall-chain overwrites the file on boot:

Code:

# Preserving chain
chains=$VESTA/data/firewall/chains.conf
check_chain=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
if [ -z "$check_chain" ]; then
    echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
fi
But... what's the problem?? The problem is that all service ports (except vestaport) are hardcoded in that file, so if you have changed the default ports of services like ssh, ftp, etc. (to improve your server security), v-add-firewall-chain will create chains with the incorrect port... and because of this, fail2ban won't block any attack!

Code:

# Checking known chains
case $chain in
    SSH)        port=22; protocol=TCP ;;
    FTP)        port=21; protocol=TCP  ;;
    MAIL)       port='25,465,587,2525,110,995,143,993'; protocol=TCP  ;;
    DNS)        port=53; protocol=UDP  ;;
    WEB)        port='80,443'; protocol=TCP  ;;
    DB)         port='3306,5432'; protocol=TCP  ;;
    VESTA)      port=$vestaport; protocol=TCP  ;;
    *)          check_args '2' "$#" 'CHAIN PORT' ;;
esac
I think that ports should not be hardcoded in any script, or at least the script should check the service's config file to see if the port has been changed; this is done in v-update-firewall for ssh, for example:

Code:

# Checking custom OpenSSH port
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
    sed -i "s/PORT='22'/PORT='$sshport'/" "$rules"
fi
Another option could be to use the file /usr/local/vesta/data/firewall/ports.conf to read the ports, so if a user changes any service port, they should update this file too, editing the service port.
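The approach the post describes, as an added example that is not Vesta's own code: the SSH chain's port is read from sshd_config (falling back to 22) instead of being hardcoded, and the chain is appended to chains.conf only when it is not already recorded, so fail2ban-driven chains end up on the real port. The sshd_config and chains.conf used here are constructed sample files in a temp directory; the FTP/WEB defaults and the helper names are assumptions.

```shell
#!/bin/bash
# Added example, not code from the Vesta project. Demonstrates resolving a
# firewall chain's port from the service config rather than a hardcoded value.

# Constructed sample inputs so the script runs offline.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SSHD_CONFIG="$WORKDIR/sshd_config"   # stands in for /etc/ssh/sshd_config
CHAINS="$WORKDIR/chains.conf"        # stands in for data/firewall/chains.conf
printf 'Port 2222\nPermitRootLogin no\n' > "$SSHD_CONFIG"   # custom SSH port
: > "$CHAINS"

# Port for the SSH chain: first 'Port' directive if numeric, else default 22.
ssh_port() {
    p=$(grep '^Port ' "$SSHD_CONFIG" | head -1 | cut -d ' ' -f 2)
    case "$p" in
        ''|*[!0-9]*) echo 22 ;;
        *)           echo "$p" ;;
    esac
}

# "PORT PROTOCOL" for a known chain; SSH is looked up, the rest are
# assumed defaults. Unknown chains fail (non-zero exit).
chain_port() {
    case "$1" in
        SSH) echo "$(ssh_port) TCP" ;;
        FTP) echo "21 TCP" ;;
        WEB) echo "80,443 TCP" ;;
        *)   return 1 ;;
    esac
}

# Record CHAIN/PORT/PROTOCOL unless that chain is already in chains.conf
# (same "Preserving chain" check as v-add-firewall-chain, with quoting).
add_chain() {
    chain=$1
    spec=$(chain_port "$chain") || return 1
    port=${spec% *}; proto=${spec#* }
    if ! grep -q "CHAIN='$chain'" "$CHAINS" 2>/dev/null; then
        echo "CHAIN='$chain' PORT='$port' PROTOCOL='$proto'" >> "$CHAINS"
    fi
}

# Port currently recorded for a chain in chains.conf (empty if absent).
recorded_port() {
    sed -n "s/^CHAIN='$1' PORT='\([^']*\)'.*/\1/p" "$CHAINS"
}

add_chain SSH; add_chain SSH; add_chain WEB   # second SSH call is a no-op
cat "$CHAINS"
```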

