Why /usr/local/vesta/data/firewall/chains.conf is overwritten each time system is rebooted??
I've detected that the file /usr/local/vesta/data/firewall/chains.conf is restored to its default content each time the system is rebooted.
Is that usual? Why is it overwritten?
I've detected it on a CentOS 7 64-bit fresh install with the default Vesta installation.
Re: Why /usr/local/vesta/data/firewall/chains.conf is overwritten each time system is rebooted??
I answer my own question: v-add-firewall-chain overwrites the file on boot,
but... what's the problem? The problem is that all service ports (except vestaport) are hardcoded in that file, so if you have changed the default ports of services like ssh, ftp, etc. (to improve your server security), v-add-firewall-chain will create chains with the incorrect port... and because of this, fail2ban won't block any attack!
I think that ports should not be hardcoded in any script, or at least the script should check the service's config file to see whether the port has been changed; this is done in v-update-firewall for ssh, for example:
Another option could be to use the file /usr/local/vesta/data/firewall/ports.conf to read the ports, so if a user changes any service port, they should update this file too by editing the service port.
```bash
# Preserving chain: append the chain to chains.conf unless it is already listed
chains=$VESTA/data/firewall/chains.conf
check_chain=$(grep "CHAIN='$chain'" "$chains" 2>/dev/null)
if [ -z "$check_chain" ]; then
    echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> "$chains"
fi
```
```bash
# Checking known chains: every port except VESTA's is a fixed literal here
case $chain in
    SSH)   port=22; protocol=TCP ;;
    FTP)   port=21; protocol=TCP ;;
    MAIL)  port='25,465,587,2525,110,995,143,993'; protocol=TCP ;;
    DNS)   port=53; protocol=UDP ;;
    WEB)   port='80,443'; protocol=TCP ;;
    DB)    port='3306,5432'; protocol=TCP ;;
    VESTA) port=$vestaport; protocol=TCP ;;
    *)     check_args '2' "$#" 'CHAIN PORT' ;;
esac
```
```bash
# Checking custom OpenSSH port: read the first "Port" directive from sshd_config
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
# Only rewrite the rule when the value is numeric and differs from the default 22
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22" ]; then
    sed -i "s/PORT='22'/PORT='$sshport'/" "$rules"
fi
```
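A small check for the failure mode described in this post, written as an added example (not Vesta's own code): it reads the port sshd is really configured for, the same way v-update-firewall does, and compares it with the PORT recorded for the SSH chain in chains.conf, so a hardcoded 22 left behind after a reboot is flagged before fail2ban silently stops blocking. File paths are parameters, and the sshd_config and chains.conf it runs against here are constructed samples.

```sh
#!/bin/sh
# Added example, not Vesta's own code: detect the mismatch between the port
# sshd really listens on and the SSH chain that v-add-firewall-chain writes
# into chains.conf with a hardcoded PORT='22'.

# Port sshd is configured for: first uncommented "Port" directive, else 22.
detect_ssh_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" 2>/dev/null | head -1 | awk '{print $2}')
    case "$p" in
        ''|*[!0-9]*) echo 22 ;;
        *) echo "$p" ;;
    esac
}

# PORT value recorded for a chain in chains.conf (empty if the chain is absent).
chain_port() {
    grep "CHAIN='$2'" "$1" 2>/dev/null | head -1 | sed -n "s/.*PORT='\([^']*\)'.*/\1/p"
}

# Compare the SSH chain with sshd's real port; prints OK or MISMATCH.
check_ssh_chain() {
    want=$(detect_ssh_port "$1")
    have=$(chain_port "$2" SSH)
    if [ "$want" = "$have" ]; then
        echo "OK: SSH chain matches sshd port $want"
    else
        echo "MISMATCH: SSH chain PORT='$have' but sshd listens on $want"
    fi
}

# Constructed sample files: sshd moved to 2222, chains.conf still the default.
make_samples() {
    mkdir -p "$1"
    printf '# sshd_config (constructed)\n#Port 22\nPort 2222\n' > "$1/sshd_config"
    printf "CHAIN='SSH' PORT='22' PROTOCOL='TCP'\nCHAIN='FTP' PORT='21' PROTOCOL='TCP'\n" > "$1/chains.conf"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
check_ssh_chain "$sample_dir/sshd_config" "$sample_dir/chains.conf"
```

Point the two arguments at /etc/ssh/sshd_config and /usr/local/vesta/data/firewall/chains.conf to run it against a live server after a reboot.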