First off, I really REALLY like CSF. It's an awesome piece of work! Thank you so much for creating and supporting it!
One small suggestion that would be really useful: CSF already allows me to limit outgoing SMTP connections to specific users and groups (SMTP_ALLOWUSER and SMTP_ALLOWGROUP). It would be very handy if the same type of exceptions could be made for all outgoing TCP connections. In other words, users/groups in the exception list would be able to make outbound connections to ports that are not listed in TCP_OUT. An even better solution would be a way to have a "restricted" list for this purpose. In other words, everyone can make outgoing connections to ports in TCP_OUT but only "allowed" users could make outgoing connections to ports in TCP_RESTRICTED (or whatever). For still more bonus points, getting notified whenever a non-allowed user tried to create an outgoing connection to a restricted port would help me find malicious scripts as soon as they run.
My motivation: I recently discovered one of the websites on my server had been compromised and was being used as a proxy for attacking other servers (trying to bruteforce passwords). I would like to block outgoing connections to port 80 and 443, but that breaks a lot of stuff (cPanel, csf, Wordpress) that rely on hitting URLs to check/download updates. If I could block outgoing connections to port 80 and 443 for all users except root, cpanel, etc, I'd sleep better at night. Wordpress still wouldn't be able to update automatically, but I could live with that.
Thanks again!
-- Sam
Suggestion: Limit outbound TCP by UID
-
ForumAdmin
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Suggestion: Limit outbound TCP by UID
You should already be able to do this using Advanced Allow/Deny Filters. If you have a look in the readme.txt you'll see an example of UID rule creation.
Re: Suggestion: Limit outbound TCP by UID
I overlooked that, thanks!
I've modified csf.conf to block outbound connections to ports 80 and 443, then added a few lines to csf.allow so root, cpanel and a few other users can get to ports 80 and 443. So far so good!
However, if I could allow all users to access ports 80 and 443 on a few select FQDNs, everything would be awesome! I've tried to add rules to csf.dyndns to allow all users to establish outbound connections to port 80 on wordpressDOTorg (for example) but it doesn't seem to work. I've tried this:
but outgoing connections are still blocked. I've set DYNDNS to "600" in my csf.conf file but that doesn't seem to change anything.
Am I misunderstanding this feature completely or am I just doing it wrong? Any help would be appreciated!
I've modified csf.conf to block outbound connections to ports 80 and 443, then added a few lines to csf.allow so root, cpanel and a few other users can get to ports 80 and 443. So far so good!
However, if I could allow all users to access ports 80 and 443 on a few select FQDNs, everything would be awesome! I've tried to add rules to csf.dyndns to allow all users to establish outbound connections to port 80 on wordpressDOTorg (for example) but it doesn't seem to work. I've tried this:
Code: Select all
tcp|out|d=80|d=wordpressDOTorg
tcp|out|d=443|d=wordpressDOTorg
Am I misunderstanding this feature completely or am I just doing it wrong? Any help would be appreciated!