opusjack
Jan 20 2004, 10:10 PM
Great post, Steve! The script is working like a charm.
I did have to un# the DNS entries; like the others stated, Earthlink nameservers (ns1.earthlink.net etc.) could not resolve my DNS entries for some reason. All other nameservers seemed fine.
Also, for those of you who might fear locking yourselves out: I created this little cron job to stop the firewall after 5 mins. I uncomment it when testing changes; that way the firewall is stopped automatically:
(in /etc/crontab)
#0-59/5 * * * * root sh /root/kiss/kissstop
kissstop is simply the kiss script with the stop parameter hard-coded, i.e. the start/status code removed:
(kissstop segment)
# Arguments: Stopping the script in case we mess up and lock ourselves out.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -L -n
echo ""
echo ""
echo -e "\033[31mKISS My Firewall - Stopped!"   # \033[31m = red text
echo -e -n "\033[0m "                            # \033[0m = reset colour
echo ""
exit 0
Again, thanks Steve!
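A variant of the same lockout safety net that needs no crontab edit, added here as an example (it is not opusjack's cron job and not part of KISS; the function names and the canary file are my own): a background timer runs the stop command after a delay unless you confirm the new rules first. The stop command is passed in, so it can be the `sh /root/kiss/kissstop` from the post above.

```shell
#!/bin/sh
# Lockout safety net for testing firewall changes (added example, not the
# cron job above; function names and the canary file are my own).
# start_safety_timer DELAY CMD [ARG...] arms a background timer that runs CMD
# after DELAY seconds unless confirm_rules is called first.  The handshake is a
# "canary" file: the timer only fires while the canary still exists, and
# confirm_rules deletes it, so there is no race with killing processes.

start_safety_timer() {
    delay=$1
    shift
    SAFETY_CANARY=$(mktemp) || return 1
    (
        trap '' HUP            # survive the SSH session that may get locked out
        sleep "$delay"
        if [ -f "$SAFETY_CANARY" ]; then
            rm -f "$SAFETY_CANARY"
            "$@"               # e.g. sh /root/kiss/kissstop
        fi
    ) &
    SAFETY_PID=$!
    echo "safety timer armed: '$*' runs in ${delay}s unless confirm_rules is called"
}

# confirm_rules: the new rule set is known good (for instance you could open a
# fresh ssh session), so disarm the timer.
confirm_rules() {
    if [ -n "$SAFETY_CANARY" ] && [ -f "$SAFETY_CANARY" ]; then
        rm -f "$SAFETY_CANARY"
        echo "safety timer disarmed"
        return 0
    fi
    echo "nothing to disarm: timer already fired or was never armed" >&2
    return 1
}

# wait_for_timer: block until the background timer has finished.
wait_for_timer() {
    wait "$SAFETY_PID" 2>/dev/null
}

# Typical session, with the kissstop script from the post above:
#   . ./kiss-safety.sh
#   start_safety_timer 300 sh /root/kiss/kissstop
#   sh /root/kiss/kiss start
#   ...open a second ssh session to prove you are not locked out...
#   confirm_rules
```

The `trap '' HUP` matters: if the rules do lock you out and the ssh session that started the timer is dropped, the shell sends SIGHUP to its jobs, and a timer that died with the session would defeat the purpose. Cron does not have that problem, which is one argument for opusjack's approach on a box you administer only over ssh.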
Ronny
Jan 22 2004, 12:43 PM
This is really important; does no one know the answer to my problem?
busybee
Jan 24 2004, 08:01 PM
I installed Kiss 2.0 yesterday. It was amazingly simple and a great script.
I have noticed one difference it makes in performance with streaming files. I've tested this with and without the firewall, so I am sure it's directly related to this.
For a RealPlayer audio file I have, for example, the following code in HTML:
Whether the .rpm file contains a pnm:// or rtsp:// link, it's still slow. With the firewall on it takes about 80 seconds to begin playing the audio of a 140kb .rm file. With the firewall off it takes less than 10 seconds to begin playing.
Does anyone have ideas on how to change the configuration so that streaming is not slow?
joelmoss
Feb 5 2004, 05:15 AM
I am trying to use CURL on a server that has KISS2 installed, but it won't let me. What port should I specify in KISS to enable CURL to work through the firewall?
denvercg
Feb 12 2004, 10:18 AM
I have installed Kiss and everything worked great, until ev1 support needed to SSH to my box. They recommended that I add the following IPs to my trusted list: 207.218.193.* and 203.193.165.*. That did not work. Can someone help me with the format to list these ranges of IPs?
Thank you.
Carol
busybee
Feb 12 2004, 11:11 AM
There's no documentation so I'm just guessing. Leave off the .* part, i.e.:
207.218.193 203.193.165
denvercg
Feb 12 2004, 11:50 AM
Hello busybee,
I have made the change and it does list the ev1 IPs, but it fills the third position with 0s. Here is what it does:
ACCEPT tcp -- 207.218.0.193
ACCEPT tcp -- 203.193.0.165
It should be:
207.218.193.all range 0.255
203.193.165.all range 0.255
Am I right?
This will allow only the IPs 207.218.0.193 and 203.193.0.165.
I do not think this is going to work.
I have tried 207.218.193/0 and 203.193.165/0. This configuration did not give me an error, but it did not list these IPs as ACCEPT. We had better find an answer to this problem or a lot of you will run into the same problem when you need ev1 support.
Any other ideas?
Thank you.
Steve
Feb 16 2004, 01:15 AM
207.218.193/24 203.193.165/24
ehost
Feb 16 2004, 02:42 PM
QUOTE
Kiss 2.0
I have installed Kiss 2.0 and have had many problems since. After a while my users cannot access their sites. Urchin stops loading, cPanel for sites does not load, etc. Every time I disable Kiss everything works fine.
This is one of the related threads I found.
Kiss 2.0 is acting this way on all of my servers as well.
I am using RH 7.3 + iptables 1.2.8 ....
I really don't know what to say about this....
denvercg
Feb 16 2004, 07:35 PM
QUOTE
Originally posted by ehost
This is one of the related threads I found.
Kiss 2.0 is acting this way on all of my servers as well.
I am using RH 7.3 + iptables 1.2.8 ....
I really don't know what to say about this....
I have switched to APF Firewall. It is working great, easy to install and configure. Try it.
Hello Steve,
Thank you for the reply. In APF I have entered the IPs for ev1 the following way:
207.218.193.0/24 203.193.165.0/24
Thank you again.
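The two failed attempts above are the two classic ways a trusted-IP entry silently means something other than intended: iptables reads the three-octet form 207.218.193 as 207.218.0.193 (as the listing shows), and a /0 mask matches every source address, so "207.218.193/0" does not restrict the rule to ev1 at all. The following is an added example, not part of the KISS script (function names are my own): a small sh checker that rewrites the a.b.c.* form support hands out into the CIDR form Steve gave and refuses the spellings that would widen the rule. Entries are space-separated, as in the lists above.

```shell
#!/bin/sh
# Normalise and sanity-check KISS TRUSTED_IPS / SERVER_IPS entries
# (added example, not part of the KISS script; function names are my own).
# Accepts "a.b.c.d", "a.b.c.d/nn" and the "a.b.c.*" form ev1 support hands out,
# and refuses the spellings that iptables quietly turns into something else.

# normalise_trusted_ip ENTRY -> prints the CIDR form; returns 1 with a reason on stderr
normalise_trusted_ip() {
    entry=$1
    case $entry in
        *,*)
            echo "reject '$entry': entries are separated by spaces, not commas" >&2
            return 1 ;;
        */0)
            # a zero-length mask matches every source address, so the rule
            # would accept the whole Internet, not the network you named
            echo "reject '$entry': /0 matches every address" >&2
            return 1 ;;
        *.*.*.\*)
            printf '%s\n' "${entry%.\*}.0/24" ;;   # 207.218.193.* -> 207.218.193.0/24
        *.*.*.*/*)
            printf '%s\n' "$entry" ;;               # already CIDR
        *.*.*.*)
            printf '%s/32\n' "$entry" ;;            # single host
        *.*.*/* | *.*.*)
            # three octets are read as a.b.0.c (207.218.193 -> 207.218.0.193)
            echo "reject '$entry': three octets are read as a.b.0.c; write ${entry%%/*}.0/24" >&2
            return 1 ;;
        *)
            echo "reject '$entry': not an IPv4 address" >&2
            return 1 ;;
    esac
}

# validate_trusted_ips "LIST": normalise every space-separated entry;
# returns 1 if any entry was rejected so a start script can refuse to load.
validate_trusted_ips() {
    status=0
    for e in $1; do
        normalise_trusted_ip "$e" || status=1
    done
    return $status
}

# Example run: the two spellings that failed in the thread and the one that works.
validate_trusted_ips '207.218.193.* 203.193.165/0 207.218.193.0/24' \
    || echo "fix the rejected entries before starting the firewall"
```

Running `validate_trusted_ips "$TRUSTED_IPS" >/dev/null || exit 1` near the top of the script is enough to make the "/0" and three-octet mistakes fail loudly instead of producing an ACCEPT-everything or ACCEPT-nobody rule.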
kanarde
Feb 18 2004, 03:56 PM
If anyone has tried KISS on Slackware you probably got this error message:
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Well... I did some digging and found that ip_tables.o is ip_tables.o.gz in Slack. So I made some modifications to KISS 2.0 to take this into account. I also added the ability to alter which interface KISS uses.
Steve, if you want, I can send it to you so you can look at my simple little hacks.
madmax
Feb 24 2004, 02:45 PM
removed by MadMax
madmax
Feb 24 2004, 05:11 PM
removed by MadMax
madmax
Feb 26 2004, 10:22 AM
Is there any way to block this type of DoS attack? This cracker was trying to break in through FTP about 300+ times.
Feb 24 12:15:33 server5 proftpd[18342]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18340]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18341]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18337]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18339]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18342]: server5. (crackers IP address) - no such user 'qwerty'
Feb 24 12:15:33 server5 proftpd[18340]: server5. (crackers IP address) - no such user 'asdf'
Feb 24 12:15:33 server5 proftpd[18341]: server5. (crackers IP address) - no such user 'asdf'
Feb 24 12:15:33 server5 proftpd[18337]: server5. (crackers IP address) - no such user 'username'
Feb 24 12:15:33 server5 proftpd[18339]: server5. (crackers IP address) - no such user 'james'
Feb 24 12:15:33 server5 proftpd[18342]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18340]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18341]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18337]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18339]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18344]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18345]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18346]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18347]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18343]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18344]: server5. (crackers IP address) - no such user 'zxcvb'
Feb 24 12:15:34 server5 proftpd[18345]: server5. (crackers IP address) - no such user 'zxcvb'
Feb 24 12:15:34 server5 proftpd[18346]: server5. (crackers IP address) - no such user 'qwerty'
Feb 24 12:15:34 server5 proftpd[18347]: server5. (crackers IP address) - no such user '123'
Feb 24 12:15:34 server5 proftpd[18343]: server5. (crackers IP address) - no such user 'qwerty'
Feb 24 12:15:34 server5 proftpd[18344]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18345]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18346]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18347]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18343]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18348]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18349]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18350]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18351]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:34 server5 proftpd[18348]: server5. (crackers IP address) - no such user '12345'
Feb 24 12:15:34 server5 proftpd[18349]: server5. (crackers IP address) - no such user 'michael'
Feb 24 12:15:34 server5 proftpd[18350]: server5. (crackers IP address) - no such user 'jacob'
Feb 24 12:15:34 server5 proftpd[18351]: server5. (crackers IP address) - no such user 'matthew'
Feb 24 12:15:34 server5 proftpd[18348]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18349]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18350]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:34 server5 proftpd[18351]: server5. (crackers IP address) - FTP session closed.
Feb 24 12:15:35 server5 proftpd[18352]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:35 server5 proftpd[18353]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:35 server5 proftpd[18354]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:35 server5 proftpd[18355]: server5. (crackers IP address) - FTP session opened.
Feb 24 12:15:35 server5 proftpd[18352]: server5. (crackers IP address) - no such user 'christopher'
Feb 24 12:15:35 server5 proftpd[18353]: server5. (crackers IP address) - no such user 'nicholas'
Feb 24 12:15:35 server5 proftpd[18354]: server5. (crackers IP address) - no such user 'austin'
Feb 24 12:15:35 server5 proftpd[18355]: server5. (crackers IP address) - no such user 'joshua'
Feb 24 12:15:35 server5 proftpd[18352]: server5. (crackers IP address) - FTP session closed.
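One way to turn a log like the one above into something a daily report or a deny list can act on, added here as an example (not from the thread): an awk filter that counts proftpd "no such user" lines per client per minute and prints the sources above a threshold. The sample lines are constructed for the example, with the documentation address 192.0.2.10 standing in for the redacted cracker's address; the client field is assumed to appear as `host[ip]` inside the parentheses, as in the constructed lines.

```shell
#!/bin/sh
# Flag bursts of failed FTP logins in a proftpd log (added example).
# Usage: failed_ftp_logins [THRESHOLD] < /var/log/messages

failed_ftp_logins() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
        /proftpd\[[0-9]+\]:/ && /no such user/ {
            # the client is the parenthesised field after the server name
            if (match($0, /\([^)]*\)/)) {
                client = substr($0, RSTART + 1, RLENGTH - 2)
                # key on client and minute, e.g. "Feb 24 12:15"
                key = client " " $1 " " $2 " " substr($3, 1, 5)
                hits[key]++
            }
        }
        END {
            for (k in hits)
                if (hits[k] >= thr)
                    printf "%d failed logins: %s\n", hits[k], k
        }'
}

# Constructed sample log for the example: 192.0.2.10 plays the attacker,
# 198.51.100.7 is one legitimate typo that must not be flagged.
sample_log() {
    cat <<'EOF'
Feb 24 12:15:33 server5 proftpd[18342]: server5.example.com (192.0.2.10[192.0.2.10]) - FTP session opened.
Feb 24 12:15:33 server5 proftpd[18342]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user 'qwerty'
Feb 24 12:15:33 server5 proftpd[18342]: server5.example.com (192.0.2.10[192.0.2.10]) - FTP session closed.
Feb 24 12:15:33 server5 proftpd[18340]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user 'asdf'
Feb 24 12:15:34 server5 proftpd[18344]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user 'zxcvb'
Feb 24 12:15:34 server5 proftpd[18347]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user '123'
Feb 24 12:15:34 server5 proftpd[18349]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user 'michael'
Feb 24 12:15:35 server5 proftpd[18352]: server5.example.com (192.0.2.10[192.0.2.10]) - no such user 'christopher'
Feb 24 12:16:02 server5 proftpd[18360]: server5.example.com (198.51.100.7[198.51.100.7]) - no such user 'jmaes'
Feb 24 12:16:02 server5 proftpd[18360]: server5.example.com (198.51.100.7[198.51.100.7]) - FTP session closed.
EOF
}

# Example run against the constructed log with the default threshold of 5.
sample_log | failed_ftp_logins
```

Keying on the minute is what separates a dictionary run (dozens of distinct usernames from one source inside a few seconds, as in the log above) from a user mistyping a name twice. The output is a list of candidates to review; an entry that keeps reappearing is a reasonable thing to add to the script's blocked list.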
denvercg
Feb 26 2004, 03:34 PM
QUOTE
Originally posted by madmax
I pretty much answered my own question.
If I am incorrect, please let me know.
This should block all IPs from:
Asia Pacific Network
RIPE Network (including Wanadoo)
http://www.iana.org/assignments/ipv4-address-space
60.0.0.0/8
61.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
62.0.0.0/8
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8
madmax,
Are you in the hosting business? If you are, I would not like to be one of your customers. If you have blocked all the IPs above from your server, that is not good! You are blocking a lot of potential customers from your accounts, as this does affect HTTP. I thought you'd like to know.
madmax
Feb 27 2004, 11:26 AM
I found that out after a bunch of support tickets came in.
LOL
Does anyone have an answer on preventing my FTP cracker?
Galactic Zero
Mar 4 2004, 08:27 PM
something strange this way comes....
I have a user who cannot get to her site or webmail while KISS is running; turn off KISS, and she can access it.
I, on the other hand, can get to both parts of her site without issue, KISS on or off.
She can get to other domains on the same server without issues...
So... here are some other specifics...
Server is running RHEL 3 and Plesk 7.
help.....
minotauro
Mar 12 2004, 10:34 AM
Hello,
When I try to start KISS, it shows this error:
root@server7 [/usr/bin]# kiss start
lsmod: QM_MODULES: Function not implemented
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
root@server7 [/usr/bin]#
How to fix this problem?
Thanks!
Minotauro.
madmax
Mar 17 2004, 07:47 PM
How do I block all pings with version 2.0?
Thanks
snoopy
Mar 27 2004, 12:56 AM
I am also getting this error on 2.6.4 kernel:
lsmod: QM_MODULES: Function not implemented
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Anyone know how to fix this, please?
mcnightmare
Apr 2 2004, 10:22 AM
My KISS firewall seems to block people from Europe from accessing my server...
They can ping my IP but cannot access the sites on the server... When I shut it down it works...
What do I have to change to make it work?!
I never touched the KISS file... still original.
revolution
Apr 2 2004, 10:30 AM
mcnightmare: is your server a DNS server for those sites also? If so, read earlier posts by me in this thread about making sure your nameservers can communicate with everyone (it involves uncommenting a few lines from KISS).
jameshsi
Apr 3 2004, 11:37 AM
Hi!
I tried editing SERVER_IPS, adding all my other IPs there, but I still cannot ping these IPs.
mcnightmare
Apr 3 2004, 05:27 PM
Thanks revolution, it worked out for me!
acerola
Apr 12 2004, 01:52 PM
Some problems I found with this version of KISS:
1 - It doesn't seem to work with kernel 2.6.5.
For some reason, it doesn't have the files ipt_multiport.o, ipt_state.o, ip_tables.o, and all the .o files.
Instead it has .ko files with the same name. I don't know if they are the same thing with different extensions.
The dir is /lib/modules/2.6.5-1.315smp/kernel/net/ipv4/netfilter.
2 - It doesn't support multiple NICs. My machine has two. For some reason, I can't use eth0, maybe it is malfunctioning, so I use eth1. I rewrote the script replacing all eth0 with eth1 and it seems to work fine. Also, I disabled the ONBOOT option on /etc/sysconfig/network-scripts/ifcfg-eth0. I wonder if it works with a single NIC with multiple ips...
3 - I ran kiss start without any modifications. It didn't kick me out of ssh, but I could not open another ssh session. I had to put 22 in the TCP_IN option.
acerola
Apr 12 2004, 06:37 PM
Ok, for you guys using kernel 2.6 and getting the error:
lsmod: QM_MODULES: Function not implemented
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Just replace ".o" with ".ko" and the script should work. Worked for me with kernel 2.6.5.
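The .o/.ko confusion here, and the .o.gz packaging kanarde ran into on Slackware further up, are both easy to make the script tolerant of. The following is an added example, not KISS's own module check (the function names are mine): look for each module under every extension the kernels in this thread use instead of hard-coding one, and report which ones are missing rather than a single generic abort.

```shell
#!/bin/sh
# Locate the netfilter modules KISS needs whatever the kernel's module file
# extension is (added example, not KISS's own check; function names are mine).
# 2.4 kernels ship ip_tables.o, 2.6 kernels ship ip_tables.ko, and Slackware
# compresses them to ip_tables.o.gz / ip_tables.ko.gz.

# find_netfilter_module NAME [MODDIR]
#   prints the module file's path and returns 0, or returns 1 if absent.
find_netfilter_module() {
    name=$1
    moddir=${2:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}
    for ext in ko ko.gz o o.gz; do
        if [ -f "$moddir/$name.$ext" ]; then
            printf '%s\n' "$moddir/$name.$ext"
            return 0
        fi
    done
    return 1
}

# check_kiss_modules [MODDIR]
#   the same three modules KISS looks for; names any that are missing.
check_kiss_modules() {
    missing=""
    for m in ip_tables ipt_state ipt_multiport; do
        find_netfilter_module "$m" "$1" >/dev/null || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "missing netfilter modules:$missing" >&2
        return 1
    fi
    return 0
}

# Example run against the running kernel's module directory.
if check_kiss_modules; then
    echo "all netfilter modules KISS needs are present"
else
    echo "Firewall script would abort here"
fi
```

Dropping this in place of the script's fixed `.o` test removes the need to hand-edit extensions per kernel; the directory argument exists so the check can be pointed at a different kernel's tree when `uname -r` does not match what is installed under /lib/modules.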
jameshsi
Apr 13 2004, 10:13 PM
Anyone know why I can only ping the server's main IP after KISS has started?
solokron
Apr 17 2004, 11:53 PM
What do you mean by the .o with .ko?
I am looking for a firewall app that works with the 2.6.5 mono kernel and it looks like KISS My Firewall has the same issue.
QUOTE
Originally posted by acerola
Ok, for you guys using kernel 2.6 and getting the error:
lsmod: QM_MODULES: Function not implemented
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Just replace ".o" with ".ko" and the script should work. Worked for me with kernel 2.6.5.
acerola
Apr 18 2004, 12:40 AM
KISS My Firewall is a script. So open it in your favorite text editor, and replace all occurrences of .o with .ko.
For example:
somefile.o
Should become:
somefile.ko
Got it?
solokron
Apr 18 2004, 01:05 AM
Right. I have done that as well to no avail.
kiss
lsmod: QM_MODULES: Function not implemented
Since the ip_tables, ipt_state, and/or ipt_multiport modules do not exist, KISS can not function. Firewall script aborted!
Of course viewing the system they are still .o with the mono kernel.
QUOTE
Originally posted by acerola
KISS My Firewall is a script. So open it in your favorite text editor, and replace all occurrences of .o with .ko.
For example:
somefile.o
Should become:
somefile.ko
Got it?
solokron
Apr 18 2004, 01:21 AM
The problem lies in uname -r producing 2.6.4 and there being no 2.6.4 directory under modules. There is a 2.4.21-4.0.1.EL in my case, though, but when changed it does not suffice.
L.J
Apr 29 2004, 10:03 AM
OK, bit confused here. I can ping my server with the firewall on! With the original KISS I used last year, when the firewall was on you couldn't ping the server, but I can ping mine. Is there a configuration setting I've missed, as I can't see the port enabled in the config file, or does this mean that my firewall isn't working?
Config:
[root@ensim bin]# kiss start
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 224.0.0.0/4 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.0/4
ACCEPT 2 -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 192.0.2.0/24 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113 reject-with icmp-port-unreachable
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:3784
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:19638
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 myipaddress state NEW tcp spts:1024:65535 dpt:22
ACCEPT icmp -- 0.0.0.0/0 myipaddress state NEW icmp type 8
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:37
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:43
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:55000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp spts:1024:65535 dpt:53
KISS My Firewall - Running!
[root@ensim bin]#
"ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 " looks ?????
calvi
May 3 2004, 03:58 AM
The new port monitoring service requires that we allow access to 216.12.192.107. I've tried doing it like this:
TRUSTED_IPS="0.0.0.0/0 216.12.192.107"
However, that does not seem to work, as the monitor shows my system is not responding. Does anyone know what's needed?
Thanks!
DarkPlasma
May 14 2004, 04:27 PM
I've installed KISS perfectly on my web server and it works great. Thanks.
I'm trying to install it on my personal machine with running BitTorrent. So I've added the ports 6880-6999.
CODE
TCP_IN="20 21 25 53 80 110 143 443 995 3306 6880:6999 8443 10000 19638 43924"
TCP_OUT="21 22 25 37 43 53 80 443 6880:6999 55000 30035 43924"
The 6880 to 6999 are all open via TCP both in and out.
I'm still having problems connecting to any peers/seeds/trackers in bittorrent. As soon as I disable the firewall it immediately works.
Any ideas? As far as I know BitTorrent runs on 6881-6889 and 6969 for the tracker, so I've opened way more than I need and it is still not working.
Thanks,
Kevin
mcnightmare
May 19 2004, 06:56 AM
The link doesn't work anymore!!
Does someone have a working link??
Mandi
May 20 2004, 01:53 AM
With Bastille I used PSAD, and PSAD sends an email when malicious activity comes against your server. Is there any way to implement a script that sends emails whenever someone is trying to scan or attack your IP address?
jamesp
May 26 2004, 08:00 PM
QUOTE
Originally posted by revolution
Yo!
This is gonna help some people in another forum, that's for sure. I'll post it there next.
KISS 2.0 has the following commented out at the bottom of the script by default:
CODE
###############################################
###############################
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
Leaving that commented out will make it so EARTHLINK / MINDSPRING DNS SERVERS WILL NOT BE ABLE TO SEE YOU. Why? I haven't the slightest idea; I'm a PHP geek and dumpster diver, not a sysadmin.
Anyways, I'd suggest making a note of that, as I saw it affecting domains on the servers of the company I work for in addition to those on my own. Multiple Earthlink/Mindspring DNS servers were tried and all experienced this problem, along with everyone I knew who had Earthlink. Now it seems the problem is solved.
P.S. I spent 2 hours on the phone complaining to Earthlink this week insisting they were messed up. Ah, well.
QUOTE
Originally posted by Steve
Actually, the comment is wrong in the file. It is not for "Zone Transfers" but is actually for nameserver-to-nameserver transfers on older systems running something like BIND 4.x. Unless you set up your DNS servers to allow source port 53 connections, uncommenting these lines should have no real effect on anything...
I doubt that Earthlink/Mindspring DNS servers use a source port of 53 for getting DNS data from your servers. That would make their DNS servers practically useless. The destination port would of course be 53, but the source port is a high port 1024-65535 and that's already taken care of in the KISS script. I would recommend that you don't uncomment these lines...
I am on Sprint DSL, which uses Earthlink for their ISP, and I was having email problems sending from Earthlink to my servers after I installed KISS; they were bouncing with lookup failures. After removing the comments from the section described here, email started to be delivered in seconds instead of bouncing after two days.
I am also having another strange thing come up since I added my server's IPs to the file. I added 127.0.0.1 207.xx.xx.xx 207.xx.xx.xx.... and so on for all the IPs, and in my logwatch I am getting:
62 Time(s): ll header: 00:01:80:23:6c:7c:00:e0:52:0a:fd:4d:08:00
8 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
10 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
11 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
8 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
14 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
5 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
6 Time(s): martian source 207.xx.xx.xx from 127.0.0.1, on dev eth0
I don't see any problems with accessing the server through any running service, but I am sure this is not normal. As a retired Windows administrator (please don't throw stones at me :-D) this is a strange error.
sander815
Jun 8 2004, 12:40 PM
Can I also block a certain IP connecting to a certain port?
I keep getting strange connections to my mail server every 5 sec or so, from 1 IP.
Slappy
Jun 19 2004, 01:23 PM
I have been getting UDP SYN floods on UDP port 33434. How would I go about closing off this port with KISS?
marauder
Jun 27 2004, 06:00 PM
I see there is a section for the server's IPs; I think it has to do with that. However, does anybody know the format for entering the entire list of IPs that direct to the machine??
SERVER_IPS="0.0.0.0/0": do we say, for instance,
"ip1, ip2, ip3, ip4..."
I would only be nervous about locking myself out of the machine temporarily.
QUOTE
Originally posted by jameshsi
Anyone know why I can only ping the server's main IP after KISS has started?
opusjack
Jun 27 2004, 06:09 PM
QUOTE
Originally posted by marauder
I see there is a section for the server's IPs; I think it has to do with that. However, does anybody know the format for entering the entire list of IPs that direct to the machine??
SERVER_IPS="0.0.0.0/0": do we say, for instance,
"ip1, ip2, ip3, ip4..."
I would only be nervous about locking myself out of the machine temporarily.
That is correct; just list the IPs that are bound to that server.
As for locking yourself out: earlier in this thread I posted a shell script to turn off KISS after a certain amount of time (via cron); that way, while testing, if you do lock yourself out the system will reset itself after your designated time limit.
marauder
Jun 27 2004, 08:31 PM
Opusjack, thanks. However, I still can't ping the secondary IPs.
Also, the problem with the extra IPs not being pingable seems to persist, yet I can ping:
% ping ns1.xxxxxxxxxxxxxxxxx.com [same ip of main server]
PING ns1.##########.com (67.##.#.##): 56 data bytes
64 bytes from 67.##.#.##: icmp_seq=0 ttl=48 time=65.512 ms
% ping 67.##.#.### [extra ip that a website is attached to- and still accessible while the firewall is running]
PING 67.##.#.### (67.##.#.###): 56 data bytes
Any ideas? The firewall took the addition of the IPs; it puked when commas separated the IPs.
Thanks for everything
mshaw
Jul 21 2004, 08:16 PM
I am getting the following on initial start or restart of the script:
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.
Chain INPUT (policy DROP)
target prot opt source destination
It starts OK but I need to resolve the errors. Any ideas?
Thunderace
Aug 28 2004, 07:18 AM
I haven't included port 21 but still can use FTP.
Would Portsentry interfere with it?
Any ideas?
madmax
Aug 28 2004, 09:12 PM
Hi Steve,
I prefer KISS firewall because it is easy to use.
However, I am having a problem loading a large list of IPs (CIDR). It freezes up the server.
Any ideas?
Here is my other post
http://forum.ev1servers.net/showthread.php...2242#post292242
Thunderace
Aug 30 2004, 03:05 AM
Seems that my problem is that I don't have parport support so no /sbin/modprobe.
How to fix this?
rixride
Sep 2 2004, 01:11 PM
msteudel
Sep 23 2004, 08:31 AM
What is the difference between TRUSTED_IP's and SERVER_IPs?
theuruguayan
Sep 23 2004, 08:45 AM
QUOTE
Originally posted by msteudel
What is the difference between TRUSTED_IP's and SERVER_IPs?
TRUSTED_IP's: the IPs that are allowed to access the server.
SERVER_IPs: the IPs of the server.
msteudel
Sep 24 2004, 10:56 AM
A wish-list item I would like: instead of trying to fit a ton of IPs into the blocked or trusted rows, be able to have a file that the KISS script reads from. It'd be easier to maintain, even automate... not sure if Steve wrote this, or is just providing instructions or not....