Archive for the tag 'apf'

Allowing connections to the SSH service from one IP using APF

You want to deny all IPs from connecting to shell/SSH on your server and allow only one, or a select few, to connect, using the APF firewall.

APF can deny ALL connections to SSH and allow only a single IP, or a select few, to connect to your server.

Login to your server as the root user.

cd /etc/apf
vi /etc/apf/allow_hosts.rules

Add the following in:

tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS

The d=22 part is the destination port, so you can repeat the pair of lines for other services as well if you want to limit connections to them too.

Save the changes.

vi /etc/apf/deny_hosts.rules

Add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

Restart the APF firewall:

apf -r
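The two-file procedure above (specific allows, then a 0/0 deny) is easy to get subtly wrong by hand, and a typo in the allow entry means the catch-all deny locks you out. The following is an added example, not code from the original post or from APF itself: it validates each trusted address and prints the allow_hosts.rules and deny_hosts.rules entries for any TCP port in the syntax shown above (`tcp:in:d=PORT:s=ADDR` / `out:d=PORT:d=ADDR`), so the output can be reviewed before it is appended to the files under /etc/apf. The function names and the IPv4-only check are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post or from APF itself: print the
# allow_hosts.rules and deny_hosts.rules entries that restrict one TCP port to a
# list of trusted source addresses, using the rule syntax shown on this page
# (proto:in:d=PORT:s=ADDR and out:d=PORT:d=ADDR). The functions only print, so
# the output can be reviewed before it is appended to the files under /etc/apf.

# Accept a dotted-quad IPv4 address with an optional /prefix and reject anything
# else, so that a typo cannot become a rule that locks you out.
is_ipv4_cidr() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|*/*/*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # no slash given: a single host address
    set -- $(echo "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    return 0
}

# Print the allow entries (one pair per trusted address) followed by the
# catch-all deny pair for PORT.  Usage: apf_restrict_port PORT ADDR [ADDR...]
apf_restrict_port() {
    port=$1
    [ $# -ge 1 ] && shift
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null ||
        { echo "bad port: $port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "need at least one trusted address" >&2; return 1; }
    for a in "$@"; do
        is_ipv4_cidr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    echo "# append to /etc/apf/allow_hosts.rules"
    for a in "$@"; do
        echo "tcp:in:d=$port:s=$a"
        echo "out:d=$port:d=$a"
    done
    echo "# append to /etc/apf/deny_hosts.rules"
    echo "tcp:in:d=$port:s=0/0"
    echo "out:d=$port:d=0/0"
}

# Example: apf_restrict_port 22 203.0.113.7 198.51.100.0/24
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, constructed here)
```

The procedure only works if the specific allow entries take precedence over the 0/0 deny, which is what the page's two-file layout relies on. Keep the session you are working in open, and confirm from a second connection that the trusted address still gets in, before you rely on `apf -r` having applied the new rules.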
SBDavid

ip_conntrack and APF issue

A server is limited to a certain number of TCP/IP connections that it can keep track of.

ip_conntrack is the kernel module that tracks these connections, and the limit is the size of its conntrack table. If the table exceeds this limit, even legitimate packets will be dropped.

We usually tweak this parameter in the sysctl.conf file.

But if you have APF installed, APF will reset the conntrack value even if you set the sysctl parameter, because the APF configuration file sets the conntrack value to 34576 by default [SYSCTL_CONNTRACK="34576"].

So on servers running APF, you need to increase that SYSCTL_CONNTRACK value in the APF configuration and then restart APF.
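The failure mode described here (a sysctl tweak silently undone by `apf -r`) is easiest to catch by comparing what the kernel is currently using with what APF will enforce on its next restart. The following is an added example, not part of the original post or of APF: it reads SYSCTL_CONNTRACK from conf.apf, reads the live conntrack count and limit from /proc, and warns when usage passes a threshold. It assumes the counters live under /proc/sys/net/netfilter/ (nf_conntrack_*) or, on older kernels, /proc/sys/net/ipv4/netfilter/ (ip_conntrack_*); the 80% threshold and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from APF: compare live conntrack
# usage with the limit APF will apply on "apf -r" (SYSCTL_CONNTRACK in conf.apf).
# Assumes the counters under /proc/sys/net/netfilter/ (nf_conntrack_count/_max)
# or /proc/sys/net/ipv4/netfilter/ (ip_conntrack_count/_max) on older kernels.

# Print the SYSCTL_CONNTRACK value from an APF config file; fail if it is absent.
apf_conntrack_setting() {
    sed -n 's/^SYSCTL_CONNTRACK="\([0-9]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1 | grep .
}

# Print "used/max (pct%)"; return 0 below WARN_PCT (default 80), 1 at or above it.
conntrack_headroom() {
    used=$1; max=$2; warn=${3:-80}
    [ "$max" -gt 0 ] 2>/dev/null || { echo "invalid max: $max" >&2; return 2; }
    pct=$(( used * 100 / max ))
    echo "$used/$max (${pct}%)"
    [ "$pct" -lt "$warn" ]
}

# Locate the live counters. Prints "DIR PREFIX"; an explicit DIR argument
# overrides the standard locations (used for testing with constructed files).
conntrack_proc_dir() {
    for d in "${1:-}" /proc/sys/net/netfilter /proc/sys/net/ipv4/netfilter; do
        [ -n "$d" ] || continue
        if [ -r "$d/nf_conntrack_count" ]; then echo "$d nf_conntrack"; return 0; fi
        if [ -r "$d/ip_conntrack_count" ]; then echo "$d ip_conntrack"; return 0; fi
    done
    return 1
}

# Full check: show the APF setting, then live usage against the live limit.
# Usage: check_conntrack [CONF_APF] [PROC_DIR]
check_conntrack() {
    conf=${1:-/etc/apf/conf.apf}
    loc=$(conntrack_proc_dir "${2:-}") || { echo "no conntrack counters found" >&2; return 2; }
    set -- $loc
    dir=$1; pfx=$2
    used=$(cat "$dir/${pfx}_count"); max=$(cat "$dir/${pfx}_max")
    apf_max=$(apf_conntrack_setting "$conf") || apf_max="unknown"
    echo "APF SYSCTL_CONNTRACK: $apf_max (applied on apf -r)"
    conntrack_headroom "$used" "$max"
}
```

Run `check_conntrack` as root on a live system; a non-zero exit with a high percentage means the table is close to the point where legitimate packets start being dropped, and if the APF value printed is lower than the live maximum, the next `apf -r` will shrink the table.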

How to uninstall APF on a Linux machine

You can use the following steps to uninstall APF on a Linux machine:

Stop the APF service running on the server.

$ /etc/rc.d/init.d/apf stop

Remove the APF files from the server.

$ rm -Rf /etc/apf
$ rm -Rf /etc/rc.d/init.d/apf
$ rm -Rf /var/log/apf_log
$ rm -Rf /var/log/apfados_log
$ rm -Rf /usr/local/sbin/apf

Disable APF in the run levels.

$ /sbin/chkconfig --level 345 apf off

Open the daily firewall cron file and remove this line:

$ vi /etc/cron.daily/fw
/etc/rc.d/init.d/apf restart >> /dev/null 2>&1
SBDavid

APF - Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.

The official home page for APF is located at:

http://www.rfxnetworks.com/apf.php

If you are configuring iptables in your own custom kernel then you should be sure that the following modules are compiled with the kernel for modular support:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_multiport
ipt_owner
ipt_state
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

If you would like to make sure you support these modules then you can take a look inside the /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory, where kernelver is the version of the running kernel (as printed by uname -r).
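Looking inside that directory by hand for twenty module names is error-prone, so here is an added example (not part of the original page or of APF) that checks the list above against the running kernel. It assumes the modules live under /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter, that they may be stored compressed (so it matches NAME.ko*), and that a module compiled into the kernel is listed in /lib/modules/$(uname -r)/modules.builtin rather than present as a file; both directory and list can be overridden for testing. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from APF: report which of the
# netfilter modules listed above are missing for the running kernel.
# Assumptions: loadable modules live under DIR as NAME.ko (possibly compressed,
# e.g. NAME.ko.xz), and built-in modules are listed in modules.builtin.

APF_MODULES="ip_tables iptable_filter iptable_mangle ip_conntrack ip_conntrack_irc
ip_conntrack_ftp ipt_state ipt_multiport ipt_limit ipt_recent ipt_LOG ipt_REJECT
ipt_ecn ipt_length ipt_mac ipt_owner ipt_ttl ipt_TOS ipt_TCPMSS ipt_ULOG"

# Return 0 if NAME is available either as a module file under DIR or as a
# built-in entry in BUILTIN_LIST, 1 otherwise.
module_available() {
    mod_name=$1; mod_dir=$2; builtin_list=$3
    set -- "$mod_dir/$mod_name".ko*
    [ -e "$1" ] && return 0
    [ -r "$builtin_list" ] || return 1
    grep -q "/$mod_name\.ko\$" "$builtin_list"
}

# Print the space-separated names from APF_MODULES that are not available.
# Usage: missing_netfilter_modules [DIR] [BUILTIN_LIST]
# Returns 0 when nothing is missing, 1 otherwise.
missing_netfilter_modules() {
    dir=${1:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}
    builtin=${2:-/lib/modules/$(uname -r)/modules.builtin}
    missing=""
    for m in $APF_MODULES; do
        module_available "$m" "$dir" "$builtin" || missing="$missing $m"
    done
    [ -n "$missing" ] || return 0
    echo "${missing# }"
    return 1
}
```

On a current kernel several of these names have changed (connection tracking is nf_conntrack and lives under net/netfilter rather than net/ipv4/netfilter), so a name reported as missing by this check is a prompt to look for its successor, not necessarily a gap in the kernel.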

Installation

The installation setup of APF is very straightforward; there is an included install.sh script that will perform all the tasks of installing APF for you.

Install

# sh install.sh

If you wish, you can customize the setup of APF by editing the variables inside the install.sh script and then also editing the path variables in the conf.apf and internals.conf files. This is however not recommended, and the default paths should meet all user needs; they are:

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

The first step is to set up APF in the init system with chkconfig (done by default during install), as detailed below:

chkconfig --add apf
chkconfig --level 345 apf on

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snapshot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load the firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list chain rules
-t|--status ........................ firewall status
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob_]deny_hosts.rules
                                     and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

Trust an address:
apf -a ryanm.dynip.org "my home dynamic-ip"
Deny an address:
apf -d 192.168.3.111 "keeps trying to bruteforce"
Remove an address:
apf -u ryanm.dynip.org

Installing and Configuring CSF Firewall

ConfigServer Firewall & Security (CSF) is a Stateful Packet Inspection (SPI) firewall with login/intrusion detection.

This article demonstrates how to install and configure the CSF (configserver) firewall. CSF can be used on a wide range of Linux systems, including those running cPanel.

cd /tmp
wget http://www.configserver.com/free/csf.tgz
tar zxf csf.tgz
cd csf
sh install.sh

To configure CSF modify the config files in /etc/csf/ - or if you are running WHM you can modify the CSF settings in there. By default CSF opens the standard cPanel ports.

If you have APF + BFD installed you will need to disable them first; you can use the following to do so:

sh disable_apf_bfd.sh