Web Hosting Forum | Lunarpages

Author Topic: Installing Advanced Policy Firewall (APF)

Offline abhilash

  • Intergalactic Cowboy
  • *****
  • Posts: 61
Installing Advanced Policy Firewall (APF)
« on: May 06, 2005, 09:37:40 AM »
APF (Advanced Policy Firewall)
                                                                               
APF is a modular, policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. It is maintained by R-fx Networks.
                                                                               
1. Installation
===============

                                                                               
i). Download and extract to the /usr/local/downloads/ directory. Create it by executing the command
Code:
mkdir -p /usr/local/downloads/
cd /usr/local/downloads/
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
                                                                               
URL is http://www.rfxnetworks.com/downloads/apf-current.tar.gz
 
ii). Extract and install it
 
Code:
cd /usr/local/downloads/
tar xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf*
./install.sh

You should see
 
Code:
Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser:  /etc/apf/extras/dshield/

without any errors.
 
2. APF Configuration
===================


/etc/apf is the configuration directory of APF and conf.apf is the main configuration file. So open up conf.apf in your favorite editor.
 
Scroll down till you see
 
i)
 
IG_TCP_CPORTS="22"
 
Tip: Pico -> Ctrl+W and then keyword --> Invokes search for keyword
     Vi --> Esc and then /keyword --> Invokes search for keyword
     emacs --> Ctrl+s and then keyword --> Invokes search for keyword
 
Change it to read
 
a) For a webmin server:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,3306,10000,30000_35000"

b) For a Cpanel server :

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2084,2086,2087,2095,2096,3306,10000,30000_35000"
 
Common incoming TCP ports.
 
ii)
 
IG_UDP_CPORTS=""
 
Change the line to read
 
IG_UDP_CPORTS="21,53,465"
 
iii) EGF="0" to EGF="1" # This filters outgoing connections as well. I recommend it, though it may occasionally cause issues.
 
iv) EG_TCP_CPORTS="21,25,80,443,43"
 
to read
 
EG_TCP_CPORTS="21,22,25,37,53,80,110,113,443,465,43,873,2089,3306"
 
Common outgoing TCP ports

v) EG_UDP_CPORTS="20,21,53"
 
to read
 
EG_UDP_CPORTS="20,21,53,465"
 
Common outgoing UDP ports

vi) USE_DS="0" to USE_DS="1"
 
APF makes use of DShield (DS). This is a little like spam blocklists such as SPEWS: it lists the most commonly abused networks and those most often used in denial of service attacks and similar.
 
vii) USE_AD="0" to USE_AD="1"
 
USE_AD="1" enables the AntiDos feature, which is still in beta at the time of this writing. The readme says "Antidos is a log parsing script made for r-fx.org's APF (advanced policy firewall). Its purpose is to parse specific log formats for network attacks against a given system, then take certain actions. It is designed to be modular so it can be removed from APF and used in other environments."
 
You can now save conf.apf and quit the editor. If you didn't change the value of USE_AD to 1, you can skip Step 3 and jump to Step 4.
 
3. AntiDOS Configuration
=======================

 
i) Open up /etc/apf/ad/conf.antidos
 
ii) Change LP_KLOG="0" to LP_KLOG="1"
 
iii) CONAME="Your Company"
 
Enter your company name within quotes similar to CONAME="LunarPages"
 
iv) USR_ALERT="0" to USR_ALERT="1"
 
Change it to 1 only if you wish to receive email alerts.
 
v) USR="you@yourco.com"
 
Enter your email address here similar to the entry made in (iii) i.e in quotes
 
vi) Antidos is intended to operate via cron. This is a critical setup point; if it is not done, antidos will simply not operate.
 
Execute the command
Code:
crontab -e

and add the following line. This is root's own crontab, so there is no user column; only /etc/crontab takes a user field (there the line would read `*/2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1`).

Code:
*/2 * * * * /etc/apf/ad/antidos -a >> /dev/null 2>&1
 
This will run antidos every two minutes.
 
4. Starting the firewall
====================

 
i) Edit /etc/apf/allow_hosts.rules and enter your IP (not a mandatory step, but will avoid being locked out of the server)
 
ii) Start the firewall by executing the command
Code:
apf -s

You should see
 
Development mode enabled!; firewall will flush every 5 minutes.
 
Now try to access all the services, including mail, ssh, and websites.
 
iii) If you are able to access all the services, then open up /etc/apf/conf.apf, change the DEVEL_MODE="1" to read DEVEL_MODE="0"
 
and then restart the firewall by executing
Code:
apf -r

and you are done.
 
iv) As a last step, please execute the command "chkconfig --list apf" and confirm that you see an entry like
 
apf             0: off   1: off   2: off   3: on    4: on    5: on    6: off

You should see it exactly as above; if it is not like that, execute
Code:
chkconfig --level 345 apf on

Congratulations, you have successfully installed APF :-)
 
5. Firewall Usage
=================

 
Code:
Usage /usr/local/sbin/apf [OPTION]
 
OPTIONS are as below
 
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall

As an example, if you would like to deny an IP from accessing your sites, execute,
 
apf -d 123.123.123.123
 
References
===========
[1] http://www.rfxnetworks.com/apf/README
[2] http://www.rfxnetworks.com/apf/README.antidos
« Last Edit: January 16, 2006, 05:21:07 PM by abhilash »
Abhilash

JSA Supervisor - System Admin Team
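An added example, not code from the post or from APF itself: a small POSIX shell audit that expands the IG_TCP_CPORTS list from conf.apf (APF writes ranges as 30000_35000) and prints every listening TCP port the list does not cover, which is the check worth running while DEVEL_MODE is still 1. The conf.apf fragment and the ss output are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: expand the APF-style port lists in
# conf.apf and compare them with what the host is actually listening on, so a
# service is not silently cut off when DEVEL_MODE is switched to "0".
# The conf.apf fragment and "ss -ltn" output below are constructed samples.

# Expand "20,21,30000_30005" (APF writes ranges as lo_hi) to one port per line.
apf_expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '') ;;                                   # ignore empty entries
            *_*) lo=${item%_*}; hi=${item#*_}; i=$lo
                 while [ "$i" -le "$hi" ]; do printf '%s\n' "$i"; i=$((i + 1)); done ;;
            *)   printf '%s\n' "$item" ;;
        esac
    done
}

# Read a quoted variable such as IG_TCP_CPORTS out of conf.apf (the last
# assignment wins, matching how the shell sources the file).
apf_get_var() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print listening TCP ports that IG_TCP_CPORTS does not cover: those services
# become unreachable once the firewall is live.
apf_unlisted_ports() {
    allowed=$(apf_expand_ports "$(apf_get_var "$1" IG_TCP_CPORTS)")
    # "ss -ltn" local address is field 4 (0.0.0.0:22, :::80); port follows the last colon.
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$2" | sort -un |
    while IFS= read -r port; do
        printf '%s\n' "$allowed" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# Constructed conf.apf fragment using the tutorial's webmin server port list.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,3306,10000,30000_35000"
IG_UDP_CPORTS="21,53,465"
EOF

# Constructed "ss -ltn" output: sshd, httpd and Webmin are in the list, but a
# Nagios NRPE agent on 5666 (which this thread asks about later) is not.
SAMPLE_LISTEN=$(mktemp)
cat > "$SAMPLE_LISTEN" <<'EOF'
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      128    :::80              :::*
LISTEN  0      128    :::443             :::*
LISTEN  0      5      127.0.0.1:10000    0.0.0.0:*
LISTEN  0      5      0.0.0.0:5666       0.0.0.0:*
EOF

echo "Listening TCP ports missing from IG_TCP_CPORTS:"
apf_unlisted_ports "$SAMPLE_CONF" "$SAMPLE_LISTEN"
```

On a real box, replace the sample files with /etc/apf/conf.apf and the output of `ss -ltn` (or `netstat -ltn` on older systems).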

Offline zwieciu

  • Newbie
  • *
  • Posts: 1
Re: Installing Advanced Policy Firewall (APF)
« Reply #1 on: October 16, 2007, 09:05:54 AM »
Hi, great tutorial. I'm now setting up APF on my new dedicated server. I filtered out all the ports I'm not using but am still not sure about two of them:
5666 and 10000. What are these for? Can I filter them out as well? Thanks in advance.

Rafael.

Offline perestrelka

  • Master Jedi
  • *****
  • Posts: 1397
Re: Installing Advanced Policy Firewall (APF)
« Reply #2 on: October 16, 2007, 08:45:04 PM »
Quote
Hi, great tutorial. I'm now setting up APF on my new dedicated server. I filtered out all the ports I'm not using but am still not sure about two of them:
5666 and 10000. What are these for? Can I filter them out as well? Thanks in advance.

Rafael.

Hi Rafael,

Port 10000 is for Webmin and 5666 is for the Nagios plugin Lunarpages uses to monitor your server, if you purchased a managed add-on. If your server is not monitored and you don't have Webmin, feel free to remove both ports from the list allowed for incoming connections.
Kind Regards,
Vlad Artamonov

Offline bethsheba

  • Space Explorer
  • ***
  • Posts: 6
Re: Installing Advanced Policy Firewall (APF)
« Reply #3 on: November 15, 2007, 09:49:37 AM »
If we opted for the Managed Lite add-on (I'm on VPS) do we still have to download this firewall?

cuz it looks like there is one installed in Virtuozzo

Offline perestrelka

  • Master Jedi
  • *****
  • Posts: 1397
Re: Installing Advanced Policy Firewall (APF)
« Reply #4 on: November 15, 2007, 08:15:47 PM »
Quote
If we opted for the Managed Lite add-on (I'm on VPS) do we still have to download this firewall?

cuz it looks like there is one installed in Virtuozzo

It is up to you. If the firewall management module that comes with Plesk is suitable for you, you don't need APF. I would highly recommend not using them both at the same time. You don't get APF installed with the Managed Lite add-on.
Kind Regards,
Vlad Artamonov

Offline bethsheba

  • Space Explorer
  • ***
  • Posts: 6
Re: Installing Advanced Policy Firewall (APF)
« Reply #5 on: November 16, 2007, 05:08:16 PM »
Thanks for the advice.

I am more comfortable with Plesk so I guess I will stick with that.

What about Brute Force attacks?  Will I need to add the software for that?


Offline perestrelka

  • Master Jedi
  • *****
  • Posts: 1397
Re: Installing Advanced Policy Firewall (APF)
« Reply #6 on: November 16, 2007, 09:16:28 PM »
Quote
Thanks for the advice.

I am more comfortable with Plesk so I guess I will stick with that.

What about Brute Force attacks?  Will I need to add the software for that?

Yes, you'll need to set up something additional to protect against brute force attacks, as Plesk provides nothing for that.
Kind Regards,
Vlad Artamonov

Offline mileusna

  • Trekkie
  • **
  • Posts: 12
Re: Installing Advanced Policy Firewall (APF)
« Reply #7 on: June 07, 2008, 09:54:25 AM »
hi,

I have just installed APF (apf-0.9.6-3) on my new server, and it hasn't displayed the AntiDos part on install

Quote
AntiDos install path: /etc/apf/ad/
AntiDos config path:  /etc/apf/ad/conf.antidos
DShield Client Parser:  /etc/apf/extras/dshield/

Also, the /etc/apf/ad/ directory doesn't exist, but apart from that apf is functional.

Any hint about AntiDos, why is it gone?!
« Last Edit: June 07, 2008, 10:15:55 AM by mileusna »

Offline mileusna

  • Trekkie
  • **
  • Posts: 12
Re: Installing Advanced Policy Firewall (APF)
« Reply #8 on: June 08, 2008, 01:15:28 PM »
Well, I can answer myself now. Starting with version 0.9.6-3 APF completely replaced Antidos with RAB (Reactive Address Blocking). So there is no more additional AntiDos cron job, everything is managed by APF and the RAB options are in conf.apf as expected.

I.e. you have to update this tutorial a little bit. :)

Offline V-I-R-U-S

  • Spaceship Navigator
  • *****
  • Posts: 95
  • I Love Me
    • V-I-R-U-S
Re: Installing Advanced Policy Firewall (APF)
« Reply #9 on: June 08, 2008, 08:46:16 PM »
Recent APF versions don't have the DoS protection.

The best thing to use to help with DoS attacks is Dos Deflate :)  Simple installation:

Code:
Installation
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstalling
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos


Edit settings with

Code:
cd /usr/local/ddos/

nano /usr/local/ddos/ddos.sh

or

pico /usr/local/ddos/ddos.sh

Whitelist IPS with

Code:
cd /usr/local/ddos/

nano /usr/local/ddos/ignore.ip.list

or

pico /usr/local/ddos/ignore.ip.list


Also some helpful tips for added security for your Linux box :)

Code:
Restrict SSH Access


To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.


SSH into server and login as root.

Note: You can use PuTTY for this. It's a clean running application that will not require installation on Windows boxes.


At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

-------------------------------------------

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

-------------------------------------------


Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.


Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart


Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.




Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart




Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.




Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message...

-------------------------------------------

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

-------------------------------------------

Now every time someone logs in as root, they will see this message... go ahead and try it.




Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts


Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.




Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart




Install chkrootkit

To install chkrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.




Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh


After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd


Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"


Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"


Save the changes then exit.


To start BFD

At command prompt type: /usr/local/sbin/bfd -s




Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.


To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf


Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.


Now scroll down to

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.


Save and exit.


What is PMON
PMON is a bash scripted network socket monitor. It is designed to track
changes to Network sockets and Unix domain sockets.

A comprehensive alert system, simple program usage & installation make PMON
ideal for deployment in any linux environment (geared for web servers). Using
a rather simple yet logical structure, PMON identifies changes in both
Network Sockets and Unix Domain Sockets. By recording a base set of what
sockets should be active then comparing the currently active socket information
to that of the base comparison files, we highlight otherwise unknown services.

To install pmon, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.r-fx.org/downloads/pmon-current.tar.gz

At command prompt type: tar xvzf pmon-current.tar.gz

At command prompt type: cd lsm-0.6

At command prompt type: ./install.sh

After PMON has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/lsm/conf.lsm

Find

USER="root"

and change it to

USER="your@email.com"

Save the changes then exit.

To run PMON and set the base config file

At command prompt type: /usr/local/sbin/pmon -g

Then to check for changes in sockets, use the -c argument. This will compare
the current sockets running, with the generated base comparison files. If any
changes are found you will be notified, otherwise it will note if no changes
are present.

At command prompt type: /usr/local/sbin/pmon -c

The cron job is already configured to run at 10 minute intervals, though.
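An added example, not code from the post: a shell audit of the sshd_config directives the Restrict SSH Access section changes. It reads values the way sshd does, taking the first uncommented occurrence of each keyword, which catches the common slip of appending hardened lines below a stock Port 22 that stays in effect. The sample config, the assumed defaults for missing keywords and the function names are my own; Match and Include blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sshd_config directives
# the "Restrict SSH Access" section changes. sshd honours the FIRST uncommented
# value of each keyword, so a hardened line appended below a stock "Port 22"
# changes nothing. Assumes a flat config without Match or Include blocks; the
# defaults used for missing keywords and the sample file are assumptions.

# Effective value of a keyword: first non-comment match, case-insensitive,
# returning the rest of the line so "2, 1" style values survive intact.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment lines never count
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# One finding per line; silence means the config matches the post's advice.
sshd_audit() {
    port=$(sshd_effective "$1" Port)
    proto=$(sshd_effective "$1" Protocol)
    root=$(sshd_effective "$1" PermitRootLogin)
    listen=$(sshd_effective "$1" ListenAddress)
    case "${port:-22}" in
        22) echo "Port: sshd still listens on the default port 22" ;;
    esac
    case "${proto:-2,1}" in
        *1*) echo "Protocol: SSH protocol version 1 is still enabled" ;;
    esac
    case "${root:-yes}" in
        yes) echo "PermitRootLogin: direct root login is still allowed" ;;
    esac
    case "${listen:-0.0.0.0}" in
        0.0.0.0|::) echo "ListenAddress: bound to every address, not a dedicated IP" ;;
    esac
}

# Constructed sample: hardened lines were appended at the end, but the stock
# "Port 22" higher up was left active, so only the Port change failed to apply.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
Port 5678
Protocol 2
ListenAddress 123.123.123.15
PermitRootLogin no
EOF

echo "Findings for $SAMPLE_SSHD:"
sshd_audit "$SAMPLE_SSHD"
```

Run `sshd_audit /etc/ssh/sshd_config` after editing and again after `sshd -t` passes; an empty result is the goal.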

Offline watsonovedades

  • Space Explorer
  • ***
  • Posts: 7
    • Hechizos para enamorar
Re: Installing Advanced Policy Firewall (APF)
« Reply #10 on: February 07, 2011, 02:04:53 AM »
I had problems with the Dos Deflate installation, can someone guide me through it?
The best love spells, now revealed

Offline wilmatan

  • Intergalactic Cowboy
  • *****
  • Posts: 51
Re: Installing Advanced Policy Firewall (APF)
« Reply #11 on: May 04, 2011, 06:48:31 AM »
Great Job! Very thorough tutorial!  ;D ;D ;D

 
