APF + BFD: Can someone help fine tune please?

jim.thornton (Verified User, joined Jan 1, 2008, 334 messages)
I've posted before about tons of BF attempts on my server. I have APF+BFD installed and for the most part it is working. I'm getting emails every day of IPs that are blocked. However, I'm getting even more emails from DA's BFD system saying there has been an attempt. At first glance I thought that the number of attempts might have been the problem, because I had BFD set to TRIG="50" and the DA attempts seemed to start in the range of 30 or so. As a result, I changed my BFD setting to 10.

This obviously increased the number of blocked IPs, but the blocked IPs from APF+BFD still don't match those BFD attempts notified from DA.

I created a new filter with DA and it seems to be catching more IPs than before. But DA is still notifying me of more IPs than BFD is blocking.

I investigated the IPs that I was notified of by DA, and there were some that were blocked by BFD and some that weren't. About 70% are being blocked by BFD, while the other 30% are getting notified by DA but not by BFD.

Here's the weird thing... I have scanned the log files for an IP that was blocked and an IP that was NOT blocked. Both are found when I run the regexp against the log entries.

I don't understand why BFD is blocking some but not all of the IPs. Could someone please help me fine tune this to get it working better?
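Added example (not BFD's or DirectAdmin's own code) of why an address that matches the regexp is not necessarily blocked: a threshold filter counts per-address hits in the lines it scans and only acts when that count reaches TRIG, so a regexp hit alone means nothing until the count crosses the line. The log lines, addresses and TRIG values below are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sshd-style log lines; 203.0.113.10 fails 12 times, 198.51.100.7 only 4.
def _failed(ip, port):
    return f"Mar  3 10:00:01 host sshd[2101]: Failed password for root from {ip} port {port} ssh2"

SAMPLE_LOG = "\n".join(
    [_failed("203.0.113.10", 40000 + i) for i in range(12)]
    + [_failed("198.51.100.7", 50000 + i) for i in range(4)]
    + ["Mar  3 10:05:00 host sshd[2200]: Accepted publickey for alice from 192.0.2.5 port 22222 ssh2"]
)

# Typical "failed password" pattern; the invalid-user variant is handled too.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)

def count_failures(log_text, pattern=FAILED_RE):
    """Return a Counter of failed-login hits per source address in the scanned lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def classify(counts, trig):
    """Split addresses into those at/over the trigger (would be blocked)
    and those that matched the regexp but stayed below it (seen only)."""
    blocked = {ip for ip, n in counts.items() if n >= trig}
    seen_only = set(counts) - blocked
    return blocked, seen_only

if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    for trig in (50, 10):
        blocked, seen_only = classify(counts, trig)
        print(f"TRIG={trig}: blocked={sorted(blocked)} matched-but-below-trigger={sorted(seen_only)}")
```

Both addresses match the regexp, yet with TRIG=10 only the first is blocked and with TRIG=50 neither is; comparing the "seen only" set against the notification list is the quickest way to see which addresses are short of the threshold rather than missed by the pattern.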
 
Is CSF better than APF?

I was under the assumption (pretty much) that a firewall is a firewall. I thought it would be easier to fine tune it than outright change the firewall.

Is CSF+BFM the preferred method of protecting the server these days? I don't care what I run, I just want something easy to use. I like the config file of APF and find it very easy to configure. Is CSF the same?
 
Is CSF better than APF?
Is CSF+BFM the preferred method of protecting the server these days?

For whom? It's a matter of personal preference, I'd rather say. What I like about CSF is that it comes together with LFD, which can monitor user processes and find some suspicious ones.

Is CSF the same?

CSF config is much bigger, but it's well documented and can be modified via a DirectAdmin plugin. CSF/LFD comes with a plugin for DirectAdmin, so you can manage it through DirectAdmin. For more details you'd better search and read these forums (it's been discussed here many times) and visit the official site: http://configserver.com/cp/csf.html
 
Wow.. Just looked at the site. It looks pretty good.

I'll look into migrating tonight.

Thanks!
 