DhoTjai
Verified User
Ye, just change the ssh port and you wont get BFD attacks anymore 
Altough they tried to attack ftp here =p, but thats only once a month =)
Altough they tried to attack ftp here =p, but thats only once a month =)
APF + BFD + DDOS + Rootkit
- Thread starter powerdomein
- Start date
@how@
Verified User
nano -w /etc/ssh/sshd_config
set
Protocol 2
&
PermitRootLogin no
&
#AllowUsers root
&
#AllowUsers admin
save & restart sshd
/sbin/service sshd restart
add new user **** with ssh access.
login **** , when login done
su
and root password
hacker can't find user with ssh access
Wael
set
Protocol 2
&
PermitRootLogin no
&
#AllowUsers root
&
#AllowUsers admin
save & restart sshd
/sbin/service sshd restart
add new user **** with ssh access.
login **** , when login done
su
and root password
hacker can't find user with ssh access
Wael
Also if anyone is using FC5 and wants to use apf you may get the error when trying to run.
and/or
The fix: edit the file /etc/apf/internals/functions.apf and change the following 2 lines
to this
Taken from the following link
here
Code:
Unable to load iptables module (ipt_state), aborting.and/or
Code:
Unable to load iptables module (ipt_multiport), aborting.The fix: edit the file /etc/apf/internals/functions.apf and change the following 2 lines
Code:
ml ipt_state 1
ml ipt_multiport 1to this
Code:
ml xt_state
ml xt_multiportTaken from the following link
here
Few notes for users considering implementing all this:
- It has been a while since we evaluated APF, but it DIDN'T HAVE UNINSTALL option back then. If you are familiar with shell scrpting, you probably will be able to uninstall it manually. However, if you are a newbie - assume you will not be able to *cleanly* remove APF once it is installed (unless they added uninstall feature).
- APF assumes your server has only 1 network card.
- While using APF with BFD, offending IPs were automatically blocked - which is ok. However, there was no command line option allowing to remove IPs from the backlist It could be done manually but not without an effort.
- BFD can be used without APF. If you don't want to use dynamic blocking for whatever reason, you might still find it usefull for reporting purposes.
- BFD has hooks up that can be used to integrate it with another firewall (kiss or ipfw in FreeBSD for example).
- Root Kit hunter will generate "false positive" warning during sshd_config check if you comment out Root login as described above:
Remove that line altogether to avoid the warning. - Root Kit hunter doesn't seem to maintain separate application advisory databases for different OSes, which might be confusing.
For example, in CentOS you might get [ Old or patched version ] message for packages that can't be further upgraded with yum.
winger
Verified User
felosi said:
Hi,
How can I have some countrys banneds?
regards,
winger.
Dark_Wizard
Verified User
- Joined
- Oct 3, 2006
- Messages
- 47
Webcart said:Few notes for users considering implementing all this:
- It has been a while since we evaluated APF, but it DIDN'T HAVE UNINSTALL option back then. If you are familiar with shell scrpting, you probably will be able to uninstall it manually. However, if you are a newbie - assume you will not be able to *cleanly* remove APF once it is installed (unless they added uninstall feature).
- APF assumes your server has only 1 network card.
- While using APF with BFD, offending IPs were automatically blocked - which is ok. However, there was no command line option allowing to remove IPs from the backlist
- BFD can be used without APF. If you don't want to use dynamic blocking for whatever reason, you might still find it usefull for reporting purposes.
- BFD has hooks up that can be used to integrate it with another firewall (kiss or ipfw in FreeBSD for example).
- Root Kit hunter will generate "false positive" warning during sshd_config check if you comment out Root login as described above:
Remove that line altogether to avoid the warning.- Root Kit hunter doesn't seem to maintain separate application advisory databases for different OSes, which might be confusing.
For example, in CentOS you might get [ Old or patched version ] message for packages that can't be further upgraded with yum.
Clean and simple removal:
/etc/init.d/apf stop
chkconfig --del apf
rm /etc/init.d/apf /etc/cron.d/fw
rm -rf /etc/apf
winger said:
http://blacklist.linuxadmin.org/
just edit out everything except the ip mask/and add it into apf
Dark_Wizard
Verified User
- Joined
- Oct 3, 2006
- Messages
- 47
Webcart said:
I have tried it yes and this is what the author has posted on another forum.
Dark_Wizard said:
I feel like our discussion starts being off-topic, so I will make my last attempt to clarify my statements above:
by "clean" remove I mean removing EVERYTHING related to this program. By saying "I have tried it yes" you probably mean you've executed the commands and since that you couldn't find any APF related files. That's ok, it just doesn't qualify as making sure that there are no files left.
I am sure that if you take the time to check everything yourself, you will find APF log file and I think another file somewhere in /usr/bin or something like that.
Kiss is a 1 file program, so uninstall is rather simple: you stop kiss first and then remove the file. If you've added it to the list of scripts executed at the boot time with chkconfig, also run
PHP:
chkconfig --del kiss
AndyII
Verified User
- Joined
- Oct 3, 2006
- Messages
- 566
Thanks, want to do this, I am running centOS 4.3 and DA latest, anything I should know or do, or is this a "out of the box" install
A good practice before messing up with firewalls is setting up "reboot" cron job that should reboot your server in, say, 5 mins.
This way, if you lock yourself out by starting the firewall, you will gain the access back in little more than 5 mins.
Of course, if you have KVM/IP or reboot port or trust your service provider to complete reboot request within 15mins, 24/7, you don't need that
rebooting the system is a bit hardcore, woudn't you agree?
Why not a shell script to fulsh the iptables and reset the default policies to accept?
Something like:
Then setup a cron job to run every 15mins:
Its a little less agressive
** examples shamlessly stolen from iptablesrocks.org
Why not a shell script to fulsh the iptables and reset the default policies to accept?
Something like:
vi /root/firewall_reset
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
REROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*nat
:OUTPUT ACCEPT [9:684]
COMMIT
Then setup a cron job to run every 15mins:
Its a little less agressive
** examples shamlessly stolen from iptablesrocks.org
Well, if you can get the stock firewall working right, you probably don't need KISS firewall in the first place
And if your script breaks in the middle because you uploaded it in DOS format, for example, it won't help you much To sunt this upi, the concept is good, but it's not a bullet-proof solution I would recommend to beginners.