APF + BFD + DDOS + Rootkit

I have installed apf on a box with CentOS 5. When I start apf I get this error:

[root@server1 apf-0.9.6-2]# apf -s
eth0: error fetching interface information: Device not found
apf(11210): {glob} activating firewall
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
apf(11254): {glob} could not verify that interface eth0 is routed to a network, aborting.
apf(11210): {glob} firewall initalized
apf(11210): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.


Does anybody know how to solve this?
 
Are you running a VPS? Usually VPS servers don't use standard terminology for their ethernet ports.

You probably have to make changes to the APF code depending on what your server calls its ethernet ports.

Jeff
 
Hello Jeff, it isn't a VPS but a dedicated box. I found the problem: the ethernet device was not eth0 but eth1. Probably Kiss wouldn't run because of the same problem. After I changed this in the config file it's running perfectly.
 
Can you tell me what these ports do?

-----Direct Admin-----
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
 
Great post, even though it's old, and I did all the steps. But one question: should I uninstall or disable iptables when apf is active? If yes, how, please?
Thanks
 
Thanks I am learning learning and learning linux as a windows guy.
I am trying to set up all the security things like the apf firewall, ddos protection, modsecurity, and the update script.
I hope I do not break or load on server.
 
For all those complaining about SSH attacks, shut the service down by using Webmin or DirectAdmin, and turn it on only whenever you need it.

Why the heck would you need a working SSH all the time anyway?

Just my 2 cents :D
 
Why the heck would you need a working SSH all the time anyway?

Some reasons:

1) Because sometimes DirectAdmin either won't restart or will lock you out.

2) Because you may not want to use Webmin, which is beginning to get attacked as often as ssh is.

3) Because you may be trying to manage your server from a location where you don't have http access.

4) Because you offer shell service to at least some of your clients.

These are all perfectly valid reasons which of course may not apply to you.

Jeff
 
Dear Jlasman,

I do respect your knowledge. But:

1. DA has an adjustable security level, which can block one after xxx login attempts. In my case, whenever I'd been kicked out by DA, I just started another browsing session, and it worked :)

2. I use Webmin, and as far as I see, the SSH kiddies are more into breaking into the heart of the system, and port 22 is far more attractive for them. Of course, if you don't SSL your Webmin, it's not even an option compared to SSH.

3. Yes, I agree on that.

4. I am my own client and boss, not a reseller or host. So I did not have to think about this, except for the times I personally helped to get that server ready to go live.

I'm not sending this message because I do not agree with you. All I wanted to say is that the UNIX world is giving us more and more options in real life. Almost all of them are open source, reliable, and life savers.

One needs to try, learn and even fail, and be able to stay in control of the game as much as possible :)

APF+BFD and a decent AV will always help.

And what level am I?
Just a beginner :)

Regards
 
1. DA has an adjustable security level, which can block one after xxx login attempts. In my case, whenever I'd been kicked out by DA, I just started another browsing session, and it worked :)
I don't know why it worked. It shouldn't. DirectAdmin's firewall is based on your IP# only, not on anything else.

Sooner or later you may find yourself locked out of your server; that'll be your problem ;).

You did notice my last sentence, though, I presume.

Jeff
 
For all those complaining about SSH attacks, shut the service down by using Webmin or DirectAdmin, and turn it on only whenever you need it.

Why the heck would you need a working SSH all the time anyway?
Disabling SSH is a really, really bad idea. If your Webmin panel is ever inaccessible you will lose access to your server.
 
Hi...
I've got the APF firewall installed from the ELS script... the install went fine... it recognized the DA panel...

But when I set APF to start I get this message...

Code:
[root@nms001 apf]# ./apf -s
iptables v1.3.5: Unknown arg `--set-tos'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Unknown arg `--set-tos'
Try `iptables -h' or 'iptables --help' for more information.
[root@nms001 apf]#

my APF version is 0.9.6

I've been searching the APF files, but can't get rid of this iptables error message...
Any ideas?!


thanks
 
I have installed

CFS
Mod Security
Logwatch
CHKROOTKIT
clamscan


Do I need more?
 
I have installed

CFS
Mod Security
Logwatch
CHKROOTKIT
clamscan


Do I need more?
Knowledge of those is pretty important as well, especially Mod Security. Having the applications doesn't automatically make things as secure as they can be with them. You have to know how to use them. :)
 
Yes, thanks, I am learning! But my question is: are there any other things to install as basic security?
 
SIM from Rf-networks, Modevasive, nobodycheck, latest kernel, latest apache, php etc. Disabling dangerous functions of php, some tweaks in your httpd.conf, hardening sysctl.conf, securing temp.

There is really a lot to do, and we have great people here who created scripts like custombuild, customapache and UpdateScript, ELS.

These scripts will help you, and all of them are free.
Please search the forum to get them :)

Regards
 
ddos

ignore.ip.list is not working: I have my IP listed and still got banned from a simple FTP download of a folder at 150 connections.
Should I just disable it? Does the IP_IGNORE file need any special permissions? It is set at 600.

I see on the site there is ddosv2; should this be used instead of the other one (ddos)?

Now go back to /usr/src

Code:
cd /usr/src

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh

Code:
sh install.sh

The config file is /usr/local/ddos/ddos.conf; set your max connections, alert address and so on in there.

The usage is pretty self-explanatory:

Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections

Congratulations you now have dos and brute force protection and an easy to use firewall interface.
 
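To show what a ddos.sh-style check does (count connections per remote IP from netstat, skip addresses on the ignore list, report anything over N), here is an added example written for this thread; it is not the ddos script's own code, the netstat lines and the ignore list are constructed, and the one-IP-per-line ignore format is an assumption.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` data rows (no header lines), not real traffic.
SAMPLE_NETSTAT='tcp  0 0 10.0.0.5:21  192.0.2.10:51234   ESTABLISHED
tcp  0 0 10.0.0.5:21  192.0.2.10:51235   ESTABLISHED
tcp  0 0 10.0.0.5:21  192.0.2.10:51236   ESTABLISHED
tcp  0 0 10.0.0.5:21  192.0.2.10:51237   ESTABLISHED
tcp  0 0 10.0.0.5:80  198.51.100.20:4001 ESTABLISHED
tcp  0 0 10.0.0.5:80  198.51.100.20:4002 TIME_WAIT
tcp  0 0 10.0.0.5:22  203.0.113.7:6000   ESTABLISHED
tcp  0 0 10.0.0.5:22  203.0.113.7:6001   ESTABLISHED
tcp  0 0 10.0.0.5:22  203.0.113.7:6002   ESTABLISHED
tcp  0 0 10.0.0.5:22  203.0.113.7:6003   ESTABLISHED
tcp  0 0 10.0.0.5:22  203.0.113.7:6004   ESTABLISHED'

# Constructed whitelist, one IP per line (assumed to mirror ignore.ip.list).
IGNORE_LIST='203.0.113.7
127.0.0.1'

# Print "count ip" for every remote IPv4 address with more than $1 connections.
# On a live box replace the printf with: netstat -ntu | tail -n +3
offenders() {
  threshold="$1"
  printf '%s\n' "$SAMPLE_NETSTAT" \
    | awk '{ print $5 }' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn \
    | while read -r count ip; do
        # Whitelisted addresses are never reported, whatever their count.
        if printf '%s\n' "$IGNORE_LIST" | grep -qxF "$ip"; then
          continue
        fi
        if [ "$count" -gt "$threshold" ]; then
          printf '%s %s\n' "$count" "$ip"
        fi
      done
}

# Report only; the script's -k option would additionally add a firewall
# block for each reported address, e.g. iptables -I INPUT -s "$ip" -j DROP.
offenders 150
```

With the default of 150, the constructed sample reports nothing; lower the threshold to see the whitelist skip 203.0.113.7 even though it has the most connections.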