How to: Install APF working with DA

Need some help !!!

Hi there..

I know this thread is quite old but I'm trying my luck anyways.. :)

I run a server on which we do both ... web as well as shell hosting.. (yes I know it's a very bad idea...)

I make all web hosting a/c via DA and the shell ones via the normal linux commands...

The shell a/c are used for eggs/bnc's.

Recently I installed snort/base and whoa!! 4905 alerts in 3 hours!! Most of them are SQL alerts on port 143? Also brute-force attempts run into a couple of thousands... so I decided on putting in a firewall...

My question is...
What ideally should be my in/out ports for APF?? I've really no clue about which protocol uses which ports apart from the usual 22, 80 etc.. I've decided and notified all my shell customers to use ports 20000-30000 for all eggs/bnc's..

Can someone please help ...

Regards,
ashagg
 
Well, ashagg, if you know what you're running you know what ports to open. We currently have the following ports open for incoming traffic (we currently don't filter outgoing traffic, we do filter it).

TCP: 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 143 (imap), 443 (https), 2222 (directadmin) and 3306 (MySQL, only for our monitoring server open).
UDP: only 53 (dns).

If you have incoming traffic for other services, like bots, and you know what port(s) they are running on, you just add those ports. If it's a port range, like you mentioned, you can add it like 20000_30000.

Jochem
 
Hi,

I've configured APF like this.
I've also enabled outbound filtering on the same ports as inbound.
Is this the correct way?

What about inbound/outbound ICMP?

Thank you!

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


# Egress filtering [0 = Disabled / 1 = Enabled] // outbound filtering
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"


# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="1"
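A small validator for the port-list syntax used in these conf.rules variables, written here as an added example (not APF's own code and not from the post above): entries are comma-separated single ports or lo_hi ranges, the 20000_30000 form mentioned earlier in the thread. The sample conf.rules it reads is constructed inline and deliberately contains one mistyped port.

```shell
# Return 0 if $1 is a plain port number in 1..65535.
apf_port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print each entry of an APF port list on its own line ("port" or "lo-hi");
# return 1 if any entry is malformed.  Usage: apf_expand "21,22,20000_30000"
apf_expand() {
    rc=0
    old_ifs=$IFS; IFS=','
    for entry in $1; do
        case "$entry" in
            *_*)   # APF range notation: lo_hi
                lo=${entry%%_*}; hi=${entry#*_}
                if apf_port_ok "$lo" && apf_port_ok "$hi" && [ "$lo" -lt "$hi" ]; then
                    printf '%s-%s\n' "$lo" "$hi"
                else
                    printf 'bad range: %s\n' "$entry" >&2; rc=1
                fi ;;
            *)
                if apf_port_ok "$entry"; then
                    printf '%s\n' "$entry"
                else
                    printf 'bad port: %s\n' "$entry" >&2; rc=1
                fi ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Pull one VAR="..." line out of a conf.rules file and validate its list.
apf_check_var() {   # apf_check_var conf_file VARNAME
    val=$(sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1")
    apf_expand "$val"
}

# Constructed sample conf.rules: the inbound lists from the post plus a
# range, and a UDP entry with a typo (letter O instead of zero).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222,20000_30000"
IG_UDP_CPORTS="53,7O000"
EOF
```

Run `apf_check_var conf.rules IG_TCP_CPORTS` against a real file; a non-zero exit plus a "bad port"/"bad range" message on stderr means APF would be fed an entry it cannot translate into a rule.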
 
Installer not working on Debian

The installer does not work on Debian. It attempts to put the startup file for apf in /etc/rcd.0/ but this directory does not exist on Debian.

I have tried to find documentation on how to install in a specific directory, but I haven't been able to. Anyone know how to remedy this in any way?
 
Hi,

After several attempts to install apf, I have decided to remove it.

How can I completely remove APF? I can see that a cron job
"unix1 CROND[21749]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)" is running every 5 minutes.

thanks.
 
First try would be to go into the directory from where you installed it and see if there's an uninstall script.

Jeff
 
Thanks but could not find any uninstall script.

any manual way?
 
Find everything and delete it.

Especially the startup script.

I don't have time to look right now.

Jeff
 
thanks jeff.

I did a chkconfig --del apf and then deleted files below:

rm /etc/init.d/apf
rm /etc/cron.daily/fw
rm -rf /etc/apf

There are no more apf scripts in cron.daily, cron.hourly, cron.weekly, etc.

crontab -e does not have any apf entries.

The cron log is still showing apf stop executed every 5 mins. :(
 
# cd /var/spool/cron
# grep apf *

If you see any output edit those cronjobs:

crontab -e <username>

and remove those lines, then save the file.

Either way be sure to restart the cron daemon:

# service crond restart

Exactly what line do you see in the logs (time for a cut and paste into the forum)?

Jeff
 
# cd /var/spool/cron
# grep apf *
returned nothing.

I manually cat'ed each of the user files in that directory (admin, root, diradmin); none of them has any apf entry.

# service crond restart
I have restarted crond several times. Anyway, this is a vps box. I have even rebooted the whole vps through virtuozo.

Exactly what line do you see in the logs (time for a cut and paste into the forum)?

Jan 12 12:00:00 unix1 CROND[5794]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

there is definitely no apf file in /etc/init.d, it has been removed.

Again, thanks a lot jeff for looking into this
 
Something is trying to run it, and it's not there.

How about the /etc/crontab file?

That could be the culprit?

If you change it you do have to restart the crond daemon.

Jeff
 
argh what an oversight. :D it is indeed in /etc/crontab.

You just made my day Jeff. Thanks a lot.
 
It took me a while to think of it as well.

I would have found it more quickly while logged in because I start by doing this:

# grep <whatever> /etc/cron*
# grep <whatever> /etc/cron*/*

and so forth until I get an error that no lower level files exist.

Jeff
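The search Jeff describes, collected into one function as an added example (not code from the thread or from APF): it checks every location cron reads jobs from, including /etc/crontab itself, which is the file the per-user spool search above missed. It takes an optional root directory so it can be run against a constructed tree; the fixture below is constructed and reproduces the stray line from the log.

```shell
# Print every cron file under ROOT (default: /) that mentions PATTERN.
# Locations: /etc/crontab, /etc/cron.d, cron.{hourly,daily,weekly,monthly},
# and the per-user spool (/var/spool/cron on CentOS-style systems,
# /var/spool/cron/crontabs on Debian).
cron_refs() {   # cron_refs PATTERN [ROOT]
    pat="$1"; root="${2:-}"
    for f in "$root/etc/crontab" \
             "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip
        grep -q -- "$pat" "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Constructed fixture: /etc/init.d/apf and /etc/apf are gone, but the
# system crontab still carries the every-5-minutes "apf stop" job.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/cron.d" "$ROOT/etc/cron.daily" "$ROOT/var/spool/cron"
cat >"$ROOT/etc/crontab" <<'EOF'
SHELL=/bin/sh
*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1
EOF
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' >"$ROOT/etc/cron.daily/logrotate"
printf '0 3 * * * /usr/local/bin/backup.sh\n' >"$ROOT/var/spool/cron/root"

cron_refs apf "$ROOT"    # on a live box: cron_refs apf
```

Whatever it lists is where the leftover job lives; after editing those files, restart crond as noted above.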
 
milan said:
Is there any info how to get this working on a debian box?
The how-to will also work on a debian box. APF doesn't use any package systems, but simply compiles from source. It should work on most *nix systems (and probably all big Linux distros).

Jochem
 