How to: Install APF working with DA

Well, I was answering torp, didn't see your post... but, to try and answer,

jan 02 08:19:24 feyenoord apf(23049): activating firewall

Looks like the firewall is loaded

You can try

apf -r

to verify that it is
 
Thanks!

There's nothing that would suggest that my IP is blocked in apf/firewall

My ad.rules is clean - this is very strange.
 
Re: A funny thing happened to me today (APF Anti DOS problem)

I've removed all entries from the file afp/ad/ad.rules, but it doesn't seem to make any difference. I've also gone through all other files, and I can't find my IP address anywhere. But I'm not able to connect to any of my server's websites either...
I had my APF kick me out as well, but I solved that by simply typing "apf" (after logging in from another IP, of course); you can add "allow" rules directly from command line, you don't need to edit anything.
 
deltaned: Read the comments about "dev mode" in /etc/apf/conf.apf ;)

roel: Add your own IP(s) in the /etc/apf/allow_hosts.rules file, those will never be banned
 
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.

OK, advice, what is the best: 1 or 0?
 
Quoted from the APF readme:
Option: DEVM="1"
Definition: APF comes default in dev. mode; meaning the firewall rules
will be flushed every 5 minutes. This is intended to prevent you from
being locked out of your system in the event of undesired results from APF.
Set the DEVM="1" option to zero (0) once APF is operating as desired.
Do NOT! leave this option enabled on a permanent basis, or you defeat
the purpose of using a firewall.
Running APF in DEVM="1": if you (your current IP) get banned from your server for whatever reason, you will be able to access your server again after 5 minutes.

Running APF in DEVM="0": if you (your current IP) get banned from your server for whatever reason, the only way to reach your server will be from another IP or by getting physical access.

You could get banned at the firewall level by BFD, APF antidos, mistakes configuring other APF settings/rules, etc.

To avoid being banned, you could enter your IP in the /etc/apf/allow_hosts.rules file. I believe that would be enough.
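The lockout risk just described (DEVM and allow_hosts.rules) as an added example, not code from the thread or from APF itself: a POSIX sh pre-flight check that reads conf.apf and allow_hosts.rules and only reports "ready" for DEVM="0" once the admin's IP is allowed and the SSH port is in IG_TCP_CPORTS. The file paths, IP addresses and SSH port are assumptions passed as arguments; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from APF itself: a pre-flight check
# to run BEFORE switching conf.apf from DEVM="1" to DEVM="0". The sample files,
# IP addresses and port values below are constructed for the demo.

# Print the value of a NAME="value" option in an APF conf file (first match).
apf_get_opt() {                      # $1 = conf file, $2 = option name
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed (0) if IP $2 appears uncommented, on its own line, in allow file $1.
apf_ip_allowed() {
    grep -v '^[[:space:]]*#' "$1" | grep -qxF "$2"
}

# Succeed (0) if port $2 is one of the comma-separated entries in list $1.
apf_port_listed() {
    echo ",$1," | grep -qF ",$2,"
}

# Pre-flight: returns 0 when it is safe to set DEVM="0", 1 when something
# reported must be fixed first (otherwise the next ban locks the admin out).
# $1 = conf.apf, $2 = allow_hosts.rules, $3 = admin IP, $4 = SSH port
apf_preflight() {
    rc=0
    devm=$(apf_get_opt "$1" DEVM)
    tcp=$(apf_get_opt "$1" IG_TCP_CPORTS)
    [ "$devm" = "1" ] || echo "note: DEVM=\"$devm\", rules are not being flushed every 5 min"
    if ! apf_ip_allowed "$2" "$3"; then
        echo "problem: $3 is not in allow_hosts.rules; add it before DEVM=0"; rc=1
    fi
    if ! apf_port_listed "$tcp" "$4"; then
        echo "problem: SSH port $4 is not in IG_TCP_CPORTS=\"$tcp\""; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the thread's settings, so the check runs offline.
apf_demo_files() {                   # $1 = directory to write into
    printf '%s\n' 'DEVM="1"' 'IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"' \
        'IG_UDP_CPORTS="53"' > "$1/conf.apf"
    printf '%s\n' '# admin workstation (constructed address)' '203.0.113.10' \
        > "$1/allow_hosts.rules"
}
if [ "${APF_DEMO:-0}" = "1" ]; then                 # APF_DEMO=1 sh thisfile.sh
    d=$(mktemp -d); apf_demo_files "$d"
    apf_preflight "$d/conf.apf" "$d/allow_hosts.rules" 203.0.113.10 22 && echo "ready for DEVM=0"
    apf_preflight "$d/conf.apf" "$d/allow_hosts.rules" 198.51.100.7 22 || echo "not ready"
fi
```

Against a real box, pass /etc/apf/conf.apf and /etc/apf/allow_hosts.rules plus the IP you are logged in from; the second demo call shows the failing case for an address that was never added.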
 
Hi,
I've just installed apf, and I need some help:

- must port 3306 be in IG_TCP_CPORTS?

- how can I see the log files from apf?

- what do we have to set to run apf antidos?

:)
 
>> must port 3306 be in IG_TCP_CPORTS?
3306 is the port used by MySQL, so you should decide if you want to allow remote access to the MySQL server or not.

If not, your users will only be able to use it via local applications (such as phpMyAdmin or any other program) using localhost.

>> how can I see the log files from apf?
In my RHEL, APF logs are located at: /var/log/apf*

>> what do we have to set to run apf antidos?
http://www.rfxnetworks.com/apf.php
http://www.rfxnetworks.com/apf/README
http://www.rfxnetworks.com/apf/README.antidos
 
Hi All.

I see this thread was started in Sept 04, was wondering if anyone's found a working ruleset?

Would be grateful if someone could spare a little time and paste the info here for us newbies :-)

thanks!
 
Hi Winger

Thanks for replying.

I did see that article, only thing there was no mention of settings for DA? I saw Cpanel and Ensim...

Can you paste the settings you're using?
Thanks in advance
:-)
 
winger said:
Hi NewBee,

These settings are working for me:

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"

IG_UDP_CPORTS="53"

EG_TCP_CPORTS="21,22,25,37,43,53,80,443"

EG_UDP_CPORTS="53"

I really don't know if it's correct or enough, but it is working fine for my use.

you can also see this:

- http://www.rfxnetworks.com/apf/README
- http://www.rfxnetworks.com/apf/README.antidos

:D

Thanks Winger - You've been a great help.

Can someone from DA Admin (or even RFX) please let us know if these settings are compatible/recommended?

I'm sure many of us would appreciate it :-)
Thanks.
 
Well, how can I put a range of ports like 12000-13000? Is that acceptable?
Thanks
 
Right.... I have the firewall up and running but have not yet activated the anti-dos feature, can someone please let us know what configurations to use?

Thanks!
 
I started the anti-dos and got booted from the box right away, and so did all services. Now I can't get back in at all. Any ideas???
 
If it locked you out, you can try connecting from another computer (different IP address) that might not be blocked yet.
Otherwise you'll need physical access to the server to correct the problem.
 
Got back in lol. Called tech and had them reboot, but I still haven't turned it back on again; I was too afraid to get locked out again.

Any help with the config file as to what to enable would be good.

# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="0"
#
# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"
#
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="0"
#
# Kernel log file
KLOG="/var/log/messages"
#
# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"
#
# Trigger value before we drop an event SRC
TRIG="20"
#
# Trigger value before we drop syn-floods for SRC
SF_TRIG="25"
#
# Trigger ports for syn-flood; null for all
SF_TRIG_PORTS="80,443"

##
# [Attack Filtering]
##
#
# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"
#
# Drop destination interface [0=off,1=on]
DROP_IF="0"
#
# Do not drop interface for events matching these ports;
# line separated strings.
NCRIT_PORTS="$INSPATH/noncrit.ports"
#
# Block attacks with iptables [0=off,1=on]
IPT_BL="1"
#
# Where to write iptables rules to
BLOCKR="$INSPATH/ad.rules"
 