How-To install and configure Advanced Protection Firewall (APF)


eWebtricity
08-24-2005, 12:46 AM
APF is a firewall for the Linux operating system. Though many people think that a firewall is instant protection that will do everything, it really is not. A firewall will help prevent some things, but it is not going to stop everything. It is just one piece of the security network that is being woven. I recommend Advanced Protection Firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists. The port list below will work for Plesk.

Step 1:

Download the application from http://www.rfxnetworks.com/apf.php (http://www.rfxnetworks.com/apf.php)


[root@u15171818 src]# cd /usr/local/src
[root@u15171818 src]# wget http://rfxnetworks.com/downloads/apf-current.tar.gz
[root@u15171818 src]# tar -zxf apf-current.tar.gz
[root@u15171818 src]# cd apf-0.9.5-1/
[root@u15171818 apf-0.9.5-1]# ./install.sh
Installing APF 0.9.5-1: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 21,22,25,53,80,106,110,143,443,465,880,993,995,8443
Listening UDP ports: 53,68,32768
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.
[root@u15171818 apf-0.9.5-1]#


Step 2:

Now edit config file


[root@u15171818 apf-0.9.5-1]# vi /etc/apf/conf.apf


Scroll down to the "Common ingress (inbound) TCP ports" section. At this point you need to find the correct configuration for your control panel.


Plesk Control Panel Ports:


IG_TCP_CPORTS="20,21,22,25,53,67,68,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,67,68,873"
EGF="1"
EG_TCP_CPORTS="20,21,22,25,37,43,53,67,68,80,113,123,443,465,873,5224"
EG_UDP_CPORTS="53,67,68,123,873"


Save the file and start APF:


apf -s


Note: This applies to the new FC4/Plesk 8 image only. If APF fails, complaining about not being able to load "ipt_state", then you can edit the /etc/apf/firewall script and comment out the "modinit" line on or around line 42. This is a poor workaround, but it seems to work, at least until I can figure out why this is happening. I think there was a change in the new kernel to ipt_state in the netfilter code, and I suspect it has been replaced by something bigger, better, faster.

Step 3:

If everything still works then edit the config file and turn dev mode off. Make sure you can start a new ssh session before changing dev mode off. If you are kicked out you need to go back and look at what caused the problem!


DEVM="0"


If you want to integrate this firewall with the Port Scan Attack Detector (PSAD) later on you need to enable logging of the firewall traffic so you will need to turn on logging in the config file. Enabling this logging is an optional step but is required for integration with PSAD.


LOG_DROP="1"


Now restart APF


apf -r


Step 4

Now let's set up APF to start at boot time, so when we reboot the firewall is automatically started.


# chkconfig --add apf
# chkconfig --level 345 apf on


That's it, enjoy !
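
As an added check for Steps 2 and 3 above (example code, not part of APF or the original post): a POSIX sh script that validates an IG_TCP_CPORTS value from conf.apf for stray characters (the kind of "9 93" corruption seen later in this thread) and out-of-range ports, and confirms the SSH port is still in the ingress list before DEVM is turned off. The conf.apf fragment at the bottom is a constructed sample.

```shell
#!/bin/sh
# Validate an APF port-list value (the string inside IG_TCP_CPORTS="...").
# Returns 0 if every entry is a plain port number 1-65535, 1 otherwise.
check_port_list() {
    list=$1
    rc=0
    # Anything other than digits and commas (e.g. a space, as in "9 93") is fatal.
    case "$list" in
        *[!0-9,]*) echo "bad character in port list: '$list'" >&2; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for p in $list; do
        if [ -z "$p" ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port entry: '$p'" >&2
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Return 0 only if the list still contains the SSH port (default 22), so that
# restarting with DEVM="0" cannot lock the administrator out.
has_ssh_port() {
    case ",$1," in
        *,"${2:-22}",*) return 0 ;;
    esac
    echo "SSH port ${2:-22} is missing from the ingress list" >&2
    return 1
}

# Extract IG_TCP_CPORTS from a conf.apf file and run both checks on it.
check_conf() {
    tcp=$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1")
    check_port_list "$tcp" && has_ssh_port "$tcp"
}

# Demo on a constructed conf.apf fragment (sample data, not a real file).
sample=$(mktemp)
printf 'DEVM="1"\nIG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995,8443"\n' > "$sample"
check_conf "$sample" && echo "conf ok" || echo "conf has errors, do not run apf -s yet"
rm -f "$sample"
```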

Kan
09-23-2005, 12:01 AM
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995,8443"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465 ,873,5224"


Did you make a typo with "9 93" and "465 ," or do they need to be that way?

nevermind that was a stupid question, thanks for the tut :)

eWebtricity
09-23-2005, 11:30 AM
Hmm, I don't know why it did that. Doesn't show up that way in edit mode for the post. I'll see if I can correct it. It should just be 993 without the space.

skiper43
11-24-2005, 02:02 PM
First, thanks much, eWebtricity, for the great work on this forum. I've only recently discovered this valuable service, and since I'm new to Linux and servers in general, this is a great discovery!!

Now, my APF question -- I just installed this yesterday, and it's working great, also along with "BFD" (already logged and stopped a couple of brute force tries, amazing what's out there!).

Today, I notice in my messages log: (a bunch of these, every couple minutes)

Nov 24 10:44:55 u15186754 dhclient: DHCPREQUEST on eth0 to 82.165.237.249 port 67
Nov 24 10:44:55 u15186754 dhclient: send_packet: Operation not permitted

So, my firewall is successfully stopping these -- but looking up the IP, I see it's a 1and1 address. A little poking around on the web, I discover that DHCP uses port 67, and 68. So, for now, I decide I should allow UDP in and out on ports 67 and 68.

Is this legit? Should ports 67 and 68 be opened up to allow this 1and1 activity?

Thanks again eWebtricity for this great forum!! And thanks anyone for info on this port question.

eWebtricity
11-24-2005, 02:34 PM
I don't have confirmation, but I suspect DHCP (Dynamic Host Configuration Protocol) is used by 1and1's recovery and reimage architecture (i.e. normal boot mode or rescue boot mode, etc.).

skiper43
11-24-2005, 03:56 PM
Thanks .. I guess I'll keep those ports open for now.

nextweb
01-20-2006, 07:27 PM
I am aware of a service from ip2location.com. I am unclear if this database can be used to block traffic on port 80 only.

Anyone have any direction, solutions to block traffic to http, ftp, ssh, smtp? Or at the least block ssh traffic by country?

Thanks!

- David

eWebtricity
05-07-2006, 05:14 PM
Late reply on your question, nextweb; I was just perusing this tutorial when I saw your post today. Take a look at the APF configuration file: it utilizes several methods for blocking hosts that might fit your needs, including DShield.

jholzy
05-09-2006, 12:56 AM
1st, thanks for the great info on these forums!!! It's been a great help weeding through some of the difficulties of managing a 1and1 server!

I'm using a root 1 server with a new reimage using fc4 with psa8.

I have tried to install this apf several times but keep getting the same error when I try to #apf -s:

# apf -s
Development mode enabled!; firewall will flush every 5 minutes.
Unable to load iptables module (ipt_state), aborting.


I've removed iptables and reinstalled it to the latest version and reinstalled apf, but with the same results. I noticed that the tutorial was written back in August, so I'm wondering if there is something missing or that needs to be adjusted for this latest image.

Thanks!

Highland
05-09-2006, 10:25 AM
When exactly was your server last imaged? Up until late last week the 1and1 FC4 images were missing iptables. Can you verify your image has iptables?

eWebtricity
05-09-2006, 02:31 PM
I think that 1and1 didn't compile all the modules into the kernel for iptables support. I haven't had time to confirm this, but I've run into the same issue as well on the FC4/Plesk 8 image. I've emailed 1and1 about it, but their response was that they couldn't support 3rd party applications like APF firewall. They only made sure it worked (which means no errors were thrown) with the Plesk firewall.

C-4 Hosting
05-18-2006, 04:45 PM
Is it possible to block an entire subnet with APF from the command line?

Example:

/etc/apf/apf -d 192.168.1.*

Highland
05-18-2006, 06:02 PM
edit /etc/apf/deny_hosts.rules and add the following at the end

192.168.1.0/24

Then restart apf and that should block all requests from 192.168.1.X
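
To confirm that a CIDR line like the one above really covers the host you intend to block before restarting APF, here is an added POSIX sh check (example code, not part of APF or the original post; the subnet and addresses in the demo are constructed samples).

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer; prints the value,
# returns 1 on malformed input (wrong octet count, octet > 255, stray chars).
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split into octets on '.'
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/BITS  -> 0 if ADDRESS is inside the block, 1 if not,
# 2 on malformed input. A bare address in place of NETWORK/BITS means /32.
in_cidr() {
    ip=$1
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" != "$2" ] || bits=32
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 2
    ipn=$(ip_to_int "$ip") || return 2
    netn=$(ip_to_int "$net") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Demo: check two sample addresses against the deny_hosts.rules entry above.
for addr in 192.168.1.37 192.168.2.5; do
    if in_cidr "$addr" 192.168.1.0/24; then
        echo "$addr: covered by 192.168.1.0/24"
    else
        echo "$addr: NOT covered, rule would not block it"
    fi
done
```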

C-4 Hosting
05-18-2006, 08:14 PM
Thanks Highland! :)

Highland
10-20-2006, 11:44 AM
EDIT: Added in egress port 123 for ntpdate (time sync) operation

jholzy
06-21-2007, 12:45 PM
Just wondering how big this file can get before it starts slowing down the process? With bfd, fail2ban, my own additions (most Asian countries and some Eastern European ones), and who knows what I'm forgetting, the file seems to have grown considerably over the last year...

Thnx!

Highland
06-22-2007, 10:17 AM
APF and fail2ban both use iptables to do their thing. I don't think that you have a lot to worry about, since neither process should be where the overhead is. I ran my server nearly 6 months with both and never had a problem (RS3 though). If you're running a machine with less resources, it's possible you could see some performance issues after a long enough time.