Server Security with Advanced Policy Firewall and Antidos

APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. APF is ideal for deployment in many server environments based on Linux.

Below are notes on installing, configuring and running APF.

  1. Download the latest tarball via rfxnetworks.com
  2. Extract and install it:
    # tar -xvzf apf-current.tar.gz
    # cd apf*
    # ./install.sh
    
  3. Check the port that you need to protect with `ifconfig`. Usually it is "eth0" but if it's something else, change it in the "conf.apf" file or you’ll risk locking yourself from the server.
  4. Edit "/etc/apf/conf.apf" and enable D-Shield block list of top networks exhibiting suspicious activity, and activate Antidos also.
    USE_DS="1"
    USE_AD="1"
    
  5. Open the common inbound and outboud ports.
    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443"
    IG_UDP_CPORTS="53"
    
    EGF="1"
    EG_TCP_CPORTS="21,22,25,43,53,80,110,443"
    EG_UDP_CPORTS="20,21,53"
    
  6. Edit "/etc/apf/ad/conf.antidos":
    LP_KLOG="1"
    
    USR_ALERT="1"
    USR="root"
    
  7. Add antidos to "/etc/crontab":
    # Antidos
    */2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
    
  8. Star the firewall via `apf –s`.
  9. If you are not locked out of SSH, disable development mode in "conf.apf" file.
    DEVM="0"
    
  10. Restart with `apf -r` and verify that firewall is up and protecting the server using `iptables -L -n`.

Notes:

  • APF uses init files and is automatically set to startup at boot time. Check with `chkconfig --list apf`.
  • The apf and antidos logs are rotated via the conf files present in "/etc/logrotate.d".
  • Remember to add your IP address in "/etc/apf/allow_hosts.rules" and "/etc/apf/ad/ignore.hosts" files to avoid being locked out of the server.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
libipt_recent.so missing in RHEL3

APF complains of libipt_recent.so missing in RHEL3.

Install Milan Kerslager iptables rpm which includes the missing library.

To install via yum add the below repository to yum.conf:

[ker]
name=Milan Kerslager RPM Repository for Enterprise Linux $releasever
baseurl=ftp://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-3/stable/
    &nbsp;   ftp://ftp.vslib.cz/pub/local/milan.kerslager/RHEL-3/stable/<br />    &nbsp;   http://ftp.linux.cz/pub/linux/people/milan_kerslager/RHEL-3/stable/

Then update via yum:

yum update iptables

Restart apf:

apf -r

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=173729

apf breaks ftp on kernel 2.6.20 and greater on FC5

With kernel 2.6.20 and later, apf breaks ftp as "ip_conntrack" is no longer in use and has been replaced by "nf_conntrack" instead. So edit "/etc/apf/internals/functions.apf" to use nf_conntrack.

Add the below lines in the "modinit" function to load the respective modules:

ml nf_conntrack
ml nf_conntrack_irc
ml nf_conntrack_ftp

Also add the correct path check to the modules in the "ml" function:

if [ -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/$1.$MEXT" ] || [ -f "/lib/modules/$(uname -r)/kernel/net/netfilter/$1.$MEXT" ]; then
    &nbsp;   $MPB $1
fi

Brute Force Detection

Along with APF and antidos, the BFD (Brute Force Detection) package is also recommended. Besides, BFD default configuration is designed to work in conjunction with APF versions 0.9.3+.

# wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
# tar -xvzf bfd-current.tar.gz
# cd bfd-0.9
# sh ./install.sh

Onces installed, edit the "/usr/local/bfd/conf.bfd" file if you want to receive email alerts.

ALERT_USR="1"
EMAIL_USR="root"

APF error on Fedora

I got the below error with APF on Fedora Core 6:

Starting APF:Unable to load iptables module (ipt_state), aborting.

A workaround I found was to edit "/etc/apf/firewall" and comment out the call to modinit on or near line 42. The kernel should load the proper modules it needs itself when starting apf.

ipt_state has been deprecated in the 2.6.16 kernel in favor of xt_state.

apf support for passive ftp

Passive ftp broke when commenting out the modinit line as mentioned above.

Instead, in "/etc/apf/internals/functions.apf" I replaced "ml ipt_multiport 1" with "ml xt_multiport", which seems to have resolved the ipt_state warning as well as support for passive ftp.

apf, proftpd and passive ftp

Edit "/etc/proftpd.conf" and add the following line:

PassivePorts 50000 51000

Edit "/etc/apf/conf.apf" and add the above range to the Ingress ports.

IG_TCP_CPORTS="...,50000_51000"

Restart apf and proftpd.

Comment