*APF Firewall with AntiDOS Module and Brute Force Detection Installation Process for cPanel Servers*
By Aric Pedersen

Revision History:
July 25, 2004: Initial Release.
August 4, 2004: Clean up a typo. Add to discussion of monolithic kernels.
August 7, 2004: Added "cut'n'paste" directions.
February 6, 2005: Updated cut'n'paste directions and downloadable apf config UDP ports.
April 2, 2006: Update directions with latest version of APF, AntiDOS and BFD. Removed "preconfigured" option.
April 15, 2006: Updated configuration suggestion with a few other optional port suggestions.
April 18, 2006: A few minor cleanups.
May 23, 2006: Added more optional ports (for Razor2, DCC and Pyzor anti-spam technologies).

WHERE CAN I DOWNLOAD THE LATEST VERSION OF THIS DOCUMENT?
http://captainshareware.com/apfcpinstall.txt

WHAT YOU NEED TO COMPLETE THE INSTALLATION OF APF ON YOUR CPANEL SERVER:
1) The latest version of APF and BFD:
http://www.rfxnetworks.com/downloads/apf-current.tar.gz
http://www.r-fx.org/downloads/bfd-current.tar.gz
2) A Linux-based server with a copy of cPanel/WHM installed and configured properly. Don't bother with this install procedure until you are certain that cPanel and WHM are installed, configured and working properly; otherwise you won't be able to tell whether a problem you run into is a cPanel/WHM thing or an APF thing.
3) This document. ;-)

A FEW WORDS BEFORE WE BEGIN:
APF is a software-based firewall front end: it builds the kernel's iptables rules from a set of config files. If you aren't familiar with what a firewall is, what the heck are you doing reading this document?! Just kidding. ;-) You may want to brush up on what a firewall is first: http://www.howstuffworks.com/firewall.htm

APF with the AntiDOS module can be an effective tool to help prevent some kinds of attacks against your server.
Just because you have a firewall installed does NOT mean your server is hacker-proof. It just makes it more difficult for attackers to reach and exploit certain services on your server, and it can help to mitigate a DOS attack before it gets out of hand. A large enough DOS attack CAN still overwhelm the server, firewall and all (every packet still has to be received and inspected before it is dropped), so it is not a foolproof solution. What is a DOS attack, you ask? http://www.grc.com/dos/grcdos.htm Now you know. :)

The install of APF and AntiDOS is very easy. The problem lies in making absolutely certain that you get the configuration exactly right. After all, a firewall's job is to block traffic in and/or out of your server. If you don't configure APF correctly, it will happily block legitimate traffic, including ALL access to your server (which would mean a tech with physical access to your machine would have to log in and disable the firewall before you could get back in). Not pleasant, to be sure!

Also, since this is a SOFTWARE firewall and not a HARDWARE firewall separate from your server, you need to be careful that you don't "over" configure it: every rule is evaluated on the server's own CPU, so the more rules the firewall has to check, the more CPU load it adds. If you have a lower powered server (like a Celeron), this is more of a concern than if you have dual Xeon processors and 2 GB RAM, but it is still something you need to consider. Note that the AntiDOS and BFD modules add a rule for every IP they block, so the deny list can grow large enough that loading it at startup overloads the server and it may crash; be sure to clean out the /etc/apf/deny_hosts.rules file periodically and get rid of old entries.

Still want to move forward? Then read on...

INSTALLING APF:
1) Log into your server as root via SSH.
2) Navigate to a directory where you can download and work with the APF installer files (typically you can do this right in root's home directory, ~).
3) Type the following to download the very latest copy of APF onto your server:
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
4) Run the following to decompress the file you just downloaded:
tar xfz apf-current.tar.gz
5) Now, change directory to the one you just decompressed:
cd apf*
6) Run the install script:
./install.sh

That's it. You are done with the install. Now "all" we have to do is configure APF and AntiDOS (if you choose to use it), and run some tests. Piece of cake! ;-)

CONFIGURING APF:
The configuration file of APF is very well commented, but the comments sometimes assume you know more about some options than you might actually know. I'll walk through all the settings we need to be worried about as well as a few others you might decide to change. I'm going to assume you are starting with a "clean" copy of the config files and are going to edit them yourself. I'm also going to assume you will use pico on your server to do the editing. The important thing to remember (the actual config file mentions this, in case you forget) is that you need to use the -w flag so pico doesn't word wrap anything; a wrapped line turns one setting into two broken ones. nano takes the same -w flag.

EDITING CONF.APF:
Fire up your text editor of choice and open the conf.apf file:
pico -w /etc/apf/conf.apf

Now we can get down to editing the file (you can also see descriptions of each option in the README.apf file). I will first quote each line as it appears in the "clean", unmodified copy of conf.apf and then discuss what it means and what, if anything, you might want to do with that line.

Line 19: DEVEL_MODE="1"
Remember that I said if you weren't careful, you could easily lock yourself out of your own server using APF? Well, APF has a built-in safety net for just such eventualities. If DEVEL_MODE (DEVM for short from here on) is set to 1, as it is by default, APF when started will only remain active and blocking with the settings from the config file for 5 minutes; after that time, a cron job APF installs will flush the firewall (disabling it).
This means you have 5 minutes to run tests on your server, trying to send and receive traffic on various ports in various ways to see if your settings restrict something they shouldn't. On the off chance that you accidentally block yourself or an important port and can't get in, APF will automatically be turned off in 5 minutes, so you can come back, make changes, restart APF and test again. ONLY change DEVM to 0 (zero) if you are CERTAIN everything is working as it should and that you can safely SSH into your server. DEVM=0 removes the safety net, so you'd better hope your config is good enough that you haven't locked yourself out. :)

Line 27: INSTALL_PATH="/etc/apf"
This is the path to the location where APF is installed. Generally you should never have to change this unless you installed APF manually into some other location.

Line 33: IFACE_IN="eth0"
Line 34: IFACE_OUT="eth0"
This is the Linux name for the interface (probably an ethernet card) that your server uses to connect to the outside world (the Internet). Line 33 is for incoming traffic, line 34 for outgoing. Likely you won't change this, as most servers only have one interface and it is typically called eth0. However, if you know that your server is connected on some other interface like eth1 or eth2, change these lines to reflect that (ifconfig will show you which interface carries your public IP address).

Line 38: IFACE_TRUSTED=""
Typically you wouldn't change this either. Any interfaces named here are TRUSTED, meaning APF doesn't filter traffic on them at all. This is useful if your server has a second network connection that is only connected to a local, trusted intranet at your server's data center. If so, enter the name of the interface here; separate more than one with commas: eth2,eth3 etc. Never put your public interface here, or the firewall will be doing nothing useful.

Line 45: SET_VNET="0"
APF now allows you to set up different rules for different IP addresses (virtual network interfaces) on your server. If you want to enable this, change the 0 to a 1.
Line 49: SET_MONOKERN="0"
If you've compiled a monolithic kernel (perhaps a grsecurity kernel) without loadable kernel modules, then you should set this to 1 so APF doesn't try (and fail) to load the iptables modules. Otherwise, the rest of the universe (and this probably includes you ;-) ) should leave this line set to zero, unless you get an error about being unable to load iptables modules later when starting up APF. Then you should set this to 1.

Line 55: VF_LGATE=""
Another line you probably won't change. Any MAC address here will be implicitly trusted (because it is the local gateway you have set up). If the traffic comes from some other MAC, it is denied. If you have to ask what that means, then you don't need to worry about it. ;-)

Line 59: VF_ROUTE="1"
Verifies that IFACE_IN/IFACE_OUT and IFACE_TRUSTED are real, routed interfaces before loading rules. Leave this set to 1 unless you enjoy watching APF fail if you made a mistake above.

Line 63: VF_CROND="1"
If set to 1, this checks that the cron daemon (which runs the DEVEL_MODE safety-net job) is active. If cron is not running, APF will refuse to start rather than risk permanently locking you out. Leave this set to 1 unless you have problems with it.

Line 70: VF_UTIME="0"
You can set this to a minimum uptime value; if the server has been up for less than this, APF will not load (it will exit with an error and you must start it manually). Setting it to 0 disables the feature. This can help avoid problems with lockups during server booting due to too many rules being set up, but it needs rather fine tuning or APF will never start automatically at boot. When in doubt, leave this set to 0.

Line 81: TCP_STOP="DROP"
This line defines what happens when TCP traffic hits a port that APF has closed.
You have three choices. DROP (the best choice, typically) makes the server silently discard TCP packets to non-permitted ports: whoever is probing gets no answer and has to wait for a timeout, which slows scans down, although since your open ports still answer, this hides the closed ports rather than the server. RESET sends back a TCP RST, which is the normal "this port is closed" reply an unfiltered host gives and is what port scanners report as "closed"; change this line to RESET if you want that behaviour. REJECT sends back an ICMP unreachable message telling the other computer that traffic to this port is rejected.

Line 89: UDP_STOP="DROP"
Same as Line 81, but controls how UDP packets are handled. UDP (User Datagram Protocol) is the connectionless transport protocol in the TCP/IP suite: it does not set up a connection or guarantee delivery like TCP does, which is why DNS, NTP and streaming media use it.

Line 95: DSTOP="DROP"
All other packet types get handled like this. Either DROP or REJECT. Leave this as-is, typically.

Line 101: PKT_SANITY="1"
This serves as an overall toggle for the other sanity checks below. Generally a good idea to leave set to 1, unless you think one of the sanity checks is causing a problem; then set this to 0 to test.

Line 106: PKT_SANITY_INV="0"
If you set this to 1, APF drops packets that the kernel's connection tracking marks as INVALID (packets that don't belong to any known connection or carry nonsensical TCP flag combinations). This can help stop malformed packet attacks and is probably safe to use in most cases. If you experience problems, set this back to 0; otherwise, set it to 1.

Line 110: PKT_SANITY_FUDP="1"
When this is set to 1, APF drops fragmented UDP packets. Fragments are a classic way to sneak traffic past simple filters, so this is safe to leave set to 1 on most web servers, but note that fragmented UDP is not always bogus: large DNS replies (EDNS) and NFS over UDP produce them legitimately, so if you run those, test with this set to 0 first.

Line 114: PKT_SANITY_PZERO="1"
Set to 1, this option checks incoming and outgoing packets to see if they are trying to communicate to port 0, and if so, the offending packets are dropped.
No legitimate traffic should ever try to do this, so leave this set to 1.

Line 117: PKT_SANITY_STUFFED="0"
If this is set to 1, APF will deny any packets with "stuffed" routing, that is, source-routed packets, where the sender dictates the path the packet should take. Nothing legitimate on a hosting server needs source routing, so you can set this as you choose, though set it back to zero if you experience problems.

Line 125: TOS_DEF_TOS="0"
As noted in the comments, you can change the Type of Service bits the firewall sets so that packets are prioritised differently. APF used to set this to 4. Given the granularity of this feature, it's probably best to leave it set to 0, but it's up to your needs for the server. This is just the default; you can set different options for different ports below.

Line 128: TOS_DEF_RANGE="512:65535"
This is the port range covered by these TOS rules. Any ports outside this range are not subject to the TOS settings.

Line 131: TOS_0=""
Ports that should be set to normal service.
Line 134: TOS_2=""
Ports that you want set to TOS 2 (minimise cost).
Line 137: TOS_4=""
Ports that you want set to TOS 4 (maximise reliability).
Line 140: TOS_8=""
Ports that you want set to TOS 8 (maximise throughput).
Line 143: TOS_16=""
Ports that you want set to TOS 16 (minimise delay).

Line 149: TCR_PASS="1"
TCR_PORTS="33434:33534"
If TCR_PASS is set to 0, no traceroute probes will be answered by the server. If it is set to 1, traceroute is permitted on the UDP port range listed in TCR_PORTS. For security, some people like to turn traceroute off; otherwise, you can leave everything as-is.

Line 155: ICMP_LIM="30/s"
The maximum number of ICMP packets per second (#/s) or per minute (#/m) the server will accept; any additional packets are dropped. This line should be set to any reasonable value. What is reasonable really depends on what kind of hardware you've chosen for this server.

Line 160: RESV_DNS="1"
This tells APF to trust the nameservers listed in /etc/resolv.conf and allow DNS traffic to and from them, so your server keeps resolving names whatever else you block. The default is 1; set it to whatever you prefer.
Line 166: RESV_DNS_DROP="1"
This only matters if Line 160 RESV_DNS is set to 1. In that case you will probably want to leave this at 1 as well, so that DNS traffic from nameservers other than your own is dropped quietly; otherwise you will see a lot of extra, mostly pointless entries in your log. Don't have Line 160 set to 1? Then this line does NOTHING either way, so leave it as-is.

Line 172: BLK_P2P="1"
Line 173: BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
This blocks the ports that certain common P2P networks use. As P2P networks can generate a lot of traffic, you may wish to leave BLK_P2P set to 1. If you want to allow these sorts of connections, change it to 0. If you only want to allow certain ones, remove the ports you wish to allow P2P traffic on from BLK_P2P_PORTS.

Line 179: BLK_MCATNET="0"
If you have a streaming server specially set up to use MBONE (multicast) then leave this set to zero. If not (and you almost certainly do NOT), set this to 1, which will block stray multicast traffic.

Line 187: BLK_PRVNET="0"
If you have a home network (several computers sharing a single Internet connection, typically through a router, switch or even another computer), you are probably familiar with IP addresses like 192.168.1.100. This is your LOCAL IP address on your home network, and most private/home networks use the same blocks of addresses (192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8, the RFC 1918 ranges). If you have a home network, your REAL IP address is the one your ISP assigns to you and NOT the local home network IP address. Private addresses are ONLY used BEHIND a firewall or router on a private network, so a packet arriving from the Internet with one of them as its source is spoofed or misrouted. Setting this line to 1 (which is a good idea, generally) will block traffic from these sorts of "private" IP addresses. Unless your server is sitting in your house (or its public interface itself sits on a private address behind NAT), set this to 1 and be done with it.

Line 194: BLK_RESNET="0"
There are certain blocks of IP addresses not assigned to anyone at all right now. They are reserved for some future use.
Setting this line to 1 will block any traffic from these currently unassigned IP addresses, as no legitimate traffic should be coming from them anyway. The catch is that unassigned blocks get assigned over time, so a stale list will eventually block real visitors; that is what the USE_RD auto-update option further down is for.

Line 200: BLK_IDENT="0"
Set this to 1 if you want to block incoming and outgoing IDENT requests on port 113, unless port 113 is explicitly opened in the incoming or outgoing *_TCP_CPORTS lists. Setting this to 1 is probably a good idea, as it may speed up FTP, SMTP and certain other connections where the remote end tries an IDENT lookup of your server.

Line 207: SYSCTL_CONNTRACK="34576"
This is the maximum number of connections the kernel's connection tracking table will hold. Set this too high and you're wasting memory. Set it too low and new connections get dropped once the table fills (especially in periods of high traffic). Leave this set as-is unless you know you have a problem with it.

Line 212: SYSCTL_TCP="1"
This applies APF's TCP tuning settings to the kernel. Leaving this set to 1 makes your server respond more quickly to packets than it typically would. It is a good idea to leave this option set to 1.

Line 217: SYSCTL_SYN="1"
Leaving this set to 1 will help protect your server from SYN-flood attacks: http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm Leave it set to 1 unless you have some special reason you don't wish to do so (or are having problems with this feature).

Line 221: SYSCTL_ROUTE="0"
Setting this to 1 turns on source address verification (reverse-path filtering): a packet is dropped if the reply to it would leave by a different interface than the one it arrived on. This helps against spoofed packets. Occasionally having this on creates problems (asymmetric routing, multi-homed servers), so it is up to you to decide if the increased security is worth the potential issues.

Line 226: SYSCTL_LOGMARTIANS="0"
Setting this to 1 will log "martian" packets: packets whose source address could not legitimately have arrived on that interface (spoofed or misrouted). This can create a lot of mostly pointless log entries unless you suspect a problem, so leave this off.

Line 233: SYSCTL_ECN="0"
Turning this on enables Explicit Congestion Notification, which lets routers flag congestion in packet headers instead of dropping packets, so senders can slow down earlier.
This feature can cause issues with some older firewalls and routers that drop ECN-marked packets, so you may wish to leave it off.

Line 247: SYSCTL_SYNCOOKIES="1"
This turns on TCP SYN cookies. They only come into play when the SYN backlog fills up (as it does in a SYN flood); at that point the kernel keeps accepting connections without queueing half-open ones, at the cost of losing some TCP options on connections completed that way. Setting this to 1 is definitely more secure, and the cost is small in normal operation, but you may set it to 0 if you run into compatibility problems.

Line 257: SYSCTL_OVERFLOW="0"
Another nonstandard method of handling packets. This definitely should NOT be turned on if Line 247 SYSCTL_SYNCOOKIES="1", and vice versa, as they are mutually exclusive. This can also slow down your connection. Leave it off.

Line 263: CDPORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
This is a list of commonly scanned ports that typically have absolutely no business being open on a web server (Windows RPC/NetBIOS/SMB, portmapper, rlogin, RIP, MS SQL and a few well-known worm/backdoor ports). Port ranges are separated by an underscore character, so 135_139 tells APF (on this line) to drop, without logging, all traffic into or out of ports 135, 136, 137, 138 and 139. You can leave this as-is.

Now we are getting to the critical part of the config. You need to make sure you don't block ports that need to be open, and that you don't open ports that shouldn't be. Make sure you talk to your data center, because some of them employ special scanners and monitors that may try to connect on a non-standard port. At least at first, you may want to err on the side of leaving a few too many ports open, and then scale them back once you are sure you don't need them. Planning and research is key to making sure APF is effective, but not too restrictive. A good way to plan is to list what is actually listening on the server (netstat -tuln) and open only those ports, remembering that a service bound to 127.0.0.1 needs no hole in the firewall at all.

Where did I get most of the information I used to make changes to these lines? Much came from rfxnetworks' own preferred APF for cPanel setup, and others came from common experience and other sources on the Internet. I know the changes I made should work just fine for most cPanel servers, but you should use your own judgement.

Line 279: IG_TCP_CPORTS="22"
Any ports here are ports that you expect to have INBOUND TCP(/IP) traffic to (from the Internet to your server).
I have changed this line to cover the most common inbound ports, but you may wish to revise it to best cover your own situation:

SUGGESTED Line 279: IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,123,143,443,465,873,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2703,3306,6277,6666,8080,9999,11371,30000_50400"

Port descriptions: 20=FTP data channel (active mode), 21=FTP control, 22=SSH/SFTP, 25=SMTP (mail), 26=Alternate SMTP (change this to whichever alternate port you set in WHM, or remove it), 37=TIME (rdate), 43=WHOIS, 53=DNS/Nameserver, 80=HTTP (web), 110=POP3 (mail), 113=IDENT (optional), 123=NTP (Network Time Protocol, optional), 143=IMAP (mail), 443=HTTP SSL/TLS, 465=SMTP SSL/TLS (mail), 873=RSYNC, 993=IMAP SSL/TLS (mail), 995=POP3 SSL/TLS (mail), 2082=cPanel, 2083=cPanel SSL/TLS, 2084=cPanel Chat Service (optional), 2086=WHM, 2087=WHM SSL/TLS, 2089=cPanel License Checking, 2095=cPanel Webmail, 2096=cPanel Webmail SSL/TLS, 2703=Razor2 (optional), 3306=Remote MySQL (optional; only needed if clients on other machines connect to MySQL, and a MySQL bound to localhost needs nothing here), 6277=DCC (optional), 6666=cPanel Chat, 8080=TomCat/Java Admin or PSoft.net SiteBuilder (optional), 9999=Urchin Web Stats Admin (optional), 11371=PGP Keyservers (optional), 30000_50400=Passive FTP (depending on your configuration, you may not need this entire range open; match it to the passive port range in your FTP server's config).

Every port on this list is reachable from the whole Internet once opened, so remove the optional ones you don't use. Port 3306 in particular deserves thought: an Internet-facing MySQL is a favourite brute-force target.

Line 282: IG_UDP_CPORTS=""
Allow incoming UDP packets on the specified ports.

SUGGESTED Line 282: IG_UDP_CPORTS="20,21,53,465,873,2703,6277"

Port descriptions: 20=FTP data, 21=FTP, 53=DNS/Nameserver, 465=SMTP SSL/TLS, 873=RSYNC, 2703=Razor2 (optional), 6277=DCC (optional). Of these, only 53 and 6277 (DCC really is a UDP protocol) carry UDP traffic in practice; FTP, SMTPS, rsync and Razor2 are TCP services, so the UDP entries for them are harmless but do nothing.

Line 286: IG_ICMP_TYPES="3,5,11,0,30,8"
The ICMP types accepted inbound: 3 (destination unreachable), 5 (redirect), 11 (time exceeded), 0 (echo reply), 30 (traceroute) and 8 (echo request). See the comments for where to look for a fuller description of ICMP types if you are interested. Leave this line as-is.

Line 306: EGF="0"
If you set this line to 1, APF will also filter OUTBOUND traffic from your server to the Internet, which limits what a compromised account or script can do (a rogue IRC bot, a spam run or a download of further tools on a non-standard port gets blocked). For increased safety, I recommend setting this to 1, but do what you feel is best. Remember that egress filtering has its own port lists (below), and only the ports on them can get out.
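The planning advice above (open only what is actually listening, and nothing that is bound to localhost) can be checked mechanically before you take DEVM off. The following is an added example script for this guide, not part of APF or of the original document: it parses IG_TCP_CPORTS and IG_UDP_CPORTS out of conf.apf, expands APF's low_high ranges, and compares them with the listening sockets in the output of netstat -tuln. The conf and netstat text embedded in it are constructed samples so it runs offline; run it with --live on a real server to read /etc/apf/conf.apf and call netstat itself.

```python
#!/usr/bin/env python3
"""Audit APF ingress port lists against what is actually listening.

Added example for this guide, not part of APF. Inputs: the IG_*_CPORTS
lines from conf.apf and the output of `netstat -tuln`.
"""
import re
import subprocess
import sys

LOOPBACK = ("127.", "::1")


def parse_port_list(value):
    """Expand an APF port list such as "20,21,80,30000_30010" into a set of ints."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "_" in item:                      # APF writes ranges as low_high
            low, high = item.split("_", 1)
            ports.update(range(int(low), int(high) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_conf(conf_text):
    """Return {"tcp": set, "udp": set} from the active IG_*_CPORTS lines.

    Only an uncommented assignment at the start of a line counts, so a
    commented-out alternative is not picked up by mistake.
    """
    opened = {"tcp": set(), "udp": set()}
    for line in conf_text.splitlines():
        m = re.match(r'^\s*(IG_TCP_CPORTS|IG_UDP_CPORTS)="([^"]*)"', line)
        if m:
            proto = "tcp" if m.group(1) == "IG_TCP_CPORTS" else "udp"
            opened[proto] = parse_port_list(m.group(2))
    return opened


def parse_netstat(netstat_text):
    """Return {"tcp": set, "udp": set} of ports bound on non-loopback addresses.

    A socket bound to 127.0.0.1 or ::1 is unreachable from outside whatever the
    firewall says, so it needs no hole and is left out. TCP sockets must be in
    LISTEN state; UDP lines have no state column.
    """
    listening = {"tcp": set(), "udp": set()}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = "tcp" if parts[0].startswith("tcp") else "udp"
        host, _, port = parts[3].rpartition(":")
        if not port.isdigit() or host.startswith(LOOPBACK):
            continue
        if proto == "tcp" and "LISTEN" not in parts[4:]:
            continue
        listening[proto].add(int(port))
    return listening


def audit(conf_text, netstat_text):
    """Compare both views. Lists are sorted so the output is stable.

    blocked_listeners: public listeners the firewall will block
    open_without_listener: holes in the firewall with nothing behind them
    """
    opened = parse_conf(conf_text)
    listening = parse_netstat(netstat_text)
    return {
        proto: {
            "blocked_listeners": sorted(listening[proto] - opened[proto]),
            "open_without_listener": sorted(opened[proto] - listening[proto]),
        }
        for proto in ("tcp", "udp")
    }


# Constructed sample input (not from a real server) so the script runs offline.
SAMPLE_CONF = '''
# IG_TCP_CPORTS="22"        <- commented-out original, ignored
IG_TCP_CPORTS="21,22,25,80,110,143,443,2082,2083,2086,2087,3306"
IG_UDP_CPORTS="53"
'''
SAMPLE_NETSTAT = '''Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
'''

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Real run on the server: read conf.apf and ask netstat.
        conf = open("/etc/apf/conf.apf").read()
        ns = subprocess.run(["netstat", "-tuln"], capture_output=True, text=True).stdout
    else:
        conf, ns = SAMPLE_CONF, SAMPLE_NETSTAT
    for proto, r in audit(conf, ns).items():
        print(f"{proto}: listening but NOT opened (will be blocked): {r['blocked_listeners']}")
        print(f"{proto}: opened but nothing listening (close these?): {r['open_without_listener']}")
```

On the sample data it reports that IMAPS (993) and NTP (123/udp) are listening but not opened, that nine opened TCP ports have nothing behind them, and it says nothing about 3306 because that MySQL is bound to localhost. "Nothing listening" is a prompt to think, not a verdict: the passive FTP range and a mail port you have not started yet legitimately show up there.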
Line 309: EG_TCP_CPORTS="21,25,80,443,43"
If we are going to use EGF, then we should edit this list to cover the common outbound TCP(/IP) ports a cPanel server uses:

REVISED Line 309: EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,123,143,443,465,873,2087,2089,2703,3306,6277,11371,30000_50400"

Port descriptions: 20=FTP data, 21=FTP, 22=SSH/SFTP, 25=SMTP (mail), 26=SMTP Alternate port (optional, should match what you set in WHM's Service Manager), 37=TIME (rdate), 43=WHOIS, 53=DNS/Nameserver, 80=HTTP (web), 110=POP3 (mail), 113=IDENT (optional), 123=NTP (optional), 143=IMAP, 443=HTTP SSL/TLS, 465=SMTP SSL/TLS (mail), 873=RSYNC, 2087=WHM SSL/TLS, 2089=cPanel License Checking, 2703=Razor2, 3306=Remote MySQL (optional), 6277=DCC (optional), 11371=PGP Keyservers (optional), 30000_50400=Passive FTP (again, you probably don't need this entire range open; check your FTP server configuration for the correct ports).

Line 312: EG_UDP_CPORTS="20,21,53"
Ditto here, but for UDP ports outbound:

SUGGESTED Line 312: EG_UDP_CPORTS="20,21,37,53,123,465,873,2703"

Port descriptions: 20=FTP data, 21=FTP, 37=TIME (rdate), 53=DNS/Nameserver, 123=NTP (optional), 465=SMTP SSL/TLS (mail), 873=RSYNC, 2703=Razor2 (optional), 6277=DCC (optional; DCC is a UDP protocol, so add 6277 to this line if you use it). Outbound 53 and 123 are the ones that matter on every server: without them, name resolution and clock synchronisation stop the moment EGF goes on.

Line 316: EG_ICMP_TYPES="all"
Same as the ICMP types discussed above, but these are OUTGOING types. Leave as-is.

Line 331: EG_TCP_UID=""
If you want to restrict or allow outbound TCP(/IP) connections based on user IDs, then this would be the place to do it.

Line 334: EG_UDP_UID=""
Ditto here for UDP.

Line 347: EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
APF can block outbound traffic from specific programs. It matches on the command name as it appears in the process list, so it is trivially evaded by renaming the binary; treat it as a tripwire for lazy abusers, not a control. This list is pretty good as-is, but you may wish to add/remove to match your security needs/AUP.

Line 355: USE_DS="0"
Controls whether you want APF to periodically download dshield.org's blocklist and automatically block IPs that are known to behave badly. Turn this on.
Visit http://dshield.org/ if you want to learn more about their free service. 1 = on.

Line 357: DS_URL="feeds.dshield.org/top10-2.txt" # block.txt url (no *://)
Line 358: DS_URL_PROT="http" # protocol to use for wget
If you are going to use dshield.org's blocklist, these lines set the address of the list file and the protocol to fetch it with. The defaults should be OK. Bear in mind that a file fetched over plain HTTP from a third party becomes a deny list on your firewall, so anyone able to tamper with that download can block whoever they like; that is a fair trade for most hosting servers, but know that you are making it.

Line 366: USE_RGT="0"
Line 368: GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
Line 369: GA_URL_PROT="http" # protocol for use with wget
Line 371: GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
Line 372: GD_URL_PROT="http" # protocol for use with wget
APF can use one central repository of allow/deny host rules instead of a separate one for each server. If you want to use it, set Line 366 to 1 and configure the others to point to the correct location for the rules. The same caution applies: whoever controls that URL controls your allow and deny lists, so host it somewhere you trust.

Line 378: USE_RD="1"
Line 380: RD_URL_PROT="http" # protocol to use for wget
Line 381: RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
If you are using BLK_RESNET, it is a good idea to leave this set to 1, since it automatically updates the reserved network list with the latest copy. Even if you aren't using BLK_RESNET, it is safe to leave these lines set to their defaults.

Line 386: USE_AD="0"
Change this to 1 if you wish to use APF's AntiDOS (AD) module (more on that later).

Line 397: LOG_DROP="0"
Have APF log all dropped packets. Don't turn this on unless you're in the mood for lots and lots of data.

Line 401: LOG_LEVEL="crit"
Set this to the syslog level you want APF's log messages recorded at.

Line 406: LOG_TARGET="LOG"
Specify where to send log data: LOG passes the data to the kernel log (syslog), ULOG hands it to a userspace logging daemon (ulogd) so you can process it yourself.

Line 411: LOG_IA="1"
Log all Telnet/SSH interactive access. Marks the logged item with either a Telnet or SSH prefix.

Line 415: LOG_LGATE="0"
Log all foreign gateway traffic.
Line 420: LOG_EXT="0"
Set this to 1 if you want to log extended information for each logged item. Useful for debugging and attack mitigation, but only turn it on when you need it.

Line 424: LOG_RATE="30"
The maximum number of items to log per minute. Anything beyond this number in a given minute won't be recorded. This keeps your server from getting overloaded by logging (and your disk from filling up) during an attack.

Line 428: LOG_APF="/var/log/apf_log"
This is the location of the APF status log, where it logs every startup, shutdown and other runtime status data.

The last few lines should not be changed, so I'm not going to discuss them here. That's it for the conf.apf file. Save your work.

Before we get going, we also need to set up the AntiDOS part of APF if you want to use it, so we have yet another config file to edit:

EDITING THE ANTIDOS CONFIGURATION FILE:
Open the AntiDOS config file. Don't forget to turn off word wrap with the -w flag if you use pico. You need to keep an eye on APF's deny_hosts.rules file (or the loaded iptables rules, apf -l) if you use this module, because it adds a rule for every IP it blocks, and the list can grow so large that loading it bogs down or crashes APF and iptables.

pico -w /etc/apf/ad/conf.antidos

We'll walk through the config file just as we did the APF config:

Line 13: APF_BASE="/etc/apf"
This is the location where APF itself is installed. This should match whatever you entered in your APF config file. Typically you won't need to change this.

Line 16: APF_CNF="$APF_BASE/conf.apf"
This is where the conf.apf file you edited earlier is located. You probably won't need to change this.

Line 19: INSPATH="$APF_BASE/ad"
This is the location where AntiDOS is located. Again, you shouldn't need to edit this.

Line 22: ANTILOG="/var/log/apfados_log"
This is where the AntiDOS log will be created. You shouldn't need to change it.

Line 25: MLOAD="30"
This is the load average above which AntiDOS will stop running (so it doesn't further contribute to the problems your server may be having).
If you have a Celeron or a server with another low-end processor, you may wish to lower it. You want to set it to a level high enough that AntiDOS can do its job well, but not so high that AntiDOS itself would start to cause problems.

Line 32: LP_KLOG="0"
If you want AntiDOS to parse the kernel log for iptables-based attack records, set this to 1 (I think it's a good idea).

Line 35: LP_SNORT="0"
If you have Snort ( http://snort.org/ ) installed and you want AntiDOS to work with it, set this to 1. If Snort isn't installed or configured, leave this set to zero. Whole big thick books have been written about Snort, so it's beyond the scope of this document to explain it.

Line 38: DET_SF="0"
Setting this to 1 tells AntiDOS to try to detect SYN-flood attacks, which is generally a good idea unless you notice AntiDOS flagging a lot of false attacks for some reason.

Line 41: KLOG="/var/log/messages"
This tells AntiDOS where your kernel log file is. Typically, you won't need to edit this. It is only used if you set LP_KLOG=1.

Line 44: SLOG="/var/log/snort/portscan.log"
This tells AntiDOS where your Snort portscan log is, if you have Snort installed and LP_SNORT=1. You probably won't need to edit this.

Line 47: LN="100"
AntiDOS will read the last this-many lines from the log files looking for suspicious activity. This affects all logs and is a reasonable value, not one you probably need to change.

Line 50: TRIG="15"
How many times a suspicious event needs to happen before AntiDOS reports it. Keeping this number high will reduce the likelihood that one of your users will accidentally trigger it. 15 is an OK value, although 20 is probably better.

Line 53: SF_TRIG="25"
This is how many times an event needs to happen before it is considered a SYN flood and AntiDOS takes action. This is a reasonable value.

Line 56: SF_TRIG_PORTS="80,443"
These are the specific ports that AntiDOS looks for SYN floods on.
If you set this line to "" (nothing), it will look at ALL ports for SYN-flood activity. Ports 80 and 443 are reasonable values and should help to keep false matches to a minimum, but if you are concerned, feel free to edit this line as you see fit.

Line 63: ROUTE_REJ="0"
Reject attackers by adding a reject entry for them to the kernel routing table. I leave this off. You can do what you want, although if you don't know what this does, please leave it OFF.

Line 66: DROP_IF="0"
Drop the destination interface. If you turn this on, it is critical to make sure that Line 70 listed below is set up properly.

Line 70: NCRIT_PORTS="$INSPATH/noncrit.ports"
This is the path to a file that defines non-critical ports. If you've turned on Line 66, you should probably check this file to make sure it is set the way you want.

Line 73: IPT_BL="1"
Block attackers using iptables. This is a good idea and should be on. This will block anyone determined to be attacking your server.

Line 76: BLOCKR="$INSPATH/ad.rules"
This is where AntiDOS will write any rules it adds to your iptables. You probably don't need to edit this.

Line 80: NETBLOCK=0
Set this to 1 if you want AntiDOS to block the whole network block an attacker comes from rather than just the single IP.

Line 83: NETBLOCK_MASK=24
If Line 80 is set to 1, block a range of IPs based on a /16 or /24 netmask. This can stop an attacker from using additional IPs from the same ISP to continue the attack. Be aware of the collateral damage: a /24 block shuts out 256 addresses and a /16 shuts out 65,536, which on a shared ISP range means a lot of innocent customers (possibly including your own home connection), so stick to /24 if you use this at all.

Line 90: ARTOPIC="Urgent: Administrative issue enclosed, please read."
This is the subject line of any e-mail that AntiDOS sends out to warn you about activity it sees or actions it has taken. Edit as you see fit.

Line 93: MAX_MNUM="12"
This is the maximum number of e-mails that AntiDOS will send out before it gives up warning you about a particular issue. This way, if you are out of town, you won't come back to 1,000's of messages from AntiDOS. :)

Line 96: CONAME="Your Company"
This should be the name of your company. It will appear in the body of the e-mail.
Line 99: USR_ALERT="0"
Set this to 1 if you want to alert an administrator when your server appears to be under attack. This is a good idea.

Line 102: USR="you@yourco.com"
Set this to the e-mail address of the administrator who should receive the warning e-mails.

Line 105: ARIN_ALERT="0"
If you want AntiDOS to also look up the contact e-mail address for the network the attack came from AND send an e-mail there, set this to 1. Think before turning this on: a spoofed or reflected attack will have you mailing complaints to innocent networks.

Line 108: IPW_SRV="whois.arin.net"
Which whois server do you want to use to look up that contact address for the Line 105 e-mails? This setting should be fine.

Line 111: RETUSR="$USR"
The return address on the e-mail AntiDOS sends. By default this is the address from Line 102.

The rest of the AntiDOS config file probably shouldn't be edited unless you have a good reason to do so, and if so, you don't need me to walk you through it, do you? ;-) Save the file. Now we need to start up APF and test it.

FINALIZING INSTALLATION AND TESTING APF:
1) Make sure APF is in testing mode (DEVM=1) so that it will stop blocking ports after 5 minutes. Then add APF so that it starts up with the server:
chkconfig --add apf
chkconfig --level 345 apf on
2) Now we start up APF:
/usr/local/sbin/apf -s
or
/usr/local/sbin/apf -start
or
service apf start
(any one of these three should work). Keep in mind that the first time you start APF, it might take a bit to return you to the command line, because it is setting up and checking a number of things.
3) We now have 5 minutes to check whether we blocked ports we weren't supposed to. Load cPanel accounts, and try anything that accesses other ports: update cPanel/WHM, log out of and back into SSH (from a SECOND window, keeping your first session open), try cPanel webmail, WHM, sending and receiving mail, FTP, and so on. If anything goes wrong or doesn't respond, wait 5 minutes, log into SSH, make the necessary changes and then restart APF.
4) If after testing all is well, edit DEVM=1 in the APF config file to DEVM=0 and restart APF.
This will make the firewall stay on permanently unless you disable it.

INSTALLING AND CONFIGURING BFD:

We still have one more thing to set up, which we couldn't do until APF and AntiDOS were installed, configured and working properly. We need to install BFD (rfxnetworks seems to love initials...). Brute Force Detection does just what it says: it scans the logs looking for attempts by clumsy hackers looking for a "way in" to your server. If it discovers a single IP trying too many times and failing to get in, it automatically blocks the IP and warns you about it (if you want it to do so). BFD requires APF and is a lot easier to set up than APF was.

To install:

1) Download the latest version of BFD while logged in as root:

cd
wget http://www.r-fx.org/downloads/bfd-current.tar.gz
tar xfz bfd-current.tar.gz
cd bfd*

2) Install BFD:

./install.sh

3) Configure BFD:

pico -w /usr/local/bfd/conf.bfd

There isn't much that needs to be configured, really.

Line 28: INSPATH="/usr/local/bfd"
Where BFD is installed. You probably don't need to edit this.

Line 31: RPATH="$INSPATH/rules"
Where the rules file is. Don't edit this.

Line 34: TLOGP="$INSPATH/tlog"
Where the tracking log is. Don't edit this.

Line 37: LOG="/var/log/bfd_log"
Where BFD's own log is kept. Don't edit this.

Line 40: USE_KLOG="1"
Tells BFD to also read the kernel log. This is a good idea. Leave it as-is.

Line 43: KLOG="/var/log/messages"
Where your kernel log is. Don't edit this unless you know the log is elsewhere on your server.

Line 46: SLOG="/var/log/secure"
Where the server's secure (authentication) log is. Don't edit this unless you know the log is elsewhere on your server.

Line 49: ALERT_USR="0"
Setting this to 1 will send you an e-mail whenever BFD takes some action. It is a very good idea to turn this on, at least for a while, so you can see what it is blocking.

Line 52: EMAIL_USR="root"
What e-mail address is BFD's e-mail sent to? Root is fine so long as you have root mail forwarded to a real e-mail address; otherwise change this.
Line 55: SUBJ_USR="Brute Force Warning for $HOSTNAME"
This is the subject line of the e-mail BFD sends. $HOSTNAME is a variable that will print the name of your server. Change it if you want.

Line 58: ALERTF="$INSPATH/alert.bfd"
This is the path to the template that BFD uses for the e-mail it sends to you. Feel free to edit the template as you see fit.

Line 63: PATTERN_FILE="$INSPATH/pattern.auth"
This is the pattern file that BFD uses to recognize failed logins in the logs. Don't edit this path.

Line 67: BCMD="/etc/apf/apf -d $ATT_HOST"
This is the path and command BFD runs against your firewall (APF) for each attacking host it finds. You don't need to edit this.

Line 71: BCMD_FILE="/etc/apf/deny_hosts.rules"
This is the location of the deny_hosts file that your firewall (APF) uses to block IPs.

Line 75: PRECHK_FILES="$INSPATH/exclude.files"
This file is used by BFD to make sure that it never blocks an IP address listed in the exclude file. For example, if you have a static IP address at home or work, you may wish to add that IP to the exclude file so that you never get accidentally locked out of your server. Don't put your IP in the exclude file if it is dynamic: once your ISP hands that address to someone else, you have permanently excused whoever gets it from BFD.

Line 78: TMZ=`date +"%z"`
Finds the current timezone. Leave this as-is.

Line 81: UTIME=`date +"%s"`
Used for lock file tracking. Don't edit this.

Line 84: LOCK="$INSPATH/lock.utime"
Ditto.

Line 87: LOCK_TIMEOUT="60"
This is the time in seconds after which the lock file automatically times out. You can leave this as-is.

Once you've finished, save the changes and restart APF for good measure:

service apf restart

If you want to change how often BFD checks for intrusion attempts (every 8 minutes by default), edit the cron file here:

/etc/cron.d/bfd

That's it. You are done!

CUT 'N' PASTE APF/AD/BFD DIRECTIONS:

Here for your delectation are the commands you will typically run, in order, to set up APF/AD/BFD on your server. Don't use these if you don't know what you're doing!
cd ~
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar xfz apf-current.tar.gz
cd apf*
./install.sh
pico -w /etc/apf/conf.apf
pico -w /etc/apf/af/conf.antidos
chkconfig --add apf
chkconfig --level 345 apf on
service apf start

Test the apf installation with DEVM="1" to make sure it works, then set DEVM="0" in conf.apf and restart APF before continuing:

service apf restart

cd ~
wget http://www.r-fx.org/downloads/bfd-current.tar.gz
tar xfz bfd-current.tar.gz
cd bfd*
./install.sh
pico -w /usr/local/bfd/conf.bfd
service apf restart
cd ~
rm -Rf apf*
rm -Rf bfd*
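A pre-flight check you can run before (and while) testing in DEVM=1 mode, so that a port you forgot to open shows up as a warning on the command line instead of as a lockout. This is an added example written for this page; it is not part of APF and not the original author's code. It reads the IG_TCP_CPORTS line from a conf.apf-style file and reports any port from a "must stay open" list that the setting does not cover. The sample config and the port list (22, 80, 443, cPanel 2082/2083, WHM 2086/2087, webmail 2095/2096, a passive FTP port in a 30000_35000 range) are assumptions for demonstration; on a real box point it at /etc/apf/conf.apf and edit the list to match your server.

```shell
#!/bin/sh
# Pre-flight check for the TCP ports APF will leave open. Added as an example for
# this page; not part of APF and not the original author's code. It parses
# IG_TCP_CPORTS from a conf.apf-style file and reports which of a list of
# "must stay open" ports that setting does not cover.

# Return 0 if PORT is covered by the APF port spec SPEC, e.g. "22,80,30000_35000".
# APF writes port ranges as LOW_HIGH in conf.apf.
apf_port_allowed() {
    spec=$1
    port=$2
    for item in $(printf '%s\n' "$spec" | tr ',' ' '); do
        case "$item" in
            *_*) lo=${item%_*}; hi=${item#*_} ;;
            *)   lo=$item;      hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Print the value of IG_TCP_CPORTS from a conf.apf-style file (quotes stripped,
# last assignment wins, commented-out lines ignored).
apf_read_tcp_cports() {
    sed -n 's/^[[:space:]]*IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print, on one line, every port from $2... that the conf file $1 does not allow.
# Empty output means all of them are covered.
apf_missing_ports() {
    conf=$1
    shift
    spec=$(apf_read_tcp_cports "$conf")
    missing=""
    for p in "$@"; do
        apf_port_allowed "$spec" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

# Constructed conf.apf fragment for demonstration (not a real server's config).
# It leaves out the cPanel webmail ports on purpose.
APF_SAMPLE_CONF=$(mktemp)
cat > "$APF_SAMPLE_CONF" <<'EOF'
# IG_TCP_CPORTS="22"   <- commented out, must be ignored
DEVM="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,30000_35000"
IG_UDP_CPORTS="53"
EOF

# Assumed list of ports a cPanel box must keep reachable: SSH, HTTP/HTTPS,
# cPanel (2082/2083), WHM (2086/2087), webmail (2095/2096) and one passive FTP
# port inside the 30000_35000 range. Adjust to match your own server.
APF_MUST_BE_OPEN="22 80 443 2082 2083 2086 2087 2095 2096 30500"

missing=$(apf_missing_ports "$APF_SAMPLE_CONF" $APF_MUST_BE_OPEN)
if [ -n "$missing" ]; then
    echo "WARNING: not allowed by IG_TCP_CPORTS: $missing"
else
    echo "All required TCP ports are allowed."
fi
```

Against the constructed config the script warns about 2095 and 2096. Run it against the real conf.apf before "service apf start" and again after every edit; it only checks the inbound TCP list, so UDP ports (IG_UDP_CPORTS) and the outbound lists still need the by-hand testing described above.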
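To make concrete what BFD is doing every 8 minutes, here is a stripped-down reproduction of its sshd case, added as an example for this page (it is not BFD's own code and not the original author's). Real BFD recognizes many services through the rules in pattern.auth and keeps its own tracking log so it doesn't recount old lines; this version only counts "Failed password" lines per source IP in a /var/log/secure-style file, honours an exclude list (assumed here to be one IP per line, standing in for exclude.files on Line 75), and prints the "apf -d" command from Line 67 that BFD would run instead of running it. The log excerpt and exclude list are constructed for the demonstration.

```shell
#!/bin/sh
# Simplified BFD-style brute force detection over an sshd log. Added as an
# example for this page; not BFD's own code and not the original author's.
# Assumptions: log lines in /var/log/secure format, exclude file holds one IP
# per line, block command is APF's "apf -d IP" (printed, not executed).

# Print every source IP with at least THRESHOLD failed sshd logins in LOG,
# one per line, skipping any IP listed in EXCLUDE (missing exclude file = none).
bfd_offenders() {
    log=$1
    threshold=$2
    exclude=$3
    grep 'sshd\[[0-9]*\]: Failed password for' "$log" \
      | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | while read -r count ip; do
            [ "$count" -ge "$threshold" ] || continue
            if [ -f "$exclude" ] && grep -qx "$ip" "$exclude"; then
                continue
            fi
            echo "$ip"
        done
}

# Same arguments; print the block command BFD would hand to APF (BCMD on Line 67)
# for each offender. Pipe the output to sh to actually apply it.
bfd_block_cmds() {
    bfd_offenders "$@" | sed 's|^|/etc/apf/apf -d |'
}

# Constructed /var/log/secure excerpt (not from a real server). 203.0.113.5 fails
# four times, 192.0.2.9 fails three times but is on the exclude list, and
# 198.51.100.7 is a legitimate user who mistyped a password once.
BFD_SAMPLE_LOG=$(mktemp)
cat > "$BFD_SAMPLE_LOG" <<'EOF'
Apr 18 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 18 10:01:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 18 10:01:09 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Apr 18 10:01:12 host sshd[1237]: Failed password for root from 203.0.113.5 port 51250 ssh2
Apr 18 10:02:11 host sshd[1301]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Apr 18 10:03:30 host sshd[1350]: Failed password for bob from 198.51.100.7 port 40020 ssh2
Apr 18 10:04:01 host sshd[1360]: Failed password for root from 192.0.2.9 port 33001 ssh2
Apr 18 10:04:03 host sshd[1361]: Failed password for root from 192.0.2.9 port 33002 ssh2
Apr 18 10:04:05 host sshd[1362]: Failed password for root from 192.0.2.9 port 33003 ssh2
EOF

# Constructed exclude list: the admin's static office IP.
BFD_SAMPLE_EXCLUDE=$(mktemp)
echo "192.0.2.9" > "$BFD_SAMPLE_EXCLUDE"

BFD_THRESHOLD=3
bfd_block_cmds "$BFD_SAMPLE_LOG" "$BFD_THRESHOLD" "$BFD_SAMPLE_EXCLUDE"
```

With the threshold at 3 the only command printed is for 203.0.113.5: 198.51.100.7 is under the threshold and 192.0.2.9 is excused by the exclude list, which is exactly why the exclude file should hold only addresses you are certain are yours and static.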