freddo
Sep 28 2005, 04:32 PM
You're the expert, so whatever you think best.
I just restarted apf (with the new reserved.networks) and it takes a fair while to start because of all the:
iptables v1.2.8: host/network `186.173.36.72.reverse.layeredtech.com' not found
in the deny file. Being able to delete up to the last n lines would get rid of most of these, hopefully anyway.
chielsen
Oct 3 2005, 07:54 AM
Apf is very greedy it seems. A user of my site gets blocked all the time. Now I have him in my allow list, but how could this happen? He's just surfing on my site.
The config is attached.
rfxn
Oct 3 2005, 08:00 AM
It sounds like you got antidos or bfd installed and one of them is set too sensitive.
chielsen
Oct 3 2005, 08:22 AM
QUOTE (rfxn)
It sounds like you got antidos or bfd installed and one of them is set too sensitive.
Where can I check the config of those?
rs-6422
Oct 3 2005, 08:24 AM
RTFM .....
Please, take some time to read the documentation. It's not a pain in the ....!
AntiDos should be in : /etc/apf/ad/
and bfd in : /usr/local/bfd/
Regards
Jean
chielsen
Oct 3 2005, 08:27 AM
QUOTE (rs-6422)
RTFM .....
Please, take some time to read the documentation. It's not a pain in the ....!
AntiDos should be in : /etc/apf/ad/
and bfd in : /usr/local/bfd/
Regards
Jean
Yes, I know those, but maybe there are more config files, since I see nothing in there that could explain it. Bfd should send me an e-mail if it blocks something and antidos seems not even to be working (/var/log/apfados_log doesn't exist).
Furthermore, ad.rules is empty, so it isn't because of ad either?
Daghan
Oct 10 2005, 01:49 PM
If I don't restart iptables and apf within a day I get too much packet loss and after that the server is gone. I checked messages and see these messages:
Oct 10 22:08:34 in kernel: ip_conntrack: table full, dropping packet.
Oct 10 22:08:39 in kernel: NET: 683 messages suppressed.
Oct 10 22:08:39 in kernel: ip_conntrack: table full, dropping packet.
cat /proc/sys/net/ipv4/ip_conntrack_max
34576
This value is set by the APF firewall, and this value is in conf.apf.
This setting is now SYSCTL_CONNTRACK="34576"
I have too much http traffic. 2 GB RAM. What is the correct value for me?
dennys
Oct 20 2005, 10:34 PM
Hey guys,
I have a problem... I just bought another server, and installed apf and bfd. However, my bfd doesn't seem to be working on the new server. I have compared both conf files with a working server, and they are identical. Servers are both running RHEL3. I've tried multiple attempts with wrong passwords via ssh and ftp, and nothing gets blocked by bfd. I have the triggers set to 5 for sshd and 10 for ftp.
I have attached both my conf.apf and conf.bfd files.
Note that I'm running ssh on port 1719 not on port 22.
Any advice would be appreciated.
Thanks much
web1
Oct 20 2005, 10:41 PM
You probably put yourself into the ignore hosts list so you are not going to ever get locked out.
And you don't want to get locked out, right? (in other words, leave it that way)
You would need to attempt to log in from another IP. Maybe use a dial up or go over to a coffee shop? If you had another server you could probably log in from the other server.
Did you start apf and bfd and did you set the DEV option thing so apf is running all the time? Remember you have to restart apf after you change the DEV option.
dennys
Oct 20 2005, 11:02 PM
Sorry, forgot to mention that I was trying from another server

And yes, DEV_MODE is set to 0
web1
Oct 21 2005, 02:33 AM
OK, you always check the fuse first before taking apart something.
Now we can get more technical I guess. Do you think it's reading the correct log files?
You could manually test the scripts, see this thread where I posted some info on how to test them.
http://forum.ev1servers.net/showthread.php?t=58611
The command is just a lot of pipe'ed commands, you can try each one, one at a time and keep piping them to each other and see what each one does with the log entries. Bfd is written as a shell script, all of it.
You probably want to try that test with the ssh and/or ftp script. It should find the entries you have for any "illegal" attempts you tried. Make sure there are some log entries that it should be picked up or you will be wasting your time.
I found that the default apache script isn't doing its job right now on my server. The ssh and ftp work ok.
BFD can also e-mail you when it finds something, you should turn that on and make sure it's got the correct e-mail address.
I'm just throwing things out there for you to try, the install of BFD went great for me and stopped an attack to ssh right away within a few seconds of starting it.
You may want to think about what differences there are between your other server and this new one that could cause problems. Are you using a different panel? Is there a default firewall installed? Is iptables a version that is supported by apf? Is iptables installed and working on your new box? Is cron in a default location where bfd can find it?
Apf writes to iptables and then quits, it doesn't keep running and bfd is a cron called script that runs and then reads through the log files, then quits. Does bfd get called by cron properly?
Bfd isn't added to your crontab, it's in cron.d if I remember correctly.
dennys
Oct 21 2005, 04:15 PM
QUOTE (web1)
OK, you always check the fuse first before taking apart something.
Now we can get more technical I guess. Do you think it's reading the correct log files?
You could manually test the scripts, see this thread where I posted some info on how to test them.
http://forum.ev1servers.net/showthread.php?t=58611
I have no idea how to run those, I tried, but keep getting many grep errors
QUOTE
BFD can also e-mail you when it finds something, you should turn that on and make sure it's got the correct e-mail address.
That's already enabled
QUOTE
I'm just throwing things out there for you to try, the install of BFD went great for me and stopped an attack to ssh right away within a few seconds of starting it.
You may want to think about what differences there are between your other server and this new one that could cause problems. Are you using a different panel? Is there a default firewall installed? Is iptables a version that is supported by apf? Is iptables installed and working on your new box? Is cron in a default location where bfd can find it?
Apf writes to iptables and then quits, it doesn't keep running and bfd is a cron called script that runs and then reads through the log files, then quits. Does bfd get called by cron properly?
Both servers are the same version of RHEL3 with the same control panel (Plesk). There was no default firewall loaded, and I'm sure apf is running because I can see all the rules when doing iptables -L. Cron is also working fine, and I even tried running the bfd script from a prompt with no luck.
Perhaps there is a way I could test if the ssh and ftp script is being executed by the bfd script correctly?
Thanks again for your reply
web1
Oct 21 2005, 06:01 PM
The bfd script simply loops through every rule in the directory, so if you stuck a new one in there it would use that one too.
The sshd rule seems to have several lines that deal with different things like "failed password for illegal user" or "Invalid", then it appends all the IPs it finds into a temp file and after it's done it then puts it all in the proper ending variable:
ARG_VAL=`cat $TMP/.sshd`
In most of the scripts you get a list like this (IPs to block):
54.43.45.65
65.54.43.23
34.54.65.78
Looking at /usr/local/bfd/rules/sshd
You see:
ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "failed password for illegal user" | grep -iwf $PATTERN_FILE | awk '{print$13":"$11}' | grep -E '[0-9]+' >> $TMP/.sshd`
So now you want to try each grep one at a time manually to see what it does:
cat /var/log/secure | grep sshd | grep -viw "error: Bind"
[ you get some lines printed ]
Those lines will be piped into the next commands:
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "failed password for illegal user"
[ you get some lines printed, this time only the ones with "failed password for illegal user" ]
Now, forget the $PATTERN_FILE part for now, if you are a real nerd you can figure out how to set that variable up. That's probably where you got the grep errors. You can go look at the pattern file yourself if you think that is causing problems.
So now do the whole thing:
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "failed password for illegal user" | awk '{print$13":"$11}' | grep -E '[0-9]+'
And you get the final result, an IP then a colon then the name of the illegal username tried.
If you see more than the limit number of errors for an IP then it should have triggered a block.
That's how you do it, a little at a time.
The sshd rule has three of these lines, you may have to try them all. The ftp rules seem to have only one line in them.
Your setup may be generating log files with a different output and so "failed password for illegal user" may not be the thing to look for, you have to look in the log and find out what it says. That's why I am showing you how to do a little at a time so you can see where it's having problems.
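The stage-by-stage check described in the post above, as an added example that is not part of the original thread or of BFD itself. The log lines are constructed, the function names are hypothetical, `grep -iw "failed password"` stands in for the `$PATTERN_FILE` stage, and the "more than the trigger" comparison follows the post's wording rather than BFD's source.

```shell
#!/bin/sh
# Added example: walk the sshd rule pipeline one stage at a time on a
# constructed log, then count hits per IP against a trigger value.

# Constructed sample of /var/log/secure (documentation IP ranges).
make_sample_log() {
cat <<'EOF'
Oct 21 22:00:01 web1 sshd[2100]: error: Bind to port 1719 on 0.0.0.0 failed: Address already in use.
Oct 21 22:01:10 web1 sshd[2101]: Failed password for root from ::ffff:192.0.2.10 port 40111 ssh2
Oct 21 22:01:12 web1 sshd[2102]: Failed password for root from ::ffff:192.0.2.10 port 40112 ssh2
Oct 21 22:01:14 web1 sshd[2103]: Failed password for root from ::ffff:192.0.2.10 port 40113 ssh2
Oct 21 22:01:16 web1 sshd[2104]: Failed password for root from ::ffff:192.0.2.10 port 40114 ssh2
Oct 21 22:01:18 web1 sshd[2105]: Failed password for root from ::ffff:192.0.2.10 port 40115 ssh2
Oct 21 22:01:20 web1 sshd[2106]: Failed password for root from ::ffff:192.0.2.10 port 40116 ssh2
Oct 21 22:02:30 web1 sshd[2108]: Accepted password for alice from 203.0.113.5 port 50022 ssh2
Oct 21 22:03:01 web1 sshd[2110]: Failed password for illegal user admin from 198.51.100.7 port 51500 ssh2
Oct 21 22:03:04 web1 sshd[2111]: Failed password for illegal user test from 198.51.100.7 port 51502 ssh2
Oct 21 22:04:00 web1 proftpd[2200]: web1 (198.51.100.7[198.51.100.7]) - USER bob (Login failed): Incorrect password.
EOF
}

# First stages from the thread: keep sshd lines, drop bind errors,
# strip the IPv4-mapped prefix so the address is a plain dotted quad.
sshd_lines() {
    grep sshd | grep -viw "error: Bind" | sed 's/::ffff://'
}

# Failed logins for existing accounts -> "IP:user" (fields 11 and 9).
# "failed password" is an assumed stand-in for the pattern file.
valid_user_failures() {
    sshd_lines | grep -vi "invalid" | grep -vi "illegal" \
        | grep -iw "failed password" \
        | awk '{print $11":"$9}' | grep -E '[0-9]+'
}

# Failed logins for unknown accounts -> "IP:user" (fields 13 and 11).
illegal_user_failures() {
    sshd_lines | grep -iw "failed password for illegal user" \
        | awk '{print $13":"$11}' | grep -E '[0-9]+'
}

# Read "IP:user" lines, print each IP seen more than $1 times.
# The strict ">" comparison is an assumption taken from the post.
over_trigger() {
    cut -d: -f1 | sort | uniq -c | awk -v t="$1" '$1 > t {print $2}'
}

TRIG=5   # sshd trigger value mentioned earlier in the thread

echo "== sshd lines after the first three stages =="
make_sample_log | sshd_lines
echo "== IP:user for valid-account failures =="
make_sample_log | valid_user_failures
echo "== IP:user for illegal-user failures =="
make_sample_log | illegal_user_failures
echo "== IPs over trigger ($TRIG) =="
make_sample_log | valid_user_failures | over_trigger "$TRIG"
```

If a stage prints nothing on a real log, compare the wording and field positions of the actual log lines with what that stage's grep and awk expect.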
dennys
Oct 21 2005, 10:13 PM
Again, thanks for going into such detail. Now I know how to try the scripts... These are my findings on the sshd rules:
The first of the grep lines:
CODE
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -vi "invalid" | grep -vi "illegal" | grep -iwf ../pattern.auth | awk '{print$11":"$9}' | grep -E '[0-9]+'
Returned over 10 lines of the IP I was trying from, plus a ":" and then user name "root"
I then tried the second line on the sshd script:
CODE
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "failed password for illegal user" | grep -iwf ../pattern.auth | awk '{print$13":"$11}' | grep -E '[0-9]+'
but it didn't return anything.
The third line:
CODE
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "Invalid" | grep -iwv "Failed password for illegal user" | grep -iwf ../pattern.auth | awk '{print$10":"$8}' | grep -E '[0-9]+'
also didn't return anything...
And the last one:
CODE
cat /var/log/secure | grep sshd | grep -viw "error: Bind" | sed 's/::ffff://' | grep -iw "Illegal user" | grep -iwv "Failed password for illegal user" | grep -iwf ../pattern.auth | awk '{print$10":"$8}' | grep -E '[0-9]+'
didn't return anything either...
I really don't know what to make of this, since the first line in fact returned the IP of the attacker, why isn't it being added to the deny_hosts.rules files?
Also ran the line from the proftpd rule:
CODE
cat /var/log/secure | grep -w proftpd | grep -iwf ../pattern.auth | tr '[]' ' ' | tr -d '()' | awk '{print$10" "$13}' | tr -d ':' | awk '{print$1":"$2}' | grep -E '[0-9]+'
and got the list of the offending IP : username.
I also went ahead and tried the command:
[root@web1 rules]# /usr/local/sbin/bfd -s
BFD version 0.9
Copyright © 1999-2004, R-fx Networks
Copyright © 2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
[root@web1 rules]#
Lastly, I tried all the above lines on the other server where bfd works fine, and got exactly the same results (line 1 returned IPs, line 2 through 4 nothing)
I'm really at a loss. Any other piece of advice you would like to share?
Thanks again
web1
Oct 22 2005, 04:49 AM
If you add a line in one of the rules files at or near the end it could write out to a file, that may help. (make a backup of the original)
echo $ARG_VAL >> my_log_file.txt
The trigger amount in each rule file should be set properly, is it set less than 10 ? It's in the area at the top of each rule where the variables are set like the log file location string.
You could also add a "echo" line into the actual bfd script, same as above or just a "I'm here" marker, but put it in the area where it sends the final command to apf, maybe it never gets there and placing some echo commands in other places may give you some idea of where it's failing.
In a lot of situations like this, I can get quite complicated in how I find a solution to a problem and I can spend a lot of time on details, but in the end, most of the time it's something basic and simple that was overlooked.
You could see how many lines contain the error line by just doing the more important grep(s) on the log file as a quick test, for example:
cat /var/log/secure | grep -iwv "Failed password for illegal user"
Oh, and in your tests if it returned 10 "violations" in one of the sshd things, then that would be 10 entries returned to bfd and should trigger if the amount is over what you have set in the other variable. The results sound correct with the IP, colon and username (on the sshd script, for email it's just a list of IPs).
I think you should stick to the ftp part for now (easier), get that working and the rest will probably fall in place.
dennys
Oct 22 2005, 09:40 PM
I added the echo line you mentioned before the fi line in the proftpd rule, and it doesn't write anything to the log file my_log_file.txt. I also added echo lines at the beginning of each procedure on the bfd script, and I can see it runs the pre() and apool_rgen() [never runs get_state()]. Also added an echo line "checking" on the check() procedure after line 158, and it never shows, so this part of the script is not running?? I think this could be the problem ? Now, how to fix it?
EDIT: I uninstalled bfd, and reinstalled it, and now the rule for proftpd is working fine. Its banning IPs like it should, however, it's not doing it for the sshd rule. Could it be because I'm running sshd on another port other than 22?
Or, maybe because once it bans an IP via a rule, then it doesn't ban it again if it applies to another rule (sshd) ?
Thanks
web1
Oct 22 2005, 10:48 PM
That's funny. Like I said it's always something simple. Glad it started working on the reinstall.
Yes, once it sees that a IP is already banned (I think in apf's list) it will not do it again, so you have to remove that IP from the list.. If you look over the bfd script, it's really not all that complicated if you do a general overview of it, you can see where it looks in the banned list before it bothers sending a command to apf. I think the rule script has to run anyway, how else will it get the IP? So that should show you the IPs anyway, just that bfd won't report it to apf.
You know how this works, it searches through the log file for keywords, so it shouldn't care about what port ssh is running on.
I always feel better knowing how all this works since I have to manage the box. The one thing I don't like is mod_security. After reading the manual on it I still don't get it, but I have to learn some of it because I have to manage it and will probably find something that I have to change to keep one of my users happy.
I hope it all ends up working, it sounds good so far.
drhiii
Jan 17 2006, 02:20 AM
It's been a couple of months since the last response, but will give it a go anyway.
I've installed APF on redhat servers, from 7.* to 8.*. Works well. Have tried to install onto a Fedora Core 4 and have wrestled with APF for many days. It loads, does not complain, and I see attacks posted to /var/log/messages. /var/log/apf_log shows apf loading everything, and there are no errors. But I do not see any attacks appended to /var/log/apf_log as I do on every other server before tho I see them show up in /var/log/messages. I also do not see anything added to iptables.
Have read many posts, have tried to walk through the code to see what may be happening. apf -d "Ipaddr" does append to the /var/log/apf_log but shouldn't I see the ipaddr in iptables --list ??
I've reinstalled several times. Tweaked up all kinds of settings. Gone backwards a version (am using current as of 1-16-06). It always adds to /var/log/messages but does not append to /var/log/apf_log and of course, nothing shows up in iptables.
Anyway, can anyone lend a hand with this? I will supply whatever info... but would like to figure this out if anyone can pitch in. I'd add all the things done but felt it best to wait for a direct question first.
rfxn
Jan 17 2006, 02:45 AM
iptables --list will show addresses in FQDN format - you need to do the list with:
iptables --list --numeric
to see the ip's in numeric fashion as options imply, or apf -l does similar.
drhiii
Jan 17 2006, 03:26 AM
Thank you for this response. It is a relief to find where apf'rs hang. Very cool app.
This makes sense, I ran the first command and did locate the IP that was added via the apf -d command. Cool.
But IPs are not being added after APF is run. As mentioned, I have this working on a couple other Redhat installs, but it fails on FC4. In /var/log/messages I see lines like:
kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:30:48:55:f2:10:00:04:dd:fc:75:20:08:00 SRC=61.156.238.238 DST=192.xxx.xxx.xxx LEN=486 TOS=0x08 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=39744 DPT=1027 LEN=466
but nothing is appended to /var/log/apf_log, and iptables does not reflect the 'attack' either.
Any thoughts where to start? I've applied a lot of elbow grease trying to understand why... am stuck.
QUOTE (rfxn)
iptables --list will show addresses in FQDN format - you need to do the list with:
iptables --list --numeric
to see the ip's in numeric fashion as options imply, or apf -l does similar.
Daghan
Jan 17 2006, 11:47 AM
Can I limit connection/sec? I want only one connection in 1 sec.
I saw an iptables command for this before, but I'm not sure it works.
troyoz
Jan 19 2006, 01:03 AM
What does this mean when I start my firewall - have I done something wrong?
Stopping APF: [ OK ]
Starting APF:iptables v1.2.11: host/network `209.177.110.4-cust.idyia.net' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `209.177.110.4-cust.idyia.net' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `host-85-159-105-182.dol.sk' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `host-85-159-105-182.dol.sk' not found
Try `iptables -h' or 'iptables --help' for more information.
[ OK ]
freddo
Jan 19 2006, 01:37 AM
You're using an old version of APF that banned hostnames instead of IPs. Those hostnames are no longer valid. You'd be advised to clear them out as they make rebooting the server a longer process.
troyoz
Jan 19 2006, 01:43 AM
Actually I am using the latest from their website, so I am confused by your statement. I only downloaded the latest version a week ago, so have I done something wrong when I ran ./install.sh?
troyoz
Jan 19 2006, 01:47 AM
The version I am using is
apf-0.9.6-1 on a CentOS system with Ensim 4.1
Catalyst
Jan 19 2006, 04:59 AM
Delete
CODE
209.177.110.4-cust.idyia.net
209.177.110.4-cust.idyia.net
host-85-159-105-182.dol.sk
host-85-159-105-182.dol.sk
from the deny file in /etc/apf/.
troyoz
Jan 19 2006, 06:27 AM
Thanks so much. Simple when you know what to look for. That fixed the problem.
Ingres
Jan 19 2006, 12:26 PM
Hello,
I just installed the legendary APF firewall software easily, without a hassle and without any error.
I edited conf.php with Nano as described in
http://www.eth0.us/apf
But when I try to start it I get this
CODE
root@myserver [~]# /usr/local/sbin/apf --start
/usr/local/sbin/apf: line 438: :q: command not found
/usr/local/sbin/apf: line 442: :qkbkb:q: command not found
/etc/apf/vnet/vnetgen: line 438: :q: command not found
/etc/apf/vnet/vnetgen: line 442: :qkbkb:q: command not found
/etc/apf/firewall: line 438: :q: command not found
/etc/apf/firewall: line 442: :qkbkb:q: command not found
Development mode enabled!; firewall will flush every 5 minutes.
/etc/apf/firewall: line 438: :q: command not found
/etc/apf/firewall: line 442: :qkbkb:q: command not found
What should I do then?
Best Regards
Ingres
Catalyst
Jan 19 2006, 12:33 PM
Pull all the :q:qq:'s out of your conf file. CTRL-X / Y exits and saves in Nano.
Ingres
Jan 19 2006, 12:51 PM
QUOTE (Catalyst)
Pull all the :q:qq:'s out of your conf file. CTRL-X / Y exits and saves in Nano.
Can I reinstall APF or do I need to uninstall first? If so how can I uninstall it?
Thanks in advance
Edit: I removed the :q's and APF seems working thanks. But still consider to reinstall
Catalyst
Jan 19 2006, 02:35 PM
If you reinstall, it makes a backup in /etc/apf.bk.last. Go for it.
drhiii
Jan 20 2006, 02:52 AM
Bump....
QUOTE (drhiii)
Thank you for this response. It is a relief to find where apf'rs hang. Very cool app.
This makes sense, I ran the first command and did locate the IP that was added via the apf -d command. Cool.
But IPs are not being added after APF is run. As mentioned, I have this working on a couple other Redhat installs, but it fails on FC4. In /var/log/messages I see lines like:
kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:30:48:55:f2:10:00:04:dd:fc:75:20:08:00 SRC=61.156.238.238 DST=192.xxx.xxx.xxx LEN=486 TOS=0x08 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=39744 DPT=1027 LEN=466
but nothing is appended to /var/log/apf_log, and iptables does not reflect the 'attack' either.
Any thoughts where to start? I've applied a lot of elbow grease trying to understand why... am stuck.
Jeff
Jan 20 2006, 03:42 AM
Just installed APF on new VPS. Everything seems fine, except now command line whois is not working.
# whois google.com
[Querying whois.internic.net]
And stalls.
Turn off APF, and works great.
What am I missing?
Egress filtering is off.
Jeff
Jan 20 2006, 01:39 PM
OK, when I start APF I get on my virtuozzo vps account I now get:
CODE
Starting APF:iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
[ OK ]
This is on a virtuozzo vps with numiptent at 500 (using 314) and the following modules activated:
CODE
IPTABLES_MODULES=" ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_tcpmss ipt_ttl ipt_LOG ipt_length
ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_tcpmss ipt_TCPMSS
ipt_multiport ipt_REDIRECT"
Everything works normally, except:
command line 'whois'
(ping and traceroute work for example fine.)
and
/usr/local/cpanel/cpkeyclt can't connect with APF running
CODE
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,25,43,53,80,110,143,443,465,873,993,995,1025,2083,2089,2095,2096,21,4643"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,43,53,465,873,33434_33523,21,2089"
EGF="0"
(note spaces added by vbulletin, not in conf.apf)
Nothing is logged to /var/log/messages when either whois or cpkeyclt is blocked by APF. But the moment I turn APF off, they both work fine.
Anybody have any ideas, please
Jeff
Jan 20 2006, 04:08 PM
Hmmm... worse than I thought. It seems with APF running mail is not going out from the vps either (timeout errors.) Turn it off, and all works.
So for some reason APF does seem to be egress filtering even though EGF="0"
I suppose the "No chain/target/match" errors must be the root of my problem? Is there a way to log exactly what those are? Or suggestions for getting APF to run properly on a virtuozzo vps?
Jeff
Jan 23 2006, 08:11 PM
As a followup, EV1 support sorted this out for me. The required modules had been enabled for my vps account, but had not been properly configured on the hardware node. Once that was completed, APF is up and running without error. Thank you to EV1 support for solving this issue - you guys are awesome!
rndinit0
Jan 26 2006, 08:46 AM
QUOTE (kamihacker)
yes and it works
it only needs a special treatment for the init.d script that has a different location to the standard RHEL path, so you'll have to work your way manually with update-rc.d to install your @ boot script
other than that, it works
Could anyone elaborate on how this could be done using update-rc.d ?
frshtrx
Apr 16 2006, 05:25 PM
just fyi- I've searched thread for "19368" to see if I could find the issue in this huge thread...no luck
So, I believed I previously installed 8.7.
Today, I almost definitely installed 9.6, but not sure because
[root@x apf]# rpm apf -q
apf-0.8.7-1
how do I know which version is running?
Also, now when I go to use the appliance web admin for any of the ensim control panels they won't show.
What line / what ports do I need to open for this? I added "19368" to
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,19368,6000_7000"
but no luck (yes, I restarted firewall, apf -r)
thank you
rfxn
Apr 16 2006, 05:49 PM
CODE
/etc/init.d/apf stop
rpm -e apf
rm -rf /etc/apf
wget r-fx.ca/downloads/apf-current.tar.gz
tar xvfz apf-current.tar.gz
cd apf-0.9*
./install.sh
Looks like you got the rpm version of apf installed which is Very old and not really supported by anyone. We recommend you use the current version accessible from the
http://www.r-fx.ca/ website at anytime.
frshtrx
Apr 17 2006, 11:27 AM
hi -
Thanks for above. I actually did the "wget" bit and that's why the old version showed when I rpm - q... because the "wget" line doesn't get an rpm. I was actually good to go but couldn't tell (another question - what command name shows for apf if you #ps aucx?)
Anyways - about the blocked control panel. Firewall is working fine, so good I can't use the web interface at
https://(MYIP#)132.321.321.123:19638/webhost/
so what port/ config line to open up that access?
443? what protocol line in conf.apf?
thanks
rf33
Apr 17 2006, 02:03 PM
Anyways - about the blocked control panel. Firewall is working fine, so good I can't use the web interface at
https://(MYIP#)132.321.321.123:19638/webhost/
The port that you are trying to access is 19638. The number after the colon in a URL is always the port.
DomineauX
Apr 17 2006, 02:20 PM
Looks like you have your ports wrong:
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,19368,60 00_7000"
Notice how you have 19368 listed to be open? You need to edit that to say 19638 instead for Ensim to be reachable through the firewall.
Also, APF will not show in ps aucx as it is a script for loading rules into iptables instead of a running daemon or service.
frshtrx
Apr 17 2006, 02:50 PM
fix:
in apf.conf add port 19638 to inbound TCP ports:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000,19638"
two dumb-@#!@#!@#! ways to *not* fix the problem:
1 - add the port in the commented example line, save, restart apf.
2 - act like a dyslexic person and use 19368 instead of 19638.
Thanks to those for looking and helping.
DomineauX
Apr 17 2006, 05:04 PM
Glad to have helped you get it working. Don't feel bad, half the time I get the port for ensim right, and half the time... well, I have to redo it. lol
DomineauX
Apr 17 2006, 05:04 PM
By the way, I just noticed that your ports include:
6000_700 0
which should likely be:
6000_7000
frshtrx
Apr 17 2006, 05:16 PM
thanks, but no worries! (Actually I just fat-fingered it on the discussion board, but I did check the actual file just in case, all good.)
darn carpal tunnel braces!
aj1964
Apr 18 2006, 03:20 AM
Well, I think I have successfully installed and set up apf.
Just a couple of questions:
how can I tell if it's running or not?
does apf block IP's automatically, and if so where are they stored? (same question for antidos)
is there anywhere I can get a list of 'bad' IP's or does apf already do this?
thanks alot
aj
Doobla
Apr 18 2006, 03:25 AM
QUOTE (aj1964)
how can I tell if it's running or not?
I've often wondered this myself. If you find out let me know.
QUOTE
does apf block IP's automatically, and if so where are they stored? (same question for antidos)
apf does not block ip's automatically except that there are configuration options to block private or reserved IP's, or to use the DShield list, etc. AntiDoS will auto block IP's by adding them (with comments) to APF's deny_hosts.rules file found in /etc/apf. Same with BFD and other plugins for APF.
QUOTE
is there anywhere I can get a list of 'bad' IP's or does apf already do this?
thanks alot
aj
Well, there are certain known lists such as DShield that are built in, but in general if you want IP's blocked then you either need AD, BFD or similar, or just add them yourself.
aj1964
Apr 18 2006, 03:52 AM
hey thanks for your reply
i think i enabled DShield, and have just installed ad and bfd.
hmm i wonder how can you tell if a bfd or ad are working either
markmotive
Apr 19 2006, 07:34 PM
hi, i'm not sure if this is the right thread but I am sure that you can help me guys, here's my issue -->
-----------------------
Sending of email from lunaparksydney.com server into itself email account is not sending, its like not recognizing or not allowing to do it.
I've made a simple php mail() script in
http://lunaparksydney.com/sendmail.php that sends out email automatically into lunapark email accounts (sales@lunaparksydney.com &
jbrown@lunaparksydney.com) and (mark@motivemedia.com.au), but still no email received from those lunaparksydney.com accounts except from my
mark@motivemedia.com.au
If you have an idea whats causing this, please let us know as soon as possible.
thanks,
Mark
-----------------------
I'm just going to add some more information in on behalf of my colleague.
We purchased a new server from you in late January. The web site was on our old EV1 server. We didn't have problems on the old server but NOW HAVE PROBLEMS ON THE NEW SERVER.
All enquiry forms on the web site lunaparksydney.com should be sending emails to
sales@lunaparksydney.com. The MX record for all emails is kept with a third party, NOT on the EV1 server or with EV1. The EV1 server does not host the email. Therefore the enquiry forms should be sending out to those email addresses.
We have changed the enquiry forms to send to
katrina@motivemedia.com.au, for example, and can receive the forms perfectly. So the enquiry forms are working perfectly. The code is correct. The old server worked perfectly. The new server is the problem.
Lunaparksydney are not receiving any emails from the web site. They have checked their mail logs and no attempt has been made.
This would indicate that the server is sending the enquiry results back to itself RATHER THAN SENDING THEM OUT.
We have been told by a server admin that there is a function in plesk to send mailout off-site but can't find anything in the version that we have.
We have checked the forums and read
http://forum.ev1servers.net/showthread.php?p=380436 but this has not fixed our problem.
We didn't have this problem on our other Ev1 server and the problem has only arisen with the new server.
We've been working on this problem for a week and haven't been able to resolve. I'm hoping that you can make a suggestion or look into the server to see if it is having problems sending email out.
Thank you,
Katrina