Full Version: Official APF thread - updates/issues/comments
The Planet Forums > Security > General Security
Mahmoud
QUOTE
Originally posted by rfxn
set DROP_IF to zero (0) in conf.antidos to prevent this; to fix IP's that are dropped on cpanel, simply do:
/etc/init.d/ipaliases restart


A few suggestions:
1. What about a deny_drop.rules
where we can list the IPs that cannot be dropped? Example: the nameservers and main server IP.

2. The Firewall can add the IP back again after XX minutes.
Netwerk
What is the correct format of /etc/apf/ad/ignore ?

I'd like to make sure antidos won't lock me out. Thus, I need to add my IP to this file, right? Say my IP is 123.45.67.89; then /etc/apf/ad/ignore should contain:

8192
8080
1080
113
123.45.67.89

?

I'm a little confused because the four numbers that are in the ignore-file look like port-numbers and I'm looking to ignore an IP. Thanks in advance, great project!
rfxn
The ignore file is string-match based. You can put ports or IPs in it, or any other string context logged by netfilter to the kernel (e.g. MAC address).
Netwerk
Ok, thanks! So, this means that with the above ignore-file all IP-addresses with 113 in it will also be ignored. That's a small vulnerability then.
rfxn
String match is explicit; the whole string must match, not portions. Only port 113 will be ignored, not 202.3.113.4.
Netwerk
Nicely programmed!
MindLash
rfxn,

This is a great script my man. :-) Good job, and thank you for some of the one-on-one PM help. :-)

If I know of an attacking IP, let's say, attacking vulnerabilities in Apache that doesn't get picked up by your script (because it's normal activity, just overly excessive)... how could I 'easily' add this IP to be dropped?

As well, how could I 'easily' remove an IP (without placing it in the ignore files)?

Possibly a command line: apfdrop 1.2.3.4 or apfclear 2.3.4.5 ... or something like that?

Thanks :-)

-- Mindlash
daveman692
Add it to deny_hosts.rules
rfxn
yup just add/remove entries from the trust rules; this is better explained in the APF readme file.
wise1
edited:

Something is not right here; why is this?

iptables v1.2.5: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Okay, I think I have set up the firewall ok, but after running a port scan it tells me that all my ports are open, I think.

I am using AA tools to run the scan.

But it brings up hundreds of open ports and potential problems this will cause. I ran apf -status and it claims to have opened only those ports that I asked.

I also ran apf -start so I can't see why it would not be working?

Any ideas.

I have posted an image of the port scan here

http://www.wise1host.com/test.html

Might take a few minutes to become visible.

any help appreciated
rfxn
Did you set DEVM="0" on conf.apf ?
wise1
no I set it to 1 as stated so that I could get back in again after a few minutes should things go wrong.
rfxn
Right

Well, what that feature does is tell the firewall to 'unload' itself after 5 minutes, so that if you lock yourself out you can get back in. So obviously with the firewall up a full portscan would take over 5 minutes (way over). So once that 5 minutes passes all the ports open and your scanner will end almost right after.

I'd recommend, if everything is working fine, to run your portscan after you set DEVM="0" and restart APF (/etc/init.d/apf restart).
wise1
Okay I changed it and it seems to be working.

It lets me access all areas. When I FTP I can't use passive mode, but I believe this is normal and indicates a firewall is running.

When I run a port scan it shows only the TCP ports that should be open, i.e. 21... funny though, port 20 is open but it does not show?

The only port (UDP) that should be open is 53, yet every single UDP port is open. Is that normal?

Final one:

When I ping my server it says unreachable every second or so rather than the normal detail. Is there another port that should be open to allow ping, or should this be closed as well ideally?

Apart from that I think I am up and running.

I am still getting error messages all over the place when I restart though.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
wise1
Okay, I looked at my kernel and it was well out of date so I updated it and ran apf again, not as many errors but these still come up. Any ideas.

Try `iptables -h' or 'iptables --help' for more information.
APF 0.8.6 [apf@r-fx.net]
usage /usr/sbin/apf: [-s|-f|-l|-st|-r|-h]
root@typhoon [/etc/apf]# apf -r
/usr/sbin/apf: Set: command not found
/usr/sbin/apf: ICMP: command not found
/usr/sbin/apf: Packets: command not found
Bad argument `snort'
Try `iptables -h' or 'iptables --help' for more information.
/usr/sbin/apf: Set: command not found
/usr/sbin/apf: ICMP: command not found
/usr/sbin/apf: Packets: command not found
Bad argument `snort'
Try `iptables -h' or 'iptables --help' for more information.
/usr/sbin/apf: Set: command not found
/usr/sbin/apf: ICMP: command not found
/usr/sbin/apf: Packets: command not found
Bad argument `snort'
Try `iptables -h' or 'iptables --help' for more information.
/etc/apf/vnet/vnetgen: Set: command not found
/etc/apf/vnet/vnetgen: ICMP: command not found
/etc/apf/vnet/vnetgen: Packets: command not found
Bad argument `snort'
Try `iptables -h' or 'iptables --help' for more information.
/etc/apf/firewall: Set: command not found
/etc/apf/firewall: ICMP: command not found
/etc/apf/firewall: Packets: command not found
Bad argument `snort'
Try `iptables -h' or 'iptables --help' for more information.
APF - [06/23/03 21:36:30]: Loading allow_hosts.rules
rfxn
OK, first off: why don't you tell us something about your system so we know where these errors are coming from; you're throwing us into a needle-in-a-haystack scenario.

What kernel version, what distro release, is your PATH export setup properly ?
wise1
kernel-2.4.20-18.7

apf 0.8.6

Is your path export set up properly??? Don't know.
wise1
Okay after I updated Kernel and recompiled apache I ran apf again and there were no error messages just this:

APF - [06/23/03 22:18:13]: Loading allow_hosts.rules
rfxn
Delete APF:
rpm -e apf
rm -rf /etc/apf

And install:
http://www.r-fx.net/downloads/apf-0.8.7.tar.gz

Be sure to read the docs and also check internals.conf to verify the path to iptables.
TOS-Steve
Why does iptables -L show this after starting apf? These are some big blocks being blocked.

DROP all -- 1.0.0.0/8 anywhere
DROP all -- 2.0.0.0/8 anywhere
DROP all -- 5.0.0.0/8 anywhere
DROP all -- 7.0.0.0/8 anywhere
DROP all -- 23.0.0.0/8 anywhere
DROP all -- 27.0.0.0/8 anywhere
DROP all -- 31.0.0.0/8 anywhere
DROP all -- 36.0.0.0/8 anywhere
DROP all -- 37.0.0.0/8 anywhere
DROP all -- 39.0.0.0/8 anywhere
DROP all -- 41.0.0.0/8 anywhere
DROP all -- 42.0.0.0/8 anywhere
DROP all -- 58.0.0.0/8 anywhere
DROP all -- 59.0.0.0/8 anywhere
DROP all -- 60.0.0.0/8 anywhere
DROP all -- 70.0.0.0/8 anywhere
DROP all -- 71.0.0.0/8 anywhere
DROP all -- 72.0.0.0/8 anywhere
DROP all -- 73.0.0.0/8 anywhere
DROP all -- 74.0.0.0/8 anywhere
DROP all -- 75.0.0.0/8 anywhere
DROP all -- 76.0.0.0/8 anywhere
DROP all -- 77.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 79.0.0.0/8 anywhere
DROP all -- 83.0.0.0/8 anywhere
DROP all -- 84.0.0.0/8 anywhere
DROP all -- 85.0.0.0/8 anywhere
DROP all -- 86.0.0.0/8 anywhere
DROP all -- 87.0.0.0/8 anywhere
DROP all -- 88.0.0.0/8 anywhere
DROP all -- 89.0.0.0/8 anywhere
DROP all -- 90.0.0.0/8 anywhere
DROP all -- 91.0.0.0/8 anywhere
DROP all -- 92.0.0.0/8 anywhere
DROP all -- 93.0.0.0/8 anywhere
DROP all -- 94.0.0.0/8 anywhere
DROP all -- 95.0.0.0/8 anywhere
DROP all -- 96.0.0.0/8 anywhere
DROP all -- 97.0.0.0/8 anywhere
DROP all -- 98.0.0.0/8 anywhere
DROP all -- 99.0.0.0/8 anywhere
DROP all -- 100.0.0.0/8 anywhere
DROP all -- 101.0.0.0/8 anywhere
DROP all -- 102.0.0.0/8 anywhere
DROP all -- 103.0.0.0/8 anywhere
DROP all -- 104.0.0.0/8 anywhere
DROP all -- 105.0.0.0/8 anywhere
DROP all -- 106.0.0.0/8 anywhere
DROP all -- 107.0.0.0/8 anywhere
DROP all -- 108.0.0.0/8 anywhere
DROP all -- 109.0.0.0/8 anywhere
DROP all -- 110.0.0.0/8 anywhere
DROP all -- 111.0.0.0/8 anywhere
DROP all -- 112.0.0.0/8 anywhere
DROP all -- 113.0.0.0/8 anywhere
DROP all -- 114.0.0.0/8 anywhere
DROP all -- 115.0.0.0/8 anywhere
DROP all -- 116.0.0.0/8 anywhere
DROP all -- 117.0.0.0/8 anywhere
DROP all -- 118.0.0.0/8 anywhere
DROP all -- 119.0.0.0/8 anywhere
DROP all -- 120.0.0.0/8 anywhere
DROP all -- 121.0.0.0/8 anywhere
DROP all -- 122.0.0.0/8 anywhere
DROP all -- 123.0.0.0/8 anywhere
DROP all -- 124.0.0.0/8 anywhere
DROP all -- 124.0.0.0/8 anywhere
DROP all -- 125.0.0.0/8 anywhere
DROP all -- 126.0.0.0/8 anywhere
DROP all -- 128.66.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 197.0.0.0/8 anywhere
DROP all -- 221.0.0.0/8 anywhere
DROP all -- 222.0.0.0/8 anywhere
DROP all -- 223.0.0.0/8 anywhere
DROP all -- 240.0.0.0/4 anywhere
daveman692
I ran into a problem before of someone being on one of the 80 blocks.
kris1351
Has anyone come up with official minimal lists for each control panel? I would be interested in the minimum for Cpanel specifically. I think there are ports open that I don't need at the moment.
TOS-Steve
No one???
daveman692
QUOTE
Originally posted by kris1351
Has anyone come up with official minimal lists for each control panel? I would be interested in the minimum for Cpanel specifically. I think there are ports open that I don't need at the moment.

It depends what service you offer. This is my list

21 - ftp
22 - ssh
80 - apache
147 - apache ssl
2083 - https cpanel
2087 - https whm
8081 - urchin
null
Urgent!

I added new ip address to deny.host.rules

Then stopped APF. But when did

service apf start

It hangs there and won't start. It just happened in a few seconds, because I restarted apf 40 sec before.

Does anybody know what can be a problem?

Thanks
doug357
Disable DShield (USE_DS="0" in conf.apf); the http://feeds.dshield.org/block.txt URL is down, so it is hanging trying to update the DShield list.

I disabled it temporarily to avoid the lag, until the URL is up again.
null
thank you
kris1351
This seems to work as minimal on Cpanel:

# Common TCP Ports
TCP_CPORTS="20,21,22,25,53,80,110,147,443,2082,2083,2086,2087,2095"

# Common UDP Ports
UDP_CPORTS="53"
soupn
Hi,

I get tons of these messages daily in /var/log/maillog

QUOTE
Jun 25 16:09:35 server sendmail[8137]: h5PG9ZP08137: ruleset=check_rcpt, arg1=, relay=[65.170.79.17], reject=450 4.7.1 ... Relaying temporarily denied. Cannot resolve PTR record for 65.170.79.17
Jun 25 16:09:35 server sendmail[8137]: h5PG9ZP08137: from=, size=1596, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[65.170.79.17]


Is there a way I can block these attempts?
null
to block those ip addresses, open

/etc/apf/deny_hosts.rules

and write there

in:d=25:s=ip_address

This will block port 25 for that ip address.

in:d=25:s=65.170.79.0/24 will block all ips from 65.170.79.0 to 65.170.79.255
soupn
Thanks for the help.

Can i do this:
in:d=25:s=www.opinionsurveys.com
in:d=25:s=www.simflight.net

or must it be an ip?
Mahmoud
QUOTE
Originally posted by doug357
Disable DShield (USE_DS="0" in conf.apf); the http://feeds.dshield.org/block.txt URL is down, so it is hanging trying to update the DShield list.

I disabled it temporarily to avoid the lag, until the URL is up again.


It's up now.
punch54
New RS/APF user here - hello icon_smile.gif

I thought the script was meant to create an entry in /etc/cron/run.hourly? I just checked there (after a successful install of APF) and it's empty? What's going on? Are we meant to create the cron job ourselves?
booger
The latest versions restart daily.
rfxn
Download: http://www.r-fx.net/downloads/apf-current.tar.gz
Homepage: http://www.r-fx.net/apf.php

Changes in 0.8.7:
[Fix] fixed ml() in main firewall script to properly exit on failed module loads
[Change] added comments to conf.apf and README regarding ipt_string.o module
[Fix] fixed stdout redirect for trust files to log file
[Change] removed stdout null output redirect for init script; show fatal errors
[Change] exported misc. conf.apf vars to internals.conf
[Fix] fixed ident check routine
[Change] revised dshield url parser routine
[New] added best-match ip whois for ARIN,RIPE,APNIC, & LACNIC to antidos script
[Fix] modified PREV var placement in antidos to fix looped ip checks
[Change] moved certain temp file creation from /tmp to install path
[New] added src ip/8 comparison to antidos; filter same network attacks quicker
[Fix] DROP_IF function in antidos not ignoring eth0
[Change] modified logging rate limit from 10/minute to 25 for TCP/UDP DROP
[New] noncrit.ports file to ignore IF drops based on destination port; antidos
[New] src port/dst port logging for antidos events log
[Fix] dropped interface log event not being sent with usr email; antidos
[Fix] ignore FTP (pasv.) false positives for snort portscan log; antidos
[New] ROUTE_REJ ignore routine if SRC attacker equals eth0 IP
[New] config var for tcp/udp drop log chain toggling
[Fix] suppressed main.vnet error output if no aliased ip's found
[Fix] corrected source include path for main.vnet dynamic entries
graziano
rfxn


I installed your firewall yesterday, and I love it.
It works fine.
Really good job!!
norm1153
Greetings!

I installed the latest version this evening on a new server. when I issue "apf -restart" I get this error message: "/etc/apf/vnet/*.rules No such file or directory."

However the vnet directory does exist. Is this an installation problem, or can I safely ignore it?

Thanks,
Norm
Erwin
Great!

RPM version out soon? I'm just used to upgrading with them, that's all.
rfxn
norm1153; what version 0.8.6 or .7 ?

And yes i informed gpan of the new release tonight; probably in a few days *shrugs*
KenZo
Hello all,

APF [antidos] log:
06/28/03 11:20:03: Packet rate exceeded for 217.128.74.237 -> myip
06/28/03 11:20:03: 217.128.74.237 -> myip (DROPPED)

Event logs:
Jun 28 11:19:44 217.128.74.237:1574 -> myip:34924 SYN ******S*
Jun 28 11:19:45 217.128.74.237:1576 -> myip:34925 SYN ******S*
Jun 28 11:19:45 217.128.74.237:1577 -> myip:80 SYN ******S*
Jun 28 11:19:46 217.128.74.237:1578 -> myip:34926 SYN ******S*
Jun 28 11:19:47 217.128.74.237:1579 -> myip:34927 SYN ******S*
Jun 28 11:19:49 217.128.74.237:1580 -> myip:34928 SYN ******S*

I got this mail from antidos, but each time like that I had to reboot my server. Can you give me some advice for avoiding this problem, please? Or what should I do?

Thanks a lot for your advice.

NT
Mahmoud
QUOTE
Originally posted by KenZo
Hello all,  

APF [antidos] log:
06/28/03 11:20:03: Packet rate exceeded for 217.128.74.237 -> myip
06/28/03 11:20:03: 217.128.74.237 -> myip (DROPPED)

Event logs:
Jun 28 11:19:44 217.128.74.237:1574 -> myip:34924 SYN ******S*  
Jun 28 11:19:45 217.128.74.237:1576 -> myip:34925 SYN ******S*  
Jun 28 11:19:45 217.128.74.237:1577 -> myip:80 SYN ******S*  
Jun 28 11:19:46 217.128.74.237:1578 -> myip:34926 SYN ******S*  
Jun 28 11:19:47 217.128.74.237:1579 -> myip:34927 SYN ******S*  
Jun 28 11:19:49 217.128.74.237:1580 -> myip:34928 SYN ******S*

I got this mail from antidos, but each time like that I had to reboot my server. Can you give me some advice for avoiding this problem, please? Or what should I do?

Thanks a lot for your advice.

NT


Did you turn on DROP_IF?
If yes:

If you do not want APF to drop your server IPs:
QUOTE
set DROP_IF to zero (0) in conf.antidos to prevent this and restart APF.

To restore Dropped IPs in CPanel do:
QUOTE
/etc/init.d/ipaliases restart
KenZo
Thanks for your answer
almogeh
Can anyone post installation instructions for the tar version (for the newbies among us?)
davl
almogeh, I think it should work:

wget http://www.r-fx.net/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.8.7
sh ./install.sh
davl
How can I compile ipt_string into kernel to use [IPT Snort]?

I don't have it: ls: /lib/modules/2.4.18-4.7.x/kernel/net/ipv4/netfilter/ipt_string.o: No such file or directory


Thanks.
almogeh
Thanks! I did that but when I try to start the firewall I get this error:
"Unable to load iptables module (ipt_string), aborting."

It worked fine with 0.8.6 RPM... any ideas?

Update: it works fine as long as I don't enable snort.
So my question is the same as davl's...
rfxn
QUOTE
Originally posted by almogeh
Thanks! I did that but when I try to start the firewall I get this error:
"Unable to load iptables module (ipt_string), aborting."

It worked fine with 0.8.6 RPM... any ideas?

Update: it works fine as long as I don't enable snort.
So my question is the same as davl's...


Actually it did not work fine in .6; there was just a bug that prevented .6 from exiting on bad module insertions ;P

Anyone using antidos SHOULD BE using version 0.8.7. If you're running anything else and using antidos, upgrade now.
BradStL
I have apf 8.7 installed. Can anyone explain in detail how I could limit ports 21, 22, 2087 to only accept from my static IP address?
Thanks.
New at all this.
Mahmoud
QUOTE
Originally posted by almogeh
Thanks! I did that but when I try to start the firewall I get this error:
"Unable to load iptables module (ipt_string), aborting."

It worked fine with 0.8.6 RPM... any ideas?

Update: it works fine as long as I don't enable snort.
So my question is the same as davl's...


I can see an increase in the Administrative issue enclosed emails using 0.8.7

How can I remove an old RPM without removing the current APF?

I found that I have the RPM of APF 0.8.4 installed although I am using 0.8.7 (I installed it using the install.sh)
rfxn
QUOTE
Originally posted by BradStL
I have apf 8.7 installed. Can anyone explain in detail how I could limit ports 21, 22, 2087 to only accept from my static IP address?
Thanks.
New at all this.


First i recommend you set DEVM="1" in conf.apf for the purpose of testing the below; set to 0 again once things are running as desired.

Remove ports 21,22,2087 from /etc/apf/conf.apf (TCP_CPORTS line).

Then add to /etc/apf/allow_hosts.rules , the following (replace 1.1.1.1 with your static ip):
in:d=21:s=1.1.1.1
in:d=22:s=1.1.1.1
in:d=2087:s=1.1.1.1

And restart APF ; /etc/init.d/apf restart
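The rule lines used in this thread (null's "in:d=25:s=65.170.79.0/24" for deny_hosts.rules and rfxn's "in:d=22:s=1.1.1.1" for allow_hosts.rules above) share one syntax, and rfxn's answer carries a check worth automating: an allow rule for a port is pointless while TCP_CPORTS still opens that port to everyone. The following is an added example written for this thread, not APF's own rule loader. It parses both plain address lines and "in:d=PORT:s=SOURCE" lines, renders them as iptables argument vectors without executing anything, and reports ports that remain world-open. Assumptions made here and not stated in the thread: d= is treated as a TCP destination port, IPv4 only, and a hostname in s= (soupn's question above) is rejected so a rule never depends on DNS at firewall load time; the sample files and port lists are constructed.

```python
"""Dry-run parser for APF-style allow/deny host rules.
Hypothetical helper written for this forum thread; not APF's own code."""
import ipaddress
from typing import List, Optional


class Rule:
    """One entry: a source network, an optional TCP destination port, and a direction."""

    def __init__(self, source, dport: Optional[int], direction: str):
        self.source = source          # ipaddress network object
        self.dport = dport            # None means all ports
        self.direction = direction    # "in" or "out"


def parse_source(text: str):
    # Only an address or CIDR is accepted; a hostname raises ValueError (this example's
    # choice), so a rule can never silently depend on DNS resolution at load time.
    return ipaddress.ip_network(text, strict=False)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or 'in:d=PORT:s=SOURCE'; comments and blanks give None.
    IPv4 only: the ':' separator used by the rule syntax collides with IPv6 notation."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if ":" not in line:                       # plain line: all traffic from that source
        return Rule(parse_source(line), None, "in")
    fields = line.split(":")
    direction = fields[0]
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r} in {line!r}")
    dport, source = None, None
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key == "d":
            dport = int(value)
            if not 0 < dport < 65536:
                raise ValueError(f"bad port in {line!r}")
        elif key == "s":
            source = parse_source(value)
        else:
            raise ValueError(f"unknown field {key!r} in {line!r}")
    if source is None:
        raise ValueError(f"rule without s= source: {line!r}")
    return Rule(source, dport, direction)


def to_iptables(rule: Rule, target: str) -> List[str]:
    """Render a rule as an iptables argument vector (never executed here); d= assumed TCP."""
    if rule.direction == "in":
        args = ["iptables", "-A", "INPUT", "-s", str(rule.source)]
    else:
        args = ["iptables", "-A", "OUTPUT", "-d", str(rule.source)]
    if rule.dport is not None:
        args += ["-p", "tcp", "--dport", str(rule.dport)]
    return args + ["-j", target]


def build_commands(allow_text: str, deny_text: str) -> List[List[str]]:
    """Allow rules are emitted before deny rules so an explicit allow always wins."""
    commands = []
    for text, target in ((allow_text, "ACCEPT"), (deny_text, "DROP")):
        for line in text.splitlines():
            rule = parse_rule(line)
            if rule is not None:
                commands.append(to_iptables(rule, target))
    return commands


def still_open_to_everyone(tcp_cports: str, allow_text: str) -> List[int]:
    """Ports covered by a source-restricted allow rule that TCP_CPORTS still opens to the
    world. rfxn's fix in the thread: remove them from TCP_CPORTS, or the restriction is moot."""
    open_ports = {int(p) for p in tcp_cports.split(",") if p.strip()}
    restricted = set()
    for line in allow_text.splitlines():
        rule = parse_rule(line)
        if rule is not None and rule.dport is not None:
            restricted.add(rule.dport)
    return sorted(open_ports & restricted)


# Constructed sample files for this example (1.1.1.1 is the thread's placeholder static IP).
ALLOW_HOSTS = """# allow_hosts.rules: only the admin's static IP may reach ftp/ssh/whm
in:d=21:s=1.1.1.1
in:d=22:s=1.1.1.1
in:d=2087:s=1.1.1.1
"""
DENY_HOSTS = """# deny_hosts.rules: block one /24 on SMTP only, and one host entirely
in:d=25:s=65.170.79.0/24
203.0.113.7
"""
TCP_CPORTS_BEFORE = "20,21,22,25,53,80,110,443,2082,2083,2086,2087,2095"
TCP_CPORTS_AFTER = "20,25,53,80,110,443,2082,2083,2086,2095"

if __name__ == "__main__":
    for cmd in build_commands(ALLOW_HOSTS, DENY_HOSTS):
        print(" ".join(cmd))
    print("still world-open:", still_open_to_everyone(TCP_CPORTS_BEFORE, ALLOW_HOSTS))
    print("after removing them:", still_open_to_everyone(TCP_CPORTS_AFTER, ALLOW_HOSTS))
```

With the "before" port list the check reports 21, 22 and 2087 as still open to everyone, which is exactly why rfxn says to take them out of TCP_CPORTS first; with the "after" list it reports nothing. Rendering to argument vectors rather than shelling out keeps the example a pure dry run, which is also the safer way to review a rule file before loading it with DEVM="1".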
Invision Power Board © 2001-2010 Invision Power Services, Inc.