Full Version: HOWTO: Antidos via APF Firewall
The Planet Forums > Security > General Security
web1
Antidos is a really nice feature of the APF firewall, but it's not automatically turned on when you install and run APF.

First you probably want to make sure APF is running nicely for a few days and you have your own IP listed in the "allow_hosts.rules" file so you can't lock yourself out. You also want to understand how to access the EV1 remote console (from your EV1 account manager), just in case you do lock yourself out.

And to be even safer, let's set DEVEL_MODE to "1" (on), and we need to set up USE_AD to enable the use of antidos, so find and edit these:

pico -w /etc/apf/conf.apf

DEVEL_MODE="1"

USE_AD="1"

apf -r

Now APF will quit in 5 minutes. Don't forget to put DEVEL_MODE back when everything is OK!

NOTE: Your server will not be firewalled after 5 minutes! If you are under attack right now this might not be such a good thing to disable.

If you installed APF with the normal installer most of the settings for antidos should be OK. We only need to change a few things, find and change these:

pico -w /etc/apf/ad/conf.antidos

LP_KLOG="1"
IPT_BL="1"

USR_ALERT="1"
USER="root"
ARIN_ALERT="1"

You can test run it manually (it's just a shell script):

/etc/apf/ad/antidos -a

It doesn't say anything if it liked the config file and your system, and if you ran it for the first time, you will find it created a blank log file at:

/var/log/apfados_log

You need to have antidos set to run via cron. If you have "crontab -e" all set up you can use that to set it up. Some panels let you edit the root cron job file from the panel.

This is a critical setup point; if it is not done, antidos will simply not operate.

Here's an example line, I added this to my root crontab:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

This will run antidos every two minutes. The author of antidos doesn't recommend running it once a minute as it may cause a bottleneck for itself and the CPU. Likewise running it beyond a period of once every 5 minutes is not recommended either, for obvious reasons.

You can check to see if it's being run with something like this:

tail -30 /var/log/cron

Now restart apf again:

apf -r

Try to access a few of your sites, and if you are not locked out and happy with everything you can set DEVEL_MODE to "0" (off):

pico -w /etc/apf/conf.apf

DEVEL_MODE="0"

apf -r


At this point it would be nice to test to see if it actually works, I leave that up to you to figure out how or maybe someone else can post some ideas. I would be very careful, you don't want to DOS the wrong server.

If for some reason you find out it's locking the wrong people out and want to turn it off, take this line out of root cron:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

And blank out this file:

/etc/apf/ad/ad.rules

You can look in the log file to see what went wrong:

/etc/apf/ad/apfados_log

And don't forget to restart apf:

apf -r


For more info on the settings, see the doc files at:
http://rfxnetworks.com/apf.php
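An added example (not part of the post above, and not code from APF or rfxnetworks): a small POSIX sh audit that reads the two config files the how-to edits and reports which of the required settings are missing or off. It also flags assignment lines a shell will not treat as assignments, which is how a value such as `USER = “root”` (spaces around `=`, typographic quotes) silently fails when the config is read. The paths are the ones named in the post; the function names and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the antidos settings the
# how-to enables and flag assignment lines a shell would not parse. Function
# names and the sample contents below are constructed for this demonstration.

# Print the value of key $2 from file $1 with surrounding double quotes
# stripped. Only lines of the exact form KEY="value" or KEY=value count:
# a sourcing shell treats 'USER = “root”' as a command named USER, not a setting.
ad_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# List non-comment lines that look like assignments but are malformed:
# whitespace around "=" or non-ASCII bytes such as typographic quotes.
ad_malformed() {
    grep -v '^[[:space:]]*#' "$1" \
        | LC_ALL=C grep -e '[^ -~]' \
                        -e '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]\{1,\}=' \
                        -e '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]\{1,\}[^[:space:]]' \
        || true
}

# Audit conf.antidos ($1) and conf.apf ($2). Returns 0 when every setting the
# how-to needs is in place, 1 otherwise, printing one line per finding.
ad_audit() {
    rc=0
    bad=$(ad_malformed "$1")
    if [ -n "$bad" ]; then
        printf 'MALFORMED (not a shell assignment): %s\n' "$bad"
        rc=1
    fi
    for key in LP_KLOG IPT_BL USR_ALERT ARIN_ALERT; do
        val=$(ad_get "$1" "$key")
        if [ "$val" != 1 ]; then
            echo "OFF/UNSET: $key=${val:-<unset>}"
            rc=1
        fi
    done
    if [ -z "$(ad_get "$1" USER)" ]; then
        echo "UNSET: USER (who receives the USR_ALERT mail)"
        rc=1
    fi
    dm=$(ad_get "$2" DEVEL_MODE)
    if [ "$dm" != 0 ]; then
        echo "WARN: DEVEL_MODE=${dm:-<unset>}; APF unloads after 5 minutes while it is 1"
        rc=1
    fi
    return $rc
}

# Constructed samples: one conf.antidos as the how-to sets it, one with the
# slip of spaces and typographic quotes around the USER value, and a conf.apf
# in its final (DEVEL_MODE off) state.
SAMPLE_AD_OK='# antidos settings
LP_KLOG="1"
IPT_BL="1"
USR_ALERT="1"
USER="root"
ARIN_ALERT="1"'
SAMPLE_AD_BAD='LP_KLOG="1"
IPT_BL="1"
USR_ALERT="1"
USER = “root”
ARIN_ALERT="1"'
SAMPLE_APF_LIVE='DEVEL_MODE="0"
USE_AD="1"'

# Write $1 to a fresh temp file and print its path.
ad_sample() {
    f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"
}

# Demonstration when run directly.
ad_f=$(ad_sample "$SAMPLE_AD_OK"); apf_f=$(ad_sample "$SAMPLE_APF_LIVE")
echo "--- config as in the how-to:"; ad_audit "$ad_f" "$apf_f" && echo "ok"
bad_f=$(ad_sample "$SAMPLE_AD_BAD")
echo "--- config with 'USER = “root”':"; ad_audit "$bad_f" "$apf_f" || echo "needs fixing"
rm -f "$ad_f" "$apf_f" "$bad_f"
```

On a real box you would call `ad_audit /etc/apf/ad/conf.antidos /etc/apf/conf.apf` after the edits and again after setting DEVEL_MODE back to "0"; a non-zero return means something from the list above is still off.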
jorgece
thanks; very clear 'how-to'

just one thing or it won't work

instead of adding in cron :

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

to make it work I needed to add:

*/2 * * * * root /etc/apf/ad/antidos -a > /dev/null 2>&1

and restarted crond as root:

service crond restart

regards,
yngens
QUOTE (jorgece @ Nov 20 2006, 01:51 PM)
thanks; very clear 'how-to'
just one thing or it won't work
instead of adding in cron :
*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1
to make it work I needed to add:
*/2 * * * * root /etc/apf/ad/antidos -a > /dev/null 2>&1
and restarted crond as root:
service crond restart
regards,


I don't know how to test. Can anyone, please, confirm which way I should go: as it was suggested initially (*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1) or as by jorgece (*/2 * * * * root /etc/apf/ad/antidos -a > /dev/null 2>&1)?

thnx
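The two cron lines in this thread differ by one field, and the difference is the crontab layout, not a typo. As an added example that is not part of any post here: a user crontab (what `crontab -e` edits) has five time fields followed directly by the command, while the system crontab (`/etc/crontab` and files under `/etc/cron.d`) has a user-name field between the time fields and the command. A line in the wrong layout does not error out; cron just runs the wrong thing, or nothing. The POSIX sh below classifies a line by layout and checks that the minute field stays within the 2 to 5 minute range the how-to recommends. Function names are constructed; the check assumes the command is given as an absolute path, as both lines in the thread are.

```shell
#!/bin/sh
# Added example, not from any post in this thread: tell the two crontab
# layouts apart and check that an antidos entry runs every 2-5 minutes.
#   user crontab (edited with "crontab -e"):    min hour dom mon dow command
#   system crontab (/etc/crontab, /etc/cron.d): min hour dom mon dow user command
# A user-layout line in /etc/crontab makes cron read "/etc/apf/ad/antidos" as
# the user name; a system-layout line in a user crontab runs a command named
# "root". Either way antidos never runs, and the only trace is in cron's log.

# Print "user", "system" or "unknown" for cron line $1. Heuristic: the command
# is assumed to be an absolute path, as in the thread's lines.
cron_format() {
    set -f; set -- $1; set +f      # split on whitespace without glob-expanding "*"
    [ $# -ge 6 ] || { echo unknown; return 1; }
    case $6 in
        /*) echo user ;;           # 6th field is a path: the command starts here
        *)  case ${7:-} in
                /*) echo system ;; # 6th field is a user, the command starts at 7
                *)  echo unknown; return 1 ;;
            esac ;;
    esac
}

# Return 0 when minute field $1 means "every N minutes" with N in 2..5, the
# range the how-to recommends; every minute ("*") or any other spec returns 1.
cron_interval_ok() {
    case $1 in
        \*/[2-5]) return 0 ;;
        *)        return 1 ;;
    esac
}

# Check cron line $1 for installation in a crontab of layout $2 ("user" or
# "system"). Returns 0 and prints a summary when it is a usable antidos entry.
antidos_cron_check() {
    line=$1; target=$2
    fmt=$(cron_format "$line") || { echo "unparseable: $line"; return 1; }
    if [ "$fmt" != "$target" ]; then
        echo "layout mismatch: line is $fmt-crontab layout, target is the $target crontab"
        return 1
    fi
    case $line in
        *antidos*) ;;
        *) echo "not an antidos entry: $line"; return 1 ;;
    esac
    set -f; set -- $line; set +f
    if ! cron_interval_ok "$1"; then
        echo "interval '$1' is outside the 2-5 minute range"
        return 1
    fi
    echo "ok: $fmt crontab, runs every ${1#*/} minutes"
}

# Demonstration with the two lines from the thread.
USER_LINE='*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1'
SYSTEM_LINE='*/2 * * * * root /etc/apf/ad/antidos -a > /dev/null 2>&1'
antidos_cron_check "$USER_LINE" user
antidos_cron_check "$SYSTEM_LINE" system
antidos_cron_check "$SYSTEM_LINE" user || true                        # wrong place for this layout
antidos_cron_check '* * * * * /etc/apf/ad/antidos -a' user || true    # every minute: too often
```

To check what is actually installed, feed it the live lines, for example `crontab -l -u root | grep antidos` for the user crontab or `grep antidos /etc/crontab /etc/cron.d/*` for the system one, with the matching layout name as the second argument.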
GetBackers
When I try to run /etc/apf/ad/antidos -a I get the following error:
QUOTE
couldnt fetch main adapter address, aborting.

What does it mean?
rfxn
The antidos portion of APF is no longer supported and discouraged from use; a new antidos subsystem yet unnamed will be released in a future version of APF.
edasx
QUOTE (rfxn @ Jan 28 2008, 09:40 PM)
The antidos portion of APF is no longer supported and discouraged from use; a new antidos subsystem yet unnamed will be released in a future version of APF.


Thank you for this vital information, I was just wondering where the ad directory went =))
rfxn
QUOTE (edasx @ Jul 17 2008, 10:49 AM)
Thank you for this vital information, I was just wondering where the ad directory went =))


You should look at the embedded RAB (reactive address blocking) feature within conf.apf along with the many other advanced conf.apf options at your disposal to tune things for optimal protection.