Log in to your server through SSH and su to the root user.
- Download the APF source
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
Note that this URL is plain HTTP and install.sh will run as root, so check the archive against a checksum obtained out of band before going further.
- Extract the tar.gz
# tar -xvzf apf-current.tar.gz
- Enter the APF directory (the version in the name will differ; use whatever directory the archive extracted to)
# cd apf-0.9.7-1/
- Run the install file:
# ./install.sh
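The download above is fetched over plain HTTP and then installed as root, so the install step is where a supply-chain check belongs. The script below is an added example, not part of the page or of the APF project: it verifies the archive's SHA-256 against a value you obtained from a trusted source (an assumed input; the example does not know the real hash), and reads the top-level directory out of the archive instead of hardcoding apf-0.9.7-1.

```shell
#!/bin/sh
# Added example (not from the original page or the APF project): verify an
# APF tarball before running its install.sh as root, and read the top-level
# directory from the archive instead of hardcoding a version like apf-0.9.7-1.
set -eu

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the archive's SHA-256 matches the expected value.
# The expected hash is an assumption for this example: take it from a
# trusted out-of-band source, never from the same unauthenticated download.
verify_tarball() {
    tarball=$1; expected=$2
    actual=$(sha256_of "$tarball")
    [ "$actual" = "$expected" ]
}

# Print the archive's top-level directory (e.g. apf-0.9.7-1) so the next
# step can cd into it regardless of which version was downloaded.
apf_topdir() {
    tar -tzf "$1" | head -n 1 | cut -d/ -f1
}

# Full sequence: refuse to unpack or install anything whose hash does not match.
install_apf() {
    tarball=$1; expected=$2
    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball; not installing" >&2
        return 1
    fi
    dir=$(apf_topdir "$tarball")
    tar -xzf "$tarball"
    (cd "$dir" && sh ./install.sh)
}

# Usage (assumed values; run as root on the target host):
#   install_apf apf-current.tar.gz <sha256 obtained out of band>
```

Run it as root from the directory holding the tarball; a mismatch leaves nothing extracted, which is the point.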
- Modify the APF config File
# pico /etc/apf/conf.apf
- Add the ports you want to open for inbound (INGRESS) traffic. Only list what the server actually serves; in particular, leave 3306 (MySQL) out unless remote database clients genuinely need it.
- The following is for cPanel servers:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
- The following is for DirectAdmin servers:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
- Tell APF to filter outgoing (EGRESS) traffic as well. Change the line:
EGF="0"
to
EGF="1"
- Tell APF which egress ports to allow (the following is for cPanel servers):
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
- Save your changes: Ctrl+X, then press Y.
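The port lists above are plain comma-separated strings, and a typo in one of them (two ports run together, a stray space inside the quotes, a letter where a digit should be) yields a wrong rule set rather than an error. The script below is an added example, not part of the page or of APF: it validates a list before it goes into conf.apf, emits the assignment line only if the list is clean, and flags ports that should not be internet-exposed without a reason (the review list is an assumption for this example; adjust it to your environment).

```shell
#!/bin/sh
# Added example (not from the original page or the APF project): sanity-check
# the comma-separated port lists before they go into /etc/apf/conf.apf.
set -eu

# Return 0 if every field is an integer in 1..65535 with no whitespace or
# empty fields; print the offending field to stderr and return 1 otherwise.
check_ports() {
    list=$1
    case "$list" in
        *[[:space:]]*) echo "whitespace inside port list: '$list'" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for p in $list; do
        case "$p" in
            ''|*[!0-9]*) IFS=$old_ifs; echo "bad port field: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; echo "port out of range: $p" >&2; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Emit a validated conf.apf assignment, or fail so nothing is written.
conf_line() {
    check_ports "$2" || return 1
    printf '%s="%s"\n' "$1" "$2"
}

# Ports that should only be reachable from the internet with a documented
# reason (assumed list for this example: MySQL, portmapper, IRC).
REVIEW_PORTS="3306,111,6666"

# Print each port from $1 that appears in REVIEW_PORTS, one per line.
flag_ports() {
    old_ifs=$IFS; IFS=,
    for p in $1; do
        for r in $REVIEW_PORTS; do
            if [ "$p" = "$r" ]; then echo "$p"; fi
        done
    done
    IFS=$old_ifs
}

# Example run over the DirectAdmin TCP list, with 587 and 953 separated:
#   conf_line IG_TCP_CPORTS "21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
#   flag_ports "21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
```

Pipe the output of conf_line into the config only when it succeeds; a non-zero exit means the list was rejected and the file is left untouched.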
- Start APF
# /usr/local/sbin/apf -s
- APF installs with developer mode on (DEVM="1"), which runs a cron job that stops the firewall every five minutes so a mistake cannot lock you out of SSH. Once you have confirmed you can still reach the server with the rules loaded, edit the config file and turn it off:
# pico /etc/apf/conf.apf
Change
DEVM="1"
to
DEVM="0"
Save your changes: Ctrl+X, then press Y.
- Restart APF
# /usr/local/sbin/apf -r
- Checking the APF log
The log shows changes to allowed and denied hosts, among other things:
tail -f /var/log/apf_log
Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
- Make APF start automatically at boot time
To autostart APF on reboot, run:
chkconfig --level 2345 apf on
To remove it from autostart, run:
chkconfig --del apf
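The apf_log lines shown above have a fixed shape ("(insert) deny|allow all to/from <ip>"), which makes them easy to summarise for an on-call check. The script below is an added example, not part of the page or of APF; the log lines it embeds are constructed for the example and follow the page's sample format.

```shell
#!/bin/sh
# Added example (not from the original page or the APF project): summarise
# allow/deny changes in /var/log/apf_log. SAMPLE_LOG is constructed input.
set -eu

SAMPLE_LOG='Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:30:02 ocean apf(31600): (insert) deny all to/from 203.0.113.9
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123'

# Print "action ip" for each "(insert) allow|deny" line read from stdin.
# Field layout: Mon Day Time host apf(pid): (insert) ACTION all to/from IP
apf_changes() {
    awk '/\(insert\) (allow|deny) all to\/from/ { print $(NF-3), $NF }'
}

# Print the latest action per address, "ip action", sorted by address, so
# an analyst sees what the ad-hoc rules currently say about each host.
apf_current_state() {
    apf_changes | awk '{ state[$2] = $1 } END { for (ip in state) print ip, state[ip] }' | sort
}

# Number of deny inserts on stdin; a sudden jump is worth an alert.
apf_deny_count() {
    apf_changes | awk '$1 == "deny" { n++ } END { print n + 0 }'
}

# Usage on a real host:
#   apf_current_state < /var/log/apf_log
#   tail -f /var/log/apf_log | apf_changes
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | apf_current_state
```

On the sample, the first address ends up allowed (its deny was superseded) and the second stays denied; the deny count is 2 regardless of later allows, because it counts events rather than state.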
- Denying IPs with APF Firewall (Blocking)
Now that you have your shiny new firewall you probably want to block a host, right? Of course you do! This version of APF also supports comments on entries. There are a few ways to block an IP; here are the two easiest.
A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is a comment recording why the IP is being blocked (no spaces)
These rules are loaded into the firewall right away, so they are active instantly.
Example:
./apf -d 185.14.157.123 TESTING
pico /etc/apf/deny_hosts.rules
Shows the following:
# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
B) pico /etc/apf/deny_hosts.rules
Add a new line with the IP you wish to block. Before this becomes active you need to reload the APF ruleset:
/etc/apf/apf -r
- Allowing IPs with APF Firewall (Unblocking)
I know, I know: you added an IP and now you need it removed right away! IPs that are blocked must be removed manually from deny_hosts.rules.
A) pico /etc/apf/deny_hosts.rules
Find where the IP is listed and remove that line; if the entry was added with apf -d, also remove the two comment lines above it so no orphaned comments remain.
After this is done, save the file and reload APF to make the change active:
/etc/apf/apf -r
B) If the IP is not listed in deny_hosts.rules and you wish to allow it, this method adds the entry to allow_hosts.rules:
/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is a comment recording why the IP is being allowed (no spaces)
These rules are loaded into the firewall right away, so they are active instantly. Do not leave an address in both files: an allow entry for an address that is still in deny_hosts.rules is a contradiction whose outcome depends on rule ordering, so remove the deny entry first.
Example:
./apf -a 185.14.157.123 UNBLOCKING
pico /etc/apf/allow_hosts.rules
# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123
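Editing deny_hosts.rules and allow_hosts.rules by hand, as both sections above describe, tends to leave orphaned comment lines and addresses listed in both files. The script below is an added example, not part of the page or of APF: it lists the active entries of a rules file, reports addresses present in both files, and removes an address together with the two comment lines apf -d/-a wrote for it. The rules file contents are constructed for the example in the three-line format the page shows.

```shell
#!/bin/sh
# Added example (not from the original page or the APF project): inspect and
# edit the deny_hosts.rules / allow_hosts.rules files. The contents below are
# constructed sample data in the format shown on the page.
set -eu

DENY_RULES='# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
# added 203.0.113.9 on 08/23/05 02:10:00
# SSH_BRUTE
203.0.113.9'

ALLOW_RULES='# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123'

# Print the active (non-comment, non-blank) entries of a rules file on stdin.
rule_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# Print addresses present in both an allow file ($1) and a deny file ($2).
# These rules contradict each other and should be resolved explicitly.
rule_conflicts() {
    awk 'FILENAME == ARGV[1] { if ($0 !~ /^ *(#|$)/) allow[$0] = 1; next }
         $0 !~ /^ *(#|$)/ && ($0 in allow)' "$1" "$2"
}

# Print rules file $1 to stdout with address $2 removed, including the
# "# added <ip> on <date>" line and the comment line that follow it when the
# entry was written by apf -d / apf -a. Bare entries added by hand are
# removed too. Replace the file with the output, then run apf -r.
remove_entry() {
    awk -v ip="$2" '
        BEGIN { prefix = "# added " ip " on " }
        substr($0, 1, length(prefix)) == prefix { skip = 3 }
        skip > 0 { skip--; next }
        $0 == ip { next }
        { print }' "$1"
}

# Usage on a real host:
#   rule_conflicts /etc/apf/allow_hosts.rules /etc/apf/deny_hosts.rules
#   remove_entry /etc/apf/deny_hosts.rules 185.14.157.123 > /tmp/deny.new \
#     && mv /tmp/deny.new /etc/apf/deny_hosts.rules && /usr/local/sbin/apf -r
```

Run rule_conflicts after every unblock; on the sample data it reports 185.14.157.123, which is exactly the state the page's two examples leave behind (denied, then allowed without removing the deny).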
Source: http://www.123tweak.com/how-to-install-apf-advanced-policy-firewall/