Installing APF Firewall and BFD Brute Force Detection

This is a guide on how to install and configure a firewall on your server. A firewall is one of the most important security features on a server, if not THE most important.

First thing we are going to do is install APF (Advanced Policy Firewall) from R-fx Networks.

Log in to the server with SSH and change to the root user.

[root@dev ~]# cd ~
[root@dev ~]# wget
[root@dev ~]# tar xvzf apf-current.tar.gz
[root@dev ~]# cd apf-current

2) Installation
The installation of APF is very straightforward: an included script performs all the tasks of installing APF for you.

Begin Install:

[root@dev ~/apf-current]# sh

After you run this it will list the TCP and UDP ports currently open on the server. Make a note of these; we are going to need them later.

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

Now we need to edit the firewall settings:

[root@dev ~]# nano /etc/apf/conf.apf

The first thing to note is that APF has a development mode (DEVEL_MODE), which flushes the firewall rules every 5 minutes in case you forget to allow a port and lock yourself out of the server. Leave this set to 1 until you know for a fact that the firewall is configured correctly.

!!! Do not leave this set to (1) !!! Once you have the firewall fully configured and tested, change it to 0, otherwise the rules will keep being flushed every 5 minutes.
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.

You need to find out what your network interface is named (eth0, eth1, and so on). If you are not sure, run:

[root@dev ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr: Bcast: Mask:
inet6 addr: 0080::219:0000:0000:0000/64 Scope:Link
RX packets:12309930 errors:0 dropped:0 overruns:0 frame:0
TX packets:10772585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2352733795 (2.1 GiB) TX bytes:136082483 (129.7 MiB)
Interrupt:16 Memory:00000000-00000000

As you can see from the output, mine is eth0.

# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.

You will need to specify your network adapter in both IFACE_IN and IFACE_OUT.

# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"

Put in the ports that APF listed for you earlier.


Make sure your SSH port is in this list. The default is port 22, but if you have changed it, the port you actually use must be listed or you will lock yourself out. Likewise, if you have changed your FTP port, make sure that port is in the list as well.

Once you have set these ports, save and exit.

This next step is painless because we left DEVEL_MODE="1": if we get kicked off the server when we start the firewall, it is okay, because after 5 minutes the rules will be flushed and you will be able to access the server again.

Start the Firewall

[root@dev ~]# /usr/local/sbin/apf -s

If you were not kicked off the server, good. Once you are confident that all the ports you need are listed, edit conf.apf again, change DEVEL_MODE="1" to DEVEL_MODE="0", and start the firewall again:

[root@dev ~]# /usr/local/sbin/apf -s

If you want to restart the firewall use:

[root@dev ~]# /usr/local/sbin/apf -r

If you want to stop the firewall use:

[root@dev ~]# /usr/local/sbin/apf -f

Install APF as a service so that it starts at boot:

[root@dev ~]# /sbin/chkconfig --add apf
[root@dev ~]# /sbin/chkconfig --level 345 apf on
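The two things that go wrong in this procedure are a port missing from IG_TCP_CPORTS (usually SSH) and DEVEL_MODE still set to 1 when APF is enabled at boot. The following script is an added example, not part of APF or R-fx Networks' code: it builds the CPORTS lists from a constructed sample of `netstat -lntu` output and checks a constructed conf.apf fragment before you run `apf -s` with DEVEL_MODE="0" or `chkconfig --add apf`. On a real server you would feed it the live netstat output and /etc/apf/conf.apf; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of APF): build the IG_TCP_CPORTS / IG_UDP_CPORTS
# lists from what is actually listening, and check conf.apf before the
# firewall is started for real or enabled at boot with chkconfig.
# Both inputs below are constructed samples, not taken from a live system.

# Constructed sample of `netstat -lntu` output.
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed fragment of /etc/apf/conf.apf, written to a temp file so the
# functions below take a path, as they would for the real file.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
IG_UDP_CPORTS="20,21,53,123"
EOF

# ports_for PROTO: comma-separated, numerically sorted, de-duplicated list of
# ports PROTO listens on for a non-loopback address, in APF's CPORTS format.
# Loopback-only listeners (MySQL on 127.0.0.1 above) need no ingress hole
# and are left out; the IPv6 duplicate of port 22 collapses into one entry.
ports_for() {
    printf '%s\n' "$SAMPLE_LISTENERS" |
        awk -v p="$1" '
            $1 == p || $1 == p "6" {
                n = split($4, a, ":"); port = a[n]
                addr = substr($4, 1, length($4) - length(port) - 1)
                if (addr != "127.0.0.1" && addr != "::1") print port
            }' |
        sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# port_in_list LIST PORT: 0 if PORT is covered by the comma-separated LIST,
# including APF's underscore ranges such as 6000_7000.
port_in_list() {
    want="$2"
    for entry in $(printf '%s\n' "$1" | tr ',' ' '); do
        lo="${entry%%_*}"; hi="${entry##*_}"
        if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# conf_get FILE KEY: value of KEY="..." in an APF-style conf file.
conf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# preflight FILE SSH_PORT: 0 when the conf is safe to run for real and enable
# at boot: DEVEL_MODE is off and the SSH port is allowed. Otherwise prints
# each problem and returns 1. With DEVEL_MODE="1" still set, chkconfig would
# start a firewall that flushes itself five minutes after every boot.
preflight() {
    rc=0
    if [ "$(conf_get "$1" DEVEL_MODE)" != "0" ]; then
        echo "DEVEL_MODE is not 0: rules are flushed every 5 minutes"; rc=1
    fi
    if ! port_in_list "$(conf_get "$1" IG_TCP_CPORTS)" "$2"; then
        echo "SSH port $2 is not in IG_TCP_CPORTS: you will lock yourself out"; rc=1
    fi
    return $rc
}

echo "IG_TCP_CPORTS=\"$(ports_for tcp)\""
echo "IG_UDP_CPORTS=\"$(ports_for udp)\""
preflight "$SAMPLE_CONF" 2222 || echo "fix conf.apf before running chkconfig --add apf"
```

Run as-is it prints the two CPORTS lines derived from the sample and then both preflight failures, because the sample conf still has DEVEL_MODE="1" and sshd in the sample listens on 2222, which is not in its IG_TCP_CPORTS. Anything listening only on 127.0.0.1 is deliberately left out of the ingress list; it is reachable locally without a firewall hole.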


More documentation for this is available here:

Now we are going to install BFD (Brute Force Detection) from R-fx Networks.

[root@dev ~]# cd ~
[root@dev ~]# wget
[root@dev ~]# tar xvzf bfd-current.tar.gz
[root@dev ~]# cd bfd-current

2) Installation
The installation of BFD is very straightforward: an included script performs all the tasks of installing BFD for you.

Begin Install:

[root@dev ~/bfd-current]# sh

Once installed, BFD sets up a cron job that runs every three minutes and checks the logs for brute force attacks. If it detects an attack it bans the attacker's IP by adding it to your firewall's deny list, and emails you about it at the address you specify.

We are going to set an email address for the BFD attack alerts to go to, as well as how many failed attempts an address is allowed before the firewall blocks it.

[root@dev ~/bfd-current]# nano /usr/local/bfd/conf.bfd

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/

# send email alerts for all events [0 = off; 1 = on]

# local user or email address alerts are sent to (separate multiple with comma)

Save and Exit.

If you install BFD you really should add your own IP address to the firewall's allow list. This stops the firewall from ever blocking you, for example after a few failed logins of your own.

[root@dev ~/bfd-current]# nano /etc/apf/allow_hosts.rules

Go to the bottom of this file and list IPs one per line e.g.

You can get your IP address from , which will show you the IP that you have connected from (the SSH_CLIENT environment variable in your shell on the server holds the same address). Please note that most people have a dynamic IP address, so you will need to update this entry whenever it changes.

All of the blocked IPs go into the deny hosts file, which you can also edit by hand:

[root@dev ~/bfd-current]# nano /etc/apf/deny_hosts.rules

List them the same way as above, one IP per line.
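To make concrete what the three-minute BFD cron job does, and why your own address belongs in allow_hosts.rules before you enable it, here is an added example that is not BFD's code: it counts failed sshd logins per source address in a constructed /var/log/secure excerpt, reports the addresses at or above a trigger count, and skips anything listed in a constructed allow_hosts.rules. The function names and the sample log lines are my own; BFD's real detection uses per-service rule files under /usr/local/bfd/rules/ and blocks by calling `apf -d`.

```shell
#!/bin/sh
# Added example (not BFD's own code): the detection step BFD performs from
# cron, shown over a constructed /var/log/secure excerpt. Failed sshd logins
# are counted per source address, addresses at or above the trigger count
# are reported, and anything in allow_hosts.rules is never reported, which
# is why the guide tells you to add your own IP there before enabling BFD.

# Constructed sshd log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG='Nov  1 10:00:01 dev sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Nov  1 10:00:03 dev sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Nov  1 10:00:05 dev sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51141 ssh2
Nov  1 10:00:07 dev sshd[1204]: Failed password for root from 203.0.113.5 port 51150 ssh2
Nov  1 10:00:09 dev sshd[1205]: Failed password for root from 203.0.113.5 port 51162 ssh2
Nov  1 10:00:11 dev sshd[1206]: Failed password for invalid user test from 203.0.113.5 port 51170 ssh2
Nov  1 10:01:00 dev sshd[1210]: Failed password for root from 198.51.100.7 port 40000 ssh2
Nov  1 10:01:04 dev sshd[1211]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov  1 10:02:00 dev sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2
Nov  1 10:02:30 dev sshd[1221]: Failed password for root from 192.0.2.10 port 50002 ssh2
Nov  1 10:02:33 dev sshd[1222]: Failed password for root from 192.0.2.10 port 50003 ssh2
Nov  1 10:02:36 dev sshd[1223]: Failed password for root from 192.0.2.10 port 50004 ssh2
Nov  1 10:02:39 dev sshd[1224]: Failed password for root from 192.0.2.10 port 50005 ssh2
Nov  1 10:02:42 dev sshd[1225]: Failed password for root from 192.0.2.10 port 50006 ssh2'

# Constructed /etc/apf/allow_hosts.rules: the admin's own address.
ALLOW_HOSTS='# constructed allow_hosts.rules
192.0.2.10'

# failed_counts: "ip count" per source address, most failures first.
# Only "Failed password" lines count; the accepted publickey login does not.
failed_counts() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]*\]: Failed password for / {
                 for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
             }
             END { for (ip in c) print ip, c[ip] }' |
        sort -k2,2nr -k1,1
}

# is_allowed IP: 0 if IP is listed in allow_hosts.rules (comment lines ignored).
is_allowed() {
    printf '%s\n' "$ALLOW_HOSTS" | grep -v '^#' | grep -qxF "$1"
}

# offenders TRIG: addresses with at least TRIG failures that are not in the
# allow list, one per line. These are the addresses that would end up in
# /etc/apf/deny_hosts.rules (BFD itself adds them with `apf -d IP`).
offenders() {
    failed_counts | while read -r ip n; do
        [ "$n" -ge "$1" ] || continue
        is_allowed "$ip" && continue
        echo "$ip"
    done
}

echo "failure counts:"
failed_counts
echo "would be denied with TRIG=5:"
offenders 5
```

With TRIG=5 only 203.0.113.5 is reported: 198.51.100.7 is under the threshold, and 192.0.2.10 has five failures but is the admin's own address from the allow list, so it is never handed to the firewall. Take that address out of ALLOW_HOSTS and the admin would be locked out by their own brute force detection, which is the failure the guide's allow_hosts.rules step prevents.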

More documentation for this is available here:

November 1, 2008 • Posted in: Linux, Scripts, Security
