Installing APF Firewall and BFD Brute Force Detection
This is a guide on how to install and configure a firewall on your server. A firewall is one of the most import features of security on a server if NOT the MOST important.
First thing we are going to do is install APF (Advanced Policy Firewall) from R-fx Networks.
Log-in to the server with ssh and change to root user.
[root@dev ~]# cd ~
[root@dev ~]# wget http://www.r-fx.ca/downloads/apf-current.tar.gz
[root@dev ~]# tar xvzf apf-current.tar.gz
[root@dev ~]# cd apf-current
2) Installation
The installation setup of APF is very straight forward, there is an included install.sh script that will perform all the tasks of installing APF for you.
Begin Install:
[root@dev ~/apf-current]# sh install.sh
after you run this it will list your current ports for tcp and udp made a note of these we are going to need them later.
Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf
Now we need to edit the firewall settings:
[root@dev ~]# nano /etc/apf/conf.apf
First thing we need to make a note of is that the APF has a Devel Mode, which will flush the firewall rules after 5 minutes incase you forget to allow a port and lock your self out of the server. Leave this set to 1 until you know for a fact that you have the firewall configured correctly.
!!! Do not leave set to (1) !!! — After you have the firewall fully configure correctly change this to 0
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE=”0″
You need to figure out what your network card is named eth0 or eth1 if you are not sure you can run:
[root@dev ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.1.120 Bcast:192.168.1.0 Mask:255.255.255.0
inet6 addr: 0080::219:0000:0000:0000/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12309930 errors:0 dropped:0 overruns:0 frame:0
TX packets:10772585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2352733795 (2.1 GiB) TX bytes:136082483 (129.7 MiB)
Interrupt:16 Memory:00000000-00000000
As you can see by the output mine is eth0
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
IFACE_IN=”eth0″
IFACE_OUT=”eth0″
You will need to specify your network adapter in both IFACE_IN and IFACE_OUT.
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip’s
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS=”21,22,25,53,80,443,110,143,6000_7000″
# IG_UDP_CPORTS=”20,21,53,123″
# IG_ICMP_TYPES=”3,5,11,0,30,8″
You will need to put in the ports that APF recommend to you earlier
IG_TCP_CPORTS=”21,22,25,53,80,443,110,143,6000_7000″
IG_UDP_CPORTS=”20,21,53,123″
You will need to make sure that your SSH port is in here if you have changed it other wise the default is port 22, also if you have changed your FTP port you will need to make sure that it is in the list as well.
Once you have set these ports Exit and Save.
Now, this is going to be painless since we have left DEVEL_MODE=”1″ when we start the firewall if we get kicked off the server it’s okay after 5 minutes the rules will be flushed and you will be able to access the server again.
Start the Firewall
[root@dev ~]# /usr/local/sbin/apf -s
If you did not get kicked off the server this is good if you think you have all the ports listed that you need, go ahead and edit the conf.apf again and change the DEVEL_MODE=”1″ to DEVEL_MOTE=”0″ and start the firewall.
[root@dev ~]# /usr/local/sbin/apf -s
If you want to restart the firewall use:
[root@dev ~]# /usr/local/sbin/apf -r
If you want to stop the firewall use:
[root@dev ~]# /usr/local/sbin/apf -f
Installing the script as a service so that it boots on system start up.
[root@dev ~]# /sbin/chkconfig --add apf
[root@dev ~]# /sbin/chkconfig --level 345 apf on
(ONLY ADD THIS TO BOOT ONCE YOU HAVE FINALIZE YOUR CONFIGURATION OF ALL YOUR PORTS)
More documentation for this is available here: http://rfxnetworks.com/appdocs/README.apf
Now we are going to install BFD (Brute Force Detection) from R-fx Networks.
[root@dev ~]# cd ~
[root@dev ~]# wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
[root@dev ~]# tar xvzf bfd-current.tar.gz
[root@dev ~]# cd bfd-current
2) Installation
The installation setup of BFD is very straight forward, there is an included install.sh script that will perform all the tasks of installing BFD for you.
Begin Install:
[root@dev ~/bfd-current]# sh install.sh
Once this is installed it setups a three minute cronjob that checks for Brute Force Attacks, if it detects attacks it will ban the ips of the attackers, add them to your firewall deny list, and will email you about it at the address you specify.
We are going to set and email address for the BFD Attack emails to go to as well as how many attempts can be tried before the firewall blocks them.
[root@dev ~/bfd-current]# nano /usr/local/bfd/conf.bfd
# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG=”15″
# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS=”1″
# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS=”you@gmail.com”
Save and Exit.
If you install BFD you really need to add your self to the firewall allow list, this will stop you from being blocked by the firewall
[root@dev ~/bfd-current]# nano /etc/apf/allow_hosts.rules
Go to the bottom of this file and list IPs one per line e.g.
208.180.156.12
24.205.30.2
You can get your IP address from http://www.network-tools.com it will show you the IP that you have connected from. Please note that most people have a Dynamic IP address so you will need to update your IP often.
All of the blocked IPs will go into the deny hosts.
[root@dev ~/bfd-current]# nano /etc/apf/allow_hosts.rules
List them the same as above one IP per line.
More documentation for this is avaliable here: http://rfxnetworks.com/appdocs/README.bfd
Leave a Reply
You must be logged in to post a comment.