APF Questions....

geetee

New Member
Hi,

Firstly - I've been reading this forum for a while now and learnt a lot from the contributors - so thanks for that. :)

I've recently moved from Reseller to a VPS and, having seen some odd-looking Apache proxy probes (google "prx1.php" if you're interested) and other requests for non-existent scripts on one of my hosted sites from APNIC (most resolving back to China) and AfriNIC IP addresses, I want to do more to secure my server.

For the few sites I have, I have no desire for anyone from those IP blocks getting access at all, we have 99%+ US traffic and no desire for anything else. So I got hold of the APNIC and AfriNIC IP allocations and added them into the IP Deny manager via cPanel for the site in question.

Then the paranoia kicks in of course.... what else would they start looking for?

So I briefly started trying to add them into the Virtuozzo firewall ruleset... I'm a patient guy, but that was just going to take too long, so I gave up on it.

I remember seeing other threads about APF integration with WHM/cPanel but embarrassingly can't find them again! I searched all forums for "APF" and it returns no hits :confused:

I've played around with both ipchains and iptables rules in the past on standalone linux boxes and oddly enough Speedtouch DSL routers (funnily enough they run a Linux core), so I'm not a complete beginner - but I don't really want to steam into installing something on a server in a live environment without doing my homework!

So... now I've waffled around and you've got bored.. I'll ask the questions :) All answers or simply urls for further info or reading much appreciated.

How does this APF <> cPanel/WHM integration work?
Is it simply that it recognises that cPanel is present and changes the default config to allow the necessary ports or is there some pretty WHM applet for maintaining rules?

I know KH will perform the install for me if I ask, but I like to learn and do things myself..... how much of the work is it reasonable to expect them to do? i.e. would it be reasonable to ask that they install it and configure it to allow inbound connections to all the usual web / cPanel-WHM / VPS ports from any source and allow any outbound connections. Or is it more reasonable to just expect them simply to do the install and I figure out the rest and get it running?

As I say, I'm keen to learn and no novice at the command line, it's just the possible embarrassment of completely stuffing it up on a live server that is worrying me!

Many thanks in advance to those who managed to stay awake through all that!

TTFN
Graham
 
Hello geetee,

Firstly, you're right! For some reason it looks like maybe the search index on the forum has gotten corrupted or something as a search for APF returns absolutely nothing. We'll have to see if we can't have something done about that.

Secondly, I do not remember ever seeing anything about APF being integrated into the cPanel or WHM interface, but there is certainly information about installing it onto a cPanel server. There are integrated plugins out there and a Google search will find them for you. I just looked and found one that was free, and its page referenced another more encompassing one that was for pay.

Thirdly, you can find a post under cPanel HOWTOs and Tutorials on how to install it :)

You can of course ask KH to install it for you but I wouldn't expect them to go into adding rules and configuring multitudes of ports for you.

Hope that helps!
 
Graham, if you're looking for iptables frontend with integration with cPanel/WHM then you might want to take a look at CSF: http://www.configserver.com/cp/csf.html
APF doesn't have any integration with cPanel/WHM, but my personal preference still goes to APF in cases where a more or less easy-to-use iptables frontend needs to be installed.

Dan, Graham, the minimum word length was set to 4 and has been changed to 2. A search for "APF" should now return a bunch of results.
 
Awesome!

Thanks Paul! :D
 
Thanks guys... good information.

Strangely I stumbled across CSF while googling :)

Looks like I have a lot of reading ahead before jumping in!

Thanks again
Graham
 
OK - I've not even had a chance to start reading up yet and my APNIC block on the site in question is causing a problem :)

Does anyone know of an easy way to get information on which parts of the APNIC space are assigned to Australian ISPs/carriers?

Thanks
Graham
 
Hi,

CSF installed and seems to be working fine :)

One minor annoyance though: CSF is not compatible with WHM's SMTP Tweak (CSF refuses to start if it is enabled) and instead suggests you use its own SMTP_BLOCK function. The daft thing is, when you try that it throws an error stating that SMTP_BLOCK is not compatible with Virtuozzo servers.

I'll see how this goes for a week or so then maybe take a look at APF.

Thanks for the advice again :)

Ta
Graham
 
Graham,

This is correct; neither SMTP_BLOCK nor SMTP Tweak can be used inside the VPS.

Regards,
Paul
 
Thanks Paul

Seems like a fundamental flaw to me given Virtuozzo's growing popularity.

As an aside, just an hour after I got CSF+LFD going, LFD trapped an unknown IP address failing auth on cPanel. It would have been caught by cPHulk anyway, but it's nice to see it's working :)

To be honest the CSF WHM interface isn't that amazing. Sure, it's handy not to have to SSH in and type, but things like the allow and deny editors are just text editors embedded in a webpage that let you edit the csf.allow and csf.deny files without having to remember the nano or vi Ctrl-X keys.

I do like the CSF server security check thing though, being a newb it gives some good suggestions (and brief explanations) of things to check. All things anyone more experienced would know I'm sure but good for the likes of me.

So far so good :)

Time to dig into other security measures....

Thanks all
Graham
 
Heya Graham,

Out of curiosity I went and read up on CSF myself and I decided to take out APF and BFD to install it. You're right that it's not necessary to have a nice shiny interface, but the tips were nice! It is also much more thorough and integrated having CSF and LFD all together as it is. It's also written specifically for cPanel and has all the paths correctly coded, which is all very nice. One thing many may not like is the fact that LFD stays in memory, although it's not a lot of memory. Also, at start-up a lot of CPU is consumed while it reads and parses the log files.

So far I'm thinking I'll be keeping it myself :)
 
Hey Dan,

From what I've been reading, I think LFD stays in memory because it is log watching every few seconds rather than on a cron every few minutes. Which in theory should make it sharper on blocking brute force attacks. That's my understanding of it at least... as always I stand to be corrected :)

Seems to do what it says on the tin really. I'm happy with it.

I gave up trying to collate my APNIC and AfriNIC lists excluding Australia. I was up to nearly 7000 CIDR lines to add to the deny list.... somehow I don't think iptables would swallow that lol

Let me know how it goes.

Ta
Graham
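Added example (not part of the thread, and not CSF or APF code): the two earlier problems in this thread, carving Australian ranges out of an APNIC/AfriNIC deny list and getting thousands of CIDR lines into something the firewall will actually hold, come down to prefix arithmetic. The script below collapses a registry-style CIDR list, punches exemptions out of it, and renders the result either as csf.deny lines or as an ipset restore file. The allocation lists and the "Australian" range are constructed samples, not real registry data; the csf.deny "entry # comment" form and the availability of ipset inside the VPS are assumptions, not things the thread confirms (Virtuozzo containers frequently lack the ipset kernel module).

```python
import ipaddress

# Constructed sample standing in for the APNIC/AfriNIC allocation dumps.
# The real lists run to thousands of lines; these are NOT real allocations.
DENY_RAW = """
# apnic (constructed sample)
1.0.0.0/8
1.0.0.0/24
1.1.0.0/16
14.0.0.0/8
# afrinic (constructed sample)
41.0.0.0/8
102.0.0.0/8
"""

# Constructed sample of a range that must stay reachable (standing in for an
# Australian carrier's allocation); again NOT a real allocation.
EXEMPT_RAW = """
1.128.0.0/11
"""


def parse_cidrs(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_deny(deny_text, exempt_text):
    """Collapse the deny list, carve out the exempt ranges, collapse again.

    Collapsing merges overlapping and adjacent prefixes, which is what takes a
    raw registry dump from thousands of lines down to something manageable.
    Carving out an exemption replaces a prefix by the smallest set of prefixes
    that cover everything in it except the exemption.
    """
    deny = list(ipaddress.collapse_addresses(parse_cidrs(deny_text)))
    exempt = list(ipaddress.collapse_addresses(parse_cidrs(exempt_text)))
    for ex in exempt:
        remaining = []
        for net in deny:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)                      # untouched
            elif net.subnet_of(ex):
                continue                                   # entirely exempt
            else:
                remaining.extend(net.address_exclude(ex))  # punch a hole
        deny = remaining
    return sorted(ipaddress.collapse_addresses(deny),
                  key=lambda n: (n.version, n))


def is_denied(nets, ip_str):
    """True if ip_str falls inside any prefix of the finished deny list."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip.version == n.version and ip in n for n in nets)


def render_csf_deny(nets, comment="APNIC/AfriNIC block, AU exempt"):
    """One csf.deny line per prefix (assumes the 'entry # comment' form)."""
    return [f"{n} # {comment}" for n in nets]


def render_ipset(nets, setname="geoblock"):
    """Input for `ipset restore`: one hash:net set holds thousands of
    prefixes where thousands of individual iptables rules would not.
    The matching rule is then:
        iptables -I INPUT -m set --match-set geoblock src -j DROP
    (assumes ipset is usable inside the VPS)."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {n}" for n in nets if n.version == 4]
    return lines


if __name__ == "__main__":
    nets = build_deny(DENY_RAW, EXEMPT_RAW)
    print("\n".join(render_csf_deny(nets)))
    print("\n".join(render_ipset(nets)))
```

On the constructed sample the four collapsed deny prefixes become six once 1.128.0.0/11 is carved out of 1.0.0.0/8 (1.0.0.0/9, 1.160.0.0/11 and 1.192.0.0/10 remain), so 1.1.2.3 is still denied while 1.130.0.1 is not. Feed the real registry dumps in and check the output size before loading it; with csf.deny the count still matters because each entry is its own iptables rule, which is exactly why the ipset form is worth having where the VPS allows it.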
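Added example (not part of the thread, and not LFD's own code): the point above about LFD polling the logs every few seconds rather than running from cron is really about detection latency. The script below replays a constructed sshd/syslog-style sample through a simulated poller; the per-IP window and threshold are evaluated on log time, but the block can only go in at the next wake-up, so the same five failures are blocked 10 seconds after they start with a 10-second poll and 300 seconds after with a cron-style 5-minute poll. The log lines are constructed, not captured from a real host, and the csf -d command form is assumed rather than taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/syslog-style sample (NOT real log data): one source
# (203.0.113.5) hammering the box, one legitimate user mistyping twice.
SAMPLE_LOG = """\
Mar 15 12:00:00 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 15 12:00:02 vps sshd[2203]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 15 12:00:03 vps sshd[2205]: Accepted publickey for graham from 198.51.100.7 port 50000 ssh2
Mar 15 12:00:04 vps sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Mar 15 12:00:06 vps sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Mar 15 12:00:07 vps sshd[2211]: Failed password for graham from 198.51.100.7 port 50001 ssh2
Mar 15 12:00:08 vps sshd[2213]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 15 12:00:20 vps sshd[2215]: Failed password for graham from 198.51.100.7 port 50002 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(text):
    """Return (timestamp, ip, user) for each failed-password line, in file order."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative arithmetic is all we need
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events


def simulate_blocks(events, threshold, window, poll_interval, allow=frozenset()):
    """Replay events through a poller that wakes every poll_interval seconds.

    Each wake-up consumes the lines written since the previous one.  Per
    source IP it keeps the timestamps of failures within the last `window`
    seconds of log time and blocks once `threshold` of them are in the window.
    IPs in `allow` (think csf.allow) are never blocked.
    Returns {ip: seconds after the first event at which the block went in}.
    """
    events = sorted(events)
    if not events:
        return {}
    t0 = events[0][0]
    recent = defaultdict(deque)
    blocked = {}
    idx, wake = 0, 0
    while idx < len(events):
        wake += 1
        now = t0 + timedelta(seconds=wake * poll_interval)
        while idx < len(events) and events[idx][0] <= now:
            ts, ip, _user = events[idx]
            idx += 1
            if ip in allow or ip in blocked:
                continue
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                blocked[ip] = wake * poll_interval
    return blocked


def csf_commands(blocked):
    """The deny command a hypothetical blocker would run for each hit
    (assumes the `csf -d IP comment` form)."""
    return [f"csf -d {ip} sshd brute force, blocked {t}s in" for ip, t in blocked.items()]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for poll in (10, 300):
        print(poll, simulate_blocks(ev, threshold=5, window=60, poll_interval=poll))
    print("\n".join(csf_commands(simulate_blocks(ev, 5, 60, 10))))
```

With threshold 5 and a 60-second window, only 203.0.113.5 trips the rule; the legitimate user's two failures never reach the threshold, and putting the attacker's address in the allow set suppresses the block entirely, which is the same trap as a too-generous csf.allow. Shrinking the window to 5 seconds shows the other failure mode: the five attempts are spread over 8 seconds, so the count never reaches 5 and nothing is blocked.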
 
I have used CSF/LFD myself now for a while and it has worked great for me. Has blocked several things for me very well.
 