Bobcares

Installing and Configuring APF for cPanel

Jan 11, 2006

Articles by Smitha Soman

The whole process of securing a server or network is quite extensive. I'm discussing just one major aspect of security here: firewalls. Specifically, my topic is the APF firewall.

I'm dividing this article into two sections:
The first section is for amateurs. The second section is strictly for experts, or at least for those who are more familiar with the intricacies of the code and would like to understand a bit more about what's happening.

Installing APF Firewall for cPanel

In this section, I would like to enumerate the steps to install the APF firewall for cPanel. This should help anyone who decides to install APF by themselves, and may be dreading that decision, to do so in just 13 easy-to-do steps.

First of all, like all tasks, there's a requirement list here too:

  • Linux operating system
  • Root access to your system
  • Perl support
  • iptables support

Once you have ensured that everything on this checklist is in place, you can start the installation. I have listed the commands you have to run as well.

Well… Here goes….

1) Login as root to your system

2) Download the APF version 0.9.3.3 (current) to your system

bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3) Now you have to extract the tar file

bash# tar -zxf apf-current.tar.gz

4) Go to the APF directory

bash# cd apf-0.9.3_3

5) Run the install script

bash# ./install.sh

You will be alerted when the installation is complete.

Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf

6) Modify the APF config file according to your requirements.

bash# vi /etc/apf/conf.apf

(Hit i to enter the INSERT mode)

7) Add the ports you want to open for inbound (INGRESS) traffic.

  # Common ingress (inbound) TCP ports
  IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

  # Common ingress (inbound) UDP ports
  IG_UDP_CPORTS="21,53,465,873"

  # Common ICMP (inbound) types
  IG_ICMP_TYPES="3,5,11,0,30,8"

The variables mentioned above are already present in the config file. You can customize the ports.

8) You have to explicitly instruct APF to filter outgoing (EGRESS) ports as well.

Change the line: EGF="0" to EGF="1"

9) Specify the outbound ports to monitor.

  # Common egress (outbound) TCP ports
  EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

  # Common egress (outbound) UDP ports
  EG_UDP_CPORTS="20,21,53,465,873"

  # Common ICMP (outbound) types
  EG_ICMP_TYPES="all"

10) Specify the hosts (IPs) you want to allow or block, if any.
– The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
You just have to list the IPs that you specifically wish to allow or deny in the respective files.

– The format of these files is one address per line; IP masking is supported.
Example:

192.168.1.11
192.168.3.0/24

Save and exit: hit Esc, type :wq, then Enter.

11) Start APF

bash# /usr/local/sbin/apf -s

If everything goes as planned, you’ll go back to the command line.

12) If all goes well, edit the config file and turn development mode off (DEVM=0).

bash# vi /etc/apf/conf.apf

(Hit i to enter insert mode)

Change DEVM="1" to DEVM="0"

Save and quit: hit Esc, type :wq, then Enter.

13) Restart APF

bash# /usr/local/sbin/apf -r

Great news! APF is now installed and monitoring your system.

Tweaking APF

This section is strictly for professionals who may wish to try their hand at tweaking the APF settings to meet their requirements.

As I have already mentioned, here are the major paths to take note of:

Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf

Here are a few more pointers that you could use to further customize your APF firewall.

Usually APF is started at boot time.

You can add it to the boot sequence like this:

bash# chkconfig --add apf
bash# chkconfig --level 2345 apf on

You can also remove it from autostart like this:

bash# chkconfig --del apf

Alternatively, you could set up a cron job that starts the firewall some time after boot.

You can enable APF's DoS protection as well.

Change the value of USE_AD (in /etc/apf/conf.apf) to disable or enable it:

         [0 = Disabled / 1 = Enabled]

In addition to specifying ports and IPs, you can also specify protocols.

Advanced trust usage:

The trust rules can be written in an advanced format with 4 options (proto:flow:port:ip):

  protocol:    [packet protocol, tcp/udp]
  flow in/out: [packet direction, inbound or outbound]
  s/d=port:    [packet source or destination port]
  s/d=ip(/xx): [packet source or destination address, masking supported]

Flow is assumed to be in (input) if not defined. Protocol is assumed to be TCP if not defined.
When defining rules with a protocol, the flow is required.

  proto:flow:[s/d]=port:[s/d]=ip(/mask)

  s - source, d - destination, flow - packet flow in/out

Example: inbound to destination port 22 from 192.168.6.11 -

  tcp:in:d=22:s=192.168.6.11
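To check trust entries before adding them to allow_hosts.rules or deny_hosts.rules, here is an added POSIX shell validator (my own example, not part of the article or of APF) that parses both the plain address form and the advanced proto:flow:[s/d]=port:[s/d]=ip(/mask) form and applies the rules above: tcp and in are assumed when absent, and a flow is mandatory once a protocol is named. The function names are my own and the sample lines are constructed.

```shell
# Validate lines meant for /etc/apf/allow_hosts.rules or deny_hosts.rules: plain "ip" / "ip/mask"
# or the advanced proto:flow:[s/d]=port:[s/d]=ip(/mask) form. Prints
# "proto flow port_side port ip_side ip" ("-" for absent parts); returns 1 on bad input.
is_ipv4() {                       # dotted quad with optional /mask, checked octet by octet
    addr=${1%/*}; mask=${1#*/}; [ "$mask" = "$1" ] && mask=32   # no "/": host address
    case "$mask" in ''|*[!0-9]*) return 1;; esac
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}
is_port() {                       # 1-65535
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
apf_parse_rule() {
    proto=tcp; flow=in; port=; port_side=; ip=; ip_side=   # APF defaults: tcp, inbound
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    if [ $# -eq 1 ]; then                                  # plain address line
        is_ipv4 "$1" || return 1
        echo "$proto $flow - - - $1"; return 0
    fi
    case "$1" in
        tcp|udp) proto=$1; shift                           # protocol given: flow is required
                 case "$1" in in|out) flow=$1; shift;; *) return 1;; esac ;;
        in|out)  flow=$1; shift ;;
    esac
    for f in "$@"; do                                      # remaining parts: s=... or d=...
        case "$f" in
            s=*|d=*) side=${f%%=*}; val=${f#*=}
                     if is_port "$val"; then port=$val; port_side=$side
                     elif is_ipv4 "$val"; then ip=$val; ip_side=$side
                     else return 1; fi ;;
            *) return 1 ;;
        esac
    done
    [ -n "$ip" ] || return 1                               # a trust rule must name an address
    echo "$proto $flow ${port_side:--} ${port:--} ${ip_side:--} $ip"
}

# Constructed sample lines; the last one is invalid (protocol given without a flow)
for rule in '192.168.1.11' '192.168.3.0/24' 'tcp:in:d=22:s=192.168.6.11' 'udp:out:d=53:d=10.0.0.53' 'tcp:d=22:s=192.168.6.11'; do
    if out=$(apf_parse_rule "$rule"); then echo "OK   $rule -> $out"; else echo "BAD  $rule"; fi
done
```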

I have already mentioned two options, to start and restart APF. The main 'apf' script has a few more operations built in to ease the use of your firewall.

bash# /usr/local/sbin/apf [OPTION]

  -s|--start ............. load firewall policies
  -r|--restart ........... flush & load firewall
  -f|--flush|--stop ...... flush firewall
  -l|--list .............. list chain rules
  -st|--status ........... firewall status
  -a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
                           immediately load the new rule into the firewall
  -d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
                           immediately load the new rule into the firewall

Alternatively, APF can be started from the init script located at /etc/init.d/apf;
the standard start|stop|restart arguments are accepted by this script.

Here are a few options in the APF config file /etc/apf/conf.apf.

 - Option: DEVM="1"
   Definition: APF comes by default in dev. mode, meaning the firewall rules
   will be flushed every 5 minutes. This is intended to prevent you from
   being locked out of your system in the event of undesired results from APF.
   Set DEVM to zero (0) once APF is operating as desired.
   Do NOT leave this option enabled on a permanent basis, or you defeat
   the purpose of using a firewall.

 - Option: FWPATH="/etc/apf"
   Definition: Absolute install path to APF; should not normally be changed.

 - Option: IF="eth0"
   Definition: Network interface visible to the Internet/Intranet.

 - Option: NET=`ifconfig $IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
   Definition: IP address that $IF holds; either define the IP in this value
   or leave it as-is to autodetect.

 - Option: IPTLOG="/var/log/apf_log"
   Definition: Location that APF should log status information to.

 - Option: DROP_LOG="1"
   Definition: Control toggle to enable/disable netfilter kernel log chains.
   These chains appear in the default syslog kernel log, /var/log/messages.

 - Option: LRATE="60"
   Definition: Limiting toggle to increase or decrease the maximum iptables
   logging events per minute. This should be left high but may be decreased
   to save disk space and logging overhead.

 - Option: EGF="0"
   Definition: Toggle egress packet filtering on or off; when off, APF
   operates as traditional older versions did, with input filtering only.
   [0 = Disabled / 1 = Enabled]

 - Option: USE_DS="0"
   Definition: DShield.org's "block" list of top networks that have exhibited
   suspicious activity. [0 = Disabled / 1 = Enabled]
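As an added check (my own example, not from the article or from APF), here is a small POSIX shell audit of conf.apf covering the settings changed in steps 7, 8 and 12 and the DEVM, EGF and USE_AD options described above: it warns when development mode is still on, when egress filtering is off, and when the inbound TCP list would lock you out of SSH (assuming sshd listens on port 22, as in the article's port list). The function names and the sample conf excerpt are constructed for this example.

```shell
# Audit /etc/apf/conf.apf for the settings the article says to change before leaving
# APF unattended. Reads KEY="value" lines; prints one WARN/INFO line per finding.
apf_conf_get() {          # apf_conf_get FILE KEY -> value of the first KEY="..." line, empty if unset
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

list_has_port() {         # list_has_port "20,21,22" 22 (spaces in the list are ignored)
    case ",$(printf '%s' "$1" | tr -d ' ')," in *,"$2",*) return 0;; esac
    return 1
}

apf_audit_conf() {        # apf_audit_conf FILE; always returns 0, findings go to stdout
    conf=$1
    devm=$(apf_conf_get "$conf" DEVM)
    egf=$(apf_conf_get "$conf" EGF)
    use_ad=$(apf_conf_get "$conf" USE_AD)
    tcp_in=$(apf_conf_get "$conf" IG_TCP_CPORTS)
    # step 12: DEVM=1 flushes all rules every 5 minutes, so the firewall is effectively off
    [ "$devm" = "0" ] || echo "WARN DEVM=\"${devm:-unset}\": rules are flushed every 5 minutes (development mode)"
    # step 8: without EGF=1 the EG_* port lists are ignored and nothing outbound is filtered
    [ "$egf" = "1" ] || echo "WARN EGF=\"${egf:-unset}\": egress filtering is off, EG_* lists are ignored"
    # lockout check (assumes sshd listens on 22, as in the article's IG_TCP_CPORTS list)
    list_has_port "$tcp_in" 22 || echo "WARN IG_TCP_CPORTS=\"$tcp_in\": port 22 missing, SSH will be blocked once DEVM=0"
    [ "$use_ad" = "1" ] || echo "INFO USE_AD=\"${use_ad:-unset}\": DoS protection is not enabled"
    return 0
}

# Constructed excerpt of conf.apf with the values as shipped (before steps 8 and 12)
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
DEVM="1"
EGF="0"
USE_AD="0"
IG_TCP_CPORTS=" 20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
EOF
apf_audit_conf "$tmp"
rm -f "$tmp"
```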

Hope this article helps you install, configure and customize the APF firewall for your cPanel system.

