{"id":53,"date":"2012-06-10T11:44:36","date_gmt":"2012-06-10T11:44:36","guid":{"rendered":"http:\/\/rmohan.com\/?p=53"},"modified":"2012-06-13T12:03:40","modified_gmt":"2012-06-13T04:03:40","slug":"configure-advanced-policy-based-firewall-apf-brute-force-detection-bfd-ddos-deflate","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=53","title":{"rendered":"Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate"},"content":{"rendered":"

Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate <\/strong><\/p>\n

Advanced Policy Firewall <\/strong><\/p>\n

Description:<\/strong>
\nAdvanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today\u2019s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the \u2018apf\u2019 command, which includes detailed usage information on all the features.<\/p>\n

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
\n1) Static rule based policies (not to be confused with a \u201cstatic firewall\u201d)
\n2) Connection based stateful policies
\n3) Sanity based policies<\/p>\n

Features:
\n– detailed and well commented configuration file
\n– granular inbound and outbound network filtering
\n– user id based outbound network filtering
\n– application based network filtering
\n– trust based rule files with an optional advanced syntax
\n– global trust system where rules can be downloaded from a central management server
\n– reactive address blocking (RAB), next generation in-line intrusion prevention
\n– debug mode provided for testing new features and configuration setups
\n– fast load feature that allows for 1000+ rules to load in under 1 second
\n– inbound and outbound network interfaces can be independently configured
\n– global tcp\/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
\n– configurable policies for each ip on the system with convenience variables to import settings
\n– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
\n– prerouting and postrouting rules for optimal network performance
\n– dshield.org block list support to ban networks exhibiting suspicious activity
\n– spamhaus Don\u2019t Route Or Peer List support to ban known \u201chijacked zombie\u201d IP blocks
\n– any number of additional interfaces may be configured as trusted or untrusted
\n– additional firewalled interfaces can have there own unique firewall policies applied
\n– intelligent route verification to prevent embarrassing configuration errors
\n– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
\n– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
\n– configurable type of service options to dictate the priority of different types of network traffic
\n– intelligent default settings to meet every day server setups
\n– dynamic configuration of your servers local DNS revolvers into the firewall
\n– optional filtering of common p2p applications
\n– optional filtering of private & reserved IP address space
\n– optional implicit blocks of the ident service
\n– configurable connection tracking settings to scale the firewall to the size of your network
\n– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
\n– advanced network control such as explicit congestion notification and overflow control
\n– helper chains for FTP DATA and SSH connections to prevent client side issues
\n– optional rate limited event logging
\n– logging subsystem that allows for logging data to user space programs or standard syslog files
\n– comprehensive logging of every rule added
\n– detailed startup error checking
\n– if you are familiar with netfilter you can create your own rules in any of the policy files
\n– pluggable and ready advanced use of QoS algorithms provided by the Linux
\n– 3rd party add-on projects that compliment APF features<\/p>\n

Install Procedure <\/strong><\/p>\n

mkdir \/software
\ncd software
\nwget -c http:\/\/rfxnetworks.com\/downloads\/apf-current.tar.gz
\ntar -zxvf apf-current.tar.gz
\ncd apf-9.7-2\/
\n.\/install.sh
\ncp \/etc\/apf\/conf.apf \/etc\/apf\/conf.apf.bk
\nvi \/etc\/apf\/conf.apf<\/p>\n

DEVEL_MODE=\u201d0\u201d
\nIG_TCP_CPORTS=\u201d21,22,25,53,80,110,143,443,3306\u201d
\nIG_UDP_CPORTS=\u201d53,67,68,111,5353,48443\u201d
\nUSE_AD=\u201d1\u201d<\/p>\n

\/etc\/init.d\/apf restart
\n
\nBrute Force Detection (BFD)<\/strong><\/p>\n

Brute Force Detection (BFD)<\/p>\n

1) Download and Install Brute Force Detection (BFD)
\n wget -c http:\/\/rfxnetworks.com\/downloads\/bfd-current.tar.gz
\n tar xvfz bfd-current.tar.gz
\n cd bfd-*
\n .\/install.sh
\n Backup and Edit BFD Configuration
\n cp \/usr\/local\/bfd\/conf.bfd \/usr\/local\/bfd\/conf.bfd.ori
\n vi \/usr\/local\/bfd\/conf.bfd<\/p>\n

EMAIL_ALERTS=”0″
\n EMAIL_ADDRESS=”admin@email.com”
\n Backup and Edit BFD Ignore Hosts
\n cp \/usr\/local\/bfd\/ignore.hosts \/usr\/local\/bfd\/ignore.hosts.ori
\n vi \/usr\/local\/bfd\/ignore.hosts<\/p>\n

192.168.1.108
\n Run BFD
\n bfd -s<\/p>\n

DDoS Deflate<\/strong><\/p>\n

Download and Install DDoS Deflate
\n wget -c http:\/\/www.inetbase.com\/scripts\/ddos\/install.sh<\/p>\n

sh install.sh
\n Backup and Edit DDOS Configuration
\n cp \/usr\/local\/ddos\/ddos.conf \/usr\/local\/ddos\/ddos.conf.ori
\n vi \/usr\/local\/ddos\/ddos.conf<\/p>\n

EMAIL_TO=”test@email.com”
\n Run DDOS
\n \/usr\/local\/ddos\/ddos.sh -c<\/p>\n

Open a port in apf firewall and add trusted IP<\/strong><\/p>\n

Apf is a policy based iptable firewall which is very useful for blocking DDoS attack on heavily traffic servers.
\nThe issue is when we developrs\/testers are using the same server which will deny all the traffic from their static Ip given.
\nThis is a major headache in most cases.<\/p>\n

1. Opening port in apf firewall
\nEdit the file
\n“\/etc\/apf\/conf.apf”<\/p>\n

and find the entry of IG_TCP_CPORTS”<\/p>\n

and added the ports to be opened in it.<\/p>\n

A sample entry like this, I add the port \u20199091? in it
\n# Common inbound (ingress) TCP ports
\nIG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,3306″<\/strong><\/p>\n

Then restart the firewall
\n[root@host.mydomain.com] ~ >> apf -r<\/p>\n

Trusting our ip\u2019s on Apf firewall<\/p>\n

Add our ip information on \u201d
\n\/etc\/apf\/allow_hosts.rules<\/p>\n

\u201c. A sample entry like this
\n# inbound to destination port 22 from 192.168.2.1
\n# tcp:in:d=22:s=192.168.2.1#
\n# outbound to destination port 23 to destination host 192.168.2.1
\n# out:d=23:d=192.168.2.1#
\n# inbound to destination port 3306 from 192.168.5.0\/24
\n# d=3306:s=192.168.5.0\/24
\n# my IP ranges
\n10.0.4.0\/24
\n10.0.5.0\/24
\n10.0.6.0\/24
\ntcp:in:d=22:s=192.168.2.1#
\nout:d=23:d=192.168.2.1#
\nd=3306:s=192.168.5.0\/24<\/p>\n","protected":false},"excerpt":{"rendered":"

Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate <\/p>\n

Advanced Policy Firewall <\/p>\n

Description: Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today\u2019s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/53"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53"}],"version-history":[{"count":6,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":243,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions\/243"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}