APF and BFD issues...

[olivier222333]

hi all
I have installed APF and BDF following the steps here:

http://www.dedicated-resources.com/g...Firewall).html

I am doing a tail -f /var/log/apf_log and a tail -f /var/log/bfd_log
but nothing blocked..
I have attempted to login with ssh from another 20 times with a wrong root password, but I am not blocked...
I tested to make some nmap too , not blocked anymore...

I have put the config that dedicated-resources.com told me.
any ideas?

: ps aux|grep bfd
root 23210 0.0 0.0 3644 568 pts/0 S 09:35 0:00 grep bfd

ps aux|grep apf
root 23262 0.0 0.0 3656 572 pts/0 S 09:35 0:00 grep apf

normal?

can you test? 67.19.99.130

[chirpy]

You're probably better off asking on the rfxn forums and posting your conf.<app> files there, since it's nothing to do with cPanel. Sounds like you haven't configured APF correctly (you did switch off DEV mode, didn't you?)

[olivier222333]

DEVM="0"

yes it s OK now:

Feb 27 11:30:10 ns1 BFD(2176): {sshd} 81.181.106.124 exceeded maximum login failures; host already banned or ignored.
Feb 27 11:30:10 ns1 BFD(2176): {sshd} ruser exceeded maximum login failures; host already banned or ignored.
Feb 27 11:30:10 ns1 BFD(2176): {sshd} 81.181.106.124 exceeded maximum login failures; host already banned or ignored.


but
how can I change the maximum login to 10?
what is by default the maximum login ssh? or ftp?

thanks

[gorilla]

default for ssh is 3 and apache is 6 and all the rest is 10 you should be able to find this in

cd /usr/local/bfd/rules
and an ls will show you apache proftpd rh_imap rh_pop3 sshd rules in that directory

[olivier222333]

I dont understand one thing...
what do you mean by apache login?
I understood for ssh login of course;...but there...

[gorilla]

go and have a look at all the individual files and it'll explain it itself !

The apache rule is

if [ -f "/var/log/httpd/error_log" ]; then
LP="/var/log/httpd/error_log"
else
LP="/usr/local/apache/logs/error_log"
fi
TLOG_TF="apache"
TRIG="6"


ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w error | grep -w user | grep -iwf $PATTERN_FILE | awk '{print$8":"$10}' | tr -d ']'`

# Example check of multiple apache logs [ensim]
if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then

for dom in `cat /etc/virtualhosting/mappings/domainmap | awk '{print$1}'`; do
if [ -f "/home/virtual/$dom/var/log/httpd/error_log" ]; then
# The TLOG_TF value must be unique for every log file processed
TLOG_TF="apache.$dom"
LP="/home/virtual/$dom/var/log/httpd/error_log"
ARG_VAL2=`/bin/nice -n 16 $TLOGP $LP $TLOG_TF | grep -w error | grep -w user | grep -iwf $PATTERN_FILE | awk '{print$8":"$10}' | tr -d ']'`
fi
done

# Now just merge ARG_VAL and ARG_VAL2 under the variable name ARG_VAL
ARG_VAL=`echo $ARG_VAL $ARG_VAL2`
fi

[olivier222333]

ok I know
but I dont understand
can you explain for apache??
TRIG="6" (I dont see what it represent...)
a user can t display 6 pages at the same momenT?

[JP-HOST]

If you use .htaccess password protection for a directory, BFD will detect invalid passwords or usernames and ban after 6 attempts.

[olivier222333]

ok super I understood
thanks

[olivier222333]

ok super I understood
thanks

[olivier222333]

last point:


i have read in this forum this config file for CPanel but I dont understand why he opened ports : 35000_35999?
thanks


IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"