  1. #1
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    APF on ... ports still open

    APF has been working fine for several months, but suddenly I discovered today it's not closing ports.

    Open ports in apf.config are as follows:

    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2083,2087,2095,2096,3306,10000,35000_35999"

    I found that 2082 and 2086 are still open!!

    Any idea where I should start to investigate?

    Note: APF is ON & DEVM="0"

    apf 0.9.3_3
    RHE3
    kernel 2.4.21-20.EL
    WHM 9.4.0 cPanel 9.4.1-S65

    More details here:
    http://www.webhostingtalk.com/showth...88#post2484588

    Seems the guys at webhostingtalk gave up.

  2. #2
    GOT
    Get Proactive!
    Join Date
    Apr 2003
    Posts
    902

    Do you really have a space in that line?

    According to what you pasted, there is a space in 2087 (208 7) which would probably cause it to error out.

    Surprised you aren't seeing an error when you restart apf.
    Proactive Server Monitoring and Management
    http://got-management.com

  3. #3
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    There is no space, it's the copy & paste thing.

  4. #4
    GOT
    Get Proactive!
    Join Date
    Apr 2003
    Posts
    902

    You look in your apf log to see what it says?
    Proactive Server Monitoring and Management
    http://got-management.com

  5. #5
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    If you're using the SMTP tweak, this may flush the rules; portsentry may also flush the rules. If you've got any other programs that play with iptables, figure out how they work, so you can figure out how they can either work together, or be replaced or uninstalled.
    Beau Henderson
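
A check that follows from the first five posts, added here as an example and not posted by anyone in the thread: it expands the IG_TCP_CPORTS value from post #1, reports which ports fall outside it, and flags a malformed entry such as the stray space asked about in post #2. The function names port_allowed and unlisted_ports are hypothetical, and reading "_" as a range separator is an assumption taken from the 35000_35999 entry.

```bash
#!/usr/bin/env bash
# Added example (not part of APF): check ports against an IG_TCP_CPORTS value.
# Assumed syntax, as in the posted line: commas separate entries, "_" marks a range.

# Value exactly as posted in the thread.
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2083,2087,2095,2096,3306,10000,35000_35999"

# port_allowed SPEC PORT
# Returns 0 if PORT is covered by SPEC, 1 if not, 2 if SPEC has a malformed entry.
port_allowed() {
    local spec="$1" port="$2" entry lo hi found=1
    local IFS=,
    for entry in $spec; do
        case $entry in
            *_*) lo=${entry%_*}; hi=${entry#*_} ;;
            *)   lo=$entry; hi=$entry ;;
        esac
        # Every entry is validated, so a stray space ("208 7") is reported
        # even when the port being tested matches an earlier entry.
        case "$lo,$hi" in
            ,*|*,|*[!0-9,]*) echo "malformed entry: '$entry'" >&2; return 2 ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            found=0
        fi
    done
    return "$found"
}

# unlisted_ports SPEC PORT...
# Prints the PORTs (e.g. ones seen open from outside) that SPEC does not allow.
unlisted_ports() {
    local spec="$1" p rc out=""
    shift
    for p in "$@"; do
        rc=0
        port_allowed "$spec" "$p" || rc=$?
        case $rc in
            1) out="$out $p" ;;
            2) return 2 ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# 2082 and 2086 are the ports the thread reports as still reachable.
unlisted_ports "$IG_TCP_CPORTS" 2082 2083 2086 2087   # prints: 2082 2086
```

A port that is reachable yet printed here is not opened by this setting, which points at the rules not being loaded or having been flushed, as post #5 suggests.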

  6. #6
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    I upgraded to apf-0.9.4-5 and it's working fine.

    The thing is, when I activate AD everybody got banned, including me, and I couldn't get into the box till I changed my IP address and stopped APF and disabled some AD rules:

    LP_SNORT="0"
    LP_KLOG="0"
    IPT_BL="0"

    Then I echo > ad.rules to clear all banned IPs.

    Restarted APF, everything was OK.

    So which is the crazy AD rule that was banning everyone?

    Is it LP_SNORT or LP_KLOG or IPT_BL?
    Last edited by xml; 09-17-2004 at 09:08 PM.

  7. #7
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    You may want to scan your logs to see exactly why the IPs were banned.

    The antidos system is great, but you should always tweak it according to your own usage. You may want to raise the TRIG="15" to about 20 - 25.

    If you don't know EXACTLY what the antidos system does, I would suggest not running it at all until you can get an understanding of the features.
    Beau Henderson

  8. #8
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote Originally Posted by haze
    If you don't know EXACTLY what the antidos system does, I would suggest not running it at all until you can get an understanding of the features.
    What does it do, exactly?

  9. #9
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Quote Originally Posted by AbeFroman
    What does it do, exactly?
    RTFM
    http://www.rfxnetworks.com/apf/README.antidos

    Beau Henderson

  10. #10
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    haze

    I saw your reply here:

    http://forums.rfxnetworks.com/viewtopic.php?t=37

    You suggest I only use one of the following rules:

    LP_SNORT="0"
    LP_KLOG="0"

    What if it is like this:

    LP_SNORT="0"
    LP_KLOG="1"
    IPT_BL="1"

    Is this OK?

  11. #11
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Taken from the README.antidos file:

    Option: IPT_BL="1"
    Definition: This options controles standard iptables block of an attack and
    should be enabled. [0 = Disabled / 1 = Enabled]

    And yes, I would suggest monitoring the klog over snort. It's really up to you, but using snort is useless unless you have it installed and set up correctly ( No abefroman, I will not tell you how to install and set this up, sorry. ). It's one or the other with those 2, not both.
    Beau Henderson

  12. #12
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    Thanks haze

  13. #13
    xml
    Member
    Join Date
    Jan 2004
    Posts
    77

    When I enable LP_KLOG="1" I get banned with all users.

    When I checked why I was banned, I found this:

    cat /var/log/apfados_log

    Sep 18 06:52:06 host antidos(21853) my ip adress ):2472 -> ( server ip ):2086
    Sep 18 06:52:06 host antidos(21853) my ip adress ):-> ( server ip ) (DROPPED)

    cd /etc/apf/ad

    then cat ad.rules

    $IPT -A INPUT -s (my ip adress ) -d ( server ip ) -j $DSTOP

    What is the problem? Why was I banned? Did I miss some configurations to make AD work properly without false alarms?

  14. #14
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote Originally Posted by haze
    ( No abefroman, I will not tell you how to install and set this up, sorry. ).
    I have snort installed, thank you

  15. #15
    BANNED
    Join Date
    Feb 2002
    Posts
    656

    Quote Originally Posted by xml
    When I enable LP_KLOG="1" I get banned with all users.

    When I checked why I was banned, I found this:

    cat /var/log/apfados_log

    Sep 18 06:52:06 host antidos(21853) my ip adress ):2472 -> ( server ip ):2086
    Sep 18 06:52:06 host antidos(21853) my ip adress ):-> ( server ip ) (DROPPED)

    cd /etc/apf/ad

    then cat ad.rules

    $IPT -A INPUT -s (my ip adress ) -d ( server ip ) -j $DSTOP

    What is the problem? Why was I banned? Did I miss some configurations to make AD work properly without false alarms?
    It banned you for accessing WHM? That can't be right. There should be a way to safelist your IP.

    Can someone post their conf.antidos file here?
