  1. #1
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    BFD and APF

    Hello,

    I have searched through the forum but cannot find any answers relating to my query.

    I have APF and BFD installed; however, when I do 'apf -s' I get the following:

    lsmod: QM_MODULES: Function not implemented
    <PAUSE>
    Then the terminal again.

    I would like to know: how can I check if APF indeed did do its job? If I tail /var/log/apf_log then I am able to see the following:

    Aug 24 13:09:42 pentagon apf(26854): default (ingress) input drop
    Aug 24 13:09:54 pentagon apf(26801): firewall initalized

    Amongst other things before that (those are the last 2 lines).

    And when I tail /var/log/messages, I see things like:

    Aug 24 13:08:29 pentagon kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:00:00:00:00:00:ff:74:d7:5e:35:08:00 SRC=80.38.9.187 DST=66.45.235.143 LEN=48 TOS=0x04 PREC=0x00 TTL=105 ID=10703 DF PROTO=TCP SPT=1681 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)

    etc. etc. etc.

    Is this what I should be seeing? And also, how would I know if BFD is also running?

    Regards,
    David

  2. #2
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    I've seen this before when dynamic module loading has been disabled. There may be ways around it, but you have to be careful:

    1. Are you running cPanel in a VPS? If so, do not use APF, it probably won't work.

    2. If you're not running in a VPS, then try the following command:

    iptables -L -n

    If this gives you an error, i.e. no output about chains, targets, etc., then your kernel most likely doesn't have iptables loaded and that's a little beyond a post here.

    If you do get iptables output, then you can try the following:

    1. Edit /etc/apf/conf.apf and make sure you enable DEVM:

    DEVM="1"

    This makes sure that if the following does not work, you aren't locked out of your server (a cron job will run after 5 minutes clearing any iptables entries and you'll be able to get back in).

    2. Edit /etc/apf/firewall and change:

    modinit

    to:

    #modinit

    3. Reload APF:

    apf -r

    If you get the prompt back without error, then you should be up and running. If you still get an error then you most likely do not have iptables working in such a way that you can use APF.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Make sure you are running the latest version (v0.9.4_r5 as of this writing) of APF.

    Try setting MONOKERN=1 in your conf.apf

    (You should set DEVM=1 when testing configuration changes as Chirpy suggested so you do not end up locking yourself out)

  4. #4
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    Thank you for the detailed reply, Chirpy

    I have done as you said and when running apf, I get the following:

    root@pentagon [~]# apf -r
    Development mode enabled!; firewall will flush every 5 minutes.
    root@pentagon [~]#

    And I know this is good

    What I now want to know is, BFD is supposed to be running with this. How do I now make *sure* that APF is "running" and that BFD is indeed waiting to take action?

  5. #5
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Great

    Now that it is running, you can set DEVM="0" to take it out of development mode. Then reload it with:

    apf -r

    You can confirm it's working with:

    apf -l

    This will list all the chains in the pico editor for you. There should be 300 or so lines.

    You can check if BFD is working by using:

    bfd -s

    Which initiates a BFD run. If you don't get an error (but get 4 lines of text at least) then it's probably running. You should also check that there is a cron job in:

    /etc/cron.d/

    called bfd.

  6. #6
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    Excellent!

    I have now done this:

    root@pentagon [~]# apf -r
    root@pentagon [~]# bfd -s
    BFD version 0.4 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Aug 25 11:03:25 pentagon BFD(22705): cleared stale lock file file.
    Aug 25 11:04:03 pentagon BFD(22705): host exceeded maximum login failures; executed ban command '/etc/apf/apf -d host'.
    /usr/local/sbin/bfd: line 94: mail: command not found
    /usr/local/sbin/bfd: line 27: 23317 Broken pipe cat <<EOF
    - Log events from $LP:
    $EV
    ----

    - Thank you;
    root@$HOSTNAME
    EOF

    grep: Invalid back reference
    grep: Invalid back reference
    grep: Invalid back reference



    This grep error above runs for about another 30 lines.

    This does NOT look good. Any idea?

  7. #7
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Looks like the mail binary isn't in your path. Usually mail is in /bin/mail; if yours is there, edit /usr/local/bfd/bfd and look for this line:
    Code:
    	. $ALERTF | mail -s "$SUBJ_USR" "$EMAIL_USR"
    and change it to:
    Code:
    	. $ALERTF | /bin/mail -s "$SUBJ_USR" "$EMAIL_USR"
    or wherever the mail binary is on your server.

  8. #8
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    I don't have anything linking 'mail' - take note that this is a cPanel server with the latest RELEASE tree running.

    Would it be fine to use the 'sendmail' command, which cPanel says is located at:

    '/usr/sbin/sendmail'

    I have set that as mentioned by you above and I get the following when running the restart command:

    root@pentagon [~]# bfd -s
    BFD version 0.4 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Aug 25 18:25:36 pentagon BFD(7177): ffff exceeded maximum login failures; host already banned or ignored.
    exim abandoned: unknown, malformed, or incomplete option -s
    /usr/local/sbin/bfd: line 27: 7482 Broken pipe cat <<EOF
    - Log events from $LP:
    $EV
    ----

    - Thank you;
    root@$HOSTNAME
    EOF

    root@pentagon [~]#

    Now what?

  9. #9
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Do you get anything if you type:

    whereis mail

  10. #10
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    root@pentagon [~]# whereis mail
    mail: /bin/mail /sbin/mail /etc/mail /usr/games/mail

  11. #11
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    So you do have a mail binary in /bin/mail so if you make the change I mentioned it ought to work.

  12. #12
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    Ok, I was just asking because I notice that /bin/mail is actually a folder:

    root@pentagon [~]# cd /bin/mail
    root@pentagon [/bin/mail]# ls
    ./ ../ inbox
    root@pentagon [/bin/mail]#

  13. #13
    chirpy (Super Moderator)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Ah, well, that won't do. Is /sbin/mail a directory too?

  14. #14
    Member
    Join Date
    Jun 2004
    Location
    Cape Town, South Africa
    Posts
    35

    root@pentagon [~]# cd /sbin/mail
    root@pentagon [/sbin/mail]# ls
    ./ ../ inbox
    root@pentagon [/sbin/mail]#


    Things just aren't getting any better.
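
The checks discussed in this thread (iptables rules actually loaded, the bfd cron job present, and a mail binary that is a real executable rather than a directory like /bin/mail above), as an added shell example that is not part of the original posts or of APF/BFD. The function names, the `--run` switch and the two /usr/bin candidates are assumptions.

```shell
#!/bin/bash
# Added example: sanity checks for the APF/BFD setup discussed in this thread.

# Print the first candidate that is a regular, executable file.
# `whereis` lists directories too (in this thread /bin/mail and /sbin/mail
# were directories), so a path merely existing is not enough.
find_mail_binary() {
    for candidate in "$@"; do
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Count rule lines in `iptables -L -n` output read from stdin, skipping
# "Chain ..." headers, the "target prot opt ..." column header and blanks.
count_rules() {
    awk 'NF && $1 != "Chain" && $1 != "target" { n++ } END { print n + 0 }'
}

# Succeed if the BFD cron job exists as a non-empty regular file.
bfd_cron_present() {
    cron_dir=${1:-/etc/cron.d}
    [ -f "$cron_dir/bfd" ] && [ -s "$cron_dir/bfd" ]
}

run_checks() {
    status=0
    rules=$(iptables -L -n 2>/dev/null | count_rules)
    if [ "$rules" -gt 0 ]; then echo "OK: $rules iptables rules loaded"
    else echo "FAIL: no iptables rules loaded"; status=1; fi

    if bfd_cron_present /etc/cron.d; then echo "OK: /etc/cron.d/bfd present"
    else echo "FAIL: /etc/cron.d/bfd missing"; status=1; fi

    # Candidates: the whereis output from this thread plus two common
    # locations (/usr/bin/mail and /usr/bin/mailx are assumptions).
    if mailbin=$(find_mail_binary /bin/mail /sbin/mail /usr/bin/mail /usr/bin/mailx); then
        echo "OK: usable mail binary: $mailbin"
    else
        echo "FAIL: no executable mail binary; BFD alerts cannot be sent"; status=1
    fi
    return $status
}

# Run only when asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root with `--run`; a non-zero exit status means at least one check failed.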

  15. #15
    Member
    Join Date
    Mar 2003
    Posts
    427

    Can you flush the firewall auto every 2 hours by crontab:
    0 */2 * * * /etc/apf/apf -f > /dev/null 2>&1

    This will totally start over all tracking, except that those already banned continue to be banned.

    (for brute-force attacks - one user has students with FTP/webpages login so..)
