  1. #1
    Member dianaward's Avatar
    Join Date
    Dec 2002
    Location
    USA
    Posts
    102

    Default Did BFD just put me out of business? Please help!

    I've had APF on all web hosting servers for a bit, but after reading this forum and at the urging of my server lessor's forum, 4 nights ago I installed BFD on 4 servers. Set up each one the same, with the same ignored IPs.

    The next night I was working on one of them quite a bit, had to log out and back in, and was blocked. Since I didn't know whether something was damaged by what I had been working on or if it was BFD, it took me and the techs until the next morning to get me back into it. It also shut down ftp and file managers to any client who logged in more than twice. Things were back up and I was going to uninstall BFD when I was locked out again. Got warnings and block notices from BFD both times. Even the techs and datacenter can't get into either machine.

    For whatever it's worth, I have 2 servers in this datacenter, and the other 2 servers I installed BFD are in a different datacenter. The 2 at this data center have been down for 2 days now, and now the datacenter techs are telling me that both are so corrupted that they have to reinstall the OS and I have to pay. The 2 in the other datacenter are purring along fine. (Both the bad servers are Redhat, one in the other DC is also, the other is Fedora, if that makes a difference.)

    Does this make any sense? Could BFD have done this damage? I need to know so I can know how to deal with this, as I may wind up with no hosting customers if this continues.
    Diana Ward
    http://aqualityhost.com
    "Sanity calms, but madness is more interesting."
    -- John Russell
    "That's why I'm a Web designer/host."
    -- Diana Ward

  2. #2
    Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    836
    cPanel/Enkompass Access Level

    Root Administrator

    Talking

    I doubt that BFD caused the problem - all BFD does is read the logs and if there are a certain number of failed logins for a certain IP then it tells APF to block the IP. APF simply adds a rule to IPChains. It's a very straightforward piece of software.

    If you are ever blocked your datacenter can easily get into your machine from the console - before APF loads (safe mode??). At ev1servers you can also login yourself via console and unblock your IP - as console bypasses APF.

    Sounds like your DC is bullshiXXing you.
    Michael

  3. #3
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    Last week, two clients signed up with us having the same problem with APF and BFD. For some reason, the default built-in firewall, ipchains and iptables, got corrupted. Since it was free, their DCs formatted their HDs and re-installed their OSs from scratch.

    I'd urge anybody not to install APF and/or BFD unless they know what they are doing. If you need to protect your server, you can also use tripwire, mod_dosevasive, or mod_security.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #4
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Whenever I've come across this situation, it's actually been APF anti-dos to blame. As rs-freddo said, APF and BFD are relatively straightforward and it is usually a matter of identifying (through the BFD logs and the server logs) what you did from that IP address that got yourself blocked. Invariably it's a misconfigured port checking utility, or login failures to a website that I see causing the problem with BFD.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  5. #5
    Member dianaward's Avatar
    Join Date
    Dec 2002
    Location
    USA
    Posts
    102

    Default Well, I don't know what caused the problem, but they are charging me

    $75 per server to replace the OS, and then I will have to recreate all the sites from backups. If the backups aren't corrupted, that is. And I only installed it because the dc basically ordered me to get it.

    She says, sniveling softly.

    I don't intend to reinstall it, I can tell you that! Even with the normal problems with it, I don't want to be locked out of my own servers because cpanel won't log me into a control panel or my SSH client is being troublesome, or I just can't type today, (as happens often...thank God for the backspace key.)
    Last edited by dianaward; 01-28-2005 at 06:21 PM.
    Diana Ward
    http://aqualityhost.com
    "Sanity calms, but madness is more interesting."
    -- John Russell
    "That's why I'm a Web designer/host."
    -- Diana Ward

  6. #6
    Member
    Join Date
    Aug 2001
    Location
    Fremont CA
    Posts
    537

    Default

    in the future anytime you install apf / bfd you should type

    apf -a YOURIP

    that way your ip is on the allow list for apf

  7. #7
    Member ntwaddel's Avatar
    Join Date
    Nov 2003
    Location
    Templeton, CA
    Posts
    173

    Default

    I don't see how bfd or apf could have corrupted a system. They are both just perl scripts that do basic tasks

  8. #8
    Member
    Join Date
    Sep 2004
    Posts
    529

    Default

    perl? heh, it looks like a shell script to me... and it's calling /bin/sh instead of /usr/bin/perl

    But yeah... it's scripting and with its fairly limited functions, I don't see how it could 'corrupt' a system either (many different uses/meanings for 'corrupt' though). I had a firewall (on windows though) blocking certain hard drive accesses and was causing problems because of it. So it's possible I suppose that APF blocked some sort of local communications and caused some bad things to happen... even though I doubt that could happen with the way linux is set up, and I think apf is fairly intelligent with regard to local addresses.

    I've been using APF on a Redhat Enterprise 3 server for around a year now and it seems quite fine (though admittedly, I'm a couple minor revisions behind the latest version.)

    And yeah, Alaskan Wolf has some good advice there too. Always add your ip (or /24 if you have a dynamic ip) to the exclude list so you can't ever be blocked.
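
The mechanism described in #2 (count failed logins per IP in the logs, then block) together with the ignore-list advice in #6 and #8, as an added example that is not part of any post and is not BFD's own code. The log format (OpenSSH-style "Failed password" lines), the threshold, the function names and every address below are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified model of a log-watching blocker (assumption: OpenSSH-style
# "Failed password ... from IP port N ssh2" lines; not BFD's actual code).

# Constructed sample log; all addresses are documentation-range placeholders.
sample_log() {
cat <<'EOF'
Jan 28 02:11:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 28 02:11:03 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jan 28 02:11:05 web1 sshd[4103]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 28 02:11:08 web1 sshd[4104]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan 28 18:02:40 web1 sshd[5230]: Failed password for hostadmin from 192.0.2.10 port 51800 ssh2
Jan 28 18:02:47 web1 sshd[5230]: Failed password for hostadmin from 192.0.2.10 port 51800 ssh2
Jan 28 18:02:55 web1 sshd[5231]: Failed password for hostadmin from 192.0.2.10 port 51802 ssh2
Jan 28 18:03:10 web1 sshd[5232]: Accepted password for hostadmin from 192.0.2.10 port 51803 ssh2
Jan 28 19:15:22 web1 sshd[5301]: Failed password for bob from 198.51.100.20 port 33010 ssh2
EOF
}

# failed_counts: read a log on stdin, print "COUNT IP" for each source of
# failed logins. The address is taken from its fixed position before "port",
# so a user name containing spaces cannot shift it.
failed_counts() {
    awk '/sshd.*: Failed password for / && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k2
}

# would_block THRESHOLD [IGNORED_IP...]: print every IP with at least
# THRESHOLD failures that is not on the ignore list.
would_block() {
    threshold=$1; shift
    ignore=" $* "
    failed_counts | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case "$ignore" in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# The administrator at 192.0.2.10 mistyped a password three times before
# logging in; without an ignore entry that address is blocked as well.
echo "no ignore list:";   sample_log | would_block 3
echo "admin IP ignored:"; sample_log | would_block 3 192.0.2.10
```

Running the same functions over the real auth log and the blocker's own log is one way to do what #4 suggests: find which event from your address crossed the threshold.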

  9. #9
    Member dianaward's Avatar
    Join Date
    Dec 2002
    Location
    USA
    Posts
    102

    Default You would think that adding my IP to both

    APF and BFD would have prevented it, I agree. But I did do that. I added it and the techs' as well. It must have been BFD, I guess, because it had been the only change on those machines, and one of them had been working fine for at least a year.

    On the older one I was blocked the first time I tried to access it after the install. No "unsuccessful log ins" at all.

    This has been a horror that has not only cost me the money I had to pay for the repair, but about $200 a month in income from fleeing customers. And, I guess since I refuse to pay my dc's techs to put it in again, if I'm ever hacked I'll be paying for that too, since they said servers not secured as they recommended would be liable if hacking occurred. I am very unamused by this. Spent basically all of 2 weeks dealing with nothing but getting 2 webservers and their sites working again, between crashing servers, datacenter changing IPs without bothering to tell me to change them on the server, messed up permissions on both new servers, and now this. For how much can one sell a web hosting business?
    Diana Ward
    http://aqualityhost.com
    "Sanity calms, but madness is more interesting."
    -- John Russell
    "That's why I'm a Web designer/host."
    -- Diana Ward

  10. #10
    Member ntwaddel's Avatar
    Join Date
    Nov 2003
    Location
    Templeton, CA
    Posts
    173

    Default

    Quote Originally Posted by dianaward
    APF and BFD would have prevented it, I agree. But I did do that. I added it and the techs' as well. It must have been BFD, I guess, because it had been the only change on those machines, and one of them had been working fine for at least a year.

    On the older one I was blocked the first time I tried to access it after the install. No "unsuccessful log ins" at all.

    This has been a horror that has not only cost me the money I had to pay for the repair, but about $200 a month in income from fleeing customers. And, I guess since I refuse to pay my dc's techs to put it in again, if I'm ever hacked I'll be paying for that too, since they said servers not secured as they recommended would be liable if hacking occurred. I am very unamused by this. Spent basically all of 2 weeks dealing with nothing but getting 2 webservers and their sites working again, between crashing servers, datacenter changing IPs without bothering to tell me to change them on the server, messed up permissions on both new servers, and now this. For how much can one sell a web hosting business?

    Well, when you get blocked, can't you just ssh from a different ip?

  11. #11
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    It is very unfortunate that you ran into such problems with APF and BFD on your servers. These scripts are provided AS IS without any guarantee and you can use them at your own risk. These days everybody rushes to install different scripts/programs on their servers without making sure that these scripts/programs are 99.9% compatible with their OS distribution.

    We learn from our and others' mistakes. Sorry to hear about the money and time involved to solve your problem. It is just part of the business ordeal.

    Good luck :-)
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  12. #12
    Member dianaward's Avatar
    Join Date
    Dec 2002
    Location
    USA
    Posts
    102

    Default Yes, I am aware of that. I'm not blaming anyone, it's just that

    I was very wary of the script, but so many said it was fine and I was so financially urged to install it. I mainly posted here to try to see if it really was likely that such a simple script could have done this damage, and perhaps as a warning to others to be very thoughtful about this. And probably also to have an ear to complain to, since my dc isn't sympathetic.

    I have plenty of experience with installing scripts, and, as I stated, installed the script working fine on 2 other servers (different datacenter, but all cpanel, 3 Redhat and one Fedora) at the same time that this happened. (I have removed BFD from those servers now, out of fear of a repeat performance.)

    So many people use BFD that I am sure it is basically a good script, but apparently on some server setups it can be dangerous.

    And no, I changed IPs, the techs changed IPs, the dc tried it, nobody could get in.
    Last edited by dianaward; 01-30-2005 at 03:34 PM.
    Diana Ward
    http://aqualityhost.com
    "Sanity calms, but madness is more interesting."
    -- John Russell
    "That's why I'm a Web designer/host."
    -- Diana Ward

  13. #13
    Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    836
    cPanel/Enkompass Access Level

    Root Administrator

    Thumbs down

    Quote Originally Posted by dianaward
    but apparently on some server setups it can be dangerous.

    So many people use APF and BFD that I can only conclude you had a bad image from that DC.
    Michael

  14. #14
    Member
    Join Date
    Nov 2004
    Posts
    6

    Default

    I agree BFD/APF work flawlessly for me, your problem must be something else.

  15. #15
    Member
    Join Date
    Jul 2004
    Posts
    54

    Wink It is not APF/BFD

    Like Chirpy said, this has nothing to do with apf/bfd.

    This is because you enabled anti-dos in apf. I have experienced this already, and anti-dos will block your clients when they try to access your server more than 5 times in a row or less. It will even block clients browsing your site if they keep on refreshing the site, meaning abusing your site....

    Solution?

    Disable it. You can secure your server in some other way also. APF/BFD is fine as long as you configured it properly and it is very straightforward.

    Hope this helps.



    Quote Originally Posted by chirpy
    Whenever I've come across this situation, it's actually been APF anti-dos to blame. As rs-freddo said, APF and BFD are relatively straightforward and it is usually a matter of identifying (through the BFD logs and the server logs) what you did from that IP address that got yourself blocked. Invariably it's a misconfigured port checking utility, or login failures to a website that I see causing the problem with BFD.
    www.jonesolutions.com
    --------------------------------------
    Stable.Reliable.Fastest
