
APF Blocks All

Discussion in 'General Discussion' started by emericklaw, Jan 12, 2006.

  1. emericklaw

    I have been using APF for a while now and recently I have been having a lot of problems with it locking out either random ports or all of them at about 4am (same time as upcp is run). I have tried to fix this problem but nothing seems to work.

    It is definitely a firewall issue because if I connect with SSH before the ports get blocked I can just restart APF and everything works fine again.

    If anyone has any suggestions of what I could look at to solve this then I would be very grateful. Getting up at 4am every day to check on the server is no fun!

    Also alternatives to APF would be good to know as well.
     
  2. chirpy

    APF can cause all sorts of problems on servers where it seems to have compatibility problems (which I see at least twice a week). There are others, such as shorewall and kissmyfirewall (I use the latter on servers where APF is too buggy).
     
  3. jamesbond

    Does APF cause problems on a certain OS or hardware or is it seemingly random?
     
  4. emericklaw

    What I find strange is that it was working fine since I installed it in April of last year and since December it's been playing up. I will take a look at those alternatives you suggested. Thanks
     
  5. chirpy

    I've not found a common reason why it works on some servers and not others.

    One thing to be sure of with APF is that:

    1. You're using the latest 0.9.6+ version as 0.9.5 was very buggy.

    2. Don't use antidos, it causes more problems than it is worth (IMO/IMX).

    3. Keep /etc/apf/deny_hosts.rules to a minimum, i.e. only block current threats and don't keep old ones - it's a sure way to get your server slow/unbootable over time (I'd suggest emptying it out once in a while)

    4. If you use BFD make sure you're running at least v 0.9+

    5. Don't use the BFD exim rule - it's a poor method of blocking dictionary attacks (use an exim ACL instead):

    rm -fv /usr/local/bfd/rules/exim
     
  6. emericklaw

    @jamesbond: The only server I am having problems with is Fedora Core 2 with the most recent stable version running.

    @chirpy: I have always kept APF up to date and tried disabling antidos in the past (never really sure if it worked). I will check out the other points you raised too.
     
  7. chirpy

  8. madmac

    I've found that if deny_hosts.rules is too large, then APF will just block everything instead. Truncating the file always clears the problem, for me... though I don't know exactly why but recently we've also been experiencing the deny_hosts.rules file filling up much faster than it ever has in the past.

    I'd say you want to at least clean it once per week. I'm cleaning mine out once per day because I got tired of waking up to a server that had locked itself down over the night.
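
The periodic clean-up of `deny_hosts.rules` that posts #5 and #8 describe, as an added example that is not part of the original thread. It assumes one entry per line with `#` comments and that new entries are appended (newest last); the function names and thresholds are hypothetical, and `/usr/local/sbin/apf -r` is the restart command used later in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): keep APF's deny list bounded.
# Assumptions: one entry per line, '#' starts a comment, and new entries are
# appended, so the last lines are the newest. Function names are hypothetical.

# Print the number of active (non-blank, non-comment) entries in file $1.
count_entries() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# If file $1 holds more than $2 entries, back it up and keep only its leading
# comment header plus the newest $3 entries.
# Returns 0 when trimmed, 1 when left alone, 2 on error.
trim_deny_list() {
    local file="$1" max="$2" keep="$3" n backup
    [ -f "$file" ] || return 2
    n=$(count_entries "$file")
    [ "$n" -gt "$max" ] || return 1
    backup="$file.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 2
    {
        # Leading comment block only; stop at the first non-comment line.
        awk '/^[ \t]*#/ { print; next } { exit }' "$backup"
        grep -Ev '^[[:space:]]*(#|$)' "$backup" | tail -n "$keep"
    } > "$file"
    return 0
}

# Cron usage (thresholds are illustrative):
#   trim_deny_list.sh /etc/apf/deny_hosts.rules 500 100
if [ "$#" -eq 3 ]; then
    if trim_deny_list "$1" "$2" "$3"; then
        /usr/local/sbin/apf -r   # restart APF, as in the thread, to load the shorter list
    fi
fi
```

The dated backup keeps the dropped entries available for review, and APF is restarted only when the file was actually trimmed.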
     
  9. emericklaw

    In the end I removed APF and started to use KISS My Firewall which I am happy to say has been very stable.
     
  10. asish

    You can downgrade APF to see APF working too.
    This works :)
    You can use this script to install and even reinstall apf.
    The configuration file will open all the necessary cPanel ports.


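    #!/bin/bash
    # Install (or reinstall) APF 0.9.5-1, keeping dated backups of any existing copy.
    stamp=$(date +%Y%m%d)

    # Move aside a previous working directory, then start from a clean one.
    if [ -e /root/apf ]
    then
        mv -f /root/apf "/root/apf.$stamp"
    fi
    mkdir /root/apf
    cd /root/apf || exit 1

    # Back up the installed binary and config; park the deny list so it can be restored.
    if [ -e /usr/local/sbin/apf ]
    then
        mv -f /usr/local/sbin/apf "/usr/local/sbin/apf.$stamp"
        mv -f /etc/apf/conf.apf "/opt/conf.apf.$stamp"
        mv -f /etc/apf/deny_hosts.rules /opt/deny_hosts.rules
    fi

    # Stop if either download fails, rather than installing from a partial set of files.
    wget http://www.r-fx.ca/downloads/apf-0.9.5-1.tar.gz || exit 1

    wget http://tuxtamer.com/conf.apf.apf-0.9.5-1 || exit 1
    mv conf.apf.apf-0.9.5-1 conf.apf
    # YOU CAN REPLACE THE ABOVE LINE AND USE THE LINK WHERE YOU HAVE YOUR
    # CUSTOMIZED conf.apf FILE.
    tar -xvzf apf-0.9.5-1.tar.gz
    # The trailing slash makes the glob match only the extracted directory, not the tarball.
    cd apf-*/ || exit 1
    ./install.sh
    cd /root/apf || exit 1
    cp -f conf.apf /etc/apf/conf.apf
    # Restore the deny list only if one was saved above.
    if [ -e /opt/deny_hosts.rules ]
    then
        mv -f /opt/deny_hosts.rules /etc/apf/deny_hosts.rules
    fi
    /usr/local/sbin/apf -r
    /etc/init.d/apf restart
    chkconfig --level 2345 apf on
    echo "You have successfully installed apf-0.9.5-1 "
    echo "Asish"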
     
    #10 asish, Mar 13, 2006
    Last edited: Mar 13, 2006
  11. madmac

    Wait, why would you downgrade to APF 0.9.5, a version that is known to be buggy and problematic? That really doesn't make a lot of sense.
     
