emericklaw

Active Member
Mar 31, 2005
I have been using APF for a while now and recently I have been having a lot of problems with it locking out either random ports or all of them at about 4am (same time as upcp is run). I have tried to fix this problem but nothing seems to work.

It is definitely a firewall issue because if I connect with SSH before the ports get blocked I can just restart APF and everything works fine again.

If anyone has any suggestions of what I could look at to solve this then I would be very grateful. Getting up at 4am every day to check on the server is no fun!

Also, alternatives to APF would be good to know as well.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
APF can cause all sorts of problems on servers where it seems to have compatibility problems (which I see at least twice a week). There are others, such as shorewall and kissmyfirewall (I use the latter on servers where APF is too buggy).
 

jamesbond

Well-Known Member
Oct 9, 2002
chirpy said:
APF can cause all sorts of problems on servers where it seems to have compatibility problems (which I see at least twice a week).
Does APF cause problems on a certain OS or hardware or is it seemingly random?
 

emericklaw

Active Member
Mar 31, 2005
What I find strange is that it was working fine since I installed it in April of last year and since December it's been playing up. I will take a look at those alternatives you suggested. Thanks
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I've not found a common reason why it works on some servers and not others.

One thing to be sure of with APF is that:

1. You're using the latest 0.9.6+ version as 0.9.5 was very buggy.

2. Don't use antidos, it causes more problems than it is worth (IMO/IMX)

3. Keep /etc/apf/deny_hosts.rules to a minimum, i.e. only block current threats and don't keep old ones - it's a sure way to get your server slow/unbootable over time (I'd suggest emptying it out once in a while)

4. If you use BFD make sure you're running at least v 0.9+

5. Don't use the BFD exim rule - it's a poor method of blocking dictionary attacks (use an exim ACL instead):

rm -fv /usr/local/bfd/rules/exim
 

emericklaw

Active Member
Mar 31, 2005
@jamesbond: The only server I am having problems with is Fedora Core 2 with the most recent stable version running.

@chirpy: I have always kept APF up to date and tried disabling antidos in the past (never really sure if it worked). I will check out the other points you raised too.
 

madmac

Well-Known Member
Jan 11, 2004
I've found that if deny_hosts.rules is too large, then APF will just block everything instead. Truncating the file always clears the problem, for me... though I don't know exactly why but recently we've also been experiencing the deny_hosts.rules file filling up much faster than it ever has in the past.

I'd say you want to at least clean it once per week. I'm cleaning mine out once per day because I got tired of waking up to a server that had locked itself down over the night.
 
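Chirpy's point 3 and madmac's daily truncation come down to the same chore: keep deny_hosts.rules short without throwing away the blocks that still matter. The script below is an added example for this thread, not code from chirpy, madmac or the APF project. Instead of emptying the file it prunes entries by age. It assumes (this is not stated anywhere in the thread, so check a few lines of your own file first) that `apf -d` appends each host as a two-line pair, a `# added <ip> on mm/dd/yy HH:MM:SS` comment followed by the IP on its own line, and that two-digit years mean 20yy; lines without such a header (hand-added IPs, comments) are kept as they are. The sample rules file it carries is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not chirpy's, madmac's or APF's own code):
# prune /etc/apf/deny_hosts.rules by age instead of truncating it wholesale,
# so current blocks survive while the file never grows without bound.
#
# ASSUMPTION: entries appended by "apf -d" look like this two-line form
# (verify against your own file; the format is not given on this page):
#   # added 10.0.0.1 on 03/01/05 02:10:11
#   10.0.0.1
# Lines without such a header are copied through untouched.
set -eu

RULES="${RULES:-/etc/apf/deny_hosts.rules}"   # file to prune
KEEP_DAYS="${KEEP_DAYS:-7}"                    # drop hosts blocked longer than this

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Hinnant's algorithm).
# Pure integer arithmetic, so no dependency on GNU date or gawk's mktime.
days_from_civil() {
  local y=$1 m=$2 d=$3 era=0 yoe=0 doy=0 doe=0
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then
    doy=$(( (153 * (m - 3) + 2) / 5 + d - 1 ))
  else
    doy=$(( (153 * (m + 9) + 2) / 5 + d - 1 ))
  fi
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# strip_zero 08 -> 8, so "08"/"09" are not mistaken for octal inside $(( ))
strip_zero() { printf '%s\n' "${1#0}"; }

# prune_rules IN OUT KEEP_DAYS TODAY(YYYY-MM-DD): writes OUT, prints hosts dropped
prune_rules() {
  local in=$1 out=$2 keep=$3 today=$4
  local rest y m d now_days line header="" stamp dp mm dd yy added_days dropped=0
  y=${today%%-*}; rest=${today#*-}; m=${rest%%-*}; d=${rest#*-}
  now_days=$(days_from_civil "$y" "$(strip_zero "$m")" "$(strip_zero "$d")")
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "# added "*" on "*)           # remember the header; its IP is the next line
        header=$line; continue ;;
    esac
    if [ -n "$header" ]; then
      stamp=${header#*" on "}      # "03/01/05 02:10:11"
      dp=${stamp%% *}              # "03/01/05"  (mm/dd/yy)
      mm=${dp%%/*}; rest=${dp#*/}; dd=${rest%%/*}; yy=${rest#*/}
      yy=$(strip_zero "$yy")       # ASSUMPTION: two-digit year means 20yy
      added_days=$(days_from_civil $((2000 + yy)) "$(strip_zero "$mm")" "$(strip_zero "$dd")")
      if [ $((now_days - added_days)) -gt "$keep" ]; then
        dropped=$((dropped + 1))   # stale: drop header and IP together
      else
        printf '%s\n%s\n' "$header" "$line" >> "$out"
      fi
      header=""
    else
      printf '%s\n' "$line" >> "$out"   # no header: hand-added entry, keep
    fi
  done < "$in"
  echo "$dropped"
}

# Constructed sample in the assumed format (not taken from a real server).
write_sample_rules() {
  cat > "$1" <<'EOF'
# added 10.0.0.1 on 03/01/05 02:10:11
10.0.0.1
# added 10.0.0.2 on 03/29/05 04:00:59
10.0.0.2
192.0.2.7
# added 10.0.0.3 on 12/20/04 23:59:00
10.0.0.3
# added 10.0.0.4 on 03/24/05 00:00:00
10.0.0.4
EOF
}

case "${1:-}" in
  --demo)   # effect on the sample, with "today" pinned to 2005-03-31
    tmp=$(mktemp -d); write_sample_rules "$tmp/rules"
    n=$(prune_rules "$tmp/rules" "$tmp/rules.pruned" "$KEEP_DAYS" 2005-03-31)
    echo "dropped $n stale hosts; kept:"; cat "$tmp/rules.pruned"; rm -rf "$tmp" ;;
  --live)   # prune the real file, then reload APF so the shorter list is active
    n=$(prune_rules "$RULES" "$RULES.new" "$KEEP_DAYS" "$(date +%Y-%m-%d)")
    mv -f "$RULES.new" "$RULES" && /usr/local/sbin/apf -r
    echo "dropped $n stale hosts from $RULES" ;;
esac
```

Run it with `--demo` to see what it keeps and drops on the sample, or with `--live` from a daily cron job (a little before the 4am upcp slot, if that is when the lock-outs happen) to prune the real file and reload APF. The comment-plus-IP pairing is what lets it drop an entry whole; if your file uses a different layout, adjust the `case` pattern before trusting it.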

emericklaw

Active Member
Mar 31, 2005
In the end I removed APF and started to use KISS My Firewall which I am happy to say has been very stable.
 

asish

Active Member
Dec 4, 2004
India
You can downgrade APF to see APF working too.
This works :)
You can use this script to install and even reinstall apf.
The configuration file will open all the necessary Cpanel ports.


#!/bin/bash
# Reinstall (or downgrade to) apf-0.9.5-1, keeping dated backups of the old
# binary, config and deny list. Stop on the first failed command so a bad
# download is never installed over a working firewall.
set -e

TODAY=`date +%Y%m%d`

# keep any previous working directory
if [ -e /root/apf ]
then
  mv -f /root/apf /root/apf.$TODAY
fi
mkdir -p /root/apf
cd /root/apf

# back up the existing install; the deny list is put back after the install
if [ -e /usr/local/sbin/apf ]
then
  mv -f /usr/local/sbin/apf /usr/local/sbin/apf.$TODAY
  mv -f /etc/apf/conf.apf /opt/conf.apf.$TODAY
  mv -f /etc/apf/deny_hosts.rules /opt/deny_hosts.rules
fi

wget http://www.r-fx.ca/downloads/apf-0.9.5-1.tar.gz

wget http://tuxtamer.com/conf.apf.apf-0.9.5-1
mv conf.apf.apf-0.9.5-1 conf.apf
# YOU CAN REPLACE THE ABOVE LINE AND USE THE LINK WHERE YOU HAVE YOUR
# CUSTOMIZED conf.apf FILE.
tar -xvzf apf-0.9.5-1.tar.gz
cd apf-*
./install.sh
cd /root/apf
cp -f conf.apf /etc/apf/conf.apf
# restore the saved deny list only if there was one to save
if [ -e /opt/deny_hosts.rules ]
then
  mv -f /opt/deny_hosts.rules /etc/apf/deny_hosts.rules
fi
/usr/local/sbin/apf -r
/etc/init.d/apf restart
chkconfig --level 2345 apf on
echo "You have successfully installed apf-0.9.5-1 "
echo "Asish"
 

madmac

Well-Known Member
Jan 11, 2004
Wait, why would you downgrade to APF 0.9.5, a version that is known to be buggy and problematic? That really doesn't make a lot of sense.