Secret Agent
Guest
My server crashes about 5 times this week alone due to APF.
Here is what I got back from my tech:
After some examination, I have determined that the issues your server was experiencing were not hardware related. Initially, I booted the system into single user mode. The system ran nominally. Next, I started networking, and also examined your traffic graphs. As you said this was a recurring problem, I looked at your traffic over the past few weeks; nothing indicated a DoS or DDoS situation.
Finally, upon bringing the system into multiuser mode, I noticed the server was taking an extraordinary amount of time to start 'apf', so much so that upon completing the boot cycle (several minutes later) the system was unusable. I rebooted the machine back into single user mode, disabled 'apf' and the iptables startup script, and the system is now running as would be expected for the amount of users hosted on it.
As I believe has been mentioned many times, you may want to reconsider using an automated firewalling tool. It seems to be causing you nothing but headaches. Also, bear in mind that while I disabled the init scripts for both apf and iptables, there is a chance that updating cPanel will cause them to be re-enabled. You may want to look into means for either paring down the ruleset that 'apf' is using, or configuring it to not firewall so aggressively. Unfortunately, as I am not intimately familiar with the use of this tool (only the havoc it can wreak), I cannot provide advice on how best to go about doing this.
--
I know it is APF as it has done this to my other servers.
This is how it was installed / configured:
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh
pico /etc/apf/conf.apf
FIND: DEVM="1"
CHANGE TO: DEVM="0"
Add to /etc/apf/conf.apf
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
/usr/local/sbin/apf -s
chkconfig --level 2345 apf on
Specs:
cPanel
APF 0.9.5-1
BFD
LES
Mod Security
Please someone help me here. What should I do? I do not have mod_dosevasive nor anti-dos (from apf) enabled either.
This is the original/untouched conf.apf file attached
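Added example, not part of the original post and not APF's own code: a small POSIX sh script that checks the IG_*/EG_* port lists from a conf.apf before they are handed to 'apf -s'. It assumes APF's conventions as they appear in the post (comma-separated lists, ranges written LOW_HIGH such as 3000_3500, which iptables wants as LOW:HIGH) and that stray whitespace inside a list, as in the poster's IG_TCP_CPORTS line, is not tolerated by the loader. The sample conf text is constructed from the lists in the post.

```shell
#!/bin/sh
# Sanity-check APF port lists offline. Added example, assumptions:
#  - entries are comma separated, no whitespace allowed inside the list
#  - a range is LOW_HIGH (APF syntax); iptables syntax is LOW:HIGH
#  - valid ports are 1..65535 and a range needs LOW < HIGH

# Constructed sample: the poster's lists, including the stray spaces.
SAMPLE_CONF='IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
IG_UDP_CPORTS="53"
EG_TCP_CPORTS="21,25,80,443,43,2089"
EG_UDP_CPORTS="20,21,53"'

# get_var NAME CONFTEXT -> value of NAME="..." with the quotes removed
get_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"/\1/p" | head -n 1
}

# normalize_ports LIST -> the list with all spaces and tabs stripped
normalize_ports() {
    printf '%s' "$1" | tr -d ' \t'
}

# count_ports LIST -> number of comma-separated entries after normalizing
count_ports() {
    normalize_ports "$1" | tr ',' '\n' | grep -c .
}

# port_ok PORT -> success when PORT is an integer in 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_ports LIST -> prints every bad entry; succeeds only if all are valid
validate_ports() {
    rc=0
    for entry in $(normalize_ports "$1" | tr ',' ' '); do
        case "$entry" in
            *_*)
                low=${entry%%_*}
                high=${entry#*_}
                if ! port_ok "$low" || ! port_ok "$high" || [ "$low" -ge "$high" ]; then
                    echo "bad range: $entry"
                    rc=1
                fi ;;
            *)
                port_ok "$entry" || { echo "bad port: $entry"; rc=1; } ;;
        esac
    done
    return $rc
}

# to_iptables LIST -> normalized list with APF ranges rewritten as LOW:HIGH
to_iptables() {
    normalize_ports "$1" | tr '_' ':'
}

# Walk the four lists from the sample conf and report on each.
for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
    list=$(get_var "$var" "$SAMPLE_CONF")
    printf '%s: %s entries, iptables form %s\n' \
        "$var" "$(count_ports "$list")" "$(to_iptables "$list")"
    validate_ports "$list" || echo "$var has invalid entries"
done
```

This only catches malformed lists and whitespace; it does not explain a multi-minute 'apf -s' at boot. To measure that part, run 'time /usr/local/sbin/apf -s' from a console session while the box is otherwise idle, and after any cPanel update check 'chkconfig --list apf' to see whether the init script has been switched back on.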