The Community Forums

Interact with an entire community of cPanel & WHM users!

APF Firewall Keeps locking me out of my server!!! Help!!!

Discussion in 'General Discussion' started by Dr. Bogger, Aug 12, 2004.

  1. Dr. Bogger

    Hello,

    I installed the APF Firewall on a new server. It works fine for about 1 day, then after that it locks out all access to my server... What's going on?

    This time it locked me out when I was performing backups of my server... What's going on????

    Thanks.
    Sean.
     
  2. chirpy

    First, make sure that you're running a recent release (at least v0.9.4), which you can see from the top of /etc/apf/conf.apf

    Second, check your log file for your own IP address and note any messages from the kernel in:
    /var/log/messages

    That should show you which port(s) you're triggering the firewall anti-dos feature for.

    Third, whitelist your IP address ;)
    apf -a your.ip.addr.ess
     
  3. Dr. Bogger

    OK, I found this in the messages file:

    Aug 12 12:06:40 x2 kernel: ** SSH ** IN=eth0 OUT= MAC=00:0d:61:2e:7b:1a:00:d0:00:c6:4c:0a:08:00 SRC=24.195.220.235 DST=205.209.151.100 LEN=48 TOS=0x04 PREC=0x00 TTL=111 ID=23733 DF PROTO=TCP SPT=3454 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0

    and:

    Aug 12 12:04:08 x2 kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:0d:61:2e:7b:1a:00:d0:00:c6:4c:0a:08:00 SRC=219.33.96.95 DST=205.209.151.109 LEN=48 TOS=0x04 PREC=0x00 TTL=111 ID=25185 DF PROTO=TCP SPT=3914 DPT=2745 WINDOW=64240 RES=0x00 SYN N URGP=0 OPT (020405B401010402)

    and i found this one a little bit higher up in the file:

    Aug 12 00:46:06 x2 kernel: loop: loaded (max 8 devices)
    Aug 12 11:43:03 x2 kernel: kjournald starting. Commit interval 5 seconds
    Aug 12 11:43:03 x2 kernel: EXT3 FS 2.4-0.9.19, 19 August 2002 on loop(7,0), internal journal
    Aug 12 11:43:03 x2 kernel: EXT3-fs: loop(7,0): 2 orphan inodes deleted
    Aug 12 11:43:03 x2 kernel: EXT3-fs: recovery complete.
    Aug 12 11:43:03 x2 kernel: EXT3-fs: mounted filesystem with ordered data mode.


    There are a shitload of responses from the kernel... is that good or bad?

    Is there anything specific I should look for in there?

    I am really confused... Please help.

    Thanks.
    Sean
     
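The check chirpy describes in post 2 (find your own IP address in the kernel log lines and read off which DPT= they were for) written out as code. This is an added example and not part of the original thread or of APF itself: it parses the iptables-style lines that APF's LOG rules leave in /var/log/messages, using the two lines posted above (plus one ordinary kernel line, to show it is skipped) as constructed sample input, reports which destination ports a given source address is hitting, tallies ports per source, and tags port 2745 only because post 5 names it as a Bagle port. Function names, the NOTABLE_PORTS table and the "my_ip" placeholder are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the two firewall lines posted in the thread, plus
# one ordinary kernel line to show that non-firewall noise is ignored.
SAMPLE_LOG = """\
Aug 12 12:06:40 x2 kernel: ** SSH ** IN=eth0 OUT= MAC=00:0d:61:2e:7b:1a:00:d0:00:c6:4c:0a:08:00 SRC=24.195.220.235 DST=205.209.151.100 LEN=48 TOS=0x04 PREC=0x00 TTL=111 ID=23733 DF PROTO=TCP SPT=3454 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 12:04:08 x2 kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:0d:61:2e:7b:1a:00:d0:00:c6:4c:0a:08:00 SRC=219.33.96.95 DST=205.209.151.109 LEN=48 TOS=0x04 PREC=0x00 TTL=111 ID=25185 DF PROTO=TCP SPT=3914 DPT=2745 WINDOW=64240 RES=0x00 SYN N URGP=0 OPT (020405B401010402)
Aug 12 11:43:03 x2 kernel: kjournald starting. Commit interval 5 seconds
"""

# Ports worth calling out when they show up. 2745 is the only entry because
# post 5 in this thread identifies it as a Bagle worm port; extend as needed.
NOTABLE_PORTS = {2745: "Bagle/Beagle worm port (post 5)"}

# syslog timestamp, host, "kernel:", the "** PREFIX **" that APF puts in front
# of its iptables LOG rules, then the KEY=VALUE fields netfilter writes.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'\*\* (?P<prefix>[^*]+?) \*\* (?P<fields>.*)$'
)


def parse_line(line):
    """Return a dict for one APF/iptables log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group('fields').split():
        # flags such as DF, SYN and the OPT (...) tail carry no '=' and are skipped
        if '=' in tok:
            key, val = tok.split('=', 1)
            fields[key] = val
    dpt = fields.get('DPT', '')
    return {
        'ts': m.group('ts'),
        'prefix': m.group('prefix').strip(),
        'src': fields.get('SRC'),
        'dst': fields.get('DST'),
        'proto': fields.get('PROTO'),
        'dpt': int(dpt) if dpt.isdigit() else None,
    }


def parse_log(text):
    """All firewall records in a chunk of /var/log/messages, in file order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def hits_from(records, ip):
    """Records whose source is `ip`: the ports *you* are tripping the firewall on."""
    return [rec for rec in records if rec['src'] == ip]


def ports_by_source(records):
    """{src: Counter({dpt: n})}: what every client keeps hammering."""
    out = defaultdict(Counter)
    for rec in records:
        if rec['dpt'] is not None:
            out[rec['src']][rec['dpt']] += 1
    return out


def flag_notable(records):
    """(src, dpt, note) for hits on ports listed in NOTABLE_PORTS."""
    return [(rec['src'], rec['dpt'], NOTABLE_PORTS[rec['dpt']])
            for rec in records if rec['dpt'] in NOTABLE_PORTS]


if __name__ == '__main__':
    records = parse_log(SAMPLE_LOG)
    my_ip = '24.195.220.235'   # assumed placeholder: use the address you connect from
    for rec in hits_from(records, my_ip):
        print(f"{rec['ts']} {rec['prefix']}: {my_ip} -> {rec['dst']} {rec['proto']}/{rec['dpt']}")
    for src, ports in ports_by_source(records).items():
        print(src, dict(ports))
    for src, dpt, note in flag_notable(records):
        print(f"NOTE {src} hit port {dpt}: {note}")
```

Against the real file, `parse_log(open('/var/log/messages').read())` followed by `hits_from(records, 'your.ip.addr.ess')` gives the list of ports the firewall is tripping on for your address, which is the thing to know before whitelisting yourself with `apf -a`. The kernel's ext3 and loop lines that make up most of the file never match LINE_RE, so they drop out without any special handling.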
  4. Dr. Bogger

    ***bump***

    Anyone???
     
  5. chirpy

    If this is you:
    ...then that's a problem. Port 2745 is used by the Bagle mass-mailing worm. Your PC may be infected:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
     
  6. Dr. Bogger

    Hello,

    Thanks, but no, that IP is not me, lol, I must have copied the wrong entry >_<

    OK, also, it doesn't just block me out, it blocks EVERYONE out.... it's almost like my whole server is down...

    So what should I do? I really need this fixed, it is on a production server I use for webhosting, so I can't go too long without a firewall....

    Please let me know.
    Thanks.
    Sean.
     
  7. chirpy

    It sounds like you may have crucial ports blocked on the server (or there are other issues with anti-dos or BFD if you use them).

    Could you post your strings from /etc/apf/conf.apf for:
    IG_TCP_PORTS=
    IG_UDP_PORTS=
    EG_TCP_PORTS=
    EG_UDP_PORTS=

    If all else fails, you should probably hire someone to have a look at it for you. See the Ads forum here for ideas.
     
  8. Dr. Bogger

    OK, this is my config file:

    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="21,53,465,873"

    # Common ICMP (inbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    IG_ICMP_TYPES="3,5,11,0,30,8"

    ---------------

    # Egress filtering [0 = Disabled / 1 = Enabled]
    EGF="1"

    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,2089,3306"

    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53,465,873"

    # Common ICMP egress (outbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    EG_ICMP_TYPES="all"


    ------------------

    Does it look correct?

    Thanks.
    Sean.
     
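Post 7 asks for the IG_/EG_ port strings so they can be checked by eye; here is the same check done mechanically. This is an added example and not part of the original thread or of APF: it reads the conf.apf fragment posted above (embedded as constructed sample input), expands APF port lists into sets (including APF's underscore range form such as 30000_35000), and reports which of a chosen set of required ports each list lacks, looking at the egress lists only when EGF is "1". The REQUIRED sets are an illustrative assumption of the example, not something the thread states; with them, the posted config produces exactly one finding, outbound 443 absent from EG_TCP_CPORTS, which only matters if the server itself has to make HTTPS connections.

```python
import re

# Constructed sample input: the conf.apf fragment posted in this thread (post 8),
# copied into a string so the check can run offline.
SAMPLE_CONF = '''
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
'''

# Illustrative requirements, an assumption made for this example: inbound SSH,
# HTTP, HTTPS and the cPanel/WHM ports that appear in the thread; outbound SMTP,
# DNS, HTTP and HTTPS. What a given box really needs is the operator's call.
REQUIRED = {
    'IG_TCP_CPORTS': {22, 80, 443, 2082, 2083, 2086, 2087},
    'EG_TCP_CPORTS': {25, 53, 80, 443},
}

PORT_VARS = ('IG_TCP_CPORTS', 'IG_UDP_CPORTS', 'EG_TCP_CPORTS', 'EG_UDP_CPORTS')
ASSIGN_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """{VAR: value} for every KEY="value" line; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def expand_ports(spec):
    """An APF port list such as '22,80,30000_35000' as a set of ints.
    The underscore range form is APF's own syntax for a port range."""
    ports = set()
    for item in (s.strip() for s in spec.split(',')):
        if not item:
            continue
        if '_' in item:
            lo, hi = (int(x) for x in item.split('_', 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def check_conf(conf, required):
    """[(VAR, [missing ports])] for each list in `required` that lacks something.
    EG_* lists only take effect when egress filtering is on, so they are skipped
    unless EGF is exactly "1"."""
    egress_on = conf.get('EGF') == '1'
    problems = []
    for var in PORT_VARS:
        if var not in required:
            continue
        if var.startswith('EG_') and not egress_on:
            continue
        have = expand_ports(conf.get(var, ''))
        missing = sorted(required[var] - have)
        if missing:
            problems.append((var, missing))
    return problems


if __name__ == '__main__':
    conf = parse_conf(SAMPLE_CONF)
    for var, missing in check_conf(conf, REQUIRED):
        print(f"{var} is missing: {', '.join(map(str, missing))}")
```

For a live box, `parse_conf(open('/etc/apf/conf.apf').read())` reads the real file. One thing worth keeping in mind when interpreting a missing egress port: with EGF="1", APF drops outbound connections to any TCP port not in EG_TCP_CPORTS, and from the server's side that looks like the remote service being unreachable rather than like a firewall block, which is why egress lists deserve the same scrutiny as ingress ones.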
  9. chirpy

    That's pretty much OK, though I open port 20 to UDP ingress traffic too, though I don't know for sure if it is necessary. Not sure I can help more through the forum, sorry.
     