
APF on ... ports still open

Discussion in 'General Discussion' started by xml, Sep 17, 2004.

  1. xml

    xml Well-Known Member

    Joined:
    Jan 15, 2004
    Messages:
    76
    Likes Received:
    1
    Trophy Points:
    8
    APF has been working fine for several months, but suddenly I discovered today it's not closing ports.

    Open ports in apf.config are as follows:

    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2083,2087,2095,2096,3306,10000,35000_35999"

    I found that 2082 and 2086 are still open!!

    Any idea where I should start to investigate?

    Note: APF is ON & DEVM="0"

    apf 0.9.3_3
    RHE3
    kernel 2.4.21-20.EL
    WHM 9.4.0 cPanel 9.4.1-S65

    More details here:
    http://www.webhostingtalk.com/showthread.php?s=&postid=2484588#post2484588

    Seems the guys at webhostingtalk gave up.
     
  2. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Do you really have a space in that line?

    According to what you pasted, there is a space in 2087 (208 7) which would probably cause it to error out.

    Surprised you aren't seeing an error when you restart apf.
     
  3. xml

    There is no space, it's the copy & paste thing.
     
  4. GOT

    You look in your apf log to see what it says?
     
  5. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    If you're using the SMTP tweak, this may flush the rules; portsentry may also flush the rules. If you've got any other programs that play with iptables, figure out how they work, so you can figure out how they can either work together, or be replaced or uninstalled.
     
  6. xml

    I upgraded to apf-0.9.4-5 and it's working fine.

    The thing is, when I activate AD everybody got banned, including me, and I couldn't get into the box till I changed my IP address and stopped APF and disabled some AD rules:

    LP_SNORT="0"
    LP_KLOG="0"
    IPT_BL="0"

    Then I echo > ad.rules to clear all banned IPs.

    Restarted APF, everything was OK.

    So which is the crazy AD rule that was banning everyone?

    Is it LP_SNORT or LP_KLOG or IPT_BL?
     
    #6 xml, Sep 17, 2004
    Last edited: Sep 17, 2004
  7. haze

    You may want to scan your logs to see exactly why the IPs were banned.

    The antidos system is great, but you should always tweak it according to your own usage. You may want to raise the TRIG="15" to about 20 - 25.

    If you don't know EXACTLY what the antidos system does, I would suggest not running it at all until you can get an understanding of the features.
     
  8. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    What does it do, exactly?
     
  9. haze

  10. xml

  11. haze

    Taken from the README.antidos file:

    Option: IPT_BL="1"
    Definition: This options controles standard iptables block of an attack and
    should be enabled. [0 = Disabled / 1 = Enabled]

    And yes, I would suggest monitoring the klog over snort. It's really up to you, but using snort is useless unless you have it installed and set up correctly (no, abefroman, I will not tell you how to install and set this up, sorry). It's one or the other with those 2, not both.
     
  12. xml

    thanks haze
     
  13. xml

    When I enable LP_KLOG="1" I get banned along with all users.

    When I checked why I was banned I found this:

    cat /var/log/apfados_log

    Sep 18 06:52:06 host antidos(21853):( my ip adress ):2472 -> ( server ip ):2086
    Sep 18 06:52:06 host antidos(21853):( my ip adress ):-> ( server ip ) (DROPPED)



    cd /etc/apf/ad

    then cat ad.rules

    $IPT -A INPUT -s (my ip adress ) -d ( server ip ) -j $DSTOP

    What is the problem? Why was I banned? Did I miss some configuration to make AD work properly without false alarms?
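
An added example, not part of the original thread or of APF: a Python script that follows the advice above to check the logs for why IPs were banned. It compares each destination port in the antidos log with IG_TCP_CPORTS and flags malformed port entries such as the "208 7" discussed earlier. The bare-IP log layout, the reading of `_` as a port range, and the RFC 5737 sample addresses are assumptions; the sample log is constructed.

```python
import re
from collections import Counter

# Port list as posted in the thread.
IG_TCP_CPORTS = ("20,21,22,25,53,80,110,143,443,465,993,995,2083,2087,"
                 "2095,2096,3306,10000,35000_35999")

# Constructed sample log: layout copied from the thread, with RFC 5737
# documentation addresses in place of the redacted IPs (assumption).
SAMPLE_LOG = """\
Sep 18 06:52:06 host antidos(21853):198.51.100.7:2472 -> 192.0.2.10:2086
Sep 18 06:52:06 host antidos(21853):198.51.100.7:-> 192.0.2.10 (DROPPED)
Sep 18 06:53:11 host antidos(21853):198.51.100.9:3120 -> 192.0.2.10:2082
Sep 18 06:54:40 host antidos(21853):203.0.113.5:4410 -> 192.0.2.10:80
"""

EVENT = re.compile(r"antidos\(\d+\):(\S+):(\d+) -> (\S+):(\d+)$")

def parse_ports(spec):
    """Expand a port list ('a_b' read as a range). Returns (ports, bad_tokens)."""
    ports, bad = set(), []
    for tok in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:_(\d+))?", tok)
        lo = int(m.group(1)) if m else 0
        hi = int(m.group(2) or lo) if m else 0
        if not m or not 0 < lo <= hi <= 65535:
            bad.append(tok)  # e.g. "208 7" from a mangled paste
            continue
        ports.update(range(lo, hi + 1))
    return ports, bad

def triage(log_text, spec):
    """Count logged events per (source, dest port, port-is-in-config)."""
    allowed, bad = parse_ports(spec)
    hits = Counter()
    for line in log_text.splitlines():
        m = EVENT.search(line.strip())
        if m:  # summary lines such as "(DROPPED)" carry no port and are skipped
            dport = int(m.group(4))
            hits[(m.group(1), dport, dport in allowed)] += 1
    return bad, hits

if __name__ == "__main__":
    bad, hits = triage(SAMPLE_LOG, IG_TCP_CPORTS)
    for tok in bad:
        print(f"malformed port entry: {tok!r}")
    for (src, dport, ok), n in sorted(hits.items()):
        state = "listed in IG_TCP_CPORTS" if ok else "NOT in IG_TCP_CPORTS"
        print(f"{src} -> port {dport} x{n}: {state}")
```

To use it on a live box, pass the contents of /var/log/apfados_log and the IG_TCP_CPORTS value from the APF config to `triage()`.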
     
  14. AbeFroman

    I have snort installed, thank you
     
  15. AbeFroman

    It banned you for accessing WHM? That can't be right. There should be a way to safelist your IP.

    Can someone post their conf.antidos file here?
     
  16. AbeFroman

    If snort is installed, is it better to use that than klog?
     
  17. xml

    How can I disable the ability for APF anti-dos to drop the IP into iptables?
     