The Community Forums


BFD and APF

Discussion in 'General Discussion' started by circlec, Aug 24, 2004.

  1. circlec

    Hello,

    I have searched through the forum but cannot find any answers relating to my query.

    I have APF installed and BFD however, when I do 'apf -s' I get the following:

    lsmod: QM_MODULES: Function not implemented
    <PAUSE>
    Then the terminal again.

    I would like to know, How can I check if APF indeed did do its job? If I tail /var/log/apf_log then I am able to see the following:

    Aug 24 13:09:42 pentagon apf(26854): default (ingress) input drop
    Aug 24 13:09:54 pentagon apf(26801): firewall initalized

    Amongst other things before that (those are the last 2 lines).

    And when I tail /var/log/messages, I see things like:

    Aug 24 13:08:29 pentagon kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:00:00:00:00:00:ff:74:d7:5e:35:08:00 SRC=80.38.9.187 DST=66.45.235.143 LEN=48 TOS=0x04 PREC=0x00 TTL=105 ID=10703 DF PROTO=TCP SPT=1681 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)

    etc. etc. etc.

    Is this what I should be seeing? And also, how would I know if BFD is also running?

    Regards,
    David
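The `** IN_TCP DROP **` lines quoted above are what APF's kernel logging looks like once the firewall is up; the useful question is not whether they appear but who is hitting what. The script below is an added example for this thread, not part of APF or BFD: it summarises DROP lines by source address, destination port and protocol. The log lines it runs over are constructed for the demo (the first mirrors the format in the post); on a real box the input would be `grep ' DROP \*\* ' /var/log/messages`.

```shell
#!/bin/sh
# Summarise APF/iptables kernel DROP lines by SRC, DPT and PROTO.
# Added example for this thread, not part of APF or BFD. SAMPLE_LOG is
# constructed: the first line mirrors the format quoted in the post, the
# others are made up to show aggregation; the last line is an apf(8) message,
# not a kernel drop, and must be ignored.

SAMPLE_LOG='Aug 24 13:08:29 pentagon kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:00:00:00:00:00:ff:74:d7:5e:35:08:00 SRC=80.38.9.187 DST=66.45.235.143 LEN=48 TOS=0x04 PREC=0x00 TTL=105 ID=10703 DF PROTO=TCP SPT=1681 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Aug 24 13:08:31 pentagon kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=fe:fd:00:00:00:00:00:ff:74:d7:5e:35:08:00 SRC=80.38.9.187 DST=66.45.235.143 LEN=48 TOS=0x04 PREC=0x00 TTL=105 ID=10704 DF PROTO=TCP SPT=1682 DPT=9898 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Aug 24 13:09:02 pentagon kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=fe:fd:00:00:00:00:00:ff:74:d7:5e:35:08:00 SRC=198.51.100.7 DST=66.45.235.143 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1025 DPT=137 LEN=58
Aug 24 13:09:42 pentagon apf(26854): default (ingress) input drop'

# drop_summary LOGTEXT: print "count src dport proto", busiest first.
# Only lines carrying the " DROP ** " marker are counted; the key=value
# fields are parsed generically so field order does not matter.
drop_summary() {
    printf '%s\n' "$1" | awk '
        / DROP \*\* / {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") n[src " " dpt " " proto]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# drop_sources LOGTEXT: number of distinct source addresses that were dropped.
drop_sources() {
    drop_summary "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

drop_summary "$SAMPLE_LOG"
```

A source that shows up with a high count against one port (9898 here) is the kind of scan the firewall is meant to absorb; a high count against a port you do serve (21, 22, 110) is what BFD is for, and that is where its log-based banning takes over from the static ruleset.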
     
  2. chirpy

    I've seen this before when dynamic module loading has been disabled. There may be ways around it, but you have to be careful:

    1. Are you running cPanel in a VPS? If so, do not use APF, it probably won't work.

    2. If you're not running in a VPS, then try the following command:

    iptables -L -n

    If this gives you an error, i.e. no output about chains, targets, etc., then your kernel most likely doesn't have iptables loaded and that's a little beyond a post here.

    If you do get iptables output, then you can try the following:

    1. Edit /etc/apf/conf.apf and make sure you enable DEVM:

    DEVM="1"

    This makes sure that if the following does not work, you aren't locked out of your server (a cron job will run after 5 minutes clearing any iptables entries and you'll be able to get back in).

    2. Edit /etc/apf/firewall and change:

    modinit

    to:

    #modinit

    3. Reload APF:

    apf -r

    If you get the prompt back without error, then you should be up and running. If you still get an error then you most likely do not have iptables working in such a way that you can use APF.
     
  3. SarcNBit

    Make sure you are running the latest version (v0.9.4_r5 as of this writing) of APF.

    Try setting MONOKERN=1 in your conf.apf

    (You should set DEVM=1 when testing configuration changes as Chirpy suggested so you do not end up locking yourself out)
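The two replies above amount to one procedure: turn on DEVM so a mistake flushes itself after 5 minutes, set MONOKERN (or comment out `modinit`) so APF stops trying to load modules, then `apf -r`. The script below is an added example for this thread, not part of APF: it makes those edits idempotently instead of by hand, so the same commands can flip DEVM back to "0" afterwards. It runs against constructed copies of `conf.apf` and the `firewall` script in a temp directory; the `IG_TCP_CPORTS` line is there only to show that unrelated options are left alone.

```shell
#!/bin/sh
# Repeatable edits for /etc/apf/conf.apf and /etc/apf/firewall as described
# in the thread (DEVM="1", MONOKERN="1", comment out modinit). Added example,
# not part of APF; the demo at the bottom works on constructed copies in a
# temp directory so it can be run without touching /etc/apf.

# apf_set_opt FILE KEY VALUE: write KEY="VALUE", replacing an existing
# KEY= line in place or appending one if the key is absent.
apf_set_opt() {
    file=$1 key=$2 val=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${val}\"|" "$file" > "$file.tmp"
    else
        cp "$file" "$file.tmp"
        printf '%s="%s"\n' "$key" "$val" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# apf_get_opt FILE KEY: print KEY's value with surrounding quotes stripped
# (empty output if the key is not set).
apf_get_opt() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1"
}

# disable_modinit FILE: comment out a line that consists only of `modinit`
# (the module-loading call in /etc/apf/firewall). Lines that merely mention
# the word are left alone.
disable_modinit() {
    sed 's|^[[:space:]]*modinit[[:space:]]*$|#modinit|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on constructed copies of the two files.
demo_dir=$(mktemp -d)
printf 'DEVM="0"\nMONOKERN="0"\nIG_TCP_CPORTS="22,80"\n' > "$demo_dir/conf.apf"
printf '#!/bin/sh\nmodinit\necho "firewall initialized"\n' > "$demo_dir/firewall"

apf_set_opt "$demo_dir/conf.apf" DEVM 1       # flush every 5 minutes while testing
apf_set_opt "$demo_dir/conf.apf" MONOKERN 1   # monolithic kernel: skip module loading
disable_modinit "$demo_dir/firewall"

cat "$demo_dir/conf.apf" "$demo_dir/firewall"
rm -rf "$demo_dir"
```

On the real box the calls would be `apf_set_opt /etc/apf/conf.apf DEVM 1` followed by `apf -r`, and `apf_set_opt /etc/apf/conf.apf DEVM 0` plus another `apf -r` once the ruleset loads cleanly; check `apf_get_opt /etc/apf/conf.apf DEVM` before walking away from the console, because a firewall still in development mode silently drops all its rules every 5 minutes.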
     
  4. circlec

    Thank you for the detailed reply, Chirpy

    I have done as you said and when running apf, I get the following:

    root@pentagon [~]# apf -r
    Development mode enabled!; firewall will flush every 5 minutes.
    root@pentagon [~]#

    And I know this is good ;)

    What I now want to know is, BFD is supposed to be running with this. How do I now make *sure* that APF is "running" and that BFD is indeed waiting to take action?
     
  5. chirpy

    Great :)

    Now that it is running, you can set DEVM="0" to take it out of development mode. Then reload it with:

    apf -r

    You can confirm it's working with:

    apf -l

    This will list all the chains in the pico editor for you. There should be 300 or so lines.

    You can check if BFD is working by using:

    bfd -s

    Which initiates a BFD run. If you don't get an error (but get 4 lines of text at least) then it's probably running. You should also check that there is a cron job in:

    /etc/cron.d/

    called bfd.
     
  6. circlec

    Excellent!

    I have now done this:

    root@pentagon [~]# apf -r
    root@pentagon [~]# bfd -s
    BFD version 0.4 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Aug 25 11:03:25 pentagon BFD(22705): cleared stale lock file file.
    Aug 25 11:04:03 pentagon BFD(22705): host exceeded maximum login failures; executed ban command '/etc/apf/apf -d host'.
    /usr/local/sbin/bfd: line 94: mail: command not found
    /usr/local/sbin/bfd: line 27: 23317 Broken pipe cat <<EOF
    - Log events from $LP:
    $EV
    ----

    - Thank you;
    root@$HOSTNAME
    EOF

    grep: Invalid back reference
    grep: Invalid back reference
    grep: Invalid back reference



    This grep error above runs for about another 30 lines.

    This does NOT look good. Any idea?
     
  7. chirpy

    Looks like the mail binary isn't in your path. Usually mail is in /bin/mail. If yours is there, edit /usr/local/bfd/bfd and look for this line:
    Code:
    	. $ALERTF | mail -s "$SUBJ_USR" "$EMAIL_USR"
    
    and change it to:
    Code:
    	. $ALERTF | /bin/mail -s "$SUBJ_USR" "$EMAIL_USR"
    
    or wherever the mail binary is on your server.
     
  8. circlec

    I don't have anything linking 'mail' - take note that this is a cPanel server with the latest RELEASE tree running.

    Would it be fine to use the 'sendmail' command, which cPanel says is located at:

    '/usr/sbin/sendmail'

    I have set that as mentioned by you above and I get the following when running the restart command:

    root@pentagon [~]# bfd -s
    BFD version 0.4 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Aug 25 18:25:36 pentagon BFD(7177): ffff exceeded maximum login failures; host already banned or ignored.
    exim abandoned: unknown, malformed, or incomplete option -s
    /usr/local/sbin/bfd: line 27: 7482 Broken pipe cat <<EOF
    - Log events from $LP:
    $EV
    ----

    - Thank you;
    root@$HOSTNAME
    EOF

    root@pentagon [~]#

    Now what? :(
     
  9. chirpy

    Do you get anything if you type:

    whereis mail
     
  10. circlec

    root@pentagon [~]# whereis mail
    mail: /bin/mail /sbin/mail /etc/mail /usr/games/mail
     
  11. chirpy

    So you do have a mail binary in /bin/mail so if you make the change I mentioned it ought to work.
     
  12. circlec

    Ok, I was just asking because I notice that /bin/mail is actually a folder:

    root@pentagon [~]# cd /bin/mail
    root@pentagon [/bin/mail]# ls
    ./ ../ inbox
    root@pentagon [/bin/mail]#
     
  13. chirpy

    Ah, well, that won't do ;) is /sbin/mail a directory too?
     
  14. circlec

    root@pentagon [~]# cd /sbin/mail
    root@pentagon [/sbin/mail]# ls
    ./ ../ inbox
    root@pentagon [/sbin/mail]#


    Things just aren't getting any better.
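Two separate things went wrong in the exchange above: `whereis mail` lists anything named `mail`, including the directories at /bin/mail and /sbin/mail, so it cannot tell you whether there is a runnable binary; and exim's sendmail interface does not understand `mail -s`, which is the "unknown, malformed, or incomplete option -s" error. The script below is an added example for this thread, not part of BFD: `find_mail_bin` only accepts a regular executable file, and `send_alert` hands the message to `sendmail -t` with `To:` and `Subject:` headers, which is how exim's `/usr/sbin/sendmail` expects to receive them. The directory named `mail`, the executable under `sbin` and the stub `sendmail` (which just records what it was given) are constructed in a temp directory for the demo; the stub stands in for the real `/usr/sbin/sendmail`. The `mail -s` form that BFD's script expects is normally supplied by the mailx package, which is the other way to fix the original error.

```shell
#!/bin/sh
# Locate a usable mail binary, or fall back to sendmail's -t interface.
# Added example for this thread, not part of BFD. All paths below are
# constructed under a temp directory; the stub sendmail only records its
# input and stands in for exim's /usr/sbin/sendmail.

# find_mail_bin PATH...: print the first candidate that is a regular
# executable file. A directory such as the poster's /bin/mail is skipped,
# which is why `whereis mail` alone was misleading. Returns 1 if none fits.
find_mail_bin() {
    for p in "$@"; do
        if [ -f "$p" ] && [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# build_alert TO SUBJECT BODY: a minimal RFC 822-style message. With
# `sendmail -t` the recipient and subject come from these headers, so no
# -s flag is needed (exim's sendmail wrapper rejects one).
build_alert() {
    printf 'To: %s\nSubject: %s\n\n%s\n' "$1" "$2" "$3"
}

# send_alert SENDMAIL TO SUBJECT BODY: pipe the built message into sendmail -t.
send_alert() {
    build_alert "$2" "$3" "$4" | "$1" -t
}

# Demo: a /bin/mail that is a directory (as on the poster's box), a real
# executable under sbin, and a stub sendmail that records its stdin.
demo=$(mktemp -d)
mkdir -p "$demo/bin/mail" "$demo/sbin"
printf '#!/bin/sh\nexit 0\n' > "$demo/sbin/mail"
printf '#!/bin/sh\ncat > "$(dirname "$0")/last.msg"\n' > "$demo/sbin/sendmail"
chmod +x "$demo/sbin/mail" "$demo/sbin/sendmail"

find_mail_bin "$demo/bin/mail" "$demo/sbin/mail" "$demo/usr/bin/mail"
send_alert "$demo/sbin/sendmail" root@example.com "Brute Force Warning" "host 192.0.2.1 banned"
cat "$demo/sbin/last.msg"
rm -rf "$demo"
```

Applied to BFD's script, the line `. $ALERTF | mail -s "$SUBJ_USR" "$EMAIL_USR"` would become `{ printf 'To: %s\nSubject: %s\n\n' "$EMAIL_USR" "$SUBJ_USR"; . $ALERTF; } | /usr/sbin/sendmail -t` when no real `mail` binary exists; the "Broken pipe" messages in the thread are just the heredoc writer being killed because the command on the right of the pipe failed.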
     
  15. jeroman8

    Can you flush the firewall auto every 2 hours by crontab:
    0 */2 * * * /etc/apf/apf -f > /dev/null 2>&1

    This will totally start over all tracking, except that those already banned continue to be banned.

    (for brute-force attacks - one user has students with FTP/webpage logins so..)
     
  16. chirpy

    That is a bad idea with the command you quoted.

    apf -f completely clears out your iptables firewall and leaves you totally exposed, i.e. no firewall :eek: . There should be no reason to reload APF unless you have manually changed the configuration file or the allow/deny files. If you do, you should use apf -r to reload the configuration.
     
  17. jeroman8

    Hm..ok

    What I'm after is to block the current IP address trying to access a password protected
    area when he has failed, let's say 10 times.
    Then after 2 hours this IP is cleared and allowed access again.

    This is to block the passcrack programs out there.
    There's a program called proxypass that does this but in a more advanced method
    and is mostly for protecting adult sites.

    What I wanted was to make APF's bruteforce thing to work a little similar.

    Any idea on this ?


    Also - the firewall still blocks all the ports right ?
    No matter if I flush it every 2 hours.
    Just clear what it is logging.....
    Guess I need to learn a little more here :) (here also)
     
    #17 jeroman8, Sep 2, 2004
    Last edited: Sep 2, 2004
