

suggested configuration for apf's anti-dos?

Discussion in 'General Discussion' started by Secret Agent, Mar 19, 2005.

  1. Secret Agent

    Secret Agent Guest

    Please suggest recommended anti-dos (from APF) settings (default below)

    #
    # antidos beta 0.6 [antidos@r-fx.org]
    #
    # NOTE: This file should be edited with word/line wrapping off,
    # if you're using pico please start it with the -w switch.
    # (e.g: pico -w filename)
    #
    ##
    # [Main Configuration]
    ##
    #
    # Installation base path of apf
    APF_BASE="/etc/apf"
    #
    # Config file path for apf
    APF_CNF="$APF_BASE/conf.apf"
    #
    # Installation path
    INSPATH="$APF_BASE/ad"
    #
    # Log file for antidos
    ANTILOG="/var/log/apfados_log"
    #
    # Max load; do not allow antidos to run past this load level
    MLOAD="30"

    ##
    # [Attack Triggers & Routines]
    ##
    #
    # Parse klog for iptables logged attacks [0=off,1=on]
    LP_KLOG="0"
    #
    # Parse snort portscan log for attacks [0=off,1=on]
    LP_SNORT="0"
    #
    # Try to detect syn-flood attacks [0=off,1=on]
    DET_SF="0"
    #
    # Kernel log file
    KLOG="/var/log/messages"
    #
    # Snort portscan log file [experimental]
    SLOG="/var/log/snort/portscan.log"
    #
    # Trigger value before we drop an event SRC
    TRIG="20"
    #
    # Trigger value before we drop syn-floods for SRC
    SF_TRIG="25"
    #
    # Trigger ports for syn-flood; null for all
    SF_TRIG_PORTS="80,443"


    ##
    # [Attack Filtering]
    ##
    #
    # Reject attackers in route table [0=off,1=on]
    ROUTE_REJ="0"
    #
    # Drop destination interface [0=off,1=on]
    DROP_IF="0"
    #
    # Do not drop interface for events matching these ports;
    # line separated strings.
    NCRIT_PORTS="$INSPATH/noncrit.ports"
    #
    # Block attacks with iptables [0=off,1=on]
    IPT_BL="1"
    #
    # Where to write iptables rules to
    BLOCKR="$INSPATH/ad.rules"

    ##
    # [E-Mail Alerts]
    ##
    #
    # Topic for warning emails
    ARTOPIC="Urgent: Administrative issue enclosed, please read."
    #
    # Max number of emails to send
    MAX_MNUM="12"
    #
    # Company name shown in alert e-mails
    CONAME="Your Company"
    #
    # Send out user defined attack alerts [0=off,1=on]
    USR_ALERT="0"
    #
    # User for alerts to be mailed to
    USR="you@yourco.com"
    #
    # Send out ip-whois abuse alerts upon attack [0=off,1=on]
    ARIN_ALERT="0"
    #
    # Whois server for default queries
    IPW_SRV="whois.arin.net"
    #
    # Return path for email alerts (reply address)
    RETUSR="$USR"

    ##
    # [Misc Paths]
    ##
    #
    # Arin attack warning file
    WARIN="$INSPATH/arin.msg"
    #
    # User attack warning file
    WUSR="$INSPATH/usr.msg"
    #
    # Ignore file, for ignoring hosts/specific patterns
    IGNORE="$INSPATH/ignore"
    IGNORE_HOSTS="$INSPATH/ignore.hosts"
    #
    # Data file to track amount of emails sent
    MNUM_F="$INSPATH/.mnum"
    #
    # Firewall chains keyword file
    FWCHAINS="$INSPATH/chains"
    #
    # Just a temp file we can write to
    TMPF="$INSPATH/.ad.swp"
    #
    # Grab the systems numeric timezone (e.g: -0500)
    TMZ=`date +"%z"`
    #
    # unix time for lock tracking
    UTIME=`date +"%s"`
    #
    # lock file path
    LOCK="$INSPATH/lock.utime"
    #
    # lock file timeout in seconds
    LOCK_TIMEOUT="300"
     
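The trigger settings in the configuration above (TRIG, SF_TRIG, SF_TRIG_PORTS and MLOAD) are what decide when antidos blocks a source. The following is an added Python example, not code from antidos, APF or this thread, that re-implements that per-source counting over constructed iptables LOG lines, so you can see which sources would be dropped under the default values and under the lower and higher values suggested in the replies below. The exact log-line shape, the handling of the ignore.hosts list and the use of "count >= trigger" as the firing condition are assumptions of this example.

```python
import re
from collections import Counter

# Values from the default conf.antidos posted above; find_offenders() also
# accepts the alternative values suggested in the replies.
TRIG = 20                 # logged events from one SRC before that SRC is dropped
SF_TRIG = 25              # SYN packets from one SRC before it counts as a syn-flood
SF_TRIG_PORTS = "80,443"  # ports the syn-flood counter watches; "" means all ports
MLOAD = 30                # antidos refuses to run when the 1-minute load is above this

# Assumed shape of an iptables LOG line in /var/log/messages: SRC=, DPT=, then
# bare TCP flag words such as SYN or ACK.
_LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)(?P<rest>.*)$")


def parse_klog_line(line):
    """Return (src, dpt, is_syn) for an iptables LOG line, or None for any other line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    m = _LOG_RE.search(line)
    if m is None:
        return None
    flags = m.group("rest").split()
    return m.group("src"), int(m.group("dpt")), "SYN" in flags


def load_too_high(one_min_load, mload=MLOAD):
    """MLOAD gate: skip the whole run when the box is already overloaded."""
    return one_min_load > mload


def find_offenders(lines, trig=TRIG, sf_trig=SF_TRIG,
                   sf_trig_ports=SF_TRIG_PORTS, ignore_hosts=()):
    """Count logged events and SYNs per SRC and return the sources over a trigger.

    Returns (dropped, synflood): dicts of SRC -> count.  A count equal to the
    trigger is assumed to fire (>=); sources in ignore_hosts are never counted.
    """
    watched = {int(p) for p in sf_trig_ports.split(",") if p.strip()} or None
    events, syns = Counter(), Counter()
    for line in lines:
        parsed = parse_klog_line(line)
        if parsed is None:
            continue
        src, dpt, is_syn = parsed
        if src in ignore_hosts:
            continue
        events[src] += 1
        if is_syn and (watched is None or dpt in watched):
            syns[src] += 1
    dropped = {s: n for s, n in events.items() if n >= trig}
    synflood = {s: n for s, n in syns.items() if n >= sf_trig}
    return dropped, synflood


def _klog_line(src, dpt, syn):
    """Constructed log line in the iptables LOG format (not a real capture)."""
    flags = "SYN URGP=0" if syn else "ACK URGP=0"
    return ("Mar 19 10:00:00 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.7 PROTO=TCP SPT=40000 DPT={dpt} {flags}")


# Constructed sample of /var/log/messages content (RFC 5737 documentation addresses).
SAMPLE_KLOG = (
    [_klog_line("203.0.113.5", 80, True)] * 26      # 26 SYNs to 80: over TRIG and SF_TRIG
    + [_klog_line("203.0.113.9", 22, False)] * 21   # 21 non-SYN hits on 22: over TRIG only
    + [_klog_line("203.0.113.77", 443, True)] * 12  # 12 SYNs to 443: only over a TRIG of 10
    + [_klog_line("192.0.2.10", 80, True)] * 40     # would fire, but is listed in ignore.hosts
    + ["Mar 19 10:00:05 host kernel: eth0: link is up"]  # unrelated kernel line, skipped
)
IGNORE_HOSTS = {"192.0.2.10"}

if __name__ == "__main__":
    # Default values, then the lower and higher pairs suggested in the replies.
    for label, trig, sf in (("default", 20, 25), ("lower", 10, 15), ("higher", 30, 35)):
        dropped, synflood = find_offenders(SAMPLE_KLOG, trig, sf, ignore_hosts=IGNORE_HOSTS)
        print(f"{label:8} TRIG={trig} SF_TRIG={sf}: drop {dropped}  syn-flood {synflood}")
```

Running it shows the trade-off the replies are arguing about: with the defaults two sources are dropped, with TRIG=10 a third source with only 12 logged hits is dropped as well, and with TRIG=30/SF_TRIG=35 nothing in the sample is dropped at all, which is why a higher trigger "causes less problems" at the cost of reacting later to a real flood.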
  2. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    For me, I change the following:


    Code:
    # Max load; do not allow antidos to run passed this load level 
    MLOAD="10" 
    
    # Parse klog for iptables logged attacks [0=off,1=on] 
    LP_KLOG="1" 
    
    # Try to detect syn-flood attacks [0=off,1=on] 
    DET_SF="1" 
    
    # Trigger value before we drop an event SRC 
    TRIG="10" 
    # 
    # Trigger value before we drop syn-floods for SRC 
    SF_TRIG="15" 
     
  3. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    It's all a matter of what works best for you. I find the following to cause less problems on our machines:

    # Trigger value before we drop an event SRC
    TRIG="30"
    #
    # Trigger value before we drop syn-floods for SRC
    SF_TRIG="35"
     
  4. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    .. Exactly :)
     