suggested configuration for apf's anti-dos?

Discussion in 'General Discussion' started by Secret Agent, Mar 19, 2005.

  1. Secret Agent

    Secret Agent Guest

    Please suggest recommended anti-dos (from APF) settings (default below)

    #
    # antidos beta 0.6 [antidos@r-fx.org]
    #
    # NOTE: This file should be edited with word/line wrapping off;
    # if you're using pico please start it with the -w switch.
    # (e.g: pico -w filename)
    #
    ##
    # [Main Configuration]
    ##
    #
    # Installation base path of apf
    APF_BASE="/etc/apf"
    #
    # Config file path for apf
    APF_CNF="$APF_BASE/conf.apf"
    #
    # Installation path
    INSPATH="$APF_BASE/ad"
    #
    # Log file for antidos
    ANTILOG="/var/log/apfados_log"
    #
    # Max load; do not allow antidos to run past this load level
    MLOAD="30"

    ##
    # [Attack Triggers & Routines]
    ##
    #
    # Parse klog for iptables logged attacks [0=off,1=on]
    LP_KLOG="0"
    #
    # Parse snort portscan log for attacks [0=off,1=on]
    LP_SNORT="0"
    #
    # Try to detect syn-flood attacks [0=off,1=on]
    DET_SF="0"
    #
    # Kernel log file
    KLOG="/var/log/messages"
    #
    # Snort portscan log file [experimental]
    SLOG="/var/log/snort/portscan.log"
    #
    # Trigger value before we drop an event SRC
    TRIG="20"
    #
    # Trigger value before we drop syn-floods for SRC
    SF_TRIG="25"
    #
    # Trigger ports for syn-flood; null for all
    SF_TRIG_PORTS="80,443"


    ##
    # [Attack Filtering]
    ##
    #
    # Reject attackers in route table [0=off,1=on]
    ROUTE_REJ="0"
    #
    # Drop destination interface [0=off,1=on]
    DROP_IF="0"
    #
    # Do not drop interface for events matching these ports;
    # line-separated strings.
    NCRIT_PORTS="$INSPATH/noncrit.ports"
    #
    # Block attacks with iptables [0=off,1=on]
    IPT_BL="1"
    #
    # Where to write the iptables block rules to
    BLOCKR="$INSPATH/ad.rules"

    ##
    # [E-Mail Alerts]
    ##
    #
    # Topic for warning emails
    ARTOPIC="Urgent: Administrative issue enclosed, please read."
    #
    # Max number of emails to send
    MAX_MNUM="12"
    #
    # Company name used in the alert emails
    CONAME="Your Company"
    #
    # Send out user defined attack alerts [0=off,1=on]
    USR_ALERT="0"
    #
    # User for alerts to be mailed to
    USR="you@yourco.com"

    #
    # Send out ip-whois abuse alerts upon attack [0=off,1=on]
    ARIN_ALERT="0"
    #
    # Whois server for default queries
    IPW_SRV="whois.arin.net"
    #
    # Return path for email alerts (reply address)
    RETUSR="$USR"

    ##
    # [Misc Paths]
    ##
    #
    # Arin attack warning file
    WARIN="$INSPATH/arin.msg"
    #
    # User attack warning file
    WUSR="$INSPATH/usr.msg"
    #
    # Ignore file, for ignoring hosts/specific patterns
    IGNORE="$INSPATH/ignore"
    IGNORE_HOSTS="$INSPATH/ignore.hosts"
    #
    # Data file to track amount of emails sent
    MNUM_F="$INSPATH/.mnum"
    #
    # Firewall chains keyword file
    FWCHAINS="$INSPATH/chains"
    #
    # Just a temp file we can write to
    TMPF="$INSPATH/.ad.swp"
    #
    # Grab the systems numeric timezone (e.g: -0500)
    TMZ=`date +"%z"`
    #
    # unix time for lock tracking
    UTIME=`date +"%s"`
    #
    # lock file path
    LOCK="$INSPATH/lock.utime"
    #
    # lock file timeout in seconds
    LOCK_TIMEOUT="300"
     
  2. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    For me, I change the following :


    Code:
    # Max load; do not allow antidos to run past this load level 
    MLOAD="10" 
    
    # Parse klog for iptables logged attacks [0=off,1=on] 
    LP_KLOG="1" 
    
    # Try to detect syn-flood attacks [0=off,1=on] 
    DET_SF="1" 
    
    # Trigger value before we drop an event SRC 
    TRIG="10" 
    # 
    # Trigger value before we drop syn-floods for SRC 
    SF_TRIG="15" 
     
  3. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    It's all a matter of what works best for you. I find the following to cause fewer problems on our machines:

    # Trigger value before we drop an event SRC
    TRIG="30"
    #
    # Trigger value before we drop syn-floods for SRC
    SF_TRIG="35"
     
  4. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    .. Exactly :)
     