Install and configure APF and (D)DOS-Deflate

24 Jul 2010

A website I support was recently the target of distributed vulnerability scanning that looked a lot like a DoS attack.
Countermeasures were taken, and that led to this post: a detailed tutorial on how to install and configure APF (Advanced Policy Firewall) and (D)DOS-Deflate.


APF

What is APF (Advanced Policy Firewall)?
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

Requirements:
- Root SSH access to your server

Install

Login to your server through SSH and su to the root user.

  1. cd /root/downloads or another temporary folder where you store your files.
     
  2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
     
  3. tar -xvzf apf-current.tar.gz
     
  4. cd apf-0.9.5-1/ or whatever the latest version is.
     
  5. Run the install file: ./install.sh
    You will receive a message saying it has been installed
    .: APF installed
    Install path: /etc/apf
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf
     
  6. Configure the firewall (I mostly use the nano editor): nano /etc/apf/conf.apf
    General configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
    You may like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
    FIND: USE_DS="0"
    CHANGE TO: USE_DS="1"
     
  7. Configuring Firewall Ports:

    Cpanel Servers
    recommended settings for Cpanel Servers
     
    Common ingress (inbound) ports
    # Common ingress (inbound) TCP ports; 3000_3500 is the passive port range for Pure-FTPd
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53"

    Common egress (outbound) ports (these lists only take effect when egress filtering is enabled with EGF="1"; it is disabled by default)
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43,2089"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"

    Ensim Servers
    recommended settings for Ensim Servers

    Common ingress (inbound) ports
    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53"
    Common egress (outbound) ports
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"

    Plesk Servers
    recommended settings for Plesk Servers

    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,4643,5224,8443,8447,10000,35000_35999"

    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="20,21,53,1040"

    # Common ICMP (inbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    IG_ICMP_TYPES="3,5,11,0,30,8"

    # Egress filtering [0 = Disabled / 1 = Enabled]
    EGF="0"

    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,10000,35000_35999"

    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,37,53,123,1040"

    # Common ICMP egress (outbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    EG_ICMP_TYPES="all"

    Save your changes! Ctrl + X then y (nano editor)
     

  8. Starting the firewall

    apf -s

    Other commands:
    usage /usr/local/sbin/apf [OPTION]
    -s|--start ............. load firewall policies
    -r|--restart ........... flush & load firewall
    -f|--flush|--stop ...... flush firewall
    -l|--list .............. list chain rules
    -st|--status ........... firewall status
    -a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
                             immediately load new rule into firewall
    -d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
                             immediately load new rule into firewall
     

  9. Once everything works, turn off development mode

    nano /etc/apf/conf.apf

    # Set firewall cronjob (devel mode)
    # 1 = enabled / 0 = disabled
    DEVEL_MODE="0"

    APF installs with DEVEL_MODE="1", which adds a cron job that flushes the firewall every 5 minutes so that a bad rule set cannot lock you out of SSH for good. Only set it to "0" once you have restarted the firewall, confirmed from a second session that you can still log in, and checked that the services you need are reachable; until then the rules silently disappear a few minutes after each start.

    Save your changes! Ctrl + X then y

    Restart the firewall: apf -r
     

  10.  Make APF Start automatically at boot time

    To autostart apf on reboot, run this:
    chkconfig --level 2345 apf on
    To remove it from autostart, run this:
    chkconfig --del apf
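As an added example (not part of APF and not from the original post): a small POSIX shell pre-flight check for the *_CPORTS values above, meant to be run before apf -s and before DEVEL_MODE is set to "0". It checks that a value uses the documented format (comma-separated ports, LOW_HIGH ranges, no whitespace) and that a port you depend on, such as your SSH port, is actually covered by the list. The lists it is run against are the cPanel ingress line from above, written out here as constructed shell variables; apf_conf_value is a helper written for this example to pull a value out of a conf.apf-style file.

```shell
#!/bin/sh
# Added example, not part of APF: pre-flight checks for *_CPORTS values before
# running `apf -s`. APF's documented format is comma-separated port numbers,
# with a range written LOW_HIGH (e.g. 3000_3500) and no whitespace.

# apf_ports_valid LIST
# Returns 0 if every comma-separated token is a port (1-65535) or a LOW_HIGH
# range with LOW <= HIGH. Whitespace or any other character is rejected.
apf_ports_valid() {
    list=$1
    [ -n "$list" ] || return 1
    case "$list" in *[!0-9,_]*) return 1 ;; esac      # only digits, ',' and '_'
    case ",$list," in *,,*) return 1 ;; esac           # no empty tokens
    rest=$list
    while [ -n "$rest" ]; do
        tok=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
        case "$tok" in
            *_*)
                lo=${tok%%_*}; hi=${tok#*_}
                [ -n "$lo" ] || return 1                   # rejects "_3500"
                case "$hi" in ''|*_*) return 1 ;; esac     # rejects "3000_" and "1_2_3"
                ;;
            *) lo=$tok; hi=$tok ;;
        esac
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

# apf_port_allowed LIST PORT
# Returns 0 if PORT is covered by LIST (ranges expanded), 1 if not,
# 2 if LIST itself is malformed.
apf_port_allowed() {
    apf_ports_valid "$1" || return 2
    rest=$1
    while [ -n "$rest" ]; do
        tok=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
        case "$tok" in
            *_*) lo=${tok%%_*}; hi=${tok#*_} ;;
            *)   lo=$tok; hi=$tok ;;
        esac
        if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# apf_conf_value FILE VAR
# Prints the value of a VAR="..." line from a conf.apf-style file (helper
# written for this example, e.g. apf_conf_value /etc/apf/conf.apf IG_TCP_CPORTS).
apf_conf_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# Demo against constructed values: the cPanel ingress list as printed above
# (with its stray spaces) and the same list in the documented form.
BROKEN='21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500'
FIXED='21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500'
SSH_PORT=22   # the port you must keep reachable before setting DEVEL_MODE="0"

for list in "$BROKEN" "$FIXED"; do
    if apf_ports_valid "$list"; then echo "ok:       $list"; else echo "rejected: $list"; fi
done
for p in "$SSH_PORT" 2087 3250 3501; do
    if apf_port_allowed "$FIXED" "$p"; then echo "port $p allowed"; else echo "port $p NOT in list"; fi
done
```

If you run SSH on a non-standard port, set SSH_PORT accordingly; a list that passes apf_ports_valid but does not cover that port is exactly the rule set that locks you out once the development-mode cron stops flushing it.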


(D)DOS-Deflate

What is DOS-Deflate?
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large number of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large number of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

Install

  1. Login to your server as root
     
  2. Download the install script

    wget http://www.inetbase.com/scripts/ddos/install.sh
     

  3. Run the installer

    sh install.sh
     

DOS-Deflate should now be installed.

Please note that DOS-Deflate uses APF to ban IPs by default, so you must have APF installed for it to work properly (or set APF_BAN=0 in its configuration, in which case it inserts iptables rules directly).

Customizing DOS-Deflate is easy: edit /usr/local/ddos/ddos.conf with your favorite editor

e.g. nano /usr/local/ddos/ddos.conf

Every setting is explained in the configuration file.

e.g.

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs aren't banned; good for interactive execution of the script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600

(You can experiment with the above settings, e.g. during a period of frequent DoS attacks you can lower NO_OF_CONNECTIONS to 50 and/or increase BAN_PERIOD. Keep in mind that many legitimate users behind one NAT gateway or proxy share a single source IP, so a low threshold can ban all of them at once; put such addresses, and your own monitoring hosts, in DOS-Deflate's ignore list, ignore.ip.list in /usr/local/ddos.)

Save your changes! Ctrl + X then y
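To show what the installed script does with the settings above, here is an added example that is not the DOS-Deflate script itself and never runs a ban command: the netstat pipeline from the description, adjusted so that IPv6-mapped peers do not lose their address to cut -d: -f1; a whitelist variable standing in for ignore.ip.list; and the NO_OF_CONNECTIONS threshold test, printing the ban command the APF_BAN setting selects (apf -d as documented in the APF section when APF_BAN=1; an iptables DROP rule is assumed here for APF_BAN=0). The netstat output is generated by sample_netstat so the script runs offline, the addresses are documentation ranges, and BAN_PERIOD expiry is not modelled.

```shell
#!/bin/sh
# Added example: the core of what (D)DoS-Deflate does, written to run offline
# against `netstat -ntu`-style output. Not the project's own script; it only
# prints the ban command it would issue.

NO_OF_CONNECTIONS=${NO_OF_CONNECTIONS:-150}   # same meaning as in ddos.conf
APF_BAN=${APF_BAN:-1}                         # 1 = apf -d, 0 = iptables
# Constructed whitelist; the real script reads /usr/local/ddos/ignore.ip.list
IGNORE_IPS="127.0.0.1 203.0.113.10"

# count_connections < netstat-output
# Prints "COUNT IP" per remote address, busiest last. Strips only the trailing
# :port and a ::ffff: prefix, so IPv6-mapped IPv4 peers keep their address
# (cut -d: -f1 turns "::ffff:192.0.2.44:41000" into an empty string).
count_connections() {
    awk '$1 ~ /^(tcp|udp)/ { print $5 }' \
    | sed -e 's/:[0-9]*$//' -e 's/^::ffff://' \
    | sort | uniq -c | sort -n \
    | awk '{ print $1, $2 }'
}

# offenders THRESHOLD < netstat-output
# Prints "IP COUNT" for every non-whitelisted peer with at least THRESHOLD connections.
offenders() {
    count_connections | while read -r n ip; do
        [ "$n" -ge "$1" ] || continue
        case " $IGNORE_IPS " in *" $ip "*) continue ;; esac
        echo "$ip $n"
    done
}

# ban_command IP -> the command that would be issued for this address
ban_command() {
    if [ "$APF_BAN" = 1 ]; then
        echo "/usr/local/sbin/apf -d $1"                   # apf -d, as documented above
    else
        echo "/sbin/iptables -I INPUT -s $1 -j DROP"       # assumed form for APF_BAN=0
    fi
}

# gen_conns IP COUNT [PROTO] - fabricate COUNT established connections from IP
gen_conns() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s 0 0 192.0.2.5:80 %s:%d ESTABLISHED\n' "${3:-tcp}" "$1" $((40000 + i))
        i=$((i + 1))
    done
}

# sample_netstat - constructed stand-in for `netstat -ntu`, headers included
sample_netstat() {
    echo 'Active Internet connections (w/o servers)'
    echo 'Proto Recv-Q Send-Q Local Address           Foreign Address         State'
    gen_conns 198.51.100.7 160              # over the threshold: should be reported
    gen_conns 203.0.113.10 155              # over the threshold but whitelisted
    gen_conns ::ffff:192.0.2.44 3 tcp6      # IPv6-mapped IPv4 peer
    gen_conns 2001:db8::9 1 tcp6            # native IPv6 peer
}

# Demo: report every offender with the command the real script would run.
sample_netstat | offenders "$NO_OF_CONNECTIONS" | while read -r ip n; do
    echo "$ip has $n connections; would run: $(ban_command "$ip")"
done
```

To use it against a live box, replace sample_netstat with netstat -ntu (or ss -ntu with the same field layout) and keep the whitelist in step with ignore.ip.list; the threshold comparison is the only thing DOS-Deflate really decides on, so tune NO_OF_CONNECTIONS by looking at the count_connections output during normal traffic first.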

Info