Install and configure APF and (D)DOS-Deflate

24 Jul 2010

A website I support was recently hit by a distributed vulnerability scan, spread across many source addresses, that looked very much like a DoS attack.
Countermeasures were taken, and that led to this post: a detailed tutorial on how to install and configure APF (Advanced Policy Firewall) and (D)DoS-Deflate.



What is APF (Advanced Policy Firewall)?
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

You will need:

- Root SSH access to your server


Login to your server through SSH and su to the root user.

  1. cd /root/downloads or another temporary folder where you store your files.
  2. wget
  3. tar -xvzf apf-current.tar.gz
  4. cd apf-0.9.5-1/ or whatever the latest version is.
  5. Run the install file: ./
    You will receive a message saying it has been installed
    .: APF installed
    Install path: /etc/apf
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf
  6. Configure the firewall (I mostly use the nano editor): nano /etc/apf/conf.apf
    This is a general configuration to get the firewall running, not a complete guide to every feature; the README and the comments in conf.apf explain each option.
    You may also want to enable the "block" list of top networks that have exhibited suspicious activity, which APF fetches from DShield:
    FIND: USE_DS="0" and set it to "1" to enable the list.
  7. Configuring firewall ports:
    Whatever panel you run, open only the ports your server actually serves, and compare the lists below with the output of netstat -tlnp and netstat -ulnp before saving: a service that is listening but missing from IG_TCP_CPORTS (SSH above all) becomes unreachable the moment the firewall loads.

    cPanel servers
    Recommended settings for cPanel servers

    # Common ingress (inbound) TCP ports - 3000_3500 is the passive port range for Pure-FTPd
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    # Common ingress (inbound) UDP ports

    # Common egress (outbound) TCP ports
    # Common egress (outbound) UDP ports

    Ensim servers
    Recommended settings for Ensim servers

    # Common ingress (inbound) TCP ports
    # Common ingress (inbound) UDP ports
    # Common egress (outbound) TCP ports
    # Common egress (outbound) UDP ports

    Plesk servers
    Recommended settings for Plesk servers

    # Common ingress (inbound) TCP ports
    # Common ingress (inbound) UDP ports
    # Common ICMP (inbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    # Egress filtering [0 = Disabled / 1 = Enabled]
    # Common egress (outbound) TCP ports
    # Common egress (outbound) UDP ports
    # Common ICMP egress (outbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any

    Save your changes! Ctrl + X then y (nano editor)

  8. Starting the firewall

    apf -s

    Other commands:
    usage /usr/local/sbin/apf [OPTION]
    -s|--start ............. load firewall policies
    -r|--restart ........... flush & load firewall
    -f|--flush|--stop ...... flush firewall
    -l|--list .............. list chain rules
    -st|--status ........... firewall status
    -a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
                             immediately load new rule into firewall
    -d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
                             immediately load new rule into firewall

  9. After everything is fine, turn off devel mode

    nano /etc/apf/conf.apf

    # Set firewall cronjob (devel mode)
    # 1 = enabled / 0 = disabled

    While devel mode is enabled, APF installs a cron job that flushes the firewall every five minutes, so a bad rule set cannot lock you out of SSH while you are testing. Leave it on until you have confirmed that you can still reach the server with the new policy loaded, then set DEVEL_MODE back to "0"; otherwise your firewall quietly disappears every five minutes.

    Save your changes! Ctrl + X then y

    Restart the firewall: apf -r

  10.  Make APF Start automatically at boot time

    To autostart apf on reboot, run this:
    chkconfig --level 2345 apf on
    To remove it from autostart, run this:
    chkconfig --del apf



What is DOS-Deflate?
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.


  1. Login to your server as root
  2. Download the install script


  3. Run the installer


DOS-Deflate should now be installed.

Please note that with APF_BAN=1 DOS-Deflate calls apf to ban IPs, so APF must be installed and running for it to work properly; with APF_BAN=0 it inserts iptables DROP rules itself instead.

Customizing DOS-Deflate is easy: edit /usr/local/ddos/ddos.conf with your favourite editor,

e.g. nano /usr/local/ddos/ddos.conf

Every setting is explained in the configuration file; the relevant comments are reproduced below.


##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect

##### How many connections define a bad IP? Indicate that below.

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails

##### Number of seconds the banned ip should remain in blacklist.

(You can experiment with the above settings: during a period of frequent DoS attacks you can change NO_OF_CONNECTIONS to 50 and/or increase BAN_PERIOD. Two things to check first: the APF version requirement behind APF_BAN=1 (the apf-0.9.5-1 tarball used in the APF section above is older than the 0.96 the config asks for, so install a current APF release or set APF_BAN=0), and that your own address is in /usr/local/ddos/ignore.ip.list, since a low threshold combined with KILL=1 will otherwise ban you in the middle of a session.)

Save your changes! Ctrl + X then y
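To see what the NO_OF_CONNECTIONS threshold and KILL setting above actually do before letting the cron job loose, the script below runs the same per-source connection count as the netstat one-liner in the "What is DOS-Deflate?" section, but as a dry run. It is an added example, not DDoS-Deflate's own ddos.sh: the netstat output and the ignore list are constructed samples, the function names (peer_ip, count_peers, offenders, ban_commands) are mine, and it prints the apf -d commands KILL=1 would execute rather than running them. It also goes beyond the page's one-liner in one respect: it strips the port after the last colon, so IPv6 peers are counted correctly instead of being collapsed onto their first hextet by cut -d: -f1.

```shell
#!/bin/sh
# Added example, not DDoS-Deflate's own code: the per-source connection count
# that ddos.sh automates, run as a dry run over constructed `netstat -ntu`
# output. It shows what NO_OF_CONNECTIONS does, keeps an allow-list so you
# never ban yourself, and prints the `apf -d` commands KILL=1 would execute
# instead of running them.

# Constructed sample: 198.51.100.7 holds 4 connections (one still in SYN_RECV),
# an IPv6 peer holds 2, two other hosts hold 1 each.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51002      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51003      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51004      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51005      SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.5:40000         ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:ffff::9:50001  ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:ffff::9:50002  ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.77:5353         ESTABLISHED'

# Hosts that must never be banned (your own IP, monitoring, the box itself).
# Constructed here; plays the role of DDoS-Deflate's ignore.ip.list.
SAMPLE_IGNORE='127.0.0.1
192.0.2.5'

# peer_ip: strip the port, i.e. everything after the LAST ':'. The page's
# one-liner uses `cut -d: -f1`, which keeps only the first hextet of an IPv6
# address and would lump every 2001:... peer together.
peer_ip() { sed 's/:[^:]*$//'; }

# count_peers NETSTAT_TEXT -> "count ip" per remote address, ascending.
# Only tcp/udp rows are counted, so the two netstat header lines are skipped.
count_peers() {
  printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)/ { print $5 }' | peer_ip |
    sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# offenders NETSTAT_TEXT NO_OF_CONNECTIONS IGNORE_TEXT -> addresses with more
# than NO_OF_CONNECTIONS connections that are not on the ignore list
offenders() {
  count_peers "$1" | while read -r n ip; do
    [ "$n" -gt "$2" ] || continue
    if printf '%s\n' "$3" | grep -qxF "$ip"; then continue; fi
    printf '%s\n' "$ip"
  done
}

# ban_commands: what DDoS-Deflate does with KILL=1 and APF_BAN=1, shown not run
ban_commands() {
  offenders "$1" "$2" "$3" | sed 's/^/apf -d /'
}

# Usage on the sample data with a deliberately low threshold of 3:
# prints "apf -d 198.51.100.7"
ban_commands "$SAMPLE_NETSTAT" 3 "$SAMPLE_IGNORE"
```

On a real host replace SAMPLE_NETSTAT with `$(netstat -ntu)` and SAMPLE_IGNORE with `$(cat /usr/local/ddos/ignore.ip.list)`, and try the threshold you intend to put in NO_OF_CONNECTIONS: if your own office NAT, a load balancer or a monitoring host shows up in the output, add it to the ignore list before setting KILL=1. Note that the count includes half-open SYN_RECV entries and every state netstat reports, not just ESTABLISHED, which is exactly why a large NAT can look like an attacker.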