How to install APF Firewall and DDoS Deflate protection
About APF firewall
APF Firewall stands for Advanced Policy Firewall. As the name says, it is a script that contains a set of firewall rules. These rules are all stored in the /etc/apf/ directory and can be changed with any editor.
This script is one of the best firewall scripts that I've used so far for my personal websites. One other that could be compared to it is CSF (Config Server Firewall), which, while really good, I found really confusing in some parts, although I do use it on some shared hosting servers.
Well, without delaying any more than this, let's get started and install our little script.
wget http://www.r-fx.ca/downloads/apf-current.tar.gz
gzip -d apf-current.tar.gz
tar -xf apf-current.tar
cd apf-9.7-2
Once we are in the extracted folder (in my case this is apf-9.7.2) we can start the installation.
./install.sh
The result would be something similar to the output below:
Installing APF 9.7.2: Completed.

Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
  Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
  Listening UDP ports: 53
  Note: These ports are not auto-configured; they are simply presented for information purposes.
  You must manually configure all port options.
Now we need to configure our firewall rules so that we don't lock ourselves out. If you connect to your server remotely via SSH, do not forget to open your SSH port.
The configuration file is located at:
/etc/apf/conf.apf
There will already be a default configuration in place; you will need to go over it at least once and carefully open only the ports your server needs.
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,587,783,993,995,2812,9876,10024,12525,60000"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="20,21,53"
Restart APF to test the configuration:
/etc/apf/apf -r
If everything is alright, open the configuration file once more and change the setting below. While DEVEL_MODE is enabled, APF installs a cron job that flushes the firewall every five minutes, so a bad rule set cannot lock you out; once you have confirmed you can still reach the server, it must be turned off or the rules will keep being dropped.
DEVEL_MODE="1"
to
DEVEL_MODE="0"
Then run the restart command once again.
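Before turning DEVEL_MODE off, it is worth checking mechanically that the SSH port you connect on is actually listed in IG_TCP_CPORTS. The script below is an added example, not code from the post or from the APF project: it reads a conf.apf-style file (the sample config is constructed from the port list above) and assumes APF's LOW_HIGH notation for port ranges.

```shell
#!/bin/sh
# Added example (not from the post or the APF project): check that a port is
# covered by IG_TCP_CPORTS in a conf.apf-style file before DEVEL_MODE goes to 0.
# Assumes APF's LOW_HIGH notation for port ranges.
# port_allowed CONF PORT -> exit 0 if PORT appears in IG_TCP_CPORTS of CONF
port_allowed() {
    conf=$1
    port=$2
    # Value of the IG_TCP_CPORTS line with the quotes stripped.
    list=$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$conf")
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        case $entry in
            *_*)    # range entry such as 30000_30100
                low=${entry%_*}
                high=${entry#*_}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                    IFS=$old_ifs
                    return 0
                fi
                ;;
            *)
                if [ "$entry" -eq "$port" ]; then
                    IFS=$old_ifs
                    return 0
                fi
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample config: the post's port list plus one range.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,587,783,993,995,2812,9876,10024,12525,60000,30000_30100"
IG_UDP_CPORTS="20,21,53"
DEVEL_MODE="1"
EOF

# Usage: exit non-zero (keep DEVEL_MODE="1") unless the SSH port is open.
port_allowed "$SAMPLE_CONF" 22 && echo "port 22 is open: safe to set DEVEL_MODE=\"0\""
```

Point it at /etc/apf/conf.apf and your real SSH port instead of the sample file to use it on a live box.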
Useful commands
tail -10 /var/log/apf_log   # last 10 lines from the log
apf -d 1.2.3.4 REASON       # block the IP 1.2.3.4 (with a comment)
apf -u 1.2.3.4              # unblock the IP 1.2.3.4
/etc/apf/apf -r             # restart the firewall
Install DDoS Deflate
(D)DoS Deflate is another shell script used by hosting providers or individuals who manage their own server. It is used together with APF Firewall and runs from a cron job that periodically checks the number of connections from each IP address. While the option is OK, I believe LFD from the CSF package I mentioned earlier has an advantage over it. Nevertheless, this script does the job it was made for.
To install DDoS Deflate, run the commands below:
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
A few settings need to be set before we start using it. Open the file below and follow the comments inside it:
vi /usr/local/ddos/ddos.conf
Each of the options is explained there; you just need to read them carefully and have a bit of patience.
That's it for now. Don't forget to share it if you like it.