
View Full Version : How-To: Install APF Firewall for cPanel
VicePlanet 06-14-2004, 09:06 PM OK, so you need a firewall. Well, we recommend using APF. The following are the instructions you need to install it.
1) Login to your box as root
2) Download the APF Source (current version 0.9.3.3)
CODE
# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3) Extract the tar.gz
CODE
# tar -zxf apf-current.tar.gz
4) Enter the APF directory
CODE
# cd apf-0.9.3_3
5) Run install code
CODE
# ./install.sh
6) Modify the APF config File
CODE
# vi /etc/apf/conf.apf
Hit i to enter insert mode
7) Add in the ports you want to open for inbound (INGRESS). The following is for a cPanel box
CODE
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
Please note that the above variables are already there; I placed what should be in there.
8) Tell APF to monitor outgoing (EGRESS) also
CODE
Change the line:
EGF="0"
to
EGF="1"
9) Tell APF what ports to monitor
CODE
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
10) Save and exit - hit 'esc' :wq 'enter'
11) Start APF
CODE
# /usr/local/sbin/apf -s
You may or may not get output. If you do, please reply and I can advise as to what to fix. If all goes well you go back to the command line.
You now want to verify everything works: you can still get into SSH, cPanel works, you can view a page, etc.
12) If all works edit the config file and change the developer mode to 0
CODE
# vi /etc/apf/conf.apf
Hit i to enter insert mode
CODE
Change
DEVM="1"
to
DEVM="0"
Save and quit
Hit 'esc' :wq 'enter'
13) Restart APF
CODE
# /usr/local/sbin/apf -r
APF is now installed and monitoring your server.
This tutorial is brought to you by MyCPAdmin.
*Note: We have used this method on many many servers but we cannot be held responsible for any damage this may cause.
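One way to check the edited conf.apf before flipping DEVM to 0 in step 12, as an added example that is not part of this tutorial or of the APF project: it extracts IG_TCP_CPORTS, rejects a value that got wrapped over two lines (as the step 7 list was when pasted above), validates every entry, and refuses to pass if the SSH port is missing from the list. The helper and file names are my own, and the low_high range syntax is assumed from APF's conf.apf comments.

```shell
# Added example (not from the tutorial): check conf.apf before setting DEVM="0".
# It catches the two mistakes the thread shows: a quoted value broken across
# lines and an ingress list that omits the SSH port.
# Print the value of VAR from FILE (first VAR="..." line). Prints nothing if the
# value is not on one quoted line, which is what the split port list looks like.
conf_value() {  # conf_value FILE VAR
    sed -n "s/^$2=\"\([^\"]*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Validate a comma-separated APF port list; entries are ports or low_high ranges
# (range syntax assumed). Runs in a subshell so IFS changes cannot leak out.
check_port_list() (
    IFS=,; set -f   # split on commas only, no globbing
    set -- $1
    [ $# -gt 0 ] || exit 1
    for tok; do
        case $tok in
            ''|*[!0-9_]*|_*|*_|*_*_*) exit 1 ;;   # blank, stray space, bad range
        esac
        lo=${tok%%_*}; hi=${tok##*_}
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || exit 1
    done
    exit 0
)
# Return 0 only if FILE has a well-formed IG_TCP_CPORTS listing SSH_PORT as a
# single port (ranges are not expanded here).
check_apf_conf() {  # check_apf_conf FILE SSH_PORT
    ig=$(conf_value "$1" IG_TCP_CPORTS)
    if [ -z "$ig" ]; then
        echo "$1: IG_TCP_CPORTS missing or not on one quoted line" >&2; return 1
    fi
    if ! check_port_list "$ig"; then
        echo "$1: IG_TCP_CPORTS has a malformed entry: $ig" >&2; return 1
    fi
    case ",$ig," in
        *",$2,"*) return 0 ;;
        *) echo "$1: SSH port $2 missing; DEVM=\"0\" would lock you out" >&2; return 1 ;;
    esac
}

# Constructed sample files: the ingress list as posted above (value split over
# two lines with a leading space) and the same list on one line.
tmp=$(mktemp -d)
printf '%s\n' 'DEVM="1"' 'IG_TCP_CPORTS=" 20,21,22,25,26,53,80,110,143,443,465,993,995,2082,' \
    '2083,2086,2087,2095,2096,3306,6666"' > "$tmp/broken.apf"
printf '%s\n' 'DEVM="1"' 'IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"' > "$tmp/fixed.apf"
BROKEN_CONF=$tmp/broken.apf; FIXED_CONF=$tmp/fixed.apf
check_apf_conf "$BROKEN_CONF" 22 || echo "$BROKEN_CONF: rejected"
check_apf_conf "$FIXED_CONF" 22 && echo "$FIXED_CONF: OK to set DEVM=\"0\""
```

Run it against the real file with `check_apf_conf /etc/apf/conf.apf 22` (or whatever port your SSH daemon listens on); the same check can be pointed at EG_TCP_CPORTS by changing the variable name.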
mikesmi7h 06-17-2004, 05:22 PM Thanks for the tutorial.
AcuNett 06-17-2004, 07:06 PM What are the UDP ftp ports for?
Guys, I get this:
Unable to load iptables module (ip_tables), aborting.
when I type apf -s
Note that this is a VDS running Virtuozzo with RH 9 and cPanel.
Can you help?
Angelo 11-13-2004, 10:17 AM Change your MONO_KERN value in configuration file and restart APF.
Now I'm getting dozens of problems, all of them containing something like this:
iptables: No chain/target/match by that name
or
iptables: Memory allocation problem
PuNkEr 11-14-2004, 01:40 AM Same. Running a VDS and now I get the above if I change mono_kern.
Also, how do I uninstall the APF Firewall?
Can anyone help?
hostingNIS 11-19-2004, 06:20 PM This is a very useful thread.
Thank you
Devil Inside 11-22-2004, 04:53 AM Here's a nice little list of ports that should be open on a cPanel server.
Credit to CyberSpirit from the cPanel forums for compiling this.
port      service          protocol   direction
1 & 111   Portscanner                 (to detect scans)
20        ftp              tcp        inbound/outbound
21        ftp              tcp,udp    inbound/outbound
22        ssh              tcp        inbound
25        smtp             tcp        inbound/outbound
26        smtp             tcp        inbound/outbound
          (this port only needs to be open if the option in cPanel to run exim on port 26 is used.)
37        rdate            tcp        outbound
43        whois            tcp        outbound
53        DNS              tcp/udp    inbound/outbound
          (inbound is only needed if you run your own public DNS server)
80        http             tcp        inbound/outbound
110       pop3             tcp        inbound
113       ident            tcp        outbound
143       imap4            tcp        inbound
443       https            tcp        inbound
465       smtp tls/ssl     tcp/udp    inbound/outbound
873       rsync            tcp/udp    outbound
993       imap4 ssl        tcp        inbound
995       pop3 ssl         tcp        inbound
2082      cpanel           tcp        inbound
2083      cpanel ssl       tcp        inbound
2086      whm              tcp        inbound (outbound for DNS cluster)
2087      whm ssl          tcp        inbound (outbound for DNS cluster)
2089      cp licence       tcp        outbound (see below*)
2095      Webmail          tcp        inbound
2096      Webmail SSL      tcp        inbound
3306      mysql            tcp        (only if you need to connect remotely)
6666      chat             tcp        inbound
9898      AIM              tcp        outbound
* You may wish to setup port 2089 as follows:
out:d=2089:d=216.118.116.100
in:s=2089:s=216.118.116.110
As this port is used for cPanel licensing, and not always actively used, this will allow the port to remain open, but ONLY to the cPanel server.
jethbrown 11-24-2004, 04:24 AM what does this mean when I restart apf?
root@server1 [~]# /usr/local/sbin/apf -r
iptables v1.2.9: Unknown arg `--set-tos'
Try `iptables -h' or 'iptables --help' for more information
For those on VPS/VDS: it is up to your vendors to issue kernels with all appropriate iptables modules compiled. APF is an advanced firewall which uses a lot of high-level features that are not common in other firewalls. As such, kernels often lack the default modules required by APF -- or at least the stock VPS/VDS kernels do.
ThomasO 02-08-2005, 05:59 PM I installed everything OK... but, now I get this:
root@apco [/usr/local/sbin]# apf -s
FATAL: Module ip_tables already in kernel.
FATAL: Module ipt_state already in kernel.
FATAL: Module ipt_multiport already in kernel.
FATAL: Module iptable_filter already in kernel.
FATAL: Module ipt_limit already in kernel.
FATAL: Module ipt_LOG already in kernel.
FATAL: Module ipt_REJECT already in kernel.
FATAL: Module ip_conntrack already in kernel.
FATAL: Module ip_conntrack_irc already in kernel.
FATAL: Module ip_conntrack_ftp already in kernel.
FATAL: Module iptable_mangle already in kernel.
I remember, I upgraded to kernel 2.6.10
Perhaps something with that?
usually indicates modules already in use -- often another firewall; try to do apf -f then apf -r and see if the issue continues.
Rusty500 02-08-2005, 11:47 PM Many of our customers use APF on dedicated machines... great software...
We had a ticket the other day asking how to disable console logging of blocked requests... and none of our guys knew offhand.
Any suggestions on this? The customer in question has disabled SSH and is using a KVM over IP system that we are leasing to him -- therefore he does work "at" the console fairly often, and I can see how all of those messages would get annoying to him.
Thanks,
Russell
picoyak 02-09-2005, 07:07 AM Look in /etc/syslog.conf and see where probably kern.* is directed to /dev/console.
I guess you could either comment the kern.* line, or change the output from /dev/console to something else.
or you could just tweak the output of kern messages so that only the most critical goes to console
kern.* /var/log/kernel
kern.crit /dev/console
then restart syslog to make your changes stick
ThomasO 02-09-2005, 09:23 PM Originally posted by rfxn
usually indicates modules already in use -- often another firewall; try to do apf -f then apf -r and see if the issue continues.
Nothing... same issue... I think perhaps I should compile my kernel again (2.6.10) and turn off those modules... plz!! help!!!!
That Guy 02-11-2005, 03:12 AM Is this firewall only for cPanel (stupid question, I think I know the answer but asking to make sure), and how much resources does it need (RAM, CPU, etc)? Thanks :)
mmaaaaattt 02-21-2005, 03:11 AM Great guide, thanks!
Nice one!!!!! I really learned from it ;-)
zen4011 03-08-2005, 08:20 PM Originally posted by jethbrown
what does this mean when I restart apf?
root@server1 [~]# /usr/local/sbin/apf -r
iptables v1.2.9: Unknown arg `--set-tos'
Try `iptables -h' or 'iptables --help' for more information
Most people don't know this, it seems, but once you realize that APF is simply a frontend extension for IPTables, and not something independent, it's very simple.
/etc/init.d/iptables restart
or
service iptables restart
IPTables is still doing all of the filtering for your server, APF just gives you more specific control.
hwyking 03-13-2005, 03:03 PM Thanks for the tutorial! I installed it with no errors.
Only question is how do I know it's running? I don't see any apf processes running...
root@gravity [/etc/log.d/conf]# /usr/local/sbin/apf -r
root@gravity [/etc/log.d/conf]# ps -ef | grep apf
root 11213 29615 0 11:02 pts/0 00:00:00 grep apf
root@gravity [/etc/log.d/conf]#
hwyking 03-13-2005, 11:26 PM Originally posted by hwyking
Thanks for the tutorial! I installed it with no errors.
Only question is how do I know it's running? I don't see any apf processes running...
root@gravity [/etc/log.d/conf]# /usr/local/sbin/apf -r
root@gravity [/etc/log.d/conf]# ps -ef | grep apf
root 11213 29615 0 11:02 pts/0 00:00:00 grep apf
root@gravity [/etc/log.d/conf]#
I figured it out. /usr/local/sbin/apf -st :)
netcommander 04-24-2005, 09:01 AM I have already installed apf, but I see this log and the apf command does not run? What is the problem?
root@turk [~]# /usr/local/sbin/apf -st
APF Status Log:
Apr 24 16:00:00 turk apf(14586): firewall offline
Apr 24 16:00:00 turk apf(14586): flushing & zeroing chain policies
Apr 24 15:59:11 turk apf(13879): firewall initalized
Steven 04-24-2005, 12:29 PM There is no "apf" process; all apf does is load iptables rules.
netcommander 04-24-2005, 01:17 PM thanks
What is my problem, dear friends?
Can you help me? I have not installed iptables.
Steven 04-24-2005, 02:27 PM Apr 24 15:59:11 turk apf(13879): firewall initalized
its running there will be no process running.
iptables -L will show you the rules
netcommander 04-24-2005, 02:50 PM I see iptables command not found
MixinDJ 04-25-2005, 06:49 PM Wow nice tutorial! Very helpful
fancy claps 05-11-2005, 03:55 PM Why is the thread starter's account disabled?? Am I paranoid?
This thread is regarding apf 0.9.3 revision 3; there appears to be no malintent on the poster's part and it is consistent with standard apf setup options.
However apf is currently at version 0.9.5 revision 2. We recommend you use the latest version from http://www.r-fx.org/apf.php - optionally a trusted resource for r-fx.org project guides is webhostgear.com so be sure to check them out.
fancy claps 05-11-2005, 04:09 PM cool, thanks.
JonBlower 07-14-2005, 03:48 PM Cheers for the great guide, it worked a treat!
Just wondering though, is it possible to get APF to start automatically when i reboot my server?
fancy claps 07-14-2005, 04:56 PM yes.
just type this in a shell:
chkconfig --level 2345 apf on
if you want to stop it from running on reboots:
chkconfig --del apf
JonBlower 07-14-2005, 05:34 PM Cheers for that!!
Is there any way to check that it is running after a reboot? I tried 'top' but that didn't show it! (sorry, I'm still very new to all this!)
fancy claps 07-14-2005, 05:41 PM try: apf -st
JonBlower 07-15-2005, 01:42 PM Is there any way to clear the status log for APF? Mine's huge now :(
opera.mp3 07-15-2005, 05:13 PM Originally posted by JonBlower
Cheers for that!!
Is there any way to check that it is running after a reboot? I tried 'top' but that didn't show it! (sorry, I'm still very new to all this!)
apf will not show in top as it is (in a nutshell) something that interacts with iptables.
run something like this to make sure you have it added to startup:
% chkconfig --list | grep apf
it should output something like this:
apf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Originally posted by JonBlower
Is there any way to clear the status log for APF? Mine's huge now :(
easy way to truncate apf's log/"status" file:
cat /dev/null > /var/log/apf_log
And for anyone who needs to block only HTTP/HTTPS from IPs while still allowing other things to go on (e.g., receiving emails, etc.), add this to your /etc/apf/deny_hosts.rules. After saving the file, type apf -r
d=80:s=22.123.12.33
d=443:s=22.123.12.33
ownagesbot 07-30-2005, 04:46 PM when i start i get:
lsmod: QM_MODULES: Function not implemented
Unable to load iptables module (ip_tables), aborting.
Metalp3n 09-25-2005, 10:48 AM My conf.apf file matches the port setup that is described here for a cPanel server; however, when I turn on APF with this port setup it seems to block port 53, as no website loads, they all simply cannot be found.
Port 53 is setup for inbound and outbound, here is my port setup:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087$
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="21,53,123,465,873"
# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
Metalp3n 09-27-2005, 06:17 PM Doesn't anyone have any ideas at all?
Originally posted by ownagesbot
when i start i get:
lsmod: QM_MODULES: Function not implemented
Unable to load iptables module (ip_tables), aborting.
enable the mono kernel option in conf.apf
Originally posted by Metalp3n
Doesn't anyone have any ideas at all?
are you running the latest version of APF?
If so, then there may be a problem with the advanced filters that are configured, and/or your iptables modules may be improperly built or some may be missing.
Metalp3n 09-27-2005, 11:53 PM I am using the latest version, and is there any way to check where it is being blocked?
Spitfired2s 09-28-2005, 04:02 AM I've got SET_MONOKERN="1" to get rid of iptables errors, but now I get
Development mode enabled!; firewall will flush every 5 minutes.
lsmod: QM_MODULES: Function not implemented
reese 11-14-2005, 04:33 AM Thanks for the tut, worked great.
LoganFebbi 01-02-2006, 12:50 AM Get this error on a VPS
root@server [~]# /usr/local/sbin/apf -s
Development mode enabled!; firewall will flush every 5 minutes.
Unable to load iptables module (ip_tables), aborting.
mellow-h 01-10-2006, 06:55 PM I'm getting some errors after all the installation when I go to start the firewall.
It is giving the following error:
/etc/apf/firewall: line 428 :q command not found
Can anyone tell me what's wrong?
Doctorbob 01-11-2006, 05:13 AM I'm getting some errors after all the installation when I go to start the firewall.
It is giving the following error:
Can anyone tell me what's wrong?
:q may be entered accidentally by someone when editing (It is a vi command). So go to 428 and remove :q
mellow-h 01-17-2006, 03:44 PM I just removed all the files from /etc/apf and /usr/local/sbin/apf.
Then I used rpm to install APF and it works fine now :)
stooley 03-03-2006, 01:40 AM Get this error on a VPS
I get the same error:
root@server [~]# /usr/local/sbin/apf -s
Development mode enabled!; firewall will flush every 5 minutes.
Unable to load iptables module (ip_tables), aborting.
Is there anything special that needs to be done on a VPS? I noticed it said something about not finding a device.
http://www.r-fx.ca/downloads/apf-current.tar.gz is the recommended version; rpms of APF are very old as often seen running back at version 0.8.x, current is presently 0.9.6.
secmas 04-06-2006, 12:10 AM Hi to all!
I have just installed APF, and found the same error as a lot of peeps here:
root@server [~]# apf -r
Unable to load iptables module (ip_tables), aborting.
I have done the SET_MONOKERN="1", and the error disappeared, but now a new error arises:
root@server [~]# apf -r
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
iptables: Memory allocation problem
... and many more of the same ...
Why is this showing up?
ToastyHost 01-26-2008, 09:51 PM CODE
# tar -zxf apf-current.tar.gz
4) Enter the APF directory
CODE
# cd apf-0.9.3_3
I seem to be having trouble with this section. After entering step 3, nothing happens where I'd expect it to unzip into the folder... I tried skipping to step 4 anyway, but it says there is no such file or directory.
Does anyone know what is going wrong?
Hosting_Reserve 01-27-2008, 02:50 PM do this
# ls
then find out what the APF directory is called. I bet the version number is different.
then
# cd apf-whatever-the-version_is
ToastyHost 01-27-2008, 08:44 PM Worked a treat, thank you... is there any way I can check to see if it is working?
Hosting_Reserve 01-27-2008, 08:50 PM edit the APF conf file and take port 80 out of the allowed list.
Then
# service apf restart
try accessing your website (or a site on the server) then quickly edit the file to put port 80 back and
# service apf restart
again. Make sure you don't forget to re-enable it...
ToastyHost 01-27-2008, 08:53 PM Thank you, you've been a great help!