How-To: Install APF Firewall for cPanel

#1  06-14-2004, 09:06 PM
VicePlanet (Disabled, Join Date: Jun 2004, Posts: 10)

Ok so you need a firewall. Well, we recommend using APF. The following are the instructions you need to install it:
1) Login to your box as root
2) Download the APF Source (current version 0.9.3.3)

CODE
# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz


3) Extract the tar.gz

CODE
# tar -zxf apf-current.tar.gz


4) Enter the APF directory

CODE
# cd apf-0.9.3_3


5) Run install code

CODE
# ./install.sh


6) Modify the APF config File

CODE
# vi /etc/apf/conf.apf


Hit i to enter insert mode
7) Add in the ports you want to open for inbound (INGRESS). The following is for a cPanel box

CODE

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"



Please note that the above variables are already there; I placed what should be in them.

8) Tell APF to monitor outgoing (EGRESS) also

CODE

Change the line:
EGF="0"
to
EGF="1"




9) Tell APF what ports to monitor

CODE

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

10) Save and exit - hit 'esc' :wq 'enter'

11) Start APF

CODE
# /usr/local/sbin/apf -s


You may or may not get output; if you do, please reply and I can advise as to what to fix. If all goes well, you go back to the command line.
You now want to verify everything works: you can still get into SSH, cPanel works, you can view a page, etc.

12) If all works edit the config file and change the developer mode to 0

CODE
# vi /etc/apf/conf.apf


Hit i to enter insert mode

CODE
Change
DEVM="1"
to
DEVM="0"



Save and quit
Hit 'esc' :wq 'enter'

13) Restart APF


CODE
# /usr/local/sbin/apf -r



APF is now installed and monitoring your server.

This tutorial is brought to you by MyCPAdmin.

*Note: We have used this method on many many servers but we cannot be held responsible for any damage this may cause.
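The steps above are all hand edits of /etc/apf/conf.apf in vi. As an added example, not code from VicePlanet's post or from APF itself, the script below applies the same values from steps 7, 8, 9 and 12 with sed, and adds the check a practitioner wants before step 11: that the SSH port is actually in the inbound TCP list, since that is the mistake that locks you out of the box. It assumes the KEY="value" line format shown in the post; the file path is a parameter, and make_sample_conf writes a constructed stand-in for conf.apf so the script can be tried without touching a real server. All function names are mine.

```shell
#!/bin/sh
# Added example, not code from VicePlanet's post: apply the conf.apf values
# from steps 7-9 and 12 with sed instead of editing in vi, and check the
# inbound list for the SSH port before APF is started. It assumes the
# KEY="value" line format shown in the post; the file path is a parameter,
# and make_sample_conf builds a constructed stand-in for /etc/apf/conf.apf.

# set_apf_var FILE KEY VALUE: rewrite the KEY="..." line in FILE.
# Only a line that starts with KEY= is touched, so comments stay intact.
# A temp file is used instead of sed -i so this also works on non-GNU sed.
set_apf_var() {
    sed "s|^$2=\".*\"|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_apf_var FILE KEY: print the value of KEY without the quotes.
get_apf_var() {
    sed -n "s|^$2=\"\(.*\)\"|\1|p" "$1"
}

# port_allowed FILE KEY PORT: succeed if PORT is in the comma list KEY.
port_allowed() {
    case ",$(get_apf_var "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# apply_cpanel_profile FILE: the port lists and EGF setting from steps 7-9.
# DEVM stays at 1 on purpose: the post turns it off only after SSH and
# cPanel have been confirmed to still work (step 12), see disable_devm.
apply_cpanel_profile() {
    set_apf_var "$1" IG_TCP_CPORTS "20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
    set_apf_var "$1" IG_UDP_CPORTS "21,53,465,873"
    set_apf_var "$1" IG_ICMP_TYPES "3,5,11,0,30,8"
    set_apf_var "$1" EGF "1"
    set_apf_var "$1" EG_TCP_CPORTS "21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
    set_apf_var "$1" EG_UDP_CPORTS "20,21,53,465,873"
    set_apf_var "$1" EG_ICMP_TYPES "all"
}

# disable_devm FILE: step 12, once the firewall has been verified.
disable_devm() {
    set_apf_var "$1" DEVM "0"
}

# preflight FILE SSH_PORT: refuse to continue if the SSH port is not in the
# inbound TCP list, because that is the mistake that locks you out.
preflight() {
    if port_allowed "$1" IG_TCP_CPORTS "$2"; then
        echo "ok: tcp/$2 is in IG_TCP_CPORTS"
        return 0
    fi
    echo "refusing: tcp/$2 is missing from IG_TCP_CPORTS" >&2
    return 1
}

# make_sample_conf FILE: constructed stand-in for conf.apf with only the
# variables the post edits, at made-up "stock" values; not the real file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Developer mode (constructed sample, not the real conf.apf)
DEVM="1"
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=""
# Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering
EGF="0"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
# Common ICMP (outbound) types
EG_ICMP_TYPES="all"
EOF
}

# Walk-through on a temporary copy: "sh apf_conf.sh demo".
if [ "${1:-}" = "demo" ]; then
    conf=$(mktemp)
    make_sample_conf "$conf"
    apply_cpanel_profile "$conf"
    preflight "$conf" 22 && disable_devm "$conf"
    grep -v '^#' "$conf"
    rm -f "$conf"
fi
```

On a real box you would back the file up first (cp -a /etc/apf/conf.apf /etc/apf/conf.apf.bak), then source the script and call apply_cpanel_profile /etc/apf/conf.apf, run preflight /etc/apf/conf.apf 22 (or whatever port sshd listens on), and only then apf -s as in step 11; disable_devm belongs after the step 12 verification, exactly as the post orders it.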

#2  06-17-2004, 05:22 PM
mikesmi7h (Newbie, Join Date: Jun 2004, Posts: 7)
Thanks for the tutorial.

#3  06-17-2004, 07:06 PM
AcuNett (** Server & Hosting Experts **, Join Date: Dec 2001, Location: Franklin, TN, USA, Posts: 1,310)
What are the UDP ftp ports for?

#4  11-11-2004, 08:44 AM
arty (New Member, Join Date: Nov 2004, Posts: 0)
guys i get this:
Unable to load iptables module (ip_tables), aborting.
when i type apf -s
note that this is a vds running virtuozzo with rh 9 and cpanel
can you help?

#5  11-13-2004, 07:23 AM
arty (New Member, Join Date: Nov 2004, Posts: 0)
can anyone help?

#6  11-13-2004, 10:17 AM
Angelo (Web Hosting Master, Join Date: Mar 2004, Location: Los Angeles, Posts: 617)
Change your MONO_KERN value in configuration file and restart APF.

#7  11-13-2004, 10:24 AM
arty (New Member, Join Date: Nov 2004, Posts: 0)
now I'm getting dozens of problems, all of them containing something like this:

iptables: No chain/target/match by that name
or
iptables: Memory allocation problem

#8  11-14-2004, 01:40 AM
PuNkEr (Newbie, Join Date: Nov 2004, Posts: 6)
same. running a VDS and now i get the above if i change mono_kern.

also how do I uninstall the APF Firewall?

#9  11-19-2004, 03:40 PM
arty (New Member, Join Date: Nov 2004, Posts: 0)
anyone can helpppppppppp?

#10  11-19-2004, 06:20 PM
hostingNIS (Disabled, Join Date: Nov 2004, Location: San jose, Posts: 14)
Very useful

This is a very useful thread.
Thank you

#11  11-22-2004, 04:53 AM
Devil Inside (Web Hosting Evangelist, Join Date: Nov 2003, Posts: 516)
Ports Ports Ports...

Here's a nice little list of ports that should be open on a cPanel server.

Credit to CyberSpirit from the cPanel forums for compiling this.

port      service         protocol   direction
1 & 111   Portscanner     -          - (to detect scans)
20        ftp             tcp        inbound/outbound
21        ftp             tcp,udp    inbound/outbound
22        ssh             tcp        inbound
25        smtp            tcp        inbound/outbound
26        smtp            tcp        inbound/outbound (this port only needs to be open if the option in cPanel to run exim on port 26 is used)
37        rdate           tcp        outbound
43        whois           tcp        outbound
53        DNS             tcp/udp    inbound/outbound (inbound is only needed if you run your own public DNS server)
80        http            tcp        inbound/outbound
110       pop3            tcp        inbound
113       ident           tcp        outbound
143       imap4           tcp        inbound
443       https           tcp        inbound
465       smtp tls/ssl    tcp/udp    inbound/outbound
873       rsync           tcp/udp    outbound
993       imap4 ssl       tcp        inbound
995       pop3 ssl        tcp        inbound
2082      cpanel          tcp        inbound
2083      cpanel ssl      tcp        inbound
2086      whm             tcp        inbound (outbound for DNS cluster)
2087      whm ssl         tcp        inbound (outbound for DNS cluster)
2089      cp licence      tcp        outbound (see below*)
2095      Webmail         tcp        inbound
2096      Webmail SSL     tcp        inbound
3306      mysql           tcp        (only if you need to connect remotely)
6666      chat            tcp        inbound
9898      AIM             tcp        outbound

* You may wish to setup port 2089 as follows:

out:d=2089:d=216.118.116.100
in=2089=216.118.116.110

As this port is used for cPanel licensing, and not always actively used - this will allow the port to remain open, but ONLY to the cPanel server.


Last edited by Devil Inside; 11-22-2004 at 04:56 AM.
#12  11-24-2004, 04:24 AM
jethbrown (Junior Guru Wannabe, Join Date: Nov 2004, Location: Edmonton, Alberta, Posts: 90)
what does this mean when I restart apf?

root@server1 [~]# /usr/local/sbin/apf -r
iptables v1.2.9: Unknown arg `--set-tos'
Try `iptables -h' or 'iptables --help' for more information

#13  12-28-2004, 06:10 PM
rfxn (Junior Guru, Join Date: Apr 2002, Location: Canada, Posts: 239)
for those on VPS/VDS - it is up to your vendors to issue kernels with all appropriate iptables modules compiled. APF is an advanced firewall which uses a lot of high-level features that are not common in other firewalls. As such, kernels often lack the default modules required by APF -- or at least the stock VPS/VDS kernels.

#14  02-08-2005, 05:59 PM
ThomasO (WHT Addict, Join Date: Oct 2004, Posts: 118)
I installed everything OK... but, now I get this:

root@apco [/usr/local/sbin]# apf -s
FATAL: Module ip_tables already in kernel.
FATAL: Module ipt_state already in kernel.
FATAL: Module ipt_multiport already in kernel.
FATAL: Module iptable_filter already in kernel.
FATAL: Module ipt_limit already in kernel.
FATAL: Module ipt_LOG already in kernel.
FATAL: Module ipt_REJECT already in kernel.
FATAL: Module ip_conntrack already in kernel.
FATAL: Module ip_conntrack_irc already in kernel.
FATAL: Module ip_conntrack_ftp already in kernel.
FATAL: Module iptable_mangle already in kernel.


I remember, I upgraded to kernel 2.6.10

Perhaps something with that?

#15  02-08-2005, 06:02 PM
rfxn (Junior Guru, Join Date: Apr 2002, Location: Canada, Posts: 239)
usually indicates modules already in use -- often another firewall; try to do apf -f then apf -r and see if the issue continues.
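Two different iptables messages come up in this thread: arty's "Unable to load iptables module (ip_tables)" on a VPS kernel, and ThomasO's "FATAL: Module ... already in kernel". As an added example, not from any post here and not part of APF, the script below checks the module names that appear in ThomasO's output against an lsmod listing and a modules.builtin list, so you can tell before apf -s whether a module is loaded, compiled into the kernel, or simply not available (the VPS case rfxn describes). It assumes the modules.builtin file that newer kernels ship under /lib/modules/<release>/; the lsmod and builtin inputs are file parameters, and the sample inputs in the block are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from any post in the thread: a check for the iptables
# modules APF loads, to tell the two errors discussed above apart before
# running apf -s. A module that is neither loaded (lsmod / /proc/modules)
# nor listed in modules.builtin cannot be loaded, which is the VPS kernel
# problem rfxn describes; "already in kernel" means it is built in, so the
# firewall was not blocked by it. Module names are taken from ThomasO's
# output; the lsmod and builtin inputs are file parameters so the check can
# run on the constructed samples below as well as on a live box. The
# modules.builtin file is an assumption: older kernels do not provide it.

APF_MODULES="ip_tables ipt_state ipt_multiport iptable_filter ipt_limit \
ipt_LOG ipt_REJECT ip_conntrack ip_conntrack_irc ip_conntrack_ftp iptable_mangle"

# module_state NAME LSMOD_FILE BUILTIN_FILE: prints loaded, builtin or missing.
# Matching on the first field works for both lsmod output and /proc/modules.
module_state() {
    if awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"; then
        echo loaded
    elif grep -q "/$1\.ko\$" "$3"; then
        echo builtin
    else
        echo missing
    fi
}

# missing_modules LSMOD_FILE BUILTIN_FILE: list the modules that are neither
# loaded nor built in, one per line; exit status 1 if there are any.
missing_modules() {
    _rc=0
    for _m in $APF_MODULES; do
        if [ "$(module_state "$_m" "$1" "$2")" = missing ]; then
            echo "$_m"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed samples (not captured from a real server): a kernel with a
# few netfilter modules loaded, a few built in, and the rest absent.
make_sample_lsmod() {
    cat > "$1" <<'EOF'
Module                  Size  Used by
ipt_REJECT              4096  2
ipt_LOG                 8192  4
ip_conntrack_ftp        8192  0
EOF
}
make_sample_builtin() {
    cat > "$1" <<'EOF'
kernel/net/ipv4/netfilter/ip_tables.ko
kernel/net/ipv4/netfilter/iptable_filter.ko
kernel/net/ipv4/netfilter/ip_conntrack.ko
EOF
}

# "sh apf_modcheck.sh live" checks the running kernel; "demo" uses the samples.
if [ "${1:-}" = "live" ]; then
    missing_modules /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
elif [ "${1:-}" = "demo" ]; then
    l=$(mktemp); b=$(mktemp)
    make_sample_lsmod "$l"; make_sample_builtin "$b"
    missing_modules "$l" "$b"
    rm -f "$l" "$b"
fi
```

A non-empty list from the live run is the situation rfxn describes: no amount of editing conf.apf or MONO_KERN will make APF work until the vendor's kernel provides those modules. An empty list with "already in kernel" messages means the modules are built in, and rfxn's apf -f followed by apf -r is the next thing to try.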
