  1. #1
     Join Date: Feb 2004 | Location: Vancouver, BC | Posts: 15

    APF Firewall + Anti-Dos

    Hello,

    I have been running APF Firewall with the Anti-DoS addon for quite some time now. But for the past three weeks or so, the anti-DoS script seems to be banning enormous amounts of IPs that are not attackers; the anti-DoS system is basically creating hundreds of false positives and blocking my clients from their sites, along with their visitors.

    I was using the default anti-DoS conf settings, but after a while I went and changed these to more lax settings in hopes that it would stop these false positives, but to no avail: the anti-DoS system continued to ban IPs left and right and I was forced to disable it.

    Has anybody ever come across this problem before? Also, are there alternative anti-DoS/firewall software packages that I can use for my Linux server?

    -- Thanks,
    -- John
    Bordernode Networks: Limitless Possibilities
    Xen HVM VPS: Linux, Windows, BSD, Solaris
    Follow us on Twitter: @Bordernode

  2. #2
     Join Date: Sep 2004 | Location: Chicago, IL | Posts: 214

    portsentry

    monowall
    Ben Lenard, MS, MBA
    TechMinds 4 Hire, Inc - (866) 214-1285 x 2001
    http://www.tm4h.com

  3. #3
    If you only want to protect HTTP, you can look at mod_dosevasive for Apache.
    crucialparadigm - Affordable, Reliable, Professional Web Hosting
    24/7 Support • Web Hosting • Reseller Hosting • Cloud/VPS Plans • Dedicated Servers

  4. #4
     Join Date: Nov 2004 | Location: India | Posts: 1,104

    Also try SNORT.

  5. #5
     Join Date: Feb 2004 | Location: Vancouver, BC | Posts: 15

    Hmmm...

    I'm using Portsentry as well. I'll look into monowall. Also I am not just doing http, so I need a more extensive application (I use mod_security with apache).

    I've tried SNORT and it's supposed to work with APF/Anti-DoS, but for some odd reason SNORT never seems to start up properly on this machine. As to the reason why it doesn't, I am clueless, because no errors are generated; the process simply appears and disappears.

  6. #6
     Join Date: Nov 2004 | Location: Australia | Posts: 1,737
    Persistent access to a closed port from an IP will block that IP quite quickly. In my case I had users trying to send email via port 26, which was closed, then getting blocked!

  7. #7
     Join Date: Oct 2004 | Location: Dallas, TX | Posts: 45

    Re: APF Firewall + Anti-Dos

    Originally posted by Jasio:
    Hello,

    I have been running APF Firewall with the Anti-DoS addon for quite some time now. But for the past three weeks or so, the anti-DoS script seems to be banning enormous amounts of IPs that are not attackers; the anti-DoS system is basically creating hundreds of false positives and blocking my clients from their sites, along with their visitors.

    I was using the default anti-DoS conf settings, but after a while I went and changed these to more lax settings in hopes that it would stop these false positives, but to no avail: the anti-DoS system continued to ban IPs left and right and I was forced to disable it.

    Has anybody ever come across this problem before? Also, are there alternative anti-DoS/firewall software packages that I can use for my Linux server?

    -- Thanks,
    -- John

    This happens all the time on our servers.

    We usually monitor the APF logs in case one of our real users gets banned, so we can put them back on.

    We are going to try SNORT to see if it makes any difference.

    Please let us know if SNORT does the same?

    Thanks

    =======================
    http://www.zurca.com
    Premium Hosting Solutions

  8. #8
     Join Date: Oct 2004 | Location: Southwest UK | Posts: 1,175

    I run psad, and set it to email me if a port is scanned more than twice by the same IP. I tend to get two emails a day, and I then manually add the IPs to the deny hosts (I add the entire subnet, as the email includes a whois lookup and if it returns, e.g., a Chinese ISP, I block the entire IP range, which is usually also included in the email).

    I don't tend to ban single IPs though, as an attacker could well be using a dynamic IP which could then be allocated to an innocent user the following day.

    psad doesn't work with APF. It can add IPs to iptables block rules, but I've never been confident enough to let it do so, as I'm not sure whether it would be OK to use both manual entries and APF.
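The log-watching habit in #7 (checking whether a real user ended up in the ban list) and the subnet-wide manual bans in #8 can be combined into one routine check. The script below is an added example, not code from the thread, from APF or from psad: it reads a deny list in the one-entry-per-line, `#`-comment style of APF's deny_hosts.rules (path and format assumed) and reports which known customer addresses it covers, including addresses swallowed by a /24 block. All addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: cross-check a deny list against the addresses our own
# customers connect from, so a ban of a real user is spotted before they have
# to phone in. Inputs are constructed sample data in the assumed
# /etc/apf/deny_hosts.rules style; for a real file use DENY=$(cat file).

DENY='# constructed deny list: exact IPs and one /24 block
203.0.113.10   # added by anti-dos (constructed comment)
198.51.100.0/24
192.0.2.77'

CLIENTS='# constructed list of known customer addresses
203.0.113.10
198.51.100.42
192.0.2.5'

# strip_comments TEXT: print entries with '#' comments, trailing blanks and
# empty lines removed, one entry per line.
strip_comments() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# in_slash24 IP NET/24: succeed when IP falls inside the /24 network, i.e. the
# first three octets agree (only /24 is handled; widen as needed).
in_slash24() {
    ip_prefix=${1%.*}
    net_prefix=${2%%/*}
    net_prefix=${net_prefix%.*}
    [ "$ip_prefix" = "$net_prefix" ]
}

# banned_clients CLIENTS DENY: for every client address covered by a deny entry
# (exact match, or inside a /24 block) print "<client> banned by <entry>".
banned_clients() {
    strip_comments "$1" | while read -r client; do
        strip_comments "$2" | while read -r entry; do
            case "$entry" in
                "$client")
                    echo "$client banned by $entry"; break ;;
                */24)
                    if in_slash24 "$client" "$entry"; then
                        echo "$client banned by $entry"; break
                    fi ;;
            esac
        done
    done
}

banned_clients "$CLIENTS" "$DENY"
```

Addresses this reports are the ones to review and, where they are legitimate customers, to move to APF's allow_hosts.rules rather than simply deleting the ban.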

  9. #9
    Have you tried Kiss2 Firewall?

    It is an iptables script designed for a typical web server. It takes advantage of the latest firewall technologies, including stateful packet inspection and connection tracking. It also contains some preventative measures against port scanning, DoS attacks, and IP spoofing, among other things.

    KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. cPanel installations require some modifications.
    not a hoster, not a company, just a fan of WHT
