Thread: APF Firewall + Anti-Dos
01-22-2005, 02:46 PM, #1, Newbie (joined Feb 2004, Vancouver, BC, 15 posts)
APF Firewall + Anti-Dos
Hello,
I have been running APF Firewall with the Anti-DoS add-on for quite some time now. But for the past three weeks or so, the anti-DoS script seems to be banning enormous numbers of IPs that are not attackers; the anti-DoS system is basically creating hundreds of false positives and blocking my clients from their sites, along with their visitors.
I was using the default anti-DoS conf settings, but after a while I changed these to more lax settings in the hope that it would stop these false positives, but to no avail: the anti-DoS system continues to ban IPs left and right, and I was forced to disable it.
Has anybody ever come across this problem before? Also, are there alternative anti-DoS/firewall packages that I can use for my Linux server?
-- Thanks,
-- John
01-23-2005, 12:04 AM, #2, Junior Guru (joined Sep 2004, Chicago, IL, 214 posts)
Portsentry
m0n0wall
01-23-2005, 12:29 AM, #3, Web Hosting Master (joined Feb 2004, 2,197 posts)
If you only want to protect HTTP, you can look at mod_dosevasive for Apache.
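For the mod_dosevasive suggestion above, here is an added configuration example (not from this thread and not the module's shipped defaults). It shows the per-URI and per-site thresholds the module enforces and, because the thread is about false positives, the DOSWhitelist directive that keeps a known busy source (a monitoring host, or an office behind one NAT address) from being blocked. The module file name, the threshold values, the addresses and the log path are assumptions.

```apache
# Added example: mod_evasive (formerly mod_dosevasive) tuned against false positives.
# Module file name, thresholds, addresses and paths are assumptions.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # Block a client that requests the same URI more than 10 times in 1 second
    DOSPageCount        10
    DOSPageInterval     1
    # Block a client that makes more than 100 requests to the whole site in 1 second
    DOSSiteCount        100
    DOSSiteInterval     1
    # Seconds the client keeps receiving 403 after tripping a threshold
    DOSBlockingPeriod   60
    # Sources that must never be blocked: localhost and a NAT'd office range
    DOSWhitelist        127.0.0.*
    DOSWhitelist        198.51.100.*
    DOSLogDir           /var/log/mod_evasive
    DOSEmailNotify      root@localhost
</IfModule>
```

The DOSSiteCount threshold is the one most likely to catch a legitimate NAT gateway, since many users share one source address; raise it or whitelist the address rather than lowering DOSBlockingPeriod, which only shortens the outage for the users behind it.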
01-23-2005, 10:11 AM, #4, Web Hosting Master (joined Nov 2004, India, 1,104 posts)
Also try SNORT
01-23-2005, 06:56 PM, #5, Newbie (joined Feb 2004, Vancouver, BC, 15 posts)
Hmmm...
I'm using Portsentry as well. I'll look into m0n0wall. Also, I am not just doing HTTP, so I need a more extensive application (I use mod_security with Apache).
I've tried SNORT, and it's supposed to work with APF/Anti-DoS, but for some odd reason SNORT never seems to start up properly on this machine. As to the reason why it doesn't, I am clueless, because no errors are generated; the process simply appears and disappears.
01-25-2005, 01:21 PM, #6, Web Hosting Master (joined Nov 2004, Australia, 1,737 posts)
Persistent access to a closed port from an IP will block that IP quite quickly. In my case I had users trying to send email via port 26, which was closed, then getting blocked!
01-26-2005, 10:15 PM, #7, Junior Guru Wannabe (joined Oct 2004, Dallas, TX, 45 posts)
Originally posted by Jasio
This happens all the time on our servers.
We usually monitor the APF logs in case one of our real users gets banned, so we can reinstate them.
We are going to try SNORT to see if it makes any difference.
Please let us know if SNORT does the same?
Thanks
01-27-2005, 07:50 AM, #8, Retired Moderator (joined Oct 2004, Southwest UK, 1,175 posts)
I run psad, and set it to email me if a port is scanned more than twice by the same IP. I tend to get 2 emails a day, and I then manually add the IPs to the deny hosts (I add the entire subnet, as the email returns a whois lookup and if it returns e.g. a Chinese ISP, I block the entire IP range, which is usually also included in the email).
I don't tend to ban single IPs though, as an attacker could well be using a dynamic IP which could then be allocated to an innocent user the following day.
psad doesn't work with APF; it can add IPs to iptables block rules, but I've never been confident enough to allow it to do so, as I'm not sure whether it would be OK to use both manual entries and APF.
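The two ban mechanics described in posts #6 and #8 (a client repeatedly hitting one closed port gets banned; psad-style counting of drops per source, with the choice of banning a whole range rather than one dynamic IP) are shown below as an added example. It is not part of the thread and not APF's, Anti-DoS's or psad's own code; it scores a simplified iptables LOG line format over constructed sample lines. The log format, the year 2005 (syslog timestamps carry none), the five-minute window, the threshold of more than two drops, the port-26 service exemption and every address are assumptions.

```python
"""Threshold auto-ban over firewall DROP logs (added example, not APF/psad code).

Handles the two false-positive sources raised in this thread:
  * a legitimate client repeatedly hitting one closed port (post #6: SMTP on 26)
  * banning whole ranges instead of single, possibly dynamic, IPs (post #8)
Log format, year, thresholds and all addresses below are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified iptables LOG line; a real APF line carries a prefix but the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
YEAR = 2005  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (timestamp, src, proto, dport) or None for a non-matching line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


class DropBanner:
    def __init__(self, max_hits=2, window=timedelta(minutes=5),
                 service_ports=frozenset(), whitelist=(), ban_prefix=32):
        self.max_hits = max_hits            # more than this many drops in window => ban
        self.window = window
        self.service_ports = service_ports  # closed ports real clients are known to use
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.ban_prefix = ban_prefix        # 32 = single IP, 24 = whole /24 (post #8)
        self.hits = defaultdict(deque)      # src -> recent (ts, dport)
        self.expected = defaultdict(int)    # src -> drops on service_ports (not scored)
        self.banned = {}                    # network -> ports that tripped the ban

    def _whitelisted(self, ip):
        return any(ip in net for net in self.whitelist)

    def feed(self, line):
        """Score one log line; return the banned network as a string, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, src, _proto, dpt = parsed
        if self._whitelisted(ipaddress.ip_address(src)):
            return None
        if dpt in self.service_ports:
            # Post #6 case: a mail client retrying port 26 is noise, not a scan.
            self.expected[src] += 1
            return None
        recent = self.hits[src]
        recent.append((ts, dpt))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()                # age out drops outside the window
        if len(recent) > self.max_hits:
            net = ipaddress.ip_network(f"{src}/{self.ban_prefix}", strict=False)
            self.banned.setdefault(net, set()).update(p for _, p in recent)
            return str(net)
        return None


def apply(lines, **kw):
    """Run all lines through a DropBanner; return (bans, expected-traffic counts)."""
    banner = DropBanner(**kw)
    for line in lines:
        banner.feed(line)
    bans = {str(net): sorted(ports) for net, ports in banner.banned.items()}
    return bans, dict(banner.expected)


# Constructed sample: a mail client retrying port 26, a three-port probe, a slow
# repeat on 445 spread over ten minutes, and an internal host probing three ports.
SAMPLE_LINES = [
    "Jan 27 10:00:01 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4321 DPT=26",
    "Jan 27 10:00:31 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4322 DPT=26",
    "Jan 27 10:01:02 web kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4323 DPT=26",
    "Jan 27 10:01:40 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22",
    "Jan 27 10:01:41 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=23",
    "Jan 27 10:01:42 web kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=135",
    "Jan 27 10:02:00 web kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=445",
    "Jan 27 10:12:00 web kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=60001 DPT=445",
    "Jan 27 10:12:30 web kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=60002 DPT=445",
    "Jan 27 10:13:00 web kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=1433",
    "Jan 27 10:13:01 web kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=3306",
    "Jan 27 10:13:02 web kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=8080",
]

if __name__ == "__main__":
    print("naive:", apply(SAMPLE_LINES)[0])
    print("tuned:", apply(SAMPLE_LINES, service_ports=frozenset({26}),
                          whitelist=["10.0.0.0/8"], ban_prefix=24))
```

With the defaults (naive mode) the mail client on 203.0.113.7 is banned after its third retry, exactly the post #6 complaint; with port 26 declared a service port it is merely counted as expected traffic, the internal 10.0.0.0/8 host is ignored, and the three-port probe from 198.51.100.23 is banned as the whole 198.51.100.0/24, the granularity post #8 prefers. The slow repeat from 192.0.2.9 never exceeds two drops inside any five-minute window, which is why a window, not a lifetime counter, matters for keeping the ban list small.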
01-27-2005, 05:28 PM, #9, Newbie (joined Jan 2005, 22 posts)
Have you tried KISS My Firewall 2?
It is an iptables script designed for a typical web server. It takes advantage of the latest firewall technologies, including stateful packet inspection and connection tracking. It also contains some preventative measures against port scanning, DoS attacks, and IP spoofing, among other things.
KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. cPanel installations require some modifications.