APF banning user.

computervitals

New Member
I've got an issue I'm hoping you can help out with.

I have Brute force detector and APF installed.
After a while, I have a main user that will not be able to connect to my site. I can shut down, flush, restart APF and it still won't allow him access.

He has to be on, I shut the firewall down, then he can access. Once he's accessed the site I can turn on the firewall. After a while he can no longer connect.

I've added his IP to the allow.hosts and glob_allow.hosts and it still will react the same.
Here's the odd thing: there is no mention of any IPs getting banned.
Is there any other place that the IPs would be logged?

If it helps, he's on Suddenlink. (used to be Cox Cable)
 

khiltd

New Member
I know squat all about APF, but shouldn't it be keeping logs of its actions somewhere so you can find out why this is happening? Maybe your friend is using some kind of silly web accelerator thing that opens up too many connections.
 

Dan

Moderator
Hello computervitals,

Is it working better now?

If not then this post might help to shed some light.

You can also find the APF log in /var/log and it may tell you something too.
 

computervitals

New Member
In the middle of the problems, I DDoS'd my own server and got banned (changed the Dev mode to 1). Once I was let back in, I looked at the logs and it noted my IP to the deny, then off the deny. So it's logging correctly. But for some reason he wasn't able to get on the site, none of the sites on my VPS.

Since I uninstalled then reinstalled it's been good. But I will find out tonight after work to see if he is able to view the site again.
 

computervitals

New Member
**For Testing Purposes Only**

Before you do this, you need to enter conf.apf and set the Dev mode to 1 so you can get back into your server.


Go to this site:
http://www.socketsoft.net/

Download DoSHTTP 2.0
Download the trial. You only get a few goes. Load in your URL and send the packets.
You will then be locked out of your server.
Wait between 5-10 minutes depending on your cron. APF will let you back in. Check the var/log/apf.log; at the bottom you'll see your IP address listed.
 

ppc

Moderator
> **For Testing Purposes Only**
>
> Before you do this, you need to enter conf.apf and set the Dev mode to 1 so you can get back into your server.
>
> Go to this site:
> http://www.socketsoft.net/
>
> Download DoSHTTP 2.0
> Download the trial. You only get a few goes. Load in your URL and send the packets.
> You will then be locked out of your server.
> Wait between 5-10 minutes depending on your cron. APF will let you back in. Check the var/log/apf.log; at the bottom you'll see your IP address listed.

I tried but it didn't lock me out....hmmm...I guess that's why you want to run tests.

Any ideas?
 

computervitals

New Member
Do you have your IPs in your allow list?

I did this and set it to 5000, within 30 seconds I was out and putty was disconnected.
Also check the log to see if it logged banning you.
 

ppc

Moderator
> Do you have your IPs in your allow list?
>
> I did this and set it to 5000, within 30 seconds I was out and putty was disconnected.
> Also check the log to see if it logged banning you.

If you like, shoot me a message and I will test for you.
Nope, IP not in allow list.

BFD banned you? BFD runs via cron every 10 minutes so I would doubt it was BFD that banned you within 30 seconds.
 

ppc

Moderator
Here's what that script outputted:

HTTP Flood Testing Report

Date: 09/11/2007 10:41:29 PM

Duration: 37 seconds
Requests Issued: 5000

Responses Received: 2

Requests Lost: 99.96%

Request Rate: 135.14 requests per second


What does that mean, APF knew it was being DDoSed and blocked most of them? But I still was not banned.
 

computervitals

New Member
When you did this, could you get on your server?

My report was similar. But I was kicked out of SSH, and I couldn't get on my webpages, meaning APF blocked.

If you have access to your server,
check

/var/log/apf_log
 

ppc

Moderator
> When you did this, could you get on your server?
>
> My report was similar. But I was kicked out of SSH, and I couldn't get on my webpages, meaning APF blocked.
>
> If you have access to your server,
> check
>
> /var/log/apf_log

Yup, I can still get on my server.

APF blocks? I thought it's BFD that tells APF to block?

Nothing in the log.
 

computervitals

New Member
BFD is just a brute force detector for someone slamming passwords.
APF will ban a user if they bang away at a port. Most of the time it's http attacks. (port 80)
Too many connections then APF will ban you.
 

ppc

Moderator
> BFD is just a brute force detector for someone slamming passwords.
> APF will ban a user if they bang away at a port. Most of the time it's http attacks. (port 80)
> Too many connections then APF will ban you.
Well it looks like it was denying the connections, right?
 

computervitals

New Member
In your APF log you should have a load of startup and shutdown information. You will also see the bans happen here as well.

Something like this:
Code:
Sep 09 20:32:18 ns1 apf(3600): {glob} status log not found, created
Sep 09 20:32:18 ns1 apf(3600): {glob} activating firewall
Sep 09 20:32:18 ns1 apf(3661): {glob} determined (IFACE_IN) venet0 has address 127.0.0.1
Sep 09 20:32:18 ns1 apf(3661): {glob} determined (IFACE_OUT) venet0 has address 127.0.0.1
Sep 09 20:32:18 ns1 apf(3661): {glob} loading sysctl.rules
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_logmartians disabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_ecn disabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_syncookies enabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_overflow disabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_tcp enabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_syn enabled
Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_routing enabled
Sep 09 20:32:18 ns1 apf(3661): {glob} loading preroute.rules
Sep 09 20:32:18 ns1 apf(3661): {resnet} downloading http://r-fx.ca/downloads/reserved.networks
Sep 09 20:32:19 ns1 apf(3661): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
Sep 09 20:32:19 ns1 apf(3661): {glob} loading reserved.networks
Sep 09 20:32:20 ns1 apf(3661): {glob} loading bt.rules
Sep 09 20:32:20 ns1 apf(3661): {dshield} downloading http://feeds.dshield.org/top10-2.txt
Sep 09 20:32:20 ns1 apf(3661): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
Sep 09 20:32:20 ns1 apf(3661): {dshield} loading ds_hosts.rules
Sep 09 20:32:20 ns1 apf(3661): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
Sep 09 20:32:21 ns1 apf(3661): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
Sep 09 20:32:21 ns1 apf(3661): {sdrop} loading sdrop_hosts.rules
Sep 09 20:32:22 ns1 apf(3661): {glob} loading common drop ports
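The question running through this thread (where is the IP recorded, and is it sitting in the allow list, the deny list, or only in the log) can be answered from three files. The script below is an added example, not code from the thread or from APF itself; it takes the file paths as arguments, builds a constructed allow list, deny list and log in a temporary directory, and reports how many times an IP appears in each. The log line prefix follows the format shown in the posts above, but the `{trust} CONSTRUCTED: ...` deny/undeny messages are made-up placeholders, not APF's real wording; on a live box the paths would be /etc/apf/allow_hosts.rules, /etc/apf/deny_hosts.rules and /var/log/apf_log.

```shell
#!/bin/sh
# Added example (not from the thread or from APF). Reports where an IP
# shows up: APF's allow list, deny list and log. Paths are arguments so the
# constructed sample data below can be checked offline.

# Count lines in FILE containing IP as a whole word; 0 if none or no file.
count_ip_lines() {
    ip="$1"; file="$2"
    [ -f "$file" ] || { echo 0; return 0; }
    n=$(grep -c -F -w -- "$ip" "$file") || n=0
    echo "$n"
}

# One-line status: allow=<hits> deny=<hits> log=<hits>
apf_ip_status() {
    ip="$1"; allow="$2"; deny="$3"; log="$4"
    echo "allow=$(count_ip_lines "$ip" "$allow") deny=$(count_ip_lines "$ip" "$deny") log=$(count_ip_lines "$ip" "$log")"
}

# Print the log lines mentioning the IP in file order, so a deny followed
# by its removal can be read as a sequence.
apf_ip_log_lines() {
    ip="$1"; log="$2"
    grep -F -w -- "$ip" "$log" || true
}

# --- constructed sample data (not real APF output) ---
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_ALLOW="$SAMPLE_DIR/allow_hosts.rules"
SAMPLE_DENY="$SAMPLE_DIR/deny_hosts.rules"
SAMPLE_LOG="$SAMPLE_DIR/apf_log"

printf '%s\n' '# trusted hosts' '203.0.113.10' > "$SAMPLE_ALLOW"
printf '%s\n' '198.51.100.77' > "$SAMPLE_DENY"
# Prefix mirrors the format in the thread; the {trust} messages are
# invented placeholders standing in for whatever APF writes on a ban.
cat > "$SAMPLE_LOG" <<'EOF'
Sep 11 22:02:42 ns1 apf(25795): firewall initialized
Sep 11 22:40:10 ns1 apf(26102): {trust} CONSTRUCTED: deny 198.51.100.77 added
Sep 11 22:50:11 ns1 apf(26330): {trust} CONSTRUCTED: deny 198.51.100.77 removed
EOF

# Usage: a host only in the allow list -> allow=1 deny=0 log=0
apf_ip_status 203.0.113.10 "$SAMPLE_ALLOW" "$SAMPLE_DENY" "$SAMPLE_LOG"
# A host that was banned and then released -> allow=0 deny=1 log=2
apf_ip_status 198.51.100.77 "$SAMPLE_ALLOW" "$SAMPLE_DENY" "$SAMPLE_LOG"
apf_ip_log_lines 198.51.100.77 "$SAMPLE_LOG"
```

A user who is in the allow list but still loses access after a while, as in the first post, would show `allow=1 deny=0` with nothing in the log for his IP, which points away from an APF ban and towards something outside the three files (the point khiltd and ppc raise about connection counts and BFD's cron interval). `grep -w` is used so that 203.0.113.1 does not match lines for 203.0.113.10.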
 

ppc

Moderator
This is a portion of what I see now, which was logged hours ago (before I "attacked it"):

Code:
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 25 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 80 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 443 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 995 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 43 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5800 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5500 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5900 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5901 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 20 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 21 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 53 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 3 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 5 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 11 on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 0 on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 30 on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 8 on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} opening outbound icmp all on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} resolv dns discovery for <snipped>
Sep 11 22:02:42 ns1 apf(25835): {glob} resolv dns discovery for <snipped>
Sep 11 22:02:42 ns1 apf(25835): {glob} loading postroute.rules
Sep 11 22:02:42 ns1 apf(25835): {glob} default (egress) output drop
Sep 11 22:02:42 ns1 apf(25835): {glob} default (ingress) input drop
Sep 11 22:02:42 ns1 apf(25795): firewall initalized
 