APF banning user.

Discussion in 'Linux VPS/Dedicated - cPanel' started by computervitals, Sep 9, 2007.

  1. computervitals

    computervitals New Member

    I've got an issue I'm hoping you can help out with.

    I have Brute force detector and APF installed.
    After a while, I have a main user that will not be able to connect to my site. I can shut down, flush, and restart APF and it still won't allow him access.

    He has to be on, I shut the firewall down, then he can access. Once he's accessed the site I can turn on the firewall. After a while he can no longer connect.

    I've added his IP to the allow.hosts and glob_allow.hosts and it still reacts the same.
    Here's the odd thing: there is no mention of any IPs getting banned.
    Is there any other place that the IPs would be logged?

    If it helps, he's on Suddenlink. (used to be Cox Cable)
     
  2. computervitals

    computervitals New Member

  3. khiltd

    khiltd New Member

    I know squat all about APF, but shouldn't it be keeping logs of its actions somewhere so you can find out why this is happening? Maybe your friend is using some kind of silly web accelerator thing that opens up too many connections.
     
  4. Dan

    Dan Moderator

    Hello computervitals,

    Is it working better now?

    If not then this post might help to shed some light.

    You can also find the APF log in /var/log and it may tell you something too.
     
  5. computervitals

    computervitals New Member

    In the middle of the problems, I DDoS'd my own server and got banned (changed the Dev mode to 1). Once I was let back in, I looked at the logs and it noted my IP going onto the deny list, then off the deny list. So it's logging correctly. But for some reason he wasn't able to get on the site, none of the sites on my VPS.

    Since I uninstalled then reinstalled it's been good. But I will find out tonight after work to see if he is able to view the site again.
     
  6. ppc

    ppc Moderator

    Just curious, how do you do that?
     
  7. computervitals

    computervitals New Member

    **For Testing Purposes Only**

    Before you do this, you need to enter conf.apf and set the Dev mode to 1 so you can get back into your server.

    Go to this site:
    http://www.socketsoft.net/

    Download DoSHTTP 2.0
    Download the trial. You only get a few goes. Load in your URL and send the packets.
    You will then be locked out of your server.
    Wait between 5-10 minutes depending on your cron. APF will let you back in. Check the var/log/apf.log; at the bottom you'll see your IP address listed.
     
  8. ppc

    ppc Moderator

    I tried but it didn't lock me out... hmmm... I guess that's why you want to run tests.

    Any ideas?
     
  9. computervitals

    computervitals New Member

    Do you have your IPs in your allow list?

    I did this and set it to 5000; within 30 seconds I was out and PuTTY was disconnected.
    Also check the log to see if it logged banning you.
     
  10. ppc

    ppc Moderator

    Nope, IP not in allow list.

    BFD banned you? BFD runs via cron every 10 minutes so I would doubt it was BFD that banned you within 30 seconds.
     
  11. ppc

    ppc Moderator

    Here's what that script output:

    HTTP Flood Testing Report

    Date: 09/11/2007 10:41:29 PM
    Duration: 37 seconds
    Requests Issued: 5000
    Responses Received: 2
    Requests Lost: 99.96%
    Request Rate: 135.14 requests per second


    What does that mean? APF knew it was being DDoSed and blocked most of them? But I still was not banned.
     
  12. computervitals

    computervitals New Member

    When you did this, could you get on your server?

    My report was similar, but I was kicked out of SSH and I couldn't get on my webpages, meaning APF blocked.

    If you have access to your server, check:

    /var/log/apf_log
     
  13. ppc

    ppc Moderator

    Yup I can still get on my server.

    APF blocks? I thought it's BFD that tells APF to block?

    Nothing in the log.
     
  14. computervitals

    computervitals New Member

    BFD is just a brute force detector for someone slamming passwords.
    APF will ban a user if they bang away at a port. Most of the time it's http attacks. (port 80)
    Too many connections then APF will ban you.
     
  15. ppc

    ppc Moderator

    Well it looks like it was denying the connections, right?
     
  16. computervitals

    computervitals New Member

    In your APF log you should have a load of startup and shutdown information. You will also see the bans happen here as well.

    Something like this:
    Code:
    Sep 09 20:32:18 ns1 apf(3600): {glob} status log not found, created
    Sep 09 20:32:18 ns1 apf(3600): {glob} activating firewall
    Sep 09 20:32:18 ns1 apf(3661): {glob} determined (IFACE_IN) venet0 has address 127.0.0.1
    Sep 09 20:32:18 ns1 apf(3661): {glob} determined (IFACE_OUT) venet0 has address 127.0.0.1
    Sep 09 20:32:18 ns1 apf(3661): {glob} loading sysctl.rules
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_logmartians disabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_ecn disabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_syncookies enabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_overflow disabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_tcp enabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_syn enabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} setting sysctl_routing enabled
    Sep 09 20:32:18 ns1 apf(3661): {glob} loading preroute.rules
    Sep 09 20:32:18 ns1 apf(3661): {resnet} downloading http://r-fx.ca/downloads/reserved.networks
    Sep 09 20:32:19 ns1 apf(3661): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
    Sep 09 20:32:19 ns1 apf(3661): {glob} loading reserved.networks
    Sep 09 20:32:20 ns1 apf(3661): {glob} loading bt.rules
    Sep 09 20:32:20 ns1 apf(3661): {dshield} downloading http://feeds.dshield.org/top10-2.txt
    Sep 09 20:32:20 ns1 apf(3661): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
    Sep 09 20:32:20 ns1 apf(3661): {dshield} loading ds_hosts.rules
    Sep 09 20:32:20 ns1 apf(3661): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
    Sep 09 20:32:21 ns1 apf(3661): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
    Sep 09 20:32:21 ns1 apf(3661): {sdrop} loading sdrop_hosts.rules
    Sep 09 20:32:22 ns1 apf(3661): {glob} loading common drop ports
    
     
  17. ppc

    ppc Moderator

    This is a portion of what I see now, which was logged hours ago (before I "attacked it"):

    Code:
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 25 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 80 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 443 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 995 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 43 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5800 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5500 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5900 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 5901 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 20 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 21 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound udp port 53 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 3 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 5 on 0/0
    Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 11 on 0/0
    Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 0 on 0/0
    Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 30 on 0/0
    Sep 11 22:02:42 ns1 apf(25835): {glob} opening inbound icmp type 8 on 0/0
    Sep 11 22:02:42 ns1 apf(25835): {glob} opening outbound icmp all on 0/0
    Sep 11 22:02:42 ns1 apf(25835): {glob} resolv dns discovery for <snipped>
    Sep 11 22:02:42 ns1 apf(25835): {glob} resolv dns discovery for <snipped>
    Sep 11 22:02:42 ns1 apf(25835): {glob} loading postroute.rules
    Sep 11 22:02:42 ns1 apf(25835): {glob} default (egress) output drop
    Sep 11 22:02:42 ns1 apf(25835): {glob} default (ingress) input drop
    Sep 11 22:02:42 ns1 apf(25795): firewall initalized
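As an added example (not code from this thread or from APF itself), a small Python parser for the apf log format quoted in the two posts above: it structures each line, lists which ports the firewall reported opening, and pulls out every line that names a given client IP, which is the first check to run when a user says they are blocked but the log looks silent. The sample lines are constructed in the shape of the quoted ones; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the apf log lines quoted in the thread.
SAMPLE_LOG = """\
Sep 09 20:32:18 ns1 apf(3600): {glob} activating firewall
Sep 09 20:32:18 ns1 apf(3661): {glob} determined (IFACE_IN) venet0 has address 127.0.0.1
Sep 09 20:32:20 ns1 apf(3661): {dshield} loading ds_hosts.rules
Sep 11 22:02:41 ns1 apf(25835): {glob} opening outbound tcp port 80 on 0/0
Sep 11 22:02:41 ns1 apf(25835): {glob} opening inbound icmp type 8 on 0/0
Sep 11 22:02:42 ns1 apf(25835): {glob} default (ingress) input drop
Sep 11 22:02:42 ns1 apf(25795): firewall initalized
"""

# timestamp, host, apf(pid), optional {tag}, then the free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) apf\((?P<pid>\d+)\): "
    r"(?:\{(?P<tag>\w+)\} )?(?P<msg>.*)$"
)
PORT_RE = re.compile(r"opening (?P<dir>inbound|outbound) (?P<proto>tcp|udp) port (?P<port>\d+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_apf_log(text):
    """Return one dict per line that matches the apf format; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def opened_ports(records):
    """Map (direction, protocol) -> sorted ports the firewall reported opening."""
    ports = defaultdict(set)
    for r in records:
        m = PORT_RE.search(r["msg"])
        if m:
            ports[(m["dir"], m["proto"])].add(int(m["port"]))
    return {k: sorted(v) for k, v in ports.items()}

def lines_mentioning_ip(records, ip):
    """Records whose message names the given IP, e.g. a client you think was banned."""
    return [r for r in records if ip in IP_RE.findall(r["msg"])]

def firewall_initialized(records):
    """True once apf logged its closing 'firewall initalized' line (spelled as apf writes it)."""
    return any(r["msg"].startswith("firewall init") for r in records)

if __name__ == "__main__":
    recs = parse_apf_log(SAMPLE_LOG)
    print(len(recs), "records; initialized:", firewall_initialized(recs))
    print("opened ports:", opened_ports(recs), "| mentions of 127.0.0.1:",
          len(lines_mentioning_ip(recs, "127.0.0.1")))
```

Run it against the real file (e.g. `parse_apf_log(open("/var/log/apf_log").read())`) and search for the affected user's address; if nothing names it while the ban still happens, the block is coming from somewhere other than the logged apf rules.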
     
  18. computervitals

    computervitals New Member

    Looks that way.
    Check PM
     