Installing APF into a CPanel server

Discussion in 'cPanel HOWTOs and Tutorials' started by Dan, Jul 11, 2007.

  1. Dan

    Dan Moderator

    APF is a popular firewall that works quite well. I have used it myself for a number of years now and there is a how-to in the DA forum, so I thought I'd put one in here for CPanel as well.

    1) SSH into your server.
    2) Download the source package.

    cd /home
    wget [URL][/URL]
    3) Extract the tar file

    tar -zxf apf-current.tar.gz
    4) Remove the source file.

    rm -f apf-current.tar.gz
    5) Change to the APF directory and install.

    cd apf-0*
    6) Modify the configuration file.

    nano /etc/apf/conf.apf
    Search for (ctrl+w) IFACE_IN and change it to IFACE_IN="venet0".
    Right below this is IFACE_OUT. Change it to IFACE_OUT="venet0".
    Search for SET_MONOKERN and change it to SET_MONOKERN="1".

    Open common and CPanel ports:
    Search for "# Common ingress (inbound) TCP ports" and change the line below it to: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2200,6666,7786,3000_3500"

    21 FTP (TCP)
    25 SMTP (TCP)
    26 SMTP IF Exim enabled on port 26 (TCP)
    53 DNS - Domain Name Server (TCP)
    80 HTTP (TCP)
    110 POP3 (TCP)
    143 IMAP (TCP)
    443 HTTPS (TCP)
    465 sSMTP (TCP)
    783 Spamassassin (TCP)
    953 BIND (TCP)
    993 IMAP4 protocol over TLS/SSL (TCP)
    995 POP3 protocol over TLS/SSL (was spop3) (TCP)
    2082 CPANEL (TCP)
    2083 CPANEL SSL (TCP)
    2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
    2086 WHM (TCP)
    2087 WHM SSL (TCP)
    2089 CPanel licensing service (TCP)
    2095 WebMail (TCP)
    2096 WebMail SSL (TCP)
    2200 SSH (TCP)
    3306 mySQL remote access (TCP)
    6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
    7786 Interchange (TCP)
    3000_3500 FTP ports (TCP)
    5100 for ASP,
    8080 and 8443 for JSP if you use them.
    You by no means have to have ALL of these ports open for your server to work. I for instance do not allow insecure access to CPanel/WHM/Webmail so have removed those ports and have added another for the ASSP configuration port. This will be a custom string. Here is mine: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2083,2087

    Below this is "Common ingress (inbound) UDP ports"; change the line below it to: IG_UDP_CPORTS="53,6277"

    53 DNS - Domain Name Server
    6277 SpamAssassin / DCC (email scanning)

    Again, can also be custom for your server.

    Below that is "Common ICMP (inbound) types 'internals/icmp.types' for type definition; 'all' is wildcard for any"; change the line below it to read: IG_ICMP_TYPES="0,3,5,8,11,30"

    0 Echo Reply (remove to disable pinging to your server)
    3 Destination Unreachable
    5 Destination Unreachable
    8 Echo (remove to disable pinging to your server)
    11 Time Exceeded
    30 Traceroute (remove to disable traceroute to your server)

    Below this is outbound filtering ("Egress filtering [0 = Disabled / 1 = Enabled]"); change the line below it to read EGF="1" to enable this.

    Then comes "Common egress (outbound) TCP ports"; change the line below it to read: EG_TCP_CPORTS="21,25,37,43,53,80,110,113,123,443,873,2089,3306"

    21 FTP
    25 SMTP
    37 Required for CPANEL Licensing
    43 WHOIS
    53 DNS - Domain Name Server
    80 HTTP
    110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
    113 Authentication Protocol (AUTH)
    123 NTP (Network Time)
    443 HTTPS
    873 rsync (CPanel updates)
    2089 Required for CPANEL Licensing
    2703 Razor (email scanning)
    3306 mySQL remote access

    Also a custom string depending on the services you're providing.

    Below this is "Common egress (outbound) UDP ports", which should be set to: EG_UDP_CPORTS="53,465,873,6277"

    53 DNS - Domain Name Server
    465 SMTPs
    873 rsync
    6277 SpamAssassin / DCC (email scanning)

    Exit out of the editor (ctrl-x). Save (y) and (enter).

    7) Start APF

    /usr/local/sbin/apf -s
    You may or may not get any output. Post questions or requests for help on the forum.
    You should also be able to use APF as a service, to test this
    service apf restart
    You should see APF stop and then restart.

    Be sure to test your services at this point: SSH, email, FTP, CPanel access, WHM access, as many as you can, to ensure they are working.

    8) Set developer mode to off.

    pico /etc/apf/conf.apf
    Search for DEVEL_MODE="1" and change to DEVEL_MODE="0".

    Exit saving changes and then restart APF.

    9) Remove the source files

    rm -rf /home/apf-0*
    These are the APF commands:

    -s start
    -r restart
    -f flush - stop
    -l list
    -st status
    -a HOST allow HOST
    -d HOST deny HOST

    That should be it :) APF should now be up and running!
    If there's anything I missed or that needs correcting please let me know and I'll fix it up!
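    As an added check (my example, not code from the thread or from APF itself): before switching DEVEL_MODE to 0, compare the IG_TCP_CPORTS line against the ports the server actually listens on, so a forgotten port shows up while the five-minute safety flush still protects you. The conf.apf fragment and the listening-port list are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: check an APF IG_TCP_CPORTS list against the
# ports a server listens on before DEVEL_MODE is switched to 0. The conf fragment
# and the listening-port list are constructed samples.

# Print the value of a conf.apf variable (e.g. IG_TCP_CPORTS) read from stdin.
apf_conf_value() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"
}

# Print entries that are not a port or LOW_HIGH range; a stray space from a
# wrapped line ("2082, 2083") shows up here and would break the generated rules.
apf_bad_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -E '^[0-9]+(_[0-9]+)?$' || true
}

# Exit 0 if PORT is covered by the list; APF writes ranges as LOW_HIGH (3000_3500).
apf_port_allowed() {
    _port=$1; _rc=1
    _oldifs=$IFS; IFS=,
    for _e in $2; do
        case $_e in
            *_*) [ "$_port" -ge "${_e%_*}" ] && [ "$_port" -le "${_e#*_}" ] && _rc=0 ;;
            *)   [ "$_port" -eq "$_e" ] && _rc=0 ;;
        esac
    done
    IFS=$_oldifs
    return $_rc
}

# Print the listening ports that the list would block (space separated).
apf_missing_ports() {
    _missing=
    for _p in $2; do
        apf_port_allowed "$_p" "$1" || _missing="$_missing $_p"
    done
    printf '%s\n' "${_missing# }"
}

# Constructed conf.apf fragment using the tutorial's secure-only cPanel port choices.
SAMPLE_CONF='# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,25,53,80,110,143,443,993,995,2083,2087,2096,2200,3000_3500"
IG_UDP_CPORTS="53,6277"
DEVEL_MODE="1"'
# Constructed listening ports; on a live server take them from ss -tln or netstat -tln.
LISTENING="22 80 443 2200 3100 8443"

tcp_list=$(printf '%s\n' "$SAMPLE_CONF" | apf_conf_value IG_TCP_CPORTS)
echo "Malformed entries: $(apf_bad_entries "$tcp_list")"
echo "Listening but blocked inbound: $(apf_missing_ports "$tcp_list" "$LISTENING")"
```

    With the sample input the last line reports "22 8443": sshd on 22 is blocked because the tutorial only opens 2200, and 3100 passes because it sits inside the 3000_3500 passive FTP range.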


  2. ppc

    ppc Moderator

    Thanks so much for the great tutorial Dan!
  3. gameutopia

    gameutopia New Member

    Just wondering if this should be set to 0 or 1?
    Search for DEVEL_MODE="0" and change to DEVEL_MODE="1".

    The conf.apf seems to imply that it should be set to 0

    # !!! Do not leave set to (1) !!!
    # When set to enabled; 5 minute cronjob is set to stop the firewall. Set
    # this off (0) when firewall is determined to be operating as desired.

    So it seems a little confusing. Sorry just thought I'd double check to make sure.
  4. magic

    magic New Member

    When you are testing your config you should set it to 1, just so you don't lock yourself out by accidentally blocking the SSH port, for example. What that does, per the description, is clear out the rules after 5 minutes, thus allowing you to connect again. However, you don't want this during production use since you want your rules to work all the time, thus you set it to 0 once you are ready to use your rules.
  5. Dan

    Dan Moderator

    Gameutopia, you're absolutely right. I got busy copying right from my conf file and got them inverted. At installation it should already be 1 and after testing you want to change it to 0.

    For some reason I am unable to edit my post though...hmmm think I will PM our mod

    Thanks for catching that :)
  6. Dan

    Dan Moderator

    Ok so this is very strange. That most recent post shows an edit button but not the original?? :confused:
  7. Dan

    Dan Moderator

    The original post has been fixed, thanks Josh (PPC)!
  8. stormrider

    stormrider New Member


    When I activate this on a VPS with WHMCS it cannot create accounts on external servers. Could you tell me what I can do in order to fix this?


  9. stormrider

    stormrider New Member


    Also, are there any issues if I copy the /etc/apf/conf.apf from one configured VPS to another VPS that I have?


  10. ppc

    ppc Moderator

    Nope shouldn't be a problem at all. Just make sure that the ports that you put into this config are relevant for the other VPS you have too. For example: Cpanel might need a certain port while Plesk might need another port opened.
  11. Dan

    Dan Moderator

    Hello Fernando,

    Looking at WHMCS's forums it looks like you need to open the WHM port for outbound traffic on the server running WHMCS. So in the "EG_TCP_CPORTS=" line add the port you're using (2086 for normal or 2087 for secure).

    This shouldn't be a problem, no; just double check your ports, as you don't want to leave them open if you don't need them.

    Hope that helps,

  12. stormrider

    stormrider New Member


    Thanks for the help!

    I would like to share something that I came across related to cpanel + spamd + apf. When you are monitoring spamd, cpanel will send you an e-mail every 15 minutes saying that spamd has failed.

    According to KH support this is probably because you cannot connect on port 783. I have opened this port and everything is working fine :)
  13. Dan

    Dan Moderator

    Hello Stormrider,

    I haven't run spamassassin for a few months now but I don't remember ever having to open that port. If it works though then it works :)

    Glad to hear you've gotten it all running!
  14. stormrider

    stormrider New Member

    Hello Dan,

    I would like to thank for this excellent tutorial. I have installed apf on 15 VPS and it worked on all of them :)
  15. Nalco

    Nalco New Member

    I am new to all this, and I just wanted to say thank you for this great tutorial.

    You made it all very easy.

  16. william

    william New Member

    Here is a script to install APF. It will work for CP like Cpanel/Plesk and DA.

    #!/bin/sh
    echo "APF installation script"
    echo -e "####################### \n"
    # The posted script lost its then/else/fi lines; the structure is restored here.
    if [ -f /etc/apf/conf.apf ]; then
        echo "APF was already installed in this server"
        exit 1
    fi
    if [ -d /root/installapf ]; then
        rm -rf /root/installapf
    fi
    mkdir -p /root/installapf
    cd /root/installapf || exit 1
    echo -e "Downloading APF .......... "
    # The download URL was stripped from the post and is not restored here.
    WGET_OUTPUT=$(2>&1 wget --timestamping --progress=dot:mega)
    # Make sure the download went okay.
    if [ $? -ne 0 ]; then
        # wget had problems.
        echo 1>&2 "$0: $WGET_OUTPUT  Exiting."
        exit 1
    fi
    if echo "$WGET_OUTPUT" | fgrep 'saved' > /dev/null 2>&1; then
        echo "APF downloaded"
    else
        echo "There is some problem with download"
        exit 1
    fi
    tar -xvzf apf-current.tar.gz > /dev/null
    cd apf* || exit 1
    # The installer's file name after "sh" was stripped from the post and is kept as posted.
    sh > /dev/null
    echo "Installation Complete"
    echo "Backing up original configuration file..."
    /bin/cp /etc/apf/conf.apf /etc/apf/conf.apf.old
    echo "Moved to /etc/apf/conf.apf.old"

    # Replace one conf.apf setting: sed into a temp file, then move it back.
    # The post used `whereis mv` to bypass an interactive mv alias; mv -f does the same.
    set_conf() {
        sed "s/$1/$2/g" /etc/apf/conf.apf > /etc/apf/conf.apf.tmp
        mv -f /etc/apf/conf.apf.tmp /etc/apf/conf.apf
    }

    echo "Configuring APF"
    echo "Setting DEVEL_MODE to zero"
    # Note: earlier in this thread Dan and magic recommend leaving DEVEL_MODE="1"
    # until the rules have been tested, since "1" flushes the firewall every 5 minutes.
    set_conf 'DEVEL_MODE="1"' 'DEVEL_MODE="0"'
    echo "Changing network interface for VPS"
    set_conf 'IFACE_IN="eth0"' 'IFACE_IN="venet0"'
    set_conf 'IFACE_OUT="eth0"' 'IFACE_OUT="venet0"'
    echo "Enabling MONOKERN"
    set_conf 'SET_MONOKERN="0"' 'SET_MONOKERN="1"'
    echo "Adding Ports to firewall......"
    # The per-panel port lists (igtcp / igudp) did not survive in the post; fill them in.
    igtcp=""
    igudp=""
    if [ -f /usr/local/cpanel/version ]; then
        echo "Cpanel detected ...."
    elif [ -f /usr/local/psa/version ]; then
        echo "Plesk detected ....."
    elif [ -f /usr/local/directadmin/scripts/setup.txt ]; then
        echo "DirectAdmin detected ....."
    else
        echo "Not found any control panels ... Using default configurations"
    fi
    # Pick up a non-default SSH port from sshd_config; fall back to 22 when no Port line is set.
    shp=$(sed -n '/^Port /p' /etc/ssh/sshd_config | wc -l)
    if [ "$shp" -eq 0 ]; then
        sshport=22
    else
        sshport=$(sed -n '/^Port /p' /etc/ssh/sshd_config | awk '{print $2}')
    fi
    igtcpssh="${igtcp:+$igtcp,}$sshport"
    ig_tcp="IG_TCP_CPORTS=\"$igtcpssh\""
    ig_udp="IG_UDP_CPORTS=\"$igudp\""
    set_conf '^IG_TCP_CPORTS="22"' "$ig_tcp"
    set_conf '^IG_UDP_CPORTS=""' "$ig_udp"
    echo "Following ports added : "
    echo "$ig_tcp"
    echo "$ig_udp"
    echo -e "\nAPF configuration completed................... \n"
    echo "Check the configurations in /etc/apf/conf.apf and confirm that all the ports especially SSH,APACHE,MAIL ports are open"
    echo "Start apf using apf -s"
    echo -e "\nFor your information, listening ports in the server\n"
    sh /etc/apf/extras/get_ports
    Copy the code and create a file say and run it using sh

  17. norgaard

    norgaard New Member

    Problem loggin' in with FTP

    Thanks for the excellent tutorial. I installed APF on a VPS and everything works fine. I can access WHM, cPanel, SSH, send mail etc. except for FTP which has suddenly stopped working. I have double checked and port 21 is correctly set all places in conf.apf. Does anybody here know what might be the reason I suddenly can't log in using my FTP client. Neither with the account password or the root password. Any help is gratefully received.

  18. norgaard

    norgaard New Member

    Port 20 was missing in EG_UDP_CPORTS="20,21,53,873,953,6277" so I added it there, but FTP still doesn't work. Anyone?

  19. Dan

    Dan Moderator

    Hello Norgaard,

    FTP through SSH would be using SSH on port 2200 and not even using the regular FTP engine.

    Port 20 UDP is not needed for FTP unless you have your FTP server connecting in active mode. By default it's configured for passive mode which is the ports that I have shown as needing to be open.

    I would say your FTP client has a problem or something else is going on.

    As a test have you tried turning off APF and connecting? Believe you can do this with a simple 'service apf stop'. And then 'service apf start' after you're done testing to restart it.

  20. cyberturk

    cyberturk New Member

    Thanks for the great post
