Installing APF into a CPanel server

Discussion in 'cPanel HOWTOs and Tutorials' started by Dan, Jul 11, 2007.

  1. Dan

    Dan Moderator

    APF is a popular firewall that works quite well. I have used it myself for a number of years now and there is a how to in the DA forum so I thought I'd put one in here for CPanel as well.

    1) SSH into your server.
    2) Download the source package.

    Code:
    cd /home
    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    
    3) Extract the tar file

    Code:
    tar -zxf apf-current.tar.gz 
    
    4) Remove the source file.

    Code:
    rm -f apf-current.tar.gz
    
    5) Change to the APF directory and install.

    Code:
    cd apf-0*
    ./install.sh
    
    6) Modify the configuration file.

    Code:
    nano /etc/apf/conf.apf
    
    Search for (ctrl+w) IFACE_IN and change it to IFACE_IN="venet0".
    Right below this is IFACE_OUT. Change it to IFACE_OUT="venet0".
    Search for SET_MONOKERN and change it to SET_MONOKERN="1".

    Open common and CPanel ports:
    Search for "# Common ingress (inbound) TCP ports" and change the line below it to: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2200,6666,7786,3000_3500"

    PORT DESCRIPTIONS
    21 FTP (TCP)
    25 SMTP (TCP)
    26 SMTP IF Exim enabled on port 26 (TCP)
    53 DNS - Domain Name Server (TCP)
    80 HTTP (TCP)
    110 POP3 (TCP)
    143 IMAP (TCP)
    443 HTTPS (TCP)
    465 sSMTP (TCP)
    783 Spamassassin (TCP)
    953 BIND (TCP)
    993 IMAP4 protocol over TLS/SSL (TCP)
    995 POP3 protocol over TLS/SSL (was spop3) (TCP)
    2082 CPANEL (http://sitename.com:2082) (TCP)
    2083 CPANEL SSL (https://sitename.com:2083) (TCP)
    2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
    2086 WHM (http://sitename.com:2086) (TCP)
    2087 WHM SSL (https://sitename.com:2087) (TCP)
    2089 CPanel licensing service (TCP)
    2095 WebMail (http://sitename.com:2095) (TCP)
    2096 WebMail SSL (https://sitename.com:2096)
    2200 SSH (TCP)
    3306 mySQL remote access (TCP)
    6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
    7786 Interchange (TCP)
    3000_3500 FTP ports (TCP)
    -----
    5100 for ASP,
    8080 and 8443 for JSP if you use them.
    -----
    You by no means have to have ALL of these ports open for your server to work. I, for instance, do not allow insecure access to CPanel/WHM/Webmail, so have removed those ports and have added another for the ASSP configuration port. This will be a custom string. Here is mine: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2083,2087,2089,2096,2200,3000_3500,55555"

    Below this is "# Common ingress (inbound) UDP ports"; change the line below it to: IG_UDP_CPORTS="53,6277"

    PORT DESCRIPTIONS
    53 DNS - Domain Name Server
    6277 SpamAssassin / DCC (email scanning)

    Again, can also be custom for your server.

    Below that is "# Common ICMP (inbound) types" ('internals/icmp.types' for type definition; 'all' is wildcard for any); change the line below it to read: IG_ICMP_TYPES="0,3,5,8,11,30"

    PORT DESCRIPTIONS
    0 Echo Reply (remove to disable pinging to your server)
    3 Destination Unreachable
    5 Destination Unreachable
    8 Echo (remove to disable pinging to your server)
    11 Time Exceeded
    30 Traceroute (remove to disable traceroute to your server)

    Below this is outbound filtering ("Egress filtering [0 = Disabled / 1 = Enabled]"); change the line below it to read EGF="1" to enable it.

    Next is "# Common egress (outbound) TCP ports"; change the line below it to read: EG_TCP_CPORTS="21,25,37,43,53,80,110,113,123,443,873,2089,3306"

    PORT DESCRIPTIONS
    21 FTP
    25 SMTP
    37 Required for CPANEL Licensing
    43 WHOIS
    53 DNS - Domain Name Server
    80 HTTP
    110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
    113 Authentication Protocol (AUTH)
    123 NTP (Network Time)
    443 HTTPS
    873 rsync (CPanel updates)
    2089 Required for CPANEL Licensing
    2703 Razor (email scanning)
    3306 mySQL remote access

    Also a custom string depending on the services you're providing.

    Below this is "# Common egress (outbound) UDP ports", which should be set to: EG_UDP_CPORTS="53,465,873,6277"

    PORT DESCRIPTIONS
    53 DNS - Domain Name Server
    465 SMTPs
    873 rsync
    6277 SpamAssassin / DCC (email scanning)

    Exit out of the editor (ctrl-x). Save (y) and (enter).

    7) Start APF

    Code:
    /usr/local/sbin/apf -s
    
    You may or may not get any output. Post questions or requests for help on the forum.
    You should also be able to use APF as a service. To test this:
    Code:
    service apf restart
    
    You should see APF stop and then restart.

    Be sure to test your services at this point: SSH, email, FTP, CPanel access, WHM access, as many as you can, to ensure they are working.

    8) Set developer mode to off.

    Code:
    pico /etc/apf/conf.apf
    
    Search for DEVEL_MODE="1" and change to DEVEL_MODE="0".

    Exit saving changes and then restart APF.

    9) Remove the source files

    Code:
    rm -rf /home/apf-0*
    
    These are the APF commands:

    -s start
    -r restart
    -f flush - stop
    -l list
    -st status
    -a HOST allow HOST
    -d HOST deny HOST

    That should be it :) APF should now be up and running!
    If there's anything I missed or that needs correcting please let me know and I'll fix it up!

    Revised:
    07/13/07
    10/06/07
     
  2. ppc

    ppc Moderator

    Thanks so much for the great tutorial Dan!
     
  3. gameutopia

    gameutopia New Member

    Just wondering if this should be set to 0 or 1?
    Search for DEVEL_MODE="0" and change to DEVEL_MODE="1".

    The conf.apf seems to imply that it should be set to 0

    # !!! Do not leave set to (1) !!!
    # When set to enabled; 5 minute cronjob is set to stop the firewall. Set
    # this off (0) when firewall is determined to be operating as desired.

    So it seems a little confusing. Sorry just thought I'd double check to make sure.
     
  4. magic

    magic New Member

    When you are testing your config you should set it to 1, just so you don't lock yourself out by accidentally blocking the SSH port, for example. What that does, per the description, is clear out the rules after 5 minutes, thus allowing you to connect again. However, you don't want this during production use, since you want your rules to work all the time, thus you set it to 0 once you are ready to use your rules.
     
  5. Dan

    Dan Moderator

    Gameutopia, you're absolutely right. I got busy copying right from my conf file and got them inverted. At installation it should already be 1, and after testing you want to change it to 0.

    For some reason I am unable to edit my post though...hmmm think I will PM our mod

    Thanks for catching that :)
     
  6. Dan

    Dan Moderator

    Ok so this is very strange. That most recent post shows an edit button but not the original?? :confused:
     
  7. Dan

    Dan Moderator

    The original post has been fixed, thanks Josh (PPC)!
     
  8. stormrider

    stormrider New Member

    Hello,

    When I activate this on a VPS with WHMCS it cannot create accounts on external servers. Could you tell me what I can do in order to fix this?

    thanks,

    Fernando.
     
  9. stormrider

    stormrider New Member

    Hello,

    Also, are there any issues if I copy the /etc/apf/conf.apf from one configured VPS to another VPS that I have?

    Thanks,

    Fernando.
     
  10. ppc

    ppc Moderator

    Nope shouldn't be a problem at all. Just make sure that the ports that you put into this config are relevant for the other VPS you have too. For example: Cpanel might need a certain port while Plesk might need another port opened.
     
  11. Dan

    Dan Moderator

    Hello Fernando,

    Looking at WHMCS's forums it looks like you need to open the WHM port for outbound traffic on the server running WHMCS. So in the "EG_TCP_CPORTS=" line add the port you're using (2086 for normal or 2087 for secure).

    This shouldn't be a problem, no. Just double check your ports, as you don't want to leave them open if you don't need them.

    Hope that helps,

    Dan
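Added example (written for this page; it is not Dan's tutorial code, nor william's script, nor anything shipped with APF): a small POSIX sh helper set for checking a conf.apf before running "apf -s", covering two points made in this thread. First, the tutorial's advice to keep DEVEL_MODE="1" until the rules are tested, because a port list that omits your SSH port locks you out; check_conf looks the SSH port up in IG_TCP_CPORTS (handling LOW_HIGH ranges such as the 3000_3500 FTP range from the port table), flags stray whitespace in a port list, and reports whether DEVEL_MODE is still on. Second, the reply above about adding the WHM port to EG_TCP_CPORTS for a WHMCS box; conf_add_port appends a port to a list only if it is not already covered, rewriting the file through a temp file the same way the thread's script does. The key names and the value syntax are the ones conf.apf uses as shown in the tutorial; the function names and the sample conf written by make_sample_conf are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread. Helpers for inspecting an APF
# conf.apf (KEY="value" lines, comma-separated ports, ranges as LOW_HIGH).

# Print the value of KEY="..." from conf file $1 (last assignment wins).
conf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if port $2 is covered by the comma-separated list $1, where an
# entry is a single port or a LOW_HIGH range (e.g. 3000_3500).
port_list_contains() {
    list=$1; port=$2
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            *_*)
                low=${entry%_*}; high=${entry#*_}
                [ "$port" -ge "$low" ] && [ "$port" -le "$high" ] && return 0
                ;;
            *)
                [ "$entry" -eq "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# Append port $3 to the list held by key $2 in conf file $1 unless the list
# already covers it. Rewrites via a temp file, like the install script above.
conf_add_port() {
    file=$1; key=$2; port=$3
    current=$(conf_get "$file" "$key")
    if port_list_contains "$current" "$port"; then
        return 0
    fi
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    sed "s/^$key=\"[^\"]*\"/$key=\"$new\"/" "$file" > "$file.tmp" \
        && mv -f "$file.tmp" "$file"
}

# Pre-start checks: the SSH port ($2) must be in IG_TCP_CPORTS or the
# firewall cuts off the session you configure it from; port lists must not
# contain whitespace; DEVEL_MODE="1" means cron flushes the rules every
# 5 minutes. Prints one line per finding, returns the number of problems.
check_conf() {
    file=$1; sshport=$2; problems=0
    igtcp=$(conf_get "$file" IG_TCP_CPORTS)
    if ! port_list_contains "$igtcp" "$sshport"; then
        echo "PROBLEM: SSH port $sshport is not in IG_TCP_CPORTS=\"$igtcp\""
        problems=$((problems + 1))
    fi
    for key in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        case "$(conf_get "$file" "$key")" in
            *" "*) echo "PROBLEM: $key contains whitespace"; problems=$((problems + 1)) ;;
        esac
    done
    if [ "$(conf_get "$file" DEVEL_MODE)" = "1" ]; then
        echo "NOTE: DEVEL_MODE=1, rules are flushed by cron every 5 minutes (testing mode)"
    fi
    return "$problems"
}

# Constructed sample conf (not a real server's file) written to path $1,
# using the port lists from the tutorial with SSH moved to 2200.
make_sample_conf() {
    cat > "$1" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="venet0"
IFACE_OUT="venet0"
IG_TCP_CPORTS="21,25,26,53,80,110,143,443,2083,2087,2200,3000_3500"
IG_UDP_CPORTS="53,6277"
EGF="1"
EG_TCP_CPORTS="21,25,37,43,53,80,110,113,123,443,873,2089,3306"
EG_UDP_CPORTS="53,465,873,6277"
EOF
}

# Usage: sh apfcheck.sh /etc/apf/conf.apf 2200   (no arguments: do nothing)
if [ "$#" -gt 0 ]; then
    check_conf "$1" "${2:-22}"
fi
```

Run it against the live file with the SSH port you actually use, e.g. "sh apfcheck.sh /etc/apf/conf.apf 2200", before switching DEVEL_MODE to 0; a non-zero exit means at least one PROBLEM line was printed. For the WHMCS case, "conf_add_port /etc/apf/conf.apf EG_TCP_CPORTS 2087" followed by "apf -r" adds the secure WHM port once, and running it again is a no-op.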
     
  12. stormrider

    stormrider New Member

    Hello,

    Thanks for the help!

    I would like to share something that i came across related to cpanel + spamd + apf. When you are monitoring spamd, cpanel will send you e-mail every 15 minutes saying that spamd has failed.

    According to KH support this is probably because you cannot connect on port 783. I have opened this port and everything is working fine :)
     
  13. Dan

    Dan Moderator

    Hello Stormrider,

    I haven't run spamassassin for a few months now but I don't remember ever having to open that port. If it works though then it works :)

    Glad to hear you've gotten it all running!
     
  14. stormrider

    stormrider New Member

    Hello Dan,

    I would like to thank you for this excellent tutorial. I have installed apf on 15 VPS and it worked on all of them :)
     
  15. Nalco

    Nalco New Member

    I am new to all this, and I just wanted to say thank you for this great tutorial.

    You made it all very easy.

    Thanks!
     
  16. william

    william New Member

    Here is a script to install APF. It will work for control panels like cPanel, Plesk and DA.

    Code:
    #!/bin/bash
    # Installs APF and writes a first conf.apf for a VPS (venet0), picking the
    # inbound port list from whichever control panel is detected.
    echo "APF installation script"
    echo -e "####################### \n"
    if [ -f /etc/apf/conf.apf ]; then
        echo "APF was already installed on this server"
        exit 0
    fi
    rm -rf /root/installapf
    mkdir -p /root/installapf
    cd /root/installapf || exit 1
    echo "Downloading APF .......... "
    WGET_OUTPUT=$(wget --timestamping --progress=dot:mega \
        http://www.rfxnetworks.com/downloads/apf-current.tar.gz 2>&1)
    # Make sure the download went okay.
    if [ $? -ne 0 ]; then
        echo 1>&2 "$0: $WGET_OUTPUT  Exiting."
        exit 1
    fi
    if echo "$WGET_OUTPUT" | fgrep 'saved' > /dev/null 2>&1; then
        echo "APF downloaded"
    else
        echo "There is some problem with the download"
        exit 1
    fi
    tar -xzf apf-current.tar.gz > /dev/null || exit 1
    cd apf-* || exit 1
    sh install.sh > /dev/null
    echo "Installation complete"
    echo "Backing up original configuration file..."
    /bin/cp /etc/apf/conf.apf /etc/apf/conf.apf.old
    echo "Copied to /etc/apf/conf.apf.old"
    
    # Rewrite one KEY="old" assignment to KEY="new" in conf.apf via a temp file.
    set_conf() {
        sed "s/^$1=\"$2\"/$1=\"$3\"/g" /etc/apf/conf.apf > /etc/apf/conf.apf.tmp \
            && mv -f /etc/apf/conf.apf.tmp /etc/apf/conf.apf
    }
    
    echo "Configuring APF"
    echo "Setting DEVEL_MODE to zero"
    # The tutorial above keeps DEVEL_MODE="1" until the rules have been tested;
    # this script turns it off straight away.
    set_conf DEVEL_MODE 1 0
    echo "Changing network interface for VPS"
    set_conf IFACE_IN eth0 venet0
    set_conf IFACE_OUT eth0 venet0
    echo "Enabling MONOKERN"
    set_conf SET_MONOKERN 0 1
    echo "Adding ports to firewall......"
    if [ -f /usr/local/cpanel/version ]; then
        echo "cPanel detected ...."
        igtcp="21,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    elif [ -f /usr/local/psa/version ]; then
        echo "Plesk detected ....."
        igtcp="21,25,26,53,80,110,143,443,8443,3000_3500"
    elif [ -f /usr/local/directadmin/scripts/setup.txt ]; then
        echo "DirectAdmin detected ....."
        igtcp="21,25,26,53,80,110,143,443,587,2222,3000_3500"
    else
        echo "No control panel found ... using default configuration"
        igtcp="21,25,26,53,80,110,143,443,10000,3000_3500"
    fi
    igudp="53"
    # Use the sshd listening port (first "Port" directive, default 22) so the
    # firewall does not shut out the SSH session it is being configured from.
    sshport=$(sed -n 's/^Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' /etc/ssh/sshd_config | head -n 1)
    [ -z "$sshport" ] && sshport=22
    igtcpssh="$igtcp,$sshport"
    # Stock conf.apf ships with IG_TCP_CPORTS="22" and IG_UDP_CPORTS="".
    set_conf IG_TCP_CPORTS 22 "$igtcpssh"
    set_conf IG_UDP_CPORTS "" "$igudp"
    echo "Following ports added : "
    echo "IG_TCP_CPORTS=\"$igtcpssh\""
    echo "IG_UDP_CPORTS=\"$igudp\""
    echo -e "\nAPF configuration completed................... \n"
    echo "Check the configuration in /etc/apf/conf.apf and confirm that all the ports, especially the SSH, Apache and mail ports, are open"
    echo "Start apf using apf -s"
    echo -e "\nFor your information, listening ports on the server\n"
    sh /etc/apf/extras/get_ports
    
    Copy the code into a file, say installapf.sh, and run it using sh:

    Code:
    sh installapf.sh
     
  17. norgaard

    norgaard New Member

    Problem loggin' in with FTP

    Thanks for the excellent tutorial. I installed APF on a VPS and everything works fine. I can access WHM, cPanel, SSH, send mail etc. except for FTP which has suddenly stopped working. I have double checked and port 21 is correctly set all places in conf.apf. Does anybody here know what might be the reason I suddenly can't log in using my FTP client. Neither with the account password or the root password. Any help is gratefully received.

    Thanks
    John
     
  18. norgaard

    norgaard New Member

    Port 20 was missing in EG_UDP_CPORTS="20,21,53,873,953,6277" so I added it there, but FTP still doesn't work - anyone?

    John
     
  19. Dan

    Dan Moderator

    Hello Norgaard,

    FTP through SSH would be using SSH on port 2200 and not even using the regular FTP engine.

    Port 20 UDP is not needed for FTP unless you have your FTP server connecting in active mode. By default it's configured for passive mode which is the ports that I have shown as needing to be open.

    I would say your FTP client has a problem or something else is going on.

    As a test have you tried turning off APF and connecting? Believe you can do this with a simple 'service apf stop'. And then 'service apf start' after you're done testing to restart it.

    Dan
     
  20. cyberturk

    cyberturk New Member

    Thanks for the great post