Installing APF into a CPanel server

Dan

Moderator
APF is a popular firewall that works quite well. I have used it myself for a number of years now and there is a how-to in the DA forum so I thought I'd put one in here for CPanel as well.

1) SSH into your server.
2) Download the source package.

Code:
cd /home
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3) Extract the tar file

Code:
tar -zxf apf-current.tar.gz
4) Remove the source file.

Code:
rm -f apf-current.tar.gz
5) Change to the APF directory and install.

Code:
cd apf-0*
./install.sh
6) Modify the configuration file.

Code:
nano /etc/apf/conf.apf
Search for (ctrl+w) IFACE_IN and change it to IFACE_IN="venet0".
Right below this is IFACE_OUT. Change it to IFACE_OUT="venet0".
Search for SET_MONOKERN and change it to SET_MONOKERN="1".

Open common and CPanel ports:
Search for # Common ingress (inbound) TCP ports and change the line below it to: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2200,6666,7786,3000_3500"

PORT DESCRIPTIONS
21 FTP (TCP)
25 SMTP (TCP)
26 SMTP IF Exim enabled on port 26 (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
783 Spamassassin (TCP)
953 BIND (TCP)
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2089 CPanel licensing service (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
2200 SSH (TCP)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500 FTP ports (TCP)
-----
5100 for ASP,
8080 and 8443 for JSP if you use them.
-----
You by no means have to have ALL of these ports open for your server to work. I, for instance, do not allow insecure access to CPanel/WHM/Webmail so have removed those ports and have added another for the ASSP configuration port. This will be a custom string. Here is mine: IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2083,2087,2089,2096,2200,3000_3500,55555"

Below this is Common ingress (inbound) UDP ports and change the line below it to: IG_UDP_CPORTS="53,6277"

PORT DESCRIPTIONS
53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)

Again, can also be custom for your server.

Below that is 'Common ICMP (inbound) types' ('internals/icmp.types' for type definition; 'all' is wildcard for any). Change the line below it to read: IG_ICMP_TYPES="0,3,5,8,11,30"

PORT DESCRIPTIONS
0 Echo Reply (remove to disable pinging to your server)
3 Destination Unreachable
5 Destination Unreachable
8 Echo (remove to disable pinging to your server)
11 Time Exceeded
30 Traceroute (remove to disable traceroute to your server)

Below this is outbound filtering (Egress filtering [0 = Disabled / 1 = Enabled]) change the line below this to read EGF="1" to enable this.

Then is Common egress (outbound) TCP ports change the line below to read: EG_TCP_CPORTS="21,25,37,43,53,80,110,113,123,443,873,2089,3306"

PORT DESCRIPTIONS
21 FTP
25 SMTP
37 Required for CPANEL Licensing
43 WHOIS
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
873 rsync (CPanel updates)
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access

Also a custom string depending on the services you're providing.

Below this is Common egress (outbound) UDP ports which should be set to: EG_UDP_CPORTS="53,465,873,6277"

PORT DESCRIPTIONS
53 DNS - Domain Name Server
465 SMTPs
873 rsync
6277 SpamAssassin / DCC (email scanning)

Exit out of the editor (ctrl-x). Save (y) and (enter).
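As an added check (my own example, not part of Dan's post and not an APF tool), here is a small POSIX sh audit of the IG_TCP_CPORTS line from a conf.apf-style text. It validates the comma-separated list (plain ports or APF's low_high ranges, and no stray spaces, which can creep in when a long line is copied), confirms the SSH port is in the list so the firewall cannot lock you out, confirms the passive FTP range 3000_3500 is fully open, and reports whether the plaintext cPanel/WHM/webmail ports 2082/2086/2095 are still open. The sample conf text is constructed for the example and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of the relevant lines from /etc/apf/conf.apf (not from a real server).
SAMPLE_CONF='IFACE_IN="venet0"
IFACE_OUT="venet0"
DEVEL_MODE="0"
IG_TCP_CPORTS="21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,2200,3000_3500"
IG_UDP_CPORTS="53,6277"'

# conf_value CONF_TEXT KEY: print the value between the quotes of the first KEY="..." line.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_list LIST: true if every comma-separated entry is a port or a low_high
# range in APF's notation (e.g. 3000_3500) and the list has no stray spaces.
valid_port_list() {
    case "$1" in
        *' '*) return 1 ;;
    esac
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in
            *_*)
                lo=${entry%%_*}; hi=${entry#*_}
                if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
                    return 1
                fi ;;
            *)
                if ! valid_port "$entry"; then return 1; fi ;;
        esac
    done
    return 0
}

# has_port LIST PORT: true if PORT is listed directly or falls inside a low_high range.
# Splits on commas via IFS so it does not fork a subshell per call.
has_port() {
    rc=1; old_ifs=$IFS; IFS=','
    for entry in $1; do
        case "$entry" in
            *_*) if [ "$2" -ge "${entry%%_*}" ] && [ "$2" -le "${entry#*_}" ]; then rc=0; fi ;;
            *)   if [ "$entry" = "$2" ]; then rc=0; fi ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# range_covered LIST LOW HIGH: true if every port from LOW to HIGH is open, which is what a
# passive-mode FTP server needs for its data connections (3000_3500 in the post above).
range_covered() {
    p=$2
    while [ "$p" -le "$3" ]; do
        if ! has_port "$1" "$p"; then return 1; fi
        p=$((p + 1))
    done
    return 0
}

# plaintext_panel_ports LIST: print which non-SSL cPanel/WHM/webmail ports (2082, 2086, 2095)
# are open; the post above recommends dropping them in favour of 2083/2087/2096.
plaintext_panel_ports() {
    found=""
    for p in 2082 2086 2095; do
        if has_port "$1" "$p"; then found="$found $p"; fi
    done
    printf '%s\n' "${found# }"
}

# audit_conf CONF_TEXT SSH_PORT: print findings; return 0 when the TCP list is well formed
# and the SSH port is open (otherwise the firewall would lock you out), 1 otherwise.
audit_conf() {
    tcp=$(conf_value "$1" IG_TCP_CPORTS)
    ok=0
    if ! valid_port_list "$tcp"; then
        echo "IG_TCP_CPORTS is malformed: $tcp"; ok=1
    fi
    if ! has_port "$tcp" "$2"; then
        echo "SSH port $2 is not in IG_TCP_CPORTS: you would be locked out"; ok=1
    fi
    if ! range_covered "$tcp" 3000 3500; then
        echo "Passive FTP range 3000-3500 is not fully open"
    fi
    plain=$(plaintext_panel_ports "$tcp")
    if [ -n "$plain" ]; then
        echo "Plaintext panel ports still open: $plain"
    fi
    return $ok
}

audit_conf "$SAMPLE_CONF" 2200
```

On a real server you would feed it `"$(cat /etc/apf/conf.apf)"` and the port from your sshd_config (2200 in this how-to) before running `apf -s`; with DEVEL_MODE="1" a mistake only costs you five minutes, with DEVEL_MODE="0" it costs you a console session.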

7) Start APF

Code:
/usr/local/sbin/apf -s
You may or may not get any output. Post questions, or requests for help, on the forum.
You should also be able to use APF as a service. To test this:
Code:
service apf restart
You should see APF stop and then restart.

Be sure to test your services at this point: SSH, email, FTP, CPanel access, WHM access, as many as you can, to ensure they are working.

8) Set developer mode to off.

Code:
pico /etc/apf/conf.apf
Search for DEVEL_MODE="1" and change to DEVEL_MODE="0".

Exit saving changes and then restart APF.

9) Remove the source files

Code:
rm -rf /home/apf-0*
These are the APF commands:

-s start
-r restart
-f flush - stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST

That should be it :) APF should now be up and running!
If there's anything I missed or that needs correcting please let me know and I'll fix it up!

Revised:

07/13/07
10/06/07
 
Just wondering if this should be set to 0 or 1?
Search for DEVEL_MODE="0" and change to DEVEL_MODE="1".

The conf.apf seems to imply that it should be set to 0

# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.

So it seems a little confusing. Sorry just thought I'd double check to make sure.
 
When you are testing your config you should set it to 1, just so you don't lock yourself out by accidentally blocking the SSH port, for example. What that does, per the description, is clear out the rules after 5 minutes, thus allowing you to connect again. However, you don't want this during production use since you want your rules to work all the time, thus you set it to 0 once you are ready to use your rules.
 
Gameutopia, you're absolutely right. I got busy copying right from my conf file and got them inverted. At installation it should already be a 1 and after testing you want to change it to 0.

For some reason I am unable to edit my post though...hmmm think I will PM our mod

Thanks for catching that :)
 
Ok so this is very strange. That most recent post shows an edit button but not the original??
 
Hello,

When I activate this on a VPS with WHMCS it cannot create accounts on external servers. Could you tell me what I can do in order to fix this?

thanks,

Fernando.
 
Hello,

Also, are there any issues if I copy the /etc/apf/conf.apf from one configured VPS to another VPS that I have?

Thanks,

Fernando.
 
Nope shouldn't be a problem at all. Just make sure that the ports that you put into this config are relevant for the other VPS you have too. For example: Cpanel might need a certain port while Plesk might need another port opened.
 
Hello Fernando,

Looking at WHMCS's forums it looks like you need to open the WHM port for outbound traffic on the server running WHMCS. So in the "EG_TCP_CPORTS=" line add the port you're using (2086 for normal or 2087 for secure).

This shouldn't be a problem, no. Just double check your ports, as you don't want to leave them open if you don't need them.

Hope that helps,

Dan
 
Hello,

Thanks for the help!

I would like to share something that i came across related to cpanel + spamd + apf. When you are monitoring spamd, cpanel will send you e-mail every 15 minutes saying that spamd has failed.

According to KH support this is probably because you cannot connect on port 783. I have opened this port and everything is working fine :)
 
Hello Stormrider,

I haven't run spamassassin for a few months now but I don't remember ever having to open that port. If it works though then it works :)

Glad to hear you've gotten it all running!
 
Hello Dan,

I would like to thank for this excellent tutorial. I have installed apf on 15 VPS and it worked on all of them :)
 
I am new to all this, and I just wanted to say thank you for this great tutorial.

You made it all very easy.

Thanks!
 
Here is a script to install APF. It will work for control panels like Cpanel, Plesk and DA.

Code:
#!/bin/bash
# Installs APF and applies a basic configuration for a VPS running cPanel, Plesk or DirectAdmin.
echo "APF installation script"
echo -e "####################### \n"
if [ -f /etc/apf/conf.apf ]
then
    echo "APF was already installed on this server"
    exit
fi
# Start from a clean working directory.
rm -rf /root/installapf
mkdir -p /root/installapf
cd /root/installapf || exit 1
echo -e "Downloading APF .......... "
WGET_OUTPUT=$(wget --timestamping --progress=dot:mega http://www.rfxnetworks.com/downloads/apf-current.tar.gz 2>&1)
# Make sure the download went okay.
if [ $? -ne 0 ]
then
    # wget had problems.
    echo 1>&2 "$0: $WGET_OUTPUT  Exiting."
    exit 1
fi

# wget only reports 'saved' when it actually wrote the file.
if echo "$WGET_OUTPUT" | grep -F 'saved' &> /dev/null
then
    echo "APF downloaded"
else
    echo "There is some problem with the download"
    exit 1
fi
tar -xvzf apf-current.tar.gz > /dev/null
cd apf* || exit 1
sh install.sh > /dev/null
echo "Installation complete"
echo "Backing up original configuration file..."
/bin/cp /etc/apf/conf.apf /etc/apf/conf.apf.old
echo "Copied to /etc/apf/conf.apf.old"

# setconf 'SED-EXPRESSION': rewrite /etc/apf/conf.apf through a temp file and move it back
# (mv -f so a root alias of mv -i cannot stop the script to ask for confirmation).
setconf() {
    sed "$1" /etc/apf/conf.apf > /etc/apf/conf.apf.tmp
    /bin/mv -f /etc/apf/conf.apf.tmp /etc/apf/conf.apf
}
echo "Configuring APF"
echo "Setting DEVEL_MODE to zero"
setconf 's/DEVEL_MODE="1"/DEVEL_MODE="0"/g'
echo "Changing network interface for VPS"
setconf 's/IFACE_IN="eth0"/IFACE_IN="venet0"/g'
setconf 's/IFACE_OUT="eth0"/IFACE_OUT="venet0"/g'
echo "Enabling MONOKERN"
setconf 's/SET_MONOKERN="0"/SET_MONOKERN="1"/g'
echo "Adding ports to firewall......"
if [ -f /usr/local/cpanel/version ]
then
    echo "Cpanel detected ...."
    igtcp="21,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    igudp="53"
elif [ -f /usr/local/psa/version ]
then
    echo "Plesk detected ....."
    igtcp="21,25,26,53,80,110,143,443,8443,3000_3500"
    igudp="53"
elif [ -f /usr/local/directadmin/scripts/setup.txt ]
then
    echo "DirectAdmin detected ....."
    igtcp="21,25,26,53,80,110,143,443,587,2222,3000_3500"
    igudp="53"
else
    echo "No control panel found ... using default configuration"
    igtcp="21,25,26,53,80,110,143,443,10000,3000_3500"
    igudp="53"
fi
# Read the SSH port from sshd_config so the firewall never closes the port you are logged in on.
sshport=`awk '/^Port /{print $2; exit}' /etc/ssh/sshd_config`
if [ -z "$sshport" ]
then
    sshport=22
fi
igtcpssh="$igtcp,$sshport"
ig_tcp="IG_TCP_CPORTS=\"$igtcpssh\""
ig_udp="IG_UDP_CPORTS=\"$igudp\""
# The stock conf.apf ships with IG_TCP_CPORTS="22" and an empty IG_UDP_CPORTS.
setconf "s/^IG_TCP_CPORTS=\"22\"/$ig_tcp/g"
setconf "s/^IG_UDP_CPORTS=\"\"/$ig_udp/g"
echo "Following ports added : "
echo "$ig_tcp"
echo "$ig_udp"
echo -e "\nAPF configuration completed................... \n"
echo "Check the configuration in /etc/apf/conf.apf and confirm that all the ports, especially SSH, APACHE and MAIL ports, are open"
echo "Start apf using apf -s"
echo -e "\nFor your information, listening ports on the server\n"
sh /etc/apf/extras/get_ports

Copy the code into a file, say installapf.sh, and run it using sh:

Code:
sh installapf.sh
 
Problem loggin' in with FTP

Thanks for the excellent tutorial. I installed APF on a VPS and everything works fine. I can access WHM, cPanel, SSH, send mail etc. except for FTP which has suddenly stopped working. I have double checked and port 21 is correctly set all places in conf.apf. Does anybody here know what might be the reason I suddenly can't log in using my FTP client. Neither with the account password or the root password. Any help is gratefully received.

Thanks
John
 
Port 20 was missing in EG_UDP_CPORTS="20,21,53,873,953,6277" so I added it there, but FTP still doesn't work - anyone?

John
 
Hello Norgaard,

FTP through SSH would be using SSH on port 2200 and not even using the regular FTP engine.

Port 20 UDP is not needed for FTP unless you have your FTP server connecting in active mode. By default it's configured for passive mode which is the ports that I have shown as needing to be open.

I would say your FTP client has a problem or something else is going on.

As a test have you tried turning off APF and connecting? Believe you can do this with a simple 'service apf stop'. And then 'service apf start' after you're done testing to restart it.

Dan
 