Setting up APF in a Virtuozzo VPS

#1
Hey, what specific setup needs to be implemented to get APF to run well on a Virtuozzo VPS? I assume that SET_MONOKERN should be set to "1" and the alternate SSH and DirectAdmin ports need to be added to the input ports list... but what else?

I have found several sites that discuss this, including one howto on the DA site:

http://www.directadmin.com/forum/showthread.php?s=d0acae1dee345b2f7ba32514ab0a9dd3&threadid=14500

but just in case the info isn't specific enough to how KnownHost has things configured, how about we document it here?

Another good FAQ on APF under Virtuozzo:

http://faq.swsoft.com/article_130_875_en.html

Thanks in advance...
 

KH-Paul

CTO
Staff member
#2
First two steps in SWsoft's FAQ article should be skipped - these steps provide information related to the configuration of the physical server.
The only difference in APF configuration between dedicated server and Virtuozzo VPS is that IFACE* and SET_MONOKERN needs to be modified to:

IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"

First two lines above tells APF which network device should be used for iptables rules (there is no eth0 in Virtuozzo VPS but venet0 is used instead), the last line tells APF that there is no need to load any iptables modules as all modules are pre-loaded already.

Regards,
Paul
 
#3
Hi Paul,

Cool. I figured KH had the VZ bits covered, but thanks for clarifying.

There are other parts to APF (and other security packages) such as sysctl.rules that I think won't work under VZ. For exampe:

Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
It's not allowed, right? When I cat them it seems they are always 0, but perhaps I just haven't hit the ones that aren't 0 yet. Are some of these kernel settings actually set upstream, and the ones in our VPS are fake?

Thanks.
 

KH-Paul

CTO
Staff member
#4
Hi Leo,

Most network-related things are handled by the host node and cannot be changed from inside the VPS. tcp_syncookies option is disabled by default as in some cases it may lead to negative effects and to weird connectivity issues for you and other customers on the physical machine where this option is enabled.

Regards,
Paul
 
#5
some usefull ssh commands

netstat -ltunp : shows all running services and ports being used
vi : pico not installed so use vi instead. Here is a list of vi commands http://www.2kweb.net/support/solutionc/handbook/chapter1/chapter1-7.html

Leomania said:
Here are my settings; please comment.

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,23,25,80,110,143,443,587,2200,2222,6000_7000,61001_65535"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,3784,8000,8050"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,37,43,53,80,110,443,2200,2222"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,3784,8000,8005,8050"

I'm not sure about the ports in the 8000 range; saw them referenced in a DA-specfic APF setup but I need to remove them for further testing.
mysql runs off port 3306. If making use of a database, it may be necessary to add 3306 to the IG_TCP_CPORTS
 
#6
mysql runs off port 3306. If making use of a database, it may be necessary to add 3306 to the IG_TCP_CPORTS
Since I reference MySQL via localhost, it communicates via a socket rather than a port on the external interface. So things are working correctly on my PHP/MySQL powered site, and I don't need to expose my MySQL to the outside world.

I am trying to figure out how much of exim really needs to be exposed, though. I saw a reference on a site about making connections to port 25 only inside the box, forcing connections to be authenticated on that other port. But that's something I need to dig into more, how exim is configured under DA by default. That's a topic for another thread, methinks.
 
#7
Hi Leomania,

That makes perfect sense. So I will remove port 3306 from my config file. I believe opening up 3306 will only be required if connections to the database via http is required.

How did you limit connections to mysql only via localhost/socket connection? Did you have to create a bind in the my.cnf file?

KnownHost-P said:
Sure, to do this you can add the "bind-address=127.0.01" line into the [mysqld] section of your /etc/my.cnf
Is this all we do?

Agreed about starting a thread for exim security.

Cheers
 
#8
How did you limit connections to mysql only via localhost/socket connection? Did you have to create a bind in the my.cnf file?
No, nothing like that; just left it out of the port list in conf.apf. For local connections I believe that applications will communicate with MySQL via sockets.
 
#9
Easy Install of APF

I have created an easy install of APF that takes into account the information posted above.

It is based on APF 0.9.6-1 ( I will update it as it comes out)

It can be found here:
http://qbycs.com/vps/apf-vps-da.tar.gz

First off ssh to your server as root.
Code:
cd /usr/local/src

Code:
wget http://qbycs.com/vps/apf-vps-da.tar.gz

Code:
tar -zxf apf-vps-da.tar.gz

Code:
cd apf-0.*

Code:
./install.sh

This will install apf and the config paramters from the above posts.

Code:
apf -r

Congrats! APF is now protecting your server.
 
Top