Setting up APF in a Virtuozzo VPS

Discussion in 'DirectAdmin HOWTOs and Tutorials' started by Leomania, Aug 29, 2006.

  1. Leomania

    Leomania New Member

    Hey, what specific setup needs to be implemented to get APF to run well on a Virtuozzo VPS? I assume that SET_MONOKERN should be set to "1" and the alternate SSH and DirectAdmin ports need to be added to the input ports list... but what else?

    I have found several sites that discuss this, including one howto on the DA site:

    http://www.directadmin.com/forum/showthread.php?s=d0acae1dee345b2f7ba32514ab0a9dd3&threadid=14500

    but just in case the info isn't specific enough to how KnownHost has things configured, how about we document it here?

    Another good FAQ on APF under Virtuozzo:

    http://faq.swsoft.com/article_130_875_en.html

    Thanks in advance...
     
  2. KH-Paul

    KH-Paul CTO Staff Member

The first two steps in SWsoft's FAQ article should be skipped - these steps provide information related to the configuration of the physical server.
The only difference in APF configuration between a dedicated server and a Virtuozzo VPS is that IFACE* and SET_MONOKERN need to be modified to:

    IFACE_IN="venet0"
    IFACE_OUT="venet0"
    SET_MONOKERN="1"

The first two lines above tell APF which network device should be used for iptables rules (there is no eth0 in a Virtuozzo VPS; venet0 is used instead), and the last line tells APF that there is no need to load any iptables modules, as all modules are pre-loaded already.

    Regards,
    Paul
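The three changes Paul lists, applied by script to a copy of conf.apf and read back, as an added example that is not part of the thread or of the APF distribution. It assumes conf.apf keeps its settings as KEY="value" lines (which APF does) and works on a constructed sample file instead of the live /etc/apf/conf.apf; the venet0 check reads /proc/net/dev so you can tell a VPS from a dedicated box before editing.

```shell
#!/bin/sh
# Added example (not from the thread): apply the Virtuozzo-specific APF
# settings to a conf.apf-style file, then read them back.
# Assumption: the file uses KEY="value" lines, as APF's conf.apf does.
# The sample file produced by make_sample_conf is constructed for the demo.

# set_setting FILE KEY VALUE : rewrite KEY="..." in FILE, or append it if absent
set_setting() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_setting FILE KEY : print the value of KEY with the quotes stripped
get_setting() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# apply_vz_settings FILE : the three changes from the post above, nothing else
apply_vz_settings() {
    set_setting "$1" IFACE_IN venet0
    set_setting "$1" IFACE_OUT venet0
    set_setting "$1" SET_MONOKERN 1
}

# vz_iface_present : succeeds if a venet0 device exists on this host
vz_iface_present() {
    grep -q '^ *venet0:' /proc/net/dev 2>/dev/null
}

# make_sample_conf FILE : constructed stand-in for a stock conf.apf
make_sample_conf() {
    cat > "$1" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
SET_MONOKERN="0"
IG_TCP_CPORTS="22,25,53,80,110,143,443,2222"
EOF
}

# Demo run on a temporary copy rather than the live /etc/apf/conf.apf
tmp=$(mktemp)
make_sample_conf "$tmp"
apply_vz_settings "$tmp"
printf 'IFACE_IN=%s IFACE_OUT=%s SET_MONOKERN=%s\n' \
    "$(get_setting "$tmp" IFACE_IN)" \
    "$(get_setting "$tmp" IFACE_OUT)" \
    "$(get_setting "$tmp" SET_MONOKERN)"
if vz_iface_present; then
    echo "venet0 present: this looks like a Virtuozzo VPS"
else
    echo "no venet0 here: keep the eth0 defaults on a dedicated server"
fi
rm -f "$tmp"
```

To use it on a real VPS, point apply_vz_settings at /etc/apf/conf.apf (after backing it up) and then run `apf -r`; the other settings in the file, such as IG_TCP_CPORTS, are left untouched.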
     
  3. Leomania

    Leomania New Member

    Hi Paul,

    Cool. I figured KH had the VZ bits covered, but thanks for clarifying.

There are other parts to APF (and other security packages) such as sysctl.rules that I think won't work under VZ. For example:

    Code:
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    It's not allowed, right? When I cat them it seems they are always 0, but perhaps I just haven't hit the ones that aren't 0 yet. Are some of these kernel settings actually set upstream, and the ones in our VPS are fake?

    Thanks.
     
  4. KH-Paul

    KH-Paul CTO Staff Member

    Hi Leo,

    Most network-related things are handled by the host node and cannot be changed from inside the VPS. tcp_syncookies option is disabled by default as in some cases it may lead to negative effects and to weird connectivity issues for you and other customers on the physical machine where this option is enabled.

    Regards,
    Paul
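A quick way to see for yourself which kernel settings the host node owns, as an added example that is not from the thread: write each sysctl's current value back to itself and note which writes fail. Nothing is changed by a successful write-back. The key list is an assumption chosen to resemble what APF's sysctl.rules touches, and the ROOT parameter exists only so the function can be exercised against a constructed directory instead of /proc/sys.

```shell
#!/bin/sh
# Added example (not from the thread): report which sysctl keys can actually
# be changed from inside this VPS. Each key gets its current value written
# back, so a successful probe alters nothing; keys owned by the host node
# reject the write. ROOT defaults to /proc/sys; the key list is an assumption.

# sysctl_writable KEY [ROOT] : exit 0 if KEY (dotted form) accepts a write,
# 2 if the key is absent or unreadable, anything else if the write is refused
sysctl_writable() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -f "$path" ] || return 2
    cur=$(cat "$path" 2>/dev/null) || return 2
    printf '%s\n' "$cur" > "$path" 2>/dev/null   # write-back of the same value
}

# report_sysctls [ROOT] : one line per key: KEY VALUE tunable|read-only|absent
report_sysctls() {
    root="${1:-/proc/sys}"
    for key in net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter \
               net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.ip_forward; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -f "$path" ]; then
            state=absent; val=-
        elif sysctl_writable "$key" "$root"; then
            state=tunable; val=$(cat "$path")
        else
            state=read-only; val=$(cat "$path")
        fi
        printf '%s %s %s\n' "$key" "$val" "$state"
    done
}

# Run as root inside the VPS; anything marked read-only or absent is a line
# you can drop from sysctl.rules, since the host node decides it.
report_sysctls
```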
     
  5. onelove

    onelove New Member

Some useful SSH commands

    netstat -ltunp : shows all running services and ports being used
vi : pico is not installed, so use vi instead. Here is a list of vi commands: http://www.2kweb.net/support/solutionc/handbook/chapter1/chapter1-7.html

MySQL runs on port 3306. If making use of a database, it may be necessary to add 3306 to IG_TCP_CPORTS.
     
  6. Leomania

    Leomania New Member

    Since I reference MySQL via localhost, it communicates via a socket rather than a port on the external interface. So things are working correctly on my PHP/MySQL powered site, and I don't need to expose my MySQL to the outside world.

    I am trying to figure out how much of exim really needs to be exposed, though. I saw a reference on a site about making connections to port 25 only inside the box, forcing connections to be authenticated on that other port. But that's something I need to dig into more, how exim is configured under DA by default. That's a topic for another thread, methinks.
     
  7. onelove

    onelove New Member

    Hi Leomania,

That makes perfect sense. So I will remove port 3306 from my config file. I believe opening up 3306 will only be required if connections to the database via HTTP are required.

    How did you limit connections to mysql only via localhost/socket connection? Did you have to create a bind in the my.cnf file?

    Is this all we do?

    Agreed about starting a thread for exim security.

    Cheers
     
  8. Leomania

    Leomania New Member

    No, nothing like that; just left it out of the port list in conf.apf. For local connections I believe that applications will communicate with MySQL via sockets.
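The port question in the last few posts can be settled from the `netstat -ltunp` output onelove mentioned: a listener bound to 127.0.0.1 (or ::1) is unreachable from outside and needs no entry in IG_TCP_CPORTS, which is why MySQL on localhost works without 3306 being opened. The script below, an added example that is not from the thread, reads that output and splits listeners into external and loopback-only, then prints the external ones as a ready-made IG_TCP_CPORTS / IG_UDP_CPORTS value. The netstat sample it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify `netstat -ltunp` listeners
# by bind address and derive the APF port lists from the external ones.
# The sample output in sample_netstat is constructed for the demonstration.

# listeners_by_scope SCOPE [FILE] : print "proto port program" for every
# listener whose bind address is SCOPE = external (wildcard or a real IP)
# or local (loopback). Reads netstat -ltunp output from FILE or stdin.
listeners_by_scope() {
    scope="$1"; shift
    awk -v want="$scope" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]               # port follows the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            local = (host == "::1" || host ~ /^127\./)       # loopback binds
            prog = $NF; sub(/^[0-9]+\//, "", prog)           # strip "PID/" prefix
            if (prog == "-" || prog ~ /^[0-9]+$/) prog = "?" # unknown without root
            if ((want == "local") == local)
                printf "%s %s %s\n", substr($1, 1, 3), port, prog
        }' "$@"
}

# cports_list PROTO [FILE] : comma-separated, sorted, unique external ports
# for PROTO (tcp|udp), i.e. the value to put in IG_TCP_CPORTS/IG_UDP_CPORTS
cports_list() {
    proto="$1"; shift
    listeners_by_scope external "$@" \
        | awk -v p="$proto" '$1 == p { print $2 }' \
        | sort -n -u \
        | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# sample_netstat : constructed stand-in for `netstat -ltunp` on a DA box
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2345/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3456/httpd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4567/directadmin
tcp        0      0 ::1:953                 :::*                    LISTEN      5678/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5678/named
EOF
}

# Demo on the constructed sample; on a live box use: netstat -ltunp | cports_list tcp
f=$(mktemp)
sample_netstat > "$f"
echo "external listeners:"; listeners_by_scope external "$f"
echo "loopback-only listeners (no APF entry needed):"; listeners_by_scope local "$f"
echo "IG_TCP_CPORTS=\"$(cports_list tcp "$f")\""
echo "IG_UDP_CPORTS=\"$(cports_list udp "$f")\""
rm -f "$f"
```

Note that this reflects what is listening, not what should be: a daemon bound to 0.0.0.0 that only local processes need (MySQL being the usual case) is better fixed by binding it to 127.0.0.1 in its own config than by leaving the port closed in APF alone, since the firewall rule is the only thing between it and the Internet.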
     
  9. ryan.tourge

    ryan.tourge New Member

    Easy Install of APF

    I have created an easy install of APF that takes into account the information posted above.

It is based on APF 0.9.6-1 (I will update it as new versions come out).

    It can be found here:
    http://qbycs.com/vps/apf-vps-da.tar.gz

    First off ssh to your server as root.
    Code:
    cd /usr/local/src

    Code:
    wget http://qbycs.com/vps/apf-vps-da.tar.gz

    Code:
    tar -zxf apf-vps-da.tar.gz

    Code:
    cd apf-0.*

    Code:
    ./install.sh

This will install APF and the config parameters from the above posts.

    Code:
    apf -r

    Congrats! APF is now protecting your server.
     
  10. ppc

    ppc Moderator

    Moved to the tutorial forum.

    Thanks!
     