Securing server - Iptables or APF? - Knowledgebase

Portal Home > Knowledgebase > Articles Database > Securing server - Iptables or APF?

Securing server - Iptables or APF?

Posted by o-dog, 07-11-2007, 12:09 PM
Hi, can anyone advise the best way to secure a server? I have iptables on my box but havent seen any scripts which i can base my config on. I have seen that APF seems to be popular, and from the scripts seems quite simple to setup. I'm not afraid of iptables per se but i would like a script on which to base for cpanel, do any exist? I also like the simplicity of APF but i am currently running static nat on iptables and wish to maintain this functionality, the server is used as a vpn gateway. Any ideas or links to base configuration scripts that would be suitable and maintain my static nat? Are there any checklists which i could go against to ensure everything is secure? Many thanks Last edited by o-dog; 07-11-2007 at 12:15 PM.
Posted by hbhb, 07-11-2007, 01:08 PM
izghitu (Server Surgeon) posted on my thread about installing them.. u can have a look! http://www.webhostingtalk.com/showpo...48&postcount=6
Posted by David, 07-11-2007, 01:19 PM
APF 'is' iptables -- just a frontend with some additions. I'd highly recommend it though as it's great
Posted by o-dog, 07-11-2007, 03:24 PM
ok thanks for the replies, any idea if APF can have additional raw iptables commands? Specifically, i am doing: # iptables -t nat -A POSTROUTING -o venet0 --source 10.19.0.0/24 -j SNAT --to-source 10.20.30.40 Cheers
Posted by prowebhoster2006, 07-12-2007, 06:35 AM
Do you have a control panel on the machine or no?
Posted by o-dog, 07-12-2007, 11:33 AM
yeah i have cpanel on there, currently the iptables rules are running fine. Any cPanel plug in for iptables would be excellent.. does one exist? Cheers
Posted by freshmint, 07-12-2007, 12:12 PM
Yes, you can use RAW iptable commands. Check the *.rules files.
Posted by o-dog, 07-12-2007, 04:53 PM
Thanks for the reply, i'd rather not install APF without a little bit more background info but cant find any tutorials on the net for custom raw rules. So could you kindly confirm, there is a (this is only a guess) raw.rules file which is called at the end of configuration and will run my natting iptables command? Cheers
Posted by Jeremy, 07-12-2007, 05:25 PM
etc/apf/main.rules works. EX $IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 12345 -j ACCEPT
Posted by whmcsguru, 07-12-2007, 06:20 PM
If you're considering apf, you should look at CSF instead. BOTH are iptables frontends, though CSF offers a more advanced security setup (dos checking, md5sum checking, etc), and is updated more frequently, while APF had a good year or two period where it wasn't updated, nobody could contact the author (even paying customers), and is pretty much out of date any more.
Posted by SparkSupport, 07-12-2007, 06:25 PM
CSF will be a good option for you.
Posted by Orien, 07-12-2007, 08:02 PM
I would also recommend that you check out CSF.
Posted by Scott.Mc, 07-12-2007, 08:28 PM
APF has not been full of local roots and a remote vuln. APF's latest updates in anti-dos specfically make it much better than CSF. As a straight out iptables firewall APF is far superior to CSF. CSF has more features that are totally unrelated to being a firewall. So it's not entirely fair to say CSF is more secure than APF because when it comes to security you don't have to worry about the very firewall you install to "protect" you as being the very thing that gets you "hacked" with APF. Does that mean APF is better than CSF ? No, far from it. CSF has more features but that's the reason it's better in your opinion. Not because it offers more security because IMO that's just plain wrong.
Posted by Steven, 07-12-2007, 08:37 PM
Tom, You have something about every kind of software.. It could be apf, or spam assassin... Have you ever thought that is just the preference of the person? Everyone has their own distro they likes, everyone has their own beer they like? Just becausse YOU think CSF is better doesnt mean you have to put apf down like you do. Question Tom: Have you ever even coded a firewall? Or do you just use other peoples creations? CSF is NOT the best solution for everything. For HIGH traffic servers that do nothing but serve images for example.. I have found its not unlikely to see decreased performance, where a CUSTOM built firewall would do better. Also I dont even consider CSF as the same category then apf. APF is a FIREWALL ... csf is more of a SECURITY SUITE Do me a favor, compare the rules and tell me the differences They are pretty similar at the core.
Posted by hbhb, 07-12-2007, 08:46 PM
The last time I installed CSF, my server went down offline. I couldn't ping out google.com from the screen infront the server in the datacenter. I couldn't ping the server IP from my home. All problems are solved when i stop iptables but it will happen again after few hours.
Posted by tchryan, 07-21-2007, 12:50 AM
There are 3 main ways you can add custom iptables rules to you're APF installation and each affords you different level of accommodation. The first is within the /etc/apf/preroute.rules file, this file is one of the first rule sets loaded in the firewall so it is naturally ideal for prerouting rules as the name implies or any prescrub rules you want to have iptables perform. These type of rules would range from inbound priority classing, traffic shaping, use of qos chains - you name it. The second is within the /etc/apf/main.rules file, this file is loaded as an intermediate after all the preroute, trust, core functions and bells and whistles of APF but before postrouting and virtualization rules. This is an ideal place to add custom port limiting rules, extended logging, custom chains or any such jazz that is not really order specific. The final is within the /etc/apf/postroute.rules file, this file is loaded as one of the final rule sets in the firewall so it is ideal for any custom rules dealing with connection termination, outbound traffic shaping, outbound priority classing or just in general anything that you want to apply a rule towards when it about to finish passing through the firewall. There is another method of the sorts but it is more virtualization related and that comes into play when the vnet subsystem is enabled, you could add any custom rules into the /etc/apf/vnet/IP.rules files while also making use of convenience variables from conf.apf (this is also the case with any rule fule).
Posted by jon-f, 07-21-2007, 01:58 AM
Ha, i seen this thread and was gonna say the same thing about he should go with csf , csf rocks, but ryan does still work on apf, its not outdated, it actually has some more advanced features for filtering garbage packets, but he really needs connection tracking feature on it, Ive suggested it as well. I think the antidos on apf now just has a packet threshold. As far as filtering and advanced rules apf has it. But the average user doesnt need all this, and you cant beat all the other built in features. Using apf and dos deflate will do pretty good against dos but dos deflate needs a permanent ban feature, I dont know if it has one now or not. But yeah csf is great, I use it on every box. But if rfxn would come up with something similar I would for sure give it a shot, I think he just doesnt want to copy the idea or something, not sure, but would be nice
Posted by tchryan, 07-21-2007, 02:13 AM
If you could point me to a URL for the dos deflate project I would be curious to check it out further. The antidos subsystem to APF is phased out of the current RC version in testing at the moment and a supplemented replacement is already implemented in the current release called Reactive Address Blocking (RAB). It is by far not an anti-denial of service feature at this time but sets the foundation for future additions to it and provides a baseline intrusion prevention system. Here is a summary of what RAB is from the configuration description: # The use of RAB is such that it allows the firewall to track an address as it # traverses the firewall rules and subsequently associate that address across # any number of violations. This allows the firewall to react to critical # policy violations by blocking addresses temporarily on the assumed precaution # that we are protecting the host from what the address may do on the pretext # of what the address has already done. The interface that allows RAB to work # resides inside the kernel and makes use of the iptables 'ipt_recent' module, # so there is no external programs causing any additional load. Likewise you are correct, APF does provide many advanced features that may in most cases be of no use to users day-to-day. However I am of the mindset that it is better to have the features there and not need them than to need them and not have them. Last edited by tchryan; 07-21-2007 at 02:22 AM.
Posted by jon-f, 07-21-2007, 02:53 AM
heh, I didnt see your post above mine. deflate.medialayer.com its just a simple script to parse netstat for so many connections per ip and ban them, csf does the same way. If you could put a feature like that with the ability to perma ban , also include bfd all wrapped into one I would definitely try it out. There is actually a lot of features id like to see in an ideal anti-dos firewall, ill contact you sometime, give you some ideas, not like ideas on coding but some of the problems I see with current firewall scripts like csf in dealing with low bandwidth syn and some other things. Ddosers are adapting to dos protection on network and server level so some ew things are needed. I would also like to see a better per ip configuration , I know apf already has this but would be nice if it was wrapped up into one config.
Posted by BurakUeda, 07-21-2007, 03:15 AM
Another vote for CSF here. If you have cPanel, it has a very neat WHM interface too with one-click updates etc.
Posted by o-dog, 07-21-2007, 04:40 AM
Thanks for all the replies chaps, i put on APF as mentioned with a slightly reduced rule set and its been perfek. I added the masquerade ip table command in my postrouting.rule file and its been running solid since installed. Just so i know for future, is this the integrated whm/csf you kindly mentioned http://www.configserver.com/cp/csf.html? Maybe i want my cake and eat it, but are there any WHM integrations for APF? The reason is now its working i dont see a reason to remove, but i like the idea of updating with one-click from WHM. Cheers again, Chris
Posted by whmcsguru, 07-21-2007, 05:09 AM
Prior to a few months back, no updates, or evidence of said work had been done for almost 2 years. I'd say that the indication of "still working on APF" is just not there. AFAIK, no, but Ryan WAS mentioning the possibility of adding it to it. The problem is that the "antidos" method in apf is not stable, by the author's own admission. Problem #2 is that APF alone can NOT handle what CSF does. Oh, sure, APF with BFD, LSM, etc, CAN (with a LOT of configuration), but when it comes down to it, I don't want to spend all day configuring 5 different applications and adding individual rules for every application (mysql, httpd, sshd, etc) . That's a flat out waste of my time. I'm just going to ignore the rest of the trolling comments by individuals directed towards me. If you don't like what was stated (the truth), then PROVE IT WRONG, but you can't, see, because it's NOT wrong. APF was great back in the day, but, any more, APF is outdated. When it's continuously updated again, then perhaps it won't be, but the fact remains that when it comes to UPDATES, and NEW FEATURES added in, as well as support, CSF is, hands down, the winner between the two.
Posted by whmcsguru, 07-21-2007, 06:04 AM
My comments were hardly directed at you, except those quoting what you said, and yes, one individual has repeatedly tried to get me lured into various debates on various issues, insisting they are right on them, and that one individual did so here as well, again, trolling. Not surprising, given the one individual's attitude of late, but sobeit.
Posted by Steven, 07-21-2007, 10:43 AM
This is still an opinion, there is NO evidence that apf is less secure then CSF at what its meant to do, be a firewall. All other applications aside, show me how csf is better then apf at being a firewall. Just because you don't want to spend the time configuring apf (and related items) does not mean someone else is not willing to spend the time. This is no reason to troll apf. The anti-ddos issue? I have never used it, I have found other ways to do this, that beat both csf and apf.
Posted by tchryan, 07-24-2007, 01:51 PM
The first release of APF came in on Apr 24th 2003 at 12:33 AM, from that point forward it has been maintained and updated as appropriate. If however just because you do not see fan-fair announcements regarding every internal revision to the project is no case to call it un-maintained. It is a mature project that has met and exceeded all project goals and at times there was no pressing issue that shouted for large or even minor changes to the project. Any inclination to the contrary that the project is un-maintained is not only unfounded but could not be further from the truth. The amount of projects both public and private (most of which become public at some point) that I manage require a particular level of priority scaling. I can not always devote my time equally to all projects while also working to pay my bills and put food on my table. If you have a problem with how I prioritize between projects then by all means you are welcome to find another project more fitting of your grandiose expectations. There is an ncurses console based and php web based front-end being worked on for APF and a combined suite set of projects. The integration to WHM will come once the php front-end has been properly peer reviewed in beta testing for a sound structural setup and to dig out any possible security issues. The antidos subsystem in APF has always been under constant development, any admission that it is flawless, works perfect or does not require further improvements would have been a bold face lie. All DOS mitigation or defense tools require a particular level of persistent management to be successful as attacker trends dictate. So, in hind sight all that you have on antidos is a simple disclaimer clause warning users that due to this level of development they may run into the occasional unexpected bug between revisions. Likewise on a technical level, antidos does more than CSF ever has - it can monitor snort and kernel iptable logs in addition to this over hyped status quo of parsing the netstat output for CONFIGURABLE connection states. So now the proper administration of a system is supposed to be left to auto configured suite-style applications and not to the human factor? Ya, ok. The features APF provide are what it is intended for - a FIREWALL. The features CSF provides are for what it is intended for, a SECURITY SUITE. This is like comparing apples and oranges, give it up and stop the knock-fest you insist on engaging in with anyone who disagrees with you on any subject. The various r-fx.org projects from inception have been designed to work together and independent of each other. This allows for SCALABLE usage of the projects by those who CHOOSE to use them. If you want to run shorewall with nsiv or tripwire with lsm complimenting environment security -- whatever, it is up to you the administrator to make educated decisions that YOU are comfortable with in the administration of YOUR server, not for a suite to impose upon you. From the inception of APF it has been years ahead of other open source firewall solutions with the integrated features it provides. Now, fast forward to the present date and what do you find in APF - more features, more viability and again more features years ahead of most other open source solutions. This inclination you have that a firewall must receive constant updates to remain viable is very foolish at best. As mature firewall software and technology goes, unless it broken don't update it! The single most common oversight for administrators is holes opened in the firewall policies on the network or server level during updates to the technology. The development of APF is such that it recognizes this trend and has long been at a mature level where you can run the same version for years at a time without the need to update it. Last edited by tchryan; 07-24-2007 at 01:56 PM.
Posted by WHRKit, 07-27-2007, 12:01 AM
I switched to CSF and found it to be the easier to work with option. It is also well supported. APF has served me well on the old server before I switched to a new one and had the need to secure a server, but another reason to switch to CSF was that Ryan/RFXNetworks accepts payments for his Linux security bundle, but never contacts a customer and runs with the money. Even if APF would be updated or maintained, but how much can you trust somebody in regards to security if the same person steals money? Just my two cents. Christoph
Posted by tchryan, 07-27-2007, 12:18 AM
I think you will find one clear continuity between MSP's on this forum and it is that most if not all at times have trouble keeping up with demand at times, especially the older providers. If you ever had issue with service provided or lack there of, then e-mail me or even contact me through one of the many mediums in my profile on this forum as is often the case.
Posted by WHRKit, 07-27-2007, 12:58 AM
Really? Let's try. Please check your PMs here in this very forum. Christoph
Posted by Frontpage1, 07-27-2007, 08:17 PM
I used APF and BFD for years until I found CSF. I have been running CSF and Mailscanner. Excellent support and better user interface. And it actually works!

Add to Favourites Print this Article