APF firewall and Brute Force Detection
APF (Advanced Policy Firewall) is a policy-based iptables firewall system designed for ease of use and configuration. It offers a feature set meant to satisfy the veteran Linux user and the novice alike, and it is packaged in both tar.gz and RPM formats, which makes it suitable for deployment in many Linux-based server environments.
BFD (Brute Force Detection) is a modular shell script that parses the relevant logs and checks them for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward to install, configure and use. The reason behind BFD is simple: there are few, if any, authentication and brute-force auditing programs in the Linux community that work together with a firewall or a real-time facility to place bans.
APF Firewall features
- simple & well commented configuration files
- layered firewall with independent ingress and egress filtering systems
- uid based egress filtering via simple configuration variables
- global tcp/udp ports & icmp types configuration
- configurable policies for each ip on the system with convenience vars
- prerouting rules for optimal network response; TOS (type of service)
- icmp based rate limiting to prevent common icmp 'dos' abuses
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for tcp/ip stack hardening
- advanced set of filter rules to remove undesired traffic
- advanced use of kernel features such as abort_on_overflow & tcp syncookies
- easy to use firewall management script
- trust based rule files (allow/deny); with advanced syntax support
- 3rd party addon projects that complement APF features
Installation Guide
Install APF Firewall
To install APF, SSH into the server and log in as root.
At command prompt type: cd /root/
At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
At command prompt type: tar -xvzf apf-current.tar.gz
At command prompt type: rm -f apf-current.tar.gz
At command prompt type: cd apf-0.9.4-6
PS: the directory name carries the version bundled in apf-current.tar.gz; run ls if it differs from the one shown here.
PS: the tarball is fetched over plain HTTP and is not signed, so read install.sh before running it as root.
At command prompt type: sh ./install.sh
After APF has been installed, you need to edit the configuration file.
At command prompt type: cd /etc/apf
At command prompt type: pico -w conf.apf
Scroll down and find
USE_DS="0"
change it to
USE_DS="1"
PS: this enables the dshield.org block list; the server needs outbound access to download it.
Now scroll down and configure the ports.
PS: open only the ports your server actually needs.
PS: if you changed the SSH port from the default of 22, you must open the new port here as well, or the firewall will lock you out!
Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22,80,443"
Common ingress (inbound) UDP ports
IG_UDP_CPORTS=""
Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"
Common egress (outbound) TCP ports
EG_TCP_CPORTS="53,80,443"
Common egress (outbound) UDP ports
EG_UDP_CPORTS="53"
Common ICMP (outbound) types
EG_ICMP_TYPES="all"
PS: the EG_* values only take effect when egress filtering is switched on with EGF="1" in the same file; it is off by default, in which case all outbound traffic is allowed.
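As an added example (not part of the APF project), here is a small POSIX shell check to run before starting or restarting APF: it reads the port sshd is configured to listen on and confirms that port appears in IG_TCP_CPORTS, including APF's low_high port-range syntax, so that the restart cannot lock you out. The file paths are parameters, and the configs it creates at the bottom are constructed for the demo, not real server files.

```shell
#!/bin/sh
# Added example, not part of APF: make sure the port sshd listens on is
# allowed in IG_TCP_CPORTS before (re)starting the firewall, so an
# "apf -s" or "apf -r" cannot lock the admin out. Paths are parameters.

# Print the port from the first active "Port N" line of an sshd_config file;
# sshd's default of 22 is used when no such line exists.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Print the value of IG_TCP_CPORTS from a conf.apf file (e.g. "22,80,443").
apf_ingress_tcp() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1"
}

# Return 0 if PORT is covered by the comma-separated LIST. Entries are single
# ports or APF-style ranges written low_high (e.g. 30000_35000).
port_in_list() {
    port=$1
    old_ifs=$IFS; IFS=','; set -- $2; IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            *_*) lo=${entry%_*}; hi=${entry#*_}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Combined check: exit 0 and say so if sshd's port is allowed, otherwise
# print a warning on stderr and exit 1 (do not restart apf in that case).
check_ssh_allowed() {
    port=$(sshd_port "$1")
    list=$(apf_ingress_tcp "$2")
    if port_in_list "$port" "$list"; then
        echo "ok: sshd port $port is in IG_TCP_CPORTS=\"$list\""
        return 0
    fi
    echo "WARNING: sshd port $port is NOT in IG_TCP_CPORTS=\"$list\"" >&2
    return 1
}

# Demo on constructed files (these are not real server configs).
demo_dir=$(mktemp -d)
printf 'PermitRootLogin no\nPort 2222\n' > "$demo_dir/sshd_config"
printf 'IG_TCP_CPORTS="22,80,443"\n' > "$demo_dir/conf.apf.bad"
printf 'IG_TCP_CPORTS="80,443,2000_2300"\n' > "$demo_dir/conf.apf.good"
check_ssh_allowed "$demo_dir/sshd_config" "$demo_dir/conf.apf.bad" || :   # warns
check_ssh_allowed "$demo_dir/sshd_config" "$demo_dir/conf.apf.good"       # ok
rm -rf "$demo_dir"
```

On a real host you would call check_ssh_allowed /etc/ssh/sshd_config /etc/apf/conf.apf and only run apf -r when it exits 0. The check reads the configured port rather than trusting memory, which is exactly the mistake the lockout warning above is about.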
---------------------------------------------
To start APF
At command prompt type: /usr/local/sbin/apf -s
APF commands are:
-s start
-r restart
-f flush all rules (stop)
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST
Log out of SSH and then log in again to confirm the firewall still lets you in.
While DEVM="1" (development mode) APF flushes its rules from cron every 5 minutes, which is what protects you from a lockout at this stage. Once you are sure everything is working fine, turn development mode off:
At command prompt type: cd /etc/apf
At command prompt type: pico -w conf.apf
Scroll down and find
DEVM="1"
change it to
DEVM="0"
Save changes, exit and then restart firewall,
At command prompt type: /usr/local/sbin/apf -r
PS: Type "iptables --list" and you will see the dangerous IP ranges from the DShield list being blocked.
----------------------------------------------------
Install BFD (Brute Force Detection)
To install BFD, SSH into the server and log in as root.
At command prompt type: cd /root/
At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
At command prompt type: tar -xvzf bfd-current.tar.gz
At command prompt type: cd bfd-0.4
PS: as with APF, the directory name carries the version bundled in bfd-current.tar.gz; run ls if it differs.
At command prompt type: ./install.sh
After BFD has been installed, you need to edit the configuration file.
At command prompt type: pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"
Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"
Save the changes then exit.
To start BFD
At command prompt type: /usr/local/sbin/bfd -s
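As an added example of the logic BFD performs (this is illustration code, not BFD's own script), the following POSIX shell snippet counts failed sshd logins per source address over a few constructed log lines, compares each count to a threshold, and prints the apf deny command it would issue for each offender, skipping addresses on a trusted list (for example your own admin workstation). The sample log lines, the threshold and the trusted list are all made up for the demo; a real run would read the actual auth log and execute the apf call instead of echoing it.

```shell
#!/bin/sh
# Added example, not BFD's own code: the core of what a brute-force detector
# does, run over constructed sshd log lines. Counts "Failed password" events
# per source IP and lists the sources at or above a threshold; the ban step
# is a dry run that only prints the apf command it would issue.

# Constructed sample of /var/log/secure-style sshd lines (not from a real host).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:06 host sshd[4105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:01:07 host sshd[4106]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:09 host sshd[4108]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar  3 10:01:11 host sshd[4110]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:01:12 host sshd[4112]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar  3 10:01:15 host sshd[4114]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2'

# Read log lines from stdin and print "count ip", highest count first, for
# every source with at least THRESHOLD failed passwords. The address is taken
# from the token after "from", never from the attacker-controlled username.
failed_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Return 0 if IP is one of the trusted addresses given as further arguments.
is_trusted() {
    ip=$1; shift
    for t in "$@"; do [ "$t" = "$ip" ] && return 0; done
    return 1
}

# Dry-run ban planner: usage  plan_bans THRESHOLD [TRUSTED_IP ...]  < logfile
# Prints the apf deny command for each offending, non-trusted source.
# A real deployment would run /usr/local/sbin/apf -d "$ip" here instead.
plan_bans() {
    threshold=$1; shift
    failed_sources "$threshold" | while read -r count ip; do
        if is_trusted "$ip" "$@"; then
            echo "skip $ip ($count failures, trusted)"
        else
            echo "/usr/local/sbin/apf -d $ip"
        fi
    done
}

# Demo: threshold 2, with 192.0.2.9 treated as a trusted admin address.
echo "$SAMPLE_LOG" | plan_bans 2 192.0.2.9
```

Two things this shows that BFD's config alone does not: the parse anchors on the sshd process tag and the "from" token, so a username like "from 1.2.3.4" chosen by an attacker cannot poison the count, and a trust list is consulted before any ban, because a detector that can ban your own address is a self-inflicted denial of service. BFD additionally remembers how far into each log it has already read, so it does not recount old failures on every run.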
----------------------------------------------------
Log checking: these are the log files written by APF and BFD
/var/log/apf_log
/var/log/bfd_log
Check them daily.