Advanced Policy Firewall

Advanced Policy Firewall

  1. Login to your server via shell as the root user.
  2. Download the APF version 0.9.7-1 (most current version todate) to your system
  3. bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

  4. Now you have to extract the tar file
  5. bash# tar -zxf apf-current.tar.gz

  6. Go to the APF directory
  7. bash# cd apf-0.9.7-1

  8. Run the code for installation
  9. bash# ./install.sh

    You will be alerted when the installation is complete.

    Install path : /etc/apf
    Config path : /etc/apf/conf.apf
    Executable path : /usr/local/sbin/apf

  10. Modify the APF config file according to your user defined requirements.
  11. bash# vi /etc/apf/conf.apf

    (Hit i to enter the INSERT mode)

  12. Add in the ports you want to open for inbound (INGRES).
  13. # Common ingress (inbound) TCP ports

    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,
    995,2082,2083,2086,2087,2095,2096,3306,6666"

    # Common ingress (inbound) UDP ports

    IG_UDP_CPORTS="21,53,465,873"

    # Common ICMP (inbound) types

    IG_ICMP_TYPES="3,5,11,0,30,8"

    The variables mentioned above are already present in the configuration file. You can customize the ports.

  14. You have to particularly instruct APF to monitor outgoing (EGRESS) ports as well.
  15. Change the line: EGF="0" to EGF="1"

  16. Specify the outbound ports to monitor.
  17. # Common egress (outbound) TCP ports

    EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

    # Common egress (outbound) UDP ports

    EG_UDP_CPORTS="20,21,53,465,873"

    # Common ICMP (outbound) types

    EG_ICMP_TYPES="all"

  18. Specify the ports you want to block, if any.

    The allow and deny trust files are located at:
    /etc/apf/allow_hosts.rules
    /etc/apf/deny_hosts.rules
    You just have to list the ip's that you specifically wish to allow or deny in the respective files.

    The format of these files are line-separated addresses, IP masking is supported.

    Example:
    24.202.16.11
    24.202.11.0/24

    Save and exit - hit 'esc' :wq 'enter'

  19. Start APF
  20. bash# /usr/local/sbin/apf -s

  21. If all goes well, edit the config file and change the developer mode to 0
  22. bash# vi /etc/apf/conf.apf

    (Hit i to enter insert mode)

    Change DEVM="1" to DEVM="0"

    Save and quit - Hit 'esc' :wq 'enter'

  23. Restart APF
  24. bash# /usr/local/sbin/apf -r

This is a list of ports you may want to exclude as they are required for the usage of Cpanel

  • 1 & 111 Portscanner (to detect scans)
  • 20 ftp tcp inbound/outbound
  • 21 ftp tcp,udp inbound/outbound
  • 22 ssh tcp inbound
  • 25 smtp tcp inbound/outbound
  • 26 smtp tcp inbound/outbound
  • (this port is only needed to be open if the option in cpanel to run exim on port 26 is used.)
  • 37 rdate tcp outbound
  • 43 whois tcp outbound
  • 53 DNS tcp/udp inbound/outbound
  • (inbound is only needed if you run your own public DNS server)
  • 80 http tcp inbound/outbound
  • 110 pop3 tcp inbound
  • 113 ident tcp outbound
  • 143 imap4 tcp inbound
  • 443 https tcp inbound
  • 465 smtp tls/ssl tcp/udp inbound/outbound
  • 873 rsync tcp/udp outbound
  • 993 imap4 ssl tcp inbound
  • 995 pop3 ssl tcp inbound
  • 2082 cpanel tcp inbound
  • 2083 cpanel ssl tcp inbound
  • 2086 whm tcp inbound/(outbound for DNS cluster)
  • 2087 whm ssl tcp inbound/(outbound for DNS cluster)
  • 2089 cp licence tcp outbound (see below*)
  • 2095 Webmail tcp inbound
  • 2096 Webmail SSL tcp inbound
  • 3306 mysql tcp (only if you need to connect remotely)
  • 6666 chat tcp inbound
  • 9898 AIM tcp outbound
  • 13 Els usuaris han Trobat Això Útil
Ha estat útil la resposta?

Articles Relacionats

..htaccess guidance

  .htaccess guidance .htaccess is a special Apache file that tells your website how to...

Linux Sites preview Offline

Linux Site's Preview Offline   http://IP_address/~UserName OR http://ServerName/~userName...

How to scan your website's data from CPanel?

Welcome the comprehensive step-by-step guide by our web hosting company on how to scan your...

How Can I Download a Backup of Full cPanel Account Using FTP?

If you want to download a backup of your website using FTP, please follow these easy steps below:...

How to create an addon domain?

An add-on domain is a fully functional domain and it can be created by using your Cpanel. Add-on...