How do I install APF firewall into the VE?

The installation of APF requires some additional steps to be taken on the hardware node.

1. First of all, you should define which iptables modules are available for VEs.

Edit /etc/sysconfig/iptables-config file on a Virtuozzo hardware node:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Edit /etc/sysconfig/vz file on a Virtuozzo hardware node:
IPTABLES="ipt_REJECT
ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Please note – iptables modules list in IPTABLES and IPTABLES_MODULES parameters in /etc/sysconfig/vz and /etc/sysconfig/iptables-config files should be placed in one single line, no linebreaks is allowed in this parameter.

Restart Virtuozzo. All VEs will be restarted.
# service vz restart

2. Increase ‘numiptent’ parameter for the VE you need to install APF into. This parameter limits the amount of iptables rules available for a VE. Default APF configuration requires ~400 rules. Lets set it to 400 in the example below for VE #101:
# vzctl set 101 --numiptent 400 --save

3. Install APF inside the VE. Edit /etc/apf/conf.apf inside VE, set the following parameters:
IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"

4. Start APF inside the VE:
# /etc/init.d/apf start

Uninstall APF

Sometimes we may require to remove APF from the server. Here is a guide which shows how to remove APF completely from the server.

Stop the firewall first
service apf stop
/bin/rm -rfv /etc/apf
Remove the cron for APF
/bin/rm -fv /etc/cron.daily/fw
/bin/rm -fv /etc/init.d/apf
lastly disable at startup
chkconfig apf off

This should remove APF completely from the server as we removed the APF daemon, cron and files.

cPanel required ports list

Cpanel required ports list

PortServiceProtocolDirectionNotes
20ftptcpinbound/outbound
21ftptcp,udpinbound/outbound
22sshtcpinbound
25smtptcpinbound/outbound
26smtptcpinbound/outbound
37rdatetcpoutbound
43whostcpoutbound
53DNStcp/udpinbound/outbound Inbound only needed if you run your own DNS server
80httptcpinbound/outbound
110pop3tcpinbound
113identtcpoutbound
143imap4tcpinbound
443httpstcpinbound
465smtptcp/ssl, tcp/udpinbound/outbound
873rsynctpc/udpoutbound
993imap4ssl tcpinbound
995pop3ssl tcpinbound
2082cpaneltcpinbound
2083cpanelssl tcpinbound
2086whmtcpinbound
2087whm ssltcpinbound
2089cp licensetcpoutbound
2095webmailtcpinbound
2096webmailssl tcpinbound
3306mysqltcpinboundOnly if you need to connect remotely
6666chattcpinbound

DoS: looking at open connections

Here is a command line to run on your server if you think your server is under attack. It prints our a list of open connections to your server and sorts them by ammount.

RedHat: netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na |awk ‘{print $5}’ |cut -d “.” -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk ‘{print $4 }’ | sort -n | uniq -c | sort

These are few step to be taken when you feel the server is under attack:
——————————————————————————-
Step 1: Check the load using the command “w”.
Step 2: Check which service is utilizing maximum CPU by “nice top”.
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {‘print $5’}|cut -d”:” -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables “apf -d < IP>” )
——————————————————————————-

You can also implement security features in your server like:

1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.

You can block the IP which is attacking your server using Ipsec from command prompt.
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========