One of the Best Firewalls for a Web Server and Its Installation

APF (Advanced Policy Firewall) is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. It is packaged in tar.gz and RPM formats, which makes APF ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure the APF firewall,
one of the better known Linux firewalls available.

Requirements:

Root SSH access to your server

Log in to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed:

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured;
they are simply presented for information purposes. You must manually configure all port options.

6. Let’s configure the firewall: vi /etc/apf/conf.apf
We will go over the general configuration to get your firewall running.
This isn’t a complete, detailed guide to every feature the firewall has.
Look through the README and the configuration file for an explanation of each feature.

We like to use DShield.org’s “block” list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Ensim Servers
We have found the following can be used on Ensim Servers -
although we have not tried these ourselves as I don’t run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall

9. After everything is fine, change the DEVM option
While DEVM is set to "1", cron clears the firewall automatically every 5 minutes.
We recommend changing it to "0" after you’ve had a chance to ensure everything
is working well and have tested the server out.

vi /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Configure AntiDOS for APF
The AntiDOS feature is relatively new to APF and can be found in /etc/apf/ad
The log file is located at /var/log/apfados_log, so you might want to make a note of it and watch it!

vi /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with, but I’ll cover the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts.

# User for alerts to be mailed to
USR="your@email.com"
Enter your email address to receive the alerts.

Save your changes! Ctrl+X then press Y
Restart the firewall: /usr/local/sbin/apf -r

11. Checking the APF Log

The log shows any changes to allowed and denied hosts, among other things.
tail -f /var/log/apf_log

Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123

12. New – Make APF Start automatically at boot time
To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf

13. Denying IPs with APF Firewall (Blocking)
Now that you have your shiny new firewall you probably want to block a host, right?
Of course you do! With this new version, APF now supports comments as well.
There are a few ways you can block an IP; I’ll show you 2 of the easier methods.

A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is a comment saying why the IP is being blocked
These rules are loaded right away into the firewall, so they’re instantly active.
Example:

./apf -d 185.14.157.123 TESTING

pico /etc/apf/deny_hosts.rules

Shows the following:

# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123

B) vi /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block.
Before this becomes active though you’ll need to reload the APF ruleset.

/etc/apf/apf -r

14. Allowing IPs with APF Firewall (Unblocking)

I know, I know: you added an IP and now you need it removed right away!
You need to manually remove blocked IPs from deny_hosts.rules.
A)
vi /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP.
After this is done save the file and reload apf to make the new changes active.

/etc/apf/apf -r

B) If the IP isn’t already listed in deny_hosts.rules and you wish to allow it,
this method adds the entry to allow_hosts.rules:

/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is a comment saying why the IP is being unblocked
These rules are loaded right away into the firewall, so they’re instantly active.
Example:

./apf -a 185.14.157.123 UNBLOCKING

pico /etc/apf/allow_hosts.rules

# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123

Posted by ZACH - November 8, 2011 at 2:15 pm

Tips for Postfix Installation on Linux ( IMAP and Webmail)

This tutorial shows how to set up a small mail server very quickly on a Fedora Core 6 system. If you run a different distribution, you will have to use the package manager specific to your distro or search for and install the source packages. However, the configuration files are (usually) in the same locations. After following this tutorial, you will have:

- MTA: Postfix
- SMTP Authentication: Cyrus SASL
- IMAP and POP3: Dovecot
- Webmail: Squirrelmail

Installing packages

- Install the needed packages using YUM: Login as root and type the following command in a terminal:

# yum install postfix dovecot cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-lib squirrelmail

It doesn’t matter if you have one or more packages already installed as yum will skip those and install only the missing ones.

- Change the default MTA: Type the following command in a terminal and choose postfix:

# system-switch-mail

- Add Postfix and Dovecot (and optionally httpd if you also chose to install the webmail) to startup: First, make sure they are in the services list:

# chkconfig --list | grep postfix
# chkconfig --list | grep dovecot
# chkconfig --add postfix (only if necessary)
# chkconfig --add dovecot (only if necessary)

Then add them for init levels 3 and 5, just in case you will change your init level:

# chkconfig --levels 35 postfix on
# chkconfig --levels 35 dovecot on
# chkconfig --levels 35 httpd on

Configuring Postfix

- Edit /etc/postfix/main.cf and change the following values. These are the basic values that need editing in order to get you going really fast. Don’t edit other values unless you know what you’re doing:

myhostname = mail.example.com
This is only an example. Replace mail.example.com with your real Internet hostname or IP address. This will be the address that receives the mails.

mydomain = example.com
Optional. Replace example.com with your real domain name. This will be the domain your mails appear to be sent from. It can also be used as the destination.

inet_interfaces = all
This parameter specifies the address used for receiving mail.

mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
This parameter specifies the list of domains that this machine considers itself the final destination for. You can enter here all the hostnames pointing at your IP address but DON’T specify the names of domains that this machine is backup MX host for.

home_mailbox = Maildir/
This specifies the path where the mail is stored. Mailbox will store the mail to /var/spool/mail/user or /var/mail/user, while Maildir/ (the / is required) will store the mail in each user’s home directory (/home/user/Maildir).

- Save the file and restart Postfix with:

# service postfix restart

- Test it: Run the following command and check /root/Maildir/new for a message. You can read it using less, cat or a text editor:

# echo "Hello" | mail root

Configuring Dovecot

- Edit /etc/dovecot.conf and change the following line:

protocols = imap pop3
Don’t leave the ‘#’ in front

- Test and start Dovecot:

# echo "Hello" | mail username
‘username’ is a NON-ROOT user so you might have to create one.

- Start Apache for webmail and Dovecot:

# service httpd start
# service dovecot start

- Test it: Open your favorite browser and go to http://your.hostname.com/webmail and log in with the NON-ROOT user and password. If everything worked out well, you should have a new mail in your inbox.

Enable SMTP Authentication

- Edit the /etc/postfix/main.cf file and add these lines at the bottom of the file:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains

- Start the saslauthd daemon and reload Postfix:

# service saslauthd start
# service postfix reload

Everything should work fine now. Open your favorite email client (Thunderbird, KMail etc) and set your account as follows:

Incoming
Name: Your name
Email address: The-NON-ROOT-user@example.com
Account password: your-linux-password-for-the-non-root-user
Server type: POP
Incoming server: mail.example.com

Outgoing
Description: Something
Server address: mail.example.com
Port: 25
Check “My SMTP server requires authentication”
Username: The-NON-ROOT-user@example.com
Password: your-linux-password-for-the-non-root-user
Choose “PLAIN” for authentication type.

If you want root’s mail delivered to your non-root user’s maildir, edit the /etc/aliases file, uncomment the root line so that it looks like this, and reload Postfix.

root: non-root-user

Sample main Postfix configuration

Here armiamail.com is the local domain
hostname: smtp.armiamail.com

==================================

myhostname = smtp.armiamail.com

myorigin = armiamail.com

inet_interfaces = all

mydestination = armiamail.com, smtp.armiamail.com, localhost, localhost.localdomain.com

mynetworks = 192.168.0.0/24, 127.0.0.0/8

# Relay to outside domain
relay_domains = $mydestination armia.com

home_mailbox = Maildir/

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = smtp.armiamail.com
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains

==========================================

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = armiamail.com, smtp.armiamail.com, localhost, localhost.localdomain.com
myhostname = smtp.armiamail.com
mynetworks = 192.168.0.0/24, 127.0.0.0/8
myorigin = armiamail.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
relay_domains = $mydestination armia.com yahoo.com gmail.com rediffmail.com
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = smtp.armiamail.com
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
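
The sample output above makes the server relay to outside domains (relay_domains lists yahoo.com, gmail.com and others) and enables SASL PLAIN on port 25. As an added example, not part of the original post, the following shell function reads postconf -n output and flags those settings; the function name, the finding labels and the tightened sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): read `postconf -n` output on
# stdin and report relay-related settings worth reviewing.
postfix_relay_audit() {
    awk '
    / = / {                           # postconf prints "name = value"
        val = $0
        sub(/^[^=]*= */, "", val)
        conf[$1] = val
    }
    END {
        # Domains the server relays to without being their final destination.
        n = split(conf["mydestination"], d, /[ ,]+/)
        for (i = 1; i <= n; i++) isLocal[d[i]] = 1
        n = split(conf["relay_domains"], r, /[ ,]+/)
        extra = ""
        for (i = 1; i <= n; i++)
            if (r[i] != "" && r[i] !~ /^\$/ && !(r[i] in isLocal))
                extra = extra " " r[i]
        if (extra != "") print "RELAY_EXTRA" extra

        # check_relay_domains is deprecated; reject_unauth_destination replaces it.
        # Only explicitly set restriction lists are judged (postconf -n hides defaults).
        restr = conf["smtpd_recipient_restrictions"] " " conf["smtpd_relay_restrictions"]
        if (restr ~ /check_relay_domains/) {
            print "DEPRECATED check_relay_domains"
        } else if (restr ~ /[a-z]/ && restr !~ /reject_unauth_destination/) {
            print "MISSING reject_unauth_destination"
        }

        # SASL PLAIN without mandatory TLS sends the account password in clear text.
        if (conf["smtpd_sasl_auth_enable"] == "yes" && conf["smtpd_tls_auth_only"] != "yes")
            print "SASL_WITHOUT_TLS"
    }'
}

# Constructed input: the relay-related lines of the postconf -n output above.
page_config() {
    cat <<'EOF'
mydestination = armiamail.com, smtp.armiamail.com, localhost, localhost.localdomain.com
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination armia.com yahoo.com gmail.com rediffmail.com
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
EOF
}

# Constructed counter-example, not the author's configuration. It assumes TLS
# certificates are already set up, which smtpd_tls_auth_only depends on.
tightened_config() {
    cat <<'EOF'
mydestination = armiamail.com, smtp.armiamail.com, localhost
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
EOF
}

page_config | postfix_relay_audit
```

On a live server the same function can be fed directly: postconf -n | postfix_relay_audit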

Posted by ZACH - at 1:52 pm

Setting Up Squirrelmail Using Exim

1) Download and unpack

Get the tar.gz from here: http://www.squirrelmail.org/

Move it to the “DocumentRoot” location specified in the apache config ( see /etc/httpd/conf/httpd.conf). Default is /var/www/html/.

Unpack:
tar -xvzf name.tar.gz

Don’t forget to remove the tar file (rm name.tar.gz)

Change the user and group for the directory:
chown -R root:apache squirrelmail-version

2) Create attachments directory

cd into the squirrelmail directory created. Make the attachments directory:
mkdir attachments

3) Set permissions and owner

The user the web server runs as must have rights to the data and attachments directories. If you use the Red Hat httpd-*.rpm the default is apache for both user and group.

chown -R apache:apache data attachments
chmod -R 1770 data attachments

4) Install perl if it is not (or see the Squirrelmail website for manually editing the config)

Should be self explanatory.

5) Run the configuration script

cd into the config directory. To configure, type:
perl conf.pl

At minimum you need to change:

* Menu 2 – Server Settings
  o Domain: your.domain
  o Use Sendmail/SMTP: SMTP (I’m using Exim 4.x)
  o Server (in IMAP Settings): xxx
    (I’ve tested both uw and courier, and for a bit, exchange)
* Menu 4 – General Options
  o Attachment Directory: ../attachments/

The rest is up to you. Don’t forget to save before you exit.

Note: In order to clean up the way some imap clients present the user’s mailbox I have changed:

* Menu 3 – Folder Defaults
  o 1. Default Folder Prefix: INBOX. (for Courier or mail/ for UW)
  o 3. Trash Folder: Trash
  o 4. Sent Folder: Sent
  o 5. Drafts Folder: Drafts
  o 12. Default Sub. of INBOX : true (for courier)
  o 13. Show ‘Contain Sub.’ Option: true (for uw)

In regard to shared folders, for UW-IMAP see #11 in Setting up UW-IMAP on how to make public folders appear. For Courier-IMAP I use:

o 1. Default Folder Prefix: (none)
o 2. Show Folder Prefix Option : false
o 3. Trash Folder : INBOX.Trash
o 4. Sent Folder : INBOX.Sent
o 5. Drafts Folder : INBOX.Drafts
o 12. Default Sub. of INBOX : true

6) Check php.ini

With pre-1.2.9 I had to set register_globals = On. This file should be in /etc.

With 1.2.9 and later I was able to turn register_globals=Off.

7) Check that DirectoryIndex has index.php added in httpd.conf

This will be in /etc/httpd/conf

8) Test

Point your web browser at:

http://server_name_or_ip/squirrelmail_dir/

If the squirrelmail page loads, try to login. If you can’t login, check that imap is enabled in xinetd.d/imap if using uw-imap (tip: restart xinetd) or courier is started and that you can use an email client to login.

If you see code, php isn’t working or isn’t installed. If you see files, check step 7. See the squirrelmail, apache, and php web sites for more troubleshooting and configuration tips.

9) Rename directory as desired

Once you have the basics working you can rename the squirrelmail directory that was created. By waiting until this point you can effectively test before replacing any existing installation. To rename it, cd back to the DocumentRoot (i.e. /var/www/html) so that you can see the squirrelmail directory. Now issue:
mv oldname newname

Of course replace “oldname” and “newname” with the correct entries.

10) Add plugins as desired

There is lots of stuff out there for Squirrelmail. It comes with a few and there are more at the web site. I’m using:
delete_move_next
newmail
squirrelspell
message_details
msg_flags
folder_sizes
secure_login
compatibility
newuser_wiz
filters (with the spam rbl filtering turned off in its setup.php file)
vacation_exim (plugin I wrote to work with Exim’s autoreply transport and .forward files)

To install what you download, place them in (DocumentRoot)/(squirrelmail dir)/plugins. Next, unpack them:
gunzip name.tar.gz
tar -xvf name.tar

You can now remove the tar files if you like (rm *.tar).

Enter the directory created for the plugin and read the README and/or INSTALL file. Some plugins require you to configure some things in one of their files.

Then re-run conf.pl (see step 5) and add them to the list by typing in the number. To remove, reverse the process. Note that you will not see some of what you installed on the web page until you enable it through Options, such as for folder_sizes.

11) Upgrading

* Download and extract the new version of Squirrelmail.
* cp old_dir/config/config.php new_dir/config/
* cp old_dir/data/* new_dir/data/
* cd new_dir
  mkdir attachments
  chown -R apache:apache data attachments
  chmod -R 1770 data attachments
* Check for new versions of plugins. Use new versions if available, else:
  cp -r old_dir/plugins/plugin_to_keep new_dir/plugins/
  If using new, remember to configure them where applicable.
  If using the msg_flags plugin, remember to modify the Squirrelmail files it requires changed.
* Make the same changes to any files you customized in the old version.
* Run perl conf.pl in new_dir/config/. Review all settings to make sure they are correct and nothing has changed.
* Point your browser to the new_dir to make sure everything works.
* Fix anything that is broken and test again.
* mv old_dir backup_name
  mv new_dir old_dir_name

12) Miscellaneous

* To get Squirrelmail -> Compose -> Addresses to search your LDAP address book in company as well as name, edit functions/abook_ldap_server.php. Change:
$expression = "cn=$expr";
to:
$expression = "(|(cn=$expr)(o=$expr))";

Posted by ZACH - November 4, 2011 at 9:22 am

Test and Install LWP module for Perl

The easiest way to install Perl modules is by installing them through “shell”. Let us say that you are trying to install very common module called: LWP

You can test to see if you have LWP installed by typing:
perl -MLWP -le "print(LWP->VERSION)"

If you get something like “Can’t locate LWP.pm in @INC”, it means that you don’t have it installed. To install LWP, type:

perl -MCPAN -eshell

NOTE: most times it is okay for you to accept the default answers to the questions cpan asks.
You can read through cpan help by typing “h” without the quotes at cpan> prompt.

To continue installing LWP, type:

install Bundle::LWP

After a few questions and some text scrolling, you will have LWP installed. If for some reason you don’t want to do it this way, you can always obtain the source for the module you are trying to install and build it from the source files. You can obtain these files from the CPAN site.

Posted by ZACH - at 9:13 am

Reduce Memory Usage on PHP Script

Eaccelerator is a PHP accelerator/encoder/caching utility that is based off of the old mmcache (which is no longer being maintained).

What Eaccelerator does is: it caches your PHP scripts so that the database is no longer being queried every time someone needs a script. This is particularly useful for large forums, but pretty much anyone can benefit from it. Since these scripts are cached, you’ll notice a decrease in memory use and server load.

Installing Eaccelerator

1. First, you’ll want to SSH into your server as the root user. You should
be in the default directory now. If you’re not, type in cd ~

2. Now we’ll make the eaccelerator directory:

mkdir /ea/

cd /ea/

2. Now we’ll grab the files, and untar them:
Notice that it’s a tar.bz2 file, so we need to decompress it twice.

wget http://heanet.dl.sourceforge.net/source … c1.tar.bz2

bzip2 -d eaccelerator-0.9.4-rc1.tar.bz2

tar xvf eaccelerator-0.9.4-rc1.tar

3. Now that we’ve done that, let’s install Eaccelerator:
Note: in the following “export” command, you need to point that to where
PHP is installed. For most, it’s usually either “/usr” or “/usr/local”, but
it may be something else.

cd eaccelerator-0.9.4-rc1/

export PHP_PREFIX="/usr"

$PHP_PREFIX/bin/phpize

./configure --enable-eaccelerator=shared \
--with-php-config=$PHP_PREFIX/bin/php-config

make

make install

4. It’s basically installed, now we need to edit the php.ini files to
include Eaccelerator. This is usually found in the /etc/ folder, but if
you can’t find it, run a “locate php.ini” (without quotes) to find it.
I’m editing my file with nano, which pretty much anyone with a modern
server should have. You can use pico or vi, it’s your choice:

cd ~

nano /etc/php.ini

Now find ;Windows Extensions (press ctrl + W). Remove the mmcache lines
(if you had it installed before) above this and…

----------------------------------------------------------------------------
For a PHP extension install (most will probably want this)
----------------------------------------------------------------------------

extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

----------------------------------------------------------------------------
For a Zend extension install (only if you have Zend installed, or
if you’re going to install it)
----------------------------------------------------------------------------

zend_extension="/usr/lib/php4/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

5. Now we need to make the cache directory, where the cache files will be
stored.

cd ~

mkdir /tmp/eaccelerator/

chmod 0777 /tmp/eaccelerator/

6. Yay, it’s installed! Let’s restart Apache now so that Eaccelerator will
start working:

service httpd restart

cp /ea/eaccelerator-0.9.4-rc1/eaccelerator.php /usr/local/apache/htdocs/
-----------------------------
7. You *should* notice some sort of speed boost or that the server
load/memory use has decreased. But let’s just make sure that it’s
installed properly.

Open up your favorite FTP client and upload the eaccelerator.php and
eaccelerator_password.php files to any directory on your website. I
uploaded mine to my forum directory, but you can pretty much place them
anywhere in the public_html directory.

Once that’s done, you can go to

http://www.your-domain.com/path_to_s…ccelerator.php (of course,
replacing that with the path to the script) to see if it’s installed. If
it’s installed properly, you’ll see a screen like this:

Otherwise, you’ll see a screen saying that it’s not installed. You have to
go back through the instructions, retry it and see if that works. Check to
make sure that you specified the right directories and files in the
instructions above!

Now, we’ll probably want to add a password to prevent some mean user from
clearing the cached scripts or causing other bad stuff to happen. Navigate
to the eaccelerator_password file and set an administrator name and
password.

This doesn’t set the password, but it gives you a line of code to place in
your php.ini file (just below the eaccelerator part). Once you do this,
you need to log in to view the eaccelerator page.

After you’re done, you can delete or rename this file, but it’s not required.
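
Step 5 makes the cache directory world-writable, which lets every local account create or replace files in it. As an added example (not part of eAccelerator or of the original post), the following check reports that condition for the directory named in eaccelerator.cache_dir; the function name and the finding labels are assumptions, and the demonstration runs in a scratch directory.

```shell
#!/bin/sh
# Added example (not part of eAccelerator): review the permissions of the
# directory named in eaccelerator.cache_dir.

# cache_dir_findings DIR OWNER_UID
#   Prints one finding per line. Prints nothing when DIR is a real directory
#   that is owned by OWNER_UID and writable by its owner only.
cache_dir_findings() {
    dir=$1
    want_uid=$2
    if [ -L "$dir" ]; then echo "SYMLINK"; return 0; fi
    if [ ! -d "$dir" ]; then echo "NOT_A_DIRECTORY"; return 0; fi
    # ls -ldn prints the mode string first and the numeric owner third,
    # e.g. "drwxrwxrwx 2 48 48 ...". Character 6 is group write, 9 is
    # world write, 10 is world execute or the sticky bit (t/T).
    ls -ldn -- "$dir" | awk -v want="$want_uid" '{
        mode = $1
        if (substr(mode, 9, 1) == "w") {
            print "WORLD_WRITABLE"
            if (substr(mode, 10, 1) !~ /[tT]/) print "NO_STICKY_BIT"
        }
        if (substr(mode, 6, 1) == "w") print "GROUP_WRITABLE"
        if ($3 != want) print "OWNER_MISMATCH uid=" $3
    }'
}

# Constructed demonstration in a scratch directory: first the mode from
# step 5, then owner-only access.
demo=$(mktemp -d)
mkdir "$demo/cache"
chmod 0777 "$demo/cache"
echo "mode 0777:"; cache_dir_findings "$demo/cache" "$(id -u)"
chmod 0700 "$demo/cache"
echo "mode 0700:"; cache_dir_findings "$demo/cache" "$(id -u)"
rm -rf "$demo"

# On the server itself, assuming the web server runs as the apache user:
#   cache_dir_findings /tmp/eaccelerator "$(id -u apache)"
```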

Posted by ZACH - at 8:46 am