Installing Advanced Policy Firewall on Media Temple
Prerequisites
- 6 pack of beer or other alcoholic beverage (as this is really boring)
- About an hour of your time (allowing time for drifting off and watching tv)
- Large blunt object (hands will do) for mashing keyboard
- (mt) Developer tools installed
- (mt) SSH Access
- (mt) slow bleeding brain hemorrhage.
- Access to the internet (HAHAHAHA)
Let’s start with a basic explanation. APF (Advanced Policy Firewall) will not stop your server being hacked (funnily enough neither will Media Temple, as I quickly found out), but it adds an extra layer of defence and it chews up less processor time than the standard PSA (Plesk) firewall.
I like steps and so do most people, but a bit of preliminary checking is required. A lot of this is relevant to anyone installing APF on a Plesk server via shell, but there are differences.
Firstly, this article is written SPECIFICALLY for people using CentOS on a Media Temple virtual dedicated Plesk server, because it’s harder than normal. I’ll point out the parts that are not relevant for people on NON VIRTUAL servers. Hardware servers are so much fucking easier.
Anyway the steps...
- Go to http://rfxnetworks.com/apf.php and have a quick skim read of what it does and make sure you agree to the terms of usage (which is basic GPL).
- Now login to your shell (SSH) using something like PuTTY or whatever your SSH client is called. On an (mt) server you will have to have requested that Dev Tools are installed and requested root shell access. Anyone on a hardware server or with a host that lives on this planet will have been provided these already.
- Change your current directory to the root folder and make a new folder that will store all your crap from this point (feel free to copy and paste the commands).
cd /
mkdir downloads
cd downloads
- Now download the tar.gz file to your server. On (mt) you can’t install RPMs as the server’s a pain in the arse (not the technical reason).
wget http://www.r-fx.ca/downloads/apf-current.tar.gz
- A bunch of lines moving across a screen later, and a quick “ls” will show you that you now have apf-current.tar.gz in your downloads folder.
Now we unzip it. If you’re not Unix savvy (like most normal people with lives) then have a quick read of http://meta.freeciv.org/unzipping.html, or just continue to follow my lead.
TAR, GZIP, BZ2, RAR are all just other archive formats, like WinZip’s .zip.
So to unzip we type:
tar zxvf apf-current.tar.gz
You’ll learn this quite quickly as we’ll use it a lot in this series (yes, I’m writing more).
- Now type ls again and see that it’s created a directory; this contains all the files that came out of the archive.
So cd apf-0.9.6-2 (you may need to change that name to match what ls shows) and once in the directory type:
sh install.sh
Now this fails for me for some reason so I usually just type ./install.sh; whichever works for you is fine with me.
- Now we’d all like to think it was over, but I did say it was a pain.
Firstly I’m going to clean-up on the shit way I had to learn to do this.
Basically the kernel in a virtual server is owned by the main server so we don’t have the pleasure of a proper setup; in some ways hardware value servers are better (Aplus.net).
So if you run the firewall now it will just cop out.
We need to edit the config file, which should be here (we’ll use vi as everyone has it):
vi /etc/apf/conf.apf
If you’re on a solid state (hardware) server skip to the end.
- Now you should be seeing a big ugly version of Notepad; press a.
This will give you a BLOCK that moves with the cursor. Don’t use HOME, END etc., nothing is as it seems. Just move the BLOCK with the cursor keys.
- Firstly, as you have no real kernel we need to tell the software this, so if you have the block on the screen press ESCAPE as we don’t need to type yet, then press SHIFT and the ?/ key to bring up the question mark at the bottom left of your terminal.
Now type monokern and press enter.
It should take you to the line that says Monokern="0"; change this to a 1.
- As we’re on a virtual server there’s no eth0 (Ethernet card 0, aka default), so we need to scroll up (press a then up on the cursor) to where it says IFACE_IN/IFACE_OUT; if you’re adventurous you can use the ? search again.
- Now change eth0 to venet0 (you can get this value from PLESK -> Server -> IP Address Management, the Interface column in the table).
- The next thrilling task is to add your ports, WOOHOO I hear you shout.
Feel free to add more ports if you’re using it as a game server or for any other bizarre purpose.
Change the Common ingress line to something like...
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
We need 8443 for the Plesk admin so don’t remove that, or 80 (web), 20,21,22 (ftp/ssh) and 443 (SSL).
- Now scroll to the top of the file and change DEVEL to 0 so it doesn’t cron the firewall to flush-restart every 5 minutes.
To exit vi press ESCAPE then COLON (:) and type wq (lowercase); if all is well it will save and quit.
- Nearly there (thank god): vi /etc/sysconfig/iptables-config (if you’re on a virtual server).
And change the IPTABLES_MODULES line, which is empty (based on an mt server), to:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
Probably a good idea to set :
IPTABLES_SAVE_ON_RESTART="yes"
Then exit vi (escape -> :wq).
Then it’s good practice to restart the service.
/sbin/service iptables restart
- Now to test/restart your firewall...
/usr/local/sbin/apf -r
- You should receive something like this:
apf(12149): {glob} fast load snapshot saved
apf(12149): {glob} flushing & zeroing chain policies
apf(12149): {glob} firewall offline
apf(12190): {glob} activating firewall, fast load
apf(12190): {glob} firewall initialized
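Before you run apf -r it is worth checking that the four conf.apf edits above actually took, because getting them wrong hurts in different ways: DEVEL left at 1 means cron flushes the firewall every five minutes, the wrong interface or Monokern value means the rules never load on the virtual server, and a port list without 22 or 8443 cuts off SSH or the Plesk admin. The script below is an added example, not part of the post or of APF; it reads the variables by name (SET_MONOKERN is assumed to be the variable the monokern search lands on in this APF version; DEVEL_MODE, IFACE_IN, IFACE_OUT, IG_TCP_CPORTS, IPTABLES_MODULES and IPTABLES_SAVE_ON_RESTART are the names used above) and runs against constructed sample files so it works offline. On the server, point the two check functions at /etc/apf/conf.apf and /etc/sysconfig/iptables-config instead.

```shell
#!/bin/sh
# Pre-flight check for the conf.apf and iptables-config edits described above.
# Added example, not part of APF or Media Temple's tooling. The sample files
# written by write_sample_configs are constructed for the demo.

# Print the value of KEY ($2) from FILE ($1) with the surrounding quotes and
# any trailing comment stripped; prints nothing if the key is absent.
conf_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | sed 's/^"//; s/".*$//'
}

# Return 0 if the conf.apf at $1 carries the settings this post depends on for
# interface $2 (venet0 on a Virtuozzo guest, eth0 on hardware), else 1.
check_apf_conf() {
    conf=$1; iface=$2; rc=0
    # DEVEL_MODE=1 installs a cron job that flushes the firewall every 5 minutes
    [ "$(conf_get "$conf" DEVEL_MODE)" = "0" ] ||
        { echo "FAIL $conf: DEVEL_MODE must be 0 or cron flushes the firewall every 5 minutes"; rc=1; }
    # SET_MONOKERN (assumed variable name) tells APF there are no loadable kernel modules
    [ "$(conf_get "$conf" SET_MONOKERN)" = "1" ] ||
        { echo "FAIL $conf: SET_MONOKERN must be 1 on a virtual server"; rc=1; }
    for k in IFACE_IN IFACE_OUT; do
        [ "$(conf_get "$conf" $k)" = "$iface" ] ||
            { echo "FAIL $conf: $k must be $iface"; rc=1; }
    done
    # The ports the post says not to remove; 22 and 8443 are the ones that lock you out
    ports=$(conf_get "$conf" IG_TCP_CPORTS)
    for p in 20 21 22 80 443 8443; do
        case ",$ports," in
            *",$p,"*) ;;
            *) echo "FAIL $conf: port $p missing from IG_TCP_CPORTS"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the iptables-config at $1 loads the modules APF's rules rely on, else 1.
check_iptables_config() {
    mods=$(conf_get "$1" IPTABLES_MODULES); rc=0
    for m in iptable_filter ipt_state ipt_multiport; do
        case " $mods " in
            *" $m "*) ;;
            *) echo "FAIL $1: module $m missing from IPTABLES_MODULES"; rc=1 ;;
        esac
    done
    [ "$(conf_get "$1" IPTABLES_SAVE_ON_RESTART)" = "yes" ] ||
        echo "WARN $1: IPTABLES_SAVE_ON_RESTART is not yes (the post recommends it)"
    return $rc
}

# Write constructed good/bad samples to a temp dir and print the dir name.
# The bad conf.apf is roughly what a fresh install looks like: dev mode on, eth0, ssh only.
write_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/conf.apf.good" <<'EOF'
DEVEL_MODE="0"
SET_MONOKERN="1"
IFACE_IN="venet0"
IFACE_OUT="venet0"
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
EOF
    cat > "$d/conf.apf.bad" <<'EOF'
DEVEL_MODE="1"
SET_MONOKERN="0"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22"
EOF
    cat > "$d/iptables-config.good" <<'EOF'
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
IPTABLES_SAVE_ON_RESTART="yes"
EOF
    cat > "$d/iptables-config.bad" <<'EOF'
IPTABLES_MODULES=""
IPTABLES_SAVE_ON_RESTART="no"
EOF
    echo "$d"
}

# Stand-alone demo against the constructed samples; use the real paths on the server.
samples=$(write_sample_configs)
for f in "$samples/conf.apf.good" "$samples/conf.apf.bad"; do
    if check_apf_conf "$f" venet0; then echo "OK   $f"; fi
done
for f in "$samples/iptables-config.good" "$samples/iptables-config.bad"; do
    if check_iptables_config "$f"; then echo "OK   $f"; fi
done
rm -r "$samples"
```

The checks deliberately test the whole comma-separated list item by item rather than grepping for "8443" somewhere in the file, so a port that only appears in a comment or in the egress list does not pass.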
Yep, we’re done... now to finish off for the hardware dedicated people.
Virtual people can go read the next part.
{the end for virtual people (refer to http://rfxnetworks.com/appdocs/README.apf for more advanced gizmos)}
- Hardware people need to “vi /etc/apf/conf.apf” then follow step 12 (adding your ports), and after you’ve added them press escape, type :wq and press enter.
- Now to test/restart your firewall...
/usr/local/sbin/apf -r
- You shouldn’t see any errors.
That’s it, for more advanced control refer to (http://rfxnetworks.com/appdocs/README.apf) paying attention to parts near the end regarding the rules files.
[Trouble Shooting]
(Feel free to email me with any suggestions / fixes)
- (Q) I followed it, then my Virtuozzo statistics show ‘numiptent’ is up to 200, which is the hard limit?
(A) Go to the shell and type “cat /proc/user_beancounters | grep ten” and you’ll see that it sets the base as 200 and the max is already set to 200.
No problem, we up the number (APF’s default is 200), so we set it to 400:
vzctl set 101 --numiptent 400 --save
This won’t work on (mt), so we can either ask and hope they say yes,
or more likely just live with the red line.
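The red line is not just cosmetic: the last column of that beancounter line, failcnt, counts iptables entries the kernel refused, and every refused entry is a rule APF tried to load that is simply not there. The script below is an added example, not from the post or from Virtuozzo; it reads the five numiptent columns from a beancounters file instead of eyeballing the grep output, and the beancounter text it runs against is constructed. On the server, call numiptent_status /proc/user_beancounters.

```shell
#!/bin/sh
# Check the numiptent beancounter the troubleshooting entry above talks about.
# Added example, not part of the post or of Virtuozzo; the sample beancounter
# files written by write_sample_beancounters are constructed.

# Print "held maxheld barrier limit failcnt" for the numiptent line in file $1.
# The resource name is $1 or $2 depending on whether the uid prefix is on the
# line, so take the last five fields rather than fixed columns.
numiptent_fields() {
    awk '/numiptent/ { print $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF }' "$1"
}

# Return 0 if numiptent is healthy, 1 if entries were refused or are about to be,
# 2 if the line is missing (not a Virtuozzo guest, or no read access).
numiptent_status() {
    set -- $(numiptent_fields "$1")
    [ $# -eq 5 ] || { echo "numiptent line not found"; return 2; }
    held=$1 maxheld=$2 barrier=$3 limit=$4 failcnt=$5
    # failcnt > 0 means the kernel refused iptables entries: those rules never
    # loaded, so the firewall is running with fewer rules than apf -r reported
    if [ "$failcnt" -gt 0 ]; then
        echo "FAIL: $failcnt iptables entries refused (held $held, barrier $barrier, limit $limit)"
        return 1
    fi
    # warn when less than 10% headroom is left under the limit
    if [ $((held * 10)) -ge $((limit * 9)) ]; then
        echo "WARN: $held of $limit iptables entries in use (peak $maxheld)"
        return 1
    fi
    echo "OK: $held of $limit iptables entries in use (peak $maxheld)"
    return 0
}

# Constructed samples: one container that has hit the 200 limit and refused 17
# entries, and one after the limit was raised to 400. Prints the temp dir name.
write_sample_beancounters() {
    d=$(mktemp -d)
    cat > "$d/full" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2654208              3411968             14372700             14790164                    0
            numiptent                     200                  200                  200                  200                   17
EOF
    cat > "$d/raised" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2654208              3411968             14372700             14790164                    0
            numiptent                     212                  212                  400                  400                    0
EOF
    echo "$d"
}

# Stand-alone demo; on a real guest run: numiptent_status /proc/user_beancounters
samples=$(write_sample_beancounters)
for f in "$samples/full" "$samples/raised"; do
    numiptent_status "$f" || true
done
rm -r "$samples"
```

If failcnt is non-zero, compare the rule count APF actually loaded (iptables -L -n | wc -l) against what you expect from your port list before trusting the firewall; trimming the port list or the DROP rules is the only lever you have when the host will not raise the limit.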
