April 4, 2008
You should have a look at the first 4 parts of this tutorial series on installing, configuring, and running APF (Advanced Policy Firewall) on a Dedicated Server before proceeding here, just to be sure your dedicated server is set up correctly with APF configurations. Here is a quick list to round up these tutorials on dedicated web hosting and APF setup:
1. Installing APF on a Dedicated Server
2. Configuring APF on a Dedicated Server
3. Configuring AntiDOS on a Dedicated Server for APF (optional)
4. Starting APF on a Dedicated Server
Now, here are some helpful commands for your Firewall Usage. With these commands and options, you can do nearly everything necessary to run APF, block IP addresses, flush the firewall, etc. Please review these APF commands below and keep them handy for future reference.
Firewall Usage
Usage: /usr/local/sbin/apf [OPTION]
OPTIONS are as below
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
As an example, if you would like to deny an IP from accessing your sites, execute,
apf -d 123.123.123.123
Hopefully this tutorial series for APF on a Dedicated Server has been extremely helpful to you, but if you’re ever stuck, contact your dedicated web hosting provider and ask for Managed Hosting solutions.
April 3, 2008
After you have successfully installed and configured APF (Advanced Policy Firewall) on your dedicated server, you can optionally configure AntiDOS for DOS protection. Once done, you will need to start and run APF on your server, and below, you will find the steps necessary to do so.
Starting APF on Your Web Server
1. Edit /etc/apf/allow_hosts.rules and enter your IP (not a mandatory step, but will avoid being locked out of the server)
2. Start the firewall by executing the command apf -s
You should then see,
Development mode enabled!; firewall will flush every 5 minutes.
Now try to access all the services, including mail, ssh, and websites.
3. If you are able to access all the services, then open up /etc/apf/conf.apf and change DEVEL_MODE="1" to read DEVEL_MODE="0"
Then simply restart the firewall by executing apf -r and you should be done!
4. As a last step, you should execute the command "chkconfig --list apf" and confirm that you see an entry similar to
apf 0: off 1: off 2: off 3: on 4: on 5: on 6: off
The entry should match the one above. If it does not, execute chkconfig --level 345 apf on
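The lock-out safeguards from steps 1 to 3 can be checked before running apf -s. The script below is an added example, not part of APF or of the original tutorial; the function names are assumptions, it only recognizes plain one-address-per-line entries in allow_hosts.rules, and the sample files are constructed.

```bash
#!/bin/bash
# Added example: pre-flight check to run before "apf -s" (function names are
# assumptions for this sketch, not APF commands).

# Print the value of KEY="value" from a conf.apf-style file (last one wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if IP is a plain entry on its own line; comments are ignored.
# Assumption: only simple one-address-per-line entries are considered.
ip_is_listed() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -Fxq -- "$2"
}

# Print a verdict and return 0 (ok), 1 (warn) or 2 (fail).
apf_preflight() {
    local conf="$1" allow="$2" ip="$3" devel
    devel=$(conf_value "$conf" DEVEL_MODE)
    if ip_is_listed "$allow" "$ip"; then
        echo "ok: $ip is in allow_hosts.rules (DEVEL_MODE=$devel)"
        return 0
    elif [ "$devel" = "1" ]; then
        echo "warn: $ip not listed; development mode will flush the rules"
        return 1
    fi
    echo "fail: $ip not listed and DEVEL_MODE=$devel; a bad rule locks you out"
    return 2
}

# Constructed sample files; 203.0.113.x are documentation addresses.
dir=$(mktemp -d)
printf 'DEVEL_MODE="1"\n' > "$dir/conf.apf"
printf '# admin workstation\n203.0.113.10\n' > "$dir/allow_hosts.rules"
apf_preflight "$dir/conf.apf" "$dir/allow_hosts.rules" 203.0.113.10
apf_preflight "$dir/conf.apf" "$dir/allow_hosts.rules" 203.0.113.1 || true
rm -rf "$dir"
```

On a real server the arguments would be /etc/apf/conf.apf, /etc/apf/allow_hosts.rules and the address you administer the server from.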
Congratulations, you have successfully installed APF! If these tutorials were over your head or you feel you may have done something erroneously, you ought to purchase Managed Hosting from Lunarpages, as they can offer APF installation completely free with your Managed Hosting purchase.
Please refer to our earlier tutorials on Installing APF on a Dedicated Server and Configuring APF on a Dedicated Server. If you do not wish to set up anti-DOS on your server, you can skip this part of the tutorial series and move on to Starting APF.
Please note that this configuration is completely optional when setting up a dedicated web hosting server. While it can help protect your server and website from DOS attacks, there are also other ways to do this.
AntiDOS Configuration
1. Open up /etc/apf/ad/conf.antidos
2. Change LP_KLOG="0" to LP_KLOG="1"
3. CONAME="Your Company"
Enter your company name within quotes, similar to CONAME="Lunarpages"
4. Change USR_ALERT="0" to USR_ALERT="1"
Change it to 1 only if you wish to receive email alerts.
5. USR="you@yourco.com"
Enter your email address here, in quotes as in step 3.
6. Antidos is intended to operate via cron. This is a critical setup point: if it is not done, antidos will simply not operate.
As root, execute the command
crontab -e
and add the following line. A crontab opened with crontab -e has no user column, so the "root" field that an /etc/crontab entry would carry is left out here:
*/2 * * * * /etc/apf/ad/antidos -a >> /dev/null 2>&1
This will run antidos every two minutes.
If this sounds too confusing for you or you are unsure about managing your dedicated server, you should definitely look into Managed Hosting from Lunarpages, as they offer free APF installation with your purchase. Check out our Dedicated Hosting Coupons page for more information on the latest deals from Lunarpages Dedicated Web Hosting.
April 2, 2008
So you have learned about Advanced Policy Firewall (APF) and how to install it on your dedicated server. However, there are a couple more steps to providing advanced firewall support for your dedicated web hosting account. This will help secure your dedicated server and assure your server’s safety.
Remember, if you purchased Managed Hosting from Lunarpages, they can install APF for you at no additional charge. There’s no coupon necessary for this promotion, but if you’re not yet signed up with our recommended dedicated host, check out our Dedicated Hosting Coupons for information on how you can save a bundle on your dedicated server hosting purchase!
Configuring APF (Advanced Policy Firewall)
/etc/apf is the configuration directory of APF and conf.apf is the main configuration file. So open up conf.apf in your favorite editor.
1. Scroll down till you see
IG_TCP_CPORTS="22"
Tip: Pico -> Ctrl+W and then keyword -> invokes search for keyword
Vi -> Esc and then /keyword -> invokes search for keyword
emacs -> Ctrl+s and then keyword -> invokes search for keyword
Change it to read
a) For a webmin server:
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,3306,10000,30000_35000"
b) For a Cpanel server:
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2084,2086,2087,2095,2096,3306,10000,30000_35000"
2. Change IG_UDP_CPORTS="" to read
IG_UDP_CPORTS="21,53,465"
3. Change EGF="0" to EGF="1"
This also filters outgoing connections. I recommend it, even though it may sometimes cause issues.
4. Change EG_TCP_CPORTS="21,25,80,443,43" to read:
EG_TCP_CPORTS="21,22,25,37,53,80,110,113,443,465,43,873,2089,3306"
5. Change EG_UDP_CPORTS="20,21,53" to read
EG_UDP_CPORTS="20,21,53,465"
6. Change USE_DS="0" to USE_DS="1"
APF makes use of DShield (DS), which works a little like spam blocklists such as SPEWS: it lists the most commonly abused networks and those most often used in denial-of-service attacks and similar.
7. Change USE_AD="0" to USE_AD="1"
USE_AD="1" enables the Antidos feature, which is still in beta at the time of this writing. The readme says "Antidos is a log parsing script made for r-fx.org's APF (advanced policy firewall). Its purpose is to parse specific log formats for network attacks against a given system; then it takes certain actions. It is designed to be modular so it can be removed from APF and used in other environments."
You can now save conf.apf and quit the editor. If you didn’t change the value of USE_AD to 1, you can skip our web hosting tutorial on Configuring AntiDOS and jump to the fourth one on Starting APF Firewall.
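The port lists above mix single ports with underscore ranges such as 30000_35000, so a plain text search for a port number can mislead (2 matches inside 22, and 32768 never appears literally). The script below is an added example, not part of APF or of the original tutorial: it reads IG_TCP_CPORTS from a conf.apf-style file and reports which required ports the list does not cover. The function names are assumptions and the sample file is constructed from the Webmin list in step 1a.

```bash
#!/bin/bash
# Added example: test ports against a conf.apf port list (helper names are
# assumptions for this sketch, not APF commands).

# Print the value of KEY="value" from a conf.apf-style file (last one wins).
apf_conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if PORT is covered by LIST (comma-separated; ranges as low_high).
# Entries are compared as whole numbers, so 2 does not match 22 as grep would.
apf_port_allowed() {
    local list="$1" port="$2" entry low high
    case $port in ''|*[!0-9]*) return 2 ;; esac   # reject non-numeric input
    local IFS=,
    for entry in $list; do
        case $entry in
            *_*) low=${entry%%_*}; high=${entry##*_}
                 [ "$port" -ge "$low" ] && [ "$port" -le "$high" ] && return 0 ;;
            *)   [ "$entry" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Print the ports from the argument list that IG_TCP_CPORTS in CONF lacks.
missing_ingress_ports() {
    local conf="$1" list port missing=""
    shift
    list=$(apf_conf_value "$conf" IG_TCP_CPORTS)
    for port in "$@"; do
        apf_port_allowed "$list" "$port" || missing="$missing $port"
    done
    echo "${missing# }"
}

# Constructed sample file holding the Webmin list from step 1a.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,3306,10000,30000_35000"
EOF
echo "missing: $(missing_ingress_ports "$sample" 22 10000 32768 2082)"
rm -f "$sample"
```

Run against /etc/apf/conf.apf with the ports your services need (22 for ssh, 10000 for Webmin) before restarting the firewall.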
Securing your dedicated server is an important part of any webmaster’s job. While services and features like Managed Hosting can assist in keeping your dedicated server safe, you will also need to turn on or install an advanced firewall to protect your machine.
In dedicated web hosting, APF or Advanced Policy Firewall is one of the best solutions for assisting in securing your dedicated server. So what is APF?
APF (Advanced Policy Firewall) is a modular, policy based firewall system. As one of the easiest to configure, it helps you secure and protect your dedicated web server from attacks and threats. It is for Linux web hosting users and is simple enough for a novice or guru alike.
Here are the steps necessary to install APF on your Dedicated Server Hosting plan.
1. Download the APF archive to the /usr/local/downloads/ directory. Create the directory and fetch the archive by executing the following commands:
mkdir -p /usr/local/downloads/
cd /usr/local/downloads/
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
URL is http://www.rfxnetworks.com/downloads/apf-current.tar.gz
2. Extract and install APF using the following commands:
cd /usr/local/downloads/
tar xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf*
./install.sh
After installing APF on your dedicated server, you should then see the following output without any errors!
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
It’s actually incredibly simple, but if you get stuck, contact your web hosting provider and they can likely point you in the right direction via tutorials and online assistance. Our recommended best dedicated host, Lunarpages Web Hosting, will actually install APF for you for free if you have Managed Hosting with them, an amazing deal which can save you time and money.
March 20, 2008
Surviving a DDoS attack can be really challenging, and overcoming the bad exposure you’ll have gotten and/or explaining the downtime and disruption to your customers isn’t easy either. So taking the necessary steps to secure your dedicated server is incredibly important to your dedicated hosting environment.
So do you know how to secure your dedicated server?
Here’s a quick checklist to help you secure your server:
SYN Cookies – These are helpful because they deny any connections that are not verifiable
Firewalls – Just like on your home computer, server firewalls are meant to prevent malicious attacks and to keep your information safe. However, don’t let a firewall ease your fears, as many DDoS attacks are becoming too complex for even the best firewall to prevent.
Switches – These can limit, prevent, and filter the DDoS attacks and also alert you to their presence, which is a great help as you try to recover.
March 11, 2008
What to do when webmin goes wrong? As with any dedicated hosting situation, you need to review the situation and possibly ask support if you need help. The other day I noticed somebody having a problem with webmin not working. They tried to go to:
http://my.ip.address.here:10000/
It wasn’t leading anywhere. What is a guy with a dedicated server to do?
First you want to check that the webmin process is running by reviewing the list of processes on the server itself. Then you will want to ensure that port 10000 is open in the firewall on the server. You might also try:
https://the.server.ip.address:10000/
If you are still having problems gaining access to your dedicated hosting’s webmin, then you need to check your /var/log/messages for any hints that could help hunt down the problem.