Installing Advanced Policy Firewall and Brute Force Detection

From Pulsed Media Wiki

Install Required Packages

APF and BFD are distributed as tarballs, so the host needs a download tool and tar before anything else. If the server does not already have them, install the required packages first:

sudo apt update && sudo apt install wget curl tar unzip -y

Install APF (Advanced Policy Firewall)

cd /usr/local/src

sudo wget https://www.rfxn.com/downloads/apf-current.tar.gz

sudo tar -xzf apf-current.tar.gz

cd apf-*

sudo ./install.sh

Configure APF

Edit the main config file:

 sudo nano /etc/apf/conf.apf 

Key options to tweak:

DEVEL_MODE="1": While this is "1", APF adds a cron entry that flushes the firewall every 5 minutes, so a bad rule set cannot lock you out for good. Leave it at "1" for the first start and change it to "0" only after you have confirmed you can still reach the box.

IG_TCP_CPORTS: Incoming TCP ports you want open, comma-separated (e.g., 22,80,443,21). APF writes ranges as LOW_HIGH (e.g., 1024_65535). If sshd listens on a non-default port, that port must be here, not 22.

IG_UDP_CPORTS: Incoming UDP ports (e.g., 53 only if this host serves DNS to others; replies to the server's own outbound lookups are allowed by connection tracking and need no inbound port).

EGF="1": Enables egress filtering (optional, advanced setups). With it on, outbound traffic is limited to the ports listed in EG_TCP_CPORTS and EG_UDP_CPORTS, so those must cover everything the host needs to reach out to (package mirrors, DNS, NTP, mail).

Start APF

 sudo /usr/local/sbin/apf -r  

To test that it's working and not locking you out (important if remote): keep the current SSH session open, open a second one from the same address, and then check the status output:

Once confirmed:

 sudo nano /etc/apf/conf.apf  
 # Set: DEVEL_MODE="0"  
 sudo /usr/local/sbin/apf -r

Enable APF at boot:

 sudo systemctl enable apf  

If systemctl reports that there is no apf unit, the installer's SysV script at /etc/init.d/apf can be enabled instead (on Debian/Ubuntu: sudo update-rc.d apf defaults).
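The step that locks people out of remote servers is flipping DEVEL_MODE to "0" while IG_TCP_CPORTS does not cover the port sshd actually listens on, or while no admin address is whitelisted. The following is an added example (not from the Pulsed Media wiki or from rfxn's APF) of a pre-flight check for exactly that; it edits conf.apf the same way the manual nano step does, but refuses to go live until both conditions hold. File paths are parameters so it can be exercised on copies; on a real host they are /etc/apf/conf.apf and /etc/apf/allow_hosts.rules, and the sshd port would come from sshd -T.

```shell
#!/bin/sh
# Added example, not from the Pulsed Media wiki or from rfxn's APF: a
# pre-flight check to run before setting DEVEL_MODE="0". It refuses to go
# live unless the port sshd listens on is covered by IG_TCP_CPORTS and at
# least one admin IPv4 address is in the allow list. File paths are
# parameters so it can be run on copies; on a real host they are
# /etc/apf/conf.apf and /etc/apf/allow_hosts.rules.

# apf_get FILE KEY -> value of KEY="value" (last definition wins, as in sh)
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_set FILE KEY VALUE -> rewrite an existing KEY="..." line in place
apf_set() {
    sed -i "s|^$2=\".*\"|$2=\"$3\"|" "$1"
}

# apf_port_listed "22,80,443,1024_65535" 2222 -> 0 if the port is covered.
# APF writes port ranges as LOW_HIGH, so single ports and ranges are handled.
apf_port_listed() {
    list=$1 port=$2 found=1
    old_ifs=$IFS; IFS=','
    for item in $list; do
        case $item in
            *_*) lo=${item%_*}; hi=${item#*_}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && found=0 ;;
            *)   [ "$item" = "$port" ] && found=0 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# apf_safe_to_go_live CONF ALLOW_HOSTS SSH_PORT -> 0 only when both checks pass
apf_safe_to_go_live() {
    ports=$(apf_get "$1" IG_TCP_CPORTS)
    if ! apf_port_listed "$ports" "$3"; then
        echo "refusing: sshd port $3 is not in IG_TCP_CPORTS=\"$ports\"" >&2
        return 1
    fi
    if ! grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$2"; then
        echo "refusing: no admin IPv4 address in $2" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed copy of conf.apf (not a real install):
# port 22 is missing from IG_TCP_CPORTS, so the guard keeps DEVEL_MODE at 1.
conf=$(mktemp); allow=$(mktemp)
printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="80,443"\n' > "$conf"
echo 203.0.113.10 > "$allow"
if apf_safe_to_go_live "$conf" "$allow" 22; then
    apf_set "$conf" DEVEL_MODE 0
else
    echo "add 22 to IG_TCP_CPORTS first; DEVEL_MODE left at $(apf_get "$conf" DEVEL_MODE)"
fi
rm -f "$conf" "$allow"
```

On the real host the sshd port is best taken from the running daemon rather than from memory, e.g. sshd -T 2>/dev/null | awk '$1=="port"{print $2}', and the guard is then apf_safe_to_go_live /etc/apf/conf.apf /etc/apf/allow_hosts.rules "$port" followed by apf_set /etc/apf/conf.apf DEVEL_MODE 0 and apf -r. sed -i here is the GNU form that ships with Debian/Ubuntu.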

Install BFD (Brute Force Detection)

Download and Install

 cd /usr/local/src  
 sudo wget https://www.rfxn.com/downloads/bfd-current.tar.gz  
 sudo tar -xzf bfd-current.tar.gz  
 cd bfd-*  
 sudo ./install.sh  

Configure BFD

Edit the config file:

 sudo nano /usr/local/bfd/conf.bfd

Recommended settings:

EMAIL_ALERTS="1"

EMAIL_ADDRESS="your@email.com"

TRIG="20" (number of failed attempts from one host before it is blocked; a lower value bans faster but also trips sooner on a mistyped password)

BAN_COMMAND is what ties BFD to APF: it should call /usr/local/sbin/apf -d with the attacking host, so that bans land in APF's deny list rather than only in BFD's own log.

Addresses that must never be banned (your own admin hosts, monitoring) go in /usr/local/bfd/ignore.hosts.

Optional: edit rules in /usr/local/bfd/rules/ (e.g., sshd, pure-ftpd, etc.) if a service logs somewhere other than the rule's default path.

Save and exit.

Start BFD

BFD is not a daemon; each run scans the logs once. Run it by hand first in standard (verbose) mode to confirm the rules parse your logs:

 sudo /usr/local/sbin/bfd -s  

Keep it running with a cron job. The installer normally places /etc/cron.d/bfd containing this entry already, so check that file first and only add the crontab line if it is missing, otherwise the scan runs twice:

 sudo crontab -e  
 */3 * * * * /usr/local/sbin/bfd -q  

Verify Everything

Check APF status:

 sudo /usr/local/sbin/apf --status  

Test BFD log monitoring: Simulate failed SSH logins from a throwaway machine or VM, not from the address you administer from (or make sure that address is in /usr/local/bfd/ignore.hosts), then check:

 sudo tail -f /var/log/bfd_log  

If the test host does get banned, release it with sudo /usr/local/sbin/apf -u <ip>.
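To see what TRIG actually means against real log lines, here is an added example (not from the Pulsed Media wiki or from rfxn's BFD) that re-implements the core of BFD's sshd rule in sh and awk on a constructed auth.log sample: count "Failed password" lines per source address, skip hosts in an ignore file, and print the APF deny command for anything at or over the trigger instead of executing it. The log lines, the TEST-NET addresses and the file paths are constructed for the example; the deny command mirrors the shape of BFD's default BAN_COMMAND, so check conf.bfd on your install before relying on it.

```shell
#!/bin/sh
# Added example, not from the Pulsed Media wiki or from rfxn's BFD: a
# minimal re-implementation of what BFD's sshd rule does, so the TRIG
# setting can be reasoned about on a log sample. Only "Failed password"
# lines are counted (sshd also logs "Invalid user", but that would double
# count the same attempt). Hosts listed in an ignore file (BFD keeps its
# own list in /usr/local/bfd/ignore.hosts) are skipped.

# Constructed sample of /var/log/auth.log lines: 198.51.100.7 fails three
# times, 203.0.113.10 (an admin host) also fails three times, 192.0.2.5 once.
sample_auth_log() {
    cat <<'EOF'
Jan 10 10:01:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 10 10:01:03 host sshd[1201]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 10 10:01:05 host sshd[1203]: Invalid user admin from 198.51.100.7 port 50002
Jan 10 10:01:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
Jan 10 10:02:10 host sshd[1210]: Failed password for alice from 203.0.113.10 port 40100 ssh2
Jan 10 10:02:12 host sshd[1210]: Failed password for alice from 203.0.113.10 port 40100 ssh2
Jan 10 10:02:14 host sshd[1210]: Failed password for alice from 203.0.113.10 port 40100 ssh2
Jan 10 10:02:20 host sshd[1211]: Accepted publickey for alice from 203.0.113.10 port 40101 ssh2
Jan 10 10:03:00 host sshd[1220]: Failed password for bob from 192.0.2.5 port 33000 ssh2
EOF
}

# bfd_offenders LOG TRIG [IGNORE_FILE] -> "ip count" for each host at or over TRIG
bfd_offenders() {
    awk -v trig="$2" -v ignore="${3:-/dev/null}" '
        BEGIN { while ((getline l < ignore) > 0) if (l !~ /^#/ && l != "") skip[l] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= trig) printf "%s %d\n", ip, fails[ip] }
    ' "$1" | sort
}

# bfd_ban_commands LOG TRIG [IGNORE_FILE] -> the apf deny commands that would be
# issued (same shape as BFD's default BAN_COMMAND), printed rather than executed
bfd_ban_commands() {
    bfd_offenders "$@" | while read -r ip count; do
        printf '/usr/local/sbin/apf -d %s "{bfd.sshd}"\n' "$ip"
    done
}

# Stand-alone demo: TRIG=3 with the admin host ignored bans only 198.51.100.7.
log=$(mktemp); ign=$(mktemp)
sample_auth_log > "$log"
echo 203.0.113.10 > "$ign"
echo "hosts at or over TRIG=3:"; bfd_offenders "$log" 3 "$ign"
echo "would run:";               bfd_ban_commands "$log" 3 "$ign"
rm -f "$log" "$ign"
```

Run against the real file with bfd_offenders /var/log/auth.log 20 /usr/local/bfd/ignore.hosts and you get the hosts BFD would ban at TRIG="20" without banning anything; note the "Invalid user" line for admin is not counted separately from its "Failed password" line, so the attacker's count is 3 and not 4.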

Tips & Best Practices

Always whitelist the address you administer from: in APF it goes in /etc/apf/allow_hosts.rules, and for BFD in /usr/local/bfd/ignore.hosts, so that your own failed logins can never ban you.

Be cautious with egress filtering (EGF="1"). It can break software updates, DNS and mail if the outbound ports those need are not listed in EG_TCP_CPORTS and EG_UDP_CPORTS.

Combine with fail2ban if you want additional jail-based brute-force blocking, but let only one of the two watch a given service's log; two tools banning from the same log produce overlapping bans that are hard to reason about when unbanning.

Set up logrotate for /var/log/bfd_log (and make sure the logs BFD reads, such as /var/log/auth.log, are rotated too) so the scans stay fast and the disk does not fill.