Difference between revisions of "Installing Advanced Policy Firewall and Brute Force Detection"
Latest revision as of 11:37, 21 April 2025
Install Required Packages
If the server does not already have the required packages, install them before installing APF and BFD:
sudo apt update && sudo apt install wget curl tar unzip -y
Install APF (Advanced Policy Firewall)
cd /usr/local/src
sudo wget https://www.rfxn.com/downloads/apf-current.tar.gz
sudo tar -xzf apf-current.tar.gz
cd apf-*
sudo ./install.sh
Configure APF
Edit the main config file:
sudo nano /etc/apf/conf.apf
Key options to tweak:
DEVEL_MODE="1": leave this at "1" while testing. In development mode APF flushes its rules after about 5 minutes, so a wrong rule set cannot lock you out for good. Change it to "0" only after you have confirmed you can still reach the host; a firewall that keeps switching itself off is not protection.
IG_TCP_CPORTS: incoming TCP ports you want open (e.g., 22,80,443,21). The SSH port must be in this list, otherwise the first reload with DEVEL_MODE="0" cuts off your own session.
IG_UDP_CPORTS: incoming UDP ports (e.g., 53 for DNS).
EGF="1": enables egress filtering (optional, advanced setups). With it on, outbound ports must be listed in EG_TCP_CPORTS and EG_UDP_CPORTS.
Start APF
sudo /usr/local/sbin/apf -r
To check that it is working without locking yourself out (important if you are remote): keep your current session open, open a second SSH connection, and confirm the rules loaded:
sudo /usr/local/sbin/apf --status
Once confirmed, turn off the development timeout and reload:
sudo nano /etc/apf/conf.apf
# Set: DEVEL_MODE="0"
sudo /usr/local/sbin/apf -r
Enable APF at boot:
sudo systemctl enable apf
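The two things that lock people out in the steps above are switching DEVEL_MODE to "0" before the SSH port is in IG_TCP_CPORTS, and before the admin address is in the allow list. The script below is an added example, not part of APF or of this page's original instructions: it edits conf.apf-style files and refuses to disable development mode until both guards hold. It works on scratch copies it creates itself; the real files would be /etc/apf/conf.apf and /etc/apf/allow_hosts.rules, and the port and address used in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not APF's own tooling): guard the DEVEL_MODE="0" switch.
# Refuses to disable the 5-minute safety flush unless the SSH port is in
# IG_TCP_CPORTS and the admin address is in allow_hosts.rules.
# Paths, ports and addresses in demo() are assumptions.

# set_conf_opt FILE KEY VALUE: rewrite KEY="VALUE" in a conf.apf-style file
# (appends the line if KEY is absent). Portable: no sed -i.
set_conf_opt() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_conf_opt FILE KEY: print the value of KEY with surrounding quotes removed.
get_conf_opt() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# port_listed PORTLIST PORT: true if PORT appears in the comma-separated list.
# APF range syntax (e.g. 30000_35000) is not expanded here.
port_listed() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# safe_to_disable_devel CONF ALLOW SSH_PORT ADMIN_IP
# returns 0 when both lockout guards hold, 1 if the SSH port is not open,
# 2 if the admin address is not whitelisted.
safe_to_disable_devel() {
    ports=$(get_conf_opt "$1" IG_TCP_CPORTS)
    if ! port_listed "$ports" "$3"; then
        echo "refusing: SSH port $3 is not in IG_TCP_CPORTS=\"$ports\"" >&2
        return 1
    fi
    if ! grep -qx "$4" "$2" 2>/dev/null; then
        echo "refusing: $4 is not listed in $2" >&2
        return 2
    fi
    return 0
}

# disable_devel_mode CONF ALLOW SSH_PORT ADMIN_IP: flip DEVEL_MODE only when safe.
disable_devel_mode() {
    safe_to_disable_devel "$@" || return $?
    set_conf_opt "$1" DEVEL_MODE 0
}

# Demo on constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d)
    printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="80,443"\n' > "$dir/conf.apf"
    : > "$dir/allow_hosts.rules"
    # First attempt: SSH port missing, so DEVEL_MODE must stay "1".
    disable_devel_mode "$dir/conf.apf" "$dir/allow_hosts.rules" 22 203.0.113.10 || true
    echo "after first attempt: DEVEL_MODE=$(get_conf_opt "$dir/conf.apf" DEVEL_MODE)"
    # Fix both guards, then the switch goes through.
    set_conf_opt "$dir/conf.apf" IG_TCP_CPORTS "22,80,443"
    echo 203.0.113.10 >> "$dir/allow_hosts.rules"
    disable_devel_mode "$dir/conf.apf" "$dir/allow_hosts.rules" 22 203.0.113.10
    echo "after second attempt: DEVEL_MODE=$(get_conf_opt "$dir/conf.apf" DEVEL_MODE)"
    rm -rf "$dir"
}
demo
```

Run it as root against the real paths only after reading the refusal messages on the scratch copies; the check is deliberately strict about exact port numbers and exact addresses, so a CIDR entry in allow_hosts.rules will not satisfy it.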
Install BFD (Brute Force Detection)
Download and Install
cd /usr/local/src
sudo wget https://www.rfxn.com/downloads/bfd-current.tar.gz
sudo tar -xzf bfd-current.tar.gz
cd bfd-*
sudo ./install.sh
Configure BFD
Edit the config file:
sudo nano /usr/local/bfd/conf.bfd
Recommended settings:
EMAIL_ALERTS="1"
EMAIL_ADDRESS="your@email.com"
TRIG="20" (number of failed attempts from one source address before it is blocked; BFD hands the address to APF for the block)
Optional: edit rules in /usr/local/bfd/rules/ (e.g., sshd, pure-ftpd, etc.).
Save and exit.
Start BFD
sudo /usr/local/sbin/bfd -s
Check /etc/cron.d/bfd first: the installer normally creates a cron entry there that runs bfd -q every few minutes, and a second entry in root's crontab would just double the runs. Only if it is missing, add one yourself:
sudo crontab -e
*/3 * * * * /usr/local/sbin/bfd -q
Verify Everything
Check APF status:
sudo /usr/local/sbin/apf --status
Test BFD log monitoring: from another machine or VM, make more than TRIG failed SSH logins against the server, wait for the next scan (or run bfd -s), then watch the BFD log for the block entry and confirm the source address can no longer connect. Use a throwaway address for this test, not the one you administer from, or whitelist your own address first:
sudo tail -f /var/log/bfd_log
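Before trusting the test above, it helps to see the decision BFD makes on its own: count failed logins per source address in the auth log and compare the count with TRIG. The script below is an added example, not BFD's code, and runs the same counting step over a constructed auth.log. The sshd message patterns are assumptions modelled on OpenSSH output; BFD's real patterns are in /usr/local/bfd/rules/sshd and may differ, and the ignore file path it mentions is assumed.

```shell
#!/bin/sh
# Added example, not BFD's own code: the counting decision BFD makes, run over
# constructed auth.log lines. TRIG plays the role of the conf.bfd setting.
# The sshd message patterns are assumptions modelled on OpenSSH; BFD's real
# patterns live in /usr/local/bfd/rules/sshd and may differ.

# failed_ssh_ips LOGFILE: one source address per failed password attempt.
# Only "Failed password" lines are counted: for unknown accounts OpenSSH also
# logs an "Invalid user ... from IP" line for the same attempt, and counting
# both would double the score.
failed_ssh_ips() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' "$1"
}

# brute_force_sources LOGFILE TRIG: "count ip" for every source with at least
# TRIG failures, highest first.
brute_force_sources() {
    failed_ssh_ips "$1" | sort | uniq -c \
        | awk -v trig="$2" '$1 >= trig { print $1, $2 }' | sort -rn
}

# block_candidates LOGFILE TRIG IGNOREFILE: the same list minus addresses in an
# ignore file of exact IPs, one per line (BFD keeps such a list at the assumed
# path /usr/local/bfd/ignore.hosts; an empty or missing file ignores nothing).
block_candidates() {
    brute_force_sources "$1" "$2" | while read -r count ip; do
        if [ -n "$3" ] && [ -f "$3" ] && grep -qx "$ip" "$3"; then
            continue
        fi
        echo "$count $ip"
    done
}

# make_sample_log FILE: constructed auth.log with 25 failures from
# 203.0.113.50, 3 from 198.51.100.7, one success, and an "Invalid user"
# line that must not add to the score.
make_sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        i=$((i + 1))
        echo "Apr 21 11:30:$(printf '%02d' "$i") host sshd[2001]: Failed password for invalid user admin from 203.0.113.50 port 510$i ssh2"
    done > "$1"
    i=0
    while [ "$i" -lt 3 ]; do
        i=$((i + 1))
        echo "Apr 21 11:31:0$i host sshd[2100]: Failed password for root from 198.51.100.7 port 4000$i ssh2"
    done >> "$1"
    echo "Apr 21 11:32:00 host sshd[2200]: Accepted publickey for ops from 192.0.2.9 port 50000 ssh2" >> "$1"
    echo "Apr 21 11:32:05 host sshd[2201]: Invalid user test from 203.0.113.50 port 52000" >> "$1"
}

demo() {
    dir=$(mktemp -d)
    make_sample_log "$dir/auth.log"
    echo 203.0.113.50 > "$dir/ignore.hosts"
    echo "TRIG=20, no ignore list:"; brute_force_sources "$dir/auth.log" 20
    echo "TRIG=3, no ignore list:"; brute_force_sources "$dir/auth.log" 3
    echo "TRIG=3, 203.0.113.50 ignored:"; block_candidates "$dir/auth.log" 3 "$dir/ignore.hosts"
    rm -rf "$dir"
}
demo
```

Pointing failed_ssh_ips at the live /var/log/auth.log (or /var/log/secure) shows which addresses BFD would pick up on its next scan; if an address you expect to see is missing, the pattern in the sshd rule file is the first place to look, since distributions log the same event in slightly different forms.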
Tips & Best Practices
Always whitelist your management IP in APF (/etc/apf/allow_hosts.rules) and in BFD's ignore list before enabling blocking. BFD bans through APF, so a few mistyped passwords from your own workstation can otherwise lock you out.
Be cautious with egress filtering (EGF="1"). Outbound connections to ports not listed in EG_TCP_CPORTS and EG_UDP_CPORTS are dropped, so package updates, DNS and NTP fail if you forget them.
Combine with fail2ban only if you have tested how the two interact: both manage iptables, and a reload with apf -r flushes the tables, which can remove fail2ban's chains until fail2ban is restarted.
Set up logrotate for /var/log/bfd_log (or ship it to syslog) so the BFD log does not grow without bound.