Installing Advanced Policy Firewall and Brute Force Detection

From Pulsed Media Wiki
Revision as of 11:37, 21 April 2025 by Gallogeta (talk | contribs)

Install Required Packages

Before installing APF and BFD, make sure the tools needed to download and unpack them are present (most servers already have them):

sudo apt update && sudo apt install wget curl tar unzip -y

Install APF (Advanced Policy Firewall)

cd /usr/local/src

sudo wget https://www.rfxn.com/downloads/apf-current.tar.gz

sudo tar -xzf apf-current.tar.gz

cd apf-*

sudo ./install.sh

Configure APF

Edit the main config file:

 sudo nano /etc/apf/conf.apf 

Key options to tweak:

DEVEL_MODE="1": leave at "1" while testing. In this mode APF flushes its ruleset every 5 minutes from cron, so a mistake cannot lock you out permanently. Change to "0" only after you have confirmed you can still reach the server.

IG_TCP_CPORTS: Incoming TCP ports you want open (e.g., 22,80,443,21). List only what the server actually serves; anything not listed is dropped.

IG_UDP_CPORTS: Incoming UDP ports (e.g., 53 for DNS).

EGF="1": Enables egress (outbound) filtering. Optional and for advanced setups only; if you turn it on you must also maintain EG_TCP_CPORTS and EG_UDP_CPORTS, or outbound traffic such as DNS and package updates will be blocked.

Start APF

 sudo /usr/local/sbin/apf -r  

To confirm it is running and has not locked you out (important on a remote server: keep your current SSH session open and verify a second, fresh login works before trusting the ruleset):

 sudo /usr/local/sbin/apf --status  

Once confirmed:

 sudo nano /etc/apf/conf.apf  
 # Set: DEVEL_MODE="0"  
 sudo /usr/local/sbin/apf -r

Enable APF at boot:

 sudo systemctl enable apf  
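The APF steps above come down to editing a few KEY="value" lines in conf.apf and adding your own address to the allow list before the first restart. The following helper is an added example (not APF's own code and not from the original page): it makes those edits on copies of the files so the result can be reviewed before touching /etc/apf. The admin address 203.0.113.10 and the sample conf.apf contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: apply the APF settings from this page to copies of the config
# files. Real targets are /etc/apf/conf.apf and /etc/apf/allow_hosts.rules.
set -eu

# apf_set_option FILE KEY VALUE: set KEY="VALUE" in FILE, replacing an
# existing line or appending one. Written via a temp file so it works with
# both GNU and BSD sed.
apf_set_option() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# apf_get_option FILE KEY: print the unquoted value of KEY.
apf_get_option() {
  sed -n "s|^$2=\"\(.*\)\"|\1|p" "$1"
}

# apf_allow_host FILE IP: add IP to allow_hosts.rules exactly once
# (idempotent, so it is safe to re-run from a provisioning script).
apf_allow_host() {
  file="$1"; ip="$2"
  grep -qxF "$ip" "$file" 2>/dev/null || printf '%s\n' "$ip" >> "$file"
}

# demo: run the page's procedure against constructed copies in a temp dir.
demo() {
  dir="$(mktemp -d)"
  conf="$dir/conf.apf"; allow="$dir/allow_hosts.rules"
  # Constructed minimal conf.apf, not the real shipped file.
  cat > "$conf" <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EGF="0"
EOF
  # Whitelist the admin address (assumed: 203.0.113.10) before the first apf -r.
  apf_allow_host "$allow" 203.0.113.10
  # Open only the ports the server serves; keep DEVEL_MODE="1" for the test run.
  apf_set_option "$conf" IG_TCP_CPORTS "22,80,443"
  apf_set_option "$conf" IG_UDP_CPORTS "53"
  # After confirming a fresh login still works: make the rules permanent.
  apf_set_option "$conf" DEVEL_MODE 0
  echo "== $conf"; cat "$conf"
  echo "== $allow"; cat "$allow"
}

demo
```

Run it as-is to see the edited copies; to use it for real, point the functions at the files under /etc/apf and follow each change with `apf -r`, keeping your existing SSH session open.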

Install BFD (Brute Force Detection)

Download and Install

 cd /usr/local/src  
 sudo wget https://www.rfxn.com/downloads/bfd-current.tar.gz  
 sudo tar -xzf bfd-current.tar.gz  
 cd bfd-*  
 sudo ./install.sh  

Configure BFD

Edit the config file:

 sudo nano /usr/local/bfd/conf.bfd

Recommended settings:

EMAIL_ALERTS="1"

EMAIL_ADDRESS="your@email.com"

TRIG="20" (failed attempts from one source address before it is banned; a lower value catches slow attacks sooner but makes it easier to ban a legitimate user who mistypes a password)

Optional: edit rules in /usr/local/bfd/rules/ (e.g., sshd, pure-ftpd, etc.).

Save and exit.

Start BFD

 sudo /usr/local/sbin/bfd -s  

BFD does its scanning from cron. The installer normally places a cron entry under /etc/cron.d; if none is present, add one (do not add a second one if it already exists):

 sudo crontab -e  
 */3 * * * * /usr/local/sbin/bfd -q  

Verify Everything

Check APF status:

 sudo /usr/local/sbin/apf --status  

Test BFD log monitoring: from another machine or VM whose address you can afford to have banned (not your whitelisted admin IP), make more failed SSH logins than TRIG, wait for the next cron run, then check:

 sudo tail -f /var/log/bfd_log  
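What the verification step above relies on is BFD counting failed logins per source address in the log and banning any address that reaches TRIG. The script below is an added example (not BFD's own code, and not from the original page) that performs the same count over a constructed handful of sshd log lines, so the effect of the TRIG value can be seen offline before you test against the live server. The log lines and the addresses 198.51.100.7 and 203.0.113.10 are made up for the demo.

```shell
#!/bin/sh
# Added example: the per-source failed-login count behind BFD's TRIG
# threshold, run over constructed sshd log lines (not a real auth.log).
set -eu

SAMPLE_LOG='Apr 21 11:30:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51122 ssh2
Apr 21 11:30:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 51124 ssh2
Apr 21 11:30:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Apr 21 11:30:04 host sshd[1205]: Accepted publickey for ops from 203.0.113.10 port 40000 ssh2
Apr 21 11:30:05 host sshd[1207]: Failed password for ops from 203.0.113.10 port 40002 ssh2
Apr 21 11:30:06 host sshd[1209]: Failed password for root from 198.51.100.7 port 51140 ssh2'

# failed_by_ip < log: print "COUNT IP" per source address, most failures first.
# Only sshd "Failed password" lines count; accepted logins are ignored.
failed_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password for' \
    | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders TRIG < log: print the addresses that have reached the threshold,
# i.e. the ones BFD would hand to APF's deny list.
offenders() {
  failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# ban_commands TRIG < log: print (not run) the apf deny command for each
# offender. Run it through sh only on a host where you want the bans applied.
ban_commands() {
  offenders "$1" | while read -r ip; do
    printf 'apf -d %s "bfd: sshd brute force"\n' "$ip"
  done
}

# Demo: with TRIG=3 the first address (4 failures) is banned, the second
# (1 failure) is not; with the page's TRIG=20 nothing is banned yet.
echo "failures per source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "bans at TRIG=3:"
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
echo "bans at TRIG=20:"
printf '%s\n' "$SAMPLE_LOG" | ban_commands 20
```

To try it against the real log instead of the sample, replace the `printf '%s\n' "$SAMPLE_LOG"` with `grep sshd /var/log/auth.log` and compare the result with what BFD wrote to /var/log/bfd_log.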

Tips & Best Practices

Always whitelist your own IP in APF (/etc/apf/allow_hosts.rules) before the first restart, and add it to BFD's /usr/local/bfd/ignore.hosts as well so a typo in your own password never gets your workstation banned.

Be cautious with egress filtering (EGF="1"). It can break software updates if misconfigured.

Combine with fail2ban if you want additional jail-based blocking for services BFD has no rule for.

Set up logrotate for /var/log/bfd_log so it does not grow without bound.