Installing Advanced Policy Firewall and Brute Force Detection
Install Required Packages
If the server does not already have the required packages, install them before installing APF and BFD:
sudo apt update && sudo apt install wget curl tar unzip -y
Install APF (Advanced Policy Firewall)
cd /usr/local/src
sudo wget https://www.rfxn.com/downloads/apf-current.tar.gz
sudo tar -xzf apf-current.tar.gz
cd apf-*/   # trailing slash: match only the extracted directory, not the tarball
sudo ./install.sh
Configure APF
Edit the main config file:
sudo nano /etc/apf/conf.apf
Key options to tweak:
DEVEL_MODE="1" → Change to "0" after confirming it works (while set to "1", the firewall rules are flushed every 5 minutes as a safety net for testing).
IG_TCP_CPORTS: Incoming TCP ports you want open (e.g., 22,80,443,21).
IG_UDP_CPORTS: Incoming UDP ports (e.g., 53 for DNS).
EGF="1": Enables egress filtering (optional, advanced setups).
Start APF
sudo /usr/local/sbin/apf -r
To test that it's working and not locking you out (important if remote):
sudo /usr/local/sbin/apf --status
Once confirmed:
sudo nano /etc/apf/conf.apf
# Set: DEVEL_MODE="0"
sudo /usr/local/sbin/apf -r
Enable APF at boot:
sudo systemctl enable apf
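An added example (not part of the original guide or of APF itself): a read-only pre-flight check to run before setting DEVEL_MODE="0", confirming that the SSH port you are connected on is listed in IG_TCP_CPORTS. The function names and the sample config are constructed for illustration, and the underscore range syntax (lo_hi) is assumed from APF's config conventions.

```shell
#!/usr/bin/env bash
# Pre-flight check for conf.apf; reads the file only, never touches the firewall.

# conf_value FILE KEY -> value of the last uncommented KEY="value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_allowed LIST PORT -> 0 if PORT is in LIST (comma separated, lo_hi ranges)
port_allowed() {
    local entry lo hi
    local IFS=','
    for entry in $1; do
        case "$entry" in
            *_*) lo=${entry%%_*}; hi=${entry##*_}
                 [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;   # exact match: 22 != 2222
        esac
    done
    return 1
}

# apf_preflight FILE SSH_PORT -> 0 if safe to leave devel mode, 1 otherwise
apf_preflight() {
    local ports devel
    ports=$(conf_value "$1" IG_TCP_CPORTS)
    devel=$(conf_value "$1" DEVEL_MODE)
    if ! port_allowed "$ports" "$2"; then
        echo "FAIL: port $2 not in IG_TCP_CPORTS=\"$ports\""
        return 1
    fi
    echo "OK: port $2 allowed (DEVEL_MODE currently \"$devel\")"
}

# Constructed sample config, not a real conf.apf
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# DEVEL_MODE="0"   (commented out, must be ignored)
DEVEL_MODE="1"
IG_TCP_CPORTS="22,80,443,30000_35000"
IG_UDP_CPORTS="53"
EOF

apf_preflight "$SAMPLE" 22
apf_preflight "$SAMPLE" 2222 || echo '-> keep DEVEL_MODE="1" until the port list is fixed'
```

On a live host, call apf_preflight with /etc/apf/conf.apf and the port your SSH session actually uses.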
Install BFD (Brute Force Detection)
Download and Install
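cd /usr/local/src
sudo wget https://www.rfxn.com/downloads/bfd-current.tar.gz
sudo tar -xzf bfd-current.tar.gz
cd bfd-*/   # trailing slash: match only the extracted directory, not the tarball
sudo ./install.sh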
Configure BFD
Edit the config file:
sudo nano /usr/local/bfd/conf.bfd
Recommended settings:
EMAIL_ALERTS="1"
EMAIL_ADDRESS="your@email.com"
TRIG="20" (number of failed attempts before blocking)
Optional: edit rules in /usr/local/bfd/rules/ (e.g., sshd, pure-ftpd, etc.).
Save and exit.