2012-09-08

How to install APF (Advanced Policy Firewall)


What is APF


APF (Advanced Policy Firewall) is a software firewall for Linux from R-fx Networks. It is used by most Linux server administrators and builds on iptables rules, which makes it easy to understand and to use; it is probably the most widely used firewall on Linux. APF has a large number of configuration options, and using them well strengthens the security of your server. APF deserves a place on every Linux server.

Installing APF

1. Download the latest release and unpack it (see the APF project page for details).

#cd /usr/local/src
#tar -zxf apf-current.tar.gz
#cd apf-9.7-1/

2. Run the installer

#sh ./install.sh

When the installation completes you will see some details:

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

3. Configure it in detail

#vi /etc/apf/conf.apf

The defaults suit most situations; change the following as needed (default value >> recommended value):

DEVEL_MODE="1" >> DEVEL_MODE="0"
RAB="0" >> RAB="1"
RAB_PSCAN_LEVEL="2" >> RAB_PSCAN_LEVEL="3"
TCR_PASS="1" >> TCR_PASS="0"
DLIST_PHP="0" >> DLIST_PHP="1"
DLIST_SPAMHAUS="0" >> DLIST_SPAMHAUS="1"
DLIST_DSHIELD="0" >> DLIST_DSHIELD="1"
DLIST_RESERVED="0" >> DLIST_RESERVED="1"

Inbound port filtering

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,3306"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465"

Outbound port filtering (recommended on virtual/shared hosting servers)

# Outbound (egress) filtering
EGF="1"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,3306"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,465"

ICMP filtering

# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

Two other configuration files are worth noting: /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules. They hold filtering rules for specific hosts, for example the trusted hosts you add.

Starting APF

#/usr/local/sbin/apf -s

Restarting APF

#/usr/local/sbin/apf -r

Watching the log

#tail -f /var/log/apf_log

Starting APF at boot

#vi /etc/rc.local

Add the line /usr/local/sbin/apf -s to that file (without quotes).

Option reference
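The configuration steps above are usually done by hand in vi. As an added example (not from the original post, and not part of APF itself), the POSIX shell functions below apply the recommended changes from the previous section to a conf.apf file, keep a backup, and refuse to call the firewall ready for rc.local until DEVEL_MODE is off and the SSH port is in the inbound TCP list. It assumes GNU sed (for `sed -i`) and the `KEY="value"` layout shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post: apply the conf.apf changes
# recommended above and verify them before APF is started or added to rc.local.
# Assumes GNU sed and the KEY="value" form used in /etc/apf/conf.apf.

set -u

# apf_set FILE KEY VALUE: rewrite the value of KEY="..." in FILE. Only lines
# that begin with KEY are touched, so commented examples stay as they are.
# Returns 1 if KEY does not exist rather than silently appending a new one.
apf_set() {
    file=$1; key=$2; value=$3
    grep -q "^${key}=\"" "$file" || return 1
    sed -i "s|^${key}=\"[^\"]*\"|${key}=\"${value}\"|" "$file"
}

# apf_get FILE KEY: print the current value of KEY (first match only).
apf_get() {
    sed -n "s|^$2=\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# apf_apply_recommended FILE: the edits listed in the post, in one pass.
# A timestamped backup is kept beside the file so a bad change can be undone.
apf_apply_recommended() {
    file=$1
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    for kv in DEVEL_MODE=0 RAB=1 RAB_PSCAN_LEVEL=3 TCR_PASS=0 \
              DLIST_PHP=1 DLIST_SPAMHAUS=1 DLIST_DSHIELD=1 DLIST_RESERVED=1 \
              EGF=1; do
        apf_set "$file" "${kv%%=*}" "${kv#*=}" \
            || echo "warning: ${kv%%=*} not found in $file" >&2
    done
}

# apf_ready_for_boot FILE [SSH_PORT]: 0 only when DEVEL_MODE is "0" (otherwise
# the firewall flushes itself every 5 minutes, see the FAQ) and SSH_PORT
# (default 22) is in IG_TCP_CPORTS (otherwise the boot-time start locks you out).
apf_ready_for_boot() {
    file=$1; ssh_port=${2:-22}
    [ "$(apf_get "$file" DEVEL_MODE)" = "0" ] \
        || { echo "DEVEL_MODE is still on; not safe for rc.local" >&2; return 1; }
    case ",$(apf_get "$file" IG_TCP_CPORTS)," in
        *",${ssh_port},"*) return 0 ;;
        *) echo "port ${ssh_port} is missing from IG_TCP_CPORTS" >&2; return 1 ;;
    esac
}
```

Typical use on a server: `apf_apply_recommended /etc/apf/conf.apf && apf_ready_for_boot /etc/apf/conf.apf && /usr/local/sbin/apf -s`. The readiness check is the part worth keeping around: a firewall started from rc.local with DEVEL_MODE="1" or without the SSH port open is the classic way to lose access to a remote box.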

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load all firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list all firewall rules
-t|--status ........................ output firewall status log
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob]*_hosts.rules and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

In addition, APF 9.6 (rev 2) and later include the RAB module, which replaces the antidos module of older versions. It can noticeably reduce the impact of denial-of-service attacks, but it requires the iptables kernel module ipt_recent. The screenshot below shows what I saw on my VPS after starting APF: a message that the RAB module could not be enabled because the kernel module ipt_recent was not found. So use it only when the kernel and the iptables modules support it.



FAQ

Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.

Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then run apf -r.

Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.

Solution: Change DEVEL_MODE="1" to DEVEL_MODE="0", but make sure your configuration works first.
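Both the RAB/ipt_recent problem described above and the ip_tables error in the FAQ only show up after `apf -s` has already run. As an added example (not from the original post and not part of APF), the POSIX shell functions below check for them beforehand. They assume the `KEY="value"` layout of conf.apf, read the loaded-module list in `lsmod` format (from a file when one is given, so saved output can be checked, otherwise from `lsmod` on the local host), and accept `xt_recent` as well as `ipt_recent`, since later kernels ship the same "recent" match under that name (my addition; the post only mentions ipt_recent).

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check run before
# `apf -s`. RAB needs the iptables "recent" match (ipt_recent on the kernels
# this post targets; later kernels call it xt_recent). APF also aborts when it
# cannot load ip_tables as a module, which is what SET_MONOKERN="1" is for.

# conf_value FILE KEY: the value of KEY="..." in conf.apf (first match only)
conf_value() {
    sed -n "s|^$2=\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# module_listed NAME [LSMOD_FILE]: 0 if NAME appears as a loaded module,
# read from LSMOD_FILE (lsmod format) or from lsmod itself when no file is given
module_listed() {
    name=$1; listing=${2:-}
    if [ -n "$listing" ]; then
        grep -qE "^${name}[[:space:]]" "$listing"
    else
        lsmod | grep -qE "^${name}[[:space:]]"
    fi
}

# rab_preflight CONF [LSMOD_FILE]: returns 1 when RAB="1" but neither
# ipt_recent nor xt_recent is loaded. When ip_tables is not listed either, it
# only prints a hint: a kernel with netfilter built in lists no module and
# still works once SET_MONOKERN="1" is set (see the FAQ).
rab_preflight() {
    conf=$1; listing=${2:-}
    if ! module_listed ip_tables "$listing" \
       && [ "$(conf_value "$conf" SET_MONOKERN)" = "0" ]; then
        echo "hint: ip_tables is not a loaded module; if apf aborts with" >&2
        echo "      'unable to load iptables module (ip_tables)', set SET_MONOKERN=\"1\"" >&2
    fi
    if [ "$(conf_value "$conf" RAB)" = "1" ] \
       && ! module_listed ipt_recent "$listing" \
       && ! module_listed xt_recent "$listing"; then
        echo "RAB=\"1\" but no ipt_recent/xt_recent module is loaded;" >&2
        echo "load it (modprobe ipt_recent or modprobe xt_recent) or set RAB=\"0\"" >&2
        return 1
    fi
    return 0
}

# sample_lsmod_file: writes a constructed lsmod listing (made up for this
# example, not captured from a real host) to a temp file and prints its path,
# so the check can be tried without root or a real iptables kernel
sample_lsmod_file() {
    f=$(mktemp)
    printf 'Module                  Size  Used by\n' > "$f"
    printf 'ip_tables              24576  1 iptable_filter\n' >> "$f"
    printf 'xt_recent              20480  0\n' >> "$f"
    echo "$f"
}
```

On a live host, `rab_preflight /etc/apf/conf.apf` (no second argument) reads the real lsmod output; a non-zero exit means RAB will fail to enable exactly as in the screenshot above, and the fix is either loading the module or setting RAB="0" before starting the firewall.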

Via:http://www.securecentos.com/basic-security/install-firewall/
