Install instructions

Please note that you must have APF installed before you install BFD. The installation guide for APF is located here.

1. Download and extract BFD

wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
gzip -d bfd-current.tar.gz
tar -xf bfd-current.tar

2. Move to the extracted directory

cd bfd-0.9/

3. Run the installer

./install.sh

After the installer runs you should see something like


BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

4. Edit the configuration files

pico /usr/local/bfd/conf.bfd

The only things that I suggest changing are:
- ALERT_USR=”0″ to ALERT_USR=”1″
- EMAIL_USR=”root” to EMAIL_USR=”you@domain.com”

BFD works by running a cron every 5 minutes to check for login attempts. You can customize the rules used for any of the monitored services by editing the appropriate rule located in /usr/local/bfd/rules

If you have any questions about BFD please leave a comment and I will try to answer each and every question.

APF is one of the best firewalls out there and is an important component in your server security. Every server should have a firewall installed !

How to install APF

1. Download the package and extract the files

wget http://www.r-fx.ca/downloads/apf-current.tar.gz
gzip -d apf-current.tar.gz
tar -xf apf-current.tar
cd apf-0.9.6-2/

2. Do the actual install

./install.sh

You will get something like

Installing APF 0.9.6-2: Completed.

Installation Details:
  Install path: /etc/apf/
  Config path: /etc/apf/conf.apf
  Executable path: /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path: /etc/apf/ad/conf.antidos
  DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
  Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
  Listening UDP ports: 53
  Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

3. You have to configure the firewall now

pico /etc/apf/conf.apf

I will only show you the basic configuration. APF is a very powerful firewall and you should read every setting carefully.
We will limit inbound access ports. Locate in the /etc/apf/conf.apf the section “IG_TCP_CPORTS” and use the fallowing lines:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=”20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2089,2095,2096,3306,5432,61001_65535″

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”21,53,465,873″

NOTE! This is what I use for most servers and should also work well with your server but I provide no guarantee! If you have a custom ssh port or you run a server on a different port you should add that to IG_TCP_CPORTS or to IG_UDP_CPORTS.

4. Now it’s time to test the configuration. Do a apf restart:

service apf restart


Now test to see if everything is ok and that you can access all your services just fine.
If everything is ok proceed to next step. You for some reason you get locked out just wait about 5 minutes as the firewall is set in test mode and will flash itself out after that period.
Go back and check all the settings and then restart apf again.

5. Finalize the install

If everything is ok after the initial tests you have to set APF into “production” mode.
Edit /etc/apf/conf.apf and change DEVEL_MODE=”1″ to DEVEL_MODE=”0″
Go ahead and restart apf one last time:

service apf restart

For more information about apf configuration please feel free to consult http://rfxnetworks.com/appdocs/README.apf
Please note that APF has a very nice log that you can check. For example you can tail the last 10 rows for this files

tail -10 /var/log/apf_log

If you what to deny IP 1.2.3.4 you have to run the command:

apf -d 1.2.3.4 RESON

Unbanning an IP can by done by running:

apf -u 1.2.3.4

Also banning and unbanning can be done by editing the file /etc/apf/deny_hosts.rules

pico /etc/apf/deny_hosts.rules

After you do any changes don’t forget to restart APF

service apf restart

Hope this helps !