1. Advanced Policy Firewall — APF Installation

Here we are going to install an awesome firewall onto your server: Advanced Policy Firewall (APF).
Description of the software from the APF site:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many server environments based on Linux.
Summary of features:
– global ports configuration via simple config file
– configurable policies for each ip on the system [global config overrides]
– powerful postrouting rules for FWMARK and TOS
– plug-in friendly for QoS [CBQ/HTB]
– antidos subsystem to stop attacks before they become a significant threat
– dshield.org block list support to ban networks exhibiting suspicious activity
– advanced set of sysctl parameters for TCP stack hardening
– advanced set of filter rules to remove undesired traffic
– easy to use firewall management script
– trust based rule files (allow/deny); with advanced syntax support

1. Make /usr/src the current working directory.
cd /usr/src
2. Obtain the most current version of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed
(APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
6. Make the APF directory the current working directory.
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
cd apf-0.9
7. Run the APF install.
sh ./install.sh
8. Make /etc/apf the current working directory.
cd /etc/apf
9. Edit the conf.apf file as desired.
pico -w conf.apf

In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,10000,35000_35999"
Please note that ports 2082 to 2095 are mostly used by cPanel, and port 19638 is only used in

# Common ingress (inbound) UDP ports


* RAB="0" to RAB="1"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"

Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface.

Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config.

In IG_TCP_CPORTS, locate 22 and change it to your SSH port IF you changed it in your sshd_config.

10. After you have finished editing the ports, save the file and test APF.
CTRL-x, then y to save, then Enter to confirm
11. Start APF by typing:
./apf --start
service apf start
12. If APF is functioning properly and you are not locked out, edit conf.apf again.
pico -w conf.apf
13. When you’re happy with your firewall and everything works fine, edit conf.apf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0".

14. Once done, save the file and exit.
CTRL-x, then y to save, then Enter to confirm
15. Restart APF
service apf restart

Make sure APF starts automatically after a restart:

chkconfig --add apf
chkconfig --level 345 apf on

Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then run apf -r

Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
Solution: You need to change DEVEL_MODE=1 to DEVEL_MODE=0; make sure your config is working first.
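
A pre-flight check for the lockout risk in the steps above, as an added example that is not part of APF or of the original how-to. It reads the sshd port from sshd_config and confirms that it appears in IG_TCP_CPORTS (underscore ranges included) and matches HELPER_SSH_PORT; the function names and the sample files it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of APF): check conf.apf against sshd_config before
# setting DEVEL_MODE="0". File paths are arguments so copies can be checked.

# conf_value FILE KEY: print the value of KEY="..." (last assignment wins)
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"#]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# sshd_port FILE: first uncommented Port directive, or 22 if there is none
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# port_allowed LIST PORT: succeed if PORT is in an APF port list such as
# "22,80,35000_35999" (an underscore marks a range)
port_allowed() {
    for entry in $(echo "$1" | tr ',' ' '); do
        case $entry in
            *_*) [ "$2" -ge "${entry%_*}" ] && [ "$2" -le "${entry#*_}" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# preflight CONF SSHD_CONFIG: return 0 if the SSH port will stay reachable
preflight() {
    port=$(sshd_port "$2")
    if ! port_allowed "$(conf_value "$1" IG_TCP_CPORTS)" "$port"; then
        echo "LOCKOUT RISK: sshd port $port missing from IG_TCP_CPORTS"; return 1
    fi
    if [ "$(conf_value "$1" HELPER_SSH_PORT)" != "$port" ]; then
        echo "MISMATCH: HELPER_SSH_PORT differs from sshd port $port"; return 1
    fi
    echo "OK: sshd port $port allowed; DEVEL_MODE=$(conf_value "$1" DEVEL_MODE)"
}

# Constructed sample files: sshd moved to 2222 but conf.apf still lists 22
demo=$(mktemp -d)
printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="22,80,443,35000_35999"\nHELPER_SSH_PORT="22"\n' > "$demo/conf.apf"
printf '#Port 22\nPort 2222\nProtocol 2\n' > "$demo/sshd_config"
preflight "$demo/conf.apf" "$demo/sshd_config" || echo "fix conf.apf before changing DEVEL_MODE"
```

On a real server, call preflight /etc/apf/conf.apf /etc/ssh/sshd_config while DEVEL_MODE is still "1".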

Enabling connections for server monitoring.

Some service providers that offer monitoring need access to your server, and access
without setting off alarms, firewalls etc. is a good thing. Just be careful which IP(s) you put in here.

1. To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
2. At the very end of the file add this line
Of course replace the xx.xx.xx.xx with the IP address provided to you.

2. BFD (Brute Force Detection)

What is Brute Force Detection? (BFD)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple: the fact that there are little to no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans.
This How-To will show you how to install BFD on your Linux Server to prevent and monitor brute force hack attempts.
This software like some others has requirements. You must be running APF / Advanced Policy Firewall for Brute Force Detection to work.
1. Login to your server via SSH as Root.
2. Type:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. Type:
tar -xvzf bfd-current.tar.gz
4. Type:
cd bfd*
5. Now let’s install BFD onto the server.

:: You Should See ::
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Now we need to edit the configuration file, and set some options.
Don’t worry the BFD Configuration isn’t hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd
7. Now we need to find the line to edit:
Right below that we need to change the email:
Change EMAIL_USR="root" TO EMAIL_USR="you@yoursite.com"
8. That wasn’t too bad. Let’s save and exit the file.
Press: CTRL-X then type Y then hit enter
9. Now we have to prevent locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts
10. Add any IP address that you want to be ignored from the rules.
If your server provider is doing monitoring add their IP(s) here.
Since you need these IPs open in APF as well you can copy the IPs you used in APF.
Type: pico -w /etc/apf/allow_hosts.rules
Then scroll down to the bottom and copy those IPs (drag the mouse over them, that’s it).
Press: CTRL-X
Type: pico -w /usr/local/bfd/ignore.hosts
Paste those IPs to the bottom. You should also add your home IP if you hadn’t done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X then Y to save then enter.
Now let’s run BFD!
Type: /usr/local/sbin/bfd -s


3. CHKROOTKIT Installation How-To:

1. Login to your server as root. (SSH)
2. Type:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Type:
tar xvzf chkrootkit.tar.gz
4. Change to new directory
cd chkrootkit*
5. Compile It
make sense
6. Now give it a test.

Everything should read not found, and/or not infected
This is a GOOD thing!

How-To make chkrootkit e-mail you daily :

1. Login to your server as root. (SSH)
2. Type:
crontab -e
3. Add this line to the top:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
This will run CHKROOTKIT at 1am every day, and e-mail the output to root.
If you are in PICO:
CTRL-X, Y, Enter to save and exit
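
A daily mail that always has the same subject is easy to ignore, so here is a small wrapper that puts the result of the run in the subject line. This is an added example, not part of chkrootkit or of the original how-to; the function names are made up for illustration and the sample output is constructed in the format chkrootkit prints.

```sh
#!/bin/sh
# Added example (not part of chkrootkit): pick a mail subject for the nightly run.

# findings: chkrootkit output on stdin, lines needing attention on stdout.
# Case-sensitive on purpose, because every clean line reads "not infected".
findings() {
    grep -E 'INFECTED|hidden for .* command|Possible .* Trojan' || true
}

# subject_for FILE: subject line for a saved chkrootkit run
subject_for() {
    # No "Checking" lines means chkrootkit did not run; that is not "clean".
    if ! grep -q '^Checking ' "$1"; then
        echo "[ALERT] chkrootkit: no checks in output, did it run?"
        return 0
    fi
    n=$(findings < "$1" | grep -c . || true)
    if [ "$n" -gt 0 ]; then
        echo "[ALERT] chkrootkit: $n suspicious line(s)"
    else
        echo "[ok] chkrootkit: nothing found"
    fi
}

# run_and_mail DIR: what cron would call instead of the one-line pipeline
# (DIR is your chkrootkit directory; mail and root are as in the cron line)
run_and_mail() {
    out=$(mktemp)
    (cd "$1" && ./chkrootkit) > "$out" 2>&1 || true
    mail -s "$(subject_for "$out")" root < "$out"
    rm -f "$out"
}

# Constructed sample output
sample=$(mktemp)
cat > "$sample" <<'EOF'
Checking `ifconfig'... INFECTED
Checking `login'... not infected
Checking `lkm'... You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
subject_for "$sample"
```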

4. Disabling Direct Root Login (SSH)

If you’re using cPanel, make sure you add your user (anotheruser below) to the ‘wheel’ group so that you will be able to ‘su -’ to root; otherwise you may lock yourself out of root.
Set up anotheruser if you haven’t already got one:
a. Type: groupadd anotheruser
b. Type: useradd anotheruser -g anotheruser
c. Type: passwd anotheruser
and enter a password for the new account.
On a cPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.
After you do this, you will have to login as anotheruser, then ‘su -’ to get to root.

If you need this option send SLHOST an email to support@slhost.com

5. Disabling Telnet Access

Telnet should be disabled, and you should use SSH. Telnet sends passwords in plain text, and ‘crackers/hackers’ can obtain these passwords easily compared to SSH, and then take over your dedicated web server.

1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to
disable = yes.
3. CTRL+x, then y then enter to save the file.
Restart xinetd with:
/etc/rc.d/init.d/xinetd restart

6. Force the use of SSH protocol 2

SSH Protocol 1 based systems are facing many automated “root kits”.
As a result, to step up security, Protocol 2 should be enabled as soon as possible.
The reason to use SSH Protocol 2 on your dedicated webserver is that it is more secure.
1. Type: pico -w /etc/ssh/sshd_config
2. Find the line: #Protocol 2,1
Uncomment it and change it to look like:
Protocol 2
3. CTRL+x, then y then enter to save the file.
4. Now Restart SSH with
/etc/rc.d/init.d/sshd restart
(If the above restart does not work you will need to login to WHM as root
and restart the service.)

7. How to install mail scanner

How to install mail scanner (Mail Scanner & ClamAV Installation)

This is an add-on to Exim. Exim is still the MTA, Mail Scanner does the scanning and ClamAV is the AV system.
This will help in preventing the spread of viruses through your webserver. It will deny/block the viruses
so that they do not reach the recipient. ClamAV can be used at the command line; however, the main purpose of this
software is integration with mail servers (attachment scanning), which is what Mail Scanner & ClamAV do.

1. Login to your server via SSH.
2. Type:
wget http://layer1.cpanel.net/mailscanner…all-1.5.tar.gz
3. Type:
tar zxvf mailscanner-autoinstall-1.5.tar.gz
4. Type:
cd mailscanner*
5. Type:
This may take up to 5 minutes to download and install all the libraries required for Mail Scanner.
6. If the above finished and brought you back to the prompt, go to step #7; if not, continue with step 6.
Press: CTRL-C
Type: pico -w install
Comment out these lines w/ a #

print "Installing Perl Modules...";
ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
print "Done\n";

So they look like this:

#print "Installing Perl Modules...";
#ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
#print "Done\n";

Login to WHM as Root.
Install the above Modules in WHM’s Perl Module Installer.
Type: ./install
Then goto Step #7 when install finishes
7. Type:
killall -9 MailScanner
8. Type:

If you want to look at the Mail Scanner configuration file you can do so by.
Type: pico -w /usr/mailscanner/etc/MailScanner.conf
DO NOT enable anything to do with SpamAssassin.

8. Jail all users

Let’s prevent the users from accessing any directories/files outside of their home directory.
This is a great security precaution and should be done.

1. Login to WHM as root.
2. Account Functions
Manage Shell Access
Jail All Users

If possible it is best to NOT grant shell access to users at all.

9. Remove Trojan by CHKROOTKIT

*NOTE* This is a HUGE step “INTO” your server. Doing anything wrong can severely damage your server and make it non-responsive. Do this entire how-to at your own risk. This is NOT a substitute for re-installing the OS; this is simply another WAY to remove a rootkit called T0rnkitv8.
If you have not already done so do this step first.

Login to WHM as root
Click Tweak Settings
and please remove the tick from
[ ] Allow cPanel users to reset their password via email

1. Login to your server via SSH

2. Run CHKROOTKIT. If you do not have this installed then visit CHKROOTKIT Installation and continue once you do.
You will see some INFECTED lines/files. It should also report hidden processes.
Here’s an example of partial output.
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Type: /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

3. Type: top
You may/will then see:
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

4. Type: /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,

Infected Libraries:


BackDoor: (located at /lib/lblip.tk)
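
A quick way to look for the files listed above, as an added example that is not from the original how-to. It takes a root prefix so it can be pointed at a mounted system image such as /mnt/sysimage in rescue mode, and it uses the shell's own file test because ls and find are on the infected-binaries list; the function name and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: look for the T0rnkit paths listed above under a root prefix.
T0RN_PATHS="/usr/include/file.h /usr/include/proc.h /lib/lidps1.so
/usr/include/hosts.h /usr/include/log.h /lib/lblip.tk /dev/sdr0 /lib/ldd.so"

# t0rn_scan ROOT: print one FOUND line per indicator present under ROOT
t0rn_scan() {
    root=${1%/}
    for p in $T0RN_PATHS; do
        # [ -e ] is a shell builtin, so a replaced ls or find is not involved
        if [ -e "$root$p" ]; then echo "FOUND $root$p"; fi
    done
    # The startup line the cleaning steps remove from rc.sysinit
    if grep -q '/usr/sbin/xntps' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        echo "FOUND xntps startup line in $root/etc/rc.d/rc.sysinit"
    fi
}

# Constructed sample tree standing in for a mounted system image
img=$(mktemp -d)
mkdir -p "$img/usr/include" "$img/lib/lblip.tk" "$img/etc/rc.d"
: > "$img/usr/include/hosts.h"
printf '# Xntps (NTPv3 daemon) startup..\n/usr/sbin/xntps -q\n' > "$img/etc/rc.d/rc.sysinit"
t0rn_scan "$img"
```

A FOUND line means the path needs a closer look; an empty result on a running system is weaker evidence than an empty result from rescue mode.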



Now, let’s start the cleaning process:

1. Type: pico /etc/rc.d/rc.sysinit
Remove the lines that show:
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

2. Reboot the system.
WARNING: 2 servers got their kernel removed after reboot.

If yours does this too, and that is what the data center complains about after reboot, please ask them to do the following:

reboot the system using the Red Hat CD into rescue mode
chroot to /mnt/sysimage
reinstall kernel packages
That should fix it.

Since already in rescue mode, perhaps also ask them to --force install the following RPMs


3. After the system is up
Type: cd /lib
Type: rm -rf lblip.tk
4. Remove the configuration files given above.
5. Type: cat /etc/redhat-release
Note down your version of Red Hat, then from
search for the following RPMs


and install them with rpm --force

6. If you see the hosts.h file, it says to hide all IPs from
Type: cat /usr/include/hosts.h
If you want, you can block all the IPs from 193.60 to your server via iptables.
Or if you have APF you can add them to the Deny File.

7. If the above is completed.
Reboot the Server & Run CHKROOTKIT again.

10. Secure /tmp Directory ( Very Important )

Many hackers/malicious users are exploiting the /tmp directory to execute files. This is a huge security problem for dedicated server owners as it practically leaves your server wide open for a complete takeover.
The following is how to secure your /tmp directory using a cPanel script.
You MUST have cPanel installed for this to work.

1. Login to your server as root via SSH.
2. Type: /scripts/securetmp
That’s it, you’re done. cPanel wrote that script to allow users to secure their /tmp directory very easily.