[CentOS] Help: Server security compromised?

Thu Aug 7 15:53:45 UTC 2008
Ray Leventhal <centos at swhi.net>

Noob Centos Admin wrote:
>
>
> On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu <sorin.srbu at gmail.com 
> <mailto:sorin.srbu at gmail.com>> wrote:
>
>     Seen this?
>
>     http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
>
> Unfortunately, only after you pointed it out :(
> But thankfully whoever wrote APF apparently knows this, hence it does 
> insert an automatic reset of the firewall after 5 minutes

Hi,

My US$0.02 on this.....I'm a fan of apf as a front-end to iptables...but 
it takes some reading to understand the switches and the entire RAB 
(reactive address blocking) configuration options.  Sadly, RAB is poorly 
documented, but with a bit of tinkering, I've enjoyed this feature 
tremendously as it cuts down on the hammering I used to get to port 22 
by the bots and script kiddies.

If you've a static IP at your workstation, add your IP address to the 
apf nicely formed 'allow_hosts.rules' file, usually located in 
/etc/apf.  This is a simple IP address or IP block list (using slash 
notation, i.e. 192.168.1.0/24) to allow access to an IP or range of 
IPs.  Further, the deny_hosts.rules list is the same format for hosts to 
always deny.

/usr/local/sbin/apf -a <ip address || ip block>
will add to the allow list *and* flush and reload the iptables back-end 
so you don't have to restart apf.

Likewise,
/usr/local/sbin/apf -d <ip address || ip block>
will add to the deny list *and* flush and reload the iptables back-end 
so you don't have to restart apf.

Once the firewall is configured properly, set DEVEL to 0 in the conf.apf 
file, then restart apf.  The authors rightly include DEVEL mode, which 
crons a shutdown every 5 mins so you're not locked out for long.  Trust 
me, I've been bitten by this (more than I care to admit).

There are other CLI switches, all well documented on the apf site 
(http://rfxnetworks.com/apf.php)
http://rfxnetworks.com/appdocs/README.apf

HTH,
-Ray

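An added example, not part of Ray's message or of APF itself: a pre-flight check for the lock-out problem the thread is about. It parses the plain one-IP-or-CIDR-per-line form of allow_hosts.rules and deny_hosts.rules that Ray describes (any other entry syntax is assumed absent and is reported as malformed), and reports whether the admin workstation address would be left out of the allow list or caught by a deny block before apf reloads iptables. The file contents and addresses below are constructed samples.

```python
"""Lock-out check for APF allow/deny lists (added example, not APF's own code)."""
import ipaddress


def parse_rules(text):
    """Return ip_network objects for each entry in an APF rules file body.

    Assumes the simple format described in the message: one IP address or
    CIDR block per line, '#' starting a comment. A line that is neither is
    reported with its line number so it can be fixed before apf reloads.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
    return nets


def lockout_risk(workstation, allow_text, deny_text):
    """Return a list of findings; an empty list means the workstation stays reachable."""
    ws = ipaddress.ip_address(workstation)
    allow = parse_rules(allow_text)
    deny = parse_rules(deny_text)
    findings = []
    if not any(ws in net for net in allow):
        findings.append(f"{ws} is not covered by any allow_hosts.rules entry")
    for net in deny:
        if ws in net:
            findings.append(f"{ws} is covered by deny_hosts.rules entry {net}")
    return findings


# Constructed sample file bodies (not real configuration)
ALLOW = "# admin workstation\n203.0.113.10\n192.168.1.0/24\n"
DENY = "198.51.100.0/24\n203.0.113.0/24   # typo: denies the admin's own block\n"

if __name__ == "__main__":
    for finding in lockout_risk("203.0.113.10", ALLOW, DENY) or ["no lock-out risk found"]:
        print(finding)
```

Run it against the real files (for example `/etc/apf/allow_hosts.rules`) before `apf -d` or before setting DEVEL to 0, so the 5-minute safety net is a backstop rather than the first line of defence.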