[BlueOnyx:15929] Re: apf too picky

Meaulnes Legler @ MailList bluelist at waveweb.ch
Tue Sep 9 18:45:59 -05 2014


thank you Michael!

Meaulnes Legler
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

On 10.09.14 01:16, Michael Stauber wrote:
> Hi Meaulnes,
>
>> talking about firewalls, I'm a bit unhappy about my apf
>> configuration, I get kicked out after a single false login...
>>
>> How can I raise this number? I went through /etc/apf
>> files but couldn't find the appropriate option
>
> As some have already mentioned: APF is just the firewall. The blocking is
> done by a separate component.
>
> In the past APF included BFD (the "Brute Force Detector"). But this has
> been discontinued recently.
>
> Your VPS's are already using a modified DFIX2 instead. DFIX2 constantly
> monitors the logfiles for suspicious activity and has finely tuned event
> triggers. It can whitelist and blacklist.
>
> For example: If you successfully log in via POP3 or IMAP, then your IP
> will be temporarily whitelisted. So just 1-3 freak "false logins" within
> the next minutes won't result in a blocking event. We can also generate
> more complex rules that trigger on single events, a certain number of
> events, or on behavior that occurs over time.
>
> Usually DFIX2 uses access deny, but yours interfaces with the APF
> firewall to dynamically generate (and remove) blocks for offending IP
> addresses.
>
> The rules for DFIX2 are located in /etc/sec/ and it logs events to
> /var/log/sec
>
> So you might want to do two things:
>
> a.) Check /var/log/sec to see which rule triggered to block you. Then
> you can either adjust the rule, or can see if the blocking happened for
> more or less good reasons.
>
> b.) Edit /etc/apf/allow_hosts.rules and (following the examples in it)
> add your IP to the whitelisted IP address range.
>
> Changes in the DFIX2 config files require DFIX2 to be restarted:
>
> /sbin/service sec restart
>
> Changes in the APF config files require that APF is restarted:
>
> /sbin/service apf restart
>
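Steps a.) and b.) from the quoted reply, as an added shell example that is not part of the original thread and is not code from BlueOnyx, DFIX2 or APF. The function names are hypothetical, the layout of /var/log/sec is not assumed (lines are matched on the address only), and a bare address per line in /etc/apf/allow_hosts.rules is an assumption to check against the examples in that file.

```sh
#!/bin/sh
# Added example, not from the thread. Defaults are the two paths named in the message.
SEC_LOG="${SEC_LOG:-/var/log/sec}"
APF_ALLOW="${APF_ALLOW:-/etc/apf/allow_hosts.rules}"

# Succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the log lines that mention the address as a whole token, so that
# 10.0.0.5 does not also pull in 10.0.0.50 or 110.0.0.5. No log layout is assumed.
sec_events_for_ip() {
    pattern=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|[^0-9.])${pattern}(\$|[^0-9.]|\\.(\$|[^0-9]))" "$SEC_LOG"
}

# Append the address to the allow file unless that exact line is already there.
# Assumption: one bare address per line is an accepted entry.
allow_ip() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    if grep -qxF "$1" "$APF_ALLOW" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$1" >> "$APF_ALLOW"
}

# Run as: sh script.sh <your-ip>
if [ $# -eq 1 ]; then
    is_ipv4 "$1" || { echo "usage: $0 <ipv4-address>" >&2; exit 2; }
    sec_events_for_ip "$1" || echo "no lines for $1 in $SEC_LOG"
    allow_ip "$1" && /sbin/service apf restart
fi
```

Setting SEC_LOG and APF_ALLOW in the environment points the functions at copies of the files for a dry run.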





