[BlueOnyx:15927] Re: apf too picky

Michael Stauber mstauber at blueonyx.it
Tue Sep 9 18:16:31 -05 2014


Hi Meaulnes,

> talking about firewalls, I'm a bit unhappy about my apf 
> configuration, I get kicked out after a single false login...
> 
> How can I raise this number? I went through /etc/apf 
> files but couldn't find the appropriate option

As some have already mentioned: APF is just the firewall. The blocking is
done by a separate component.

In the past APF included BFD (the "Brute Force Detector"). But this has
been discontinued recently.

Your VPSs are already using a modified DFIX2 instead. DFIX2 constantly
monitors the logfiles for suspicious activity and has finely tuned event
triggers. It can whitelist and blacklist.

For example: If you successfully log in via POP3 or IMAP, then your IP
will be temporarily whitelisted. So just 1-3 freak "false logins" within
the next minutes won't result in a blocking event. We can also generate
more complex rules that trigger on single events, a certain number of
events, or on behavior that occurs over time.

Usually DFIX2 uses access deny, but yours interfaces with the APF
firewall to dynamically generate (and remove) blocks for offending IP
addresses.

The rules for DFIX2 are located in /etc/sec/ and it logs events to
/var/log/sec

So you might want to do two things:

a.) Check /var/log/sec to see which rule triggered to block you. Then
you can either adjust the rule, or can see if the blocking happened for
more or less good reasons.

b.) Edit /etc/apf/allow_hosts.rules and (following the examples in it)
add your IP to the whitelisted IP address range.

Changes in the DFIX2 config files require DFIX2 to be restarted:

/sbin/service sec restart

Changes in the APF config files require that APF is restarted:

/sbin/service apf restart

-- 
With best regards

Michael Stauber
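A small POSIX shell helper for the two steps above (find the log lines for your IP in /var/log/sec, then whitelist the IP in /etc/apf/allow_hosts.rules), added here as an example and not part of BlueOnyx, APF or DFIX2. It assumes /var/log/sec mentions the blocked IP in plain text and that allow_hosts.rules takes one IPv4 address or CIDR block per line; the sample log and allow-list contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example; not part of BlueOnyx, APF or DFIX2 (assumptions: plain-text IPs
# in /var/log/sec, one IPv4 address or CIDR block per line in allow_hosts.rules).

# Print every DFIX2 log line that mentions the given IP, so you can see
# which rule fired. Usage: sec_events_for_ip IP [LOGFILE]
sec_events_for_ip() {
    # -F: literal match, -w: whole word, so 10.0.0.1 does not match 10.0.0.10
    grep -Fw -- "$1" "${2:-/var/log/sec}" 2>/dev/null
}

# Succeed only for a syntactically valid IPv4 address or IPv4 CIDR block.
# This keeps shell metacharacters and garbage out of the firewall config.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Append IP to the APF allow list if valid and not already present.
# Returns 0 when the IP is listed afterwards, 1 when the input is rejected.
# Usage: apf_whitelist_ip IP [RULESFILE]
apf_whitelist_ip() {
    ip="$1"; rules="${2:-/etc/apf/allow_hosts.rules}"
    if ! is_ipv4_or_cidr "$ip"; then
        echo "refusing to add '$ip': not an IPv4 address or CIDR block" >&2
        return 1
    fi
    # Ignore comment lines; -x matches the whole line so 10.0.0.1 != 10.0.0.10
    if grep -v '^#' "$rules" 2>/dev/null | grep -Fxq -- "$ip"; then
        echo "$ip is already in $rules"
        return 0
    fi
    printf '%s\n' "$ip" >> "$rules" && echo "added $ip to $rules"
}

# Number of non-comment, non-empty entries in the allow list.
apf_allow_count() {
    grep -v '^#' "${1:-/etc/apf/allow_hosts.rules}" 2>/dev/null | grep -c .
}

# Both daemons re-read their configs only on restart (as the post says).
restart_sec_and_apf() {
    /sbin/service sec restart && /sbin/service apf restart
}
```

Run `sec_events_for_ip YOUR.IP` first to read which rule blocked you, and only then decide whether whitelisting or adjusting the rule in /etc/sec/ is the right fix.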
