How to install (D)DoS Deflate and APF (Advanced Policy Firewall) to block bad IPs

Discussion in 'Solutions and Extensions' started by MislavO, Feb 26, 2014.

  1. MislavO

    MislavO Kilo Poster


    You could probably find tutorials using google, but here it is, at one place.

    Before few days I had problems with one of the servers I administrate and situation on the server was as follows:
    - totally slow network, websites loading was 10-20sec (30)
    - at first I though, ok, slow loading, server load is high and some client is doing problems
    - after connecting to the server and checking statistics - server CPU was all the time on 20-30%, memory was fine, all services were up-and-running so where is the problem?
    - server wasn't on latest #MU, it was just missing 2-3 updates (I'm talking about plesk 11.5) and I could saw in history of changes no security updates whatsoever, but what ever, lets give it a try - nothing, didn't helped
    - i did apt-get update && upgrade - still nothing
    - current status was that everything is up-to-date, however there are still problems
    - listing connections on the server with command:
    - there was so many connections from few IPs that I was like wow...after blocking them, server status was normal again (probably some kind of DDOS attack)

    At this point, since Plesk doesn't have something like CSF on cPanel, I knew I need something to block this "bad" IPs or at least the ones with a lot of connections automatically, without me doing it manually.

    After using google, searching and reading documentation, I've installed successfully (D)DOS Deflate and APF (Advanced Policy Firewall).

    What is (D)DOS deflate?

    What is APF (Advanced Policy Firewall)?

    What can you do with this two/what do they do? For start, please do take 5-10mins and read above what they are.
    - you can setup cron to run every X minute to check for connection number (I personally run script every minute, why not? it lists only IP addresses and that takes few seconds, there is no load on your CPU, you can even set-up it to run with command nice, if you want to)
    - script is automatically blocking IP address if there are more then XX connections from it - you specify the number in configuration (more later)
    - you can at any time unblock/block current/new IP address (more later) // make sure you whitelist your local IP address from office or local network range or you might end up like me blocked and then laugh hahaha, well, good thing is I could switch to another internet provider and change IP and then connect to the server->unblock myself->whitelist myself
    - email is sent you (root)
    - you choose ban period (in addition you can block whole IP/network range with APF permanently - more later)
    - with APF you choose what ports you would like to open on the servers, all other ports will not work, firewall
    - if I forgot something, I will probably mention later on when explaining everything

    (D)DOS Deflate:
    # wget
    # chmod 0700
    # ./

    APF (Advanced Policy Firewall):
    # wget
    # tar xfz apf-current.tar.gz
    # cd apf-9.*
    # ./

    After installation, lets configure settings.

    First, lets edit "Deflate" conf:
    # nano /usr/local/ddos/ddos.conf

    - config file will look like this one:
    Change following as follows:
    - NO_OF_CONNECTIONS - I choose something like 150; I think that is pretty high number and everything above that should be blocked - you can set this lower, lets say, 75-150, but don't go to anything above 300 or 500, that is way too much!
    - APF_BAN - leave this on 1, as we configure APF for this one
    - EMAIL_TO - email will come to your email, if you ofcourse, want to receive emails (I don't see why not, create new folder in your mail, filter messages as there might be a lot of them)
    - BAN_PERIOD - I strongly suggest that you set to something like 1800-3600 (30-60mins), don't set this number very low, better to set higher number, if customers will complain, if some of them get blocked, you can unblock them in a matter of second, question is, what were they doing to get e.g. 300 connections to get blocked?

    Now, lets configure APF conf:
    - this conf is really good commented by default, so you can read it
    - before going in config file, you'll need to use command "ifconfig" in order to find out under which ethX you're running (most likely eth0 or eth1, but it can be different)
    - since the file is pretty big, I will post just things that are mandatory in other to make it work and have it up-and-running

    # nano /etc/apf/conf.apf (find variables and replace them)
    - DEVEL_MODE="0" (set this option to 1 until you're happy with the settings)
    - IFACE_IN="eth0" (set this to whatever is result from ifconfig)
    - IFACE_OUT="eth0" (same as IFACE_IN)
    - IG_TCP_CPORTS="21" (make sure you include here all email ports, SSH port, website ports, because if you leave default value here, no website/email will be working on the server) - mine is set to something like this:
    - same goes for variable IG_UDP_CPORTS, EG_TCP_CPORTS, EG_UDP_CPORTS


    Lets try to start everything and DEBUG:
    - Restart DDos Deflate
    # cd /usr/local/ddos/ && ./ -c
    - great, error before we started...lets fix it
    # nano /usr/local/ddos/

    - as error said, line 13 is the problem:
    change it to
    - save the with changes and restart Deflate again:
    # cd /usr/local/ddos/ && ./ -c
    - on some distributions and OS this will work, but I'm running here Debian 7 and there is no crond startup, just cron, so lets edit the file again:
    # nano /usr/local/ddos/
    - find and replace all crond with cron (only if you have this error) - on line 70, 81 you will see "service crond restart", change it to "service cron restart"
    - save the file and exit
    - restart Deflate again with:
    # cd /usr/local/ddos/ && ./ -c

    - now we've successfully restart Deflate, lets start APF now with command:
    # /usr/local/sbin/apf -s

    There are also other commands/parameters you can use:
    -s - start APF
    -r - restart APF
    -f - stop APF (if something is not working, stop the APF immediatelly, debug later)
    -l - list statistics
    -st - status of APF
    -u - unban IP (in case you want to unban some IP that is already banned and you see it when running "/usr/local/sbin/apf -l", syntax is "/usr/local/sbin/apf -u IP")
    -a host - allow connections from "host" (e.g. if you can to whitelist IP, example: /usr/local/sbin/apf -a XX.XX.0.0/16 - you can include just single IP or whole network)
    -d host - deny connections from "host" (same as above example, you're just using -d)

    How do you know if this is working? Simply check the connections from IP with command:
    If you've setuped email in ddos.conf and there is IP that is greater then defined NO_OF_CONNECTIONS, you will receive email. You can also see that IP in file "/etc/apf/deny_hosts.rules" on the bottom of the file (please note that IP will be in file only long as you specify BAN_PERIOD).

    If you need to unblock the IP address, simple remove line in "/etc/apf/deny_hosts.rules" and restart APF with command:
    # /usr/local/sbin/apf -r

    To make everything work, setup cron under your root user as follows:
    * * * * * cd /usr/local/ddos/ && ./ (this will check for new IP connections and block them - setting cron is MANDATORY, however schedule it by your needs)

    Please read their comments in configuration carefully if you're changing something that I didn't mention here.

    Feel free to ask any question. I will update this topic in case I find something additional that could be usefull.

    EDIT 1 - 27/2/2014:
    - find attached tutorial below (add_banned_ip_in_subject.txt) and check comment #2 for changes

    Attached Files:

    Last edited: Feb 27, 2014
  2. GravuTrad

    GravuTrad New Member

  3. MislavO

    MislavO Kilo Poster

    Hi there, thank you.

    I've updated my first post and I added modified add_banned_ip_in_subject.txt. "How to do it" is explained as well in the file.

    Since there is a limit of 10k characters, I'm posting here changes.

    Changes - nothing special, I just added few lines to have banned IP address in the subject as well, so you can sort later way more easy all emails and blacklist IP address if you see that the same is getting blocked almost every day, few times.
    - by default, you will receive email with subject looking like this:
    - now, with modifications, you will receive with:
    - banned IP will be in subject
  4. LucasMontanheiro

    LucasMontanheiro New Member

    I use Debian and my running this well:

    Is this normal?
  5. MislavO

    MislavO Kilo Poster

    I'm currently on vacation, but I'll check this out, but no, this is not normal. I will check what exactly is on this lines - restart was succesful, not sure though about this 'let' and what kind of directory need to be created/does not exists.
  6. LucasMontanheiro

    LucasMontanheiro New Member

    You can enjoy your holiday, I'm using CSF meantime. When you have some time to resolve, you post.
  7. MislavO

    MislavO Kilo Poster

    Well, CSF is far better solution then this one to be honest, I'm using CSF on our cPanel servers.

    Anyway, I've tested this on our server running Debian 7 and I can't reproduce the above (your) errors. What version are you using?
  8. LucasMontanheiro

    LucasMontanheiro New Member

    Have uninstalled and am using the CSF with an adaptation Deflate.

    So far this well, more my problem is the DDoS, since working with games, I will hire a company specializing in the game, with better protection.

    Thank you for your attention.
  9. Jyosua

    Jyosua New Member

    Add this to the top of the script:

    #! /bin/bash
    See this thread for an explanation:

    Thanks for this thread, guys! It has helped me a lot.
  10. Tsi-Shawn

    Tsi-Shawn Bit Poster

    I have tried this twice and each time I have the same problem. Running netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n will sort the connections by IP and number of connections but at the top of the list is always a single number: See below.


    Then I will get an email that says:

    Banned the following ip addresses on Wed Sep 10 09:26:01 EST 2014

    78 with 78 connections

    This repeats over and over with different numbers. How do I fix this? What would cause this?
    I would love to use the script again but until this stops I can't.
  11. MislavO

    MislavO Kilo Poster

    Please be so kind and go to:

    # nano /usr/local/ddos/ddos.conf

    Locate the line
    I assume you have value here less then 60-70. If that is the case, increase number of connections, save the file and run:
    # cd /usr/local/ddos/ && ./ -c

    to restart service.
  12. Tsi-Shawn

    Tsi-Shawn Bit Poster

    I will do so but how does that removed that line with a number and no IP?
  13. custer

    custer Parallels Team

  14. NikhilT

    NikhilT Bit Poster

  15. MislavO

    MislavO Kilo Poster

    Very nice :)
  16. NikhilT

    NikhilT Bit Poster

    Thank You. Please let us know if you would like any open source project to be integrated to Plesk as an extension.
  17. MislavO

    MislavO Kilo Poster

    Do I get it then for free? :cool:
  18. NikhilT

    NikhilT Bit Poster

    The DDOS Deflate was built as per suggestion received by Andrey of the Parallels Team. However, if you can suggest us a project; and if it is built and delivered by us, we will be happy to give you discounted lifetime offer on the same.

    And in case of the DDOS Extension, we can give you a free 1 month. Please register with us at: and open a ticket and I will have it cleared for you.
  19. Paula1

    Paula1 Bit Poster

    The DDos Deflate Plesk Extension from Admin-Ahead is one of the nicest thing that I have found for Plesk.
    I use it with the APF extension. Just amazing.
    And by the way, they give an Outstanding Support. I'm glad I found this tread. Thanks!
  20. NikhilT

    NikhilT Bit Poster

    Thank You Paula1.

Share This Page