Web Hosting Forum | Lunarpages

Author Topic: Brute Force Detection [BFD] (APF is required)  (Read 14114 times)

Offline PeterM

  • Spacescooter Operator
  • *****
  • Posts: 36
Brute Force Detection [BFD] (APF is required)
« on: May 09, 2005, 12:09:27 AM »
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: the fact that there are little to no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans.

To download and install BFD, SSH to your server and go to a directory where you can store some files. If you don't have one, do:
[root@office root]# mkdir /usr/local/downloads

[root@office root]# cd /usr/local/downloads

[root@office downloads]# lynx http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Hit "d" for download, then hit "enter" (2 times) to save the file to disk, hit "q" to quit lynx.

[root@office downloads]# ls
bfd-current.tar.gz

[root@office downloads]# tar -xvzf bfd-current.tar.gz

[root@office downloads]# cd bfd-0.8

[root@office bfd-0.8]# ./install.sh
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

[root@office bfd-0.8]# vi /usr/local/bfd/conf.bfd

# change this option to "1" if you want to receive an alert e-mail:
# Enable/disable user alerts [0 = off; 1 = on]
ALERT_USR="1"

# User alert email address
EMAIL_USR="user@domain.com"

# change this to the binary of APF:
BCMD="/usr/local/sbin/apf -d $ATT_HOST {bfd.$MOD}"

Leave all other options as they are.

Do a "shift zz" (ZZ) to save the file.

Now it's time to fire up BFD:

[root@office bfd-0.8]# /usr/local/sbin/bfd -s
BFD version 0.8 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

[root@office bfd-0.8]#

Offline davefan

  • Space Explorer
  • ***
  • Posts: 8
    • http://www.weeklydavespeak.com
Re: Brute Force Detection [BFD] (APF is required)
« Reply #1 on: May 01, 2006, 08:41:54 PM »
Hey there,

I wanted to let people know that I got my dedicated server a few weeks ago, but only this past week installed this brute force detector using the instructions above.

Just now, BFD sent me an email showing the following:

Quote
The remote system 66.255.20.55 was found to have exceeded acceptable login failures on server.xxx.com; there was 165 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/usr/local/sbin/apf -d 66.255.20.55 {bfd.sshd}

The following are event logs from 66.255.20.55 on service sshd (all time stamps are GMT -0700):

May  1 20:46:29 server sshd[11488]: Did not receive identification string from 66.255.20.55
May  1 20:46:29 server sshd[11487]: Did not receive identification string from 66.255.20.55
May  1 20:46:29 server sshd[11486]: Did not receive identification string from 66.255.20.55
May  1 21:27:18 server sshd[15530]: Illegal user staff from 66.255.20.55
May  1 21:27:21 server sshd[15530]: Failed password for illegal user staff from 66.255.20.55 port 36270 ssh2
May  1 21:27:22 server sshd[15537]: Illegal user sales from 66.255.20.55
May  1 21:27:24 server sshd[15537]: Failed password for illegal user sales from 66.255.20.55 port 36390 ssh2
May  1 21:27:25 server sshd[15539]: Illegal user staff from 66.255.20.55
May  1 21:27:25 server sshd[15543]: Illegal user recruit from 66.255.20.55
May  1 21:27:27 server sshd[15539]: Failed password for illegal user staff from 66.255.20.55 port 36471 ssh2
May  1 21:27:28 server sshd[15543]: Failed password for illegal user recruit from 66.255.20.55 port 36494 ssh2
May  1 21:27:28 server sshd[15549]: Illegal user sales from 66.255.20.55
May  1 21:27:29 server sshd[15553]: Illegal user alias from 66.255.20.55
May  1 21:27:30 server sshd[15549]: Failed password for illegal user sales from 66.255.20.55 port 36573 ssh2
May  1 21:27:31 server sshd[15553]: Failed password for illegal user alias from 66.255.20.55 port 36597 ssh2
May  1 21:27:32 server sshd[15560]: Illegal user recruit from 66.255.20.55
May  1 21:27:33 server sshd[15564]: Illegal user office from 66.255.20.55
May  1 21:27:34 server sshd[15560]: Failed password for illegal user recruit from 66.255.20.55 port 36676 ssh2
May  1 21:27:35 server sshd[15564]: Failed password for illegal user office from 66.255.20.55 port 36699 ssh2
May  1 21:27:35 server sshd[15573]: Illegal user alias from 66.255.20.55
May  1 21:27:36 server sshd[15577]: Illegal user samba from 66.255.20.55
May  1 21:27:38 server sshd[15573]: Failed password for illegal user alias from 66.255.20.55 port 36778 ssh2
May  1 21:27:39 server sshd[15577]: Failed password for illegal user samba from 66.255.20.55 port 36803 ssh2
May  1 21:27:39 server sshd[15587]: Illegal user office from 66.255.20.55
May  1 21:27:40 server sshd[15594]: Illegal user tomcat from 66.255.20.55
...

----
- Thank you;
root@server.xxx.com

If I didn't have this installed, I wouldn't have even realized this was happening. By the time I was told about it, the offending IP was banned. I highly recommend that anyone who hasn't installed this, or something like it, do so.

It takes like no time.

Also, I pulled my domain out of the above log, but the offending IP is real--so feel free to block it.

rob
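
The following is an added example written for this thread, not code from the BFD package or from either poster. It reproduces the core of what the install above sets up for sshd (count authentication failures per source address in the auth log, pick the hosts over a threshold, build the same APF ban command as the BCMD line in the first post) and adds the two checks worth running when an alert like the one just quoted arrives: which usernames the host tried, and whether the same host ever logged in successfully, since BFD bans after the fact. The threshold value, the whitelist file and every log line below are constructed for the example; the addresses are documentation ranges, not real attackers. BFD ships its own ignore list for trusted hosts; the whitelist file here only stands in for it.

```shell
#!/bin/sh
# Added example (not BFD's own code): per-IP sshd failure counting, threshold,
# APF ban command, and post-alert triage checks. All input below is constructed.

# --- constructed sample auth log (documentation-range IPs, not real hosts) ----------
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  1 20:46:29 server sshd[11488]: Did not receive identification string from 198.51.100.23
May  1 20:46:29 server sshd[11487]: Did not receive identification string from 198.51.100.23
May  1 21:27:18 server sshd[15530]: Illegal user staff from 198.51.100.23
May  1 21:27:21 server sshd[15530]: Failed password for illegal user staff from 198.51.100.23 port 36270 ssh2
May  1 21:27:22 server sshd[15537]: Illegal user sales from 198.51.100.23
May  1 21:27:24 server sshd[15537]: Failed password for illegal user sales from 198.51.100.23 port 36390 ssh2
May  1 21:27:30 server sshd[15549]: Failed password for root from 198.51.100.23 port 36573 ssh2
May  1 21:30:02 server sshd[15601]: Failed password for root from 192.0.2.9 port 40011 ssh2
May  1 21:30:05 server sshd[15603]: Failed password for root from 192.0.2.9 port 40012 ssh2
May  1 21:30:08 server sshd[15605]: Failed password for root from 192.0.2.9 port 40013 ssh2
May  1 21:30:11 server sshd[15607]: Failed password for root from 192.0.2.9 port 40014 ssh2
May  1 21:31:40 server sshd[15620]: Failed password for admin from 203.0.113.7 port 51002 ssh2
May  1 21:31:55 server sshd[15622]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
May  1 21:32:10 server sshd[15630]: Accepted publickey for root from 198.51.100.23 port 36900 ssh2
EOF

# Hosts that must never be banned (your own admin address, monitoring, etc.).
# Constructed stand-in for BFD's trusted-host ignore list.
WHITELIST=$(mktemp)
echo 192.0.2.9 > "$WHITELIST"
trap 'rm -f "$SAMPLE_LOG" "$WHITELIST"' EXIT

BCMD="/usr/local/sbin/apf -d"   # same binary and flag as BCMD in the posted conf.bfd

# bfd_failures LOG: prints "COUNT IP" per source address, highest count first.
# One line per failed attempt is counted ("Failed password", or a connection that
# sent no identification string). The "Illegal user" line that precedes each
# bad-username attempt is deliberately skipped so an attempt is not counted twice.
bfd_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ ||
        /sshd\[[0-9]+\]: Did not receive identification string from/ {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# bfd_ban_candidates LOG THRESHOLD [WHITELIST]: IPs with at least THRESHOLD failures,
# minus any address listed in WHITELIST (one per line). Never skip the whitelist step
# on a real box: locking out your own admin address is the classic self-inflicted outage.
bfd_ban_candidates() {
    bfd_failures "$1" | awk -v t="$2" '$1 >= t { print $2 }' | {
        if [ -n "$3" ] && [ -f "$3" ]; then grep -vxF -f "$3"; else cat; fi
    }
}

# bfd_ban_cmd IP: the command BFD runs for the sshd module with BCMD set as above.
bfd_ban_cmd() {
    printf '%s %s {bfd.sshd}\n' "$BCMD" "$1"
}

# Triage check 1: usernames the host tried. A dictionary of non-existent names is
# background noise; a name that exists in /etc/passwd deserves a closer look.
bfd_users_tried() {
    awk -v ip="$2" '
        /sshd\[[0-9]+\]: Failed password for/ && index($0, " from " ip " ") {
            for (i = 1; i < NF; i++) if ($i == "for") {
                u = $(i + 1); if (u == "illegal" || u == "invalid") u = $(i + 3)
                print u; break
            }
        }' "$1" | sort -u
}

# Triage check 2: BFD bans only after the threshold is crossed, so look for a
# successful login from the same host. A hit means the ban came too late.
bfd_accepted_from() {
    awk -v ip="$2" '/sshd\[[0-9]+\]: Accepted / && index($0, " from " ip " ")' "$1"
}

# Dry run over the constructed log: print what would be banned and the triage results.
for ip in $(bfd_ban_candidates "$SAMPLE_LOG" 3 "$WHITELIST"); do
    echo "would run: $(bfd_ban_cmd "$ip")"
    echo "usernames tried by $ip: $(bfd_users_tried "$SAMPLE_LOG" "$ip" | tr '\n' ' ')"
    bfd_accepted_from "$SAMPLE_LOG" "$ip" | sed 's/^/WARNING, successful login from banned host: /'
done
```

On the constructed log the only ban candidate is 198.51.100.23 (192.0.2.9 has enough failures but is whitelisted, and 203.0.113.7 is a single typo followed by a successful login). The last line of the dry run is the one that matters in practice: the same host that was banned also has an "Accepted publickey for root" line, so the ban did nothing for the earlier compromise and the server needs incident handling, not just a firewall rule.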

Offline vlad.panainte

  • Spaceship Captain
  • *****
  • Posts: 122
Re: Brute Force Detection [BFD] (APF is required)
« Reply #2 on: April 13, 2008, 03:13:45 AM »
Hello

You should be able to block the offending IP in /etc/apf/deny_hosts.rules, and it is also recommended to restart the firewall after you do this.

/etc/init.d/apf restart

I hope this helps

Thanks

Offline JeremyD

  • SleePy...
  • Jabba the Hutt
  • *****
  • Posts: 733
  • SMF Team Member
    • LcT Tribe
Re: Brute Force Detection [BFD] (APF is required)
« Reply #3 on: April 29, 2008, 12:27:28 PM »
I tried this out myself..
I installed it last night and by the time 18 hours rolled around I had received 3 emails from it.

This is something I would have to recommend to anyone with a VPS or dedicated server. I feel a bit safer now knowing I've got a little helper taking care of the attacks on my server, which hasn't been up even a year.

Offline karma

  • Trekkie
  • **
  • Posts: 18
Re: Brute Force Detection [BFD] (APF is required)
« Reply #4 on: July 16, 2008, 01:22:20 PM »
Quote
[root@office downloads]# lynx http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Hello, I have a new dedicated server. I thought I would look at installing this, but the above message yields:

-bash: lynx: command not found

Is this normal?

Offline perestrelka

  • Master Jedi
  • *****
  • Posts: 1397
Re: Brute Force Detection [BFD] (APF is required)
« Reply #5 on: July 16, 2008, 10:11:30 PM »
Quote
[root@office downloads]# lynx http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Hello, I have a new dedicated server. I thought I would look at installing this, but the above message yields:

-bash: lynx: command not found

Is this normal?

This means that lynx is not installed on your system. You can either use another tool to get the BFD package (e.g. wget "http://www.rfxnetworks.com/downloads/bfd-current.tar.gz") or install lynx via yum ("yum install lynx") and then repeat the command.
Kind Regards,
Vlad Artamonov
