
How-To: Install BFD (Brute Force Detection)
viGeek 09-03-2004, 04:39 AM BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: the fact that there are little to no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans.
Note: BFD default configuration is designed to work in conjunction with APF versions 0.9.3+
More Information: http://rfxnetworks.net/bfd.php
root@yourserver [~]# mkdir bfd
root@yourserver [~]# cd bfd
root@yourserver [~]# wget http://rfxnetworks.net/downloads/bfd-current.tar.gz
root@yourserver [~]# gunzip bfd-current.tar.gz
root@yourserver [~]# tar -xvf bfd-current.tar
root@yourserver [~]# cd bfd-0.4
root@yourserver [~]# cat README | more (if you want to read the README)
root@yourserver [~]# ./install.sh
root@yourserver [~]# /etc/cron.d/bfd (make sure cron is set)
root@yourserver [~]# pico /usr/local/bfd/conf.bfd
root@yourserver [~]# Scroll down to ALERT_USR and change it to ALERT_USR="1". Just under that you can change the desired email to have alerts sent to. Save and exit
root@yourserver [~]# pico /usr/local/bfd/ignore.hosts (now add your IP in here so you're ignored; you can also add your IP block, i.e. 68.44.) Save & Exit
You're done, simple process, let me know if you're getting any errors.
viGeek 09-03-2004, 09:23 PM Typo:
root@yourserver [~]# /etc/cron.d/bfd (make sure cron is set)
Should be cat /etc/cron.d/bfd
I am using dynamic IP access to the server, so how can I make it so BFD does not block me?
viGeek 09-05-2004, 08:24 PM I guess you could resolve your IP to your ISP,
i.e. austin.rr.com, then use that instead; not sure if that will work.
I guess the only solution I would have is to make sure you login correctly :)
BFD won't usually lock you out on one failed attempt, it's looking for people using brute force password cracking techniques.
BenEDH 03-12-2005, 02:36 PM Great tutorial, although rfxnetworks appears to be down at the moment :)
boeki 03-21-2005, 11:34 PM Originally posted by BenEDH
Great tutorial, although rfxnetworks appears to be down at the moment :)
use http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
or to visit their site, use http://www.rfxnetworks.com
grace5 05-06-2005, 07:36 AM I am under the impression that after 3-5 login attempts the IP is blocked from the server, BUT the below is from my logwatch:
Failed logins from these:
admin/password from 24.94.44.126: 4 Time(s)
guest/password from 24.94.44.126: 2 Time(s)
horde/password from 211.140.185.86: 1 Time(s)
iceuser/password from 211.140.185.86: 1 Time(s)
nobody/password from 211.140.185.86: 12 Time(s)
patrick/password from 211.140.185.86: 15 Time(s)
rolo/password from 211.140.185.86: 2 Time(s)
root/password from 211.140.185.86: 21 Time(s)
root/password from 24.94.44.126: 6 Time(s)
test/password from 24.94.44.126: 4 Time(s)
user/password from 24.94.44.126: 2 Time(s)
this guy 211.140.185.86 tries over and over.
APF is running; any ideas why this many attempts are allowed?
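An added example, not from the thread or from BFD's own code, that does by hand what the thread expects BFD to do with lines like the logwatch output above: it sums failed attempts per source IP, skips sources that match an ignore.hosts-style entry (exact host or prefix such as the 68.44. example from the first post), and reports every source over a threshold. The sample lines and the ignore list are constructed for the demo.

```shell
#!/bin/sh
# Added example: tally logwatch "Failed logins" lines per source IP, drop
# sources matching ignore.hosts-style prefixes, report those over a threshold.

# Constructed sample in the "user/password from IP: N Time(s)" layout above.
SAMPLE_LOGWATCH='admin/password from 24.94.44.126: 4 Time(s)
root/password from 211.140.185.86: 21 Time(s)
nobody/password from 211.140.185.86: 12 Time(s)
root/password from 24.94.44.126: 6 Time(s)
test/password from 10.0.0.5: 9 Time(s)'

# Constructed ignore list: one exact host and one prefix, one entry per line.
IGNORE_HOSTS='10.0.0.5
68.44.'

# Usage: printf '%s\n' "$lines" | failed_logins_over_threshold THRESHOLD "IGNORE"
# Prints "IP total" for each source whose summed attempts exceed THRESHOLD.
failed_logins_over_threshold() {
    threshold=$1
    ignore=$2
    awk -v thr="$threshold" -v ign="$ignore" '
    BEGIN { n = split(ign, pref, "\n") }
    /^[^ ]+ from [0-9.]+: [0-9]+ Time\(s\)$/ {
        ip = $3; sub(/:$/, "", ip)
        # An ignore entry matches when it is a leading prefix of the IP.
        for (i = 1; i <= n; i++)
            if (pref[i] != "" && index(ip, pref[i]) == 1) next
        total[ip] += $4
    }
    END { for (ip in total) if (total[ip] > thr) print ip, total[ip] }
    ' | sort
}

# Total reported for one IP against the sample, or empty if ignored/under.
attempts_for_ip() {
    printf '%s\n' "$SAMPLE_LOGWATCH" \
        | failed_logins_over_threshold "$1" "$IGNORE_HOSTS" \
        | awk -v want="$2" '$1 == want { print $2 }'
}
```

Run against a real logwatch report the output is the list of sources a ban rule would act on; note that with threshold 5 both sources in the sample qualify, while 10.0.0.5 is dropped by the ignore list.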
Reseller Logix 05-13-2005, 08:02 AM Hi,
I have BFD installed on one of my servers.
But I don't get any emails on brute force attacks.
I know it's running because when I access the log files, I can see some brute force attempts and their IPs.
I have enabled the setting ALERT_USR="1".
Am I missing some configuration for the email alerts?
grace5 05-13-2005, 09:09 AM double check the email address you configured in BFD
Reseller Logix 05-13-2005, 04:50 PM Originally posted by grace5
double check the email address you configured in BFD
Thanks grace, but I have already done that; the email is OK.
One thing I tried was to run the command in the crontab.
It had a # before it, so it means it was commented out.
It worked and I got about 20 emails!!
Do you think I should remove the hash (#)?
ausBorne 05-17-2005, 05:00 AM Hi Grace5, to stop that idiot trying to access your server (yes, they are only small-minded kiddies) try this:
1) Bind sshd to only 1 IP, make it a different IP from your main site, and on a different non standard port. Also disable direct root login.
So your SSH access IP and port will be something like:
123.123.123.123 Port: 12345
2) Another good idea is to disable telnet all-together.
To bind SSH to one IP:
Steps:
1) Request an IP address from your server provider or use a spare one if you already have more than one.
2) SSH into your server as root
3) Create a new user to access root via su -, just type:
adduser {{{someuser}}}
passwd
[System will ask you to enter your desired password twice]
Note: replace {{{someuser}}} with your desired username
4) Grant the new user su - access:
groupadd {{{someuser}}}
Note: replace {{{someuser}}} with your username you created in step 3
5) Open sshd_conf
pico -w /etc/ssh/sshd_config
6) Find the line '#Port 22', uncomment it and change it to look like this example:
Port 12345
Replace 12345 with your desired port number (any number between 20000 and 40000 should be safe to use)
7) Find the line '#Protocol 2, 1', uncomment it and change to:
Protocol 2
8) Find the line '#ListenAddress 0.0.0.0' (should be below Protocol) and change to:
ListenAddress ###.###.###.###
Replacing the number signs with the new IP address you setup in step 1.
9) Find the line '#PermitRootLogin yes' and uncomment it and make it look like
PermitRootLogin no
10) Now restart SSHD using the command:
/etc/rc.d/init.d/sshd restart
Exit out, enter your new IP as the host name, use your new random port number, ssh into your box and you're done.
Those trying to access your box must now guess or scan for the SSHD port number before they can even get a response from your box. It should stop 99.9% of those un-authorized access attempts you see in logwatch.
If you have any problems, login to your server via telnet, fix the problem (usually due to an incorrect IP entered in sshd_conf), login using SSH2 again, and change your passwords.
Steps to Disable Telnet:
WARNING: Make sure you can access your box via your new IP and port number BEFORE continuing!!!!!
Type:
su -
pico -w /etc/xinetd.d/telnet
Change disable from no to yes
Save and Exit (CTRL + X, hit Y and then enter)
Restart telnet
/etc/init.d/xinetd restart
grace5 05-17-2005, 07:30 AM Thank you
Yes, we have already done this. I have found out that the cron was set to run every 10 minutes, so they had 10 minutes to play before they were locked out by BFD/APF.
AMD64 06-07-2005, 05:52 PM I followed your steps "To bind SSH to one IP" and successfully locked myself out! I can't seem to access ssh or telnet. I get "network error;connection timedout"
Any ideas on how to fix this
BenEDH 06-07-2005, 06:06 PM You need to set your telnet client to the ip that you've just set, along with port (if different than 21)...
AMD64 06-07-2005, 06:20 PM Thanks, I'm using PuTTY, which was using port 23 for telnet. Should have been 21. How do you login with telnet? I keep getting:
530 You aren't logged in
BenEDH 06-07-2005, 06:25 PM I didn't mean to say that you should be using telnet, it's just that PuTTY and others are generally referred to as "telnet clients" even though they have the ability to use SSH... You should use SSH if that's what you've set your server to. I believe the default SSH port is 21, but I could be wrong...
AMD64 06-07-2005, 06:36 PM I use port 22 for ssh. I think that's the standard port. My problem is that I can't connect anymore using ssh with PuTTY after changing the port and IP. The IP is working, the port I changed is timing out. I'm guessing it has to do with the firewall blocking the port I specified. I'm wondering how I can get access to ssh now?
BenEDH 06-07-2005, 07:04 PM ask your datacenter for access to a remote console... they might charge for that though...
ausBorne 06-07-2005, 08:25 PM Hey AMD64,
Telnet is usually port 23 and SSH is 22. This could be different on your server.
If you can't get in through telnet, ask your data center to "Flush your IP tables". A good server provider will not charge you for this as it really only takes 5 seconds from their end. They should be happy that you are trying to protect their machine.
Once you're back online, make sure that your firewall has the new port number in its allow list. If you have APF, edit the conf.apf file to add the new port (located in /etc/apf if you did the standard install).
Sorry, I should have made that clear before changing the IP and port.
AMD64 06-08-2005, 05:46 PM All sorted and fixed now. It was done free and within 5 mins.
Firewall was blocking port, just added the new port and it is fine now, thanks.
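Putting ausBorne's sshd_config steps 6-9 together with the lesson from the lockout exchange above, as an added example that is not from the thread, OpenSSH or APF: the helper rewrites the four directives in a copy of sshd_config, but only after checking that the new port is already in the firewall's allow list. It assumes APF keeps its inbound TCP allow list in the IG_TCP_CPORTS line of conf.apf (an assumption about APF's config key; port ranges written as low_high are not parsed here).

```shell
#!/bin/sh
# Added example: edit sshd_config as in the thread's steps 6-9, guarded by a
# check that the firewall already allows the new port (the lockout seen above).

# Rewrite Port, Protocol, ListenAddress and PermitRootLogin in FILE, matching
# both the commented template line ("#Port 22") and an already-active line.
harden_sshd_config() {
    file=$1 port=$2 ip=$3
    sed -e "s/^#\{0,1\}Port .*/Port $port/" \
        -e "s/^#\{0,1\}Protocol .*/Protocol 2/" \
        -e "s/^#\{0,1\}ListenAddress .*/ListenAddress $ip/" \
        -e "s/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 if PORT appears in IG_TCP_CPORTS="22,25,..." inside CONF, else 1.
# Assumes APF's key name; low_high range entries are not expanded.
apf_allows_port() {
    conf=$1 port=$2
    ports=$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' "$conf")
    case ",$ports," in
        *",$port,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Preflight: leave sshd_config untouched unless the firewall allows the port,
# so a restart cannot strand you on an unreachable port.
move_sshd_port() {
    sshd_conf=$1 apf_conf=$2 port=$3 ip=$4
    if ! apf_allows_port "$apf_conf" "$port"; then
        echo "refusing: add $port to IG_TCP_CPORTS in $apf_conf first" >&2
        return 1
    fi
    harden_sshd_config "$sshd_conf" "$port" "$ip"
}
```

On a real box run this against the live paths, then validate with sshd -t before the restart in step 10, and keep the existing session open until a second login on the new IP and port succeeds.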