
Thread: bfd?

  1. #1

    bfd?

    How can I test if BFD is working?

    If I use the command bfd -a it lists some attack hosts, yet it hasn't added anything to the deny rules in APF.


    Also, can someone tell me how I could set up a script or something to remove the bans put in place by BFD? I sort of want it to ban someone, but only for a set amount of time (say 15 mins),

    just in case someone was to log in to FTP, enter the wrong password and then get banned because their client's auto-retry kept retrying the login with the wrong password or something.

    I really want someone to be blocked long enough for them to be deterred from attempting a brute-force attack, but at the same time I don't want to permanently ban legitimate users who have simply forgotten their password.

    Especially if I was to ban myself (and yes, I know I could set it so my IP never gets banned, but my IP is dynamically assigned by my ISP).

  2. #2
    Once I started doing a script that would check the timestamp to remove just the entries older than 6 hours or so,
    but I ended up doing something much easier.

    Create a "deny_hosts.rules.clean" in the /etc/apf/ dir... without rules,

    and put this in crontab:

    Code:
    cp -f /etc/apf/deny_hosts.rules.clean /etc/apf/deny_hosts.rules ; /sbin/service apf restart
    If you want to ban an IP for more time, just add it to deny_hosts.rules.clean.

  3. #3
    Does this look right? This is what I have in my crontab atm:

    */15 * * * * cp -f /etc/apf/deny_hosts.rules.clean /etc/apf/deny_hosts.rules ; /apf/apf -r > /dev/null 2>&1


    Should that unblock every 15 mins?

    Basically I just want to deter people from trying a brute-force attack by banning them for up to 15 mins.

    If they persisted, I'd then add them to the deny_hosts.rules.clean.

  4. #4
    Originally posted by dragon2611
    Does this look right? This is what I have in my crontab atm:

    */15 * * * * cp -f /etc/apf/deny_hosts.rules.clean /etc/apf/deny_hosts.rules ; /apf/apf -r > /dev/null 2>&1


    Should that unblock every 15 mins?

    Basically I just want to deter people from trying a brute-force attack by banning them for up to 15 mins.

    If they persisted, I'd then add them to the deny_hosts.rules.clean.
    It looks correct, but I would change the time the crontab runs to 25 or 30 minutes.
    Suppose someone does an attack at minute 14... he will be unblocked at minute 15.
    So, 2 suggestions:
    - If you want an average of 15 minutes banned, set it to 30 minutes... but there may still be people being blocked at minute 29 and unblocked at minute 30.
    - Set a cron that, every 15 minutes, compares the deny_hosts.rules with a deny_hosts.rules.old file... then sets the deny_hosts.rules as the difference (intersection) between them,
    then copies deny_hosts.rules to deny_hosts.rules.old.
    This way you'll remove only the ones that were banned for at least 15 minutes (but maybe more).
    You can probably get that done without much effort using something like "cat deny_hosts.rules | grep -v -f deny_hosts.rules.old >deny_hosts.rules"... just make sure you don't have any empty lines in the file.

    The first suggestion is easier and I don't have a problem with it, because even if the person gets banned for 1 minute, if he tries again, he will get banned again.
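One way to script the second suggestion, as an added example that is not code from the thread or from APF/BFD: keep only the deny entries that were not already present at the previous run, snapshot the trimmed file for the next run, and guard against the empty-line problem the post warns about (an empty pattern given to grep -f matches every line). The function name expire_old_bans, the .old snapshot path, the temporary files and the 192.0.2.x sample addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): expire APF deny entries that have
# been present for at least one cron interval. expire_old_bans and its
# arguments are hypothetical names; the two-file rotation is the idea
# described in the post above.
#
#   expire_old_bans /etc/apf/deny_hosts.rules /etc/apf/deny_hosts.rules.old
#
# Entries found in both the live file and the snapshot from the previous
# run have been banned for at least one interval and are dropped; entries
# added since then are kept. The trimmed live file then becomes the new
# snapshot, so whatever survives this run is expired at the next one.
expire_old_bans() {
    cur="$1"
    old="$2"
    tmp="$(mktemp)" || return 1
    pat="$(mktemp)" || { rm -f "$tmp"; return 1; }
    # First run: no snapshot yet, so nothing can have aged out.
    [ -f "$old" ] || : > "$old"
    # Build the pattern list from the snapshot, dropping blank and comment
    # lines: an empty pattern handed to grep -f matches every line and
    # would wipe the whole rules file. grep exits 1 when it selects no
    # lines, which is acceptable here; any other failure aborts.
    grep -v -e '^[[:space:]]*$' -e '^#' "$old" > "$pat" || [ $? -eq 1 ] || return 1
    if [ -s "$pat" ]; then
        # -x -F: a line is removed only if it equals a snapshot line exactly.
        grep -v -x -F -f "$pat" "$cur" > "$tmp" || [ $? -eq 1 ] || return 1
    else
        cat "$cur" > "$tmp"
    fi
    # Write back in place (keeps owner/mode of the rules file), then take
    # the snapshot from the trimmed file, not from the pre-trim contents.
    cat "$tmp" > "$cur"
    cp -f "$cur" "$old"
    rm -f "$tmp" "$pat"
}
```

Run it from the same 15-minute cron entry, followed by the /etc/apf/apf -r reload used elsewhere in the thread, so the firewall picks up the trimmed file. Because the snapshot is taken after trimming, an address that BFD re-adds right after being expired is treated as a fresh ban and gets a full interval again.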

  5. #5
    I have a feeling this isn't going to work, as I think BFD just redoes the ban.

    EDIT

    Nope, wasn't that; it was a typo in the cron command: I put /apf/apf -r instead of /etc/apf/apf -r
    Last edited by dragon2611; 07-18-2005 at 03:23 PM.

  6. #6
    Also changed the cron job for BFD:

    deleted the cron file it made and added it to the main crontab using crontab -e.

    Also took the recommendation to change the ban time to 30 mins.

  7. #7
    Originally posted by dragon2611
    Also changed the cron job for BFD:

    deleted the cron file it made and added it to the main crontab using crontab -e.

    Also took the recommendation to change the ban time to 30 mins.
    And now it worked?

  8. #8
    Originally posted by Lem0nHead
    And now it worked?
    Not sure, just testing it.

  9. #9
    Not too sure if it's re-banning correctly after unbanning.

    Might it have something to do with the file lock setting in the config file for BFD?

    Also, it's not emailing me when it bans someone.

    I've tried setting the email notify address to my email account and back to root (which is forwarded to my email account anyway) and yet I don't get any emails about the bans, even with notify user set to "1" in the config.

  10. #10
    Nope, this isn't working properly. I think I'm going to see if I can find something else;

    it doesn't do what I want it to.

  11. #11
    In the end I replaced it with DenyHosts:

    */5 * * * * /usr/bin/denyhosts/denyhosts.py ; /etc/apf/apf -r > /dev/null 2>&1

    and then clear out the bans every night at midnight:

    55 23 * * * cp -f /etc/apf/deny_hosts.rules.clean /etc/apf/deny_hosts.rules ; /etc/apf/apf -r > /dev/null 2>&1

    59 23 * * * rm -f /usr/bin/denyhosts/denyhosts/* > /dev/null 2>&1



    This only monitors SSH, but it implements an IP ban on all services if they try and force SSH.


    That is, if I've done it right?
    Last edited by dragon2611; 07-18-2005 at 07:16 PM.

  12. #12
    Originally posted by dragon2611
    In the end I replaced it with DenyHosts:

    */5 * * * * /usr/bin/denyhosts/denyhosts.py ; /etc/apf/apf -r > /dev/null 2>&1

    and then clear out the bans every night at midnight:

    55 23 * * * cp -f /etc/apf/deny_hosts.rules.clean /etc/apf/deny_hosts.rules ; /etc/apf/apf -r > /dev/null 2>&1

    59 23 * * * rm -f /usr/bin/denyhosts/denyhosts/* > /dev/null 2>&1



    This only monitors SSH, but it implements an IP ban on all services if they try and force SSH.


    That is, if I've done it right?
    Seems it's correct.
    If you know a little about programming, you should have a look at the BFD source and try to see why it's not working in your case.

  13. #13
    edit nm

  14. #14
    UPDATE

    */5 * * * * /usr/bin/denyhosts/denyhosts.py -c /usr/bin/denyhosts/denyhosts.cfg > /dev/null 2>&1
    55 23 * * * cp -f /etc/hosts.deny.clean /etc/hosts.deny > /dev/null 2>&1
    59 23 * * * rm -f /usr/bin/denyhosts/denyhosts/* > /dev/null 2>&1


    It has to go in hosts.deny for iptables directly; APF does like the way it writes the rules.

    But I got it working at last.
