  1. #1
    Join Date
    Jun 2004
    Posts
    282

    BFD ... is it really working?

    I installed BFD (Brute Force Detection) 2 days ago and changed the rules to be strict,

    but when I check bfd_log and APF (deny_hosts.rules) I find nothing.

    I even set trig=1 for sshd for 24 hours and still got no banned IP.

    When I checked inside the tmp folder I found tons of IPs:

    Code:
    ./                   dos-213.189.82.242  dos-62.150.203.158  dos-62.215.116.196
    ../                  dos-213.189.94.112  dos-62.150.203.50   dos-62.215.149.53
    .apf-ad.lp1          dos-213.189.94.215  dos-62.150.203.96   dos-62.215.18.113
    clamd=               dos-24.208.70.44    dos-62.150.204.151  dos-62.215.21.236
    dos-137.32.101.32    dos-62.114.112.144  dos-62.150.204.60   dos-62.215.26.127
    dos-139.141.11.49    dos-62.135.97.209   dos-62.150.205.75   dos-62.215.32.207
    dos-166.87.255.133   dos-62.150.105.75   dos-62.150.206.53   dos-62.215.3.51
    dos-168.187.0.34     dos-62.150.108.116  dos-62.150.216.202  dos-62.215.3.61
    dos-168.187.0.35     dos-62.150.108.164  dos-62.150.222.110  dos-62.215.44.55
    dos-193.188.105.23   dos-62.150.108.210  dos-62.150.223.135  dos-62.215.55.231
    dos-193.251.135.126  dos-62.150.131.221  dos-62.150.223.165  dos-62.231.129.126
    dos-195.226.241.122  dos-62.150.135.8    dos-62.150.223.175  dos-66.249.65.173
    dos-195.226.241.191  dos-62.150.136.163  dos-62.150.223.181  dos-66.249.65.6
    dos-195.226.241.48   dos-62.150.136.226  dos-62.150.223.212  dos-66.249.65.84
    dos-195.39.128.245   dos-62.150.136.245  dos-62.150.3.101    dos-66.249.66.179
    dos-195.39.128.3     dos-62.150.137.241  dos-62.150.3.141    dos-66.249.66.235
    dos-195.39.135.197   dos-62.150.137.43   dos-62.150.3.193    dos-66.249.66.242
    dos-195.39.155.148   dos-62.150.137.72   dos-62.150.3.29     dos-69.215.251.10
    dos-195.39.155.59    dos-62.150.139.104  dos-62.150.38.135   dos-82.145.223.133
    dos-195.39.161.144   dos-62.150.140.84   dos-62.150.38.241   dos-82.167.18.191
    dos-195.39.161.99    dos-62.150.140.97   dos-62.150.38.76    dos-82.167.27.44
    dos-195.39.176.220   dos-62.150.141.40   dos-62.150.44.225   dos-84.36.14.29
    dos-195.39.177.62    dos-62.150.142.239  dos-62.150.44.6     dos-84.36.4.223
    dos-195.39.178.92    dos-62.150.153.66   dos-62.150.45.152   dos-84.57.66.254
    dos-195.39.180.147   dos-62.150.154.186  dos-62.150.45.157   dos-84.68.25.227
    dos-195.39.180.149   dos-62.150.155.186  dos-62.150.45.218   dos-84.9.74.149
    dos-196.204.158.68   dos-62.150.157.215  dos-62.150.49.117   dos-86.136.103.5
    dos-196.207.205.30   dos-62.150.179.62   dos-62.150.49.124   lost+found/
    dos-202.30.224.62    dos-62.150.180.210  dos-62.150.49.189   mysql.sock@
    dos-205.234.193.86   dos-62.150.181.8    dos-62.150.49.78    phpSvvH92
    dos-212.122.229.76   dos-62.150.202.128  dos-62.150.82.52    phpuqF8D1
    dos-212.180.75.26    dos-62.150.202.234  dos-62.150.9.66
    dos-213.189.67.169   dos-62.150.203.117  dos-62.194.13.231
    1. Can anyone tell me what these IPs I found inside the tmp folder are?

    2. What are these files phpSvvH92 and phpuqF8D1?

    3. Why is BFD not banning any IPs in bfd_log or deny_hosts.rules?

  2. #2
    Join Date
    Jun 2004
    Posts
    1,958
    You probably didn't install BFD correctly. And the tmp files are from mod_evasive.
    It's Scott!

  3. #3
    Join Date
    Jun 2004
    Posts
    282
    Quote Originally Posted by camers
    You probably didn't install BFD correctly. And the tmp files are from mod_evasive.
    Thanks for your reply.

    [email protected] [~]# /usr/local/sbin/bfd -s
    BFD version 0.9 <[email protected]>
    Copyright (C) 1999-2004, R-fx Networks <[email protected]>
    Copyright (C) 2004, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL

    Does the output mean BFD is installed?

  4. #4
    Join Date
    Jun 2005
    Posts
    697
    Installed doesn't mean it is setup correctly. You need to check conf.bfd. BFD uses a cron script that reads the log files and then denies access to the server (if I remember that correctly). So several points of failure: is the cron script there? What does your setup say when it should run? Does the system logger work correctly?

    There is more, but that comes to mind.
    ReflexNetworks means Happy Clients!

  5. #5
    Join Date
    Jun 2004
    Posts
    282
    Quote Originally Posted by andren
    Installed doesn't mean it is setup correctly. You need to check conf.bfd. BFD uses a cron script that reads the log files and then denies access to the server (if I remember that correctly). So several points of failure: is the cron script there? What does your setup say when it should run? Does the system logger work correctly?

    There is more, but that comes to mind.
    You need to check conf.bfd

    conf.bfd

    # Enable/disable user alerts [0 = off; 1 = on]
    ALERT_USR="1"
    #
    # User alert email address
    EMAIL_USR="[email protected]"


    is the cron script there?

    /etc/cron.d/bfd

    MAILTO=
    SHELL=/bin/sh
    */10 * * * * root /usr/local/sbin/bfd -q



    [email protected] [/usr/local/bfd/rules]# cat sshd

    REQ="/usr/sbin/sshd"
    if [ -f "$REQ" ]; then
    LP="/var/log/secure"
    TLOG_TF="sshd"
    TRIG="1"
    TMP="/usr/local/bfd/tmp"


    What does your setup say when it should run?

    /usr/local/sbin/bfd -s

    BFD version 0.9 <[email protected]>
    Copyright (C) 1999-2004, R-fx Networks <[email protected]>
    Copyright (C) 2004, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL


    Does the system logger work correctly?

    This is some of what I found in /var/log/secure:

    Nov 4 07:42:08 host sshd[14617]: refused connect from 211.147.20.214 (211.147.20.214)
    Nov 4 07:42:14 host sshd[14618]: refused connect from 211.147.20.214 (211.147.20.214)
    Nov 4 07:42:20 host sshd[14619]: refused connect from 211.147.20.214 (211.147.20.214)
    Nov 4 07:42:26 host sshd[14620]: refused connect from 211.147.20.214 (211.147.20.214)
    Nov 4 07:42:28 host sshd[14621]: refused connect from 211.147.20.214 (211.147.20.214)


    Does this mean the system logger is working correctly?

    Any suggestion to solve this problem?

    APF 0.9.6-1
    WHM 10.6.0 cPanel 10.8.0-S59
    RedHat Enterprise 3 i686 - WHM X v3.1.0
    Last edited by xmlxp; 11-04-2005 at 07:30 AM.

  6. #6
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,641
    Check the pattern.auth file for the phrase "refused connect from". If it's not there, add it and see what happens. Hope this helps.
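    To make the mechanism described in #4 and #6 concrete, here is an added example (my own code, not BFD's) of how a rule like the poster's sshd rule counts log lines: only lines containing a substring from pattern.auth are counted per source IP, and an IP reaches the ban command once its count hits TRIG. The sample log lines, the default pattern list and the ">= TRIG" comparison are assumptions for the demonstration; the ban command string is formatted like the one in the poster's bfd_log.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not taken from the poster's server).
# The first three imitate the "refused connect from" entries shown in the thread.
SAMPLE_SECURE_LOG = """\
Nov  4 07:42:08 host sshd[14617]: refused connect from 211.147.20.214 (211.147.20.214)
Nov  4 07:42:14 host sshd[14618]: refused connect from 211.147.20.214 (211.147.20.214)
Nov  4 07:42:20 host sshd[14619]: refused connect from 211.147.20.214 (211.147.20.214)
Nov  4 07:43:01 host sshd[14630]: Failed password for invalid user test from 10.0.0.9 port 4022 ssh2
Nov  4 07:43:05 host sshd[14630]: Failed password for invalid user test from 10.0.0.9 port 4022 ssh2
Nov  4 07:44:00 host sshd[14640]: Accepted publickey for admin from 192.0.2.7 port 51000 ssh2
"""

# Assumed stand-in for pattern.auth: one substring per entry. Note that
# "refused connect from" is NOT in this list, which is the poster's situation.
DEFAULT_PATTERNS = ["Failed password for", "authentication failure"]

# First dotted-quad on a matching line is treated as the source IP.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def count_failures(log_text, patterns):
    """Count log lines that contain any pattern, keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        if any(p in line for p in patterns):
            m = IP_RE.search(line)
            if m:
                hits[m.group(1)] += 1
    return hits


def ban_commands(log_text, patterns, trig, rule="bfd.sshd"):
    """Return the APF ban commands a rule would run for IPs at or over TRIG.

    The '>= trig' comparison is an assumption; the command format mirrors the
    '/etc/apf/apf -d <ip> {bfd.sshd}' line seen in the thread's bfd_log.
    Commands are returned as strings, never executed here."""
    hits = count_failures(log_text, patterns)
    return [f"/etc/apf/apf -d {ip} {{{rule}}}"
            for ip, n in sorted(hits.items()) if n >= trig]


if __name__ == "__main__":
    # Without the phrase nothing about 211.147.20.214 is ever counted.
    print(ban_commands(SAMPLE_SECURE_LOG, DEFAULT_PATTERNS, trig=3))
    # After adding it, the repeated refusals cross TRIG and produce a ban.
    print(ban_commands(SAMPLE_SECURE_LOG,
                       DEFAULT_PATTERNS + ["refused connect from"], trig=3))
```

    Running it shows an empty list first and then a single ban command for 211.147.20.214, which is exactly the difference the poster saw before and after editing pattern.auth.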

  7. #7
    Join Date
    Jun 2004
    Posts
    282
    Quote Originally Posted by ResellersHQ
    Check the pattern.auth file for the phrase "refused connect from". If it's not there, add it and see what happens. Hope this helps.
    I added (refused connect from) to:

    /root/bfd-0.9/files/pattern.auth
    /usr/local/bfd/pattern.auth
    /bfd-0.9/files/pattern.auth

    (Should I restart anything?)

    Then I ran /usr/local/sbin/bfd -q

    Still got nothing..... bfd_log is still empty.

  8. #8
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,641
    You shouldn't need to restart anything. Have there been any login attempts since you added the rule? If not, wait and see what happens. Also, have you checked the sshd rule to make sure that it is reading the correct log?

  9. #9
    Join Date
    Jun 2004
    Posts
    282
    FINALLY ..... I got the warning email.

    When I checked bfd_log:

    Code:
    [email protected] [~]# tail -f /var/log/bfd_log
    Nov  5 00:40:03 host BFD(2099): {sshd} 200.21.90.227 exceeded login failures; executed ban command '/etc/apf/apf -d 200.21.90.227 {bfd.sshd}'.
    Nov  5 02:50:02 host BFD(11422): {sshd} 65.167.60.74 exceeded login failures; executed ban command '/etc/apf/apf -d 65.167.60.74 {bfd.sshd}'.
    Thank you ResellersHQ, the solution was adding "refused connect from" to the pattern.auth file, as you mentioned in your reply.

    And many thanks to the others for their replies.
    Last edited by xmlxp; 11-04-2005 at 08:13 PM.
