  1. #1
    Registered User RJH Hosting
    Join Date: Jun 2005
    Location: Regina, Saskatchewan, Canada
    Posts: 3

    Brute Force Attacks

    I searched through the board to try and find someone with a similar problem, but was unable to find anything on quite the scale I am experiencing it.

    I am receiving approximately 1200 Brute Force Attack Messages every day - - yes, Twelve Hundred. 98% of them are targeting EXIM, with the other 2% targeting SSH - I believe....I honestly do not read each and every single one.

    I have about 20 accounts on a single VPS. Each EXIM attack shows that they are trying to use false usernames from a single domain name.

    I used to be on a VPS on which BFA software was not installed, so I am not sure if this is a new problem or one that I just never saw before.

    My VPS provider tells me there is nothing to worry about. But, from looking at past posts here, it looks like people are getting around 4 or 5 messages a day, or 20 a week, or numbers like that - nothing like my 1200 daily!

    Any recommendations or suggestions?

  2. #2
    Member
    Join Date: May 2005
    Posts: 17

    I get a few here and there.

    I'll check the IP number and if it's US based, I fire off an email I set up to the abuse contact for that IP. Any of the foreign-based IPs are a waste of time so I just delete the warning.

    I know people have reported mixed results doing this, but I've had a few email me back telling me the system the IP was on had been compromised and they were addressing it.

    I've also set my BFD to run every 5 minutes so that when they try an attack, they don't get very many tries at it before their IP is banned. Also, I set the limit to only 2 screwups before it gets banned. (You have to be extra careful when logging in so you don't ban yourself.)

    I don't have a lot of accounts on this VPS so I can afford the overhead to run it every 5 minutes.

    I'll actually go a few days and won't get any at all!

    As long as you have a solid password and you set up your BFD to ban the offending IPs, I wouldn't worry about it. There is not a lot you can do other than install some of the other security features listed on this board.

  3. #3
    Member linux-image
    Join Date: Jun 2004
    Location: India
    Posts: 1,185
    cPanel/Enkompass Access Level: Root Administrator

    is bfd installed on your server ?

  4. #4
    Registered User RJH Hosting
    Join Date: Jun 2005
    Location: Regina, Saskatchewan, Canada
    Posts: 3

    Quote Originally Posted by azimpact
    As long as you have a solid password and you set up your BFD to ban the offending IPs, I wouldn't worry about it. There is not a lot you can do other than install some of the other security features listed on this board.
    My password is a random combination of letters and numbers that is over 20 characters long - so pretty solid. I know...I am anal - oh well.

    It does ban the IPs as you said, and I had to clean that file out the other day as it had over 10,000 entries and was taking way too long to process.

    Quote Originally Posted by linux-image
    is bfd installed on your server ?
    yep.....

  5. #5
    Super Moderator chirpy (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Jun 2002
    Location: Go on, have a guess
    Posts: 13,495

    When you say brute-force attacks against exim, are you talking about dictionary attacks or attacks against SMTP AUTH? With either, a dictionary attack ACL should help:
    http://www.configserver.com/free/eximdeny.html
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  6. #6
    Registered User RJH Hosting
    Join Date: Jun 2005
    Location: Regina, Saskatchewan, Canada
    Posts: 3

    Here is a copy of exactly what I get. I counted today from noon yesterday and I received exactly 1000 of these messages in the last 24 hours.

    I replaced my IP address and my client's domain name, of course, within the output.

    ----------------------------------- START -----------------------------------

    The remote system 221.155.10.197 was found to have exceeded acceptable login failures on MY.DOMAIN.NAME. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

    The following are event logs for exceeded login failures from 221.155.10.197 on service exim (all time stamps are GMT -0600):
    ----
    - Executed actions:
    /etc/apf/apf -d 221.155.10.197 {bfd.exim}

    - Log events from /var/log/exim_mainlog:
    2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rodriquez@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:55 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <romero@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:57 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rose@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:58 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <rowe@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:58 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <ruiz@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:33:59 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<xiz48fo@calweb.com> rejected RCPT <ryan@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:01 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <salazar@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:02 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <santiago@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:03 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <santos@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:03 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schmidt@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:04 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schneider@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:06 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <schultz@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:06 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<kemgpd4un@visi.net> rejected RCPT <sharp@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:10 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <shaw@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:11 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <shelton@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:14 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <silva@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:14 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <simpson@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:15 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <sims@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:16 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <slipcoat7@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:17 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <sliper3824@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:18 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<dsfl31pywzu@crcwnet.com> rejected RCPT <slipgirl16@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:20 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slk98@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:20 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slmitchelljr@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:21 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slogic@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:22 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slong_ooi@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:23 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slovacek@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:23 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<lmoo9kr@avalon.net> rejected RCPT <slp921@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:25 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slsi@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:26 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slt1022@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:27 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <sluggy4@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:28 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slumpff84@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:29 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <sluttish7@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:30 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slvrty4@CLIENTSDOMAIN.NAME>: no such address here
    2005-06-30 20:34:31 H=(MY.IP.ADD.RESS) [221.155.10.197] F=<nqeizg8ziu@serv.net> rejected RCPT <slwaln@CLIENTSDOMAIN.NAME>: no such address here
    ----

    - Thank you;
    root@MY.DOMAIN.NAME

    ----------------------------------- END -----------------------------------

    There has got to be something I can do to decrease the amount of work my server is doing to block each attempt and to send me an e-mail after every 20 or so attempts.
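    As an added example (not code from this thread, from BFD or from APF), the following Python script does over the log lines quoted above what BFD does on the server: it parses Exim's "rejected RCPT ... no such address here" lines, counts rejections per source IP inside a time window, skips the server's own addresses the way ignore.hosts does, reports a host only once it crosses a threshold (the "alert after 20 or so attempts" asked for here), and builds the same apf -d command the alert shows instead of running it. The sample log is constructed; the hosts 192.0.2.10 and 198.51.100.5, the threshold and the window are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the exim_mainlog rejection lines quoted in the BFD alert above:
# "<date> <time> H=(<helo>) [<ip>] F=<sender> rejected RCPT <rcpt>: no such address here"
EXIM_REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: no such address here$"
)

def parse_reject(line):
    """Return a dict for a recipient-rejection line, or None for any other log line."""
    m = EXIM_REJECT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def find_dictionary_attackers(lines, threshold=20, window=timedelta(minutes=10), ignore=()):
    """Map source IP -> (total rejections, distinct recipients) for every host with at least
    `threshold` rejections inside some `window`; `ignore` acts like BFD's ignore.hosts."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_reject(line)
        if ev and ev["ip"] not in ignore:
            by_ip[ev["ip"]].append((ev["ts"], ev["rcpt"]))
    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):   # sliding window over sorted timestamps
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = (len(events), len({r for _, r in events}))
    return offenders

def ban_commands(offenders, apf="/etc/apf/apf"):
    """Build (but do not run) the APF deny commands BFD lists under 'Executed actions'."""
    return ["%s -d %s {bfd.exim}" % (apf, ip) for ip in sorted(offenders)]

def _line(ts, helo, ip, sender, rcpt):   # builds one log line in the format above (sample data only)
    return "2005-06-30 %s H=(%s) [%s] F=<%s> rejected RCPT <%s@CLIENTSDOMAIN.NAME>: no such address here" % (ts, helo, ip, sender, rcpt)

# Constructed sample log: the thread's attacker walking a surname list, a hypothetical host
# with one mistyped recipient, one line from the server's own (hypothetical) address, and an
# unrelated queue-run line that the parser must skip.
ATTACKER, NOISY, OWN = "221.155.10.197", "192.0.2.10", "198.51.100.5"
NAMES = ["rodriquez", "romero", "rose", "rowe", "ruiz", "ryan", "salazar", "santiago"]
SAMPLE_LOG = [_line("20:33:%02d" % (55 + i // 4), "MY.IP.ADD.RESS", ATTACKER, "xiz48fo@calweb.com", n)
              for i, n in enumerate(NAMES)] + [
    _line("20:40:01", "mail.example.net", NOISY, "bob@example.net", "ryann"),
    _line("20:41:10", "MY.IP.ADD.RESS", OWN, "root@MY.DOMAIN.NAME", "nobody"),
    "2005-06-30 20:41:11 Start queue run: pid=12345",
]
```

    With threshold=5 and ignore={OWN}, only 221.155.10.197 is reported, with 8 rejections against 8 distinct recipients, and the single-bounce host stays unbanned.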

  7. #7
    Super Moderator chirpy (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Jun 2002
    Location: Go on, have a guess
    Posts: 13,495

    That's exactly what the ACL I listed would help block.
    Jonathan Michaelson

  8. #8
    Member
    Join Date: Oct 2001
    Posts: 57

    Quote Originally Posted by azimpact
    I've also set my BFD to run every 5 minutes so that when they try an attack, they don't get very many tries at it before their IP is banned. Also, I set the limit to only 2 screwups before it gets banned. (You have to be extra careful when logging in so you don't ban yourself.)
    If you don't mind my asking, what's BFD and how do you install and use it?

  9. #9
    Member
    Join Date: Mar 2002
    Posts: 150

    BFD should be used in conjunction with APF firewall.
    http://www.rfxnetworks.com/proj.php

    Install BFD (Brute Force Detection)

    To install BFD, SSH into server and login as root.

    At command prompt type: cd /root/

    At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

    At command prompt type: tar -xvzf bfd-current.tar.gz

    At command prompt type: cd bfd-0.4 (change 0.4 to the current version)

    At command prompt type: ./install.sh


    After BFD has been installed, you need to edit the configuration file.

    At command prompt type: pico /usr/local/bfd/conf.bfd


    Under Enable brute force hack attempt alerts:

    Find

    ALERT_USR="0"

    and change it to

    ALERT_USR="1"


    Find

    EMAIL_USR="root"

    and change it to

    EMAIL_USR="your@email.com"


    Save the changes then exit.


    To start BFD

    At command prompt type: /usr/local/sbin/bfd -s
    ---------------------------------------------------------------
    In the future, any time you install apf / bfd, you should type

    apf -a YOURIP

    ------------------------------------------------------------------
    BFD 0.6 [bfd@r-fx.org]

    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


    1) Introduction:
    BFD is a modular shell script for parsing applicable logs and checking for
    authentication failures. There is not much complexity or detail to BFD yet and
    likewise it is very straight-forward in its installation, configuration and
    usage. The reason behind BFD is very simple: there are few, if any,
    authentication and brute force auditing programs in the Linux community that
    work in conjunction with a firewall or real-time facility to place bans.

    2) Installation:
    There is an included 'install.sh' script that installs all files to
    '/usr/local/bfd/' and places a 8-minute cronjob in '/etc/cron.d/bfd'. The setup
    is really as simple as that.

    3) Configuration:
    The configuration file for BFD is located at '/usr/local/bfd/conf.bfd'; it is
    very straightforward and the comments themselves explain what each option
    is for. Of the options, you should ideally configure the ALERT_USR toggle to
    enable or disable user email alerts and likewise in conjunction configure the
    EMAIL_USR var with your email addresses you would like to receive alerts at.

    An ignore file is present at '/usr/local/bfd/ignore.hosts'; this is a line
    separated file to place hosts into that you would like to be ignored for
    authentication failures. An internal function will attempt to fetch all
    local IPs bound on the installed system and therein internally ignore
    events appearing to be from such addresses.

    ----------------------------------------------------------------

  10. #10
    Member
    Join Date: Oct 2001
    Posts: 57

    Thanks cbwass!

  11. #11
    Member
    Join Date: Oct 2003
    Location: Valencia, CA
    Posts: 58

    BFD vulnerability?

    BFD has been working great for us until this weekend, when someone made hundreds of attempts to access one of our boxes, but yet BFD DID NOT deny them. The only thing we can see that is different from all the other attacks is that this person (I use the term loosely) seems to have used a different port with each attempt. Does anyone know if this is a vulnerability of BFD? Are there any suggestions regarding how to strengthen this possible weakness?

    I've included a link to a short excerpt from a rather lengthy break-in attempt so you can see how the ports are changed each time.

    attempt log

  12. #12
    Super Moderator chirpy (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Jun 2002
    Location: Go on, have a guess
    Posts: 13,495

    Which version of BFD are you running (Just type bfd to find out). Any version prior to v0.8 was quite buggy and could easily have missed such an attempt. If you're already using v0.8 then it certainly ought to have worked.
    Jonathan Michaelson

  13. #13
    Member
    Join Date: Oct 2003
    Location: Valencia, CA
    Posts: 58

    Well, thanks for pointing out the obvious Chirpy. We were not running .8 (but we are NOW).

    BTW, we had a problem when we tried to install the dictionary attack ACL. Have you installed it successfully, and if so, did you encounter any issues along the way that might guide us when we try again?

  14. #14
    Super Moderator chirpy (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Jun 2002
    Location: Go on, have a guess
    Posts: 13,495

    I've installed the ACL several hundred times by now. The main thing is to follow the instructions on the web page very carefully. One of the main mistakes people make is to not put blank lines where they are required and specified in the instructions. If you still cannot get it to work, feel free to PM me.
    Jonathan Michaelson

  15. #15
    Member
    Join Date: Nov 2002
    Location: All over!
    Posts: 452

    Is it OK to install this on a server running APF & BFD, or will they conflict with each other? Thanks for the help!

    Quote Originally Posted by chirpy
    I've installed the ACL several hundred times by now. The main thing is to follow the instructions on the web page very carefully. One of the main mistakes people make is to not put blank lines where they are required and specified in the instructions. If you still cannot get it to work, feel free to PM me.
    Knowledge is Power!
