Results 16 to 30 of 36
  1. #16
    Member
    Join Date
    Aug 2003
    Posts
    49

    Default

    If you have any Fedora Core 2 servers that are running Brute Force Detection (BFD), here is a modification to the ssh rule to stop it from adding ffff to APF's deny_hosts list. You have to add "| awk -F: '{print$4":"$5}'" to the end of ARG_VAL2. I finally found this solution after a long time searching the web. The ARG_VAL2 line in the ssh rules should look like this now.

    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' | awk -F: '{print$4":"$5}' >> $TMP/.sshd`


    The file you want to edit is /usr/local/bfd/rules/sshd
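Added example (not part of the original post, and not BFD's own code): the extraction from the rule above run over two constructed log lines, one with the IPv4-mapped IPv6 prefix `::ffff:` and one with a plain IPv4 address. The log lines, the function names and the `extract_normalized` variant are assumptions made for illustration; the variant removes the prefix only when it is present, because the posted `awk -F:` step returns empty fields when the address has no prefix.

```shell
#!/bin/sh
# Constructed sample lines (not taken from the thread). 192.0.2.0/24 is a
# documentation range. Field 13 is the source address, field 11 the user,
# matching the positions used by the rule's first awk.
MAPPED='Oct 10 12:00:00 host sshd[1234]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 4321 ssh2'
PLAIN='Oct 10 12:00:05 host sshd[1240]: Failed password for illegal user test from 192.0.2.11 port 4400 ssh2'

# Extraction as in the unmodified rule: "address:user".
extract_original() {
    printf '%s\n' "$1" | grep -w "for illegal" | awk '{print $13":"$11}'
}

# The modification from the post: split on ":" and keep fields 4 and 5.
# "::ffff:192.0.2.10:admin" splits into "", "", "ffff", "192.0.2.10", "admin".
extract_posted_fix() {
    extract_original "$1" | awk -F: '{print $4":"$5}'
}

# Hypothetical variant (an assumption, not from the post): strip the
# "::ffff:" prefix only if the address starts with it.
extract_normalized() {
    printf '%s\n' "$1" | grep -w "for illegal" |
        awk '{ip = $13; sub(/^::ffff:/, "", ip); print ip":"$11}'
}

# Show all three results side by side for each sample line.
for line in "$MAPPED" "$PLAIN"; do
    printf 'original:   %s\n' "$(extract_original "$line")"
    printf 'posted fix: %s\n' "$(extract_posted_fix "$line")"
    printf 'normalized: %s\n\n' "$(extract_normalized "$line")"
done
```

Before changing a live rule, run the extraction against a few lines from the server's own log to confirm which address form sshd writes there.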

  2. #17
    Member
    Join Date
    Feb 2004
    Location
    Chicago
    Posts
    196

    Default

    Quote Originally Posted by greengiant
    The file you want to edit is /usr/local/bfd/rules/sshd
    That file doesn't exist?
    Also, does this mean I already have APF? Do I just need to install the BFD?

  3. #18
    Member
    Join Date
    Aug 2003
    Posts
    49

    Default

    You need to run APF (available from the same site) in order to run BFD.

    If you have installed bfd to a different location then you still have to edit the sshd file that is in the bfd rules directory. The default location for bfd to install is /usr/local/bfd

  4. #19
    Member
    Join Date
    Aug 2004
    Posts
    84

    Default

    Quote Originally Posted by SarcNBit
    What OS are you running?

    Try running using the full path to iptables or using 'su -' when su'ing to root.
    My OS is Fedora.

  5. #20
    Member
    Join Date
    Aug 2004
    Posts
    84

    Default

    Quote Originally Posted by anup123
    Run following commands from ssh and paste the output.

    lsmod
    ie Determine the loaded modules

    modinfo ip_tables
    ie Determine if the iptables kernel module is installed on your system

    rpm -q iptables
    ie Determine if the iptables user-space package is installed on your system



    Anup
    root@host [~]# lsmod
    Module Size Used by Not tainted
    ipt_mark 984 1 (autoclean)
    ipt_MARK 1368 13 (autoclean)
    ipt_TOS 1656 7 (autoclean)
    iptable_mangle 2776 1
    ip_conntrack_ftp 5392 0 (unused)
    ip_conntrack_irc 4240 0 (unused)
    ipt_unclean 8056 3
    ipt_REJECT 4344 4
    ipt_LOG 4344 8
    ipt_limit 1688 20
    iptable_filter 2412 1
    ipt_multiport 1176 4
    ipt_state 1016 19
    ip_conntrack 32168 2 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
    ip_tables 16448 11 [ipt_mark ipt_MARK ipt_TOS iptable_mangle ipt_unclean ipt_REJECT ipt_LOG ipt_limit iptable_filter ipt_multiport ipt_state]
    autofs 13844 0 (autoclean) (unused)
    via-rhine 15888 1
    mii 4124 0 [via-rhine]
    crc32 3748 0 [via-rhine]
    sg 37580 0 (autoclean) (unused)
    scsi_mod 111092 1 (autoclean) [sg]
    ext3 74500 5 (autoclean)
    jbd 56624 5 (autoclean) [ext3]
    keybdev 3136 0 (unused)
    mousedev 5688 0 (unused)
    hid 24708 0 (unused)
    input 6144 0 [keybdev mousedev hid]
    ehci-hcd 21768 0 (unused)
    usb-uhci 27436 0 (unused)
    usbcore 82592 1 [hid ehci-hcd usb-uhci]
    root@host [~]# timed out waiting for input: auto-logout
    root@host [~]# su -
    root@host [~]# lsmod
    Module Size Used by Not tainted
    ipt_mark 984 1 (autoclean)
    ipt_MARK 1368 13 (autoclean)
    ipt_TOS 1656 7 (autoclean)
    iptable_mangle 2776 1
    ip_conntrack_ftp 5392 0 (unused)
    ip_conntrack_irc 4240 0 (unused)
    ipt_unclean 8056 3
    ipt_REJECT 4344 4
    ipt_LOG 4344 8
    ipt_limit 1688 20
    iptable_filter 2412 1
    ipt_multiport 1176 4
    ipt_state 1016 19
    ip_conntrack 32168 2 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
    ip_tables 16448 11 [ipt_mark ipt_MARK ipt_TOS iptable_mangle ipt_unclean ipt_REJECT ipt_LOG ipt_limit iptable_filter ipt_multiport ipt_state]
    autofs 13844 0 (autoclean) (unused)
    via-rhine 15888 1
    mii 4124 0 [via-rhine]
    crc32 3748 0 [via-rhine]
    sg 37580 0 (autoclean) (unused)
    scsi_mod 111092 1 (autoclean) [sg]
    ext3 74500 5 (autoclean)
    jbd 56624 5 (autoclean) [ext3]
    keybdev 3136 0 (unused)
    mousedev 5688 0 (unused)
    hid 24708 0 (unused)
    input 6144 0 [keybdev mousedev hid]
    ehci-hcd 21768 0 (unused)
    usb-uhci 27436 0 (unused)
    usbcore 82592 1 [hid ehci-hcd usb-uhci]
    root@host [~]# modinfo ip_tables
    filename: /lib/modules/2.4.25/kernel/net/ipv4/netfilter/ip_tables.o
    description: <none>
    author: <none>
    license: "GPL"
    root@host [~]# rpm -q iptables
    iptables-1.2.9-1.0

  6. #21
    Member
    Join Date
    Aug 2004
    Posts
    84

    Default

    http://forums.cpanel.net/showthread.php?t=30527
    I used this command line :
    root@host [~]# iptables -A INPUT -s 220.73.136.254 -j DROP
    bash: iptables: command not found
    why?

  7. #22
    Member
    Join Date
    Nov 2003
    Location
    England, UK
    Posts
    133

    Default

    Odd, unfortunately I haven't got a clue why iptables is not working for you

  8. #23
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Quote Originally Posted by GotHosting
    BFD has issues with the script that adds the ffff in front of the IP. Has this been fixed?
    What kind of issues exactly?

    I found a thread about it here http://forums.rfxnetworks.com/viewtopic.php?t=305
    Does it only affect Fedora?
    Last edited by jamesbond; 10-12-2004 at 05:11 AM.

  9. #24
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Default

    Quote Originally Posted by preleaf
    http://forums.cpanel.net/showthread.php?t=30527
    I used this command line :
    root@host [~]# iptables -A INPUT -s 220.73.136.254 -j DROP
    bash: iptables: command not found
    why?
    Try

    /sbin/iptables -A INPUT -s 220.73.136.254 -j DROP

  10. #25
    Member
    Join Date
    Jun 2004
    Posts
    76

    Default

    FWIW, I've run APF/BFD on RH9, Debian, FC1/2 and the only time I saw the 'ffff' problem was using APF 0.9.3 - and simply upgrading APF to the latest release solved it.

  11. #26
    Member
    Join Date
    Jan 2004
    Posts
    68

    Default

    Adding BFD sounds like a pretty good solution for anyone running a cpanel server. Will running it dramatically increase server load? It seems like everything I do to keep spammers and hackers off my machines ends up costing me greatly in increased processor/memory usage. How intensive is this to run?

  12. #27
    Moderator
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Default

    You won't even notice it. APF with BFD I feel is a must to have and works flawlessly 9 times out of ten.
    Regards,
    David
    Forum Moderator

  13. #28
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Default

    Quote Originally Posted by dgbaker
    works flawlessly 9 times out of ten.
    ouch

    I hope it works better than that for you. It does for me.

  14. #29
    Moderator
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Default

    It does, I've just learned never to say 100%, someone will always hold you to it. I can say I personally have never had any issues installing and maintaining APF/BFD setups.
    Regards,
    David
    Forum Moderator

  15. #30
    Member
    Join Date
    Aug 2004
    Posts
    84

    Default

    Quote Originally Posted by SarcNBit
    Try

    /sbin/iptables -A INPUT -s 220.73.136.254 -j DROP
    Thanks. I have done your guide and it it inform any things. What is going on?
