APF+BFD+2.6.10 Kernel

Discussion in 'General Discussion' started by anup123, Jan 30, 2005.

  1. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    BFD seems to be passing the wrong string to apf -d

    Here is the example:

    Jan 30 15:40:58 scorpio sshd[21315]: Invalid user guest from 83.144.65.212
    Jan 30 15:40:58 scorpio sshd[21315]: Failed password for invalid user guest from 83.144.65.212 port 54723 ssh2
    Jan 30 15:50:03 scorpio BFD(21563): {sshd} guest exceeded login failures; executed ban command '/etc/apf/apf -d guest'.


    The ARG_VALS are:

    ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | awk '{print$11":"$9}' > $TMP/.sshd`
    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' >> $TMP/.sshd`
    ARG_VAL3=`$TLOGP $LP $TLOG_TF.3 | grep sshd | grep -w "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | tr '[]=' ' ' | awk '{print$19":"$21}' >> $TMP/.sshd`
    ARG_VAL=`cat $TMP/.sshd`

    What needs to be tuned to get BFD to pass the IP address instead of the failed usernames?

    I am on RH9 and the latest versions of APF and BFD.

    TIA
    Anup
     
  2. anup123

    Moving a step forward:

    # closing backtick restored; output goes to $TMP/.sshd as in the stock rule, because ARG_VAL is read back from that file
    ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -vw "for invalid user" | awk '{print$11":"$9}' > $TMP/.sshd`

    # ARG_VAL2 must select the "for invalid user" lines (field 13 = IP, field 11 = user); excluding only "for root" would mis-parse any other plain "Failed password for <user> from <IP>" line as port:IP
    ARG_VAL2=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for invalid user" | awk '{print$13":"$11}' >> $TMP/.sshd`

    Gives the outfile in the format:

    IPADDRESS:username

    Any clue from this to get BFD working?

    Anup
     
    #2 anup123, Jan 30, 2005
    Last edited: Jan 30, 2005
  3. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Actually when I was using the 2.6.10 kernel the same thing happened. I wasn't using it for long so BFD only hit one attacker (my DC).

    You're better off posting this on the BFD forums as a bug.
     
  4. anup123

    Thanks. I posted it on BFD forums also and waiting for a reply.
    Actually, I had read on these forums of someone literally going out of business due to BFD rendering the server unusable, so I never went ahead trying anything beyond what Ryan (the author) has given in terms of the latest BFD. I could get the IPADDRESS:username into the outfile by modifying ARG_VAL1/2 but have not tried the change live.

    Thanks
    Anup
     
  5. rs-freddo

    I've been using BFD for a long time and never had any trouble. I think that person will eventually find it was a bad image rather than bfd. Notice the problems only occurred at one data center and not the other....

    It's a very popular piece of software and that's the first time I've ever heard of problems with it.
     
  6. anup123

    Agreed. No complaints against APF+BFD, just that I am being too cautious about trying out any changes to ARG_VAL1/2 live. From the logfile (in the format that is creating these problems), I could manage to get the IPADDRESS:username format but did not go beyond that :)

    Thanks
    Anup
     
  7. picoyak

    picoyak Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Just thought I'd toss in here that I am running kernel 2.6.10 + APF/BFD/AD without issue [so far]. Distro is FC2, however.
     
  8. anup123

    Uninstalled BFD for the time being and managing through a small shell script:


    # $(...) replaces the stray single quotes; awk instead of cut so the extra
    # space syslog pads into "Jan  5" does not shift field 10; sort -u because
    # uniq only drops adjacent duplicates
    for i in $(tail -n 10000 /var/log/messages | grep "Invalid user" | awk '{print $10}' | sort -u)
    do apf -d "$i"
    done

    Anup
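Extracting IPADDRESS:username from the three sshd failure wordings the ARG_VAL rules target, then counting failures per source address, as an added example that is not part of this thread, of BFD, or of any poster's script. The log lines are constructed, and the `extract_failures`/`offenders` functions and the threshold default are assumptions made for the example.

```shell
# Added example, not BFD's rule file or any poster's script: extract
# IPADDRESS:username from the sshd failure formats the thread's ARG_VAL
# rules target, then count failures per source IP. Log lines below are
# constructed for this example.
SAMPLE_LOG='Jan 30 15:40:58 scorpio sshd[21315]: Invalid user guest from 83.144.65.212
Jan 30 15:40:58 scorpio sshd[21315]: Failed password for invalid user guest from 83.144.65.212 port 54723 ssh2
Jan 30 15:41:02 scorpio sshd[21320]: Failed password for root from 83.144.65.212 port 54801 ssh2
Jan  5 03:12:44 scorpio sshd[21330]: Failed password for admin from 10.0.0.7 port 40000 ssh2
Jan 30 15:42:10 scorpio sshd[21340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=oracle
Jan 30 15:43:00 scorpio sshd[21350]: Accepted password for anup from 198.51.100.4 port 5000 ssh2'

# Read syslog lines on stdin, print one "IP:user" line per failed login.
# Fields are located by the words around them ("for", "user", "from",
# "rhost=", "user=") instead of fixed column numbers, so the extra space
# syslog pads into "Jan  5" cannot shift the columns the way it does with
# cut -d" " or a fixed awk $N.
extract_failures() {
    grep -w sshd | awk '
        /Failed password for/ {
            u = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u = $(i + 1)    # "root" or "invalid"
                if ($i == "user") u = $(i + 1)    # real name after "invalid user"
                if ($i == "from") ip = $(i + 1)
            }
            if (ip != "") print ip ":" u
            next
        }
        /authentication failure/ && /rhost=/ {
            u = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rhost=/) { ip = $i; sub(/^rhost=/, "", ip) }
                if ($i ~ /^user=/)  { u = $i;  sub(/^user=/, "", u) }   # "ruser=" does not match
            }
            if (ip != "") print ip ":" u
        }'
}

# Count failures per source IP and print those reaching the threshold in $1
# (default 3). These are the values a ban command should receive, not usernames.
offenders() {
    extract_failures | cut -d: -f1 | sort | uniq -c |
        awk -v t="${1:-3}" '$1 + 0 >= t + 0 { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | extract_failures
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```

The "Invalid user ... from" line that precedes each "Failed password for invalid user" line is deliberately skipped so one attempt is not counted twice.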
     