anup123

Well-Known Member
Mar 29, 2004
889
1
168
This Planet
BFD seems to be passing the wrong string to apf -d

Here is the example:

Jan 30 15:40:58 scorpio sshd[21315]: Invalid user guest from 83.144.65.212
Jan 30 15:40:58 scorpio sshd[21315]: Failed password for invalid user guest from 83.144.65.212 port 54723 ssh2
Jan 30 15:50:03 scorpio BFD(21563): {sshd} guest exceeded login failures; executed ban command '/etc/apf/apf -d guest'.


The ARG_VALS are:

ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | awk '{print$11":"$9}' > $TMP/.sshd`
ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' >> $TMP/.sshd`
ARG_VAL3=`$TLOGP $LP $TLOG_TF.3 | grep sshd | grep -w "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | tr '[]=' ' ' | awk '{print$19":"$21}' >> $TMP/.sshd`
ARG_VAL=`cat $TMP/.sshd`

What needs to be tuned to get BFD to pass the IP address instead of the failed usernames?

I am on RH9 and the latest versions of APF and BFD.

TIA
Anup
 

anup123

Moving a step forward:

ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -vw "for invalid user" | awk '{print$11":"$9}' > $TMP/.sshd`

# each ARG_VAL needs its own tlog track file (.1, .2), as in the stock rule
ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -vw "for root" | awk '{print$13":"$11}' >> $TMP/.sshd`

Gives the outfile in the format:

IPADDRESS:username

Any clue from this to get BFD working?

Anup
 

rs-freddo

Well-Known Member
May 13, 2003
828
1
168
Australia
cPanel Access Level
Root Administrator
Actually when I was using the 2.6.10 kernel the same thing happened. I wasn't using it for long so BFD only hit one attacker (my DC).

You're better off posting this on the BFD forums as a bug.
 

anup123

Thanks. I posted it on the BFD forums also and am waiting for a reply.
Actually, I had read on these forums about someone literally going out of business due to BFD rendering the server unusable, so I never went ahead trying anything beyond what Ryan (the author) has given in terms of the latest BFD. I could get the IPADDRESS:username into the outfile by modifying ARG_VAL1/2 but have not tried the change live.

Thanks
Anup
 

rs-freddo

I've been using BFD for a long time and never had any trouble. I think that person will eventually find it was a bad image rather than bfd. Notice the problems only occurred at one data center and not the other....

It's a very popular piece of software and that's the first time I've ever heard of problems with it.
 

anup123

Agreed. No complaints against APF+BFD, just that I am being toooo cautious about trying out any changes to ARG_VAL1/2 live. From the logfile (in the format that is creating these problems), I could manage to get the IPADDRESS:username format but did not go beyond that :)

Thanks
Anup
 

picoyak

Well-Known Member
Jun 10, 2004
72
0
156
Just thought I'd toss in here that I am running kernel 2.6.10 + APF/BFD/AD without issue [so far]. Distro is FC2, however.
 

anup123

Uninstalled BFD for the time being and managing thru a small shell script:


# $(...) runs the pipeline (quotes would make it one literal string);
# awk splits on runs of blanks, so single-digit days ("Jan  3") do not shift the field;
# sort -u dedups non-adjacent addresses, which plain uniq does not.
for i in $(tail -n 10000 /var/log/messages | grep "Invalid user" | awk '{print $10}' | sort -u); do
    apf -d "$i"
done

Anup