DavidR

Well-Known Member
Feb 25, 2003
I mentioned this at the tail end of another thread but I thought since there are no answers coming from the Rfx forums either I would start another thread. I have a Virtuozzo VPS and so can't run APF (have another firewall script specific to that host). I installed BFD and enabled the BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny" option as an alternative. I get the emails telling me that hosts have been banned, but nothing gets into the hosts.deny file (well, it did once and never again). I also tried a variation suggested in the Rfx forum, i.e. BCMD="echo 'ALL:$ATT_HOST' >> /etc/hosts.deny".

Does anyone have this working? I would really appreciate any help you can give to make it work. Thanks.

David
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Since many processes don't use the hosts.deny file, I'd simply suggest injecting them into iptables to block them:

BCMD="iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"

That works fine on VPS servers (it's how I configure BFD for them).
 

DavidR

Well-Known Member
Feb 25, 2003
Thank you for this advice, it does look like a better way. I put the line into conf.bfd instead of BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny", but it does not add the banned host to the iptables rules. Now, when I enter exactly the same line (with a host to be banned) at the command line, it does work and adds it to the iptables INPUT chain. Below is taken exactly from a BFD email alert:
- Executed actions:
iptables -I INPUT -p tcp -s zojoten.uniscope.co.jp -j DROP
I checked using iptables -L INPUT and the banned host was not there. When I executed the same line at the command line and checked again, it was there. This is similar to the problems I had with the hosts.deny line. Can you think of any reason this won't work when BFD executes it, but does at a command prompt? I'm using BFD .5 by the way. Thank you.

David
 

DavidR

Well-Known Member
Feb 25, 2003
Never thought of that, but yeah, just did and no errors - it just restates the line from the email basically. This is very odd.

David
 

dave9000

Well-Known Member
Apr 7, 2003
arkansas
cPanel Access Level
Root Administrator
I am having the same issue with the /etc/hosts.deny file and I'm sure it's something simple, but I can not find out why BFD is not updating the hosts.deny file either.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I think you're going to have to push on the rfxn forums a bit harder, though I know that getting a response can be, erm, tricky.
 

DavidR

Well-Known Member
Feb 25, 2003
Well, in my situation at least, there may be some relief on the way. I've confirmed that the next version of Virtuozzo supports stateful firewalls ala APF, etc. (yeah!).

David
 

baxteris

Member
Oct 1, 2004
chirpy said:
That is odd. Have you checked in /var/log/bfd_log for any errors?
I noticed in the script that that particular line is piped to /dev/null, so you wouldn't pick up errors in the log. You might pipe it to another log and watch it.

/usr/local/bfd/bfd line 138
 

baxteris

Member
Oct 1, 2004
Change line 138 in /usr/local/bfd/bfd from:

$BCMD >> /dev/null 2>&1

to:

$BCMD 2>/dev/null

Works
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
DavidR said:
Well, in my situation at least, there may be some relief on the way. I've confirmed that the next version of Virtuozzo supports stateful firewalls ala APF, etc. (yeah!).

David
About time! Good to hear.
 

DavidR

Well-Known Member
Feb 25, 2003
baxteris said:
Change line 138 in /usr/local/bfd/bfd from:

$BCMD >> /dev/null 2>&1

to:

$BCMD 2>/dev/null

Works
I'm giving this a try. When I changed it to log to its own file, the result was "/usr/local/sbin/bfd: line 138: iptables: command not found" in the new log. I hope this works. Thanks.

David
 

DavidR

Well-Known Member
Feb 25, 2003
chirpy said:
That's interesting - couldn't find the path to iptables. You could try changing BCMD to use the full path to iptables:

/sbin/iptables
I've done this and now waiting for a BFD alert to see what happens. I'll post when it does.

David
 

DavidR

Well-Known Member
Feb 25, 2003
It worked! Thanks everyone. I might change it to add to hosts.deny just so I can see if it is logging an error that may shed some light on that one too. Otherwise, this should be perfect for now. Thanks again.

David
 

baxteris

Member
Oct 1, 2004
For the /etc/hosts.deny line I had to change conf.bfd to be:

BCMD=`echo ALL:$ATT_HOST >> /etc/hosts.deny`

Just change the double quotes to tick marks.
 

DavidR

Well-Known Member
Feb 25, 2003
baxteris said:
For the /etc/hosts.deny line I had to change conf.bfd to be:

BCMD=`echo ALL:$ATT_HOST >> /etc/hosts.deny`

Just change the double quotes to tick marks.
Excellent, now we have both methods available. Thanks!

David
 

RickG

Well-Known Member
Feb 28, 2005
North Carolina
baxteris said:
For the /etc/hosts.deny line I had to change conf.bfd to be:

BCMD=`echo ALL:$ATT_HOST >> /etc/hosts.deny`
Has anyone had to tweak the above in order to get BFD to write to hosts.deny?

If I use the tick marks (as above):

- the only thing written to hosts.deny is ALL: (i.e. no IP address).
- the bfd_log does show the IP address, but only ' ' for the executed ban command.

If I use quotes " around the BCMD statement:

- I see the entry in the log files (echo ALL:221.XXX.XX.XX >> /etc/hosts.deny) but hosts.deny is never written to.

The BCMD example for iptables works properly -- trying to help out a pal that needs to use hosts.deny

Thanks -
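The behaviour described through this thread (the double-quoted hosts.deny BCMD that never writes the file, the backtick variant that writes a bare "ALL:" and logs an empty ban command, and the "iptables: command not found" line that disappeared once the full path was used) all follows from how BFD runs the string: the quoted line 138, `$BCMD >> /dev/null 2>&1`, word-splits the unquoted variable into a command and arguments, so a `>>` inside BCMD is just text handed to echo, and a backtick assignment is evaluated when conf.bfd is sourced, before $ATT_HOST exists. The script below is an added example, not BFD's or rfxn's code, that reproduces those three outcomes with a temp file in place of /etc/hosts.deny and a stub in place of /sbin/iptables, then shows two fixes: eval (the minimal change, with a caveat) and a wrapper script called by absolute path. The wrapper name ban.sh, the temp paths and the attacker address 192.0.2.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not BFD's own code. Mimics BFD's invocation of BCMD as quoted
# in the thread ($BCMD >> /dev/null 2>&1) to show why each config variant behaves
# as reported. A temp file stands in for /etc/hosts.deny, a stub for /sbin/iptables,
# 192.0.2.10 is a constructed attacker address and ban.sh is a hypothetical wrapper.

WORK=$(mktemp -d)
DENY="$WORK/hosts.deny"
trap 'rm -rf "$WORK"' EXIT

# Mimic of BFD line 138: the unquoted $BCMD is word-split into one command plus
# arguments, so ">>" and the file name reach echo as ordinary text.
bfd_style_run() {
    BCMD="$1"
    $BCMD >> /dev/null 2>&1
}

# Double quotes (the conf.bfd line from the first post): echo prints
# "ALL:host >> <file>" into /dev/null and the deny file stays empty.
variant_double_quotes() {
    ATT_HOST="192.0.2.10"
    : > "$DENY"
    bfd_style_run "echo ALL:$ATT_HOST >> $DENY"
    cat "$DENY"
}

# Backticks: the command runs when conf.bfd is sourced, before ATT_HOST is set,
# so "ALL:" lands in the file once and BCMD itself becomes the empty string
# (the "ALL:" entry and the blank executed-command in bfd_log reported above).
variant_backticks() {
    : > "$DENY"
    unset ATT_HOST
    BCMD=`echo ALL:$ATT_HOST >> $DENY`
    printf '%s|%s\n' "$(cat "$DENY")" "$BCMD"
}

# Minimal fix on the BFD side: eval the string so the shell parses the redirection.
# Caveat: eval re-parses whatever is in ATT_HOST, and that value comes from log data.
variant_eval() {
    ATT_HOST="192.0.2.10"
    : > "$DENY"
    BCMD="echo ALL:$ATT_HOST >> $DENY"
    eval "$BCMD" >> /dev/null 2>&1
    cat "$DENY"
}

# Safer fix needing no change to BFD: point BCMD at a wrapper by absolute path and
# let the wrapper do the redirection; the host arrives as a plain argument, no eval.
variant_wrapper() {
    cat > "$WORK/ban.sh" <<EOF
#!/bin/sh
printf 'ALL:%s\n' "\$1" >> "$DENY"
EOF
    chmod +x "$WORK/ban.sh"
    ATT_HOST="192.0.2.10"
    : > "$DENY"
    bfd_style_run "$WORK/ban.sh $ATT_HOST"
    cat "$DENY"
}

# The "iptables: command not found" symptom: the PATH BFD runs under (cron, for
# instance) need not include /sbin. A bare name fails with status 127; an absolute
# path works regardless of PATH. Simulated with an empty dir and a stub iptables.
path_check() {
    mkdir -p "$WORK/sbin" "$WORK/emptybin"
    printf '#!/bin/sh\nexit 0\n' > "$WORK/sbin/iptables"
    chmod +x "$WORK/sbin/iptables"
    ATT_HOST="192.0.2.10"
    bare=$(PATH="$WORK/emptybin"; bfd_style_run "iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"; echo $?)
    full=$(PATH="$WORK/emptybin"; bfd_style_run "$WORK/sbin/iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"; echo $?)
    echo "bare=$bare full=$full"
}

echo "double quotes : '$(variant_double_quotes)'"
echo "backticks     : '$(variant_backticks)'"
echo "eval          : '$(variant_eval)'"
echo "wrapper       : '$(variant_wrapper)'"
echo "path          : $(path_check)"
```

On a real host the wrapper approach translates to something like BCMD="/usr/local/bfd/ban.sh $ATT_HOST" (a script you write yourself; BFD ships no such file), which keeps BFD's line 138 untouched, avoids eval over log-derived input, and sidesteps the PATH problem because every command is named by absolute path. The same reasoning is why chirpy's iptables line works once written as /sbin/iptables -I INPUT -p tcp -s $ATT_HOST -j DROP: there is no redirection in it to lose, and only the bare command name was failing. Keep in mind the point made earlier in the thread that hosts.deny is only consulted by services built against tcp_wrappers, so an iptables DROP is the more complete ban.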