The Community Forums


BFD and hosts.deny

Discussion in 'cPanel Developers' started by DavidR, Feb 3, 2005.

  1. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    I mentioned this at the tail end of another thread but I thought since there are no answers coming from the Rfx forums either I would start another thread. I have a Virtuozzo VPS and so can't run APF (have another firewall script specific to that host). I installed BFD and enabled the BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny" option as an alternative. I get the emails telling me that hosts have been banned, but nothing gets into the hosts.deny file (well, it did once and never again). I also tried a variation suggested in the Rfx forum, i.e. BCMD="echo 'ALL:$ATT_HOST' >> /etc/hosts.deny".

    Does anyone have this working? I would really appreciate any help you can give to make it work. Thanks.

    David
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Since many processes don't use the hosts.deny files, I'd simply suggest injecting them into iptables to block them:

    BCMD="iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"

    That works fine on VPS servers (it's how I configure BFD for them).
     
  3. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Thank you for this advice, it does look like a better way. I put the line into conf.bfd instead of BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny", but it does not add the banned host to the iptable. Now, when I enter exactly the same line (with a host to be banned) at the command line, it does work and adds it to the iptable INPUT. Below is taken exactly from a BFD email alert:
    I checked using iptables -L INPUT and the banned host was not there. When I executed the same line at the command line and checked again, it was there. This is similar to the problems I had with the hosts.deny line. Can you think of any reason this won't work when BFD executes it, but does at a command prompt? I'm using BFD .5 by the way. Thank you.

    David
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That is odd. Have you checked in /var/log/bfd_log for any errors?
     
  5. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Never thought of that but yeah, just did and no errors - it just restates the line from the email basically. This is very odd.

    David
     
  6. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    I am having the same issue with the /etc/hosts.deny file, and I'm sure it's something simple, but I cannot find out why BFD is not updating the hosts.deny file either.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I think you're going to have to push on the rfxn forums a bit harder, though I know that getting a response can be, erm, tricky.
     
  8. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Well, in my situation at least, there may be some relief on the way. I've confirmed that the next version of Virtuozzo supports stateful firewalls à la APF, etc. (yeah!).

    David
     
  9. baxteris

    baxteris Member

    Joined:
    Oct 1, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I noticed in the script that that particular line is piped to /dev/null, so you wouldn't pick up errors in the log. You might pipe it to another log and watch it.

    /usr/local/bfd/bfd line 138
     
  10. baxteris

    baxteris Member

    Joined:
    Oct 1, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Change line 138 in /usr/local/bfd/bfd from:

    $BCMD >> /dev/null 2>&1

    to:

    $BCMD 2>/dev/null

    Works
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    About time! Good to hear.
     
  12. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    I'm giving this a try. When I changed it to log to its own file, the result was "/usr/local/sbin/bfd: line 138: iptables: command not found" in the new log. I hope this works. Thanks.

    David
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's interesting - couldn't find the path to iptables. You could try changing BCMD to use the full path to iptables:

    /sbin/iptables
     
  14. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    I've done this and now waiting for a BFD alert to see what happens. I'll post when it does.

    David
     
  15. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    It worked! Thanks everyone. I might change it to add to hosts.deny just so I can see if it is logging an error that may shed some light on that one too. Otherwise, this should be perfect for now. Thanks again.

    David
     
  16. baxteris

    baxteris Member

    Joined:
    Oct 1, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    For the /etc/hosts.deny line I had to change conf.bfd to be
    BCMD=`echo ALL:$ATT_HOST >> /etc/hosts.deny`

    just change the double quotes to tick marks.
     
  17. DavidR

    DavidR Well-Known Member

    Joined:
    Feb 25, 2003
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    16
    Excellent, now we have both methods available. Thanks!

    David
     
  18. RickG

    RickG Well-Known Member

    Joined:
    Feb 28, 2005
    Messages:
    238
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    North Carolina
    Has anyone had to tweak the above in order to get BFD to write to hosts.deny?

    If I use the tick marks (as above):

    - the only thing written to hosts.deny is ALL: (i.e. no IP address).
    - the bfd_log does show the IP address, but only ' ' for the executed ban command.

    If I use quotes " around the BCMD statement:

    - I see the entry in the log files (echo ALL:221.XXX.XX.XX >> /etc/hosts.deny) but hosts.deny is never written to.

    The BCMD example for iptables works properly -- trying to help out a pal that needs to use hosts.deny

    Thanks -
     
  19. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    How about using the explicit path to echo:
    Code:
    BCMD="/bin/echo ALL:$ATT_HOST >> /etc/hosts.deny"
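Editor's added example, not BFD's own code and not posted by anyone in the thread. It reproduces, against a temporary file, why the three BCMD spellings discussed in this thread behave the way the posters saw, and why baxteris's look at line 138 (`$BCMD >> /dev/null 2>&1`) and chirpy's full-path suggestion both matter. Assumptions: `$DENY` stands in for /etc/hosts.deny, 192.0.2.10 is a constructed TEST-NET address, the claim that conf.bfd is read before `ATT_HOST` has a value is an assumption about BFD's ordering (it matches RickG's "ALL:" with no address), and the `eval`-based runner at the end is an illustration of how a runner could honour the redirection, not a patch BFD shipped.

```shell
#!/bin/sh
# Added example (not BFD's code, not from anyone in the thread). It reproduces,
# against a temporary file, why the three BCMD spellings discussed above behave
# the way the posters saw. The thread quotes BFD 0.5's runner as
#     $BCMD >> /dev/null 2>&1        (line 138 of /usr/local/bfd/bfd)
# and that single line explains most of it. Assumptions: $DENY stands in for
# /etc/hosts.deny, and 192.0.2.10 is a constructed TEST-NET address.

DENY="${TMPDIR:-/tmp}/hosts.deny.example.$$"
ATT_HOST="192.0.2.10"

# The runner exactly as quoted in the thread: unquoted expansion, output discarded.
run_like_bfd() {
    $BCMD >> /dev/null 2>&1
}

# 1. Double quotes. The shell parses redirections before it expands $BCMD, so
#    ">>" and the path reach echo as ordinary arguments and the whole line goes
#    to /dev/null. The deny file stays empty, as DavidR and RickG reported.
variant_double_quotes() {
    : > "$DENY"
    BCMD="echo ALL:$ATT_HOST >> $DENY"
    run_like_bfd
    cat "$DENY"; rm -f "$DENY"
}

# 2. Backticks. That is command substitution: echo runs when conf.bfd is read,
#    its stdout (nothing, it went into the file) becomes BCMD, and the runner
#    has nothing to execute. Assuming ATT_HOST has no value yet at that moment,
#    the file gets a bare "ALL:" and the log shows an empty ban command, which
#    is exactly RickG's observation.
variant_backticks() {
    : > "$DENY"
    (
        ATT_HOST=""                              # not yet known when config is read
        BCMD=`echo ALL:$ATT_HOST >> "$DENY"`     # runs immediately, at assignment
        ATT_HOST="192.0.2.10"                    # set later, per attacker
        run_like_bfd                             # BCMD is empty: nothing to run
        printf '%s|%s\n' "$(cat "$DENY")" "$BCMD"
    )
    rm -f "$DENY"
}

# 3. PATH. DavidR's private log showed "iptables: command not found": cron and
#    init environments often omit /sbin and /usr/sbin, which is why the full
#    path chirpy suggested fixed it. Resolve the command word of a BCMD under a
#    minimal PATH so the gap shows up before an alert ever fires.
check_bcmd_tool() {
    tool=${1%% *}                                # first word of the command string
    if found=$(PATH=/usr/bin:/bin command -v "$tool" 2>/dev/null); then
        echo "ok $found"
    else
        echo "missing $tool"
    fi
}

# 4. A runner that honours the redirection (an illustration, not a BFD patch).
#    eval re-parses the string, so ">> file" becomes a real redirection. Since
#    eval executes whatever the string holds and BFD takes ATT_HOST out of log
#    files, the string is only run when ATT_HOST is a well-formed IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    IFS=.; set -- $1; unset IFS                 # split into octets
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

run_guarded() {
    is_ipv4 "$ATT_HOST" || return 1
    eval "$BCMD" >> /dev/null 2>&1
}

variant_guarded_eval() {
    : > "$DENY"
    BCMD="echo ALL:$ATT_HOST >> $DENY"
    run_guarded
    cat "$DENY"; rm -f "$DENY"
}

# Stand-alone demo of the four cases.
echo "double quotes -> '$(variant_double_quotes)'"
echo "backticks     -> '$(variant_backticks)'"
echo "guarded eval  -> '$(variant_guarded_eval)'"
check_bcmd_tool "iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"
check_bcmd_tool "/sbin/iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"
```

Run it as a normal user; it never touches /etc/hosts.deny or iptables. The first two cases show that nothing about BFD's ban command was wrong in itself: the runner line simply cannot see a redirection that lives inside an expanded variable, and backticks execute the command at the wrong time. The PATH check is the test to run against any BCMD before relying on it from cron.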
     
