The Community Forums


BFD is not detecting attacks Please help

Discussion in 'General Discussion' started by JP-HOST, Feb 5, 2005.

  1. JP-HOST

    JP-HOST Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Roscoe, IL, USA
    Ok, I have posted this over at R-fx Networks, but I have not received a reply yet. I hope that someone here will have some insight into how I can fix this...

    I am having problems with BFD. I just installed the latest version of APF and BFD but now BFD will not add attackers to the block list. I have looked at the sshd rules file and it is looking in the /var/log/messages log for sshd but when I run "grep sshd /var/log/messages" I return nothing. However when I "grep sshd /var/log/secure" I return several results that include the attacks. My bfd_log file is empty. BFD is running in the cron every 10 minutes. How can I fix this so it will block attackers again? Should the sshd rule be looking at the messages log or the secure log?

    Also should:
    Code:
    # Do kernel logging
    USE_KLOG="1"
    be set to 1 or 0?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It should be set to 1.

    If you are successfully logging sshd entries to /var/log/secure, then check that /usr/local/bfd/rules/sshd looks like:

    Code:
    LP="/var/log/secure"      # log file BFD scans; sshd writes its auth failures here on this system
    TLOG_TF="sshd"
    TRIG="5"                  # failed attempts from one address before it is banned
    
    ## SSH
    # Known user: "... Failed password for USER from IP ..." -> field 11 is the IP, field 9 the user
    ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | awk '{print$11":"$9}'`
    # Unknown user: "... Failed password for illegal user USER from IP ..." -> fields shift by two
    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}'`
    
    ARG_VAL=`echo $ARG_VAL1 $ARG_VAL2`
    
     
  3. JP-HOST

    JP-HOST Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Roscoe, IL, USA
    Thanks Chirpy. I have uninstalled version 0.5 and reinstalled version 0.4. I wonder why the 0.5 version's sshd rule looks like this?

    Code:
    LP="/var/log/messages"
    TLOG_TF="sshd"
    TRIG="3"
    TMP="/usr/local/bfd/tmp"
    
    ## SSH
    ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | awk '{print$11":"$9}' > $TMP/.sshd`
    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' >> $TMP/.sshd`
    ARG_VAL3=`$TLOGP $LP $TLOG_TF.3 | grep sshd | grep -w "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | tr '[]=' ' ' | awk '{print$19":"$21}' >> $TMP/.sshd`
    ARG_VAL=`cat $TMP/.sshd`
    I am not sure why it is looking in the messages log for the sshd failed logins.
     
  4. 3guys

    3guys Member

    Joined:
    Nov 24, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I was looking at this last night, I prefer the way V4 used the secure log via messages logs. Does anyone know why this was changed?
    Or if the V4 sshd rules will work with v5?
     
  5. JP-HOST

    JP-HOST Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Roscoe, IL, USA
    Looks like ryan has released version 0.6 now....

    BFD Change Log

    I am not sure I want to try it though... When I went back to v0.4 I changed the email flag and set the email address in the config file and then happily ran bfd -s... the next thing I knew I was flooded with about 500 emails and so was my business partner. Which really bogged up my server. LOL I know not to do that again though...
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I guess he's not listening as the sshd rule is still wrong (checking in /var/log/messages). The new exim rule is also dubious.
     
  7. JP-HOST

    JP-HOST Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Roscoe, IL, USA
    Well, even after I reverted back to v0.4 things still weren't quite right. When an attack on an unknown username was detected it would add the username to the deny_hosts.rules instead of the attacker's IP. Well I re-wrote the sshd rule file to look like this:

    Code:
    LP="/var/log/secure"
    TLOG_TF="sshd"
    TRIG="3"
    TMP="/usr/local/bfd/tmp"
    
    ## SSH
    # Known user: "Failed password for USER from IP" -> field 11 is the IP, field 9 the user
    ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for [a-zA-Z0-9]* from" | awk '{print$11":"$9}' > $TMP/.sshd`
    # Unknown user: "Failed password for invalid user USER from IP" -> IP is field 13, user field 11
    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for invalid" | awk '{print$13":"$11}' >> $TMP/.sshd`
    
    ARG_VAL=`cat $TMP/.sshd`
    If anyone can think of an ssh attack situation that this wouldn't detect please let me know.
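    The two rule files above (chirpy's v0.4 layout and the rewrite in this post) both depend on fixed awk column numbers, so a line whose wording differs from what the grep filters expect ("illegal user" vs "invalid user") lands in the wrong branch and the username is extracted instead of the IP. The script below is an added example, not BFD's or R-fx's own code: it runs the same detection idea over a few constructed /var/log/secure lines (RFC 5737 documentation addresses), first showing what the fixed-column extraction yields on unknown-user lines, then extracting the address by locating the word "from" so that both wordings are handled, and finally applying the TRIG threshold per source IP. BFD's tlog helper ($TLOGP) and the APF hand-off are not part of the example.

```shell
#!/bin/sh
# Added example (not BFD code): replicate the sshd rule's detection logic on constructed log lines.

TRIG=3   # failed attempts from one address before it would be handed to the blocker

# Constructed sample lines, in the syslog layout sshd uses for /var/log/secure.
SAMPLE_LOG='Feb  5 10:01:02 host sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb  5 10:01:05 host sshd[2002]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb  5 10:01:08 host sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Feb  5 10:01:09 host sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Feb  5 10:02:00 host sshd[2005]: Failed password for invalid user oracle from 198.51.100.7 port 51000 ssh2
Feb  5 10:02:30 host sshd[2006]: Accepted password for alice from 203.0.113.5 port 52000 ssh2
Feb  5 10:03:00 host sshd[2007]: Failed password for bob from 203.0.113.5 port 52001 ssh2'

# The fixed-column extraction of the rule's ARG_VAL1 branch, applied to unknown-user lines.
# On those lines field 9 is the word "invalid" and field 11 is the guessed username, so the
# rule would record "admin:invalid" rather than the attacker's address.
naive_invalid_user_fields() {
    printf '%s\n' "$SAMPLE_LOG" | grep sshd | grep -w 'for invalid' | awk '{print $11":"$9}'
}

# Wording-independent extraction: find the word "from" and take the field after it as the IP
# and the field before it as the user name. Produces the same "IP:user" form the rule builds.
failed_pairs() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1) ":" $(i-1); break }
         }'
}

# Count failures per source IP and print "IP count" for each address at or above TRIG.
offending_ips() {
    failed_pairs |
    awk -F: -v trig="$TRIG" '{ hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= trig) print ip, hits[ip] }'
}

# Stand-alone run: the addresses BFD would pass on for blocking.
offending_ips
```

With the sample above only 192.0.2.10 reaches the trigger (four failures across both line wordings); 198.51.100.7 and 203.0.113.5 stay under it, and the successful "Accepted password" line is never counted.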
     
