The Community Forums


BFD just not working right...

Discussion in 'General Discussion' started by lamp, May 11, 2005.

  1. lamp

    lamp Well-Known Member

    Joined:
    Dec 22, 2003
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    I've installed the latest version of BFD on my system and it doesn't seem to be detecting attacks (that I've simulated).

    The only time it works is when I type bfd -s on the command line; doing so actually bans the IP from which I attempted to log in and sends an email.

    My problem is with the cron job. There is a cron job in /etc/cron.d/ called bfd and it contains the following information:

    SHELL=/bin/sh
    MAILTO=root

    */1 * * * * root /usr/local/sbin/bfd -q

    Notice that I put 1 minute so that I can test it more efficiently. Now, unfortunately, this doesn't work. I can try to log in ~35 times in 1 minute and I still don't get banned... even after waiting 5 minutes.

    I checked the /var/log/cron for any entries and the cron job seems to be running successfully.

    Any thoughts?

    Thanks.
     
  2. bornonline

    bornonline Well-Known Member

    Joined:
    Nov 19, 2004
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    I had this problem with the previous version, .7 I believe. After the latest release, it's working perfectly. Just a thought.

    Do you have the latest release?
     
  3. lamp

    lamp Well-Known Member

    Joined:
    Dec 22, 2003
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16

    Yup. I just downloaded it this morning.

    What release are you using?
     
  4. RickG

    RickG Well-Known Member

    Joined:
    Feb 28, 2005
    Messages:
    238
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    North Carolina
    You may want to take a look at the various rulesets that BFD uses for the different types of logs. They are found in /usr/local/bfd/rules. There are different files for apache, exim, sshd, etc.

    Within each ruleset you can tweak the TRIG (trigger) value, which defines how many occurrences of a particular string need to take place (since the last time the logs were looked at) before an entry is written to iptables. You should also verify it is configured to look in the correct log file (defined in the LP variable). I just installed it myself a few days ago (same version) and recall that the apache file was set to look in /var/log/httpd/error_log when it should have been pointed to /usr/local/apache/logs/error_log. It's working like a champ.

    If you need to, you can also tweak the "string values" that trigger a BF detection. Some of the rulesets have this information within them (look for the ARG_VAL lines). Some rulesets (like apache) point to /usr/local/bfd/pattern.auth.

    And lastly, have you tried restarting cron (/etc/init.d/crond restart) ?

    And one more ... Take a look at this thread http://forums.cpanel.net/showthread.php?t=35312&highlight=bfd+iptables

    I had to make both the change in /usr/local/bfd/conf.bfd file and /usr/local/bfd/bfd to get things to work correctly.

    Hope this is of some help -
     
    #4 RickG, May 11, 2005
    Last edited: May 11, 2005
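    As an added example of the per-ruleset counting RickG describes (this is not BFD's own code, which is a shell script, and the rule dict is only modelled on the LP/TRIG/ARG_VAL names quoted above; the sshd log lines are constructed here), the following scans a log from the point where the previous cron run stopped, counts failed logins per source address, and returns the addresses that reached the trigger. It also checks the rule's LP for the "wrong log file" mistake in the post.

```python
import os
import re
from collections import Counter

# Hypothetical rule, modelled only on the variable names quoted in the post
# (LP = log path, TRIG = hits per host before a ban, ARG_VAL = the pattern that
# marks a failed login).  Real BFD rule files are shell snippets sourced by the
# bfd script; this dict is an assumption, not their format.
SSHD_RULE = {
    "LP": "/var/log/secure",
    "TRIG": 15,
    "ARG_VAL": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
        r"from (\d{1,3}(?:\.\d{1,3}){3})"
    ),
}


def check_rule(rule):
    """Problems a misconfigured rule would have: wrong LP, useless TRIG."""
    problems = []
    if not os.path.isfile(rule["LP"]):
        problems.append(f"LP {rule['LP']} does not exist; point it at the real log")
    if rule["TRIG"] < 1:
        problems.append("TRIG must be at least 1")
    return problems


def scan_log(text, rule, offset=0):
    """Count ARG_VAL matches per source host in text[offset:].

    Returns (hosts_at_or_over_TRIG, new_offset).  Carrying the offset from one
    cron run to the next is what makes the count "since the last time the logs
    were looked at": without it every run re-reads the whole file.  Only whole
    lines are consumed; a partially written last line waits for the next run.
    """
    chunk = text[offset:]
    consumed = chunk.rfind("\n") + 1
    hits = Counter()
    for line in chunk[:consumed].splitlines():
        m = rule["ARG_VAL"].search(line)
        if m:
            hits[m.group(1)] += 1
    banned = sorted(host for host, n in hits.items() if n >= rule["TRIG"])
    return banned, offset + consumed


# Constructed sample log lines (not from the poster's server).
def _failed(host, user="root"):
    return (f"May 11 10:02:01 web1 sshd[2231]: Failed password for {user} "
            f"from {host} port 40022 ssh2\n")


SAMPLE_LOG = (
    "May 11 10:01:55 web1 sshd[2201]: Accepted password for lamp "
    "from 192.0.2.10 port 40001 ssh2\n"
    + _failed("203.0.113.7") * 16                       # crosses TRIG in one run
    + _failed("198.51.100.9", "invalid user admin") * 3
)
MORE_LINES = _failed("198.51.100.9", "invalid user admin") * 12   # next minute's traffic


if __name__ == "__main__":
    banned, offset = scan_log(SAMPLE_LOG, SSHD_RULE)
    print("run 1 bans:", banned)                                  # ['203.0.113.7']
    later = SAMPLE_LOG + MORE_LINES
    print("run 2 bans:", scan_log(later, SSHD_RULE, offset)[0])   # [] (12 new hits < 15)
    print("no offset:", scan_log(later, SSHD_RULE)[0])            # both hosts (15 and 16 total)
    print(check_rule({"LP": "/nonexistent/path/error_log", "TRIG": 15}))
```

    The second run shows why the offset matters for testing the way lamp did: 35 attempts spread across several one-minute runs only ban if enough of them land in one window, unless the tool carries its counts between runs, so when testing a trigger, fire all the attempts before the next cron tick.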
  5. michthien

    michthien Member

    Joined:
    Nov 17, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    BFD with SSL

    I had a similar problem. I'm using BFD without APF. I am using iptables, with BCMD="iptables -I INPUT -p tcp -s $ATT_HOST -j DROP" inserted. However, it is not working for some reason. I received an email saying that it executed that command, but when I did "iptables -L" it did not show that DROP entry.


    Any help will be appreciated.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I'd suggest asking on the support forums for the application since it isn't cPanel related.
     
  7. RickG

    RickG Well-Known Member

    Joined:
    Feb 28, 2005
    Messages:
    238
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    North Carolina
    Most of us have found we have to use the full path to iptables in the BCMD command. So just change this:

    BCMD="iptables -I ... <snip>

    to this

    BCMD="/sbin/iptables -I <snip>

    and you should be all set.

    As Jonathan suggested, there are some interesting threads on the rfxnetworks forums. I've been following this one in particular while trying to get BFD to write to /etc/hosts.deny (no one seems to have much luck). http://forums.rfxnetworks.com/viewtopic.php?t=491
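    An added example (not code from BFD or from anyone in the thread) of the two checks behind RickG's full-path advice and michthien's "the email says it ran but iptables -L shows nothing" report: first, whether BCMD's executable can be found under the minimal PATH cron jobs typically get (the PATH value is an assumption; check your crond), and second, whether a DROP for the attacking host is actually present, by parsing `iptables -S INPUT` output. The `$ATT_HOST` substitution and the sample rule listing are assumptions constructed here.

```python
import os
import shlex
import string

# PATH that cron typically gives jobs (assumption; your crond may differ).
# An interactive root shell usually also has /sbin and /usr/sbin, which is
# why running bfd -s by hand finds iptables while the cron run may not.
CRON_PATH = "/usr/bin:/bin"


def render_bcmd(template, att_host):
    """Fill in $ATT_HOST as the bfd script is assumed to do before running BCMD."""
    return string.Template(template).safe_substitute(ATT_HOST=att_host)


def check_bcmd(bcmd, path=CRON_PATH):
    """Return None if the command's executable is cron-safe, else a message.

    Absolute paths are always fine; a bare name must be found on `path`.
    """
    exe = shlex.split(bcmd)[0]
    if os.path.isabs(exe):
        return None
    for directory in path.split(":"):
        if os.access(os.path.join(directory, exe), os.X_OK):
            return None
    return f"{exe!r} not found on PATH={path}; use its full path in BCMD"


def verify_ban(iptables_s_output, att_host, chain="INPUT"):
    """True if `iptables -S <chain>` output holds a DROP rule for att_host.

    Handles the simple "-opt value" pairs a BFD rule produces; negations and
    bare flags are not parsed.  Use -S (or -L -n) rather than plain -L, which
    reverse-resolves addresses and can make the entry hard to recognise.
    """
    for line in iptables_s_output.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A" or argv[1] != chain:
            continue
        opts = dict(zip(argv[2::2], argv[3::2]))
        src = opts.get("-s", "").split("/")[0]
        if src == att_host and opts.get("-j") == "DROP":
            return True
    return False


# Constructed `iptables -S INPUT` output after a successful ban (not real output).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
"""

BAD_BCMD = "iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"
GOOD_BCMD = "/sbin/iptables -I INPUT -p tcp -s $ATT_HOST -j DROP"

if __name__ == "__main__":
    print(check_bcmd(BAD_BCMD, path="/nonexistent/bin"))    # complaint
    print(check_bcmd(GOOD_BCMD, path="/nonexistent/bin"))   # None
    print(render_bcmd(GOOD_BCMD, "203.0.113.7"))
    print(verify_ban(SAMPLE_RULES, "203.0.113.7"))           # True
    print(verify_ban(SAMPLE_RULES, "198.51.100.9"))          # False
```

    On a live box the same check is: run the rendered command with subprocess.run(shlex.split(cmd), check=True), then feed the stdout of /sbin/iptables -S INPUT to verify_ban. A "command executed" email from cron only proves the line was handed to the shell, not that the binary was found or the rule landed, so checking the chain afterwards is the test that matters.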
     