The Community Forums


BFD keeps blocking my IP

Discussion in 'General Discussion' started by webignition, Mar 17, 2005.

  1. webignition

    I'd appreciate some help in figuring out why BFD on the server I manage is blocking my IP. I know what events lead to it occurring, I just can't figure out why, since I don't reckon it should be happening - although my knowledge of BFD is basic to say the least!

    To begin with, I can't just add my IP to always be accepted as it is not fixed. And I'm using BFD 0.4 - I haven't upgraded to 0.6 yet.

    My IP is being blocked by BFD (ok, via BFD by APF) due to the actions performed by a PHP script I am developing. Let me explain the background of what I am doing.

    I have a development version of a site running from /home/userdev and a public live version of the site running from /home/user. Changes are applied to the development version and after being tested and deemed OK, the same changes are then applied to the public live version.

    Since phpsuexec is enabled, PHP is running as the relevant account's user, and so in order to get a script executing from /home/userdev to copy files to /home/user, the PHP script does the following:

    Code:
    	// $s_frompath and $s_topath hold the source and destination paths, set earlier in the script
    	$s_command = "sudo -u root cp -u --reply=yes $s_frompath $s_topath";
    	$s_result = shell_exec($s_command);
    This itself works fine both from PHP and from an SSH window.

    After copying a few files from /home/userdev to /home/user using a PHP script in the above fashion, I find that I cannot access the server. Disconnecting and reconnecting to the Internet to get a different IP, I can connect and also receive a brute force warning from BFD containing somewhere around 10 lines of the style:

    Code:
    [Thu Mar 17 11:18:29 2005] [error] [client (My IP)] user userdev not found: /sync/files.update.php
    which are obviously also present in /usr/local/apache/logs/error_log and occur in the logs just after the point when /home/userdev/sync/files.update.php executes.

    I assume that BFD is blocking due to the errors found in Apache's error log, so I suppose the real question would be why Apache is logging these errors.

    The way I imagine that things happen (which probably isn't the case otherwise Apache wouldn't log errors) is that:

    1. PHP is happily running as userdev
    2. Due to the above sudo command using shell_exec(), PHP switches to root to execute the cp command
    3. After shell_exec() has finished executing, PHP reverts back to running as userdev

    Any help would be appreciated so that I can stop BFD blocking my IP!
     
  2. webignition

    Would there be any problems if I . . .

    Taking a look a bit more into how BFD checks logs and what it looks for, I've come up with an idea of how to get round this problem, although I don't know if it's all that wise to do so.

    In /usr/local/bfd/pattern.auth is the following:

    Code:
    failed
    no such user found
    failed password
    authentication failure
    authentication failed
    not found
    and since Apache is logging the errors relevant to this issue as "user userdev not found", commenting out or removing the last line in /usr/local/bfd/pattern.auth would prevent these Apache errors from being considered by BFD.

    All brute force warnings that I receive relate to failed SSH logins and no brute force warnings to date (ignoring the ones I have managed to generate) have been due to "not found" being present in error logs.

    What problems might doing this present? From what I can see this would mean that BFD would not pick up on failed HTTP authentications which is something that I can live with for the time being.
     
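To see what the "not found" entry in pattern.auth actually does to the counts, here is an added example (not BFD's own code, and not from the original thread) that applies the posted pattern list as case-insensitive substring matches over constructed Apache-style error_log lines and tallies hits per client IP. The log lines, IPs and the trigger threshold are made up for the demonstration; exact Apache message wording differs between versions, and the `ignore` parameter is an illustrative alternative to deleting the pattern, not a BFD feature.

```python
import re
from collections import Counter

# Pattern list exactly as posted from /usr/local/bfd/pattern.auth (BFD 0.4).
PATTERNS_WIDE = ["failed", "no such user found", "failed password",
                 "authentication failure", "authentication failed", "not found"]
# The poster's proposal: the same list with the last line removed.
PATTERNS_NARROW = PATTERNS_WIDE[:-1]

# Constructed sample error_log lines (not from a real server). The first three mimic the
# "user X not found" entries from the thread; the rest are unrelated or other auth failures.
SAMPLE_LOG = """\
[Thu Mar 17 11:18:29 2005] [error] [client 192.0.2.10] user userdev not found: /sync/files.update.php
[Thu Mar 17 11:18:31 2005] [error] [client 192.0.2.10] user userdev not found: /sync/files.update.php
[Thu Mar 17 11:18:33 2005] [error] [client 192.0.2.10] user userdev not found: /sync/files.update.php
[Thu Mar 17 11:19:02 2005] [error] [client 198.51.100.7] user admin: authentication failure for "/admin/": Password Mismatch
[Thu Mar 17 11:19:05 2005] [error] [client 198.51.100.7] user admin: authentication failure for "/admin/": Password Mismatch
[Thu Mar 17 11:20:00 2005] [error] [client 203.0.113.5] File does not exist: /home/user/public_html/favicon.ico
"""

CLIENT_RE = re.compile(r"\[client ([0-9.]+)\]")


def count_auth_failures(log_text, patterns, ignore=()):
    """Return {client_ip: hits} for lines containing any pattern as a plain,
    case-insensitive substring, the way a grep-driven pattern file behaves.
    Lines containing any `ignore` substring are skipped (illustrative only)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # no client IP on the line, nothing to attribute it to
        low = line.lower()
        if any(skip in line for skip in ignore):
            continue  # known-benign message, e.g. the sync script's own path
        if any(p in low for p in patterns):
            hits[m.group(1)] += 1
    return dict(hits)


def would_block(log_text, patterns, trigger, ignore=()):
    """IPs whose hit count reaches the (constructed) trigger threshold."""
    counts = count_auth_failures(log_text, patterns, ignore)
    return sorted(ip for ip, n in counts.items() if n >= trigger)
```

With the full list the developer's own IP reaches the threshold on the "not found" lines alone; dropping the pattern stops that but also stops counting unknown-username HTTP auth attempts, whereas skipping only the known-benign script path keeps the pattern in force for everything else.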
  3. dalem

    just add your ip to allow hosts

    apf -a <ip>

    you will still get the notice but your ip is whitelisted so you can stop banning yourself
     
  4. webignition

    Thanks Dalem for the advice, however it's not that straightforward as I don't have a static IP (which I think I mentioned at the start of the post but perhaps not that clearly!)
     
  5. dalem

    you did, I just did not read it

    looks like all you need to do is create the user userdev
    unless I am missing something here?

    or run everything as root and chown it back to the correct user when done
     
  6. webignition

    Well userdev is only an example, not the actual username listed in the Apache error logs. However, let's assume that it is the correct username for the moment.

    To clarify the whole situation:

    userdev is a Cpanel account username whose home dir is /home/userdev and whose account's URL is http://dev.example.com
    userdev is also the username required for HTTP authentication when accessing http://dev.example.com
    syncdev is the username required for HTTP authentication when accessing http://dev.example.com/sync/ (not accessible to all those who can otherwise access http://dev.example.com)

    user is a Cpanel account username whose home dir is /home/user and whose URL is http://example.com

    /home/userdev holds a development copy of the site running from /home/user. When changes have been tested from http://dev.example.com (/home/userdev), the changed files are copied to http://example.com (/home/user).

    The PHP script that copies the files is at /home/userdev/sync/files.update.php. With phpsuexec enabled, this means that PHP is running as 'userdev', which makes it impossible, by default, to simply copy the relevant files from /home/userdev to /home/user, and so /home/userdev/sync/files.update.php has to sudo to root to cp the files.

    So the logical chain of events relevant to the error appearing in the Apache logs is:

    1. Visit http://dev.example.com/
    2. Login using HTTP authentication as userdev
    3. Visit http://dev.example.com/sync/
    4. Login using HTTP authentication as syncdev
    5. Visit http://dev.example.com/sync/files.compare.php and select files to update and send HTTP request to http://dev.example.com/sync/files.update.php
    6. http://dev.example.com/sync/files.update.php, running as userdev, sudo's to root and cp's files from /home/userdev to /home/user via PHP's shell_exec() function
    7. PHP script (http://dev.example.com/sync/files.update.php) finishes executing correctly
    8. Error pops into the Apache logs in the form regarding user userdev not being found
    9. Return to step 5 and continue without a problem
    Code:
    [Thu Mar 17 11:18:29 2005] [error] [client (My IP)] user userdev not found: /sync/files.update.php
    Things may be a little confusing as the Cpanel account username 'userdev' is also the same as the username required by HTTP authentication when accessing http://dev.example.com. I believe that the Apache logs must be referring to 'userdev' with regards to HTTP authentication - if I had to enter the username 'betterthanbob' in the pop-up login box when accessing http://dev.example.com, this would be the username referenced in the Apache logs.

    This Apache log error is the same as if HTTP authentication had failed i.e. if I had gone to http://dev.example.com, entered the username in the pop-up login box as 'userdev' but failed to enter the correct password enough times. But then if HTTP authentication somehow failed at step 8 above, I surely would not be able to continue with step 9 and so on.

    This seems rather odd to me!
     
  7. dalem

    Ok, I get it now. Had a similar problem when using FP EXTENSIONS: it would not accept the directory password using FP password protect, had to use good ol' .htaccess, but I do not think that will fix you up.

    I am not sure if this will work for you but it might; last post in thread for http authorization:

    http://forums.cpanel.net/showthread.php?t=13119
     
    #7 dalem, Mar 17, 2005
    Last edited: Mar 17, 2005