Re: BFD (Brute Force Detection) rules for Debian Lenny.
On Sat, 26 Sep 2009, Israel Garcia <igalvarez@gmail.com> writes:
> I've downloaded BFD (Brute Force Detection) from
> http://www.rfxn.com/?page_id=51 and installed on a debian lenny server
> and everything seems to be working fine, BFD is working with APF and there
> are a lot of scanning IPs blocked in /etc/apf/deny_hosts.rules file.
> BUT, there are a lot of failed authentication IP addresses that BFD does
> not see. I think it's a config problem in the sshd rule. This is the sshd BFD
> rule I'm using:
>
> REQ="/usr/sbin/sshd"
>
> if [ -f "$REQ" ]; then
> LP="$AUTH_LOG_PATH"
> TLOG_TF="sshd"
> TMP="/usr/local/bfd/tmp"
>
> ## SSHD
> ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' \
>   | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
>   | sed -n -e '/sshd/s/.*user \(.*\) from \([^ ]*\).*/\2:\1/p'`
> fi
>
> I've searched Google and I'm unable to find new BFD rules for Debian lenny.
> My question is:
>
> Does anybody have a new BFD sshd rule for Debian lenny?
Why not use something similar to the iptables rules below?
#!/bin/bash
#
# /etc/network/if-up.d/bfa-protection - Start iptables protection against
# brute-force attacks.
#
# Skip loopback interface.
[ "$IFACE" = "lo" ] && exit 0
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP
You can also introduce a "-j LOG" rule for persistence of the tracked
attacks.
Regards.
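A log-line extractor for the situation the question describes, added here as an example and not code from the thread, from BFD or from APF: it assumes the standard OpenSSH "Failed password for ..." syslog format and reads lines from stdin in place of BFD's $TLOG_PATH helper.

```shell
#!/bin/sh
# Added example, not from the thread: extract "ip:user" pairs from sshd
# log lines the way the quoted BFD rule does, but match both OpenSSH
# "Failed password" forms.  Only the "invalid user" form contains the
# word "user"; a failed login against an existing account reads
# "Failed password for root from 192.0.2.11 ...", which the quoted
# "s/.*user \(.*\) from ..." pattern never matches.
# Reads log lines from stdin (instead of BFD's $TLOG_PATH helper).

extract_failed_ssh() {
    sed -e 's/::ffff://' \
    | grep -E 'sshd\[[0-9]+\]: Failed password for ' \
    | sed -n -e 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from \([0-9.]*\) port .*/\3:\2/p'
}

# Report source addresses with at least $1 failed attempts, which is the
# kind of per-address threshold BFD applies before handing an IP to APF.
ips_over_threshold() {
    extract_failed_ssh | cut -d: -f1 | sort | uniq -c \
    | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample lines (not real log data): an invalid-user attempt,
# two attempts against root from the same host, one success that must be
# ignored, and one IPv4-mapped IPv6 source that needs the ::ffff: strip.
SAMPLE_LOG='Sep 26 10:00:01 lenny sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep 26 10:00:02 lenny sshd[1235]: Failed password for root from 192.0.2.11 port 40002 ssh2
Sep 26 10:00:03 lenny sshd[1236]: Accepted publickey for igalvarez from 198.51.100.5 port 40003 ssh2
Sep 26 10:00:04 lenny sshd[1237]: Failed password for root from ::ffff:192.0.2.12 port 40004 ssh2
Sep 26 10:00:05 lenny sshd[1238]: Failed password for root from 192.0.2.11 port 40005 ssh2'

# Show every failed attempt, then only the hosts that crossed a threshold of 2.
printf '%s\n' "$SAMPLE_LOG" | extract_failed_ssh
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 2
```

Pointing the pipeline at /var/log/auth.log instead of the sample shows which failed attempts the original "user ... from" pattern was skipping.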