R-fx Networks

BFD 1.4: Important Security Fix

May.08, 2010, under Development

Today I have put up a new release of BFD, version 1.4, that fixes an unsanitized variable being passed to the command line. This is a serious issue and should be treated as such: if you currently have BFD installed, I encourage you to update it immediately. The install.sh script in the BFD package retains all your options and tracking data, so the update process is painless.

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz

Change Log:
[Fix] properly sanitized vars passed to the command line
[Fix] ignore.hosts is now updated with system addresses on each bfd run
[Note] thanks to jpetersen@webhostsecurity.com for invaluable input and pointers

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar xvfz bfd-current.tar.gz
cd bfd-1.4/
./install.sh

Although several mitigating factors lessen the severity of the potential impact, this issue is nevertheless very serious and it is best to err on the side of caution. I need to extend a special thanks to Jeff Petersen of webhostsecurity.com for identifying this issue in a very professional fashion and offering technical input.
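The two fixes in the change log come down to one rule: text lifted out of a service log is attacker-influenced, so it must be validated before it is handed to the firewall command, and addresses listed in ignore.hosts must never be banned. The script below is an added illustration of that rule, not BFD's own code; the function names, the trigger threshold, the dry-run hook and the sample sshd lines are assumptions made for this example (the ban command shape, /etc/apf/apf -d ADDR {bfd.SERVICE}, is taken from the summary mail quoted further down the page).

```sh
#!/bin/sh
# Added example, not BFD's own code. BFD scans service logs, counts failed
# logins per source address and hands offenders to the firewall; the summary
# mail on this page shows the resulting command "/etc/apf/apf -d ADDR {bfd.sshd}".
# Anything lifted out of a log line is attacker-influenced text, so it is
# validated here before it becomes a command argument, and addresses found in
# the ignore list are never banned. Function names, the trigger threshold and
# the sample log lines are assumptions made for this illustration.

APF_BIN=${APF_BIN:-/etc/apf/apf}   # ban tool (path taken from the post's summary mail)
TRIGGER=${TRIGGER:-15}             # failures before an address is banned (assumed value)

# Strict dotted-quad check: exactly four decimal octets 0-255 and nothing else.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;   # empty, foreign characters, leading/trailing dot
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in
            ''|????*|0?*) return 1 ;;     # empty octet, four or more digits, leading zero
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Succeeds when ADDR appears as a whole line (literal match) in the ignore file.
is_ignored() {
    [ -r "$2" ] && grep -qxF -- "$1" "$2"
}

# Source address of every sshd "Failed password ... from ADDR port N" line on stdin.
failed_login_sources() {
    awk '/Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }'
}

# Ban one address, or refuse (non-zero) when it is malformed or on the ignore list.
# The address reaches the ban tool as a single argv element: no eval and no
# unquoted expansion, so text from a log line cannot turn into extra shell words.
ban_address() {
    addr=$1; ignore=$2; svc=$3
    is_ipv4 "$addr" || { echo "refusing malformed address: $addr" >&2; return 1; }
    is_ignored "$addr" "$ignore" && { echo "skipping ignored address: $addr" >&2; return 2; }
    "$APF_BIN" -d "$addr" "{bfd.$svc}"
}

# Count failures per source on stdin and ban every address at or above TRIGGER.
process_log() {
    ignore=$1; svc=$2
    failed_login_sources | sort | uniq -c | while read -r count addr; do
        [ "$count" -ge "$TRIGGER" ] || continue
        ban_address "$addr" "$ignore" "$svc" || :   # refusals are reported, not fatal
    done
}

# Constructed sample log: 198.51.100.7 fails three times, 192.0.2.5 once, and
# 203.0.113.1 three times but is listed in the (constructed) ignore file.
SAMPLE_LOG='May  8 10:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2
May  8 10:00:02 host sshd[102]: Failed password for root from 198.51.100.7 port 40002 ssh2
May  8 10:00:03 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
May  8 10:00:04 host sshd[104]: Failed password for root from 192.0.2.5 port 40004 ssh2
May  8 10:00:05 host sshd[105]: Accepted publickey for ops from 203.0.113.1 port 40005 ssh2
May  8 10:00:06 host sshd[106]: Failed password for root from 203.0.113.1 port 40006 ssh2
May  8 10:00:07 host sshd[107]: Failed password for root from 203.0.113.1 port 40007 ssh2
May  8 10:00:08 host sshd[108]: Failed password for root from 203.0.113.1 port 40008 ssh2'

# Dry-run stand-in for the ban tool: prints the argv it would have received.
fake_apf() { printf 'would run: apf %s\n' "$*"; }

demo() {
    ignore_file=${TMPDIR:-/tmp}/bfd_example_ignore.$$
    printf '127.0.0.1\n203.0.113.1\n' > "$ignore_file"   # constructed ignore.hosts
    APF_BIN=fake_apf
    TRIGGER=3
    printf '%s\n' "$SAMPLE_LOG" | process_log "$ignore_file" sshd
    rm -f "$ignore_file"
}

demo
```

Running the script prints "would run: apf -d 198.51.100.7 {bfd.sshd}" and a skip notice on stderr for 203.0.113.1; 192.0.2.5 stays below the threshold. The point of is_ipv4 is that only a value passing a whitelist-style check ever reaches the firewall command, and even then as one quoted argument.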


5 Comments for this entry

  • MST

    The Latest Commands with v1.5

    wget http://www.rfxn.com/downloads/bfd-current.tar.gz
    tar xvzf bfd-current.tar.gz
    cd bfd-1.5/
    ./install.sh

  • John Faubion

    Please keep in mind that if you have any custom rules such as for watching Asterisk, Dovecot or others, these will be blown out with this update even though the rules are compatible. Just want you to know so that you can copy them back from the backup directory when done.

    Also, I wasn’t happy with my log files filling up with “processing rule file xxxxxxxxx” entries. I commented out line 112, which is an eout statement. You could also change this to an echo and still have them sent to the display when you run it, without having to see them in the logs.

  • Ohmster

    This whole “bfd” thing is such a great idea, why hasn’t someone or some huge corporation produced something like this before? As a small Linux server owner, my logs are choked with unauthorized attempts to gain access through ssh, apache, ftp, telnet (If I were stupid enough to enable it.), and any other way in to my system.

    When I got lazy and did not update from Redhat 9 after it went EOL (I had so many customizations and setups on it that only a clean install would work right, because the changes to the libraries, etc., were huge.), I left RH9 running for years after EOL. Of course script kiddies got in through some sort of apache hack and next thing I know, my machine has a CPU load of like 99% constantly. I could not figure out why my machine was so slow until I ran top and saw certain processes running wild. I was getting not so nice email asking why I was emailing these people viruses, and then I knew. I asked for help in the Usenet security group and was TOLD to unplug from the Internet IMMEDIATELY! I had servers running and needed this machine online. I did not want to listen but in the end, they were right. The machine was hopelessly rooted and compromised; I had to start over with a current distro. I learned my lesson and am now running Fedora 13, soon to go 14, and do not get lazy like that anymore.

    But if there were something, system wide, that could monitor failed login attempts, and then ban the IP after so many failed attempts, it would be worth its weight in gold! No matter what, ftp, ssh, apache, email, who cares, anyone who tries to login 6 times in a row and fails should be banned, period. I used to examine the logs and then ban the IP myself, but that was like locking the barn door after the horses have gone. I need an IP blocker that is instant and I need it NOW. I found out about bfd from googling various Linux forums and immediately installed it on my Fedora 13 system. I get daily mail about it kicking in to ban IP addresses after way too many login attempts; here is an example:

    The following is a summary event for exceeded login failures on paulspcworks.com:
    ———————————————————————
    SOURCE ADDRESS: 200.21.232.166
    TARGET SERVICE: sshd
    FAILED LOGINS: 28
    EXECUTED COMMAND: /etc/apf/apf -d 200.21.232.166 {bfd.sshd}

    SOURCE LOGS FROM SERVICE ‘sshd’ (GMT -0500):
    ———————————————————————
    I do not want that many attempts per IP allowed before banning the IP and I would like to know where the banned IP list is so that I can view it and remove anything that should not be there. I also want to know if these bans ever “expire” and if so, how to adjust this. The docs that come with bfd are not good enough and I wish there were more detailed information. Online documentation would be fine, I do not mind writing (As you can see from this long reply.) and would be happy to help with the documentation if you could use the help. Just contact me and I will be glad to help.

    A webmin module for bfd would be *awesome*, could you please, please make a module for webmin for bfd or could someone, anyone, with the skills to do so produce such a module and make a decent one? I used to use vsftpd as my ftp server and was so thrilled when someone one day wrote a webmin module for it. I installed it immediately but it sucked! There were like 2-5 things you could do with it, hardly anything really, no logging or monitoring, I was so disappointed. A feature rich bfd webmin module would be such a killer Christmas present, oh please Santa, bring me one!

    I am not rich. I can barely pay my bills. But I love bfd so much, even if it is not as good as I think it is, just the idea is so great, that I will make a small donation. I feel duty bound to do so.

    The information in the current README of bfd is out of date, this part does not work and should be updated or changed:
    ———————————————————————
    The offical home page for BFD is located at:
    http://www.rfxnetworks.com/bfd.php

    (The word “official” is misspelled, by the way.)
    ———————————————————————
    That is a 404 error. Page not found or does not exist. I will try the forum next. Great, no server at all.
    ———————————————————————
    Server not found
    Firefox can’t find the server at forums.rfxnetworks.com.
    ———————————————————————
    Okay, I am done, going to play with it. I *LOVE* bfd! Someone please answer my questions. I will make the donation. Get some docs or a forum up somewhere, please?

    Thank you.
    Ohmster

  • Ryan M.

    Whoops, sure – done and thanks!


    init6:

    I know it’s a small thing, but can you change the post so it shows the following

    wget http://www.rfxn.com/downloads/bfd-current.tar.gz
    tar xvzf bfd-current.tar.gz
    cd bfd-1.4/
    ./install.sh

    thanks

  • init6

    I know it’s a small thing, but can you change the post so it shows the following

    wget http://www.rfxn.com/downloads/bfd-current.tar.gz
    tar xvzf bfd-current.tar.gz
    cd bfd-1.4/
    ./install.sh

    thanks
