Comments on: Brute Force Detection http://www.rfxn.com  Linux Software & Blog Thu, 26 Jan 2012 07:01:13 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ryan M. http://www.rfxn.com/projects/brute-force-detection/#comment-21972 Ryan M. Mon, 09 Jan 2012 10:32:24 +0000 http://www.rfxn.com/?page_id=51#comment-21972 Use the absolute path to the command in the BAN_COMMAND value, such as /sbin/ip instead of just ip. Use the absolute path to the command in the BAN_COMMAND value, such as /sbin/ip instead of just ip.

]]> By: Ryan M. http://www.rfxn.com/projects/brute-force-detection/#comment-21971 Ryan M. Mon, 09 Jan 2012 10:30:32 +0000 http://www.rfxn.com/?page_id=51#comment-21971 Thank you for your contribution, added to 1.5 release that is now live, credit included in CHANGELOG. I removed the escape on the -F '\[' as it was being treated as just '[' anyways and awk would throw a warning about it under RHEL awk versions. Thank you for your contribution, added to 1.5 release that is now live, credit included in CHANGELOG. I removed the escape on the -F ‘\[‘ as it was being treated as just ‘[‘ anyways and awk would throw a warning about it under RHEL awk versions.

]]> By: BFD Rules for Asterisk | Sean Siegel http://www.rfxn.com/projects/brute-force-detection/#comment-21438 BFD Rules for Asterisk | Sean Siegel Tue, 03 Jan 2012 08:02:46 +0000 http://www.rfxn.com/?page_id=51#comment-21438 [...] a regular user of APF and BFD by RF Networks, I decided to make my own BFD scripts. I did find some very similar scripts on the [...] [...] a regular user of APF and BFD by RF Networks, I decided to make my own BFD scripts. I did find some very similar scripts on the [...]

]]> By: Salvatore LaMendola http://www.rfxn.com/projects/brute-force-detection/#comment-20993 Salvatore LaMendola Thu, 29 Dec 2011 09:04:03 +0000 http://www.rfxn.com/?page_id=51#comment-20993 Found an error in 'postfix' that would cause invalid addresses when the hostname had numbers (kept the numbers and dots so it usually looked something like 207..123.45.67.89. Here is the new and improved postfix script, which works with numbered hostnames: -- BEGIN /usr/local/bfd/rules/postfix -- # failed logins from a single address before ban # uncomment to override conf.bfd trig value #TRIG="50" # file must exist for rule to be active REQ="/usr/sbin/postfix" if [ -f "$REQ" ]; then LP="/var/log/mail.log" TLOG_TF="postfix" ## Postfix dictionary attacks ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE "SASL LOGIN authentication failed:|SASL PLAIN authentication failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '\[' '{ print $3 }' | tr -d '[a-z][A-Z]\[\]\:'` fi -- END -- Tested on Debian (sid)'s postfix, and a few others. Found an error in ‘postfix’ that would cause invalid addresses when the hostname had numbers (kept the numbers and dots so it usually looked something like 207..123.45.67.89. Here is the new and improved postfix script, which works with numbered hostnames:

– BEGIN /usr/local/bfd/rules/postfix –

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG=”50″

# file must exist for rule to be active
REQ=”/usr/sbin/postfix”

if [ -f "$REQ" ]; then
LP=”/var/log/mail.log”
TLOG_TF=”postfix”

## Postfix dictionary attacks
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE “SASL LOGIN authentication failed:|SASL PLAIN authentication failed:” | grep -E ‘[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+’ | awk -F ‘\[' '{ print $3 }' | tr -d '[a-z][A-Z]\[\]\:’`
fi

– END –

Tested on Debian (sid)’s postfix, and a few others.

]]> By: Top 20 OpenSSH Server Best Security Practices | ByPat博客专注于Linux资源分享! http://www.rfxn.com/projects/brute-force-detection/#comment-20248 Top 20 OpenSSH Server Best Security Practices | ByPat博客专注于Linux资源分享! Tue, 20 Dec 2011 03:42:45 +0000 http://www.rfxn.com/?page_id=51#comment-20248 [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...] [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...]

]]> By: Top 20 OpenSSH Server Best Security Practices - Linux tutorials http://www.rfxn.com/projects/brute-force-detection/#comment-18972 Top 20 OpenSSH Server Best Security Practices - Linux tutorials Sun, 27 Nov 2011 10:42:19 +0000 http://www.rfxn.com/?page_id=51#comment-18972 [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...] [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...]

]]> By: Brute Force Detection | R-fx Networks | MKfmn | Matthew M. Kaufman http://www.rfxn.com/projects/brute-force-detection/#comment-18345 Brute Force Detection | R-fx Networks | MKfmn | Matthew M. Kaufman Sat, 19 Nov 2011 11:27:08 +0000 http://www.rfxn.com/?page_id=51#comment-18345 [...] Brute Force Detection | R-fx Networks. [...] [...] Brute Force Detection | R-fx Networks. [...]

]]> By: Les best practices OpenSSH http://www.rfxn.com/projects/brute-force-detection/#comment-18250 Les best practices OpenSSH Fri, 18 Nov 2011 15:05:52 +0000 http://www.rfxn.com/?page_id=51#comment-18250 [...] Brute Force detection [...] [...] Brute Force detection [...]

]]> By: Securing cPanel After Install « Recon Hosting Docs http://www.rfxn.com/projects/brute-force-detection/#comment-17797 Securing cPanel After Install « Recon Hosting Docs Sun, 13 Nov 2011 04:07:42 +0000 http://www.rfxn.com/?page_id=51#comment-17797 [...] and bruteforce detection mechanism such as the free firewall [CSF]. Other options include [APF]+[BFD], or custom iptables [...] [...] and bruteforce detection mechanism such as the free firewall [CSF]. Other options include [APF]+[BFD], or custom iptables [...]

]]> By: Jez http://www.rfxn.com/projects/brute-force-detection/#comment-17031 Jez Mon, 07 Nov 2011 13:09:27 +0000 http://www.rfxn.com/?page_id=51#comment-17031 Hi, I'm very happy with your AFP and BFD tools, but I have a question about configuring BFD: by default, conf.bfd has: BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}" This adds the hostname of the the attacker to the ban list, but is there a way to add their IP address instead? Hi,

I’m very happy with your AFP and BFD tools, but I have a question about configuring BFD: by default, conf.bfd has:

BAN_COMMAND=”/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}”

This adds the hostname of the the attacker to the ban list, but is there a way to add their IP address instead?

]]> By: zwerfkat http://www.rfxn.com/projects/brute-force-detection/#comment-16804 zwerfkat Fri, 04 Nov 2011 08:21:13 +0000 http://www.rfxn.com/?page_id=51#comment-16804 Found a small bug in BFD 1.4. Somewhere at line 153 is listed: if [ "$ATTACK_COUNT" -gt "$TRIG" ] || [ "$ATTACK_COUNT" -eq "$TRIG" ] && [ "$HOST_IGNORE" == "0" ]; then However, when $HOST_IGNORE is null, $ATTACK_COUNT is not defined at all. This will result into a script error: [: : integer expression expected Defining ATTACK_COUNT somewhere at the start of the script will fix this: ATTACK_COUNT=0 Not sure how the working of BFD is affected by this error... Found a small bug in BFD 1.4. Somewhere at line 153 is listed:

if [ "$ATTACK_COUNT" -gt "$TRIG" ] || [ "$ATTACK_COUNT" -eq "$TRIG" ] && [ "$HOST_IGNORE" == "0" ]; then

However, when $HOST_IGNORE is null, $ATTACK_COUNT is not defined at all. This will result into a script error:

[: : integer expression expected

Defining ATTACK_COUNT somewhere at the start of the script will fix this:
ATTACK_COUNT=0

Not sure how the working of BFD is affected by this error…

]]> By: Basic / Advance security tips for SSH – Mayur's Blog http://www.rfxn.com/projects/brute-force-detection/#comment-14745 Basic / Advance security tips for SSH – Mayur's Blog Sat, 15 Oct 2011 13:01:57 +0000 http://www.rfxn.com/?page_id=51#comment-14745 [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...] [...] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. [...]

]]> By: Brute Force EVO 2 – a users review http://www.rfxn.com/projects/brute-force-detection/#comment-14562 Brute Force EVO 2 – a users review Wed, 12 Oct 2011 04:06:21 +0000 http://www.rfxn.com/?page_id=51#comment-14562 [...] Small Business Debt Relief Strategies How To Negotiate And Get Rid Of DebtMyBrute Brute Force!Brute Force Detection .posts-default li { width: 205px; height: 225px; } .posts-default img, .posts-default [...] [...] Small Business Debt Relief Strategies How To Negotiate And Get Rid Of DebtMyBrute Brute Force!Brute Force Detection .posts-default li { width: 205px; height: 225px; } .posts-default img, .posts-default [...]

]]> By: 5 Security Tips That Could Save Your Server http://www.rfxn.com/projects/brute-force-detection/#comment-14013 5 Security Tips That Could Save Your Server Thu, 06 Oct 2011 04:01:53 +0000 http://www.rfxn.com/?page_id=51#comment-14013 [...] detection software, such as Brute Force Detection, can alert you whenever someone attempts to sneak into your fortress. Many of these solutions will [...] [...] detection software, such as Brute Force Detection, can alert you whenever someone attempts to sneak into your fortress. Many of these solutions will [...]

]]> By: zwerfkat http://www.rfxn.com/projects/brute-force-detection/#comment-13331 zwerfkat Wed, 28 Sep 2011 19:31:33 +0000 http://www.rfxn.com/?page_id=51#comment-13331 <blockquote> <a href="#comment-9589" rel="nofollow"> <strong><em>Roland:</em></strong> </a> great script, however i’m getting 1000′s of these in my exim logs and it doesn’t ban them: 2011-06-28 05:47:38 login authenticator failed for (ylmf-pc) [113.65.143.13]: 535 Incorrect authentication data (set_id=web) does anyone have a rule for exim that will ban these as well? thanks in advance roland </blockquote> I am using the following rule for this: # failed logins from a single address before ban # uncomment to override conf.bfd trig value TRIG="50" # file must exist for rule to be active REQ="/usr/sbin/exim" if [ -f "$REQ" ]; then LP="/var/log/exim/mainlog" TLOG_TF="exim1" ## EXIM attacks ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -E "login authenticator failed for" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr -d '[]' | sed -n -e 's/.*login authenticator failed for \([^ ]*\) .* \([\.0-9]*\): 535 Incorrect authentication data.*/\2:\1/p'` fi


Roland:

great script, however i’m getting 1000′s of these in my exim logs and it doesn’t ban them:
2011-06-28 05:47:38 login authenticator failed for (ylmf-pc) [113.65.143.13]: 535 Incorrect authentication data (set_id=web)
does anyone have a rule for exim that will ban these as well?
thanks in advance
roland

I am using the following rule for this:

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG=”50″

# file must exist for rule to be active
REQ=”/usr/sbin/exim”

if [ -f "$REQ" ]; then
LP=”/var/log/exim/mainlog”
TLOG_TF=”exim1″

## EXIM attacks
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -E “login authenticator failed for” | grep -E ‘[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+’ | tr -d ‘[]‘ | sed -n -e ‘s/.*login authenticator failed for \([^ ]*\) .* \([\.0-9]*\): 535 Incorrect authentication data.*/\2:\1/p’`
fi

]]>