Brute Force Detection

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz
http://www.rfxn.com/appdocs/README.bfd
http://www.rfxn.com/appdocs/CHANGELOG.bfd

Description
BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system in which application-specific options are stored, including regular expressions for each unique auth format. The regular expressions are applied to the logs using the 'sed' tool (stream editor), which gives excellent performance in all environments. In addition to the benefit of parsing logs in a single stream with sed, BFD also uses a log tracking system so that logs are only parsed from the point at which they were last read. This extends BFD's performance even further, as it is not constantly re-reading the same log data. The log tracking system is compatible with syslog/logrotate-style log rotations: it detects when a rotation has happened and grabs the log tails from both the new log file and the rotated log file.

You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables, ip route, or any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for everyday use as-is, or you can open it up and modify it. Attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, which is ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked, including which rule triggered the block.

In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cron job can be run more frequently for those who desire it, down to once a minute, and doing so will not cause any performance issues. Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms.
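As an added example (not code from the BFD project), the following POSIX shell sketch shows the log-tracking idea from the description on constructed sshd lines: a state file holding the log's inode and last-read byte offset so only new lines are parsed, rotation detection that drains the rotated file's tail before reading the new file from byte 0, a single sed pass that extracts source addresses, and a threshold check. The paths, threshold value and log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not BFD's own code: a small sketch of the log-tracking approach
# the description outlines. A state file records the log's inode and the byte
# offset last read, so each run parses only new lines; an inode change or a
# shrinking file signals a syslog/logrotate-style rotation, in which case the
# tail of the rotated file is drained before the new file is read from byte 0.
# All paths, names and log lines below are constructed for this example.

WORK=$(mktemp -d)
LOG="$WORK/secure"           # stands in for /var/log/secure
STATE="$WORK/secure.track"   # tracking file, format: "<inode> <offset>"
THRESH=2                     # hypothetical failure count that triggers a block

# sed expression for the sshd failure format quoted in the thread; prints the
# source IP with any ::ffff: IPv4-mapped prefix stripped.
SSHD_RE='s/^.*Failed password for .* from \(::ffff:\)\{0,1\}\([0-9.]*\) port .*$/\2/p'

# Constructed sample log (two failures from one address, one success, one more failure).
cat >"$LOG" <<'EOF'
Jul 1 07:54:47 server sshd[13794]: Failed password for root from ::ffff:89.122.36.158 port 57538 ssh2
Jul 1 07:54:47 server sshd[13795]: Failed password for root from ::ffff:89.122.36.158 port 57545 ssh2
Jul 1 07:55:01 server sshd[13796]: Accepted password for alice from 10.0.0.5 port 50000 ssh2
Jul 1 07:55:10 server sshd[13797]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
EOF

# Print only the log bytes not seen by the previous run, then update the state.
new_lines() {
    size=$(wc -c <"$LOG" | tr -d ' ')
    inode=$(ls -i "$LOG" | awk '{print $1}')
    if [ -f "$STATE" ]; then read -r old_inode offset <"$STATE"; else old_inode=$inode; offset=0; fi
    if [ "$old_inode" != "$inode" ] || [ "$offset" -gt "$size" ]; then
        # Rotation detected: finish the old file (logrotate renames it to .1), restart at 0.
        if [ -f "$LOG.1" ]; then tail -c +"$((offset + 1))" "$LOG.1"; fi
        offset=0
    fi
    tail -c +"$((offset + 1))" "$LOG"
    printf '%s %s\n' "$inode" "$size" >"$STATE"
}

# One sed pass over stdin extracts the offending IPs; uniq -c then tallies them
# into "<ip> <count>" lines.
extract_ips() { sed -n "$SSHD_RE"; }
tally() { sort | uniq -c | awk '{print $2, $1}'; }

# Emit IPs at or above THRESH; a real deployment would hand these to
# apf -d / iptables instead of printing them.
over_threshold() { awk -v t="$THRESH" '$2 >= t {print $1}'; }

# Stand-alone run: the first scan tallies all four lines and flags the repeat offender.
FIRST_SCAN=$(new_lines | extract_ips | tally)
printf '%s\n' "$FIRST_SCAN" | over_threshold
```

Running it a second time prints nothing, because the state file now points past the end of the sample log; renaming the log to `secure.1` and starting a fresh one triggers the rotation branch.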

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional small donation to help ensure the future of our public projects.

100 Replies to “Brute Force Detection”

  1. Hi Ryan..

    The cron doesn't work on Ubuntu. The problem is with the mail line; it should read MAILTO="". Or maybe it would be better to add >/dev/null 2>&1 at the end of the command?

  2. Hello,

    Can you help me, please?

    What would the command be to deny a range of IPs?
    For example 92.38.128.0 to 92.38.255.255

    Thanks

  3. So, running APF + BFD at the same time is overkill, right?

    I’m actually doing this at the moment, and it seems redundant.

    APF sends me:
    The following is a summary event for exceeded login failures on server.spanet.net:

    SOURCE ADDRESS: 89.122.36.158
    TARGET SERVICE: sshd
    FAILED LOGINS: 95
    EXECUTED COMMAND: /etc/apf/apf -d 89.122.36.158 {bfd.sshd}

    SOURCE LOGS FROM SERVICE 'sshd' (GMT -0400):

    Jul 1 07:54:47 server sshd[13794]: Failed password for root from ::ffff:89.122.36.158 port 57538 ssh2
    Jul 1 07:54:47 server sshd[13795]: Failed password for root from ::ffff:89.122.36.158 port 57545 ssh2

    BFD sends me (enabled through WHM/cPanel):
    5 failed login attempts to account root (system) — Large number of attempts from this IP: 89.122.36.158

    I have been using your APF server saver for years (installed via ssh). Only recently I decided to enable BFD also (from WHM).

    Your thoughts on this would be helpful.
    Thank you for your time and dedication to server security!

    1. The alerts you think are from APF are actually from BFD. APF is a firewall facility; BFD detects brute force attacks and hands them off to APF for filtering. The BFD features in WHM are independent of the rfxn.com BFD project you have installed. WHM BFD overlaps with rfxn.com BFD in some areas, but in general rfxn.com BFD covers more services for you and as such blankets the server with better protection. So there should be no real performance impact from leaving both rfxn.com BFD and WHM BFD enabled. Do not uninstall APF, as it is not in any way performing brute force detection; it is simply the firewall facility that allows or denies traffic to the server based on its configuration.

      For more details on each of the respective projects please refer to their project pages:
      http://www.rfxn.com/projects/advanced-policy-firewall/
      http://www.rfxn.com/projects/brute-force-detection/

  4. Darin:

    If an IP has been banned, which log will the banned IP be in?

    And if I do a container reboot, will this program still be in effect?

    1. BFD runs as a cronjob, so after reboots it will still execute normally. You should see bans in /var/log/bfd_log assuming things are running properly. You can run bfd -s and see if it is running without errors.
