Brute Force Detection

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz
http://www.rfxn.com/appdocs/README.bfd
http://www.rfxn.com/appdocs/CHANGELOG.bfd

Description
BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored including regular expressions for each unique auth format. The regular expressions are parsed against logs using the ‘sed’ tool (stream editor) which allows for excellent performance in all environments. In addition to the benefits of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point which they were last read. This greatly assists in extending the performance of BFD even further as we are not constantly reading the same log data. The log tracking system is compatible with syslog/logrotate style log rotations which allows it to detect when rotations have happened and grab log tails from both the new log file and the rotated log file.

You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables, ip route or execute any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for everyday use or you can open it up and modify it. The attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked including which rule the block was triggered by.

In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cron job can be run more frequently for those who desire it, and doing so will not cause any performance issues (but with an interval of no less than one minute). Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms.
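The log tracking and trigger approach described above, as an added shell illustration written for this page (it is not BFD's own code): a "read only what is new" tail that copes with a syslog/logrotate-style rotation, and a single sed stream that counts failures per host and reports those reaching a trigger value. The sshd log format, file paths and trigger value are constructed for the demo.

```shell
#!/bin/sh
# Added illustration of the approach described above; it is not BFD's own
# code. Two parts: a "read only what is new" log tail that survives a
# syslog/logrotate-style rotation, and a sed-based failure count that
# reports hosts reaching a trigger value. The log format, paths and the
# trigger value are constructed for this demo.

# Print the lines of log $1 appended since the last call, keeping the byte
# offset in tracking file $2. If the log is now smaller than the saved
# offset it was rotated: finish the rotated copy ($1.1) from the old
# offset, then read the new file from the start. (Comparing sizes is a
# simplification; comparing inodes is the more robust rotation check.)
tail_since_last() {
    log="$1"; track="$2"; last=0
    [ -f "$track" ] && last=$(cat "$track")
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$last" ]; then
        [ -f "$log.1" ] && tail -c +$((last + 1)) "$log.1"
        last=0
    fi
    tail -c +$((last + 1)) "$log"
    echo "$size" > "$track"
}

# Read sshd-style lines on stdin, extract the source address of each failed
# password in a single sed stream (as a BFD rule does), and print every
# host that reached $1 failures in this batch.
hosts_over_trig() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' \
        | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo: two failures from 192.0.2.10 trip TRIG=2; the ban command is
# replaced by an echo of what would run.
demo() {
    d=$(mktemp -d); log="$d/auth.log"; trk="$d/auth.track"
    printf '%s\n' \
        'Jan 1 10:00:01 host sshd[1]: Failed password for root from 192.0.2.10 port 40000 ssh2' \
        'Jan 1 10:00:02 host sshd[1]: Failed password for admin from 192.0.2.10 port 40001 ssh2' \
        'Jan 1 10:00:03 host sshd[1]: Failed password for root from 198.51.100.7 port 40002 ssh2' \
        > "$log"
    tail_since_last "$log" "$trk" | hosts_over_trig 2 \
        | while read -r host; do echo "would run: ip route add blackhole $host"; done
    rm -rf "$d"
}
```

Call `demo` to run it; the second pass over an unchanged log yields nothing, because only the bytes past the saved offset are read.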

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional small donation to help ensure the future of our public projects.

100 Replies to “Brute Force Detection”

  1. Hello,

    Thank you for this great project.
    I use it, but I find that the system detects the attack but it doesn't really apply the ban command when it is run by the cron job; when I run bfd -q or bfd -s it works and applies the command. By the way, I changed the ban command to blackhole the IP: BAN_COMMAND="ip route add blackhole $ATTACK_HOST"
    Also there is a problem in the system that if the IP is in the ban.list file the system ignores any attack from the IP; this happens when the system detects the IP but the command wasn't applied.

    Also I see that the IPs in the ban.list file are removed after some time; how is this configured and what's the default time?

    Thanks


    1. Biruny:

      Hello,

      Any update about these comments?
      Does anyone know the problems?

  2. I have made a few scripts for some very specific services. You shouldn't have to be using Debian, but they are confirmed working in Debian with all the latest packages. For SASL-based authentication failures in Postfix, try the following:

    — BEGIN /usr/local/bfd/rules/postfix —

    # failed logins from a single address before ban
    # uncomment to override conf.bfd trig value
    #TRIG="50"

    # file must exist for rule to be active
    REQ="/usr/sbin/postfix"

    if [ -f "$REQ" ]; then
        LP="/var/log/mail.log"
        TLOG_TF="postfix"

        ## Postfix dictionary attacks
        ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE "SASL LOGIN authentication failed:|SASL PLAIN authentication failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | cut -d ' ' -f 7 | tr -d '[a-z][A-Z]\[\]\:'`
    fi

    — END —

    Also, if you have your postfix daemon properly configured to block invalid HELO tries, the user actually won’t even make it as far as authentication when faking HELOs, but you will get lots of annoying log entries about it. Here’s a script called postfix2 to also block many failed HELO attempts:

    — BEGIN /usr/local/bfd/rules/postfix2 —

    # failed logins from a single address before ban
    # uncomment to override conf.bfd trig value
    #TRIG="50"

    # file must exist for rule to be active
    REQ="/usr/sbin/postfix"

    if [ -f "$REQ" ]; then
        LP="/var/log/mail.log"
        TLOG_TF="postfix2"

        ## Postfix failed HELOs
        ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE "lost connection after RCPT from" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '[' '{ print $3 }' | tr -d '[]'`
    fi

    — END —

    Finally, for vsftpd failures, try this script that I borrowed from someone else and modified slightly:

    — BEGIN /usr/local/bfd/rules/vsftpd —

    # file must exist for rule to be active
    REQ="/usr/sbin/vsftpd"
    if [ -f "$REQ" ]; then
        LP="/var/log/vsftpd.log"
        TLOG_TF="vsftpd"
        TRIG="6"

        ## VSFTPD
        ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN:' | tr '[]' ' ' | tr -d '()' | awk '{print $12" "$8}' | tr -d ':' | tr -d '"' | awk '{print $1":"$2}' | grep -E '[0-9]+'`
    fi

    — END —

    Hope those help someone.

    1. Found an error in 'postfix' that would cause invalid addresses when the hostname had numbers (it kept the numbers and dots, so it usually looked something like 207..123.45.67.89). Here is the new and improved postfix script, which works with numbered hostnames:

      — BEGIN /usr/local/bfd/rules/postfix —

      # failed logins from a single address before ban
      # uncomment to override conf.bfd trig value
      #TRIG="50"

      # file must exist for rule to be active
      REQ="/usr/sbin/postfix"

      if [ -f "$REQ" ]; then
          LP="/var/log/mail.log"
          TLOG_TF="postfix"

          ## Postfix dictionary attacks
          ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE "SASL LOGIN authentication failed:|SASL PLAIN authentication failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '\[' '{ print $3 }' | tr -d '[a-z][A-Z]\[\]\:'`
      fi

      — END —

      Tested on Debian (sid)’s postfix, and a few others.

      1. Thank you for your contribution, added to the 1.5 release that is now live, credit included in the CHANGELOG. I removed the escape on the -F '\[' as it was being treated as just '[' anyways and awk would throw a warning about it under RHEL awk versions.

  3. Hi Remco,

    This works for me for Dovecot; you can give it a try:

    # file must exist for rule to be active
    REQ="/usr/sbin/dovecot"
    if [ -f "$REQ" ]; then
        LP="/var/log/maillog"
        TLOG_TF="pop3"
        TRIG="8"

        ## pop3
        ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep dovecot | grep -w "failed" | grep auth | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
    fi

  4. Great script, however I'm getting 1000s of these in my exim logs and it doesn't ban them:
    2011-06-28 05:47:38 login authenticator failed for (ylmf-pc) [113.65.143.13]: 535 Incorrect authentication data (set_id=web)

    Does anyone have a rule for exim that will ban these as well?

    Thanks in advance,

    roland

  5. Hi Ryan,

    I’m wondering if it would be possible to use bfd with the uw-imap daemon. My server uses this as part of the Parallels Pro (formerly Ensim) control panel and we’re getting bombarded with imap floods.

    Thanks for a great set of products and for your ongoing work.

    -Ray
