Brute Force Detection

Current Release:

BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format. The regular expressions are applied to the logs using the ‘sed’ tool (stream editor), which gives excellent performance in all environments. In addition to the benefit of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point at which they were last read. This extends the performance of BFD even further, as the same log data is not re-read on every run. The log tracking system is compatible with syslog/logrotate style log rotations, which allows it to detect when a rotation has happened and grab log tails from both the new log file and the rotated log file.

You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables or ip route, or by executing any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for everyday use, or you can open it up and modify it. The attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked, including which rule the block was triggered by.

In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cron job can be run more frequently for those that desire it, and doing so will not cause any performance issues (though no more often than once a minute). Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms.
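As an added example (not BFD's own code, which this page does not reproduce), the following POSIX shell sketch implements the mechanism just described on a constructed sshd-style log: a sed rule extracts `ip:user` in one pass, a tracking file makes each run read only the lines added since the last one, a log that has shrunk is treated as a logrotate rotation whose `.1` copy is tailed first, and hits accumulate in a flat-file attack pool so a trigger count can be reached across several cron runs. The file names, the `rule_sshd` function and the pool file are assumptions for the demo, not BFD's own rule or variable names.

```sh
#!/bin/sh
# Added example, not BFD's own code: a miniature of the mechanism the page
# describes. A sed rule turns each auth failure into "ip:user" in one stream,
# a tracking file records how many log lines were consumed last run, a
# logrotate-style rotation is detected when the log shrinks, and every hit is
# appended to a flat-file attack pool so counts persist across cron runs.
LOG=${LOG:-./auth.log.sample}    # constructed sample log (see make_sample)
TRACK=${TRACK:-./auth.log.track} # number of lines already read from $LOG
POOL=${POOL:-./attack.pool}      # cumulative "ip:user" hits (assumed name)
TRIG=${TRIG:-3}                  # failures from one address before reporting

# Writes constructed sshd-style sample lines; 203.0.113.7 fails three times.
make_sample() {
  cat > "$LOG" <<'EOF'
Jan 10 10:00:01 host sshd[111]: Failed password for invalid user admin from 203.0.113.7 port 5222 ssh2
Jan 10 10:00:02 host sshd[112]: Failed password for root from 203.0.113.7 port 5223 ssh2
Jan 10 10:00:03 host sshd[113]: Accepted password for alice from 198.51.100.9 port 4000 ssh2
Jan 10 10:00:04 host sshd[114]: Failed password for root from 203.0.113.7 port 5224 ssh2
Jan 10 10:00:05 host sshd[115]: Failed password for invalid user test from 192.0.2.44 port 6000 ssh2
EOF
}

# Rule: one sed expression extracting "ip:user" from sshd failure lines.
rule_sshd() {
  sed -n 's/.*Failed password for \(invalid user \)*\([^ ]*\) from \([0-9.]*\) port.*/\3:\2/p'
}

# Emit only the lines not seen in the previous run. Fewer lines than the
# tracker recorded means the log was rotated: read the unread tail of the
# rotated copy ($LOG.1, the logrotate default), then the whole new file.
new_lines() {
  total=$(wc -l < "$LOG" | tr -d ' ')
  last=0; [ -f "$TRACK" ] && last=$(cat "$TRACK")
  if [ "$total" -lt "$last" ]; then
    [ -f "$LOG.1" ] && tail -n +"$((last + 1))" "$LOG.1"
    last=0
  fi
  tail -n +"$((last + 1))" "$LOG"
  echo "$total" > "$TRACK"
}

# Parse the new lines into the pool, then print "count ip" for each address at
# or above TRIG (this is where a ban command such as APF would be invoked).
offenders() {
  new_lines | rule_sshd >> "$POOL"
  cut -d: -f1 "$POOL" | sort | uniq -c | awk -v t="$TRIG" '$1 >= t+0 { print $1, $2 }'
}
```

Run `make_sample` once and then `offenders` on each simulated cron tick; the pool here grows without bound, which is the reason BFD size-controls its tracking files.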

Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional small donation to help ensure the future of our public projects.

100 Replies to “Brute Force Detection”

  1. Hello Ryan,

    Please consider removing the filter command for the content of the BAN_COMMAND (line 180 in the bfd version 1.5): BAN_COMMAND=`echo $BAN_COMMAND | tr -d '\\&;|'`

    We are using the following BAN_COMMAND and we have to delete the filter from the bfd script:

    BAN_COMMAND="(/sbin/iptables -n -L | grep DROP | grep $ATTACK_HOST) || /sbin/iptables -I INPUT -s $ATTACK_HOST -j DROP"

    Of course we could put there an external script but we are preferring to not add another layer of bash commands.


  2. Hi,

    I’m very happy with your APF and BFD tools, but I have a question about configuring BFD: by default, conf.bfd has:

    BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"

    This adds the hostname of the attacker to the ban list, but is there a way to add their IP address instead?

  3. Found a small bug in BFD 1.4. Somewhere at line 153 is listed:

    if [ "$ATTACK_COUNT" -gt "$TRIG" ] || [ "$ATTACK_COUNT" -eq "$TRIG" ] && [ "$HOST_IGNORE" == "0" ]; then

    However, when $HOST_IGNORE is null, $ATTACK_COUNT is not defined at all. This will result in a script error:

    [: : integer expression expected

    Defining ATTACK_COUNT somewhere at the start of the script will fix this:

    Not sure how the working of BFD is affected by this error…

  4. Roland:

    great script, however i’m getting 1000's of these in my exim logs and it doesn’t ban them:
    2011-06-28 05:47:38 login authenticator failed for (ylmf-pc) []: 535 Incorrect authentication data (set_id=web)
    does anyone have a rule for exim that will ban these as well?
    thanks in advance

    I am using the following rule for this:

    # failed logins from a single address before ban
    # uncomment to override conf.bfd trig value

    # file must exist for rule to be active

    if [ -f "$REQ" ]; then

    ## EXIM attacks
    ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -E "login authenticator failed for" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr -d '[]' | sed -n -e 's/.*login authenticator failed for \([^ ]*\) .* \([\.0-9]*\): 535 Incorrect authentication data.*/\2:\1/p'`

    fi
