BFD guru wanted..
    I've installed BFD and I'm really liking how it's blocking SSH login attempts, but my real problem is with qmail. Are there any BFD gurus out there? What I'd like to do is to block a user from sending too many emails through the server. Here is the specific rule file for qmail

    Code:
    # failed logins from a single address before ban
    # uncomment to override conf.bfd trig value
    TRIG="3"

    # uncomment to disable alerting for this rule
    # SKIP_ALERT="1"

    # file must exist for rule to be active
    REQ="/var/qmail/bin/qmail-pop3d"

    if [ -f "$REQ" ]; then
     # ports BFD will firewall for a banned address
     PORTS="110,143,993,995"
     # log file to scan, and the tlog tracking tag for it
     LP="/var/log/maillog"
     TLOG_TF="vpopmail"

     ## vpopmail [qmail]
     # $TLOG_PATH is BFD's tlog helper (set in conf.bfd); it returns only the
     # log lines added since the last run. Each sed expression turns one kind
     # of failed-login line into "ip:user", which BFD then counts per IP.
     ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-pop3: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
    fi

    But what I'm looking for is to block multiple attempts (set by TRIG) from a certain email address. The log looks like this:


    Code:
    Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
    Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
    Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
    Mar 10 13:46:41 centos6 vpopmail[4537]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
    Mar 10 13:47:14 centos6 vpopmail[4600]: vchkpw-submission: (PLAIN) login success [email address]:107.10.181.xxx
    Mar 10 13:47:17 centos6 vpopmail[4609]: vchkpw-submission: (PLAIN) login success [email address]:100.36.114.xxx
    Mar 10 13:47:49 centos6 vpopmail[4678]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
    Mar 10 13:47:51 centos6 vpopmail[4705]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
    How do I change the ARG_VAL to read these 'good' logins and capture them so I can set a threshold to ban an IP?

    In addition does anyone know how to ban using BFD for a period of time rather than forever?

    Thanks!
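
    The following is an added example, not code from the thread or from BFD's own rule files. It shows what an ARG_VAL pipeline for the "login success" lines above would emit (the same "ip:user" shape as the failed-login rule) and what BFD's TRIG count does with that output. The sample log lines are constructed in the post's format with documentation IP addresses; one line carries an IPv4-mapped "::ffff:" prefix and one is a POP3 password failure, to show the strip and the filter at work. The mailbox names, IPs, function names and the threshold value are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: not from the thread and not one of BFD's shipped rules.
# Assumptions: log lines look like the post's sample, and BFD counts the
# lines ARG_VAL emits by their leading IP against TRIG before banning.

TRIG=3

# Constructed sample maillog excerpt in the post's format (RFC 5737 IPs).
SAMPLE_LOG='Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success bob@example.com:198.51.100.20
Mar 10 13:46:41 centos6 vpopmail[4537]: vchkpw-submission: (PLAIN) login success bob@example.com:198.51.100.20
Mar 10 13:47:14 centos6 vpopmail[4600]: vchkpw-submission: (PLAIN) login success carol@example.com:203.0.113.30
Mar 10 13:47:17 centos6 vpopmail[4609]: vchkpw-submission: (PLAIN) login success dave@example.com:::ffff:203.0.113.40
Mar 10 13:47:49 centos6 vpopmail[4678]: vchkpw-submission: (PLAIN) login success alice@example.com:192.0.2.10
Mar 10 13:47:51 centos6 vpopmail[4705]: vchkpw-pop3: password fail alice@example.com:192.0.2.10'

# Read log lines on stdin and emit "ip:user" for each successful submission
# login. This is the pipeline one would put in ARG_VAL (with $TLOG_PATH $LP
# $TLOG_TF feeding it) to track good logins instead of failures.
success_logins() {
  sed -e 's/::ffff://' |
  grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' |
  sed -n -e '/vchkpw-submission: .*login success/s/.*login success \([^ :]*\):\([0-9.]*\).*/\2:\1/p'
}

# Count the emitted events per IP and print every IP that reaches the
# threshold; this mirrors what BFD does with ARG_VAL output before it bans.
over_threshold() {
  trig="$1"
  success_logins | cut -d: -f1 | sort | uniq -c |
  awk -v t="$trig" '$1 >= t { print $2 }'
}

# Usage: with TRIG=3 only 192.0.2.10 (three successful logins) is listed.
printf '%s\n' "$SAMPLE_LOG" | over_threshold "$TRIG"
```

    Two caveats before wiring this into a rule. BFD keys its count on the IP, not on the email address, so a threshold on "login success" bans the address a legitimate heavy sender connects from rather than the account; and because the rule above requires qmail-pop3d and firewalls ports 110,143,993,995, a submission-oriented rule would need its own REQ and PORTS (587 is the usual submission port) so the ban actually covers the service being abused. The grep also requires a full dotted-quad IP on the line, so the xxx-masked sample as pasted would match nothing; the real maillog does.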

  • #2
    Hi mikei

    Glad you're liking bfd

    Bfd is not scripted for releasing, only full ban. I think kujoe was going to write a script for releasing.

    I know there's a post to install another type of bfd, sorry I cannot remember the name, but the post contained the instructions to install, which will unban at your set intervals.

    I hope that helps

    Many thanks

    John
