BFD Config that works

Hello

I need an example of bfd configs that work with Interworx please. I continue to have hacking issues and I am getting sick and tired of dealing with this every day on the pop3 and the smtp server.

Here is the log /var/log/maillog entry

Sep 20 22:26:39 fwh vpopmail[6506]: vchkpw-smtp: vpopmail user not found angela@:217.160.252.130

This does not look like it's the correct argu

more vpopmail

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# uncomment to disable alerting for this rule
#SKIP_ALERT="1"

# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-pop3d"

if [ -f "$REQ" ]; then
 PORTS="110,143,993,995"
 LP="/var/log/maillog"
 TLOG_TF="vpopmail"

 ## vpopmail [qmail]
 ARG_VAL=$($TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-pop3: password fail/s /.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ] *\).*/\3:\1/p' -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p')
fi

Hi Ptaylor1984

Please do not create new threads when your original thread covers the same post. http://forums.interworx.com/threads/8102-BFD-is-not-blocking-all-the-hack-attempts

I would advise you copy the correct default rule sets, which work, and only alter them if you understand them, or if you have not changed the rule sets, then from what I can see, your rule set shown is not an original rule set, so I’m not sure where you got them from.

Please see below for the correct default rule set for vpopmail, but also, please understand some bots etc give false details, and you will never stop these attempts on your open services.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-pop3d"

if [ -f "$REQ" ]; then
 LP="/var/log/maillog"
 TLOG_TF="vpopmail"

 ## vpopmail [qmail]
 ARG_VAL=$($TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-pop3: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p')
fi

Lastly, you may not receive any other answer from another user, or another user may decide to post, and as it's worldwide, there may be long time differences between users who post.

I hope that helps

Many thanks

John

I tried to post a reply with all the logs but it's too long so I put it on my web site.

http://cyberchatnet.com/notworking.txt

It’s not working.

Hi Ptaylor1984
Can you post your log for
/var/log/bfd_log
Many thanks
John

The log file is empty

-rw------- 1 root root 0 Sep 21 03:19 /var/log/bfd_log
-rw------- 1 root root 298 Sep 1 13:49 /var/log/bfd_log-20140907
-rw------- 1 root root 0 Sep 7 03:37 /var/log/bfd_log-20140914
-rw------- 1 root root 0 Sep 14 03:10 /var/log/bfd_log-20140921

more conf.bfd
#!/bin/bash
#
# BFD 1.5-2 <bfd@rfxn.com>
# Copyright © 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright © 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico please start it with the -w switch.
#       (e.g: pico -w filename)

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="10"

# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="0"

# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="plt@cyberchatnet.com"

# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"

# executable command to block attacking hosts
BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"

##
# You should not need to edit any options below this line
##

# installation path
INSTALL_PATH="/usr/local/bfd"

# rule files path
RULES_PATH="$INSTALL_PATH/rules"

# track log script path
TLOG_PATH="$INSTALL_PATH/tlog"

# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"

# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"

# bfd application log path
BFD_LOG_PATH="/var/log/bfd_log"

# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"

# log file path for syslog logging
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"

# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"

# contains list of files to search for addresses that are excluded from bans
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"

# grab the local time zone
TIME_ZONE=$(date +"%z")

# grab the local unix time
TIME_UNIX=$(date +"%s")

# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"

# lock file timeout
LOCK_FILE_TIMEOUT="300"

I have already removed bfd, deleted the files and directories and re-installed it last week.

Hi ptaylor1984

2 things as follows

Please can you post from your cron log all events for bfd; a 60 minute period should suffice, but please just show bfd, anything else is not needed.

Please can you list all rules you have shown in rules folder for bfd - please do not list the contents, only the rules files shown

Many thanks

John

Here is the information that you requested

John, here is the information that you asked for. I also ran bfd -a several times as root and some of the log entries have more than 10 invalid login attempts and it should have triggered the ban on iptables but it did not do it.

cd /usr/local/bfd
[root@fwh bfd]# cd rules
[root@fwh rules]# dir
asterisk_badauth courier exim_authfail openvpnas pure-ftpd sendmail vpopmail vsftpd2
asterisk_iax cpanel exim_nxuser postfix rh_imapd sshd vpopmail_orginal
asterisk_nopeer dovecot modsec proftpd rh_ipop3d test vsftpd
[root@fwh rules]# ls -l
total 88
-rw-r--r-- 1 root root 465 Sep 13 15:32 asterisk_badauth
-rw-r--r-- 1 root root 493 Sep 13 15:32 asterisk_iax
-rw-r--r-- 1 root root 494 Sep 13 15:32 asterisk_nopeer
-rw-r--r-- 1 root root 575 Sep 13 15:32 courier
-rw-r--r-- 1 root root 557 Sep 13 15:32 cpanel
-rw-r--r-- 1 root root 635 Sep 13 15:32 dovecot
-rw-r--r-- 1 root root 563 Sep 13 15:32 exim_authfail
-rw-r--r-- 1 root root 534 Sep 13 15:32 exim_nxuser
-rw-r--r-- 1 root root 1521 Sep 13 15:32 modsec
-rw-r--r-- 1 root root 534 Sep 13 15:32 openvpnas
-rw-r--r-- 1 root root 500 Sep 13 15:35 postfix
-rw------- 1 root root 461 Sep 13 15:32 proftpd
-rw-r--r-- 1 root root 555 Sep 13 15:32 pure-ftpd
-rw-r--r-- 1 root root 532 Sep 13 15:32 rh_imapd
-rw-r--r-- 1 root root 535 Sep 13 15:32 rh_ipop3d
-rw-r--r-- 1 root root 559 Sep 13 15:32 sendmail
-rw-r--r-- 1 root root 630 Sep 13 15:32 sshd
-rw-r--r-- 1 root root 672 Sep 21 22:50 test
-rw-r--r-- 1 root root 672 Sep 21 22:49 vpopmail
-rw-r--r-- 1 root root 769 Sep 21 10:32 vpopmail_orginal
-rw-r--r-- 1 root root 629 Sep 13 15:32 vsftpd
-rw-r--r-- 1 root root 507 Sep 13 15:32 vsftpd2

Sep 22 18:24:01 fwh CROND[9579]: (root) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:24:01 fwh CROND[9580]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:25:01 fwh CROND[9713]: (root) CMD (/usr/local/sim/sim -q > /dev/null 2>&1)
Sep 22 18:26:01 fwh CROND[9784]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:27:01 fwh CROND[9810]: (root) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:27:01 fwh CROND[9811]: (iworx) CMD (cd /home/interworx/cron ; ./iworx.pex --fively)
Sep 22 18:28:01 fwh CROND[10199]: (iworx) CMD (cd /home/interworx/cron ; ./iworx.pex --fifteenly)
Sep 22 18:28:01 fwh CROND[10203]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:30:01 fwh CROND[10258]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Sep 22 18:30:01 fwh CROND[10259]: (root) CMD (/usr/local/sim/sim -q > /dev/null 2>&1)
Sep 22 18:30:01 fwh CROND[10260]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:30:01 fwh CROND[10261]: (root) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:32:01 fwh CROND[10464]: (iworx) CMD (cd /home/interworx/cron ; ./iworx.pex --fively)
Sep 22 18:32:01 fwh CROND[10468]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:33:01 fwh CROND[10763]: (root) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:34:01 fwh CROND[10880]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:35:01 fwh CROND[10948]: (iworx) CMD (cd /home/interworx/cron ; ./iworx.pex --hourly)
Sep 22 18:35:01 fwh CROND[10949]: (root) CMD (/usr/local/sim/sim -q > /dev/null 2>&1)
Sep 22 18:36:01 fwh CROND[11068]: (iworx) CMD (/usr/local/sbin/bfd -q)
Sep 22 18:36:01 fwh CROND[11069]: (root) CMD (/usr/local/sbin/bfd -q)

Hi Ptaylor1984

Many thanks, it does indeed appear to be processing the cron job, and I see you're on ver 1-5-2, which does explain the port listing in your rules, and good to see you no longer appear to have the zip file rule.

I suspect the version 1-5-2 may not be correctly processing vpopmail and as such, would ask if you could test using version 1-5-1, which I'm pretty sure you're going to post that you do not have, and grabbing bfd from rfxnetworks would only give you ver 1-5-2.

If I have time today, I'll post a download link for ver 1-5-1, which you need to install, and ideally, first remove ver 1-5-2 in full; although 1-5-1 will import from 1-5-2, to be sure, remove it first and start fresh.

I hope that helps

Many thanks

John

Hi

Please download this file

wget http://iworx8.doc2disk.co.uk/bfd/bfd-current.tar.gz (this download link will be removed in 24 Hours)

Save it into a different folder, called whatever you want, and after fully removing BFD ver 1.5-2, extract and install ver 1.5-1.

I personally would leave the cron at 3 minutes, certainly leave all settings at default until you're happy vpopmail is working, and please do not forget to add your IP to ignore.hosts

Hope that helps

Many thanks

John

I downloaded bfd from the link that you provided here and it's 1.5.2 not 1.5.2. I am having the same issue and it's not writing anything to the log file after running it as root and it's reading the same log files.

Is BFD blocking pop3 attacks with this rule?

 ## vpopmail [qmail]
 ARG_VAL=$($TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-pop3: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p')

It works perfect for me, but it does not block smtp attacks like this:

Sep 20 22:26:39 fwh vpopmail[6506]: vchkpw-smtp: vpopmail user not found angela@:217.160.252.130

I tried to make other rule only for smtp attacks with a modified rule regex, ports and service too.

Hello,

I created a custom rule to block vchkpw-smtp attacks

If you use your normal text editor ie nano /usr/local/bfd/rules/vsmtpmail

Copy the below into that file

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-smtpd"

if [ -f "$REQ" ]; then
 LP="/var/log/maillog"
 TLOG_TF="vsmtpmail"

 ## vpopmail [qmail]
 ARG_VAL=$($TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p')
fi

Save and exit then run bfd -s

Should start blocking those

Steve
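A way to check what the default vpopmail (pop3) rule above and Steve's vsmtpmail (smtp) rule actually extract before relying on them, as an added example that is not from the thread or from BFD itself: it replays the rules' grep/sed pipeline over constructed maillog lines (the first is the one quoted earlier in the thread, the rest use documentation addresses) and adds a simplified per-address threshold check. The function names and the assumption that bfd keys the ban on the address before the first colon of each "IP:user" line are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from BFD: replays the grep/sed
# pipeline of the vpopmail (pop3) and vsmtpmail (smtp) rules over sample
# log lines so the extraction can be checked before the rule goes live.

# Constructed sample /var/log/maillog lines (the first is the one quoted in
# the thread; the others use documentation addresses). One pop3 line uses the
# IPv4-mapped "::ffff:" form that the first sed strips.
SAMPLE_LOG='Sep 20 22:26:39 fwh vpopmail[6506]: vchkpw-smtp: vpopmail user not found angela@:217.160.252.130
Sep 20 22:26:41 fwh vpopmail[6507]: vchkpw-smtp: vpopmail user not found bob@:217.160.252.130
Sep 20 22:26:45 fwh vpopmail[6510]: vchkpw-pop3: vpopmail user not found carol@:::ffff:192.0.2.10
Sep 20 22:26:50 fwh vpopmail[6512]: vchkpw-pop3: system user not found dave:198.51.100.7'

# extract_events SERVICE  (SERVICE is "pop3" or "smtp"; log lines on stdin)
# Prints one "IP:user" line per failed-auth event, exactly as the rule's
# ARG_VAL pipeline does; only the vchkpw-SERVICE prefix differs between rules,
# which is why the pop3 rule never sees vchkpw-smtp lines.
extract_events() {
    svc="$1"
    sed -e 's/::ffff://' \
    | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | sed -n \
        -e "/vchkpw-$svc: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p" \
        -e "/vchkpw-$svc: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p" \
        -e "/vchkpw-$svc: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p"
}

# addresses_over_trig TRIG  ("IP:user" lines on stdin)
# Simplified model of the TRIG threshold (assumption: bfd keys the ban on the
# address before the first colon): prints each address with >= TRIG events.
addresses_over_trig() {
    cut -d: -f1 | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: the smtp events, then the addresses a TRIG of 2 would ban.
printf '%s\n' "$SAMPLE_LOG" | extract_events smtp
printf '%s\n' "$SAMPLE_LOG" | extract_events smtp | addresses_over_trig 2
```

Feed the real /var/log/maillog in place of SAMPLE_LOG to see what a rule would hand to bfd on your own server.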

Thank you Steve!

As I see, your rule is not totally pasted, could you copy your full line?

Thank you!

Hello,

Edited the rule in my first post - sorry, just woke up when I replied to the thread

Hi steve

Thanks for sharing your smtp rule, I'll try that.

Do you mind me asking if you could grab my link file and confirm the version of bfd, and just post back.

It's alright if you prefer not to

Many thanks

John

Hello John,

Downloaded your BFD file, extracted and shows

[root@srv ~]# ls
bfd-1.5-2 - Current version

Also installed it to check the version for you

[root@srv bfd-1.5-2]# bfd -v
Brute Force Detection v1.5-2 <bfd@r-fx.org>

Hope that's what you wanted

Hi steve

Many thanks for checking and it’s not what I wanted here sorry.

I’ve uploaded ver 151, which I’m sure I did yesterday but would appreciate if you could confirm it is now ver 151

If you just unpack it, it should create the folder bfd-1.5-1

I hope that’s alright and once again, many thanks for your help, must be getting too old.

John

Hello John,

Just re-downloaded your file and it now extracts as bfd-1.5-1

Out of interest what’s the differences in your version and the standard one?

Steve

Hi steve

Many thanks, much appreciated and that’s what I wanted to hear thanks.

Bfd ver 151 contains the security risk patch but still covers uppercase and lowercase on egrep, whereas ver 152 is more sleek in egrep searches, and also contains port listings.

That’s as far as I know but I think major changes are for rule sets for services not on IW

Once again, many thanks for your help

John

Hello,

No worries, you are more than welcome.

My SMTP rule - I can confirm it works for both versions