save it into a different folder, called whatever you want and after fully removing in full BFD ver 1.5-2, extract and install ver 1.5-1.
I personally would leave the cron at 3 minutes, certainly leave all settings at default until you're happy vpopmail is working, and please do not forget to add your IP to ignore.hosts.
I would consider that the issues are directly with your system as it works for everyone else, and it’s not an IW issue, as bfd is not part of IW.
I would suggest if you cannot resolve the issue, you may want to consider employing the services of another company to resolve directly on your system.
Direct access to resolve issues is not anything I would do, sorry.
I’m sorry we were not able to resolve in this instance.
I created a custom rule to block vchkpw-smtp attacks
If you use your normal text editor, i.e. nano /usr/local/bfd/rules/vsmtpmail
Copy the below into that file
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"
# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-smtpd"
if [ -f "$REQ" ]; then
 LP="/var/log/maillog"
 TLOG_TF="vsmtpmail"
 # vpopmail [qmail]
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
fi
Save and exit then run bfd -s
Should start blocking those
Steve[/QUOTE]
I removed the newer version and re-installed bfd -1.5.2 and added the file above and it's not resolving the issue.
I created a custom rule to block vchkpw-smtp attacks
If you use your normal text editor, i.e. nano /usr/local/bfd/rules/vsmtpmail
Copy the below into that file
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"
# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-smtpd"
if [ -f "$REQ" ]; then
 LP="/var/log/maillog"
 TLOG_TF="vsmtpmail"
 # vpopmail [qmail]
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
fi
Save and exit then run bfd -s
Should start blocking those
Steve[/QUOTE]
I removed the new version of bfd and installed 1.5.2 using this rule and it’s still not detecting the brute force attempts after I changed the trig to 5. Now I hope that Interworx will consider adding a fail2ban plugin to Interworx and it makes life a lot easier… I had it up and running in less than 15 minutes and it works and takes very little resource.
I am not sure what else I can do to try and fix this issue. It’s writing to the log file in the /var/log directory.
usage: ./bfd [OPTION]
-s|--standard … run standard with output
-q|--quiet … run quiet with output hidden
-a|--attackpool [STRING] … list addresses that have attacked this host
[root@fwh bfd]#
I have BFD installed on around 10 servers and it works with no issues with my rule. If you’re happy using Fail2Ban I would continue to use it. If you want BFD, I would suggest maybe hiring a system admin to check out your system to see why it is not happy.
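One way to check whether the extraction pipeline of the vsmtpmail rule quoted in this thread matches a given log, as an added example that is not part of any post here or of BFD itself. It reads log lines from stdin instead of BFD's `$TLOG_PATH $LP $TLOG_TF`; the function names, the constructed sample lines with their assumed `user:IP` tail, and the `>=` threshold comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: the vsmtpmail rule's filter chain, fed from stdin so it can
# be tested against any log text without running BFD.
extract_hits() {
    sed -e 's/::ffff://' |
    grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' |
    sed -n \
     -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
     -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
     -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'
}

# Addresses with at least $1 extracted failures.
# The ">=" comparison against the trigger value is this example's assumption.
offenders() {
    extract_hits | cut -d: -f1 | sort | uniq -c |
    awk -v trig="$1" '$1 >= trig { print $2 }'
}

# Constructed maillog lines (not from a real server); the "user:IP" tail
# after each message is an assumed format.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 mail vpopmail[2101]: vchkpw-smtp: password fail info@example.com:203.0.113.5
Jan 10 03:12:04 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found admin@example.com:203.0.113.5
Jan 10 03:12:09 mail vpopmail[2103]: vchkpw-smtp: system user not found root:::ffff:203.0.113.5
Jan 10 03:12:15 mail vpopmail[2104]: vchkpw-smtp: password fail sales@example.com:198.51.100.7
Jan 10 03:12:20 mail vpopmail[2105]: vchkpw-smtp: (PLAIN) login success bob@example.com:192.0.2.10
Jan 10 03:12:25 mail vpopmail[2106]: vchkpw-pop3: password fail bob@example.com:192.0.2.10
EOF
}

# Print the IP:user pairs the rule extracts, then the addresses reaching 3 hits.
sample_log | extract_hits
sample_log | offenders 3
```

Replacing `sample_log` with `cat /var/log/maillog` shows what the rule extracts from the real log. Empty output there means the patterns do not match that log's line format, so no trigger value can be reached.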