BFD guru wanted..

I’ve installed BFD and I’m really liking how it’s blocking SSH login attempts, but my real problem is with qmail. Are there any BFD gurus out there? What I’d like to do is to block a user from sending too many emails through the server. Here is the specific rule file for qmail:

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="3"


# uncomment to disable alerting for this rule
# SKIP_ALERT="1"


# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-pop3d"


if [ -f "$REQ" ]; then
  PORTS="110,143,993,995"
  LP="/var/log/maillog"
  TLOG_TF="vpopmail"


  ## vpopmail [qmail]
  # $TLOG_PATH is set by BFD (its tlog helper) and returns the maillog lines
  # not yet seen under the "vpopmail" tracking name. Strip the IPv4-mapped
  # ::ffff: prefix, keep only lines carrying an IPv4 address, then turn each
  # vchkpw-pop3 failure into "IP:user", which is what BFD tallies against TRIG.
  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | \
    grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | \
    sed -n -e '/vchkpw-pop3: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
           -e '/vchkpw-pop3: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
           -e '/vchkpw-pop3: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
fi



But what I’m looking for is to block multiple attempts (set by TRIG) from a certain email address. The log looks like this:


Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
Mar 10 13:46:41 centos6 vpopmail[4537]: vchkpw-submission: (PLAIN) login success [email address]:187.190.135.xxx
Mar 10 13:47:14 centos6 vpopmail[4600]: vchkpw-submission: (PLAIN) login success [email address]:107.10.181.xxx
Mar 10 13:47:17 centos6 vpopmail[4609]: vchkpw-submission: (PLAIN) login success [email address]:100.36.114.xxx
Mar 10 13:47:49 centos6 vpopmail[4678]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx
Mar 10 13:47:51 centos6 vpopmail[4705]: vchkpw-submission: (PLAIN) login success [email address]:104.174.194.xxx

How do I change the ARG_VAL to read these ‘good’ logins and capture them so I can set a threshold to ban an IP?

In addition, does anyone know how to ban using BFD for a period of time rather than forever?

Thanks!
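An added example, written for this thread and not code from the post or from BFD itself: a sed expression modelled on the rule's existing one that turns these "login success" lines into the same IP:user form ARG_VAL already emits for failures, plus a small per-IP tally so the TRIG threshold can be checked by hand. The sample log lines, user names and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample lines modelled on the post (users and addresses made up).
SAMPLE_LOG='Mar 10 13:46:24 centos6 vpopmail[4460]: vchkpw-submission: (PLAIN) login success alice@example.org:192.0.2.10
Mar 10 13:46:25 centos6 vpopmail[4484]: vchkpw-submission: (PLAIN) login success alice@example.org:192.0.2.10
Mar 10 13:46:38 centos6 vpopmail[4522]: vchkpw-submission: (PLAIN) login success bob@example.org:198.51.100.7
Mar 10 13:47:49 centos6 vpopmail[4678]: vchkpw-submission: (PLAIN) login success alice@example.org:192.0.2.10
Mar 10 13:48:02 centos6 vpopmail[4690]: vchkpw-pop3: password fail carol@example.org:203.0.113.5'

# Read maillog lines on stdin and print "IP:user" for each successful
# submission login. \1 = user (no spaces or colons), \2 = IPv4 address.
# The ::ffff: strip mirrors the original rule's handling of mapped addresses.
submission_logins() {
  sed -e 's/::ffff://' |
    sed -n -e '/vchkpw-submission: (PLAIN) login success/s/.*login success \([^ :]*\):\([0-9.]*\).*/\2:\1/p'
}

# Tally logins per IP and print the addresses that reached the threshold.
# In production BFD performs this count itself from ARG_VAL; it is shown here
# so the extraction can be verified by hand before it goes into the rule.
over_trig() {
  trig="$1"
  submission_logins | cut -d: -f1 | sort | uniq -c |
    awk -v t="$trig" '$1 >= t { print $2 }'
}

# Stand-alone demo: with TRIG=3 only 192.0.2.10 (three logins) is listed.
printf '%s\n' "$SAMPLE_LOG" | over_trig "${TRIG:-3}"
```

In the rule file the `submission_logins` pipeline would take the place of the ARG_VAL expression. Note that it counts authentications from an address, not messages sent, so a mail client that reconnects for every message can reach TRIG on its own.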

Hi mikei

Glad you’re liking bfd.

Bfd is not scripted for releasing, only full ban. I think kujoe was going to write a script for releasing.

I know there’s a post to install another type of bfd, sorry I cannot remember the name, but the post contained the instructions to install, which will unban at your set intervals.

I hope that helps

Many thanks

John