BFD is set to block after a maximum of 10 attempts. It should be adding the IP address to the iptables ban list, but it's not. I need this to work for POP3, SMTP, IMAP4 and IMAP4-SSL. Please advise me why it is not working.
more conf.bfd
#!/bin/sh
#
# BFD 1.5-2 [bfd@r-fx.org]
# Copyright © 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright © 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
#       if you're using pico please start it with the -w switch.
#       (e.g: pico -w filename)

# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
TRIG="10"

# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="0"

# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="root"

# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"

# executable command to block attacking hosts
# (this is the only blocking step BFD performs; it writes no iptables rule of
# its own, so with the value below a ban only reaches iptables if APF is
# installed and accepts the deny)
BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"

# You should not need to edit any options below this line

# installation path
INSTALL_PATH="/usr/local/bfd"

# rule files path
RULES_PATH="$INSTALL_PATH/rules"

# track log script path
TLOG_PATH="$INSTALL_PATH/tlog"

# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"

# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"

# bfd application log path
BFD_LOG_PATH="/var/log/bfd_log"

# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"

# log file path for syslog logging
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"

# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"

# contains list of files to search for addresses that are excluded from bans
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"

# grab the local time zone
TIME_ZONE=`date +"%z"`

# grab the local unix time
TIME_UNIX=`date +"%s"`

# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"

# lock file timeout
LOCK_FILE_TIMEOUT="7200"
[root@fwh rules]# dir
asterisk_badauth  courier  exim_authfail  openvpnas  pure-ftpd  sendmail   vsftpd
asterisk_iax      cpanel   exim_nxuser    postfix    rh_imapd   sshd       vsftpd2
asterisk_nopeer   dovecot  modsec         proftpd    rh_ipop3d  vpopmail
[root@fwh rules]# more postfix
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"

# file must exist for rule to be active
REQ="/usr/sbin/postfix"

if [ -f "$REQ" ]; then
 PORTS="25,26"
 LP="/var/log/mail.log"
 TLOG_TF="postfix"
 ## Postfix dictionary attacks
 # emits the client address from each SASL authentication failure line
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep -w "SASL LOGIN authentication failed:|SASL PLAIN authentication failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '[' '{ print $3 }' | tr -d '[a-z][A-Z][]:'`
fi
[root@fwh rules]#
[root@fwh rules]# more dovecot
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="30"

# uncomment to disable alerting for this rule
SKIP_ALERT="1"

# file must exist for rule to be active
REQ="/usr/sbin/dovecot"

if [ -f "$REQ" ]; then
 PORTS="110,143,993,995"
 LP="/var/log/maillog"
 TLOG_TF="dovecot"
 ## DOVECOT IMAP/POP3
 # emits one "address:user" line per failed imap/pop3 login
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep '(imap|pop3)-login.*(Authentication failure|auth failed|Aborted login|ried to use disabled)' | egrep -v 'no auth attempts' | sed -n -e '/auth failed/s/.*user=<\(.*\)>.*rip=\([^ ]*\),.*/\2:\1/p' | egrep '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:.*$'`
fi
[root@fwh rules]#
[root@fwh rules]# more courier
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"

# uncomment to disable alerting for this rule
SKIP_ALERT="1"

# file must exist for rule to be active
REQ="/usr/lib/courier-imap/libexec/couriertcpd"

if [ -f "$REQ" ]; then
 PORTS="110,143,993,995"
 LP="/var/log/maillog"
 TLOG_TF="courier"
 ## courier imap|pop3
 # strips the ::ffff: IPv4-mapped prefix, then emits "address:user" per LOGIN FAILED line
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | egrep '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr '=' ' ' | sed -n -e '/LOGIN FAILED/s/.*user \([^ ]*\)\(.*\) \([^ ]*\).*/\3:\1/p' | tr -d '[],'`
fi
[root@fwh rules]#
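A replay of the two posted rules over constructed log lines, added here as an editor's example; it is not code from the post or from BFD. It reuses the dovecot and postfix ARG_VAL pipelines exactly as written above, substitutes fixed sample lines for tlog, applies each rule's own trigger, and prints the BAN_COMMAND string BFD would hand to APF. With the posted values, 12 IMAP failures from one address produce no ban because the dovecot rule overrides TRIG to 30, while 10 SASL failures meet the postfix trigger; and even that hit only becomes an iptables rule if /etc/apf/apf exists and accepts the deny, since BFD itself writes no iptables rules. Every log line, host name, PID and address below is constructed for the demonstration.

```shell
#!/bin/sh
# Editor's example, not from the forum post or from BFD: replay the posted
# dovecot and postfix ARG_VAL pipelines over constructed log lines, count
# events per address against each rule's trigger, and render BAN_COMMAND.
# BFD's tlog normally feeds only lines appended since its last run; the
# *_log functions below stand in for it.  All sample data is made up.

DOVECOT_TRIG=30     # the posted dovecot rule overrides conf.bfd's TRIG=10
POSTFIX_TRIG=10     # the posted postfix rule

# --- constructed stand-ins for `$TLOG_PATH $LP $TLOG_TF` -------------------

# 12 IMAP auth failures from 203.0.113.7, one POP3 failure from 198.51.100.9,
# plus two lines the rule must ignore (a "no auth attempts" disconnect and a
# successful login).
dovecot_log() {
  i=0
  while [ "$i" -lt 12 ]; do
    printf 'Jan  5 10:00:%02d mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<s%d>\n' "$i" "$i"
    i=$((i + 1))
  done
  echo 'Jan  5 10:01:00 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, session=<t0>'
  echo 'Jan  5 10:01:05 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=192.0.2.10, session=<t1>'
  echo 'Jan  5 10:01:10 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4101, session=<t2>'
}

# 10 SASL failures from 203.0.113.7 (exactly the trigger), one from
# 198.51.100.9, and a disconnect line that must not count.
postfix_log() {
  i=0
  while [ "$i" -lt 10 ]; do
    printf 'Jan  5 10:02:%02d mx postfix/smtpd[2314]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure\n' "$i"
    i=$((i + 1))
  done
  echo 'Jan  5 10:03:00 mx postfix/smtpd[2315]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure'
  echo 'Jan  5 10:03:01 mx postfix/smtpd[2315]: disconnect from unknown[198.51.100.9]'
}

# --- the posted ARG_VAL pipelines, unchanged apart from the log source -----

# dovecot rule: one "address:user" line per failed login
dovecot_failures() {
  dovecot_log \
    | grep -E '(imap|pop3)-login.*(Authentication failure|auth failed|Aborted login|ried to use disabled)' \
    | grep -E -v 'no auth attempts' \
    | sed -n -e '/auth failed/s/.*user=<\(.*\)>.*rip=\([^ ]*\),.*/\2:\1/p' \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:.*$'
}

# postfix rule: the address, followed by the blanks tr leaves behind
postfix_failures() {
  postfix_log \
    | grep -E -w 'SASL LOGIN authentication failed:|SASL PLAIN authentication failed:' \
    | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | awk -F '[' '{ print $3 }' \
    | tr -d '[a-z][A-Z][]:'
}

# --- trigger check ---------------------------------------------------------

# Reads rule output on stdin, keeps the address (first field, before any
# ":user"), and prints "module address count" for each address at or above
# the rule's trigger.
over_trig() {            # $1 = module name, $2 = trigger
  cut -d: -f1 | awk '{ print $1 }' | sort | uniq -c \
    | awk -v mod="$1" -v trig="$2" '$1 >= trig { printf "%s %s %d\n", mod, $2, $1 }'
}

# Each rule is judged against its own trigger, as the per-rule TRIG intends.
run_rules() {
  dovecot_failures | over_trig dovecot "$DOVECOT_TRIG"
  postfix_failures | over_trig postfix "$POSTFIX_TRIG"
}

# Render conf.bfd's BAN_COMMAND for one hit (ATTACK_HOST and MOD filled in).
# It is only printed here; on the live box BFD runs it, and APF, not BFD,
# is what would turn it into an iptables rule.
ban_command() {          # $1 = ATTACK_HOST, $2 = MOD
  printf '/etc/apf/apf -d %s {bfd.%s}\n' "$1" "$2"
}

run_rules | while read -r mod host count; do
  echo "$mod: $host has $count failures -> $(ban_command "$host" "$mod")"
done
```

Run it with `sh replay.sh`; the only line printed is the postfix hit, because the dovecot address stops at 12 of the 30 failures that rule demands. To check the real pipelines instead of the stand-ins, replace the `*_log` functions with `$TLOG_PATH $LP $TLOG_TF`, keeping in mind that tlog advances its tracked offset, so a manual replay consumes the lines BFD's next cron run would otherwise see.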