Page 1 of 7 (results 1 to 15 of 94)

This is a discussion on BFD rules for Jag servers in the Dedicated Servers forum

  1. #1 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)

    BFD rules for Jag servers

    BFD (Brute Force Detection) is a tool that all VPS/Dedicated admins should use in their servers. Installation instructions are included in the Securing and Optimizing your server thread. Unfortunately the default rules are outdated, wrong and just not right for Jag's VPS/Dedicated servers.

    I'm attaching a set of completely rewritten rules which are specific to Jag servers. First delete ALL the default rules (under /usr/local/bfd/rules by default) and unzip the attached archive in there.

    apache-exploits - protects against apache and script exploits, scans and others.
    apache - reads the correct log file and checks for login failures, works for all domains on the system
    exim - checks for email rejections, too many from the same IP means it's a spammer
    imapd - checks for failed login attempts
    pop3d - checks for failed login attempts
    pure-ftpd - checks for failed login attempts
    sshd - checks for various attacks, failed logins and broken requests

    All these rules are fully tested, very efficient and independent from virtual domains. If there is a service you'd like to see included, please let me know. It's also possible to add more detections for the same service.

    Comments/suggestions are welcome.


    STEP 1 - Installation
    Just download the attached file and unzip it inside your "rules" directory (/usr/local/bfd/rules/ by default). Overwrite all files. You may also delete all the files under your BFD tmp directory (/usr/local/bfd/tmp/ by default) so all counters are reset and your log files are re-read from the start.


    STEP 2 - BFD configuration modification
    The default configuration of BFD is also lacking support for Jag's servers. To be specific, it can't block IP addresses via iptables. The following is a simple change in the configuration (conf.bfd) that should make things work:

    Search for:
    BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"

    Change to:
    BCMD="/sbin/iptables -I INPUT -s $ATT_HOST -j DROP"

    and...

    Search for:
    BCMD_FILE="/etc/apf/deny_hosts.rules"

    Change to:
    BCMD_FILE="$INSPATH/deny_hosts.rules"


    STEP 3 - BFD exclude files
    BFD uses a list of files which contain "safe" or "known" IP addresses. Any address listed in those files will not be blocked if it's detected as an attacker. Unfortunately the default list is not good enough for Jag's servers.

    Edit the file "exclude.files" (under /usr/local/bfd by default) and replace its contents with the following lines:

    /etc/ipaddrpool
    /etc/domainips
    /etc/hosts.allow
    /etc/hosts.deny
    /usr/local/bfd/ignore.hosts



    Change Log

    5.0 - New "cpanel" module for cpanel logs, several new exploits
    4.0 - Loads of new exploits, directadmin support for exim, Geoffrey's cyrus code, exim updates
    3.0 - More 'apache-exploits', sshd fixes, lots of minor improvements
    2.0 - Added 'apache-exploits', TMP path detection, more efficient scans.
    1.0 - Initial release.
    Last edited by thisisit3; 10-10-2007 at 01:08 AM. Reason: updated BCMD_FILE variable
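The block decision that STEP 2 and STEP 3 above configure (exclude files consulted first, then the iptables drop and a line in BCMD_FILE), as an added example written for this thread; it is not BFD's own code and not part of the attached rule set. It assumes a temporary directory standing in for /usr/local/bfd, a simplified one-IP-per-line deny_hosts.rules, constructed exclude files with sample addresses, and it prints the iptables command instead of executing it so it can be run safely on any machine.

```shell
#!/bin/sh
# Added example (not BFD's code): emulate BFD's "is this IP safe to block?"
# decision from STEP 2 / STEP 3. Everything lives under a temp dir and the
# iptables command is only printed, never run.

INSPATH="$(mktemp -d)"               # assumption: stands in for /usr/local/bfd

# Constructed exclude.files, same one-path-per-line layout BFD reads
cat > "$INSPATH/exclude.files" <<EOF
$INSPATH/ipaddrpool
$INSPATH/ignore.hosts
$INSPATH/does-not-exist
EOF

# Constructed contents: the server's own address and one trusted admin address
printf '192.0.2.10\n' > "$INSPATH/ipaddrpool"
printf '198.51.100.5\n# comment lines are ignored by grep -w anyway\n' > "$INSPATH/ignore.hosts"

BCMD_FILE="$INSPATH/deny_hosts.rules"   # mirrors BCMD_FILE="$INSPATH/deny_hosts.rules"
: > "$BCMD_FILE"

# is_excluded IP -> 0 if IP appears as a whole word in any listed exclude file
is_excluded() {
    ip="$1"
    while IFS= read -r f; do
        [ -f "$f" ] || continue                  # missing files are skipped, not fatal
        # -F: literal match (dots are not wildcards); -w: whole word, so
        # 10.0.0.1 does not match 10.0.0.10
        grep -qFw -- "$ip" "$f" && return 0
    done < "$INSPATH/exclude.files"
    return 1
}

# block_host IP MODULE -> prints the iptables command BFD would run via BCMD
# and records the IP in BCMD_FILE; returns 1 without acting if the IP is
# excluded or already recorded (so the rule limit is not wasted on duplicates)
block_host() {
    ip="$1"; mod="$2"
    if is_excluded "$ip"; then
        echo "skip $ip: listed in an exclude file" >&2
        return 1
    fi
    if grep -qFw -- "$ip" "$BCMD_FILE"; then
        echo "skip $ip: already in $BCMD_FILE" >&2
        return 1
    fi
    # Real BFD evaluates BCMD here; this example only shows the command.
    echo "/sbin/iptables -I INPUT -s $ip -j DROP"
    echo "$ip  # blocked by bfd.$mod" >> "$BCMD_FILE"   # simplified record format
    return 0
}

# Demonstration: one attacker, one excluded host, one duplicate
block_host 203.0.113.7 sshd
block_host 192.0.2.10 sshd
block_host 203.0.113.7 apache
```

The duplicate check matters on a VPS: every `iptables -I INPUT` consumes one entry of the numiptent limit discussed later in this thread, so re-blocking an address that is already in deny_hosts.rules only burns rule slots.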

  2. #2 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    Another cool tip by thisisit3

  3. #3 Loyal Client (joined Apr 2006; Sweden; 262 posts)
    Great stuff! Was wondering why it didn't do anything about the brute force attempts, now I know and it wasn't strange when it was trying to use apf. Which I've tried to install but gave up hopes on because of the different setup on a VPS. Just got a bunch of errors no matter what I did!

    Thank you!

    And yes this must become a sticky for future reference!

    PS. Don't happen to know how to install apf so that it works on a VPS? heh
    Last edited by AlexKall; 03-24-2007 at 09:23 AM.
    My VPS server:
    www.myfedoraserver.com


  4. #4 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    No problem, glad to be of help.

    About APF, I couldn't find a reason for APF since all Linux servers come with iptables. I am not aware of any extra features, if APF is just a firewall then iptables does just that.

  5. #5 Loyal Client (joined Apr 2006; Sweden; 262 posts)
    It is there for easier use of the IP tables. Advanced Policy Firewall, basically works like Windows Server 2003 Policies but just for firewall. It did look pretty good, and rather easy to use (compared to just IP_Tables)
    My VPS server:
    www.myfedoraserver.com


  6. #6 Loyal Client (joined Feb 2007; 83 posts)
    THAT'S why BFD didn't seem to be doing anything on my VPS!


    OUTSTANDING!

  7. #7 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    In a week or so I'll have an updated set that will cover lots of new attacks. I'm testing them on my own system right now and I'll beta test them on a few live systems next week. I'm focusing on web attacks, script vulnerabilities and others.

    Probably the most common ones are apache attacks, bots looking for vulnerable web sites. I'm tracking their URL requests as I go along.

    If the vulnerable web script isn't running on the server, then it's rather easy to block the attacker from the generated 404 errors. If the script does exist on the server then it's a different story. One solution is to track common bot requests.

    Another type of attack is buffer overflows and Windoze holes, easily found from log entries like: "Invalid method in request \\x80@\\x01\\x03".

    Anyway, I'll post my updates in a week or so, once I'm done testing, to make sure the rules work on all kinds of systems.
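The "block from the generated 404 errors" idea in the post above, as an added example written for this thread (not code from the rule set and not how BFD's own apache module is written). It assumes Apache combined log format, a constructed sample log with two made-up addresses, and a per-IP trigger count playing the role of a BFD rule's trigger value.

```shell
#!/bin/sh
# Added example (not from the thread's rules): count 404 responses per client
# in an Apache combined-format access log and report addresses that reach a
# trigger count, the same "too many misses from one IP" signal the post
# describes for scanners probing scripts that do not exist on the host.

TRIGGER=3   # assumption: plays the role of a BFD rule's trigger counter

# Constructed sample log (not real traffic). 203.0.113.9 probes for admin
# scripts that are not installed; 198.51.100.20 is an ordinary visitor with
# one broken image link.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [10/Oct/2007:01:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Oct/2007:01:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2007:01:00:03 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Oct/2007:01:00:04 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2007:01:00:05 +0000] "GET /mysql/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2007:01:00:06 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
EOF

# scan_404 LOGFILE [TRIGGER] -> prints "IP COUNT" for each IP with >= TRIGGER 404s
scan_404() {
    log="$1"; trig="${2:-$TRIGGER}"
    # Combined format: $1 is the client address, $9 the status code.
    awk -v trig="$trig" '
        $9 == 404 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= trig) print ip, hits[ip] }
    ' "$log"
}

scan_404 "$SAMPLE_LOG"
```

With the sample above only 203.0.113.9 is reported (four 404s); the visitor's single broken link stays under the trigger. As the post notes, this only works when the probed script is absent: a request for a script that does exist returns 200 and never shows up here, which is why the later rule sets match the request paths themselves rather than the status code.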

  8. #8 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    PLEASE NOTE:

    By using BFD and Portsentry, your server will block loads of IP addresses from attacking hosts. At some point you may reach your IPTABLES rule limit. The current IPTABLES rule limit for Jag's servers is set too low, but Jag allows you to open a support ticket and ask them to raise it for you. So it's a good idea to do that even if you haven't reached your limit. Ask them to set it to 600 or above.

    You may check your current limit by running:

    Code:
    cat /proc/user_beancounters | grep numiptent
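Reading the numiptent line is easier with a small script than by eye, so here is an added example for this post (not from the thread) that parses the counters and warns when the rule count is close to the limit. It assumes the OpenVZ /proc/user_beancounters column layout (held, maxheld, barrier, limit, failcnt), a constructed sample file standing in for the real /proc entry, and an 80% warning threshold chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): parse the numiptent row of
# /proc/user_beancounters and report how much of the iptables rule limit
# is in use. A constructed file stands in for /proc so this runs anywhere;
# on a VPS, pass /proc/user_beancounters instead.

WARN_PCT=80   # assumption: warn once 80% of the limit is held

# Constructed sample in the real file's layout: 170 rules held of a 200
# limit, and 3 rules that already failed to be added (failcnt).
SAMPLE_BC="$(mktemp)"
cat > "$SAMPLE_BC" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2564096              3129344             14372700             14790164                    0
            numiptent                     170                  190                  200                  200                    3
            numtcpsock                     12                   30                  360                  360                    0
EOF

# numiptent_status FILE -> prints "held limit failcnt" from the numiptent row
numiptent_status() {
    # The resource name is field 1 on most rows but field 2 on the row that
    # also carries the uid, so locate it rather than assuming a column.
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "numiptent") { print $(i+1), $(i+4), $(i+5); exit } }' "$1"
}

# numiptent_ok FILE -> 0 when under WARN_PCT% of the limit and failcnt is 0,
# 1 otherwise (or when the row is missing, e.g. not an OpenVZ container)
numiptent_ok() {
    set -- $(numiptent_status "$1")
    [ "$#" -eq 3 ] || { echo "numiptent row not found" >&2; return 1; }
    held=$1; limit=$2; fail=$3
    pct=$(( held * 100 / limit ))
    echo "numiptent: $held of $limit rules held (${pct}%), failcnt=$fail"
    [ "$fail" -eq 0 ] && [ "$pct" -lt "$WARN_PCT" ]
}

numiptent_ok "$SAMPLE_BC" || echo "warning: near or over the iptables rule limit; ask support to raise it" >&2
```

A non-zero failcnt is the sign to watch for: it means BFD or Portsentry already tried to insert a rule that the container refused, so those addresses were not blocked even though BFD logged them.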

  9. #9 Loyal Client (joined Feb 2007; 83 posts)
    OK. Made all the changes you specified, and when I restarted BFD, I was rewarded with actual activity:

    root@vps [~]# /usr/local/sbin/bfd -s
    BFD version 0.9 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Scanning apache log...
    Scanning exim log...
    Scanning imapd log...
    Scanning pop3d log...
    Checking pure-ftpd log...
    Scanning sshd log...
    root@vps [~]#

    Now for the dumb question:

    How in the heck do I know that this thing is actually running when it's supposed to and\or working?

    I changed the SSH2 port to a higher, random number so I don't expect too many attempts, but I haven't seen a thing since I installed it...

  10. #10 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    Originally Posted by elflaco:
        How in the heck do I know that this thing is actually running when it's supposed to and\or working?
    It's simple. Have you executed the "install.sh" script when you first unpacked BFD? If yes, then that script should have installed a cron job script: "/etc/cron.d/bfd". That script executes BFD every 8 minutes and you'll get all the protection you need.

    Once a rule hits an attacker, you'll also get an email (if you've modified the conf.bfd and set an email address).

  11. #11 Loyal Client (joined Feb 2007; 83 posts)
    Originally Posted by thisisit3:
        It's simple. Have you executed the "install.sh" script when you first unpacked BFD? If yes, then that script should have installed a cron job script: "/etc/cron.d/bfd". That script executes BFD every 8 minutes and you'll get all the protection you need.

        Once a rule hits an attacker, you'll also get an email (if you've modified the conf.bfd and set an email address).

    Ran the script, made the changes, and also edited the conf.bfd file at /usr/local/bfd/conf.bfd to include the email address.

    The MAILTO line in the cron job is blank, though.

    Is that normal?

  12. #12 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    Originally Posted by elflaco:
        Ran the script, made the changes, and also edited the conf.bfd file at /usr/local/bfd/conf.bfd to include the email address.
        The MAILTO line in the cron job is blank, though.
        Is that normal?
    If you want to see what BFD is doing, just look at the log file (/var/log/bfd_log by default). Please remember the rules are set to hit very blunt attacks, in order to work for all types of servers.

    The MAILTO should either be removed or set to something. If it's removed, then the default mailto setting will apply (the default is set in /etc/crontab and it's usually set to 'root').

  13. #13 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    I've uploaded the latest rules, these include apache exploit detection. The script checks for attacks on the server from bots scanning for remote vulnerabilities (exploits) in common (and uncommon) software. The script checks for over 25 different attacks, including invalid request method vulnerabilities, bot scans and others.

    Since these are rather important, the "trigger" counter is set to 1, which means even one such entry in the logs will block the IP address of the attacker.

  14. #14 thisisit3 (Loyal Client; joined Mar 2007; 727 posts)
    Uploaded new version of the BFD rules.

    I've added MANY new apache exploits, which should help block script scanning. Also updated some of the other scripts (sshd for example) and done some bug fixing.

  15. #15 I need a coffee (joined Jan 2007; Serres, Greece; 16 posts)
    Hello, I am running bfd 0.9 (or maybe I'm trying to) and I get this output on a fresh install
    (I think it's not bfd's fault)

    [root@sky bfd]# bfd -s
    BFD version 0.9 <bfd@r-fx.org>
    Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
    Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
    This program may be freely redistributed under the terms of the GNU GPL

    Scanning apache log...
    grep: option requires an argument -- f
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try `grep --help' for more information.
    /usr/local/bfd/pattern.auth: line 1: failed: command not found
    /usr/local/bfd/pattern.auth: line 2: no: command not found
    /usr/local/bfd/pattern.auth: line 3: failed: command not found
    /usr/local/bfd/pattern.auth: line 4: authentication: command not found
    /usr/local/bfd/pattern.auth: line 5: authentication: command not found
    /usr/local/bfd/pattern.auth: line 6: not: command not found
    /usr/local/bfd/pattern.auth: line 7: invalid: command not found
    /usr/local/bfd/pattern.auth: line 8: illegal: command not found

    It tries to execute a grep and it fails:
    grep: option requires an argument -- f
    Usage: grep [OPTION]... PATTERN [FILE]...

    pressing Control-C
    and giving a ps aux I get one extra weird line
    each time I run bfd
    root 10050 0.0 0.0 2164 468 pts/2 S 01:28 0:00 /bin/sh ./bfd -s
    root 10062 0.0 0.0 2164 640 pts/2 S 01:28 0:00 /bin/sh ./bfd -s
    root 10073 0.0 0.0 2044 508 pts/2 T 01:28 0:00 login
    (login?)

    Anyway, I'll try to remove everything that has to do with bfd
    and try reinstalling from scratch to see what will happen.

    But, do you have any comments on this... ?

    Regards,
    Chris
