BFD rules for Jag servers

[thisisit3]

BFD (Brute Force Detection) is a tool that all VPS/Dedicated admins should use in their servers. Installation instructions are included in the Securing and Optimizing your server thread. Unfortunately the default rules are outdated, wrong and just not right for Jag's VPS/Dedicated servers.

I'm attaching a set of completely rewritten rules which are specific to Jag servers. First delete ALL the default rules (under /usr/local/bfd/rules by default) and unzip the attached archive in there.

apache-exploits - protects against apache and script exploits, scans and others.
apache - reads the correct log file and checks for login failures, works for all domains on the system
exim - checks for email rejections, too many from the same IP means its a spammer
imapd - checks for failed login attempts
pop3d - checks for failed login attempts
pure-ftpd - checks for failed login attempts
sshd - checks for various attacks, failed logins and broken requests

All these rules are fully tested, very efficient and independent from virtual domains. If there is a service you'd like to see included, please let me know. Its also possible to add more detections for the same service.

Comments/suggestions are welcome.


STEP 1 - Installation
Just download the attached file and unzip it inside your "rules" directory (/usr/local/bfd/rules/ by default). Overwrite all files. You may also delete all the files under your BFD tmp directory (/usr/local/bfd/tmp/ by default) so all counters are reset and your log files are re-read from the start.


STEP 2 - BFD configuration modification
The default configuration of BFD is also lacking support for Jag's servers. To be specific, it can't block IP addresses via iptables. The following is a simple change in the configuration (conf.bfd) that should make things work:

Search for:
BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"

Change to:
BCMD="/sbin/iptables -I INPUT -s $ATT_HOST -j DROP"

and...

Search for:
BCMD_FILE="/etc/apf/deny_hosts.rules"

Change to:
BCMD_FILE="$INSPATH/deny_hosts.rules"


STEP 3 - BFD exclude files
BFD uses a list of files which contain "safe" or "known" IP addresses. Any address listed in those files will not be blocked if its detected as an attacker. Unfortunately the default list is not good enough for Jag's servers.

Edit the file "exclude.files" (under /usr/local/bfd by default) and replace its contents with the following lines:

/etc/ipaddrpool
/etc/domainips
/etc/hosts.allow
/etc/hosts.deny
/usr/local/bfd/ignore.hosts



Change Log

5.0 - New "cpanel" module for cpanel logs, several new exploits
4.0 - Loads of new exploits, directadmin support for exim, Geoffrey's cyrus code, exim updates
3.0 - More 'apache-exploits', sshd fixes, lots of minor improvements
2.0 - Added 'apache-exploits', TMP path detection, more efficient scans.
1.0 - Initial release.

[thisisit3]

Another cool tip by thisisit3

[AlexKall]

Great stuff! Was wondering why it didn't do anything about the brute force attempts, now i know and it wasn't strange when it was trying to use apf. Which i've tried to install but gave up hopes on because of the different setup on a vps. Just got a bunch of errors no matter what I did!

Thank you!

And yes this must become a sticky for future reference!

PS. Don't happen to know how to install apf so that it works on a VPS? heh

[thisisit3]

No problem, glad to be of help.

About APF, I couldn't find a reason for APF since all Linux servers come with iptables. I am not aware of any extra features, if APF is just a firewall then iptables does just that.

[AlexKall]

It is there for easyer use of the IP tables. Advanced Policy Firewall, basicly works like Windows Server 2003 Policys but just for firewall. It did look pretty good, and rather easy to use (comapred to just IP_Tables)

[elflaco]

THAT'S why BFD didn't seem to be doing anything on my VPS!


OUTSTANDING!

[thisisit3]

In a week or so i'll have an updated set that will cover lots of new attacks. I'm testing them on my own system right now and i'll beta test them on a few live systems next week. I'm focusing on web attacks, script vulnerabilities and others.

Probably the most common ones are apache attacks, bots looking for vulnerable web sites. I'm tracking their URL requests as i go along.

If the vulnerable web script isn't running on the server, then its rather easy to block the attacker from the generated 404 errors. If the script does exist on the server then its a different story. One solution is to track common bot requests.

Another type of attack is buffer overflows and Windoze holes, easily found from log entries like: "Invalid method in request \\x80@\\x01\\x03".

Anyway, i'll post my updates in a week or so, once i'm done testing, to make sure the rules work on all kinds of systems.

[thisisit3]

PLEASE NOTE:

By using BFD and Portsentry, your server will block loads of IP addresses from attacking hosts. At some point you may reach your IPTABLES rule limit. The current IPTABLES rule limit for Jag's servers is set too low, but Jag allows you to open a support ticket and ask them to raise it for you. So its a good idea to do that even though you haven't reached your limit. Ask them to set it to 600 or above.

You may check your current limit by running:

Code:

cat /proc/user_beancounters | grep numiptent

[elflaco]

OK. Made all the changes you specified, and when I restarted BFD, I was rewarded with actual activity:

root@vps [~]# /usr/local/sbin/bfd -s
BFD version 0.9 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

Scanning apache log...
Scanning exim log...
Scanning imapd log...
Scanning pop3d log...
Checking pure-ftpd log...
Scanning sshd log...
root@vps [~]#

Now for the dumb question:

How in the heck do I know that this thing is actually running when it's supposed to and\or working?

I changed the SSH2 port to a higher, random number so I don't expect too many attempts, but I haven't seen a thing since I installed it...

[thisisit3]

How in the heck do I know that this thing is actually running when it's supposed to and\or working?

Its simple. Have you executed the "install.sh" script when you first unpacked BFD? If yes, then that script should have installed a cron job script: "/etc/cron.d/bfd". That script executes BFD every 8 minutes and you'll get all the protection you need

Once a rule hits the an attacker, you'll also get an email (if you've modifed the conf.bfd and set an email address).

[elflaco]

Its simple. Have you executed the "install.sh" script when you first unpacked BFD? If yes, then that script should have installed a cron job script: "/etc/cron.d/bfd". That script executes BFD every 8 minutes and you'll get all the protection you need

Once a rule hits the an attacker, you'll also get an email (if you've modifed the conf.bfd and set an email address).

Ran the script, made the changes, and also edited the conf.bfd file at /usr/local/bfd/conf.bfd to include the email address.

The MAILTO line in the cron job is blank, though.

Is that normal?

[thisisit3]

Ran the script, made the changes, and also edited the conf.bfd file at /usr/local/bfd/conf.bfd to include the email address.
The MAILTO line in the cron job is blank, though.
Is that normal?

If you want to see what BFD is doing, just look at the log file (/var/log/bfd_log by default). Please remember the rules are set to hit very blunt attacks, in order to work for all types of servers.

The MAILTO should either be removed or set to something. If its removed, then the default mailto setting will apply (the default is set in /etc/crontab and its usualy set to 'root').

[thisisit3]

I've uploaded the latest rules, these include apache exploit detection. The script checks for attacks on the server from bots scanning for remote vulnerabilities (exploits) in common (and uncommon) software. The script checks for over 25 different attacks, including invalid request method vulnerabilities, bot scans and others.

Since these are rather important, the "trigger" counter is set to 1, which means even one such entry in the logs will block the IP address of the attacker.

[thisisit3]

Uploaded new version of the BFD rules.

I've added MANY new apache exploits, which should help block script scanning. Also updated some of the other scripts (sshd for example) and done some bug fixing.

[chrismfz]

Hello, I am running bfd 0.9 (or maybe I'm trying to) and I get this output on fresh install
(I think its not bfd's fault)

[root@sky bfd]# bfd -s
BFD version 0.9 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

Scanning apache log...
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
/usr/local/bfd/pattern.auth: line 1: failed: command not found
/usr/local/bfd/pattern.auth: line 2: no: command not found
/usr/local/bfd/pattern.auth: line 3: failed: command not found
/usr/local/bfd/pattern.auth: line 4: authentication: command not found
/usr/local/bfd/pattern.auth: line 5: authentication: command not found
/usr/local/bfd/pattern.auth: line 6: not: command not found
/usr/local/bfd/pattern.auth: line 7: invalid: command not found
/usr/local/bfd/pattern.auth: line 8: illegal: command not found

It tries to execute a grep and it fails:
grep: option requires an argument -- f
Usage: grep [OPTION]... PATTERN [FILE]...

pressing Control-C
and giving a ps aux I get one extra weird line
each time I run bfd
root 10050 0.0 0.0 2164 468 pts/2 S 01:28 0:00 /bin/sh ./bfd -s
root 10062 0.0 0.0 2164 640 pts/2 S 01:28 0:00 /bin/sh ./bfd -s
root 10073 0.0 0.0 2044 508 pts/2 T 01:28 0:00 login
(login?)

Anyway, I'll try to remove everything it has to do with bfd
and try re installing from scratch to see what will happen,

But, do you have any comments on this... ?

Regards,
Chris