Jeff
08-03-2005, 01:08 PM
Over the past several years brute force attacks against Internet servers have become more and more commonplace, and the number of successful intrusions as a result has greatly increased. The consequences of a successful brute force attack against your server can be quite severe: an infestation of spammers and phishers, your personal data being snooped, and your host being used to further attack other sites. The folks over at www.rfxnetworks.com have released a utility called BFD - Brute Force Detection - which will comb through your log files at a specified interval looking for signs of brute force attempts by malicious people. From the rfxnetworks.com website:
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and
likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans.
Here at Myriad Network, we have enhanced BFD to work with our VPS solutions, with the focus being in ease of installation with little to no upkeep. Although this thread is somewhat long, the process of downloading and installing BFD can be done in under a minute with very little user interaction.
(Skip ahead to the "INSTALLING BFD" section near the bottom if you are not concerned with the technical details)
Q. What changes have you made to BFD?
A. The core of BFD is still the same, and the changes are rather minimal and simplistic. The first change that was made wasn't really a change to BFD, but the addition of a customized installer. From the custom installer:
#!/bin/sh
# Installation wrapper for BFD 0.8 - http://www.rfxnetworks.com/bfd.php
# Please send questions / comments to jeff [ at ] myriadnetwork.com
#
# Dependencies:
# 1. User must be root to run this
# 2. bfd-VPS-current.tar.gz must exist in the same directory as this installer
# 3. /sbin/iptables must exist
# 4. User must have a writable /home/user/.bashrc
1. You already need to be root to install the default BFD (url to this is below).
2. bfd-VPS-current.tar.gz is the customized version of BFD for our VPS users.
3. /sbin/iptables should already exist on your host per the default setup.
4. /home/user/.bashrc should already exist on your host, per the default setup. This also assumes your login shell is /bin/bash (which is the default).
After installing the customized version of BFD, every time you log into your VPS, your IP address will be obtained and added to the file /usr/local/bfd/ignore.hosts. The ignore.hosts file is BFD's way of making sure that you are never locked out of your own host. The custom installer adds the following lines to your ~/.bashrc so that /usr/local/bfd/ignore.hosts is updated every time you log in:
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; keep the client IP
export UPDATEIGNORE=`env | grep SSH_CONNECTION | cut -d = -f 2 | cut -d " " -f 1`
# rewrite ignore.hosts with localhost plus the address you are logging in from
echo 127.0.0.1 > /usr/local/bfd/ignore.hosts
echo $UPDATEIGNORE >> /usr/local/bfd/ignore.hosts
Thus, the only host that will be immune to brute force attempts (aside from 127.0.0.1, which is a default BFD setting), will be you!
Q. But I'm not going to brute force my own host, why is this necessary?
A. If you attempt to log in, say via ssh, and fail to enter the correct password several times, BFD will block you for 10 minutes. Thus, by having your IP address in the ignore.hosts file, you will not have to worry about this happening.
Q. I can see how this is useful for those users whose IP address doesn't change, but mine changes often!
A. You are allowed to attempt to log in several times before BFD blocks you. If your IP address changes and you fail to log in multiple times, simply wait 10 - 11 minutes and you will be able to attempt to log in again.
Q. What else has been changed?
A. By default, BFD uses something else they wrote called APF (Advanced Policy Firewall) to deny traffic from malicious hosts on the Internet. Since we want to make installing BFD as painless as possible (the install process takes less than 2 seconds, add a couple more for you to type in your username, and that's it!) we use the default Linux firewall - iptables. This change can be found in /usr/local/bfd/conf.bfd, specifically the line that starts with BCMD (the Ban Command):
BCMD="/sbin/iptables -I INPUT -p tcp -s $ATT_HOST -d 0/0 -j DROP"
The only other change made was a function for lifting the ban after 10 minutes. This can be found in the file /usr/local/bfd/bfd:
liftban() {
# write a one-shot script that waits 10 minutes, removes the exact rule BCMD inserted, then deletes itself
cat >/usr/local/bfd/bfd-unban$$.sh << EOF
sleep 600
/sbin/iptables -D INPUT -p tcp -s $ATT_HOST -d 0/0 -j DROP 2>/dev/null
rm -f /usr/local/bfd/bfd-unban$$.sh
EOF
# run it in the background so the BFD scan itself is not held up for the 600 seconds
sh /usr/local/bfd/bfd-unban$$.sh &
}
INSTALLING BFD
Q. Ok so how do I install this version of BFD?
A. Place the following 2 files on your VPS in any directory of your choice:
http://web.myriadnetwork.com/bfd-VPS-installer.sh
http://web.myriadnetwork.com/bfd-VPS-current.tar.gz
You can download these files directly from your VPS via wget or curl (i.e.: wget web.myriadnetwork.com/bfd-VPS-installer.sh).
The current md5sums (as of 8/03/2005) for the files are:
92511b8091c7fea9c922e3617835a1c8 bfd-VPS-current.tar.gz
49b6a472d5731cd4cc4de71a7cf106ec bfd-VPS-installer.sh
To view the md5sums yourself - which is highly recommended - simply run the following commands:
$ md5sum bfd-VPS-current.tar.gz
92511b8091c7fea9c922e3617835a1c8 bfd-VPS-current.tar.gz
$ md5sum bfd-VPS-installer.sh
49b6a472d5731cd4cc4de71a7cf106ec bfd-VPS-installer.sh
Q. I have the files on my VPS, now what?
A.
1. su to root (just type "su" at the command line and enter your password).
2. Type: sh bfd-VPS-installer.sh
3. Enter your username (not root) when prompted.
4. That's it!
Q. How do I know that BFD is working / how do I see who has been blocked?
A. The BFD log files are stored in /var/log, as bfd_log, bfd_log.1, bfd_log.2, and so on. The following is an example of a host that tried to log in via sshd too many times, and the resulting block via iptables:
Aug 02 13:35:01 myriad BFD(19790): {sshd} 192.168.0.2 exceeded login failures; executed ban command '/sbin/iptables -I INPUT -p tcp -s 192.168.0.2 -d 0/0 -j DROP'.
Q. What other services can BFD detect brute force attacks against besides sshd?
A. Apache, IMAP, Pure-FTPD, and POP3.
Q. Are there any other precautions I can take to avoid brute force and other attacks against sshd?
A. Yes, mainly running sshd on a different port than the default, amongst other things. For more information, go here:
http://www.myriadnetwork.com/forum/showthread.php?t=26
If you have any questions or comments, feel free to reply here, email me direct - jeff [ at ] myriadnetwork.com - or open a support ticket via our helpdesk.
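The following is an added example, not code from Jeff's post or from BFD itself, showing the detection logic the post describes in miniature: count sshd "Failed password" lines per source address, skip any address listed in an ignore.hosts-style file, and emit the same iptables ban command that BCMD would run for every host at or over the threshold. The log lines, the ignore list and the threshold of 5 are constructed for the example; the commands are printed rather than executed so it can be run safely on any box.

```shell
#!/bin/sh
# Added example (not BFD's code): a dry-run log scan in the style of BFD.

# Constructed sample sshd log lines (not from a real host).
SAMPLE_LOG='Aug 02 13:30:01 myriad sshd[19701]: Failed password for root from 192.168.0.2 port 4432 ssh2
Aug 02 13:30:03 myriad sshd[19702]: Failed password for invalid user admin from 192.168.0.2 port 4433 ssh2
Aug 02 13:30:05 myriad sshd[19703]: Failed password for root from 192.168.0.2 port 4434 ssh2
Aug 02 13:30:07 myriad sshd[19704]: Failed password for root from 192.168.0.2 port 4435 ssh2
Aug 02 13:30:09 myriad sshd[19705]: Failed password for root from 192.168.0.2 port 4436 ssh2
Aug 02 13:31:00 myriad sshd[19706]: Failed password for jeff from 10.0.0.5 port 5000 ssh2
Aug 02 13:31:02 myriad sshd[19707]: Failed password for jeff from 10.0.0.5 port 5001 ssh2
Aug 02 13:31:04 myriad sshd[19708]: Failed password for jeff from 10.0.0.5 port 5002 ssh2
Aug 02 13:31:06 myriad sshd[19709]: Failed password for jeff from 10.0.0.5 port 5003 ssh2
Aug 02 13:31:08 myriad sshd[19710]: Failed password for jeff from 10.0.0.5 port 5004 ssh2
Aug 02 13:32:00 myriad sshd[19711]: Accepted password for jeff from 10.0.0.5 port 5005 ssh2
Aug 02 13:33:00 myriad sshd[19712]: Failed password for root from 172.16.1.9 port 6000 ssh2'

# Constructed ignore list in the ignore.hosts format (one address per line):
# localhost, plus the address the admin is logging in from.
SAMPLE_IGNORE='127.0.0.1
10.0.0.5'

# failed_sshd_counts: read log lines on stdin, print "<count> <ip>" per source address.
failed_sshd_counts() {
    grep 'sshd\[[0-9]*\]: Failed password' |
    sed 's/.* from \([0-9.]*\) port .*/\1/' |
    sort | uniq -c | awk '{print $1, $2}'
}

# offenders THRESHOLD IGNORE_TEXT: print each address with at least THRESHOLD
# failures that is not listed in IGNORE_TEXT. Log lines come on stdin.
offenders() {
    threshold=$1
    ignore=$2
    failed_sshd_counts | while read count ip; do
        [ "$count" -ge "$threshold" ] || continue
        # -x matches the whole line, -F treats the dots literally
        if printf '%s\n' "$ignore" | grep -qxF "$ip"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}

# ban_command IP: the rule BFD's BCMD setting would run, printed rather than executed.
ban_command() {
    printf '/sbin/iptables -I INPUT -p tcp -s %s -d 0/0 -j DROP\n' "$1"
}

# scan_sample: run the pipeline over the constructed log with a threshold of 5
# and print the ban command for every offender.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | offenders 5 "$SAMPLE_IGNORE" | while read ip; do
        ban_command "$ip"
    done
}

scan_sample
```

Run as-is it prints one line, the DROP rule for 192.168.0.2: that host has five failures and is not ignored, 10.0.0.5 has five failures but is on the ignore list (which is exactly the lockout the .bashrc snippet in the post prevents), and 172.16.1.9 has only one. Replacing the printf in ban_command with a real call to iptables, and adding the delayed unban from liftban, is what turns this into the behaviour BFD provides.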