On Sat, 26 Sep 2009, Israel Garcia <igalva...@gmail.com> writes:

> I've downloaded BFD (Brute Force Detection) from
> http://www.rfxn.com/?page_id=51 and installed it on a Debian lenny server,
> and everything seems to be working fine. BFD is working with APF and there
> are a lot of scanning IPs blocked in the /etc/apf/deny_hosts.rules file.
> BUT there are a lot of failed-authentication IP addresses that BFD does
> not see. I think it's a config problem in the sshd rule. This is the BFD
> sshd rule I'm using:
>
> REQ="/usr/sbin/sshd"
>
> if [ -f "$REQ" ]; then
>  LP="$AUTH_LOG_PATH"
>  TLOG_TF="sshd"
>  TMP="/usr/local/bfd/tmp"
>
>  ## SSHD
>  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/sshd/s/.*user \(.*\) from \([^ ]*\).*/\2:\1/p'`
> fi
>
> I've searched Google and I'm unable to find new BFD rules for Debian
> lenny.
> My question is:
>
> Does anybody have a new BFD sshd rule for Debian lenny?
Why not use something similar to the iptables rules below?

#!/bin/bash
#
# /etc/network/if-up.d/bfa-protection - Start iptables protection against
# brute-force attacks.
#

# Skip loopback interface.
[ "$IFACE" = "lo" ] && exit 0

/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

You can also introduce a "-j LOG" rule for persistence of the tracked attacks.

Regards.
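A quick way to check what the posted BFD sshd rule actually extracts is to run its sed pipeline over a handful of auth.log lines. The script below is an added example, not code from either poster or from the BFD project. The log lines are constructed (made-up host, users and addresses) in the shapes OpenSSH writes for a rejected login: "Failed <method> for invalid user NAME from IP ...", "Failed <method> for NAME from IP ..." and "Invalid user NAME from IP". The read_log function stands in for BFD's "$TLOG_PATH $LP $TLOG_TF"; the stricter sed script in fixed_rule is a suggestion of mine, not the rule shipped with BFD. The posted expression requires the literal word "user" before the account name, so a failure for an account that exists (root, or any real login) never matches it; the example makes that visible by listing the entries only the stricter rule finds.

```shell
#!/bin/sh
# Added example (not from the original thread): run the posted BFD sshd sed
# pipeline, and a stricter variant, over constructed auth.log lines and show
# which failed logins each one extracts as IP:user.

# Constructed sample lines in the format OpenSSH on Debian lenny writes to
# /var/log/auth.log. Hostname, users and addresses are made up.
SAMPLE_LOG='Sep 26 10:00:01 lenny sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Sep 26 10:00:02 lenny sshd[1235]: Invalid user oracle from 203.0.113.6
Sep 26 10:00:03 lenny sshd[1236]: Failed password for root from 198.51.100.7 port 5555 ssh2
Sep 26 10:00:04 lenny sshd[1237]: Failed password for bob from ::ffff:198.51.100.8 port 5556 ssh2
Sep 26 10:00:05 lenny sshd[1238]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2
Sep 26 10:00:06 lenny cron[999]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Stand-in for "$TLOG_PATH $LP $TLOG_TF" in the real rule (assumption: BFD's
# tlog hands the pipeline the new part of the log). Here we feed the sample.
read_log() {
	printf '%s\n' "$SAMPLE_LOG"
}

# The pipeline exactly as posted. Its sed expression only matches lines that
# contain the literal word "user", i.e. the "invalid user"/"Invalid user"
# variants; failures for existing accounts carry no such word.
orig_rule() {
	read_log | sed -e 's/::ffff://' \
		| grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
		| sed -n -e '/sshd/s/.*user \(.*\) from \([^ ]*\).*/\2:\1/p'
}

# Suggested stricter variant: one substitution per message shape, each
# followed by "t" so a matched line is printed once and not re-examined.
# "Accepted ..." lines match none of the three and are never counted.
fixed_rule() {
	read_log | sed -e 's/::ffff://' \
		| grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
		| sed -n -e '/sshd/{
s/.*Failed [^ ]* for invalid user \([^ ]*\) from \([^ ]*\).*/\2:\1/p
t
s/.*Failed [^ ]* for \([^ ]*\) from \([^ ]*\).*/\2:\1/p
t
s/.*Invalid user \([^ ]*\) from \([^ ]*\).*/\2:\1/p
}'
}

# Entries the stricter rule extracts that the posted rule does not (exact,
# whole-line comparison so "1.2.3.4:bob" is not confused with "11.2.3.4:bob").
missed_by_orig() {
	orig=$(orig_rule)
	fixed_rule | while IFS= read -r entry; do
		if ! printf '%s\n' "$orig" | grep -qxF -- "$entry"; then
			printf '%s\n' "$entry"
		fi
	done
}

echo "== posted rule =="
orig_rule
echo "== stricter rule =="
fixed_rule
echo "== missed by posted rule =="
missed_by_orig
```

To try it against a real lenny host instead of the sample, replace the body of read_log with the tlog call from the rule (or plain "cat /var/log/auth.log" for a one-off run) and compare the two outputs; any IP:user pair listed under "missed by posted rule" is a failed login BFD was never shown. The `[^ ]*` after "Failed" is deliberate: it covers "password", "publickey", "none" and "keyboard-interactive/pam" alike, and the `s/::ffff://` from the original is kept so IPv4-mapped addresses still come out as plain dotted quads.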