BFD is set to block an address after more than 10 failed attempts; it should then be adding the IP address to the iptables ban list, but it is not. I need this to work for POP3, SMTP, IMAP4 and IMAP4-SSL. Can you advise why it is not working?
more conf.bfd
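#!/bin/sh
#
# BFD 1.5-2 [bfd@r-fx.org]
# Copyright (C) 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# Main BFD configuration. Every setting is a plain shell assignment that the
# bfd script reads when it sources this file; per-service rules under
# $RULES_PATH may override TRIG (and SKIP_ALERT) for one service.
#
# NOTE: This file should be edited with word/line wrapping off,
# if you are using pico please start it with the -w switch.
# (e.g: pico -w filename)
# A wrapped line splits an assignment -- or a rule's search pattern --
# across two lines and silently breaks it.
#
# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
# The count is per source address and is built from the failure lines a
# rule's ARG_VAL pipeline extracts; an address that pipeline never matches
# is never counted, however many attempts it makes.
TRIG="10"
# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="0"
# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="root"
# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"
# executable command to block attacking hosts
# Bans go through APF (/etc/apf/apf -d), not through iptables directly: the
# address is added to APF's deny list and only reaches iptables when APF is
# installed and running. If /etc/apf/apf is missing or APF is stopped, no
# iptables rule will appear even though the rule triggered.
# NOTE(review): $ATTACK_HOST and $MOD are inside double quotes, so they
# expand at the moment this file is sourced; presumably the bfd script sets
# them before evaluating the command -- confirm in the bfd script if bans
# are logged but the command runs with an empty address.
BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"
######
# You should not need to edit any options below this line
######
# installation path
INSTALL_PATH="/usr/local/bfd"
# rule files path
RULES_PATH="$INSTALL_PATH/rules"
# track log script path (each rule hands it a log file, LP, and a tag,
# TLOG_TF -- see the rule files)
TLOG_PATH="$INSTALL_PATH/tlog"
# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"
# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"
# bfd application log path -- first place to check when a ban is expected
# but does not happen
BFD_LOG_PATH="/var/log/bfd_log"
# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"
# log file path for syslog logging (same file as KERNEL_LOG_PATH)
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"
# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"
# contains list of files to search for addresses that are excluded from bans
# -- an attacking address covered by one of those files is never banned, so
# check the exclude list before suspecting the rules
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"
# grab the local time zone
TIME_ZONE=$(date +"%z")
# grab the local unix time
TIME_UNIX=$(date +"%s")
# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"
# lock file timeout (presumably seconds; a stale lock older than this is
# ignored -- confirm in the bfd script)
LOCK_FILE_TIMEOUT="7200"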
dir
asterisk_badauth courier exim_authfail openvpnas pure-ftpd sendmail vsftpd
asterisk_iax cpanel exim_nxuser postfix rh_imapd sshd vsftpd2
asterisk_nopeer dovecot modsec proftpd rh_ipop3d vpopmail
[root@fwh rules]# more postfix
# Rule: postfix SMTP authentication failures (SASL LOGIN / SASL PLAIN).
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (uncommented here, but equal to the conf.bfd default of 10)
TRIG="10"
# file must exist for rule to be active
# -- a wrong path silently disables the rule; nothing is logged about it
REQ="/usr/sbin/postfix"
if [ -f "$REQ" ]; then
# ports this rule covers
PORTS="25,26"
# log file the track-log script reads for this rule
# NOTE(review): this is the only rule reading /var/log/mail.log; the
# dovecot and courier rules read /var/log/maillog, and conf.bfd uses the
# RHEL-style /var/log/secure and /var/log/messages. If postfix on this host
# actually logs to /var/log/maillog, tlog sees no lines and no SMTP ban can
# ever fire -- confirm which file receives the SASL warning messages.
LP="/var/log/mail.log"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="postfix"
## Postfix dictionary attacks
# Output: one client address per SASL failure line. Only lines containing an
# IPv4 address survive the grep (IPv6 clients are never counted); awk takes
# the third '['-delimited field and tr strips letters, square brackets and
# colons from it.
# NOTE(review): the egrep pattern is shown split mid-word
# ("authenticatio" / "n failed:"). If that newline is really in the file
# rather than 'more' wrapping the display (see the line-wrapping NOTE in
# conf.bfd), the pattern contains a newline and never matches anything.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep -w "SASL LOGIN authentication failed:|SASL PLAIN authenticatio
n failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '[' '{ print $3 }' | tr -d '[a-z][A-Z]\[\]\:'`
fi
[root@fwh rules]#
more dovecot
# Rule: dovecot IMAP/POP3 login failures.
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (left commented, so the conf.bfd TRIG value applies)
# TRIG="30"
# uncomment to disable alerting for this rule
# SKIP_ALERT="1"
# file must exist for rule to be active
# -- a wrong path silently disables the rule; nothing is logged about it
REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
# ports this rule covers (same set as the courier rule; whichever REQ
# exists on the host is the rule that counts IMAP/POP3 failures)
PORTS="110,143,993,995"
# log file the track-log script reads for this rule
LP="/var/log/maillog"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="dovecot"
## DOVECOT IMAP/POP3
# Output: "ip:user" per failed login. The first egrep admits several failure
# phrases, but the sed address '/auth failed/' then prints only lines that
# contain "auth failed" and also carry user=<...> and rip=..., and the last
# egrep keeps only IPv4 addresses. "Authentication failure", "Aborted login"
# and "tried to use disabled" lines without "auth failed" are therefore
# matched and then dropped, and IPv6 clients are never counted.
# NOTE(review): the pattern is shown split mid-word ("Aborte" / "d login")
# and the sed script split right after a backslash. If those newlines are
# really in the file rather than 'more' wrapping the display (see the
# line-wrapping NOTE in conf.bfd), both regexes are broken and nothing is
# extracted.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep '(imap|pop3)-login.*(Authentication failure|auth failed|Aborte
d login|ried to use disabled)' | egrep -v 'no auth attempts' | sed -n -e '/auth failed/s/.*user=<\(.*\)>.*rip=\
([^ ]*\),.*/\2:\1/p' | egrep '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:.*$'`
fi
[root@fwh rules]#
more courier
# Rule: courier IMAP/POP3 login failures.
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (left commented, so the conf.bfd TRIG value applies)
# TRIG="10"
# uncomment to disable alerting for this rule
# SKIP_ALERT="1"
# file must exist for rule to be active
# -- the file is looked up at this exact path; if couriertcpd lives
# elsewhere on this host the rule is silently inactive
REQ="/usr/lib/courier-imap/libexec/couriertcpd"
if [ -f "$REQ" ]; then
# ports this rule covers (same set as the dovecot rule; whichever REQ
# exists on the host is the rule that counts IMAP/POP3 failures)
PORTS="110,143,993,995"
# log file the track-log script reads for this rule
LP="/var/log/maillog"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="courier"
## courier imap|pop3
# Output: "host:user" per "LOGIN FAILED" line. The leading sed drops the
# ::ffff: prefix of IPv4-mapped IPv6 addresses so the IPv4 egrep still
# matches (plain IPv6 clients are never counted); '=' becomes a space so
# "user=" and "ip=" fields split into words; the second sed takes the word
# after "user " and the last space-separated word of the line; tr removes
# brackets and commas.
# NOTE(review): the pipeline is shown broken before "| sed -n". If that
# newline is really in the file rather than 'more' wrapping the display
# (see the line-wrapping NOTE in conf.bfd), the command substitution is
# malformed and the rule extracts nothing.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | egrep '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr '=' ' '
| sed -n -e '/LOGIN FAILED/s/.*user \([^ ]*\)\(.*\) \([^ ]*\).*/\3:\1/p' | tr -d '[],'`
fi
[root@fwh rules]#
more conf.bfd
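#!/bin/sh
#
# BFD 1.5-2 [bfd@r-fx.org]
# Copyright (C) 1999-2014, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2014, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# Main BFD configuration. Every setting is a plain shell assignment that the
# bfd script reads when it sources this file; per-service rules under
# $RULES_PATH may override TRIG (and SKIP_ALERT) for one service.
#
# NOTE: This file should be edited with word/line wrapping off,
# if you are using pico please start it with the -w switch.
# (e.g: pico -w filename)
# A wrapped line splits an assignment -- or a rule's search pattern --
# across two lines and silently breaks it.
#
# how many failure events must an address have before being blocked?
# you can override this on a per rule basis in /usr/local/bfd/rules/
# The count is per source address and is built from the failure lines a
# rule's ARG_VAL pipeline extracts; an address that pipeline never matches
# is never counted, however many attempts it makes.
TRIG="10"
# send email alerts for all events [0 = off; 1 = on]
EMAIL_ALERTS="0"
# local user or email address alerts are sent to (separate multiple with comma)
EMAIL_ADDRESS="root"
# subject of email alerts
EMAIL_SUBJECT="Brute Force Warning for $HOSTNAME"
# executable command to block attacking hosts
# Bans go through APF (/etc/apf/apf -d), not through iptables directly: the
# address is added to APF's deny list and only reaches iptables when APF is
# installed and running. If /etc/apf/apf is missing or APF is stopped, no
# iptables rule will appear even though the rule triggered.
# NOTE(review): $ATTACK_HOST and $MOD are inside double quotes, so they
# expand at the moment this file is sourced; presumably the bfd script sets
# them before evaluating the command -- confirm in the bfd script if bans
# are logged but the command runs with an empty address.
BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"
######
# You should not need to edit any options below this line
######
# installation path
INSTALL_PATH="/usr/local/bfd"
# rule files path
RULES_PATH="$INSTALL_PATH/rules"
# track log script path (each rule hands it a log file, LP, and a tag,
# TLOG_TF -- see the rule files)
TLOG_PATH="$INSTALL_PATH/tlog"
# syslog kernel log path
KERNEL_LOG_PATH="/var/log/messages"
# syslog auth log path
AUTH_LOG_PATH="/var/log/secure"
# bfd application log path -- first place to check when a ban is expected
# but does not happen
BFD_LOG_PATH="/var/log/bfd_log"
# log all events to syslog [0 = off; 1 = on]
OUTPUT_SYSLOG="1"
# log file path for syslog logging (same file as KERNEL_LOG_PATH)
OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"
# template of the email message body
EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"
# contains list of files to search for addresses that are excluded from bans
# -- an attacking address covered by one of those files is never banned, so
# check the exclude list before suspecting the rules
IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"
# grab the local time zone
TIME_ZONE=$(date +"%z")
# grab the local unix time
TIME_UNIX=$(date +"%s")
# lock file path
LOCK_FILE="$INSTALL_PATH/lock.utime"
# lock file timeout (presumably seconds; a stale lock older than this is
# ignored -- confirm in the bfd script)
LOCK_FILE_TIMEOUT="7200"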
dir
asterisk_badauth courier exim_authfail openvpnas pure-ftpd sendmail vsftpd
asterisk_iax cpanel exim_nxuser postfix rh_imapd sshd vsftpd2
asterisk_nopeer dovecot modsec proftpd rh_ipop3d vpopmail
[root@fwh rules]# more postfix
# Rule: postfix SMTP authentication failures (SASL LOGIN / SASL PLAIN).
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (uncommented here, but equal to the conf.bfd default of 10)
TRIG="10"
# file must exist for rule to be active
# -- a wrong path silently disables the rule; nothing is logged about it
REQ="/usr/sbin/postfix"
if [ -f "$REQ" ]; then
# ports this rule covers
PORTS="25,26"
# log file the track-log script reads for this rule
# NOTE(review): this is the only rule reading /var/log/mail.log; the
# dovecot and courier rules read /var/log/maillog, and conf.bfd uses the
# RHEL-style /var/log/secure and /var/log/messages. If postfix on this host
# actually logs to /var/log/maillog, tlog sees no lines and no SMTP ban can
# ever fire -- confirm which file receives the SASL warning messages.
LP="/var/log/mail.log"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="postfix"
## Postfix dictionary attacks
# Output: one client address per SASL failure line. Only lines containing an
# IPv4 address survive the grep (IPv6 clients are never counted); awk takes
# the third '['-delimited field and tr strips letters, square brackets and
# colons from it.
# NOTE(review): the egrep pattern is shown split mid-word
# ("authenticatio" / "n failed:"). If that newline is really in the file
# rather than 'more' wrapping the display (see the line-wrapping NOTE in
# conf.bfd), the pattern contains a newline and never matches anything.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep -w "SASL LOGIN authentication failed:|SASL PLAIN authenticatio
n failed:" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk -F '[' '{ print $3 }' | tr -d '[a-z][A-Z]\[\]\:'`
fi
[root@fwh rules]#
more dovecot
# Rule: dovecot IMAP/POP3 login failures.
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (left commented, so the conf.bfd TRIG value applies)
# TRIG="30"
# uncomment to disable alerting for this rule
# SKIP_ALERT="1"
# file must exist for rule to be active
# -- a wrong path silently disables the rule; nothing is logged about it
REQ="/usr/sbin/dovecot"
if [ -f "$REQ" ]; then
# ports this rule covers (same set as the courier rule; whichever REQ
# exists on the host is the rule that counts IMAP/POP3 failures)
PORTS="110,143,993,995"
# log file the track-log script reads for this rule
LP="/var/log/maillog"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="dovecot"
## DOVECOT IMAP/POP3
# Output: "ip:user" per failed login. The first egrep admits several failure
# phrases, but the sed address '/auth failed/' then prints only lines that
# contain "auth failed" and also carry user=<...> and rip=..., and the last
# egrep keeps only IPv4 addresses. "Authentication failure", "Aborted login"
# and "tried to use disabled" lines without "auth failed" are therefore
# matched and then dropped, and IPv6 clients are never counted.
# NOTE(review): the pattern is shown split mid-word ("Aborte" / "d login")
# and the sed script split right after a backslash. If those newlines are
# really in the file rather than 'more' wrapping the display (see the
# line-wrapping NOTE in conf.bfd), both regexes are broken and nothing is
# extracted.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | egrep '(imap|pop3)-login.*(Authentication failure|auth failed|Aborte
d login|ried to use disabled)' | egrep -v 'no auth attempts' | sed -n -e '/auth failed/s/.*user=<\(.*\)>.*rip=\
([^ ]*\),.*/\2:\1/p' | egrep '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:.*$'`
fi
[root@fwh rules]#
more courier
# Rule: courier IMAP/POP3 login failures.
# Sourced by bfd; sets PORTS, LP, TLOG_TF and ARG_VAL only when REQ exists.
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
# (left commented, so the conf.bfd TRIG value applies)
# TRIG="10"
# uncomment to disable alerting for this rule
# SKIP_ALERT="1"
# file must exist for rule to be active
# -- the file is looked up at this exact path; if couriertcpd lives
# elsewhere on this host the rule is silently inactive
REQ="/usr/lib/courier-imap/libexec/couriertcpd"
if [ -f "$REQ" ]; then
# ports this rule covers (same set as the dovecot rule; whichever REQ
# exists on the host is the rule that counts IMAP/POP3 failures)
PORTS="110,143,993,995"
# log file the track-log script reads for this rule
LP="/var/log/maillog"
# tag passed to tlog together with $LP (presumably identifies the tracked
# read position for this rule -- confirm in $TLOG_PATH)
TLOG_TF="courier"
## courier imap|pop3
# Output: "host:user" per "LOGIN FAILED" line. The leading sed drops the
# ::ffff: prefix of IPv4-mapped IPv6 addresses so the IPv4 egrep still
# matches (plain IPv6 clients are never counted); '=' becomes a space so
# "user=" and "ip=" fields split into words; the second sed takes the word
# after "user " and the last space-separated word of the line; tr removes
# brackets and commas.
# NOTE(review): the pipeline is shown broken before "| sed -n". If that
# newline is really in the file rather than 'more' wrapping the display
# (see the line-wrapping NOTE in conf.bfd), the command substitution is
# malformed and the rule extracts nothing.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | egrep '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr '=' ' '
| sed -n -e '/LOGIN FAILED/s/.*user \([^ ]*\)\(.*\) \([^ ]*\).*/\3:\1/p' | tr -d '[],'`
fi
[root@fwh rules]#