Brute Force Detection (Linux/BSD)
Rob from HSpherePackages.com just release a nice BFD script, which allows for automatic banning of the attacking IP
The script can work both in Linux and FreeBSD (probably can work on other flavors of BSD as well)
I keep a mirrored copy for download [HERE]
Read more for instructions
Here is the post he made when he released it .. including instructions/info:
1) Download the package
2) untar/gzip the package
3) change directories to the untared dir
4) run the installation script (eg: ./install)
5) read the questions and answer them
6) setup a crontab for the system. the name of the binary is hspherebfd.
My Mini F.A.Q.:
Q: Has this been tested on freebsd and linux?
A: Yes! I have tested it on freebsd and our very own Carlos and Tracy have tested the system on linux. None of these systems needed any modifications to the scripts to work.
Q: What does the script cost?
A: I am releasing it for free. I normally charge for my scripts/software via hspherepackages.com however this one is going to be free.
Q: Why is it free?
A: because i feel like it. Sounds good doesnt it?
Q: Who is going to support it?
A: no one. I will write more rule files as I see a need for them and hope others will too. Its a simple script and shouldn’t need much support. If you have a question, ask the community here I am sure someone else has tried it and is willing to answer.
Q: Where can I get the software?
A: Keep reading. I will eventually post it on hspherepackages.com as a free package however I don’t have the time now. Not a high priority. When it is posted on hspherepackages.com I will write a manual page for it too.
Q: Who can I call when I lock myself out of my server?
A: Someone besides me. Be careful with the auto blocking as you *CAN* lock yourself out if you are not careful. There is a whitelist file, you might want to add your IP in there to be safe.
Q: What should my crontab look like?
A: Ugh. This depends on how often you want the system to check. The default in the rules files is 5 failures before a person is concidered an attacker. So if you wanted it to be 5 failures in 1 minute it would look something like this:
* * * * * /usr/local/bin/hspherebfd >> /dev/null
The config File:
$instdir – The installation directory for the configuration. Everything (except the binary/script if you installed it elsewhere) should be in this DIR.
$rules – The directory where the rules are stored. Don’t touch it as it probably is correct.
$excluded – the path to the file that contains the whitelist of IP’s that the system will*NOT* block.
$notify – set to “1” to recieve emails when the system finds something, set to “0” to turn the emails off.
$email – The email address to send the emails too.
$autoblock – Turn on the firewall autoblocking? 0 = no and 1 = yes.
$block_cmd – The command to run if autoblocking is turned on. The work “attacker” will be replaced with the attackers IP address.
$email_subject – The subject of the email when it is sent.
for an IPTABLES based setup, I personally changed the $block_cmd to:
$block_cmd=”iptables -I INPUT -s attacker -j DROP”;
To make it work on a non Hsphere server, you will have to edit the error_log (apache) path on /%cfgpath/bfd/rules/apache