
How to install BFD (Brute Force Detection) on Linux


BFD (Brute Force Detection) is a script that runs on your Linux server and scans log files for authentication errors. When it sees recurring authentication failures from a certain IP address, it instructs APF (Advanced Policy Firewall) to block that IP address.

It’s simple to configure; just make sure you have APF running before you continue. Let’s download it:


Now extract it:

[root@VPS1 ~]# tar -xzvf bfd-current.tar.gz


Open the folder:

[root@VPS1 ~]# cd bfd-1.5/


Now we can install it:

[root@VPS1 bfd-1.5]# ./install.sh


After installation we can edit the BFD configuration file:

[root@VPS1 bfd-1.5]# vim /usr/local/bfd/conf.bfd


Make sure you enable e-mail notifications:

EMAIL_ALERTS="1"


And configure your e-mail address:

EMAIL_ADDRESS="my@mailaddress.com"


It’s also a good idea to configure BFD to ignore your own IP address so you don’t lock yourself out. Just add your IP address (one address per line) to the following file:

[root@VPS1 bfd]# vim /usr/local/bfd/ignore.hosts


If you want to run BFD manually, use the following command:

[root@VPS1 bfd]# bfd -s


It will also run automatically thanks to a cron job:

[root@VPS1 bfd]# vim /etc/cron.d/bfd
*/3 * * * * root /usr/local/sbin/bfd -q


By default the cron job runs the script every 3 minutes to check your log files. When BFD finds something, it instructs APF to block the IP address and you’ll receive an e-mail that looks like this:

The following is a summary event for exceeded login failures on VPS1.RMCSHOSTING.NL:
SOURCE ADDRESS: 20.20.20.2
TARGET SERVICE: proftpd
FAILED LOGINS: 15
EXECUTED COMMAND: /etc/apf/apf -d 20.20.20.2 {bfd.proftpd}
SOURCE LOGS FROM SERVICE 'proftpd' (GMT +0200):
Apr 19 02:13:30 VPS1 proftpd[15133]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 02:41:30 VPS1 proftpd[17222]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 03:10:32 VPS1 proftpd[19741]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21


As you can see, it has discovered a number of failed authentications for proftpd and instructed APF to block the IP address.
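To make the detection logic concrete, here is an added example (not BFD's own code) that does by hand what BFD's proftpd rule does: it counts failed logins per source IP in proftpd-style log lines, applies a threshold, and skips addresses listed in an ignore.hosts-style whitelist. The log lines and ignore list are constructed inline; the 192.0.2.x and 203.0.113.x addresses are placeholders, and the `count_failures` and `offenders` functions are my own names, not BFD's.

```bash
#!/bin/bash
# Added example: per-IP failed-login counting in the style of BFD's proftpd rule.

# Constructed sample log lines in proftpd's format (not taken from a real server).
SAMPLE_LOG='Apr 19 02:13:30 VPS1 proftpd[15133]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER bob: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 02:41:30 VPS1 proftpd[17222]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER bob: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 03:10:32 VPS1 proftpd[19741]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER bob: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 03:12:00 VPS1 proftpd[19800]: 127.0.0.1 (192.0.2.7[192.0.2.7]) - USER alice: no such user found from 192.0.2.7 [192.0.2.7] to 20.20.20.2:21
Apr 19 03:15:00 VPS1 proftpd[19900]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER root: USER root (Login failed): Incorrect password'

# Constructed whitelist, one IP per line, like /usr/local/bfd/ignore.hosts.
IGNORE_HOSTS='203.0.113.5
192.0.2.7'

# Print "<count> <ip>" for every source IP with a failed login, most failures first.
# The source IP is taken from the "(ip[ip])" field that proftpd writes on each line.
count_failures() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/no such user found|Login failed/ {
           if (match($0, /\(([0-9.]+)\[/)) {
             ip = substr($0, RSTART + 1, RLENGTH - 2)
             n[ip]++
           }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the IPs that reached the threshold and are not whitelisted.
# Usage: offenders <threshold>
offenders() {
  local threshold="$1"
  count_failures | while read -r count ip; do
    [ "$count" -ge "$threshold" ] || continue
    # Skip anything in the ignore list so an admin's own address is never blocked.
    printf '%s\n' "$IGNORE_HOSTS" | grep -qxF "$ip" && continue
    echo "$ip"
  done
}
```

With the sample above and a threshold of 3, only 10.10.10.1 is reported; 192.0.2.7 is never reported, even at threshold 1, because it is whitelisted.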

That’s all there is to it. I hope this helps you to protect your Linux server(s)! If you have any questions or suggestions please leave a comment.

