FAQ

Q: Which kinds/versions of SSH daemons are supported?
A: It doesn’t matter which kind or version of SSH daemon you are using. The only thing you have to care of, is that you have to log SSHd traffic via syslog and your syslog is capable to use pipes (i.e. it can redirect the output to some script). Another thing is the format of your logs, if you aren’t using latest version of OpenSSH you will probably need to change regexps used in script.

Q: BruteForceBlocker is running, but IPs aren’t being blocked.
A: This is probably because of incorrect formats of regexps used in script. I have reports from users that OpenSSH v3.8 (which is default in FreeBSD 5.4) and less, uses little bit different format of warnings. You should check your logs for the format and according to that format change the Regexps. By this way, you can also use this script not only with OpenSSH, but it’s possible to use it for example with SSH Secure Shell; it’s only up to you what you consider to be harmful message.

Q: How does the timeout work?
A: There are two types of timeout to consider. One thing is how long does the bruteforceblocker keep the internal count of failed login attempts in its memory. This affects the timeout setting in the bruteforceblocker.conf configuration file. This setting should be set to the amount of seconfs, after which you want to reset this count internally.
However, when the IP gets blocked by pf, this is beyond the bruteforceblocker. Here comes the second timeout type. To be able to remove an old entries from the pf table, you will need an external utility. I recommend using security/expiretable in conjuction with a proper entry in the crontab. In this case, set up the following:

First, let the blocked IP be stored in memory only, by the following setting in /etc/pf.conf:
table <bruteforce> persist

Next, set up a cronjob entry, which will handle the removal of old IPs from the pf table in /etc/crontable file:
0 4 * * * root /usr/local/sbin/expiretable -t 1d bruteforce

Q: Is it possible to use BruteForceBlocker with Linux and IPTABLES?
A: This is pretty easy task. All you need is to change value of $pfctl variable to contain the path to the IPTABLES binary. Then you need change line:
system(“$pfctl -t $table -T add $IP/32”) == 0 or die “Couldn’t add $IP to firewall”;
to something like:
system(“$iptables -I INPUT -s $IP -j DROP”) == 0 or die “Couldn’t add $IP to firewall”;
You should also remove some unneeded variables like $table and $tablefile or, you should use them to store rules in the iptables script to keep your firewall rules.

Q: I don’t have sshd logs after upgrade from 1.1
A: This is because BruteForceblocker 1.2 and later doesn’t log anymore. This way of logging was obsoleted because people weren’t able to log to remote syslog through BruteForceBlocker. If you don’t have line similar to this:

auth.info;authpriv.info /var/log/auth.log

in syslog.conf, then you should add it there, otherwise you won’t get auth.* messages logged.

12 thoughts on “FAQ

  1. Michael Pearl

    Does the ‘whitelist’ in the bruteforceblocker.conf support CIDR or possibly wildcards? I’d like to whitelist an entire /22.

  2. danger Post author

    Sorry, this is not yet possible (patches welcome :-)), however I suppose you can work this around by simple “quick” rule in pf.conf before bruteforceblocker’s rule, i.e.:

    table persist file “/var/db/ssh-bruteforce”

    pass in log quick proto tcp from 192.60.128.0/22 to any port ssh
    block in log quick proto tcp from to any port ssh

    Pretty straightforward. If you want to whitelist more CIDRs, you can also use another table for whitelist. I hope it helps you.
    I think I can add this to my TODO list, but I am nowadays a bit too much busy so it might take some time to implement by me. By the way, I suppose the implementation shouldn’t be hard using e.g. Net::CIDR perl extension….

  3. Norbert

    Thank you for your great script !!!
    I have adapted it to block some http requests. I was qurious why my server is so havily loaded and then I realized that I have a lot of requests similar to http://domain.name.com/index.php/includes/includes/scripts/scripts.

    I decided to use your scripts to disconnect “crackers” from my server. Although disconnecting is working fine, the time limit doesn’t work and I don;t know why.

    Will you find some time helping me.
    Below you can find my files, I am running FreeBSD 6.2

    In my apache virtual host I have:

    SetEnvIf Request_URI “/scripts/scripts” brute_force
    CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
    CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

    SetEnvIf Request_URI “/includes/includes” brute_force
    CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
    CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

    in syslog.conf

    local1.* |/usr/local/sbin/bruteforceblock
    er
    local1.* /var/log/apache_syslog.log

    in apache_syslog:
    #!/usr/local/bin/perl
    # script: apache-access-logger

    use Sys::Syslog;
    $SERVER_NAME = shift || ‘www’;

    $PRIORITY = ‘info’;
    $FACILITY = ‘local1’;

    Sys::Syslog::setlogsock(‘unix’);
    openlog ($SERVER_NAME,’ndelay’, $FACILITY);
    while () {
    chomp;
    syslog($PRIORITY,$_);
    }
    closelog;

    and extra rule in your script
    # the core process

    while () {
    if (/.*Failed password.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) por
    t.*/i ||
    /.*Invalid user.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn})$/i ||
    /.*Did not receive identification string from ($work->{ipv4}|$work->{ipv
    6}|$work->{fqdn})$/i ||
    /.*Bad protocol version identification .* from ($work->{ipv4}|$work->{ip
    v6}|$work->{fqdn})$/i ||
    /.*User.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) not allowed be
    cause.*/i ||
    /.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i ) {

  4. danger Post author

    Dear Norbert,

    thank you for using my script; however I don’t think it’s a wise idea to use my script for the task you are trying to accomplish. Much more convenient ways would be something like this:

    table persist
    block quick from

    pass inet proto tcp from any to $localnet port {http, https} \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
    overload flush global)

    together with security/expiretable port to remove old IPs from the table. I hope this helps to you.

  5. Norbert

    Dear danger,
    After long time I just entered your site again and I can see your reply – thanks 😉

    BTW, I successfully (8 months) use your script after I succeed adapting it to my needs. You are probably right with suggestion of blocking attackers like in the example above, but I don’t have too much experience with PF and simply afraid some experiments on heavily loaded production server.

    What I implemented is 100% transparent and is doing its task well.
    Now I can notice only a few BAD attempts daily which is acceptable.

    Below I’d like to present my scripts, one might find them useful:

    # cat /etc/periodic/hourly/bruteforce_blocker
    #!/usr/local/bin/bash
    echo>/var/db/www-bruteforce
    /etc/rc.d/pf reload
    /etc/rc.d/syslogd reload

    # cat /usr/local/sbin/apache_syslog
    #!/usr/local/bin/perl
    # script: apache-access-logger

    use Sys::Syslog;
    $SERVER_NAME = shift || ‘www’;

    $PRIORITY = ‘info’;
    $FACILITY = ‘local1’;

    Sys::Syslog::setlogsock(‘unix’);
    openlog ($SERVER_NAME,’ndelay’, $FACILITY);
    while () {
    chomp;
    syslog($PRIORITY,$_);
    }
    closelog;

    # cat /etc/syslog.conf | grep local1
    local1.* /var/log/apache_syslog.log
    local1.* |/usr/local/sbin/bruteforceblocker

    in apache virtual host
    In my apache virtual host conf I have:

    SetEnvIf Request_URI “/scripts/scripts” brute_force
    CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
    CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

    SetEnvIf Request_URI “/includes/includes” brute_force
    CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
    CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

    my custom bruteforceblocker rules look like this:
    /.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i ||
    /.*ftpd:.*@($work->{ipv4}).*uthentication fail.*/i

    the second rule is for pureftpd

    Best regards
    Norbert

  6. Cassidy

    I went ahead and crafted a simple hack for CIDR based whitelist networks.

    You need the following from CPAN:
    Net::IP::Match::XS

    Change lines from:
    if (!grep { /$IP/ } @{$cfg->{whitelist}}) {

    TO:
    if (!match_ip( $IP, @{$cfg->{whitelist}})) {

    It works well for me so far.

    Thanks for a great solution!

  7. Andre

    I recently installed this script and it works great but I came across a problem that I haven’t been able to resolve.The IPs that are blocked aren’t removed in the time specified in the timeout variable. How often does the script check when a blocked IP has expired? I looked at the code it seems that it only gets checked if there is an attack in the process but if there isn’t an attack for a long time, the IP will remain blocked. Anyone have ideas on this?

  8. Macio

    Hi

    I was wondering is there was any way to be deleted from this Blist.
    Or is there some timeout after your IP is deleted if you dont have a compromised computer anymore.

  9. danger Post author

    People are used to just send me an email and I will handle it manually.
    Please do so as well, stating which IP you would like to have to be removed.

  10. Paul

    Seem to be having an issue when calling the blocklist from CSF firewall and was wondering if there is a problem with the path: danger.rulez.sk/projects/bruteforceblocker/blist.php?

    I am able to view it online just get an error when trying to call the file via CSF [blockquote]Unable to retrieve blocklist BFB – Unable to download: Can’t connect to danger.rulez.sk:80 (Network is unreachable)[/blockquote]

    Any ideas?

  11. danger Post author

    Hi, I had some technical issues with the server and I have recently moved the project to a new host. It should be more stable now.

Leave a Reply

Your email address will not be published.