BFD Not blocking...

westm003 (Verified User, joined Sep 14, 2006, 26 messages)
Hi All..

I installed APF + BFD on my CentOS 4.4 server with DirectAdmin installed (standard install)...

The rule for ProFTPD works, but the rule for POP3 doesn't work.

It seems vm-pop3d only writes the authentication errors to "maillog" and not to "messages".

The standard rules do not apply to a DirectAdmin install... :mad:

Are there DA-specific rules that reliably work? (for all DA services)

Thanks a lot! :cool:


e.g.
"messages" says for a POP3 attack:
May 22 23:57:14 srv1 PAM_pwdb[13053]: authentication failure; (uid=0) -> username for vm-pop3d service

while the maillog says:
May 22 23:57:15 srv1 vm-pop3d[13053]: User 'username' - failed auth, from=xx.xx.xx.xx


But the maillog is not parsed by the standard rules (which talk of Ipop3d!!). Did someone already rewrite the rules??
Could you please post the rules files for POP, IMAP and Apache, so that I can check them against mine? I am having the same issue.

Thanks
 
Thanks for posting these rules.

Did you check these rules with someone else as well?

Have you not fixed the rules for rh_imapd?
 
Rules

These are the rules I use in production, and they are verified to work....

(only http is not verified; the rest is!)

The rest of the rules are all verified to work in production...

(it took me some time to figure out the grep stuff)

Remember, I use a standard DA setup....

The name of the rules is not relevant; I probably renamed it from rh_imapd to rh_imap, but it does not matter whatsoever. The server uses every rule with every name...
Thanks for the update.

I just tested your rh_pop3 rule and it works fine.

Your sshd rule is different from the sshd rule given by BFD.

After checking, I found that your rule for sshd would give something like this (IP) as output:

x.x.x.x

but what we get from the sshd rule given by rf-networks is of the type:

x.x.x.x:username

The difference is in awk '{print$11}' (your rule) and awk '{print$11":"$9}' (rf-networks rule).

Your rh_imap is the same as theirs.
 
What do you think about the format of the sshd rule output?

x.x.x.x from yours and
x.x.x.x:user from the original rule
 
IP

The output needs to produce an IP number, since that number is added to the blocklist in APF....

APF cannot handle text... just IP numbers...
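As an added example (not from this thread and not BFD's own rule file), the shell below does what a BFD-style rule for vm-pop3d has to do with the maillog lines quoted in the first post, and emits bare IPs only, the form the last post says APF's blocklist accepts. The maillog lines, usernames and IPs are constructed; the trigger count is a parameter.

```shell
#!/bin/sh
# Added example, not BFD's or DirectAdmin's own code.
# Constructed maillog lines in the vm-pop3d format quoted in the thread
# (IPs from documentation ranges, so nothing here points at a real host).
make_sample_maillog() {
  cat <<'EOF'
May 22 23:57:15 srv1 vm-pop3d[13053]: User 'alice' - failed auth, from=203.0.113.5
May 22 23:57:16 srv1 vm-pop3d[13054]: User 'alice' - failed auth, from=203.0.113.5
May 22 23:57:17 srv1 vm-pop3d[13055]: User 'root' - failed auth, from=203.0.113.5
May 22 23:57:18 srv1 vm-pop3d[13056]: User 'bob' - failed auth, from=198.51.100.7
May 22 23:57:19 srv1 vm-pop3d[13057]: User 'bob' - logged in, from=198.51.100.7
May 22 23:57:20 srv1 proftpd[13058]: USER carol: no such user found from 192.0.2.9
EOF
}

# Print one source IP per vm-pop3d failed-auth line in the given log file.
# Keying on the "from=" field rather than a fixed awk column (the $11 / $9
# positions discussed in the thread) keeps the rule correct when a username
# contains spaces or the hostname field changes width.
vmpop3d_failed_ips() {
  grep 'vm-pop3d\[[0-9]*\]: .* - failed auth, from=' "$1" \
    | sed -n 's/.*from=\([0-9.]*\).*/\1/p'
}

# Count failures per IP and print only the IPs at or above the trigger
# count, one bare IP per line: no "ip:user" suffix, since APF takes IPs only.
offenders() {
  vmpop3d_failed_ips "$1" | sort | uniq -c \
    | awk -v trig="$2" '$1 >= trig { print $2 }'
}

# Demo: write the constructed log to a temp file and list offenders at a
# trigger count of 3 (expected: 203.0.113.5 only).
demo() {
  log=$(mktemp)
  make_sample_maillog > "$log"
  offenders "$log" 3
  rm -f "$log"
}
```

Against a real box, point `offenders` at /var/log/maillog and compare its output with what your rh_pop3 rule produces before trusting the rule.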
 