I posted this in rfxnetworks forum but I havent received any replies. Can someone who used APF and BFD please help.

APF and /var/log/secure.1...

Im new to linux so bare with me. Everything seems to be working fine when i first installed APF and BFD. All bad logging attempts shown in /var/log/messages and /var/log/secure were getting blocked.

I noticed that the system logs have rotated to bfd_log.1, /var/log/secure.1 and /var/log/messages.2 among other things like /var/log/maillog.1. And the recent attempts shown in secure.1 and messages.2 are not getting blocked.

Can someone post a Step by Step solution to this ... things i might need to change or add?

Noticing the 'rotates' above, just to be sure know, this is normal & usually at about once per week.

Don't recognize APF and BFD, but if I assume correctly from all you said that these are firewalls, I do not know the 'advanced' tools, I just use hand-coded iptables scripts. Iptables usually underlies all else, and can do *anything*, but does take *some* learning and care writing.

LOL,

I read some info about using iptables manually. But I was afraid of messing things up, specially since Im still learning linux. After searching around and seeing what some people are recommending... APF/BFD seem to be a lot easier to use for beginners such as myself.

Everything was working fine until now. Can someone help?

How about posting some of the contens from your logfiles, that you think has to do with all this -- both before & after woudl be good. Most graphical (gui, desktop, etc) file browsers can display the contents of the rotated files, and you can copy/paste from them.

Maybe I or someone else can help you better with these. It probably will need a couple more question/answer exchanges to get there.

And yes, I did mean that iptables takes significant learning, but it will quite possibly be worth your time in the long run.

Basically im getting a bunch of bruteforce attempts like this in /var/log/secure.1:

Mar 23 18:27:29 sshd[20758]: Illegal user master from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:32 sshd[20758]: Failed password for illegal user master from ::ffff:xxx.xxx.xx.xxx port 34918 ssh2
March 23 18:27:33 sshd[20763]: Illegal user account from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:36 sshd[20763]: Failed password for illegal user account from ::ffff:xxx.xxx.xx.xxx port 34978 ssh2

I noticed that once the logs are rotated back to /var/log/secure, /var/log/messages, /var/log/maillog... APF and BFD starts working normal again. And it adds the ips with all the bad login attempts to /etc/apf/deny_hosts.rules. But it stops functioning again when it goes back to /var/log/secure.1.

tilt32,
Sorry delay -- rather busy here now!

THe ".1", ".2" etc should be the saves of the previous, 2nd-prev, etc, and the 'no-dot-anything's should always be the latest files.

Are you sayng that the *newest* logs are the ".1"'s??!!??
(Rotating through 'no-dot' to '.1' to ... ?? If so, there is some kind of strange setup issue thee -- never heard of that before, but!, if that is the case, I'd have to guess that someone got enough through the firewall to cause this, and maybe this is somehow causing the fw to fail except when the correct log-names are in use.


As for firming up the firewall, like I said, I don't know those tools, so I can't help there.