LinuxQuestions.org
Linux - Security
Old 12-06-2007, 01:49 PM   #1
lavinya
LQ Newbie
Registered: Jun 2007
Location: Istanbul
Posts: 21
Rep: Reputation: 15

BFD bug?


Hello, I installed the latest version of BFD.

I got a new mail from the BFD service.

---
The remote system euid=0 was found to have exceeded acceptable login failures on "myserver"; there was 23 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d euid=0 {bfd.sshd}

The following are event logs from euid=0 on service sshd (all time stamps are GMT +0100):

Dec 6 10:44:47 server sshd[28722]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:49 server sshd[28725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:52 server sshd[28735]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:54 server sshd[28737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:56 server sshd[28739]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:59 server sshd[28749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
....
....
--------
What does "/etc/apf/apf -d euid=0" mean?
Is this a bug? Or how do I make it use the true IPs?


Another mail (from BFD)
TRUE:
----
The remote system 209.51.143.178 was found to have exceeded acceptable login failures on "myserver"; there was 22 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 209.51.143.178 {bfd.sshd}

The following are event logs from 209.51.143.178 on service sshd (all time stamps are GMT +0100):

Dec 6 17:08:54 server sshd[19792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.51.143.178 user=root
Dec 6 17:08:55 server sshd[19792]: Failed password for root from 209.51.143.178 port 38663 ssh2
Dec 6 16:08:55 server sshd[19793]: Received disconnect from 209.51.143.178: 11: Bye Bye
Dec 6 17:08:56 server sshd[19794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.51.143.178 user=root
Dec 6 17:08:59 server sshd[19794]: Failed password for root from 209.51.143.178 port 38893 ssh2
Dec 6 16:08:59 server sshd[19795]: Received disconnect from 209.51.143.178: 11: Bye Bye
Dec 6 17:09:00 server sshd[19803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.51.143.178 user=root
...
...
-----

Please help me.

Last edited by lavinya; 12-06-2007 at 01:54 PM.
 
Old 12-06-2007, 03:05 PM   #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Rep: Reputation: 380
Have you read the sticky called "Failed SSH login attempts" at the top of this forum?
 
Old 12-07-2007, 03:26 AM   #3
lavinya
LQ Newbie
Registered: Jun 2007
Location: Istanbul
Posts: 21
Original Poster
Rep: Reputation: 15
win32sux, thanks for the reply. But my problem is a different problem!
 
Old 12-07-2007, 11:41 AM   #4
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Rep: Reputation: 380
My guess is it simply expects to find the IP in the field where the EUID is. Kinda weird, I mean, stuff like this shouldn't be happening if you used a package made for your distro. If you installed from upstream then it's more understandable. Perhaps you'll need to edit the script. I'm assuming this apf thing is some sort of iptables front-end written in a scripting language, no?
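The behaviour win32sux guesses at above, and the difference between the two mails quoted in post #1, shown as an added Python example that is not from the thread and not BFD's or APF's own code: a hypothetical positional extractor takes the 11th whitespace field of any sshd failure line, which is the client address on "Failed password ... from IP port" lines but "euid=0" on pam_unix lines like those in the first mail, so the ban command ends up being handed "euid=0". A field-anchored extractor that also validates the value as an IP address never passes a non-address to the ban command. The sample log is constructed from the two line formats quoted in the thread; the field index, the function names and the threshold of 3 are assumptions for illustration, not BFD's actual logic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log modelled on the two sshd line formats quoted in the
# thread (first mail: pam_unix lines without a user= field; second mail:
# pam_unix lines with user=root plus the matching "Failed password" lines).
SAMPLE_LOG = """\
Dec 6 10:44:47 server sshd[28722]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:49 server sshd[28725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 10:44:52 server sshd[28735]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.137.1.253
Dec 6 17:08:54 server sshd[19792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.51.143.178 user=root
Dec 6 17:08:55 server sshd[19792]: Failed password for root from 209.51.143.178 port 38663 ssh2
Dec 6 16:08:55 server sshd[19793]: Received disconnect from 209.51.143.178: 11: Bye Bye
Dec 6 17:08:56 server sshd[19794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.51.143.178 user=root
Dec 6 17:08:59 server sshd[19794]: Failed password for root from 209.51.143.178 port 38893 ssh2
"""


def naive_source(line):
    """Hypothetical positional extractor (assumed, not BFD's code): take the
    11th whitespace field of any sshd line that mentions a failure.  On
    'Failed password for USER from IP port N' lines that field is the client
    address; on pam_unix lines it is the literal token 'euid=0'."""
    if "sshd[" not in line or "fail" not in line.lower():
        return None
    fields = line.split()
    return fields[10] if len(fields) > 10 else None


# Anchor on the field name ('rhost=') or on the fixed wording of the
# "Failed password" message instead of on a field position.
RHOST_RE = re.compile(r"\brhost=(\S+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def robust_source(line):
    """Field-anchored extractor that only returns a value which parses as an
    IP address.  Lines without a usable address (e.g. 'Received disconnect')
    yield None, so a token like 'euid=0' can never become a ban target."""
    m = RHOST_RE.search(line) or FAILED_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def ban_targets(log_text, extractor, threshold):
    """Count failure events per extracted source and return the sources that
    reach the threshold.  Like the mails in the thread ('there was 22 events'),
    every matching line counts as one event, so one attempt that produces both
    a pam_unix line and a 'Failed password' line counts twice."""
    counts = Counter()
    for line in log_text.splitlines():
        src = extractor(line)
        if src is not None:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def ban_command(source):
    """Build the APF call quoted in the thread, refusing anything that is not
    an IP address (ipaddress.ip_address raises ValueError for 'euid=0')."""
    ipaddress.ip_address(source)
    return f"/etc/apf/apf -d {source} {{bfd.sshd}}"


if __name__ == "__main__":
    # The positional extractor bans the bogus token; the anchored one bans
    # the two real client addresses.
    print("naive: ", ban_targets(SAMPLE_LOG, naive_source, 3))
    print("robust:", ban_targets(SAMPLE_LOG, robust_source, 3))
    for src in ban_targets(SAMPLE_LOG, robust_source, 3):
        print(ban_command(src))
```

With the constructed log the positional extractor reports only `euid=0` (the five pam_unix lines) and misses the 82.137.1.253 attempts entirely, while the anchored extractor reports both addresses; the validation in `ban_command` is the check that would have turned the first mail into a parse error instead of a ban on a nonsense target.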
 
Old 12-07-2007, 01:59 PM   #5
lavinya
LQ Newbie
Registered: Jun 2007
Location: Istanbul
Posts: 21
Original Poster
Rep: Reputation: 15
win32sux, thanks.

But I removed BFD, because it is defective.
My problem was solved with iptables; here is an example:

----
/sbin/iptables -A INPUT -p tcp --dport 22 -s 85.105.241.10 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
----

Now SSH is closed to all IPs, and only open to my IP.

Sorry for my little English.
 
Old 12-07-2007, 10:18 PM   #6
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Rep: Reputation: 380
Sounds great, if you know you'll never need to SSH from another IP.
 
  

