How to Install and Use BFD (Brute-Force Detection) on Linux

BFD (Brute Force Detection) is a script that runs on your Linux server and checks log files for authentication errors. When it sees recurring authentication failures from a specific IP address, it instructs APF (Advanced Policy Firewall) to block that IP address. It’s simple to configure; just make sure you have APF running before you continue. Let’s download it:

[root@VPS1 ~]# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Now extract it:

[root@VPS1 ~]# tar -xzvf bfd-current.tar.gz

Open the folder:

[root@VPS1 ~]# cd bfd-1.5/

Now we can install it:

[root@VPS1 bfd-1.5]# ./install.sh

After installation, we can edit the BFD configuration file:

[root@VPS1 bfd-1.5]# vim /usr/local/bfd/conf.bfd

Make sure you enable e-mail notifications:

EMAIL_ALERTS="1"

And configure your e-mail address:

EMAIL_ADDRESS="my@mailaddress.com"

It’s also a good idea to configure BFD to ignore your own IP address so you don’t lock yourself out. Just add your IP address to the following file:

[root@VPS1 bfd]# vim /usr/local/bfd/ignore.hosts

To run BFD manually, use the following command:

[root@VPS1 bfd]# bfd -s

It also runs automatically through a cron job:

[root@VPS1 bfd]# vim /etc/cron.d/bfd

*/3 * * * * root /usr/local/sbin/bfd -q

By default, the script runs every 3 minutes and checks your log files. When BFD finds anything, it will instruct APF to block the IP address, and you’ll receive an e-mail that looks like this:

The following is a summary event for exceeded login failures on VPS1.RMCSHOSTING.NL:

SOURCE ADDRESS: 20.20.20.2
TARGET SERVICE: proftpd
FAILED LOGINS: 15
EXECUTED COMMAND: /etc/apf/apf -d 20.20.20.2 {bfd.proftpd}

SOURCE LOGS FROM SERVICE 'proftpd' (GMT +0200):

Apr 19 02:13:30 VPS1 proftpd[15133]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 02:41:30 VPS1 proftpd[17222]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21
Apr 19 03:10:32 VPS1 proftpd[19741]: 127.0.0.1 (10.10.10.1[10.10.10.1]) - USER mydomain@mydomain.com: no such user found from 10.10.10.1 [10.10.10.1] to 20.20.20.2:21

As you can see, it discovered several failed authentications for proftpd and instructed APF to block the IP address. That’s all there is to it. I hope this helps you to protect your Linux server(s)! If you have any questions or suggestions, please leave a comment.

Happy BFD'ing!
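
The counting step described above, as an added sketch that is not part of the original article and is not BFD's own code: it tallies proftpd login failures per source address, skips addresses listed in an ignore file, and prints the APF command in the form the alert e-mail shows instead of running it. The function names, the threshold of 3 and the sample log lines are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added sketch of BFD-style counting; not BFD's own code.
# Function names, sample lines and the threshold of 3 are assumptions.

# Print "IP COUNT" for each source with >= THRESHOLD proftpd login failures,
# skipping addresses listed one per line in the ignore file.
bfd_sketch_offenders() {   # usage: LOG IGNORE_FILE THRESHOLD
    awk -v min="$3" '
        FILENAME == ARGV[1] { if ($1 != "") skip[$1] = 1; next }
        index($0, " proftpd[") && index($0, ": no such user found from ") {
            # USER is client-supplied text, so read the address from the
            # fixed tail of the line: from IP [IP] to DEST:PORT
            if (NF >= 5 && $(NF-4) == "from" && $(NF-1) == "to") {
                ip = $(NF-3)
                if (!(ip in skip)) fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' "$2" "$1" | sort
}

# Print, without running it, the block command in the form shown in the alert.
bfd_sketch_commands() {
    bfd_sketch_offenders "$@" | while read -r ip rest; do
        printf '/etc/apf/apf -d %s {bfd.proftpd}\n' "$ip"
    done
}

# Write constructed sample input (documentation-range addresses) into DIR.
bfd_sketch_sample() {
    local t p='VPS1 proftpd[100]: 127.0.0.1' m='no such user found from'
    {
        for t in 01 02 03 04; do
            echo "Apr 19 02:$t:00 $p (203.0.113.7[203.0.113.7]) - USER web admin: $m 203.0.113.7 [203.0.113.7] to 198.51.100.1:21"
        done
        for t in 05 06 07; do
            echo "Apr 19 02:$t:00 $p (192.0.2.10[192.0.2.10]) - USER bob: $m 192.0.2.10 [192.0.2.10] to 198.51.100.1:21"
        done
        echo "Apr 19 02:08:00 $p (203.0.113.9[203.0.113.9]) - USER eve: $m 203.0.113.9 [203.0.113.9] to 198.51.100.1:21"
        echo "Apr 19 02:09:00 VPS1 sshd[200]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2"
    } > "$1/proftpd.log"
    echo "192.0.2.10" > "$1/ignore.hosts"   # the admin address, never blocked
}

demo=$(mktemp -d)
bfd_sketch_sample "$demo"
bfd_sketch_commands "$demo/proftpd.log" "$demo/ignore.hosts" 3   # prints: /etc/apf/apf -d 203.0.113.7 {bfd.proftpd}
rm -rf "$demo"
```

In the sample, 192.0.2.10 also reaches the threshold but is skipped because it is in the ignore file, which is the lock-out protection the article recommends.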



About the Author

I'm Aevon...Just a gal with an insane passion for all things cybersecurity. 17 years in the industry and still love what I'm doing.
