Sysadmin: Brute force detection – custom rule for SMTP and SSH

I wrote before about BFD, an excellent tool that blocks brute force password guessing attempts against various network services.
I prefer it to Fail2ban because of its portability (it is a bash script), its low system resource consumption (a bash script!) and its extendability (true “unix way” modularity).
I also wrote a brief instruction on how to extend BFD with your own rule to fight an apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts, and the same for SSHD.

All BFD predefined rules are stored in separate files in /usr/local/bfd/rules. By the script name you can figure out which service it protects. Each file is a shell script which is pretty easy to read and modify for your needs.
The problem: attempts to guess user passwords via SMTP Auth are registered by both sendmail and saslauthd. Saslauthd reports the failed password guess attempt but doesn’t report the offending IP in /var/log/messages on CentOS:

simply because it is used by sendmail indirectly. Sendmail, on the other hand, reports the IP but does not report the authentication attempt in /var/log/maillog:

What we will do is modify the existing sendmail rule script to process these log entries as failed SMTP authentication attempts.

Existing sendmail rule file:

The most interesting part is the tail of the ARG_VAL line, between the first | and the closing ` at the end. This part is used to extract offending IP addresses from the configured log file. It is easy to verify using the following command:

After running this command you should see the list of IP addresses behind brute force attempts to connect to sendmail. With a minimal modification it is possible to match the SMTP authentication brute force log lines with something like this:

To use this line I will create a separate rule script with the name sasl:

Another custom rule file will be for SSHD brute force attempts; it will match the following lines from /var/log/secure:

The idea is the same: customize the string-matching part of ARG_VAL until it filters out the list of offender IPs.
Here is the resulting rule file sshd2:

Save the custom rule scripts as separate files in the /usr/local/bfd/rules directory. When you run bfd -s from the command line you will see whether your new custom rules caught any offending IPs.
