BFD Updated Rules, Ban'em Faster, Better (V0.9)

These new "rules" make BFD ban faster, checks every minute. BFD only checked every 10 minutes and could miss attackers that show up at the right time. Now we keep 10 minutes of IPs, and ban using that list.

I feel that APF and BFD are still the best choices for protecting my server. Cpanel's new "cphulk" feature has a lot more to go to be as good, plus you have total control with BFD where you can add and change rules to suit your needs as they grow, or modify them for particular problems.

The changes I made are based on the latest version of BFD V0.9, you should have that version installed and WORKING ALREADY.

Remember, they are simply shell scripts that define the log file to keep track of and what keywords to trigger on. You can view them with any text reader.

WARNING: These work for me, USE AT YOUR OWN RISK, always make sure you add your current IP in /usr/local/bfd/ignore.hosts (and) /etc/apf/allow_hosts.rules so you don't accidentally ban yourself!

Inside the below tar.gz file are my modified "rules" files for exim, pure-ftpd, rh_imap, rh_pop3, sendmail and sshd. No changes to the BFD V0.9 main program are needed.

You should change the cron job to run BFD every minute, edit this file:
/etc/cron.d/bfd

Change the line in that file to this so it runs every minute:
*/1 * * * * root /usr/local/sbin/bfd -q

I checked the CPU load and since it's reading only a small part of the log file every minute, the CPU load isn't bad, it's done in about 8 seconds on my system. Expect a small rise in load average since it is doing work more often.

The "rules" files are contained in your server directory:
/usr/local/bfd/rules

The "rules" files should be REPLACED with the new ones, if you want to keep the old ones around then MOVE THEM OUT to another directory NOT INSIDE the "rules" directory, or else they will be run when BFD runs.

If you need apache, proftpd or other "rules" then you will have to modify them yourself, otherwise you should move these out of the "rules" DIRECTORY, they will not do much with BFD set to run every minute (unless you modify them yourself). I only modified the rules I needed for my server, feel free to post your own mods here.

OK enough, here's the file:

[url]

(it's also attached to this message, see below)

This file will only be around for a few months on this free upload site. Someone please put it in a good place/mirror and post a link, thanks.

Technical details:

This runs every minute but keeps a list of the last 10 minutes of bad IPs in a file in tmp, trimming the file every minute so only new IPs are saved.

You can see the list of IPs in files such as:
/usr/local/bfd/tmp/.exim
/usr/local/bfd/tmp/.sshd

The marker "----" (four dashes) is used to mark each minute and is ignored by BFD but used to trim the old IPs off the file.

If the number of "----" are more than 10, it trims the top of the file up to the marker every run. If the file doesn't exist it's created.

The exim filter "grep" part was modified slightly because the old one was producing bad data every once and a while. The others are all the default filters that come with V0.9.

(BFD people feel free to add this to the next version update, I consider it GPL)