Linux brute-force detection component: BFD
BFD stands for Brute Force Detection. It is used to detect and block brute-force login attempts and works together with APF to block the offending addresses. BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.
The regular expressions are parsed against logs using the 'sed' tool (stream editor), which allows for excellent performance in all environments. In addition to the benefits of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point at which they were last read. This greatly assists in extending the performance of BFD even further, as we are not constantly reading the same log data. The log tracking system is compatible with syslog/logrotate style log rotations, which allows it to detect when rotations have happened and grab log tails from both the new log file and the rotated log file.
In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cron job can be run more frequently for those that desire it, and doing so will not cause any performance issues (no more often than once a minute). Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms.
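A miniature of the mechanism described above (a sed rule extracting the source address of each auth failure, per-address counting against TRIG, and offset-based log tracking that notices a rotation), written here as an added example and not BFD's own code. The sshd-style log lines, the "Failed password" pattern and the state-file layout are constructed for this example; BFD's extra step of reading the tail of the rotated file is left out.

```shell
#!/bin/sh
# Added example (not BFD's code): extract the source address of each auth
# failure with sed, count per address, flag those reaching TRIG, and remember
# how far the log was read so the next run only parses new data.
TRIG=5                           # same meaning as TRIG in conf.bfd

# Constructed sshd-style sample log lines (not taken from a real system).
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 10:00:01 host sshd[1000]: Failed password for root from 203.0.113.7 port 5001 ssh2
Jan 10 10:00:02 host sshd[1001]: Failed password for root from 203.0.113.7 port 5002 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 5003 ssh2
Jan 10 10:00:04 host sshd[1003]: Accepted password for alice from 198.51.100.9 port 6001 ssh2
Jan 10 10:00:05 host sshd[1004]: Failed password for root from 203.0.113.7 port 5004 ssh2
Jan 10 10:00:06 host sshd[1005]: Failed password for bob from 198.51.100.9 port 6002 ssh2
Jan 10 10:00:07 host sshd[1006]: Failed password for root from 203.0.113.7 port 5005 ssh2
EOF
}

# Parse everything after byte OFFSET of LOG and print "IP COUNT" for each
# address whose failure count reaches TRIG. The sed expression plays the
# role of a BFD rule's regular expression for one auth format.
scan_failures() {
  tail -c "+$(( ${2:-0} + 1 ))" "$1" \
    | sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v trig="$TRIG" '$1 >= trig + 0 { print $2, $1 }'
}

# Log tracking: read the stored offset from STATE, scan only new bytes, then
# store the current size. A file smaller than the stored offset means the log
# was rotated, so parsing restarts at byte 0 of the new file.
tracked_scan() {
  log="$1"; state="$2"
  offset=0; [ -f "$state" ] && offset=$(cat "$state")
  size=$(wc -c < "$log" | tr -d ' ')
  [ "$size" -lt "$offset" ] && offset=0
  scan_failures "$log" "$offset"
  echo "$size" > "$state"
}

# Demo: two consecutive runs over the same log; the second finds nothing new.
LOG=$(mktemp); STATE="$LOG.offset"
write_sample_log "$LOG"
tracked_scan "$LOG" "$STATE"     # prints: 203.0.113.7 5
tracked_scan "$LOG" "$STATE"     # prints nothing (no new log data)
rm -f "$LOG" "$STATE"
```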
Configuration
Edit /usr/local/bfd/conf.bfd
# Number of failed events after which the IP address that caused them is banned
TRIG="5"
# Enable alert e-mails, set the recipient address and the mail subject
EMAIL_ALERTS="1"
EMAIL_ADDRESS="master@freeoa.net"
EMAIL_SUBJECT="Brute Force Warning For Host: $HOSTNAME"
A list of trusted hosts can also be configured:
Edit /usr/local/bfd/ignore.hosts
One IP address per line
Start the service
# bfd -s
After installation, BFD adds a cron job under /etc/cron.d/bfd that runs every 3 minutes. Its log is written to '/var/log/bfd_log'.
View the blocked addresses
# bfd -a
Latest version: 1.5
Project page: http://www.rfxn.com/projects/brute-force-detection/