BFD is an easy-to-use brute force detection script that plays very nicely when combined with APF…
Currently it supports certain daemons out of the box… but vsftpd is not one of those 🙁
This is a *very basic* script (it does not pass the offending username to BFD) that adds vsftpd support to BFD.
You just need to create a file named “vsftpd” in the BFD ./rules/ directory and paste this content into it:
```
REQ="/usr/sbin/vsftpd"
if [ -f "$REQ" ]; then
    LP="/var/log/vsftpd.log"
    TLOG_TF="vsftpd"

    #Mon Mar 28 23:57:38 2011 [pid 9897] [asdasd] FAIL LOGIN: Client "127.0.0.1"
    ## VSFTPD
    # Keep only the client address and tag it with the fixed label "vsftpd".
    ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | sed -r 's/^.{0,}Client .//' | sed 's/"/:vsftpd/g'`
fi
```
This script assumes the standard vsftpd installation on RHEL/CentOS…
If the log file is placed elsewhere (vsftpd_log_file), or if the option “syslog_enable” in vsftpd.conf has been enabled, the LP path needs to be adjusted 🙂
PS: this was a NON-WORKING test (usernames with a space in them were making it fail):
```
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | awk '{print $12":"$8}' | tr -d '[]"'`
```
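The two pipelines above, run against constructed log lines in the format shown in the rule's comment, together with a variant that anchors on the brackets and quotes instead of field positions. This is an added example, not part of the original post or of BFD: `sample_log`, `parse_fixed`, `parse_awk` and `parse_user` are hypothetical names, and replacing spaces in the username with underscores is an assumption made to keep each entry a single token; it has not been tested against BFD itself.

```shell
#!/bin/sh
# Constructed sample lines in the vsftpd.log format shown in the rule's comment.
sample_log() {
cat <<'EOF'
Mon Mar 28 23:57:38 2011 [pid 9897] [asdasd] FAIL LOGIN: Client "127.0.0.1"
Mon Mar 28 23:57:41 2011 [pid 9899] [john doe] FAIL LOGIN: Client "192.0.2.10"
Mon Mar 28 23:57:45 2011 [pid 9901] [alice] OK LOGIN: Client "192.0.2.20"
EOF
}

# The rule's pipeline: client address plus the fixed label "vsftpd".
parse_fixed() {
    grep -w 'FAIL LOGIN' | sed -r 's/^.{0,}Client .//' | sed 's/"/:vsftpd/g'
}

# The field-position attempt: a space in the username shifts every later
# field, so $12 is no longer the address and $8 is only part of the name.
parse_awk() {
    grep -w 'FAIL LOGIN' | awk '{print $12":"$8}' | tr -d '[]"'
}

# Hypothetical variant (assumption, not BFD code): match the "[user]" and
# Client "addr" delimiters. The greedy username group and the end-of-line
# anchor mean the address is always the final quoted Client field, whatever
# text the (client-chosen) username contains. Non-matching lines are dropped.
parse_user() {
    grep -w 'FAIL LOGIN' |
        sed -rn 's/^.*\[pid [0-9]+\] \[(.*)\] FAIL LOGIN: Client "([^"]*)"$/\2:\1/p' |
        tr ' ' '_'
}

# Show what each parser emits for the same input.
for f in parse_fixed parse_awk parse_user; do
    echo "== $f"
    sample_log | "$f"
done
```

For the second sample line `parse_awk` emits `Client:john`, which is why the field-position approach cannot be used when usernames may contain spaces.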