
E-mail Alert on Root SSH Login
Published: Dec 08, 2003
  • Rating

    4/5

This guide will show you how to install and configure BFD to protect your system from brute force login attempts: repeated authentication failures from one address get that address banned in the firewall.

What is BFD (Brute Force Detection)?
BFD is a modular shell script that parses the logs of the services it has rules for and checks them for authentication failures. There is not much complexity or detail to BFD yet, and likewise its installation, configuration and usage are very straightforward. The reason behind BFD is simple: there are few, if any, authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php


Requirements:
- You MUST have APF Firewall installed before installing BFD; it places its bans through APF and requires some APF files to operate.
- Root SSH access to your server

Updated: April 13, 2005

Let's begin!
Log in to your server through SSH and su to the root user.

1. cd /root/downloads, or another temporary folder where you keep downloaded files.

2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

3. tar -xvzf bfd-current.tar.gz

4. cd bfd-0.7 (the directory name is the version that bfd-current.tar.gz unpacked to; check with ls if it differs)

5. Run the installer: ./install.sh
You will receive a message saying it has been installed:

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

6. Let's edit the configuration file: pico /usr/local/bfd/conf.bfd

7. Enable e-mail alerts for brute force attempts:
Find: ALERT_USR="0"   CHANGE TO: ALERT_USR="1"

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Y

8. Prevent locking yourself out!
pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs, in particular the address you administer the server from
Eg: 192.168.1.1

Save the changes: Ctrl+X then Y

BFD places its bans through APF's command-line insert feature,
and bans added that way take precedence over any allow_hosts.rules entries you have in place.
So be sure to add your trusted IP addresses to the ignore file to prevent
locking yourself out.

9. Run the program!
/usr/local/sbin/bfd -s

10. Customize your applications' brute force configuration
Check out the rules directory in /usr/local/bfd.

Here you'll find pre-made rules for popular services such as Apache and ProFTPD, w00t!
If you have any clue about shell scripting you can customize them, or create new rules, to detect and stop more kinds of attack.
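To make the mechanism behind BFD and its ignore file concrete, here is an added example (not BFD's own code, and not part of the original guide) of what a BFD rule does, reduced to a few POSIX sh functions: parse authentication failures out of an sshd log, count them per source address, skip the addresses listed in the ignore file, and print the APF deny command that would be run. The log lines, the ignore file, the threshold of 5 failures, the apf path and the exact form of the deny command are constructed assumptions for the demonstration; nothing is actually banned.

```shell
#!/bin/sh
# Added example, not BFD's own code: a minimal BFD-style sshd rule.
# Every path, threshold and log line below is an assumption made for
# the demonstration.

TRIG=5                              # assumed: failures per IP before a ban
APF="/usr/local/sbin/apf"           # assumed path; never executed here

# Constructed sample of sshd log lines in syslog format.
SAMPLE_LOG=$(cat <<'EOF'
Dec  8 03:11:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51221 ssh2
Dec  8 03:11:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 51222 ssh2
Dec  8 03:11:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51223 ssh2
Dec  8 03:11:06 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51224 ssh2
Dec  8 03:11:08 host sshd[2101]: Failed password for root from 203.0.113.7 port 51225 ssh2
Dec  8 03:12:00 host sshd[2102]: Failed password for root from 192.168.1.1 port 40001 ssh2
Dec  8 03:12:01 host sshd[2102]: Failed password for root from 192.168.1.1 port 40002 ssh2
Dec  8 03:12:02 host sshd[2102]: Failed password for root from 192.168.1.1 port 40003 ssh2
Dec  8 03:12:03 host sshd[2102]: Failed password for root from 192.168.1.1 port 40004 ssh2
Dec  8 03:12:04 host sshd[2102]: Failed password for root from 192.168.1.1 port 40005 ssh2
Dec  8 03:12:05 host sshd[2102]: Failed password for root from 192.168.1.1 port 40006 ssh2
Dec  8 03:13:00 host sshd[2103]: Accepted publickey for steve from 198.51.100.9 port 22211 ssh2
Dec  8 03:13:10 host sshd[2104]: Failed password for steve from 198.51.100.9 port 22212 ssh2
EOF
)

# Constructed ignore file standing in for /usr/local/bfd/ignore.hosts:
# the admin's own address, which must never be banned.
IGNORE=$(mktemp)
echo "192.168.1.1" > "$IGNORE"
trap 'rm -f "$IGNORE"' EXIT

# Read log lines on stdin; print "COUNT IP" for every address with at
# least one failed password, sorted by address. The address is taken
# from the fixed tail "from IP port N ssh2" rather than the first "from"
# on the line, so a username containing "from 1.2.3.4" cannot make the
# failure count against an address of the attacker's choosing.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            if ($(NF - 4) == "from" && $(NF - 2) == "port") n[$(NF - 3)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2,2
}

# Read log lines on stdin; print the addresses that reached TRIG failures
# and are not listed (one per line, exact match) in the ignore file $1.
ban_candidates() {
    ignore="$1"
    count_failures | while read -r count ip; do
        [ "$count" -ge "$TRIG" ] || continue
        grep -qxF "$ip" "$ignore" 2>/dev/null && continue
        echo "$ip"
    done
}

# Dry run: print the APF deny command for each candidate instead of
# running it, so this can be tried on a box without APF.
ban_commands() {
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$IGNORE" | while read -r ip; do
        echo "$APF -d $ip \"{bfd.sshd} brute force attempt, $TRIG+ failures\""
    done
}

ban_commands
```

Run as written it prints a single deny command for 203.0.113.7: 192.168.1.1 has more failures but is in the ignore file, and 198.51.100.9 has only one. The ignore check is a literal line match, so CIDR entries would need their own handling, and the tail-anchored parse assumes lines end in "port N ssh2"; log formats that append extra tokens need the field offsets adjusted. Check the real conf.bfd, ignore.hosts and apf -d syntax against the versions you install.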

Thanks to RFX Networks for creating another great script for the community, Brute Force Detection is excellent!

Cheers
Steve


Comments (16)

  • Edward 07:05, December 9, 2003
    Loved it, worked like a charm, but I had to make the entire code into one line instead of 3 lines of code, not sure why.
  • Chris 22:34, December 19, 2003
    I am trying to do this but get a "mail: command not found" when I log in after doing this. cPanel/RH9

    Any ideas what I might be doing wrong?
  • C0NIk 17:15, March 16, 2004
    It's a cool one, but sometimes it doesn't work with Red Hat Enterprise 3,

    so if it didn't work it will be easy to install LogWatch.
  • Jimmy B Silva II 10:20, March 27, 2004
    Make sure you put it in a single line like Edward did. It should work for Red Hat Enterprise 3.
  • jad madi 15:46, May 20, 2004
    Use echo -n, it's better,
    so no one will notice that there is monitoring of logins.
  • JLChafardet 19:36, November 2, 2004
    It worked like a charm on my RHEL ES3 box; will see if it sends mails on every root try.

    Anyway, it is most recommended that you forbid direct root logins.
  • Holoken 20:53, July 17, 2005
    If the attacker's clever then it won't work. Instead of logging in like Joe Admin would, he'll tell ssh to execute the following command: "ssh user@example.com /bin/bash --noprofile --norc". This'll bypass the mail-sending script in /root/.bashrc, and we'll be none the wiser.

    Put it instead in /root/.ssh/rc, which is executed before any command (including any login shell) is run. This way the attacker's login will not go undetected even if he uses the above method to get in.
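Holoken's point above, turned into an added example (this is not the article's one-liner and not code from the page's author): a POSIX sh script meant to live in /root/.ssh/rc, which sshd runs with /bin/sh before the login shell or any requested command, so "ssh host /bin/bash --noprofile --norc" still triggers it, provided sshd has not been configured to disable user rc files. It takes the client address from the SSH_CONNECTION variable that sshd exports rather than parsing the output of who, which is what the cut pipeline in the other comments trips over. The recipient address, and the SSH_CONNECTION value used to exercise it, are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own script: a root-login alert for
# /root/.ssh/rc. sshd runs this file with /bin/sh before the user's shell
# or command, so it is not skipped by "ssh host /bin/bash --noprofile --norc".
# ALERT_TO is an assumption; keep the file owned by root, mode 0700.

ALERT_TO="you@yourdomain.com"   # assumed recipient

# Client address from SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port". Word splitting on the
# unquoted expansion is intended. Prints "unknown" when the session did
# not come through sshd (console login, or the file run by hand).
client_ip() {
    set -- ${SSH_CONNECTION:-unknown}
    printf '%s\n' "$1"
}

# Subject line: $1 is the client address.
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$1"
}

# Body: $1 client address, $2 account, $3 timestamp.
alert_message() {
    printf 'ALERT - Root Shell Access (%s) on: %s\nFrom: %s as %s\n' \
        "$(uname -n)" "$3" "$1" "$2"
}

# Send the alert; output is discarded so nothing leaks onto the session.
send_alert() {
    ip=$(client_ip)
    alert_message "$ip" "$(id -un)" "$(date)" \
        | mail -s "$(alert_subject "$ip")" "$ALERT_TO" >/dev/null 2>&1
}

# Only alert for real SSH sessions; SSH_CONNECTION is unset otherwise.
if [ -n "$SSH_CONNECTION" ]; then
    send_alert
fi
```

Two caveats when deploying this: sshd runs ~/.ssh/rc for non-interactive sessions too, so scp and scripted logins as root will each send a mail, which is exactly the coverage the bypass in the comment calls for; and when ~/.ssh/rc exists, sshd leaves X11 authentication to it, so if you forward X11 as root the script also has to read the auth data on stdin and call xauth itself, as sshd(8) describes.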
  • Arif Kanji 19:22, August 9, 2005
    Awesome!
    How do you code it to get alerts only for users who have entered an incorrect username and/or password?

    Thanx
  • Clayton 21:40, October 23, 2005
    Hi,
    I couldn't see .bashrc anywhere in my /root; what should I do?

    Thanks
    Regards,
    CEO NightShells.NeT
  • BitSurFer 16:38, July 11, 2006
    Something wrong!!
    When I log in I get this error:
    ----------------------------
    cut: you must specify a list of bytes, characters, or fields
    Try `cut --help' for more information.
    -bash: -f1: command not found
    ----------------------------
  • Dave 16:55, March 15, 2007
    BitSurFer,

    Try replacing:
    `who | cut -d"(" -f2 | cut -d")" -f1`

    with:
    `whoami`

    It should do the same thing.
  • JACOB 10:50, April 10, 2008
    I CAN'T SEE WHERE IT IS WRITTEN - "echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com"

  • Phil 17:29, May 15, 2008
    For FreeBSD users, edit the /root/.cshrc file and add the line as follows:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `whoami`" yourname@your.email

    This should all be one line and should probably be added to the end of the file.

  • Paul Brady 21:11, September 9, 2008
    I can only get this tip to work if I enter:
    # source .bash_profile

    to source the file. When I do that, I get an email. When I log out, however, and then log back in (using su) I get no alert by email.
    Am I missing something? I've been banging my head on the wall for hours. Can someone help? :-)
  • ubaid 00:49, September 23, 2008
    Can we add the IP address of the machine from which we log in, just like the message we get when we log in to the root user?
  • ericinwisconsin 15:59, July 1, 2009
    An elegant solution, yes, but also prevent root from logging in at all. Add this line:

    AllowUsers username

    to your sshd_config file.

    For us Debian (and probably Ubuntu) users, the file is at /etc/ssh/sshd_config

    You can issue an "su" command to become root. I NEVER allow root direct ssh access to a box, but I do also use the technique on this page to make sure. I also limit ssh access only from certain other boxes on important servers and routers.

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2010 WebHostGear.com