Hi,

I have completed a setup of BFD and it looks like it's not working properly for my system as far as correctly extracting IP addresses from the logs.

Last night I received two BFD emails on attack attempts. One of them was parsed correctly by BFD, the other wasn't.

Here is the first that worked:

Executed ban command:
/etc/apf/apf -d h-217.114.218.67.keyweb.de {bfd.sshd}

The following are event logs from h-217.114.218.67.keyweb.de on service sshd (all time stamps are GMT -0700):

Jun 27 03:32:20 admin sshd[30002]: reverse mapping checking getaddrinfo for h-217.114.218.67.keyweb.de failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 27 03:32:24 admin sshd[30096]: reverse mapping checking getaddrinfo for h-217.114.218.67.keyweb.de failed - POSSIBLE BREAK-IN ATTEMPT!


Here is the one that did not work:

Executed ban command:
/etc/apf/apf -d euid=0 {bfd.sshd}

The following are event logs from euid=0 on service sshd (all time stamps are GMT -0700):

Jun 24 15:09:53 admin sshd[8079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.144.235.236
Jun 24 15:29:13 admin sshd[1932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189-10-92-61.pmjce700.e.brasiltelecom.net.br
...


Obviously, BFD is parsing the string "euid=0" as the host/IP entry from the log.

Has anyone else had this issue and how do I fix it?

Thanks

Krabs
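An added example, not from the post and not BFD's own sshd rule: a small Python extractor that pulls the remote host from the two sshd message forms shown above using a pattern per message form, then validates the captured value as an IP address or hostname before it could ever reach a ban command. A token like euid=0 fails validation and is skipped instead of being banned. The sample lines are constructed from the ones quoted in the post.

```python
import re
import ipaddress

# Sample sshd lines constructed from the ones quoted in the post.
SAMPLE_LOGS = [
    "Jun 27 03:32:20 admin sshd[30002]: reverse mapping checking getaddrinfo for "
    "h-217.114.218.67.keyweb.de failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jun 24 15:09:53 admin sshd[8079]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=216.144.235.236",
    "Jun 24 15:29:13 admin sshd[1932]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=189-10-92-61.pmjce700.e.brasiltelecom.net.br",
]

# One pattern per sshd message form; each captures only the remote host field,
# so key=value pairs such as euid=0 are never candidates.
PATTERNS = [
    re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed"),
    re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)"),
]

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(token):
    """True only for a literal IPv4/IPv6 address or a well-formed hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(token))


def extract_host(line):
    """Return the remote host from an sshd log line, or None if no trusted field is found."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match and is_valid_host(match.group(1)):
            return match.group(1)
    return None


def ban_targets(lines):
    """Hosts safe to hand to a ban command; unparseable lines are skipped, not guessed."""
    return [host for host in map(extract_host, lines) if host]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_host(line))
```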