
BFD (brute force detector) is an excellent package by rfxnetworks that works hand-in-hand with the APF firewall package to automatically detect and put an end to brute force access attempts. BFD works by monitoring for excessive access attempts via ssh. If it does detect attempts, it places the offender’s IP in APF’s deny hosts file. Thus APF automatically drops packets from the offender and cuts them off from the server.

cd into a temporary directory on a filesystem that allows executables (the installer runs from there), then download, unpack and install the current release:

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd*
./install.sh

.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Edit the configuration file located at /usr/local/bfd/conf.bfd

Change ALERT_USR="0" to ALERT_USR="1"
Change EMAIL_USR="root" to EMAIL_USR="you@yoursite.com"
(only needed if you want the alert e-mails delivered to an address other than root's mailbox)

Now add your own IP address to BFD's list of ignored hosts. This prevents BFD from locking you out of your own server later on.
Edit /usr/local/bfd/ignore.hosts
Add any IP address that should be excluded from the rules - e.g. your own IP, your server provider's monitoring services, authorised users' IPs, etc.
A good rule of thumb is to copy the list of IPs already in apf's allow_hosts.conf file. If you are already allowing these addresses through the firewall, it is more than likely that you also want to exclude them from bfd's monitoring.

Finally, start BFD:

/usr/local/sbin/bfd -s
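The configuration steps above (enable alerts, set the alert address, carry the APF allow list over into ignore.hosts, and make sure your own address is listed before starting the daemon) as a small POSIX shell script. This is an added example, not part of the original howto or of the rfxnetworks package; it takes the file paths as arguments instead of assuming /usr/local/bfd so it can be tried against throw-away copies first, and it assumes conf.bfd uses KEY="value" lines and that ignore.hosts holds one address or CIDR per line.

```shell
#!/bin/sh
# Added example (not rfxnetworks code): scripted version of the howto's
# configuration steps, parameterised on file paths. Assumed layout:
#   conf.bfd      lines of the form KEY="value"
#   allow_hosts   APF allow list, one address/CIDR per line, '#' comments allowed
#   ignore.hosts  BFD ignore list, one address/CIDR per line

# bfd_configure CONF EMAIL
# Enable user alerts and set the alert address; every other key is untouched.
# Assumes EMAIL contains no sed metacharacters ('/', '&', '\').
bfd_configure() {
    conf="$1"
    email="$2"
    tmp="$conf.tmp.$$"
    sed -e 's/^ALERT_USR=.*/ALERT_USR="1"/' \
        -e "s/^EMAIL_USR=.*/EMAIL_USR=\"$email\"/" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# bfd_get CONF KEY
# Print the value of KEY from CONF with its surrounding quotes removed.
bfd_get() {
    sed -n "s/^$2=\"*\([^\"]*\)\"*.*/\1/p" "$1"
}

# bfd_merge_ignore ALLOW IGNORE
# Append every address from the APF allow list to the BFD ignore list,
# dropping comments, blank lines and entries that are already present.
bfd_merge_ignore() {
    allow="$1"
    ignore="$2"
    touch "$ignore"
    # Make sure the existing file ends in a newline before appending.
    [ -s "$ignore" ] && [ -n "$(tail -c1 "$ignore")" ] && echo >> "$ignore"
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$allow" |
    while IFS= read -r addr; do
        grep -qxF "$addr" "$ignore" || printf '%s\n' "$addr" >> "$ignore"
    done
}

# bfd_is_ignored ADDR IGNORE
# Succeed when ADDR appears as an exact entry in IGNORE. Run this with your
# own address before starting bfd: if it fails, you can still lock yourself
# out. (A covering CIDR entry is not recognised; the check is literal.)
bfd_is_ignored() {
    grep -qxF "$1" "$2"
}

# Typical use on a real install (uncomment to run for real):
# bfd_configure /usr/local/bfd/conf.bfd you@yoursite.com
# bfd_merge_ignore /etc/apf/allow_hosts.rules /usr/local/bfd/ignore.hosts
# bfd_is_ignored "$MY_IP" /usr/local/bfd/ignore.hosts && /usr/local/sbin/bfd -s
```

The script refuses nothing and prompts for nothing; the safety net is the final `bfd_is_ignored` check, which only starts the daemon when the address you manage the server from is already on the ignore list.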