Add Banned IP DNS Info to BFD Emails

by damonp on January 4, 2006

I always look up the DNS info for the IPs in the Brute Force Detection (BFD) alert emails to see where an attack is coming from. If several attacks come from similar places, the ISP or datacenter can be notified of the attack.

I added a few lines to the BFD alert script so the DNS lookup information is included automatically in the alert email, saving a manual lookup.

Add the following snippets to /usr/local/bfd/alert.bfd. The first goes next to the existing EB and EV assignments; the commented dig line is the only new one:

EB=0
EV=`nice -n 19 tail -n 25000 $LP | grep $ATT_HOST | tail -n 250`
# damonp add dig command to get IP DNS info
DIG=`dig -x $ATT_HOST`

The second goes into the body of the alert email, between the "Executed ban command" section and the event log heading; the "DNS Info:" line and the $DIG line below it are the new ones:

Executed ban command:
$BCMD

DNS Info:
$DIG

The following are event logs from $ATT_HOST on service $MOD (all time stamps are GMT $TMZ):

Or just download this alert.bfd.dig file, rename it to alert.bfd and replace the original at /usr/local/bfd/alert.bfd.
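As an added example (not code from the original post or from the BFD project), here is the same lookup written as a small sh script that can sit next to alert.bfd. It adds the two checks the one-liner lacks: $ATT_HOST is validated as a dotted-quad IPv4 address before it is handed to dig, so a stray token pulled from a log line cannot be read by dig as an option, and the lookup gets a short timeout so a slow or dead resolver cannot hold up the alert email. An address with no PTR record still yields a readable line. dig(1) from the BIND utilities is assumed; the function names and the sample address are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the BFD project.
# Assumes a POSIX sh and dig(1) from the BIND utilities; the function names
# (is_ipv4, reverse_lookup, format_dns_info, dns_info_section) are this
# example's own.

# Accept only a dotted-quad IPv4 address. alert.bfd takes $ATT_HOST from log
# lines, so anything that is not an address (for instance a token starting
# with "-" or "+") must never reach dig as an argument. The body runs in a
# subshell so the IFS change does not leak into the caller.
is_ipv4() (
    case $1 in
        *[!0-9.]*|'') exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Reverse-resolve one address. The timeout keeps a slow or dead resolver
# from stalling the alert mailer; output is the PTR names, one per line,
# or nothing when the address has no PTR record.
reverse_lookup() {
    dig +short +time=2 +tries=1 -x "$1" 2>/dev/null
}

# Render the "DNS Info" block for the email. $1 is the address, $2 is the
# raw lookup output (possibly empty). Kept separate from the lookup so it
# can be exercised without network access.
format_dns_info() {
    ip=$1
    ptr=$2
    printf 'DNS Info:\n'
    if [ -z "$ptr" ]; then
        printf '%s: no PTR record\n' "$ip"
        return 0
    fi
    printf '%s\n' "$ptr" | while IFS= read -r name; do
        printf '%s -> %s\n' "$ip" "$name"
    done
}

# What alert.bfd would assign to DIG: DIG=$(dns_info_section "$ATT_HOST")
# Returns 1 (and says so in the block) when the value is not an IPv4 address.
dns_info_section() {
    if ! is_ipv4 "$1"; then
        printf 'DNS Info:\n%s: not a valid IPv4 address, lookup skipped\n' "$1"
        return 1
    fi
    format_dns_info "$1" "$(reverse_lookup "$1")"
}

# Stand-alone use: sh dns_info.sh 192.0.2.10 (the address is a constructed example)
if [ -n "${1-}" ]; then
    dns_info_section "$1"
fi
```

The output of dns_info_section is exactly the text the post puts under "DNS Info:" in the email. PTR records are published by whoever runs the reverse zone for the address block, so the names are context for deciding which ISP or datacenter to notify, not something to act on automatically.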
