How do I stop a brute force attack?

gunemalli (Verified User; joined Jul 22, 2009; 86 messages; Sheffield, UK)
Hello,

I'm getting some brute force attacks recently, especially targeted at exim. I'm running CSF, but it seems it doesn't monitor exim. I'm getting loads of emails from DirectAdmin saying a brute force attack was detected, but I have to manually block the IP.

Is there a way to automatically block the IP or drop the connections within DA?

Thanks
 
Edit the script that will enable the IP blocking.

Code:
nano /usr/local/directadmin/scripts/custom/block_ip.sh

And put this code:

Code:
#!/bin/sh
# DirectAdmin sets $ip to the address chosen in the IP Info page;
# hand it to CSF, which adds it to its deny list
/etc/csf/csf.pl -d "$ip"

exit 0

Now, when you click Block, CSF will do all the work automatically and you will be able to manage the lists from CSF as for everything else.

Regards
 

I have also installed this firewall but I can't find this file:
nano /usr/local/directadmin/scripts/custom/block_ip.sh
 

Create it then:

Code:
touch /usr/local/directadmin/scripts/custom/block_ip.sh
 
You could also do something similar to sshblack (http://www.pettingers.org/code/sshblack.html). I use that and customized it a bit to also monitor the exim mainlog file. Once a specified number of invalid attempts occur, it is configured to block that IP in the firewall and unblocks that IP address after a specified amount of time.
 
RBL will help you.

According to the exim log, you have to find a suitable RBL for your mail server. That is a better idea for a brute force attack.
If your issue is not resolved by that RBL, let me see your log. Maybe I can help you...
 
An RBL is no replacement or something better against a brute force attack.
An RBL is a blacklist or blocking list (whatever you want to call it), to block known spam addresses and IPs.

So if you get several persons or servers, not known as spammers or otherwise reported, mail attempts will pass through. So you have to report them first, and normally it takes more reports before IPs will get on the blacklists which are used by the RBLs.

However, if the attack is at the POP3 server, CSF should be able to automatically ban the IPs.
 
So you're saying this change alone will ban the IP after DirectAdmin triggers a brute force attack? I want this automated if I can.... I see nothing in the above that will do this automatically? Please clarify.
 
No,

this will enable the Block IP button in the IP Info page.

For automatic blocking there is a script that should be like

/usr/local/directadmin/scripts/custom/brute_notify_post.sh

but I'm not sure about this; here you can set up what to do automatically after a notify (it should be the same code as block_ip.sh, but I'm not sure).

Regards
 
The answer can be found here:

4) This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin, it does not automate blocking. To automate blocking, create:

Code:
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
and in that script, add:

Code:
#!/bin/sh
# DirectAdmin sets $value to the IP reported in the brute force notice;
# pass it to block_ip.sh as $ip and return that script's exit status
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip="$value" "$SCRIPT"
exit $?
and chmod the brute_force_notice_ip.sh to 700.


That's it.
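A hardened variant of that hook, added here as an example and not taken from the DirectAdmin help system or from CSF: it checks that $value really is a dotted-quad IPv4 address and refuses addresses on a local never-block list before calling csf -d, which addresses the "block yourself" caveat in step 4. CSF_CMD and NEVER_BLOCK are assumed names chosen for this example.

```shell
#!/bin/sh
# Example brute_force_notice_ip.sh (added example, not DirectAdmin's or CSF's code).
# DirectAdmin passes the offending address in $value; validate it before
# handing it to csf, and never block addresses on a local protected list.

CSF_CMD="${CSF_CMD:-/etc/csf/csf.pl}"    # assumed csf path, as used in this thread
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"  # constructed list; add your own admin IP

# Return 0 if $1 is a plain dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is on the never-block list.
is_protected() {
    for safe in $NEVER_BLOCK; do
        [ "$1" = "$safe" ] && return 0
    done
    return 1
}

# Validate, then deny via csf. Returns 1 for a malformed or protected
# address without calling csf at all.
block_ip() {
    is_ipv4 "$1" || { echo "refusing to block malformed value: $1" >&2; return 1; }
    is_protected "$1" && { echo "refusing to block protected address: $1" >&2; return 1; }
    "$CSF_CMD" -d "$1"
}

# When run as the DirectAdmin hook, $value holds the reported IP.
if [ -n "${value:-}" ]; then
    block_ip "$value"
fi
```

Install it with chmod 700 as in step 4; the validation matters because $value is interpolated into a command line that runs as root.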
 
Zeither, does this work with the CSF script as well?

Why not just put the block_ip code in it? It would have the same effect, am I wrong?

Regards
 
Zeiter, does this work with the CSF script as well?

Why not?

Why not just put the block_ip code in it? It would have the same effect, am I wrong?

Why do you ask me? It's an example from the help system.

If your block_ip.sh has two lines of code, you can duplicate it in brute_force_notice_ip.sh. It's your choice. Not mine.

But if you read the page from the help system, you'll see that there are a few more lines of code in block_ip.sh. And why should one duplicate it? But if you want, you're welcome...
 
I've asked because I wasn't sure about the $value variable, whether it was the IP coming from the notify or a variable for the block_ip.sh script.

I've tested it and it works as well with CSF, because $value is just the IP :)

I don't use the default script but the CSF version for the implementation, and I was trying to understand why send to another script while the CSF script is 3 lines of code... then I saw the DirectAdmin one and I understood :)

Well, it works well, both ways.

Regards
 
Yes, I'm running CSF, so I'm trying to see the proper way to take these brute force attacks that DA is detecting and block them with CSF.

So far DA brute force detection is 100% and doing well... I just need CSF to block them now.
 