How do I stop a brute force attack?

Please do not confuse the others: an htaccess file won't help you protect the server from brute-force attacks in the context of DirectAdmin. DirectAdmin BFM protects against POP/IMAP/SMTP, FTP and SSH brute force attacks, which have nothing to do with the htaccess file at all.
 
I am sorry for bumping an old thread.

I am seeing massive brute force attempts (5000 user logins) like these:

Code:
13447465210001	41.84.204.13	[email protected]	1	dovecot1	Aug 12 06:41:22 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 18 secs): user=<[email protected]>, method=PLAIN, rip=41.84.204.13, lip=myip, session=<3J1bLwrHewApVMwN>

I am using ConfigServer Security & Firewall (CSF). Can anybody tell me if I can just create the brute_force_ip.sh file and add those lines to enable auto blocking? Because I think CSF already has iptables etc. and I don't want to install it twice.

Or is my CSF not working properly because it's not blocking?
 
Does anyone mind sharing the solution with APF firewall? Thank you :)
 
Hi
Just a question, to understand how it works

I added this script: brute_force_notice_ip.sh
Code:
#!/bin/sh
# DirectAdmin BFM hook. As used here, DirectAdmin sets $value (the offending IP),
# $count (the number of failed attempts) and $data (the matching log lines)
# before running it.

# give your server a name for easy identification
SERVER=$(hostname -s)

# where you want the email to be sent to
EMAIL=myemail

# notify the admin, including a reverse lookup of the attacker's address
echo "IP $value has been blocked by Brute_Force_Notice_IP for making $count failed login attempts

$data

$(dig -x "$value")" | mail -s "$SERVER:  blocked $value for $count failed attempts" "$EMAIL"

# then hand the IP to the real blocking script, which expects it in $ip
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip="$value" $SCRIPT
exit $?

$value is the IP, I suppose sent by DirectAdmin.
$count: where does this value come from? How do I change it?

Last question: when is this script run?

Thanks for your reply.
I use CSF, which blocks brute force attacks very well, except for exim.
So I want to secure my servers more, and I think your suggestions will be very useful. But I prefer to understand exactly what I'm doing.

Thanks for your explanations.
 
Edit the script that enables the IP blocking.

Code:
nano /usr/local/directadmin/scripts/custom/block_ip.sh

And put this code

Code:
#!/bin/sh
# DirectAdmin passes the IP to block in $ip; hand it to CSF as a deny entry
/etc/csf/csf.pl -d "$ip"

exit 0

Now, when you click to block, CSF will do all the work automatically and you will be able to manage the lists from CSF as for everything else.

Regards

Hi, I tried your way of blocking the script kiddies, but when I tried to block the IPs I got this message:

2013:05:17-18:21:19: Block IP '114.80.155.58' error: Script output:
2013:05:17-18:21:19: Block IP '119.254.7.71' error: Script output:
2013:05:17-18:21:19: Block IP '5.152.207.51' error: Script output:
2013:05:17-18:21:19: Block IP '61.142.106.34' error: Script output:
2013:05:17-18:21:19: Block IP '69.64.43.8' error: Script output:
2013:05:17-18:21:19: Block IP '85.114.130.15' error: Script output:

How do I fix this?
 
About the available variables

Hello,

I tested the small tutorial from post 15 and it works well. The script "block_ip.sh" receives the IP address as a value and saves it in "$value", which is then exported in the "ip" variable. My question is: is it possible to also receive the port where the attack is happening?

Thank you very much.
 
The port number is not passed directly; you can see how we detect it in our script:

https://github.com/poralix/directadmin-bfm-csf/blob/master/block_ip.sh

Our set of scripts for CSF/LFD + Directadmin BFM: https://forum.directadmin.com/showthread.php?t=44839

Hello Alex, thank you. I checked it and have one doubt: I understand that the data var is exported by DirectAdmin, correct? On the other hand, do you have some example of this value before you apply your filters? Thank you again.
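The port question in the last few posts, and the block_ip.sh hook from the earlier post, as one added example that is not from the thread, DirectAdmin or CSF: a block_ip.sh-style hook that validates the address DirectAdmin passes in $ip, guesses the attacked service (and so the port) from the daemon named in the $data log lines, and calls csf -d with a descriptive comment. The variable names $ip, $data and $count follow the posts above; the path /usr/sbin/csf, the SAMPLE_DATA line and the service-to-port table are my assumptions.

```shell
#!/bin/sh
# Added example (not a script from the thread, DirectAdmin or CSF): a
# block_ip.sh-style hook that validates the IP DirectAdmin hands the hook,
# guesses the attacked service from the BFM log lines in $data, and passes
# the IP to CSF with a comment.
# Assumptions: DirectAdmin exports $ip, $data and $count to the hook as the
# posts above describe, and CSF lives at /usr/sbin/csf. Point CSF_CMD at
# echo or a shell function to dry-run without CSF installed.

CSF_CMD="${CSF_CMD:-/usr/sbin/csf}"

# Constructed sample of what $data may contain: the thread's dovecot line with
# the addresses replaced by documentation ranges (RFC 5737).
SAMPLE_DATA='Aug 12 06:41:22 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 18 secs): user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, session=<3J1bLwrHewApVMwN>'

# Accept only a bare IPv4 or IPv6 address. The hook runs as root, so anything
# else (a hostname, shell metacharacters smuggled into a log line) is refused
# rather than interpolated into the csf command line.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}$'
}

# Pull the remote IP (rip=) out of a dovecot login line, for cross-checking
# against $ip; prints nothing if the line has no rip= field.
rip_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*rip=\([0-9a-fA-F.:]*\).*/\1/p' | head -n 1
}

# Map the daemon named in the log data to the port(s) it listens on. BFM does
# not pass the port, so this is a guess from the service name (my table; add
# cases for whatever else your server runs).
service_ports() {
    case "$1" in
        *pop3-login*) echo "110,995" ;;
        *imap-login*) echo "143,993" ;;
        *exim*)       echo "25,465,587" ;;
        *sshd*)       echo "22" ;;
        *ftpd*)       echo "21" ;;   # proftpd and pure-ftpd
        *)            echo "unknown" ;;
    esac
}

# block_ip IP DATA COUNT: validate, then add a permanent csf deny entry.
# "csf -d IP comment" is the command-line form of the csf.pl -d call in the
# earlier post; the comment is stored in /etc/csf/csf.deny next to the address.
block_ip() {
    addr=$1; logdata=$2; attempts=${3:-unknown}
    if ! valid_ip "$addr"; then
        echo "block_ip: refusing malformed address '$addr'" >&2
        return 2
    fi
    seen=$(rip_from_line "$logdata")
    if [ -n "$seen" ] && [ "$seen" != "$addr" ]; then
        echo "block_ip: warning, \$ip=$addr but log shows rip=$seen" >&2
    fi
    "$CSF_CMD" -d "$addr" "DirectAdmin BFM: $attempts failed logins, port(s) $(service_ports "$logdata")"
}

# When DirectAdmin runs the hook it sets $ip; when the file is sourced for
# testing it does not, so nothing is blocked by accident.
if [ -n "$ip" ]; then
    block_ip "$ip" "$data" "$count"
fi
```

Installed as /usr/local/directadmin/scripts/custom/block_ip.sh it behaves like the two-line csf.pl version but refuses anything that is not an address and records which service was hit; with CSF_CMD=echo you can call block_ip by hand and see exactly what would be denied.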
 