# of attempts to block an IP

orkinoks

Hi;
I have applied the settings explained here to one of my servers:
http://help.directadmin.com/item.php?id=380

I have two things that are not covered in the docs, and I couldn't find them with the help of my big brother Google.

1) Do we have to set Admin Settings > "Parse service logs for brute force attacks" to yes for this automatic blocking mechanism to work?
2) How do we set the number of login attempts to block an IP? Is it the directadmin.conf > ip_brutecount setting?

thanks.
 
@mr.applesauce
thanks for the links, but I have already read them.

------------
Notifications will be sent to all Admins on the system after an IP makes x number of attempts on any account:
ip_brutecount=20

or a user account received x number of attempts from any IP:
user_brutecount=20
------------

These settings are described as the limits for admin notifications, not the block limit for an IP or user. I wonder if there is another setting somewhere else, or whether these notification limits are also used for blocking. There is no description of this either in the links you have sent or in http://help.directadmin.com/item.php?id=380
 
Hi;
since nobody replied, I had to ask DirectAdmin support. I am adding their answer for future reference, hence I really think that the tutorial has to include this information.

My questions:

1) Do we have to set Admin Settings > "Parse service logs for brute force attacks" to yes for this automatic blocking mechanism to work for dovecot, ssh, etc.?

2) How do we set the number of login attempts to block an IP? Is it the directadmin.conf > ip_brutecount setting? If not, what is it?

3) Can we block the IP automatically, without notification to the admin, since when you have multiple servers these notifications rain down like hell?

The answer:
1) Yes. The feature is only for notification. The automated blocking of IPs uses the notification script to trigger the block, hence set the notifications to what you'd like, and this will block the IPs upon notification.

2) Admin Settings -> Notify Admins after an IP has [X] login failures on any account.

3) It's linked to the message system. You can't disable the notifications, but you can set the message system to deliver to an account that is rarely used.
 
Or of course send it to a forwarder set to /dev/null. Search these forums for how.

Jeff
 
Hi There
we noticed that the package at http://files1.directadmin.com/services/all/iptables blocks ports 465 and 995 by default.

We have done:

Code:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d **.**.**.** --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s **.**.**.** --sport 995 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables save

but the connection is still blocked. (It works when iptables is turned off; we have done the configuration in exim.conf and dovecot.conf.)

Does anyone know how to add 465 and 995 to the iptables allow list? Alternatively, can we use KISS or APF to edit these rules with this iptables package? http://help.directadmin.com/item.php?id=380

Here is the output of # iptables -vnL --line-numbers

Code:
Chain INPUT (policy ACCEPT 2318 packets, 265K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  1608 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
4        0     0 DROP       all  --  *      *       122.176.65.9         0.0.0.0/0
5        0     0 DROP       all  --  *      *       117.38.4.13          0.0.0.0/0
6        0     0 DROP       all  --  *      *       193.106.172.96       0.0.0.0/0
7       42  2016 DROP       all  --  *      *       188.3.49.68          0.0.0.0/0
8        0     0 DROP       all  --  *      *       116.125.126.12       0.0.0.0/0
9        0     0 DROP       all  --  *      *       220.248.167.236      0.0.0.0/0
10       0     0 DROP       all  --  *      *       220.248.167.238      0.0.0.0/0
11       0     0 DROP       all  --  *      *       222.246.37.255       0.0.0.0/0
12       0     0 DROP       all  --  *      *       121.35.77.217        0.0.0.0/0
13       0     0 DROP       all  --  *      *       32.64.28.38          0.0.0.0/0
14       0     0 DROP       all  --  *      *       78.168.241.4         0.0.0.0/0
15       0     0 DROP       all  --  *      *       119.122.229.195      0.0.0.0/0
16       0     0 DROP       all  --  *      *       221.176.11.13        0.0.0.0/0
17       0     0 DROP       all  --  *      *       113.116.243.35       0.0.0.0/0
18       0     0 DROP       all  --  *      *       117.41.182.209       0.0.0.0/0
19       0     0 DROP       all  --  *      *       119.122.124.120      0.0.0.0/0
20       0     0 DROP       all  --  *      *       94.123.229.127       0.0.0.0/0
21       2   128 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
22   22406 2346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
23       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
24       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
25       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
26       1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
27     196  9920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02 limit: avg 1/sec burst 10
28       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 flags:0x17/0x02
29       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
30       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587
31       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
32       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
33    1089 59063 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
34      71  3866 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
35       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
36       2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
37       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
38       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
39       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3306
40       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: MSSQL '
41       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433
42       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6670 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Deepthrt '
43       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6670
44       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6711 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
45       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6711
46       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6712 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
47       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6712
48       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6713 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
49       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6713
50       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
51       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345
52       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12346 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
53       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12346
54       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20034 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
55       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20034
56       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:31337 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: BO '
57       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:31337
58       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6000 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: XWin '
59       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6000
60       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33523
61       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
62       0     0 REJECT     2    --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
63       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 reject-with icmp-port-unreachable
64       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 reject-with icmp-port-unreachable
65      84  4896 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
66      96  5604 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
67       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
3        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2412 packets, 2247K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6660:6669
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7000
3    16777   33M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       **.**.**.**        0.0.0.0/0           tcp spt:995 dpts:1024:65535 state ESTABLISHED
5        0     0 ACCEPT     tcp  --  *      *       **.**.**.**        0.0.0.0/0           tcp spt:995 dpts:1024:65535 state ESTABLISHED
6        0     0 ACCEPT     tcp  --  *      *       **.**.**.**        0.0.0.0/0           tcp spt:995 dpts:1024:65535 state ESTABLISHED
 
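Editor's note on the listing above (added example, not part of the thread). The INPUT chain ends with a catch-all REJECT for TCP (rule 66, reject-with tcp-reset) and a catch-all DROP (rule 67). A rule added with `iptables -A INPUT ...` is appended after those, so it is evaluated only after every packet has already been rejected or dropped, and can never match; the OUTPUT rules 4-6 show the same thing happening harmlessly behind OUTPUT rule 3 (`ACCEPT all`). Separately, `iptables` has no `save` subcommand, so `/sbin/iptables save` would have errored rather than persisted anything. The script below is a constructed check for exactly this ordering problem: it parses `iptables -vnL --line-numbers` output, finds the first rule that terminates all TCP traffic, and reports whether an ACCEPT for a given port sits before it. The sample chain is a condensed copy of the thread's listing plus a hypothetical rule 68 showing where an appended dpt:995 rule would land.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a TCP port is actually
# reachable through an INPUT chain, given `iptables -vnL --line-numbers` output.
# Rules appended with "iptables -A INPUT" go to the END of the chain; when the
# chain already ends in a catch-all REJECT/DROP, the appended rule is unreachable.

# Constructed sample: condensed copy of the thread's INPUT chain, plus a
# hypothetical rule 68 showing where "-A INPUT -p tcp --dport 995 -j ACCEPT" lands.
SAMPLE_CHAIN='Chain INPUT (policy ACCEPT 2318 packets, 265K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  1608 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
7       42  2016 DROP       all  --  *      *       188.3.49.68          0.0.0.0/0
22   22406 2346K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
34      71  3866 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
36       2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
66      96  5604 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
67       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
68       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:995 state NEW,ESTABLISHED'

# Print the number of the first rule that terminates every TCP packet regardless
# of port: target DROP/REJECT, protocol all or tcp, any source and destination,
# and no match extension after the destination column ("reject-with" is a
# target option, not a match). Prints nothing if the chain has no such rule.
first_tcp_catchall() {
    printf '%s\n' "$1" | awk '
        NR > 2 && ($4 == "DROP" || $4 == "REJECT") &&
        ($5 == "all" || $5 == "tcp") && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" &&
        ($11 == "" || $11 == "reject-with") { print $1; exit }'
}

# Print the number of the first ACCEPT rule whose match includes "dpt:<port>".
first_tcp_accept() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 2 && $4 == "ACCEPT" && $5 == "tcp" {
            for (i = 11; i <= NF; i++) if ($i == ("dpt:" port)) { print $1; exit }
        }'
}

# Succeed only if an ACCEPT for TCP port $2 precedes the first catch-all rule.
port_reachable() {
    accept=$(first_tcp_accept "$1" "$2")
    catchall=$(first_tcp_catchall "$1")
    [ -n "$accept" ] || return 1            # no ACCEPT rule for that port at all
    [ -z "$catchall" ] && return 0          # no catch-all: position does not matter
    [ "$accept" -lt "$catchall" ]
}

# Print the runtime command that would make port $2 reachable: insert (-I) at
# the catch-all's position instead of appending (-A) behind it.
suggest_fix() {
    catchall=$(first_tcp_catchall "$1")
    printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "${catchall:-1}" "$2"
}

for p in 110 143 995 993; do
    if port_reachable "$SAMPLE_CHAIN" "$p"; then
        echo "tcp/$p: reachable"
    else
        echo "tcp/$p: NOT reachable; runtime fix: $(suggest_fix "$SAMPLE_CHAIN" "$p")"
    fi
done
```

Run it against a live box with `first_tcp_catchall "$(iptables -vnL INPUT --line-numbers)"`. The `-I` command it prints is only a runtime test: the DirectAdmin init script rebuilds the whole chain on restart, so a durable change has to go into that script, which is what the later post in this thread does.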
I keep on answering my own questions. :)
For those who use the article at http://help.directadmin.com/item.php?id=380 to have an auto-blocking mechanism: all the rules are set inside the iptables file downloaded from the DirectAdmin server, so do not search for an iptables rules file. :)

Here is what to do to open the secure SMTP and secure POP3 ports in the iptables installed with the article at http://help.directadmin.com/item.php?id=380 (please note that if you haven't installed iptables using this article, this solution may not work for you).

Code:
cd /etc/init.d
nano iptables

Find the following line:
$IPTABLES -A INPUT -p tcp --dport 587 -j ACCEPT
Add the following line below.
$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT

Find the following lines :
# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
Add the following lines below.
# POP-3S
$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
# IMAPS
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT

save file and
Code:
/etc/init.d/iptables restart

that's it.
 
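Editor's note (added example, not part of the thread or of DirectAdmin's script). The edit described in the post above is a hand edit of /etc/init.d/iptables; the script below performs the same three insertions programmatically and idempotently, so it can be re-run after a package update without duplicating rules. The script text it operates on is a constructed excerpt modelled on the lines the post quotes (the SMTP and IMAP lines and the 25/143 rules are assumed for context; the real file has many more rules), and the file paths in the trailing comment are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the thread): insert ACCEPT rules for 465, 995 and 993
# into a DirectAdmin-style /etc/init.d/iptables script, safe to run repeatedly.

# Constructed excerpt modelled on the lines quoted in the post (not the real file).
SAMPLE_SCRIPT='# SMTP
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 587 -j ACCEPT
# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# IMAP
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT'

# Print $1 with "$IPTABLES -A INPUT -p tcp --dport $3 -j ACCEPT" (preceded by the
# comment "# $4") inserted directly after the existing ACCEPT rule for port $2.
# Idempotent: if port $3 already has an ACCEPT rule, $1 is printed unchanged.
add_accept_after() {
    script=$1; after=$2; new=$3; comment=$4
    if printf '%s\n' "$script" | grep -q -- "--dport $new -j ACCEPT"; then
        printf '%s\n' "$script"
        return 0
    fi
    printf '%s\n' "$script" | awk -v after="$after" -v new="$new" -v comment="$comment" '
        { print }
        $0 ~ ("--dport " after " -j ACCEPT$") {
            if (comment != "") print "# " comment
            print "$IPTABLES -A INPUT -p tcp --dport " new " -j ACCEPT"
        }'
}

# The three additions from the post: SMTPS under 587, then POP-3S and IMAPS under 110.
patch_script() {
    s=$(add_accept_after "$1" 587 465 "SMTPS")
    s=$(add_accept_after "$s" 110 995 "POP-3S")
    s=$(add_accept_after "$s" 995 993 "IMAPS")
    printf '%s\n' "$s"
}

# Line number of the ACCEPT rule for TCP port $2 in $1 (empty if absent).
rule_line() {
    printf '%s\n' "$1" | grep -n -- "--dport $2 -j ACCEPT" | cut -d: -f1
}

# Number of ACCEPT rules in $1.
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT$'
}

PATCHED=$(patch_script "$SAMPLE_SCRIPT")
printf '%s\n' "$PATCHED"

# Real use (paths from the post): keep a backup, write to a temp file, then swap
# it in and reload the rules as the post does.
#   cp -a /etc/init.d/iptables /etc/init.d/iptables.bak
#   patch_script "$(cat /etc/init.d/iptables)" > /etc/init.d/iptables.new
#   chmod 755 /etc/init.d/iptables.new && mv /etc/init.d/iptables.new /etc/init.d/iptables
#   /etc/init.d/iptables restart
```

Because the script rebuilds the whole chain from these `$IPTABLES -A INPUT` lines in order, a rule inserted next to the other service ports ends up ahead of the final catch-all REJECT/DROP, which is why this works where appending to the live chain does not.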
I have just received an e-mail from DirectAdmin support, which says that ports 993 and 995 are now enabled.

thanks.
 