Turn off brute force notifications BUT keep the monitor running and blocking

Dae

Hello,
We're running the latest DirectAdmin with brute-force monitor + block_ip.sh + brute_force_notice_ip.sh which block the "brute-forcers" automatically.

Everything works well, except that we don't want to receive notifications about the brute-force attacks. I assume that the auto-blocking feature is tied to the "notify admins after an IP has ... login failures" setting, so I can't change it.

Of course I can make my email filter those messages out, but perhaps there's a smarter solution.

Thanks! :)
 
AFAIK the BFM scripts run just after notifications, so disabling notifications would disable "actions" as well.

Perhaps I am wrong; maybe someone has a solution.

Regards
 
I installed the latest DA. What does the Brute Force Monitor do, and what does it mean when I add an IP to the skip list? What does the skip list mean?
 
The BFM is for detecting possible hacks on the server, like incorrect logins, people who try to hack your server, and so on. The skip list is to keep a certain IP address from getting blocked.

@Dae, why do you want to disable the notification?
I think it's a very good thing that you get notified when there is a brute-force attack; it gives you information to improve the server security. When you don't want emails from the server, you can disable email messages from the server in DA.
 
I too would like to not get notifications from the Brute Force monitor. Disabling all email messages from the server is not an option for me. Currently I filter the messages to /dev/null on my desktop, but I'd much rather have them not sent.

Jeff
 
Me too. I agree with the action on "notice", but the notification could be disabled; once it is notified, it is banned... I would prefer that the system do the ban task without notifying me; no reason to, once it is banned :)

Regards
 
You can't turn it off now, but this might be a way to get way fewer notifications:

At the admin level, go to Extra Features -> Administrator Settings.
Scroll down to "Security".
Notify Admins after an IP has xx login failures on any account
and
Notify Admins after a User has xx login failures from any IP.
Both these settings are related to the Brute force monitor.

Set both these values to 999 or something like that, and the bruteforce monitor will work, but notifications only appear after 999 attempts of a bruteforce.
Correct?

You think it will stop the blocking, but you can easily test this, can't you?
 
The script for integration with the firewall (and so the scripts for blocking the IP that is brute forcing) starts just after the notification.

If you set the notification to such a high value, those notifications don't arrive, and so the scripts are not called... and so IPs that are brute forcing are not banned (no action will be taken until 999 attempts).

Regards
 
Hello,

I'll add a directadmin.conf option to disable notification of notifications.. if that makes sense ;)

John
 
Hi;
we have upgraded our directadmin to latest version. (1.41)
According to http://www.directadmin.com/features.php?id=1332 there has to be hide_brute_force_notifications=0 line in directadmin.conf but we don't.
Is it safe to add this line manually and do we have to do anything before / after adding to disable notifications but keep blocking active?

Regards.
 
Yes, you can add it without a problem at the end of the file directadmin.conf.

if you prefer, just run:

Code:
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf

Once done, restart directadmin.

Regards
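
The `echo ... >>` one-liner above adds another line every time it is run, and joins onto the last line if the file does not end in a newline. As an added example (not part of the thread and not DirectAdmin's own tooling), the following sets the key exactly once; the helper names and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example. set_conf_key, count_conf_key and get_conf_key are
# hypothetical helper names, not DirectAdmin commands.

# Set key=value exactly once in a key=value style conf file.
set_conf_key() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Keep every line except existing "key=..." entries. awk ends each record
    # with a newline, so a last line that lacked one cannot get glued to ours.
    awk -F= -v k="$key" '$1 != k' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write back in place so the original file keeps its owner and mode.
    cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Number of lines that define the key (1 after set_conf_key).
count_conf_key() {
    awk -F= -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# Value on the last line that defines the key (empty if absent).
get_conf_key() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Demo on a constructed file: two stale entries and no trailing newline.
demo_conf=$(mktemp)
printf 'example_a=1\nhide_brute_force_notifications=0\nhide_brute_force_notifications=0\nexample_b=2' > "$demo_conf"
set_conf_key "$demo_conf" hide_brute_force_notifications 1
echo "entries: $(count_conf_key "$demo_conf" hide_brute_force_notifications)"
echo "value:   $(get_conf_key "$demo_conf" hide_brute_force_notifications)"
cat "$demo_conf"
```

On a real server the first argument would be /usr/local/directadmin/conf/directadmin.conf, followed by the DirectAdmin restart the post above mentions.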
 
Is it possible to send these brute force notifications to a separate email address?
 
Yes, you might need to write your own script to send emails here in /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh or find someone who will do it for you.

related:
http://www.directadmin.com/features.php?id=1332
 
I do something similar with Dovecot and built-in sieve (pigeonhole), using RoundCube to create the rules. All administration stuff goes to one local account on the server, and from there gets redirected by Dovecot based on header and/or body contents. Right now I'm only filtering to different folders in the same account, but given the actions available, I should be able to easily forward to different email addresses, on or off server.

Jeff
 
I've added the hide_brute_force_notifications=1 line at the bottom of the directadmin.conf, but it looks like it doesn't work.

I looked at the loaded config with the "/usr/local/directadmin/directadmin c" command, and hide_brute_force_notifications is still 0.

I have tested by changing another config parameter and restarting DirectAdmin; that value is stored perfectly and shows the right value in "/usr/local/directadmin/directadmin c".

But hide_brute_force_notifications is inserted in the config.

I'm running version 1.45.2 on Debian 6.0 64-bit.

What's going wrong?
 