Page 3 of 3 (results 41 to 57 of 57)

Thread: How to block IPs with Brute Force Monitor in DirectAdmin using CSF

  1. #41
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    Make sure you've got

    Code:
    TESTING = "0"


    in csf config file.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  2. #42
    Join Date
    Jun 2016
    Location
    Istanbul, TR
    Posts
    55
    Test (off)= 0

    Chain num pkts bytes target prot opt in out source destination

    DENYIN 63 0 0 DROP tcp -- !lo * 78.xxx.88.xx 0.0.0.0/0 tcp dpt:20
    DENYIN 64 13 784 DROP tcp -- !lo * 78.xxx.88.xx 0.0.0.0/0 tcp dpt:21

  3. #43
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    It's working, and blocking access only to the attacked port. More reading:

    https://forum.directadmin.com/showth...598#post272598
    With regards, Alex.

  4. #44
    Join Date
    Jun 2016
    Location
    Istanbul, TR
    Posts
    55
    My old CSF settings blocked the IP for everything. For example a wrong password login in Roundcube, on a mobile device, FTP, BFA etc.
    Sometimes CSF blocked me when I tried to log in to abc.com:2222, and I unblocked the IPs in CSF.
    Now I'm considering: how do I unblock an IP, if it is blocked somewhere in DirectAdmin or CSF, when I need to unblock it?

  5. #45
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    Unblock the IP preferably in Directadmin, or use the CSF CLI.
    With regards, Alex.

  6. #46
    Join Date
    Jun 2016
    Location
    Istanbul, TR
    Posts
    55
    Thank you for everything.
    Tested and working very well.
    And the last question: CSF blocks a port after 5-10 wrong login attempts; can I make it 20 or more?

  7. #47
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    When using Directadmin BFM and CSF it's highly suggested to disable the login failure detector in CSF. More reading: https://forum.directadmin.com/showth...633#post272633
    With regards, Alex.

  8. #48
    Join Date
    Jun 2016
    Location
    Istanbul, TR
    Posts
    55
    So leave the login failure check to BFM, isn't it?
    New CSF:

    LF_TRIGGER = "0"
    LF_SSHD = "0"
    LF_FTPD = "0"
    LF_SMTPAUTH = "0"
    LF_EXIMSYNTAX = "0"
    LF_POP3D = "0"
    LF_IMAPD = "0"
    LF_HTACCESS = "0"
    LF_MODSEC = "0"
    LF_DIRECTADMIN = "0"

    Thanks....
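
Added example (not from the thread, CSF or Directadmin): a read-only pre-flight check that a csf.conf carries the values this thread settles on before Directadmin BFM is trusted as the only thing deciding who gets blocked: TESTING = "0" from #41 (in test mode csf flushes its rules on a timer and lfd does not run) and the LF_* list from #48. The two sample config files are constructed here, with invented values; the only assumption about csf.conf is its KEY = "value" line layout.

```shell
#!/bin/sh
# Added example (not from the thread, CSF or Directadmin): check csf.conf for
# the values this thread recommends when Directadmin BFM does the blocking.

# Print the value of KEY from a csf.conf-style file, where settings look like
#   KEY = "value"
# Leading whitespace is tolerated, anything after the closing quote is ignored,
# and if a key appears more than once the last occurrence wins. Prints nothing
# when the key is absent.
csf_get() {
    conf=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1
}

# Keys that should all read "0": TESTING (#41) and the LF_* list from #48.
BFM_KEYS="TESTING LF_TRIGGER LF_SSHD LF_FTPD LF_SMTPAUTH LF_EXIMSYNTAX LF_POP3D LF_IMAPD LF_HTACCESS LF_MODSEC LF_DIRECTADMIN"

# Report every key that is missing or not "0". Returns 0 only when all are
# fine, so it can gate a deploy script.
check_csf_conf() {
    conf=$1
    rc=0
    for key in $BFM_KEYS; do
        val=$(csf_get "$conf" "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key"
            rc=1
        elif [ "$val" != "0" ]; then
            echo "CHANGE  $key = \"$val\" -> \"0\""
            rc=1
        else
            echo "ok      $key = \"0\""
        fi
    done
    return $rc
}

# Two constructed sample files (values invented, not a real csf.conf):
# "before" still lets lfd do its own login-failure blocking and is in test
# mode; "after" matches what the poster in #48 ended up with.
workdir=$(mktemp -d)
CSF_BAD="$workdir/csf.conf.before"
CSF_GOOD="$workdir/csf.conf.after"
cat > "$CSF_BAD" <<'EOF'
# constructed sample: csf still in test mode, lfd triggers still active
TESTING = "1"
TESTING_INTERVAL = "5"
LF_TRIGGER = "0"
LF_SSHD = "5"
LF_FTPD = "10"
LF_SMTPAUTH = "5"
LF_EXIMSYNTAX = "10"
LF_POP3D = "10"
LF_IMAPD = "10"
LF_HTACCESS = "5"
LF_MODSEC = "5"
EOF
cat > "$CSF_GOOD" <<'EOF'
# constructed sample: values from #41 and #48
TESTING = "0"
TESTING_INTERVAL = "5"
LF_TRIGGER = "0"
LF_SSHD = "0" # trailing comment, tolerated by csf_get
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
EOF

# Run the check on both samples (files are left in $workdir for inspection).
for f in "$CSF_BAD" "$CSF_GOOD"; do
    echo "== $f"
    if check_csf_conf "$f"; then
        echo "result: csf.conf is ready for Directadmin BFM"
    else
        echo "result: fix csf.conf first"
    fi
done
```

On a real server point `check_csf_conf` at /etc/csf/csf.conf and restart csf and lfd after changing anything it flags; LF_DIRECTADMIN is the key the "before" sample leaves out on purpose, to show that an absent key is reported rather than silently treated as "0".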

  9. #49
    Join Date
    Jul 2016
    Posts
    2
    Quote Originally Posted by zEitEr:
    To make Directadmin's BFM compatible with CSF you should do the following:
    ...
    Dear Forum Users,

    Thanks for this post, I have installed it - it works fine for me. I use the automatic adding script (brute_force_notice_ip.sh)

    However, I really want to tweak it. I use this version of block_ip.sh: 0.1.6

    Q1:
    How does this file work:
    EF="/root/exempt_ips.txt";

    Is this just plain text, add each IP on a new line? Anyone got an example?

    Q2:
    SLF="/usr/local/directadmin/data/admin/brute_skip.list";

    I don't seem to have this file? Where can I get this file? (also tried "locate", it was not found on my server).

    Q3:
    TTL, where does it come from? All blocks I now have are temporary, of 3600 seconds. In the file I see this:

    Code:
    TTL=`/usr/local/directadmin/directadmin c | grep unblock_brute_ip_time= | cut -d\= -f2`;
    TTL=$((TTL*3*60)); # It is Directadmin which unblocks IP, so we need to have a long enough TTL
    # so that Directadmin has a chance to unblock it
    # Additionally convert minutes to seconds *60


    I don't think I can find the "unblock_brute_ip_time" in this file: /usr/local/directadmin/directadmin

    Q4:
    I figured that this script/scripts are using the Security values under CMD_ADMIN_SETTINGS

    Any advice on this?
    What I want: if an IP gets blocked, I'd like to see it in the log for about 7 days.

    These are my current settings:

    Prevent 127.0.0.1 from being Blacklisted = Yes
    Time before failed login count resets = 1200
    Remove an IP from the blacklist after = 2880

    Parse service logs for brute force attacks = Yes
    Notify Admins after an IP has = 200
    Notify Admins after a User has = 200
    Remove an IP from the BF blacklist after = 0
    Reset count of IP/User failed attempts = 168
    Clear failed login attempts from log = 7
    Scan for WordPress attacks = All logs


    I can't seem to find the value 3600 (TTL)?

    At this moment, a block will be temporary for 3600 seconds (1 hour), but some IPs will be blocked directly again after this 1 hour period, for failing 1 more login (i.e. 200 failed logins > block 1 hour > 1 hour later > 201st failed login > blocked again for 1 hour > etc.).

    I'd really like to increase this 3600 seconds (TTL), any advice on this?

    Thanks for reading!

  10. #50
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    Quote Originally Posted by daverd81:
    Q1:
    How does this file work:
    EF="/root/exempt_ips.txt";
    The file is fully managed by Directadmin you should not touch it.

    Quote Originally Posted by daverd81:
    Q2:
    SLF="/usr/local/directadmin/data/admin/brute_skip.list";

    I don't seem to have this file? Where can I get this file? (also tried "locate", it was not found on my server).
    The file is fully managed by Directadmin you should not touch it manually. You can add IPs into the file in Directadmin at admin level (Brute Force Monitor /CMD_BRUTE_FORCE_MONITOR)

    Quote Originally Posted by daverd81:
    Q3:
    TTL, where does it come from? All blocks I now have are temporary, of 3600 seconds. In the file I see this:

    Code:
    TTL=`/usr/local/directadmin/directadmin c | grep unblock_brute_ip_time= | cut -d\= -f2`;
    TTL=$((TTL*3*60)); # It is Directadmin which unblocks IP, so we need to have a long enough TTL
    # so that Directadmin has a chance to unblock it
    # Additionally convert minutes to seconds *60


    I don't think I can find the "unblock_brute_ip_time" in this file: /usr/local/directadmin/directadmin
    It's a binary, you should not try to find anything in it.

    Quote Originally Posted by daverd81:
    Q4:
    I figured that this script/scripts are using the Security values under CMD_ADMIN_SETTINGS

    Any advice on this?
    What I want: if an IP gets blocked, I'd like to see it in the log for about 7 days.

    These are my current settings:

    Prevent 127.0.0.1 from being Blacklisted = Yes
    Time before failed login count resets = 1200
    Remove an IP from the blacklist after = 2880

    Parse service logs for brute force attacks = Yes
    Notify Admins after an IP has = 200
    Notify Admins after a User has = 200
    Remove an IP from the BF blacklist after = 0
    Reset count of IP/User failed attempts = 168
    Clear failed login attempts from log = 7
    Scan for WordPress attacks = All logs


    I can't seem to find the value 3600 (TTL)?

    At this moment, a block will be temporary for 3600 seconds (1 hour), but some IPs will be blocked directly again after this 1 hour period, for failing 1 more login (i.e. 200 failed logins > block 1 hour > 1 hour later > 201st failed login > blocked again for 1 hour > etc.).

    I'd really like to increase this 3600 seconds (TTL), any advice on this?

    Thanks for reading!
    Change the zero (0) to 3600 if you want an IP to be removed after 3600 minutes, or to 60 if you want an IP to be removed from the ban after 60 minutes (1 hour). You have now:

    Remove an IP from the BF blacklist after = 0
    With regards, Alex.

  11. #51
    Join Date
    Jul 2016
    Posts
    2
    Thanks for all the help.

    Still I can't seem to alter this:

    Whenever an IP gets blocked, this is the value in CSF (fictional IP):

    Temporary Blocks: IP:12.34.56.78 Port:110 Dir:inout TTL:3600 (Blocked port 110 with Directadmin Brute Force Manager)

    So it will be blocked only for 3600 seconds. Is there any way to increase this temp block to 1 day (86,400 seconds)?

    Thanks again!

  12. #52
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    Directadmin (Admin level) -> Administrator Settings

    Change it to 1440:

    Remove an IP from the BF blacklist after 1440 minutes (0 = never)
    With regards, Alex.
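
Added example (not from the thread, block_ip.sh, CSF or Directadmin) covering the questions in #49 to #52: where the TTL:3600 comes from, what it means for how long an IP really stays blocked, and how to confirm that a block is per-port rather than whole-IP. The arithmetic reproduces the `TTL=$((TTL*3*60))` line quoted in #49; the csf command is printed, not executed, and uses the `csf -td ip ttl -p port -d inout "comment"` form; the "Temporary Blocks:" line format is the one pasted in #51 and the DENYIN lines are in the shape pasted in #42. That unblock_brute_ip_time was 20 minutes when the poster saw 3600 is an assumption (20 * 3 * 60 = 3600); the 1440 value is the one Alex suggests in #52.

```shell
#!/bin/sh
# Added example (not from the thread or block_ip.sh): TTL arithmetic from #49,
# the resulting csf temp-deny call, and two small parsers to verify the result.

# TTL (seconds) that block_ip.sh hands to csf, given unblock_brute_ip_time in
# minutes as printed by `/usr/local/directadmin/directadmin c`. The script
# uses 3x the Directadmin unblock time so that Directadmin, which does the real
# unblocking, always gets its turn before csf's own temp block expires.
bfm_ttl() {
    echo $(( $1 * 3 * 60 ))
}

# How long the IP is actually unreachable on that port: Directadmin removes
# the block after unblock_brute_ip_time minutes, well before the csf TTL.
bfm_effective_seconds() {
    echo $(( $1 * 60 ))
}

# The csf per-port temp-deny call, printed rather than executed (dry run).
# The comment text is the one visible in the "Temporary Blocks:" line in #51.
bfm_block_cmd() {
    ip=$1; port=$2; ttl=$3
    printf 'csf -td %s %s -p %s -d inout "Blocked port %s with Directadmin Brute Force Manager"\n' \
        "$ip" "$ttl" "$port" "$port"
}

# Pull "ip port dir ttl" out of one "Temporary Blocks:" line as csf prints it
# (format taken from #51). Prints nothing for lines of another shape.
parse_tempblock() {
    printf '%s\n' "$1" | sed -n 's/.*IP:\([^ ]*\) Port:\([^ ]*\) Dir:\([^ ]*\) TTL:\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Read iptables DENYIN rules (shape as pasted in #42) on stdin and print
# "source-ip port" per rule, or "source-ip ALL" when the rule carries no dpt:,
# i.e. when the whole IP is blocked instead of just the attacked port.
denyin_scope() {
    awk '$1 == "DENYIN" {
        port = "ALL"
        for (i = 11; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
        print $10, port
    }'
}

# Walk through the numbers from the thread.
for minutes in 20 1440; do
    echo "unblock_brute_ip_time=$minutes -> csf TTL $(bfm_ttl "$minutes")s, Directadmin unblocks after $(bfm_effective_seconds "$minutes")s"
done
bfm_block_cmd 12.34.56.78 110 "$(bfm_ttl 20)"
parse_tempblock "Temporary Blocks: IP:12.34.56.78 Port:110 Dir:inout TTL:3600 (Blocked port 110 with Directadmin Brute Force Manager)"
# Constructed DENYIN lines: the two from #42 plus an invented whole-IP rule.
printf '%s\n' \
    'DENYIN 63 0 0 DROP tcp -- !lo * 78.xxx.88.xx 0.0.0.0/0 tcp dpt:20' \
    'DENYIN 64 13 784 DROP tcp -- !lo * 78.xxx.88.xx 0.0.0.0/0 tcp dpt:21' \
    'DENYIN 65 0 0 DROP all -- !lo * 203.0.113.9 0.0.0.0/0' | denyin_scope
```

The point of `bfm_effective_seconds` is that raising the csf TTL by itself would not lengthen a ban: block_ip.sh derives the TTL from the Directadmin unblock time, and Directadmin removes the block first, so the setting Alex names in #52 is the one that decides the real ban length (1440 minutes gives 86400 seconds, the 1 day asked for in #51). On a live box, feed `csf -g <ip>` output into `denyin_scope` to see whether an IP is blocked on one port or everywhere.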

  13. #53
    Join Date
    Jun 2015
    Posts
    35
    Does it work on CentOS 7?

  14. #54
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,684
    Yes

    Best regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  15. #55
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    Quote Originally Posted by mohammad.983:
    Does it work on CentOS 7?
    It works on all OS versions which are officially supported both by Directadmin and CSF/LFD.
    With regards, Alex.

  16. #56
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    Great work

    After how many attempts does an IP address get automatically blocked?

  17. #57
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,411
    That depends on your settings in Directadmin. It's at admin level:

    [image: da_bfm_settings.png]

    I usually set it to 20-30, so an IP gets blocked after 20-30 attempts. Please note Directadmin does not allow setting different values depending on the service under attack.

    Full instructions on one page can be found here: https://help.poralix.com/articles/ho...irectadmin-bfm
    With regards, Alex.
