How to block IPs with Brute Force Monitor in DirectAdmin using CSF

If you don't see a blocked IP on the page then the IP has been blocked by CSF/LFD directly, for port scanning probably. Check logs for more details.
 
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.
 
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.

grep '103.237.76.34' /var/log/lfd.log
Sep 18 20:45:42 tofa lfd[995]: (directadmin) Failed DirectAdmin login from 103.237.76.34 (BD/Bangladesh/103.237.76.34.combinedbd.com): 5 in the last 3600 secs - *Blocked in csf* [LF_DIRECTADMIN]

just check log showing.. this .. but i can not find in visul plugin :(
 
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSf/LFD comes with a visual plugin whenever it's installed on directadmin server.
 
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSf/LFD comes with a visual plugin whenever it's installed on directadmin server.

thanks how i can enable it?
 
If you don't have the CSF/LFD plugin installed, it might mean your installation is not correct. You should either re-install CSF/LFD or enable the plugin manually.

I don't have instructions on any of these two.
You should read official guides and csf/lfd usage for more details.
 
Using BFM with CSF (all together)

I installed CSF to work with BFM using the link above (automated method) :
- https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

Everything seem's to work well (after 2 days).

Analyzing the log file '/var/log/exim/rejectlog', I found we have too many authentication required from the same IPs

2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<[email protected]> rejected RCPT <[email protected]>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<[email protected]> rejected RCPT <[email protected]>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<[email protected]> rejected RCPT <[email protected]>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<[email protected]> rejected RCPT <[email protected]>:

So I customized the line above (in '/etc/csf/csf.conf')
- CUSTOM1_LOG = "/var/log/exim/rejectlog"

And added the lines above (in '/etc/csf/regex.custom.pm')

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: authentication required/)) {
return ("RCPT not allowed from ",$2,"RCPT","5",,"3600");
}

I've restarted csf using 'csf -r' and lfd using 'lfd -r'

But even if BFM works, CSF custom scans seem's to be ignored.

I (successfully) tested the regex using the link above :
- https://www.regextester.com/

After reading all this thread, I understood that only bfm is active. The scans provided by csf alone are not.

How is it possible to keep bfm active AND add some custom ones ?

Many thank's for any help,

Jérémy
 
Jérémy,

Automated method disables checks in CSF/LFD letting DirectAdmin BFM to do its job. DirectAdmin BFM does not read settings from
'/etc/csf/csf.conf'. You will need to add your custom settings into Directadmin, you can create a custom file here for this:

/usr/local/directadmin/data/templates/custom/brute_filter.list

See https://www.directadmin.com/features.php?id=1227 for more details.
 
CSF did the job

Thank's for your answer,

It seems that CSF finally did the job after a daemon restart at 00:00

But I will have a look to your solution in setting this in the file 'brute_filter.list' in the folder 'custom' and let you know.

But today I don't have such a logs any more... due to the CSF work (;-)

exim5=ip_after=]) [&ip_until=]&text=: authentication required

Jérémy
 
Thank for your script and tut.
I have installed CSF from first port and set
Code:
Blacklist IPs for excessive DA login attempts = 3
but it seems it doesn't ban attackers.

I just attached my settings as JPG file and here is my DA messages :

A brute force attack has been detected in one of your service logs.

Code:
A brute force attack has been detected in one of your service logs.

IP 188.165.169.140 has 97 failed login attempts: exim2=97
IP 69.30.221.90 has 22 failed login attempts: wordpress2=22

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404

I just wonder why the attacker should can try 97 or 22 attack when I set it to "3" ?

Notes : I changed my SSH port and DA port .

Thanks in advance
 

Attachments

  • AdminSetting.JPG
    AdminSetting.JPG
    67.5 KB · Views: 25
See https://help.directadmin.com/item.php?id=404

The option Blacklist IPs for excessive DA login attempts = 3 is responsible only blocking attacks to DirectAdmin port 2222.

ButeForce attacks to other services according to the image should be blocked after 5 attempts.

First make sure CSF/LFD is running, and then try to manually block an IP from DirectAdmin brute force manager page and see results.
 
See https://help.directadmin.com/item.php?id=404

The option Blacklist IPs for excessive DA login attempts = 3 is responsible only blocking attacks to DirectAdmin port 2222.

ButeForce attacks to other services according to the image should be blocked after 5 attempts.

First make sure CSF/LFD is running, and then try to manually block an IP from DirectAdmin brute force manager page and see results.
Thanks a lot for your reply.
CSF is runnig as you can see in below code
Code:
[root@server ~]# csf -e
csf and lfd are not disabled!
also I tried block this IP in csf :
Code:
A brute force attack has been detected in one of your service logs.

IP 183.150.223.153 has 15 failed login attempts: wordpress2=15

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
and CSF told me :
Code:
Adding 183.150.223.153 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  183.150.223.153  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 183.150.223.153
but when I did
Code:
cat blocked_ips.txt | grep "183.150.223.153"
it gave me :
Code:
183.150.223.153=dateblocked=1574607782
183.150.223.153=dateblocked=1574649002
183.150.223.153=dateblocked=1574680081

So what should I do now? Is blocking in "blocked_ip.txt" enough ? or it should be also blocke in CSF?
How can I do that?
Why Directadmin is not so smart to monitor changed port?
Where should I request Directadmin for adding this feature?
Where can I do that for CSF ?Adding feature like Akismet in Wordpress to automatically block famous attackers in all servers that installed CSF .

Thanks in advance
 
Directadmin finds attacking IPs and tells CSF/LFd to block them. Meanwhile DirectAdmin manages its own list of blocked IPs, i.e. "blocked_ip.txt" and it is used only for metadata only.

If you changed port for DirectAdmin, it's OK, the option Blacklist IPs for excessive DA login attempts = 3 will still work, what I wanted to say, is that the option works only for login attempts to DirectAdmin panel only, whatever port it s running on.

As for Akismet, refer to CSF/LFD documentation.
 
Directadmin finds attacking IPs and tells CSF/LFd to block them. Meanwhile DirectAdmin manages its own list of blocked IPs, i.e. "blocked_ip.txt" and it is used only for metadata only.

If you changed port for DirectAdmin, it's OK, the option Blacklist IPs for excessive DA login attempts = 3 will still work, what I wanted to say, is that the option works only for login attempts to DirectAdmin panel only, whatever port it s running on.

As for Akismet, refer to CSF/LFD documentation.

Thanks a lot for your reply dear Alex.
so the main question is :

What should I do to CSF/LFD block IPs listed in "blocked_ip.txt" automatically?
Why the CSF didn't block them because I should seen IP 183.150.223.153 is already exists.


Beside I thought DA will block IPs into
Code:
/usr/local/directadmin/data/admin/ip_blacklist
but I meant "blocked_ip.txt" in root path of my server and I should notice that this file created after installing "CSF"
and another question is
"What should I do to CSF/LFD block other attacks like exim,wordpress , etc ... ?"


Thanks a bunch
 
To me you are asking how to make the things (which should work by default from a box) to work? I don't have an answer, as I would expect them all to be working from a box by default. That's what the script was created for. DirectAdmin protects all the services: FTP, POP, IMAP, HTTP/HTTPS against continuous brute-force attacks.

If the things do not work you should check logs and try to identify where it is broken.
 
Sorry to bump this topic but I have a question:

I have used this thread and followed all the steps with brute_force_notice_ip.sh etc. Some questions though: I'm getting hammered by massive hacks all day and It seems the auto ban feature doesn't work for everything.

See image below
Xun28r1.jpg


It says "notified yes" and blocked "no". What does this mean? If I click on the IP which has this it shows that it's on filter SSHD4. I assume this is SSH.
I have SSH running on a different port. But I changed block_ip.sh and added the port to the SSH line in the beginning (is this right?)

Can anybody explain why this is happening and the user is not being blocked? if I check the csf.deny file the IP shown above in the screenshot is not listed. I do see entries being added in the csf.deny file though (examples below)

Code:
 112.3.30.47 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:47:02 2020
123.140.114.252 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:49:02 2020
106.13.125.84 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:50:01 2020
185.248.44.119 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:53:02 2020
180.143.244.204 # lfd: (smtpauth) Failed SMTP AUTH login from 180.143.244.204 (CN/China/-): 5 in the last 3600 secs - Sat Jan 18 16:53:31 2020
106.13.16.56 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 17:00:02 2020
 
Are the script executable?
Are the script correctly in /usr/local/directadmin/scripts/custom/?

If the permission are not at least "+x" (755) it will not work.
 
Hello friends.
I recently installed DA on a VPS (CentOS 7). But I don't know why firewalld was masked and no port was open by default so I added these ports manually and did
Code:
firewall-cmd --reload
then installed CSF Automatically via this tut but when I checked "CSF plugin" in the DA panel I got Firewall Status: Enabled but Stopped [START].
When I click on "Start" it gives me :
Code:
Error: *Error* firewalld found to be running. You must stop and disable firewalld when using csf, at line 922
So I tried install CSF manually via this tut but problem still there.

1. What should I do know for installing CSF ?
2. Is there any scripts to open all DA default ports like FTP , HTTP , HTTPS , SMTP , ... ?

Thanks in advance
 
Back
Top