Brute Force Monitor stopped working since I updated DA

Sygmoral

Greetings,

I updated DirectAdmin and all relevant server software on November 30. It had been a while since I updated; I may have skipped from 1.44.? to 1.46.3.

Only today did I figure out that the Brute Force Monitor is not doing anything anymore - in fact, I am not getting any messages in the "Message System" whatsoever. The last entry there is precisely in the time window where I was doing the updates. I normally get multiple failed logins each hour, so the abrupt end is very obviously caused by the updates.

None of the brute_* files in /usr/local/directadmin/data/admin have been changed since then, and IP addresses from November 23-30 are still blocked, even though they are to be unblocked after a week. Well, no more explanation needed, it's obviously just not running :)

But I can't figure out how to make it run again. Also, my backups are not executing either - I thought this was due to my move to another FTP server, but it is probably related to this. I figure I should have received notes about the backups failing if it was due to the FTP server anyway, but I'm not getting either success or failure messages.

What steps should I take?
Also, does this mean with certainty that my server has been completely open to brute-force attacks in the past 18 days?... :(
 
Hello,

What do you see with

Code:
/usr/local/directadmin/directadmin o

and

Code:
uname -a
?
 
First I got a mysql lib error :) (the libmysqlclient.so.16 link in /usr/lib had not been updated after I updated from 5.5 to 5.6, back in February). After fixing that lib link, I got:
Code:
Compiled on 'Debian 6.0 64-libmysqlclient.so.16bit'
Compile time: Oct 24 2014 at 20:35:56
Compiled with IPv6
and
Code:
Linux server.name 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64 GNU/Linux

I also notice that the first System Message in 18 days has already appeared: a notice about many emails having been sent - which is normal as we often send out emailings, but it didn't display those messages in the previous weeks either. So that lib link update might actually have fixed (part of) the problem! I'll see what happens in the next hours...
 
Okay, so that was indeed the whole issue... your question fixed my problem!

I'm getting messages now about backups from these previous weeks that are apparently all trying to execute right now, and also received a "Brute Force" notice about many IPs at the same time (while it normally always mentions a single one). Cleared up the files a bit so it didn't choke on all that data anymore. Pretty soon it will all be normalized and it should be working as before again... Let's just hope I didn't get a break-in during that time; at least no one logged in on root during that time.

Strange though that the issue only manifested during my most recent update routine in November, while MySQL was already upgraded in February. Perhaps in November it only changed something concerning those links. Also unfortunate that I didn't get a warning about it, but I guess that was hard if the warning system itself was running on it.

Meanwhile I'm fixing my backup issue: the uploads that are now executing always get interrupted after about 650MB. I'm using GoDaddy Online Storage, which doesn't seem to work very well with FTP Passive mode (PASV); Active mode (PORT) seems to work better, at least from my home PC. So I went into /usr/local/directadmin/scripts/ftp_upload.php, added the -E option on the $FTPPUT line near the end of the file (in order to use Active mode), which made the next backup upload up to about 1 GB... I finally also added -z (enable resuming uploads), but it still fails after 1.1GB. I'll edit this post when I figure out a solution... (for future reference, if someone ends up here via Google or something).

[update] If anyone else is using GoDaddy Online Storage for backup... I'm sorry, I gave them up, their server simply *$%&. I got a backup account at a different provider (adrive.com), and the issues immediately resolved.
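
Added example, not part of the original posts and not DirectAdmin code: the outage in this thread went unnoticed because the alerts depended on the component that had stopped. The sketch below checks the two symptoms the thread describes (an unresolved shared library on the DirectAdmin binary, and brute_* files that have stopped changing) and reports through its exit status. The paths are the ones quoted above; the function names and the 1440-minute threshold are assumptions.

```shell
#!/bin/sh
# Added example. Paths come from the thread; function names and the
# default 1440-minute (24 h) staleness threshold are assumptions.
DA_BIN=/usr/local/directadmin/directadmin
DA_DATA=/usr/local/directadmin/data/admin

# Read `ldd` output on stdin; print each library the loader cannot resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Print "none" if DIR has no brute_* files, "fresh" if at least one changed
# within the last MAX_MIN minutes, otherwise "stale".
brute_state() {
    dir=$1 max_min=$2
    any=$(find "$dir" -maxdepth 1 -type f -name 'brute_*' 2>/dev/null | head -n 1)
    [ -n "$any" ] || { echo none; return 0; }
    recent=$(find "$dir" -maxdepth 1 -type f -name 'brute_*' \
                  -mmin "-$max_min" 2>/dev/null | head -n 1)
    if [ -n "$recent" ]; then echo fresh; else echo stale; fi
}

# Exit status: 0 healthy, 1 monitor data stale, 2 binary missing or cannot load.
da_health() {
    bin=${1:-$DA_BIN} data=${2:-$DA_DATA} max_min=${3:-1440}
    [ -x "$bin" ] || { echo "CRIT: $bin is missing or not executable"; return 2; }
    libs=$(ldd "$bin" 2>/dev/null | missing_libs)
    if [ -n "$libs" ]; then
        echo "CRIT: $bin cannot load:" $libs
        return 2
    fi
    if [ "$(brute_state "$data" "$max_min")" = stale ]; then
        echo "WARN: no brute_* file in $data changed in $max_min minutes"
        return 1
    fi
    echo "OK"
}

# Run from cron with --run and send non-zero exits to mail or an external
# monitor, not to the DirectAdmin Message System this check is watching.
if [ "${1:-}" = "--run" ]; then da_health; exit $?; fi
```

Running it right after any MySQL or DirectAdmin upgrade, as well as on a schedule, catches a broken library link before the monitoring gap grows.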
 