How to change CSF rules to block brute-force IP?

ohadb2 (Verified User; joined Jul 23, 2012; 10 messages)
Hello,

I installed CSF with my DirectAdmin panel.
I have many brute-force attacks.
I want CSF to block an IP only after 3 wrong logins.
Not only for the DirectAdmin login... I want to block any IP after 3 failed logins to email, FTP, etc...

Thank you!
 
Log in as Admin and go to Administrator Settings. You'll see the different options there.

3 is too low. It's not a good idea.
 
Thank you.
I want to change the block for all failed logins, not only for DirectAdmin...

Can you help me to set this option?
Thank you.
 
I'm just looking for how to change CSF rules to block after 3 failed attempts.
Check csf.conf; you can change it there, like for FTP:
LF_FTPD = "x"
In place of the x you have to set the number of logins which will trigger a block; in your case you want to put 3 there.
Check for similar lines for the other options you want. They are in there.
 
Thank you Richard!
I attach a photo just to be sure... Can you please check if this is the setting that I need to change?
Screen Shot 2018-05-27 at 22.56.18.png
One more question:
Most of the brute force on my server looks like this:
Screen Shot 2018-05-27 at 22.57.19 copy.png

Which service do I need to change in csf.conf to block this after 3 failed attempts?

Thank you!!!
 
I attach a photo just to be sure... Can you please check if this is the setting that I need to change?
Yes. As you can see the value is 0 at the moment.
Please beware of the fact that if you only change the value from 0 to 3, it will be a permanent block. You will fill iptables lines (depending on how many you have configured) which might at a certain moment have some influence on your resources.
In a lot of cases like with mail attacks, it's better not to use permanent blocks but block for example for a couple of days or weeks or months, depending on your wishes.
However, this is just advice.
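
An added example (not from the thread or from CSF itself) illustrating the advice above about permanent versus temporary blocks: a small Python audit that reads csf.conf-style text and reports, per service, the failure threshold and whether the resulting block is permanent. It assumes csf.conf's usual meaning of the companion `*_PERM` keys (1 = permanent, greater than 1 = block duration in seconds) and of a non-zero `LF_TRIGGER` (cumulative count, with per-service keys acting as on/off); the sample values are constructed.

```python
import re

# Constructed sample in csf.conf syntax (not the values from the thread's screenshots).
SAMPLE_CONF = '''
# 0 = use the per-service counts below
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_FTPD = "3"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "604800"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
'''

LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Return {KEY: value} for every KEY = "value" line; comment lines are skipped."""
    return {m.group(1): m.group(2)
            for m in map(LINE_RE.match, text.splitlines()) if m}

def describe_block(perm):
    """Assumed *_PERM semantics: 1 = permanent, >1 = temporary for that many seconds."""
    n = int(perm)
    if n == 1:
        return "permanent"
    return f"temporary ({n} s)" if n > 1 else "unspecified"

def audit(text, services=("LF_FTPD", "LF_SMTPAUTH", "LF_POP3D")):
    """Report threshold and block type per service, honouring a global LF_TRIGGER."""
    conf = parse_conf(text)
    trigger = int(conf.get("LF_TRIGGER", "0"))
    report = {}
    for svc in services:
        value = int(conf.get(svc, "0"))
        if value == 0:
            report[svc] = "disabled"
        elif trigger > 0:  # per-service key is only on/off; LF_TRIGGER is the count
            kind = describe_block(conf.get("LF_TRIGGER_PERM", "1"))
            report[svc] = f"block after {trigger} cumulative failures, {kind}"
        else:
            kind = describe_block(conf.get(svc + "_PERM", "1"))
            report[svc] = f"block after {value} failures, {kind}"
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONF).items():
        print(f"{name}: {verdict}")
```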
 
Unfortunately, something is wrong.
I set LF_TRIGGER to 5 (2 days ago).
But when I take a look at the Brute Force page in my DirectAdmin I see this:
Screen Shot 2018-05-29 at 23.38.42 copy.jpg

As you can see, it does not block the IP after 5 attempts.

What am I doing wrong?
Thank you!
 
You can use that with csf.
That's why you also see in the first lines:
./csf-bfm-install.sh

csf is for csf, bfm is for the brute force monitor of DA itself.

You best read the thread. ;)
 