
Thread: How to change CSF rules to block brute-force IP?

  1. #1
    Join Date
    Jul 2012
    Posts
    9

    How to change CSF rules to block brute-force IP?

    Hello,

    I installed CSF with my DirectAdmin panel.
    I have many brute-force attacks.
    I want CSF to block an IP only after 3 wrong logins.
    Not only for the DirectAdmin login... I want to block any IP after 3 failed logins to email, FTP, etc...

    Thank you!

  2. #2
    Join Date
    May 2008
    Posts
    652
    Login as Admin and go to Administrator Settings. You'll see the different options there.

    3 is too low. It's not a good idea.

  3. #3
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by wattie View Post
    Login as Admin and go to Administrator Settings. You'll see the different options there.

    3 is too low. It's not a good idea.
    Thank you.
    I want to change the block for all failed logins, not only for DirectAdmin...

    Can you help me to set this option?
    Thank you.

  4. #4
    Join Date
    May 2008
    Posts
    652

  5. #5
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by wattie View Post
    I wish to continue to use CSF but change the block rules...
    I am just looking for how to change the CSF rules to block after 3 failed attempts.

  6. #6
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    I am just looking for how to change the CSF rules to block after 3 failed attempts.
    Check csf.conf; you can change it there, like for FTP:
    LF_FTPD = "x"
    In place of the x you have to set the number of logins which will trigger a block; in your case you want to put 3 there.
    Check for similar lines for the other options you want. They are in there.
    Greetings, Richard.

  7. #7
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by Richard G View Post
    Check csf.conf; you can change it there, like for FTP:
    LF_FTPD = "x"
    In place of the x you have to set the number of logins which will trigger a block; in your case you want to put 3 there.
    Check for similar lines for the other options you want. They are in there.
    Thank you Richard!
    I attach a photo just to be sure... Can you please check if this is the setting that I need to change?
    Screen Shot 2018-05-27 at 22.56.18.png
    One more question:
    Most of the brute force on my server looks like this:
    Screen Shot 2018-05-27 at 22.57.19 copy.png

    Which kind of service do I need to change in the csf.conf to block this after 3 failed attempts?

    Thank you!!!

  8. #8
    Join Date
    May 2014
    Posts
    76
    Quote Originally Posted by ohadb2 View Post
    Which kind of service do I need to change in the csf.conf to block this after 3 failed attempts?
    To stop attacks on wp-login.php, you have to create a custom rule. Please check this forum topic https://forum.configserver.com/viewtopic.php?t=9447

  9. #9
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by dave097 View Post
    To stop attacks on wp-login.php, you have to create a custom rule. Please check this forum topic https://forum.configserver.com/viewtopic.php?t=9447
    Thank you.

  10. #10
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    I attach a photo just to be sure... Can you please check if this is the setting that I need to change?
    Yes. As you can see the value is 0 at the moment.
    Please beware of the fact that if you only change the value from 0 to 3, it will be a permanent block. You will fill iptables lines (depending on how many you have configured) which might at a certain moment have some influence on your resources.
    In a lot of cases like with mail attacks, it's better not to use permanent blocks but block for example for a couple of days or weeks or months, depending on your wishes.
    However, this is just advice.
    Greetings, Richard.
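
An added example, not part of the original thread: a small audit of the login-failure settings discussed above, showing for each `LF_<service>` trigger whether it is disabled, blocks permanently, or blocks temporarily. The config excerpt is constructed, and the script assumes csf's documented convention that a `_PERM` value of 1 means a permanent block and a value above 1 is a block length in seconds, with `LF_TRIGGER` left at "0" so each service uses its own threshold.

```python
import re

# Constructed csf.conf excerpt (not the poster's real settings).
SAMPLE_CSF_CONF = '''
# Login failure detection
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "3"
LF_FTPD_PERM = "604800"
LF_SMTPAUTH = "0"
LF_SMTPAUTH_PERM = "1"
'''

SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')


def parse_conf(text):
    """Collect NAME = "value" pairs, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def audit(conf):
    """Map each LF_<service> trigger to (threshold, block type)."""
    report = {}
    for key, value in conf.items():
        perm = conf.get(key + "_PERM", "")
        # Only per-service triggers that have a matching _PERM setting.
        if not key.startswith("LF_") or key == "LF_TRIGGER":
            continue
        if not (value.isdigit() and perm.isdigit()):
            continue
        threshold, perm = int(value), int(perm)
        if threshold == 0:
            block = "disabled"            # no failures are counted
        elif perm == 1:
            block = "permanent"           # stays in iptables until removed
        elif perm > 1:
            block = f"temporary {perm}s"  # expires after this many seconds
        else:
            block = "check _PERM value"
        report[key] = (threshold, block)
    return report


if __name__ == "__main__":
    for name, (threshold, block) in audit(parse_conf(SAMPLE_CSF_CONF)).items():
        print(f"{name}: {threshold} failures -> {block}")
```

To audit a live server, pass the contents of its csf.conf to `parse_conf` instead of the sample string.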

  11. #11
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by Richard G View Post
    Yes. As you can see the value is 0 at the moment.
    Please beware of the fact that if you only change the value from 0 to 3, it will be a permanent block. You will fill iptables lines (depending on how many you have configured) which might at a certain moment have some influence on your resources.
    In a lot of cases like with mail attacks, it's better not to use permanent blocks but block for example for a couple of days or weeks or months, depending on your wishes.
    However, this is just advice.
    Unfortunately, something is wrong.
    I set LF_TRIGGER to 5 (2 days ago).
    But when I take a look into Brute Force page in my DirectAdmin I see this:
    Screen Shot 2018-05-29 at 23.38.42 copy.jpg

    As you can see, it does not block the IP after 5 attempts.

    What am I doing wrong?
    Thank you!

  12. #12
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    CSF/LFD does -not- look at brute-forces made at the DA login by default.
    Those can be set up in the DA interface itself.

    You can also use some brute force scripts made by zEitEr, which are supported:
    http://forum.directadmin.com/showthread.php?t=44839

    I made some custom ones myself.
    Greetings, Richard.

  13. #13
    Join Date
    Jul 2012
    Posts
    9
    Quote Originally Posted by Richard G View Post
    CSF/LFD does -not- look at brute-forces made at the DA login by default.
    Those can be set up in the DA interface itself.

    You can also use some brute force scripts made by zEitEr, which are supported:
    http://forum.directadmin.com/showthread.php?t=44839

    I made some custom ones myself.
    Can I use this with CSF installed, or do I have to remove CSF?

  14. #14
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    You can use that with csf.
    That's why you also see in the first lines:
    ./csf-bfm-install.sh

    csf is for csf, bfm is for the brute force monitor of DA itself.

    You best read the thread.
    Greetings, Richard.
