Brute Force Monitor unblocking IPv6 not working

Freddy

Blocking IPv6 addresses works just fine. But whenever I want to unblock a blocked IPv6 address I get the following error message:

Error UnBlocking IPs
Details
A valid IP was not provided

I have checked my custom unblock_ip.sh script but it works as expected. I guess DirectAdmin itself tries and fails to validate the IPv6 address. Is this a bug?

The address I used for checking this functionality is:
Code:
2002:781b:6784::781b:6784
The full address is
Code:
2002:781b:6784:0:0:0:781b:6784
but my ipset converts it to the short-written format.
 
One more addition to this problem. In the list with failed logins there is a column "Blocked" telling me if the IP address is blocked or not. That column is not working for IPv6 addresses. It might have something to do with the fact that the failed login list shows the full IPv6 address and my blocked list is showing the short-written IPv6 address. If DirectAdmin is matching them as a string comparison then this might fail.

Code:
"2002:781b:6784:0:0:0:781b:6784" != "2002:781b:6784::781b:6784"

while in fact

2002:781b:6784:0:0:0:781b:6784 == 2002:781b:6784::781b:6784
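A worked illustration of the string-versus-address comparison described in this post, added here as an example; it is not part of the thread and not DirectAdmin's own code. It uses Python's standard `ipaddress` module to canonicalise both sides before comparing, which is what a "Blocked" column check needs to do. The blocked list and failed-login entries below are constructed sample values modelled on the addresses quoted above.

```python
import ipaddress


def canonical_ip(text):
    """Return the canonical compressed form (RFC 5952) of an IPv4 or IPv6 address.

    '2002:781b:6784:0:0:0:781b:6784' and '2002:781b:6784::781b:6784' both map to
    the same string. Raises ValueError for input that is not a valid address.
    """
    return str(ipaddress.ip_address(text.strip()))


def naive_is_blocked(failed_login_ip, blocked_list):
    """The failure mode from the post: plain string membership.

    An expanded address from the failed-login log never matches the compressed
    form that ipset/iptables report, so the column wrongly shows 'No'.
    """
    return failed_login_ip in blocked_list


def is_blocked(failed_login_ip, blocked_list):
    """Compare by address value, not by spelling.

    Unparsable input on either side is treated as 'not blocked' rather than
    crashing the check; a real implementation would log such entries.
    """
    try:
        target = ipaddress.ip_address(failed_login_ip.strip())
    except ValueError:
        return False
    for entry in blocked_list:
        try:
            if ipaddress.ip_address(entry.strip()) == target:
                return True
        except ValueError:
            continue  # skip garbage lines in the blocked list
    return False


# Constructed sample data: what the failed-login list shows (expanded IPv6)
# and what the custom show_blocked_ips.sh would return from ipset (compressed).
FAILED_LOGIN_IP = "2002:781b:6784:0:0:0:781b:6784"
BLOCKED_LIST = ["2002:781b:6784::781b:6784", "203.0.113.7"]


def report():
    """Summarise both comparison strategies for the sample data."""
    return {
        "canonical": canonical_ip(FAILED_LOGIN_IP),
        "naive_blocked": naive_is_blocked(FAILED_LOGIN_IP, BLOCKED_LIST),
        "value_blocked": is_blocked(FAILED_LOGIN_IP, BLOCKED_LIST),
    }


if __name__ == "__main__":
    print(report())
```

Running this shows the naive string comparison reporting the address as not blocked while the value comparison reports it as blocked; the same normalisation applied in the unblock path avoids the "A valid IP was not provided" mismatch between the two spellings of one address.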
 
I use iptables in combination with ipset to create a blacklist. The IPs detected by the DirectAdmin Brute Force Monitor are stored in two separate ipsets: one for IPv4 addresses and one for IPv6 addresses.
 
So you see 2002:781b:6784:0:0:0:781b:6784 in /root/blocked_ips.txt ?
And 2002:781b:6784::781b:6784 in ipset output ?

If these are correct, then you might need to open a ticket with Directadmin support asking for a fix.
 
I do not have the file /root/blocked_ips.txt. What you might be talking about is the "Blacklist IPs for excessive DA login attempts" while I am talking about the "Parse service logs for brute force attacks" option in the Administrator Settings.

Let me show you some screenshots as an example. This is an IPv6 address that got blocked last weekend for attacking a Wordpress login page from one of our domains.

[Screenshot: jQioAIr.png]

What you see here is that the attacker has hit the "Notify Admins after an IP has" setting. The admin has been notified and the custom script "block_ip.sh" has been run. This script adds the IP address to the ipset that I use for blocking connections. As you can see, the IPv6 address is written in the long format. The column "Notified" says "Yes", telling me the block script has run. The column "Blocked" says "No", probably because of the format of the IPv6 address in the blocked list (bug?).

[Screenshot: CTCvDAT.png]

In this screenshot you see the list with blocked IP addresses. This list is being filled by the custom script "show_blocked_ips.sh". As you can see the IPv6 address is written in the short format. If I select an IP address here and click the "Unblock" button I receive the error about the invalid IP (bug?).
 
The file /root/blocked_ips.txt is used by Brute Force Monitor native scripts to store blocked IPs:

- https://help.directadmin.com/item.php?id=380

the same file is used by scripts for CSF/LFD integration written by me:

- https://help.directadmin.com/item.php?id=527

It seems you are using your own scripts or third-party software which is not known to us. If this is the case, then I'd rather say it's not a Directadmin bug.

So first of all let us see the scripts from /usr/local/directadmin/scripts/custom:

- block_ip.sh
- show_blocked_ips.sh
- unblock_ip.sh
- brute_force_notice_ip.sh

If you can't show the content of the files you might need to contact the scripts developer on the matter.
 
My scripts are indeed custom. That's what I said from the start. But the error message I receive while unblocking does not seem to come from my script.

Can anyone confirm that unblocking an IPv6 address through the native scripts is working?
 
OK, I guess I see what you mean. Both iptables and ipset compress IPv6 when adding it.

From what logs did you find the expanded IPv6? Is it logs of apache, nginx, exim, dovecot, ftp, ssh?
 
The IPv6 address came from the built-in wordpress1 filter, which is an Apache filter I guess. The IP address is compressed by default but DirectAdmin seems to decompress it before reporting it. Check this screenshot.

[Screenshot: qO4uSQ1.png]

As you can see the log entry reports "2002:c1a9:fe5a::c1a9:fe5a" but IP column reports "2002:c1a9:fe5a:0:0:0:c1a9:fe5a".
 
OK, thanks for the details.

I've reported the issue to Directadmin developers.

Ticket #14817
 
Thanks for the report. I've added a quick fix for the "A valid IP was not provided" error to accept the IPv6 in short form.

For the compress != full form issue, what is the exact error message you're getting? And for which action?
Just need it to trace things down to find where it's being compared.

Pre-release binaries are going up now with the first fix, so also let me know if it didn't work for you. (done in 20 minutes or so)
 
Sorry for the late reply. I have updated to DirectAdmin version 1.56 and most problems with the IPv6 seem to have been fixed. The only remaining problem is that the Failed Logins table does not show the correct value in the Blocked column. Check this screenshot for example.

https://imgur.com/jQioAIr

The IPv6 address has been blocked after the notification was sent. But the Blocked column still says "No".
 