Brute Force and CSF

Zhenyapan

Hello,

DirectAdmin BFM sees: User user has 632 failed login attempts: exim2=29 & proftpd1=4 & sshd4=599
But CSF didn't see proftpd and exim.
CentOS 7 x64.
Can you provide the rules that BFM uses to parse logs, and can I put them into CSF/LFD?
 
Did you convert the server to the new integrated method?
 
No, just installed from archive downloaded from CSF website.
Can you tell more about conversion?
 
Looks like it works, but it didn't ban when the brute force targets a nonexistent login, like:
User nologin has 1228 failed login attempts: exim2=1228
User info has 411 failed login attempts: dovecot1=10 & exim1=103 & exim2=246 & sshd4=52
User postmaster has 240 failed login attempts: exim1=64 & exim2=170 & sshd4=6
----
Also for proftpd, BFM still sees attempts but didn't ban (screenshot attachment: 02-11-2020 23-12-12.jpg),
while CSF is configured to ban after 3 failed attempts. Where can I set BFM to ban EXIM/DOVECOT/PROFTPD/SSH after 3 failed attempts?
 
this too?

maybe look at the section in csf > firewall config
Login Failure Blocking and Alerts

LF_FTPD = Default: 10 [0-100]
LF_FTPD_PERM = Default: 1 [0-604800]

Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = Default: 5 [0-100]
LF_SMTPAUTH_PERM = Default: 1 [0-604800]

Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = Default: 10 [0-100]
LF_EXIMSYNTAX_PERM = Default: 1 [0-604800]

Enable login failure detection of pop3 connections

SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = Default: 10 [0-100]
LF_POP3D_PERM = Default: 1 [0-604800]

Enable login failure detection of imap connections

SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = Default: 10 [0-100]
LF_IMAPD_PERM = Default: 1 [0-604800]
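
An added example, not part of any post in this thread and not DirectAdmin or CSF code: it parses the BFM summary lines quoted above into per-service counts and lists which ones reach the 3-attempt limit mentioned in the thread. The mapping from BFM filter names (exim, proftpd, sshd, dovecot) to csf.conf options is an assumption, and the sample text is constructed from the quoted messages.

```python
import re
from collections import defaultdict

# Constructed sample: the BFM messages quoted in the thread, one per line.
SAMPLE = """\
User user has 632 failed login attempts: exim2=29 & proftpd1=4 & sshd4=599
User nologin has 1228 failed login attempts: exim2=1228
User info has 411 failed login attempts: dovecot1=10 & exim1=103 & exim2=246 & sshd4=52
User postmaster has 240 failed login attempts: exim1=64 & exim2=170 & sshd4=6
"""

# Assumption: which csf.conf trigger covers each BFM filter family.
LF_OPTION = {"exim": "LF_SMTPAUTH", "proftpd": "LF_FTPD",
             "sshd": "LF_SSHD", "dovecot": "LF_POP3D/LF_IMAPD"}

LINE_RE = re.compile(r"^User (\S+) has (\d+) failed login attempts: (.+)$")
PAIR_RE = re.compile(r"^([a-z]+)\d*=(\d+)$")


def parse_bfm(text):
    """Return {user: {service: count}}, summing numbered filters per service."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a BFM summary line
        per_service = defaultdict(int)
        for pair in m.group(3).split("&"):
            p = PAIR_RE.match(pair.strip())
            if p is None:
                raise ValueError(f"unparsed filter entry: {pair!r}")
            per_service[p.group(1)] += int(p.group(2))
        # The per-filter counts should add up to the total BFM reports.
        if sum(per_service.values()) != int(m.group(2)):
            raise ValueError(f"count mismatch for user {m.group(1)}")
        result[m.group(1)] = dict(per_service)
    return result


def over_threshold(parsed, threshold=3):
    """List (user, service, count, csf option) where count >= threshold."""
    rows = [(user, service, count, LF_OPTION.get(service, "unknown"))
            for user, services in parsed.items()
            for service, count in services.items() if count >= threshold]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for user, service, count, option in over_threshold(parse_bfm(SAMPLE)):
        print(f"{user:<12}{service:<9}{count:>6}  check {option}")
```
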
 