Getting blacklisted by DirectAdmin

Anne

Hi,

This is strange. I just click around in DirectAdmin after a single successful login as admin, but after a few clicks I get:

error=1&text=Your IP is blacklisted
http://help.directadmin.com/item.php?id=306

So I removed my IP in the "ip_blacklist" file (/usr/local/directadmin/data/admin) and added it to (ip_whitelist). A few moments later however, I'm again blacklisted.

I don't know why and second, the whitelist does not seem to work? Quite strange.

I have DA 1.60.1 and also CSF is running (white listed my IP in there too).

Any thoughts?

update: it's very annoying, I can just click 10 times and then get blocked again. I need to edit "ip_blacklist" all the time to get my work done.
 
Hi,

Things like:

2020:02:22-12:43:52: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:48:39: unable to stat /usr/local/directadmin/data/sessions/da_sess_VadqHg*****.temp for filesize after write: euid:995
2020:02:22-12:48:39: Unable to write session file: Unable to stat /usr/local/directadmin/data/sessions/da_sess_VadqHg2******.temp for filesize after write<br>
ConfigFile::removeFile(/usr/local/directadmin/data/sessions/da_sess_VadqH******) filename does not match<br>
. Make sure the disk isn't full.
2020:02:22-12:49:42: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:54:47: is not a number. From '' > '0'
2020:02:22-12:54:47: is not a number. From '' > '0'
2020:02:22-12:55:57: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:59:03: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:59:42: is not a number. From '' > '0'
2020:02:22-12:59:42: is not a number. From '' > '0'
2020:02:22-13:03:22: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory

I see a "Make sure the disk isn't full." I know for sure I have a lot of space left.

Also, I'm clicking around now for 10 minutes and no black listing anymore... I think it's strange.


update: and in security.log I see multiple lines:

2020:02:22-12:43:52: [my ip address] has tried to log in 10 times, unsuccessfully, this time into (null)'s account ***
2020:02:22-12:43:52: Adding [my ip address] to the blacklist file: /usr/local/directadmin/data/admin/ip_blacklist

But I did not, however what about the (null)'s account, seems not right? Should this not be admin account?
 
Hello,

Maybe you try another browser? Or try and disable all installed browser extensions?
 
Hi,

I've updated to 1.60.3 and then it occurred one more time. But now it's gone and all works fine.

Wish I could find the reason, this has never happened to me before in Direct Admin for over 10 years.

Can an attacker cause this? I have brute force attacks all the time, but DA and CSF seem to handle them just fine.
 
Hi,
I also have something similar to this and I have this in log /var/log/directadmin/error.log

Screen Shot 2020-02-29 at 10.31.22.png


Please help
 
Thanks, I've found a few issues with that, but the blacklist itself "was still working", although the logs would be causing confusion.

1) Issue with DA deleting the ip_access/1.2.3.4 folder upon blacklist (after adding to ip_blacklist), but the same call continued to try and bump the failed counter, hence the error of the missing folder. Pre-release binaries are up now for anyone wanting them.

2) Issue with Evo not checking the X-DirectAdmin: blacklisted header, expecting json out, but it's never json out as the blacklist output is generated without ever parsing any of the input, so it's throwing a wrong user/pass message instead of the "you are blacklisted" message, since the login form page itself doesn't reload, as it's using the dynamic json back-end (reported, likely fixed soon)

John
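As an added example (not part of any post in this thread and not DirectAdmin code), this sketch joins security.log and error.log on timestamp and IP to show, for each blacklist addition, whether the IP was whitelisted, whether the account was logged as (null), and whether the missing ip_access folder error from point 1 was written in the same second. The line shapes are copied from the excerpts earlier in the thread; the sample IPs, the `triage` function, and the assumption that the whitelist is already loaded as a set of IPs are constructed for illustration.

```python
import re

TS = r"(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}): "
IP = r"\[?(?P<ip>[0-9A-Fa-f.:]+)\]?"
# Line shapes copied from the security.log / error.log excerpts in this thread.
FAILED = re.compile(TS + IP + r" has tried to log in (?P<n>\d+) times, "
                    r"unsuccessfully, this time into (?P<user>\S+)'s account")
ADDED = re.compile(TS + "Adding " + IP + r" to the blacklist file: (?P<path>\S+)")
MISSING = re.compile(TS + r"Error opening \./data/admin/ip_access/" + IP
                     + "/unauthorized_connections")

def triage(security_lines, error_lines, whitelist):
    """One finding per blacklist addition, joined on (timestamp, ip)."""
    failed = {(m["ts"], m["ip"]): (int(m["n"]), m["user"])
              for m in map(FAILED.match, security_lines) if m}
    missing = {(m["ts"], m["ip"])
               for m in map(MISSING.match, error_lines) if m}
    findings = []
    for m in filter(None, map(ADDED.match, security_lines)):
        key = (m["ts"], m["ip"])
        count, user = failed.get(key, (None, None))
        findings.append({
            "ts": m["ts"], "ip": m["ip"], "file": m["path"],
            "failed_logins": count,
            "account": user,
            "null_account": user == "(null)",        # no username was recorded
            "whitelisted": m["ip"] in whitelist,     # blacklisted despite whitelist
            "counter_dir_missing": key in missing,   # ip_access/<ip> already gone
        })
    return findings

# Constructed sample data (documentation-range IPs), not logs from the thread.
SECURITY_LOG = """\
2020:02:22-12:43:52: 203.0.113.7 has tried to log in 10 times, unsuccessfully, this time into (null)'s account ***
2020:02:22-12:43:52: Adding 203.0.113.7 to the blacklist file: /usr/local/directadmin/data/admin/ip_blacklist
2020:02:22-13:10:05: 198.51.100.23 has tried to log in 10 times, unsuccessfully, this time into admin's account ***
2020:02:22-13:10:05: Adding 198.51.100.23 to the blacklist file: /usr/local/directadmin/data/admin/ip_blacklist
""".splitlines()
ERROR_LOG = """\
2020:02:22-12:43:52: Error opening ./data/admin/ip_access/203.0.113.7/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:54:47: is not a number. From '' > '0'
""".splitlines()
WHITELIST = {"203.0.113.7"}   # assumed: parsed contents of ip_whitelist

if __name__ == "__main__":
    for finding in triage(SECURITY_LOG, ERROR_LOG, WHITELIST):
        print(finding)
```

A finding with `whitelisted` and `null_account` both true is the pattern the original poster described; one with a named account and no whitelist entry looks like an ordinary brute-force block.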
 
Well, was this issue resolved?

Some time ago I enlarged the partition of my vps and was blacklisted in directadmin. After a few weeks I could log in again. (Of course I can log in at another address, or if I go off the wifi with my phone, but that is annoying).

Now, after enlarging the partition again, I have the same problem again. I suspect that I try to log in too quickly after resetting the vps.

When I do a blacklist check, or check the whitelist, I see that my ip address is not in the blacklist at all, but is in the whitelist.
Still I can't log on because my ip address is blacklisted according to directadmin.

If I click the link and go to: https://docs.directadmin.com/direct...n-due-to-error-message-your-ip-is-blacklisted
The solution does not help because I am not blacklisted at all.
 

and don't turn off DirectAdmin Detection because currently CSF Firewall can't detect Failed Login with new log format.

Also, please create your own threads/topics.
 
Having an IP whitelisted on Imunify360, CSF and Brute Force monitor on DA, is not enough.

We still see IPs getting added to /usr/local/directadmin/data/admin/ip_blacklist

It is so stupid to have that file adding IPs to blacklist, with no logs on brute force, mod security, csf, im360, nothing.
 