Brute Force Monitor settings

[Eldad]

Hi all,
I'm getting many attacks from different IPs on the "Failed Logins" section under Brute Force Monitor in DA.
Example:
IP Login Failures First Last Notified Blocked IP Info Select
185.234.219.110 30 Apr 4 18:01 Apr 5 06:10 Yes Yes IP Info
185.36.81.23 30 Apr 3 18:45 Apr 4 09:48 Yes Yes IP Info
45.125.65.42 30 Apr 3 19:03 Apr 4 06:27 Yes Yes IP Info
141.98.10.141 25 Apr 3 08:06 Apr 3 17:10 No Yes IP Info
185.36.81.57 24 Apr 3 08:14 Apr 3 17:12 No Yes IP Info
141.98.10.137 23 Apr 3 08:25 Apr 3 17:07 No Yes IP Info
185.36.81.78 17 Apr 3 08:15 Apr 3 16:53 No Yes IP Info
51.161.96.104 6 Apr 4 07:35 Apr 4 08:44 No No IP Info

I was wondering if there is a way to automatically block those IPs just after 2 unsuccessfull connections (since this is my private server and no one else is supposed to connect to it). Right now it's only blocking them after a few dozens attempts, or I'm just blocking them manually.

Also can I change the settings so those IPs will get removed from the blacklist after a really long time or something?

Many thanks!

 

[jamgames2]

If you say " my private server and no one else is supposed to connect to it "

why you don't try just whilist only your IP to connect.

You can use " CSF Firewall " for manage Deny, Allow. and something attacked like ddos...

 

[Eldad]

Hi, thanks! I don't have a static IP here for technical reasons.
Anyway, I use Gsuite (Gmail) services.. Wouldn't that break any SMTP/POP integration to my server?
Also I was wrong, there are a few more additional mailboxes that my clients are using in my server..

 

[Eldad]

Also I'm starting to suspect that these attacks infects huegly on my resources, is that possible?
My host manager expanded my VPS from 4 cores / 6GB to 8 cors / 16GB so I can check my server performance.
It's been a day and it's using 11GB of RAM, is that reasonable?

Thread Count	8
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Processor Name	Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Vendor ID	GenuineIntel
Processor Speed (MHz)	2197.446
Total Memory	16420864 kB
Free Memory	4599952 kB
Total Swap Memory	1548288 kB
Free Swap Memory	1543928 kB
System Uptime	0 Days, 23 Hours and 5 Minutes
Apache 2.4.43	Running
DirectAdmin 1.60.4	Running
Exim 4.93.0.4	Running
MariaDB 10.4.12	Running
Named 9.11.4	Running
ProFTPd 1.3.6c	Running
sshd	Running
Nginx 1.17.9	Running
dovecot 2.3.10 (0da0eff44)	Running
Php 7.4.4	Installed

 

[jamgames2]

Then " CSF Firewall " Is your best option for technical prevent bruteforce or ddos, It can set limit of fail login on SSH, FTP, MAIL,. ...etc

Just learn by your self, CSF Firewall can help a lot of technical.
beware you need to setting by yourself for FTP Server otherwise your client has some problem.

it normally for ram when you make Highend Webserver. bcause there is so many bruteforce or ddos in network and can't protect 100%,
Sometime you need to fix firewall for fighting again ddos that attack you with highend.

Then you need to learning some network for yourself. It can help a lot of in future.

 

[Eldad]

Thanks again!
I'm using CSF for about two month now. I think I've set everything correctly there, but still there are many attacks...
Can you guide me to the relevant part/s overthere? and maybe some guides for beginners like me in this area, something that could get me started?

 

[Richard G]

CSF will only log certain things, and will not monitor Brute forces to the Directadmin panel itself.
You can integrate this in a couple of ways to CSF.
This is a good one which combines both:

How to block IPs with Brute Force Monitor in DirectAdmin using CSF

(Updated 2018-06-12) Directadmin since version 1.39 has a built-in brute force monitor, which scan your service logs for any brute force login attempts on your system (dovecot, exim, proftpd, sshd) and sent notifications to an admin. Here you can...

help.poralix.com

it's from Zeiter which is a respected and valued user here with DA.

 

[Eldad]

I will look into this, thanks alot!

 

[Eldad]

Just wanted to give you guys an update, maybe it will help someone sometime:
After a month that I've been manually blocking twice a day all the IPs in the Brute Force Monitor list of attacks, the amount of attacks has been dropped significantly.. I guess that those brute force attackers care about resources in some sort of level..

 

[justaserverguy]

Just wanted to give you guys an update, maybe it will help someone sometime:
After a month that I've been manually blocking twice a day all the IPs in the Brute Force Monitor list of attacks, the amount of attacks has been dropped significantly.. I guess that those brute force attackers care about resources in some sort of level..

Do you get the notifications telling you about the blocked IPs?

 

[Eldad]

Do you get the notifications telling you about the blocked IPs?

No, just a finish page that includes a list of which IPs we're blocked and which IP's are already blocked