Blacklisting IPs for excessive login attempts doesn't seem to work

bio-energy (New member, joined Sep 6, 2011, 3 messages)
Dear members,

The past week I received many messages about failed login attempts (brute-force attacks). In DirectAdmin I applied the following restriction settings:

- Blacklist IPs after 3 failed login Attempts
- Time before failed login count resets: 1200 seconds after last attempt

But it seems this doesn't work. When I look at the logs there are still IPs that are trying to log in every 5-6 seconds. Why don't they get blacklisted? :confused:

Thanks in advance for your answers
 
The BFM (Brute Force Monitor) just notifies you about that; it doesn't take any action automatically.

You need to block those IPs manually, or create a script that blocks them automatically.

Regards
 
Thanks for your answer.

Ahh... Strange then that there is an option to blacklist IPs. Because in the DirectAdmin interface I couldn't find a way to
a) access this blacklist anywhere
or
b) manually block IP addresses.

Can anyone tell me where to find this blacklist and how to block IP addresses manually?
Later on I will explore scripts; I prefer a simple solution first, because I'm totally new to this material. By the way, I'm using CentOS, maybe that's important info in relation to how to block IPs manually.

Thanks in advance for your answers!
 
Help, I didn't finish this step. How do I create and edit .sh files?

4) This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin, it does not automate blocking. To automate blocking, create:

/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
and in that script, add:

#!/bin/sh
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip=$value $SCRIPT
exit $?;
and chmod the brute_force_notice_ip.sh to 700.
 
To enable Block IP you need to follow this:

http://help.directadmin.com/item.php?id=380

I followed the guide and the process seems to get through without any problem, but it does not seem to block automatically. I always have to manually check and block the IPs every day.
Just today, I noticed that even after manually clicking, the IPs are not added to the blocked list.
Thanks for support.
 
Thank you. You mean to "chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh" and "chmod 700 brute_force_notice_ip.sh"?
I think I have tried that 2 times (just tried one more time right now).
Let's see how it goes.
Thank you
 
No, I am a newbie to Linux and DA, so I just followed the guides from DA when setting up the server.
My server is CentOS 6.2
 
Hi SeLLeRoNe,
I checked the Brute Force Monitor today and saw that there are excessive login failures. This means the automatic blocking script does not work. And even when I try to do it manually, the IPs were not added to the blocked list.
Thanks for support.
 
Thanks SeLLeRoNe.
I have managed to get it to work by referring to the earlier strings of yours. I think it is due to a script conflict.
Thank you.
 