
Thread: How to block IPs with Brute Force Monitor in DirectAdmin using CSF

  1. #61
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    @roly,

    I will check from my side and let you know.


    @shanky,

    1. It is Directadmin BFM which should be configured to detect attacks on wp-login.php. Check https://www.directadmin.com/features.php?id=1695


    2. Check:


    There will be a set of filter definitions (multiple definitions for each service) stored in:
    /usr/local/directadmin/data/templates/brute_filter.list


    where you can also create a custom version here:
    /usr/local/directadmin/data/templates/custom/brute_filter.list

    https://www.directadmin.com/features.php?id=1227

    So, it's possible.
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  2. #62
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    Quote: Originally posted by roly
    Hi,

    This works fine with USE_PORT_SELECTED_BLOCK=1, but if I change it to USE_PORT_SELECTED_BLOCK=0 it no longer works. Any ideas what the problem is? I'm using CentOS 6.

    I did not find any issue on my end. What do you see in /var/log/directadmin/ when searching an IP which is expected to be blocked?
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  3. #63
    Join Date
    Oct 2004
    Location
    Behind You!
    Posts
    85
    Hi,

    My client's IP has been blocked because of failed logins (email).
    How do I whitelist the client's IP to avoid it being blocked?

    Thank you...
    Regards,

    Alex.

  4. #64
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,694
    You could put the client's IP in the csf.ignore file.
    However, no checks at all will be done against that IP anymore. So if the client's machine gets infected with spam malware, they can have a ball.

    It's better to teach customers to write down their passwords. Because even whitelisted they won't be able to log in with the correct password. I would never whitelist a customer's IP, but that's your choice.
    Greetings, Richard.

  5. #65
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    Alex,

    If you followed the guide in full and disabled CSF from checking logs for brute-force attempts, it will be sufficient to add trusted IPs to a skip list natively managed by Directadmin. You can find it on the BFM page at admin level in Directadmin.

    1. Connect to DA as admin
    2. Go to Brute Force Monitor
    3. Find the text area under the list of attacking IPs
    4. Specify your IP
    5. Click "Add to skip list"




    Quote: Originally posted by alex2k
    My client's IP has been blocked because of failed logins (email).
    How do I whitelist the client's IP to avoid it being blocked?
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  6. #66
    Join Date
    Oct 2004
    Location
    Behind You!
    Posts
    85
    Thank you for your solution Alex

    Quote: Originally posted by zEitEr
    Alex,

    If you followed the guide in full and disabled CSF from checking logs for brute-force attempts, it will be sufficient to add trusted IPs to a skip list natively managed by Directadmin. You can find it on the BFM page at admin level in Directadmin.

    1. Connect to DA as admin
    2. Go to Brute Force Monitor
    3. Find the text area under the list of attacking IPs
    4. Specify your IP
    5. Click "Add to skip list"
    Regards,

    Alex.

  7. #67
    Join Date
    Oct 2004
    Location
    Behind You!
    Posts
    85
    Quote: Originally posted by Richard G
    You could put the client's IP in the csf.ignore file.
    However, no checks at all will be done against that IP anymore. So if the client's machine gets infected with spam malware, they can have a ball.

    It's better to teach customers to write down their passwords. Because even whitelisted they won't be able to log in with the correct password. I would never whitelist a customer's IP, but that's your choice.
    Thank you for your suggestion, Richard.

    Yes, I know the risk and I will teach the client as you suggested.
    Regards,

    Alex.

  8. #68
    Join Date
    Jun 2018
    Posts
    25
    Hi,
    I have a problem with the implementation. Actually it works well, but after I applied it, CSF stopped adding new IPs to /etc/csf/csf.deny except those marked "# Blocked with Directadmin Brute Force Manager".

    What might be the problem?

  9. #69
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    Using the guide/script you disable CSF/LFD from scanning logs for attacks; from then on only Directadmin scans logs for attacking IPs and tells CSF to block them.

    Directadmin and CSF/LFD originally do the same work, they duplicate each other, and the setup addresses that.
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  10. #70
    Join Date
    Jun 2018
    Posts
    25
    OK, great. Can I configure it, e.g. the number of lines for blocked_ips.txt or other options? Does it block SSH brute-force attacks?

  11. #71
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    Directadmin detects brute-force attacks on Apache/nginx, exim, dovecot, ftp and ssh, and blocks the attacking IPs.
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  12. #72
    Join Date
    Apr 2016
    Posts
    31
    I have used your auto installation script and I must say it works great. Thank you so much for making that!

    I do have a problem with the skip list. According to this feature I can add an IP range to the skip list. This range does not seem to work with your CSF script.

    Let's say my brute_skip.list looks like this:

    Code:
    90.1.2.1-255=comments=Test range&type=IP&when=%31%35%35%34%38%38%37%32%36%38
    90.1.2.25=comments=Single IP&type=IP&when=%31%35%35%34%38%38%37%32%36%38
    When I try to block 90.1.2.24 it succeeds, although it should be within the range. When I try to block 90.1.2.25 it fails because it is listed as a single IP.
    FYI: Both lines in the skip list were added through the BFM user interface within DirectAdmin. The file has not been edited manually.
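
An added example, not part of the thread and not code from the Poralix or DirectAdmin scripts: a shell check that tests an IP against skip-list entries in both forms quoted in post #72, the single IP and the last-octet range. The entry syntax and the meaning of `1-255` are inferred from those two lines, and the function names are hypothetical.

```shell
# Added example: is an IPv4 address covered by a brute_skip.list entry?
# Assumed entry syntax (inferred from the two lines quoted in the post):
#   <a.b.c.d | a.b.c.LO-HI>=comments=...&type=IP&when=...

# Sample entries, copied from the post.
SKIP_SAMPLE='90.1.2.1-255=comments=Test range&type=IP&when=%31%35%35%34%38%38%37%32%36%38
90.1.2.25=comments=Single IP&type=IP&when=%31%35%35%34%38%38%37%32%36%38'

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# entry_covers IP KEY: KEY is a single IP or a last-octet range a.b.c.LO-HI.
entry_covers() {
    case $2 in
        *.*.*.*-*)
            _lo=${2##*.}; _hi=${_lo#*-}; _lo=${_lo%-*}
            case "$_lo:$_hi" in :*|*:|*[!0-9:]*) return 1 ;; esac
            [ "${1%.*}" = "${2%.*}" ] &&
                [ "${1##*.}" -ge "$_lo" ] && [ "${1##*.}" -le "$_hi" ] ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# skip_match IP: read skip-list lines on stdin and print the first key that
# covers IP. Exit 0 = covered, 1 = not covered, 2 = IP is not valid IPv4.
skip_match() {
    is_ipv4 "$1" || return 2
    while IFS= read -r _line || [ -n "$_line" ]; do
        entry_covers "$1" "${_line%%=*}" && { printf '%s\n' "${_line%%=*}"; return 0; }
    done
    return 1
}

# Demo on the sample; in use, feed the real skip list on stdin instead.
for ip in 90.1.2.24 90.1.2.25 90.1.3.24; do
    key=$(printf '%s\n' "$SKIP_SAMPLE" | skip_match "$ip") &&
        echo "$ip: skip (covered by $key)" || echo "$ip: not in skip list"
done
```

Run before a block is applied, a non-zero exit from `skip_match` means the address is not covered by any entry; CIDR and IPv6 entries are outside what this sketch parses.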

  13. #73
    Join Date
    Apr 2016
    Posts
    31


    Are IP addresses being blocked by the service they use? Is it possible that an IP address appears multiple times in the BFM blocked list? I am seeing some IP addresses multiple times in the blocked list. Is that because they first attack over HTTP (port 80) and after being blocked they attack over HTTPS (port 443)?
    Last edited by Freddy; 04-10-2019 at 05:49 AM.

  14. #74
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,940
    The brute_skip.list is used by Directadmin; if you think it does not filter IPs properly then you need to contact the Directadmin developers on the matter.

    It is Directadmin that finds attacking IPs in logs and tells CSF/LFD to block an IP with iptables. In the current setup CSF/LFD is disabled from scanning logs for attacks.

    The IP might appear several times; by default we don't block all ports for attacking IPs. Only access to the attacked service is blocked.

    SMTP has 3 ports: 25, 576, 465
    POP has 2 ports, IMAP has 2 ports
    HTTP(s) has 2 ports: 80, 443



    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook
