Adjusting aggressiveness of Brute Force blocking?

James2k

Verified User
Joined
Nov 28, 2012
Messages
28
Hi,

I have set up BFM and CSF on my VPS Server. I have modified the block_ip and unblock_ip sh scripts to be usable with CSF. So BFM detects the brute force attempts but CSF actually handles the blocking with the CSF deny file, but enables the BFM monitor section in DirectAdmin to work in conjunction.

My question is, is there any easy way to specify how aggressive the brute force blocking is? While brute forcers are being automatically blocked no problem, I've noticed they are able to make a good 30, sometimes even 40, attempts before being blocked; this seems too long and they should be blocked sooner.

I have the notify settings both set to 10. Is there anything else I can change to make the brute force blocking more aggressive?

Thanks,

James
 
Hi,

Not sure exactly what you're pointing out here. I didn't mention it directly, but my "Blacklist IPs for excessive login attempts" setting is also at 10, but IPs are able to make more attempts than this before actually getting blocked. I of course also followed this guide to implement basic brute force protection:

http://help.directadmin.com/item.php?id=380

And then proceeded to modify the required sh scripts to make everything compatible with CSF.

Thanks,

James
 
Well look at help.directadmin.com and directadmin.com/versions.php then.
 
Sorry if my previous reply sounded rude, I didn't intend for that. After re-reading my wording, it may have seemed that way.

I have looked through all the DA help files relating to Brute Force and couldn't find any obvious way to control how quickly brute force attempts are blocked, other than the previously mentioned settings above. I guess these are the only settings available?

It just seems odd a brute force attack can get up to 40 requests with a setting of 10 defined. I know the frequency variability is a factor (i.e. x amount of frequency per time limit) as described here: http://www.directadmin.com/features.php?id=1227, but most attempts are consecutive one after the other (per second) so in theory they should be blocked sooner, or am I missing something?
 
If you use a value of 10, after 10 attempts it should block the user on the 11th attempt. I am not sure exactly how the brute force is checked, whether it is live or runs via a cron through the logs or something. My guess is that it runs off a timed check as it has to parse all the log files, so the user could actually try 40 times before it checks again. But I am not 100% sure.

You can open a ticket here and ask the developer:

https://www.directadmin.com/clients/safesubmit.php
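The timed-check guess in the reply above, worked through as an added simulation (not DirectAdmin's code and not posted by anyone in this thread). The function name, the 40-second scan interval and the sample IPs are assumptions chosen for illustration; the threshold of 10 is the setting discussed in the thread.

```python
from collections import Counter

def attempts_before_block(events, threshold, scan_interval):
    """Count failed logins per IP that reach the service before a block lands.

    events: (second, ip) failed logins. scan_interval=0 models a live check
    on every failure; N>0 models a job that parses the log every N seconds.
    Simplification: no sliding time window, counts never expire.
    """
    seen = Counter()      # failures the monitor has parsed so far
    landed = Counter()    # failures that actually hit the service
    pending = []          # logged but not yet parsed
    blocked = set()
    next_scan = scan_interval
    for ts, ip in sorted(events):
        while scan_interval and ts >= next_scan:   # run scans that are due
            seen.update(pending)
            pending.clear()
            blocked |= {i for i, c in seen.items() if c >= threshold}
            next_scan += scan_interval
        if ip in blocked:
            continue                               # firewall drops it
        landed[ip] += 1
        if scan_interval == 0:                     # live: evaluate at once
            seen[ip] += 1
            if seen[ip] >= threshold:
                blocked.add(ip)
        else:
            pending.append(ip)
    return dict(landed)

# Constructed input: one source guessing once per second for two minutes,
# plus a user who mistypes a password three times (documentation IPs).
ATTACKER, USER = "203.0.113.9", "198.51.100.7"
EVENTS = [(t, ATTACKER) for t in range(1, 121)] + [(t, USER) for t in (5, 50, 100)]

if __name__ == "__main__":
    print("live check   :", attempts_before_block(EVENTS, 10, 0))
    print("40 s log scan:", attempts_before_block(EVENTS, 10, 40))
```

With the setting at 10, the live check stops the source after 10 attempts, while the assumed 40-second scan lets 39 through before the block lands, which is in line with the 30 to 40 attempts reported in the thread.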
 
You are probably right. I was just curious as DirectAdmin didn't seem to be honoring the value I put, but it seems there are situations that allow such brute force attempts to be attempted after the block value, but nonetheless they are blocked in due course so it isn't really a concern. More for clarification really.

Thanks for your help.
 