BF blacklist vs Blacklist

factor

So I want to get some clarity on these two items. I stumbled upon them in my firewall review.
Found here: https://docs.directadmin.com/direct...enabling-csf--bfm-during-a-fresh-installation

This one removes singular IPs that qualify as soon as they qualify?

Remove an IP from the BF blacklist after XXXXX minutes (where XXXXX = 86400).
unblock_brute_ip_time=86400
A number of minutes after which the IP is automatically unblocked by Brute Force Monitoring.


This one clears the entire list of IPs no matter what after said minutes?

Remove an IP from the blacklist after X minutes (where X = 0 and 0 = never).
clear_blacklist_ip_time=0
Number of seconds after which the blacklisted IP address will be removed automatically.

Also isn't BF blacklist vs blacklist the same thing? There are not multiple blacklists?

If I want the IPs never removed, I need to mark both of these options as 0.
 
Hi! :)

We'll correct/reword this so it is not so confusing. Thanks for bringing it up!

The brute_force_time_limit is the number of seconds after the last failed login attempt until that count of failed logins is reset to 0. The default is 2 minutes (120 seconds).

The clear_blacklist_ip_time, default 0 (which means never), will remove an IP that has been blacklisted after this many minutes (not seconds).

Per https://www.directadmin.com/features.php?id=1013

Thanks!
 
Remove an IP from the BF blacklist after XXXXX minutes (where XXXXX = 86400).
unblock_brute_ip_time=86400
A number of minutes after which the IP is automatically unblocked by Brute Force Monitoring.
The brute_force_time_limit is the number of seconds after the last failed login attempt until that count of failed logins is reset to 0. The default is 2 minutes (120 seconds).
Are we changing the name? Did I miss something?
 
I didn't mean to confuse further! I mentioned brute_force_time_limit because it was added alongside clear_blacklist_ip_time in feature 1013.

As for minutes versus seconds, it looks like it should be minutes. This says minutes:
New default is: unblock_brute_ip_time=1440 in minutes, which is 1 day / 24 hours.

As does this:
Will likely be: unblock_brute_ip_time=0 in minutes, where 0 is never. 0 will be the default.

I'll correct this in the docs. :) Thanks!

Now, there is a blacklist and a deny list. The BFM blacklist is for blocking DA login bruteforcers, typically on port 2222 unless the DirectAdmin port has been changed. The deny list for blocking IPs in the firewall is csf.deny (that is, if you've integrated CSF into DA and BFM). BFM will utilize both lists if you've integrated with CSF/LFD. BFM uses permanent blocks via csf.deny and lifts them when the specified time has passed.

The blacklist referenced by unblock_brute_ip_time is ip_blacklist=/usr/local/directadmin/data/admin/ip_blacklist. This is used for logging DirectAdmin login bruteforcers and existed even before BFM came to be.
The firewall deny list /etc/csf/csf.deny is used for blocking IPs by BFM in the firewall.
BFM stores hits against services and other information and uses this for keeping track of bruteforcing and blocks. This information is stored here: /usr/local/directadmin/data/admin/brute*

Let me know what other questions you have!
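
An added example, not part of the thread and not DirectAdmin's own code: a small Python check that reads the three settings discussed above, applies the units given in the staff replies, and flags a minutes-valued setting that looks like it was entered in seconds. The sample config is constructed, and the "multiple of 3600" heuristic is an assumption of this example.

```python
from datetime import timedelta

# Units as stated in the staff replies above. "0 = never" is only stated
# for the two unblock/clear settings, so it is only applied to those.
UNITS = {
    "brute_force_time_limit": ("seconds", False),
    "unblock_brute_ip_time": ("minutes", True),
    "clear_blacklist_ip_time": ("minutes", True),
}

# Constructed sample, using the values quoted in the first post.
SAMPLE = """\
brute_force_time_limit=120
unblock_brute_ip_time=86400
clear_blacklist_ip_time=0
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks, comments and malformed lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return {setting: (timedelta or None, note)} for the three settings."""
    conf, report = parse_conf(text), {}
    for key, (unit, zero_is_never) in UNITS.items():
        raw = conf.get(key)
        if raw is None or not raw.isdigit():
            report[key] = (None, "not set" if raw is None else "not a number")
        elif int(raw) == 0 and zero_is_never:
            report[key] = (None, "never removed")
        else:
            span = timedelta(**{unit: int(raw)})
            note = "ok"
            # Heuristic (assumption): whole hours expressed in seconds
            # (3600, 86400, ...) in a minutes field suggest a unit mix-up.
            if unit == "minutes" and int(raw) % 3600 == 0:
                note = "suspicious: as minutes this is %d days" % span.days
            report[key] = (span, note)
    return report

if __name__ == "__main__":
    for name, (span, note) in audit(SAMPLE).items():
        print(name, span, note)
```

With the values from the first post, unblock_brute_ip_time=86400 read as minutes is a 60-day block rather than one day, which is the mix-up the thread is sorting out.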
 