BFM: is it possible to modify behaviour with mod security?

castris

Hi.

BFM blocks globally instead of blocking by affected ports.

Is it possible to modify BFM's behavior in some way following the Directadmin paradigm?

I currently use a script that checks /etc/csf/csf.deny every minute.

But that doesn't disable it. It's just a workaround.
 
Until now I've only seen such an option in the csf.regex.pm file.

However, we like the full block, this way it's also easier to see if a customer has a firewall issue or not. If he can't reach our website on that server, then he has a firewall issue. :)

Also you can set temporary blocks for some things (at least in CSF) so they won't be blocked forever.
 
But I'm talking about BFM, which is the one that injects the permanent block into the csf.

In the CSF cases I use csf.regex.pm for things that are not even covered by BFM. But in that case, the regex does what I gave it: permanent, temporary, etc.

What I want to know is if there is the same control so that when BFM has to ban someone through mod_security it doesn't do it as is, but only to the web port.

Best regards.
 
But I'm talking about BFM, which is the one that injects the permanent block into the csf.
Mostly yes, except for things which are blocked in the /usr/local/directadmin/data/admin/ip_blacklist file.
But everything in csf.deny is sent there by either CSF/LFD itself or by BFM of directadmin.

As for your question, yes and maybe.
Yes, permanent and temp bans can be set up via the csf.conf file.

Maybe... is this one in csf.conf:
# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

So you should set this one to 1 in that case.
I think that is what you are looking for.
 
That's already in my CSF configuration file.

But when an app sends data to CSF (like BFM does) or the regex itself, it tells CSF what it wants.

I believe that configuration is internal to CSF, not to the apps or processes that are not part of its core.

best regards
 
I believe that configuration is internal to CSF, not to the apps or processes that are not part of its core.
Correct, but csf.conf can be used in some cases. However, I think DA BFM is sending it in another way to CSF for blocking, probably something like this:
Code:
#!/bin/sh

# Temporary deny (-td) of $ip for 172800 seconds (48 hours); the trailing words are the comment
/etc/csf/csf.pl -td "$ip" 172800 BFM IP Block

exit 0;
This was a script which I had in the /scripts/custom directory before DA installed CSF some years ago. Probably DA might be sending the command this way to CSF, and then indeed it's bypassing the configuration.
If you use custom scripts, then these will be used instead of the DA BFM blocks. Maybe with the csf.pl in such a script there is a way to only block certain ports, but I don't know.

Maybe somebody else can answer your question or else you might want to try to send in a ticket to see if DA can provide you with an answer to this.
 
@Richard G
No, it's just perm blocked and will be auto-removed later using the timing config by just normally scanning "csf.deny".

BFM is useful for someone who doesn't know how to protect the server, but it's bad when you want to do some advanced tuning.
 
but it's bad when you want to do some advanced tuning.
Yep, exactly for that reason I had these custom scripts, which overrule the BFM and then use temporary denies.
I believe something similar was also possible via BFM without custom scripts, but I would have to search for the post where that was explained; little time at the moment due to old year preparations.

However, even if that was possible, it's still not what is asked, which is to only block certain ports, as is possible with the regexp, and not a complete block.
Such an option would indeed be interesting in some cases.

Edit: The docs explain how to use a timed block instead of a perm block.
unblock_brute_ip_time=xxx
and the others.
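
The csf.deny-scanning workaround mentioned in the first post could look like the following. This is an added example, not code from any poster or from DirectAdmin; it relies on CSF's advanced filter syntax (`tcp|in|d=port|s=ip`), and the `BFM` comment marker, the `80,443` port list and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: rewrite full-IP deny lines that carry an assumed marker into
# port-scoped CSF advanced filters (tcp|in|d=PORTS|s=IP).

MARKER="${MARKER:-BFM}"     # assumption: text identifying BFM entries in the comment
PORTS="${PORTS:-80,443}"    # assumption: web ports to block instead of all ports

# scope_deny_lines: csf.deny-style lines on stdin, rewritten lines on stdout.
scope_deny_lines() {
    awk -v marker="$MARKER" -v ports="$PORTS" '
    {
        line = $0
        # Split into the rule part and the optional "# comment" part.
        hash = index(line, "#")
        rule = (hash ? substr(line, 1, hash - 1) : line)
        comment = (hash ? substr(line, hash) : "")
        gsub(/^[ \t]+|[ \t]+$/, "", rule)
        # Only plain IPv4 entries whose comment carries the marker are rewritten;
        # advanced filters, other sources and pure comment lines pass through.
        if (rule ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index(comment, marker)) {
            print "tcp|in|d=" ports "|s=" rule " " comment
        } else {
            print line
        }
    }'
}

# Constructed sample input (documentation addresses, made-up comments).
sample_deny() {
    cat <<'EOF'
# Constructed csf.deny sample
192.0.2.10 # BFM IP Block - Mon Jan  1 00:00:00 2024
198.51.100.7 # lfd: (sshd) Failed SSH login - Mon Jan  1 00:05:00 2024
tcp|in|d=3306|s=203.0.113.5 # manual rule
EOF
}

sample_deny | scope_deny_lines
```

To apply it, write the output to a temporary file, replace /etc/csf/csf.deny with it and reload the rules with `csf -r`.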
 