blocking IPs with Brute Force Monitor in DirectAdmin using CSF not working

France Presern

New member, joined Oct 17, 2016, 2 messages
Hi.

We are using DirectAdmin (version 1.50.1) and we installed CSF to use for brute-force protection for exim2, proftpd, ... We followed (to the letter) the instructions found at https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm . We are getting the brute force attempt notifications via e-mail (with subject New Message: Brute-Force Attack detected in service log from IP(s) ), but the attackers don't get blocked. According to configuration, the attackers should get blocked after 10 failed attempts but don't get even after 300+ attempts.

There is user interface for Brute Force Monitor in DirectAdmin. It is working in every aspect (it lists all the failed/brute force attempts and allows manual blocking of the attacking IPs) but automatic blocking.

Is there a step missing on https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm ? How can we fix it?

Thank you and best regards,
F.
 
In which time window? Are these brute-force attempts 300 in 1 minute?

If only a few (1 up to the amount of your setting), then a time blocking should be there; if they do not force within this amount and time, they will not be blocked, I think.

We have here every day some of the same IPs only trying 3 times, or on another server 5 times; these we have to block manually.
 
SeLLeRoNe;

Yes, the scripts are executable;

Code:
[root@s1 custom]# ls -la
total 40
drwx------ 2 diradmin diradmin    7 Oct 10 14:17 .
drwx------ 4 diradmin diradmin   75 Oct  3 12:08 ..
-rwx------ 1 root     root     6295 Sep 30  2013 README
-rwx------ 1 root     root     7607 Oct 10 14:16 block_ip.sh
-rwx------ 1 root     root      406 Apr 21  2012 brute_force_notice_ip.sh
-rwx------ 1 root     root      102 Dec  9  2014 show_blocked_ips.sh
-rwx------ 1 root     root     2869 Oct 10 14:16 unblock_ip.sh
[root@s1 custom]# pwd
/usr/local/directadmin/scripts/custom

We tried changing user and group to diradmin:diradmin. After that didn't work, we also tried changing the rights to 711 (chmod +x), but it didn't help either.

Like I said, the functions of Brute Force Monitor in the GUI work flawlessly and, as much as I understand, they use the same scripts to block/unblock IPs? Only the autoblocking doesn't work, and I can't shake the feeling that I overlooked some setting that was left out of the instructions.


ikkeben;

As much as I understand the configuration, the IP should be blocked after 11 attempts within 1h:
LF_TRIGGER = 11
LF_INTERVAL = 3600 (1h)

LF_FTPD = 10
LF_FTPD_PERM = 1

No, 300 failed attempts weren't within a minute, but when I was testing, I did 20 intentional failed attempts (failed connections to proftpd) within 10 minutes but didn't get blocked... I did get the e-mail notification though...

Any other suggestions? Please?
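For readers checking what a custom block hook in /usr/local/directadmin/scripts/custom has to get right before CSF ever sees the address, here is a defensive block_ip.sh-style hook. It is an added example, not the guide's or DirectAdmin's own script; it assumes DirectAdmin hands the offending address to the hook in $ip, that csf is on PATH, that csf.allow is at /etc/csf/csf.allow, and the log path is our own choice.

```shell
#!/bin/sh
# Added example, not the guide's block_ip.sh: a defensive DirectAdmin-style
# block_ip.sh hook that hands a Brute Force Monitor IP to CSF.
# Assumptions (not from the thread): DirectAdmin exports the offender as $ip,
# csf is on PATH, csf.allow lives at /etc/csf/csf.allow, and the log path is ours.
log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"${BFM_LOG:-/var/log/da_bfm_csf.log}"; }

# The address comes from parsed service logs, so treat it as untrusted input:
# accept only a dotted quad with four octets in 0..255 before it reaches a command.
is_valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    IFS=. ; set -- $1 ; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Never hand loopback, RFC 1918 ranges or a csf.allow entry to csf -d:
# a bad block here locks the admin (or the panel itself) out.
is_blockable() {
    case "$1" in
        0.*|127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    allow="${CSF_ALLOW:-/etc/csf/csf.allow}"
    if [ -r "$allow" ] && grep -Eq "^[[:space:]]*${esc}([[:space:]]|#|\$)" "$allow"; then
        return 1
    fi
    return 0
}

# Block one address permanently (the LF_*_PERM = 1 behaviour discussed above).
# "csf -g" is checked first so repeated BFM notices for one attacker stay idempotent;
# assumes csf -g lists an existing deny on a line containing "csf.deny".
block_ip() {
    is_valid_ipv4 "$1" || { log "rejected invalid address '$1'"; return 1; }
    is_blockable "$1"  || { log "refused to block $1 (local or in csf.allow)"; return 1; }
    if csf -g "$1" 2>/dev/null | grep -q 'csf.deny'; then
        log "$1 already in csf.deny"; return 0
    fi
    csf -d "$1" "DirectAdmin BFM $(date '+%F %T')" >>"${BFM_LOG:-/var/log/da_bfm_csf.log}" 2>&1
}

if [ -n "${ip:-}" ]; then
    block_ip "$ip"
fi
```

The same validation belongs in unblock_ip.sh, since both hooks receive the address that was parsed out of the service log.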
 
Hello,

It was me who wrote the guide and scripts, and we have tested it many times with our installations and setups done for our customers. Be sure it does not miss any step.

What are the settings in Directadmin:

Code:
/usr/local/directadmin/directadmin c | sort | grep brute --color
?

Do you see the IP blocked in CSF? Say Directadmin notified you that IP 1.2.3.4 was blocked; what do you see with the following command:

Code:
csf -g 1.2.3.4

you should replace 1.2.3.4 with a real IP address.
 
Probably the guide is missing the information that you should enable BFM in Directadmin. Updating it now...
 
I am having the same problem as France Presern: I limited the number of login attempts but am still seeing messages with users trying to log in hundreds of times.
It seems CSF didn't work. Is there a way to check its version and update CSF?

Hello,

It was me who wrote the guide and scripts, and we have tested it many times with our installations and setups done for our customers. Be sure it does not miss any step.

What are the settings in Directadmin:

Code:
/usr/local/directadmin/directadmin c | sort | grep brute --color
?

Do you see the IP blocked in CSF? Say Directadmin notified you that IP 1.2.3.4 was blocked; what do you see with the following command:

Code:
csf -g 1.2.3.4

you should replace 1.2.3.4 with a real IP address.

I will try to test your way! Thanks!
 