Brute-Force Attack detected in service log

dranelli

Hello,

A few days ago my DirectAdmin was automatically updated to version 1.39.1.
With DirectAdmin 1.39.1 I receive hundreds of emails every day with the subject 'Brute-Force Attack detected in service log'.
I think it is a new feature of DirectAdmin 1.39.1, but I receive too many of these emails per day and this is becoming a problem for me.

What is the utility of these emails?
How can I block the sending of these emails?

Is there anyone that can help me, please?
Thank you in advance.

Regards,
George
 
@dranelli, you don't need the feature, so you can just disable "Brute Force Monitor". To disable it log into DirectAdmin and click on "Administrator Settings", and then tick the box "No" to the right for the text "Parse service logs for brute force attacks". Then you will no longer receive those emails.

Instead I would recommend you install CSF/LFD (ConfigServer Security & Firewall): http://www.configserver.com/cp/csf.html (it integrates with the DirectAdmin control panel).
 
Thank you. I followed your instructions and disabled "Brute Force Monitor" in my DirectAdmin. Now I no longer receive emails about Brute Force.

I used CSF/LFD (ConfigServer Security & Firewall) on my server, but it often blocked my customers' IPs and I had to disable the firewall.
I also tried to set the firewall security level to 'Low', but the firewall still blocked the IPs and I decided to disable the firewall.

Do you know how to configure CSF so that the firewall does not block those IPs?

Thank you.

Regards,
George
 
@dranelli, you don't need the feature, so you can just disable "Brute Force Monitor". To disable it log into DirectAdmin and click on "Administrator Settings", and then tick the box "No" to the right for the text "Parse service logs for brute force attacks". Then you will no longer receive those emails.

Instead I would recommend you install CSF/LFD (ConfigServer Security & Firewall): http://www.configserver.com/cp/csf.html (it integrates with the DirectAdmin control panel).

Quote... I have a real spam assault of warning emails (also from Google IPs [e.g. users' wrong Gmail configuration for an external mail account])... I receive a warning email every 3 minutes, so I have decided to disable this feature and use only CSF.
 
I think DA uses the Exim logs for reporting brute-force attacks, but I did not find the attackers' IPs in the logs. Can anyone help me find the attacker IP?
And I found that just 3 or 4 email addresses, all info@domain, are under attack. Why?
On this server there are more than 500 email users.
 
Wow, speaking of having the same issue. I was about to create a new thread on this as well...

Check my attachment. :eek:
 

Attachment: Untitled-1.jpg
Add the attacker IPs or ranges to your firewall rules. For example, under FreeBSD you can do this in ipfw.rules (add them at the beginning, right before the first "add allow tcp from any..."):

add deny all from 110.203.20.125 to any in


or even block whole ranges (in case many IPs from one subnet are hitting you):

add deny all from 110.203.20.0:255.255.255.0 to any in

After that, run "sh ipfw.rules" and it will reload. Slowly the brute-force attacks will disappear and you will live happier than before :)
 
Not really a problem until they break in, but I was wondering why the emails were suddenly being sent to me. I have followed the suggestion and turned the emails off. :)

I'll give the firewall a try. Thanks for the help.
 
Thing is, no one has ever noticed brute-force attempts before (unless you use CSF/LFD), so people panic. This is why there is an uproar.

In a way, this feature does help, but like people suggest, it would be good if it was off by default.

Pro-tip: Persuade your customers to use strong passwords.
 
Agree, that should be OFF by default. Because it is ON by default, I hesitate to upgrade DirectAdmin on most servers. I need time to decide how to deal with the feature.
 
Well, if you need to update DA for other features, making it off by default before the upgrade should be a workaround until this feature is well defined.

Regards
 
DON'T WANT TO RECEIVE LOTS OF EMAILS about Brute-Force Attack detected...

This is a fantastic new feature THANK YOU Direct Admin...

I'm not very good at finding the IPs of people trying to hack my servers. I know they can be found by searching logs via SSH etc., but that takes time.

Now I can just log in to Direct Admin and view the IPs that are trying to attack my servers by simply clicking on "Brute Force Monitor".

JUST A TIP TO ALL THOSE THAT DON'T WANT TO RECEIVE LOTS OF EMAILS:
What you can do is:
1) Log in to Direct Admin (as Admin).
2) Then click on "Administrator Settings".
3) Find the heading "Parse service logs".
4) Then change the setting to this:
a) Notify Admins after an IP has 500 login failures on any account.
b) Notify Admins after a User has 500 login failures from any IP.
5) Then click Save.


If anyone has made more than 500 tries to login, you can be sure it's going to be a Brute-Force Attack...

PS: Before making any alteration to a server, please get advice from your preferred IT Person.
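Brute Force Monitor's alerts come from parsing the Exim log, which is what the question earlier in the thread about finding the attackers' IPs runs into, and the two "Notify Admins after ... 500 login failures" settings in this post are simply counters over that same log. The Python script below is an added example written for this thread, not DirectAdmin's code and not something any poster supplied: it parses constructed Exim "authenticator failed" lines, counts failures per source IP and per targeted login the way the two settings do, and emits the ipfw deny lines from the FreeBSD post for every IP over the threshold. The log lines, the IP addresses and the example.com/example.org accounts are all made up; the thresholds default to the 500 used in this post and are lowered to 5 so the small sample trips them.

```python
"""Count Exim SMTP AUTH failures per IP and per login, then emit ipfw deny rules."""
import ipaddress
import re
from collections import Counter

# Constructed sample of Exim mainlog lines (made-up IPs and accounts). The shape follows
# Exim's "authenticator failed" entries; the last line is a normal delivery and must be ignored.
SAMPLE_LOG = """\
2011-07-01 10:00:01 dovecot_login authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:00:03 dovecot_login authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:00:05 dovecot_plain authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:00:07 dovecot_login authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:00:09 dovecot_login authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:00:11 dovecot_login authenticator failed for (mail.example.com) [110.203.20.125]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:05:00 dovecot_login authenticator failed for ([203.0.113.7]) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:05:02 dovecot_login authenticator failed for ([203.0.113.7]) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.com)
2011-07-01 10:06:00 dovecot_login authenticator failed for (laptop) [198.51.100.9]: 535 Incorrect authentication data (set_id=bob@example.org)
2011-07-01 10:06:30 1QcXyz-0001Ab-Cd <= bob@example.org H=(laptop) [198.51.100.9] P=esmtpa A=dovecot_login:bob@example.org S=1234
"""

# The source address is the bracketed host that is followed by ':' (the parenthesised
# HELO name may also contain brackets); the attempted login is the set_id value.
# The optional ":port" allows for Exim's +incoming_port log selector.
AUTH_FAIL_RE = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[^\]]+)\](?::\d+)?: .*?\(set_id=(?P<user>[^)]*)\)"
)


def parse_failures(lines):
    """Return one (ip, user) pair per SMTP AUTH failure line; other lines are skipped."""
    found = []
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("user")))
    return found


def count_failures(records):
    """Failures per source IP and per targeted login, the two quantities DA thresholds on."""
    by_ip = Counter(ip for ip, _ in records)
    by_user = Counter(user for _, user in records)
    return by_ip, by_user


def offenders(counter, threshold):
    """Keys whose failure count reached the threshold, worst offender first."""
    return [key for key, n in counter.most_common() if n >= threshold]


def ipfw_deny_rule(target):
    """Build the ipfw deny line used in the FreeBSD post, for one IPv4 address or a CIDR range."""
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("the address:mask form shown here is IPv4 only")
    if net.prefixlen == 32:
        return f"add deny all from {net.network_address} to any in"
    return f"add deny all from {net.network_address}:{net.netmask} to any in"


def report(lines, ip_threshold=500, user_threshold=500):
    """Apply both thresholds and prepare ipfw rules for the IPs that exceed theirs."""
    by_ip, by_user = count_failures(parse_failures(lines))
    ips = offenders(by_ip, ip_threshold)
    return {
        "ips": ips,
        "users": offenders(by_user, user_threshold),
        "rules": [ipfw_deny_rule(ip) for ip in ips],
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG.splitlines(), ip_threshold=5, user_threshold=5)
    print("IPs over threshold:   ", result["ips"])
    print("Logins over threshold:", result["users"])
    for rule in result["rules"]:
        print(rule)
```

Counting per login as well as per IP is what explains the observation earlier in the thread that a handful of info@domain accounts draw most of the failures: generic names are guessed from many addresses, so an attack on one account can stay under the per-IP threshold while the per-user counter climbs. The Exim mainlog on a DirectAdmin box is normally under /var/log/exim/, so the script would be fed that file rather than the embedded sample.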
 
Use with csf/lfd

I use csf/lfd and I have been getting these emails too. I have been looking up the origin of these attacks, and if they are from Asia I block the whole /8 block, and if they are from Europe/North America I report them to abuse@. I have had a few of them ask me for my server logs. What log would they want? Also, some of these don't have an IP; they just say "on User(s) ___". What do I do about those messages? I've had some on generic guesses and some on actual email accounts. None of the attacking IP addresses already existed in csf/lfd, so is this in any way interfering with csf/lfd, or is it catching something that csf/lfd doesn't?
 
Nice feature! I don't know if it's because I just turned my PF firewall off to do some testing or what, but not long after I began receiving messages from DA about brute-force attacks.

Brute-Force Attack detected in service log from IP(s) 216.186.224.214
3280 failures! :eek:

Very well done!
 
Add iptables rules

If you want to protect your server's SSH from brute-force attacks,

add these to your server's iptables and that's all:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

and check it with this:

sudo iptables -L
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
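What the two rules above do is worth spelling out, since the post does not: the first rule records every new TCP connection to port 22 in a per-source-address list called SSH, and the second drops a new connection once that address has been seen 8 times within the last 60 seconds (the --rttl option additionally requires the packet's TTL to match the one recorded, a guard against spoofed entries). The Python below is an added example written for this thread, not code from the post, from netfilter or from DirectAdmin: it simulates that sliding window over a constructed list of connection attempts so you can see which attempt is the first to be dropped, that a source which keeps hammering stays blocked, and that the counter is empty again once the minute has passed. The `trusted` parameter is an assumption of the example, standing in for an ACCEPT rule placed before these two so that an administrator opening many SSH sessions in a minute is not locked out; the --rttl check is not modelled.

```python
"""Simulate the iptables 'recent' rate limit from the post: 8 new SSH connections per 60 s."""
from collections import defaultdict

WINDOW_SECONDS = 60  # --seconds 60
HITCOUNT = 8         # --hitcount 8


class RecentSshLimiter:
    """Approximation of the two-rule chain: '--set' records each new connection,
    '--update --seconds 60 --hitcount 8' drops once the window holds 8 hits.
    The --rttl TTL comparison is deliberately left out of this model."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, trusted=()):
        self.window = window
        self.hitcount = hitcount
        # Assumed addition, not in the post: addresses an earlier ACCEPT rule lets through.
        self.trusted = set(trusted)
        self.stamps = defaultdict(list)  # source IP -> times of recent new connections

    def new_connection(self, ip, now):
        """Verdict for one new TCP connection to port 22 arriving at `now` (seconds)."""
        if ip in self.trusted:
            return "ACCEPT"  # matched before the recent rules are reached
        # Rule 1 (--set): the packet is recorded whatever the verdict, so a source that
        # keeps hammering keeps refilling its own window and stays over the threshold.
        self.stamps[ip].append(now)
        # Rule 2 (--update --seconds --hitcount): hits inside the window, this one included.
        self.stamps[ip] = [t for t in self.stamps[ip] if now - t < self.window]
        if len(self.stamps[ip]) >= self.hitcount:
            return "DROP"
        return "ACCEPT"


def simulate(events, trusted=()):
    """Run (ip, seconds) connection attempts through one limiter; return the verdicts in order."""
    limiter = RecentSshLimiter(trusted=trusted)
    return [limiter.new_connection(ip, t) for ip, t in events]


# Constructed attempt log (made-up addresses): a burst of 9 attempts in 9 seconds from one
# source, a single connection from an unrelated client in the middle of it, and a retry
# from the burst source after the 60-second window has expired.
SAMPLE_EVENTS = sorted(
    [("198.51.100.77", t) for t in range(9)]
    + [("203.0.113.5", 4)]
    + [("198.51.100.77", 100)],
    key=lambda event: event[1],
)

if __name__ == "__main__":
    for (ip, t), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:3d}s  {ip:15}  {verdict}")
```

Run as-is, the burst source is accepted seven times, dropped on its eighth and ninth attempts, and accepted again at t=100 once its earlier timestamps have aged out of the window; the unrelated client is never affected because the list is kept per source address. Note that the rule counts connections, not failed logins, so an SSH client configured to retry aggressively, or a monitoring host polling port 22, can trip it just as a password guesser does; that is what the earlier ACCEPT rule for known addresses is for.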
 