Brute force attacks

ExSpirit (New member, joined Jun 7, 2015, 3 messages)
I am receiving lots of "Brute-Force Attack detected in service log from IP(s)..." messages in my log file. For websites I usually use .htaccess, which checks whether the user has a certain cookie set; if he has, he can enter, and if he doesn't, he is redirected to another page. Is there any way to do this for DirectAdmin? I have checked the files in /usr/local/directadmin, but I haven't managed to get this to work (with .htaccess or a PHP redirect).
 
Same Issue

Yes, I'm having the same issue. I'd love to get this resolved ASAP.
 
No solution

Looks like there's no solution for this. I'll have to think about changing the control panel... I really don't know why I chose DA, or how people even get my server address and port...
 
"Brute-Force Attack detected in service log from IP(s)..."

You did not specify which service is under attack. DirectAdmin works well and stops brute-force attacks, but it does not block IPs out of the box; you need to apply some custom actions if you want DirectAdmin to block attackers' IPs. Here you can find one possible solution: http://forum.directadmin.com/showthread.php?t=44839 (BFM+CSF)

DirectAdmin does not use any webserver (either Apache or nginx) to proxy requests from a web browser to it, and it does not support .htaccess files. If you want to check cookies, you could try this: http://help.directadmin.com/item.php?id=84 (Running DirectAdmin through apache on port 80), and even in this case you will probably need to write your rules directly in the Apache config, as .htaccess will still not be supported.
 
Under Messages in my admin account I get lots of messages of this kind:

A brute force attack has been detected in one of your service logs.

IP 193.189.116.49 has 194 failed login attempts: exim2=194

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404

And under Brute Force Monitor I have lots of lines like this:
- 2015-06-23 23:59:18 login authenticator failed for (User) [193.189.116.49]: 535 Incorrect authentication data (set_id=webmaster)
- Jun 24 01:07:03 server proftpd[8540]: 46.19.8.63 (::ffff:46.50.183.5[::ffff:46.50.183.5]) - USER anonymous: no such user found from ::ffff:46.50.183.5 [::ffff:46.50.183.5] to ::ffff:46.19.8.63:21
- 2015-06-23 18:31:35 login authenticator failed for (ylmf-pc) [201.163.31.144]: 535 Incorrect authentication data (set_id=info)

I don't want to block IPs; that is a bad solution, because the "attacks" will still happen from various IPs, just with not as many tries (and maybe the system will some day lock me out because I type my password wrong a few times). I thought this would stop if I changed the DA port, but there are still around 50 different "attacks" each day. That's why I don't want scanners/bots to even reach the login page; I would like to allow access only to me, if I have set some cookie or something like that, with no IP limit. Is there anything like that which can be done for DA (or maybe some way to hide that I am using DA, so that bots don't even try to log in)? Maybe some captcha (maybe custom made, like a second password, so the user has to type the correct word in there) under the user/password fields?
 
has 194 failed login attempts: exim2=194

That is about brute-force attacks on exim. However you protect the DirectAdmin login page, it won't help with brute-force attacks on the SMTP, IMAP, FTP and SSH services.
 
From your error messages, I can see someone trying to take control of one of your email accounts to send spam.

I personally advise using fail2ban.
It is a service that will lock out bad actors without locking you out. fail2ban does not change the DirectAdmin configuration, and it is easy to set up.
After installing fail2ban from the repo (Debian or CentOS) on your DirectAdmin server, you just copy the default config file to a local one:
cp fail2ban.conf fail2ban.local

Then you open fail2ban.local and activate protection for Courier authentication under
[courierauth]


I hate CSF / LFD:
I had a very bad experience with the CSF plugin on DirectAdmin; it locked my admin account several times, even with heavy configuration. Also, CSF is only a frontend for iptables that loads and unloads complicated tables. It slows down your server if you activate process monitoring.
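To make concrete what the Brute Force Monitor summary ("exim2=194") and a fail2ban jail both do with the log lines quoted earlier in this thread, here is an added example (not code from the thread, from DirectAdmin or from fail2ban) in Python. It matches the two line formats shown above (exim "login authenticator failed" and proftpd "no such user found") with fail2ban-style regexes, counts failures per source IP and service, and reports the IPs that cross a threshold, honouring an ignore list the way fail2ban's ignoreip does, which is what protects you from locking yourself out. The regexes and the sample lines are my own constructions, not fail2ban's shipped filters.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two formats quoted in the thread. The last
# line is a non-failure exim line and must not be counted.
SAMPLE_LOG = """\
2015-06-23 23:59:18 login authenticator failed for (User) [193.189.116.49]: 535 Incorrect authentication data (set_id=webmaster)
2015-06-23 23:59:20 login authenticator failed for (User) [193.189.116.49]: 535 Incorrect authentication data (set_id=admin)
2015-06-23 23:59:25 login authenticator failed for (User) [193.189.116.49]: 535 Incorrect authentication data (set_id=info)
Jun 24 01:07:03 server proftpd[8540]: 46.19.8.63 (::ffff:46.50.183.5[::ffff:46.50.183.5]) - USER anonymous: no such user found from ::ffff:46.50.183.5 [::ffff:46.50.183.5] to ::ffff:46.19.8.63:21
Jun 24 01:07:09 server proftpd[8540]: 46.19.8.63 (::ffff:46.50.183.5[::ffff:46.50.183.5]) - USER test: no such user found from ::ffff:46.50.183.5 [::ffff:46.50.183.5] to ::ffff:46.19.8.63:21
2015-06-23 18:31:35 login authenticator failed for (ylmf-pc) [201.163.31.144]: 535 Incorrect authentication data (set_id=info)
2015-06-23 18:40:00 1ZAbcd-000123-XY Completed
"""

# Hypothetical failregex-style patterns, one per service. Each must capture the
# attacker's address as "ip"; "user" is the account name being tried.
PATTERNS = {
    "exim": re.compile(
        r"login authenticator failed for \([^)]*\) \[(?P<ip>[^\]]+)\]: "
        r"535 Incorrect authentication data(?: \(set_id=(?P<user>[^)]*)\))?"
    ),
    # In the proftpd line the first address is the server's own (46.19.8.63);
    # the client is the one after "from", so only that one is captured.
    "proftpd": re.compile(
        r"proftpd\[\d+\]: .*? - USER (?P<user>\S+): no such user found from "
        r"(?P<ip>[0-9a-f.:]+)"
    ),
}


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix proftpd logs (::ffff:1.2.3.4 -> 1.2.3.4)."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_line(line):
    """Return (service, ip, user) for a failed-login line, or None otherwise."""
    for service, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return service, normalize_ip(match.group("ip")), match.group("user")
    return None


def count_failures(lines):
    """Map ip -> Counter(service -> failures), like BFM's 'exim2=194' summary."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            service, ip, _user = parsed
            counts[ip][service] += 1
    return counts


def offenders(counts, threshold, ignore_ips=frozenset()):
    """IPs whose total failures reach the threshold, minus the ignore list.

    The ignore list plays the role of fail2ban's ignoreip: your own addresses
    are never reported, however many typos you make.
    """
    return {
        ip: dict(per_service)
        for ip, per_service in counts.items()
        if ip not in ignore_ips and sum(per_service.values()) >= threshold
    }


def summarize(log_text, threshold=3, ignore_ips=frozenset()):
    """Convenience wrapper: raw log text in, dict of offending IPs out."""
    return offenders(count_failures(log_text.splitlines()), threshold, ignore_ips)


if __name__ == "__main__":
    for ip, per_service in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, "failed logins:", per_service)
```

With the constructed sample and the default threshold of 3, only 193.189.116.49 is reported (three exim failures); the proftpd source 46.50.183.5 has two and stays below the line, and the server's own address never appears because the proftpd pattern captures only the client side. A real jail would additionally apply a time window (fail2ban's findtime) before acting.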
 
I get thousands of attempts a day: SMTP, POP, FTP, etc. Install fail2ban and forget about it, and tell your clients to use strong passwords, and not the same one for everything.
 