Brute-Force monitor customizations

[Zhenyapan]

Hello,

I'm receiving notifications from BFM like:

Subject: Brute-Force Attack detected in service log from IP(s) 222.223.217.34

A brute force attack has been detected in one of your service logs. IP 222.223.217.34 has 104 failed login attempts: exim1=104

But this IP not blocked. As I understand this connections was summarized during few weeks that's why CSF didn't block it, my CSF configured to block after 3 attemps in last 8h.
How can I configure BFM to block such IPs after 10/20/50(any) attempts, even if they was during last week/month or how long BFM keeps it's counter per IP?
Thanks!

 

[Ohm J]

it already in panel
Server Manager -> Administrator Settings
:Security section



###UPDATE wrong tab/manu

 

[apogee]

I' ve also a question about this, and it's more and more mails every day, a few hundred a day. How can we suppress them? So explicitly only those with false mail logins. What does the message do for me? It doesn't even contain an IP.

Sample:

MESSAGE
Brute-Force Attack detected in service log on User(s) abuse, [email protected], info, mike, [email protected]
2022-06-29 11:13
A brute force attack has been detected in one of your service logs.

User abuse has 153 failed login attempts: exim1=151 & exim2=2
User [email protected] has 143 failed login attempts: exim1=143
User info has 1274 failed login attempts: exim1=1172 & exim2=102
User mike has 146 failed login attempts: exim1=146
User [email protected] has 145 failed login attempts: exim1=145

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404

For messages messages containing IPs I've a suggestion for improvement: it would be great if you could also determine the country of the IP by of geoIP and display it in the mail and in the message. E.g "country: NL"

 

[Ohm J]

@apogee
if you don't want to receipt any Email from BFM notify,

Version 1.41.0 | Directadmin Docs

DirectAdmin Knowledge Base

www.directadmin.com

 

[Zhenyapan]

@apogee already asked for feature to blacklist some Usernames/logins https://feedback.directadmin.com/b/...d-login-username-list-for-immediate-blocking/
you can vote up.

 

[apogee]

Thanks, I voted for it.

I do not want to suppress all messages but only those that are not directly useful to me.

 

[Zhenyapan]

I do not want to suppress all messages but only those that are not directly useful to me.

problem not with notifications, but with block rules (needed some additional).
notifications you can customize: https://docs.directadmin.com/direct...ing-a-specific-email-account-s-login-failures

 

[apogee]

Thanks!
It's always exciting to see what DA functions there are that you would never have thought of.

This does not solve my problem directly but with it I can script something together

Has anyone by chance already created a script which contains an array of addresses or domains?

The system indeed needs expansion