CSF to auto block IPs attempting certain logins?

silvatech

I keep having brute-force attempts on logins that have either never existed or existed a very long time ago. So I was wondering if there is a way in the current settings to make it blacklist anyone trying (example) [email protected] . Any way of adding a rule or a plugin that allows such a thing? Almost every IP attack keeps trying a few key emails that do not exist; it would block them a lot quicker that way, but I don't think there is an option in CSF. Although CSF has so many options I may have missed it, so I figured I would ask here.

Thanks

Edit:
This has now been added to the feedback forum.
 
I don't see any benefit in that. So you block [email protected] and over a few weeks they try [email protected] and/or [email protected] or whatever.
I don't know why people worry about these bruteforces so much, they will keep appearing anyway.

Also it can be a load of IPs. So blocking them all will at a certain point use up resources. Best practice still is to temp block them for a certain time.

As far as I know, BFM of DirectAdmin has an auto block on login attempts which is passed to CSF.

However, why worry about attempts on non-existing accounts?
 
I don't see any benefit in that. So you block [email protected] and over a few weeks they try [email protected] and/or [email protected] or whatever.
It's so the same IP then can't try X amount of other valid logins; that is the reason it works. It also confuses the bots, as they learn "OK, if I do 4 times per IP, not 5, in X amount of hours, no ban." It throws their algorithm all off. Similar techniques are used in WP plugins, and it does drastically lower the attempts made per IP before it is blocked by the firewall.
 
Please don't quote full posts. ;)

OK, I see your point. IMHO it's still something which will only help reasonably briefly, but it can't do harm to try.

However, as far as I know, there is no such option in CSF, maybe only via the custom regexp but I'm not familiar with creating regexp stuff.
I've seen @Zhenyapan liking your post, so he probably also seems interested in something like that.

But to change this I think it might be necessary to change something in DA's BFM mechanism.

You can best request this at the feedback forum then; good chance you will get it upvoted enough.
Be aware you need a separate login for that.
 
Tip: When you created a thread for it in the feedback forum, post the link here, so users can find it more easily and upvote it.
 
I've seen @Zhenyapan liking your post, so he probably also seems interested in something like that.
Yep, I thought about this a few years ago, but it will be complicated, because CSF doesn't know what was wrong, login or pass, so we must somehow give it a login list and a regexp to parse it, and this will be less secure if we have an additional list of correct logins. But it is a good idea to remove the standard logins from the system and add a rule to block anyone who tries them at least 1 time. For example, rename admin to something like "monegar", replace "root" too, and then ban anyone who tries to log in with the login "admin, administrator, root, webmaster etc."
 
admin, administrator, root, webmaster etc.
Yes indeed, but there are so many different names they are trying. I guess it would be a very long list.
So maybe just blocking by login attempts (existing or non-existing) via BFM might have some more result.
 
For example rename admin to something like "monegar", replace "root" too, and then ban anyone who will try to log in with login "admin, administrator, root, webmaster etc."
Yeah, mostly looking for a way to manually add a few logins. The only reason I thought of this was because of some really interesting brute-force attacks I am having. Of course I love the idea of having common ones like admin etc. I have this set up on some of my clients' WP sites. I know they must be coming from the same org, as they keep trying, for example, maggie.waterhouse82 . I would love to put that in a spot so it knows not. They have also been trying 2 people's old emails that have not been clients in over 15 years. Honestly it's amazing how much data they retain for BFAs over long periods of time.
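
The decoy-login idea discussed in this thread (block an IP the first time it tries a login such as admin or root that has no real account behind it, alongside an ordinary failure limit), as an added example that is not part of the original posts and is not CSF or DirectAdmin code. The Dovecot-style log format, the sample lines, and the names `ips_to_block`, `DECOY_LOGINS` and `FAIL_LIMIT` are assumptions.

```python
import re
from collections import defaultdict

# Decoy logins: names with no real account behind them (renamed or removed),
# so a single attempt is enough to block. Constructed list; use your own.
DECOY_LOGINS = {"admin", "administrator", "root", "webmaster"}
FAIL_LIMIT = 5  # ordinary failed logins tolerated per IP

# Assumed Dovecot-style failure line. The username is client-supplied text,
# so the greedy ".*" takes the LAST rip= on the line, which sits after it.
AUTH_FAIL = re.compile(r"auth failed.*?user=<([^>]*)>.*\brip=([0-9A-Fa-f.:]+)")

def ips_to_block(lines, decoys=DECOY_LOGINS, limit=FAIL_LIMIT, ignore=()):
    """Return {ip: reason}; reason is 'decoy' or 'limit'."""
    failures, blocked = defaultdict(int), {}
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        user, ip = m.group(1).strip().lower(), m.group(2)
        if ip in ignore or ip in blocked:
            continue
        # Match the full login or just its local part (admin@any-domain).
        if user in decoys or user.split("@", 1)[0] in decoys:
            blocked[ip] = "decoy"
            continue
        failures[ip] += 1
        if failures[ip] >= limit:
            blocked[ip] = "limit"
    return blocked

def _fail(user, ip):
    """Build one constructed auth-failure line (not captured from a server)."""
    return ("Jan 10 03:12:01 host dovecot: imap-login: Disconnected (auth failed, "
            f"1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={ip}, lip=192.0.2.1")

# Constructed sample log (documentation-range IPs, example.com names).
SAMPLE_LOG = (
    [_fail("admin@example.com", "203.0.113.7")]          # decoy, first try
    + [_fail("jane@example.com", "198.51.100.23")] * 4   # below the limit
    + [_fail("bob@example.com", "198.51.100.99")] * 5    # reaches the limit
    + [_fail("x>, rip=192.0.2.50", "203.0.113.9")]       # forged rip= in username
    + [_fail("ROOT", "203.0.113.9")]                     # decoy, case-insensitive
    + ["Jan 10 03:15:00 host dovecot: imap-login: Login: user=<jane@example.com>"]
)

if __name__ == "__main__":
    for ip, reason in ips_to_block(SAMPLE_LOG).items():
        print(ip, reason)
```

The returned addresses can drive a temporary block, which the thread recommends over permanent ones; the `ignore` argument is for addresses that must never be blocked.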
 