DDOS while using Brute Force Monitor

merlijnb (New member, joined Dec 21, 2014, 2 messages)
Hi,

We have problems with DDOS attacks.
We are using Brute Force Monitor for a year now but it looks like it is not working properly.

Take a look at this image:

http://i60.tinypic.com/nqcns.jpg

As you can see, some IPs have more than 50000 attempts.
These IPs are blocked, but they are still trying to log on.

We have problems with our server which is crashing due to the huge amounts of attempts.

How can we solve this problem?

Thanks in advance!

Merlijn
 
Have you created the needed script to really block IPs? (using CSF or iptables?)

If not, I would suggest you use CSF (search the forum).

If yes, and you're using CSF, in the /etc/csf/csf.conf file there is a value that could be increased (DENY_IP_LIMIT). This sets the max number of IPs to keep banned (the default is low); increase it (I increased it to 10000, but how many chains you can maintain depends on server specs).

If you're using iptables, you should check if it is running and if the chain list is filled correctly.

Useful URL's:
http://help.directadmin.com/item.php?id=527
http://help.directadmin.com/item.php?id=380
https://www.plugins-da.net/info/how-to-block-ips-with
http://configserver.com/cp/csf.html


Regards
 
Hi,
...
We are using Brute Force Monitor for a year now but it looks like it is not working properly.
...

BFM is not blocking anything, it's just a 'monitor'.
To get it to auto-block, follow the links Sellerone has provided.

Personally, I don't have BFM auto-blocking either on my VPS, but whenever I see multiple attempts coming from a subnet range of IPs, I manually enter the IP in the CSF deny list, blocking only the entire last subnet range, like this: 103.41.124.0/24

I wonder why DA doesn't have a selectable option to have IPs blocked by BFM as well, or at least 'know' when CSF is installed, so that BFM is coupled with it.
Seems to me a server's security would be improved by it.
 
Thanks

Thanks, we have installed CSF now and it is blocking most IP addresses now.

But we still get DDoS attacks in the night. We already removed all xmlrpc.php files from our WordPress websites and they are all up-to-date.
Today we got a ddos attack from malta1804.startdedicated.de with the IP 85.25.210.188.

Every night around 15:00 he starts attacking and our server goes to 200%.
When I add his IP to iptables he stops, but the next night he starts again. How can he remove his IP from the iptables?

Who has tips for scanning for hacks on the server? We cannot find any hacked files...

Thanks in advance
 
Hello,

Are you sure it is a DDoS attack? In DDoS attacks they use more than one IP; usually it is a botnet with hundreds or thousands of IPs.
If you face an issue with only one IP, just block it with CSF:

Code:
csf -d 85.25.210.188

and it won't be removed from the ban list until you hit DENY_IP_LIMIT, which Andrea has already suggested increasing.
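The two points made in this thread so far, that a flood from one IP is not a DDoS and that CSF silently drops old bans once csf.deny reaches DENY_IP_LIMIT, can both be checked from a shell. The script below is an added example, not code from the thread or from CSF; every file it reads is constructed sample data written to a temp directory, and the csf.conf/csf.deny formats are assumed to be the quoted-value and one-IP-per-line layouts CSF uses.

```shell
#!/bin/sh
# Added example, not code from the thread: tally failed-login attempts per
# source IP (the kind of list BFM reports) to tell one noisy attacker from a
# many-IP flood, and check CSF's DENY_IP_LIMIT against how full csf.deny is.
# Every file written below is constructed sample data; the paths are
# assumptions for the demo, not a real /etc/csf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed attempt counts, "ip attempts" per line.
cat > "$WORK/attempts.txt" <<'EOF'
85.25.210.188 52013
103.41.124.17 310
103.41.124.22 290
192.0.2.10 3
EOF

# Constructed csf.conf fragments: one at the stock limit, one set very low.
cat > "$WORK/csf.conf" <<'EOF'
DENY_IP_LIMIT = "200"
EOF
cat > "$WORK/csf-low.conf" <<'EOF'
DENY_IP_LIMIT = "2"
EOF

# Constructed csf.deny: comment and blank lines are not entries.
cat > "$WORK/csf.deny" <<'EOF'
# do not delete this line
198.51.100.5 # lfd: (sshd) Failed SSH login from 198.51.100.5

198.51.100.6 # manually added
EOF

# IPs with at least THRESHOLD attempts, busiest first.
offenders() {  # usage: offenders FILE THRESHOLD
    sort -k2,2nr "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Number of distinct source IPs in the file: one means a single attacker,
# hundreds or thousands means the botnet pattern the thread calls a DDoS.
distinct_sources() {  # usage: distinct_sources FILE
    awk '!seen[$1]++ { n++ } END { print n + 0 }' "$1"
}

# DENY_IP_LIMIT as configured in a csf.conf-style file (values are quoted).
deny_ip_limit() {  # usage: deny_ip_limit CSF_CONF
    sed -n 's/^DENY_IP_LIMIT *= *"\([0-9]*\)".*/\1/p' "$1"
}

# Active entries in csf.deny, skipping comment and blank lines.
deny_entries() {  # usage: deny_entries CSF_DENY
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Return 1 when csf.deny is at 90% of DENY_IP_LIMIT or more. Once the limit
# is hit the oldest entries drop out, which is one way a "blocked" IP is
# seen attempting again the next night.
check_deny_headroom() {  # usage: check_deny_headroom CSF_CONF CSF_DENY
    limit=$(deny_ip_limit "$1")
    used=$(deny_entries "$2")
    if [ "$used" -ge $((limit * 9 / 10)) ]; then
        echo "WARN: csf.deny holds $used of $limit entries; raise DENY_IP_LIMIT"
        return 1
    fi
    echo "ok: csf.deny holds $used of $limit entries"
}

# Report: one attacker or many, and would the bans even stick?
THRESHOLD=100
echo "distinct sources: $(distinct_sources "$WORK/attempts.txt")"
echo "sources at or above $THRESHOLD attempts (commands to review, not run):"
offenders "$WORK/attempts.txt" "$THRESHOLD" | sed 's/^/  csf -d /'
check_deny_headroom "$WORK/csf.conf" "$WORK/csf.deny"
check_deny_headroom "$WORK/csf-low.conf" "$WORK/csf.deny" || true
```

On a real box you would point `offenders` at a count you generate from the auth log and `check_deny_headroom` at /etc/csf/csf.conf and /etc/csf/csf.deny; the low-limit run shows the warning you want to see before, not after, bans start rotating out.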
 
Don't use the BF monitor. Do this:


#1 Install CSF. There is a full guide on this and it's pretty easy. But make sure you have all the dependencies installed first or it just doesn't work right.

#2 Set your SSH port to any unused port. That basically ends that. Make sure you add the port to CSF.

#3 Make a new user on your server (in SSH, not in DA). Make sure you can SSH with that user.

#4 In your SSH settings: disable root, and all DA admins, from directly SSHing into the server. Go in as the base user and su to root. This way you don't have to worry about common names causing issues.

#5 Repeat this for the FTP ports and all is good.


It's pretty OP once you have it set up right. Simply moving the port stops like 90% of the BS, and then CSF catches all the stuff right after that. Then go forth and PROFIT!!!!


To make the server really kick in:
1) Do the NGINX + Apache reverse proxy. It's plug and play with CustomBuild 2.0. Nginx will take most of the load off the server during a DDoS.
2) Do the Varnish Cache install (there is a DA guide for this). Varnish then serves the DDoSers and takes load off #1.

You will get major improvements all across the board.
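Steps #2 to #4 above are easy to get half right, and the failure mode is locking yourself out (port moved in sshd but not opened in CSF) or leaving root reachable. The audit below is an added example, not code from the thread, CSF or DirectAdmin; it runs against two constructed sshd_config samples and a constructed csf.conf fragment in a temp directory, and assumes the usual sshd `Directive value` syntax and CSF's quoted, comma-separated TCP_IN.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config and csf.conf
# for the hardening the post above describes: SSH moved off port 22, root
# login disabled, a named non-root user allowed in, and the new port present
# in CSF's TCP_IN so the move does not lock you out. Both files are
# constructed samples under a temp dir, not a real server's configuration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed hardened sshd_config (the commented line must be ignored).
cat > "$WORK/sshd_config" <<'EOF'
#Port 22
Port 2222
PermitRootLogin no
AllowUsers sysadmin
EOF

# Constructed stock-looking sshd_config, nothing changed.
cat > "$WORK/sshd_config.stock" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
EOF

# Constructed csf.conf fragment with the new port added to TCP_IN.
cat > "$WORK/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,2222"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF

# First value of an sshd_config directive; sshd uses the first match, and a
# leading '#' keeps the line a comment, so "#Port 22" does not count.
sshd_value() {  # usage: sshd_value FILE Directive
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Value of a quoted csf.conf setting such as TCP_IN.
csf_value() {  # usage: csf_value FILE NAME
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1"
}

# Succeed when PORT appears as an exact item in a comma-separated csf list.
# (csf also accepts a:b ranges; this demo checks single ports only.)
port_in_list() {  # usage: port_in_list PORT LIST
    echo "$2" | tr ',' '\n' | awk -v p="$1" '$0 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# Print one line per check; the return value is the number of failed checks.
audit_ssh() {  # usage: audit_ssh SSHD_CONFIG CSF_CONF
    fails=0
    port=$(sshd_value "$1" Port); port=${port:-22}   # sshd default is 22
    if [ "$port" = "22" ]; then
        echo "FAIL: sshd still listens on the default port 22"; fails=$((fails + 1))
    else
        echo "ok: sshd listens on port $port"
    fi
    root=$(sshd_value "$1" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "ok: PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset}' (expected 'no')"; fails=$((fails + 1))
    fi
    if [ -n "$(sshd_value "$1" AllowUsers)" ]; then
        echo "ok: AllowUsers restricts who may log in"
    else
        echo "FAIL: no AllowUsers line; any account can try SSH"; fails=$((fails + 1))
    fi
    if port_in_list "$port" "$(csf_value "$2" TCP_IN)"; then
        echo "ok: port $port is in csf TCP_IN"
    else
        echo "FAIL: port $port missing from csf TCP_IN (CSF would block your own SSH)"; fails=$((fails + 1))
    fi
    return "$fails"
}

echo "== hardened =="; audit_ssh "$WORK/sshd_config" "$WORK/csf.conf"
echo "== stock ==";    audit_ssh "$WORK/sshd_config.stock" "$WORK/csf.conf" || echo "failed checks: $?"
```

Run it against /etc/ssh/sshd_config and /etc/csf/csf.conf before restarting sshd; the TCP_IN check is the one that saves you a trip to the console.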
 