Directadmin 1.39.0 - Release Candidate 1

Hello,

This feature does not block anything. It simply notifies you that an attack is happening.

Since we don't install or manage firewalls, it's out of the scope of DA to make changes to them.

However, there are post.sh scripts you can use upon notification. DA would call your script, and in that script you could do what you wish (such as adding the IP to your firewall, but that's beyond our support). The brute_force_notice_ip.sh script is mentioned in this feature entry.

John
 
Directadmin

Dear directadmin

Custom block_ip.sh script found. Click the button below to pass the IP to the script.

When I press blocked it says IP blocked successfully

but that file remains empty and nothing is blocked

This is in DirectAdmin, so I suggest that you are supporting it since
it's in DirectAdmin
 
Hello,

It's a hook, which is an interface between DA, and something you've created.
We will provide support for the button, and support for the calling of the script, but what your script does would be entirely up to you. Unfortunately, our support does not cover what you've written in your script. If your script exits with a zero-status, this is how your script will tell DA that it worked correctly, thus why DA is telling you it's blocked. It's up to you and the contents of your script to ensure that you've actually blocked the IP. Again, firewalls are beyond our support, we don't do any blocking of IPs at the firewall level.

John
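As an added illustration of the hook contract John describes (DA calls the script, and a zero exit status is what tells DA the block "worked"), here is a hypothetical block_ip.sh that only exits zero after verifying the entry really landed in hosts.deny. This is example code, not DirectAdmin's own script; it assumes DA exports the offending address in the environment variable $ip and that TCP Wrappers honours /etc/hosts.deny on the box.

```shell
#!/bin/sh
# Hypothetical block_ip.sh hook (added example, not DirectAdmin's script).
# Assumption: DA exports the offending address as $ip when calling the hook.
# Exit non-zero on any failure so DA does not report a block that never happened.

DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"   # overridable for testing

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Anything else is rejected so no stray text can reach the deny file.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the address already has an entry (keeps repeated calls idempotent).
already_blocked() {
    [ -f "$DENY_FILE" ] && grep -qxF "ALL: $1" "$DENY_FILE"
}

# Append the deny entry; the return status is what DA sees as success/failure.
block_ip() {
    valid_ipv4 "$1" || { echo "refusing malformed address: $1" >&2; return 1; }
    already_blocked "$1" && return 0
    printf 'ALL: %s\n' "$1" >> "$DENY_FILE" || return 1
    already_blocked "$1"   # confirm the write landed before reporting success
}

# Entry point when DA invokes the hook with $ip set; skipped when sourced.
if [ -n "${ip:-}" ]; then
    block_ip "$ip"
    exit $?
fi
```

Because DA only checks the exit status, the final re-read of the deny file is what makes the "IP blocked successfully" message trustworthy.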
 
Is it possible to disable notifications for the brute force scanner? I receive lots of emails from all the DirectAdmin servers at the moment, about brute force attacks. I prefer to just check the brute force monitor on the DA admin page.

I don't want to disable email completely, I still would like to receive the update and other notifications.
 
Hello,

2) We had a few reports of the dataskq going crazy after the update, and it was found to be caused by very large logs that take more than 1 minute to parse, causing the dataskq from the next minute to start parsing the same log from the start, slowing down the whole system. A lock file has been added.

I'll be releasing 1.39.1 shortly.

John

Hi John,

Can you disable the brute force reporting feature by default? A lot of customers are going into panic mode from suddenly getting these mails.

And does it go over the complete log each run? If so, then it's still quite a resource hog even if you lock it. We have logs that are several GBs large (there are customers FTP'ing 20 times/minute due to webcam software and such).
 
Is it possible to disable notifications for the brute force scanner?
Yes, leave the scanner on, but increase the "Notify on" numbers to a much higher value.

I've also modified the default number for User attempts to 40 (but left IP attempts at 20)

Can you disable the brute force reporting feature by default ?
We could take a poll for the default value if you'd like. But until a decision is made, calling:
Code:
echo brute_force_log_scanner=0 >> /usr/local/directadmin/conf/directadmin.conf
/etc/init.d/directadmin restart
would shut it off (the dataskq doesn't actually need the directadmin restart, but the settings in DA wouldn't be accurate)

And does it go over the complete log each run?
No, it doesn't. It takes note where it last left off (usually the end of the file from the last run) and when the log is re-opened for another check (only if the size is different), it will jump to that same point and continue. The first run can be slow if logs are large, but after that, load would be quite minimal.

And for those log entries, DA doesn't do anything with the ip/user log unless a filter match is found. (I've gone to great lengths to make sure it doesn't do anything unless absolutely necessary)

John
 
Is there a limit on that number, so can we set the notification number to 100,000 or something?

I think it would be better to add a configuration option to disable email notifications for the brute force scanner completely.
 
The internal number is a signed integer, so you're going to want to keep it below 2,147,483,647 (2^31). The actual load involved in checking if the count is greater than the limit is quite low, so using a higher number should be fine for now.

Without making a decision yet, a limit of 0 would probably be the simplest way to disable the notifications, but keep the actual log entry scanning/parsing/logging enabled.

John
 
Console

Code:
serwer:/# /etc/init.d/mysqld start
Starting mysqld:                [ OK ]
serwer:/#



In the DA MySQL management page, the message:

Code:
Error connecting to MySQL: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)


Browser logs in DA, errortaskq.log

Code:
2011:06:28-19:12:21: service mysqld wasn't running, starting it
2011:06:28-19:12:31: service mysqld didn't start, re-starting it
2011:06:28-19:13:01: service lfd wasn't running, starting it
2011:06:28-19:13:11: service lfd didn't start, re-starting it
2011:06:28-19:13:21: service mysqld wasn't running, starting it



DA system log

Code:
2011:06:28-19:14:32: mysqld restarted
2011:06:28-19:15:01: lfd started
2011:06:28-19:15:11: lfd restarted
2011:06:28-19:15:21: mysqld started
2011:06:28-19:15:31: mysqld restarted
 
killall -9 mysqld
/etc/init.d/mysqld restart
If this fails, then reboot
 
It would be nice to have a few extra functions on the brute force, like filter exceptions to ignore certain failed attempts. As mentioned in this thread, there's Gmail, which is trying to access pop3 through at least 40 IP addresses, to the same user. It would be nice if I could make a rule that matches this user, so it stops sending emails. :)
 
I'd prefer to see DirectAdmin providing a script that echoes the ip to hosts.deny or such. For the lazy sysadmins that don't want to create scripts on a lot of boxes ;)
 
I'd prefer to see DirectAdmin providing a script that echoes the ip to hosts.deny or such. For the lazy sysadmins that don't want to create scripts on a lot of boxes ;)
The problem with that is that every box has a different configuration; this is why they let you do the scripts. Plus, it's beta, it could block everything at once - so if you muck it all up, it's OK, but if JBMC muck it up, no doubt people will blame them.
 
Why would they turn it on by default if it is beta? A lot of users/resellers are constantly asking why they are bruteforced.

They could give all the necessary scripts and instructions on how to turn it on, but at your own risk. IMHO
 
Why would they turn it on by default if it is beta? A lot of users/resellers are constantly asking why they are bruteforced.
We get brute forced all the time, it's part of the internet - can't stop it really, well, you can, disconnect the servers.

And I'm not sure why it's enabled by default, that's a question for John.
 