DirectAdmin 1.695

I just updated some settings today to match my custom "block_ip.sh".
I'm confused now, does this affect the block_ip.sh file? I'm also using that, can I keep the seconds setting or do I need to change that value so it will be minutes after the newest update? Always has been seconds until now (as should be).
So these things should not suddenly be changed for no reason, better to change the GUI than the system.
 
@Richard G
Your script might not be the same as my script, because I revoke into a temp block and use some of these values from DirectAdmin.

So, my script could become "temporary block for 90 days" 😅

So never mind, I'm not using this value anymore and switched to "clear_brute_log_time" and set "unblock_brute_ip_time" to 0 to prevent any misleading in the future.

Since I'm using temporary blocks, I don't need the DA task to clear the "csf.deny".

... And I just found a problem today: "clear_brute_log_time" must match the temp block timing. Otherwise DA won't notify "ip_block.sh" anymore about the re-abusing IPs until the old notification is past the "clear_brute_log_time" timing.
 
Maybe mine is not affected, still not sure.
My block_ip.sh is called by the brute_force_notice_ip.sh script.
The contents of this script are:
Code:
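#!/bin/sh
# The IP reported by DirectAdmin arrives in $value.
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
# Hand the IP to block_ip.sh through the "ip" environment variable.
ip="$value" "$SCRIPT"
exit $?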

And the block_ip.sh is
Code:
#!/bin/sh
# Temporary deny in CSF: TTL 14400 seconds (4 hours), comment "BFM IP Block".
/etc/csf/csf.pl -td "$ip" 14400 BFM IP Block
exit 0

Normally this gives a temp block of 4 hours by CSF. This should never become 14400 minutes. :)

Scripts were created by @zEitEr in the past, they are on his github.
 
Scripts were created by @zEitEr in the past, they are on his github.

Probably in the old days the scripts were that simple. Now they have evolved into bigger ones.


The scripts do not operate with clear_blacklist_ip_time variable, that is shown as "Blacklist removal timeout" in the section "Brute Force Monitor", which allows modifying settings for protecting the DirectAdmin web interface only.

The scripts use unblock_brute_ip_time, which is represented under the same name "Blacklist removal timeout", but in the section "Brute force log scanner". This section covers the protection of other services against brute-force attacks.

And according to the code in the script block_ip.sh written years ago, the unblock_brute_ip_time represented time in minutes:

Bash:
    TTL=$(/usr/local/directadmin/directadmin c | grep -m1 "unblock_brute_ip_time=" | cut -d= -f2);

    if [ "${TTL}" == "0" ];
    then
        TTL="1825d";       # If TTL=0 then IP should be blocked forever
                           # here we set TTL to 5 years = 365d * 5
    else
        TTL=$((TTL*3*60)); # It is Directadmin which unblocks IP, so we need to have enough long TTL
                           # so that Directadmin have a chance to unblock it
                           # Additionaly convert minutes to seconds *60
    fi;

- https://github.com/poralix/directadmin-bfm-csf/blob/master/block_ip.sh

So nothing changed in this part I believe.
 
Now they have evolved into bigger ones.
Yep they are surely evolved, but I just use that one for temporary blocks in CSF. This way there is no need for me to have an unblock_ip.sh as temp blocks are released automatically by CSF. ;)

But people who want to run things more comprehensively and/or via the DA interface should for sure have a look at your newer versions.
 
Yep, I have that TTL in my script too. But... a long time ago, DA set the default to "1440" or 1 day, and suddenly changed the default value without changelogs... so I thought it was revoked into "seconds" on the GUI in the Evolution skin and still saved as "minutes", the same as "1440" before.

Since the notification must be reset with "clear_brute_log_time", otherwise it won't trigger a block anymore on the same IP until the timing has passed "24hr" (default value).

Then the temp block should use "clear_brute_log_time" instead of "unblock_brute_ip_time".

Example: I just want to block for 2hr. If the timing is lower than "clear_brute_log_time", it becomes free bruteforce.

Look at the picture, when I blocked for 2hr and kept "clear_brute_log_time" at "24" hr.

In this picture, it only blocked the first time, and then after the unblock at 2hr, it's free spam for that day.
Because the "notified" column is still flagged as "Yes", meaning no more notifications to the script until it is reset.
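
The mismatch described in the post above, as an added example (not code from this thread or from the directadmin-bfm-csf project): it computes how long an IP is already unblocked by CSF but still flagged "notified", and extends the temp-block TTL to cover that window. It assumes clear_brute_log_time is in hours, as stated in the post, and that the CSF TTL is in seconds; the function names and the config sample are constructed, and the CSF command is printed rather than executed.

```shell
#!/bin/sh
# Constructed sample of `directadmin c` output (values are illustrative).
DA_CONF_SAMPLE='brute_force_log_scanner=1
clear_brute_log_time=24
unblock_brute_ip_time=0'

# conf_get KEY: first value for KEY in the config dump read from stdin.
conf_get() {
    grep -m1 "^$1=" | cut -d= -f2
}

# renotify_gap BLOCK_SECONDS CLEAR_HOURS
# Seconds during which CSF has already released the IP but DA still has it
# flagged "notified", so block_ip.sh is not called again. 0 means no gap.
renotify_gap() {
    window=$(( $2 * 3600 ))   # assumption: clear_brute_log_time is in hours
    if [ "$1" -lt "$window" ]; then echo $(( window - $1 )); else echo 0; fi
}

# safe_ttl BLOCK_SECONDS CLEAR_HOURS: TTL extended to cover the whole window.
safe_ttl() {
    gap=$(renotify_gap "$1" "$2")
    echo $(( $1 + gap ))
}

# block_cmd IP BLOCK_SECONDS: print (not run) the CSF temp-deny command.
block_cmd() {
    clear_h=$(printf '%s\n' "$DA_CONF_SAMPLE" | conf_get clear_brute_log_time)
    case "$clear_h" in
        ''|*[!0-9]*) echo "bad clear_brute_log_time: '$clear_h'" >&2; return 1 ;;
    esac
    ttl=$(safe_ttl "$2" "$clear_h")
    if [ "$ttl" -ne "$2" ]; then
        echo "warning: TTL raised from $2 to $ttl s to match the notify window" >&2
    fi
    echo "/etc/csf/csf.pl -td $1 $ttl BFM IP Block"
}

# 2-hour block requested while the notify flag is kept for 24 hours.
block_cmd 192.0.2.10 7200
```

The other way to close the gap is to lower clear_brute_log_time to the block length instead of raising the TTL.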
 
