Directadmin bruteforcing

Guti

Hey there people, I'm having a problem on my DA server.
Some annoying user is trying to brute-force my DirectAdmin admin account; the DA security.log writes something like this:

2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86638 times, unsuccessfully, this time into admin's account ***
2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86639 times, unsuccessfully, this time into admin's account ***
2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86640 times, unsuccessfully, this time into admin's account ***
2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86641 times, unsuccessfully, this time into admin's account ***

The problem is that it says the hacking attempts are coming from localhost. I searched for any unauthorized apps that are running in the background and I didn't find anything suspicious.

Is there anything I can do? It's been happening for like 24 hours already. I suspended the admin account (I'm not using it), but I still want to stop the attacks.
 
If it says it's happening from localhost then it's happening from localhost.

Someone trying a php exploit?

Jeff
 
Mmm

I tried grepping for all the files that contain the string "2222" (the DA port) recursively on the /home dir. Didn't find anything.

Is there any other way to try to counter the problem? I just can't even find the raw logs of DirectAdmin (security.log is a bit uninformative), if they even exist.
If I could see where the requests are coming from, what the referrer is, etc., I could locate the abusing file/user.

Thanks,
Nimrod Gutman
 
Hello,

DA login attempts are logged after 10 wrong attempts in /var/log/directadmin/security.log.
Why isn't every attempt logged in /var/log/secure so my BFD can block the attacker? Is it possible to do?

Kind regards,

Martijn
 
If Guti did that he'd be blocking himself.

I'll ask DirectAdmin staff to look at the post.

Jeff
 
Hello,

Hmm, tough one. I'd imagine that something would show up in "top" with excessive usage.

Also, try this to see if it will help locate any scripts (if run through apache): http://help.directadmin.com/item.php?id=91

As a last resort, you could try using this guide to stop DA from listening on the 127.0.0.1 IP. It would break any local APIs though and would only allow access from the specified IP.
http://www.directadmin.com/features.php?id=301
Nothing stopping the brute force from switching to another IP.

The option of adding an "IP blacklist" can be considered. DA could automatically add IPs to this list after hitting a certain "failed attempts" threshold. However, in this case, anyone trying to connect from 127.0.0.1 would be blocked if this feature were implemented.

John
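The threshold-based blacklist John describes, as an added example that is not part of the original thread or of DirectAdmin: it parses lines in the security.log format quoted above, counts failures per source IP, and keeps loopback out of the block list (so local API clients are not cut off) while still reporting it for local investigation. The sample lines, the threshold and the function names are constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Line format as quoted from DirectAdmin's security.log in the first post.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}): (?P<ip>\S+) has tried to log in "
    r"(?P<count>\d+) times, unsuccessfully, this time into (?P<user>\S+)'s account"
)

# Constructed sample excerpt modelled on the lines quoted in the thread
# (203.0.113.9 and 198.51.100.4 are documentation addresses, not real hosts).
SAMPLE_LOG = """\
2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86638 times, unsuccessfully, this time into admin's account ***
2005:11:07-17:59:04: 127.0.0.1 has tried to log in 86639 times, unsuccessfully, this time into admin's account ***
2005:11:07-18:02:11: 203.0.113.9 has tried to log in 1 times, unsuccessfully, this time into admin's account ***
2005:11:07-18:02:12: 203.0.113.9 has tried to log in 2 times, unsuccessfully, this time into admin's account ***
2005:11:07-18:02:14: 203.0.113.9 has tried to log in 3 times, unsuccessfully, this time into admin's account ***
2005:11:07-18:05:00: 198.51.100.4 has tried to log in 1 times, unsuccessfully, this time into bob's account ***
some unrelated line that does not match the format
"""


def parse_failures(text):
    """Yield (source_ip, target_user) for each line matching the DA format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user")


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; non-IP strings are treated as not loopback."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def candidates_for_blacklist(text, threshold=3, never_block=()):
    """Count failures per source IP ourselves (we do not rely on DA's running
    counter in the line) and return two dicts: IPs at or over the threshold
    that could be blacklisted, and exempt IPs (loopback or never_block) that
    should be investigated on the host instead of being firewalled."""
    per_ip = Counter(ip for ip, _ in parse_failures(text))
    exempt = set(never_block)
    block = {ip: n for ip, n in per_ip.items()
             if n >= threshold and ip not in exempt and not is_loopback(ip)}
    investigate_locally = {ip: n for ip, n in per_ip.items()
                           if ip in exempt or is_loopback(ip)}
    return block, investigate_locally
```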
 
Good morning,
Thanks for the reply.
I think I should try to autoblacklist the addresses.
I already use the pam_abl.so PAM module to block brute-force attempts at system-level login.

Are there instructions on how to blacklist addresses after several unsuccessful login attempts in DA? As it's running its own daemon I guess it will be different, unless it's implementing PAM auth.

Thanks,
Nimrod.
 
Hello,

No way through DA at the moment. I was just throwing out the idea of adding it as a feature.

John
 
I see, thanks anyway :).
If you need any testers I'm here :>

Thanks,
Nimrod.
 
Hello,

I would like to see it as a feature within DA,
without the blocking of 127.0.0.1.
If it's within DA, everybody can use it instead of only the ones using BFD.

Kind regards,

Martijn
 