Hi there,
I have a DirectAdmin server running with brute-force detection running. (Both for DirectAdmin services and 3rd party ones). I have set it up using the brute_force_notice_ip.sh script hook to block the attacker in my firewall as well, in this case APF.
Now I am getting messages about attacks regularly. That's great. I also see them being blocked in my firewall. So far so good.
The issue I am seeing is that every attack gets noticed by DA twice. Which means two tickets will be created, and two (identical) rules will be added to the firewall. There is usually 6-24 hours between these two notifications.
An example that just came in is the following:
IP 222.186.23.9 has 9 failed login attempts: proftpd1=6&proftpd2=3
The exact same ticket was also created exactly 24 hours ago. Which makes me believe this is an issue with detection, and not with actually blocking the IP. When does DA scan the logs for failed logins, and how does it know from which point on to scan? I can imagine this is quite tricky with various system services rolling (renaming!) and compressing the log files continuously. Also I find it strange that it mentions 9 failed logins, while the limit is set to 6 in my configuration.
Does anybody else have issues with this as well? All further relevant configuration is default.
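Whatever the cause of the double detection, the hook itself can be made idempotent so that a repeated notice never produces a second firewall rule. Below is an added example of such a brute_force_notice_ip.sh (not DirectAdmin's or APF's own code): it assumes DA exports the offending address in the `ip` environment variable, that APF denies a host with `apf -d`, and it keeps its own record of addresses already blocked in a constructed state-file path.

```shell
#!/bin/sh
# Added example: an idempotent custom brute_force_notice_ip.sh hook.
# Assumptions: DirectAdmin sets $ip for the hook; APF is at $APF_BIN and
# denies a host with "apf -d HOST COMMENT"; the state file path is constructed.
STATE_FILE="${STATE_FILE:-/var/lib/da_bfm/blocked_ips}"
APF_BIN="${APF_BIN:-/usr/local/sbin/apf}"

# is_blocked IP STATE_FILE -> 0 if the hook has already blocked IP
is_blocked() {
    [ -f "$2" ] && grep -qxF "$1" "$2"
}

# block_once IP STATE_FILE
# Adds the APF deny rule only the first time an IP is reported.
# Returns 0 when a rule was added, 1 when the IP was already blocked,
# 2 when the input was rejected or the firewall command failed.
block_once() {
    ip="$1"; state="$2"
    # Only a plain dotted IPv4 address may reach the firewall command line.
    case "$ip" in
        ""|*[!0-9.]*) return 2 ;;
    esac
    if is_blocked "$ip" "$state"; then
        return 1        # second notice for the same attacker: nothing to do
    fi
    mkdir -p "$(dirname "$state")" || return 2
    "$APF_BIN" -d "$ip" "DirectAdmin brute force" || return 2
    printf '%s\n' "$ip" >> "$state"
    return 0
}

# When invoked by DirectAdmin, $ip carries the reported address.
if [ -n "$ip" ]; then
    block_once "$ip" "$STATE_FILE"
fi
```

A second ticket for the same address then leaves the firewall untouched, and the state file doubles as an audit trail of what the hook has blocked.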