Error in the new feature

Angelokreikamp

Verified User
Joined
Jun 13, 2011
Messages
41
Location
The Netherlands
Hello, I got the new DirectAdmin 1.39 installed.
There was a new option in it called "Bruteforce";
I turned this option on.

And I got some attacks. When I click "IP info" and then "block IP", I get the following error in DirectAdmin:

Error Blocking IP

In the DirectAdmin error log it says:

2011:06:27-15:04:58: Block IP 'XX.XX.XX.XX' error: Script output:

XX = hidden for public

I have the file; it says here:

Custom block_ip.sh script found. Click the button below to pass the IP to the script.


So what am I doing wrong?
 
Hello,

If your script returned a non-zero value, then DA will output an error.
If your script returns a zero value, then DA won't output an error.

This has no reference to what your script is actually doing.
The brute force feature in DA only applies to the scanning of logs and reporting of attacks. DA will not block IPs in your firewall.

If you've created the script:
/usr/local/directadmin/scripts/custom/block_ip.sh

it would be up to you to write code that interfaces with your firewall to block the IP. DA does not do this for you. DA will simply execute the script when you click the button, as with all other hook-related scripts in DA.

Simply creating an empty block_ip.sh script will not do anything, and doing so wouldn't have a point.

If you have filled the script with code, ensure it's chmod 700 or 755.
You can manually test your script with (depending on the shell used):
Code:
cd /usr/local/directadmin/scripts/custom
ip=1.2.3.4 ./block_ip.sh
which would fill the 1.2.3.4 value into the "ip" environment variable (as DA does), and run your script at the command prompt, so you can check it for any coding errors.

John
 
Bruteforce

So in other words, I must make a script that catches the DA input and
lets it run a command on iptables to add it to a deny list, and then auto-restart the firewall?

But I still don't get it: I have chmod'ed to 755 / 644 / 777 and none of them actually put
contents in the file.

And this brings me to a new question:

In DirectAdmin, at admin level, you see
File Editor > /etc/hosts.deny
If I put contents there I am still able to see the server / log in to DA etc.
Contents put:

ALL : 57.231.164.20
 
So in other words, I must make a script that catches the DA input and
lets it run a command on iptables to add it to a deny list, and then auto-restart the firewall?
Correct.

But I still don't get it: I have chmod'ed to 755 / 644 / 777 and none of them actually put contents in the file.
Only you can put contents into the file. Nothing else will do it.

I'm not sure exactly which services respect the instructions of the /etc/hosts.deny file. I know DA doesn't. Usually a firewall is the better choice for blocking IPs, to ensure all ports/services are blocked.

John
 
So why not just add the functionality to block the attempts then?
 
I have a question. E.g., I already clicked "block this IP" for "IP A", then the system told me "IP Blocked", but when I clicked "IP A" (IP info) again I see "Block this IP" is still clickable, which means this IP doesn't exist in the DA databases?
 
DA does not manage the list of blocked IPs. It's completely up to you to block the IP in the block_ip.sh script and manage if it's already been blocked or not. If it has been blocked, you'd need to take that into account in the script and return a non-zero result with the output.

DirectAdmin does not block anything. It only runs the script that you create.
If you create the script, it's assumed you know what you're doing and actually block the IP with your code written in your script.

John
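Putting John's two answers together (the exit-status contract and the "ip" environment variable from his first reply, and the "already blocked, return non-zero with output" point from this one), here is what a complete block_ip.sh can look like. This is an added example, not DirectAdmin's code and not a script anyone posted in the thread. It assumes iptables lives at /sbin/iptables, that the INPUT chain is the right place for the rule, and that the iptables build supports the -C (check) option for the already-blocked test; the IPTABLES and CHAIN variables are there so the script can be exercised against a stand-in instead of a live firewall.

```sh
#!/bin/sh
# /usr/local/directadmin/scripts/custom/block_ip.sh
# Added example, not DirectAdmin's own code. DA runs it with the attacker's
# address in the "ip" environment variable and reports "Error Blocking IP"
# plus whatever the script printed whenever it exits non-zero.

# Full path on purpose: the hook does not inherit a login shell's PATH.
# /sbin/iptables is an assumed location; adjust for your distribution.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-INPUT}"

# Accept only a plain dotted-quad IPv4 address. DA parsed this value out of a
# log file and it is about to become part of an iptables command line, so
# anything that is not four octets is refused rather than passed through.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# iptables -C exits 0 when an identical rule is already in the chain
# (assumes an iptables build that has -C).
is_blocked() {
    "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP >/dev/null 2>&1
}

# Exit codes: 0 blocked now, 2 bad input, 3 already blocked, 4 iptables failed.
# Everything echoed ends up in DA's "Script output:" message.
block_ip() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "refusing to block '$addr': not an IPv4 address"
        return 2
    fi
    if is_blocked "$addr"; then
        echo "$addr is already blocked"
        return 3
    fi
    # -I inserts at the top of the chain so an earlier ACCEPT cannot win.
    if ! "$IPTABLES" -I "$CHAIN" -s "$addr" -j DROP; then
        echo "iptables could not add a rule for $addr"
        return 4
    fi
    echo "blocked $addr"
    return 0
}

# When DA (or "ip=1.2.3.4 ./block_ip.sh") runs this file, act on $ip.
if [ -n "${ip:-}" ]; then
    block_ip "$ip"
    exit $?
fi
```

Test it the way John suggests, `ip=1.2.3.4 ./block_ip.sh` as root, then confirm with iptables-save. The rule lives only in the running ruleset: if the firewall is restarted from a saved configuration the DROP is gone unless you also persist it, which this script deliberately leaves out. The address check is not cosmetic: the script builds an iptables command line out of whatever DA extracted from a log, so it should only ever see an address.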
 
I run this script:
iptables -A INPUT -s $ip -j DROP

Works perfectly when I run it in the terminal with sh, but it doesn't work when I run it in DA with the "block IP" submit button. The only thing that appears is what I echo.

Any idea why?

Thanks!
 
Anyone have any recommended scripts for servers with CSF? Is there a proper table to put it in or something... I haven't looked at it yet.
 
Any idea why?

Does iptables get updated? Do you see the IP in output of

Code:
iptables-save

or

Code:
iptables -L -n -v

If not, then a rule is not added, so try /full/path/to/iptables
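To make the iptables-save check suggested above reliable, here are two small shell helpers that read the dump text. This is an added example, not code from DirectAdmin or from anyone in the thread, and the sample dump is constructed. The point they handle: iptables-save writes a single host as ADDR/32, so a bare `grep 1.2.3.4` over the dump also matches 1.2.3.40 and 1.2.3.4/24 and reports a rule that is not there; the helpers match the whole rule line instead, and only count an unconditional "-s ADDR -j DROP" as a block.

```sh
#!/bin/sh
# Helpers over "iptables-save" output to confirm that block_ip.sh really
# changed the ruleset. Added example; not DirectAdmin's code.

# list_dropped [chain]: read a dump on stdin and print every address that has
# an unconditional "-s ADDR -j DROP" rule in that chain, one per line.
# Rules with extra matches (-p tcp --dport 22 ...) are not full blocks and
# are left out on purpose.
list_dropped() {
    chain=${1:-INPUT}
    sed -n "s|^-A $chain -s \([0-9.]*\)\(/32\)\{0,1\} -j DROP\$|\1|p"
}

# is_dropped <ip> [chain]: read a dump on stdin and succeed only if that exact
# address has an unconditional DROP rule. -F/-x match the whole line
# literally, so 1.2.3.4 cannot be satisfied by 1.2.3.40 or 1.2.3.4/24.
is_dropped() {
    addr=$1; chain=${2:-INPUT}
    grep -Fxq -e "-A $chain -s $addr/32 -j DROP" -e "-A $chain -s $addr -j DROP"
}

# Constructed sample in iptables-save format (not output from a real server).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -s 198.51.100.70/32 -j ACCEPT
-A INPUT -s 203.0.113.9/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.0.2.44 -j DROP
COMMIT'

# Demo on the sample; on a real host: iptables-save | is_dropped "$ip"
printf '%s\n' "$SAMPLE_DUMP" | list_dropped INPUT
```

On the sample, list_dropped prints 198.51.100.7 and 192.0.2.44 only: the 198.51.100.70 rule is an ACCEPT and the 203.0.113.9 rule is port-specific. A plain `grep -c 198.51.100.7` over the same dump reports two hits, which is exactly the false positive the helpers avoid.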
 
I would just put:

Code:
#!/bin/sh

/sbin/iptables -A INPUT -s $ip -j DROP

Then make sure you chmod 700 the script.
 
Yes put it in block_ip.sh

Then:

chmod 700 block_ip.sh
 
I would just put:

Code:
#!/bin/sh

/sbin/iptables -A INPUT -s $ip -j DROP

Then make sure you chmod 700 the script.


I suppose you need to add a check in order to learn whether an attacker's IP has already been added or not.
 