Getting blacklisted by DirectAdmin

Anne

Verified User
Joined
Dec 3, 2015
Messages
18
Hi,

This is strange. I just click around in DirectAdmin after a single successful login as admin, but after a few clicks I get:

error=1&text=Your IP is blacklisted
http://help.directadmin.com/item.php?id=306

So I removed my IP in the "ip_blacklist" file (/usr/local/directadmin/data/admin) and added it to (ip_whitelist). A few moments later however, I'm again blacklisted.

I don't know why, and second, the whitelist does not seem to work? Quite strange.

I have DA 1.60.1 and also CSF is running (white listed my IP in there too).

Any thoughts?

update: it's very annoying, I can just click 10 times and then get blocked again. I need to edit "ip_blacklist" all the time to get my work done.
 

Anne

Verified User
Joined
Dec 3, 2015
Messages
18
Hi,

Things like:

2020:02:22-12:43:52: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:48:39: unable to stat /usr/local/directadmin/data/sessions/da_sess_VadqHg*****.temp for filesize after write: euid:995
2020:02:22-12:48:39: Unable to write session file: Unable to stat /usr/local/directadmin/data/sessions/da_sess_VadqHg2******.temp for filesize after write<br>
ConfigFile::removeFile(/usr/local/directadmin/data/sessions/da_sess_VadqH******) filename does not match<br>
. Make sure the disk isn't full.
2020:02:22-12:49:42: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:54:47: is not a number. From '' > '0'
2020:02:22-12:54:47: is not a number. From '' > '0'
2020:02:22-12:55:57: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:59:03: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory
2020:02:22-12:59:42: is not a number. From '' > '0'
2020:02:22-12:59:42: is not a number. From '' > '0'
2020:02:22-13:03:22: Error opening ./data/admin/ip_access/(my ip address)/unauthorized_connections for appending count: No such file or directory

I see a "Make sure the disk isn't full." I know for sure I have a lot of space left.

Also, I'm clicking around now for 10 minutes and no black listing anymore... I think it's strange.


update: and in security.log I see multiple lines:

2020:02:22-12:43:52: [my ip address] has tried to log in 10 times, unsuccessfully, this time into (null)'s account ***
2020:02:22-12:43:52: Adding [my ip address] to the blacklist file: /usr/local/directadmin/data/admin/ip_blacklist

But I did not, however what about the (null)'s account, seems not right? Should this not be admin account?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,243
Location
GMT +7.00
Hello,

Maybe you try another browser? Or try and disable all installed browser extensions?
 

Anne

Verified User
Joined
Dec 3, 2015
Messages
18
Hi,

I've updated to 1.60.3 and then it occurred one more time. But now it's gone and all works fine.

Wish I could find the reason, this has never happened to me before in Direct Admin for over 10 years.

Can an attacker cause this? I have brute force attacks all the time, but DA and CSF seem to handle them just fine.
 

crenet

Verified User
Joined
Sep 23, 2019
Messages
114
Hi,
I also have something similar to this and I have this in log /var/log/directadmin/error.log

[Attached screenshot: Screen Shot 2020-02-29 at 10.31.22.png]

Please help
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
Thanks, I've found a few issues with that, but the blacklist itself "was still working", although the logs would be causing confusion.

1) Issue with DA deleting the ip_access/1.2.3.4 folder upon blacklist (after adding to ip_blacklist), but the same call continued to try and bump the failed counter, hence the error of the missing folder. Pre-release binaries are up now for anyone wanting them.

2) Issue with Evo not checking the X-DirectAdmin: blacklisted header, expecting json out, but it's never json out as the blacklist output is generated without ever parsing any of the input, so it's throwing a wrong user/pass message instead of the "you are blacklisted" message, since the login form page itself doesn't reload, as it's using the dynamic json back-end (reported, likely fixed soon)

John
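
The second issue above, as an added example that is not part of the original post and is not DirectAdmin or Evolution code: a login response handler that checks the `X-DirectAdmin: blacklisted` header before attempting to parse JSON, so a blocked IP is reported as blocked rather than as a wrong user/pass. The function names, the result object, and the JSON `error` member are assumptions; the header and the `error=1&text=...` body are the ones quoted in this thread.

```javascript
// Added example. classifyLoginResponse and its result shape are hypothetical;
// the header and the url-encoded body are the ones quoted in this thread.
function textField(body) {
  // Blacklist output is url-encoded (error=1&text=...), not JSON.
  return new URLSearchParams(body).get('text');
}

function classifyLoginResponse(headers, body) {
  // HTTP header names are case-insensitive, so normalize before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim().toLowerCase();
  }

  // 1) Check the blacklist marker first: this response is produced without
  //    parsing the request, so its body is never JSON.
  if (h['x-directadmin'] === 'blacklisted') {
    return { status: 'blacklisted', message: textField(body) || 'Your IP is blacklisted' };
  }

  // 2) Only then try the JSON the dynamic back-end normally returns.
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    // 3) Not JSON: surface a url-encoded error instead of guessing "bad password".
    const params = new URLSearchParams(body);
    if (params.get('error') === '1') {
      return { status: 'error', message: params.get('text') || 'Unknown error' };
    }
    return { status: 'unexpected', message: 'Response was neither JSON nor an error string' };
  }

  // Assumed JSON shape: an "error" member signals a failed login.
  if (data && typeof data === 'object' && data.error) {
    return { status: 'auth_failed', message: String(data.error) };
  }
  return { status: 'ok', message: '' };
}

// Constructed sample inputs (body text taken from the first post).
const blockedBody = 'error=1&text=Your IP is blacklisted';
console.log(classifyLoginResponse({ 'X-DirectAdmin': 'blacklisted' }, blockedBody));
console.log(classifyLoginResponse({}, '{"error":"Invalid login"}'));
```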
 