How to activate hooks when DA detects brute force attack

jim.thornton (Verified User, joined Jan 1, 2008)
I'm using APF firewall. I had DA set up a few years ago and really neglected it. I didn't keep it up to date or maintain it for security very well. The server was never compromised on the DA/Admin level, but I believe that one of the user accounts has been compromised and it has been sending out a ton of emails as a result.

I have now re-installed the whole server, locked it down with the assistance of my VPS provider.

I have APF Firewall and BFD installed. BFD works well monitoring the ssh/ftp/exim2/etc. ports and automatically adds IPs to the APF blacklist when there have been X number of attempts within 1 minute. The problem is that I'm still getting emails from DA saying that there have been 400+ (or whatever) login attempts on different services and the IPs weren't added to the blacklist. They should have been added after X number within 1 minute.

I would like to add this same functionality to DirectAdmin. I have read that there are hooks with the brute force monitor within DA. My new server has been installed for approximately 30 days and I have 209 emails from the server indicating brute force attack attempts. WOW! They started within 1 hour of installing the new server.

Can someone please help me get this going?
Could someone help me get this up and running? I saw the Knowledgebase article talking about block_ip.sh, but it seems that it adds a button to DA that the admin has to manually block the IP. On top of which, I would like to use APF to block the IPs as opposed to whatever firewall is used in the DA Knowledgebase article.
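As an added illustration (not code from the original post, the DA Knowledgebase article, or the APF project), here is the shape a block_ip.sh-style hook takes when it hands the offending address to APF instead of a DA-side button. It assumes, as the DA Knowledgebase describes for block_ip.sh, that DirectAdmin exports the address in an environment variable named `ip`, that APF lives at /usr/local/sbin/apf and keeps its deny list in /etc/apf/deny_hosts.rules; both paths and the variable name are assumptions to check against your install. The hook validates the address before it reaches the shell command, refuses to block loopback/private ranges, and skips addresses already present in the deny file.

```shell
#!/bin/sh
# Added example of a DirectAdmin brute-force hook that blocks via APF.
# Assumptions: DA passes the attacker address as $ip (per the block_ip.sh
# Knowledgebase article); APF binary and deny list are at the paths below.
APF_BIN="${APF_BIN:-/usr/local/sbin/apf}"
APF_DENY="${APF_DENY:-/etc/apf/deny_hosts.rules}"

# Accept only dotted-quad IPv4 with each octet 0-255. Anything else (including
# shell metacharacters smuggled in a hostname) is rejected before it is used.
is_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Never ban loopback or RFC 1918 space: a misfired hook must not lock out the
# admin or the box's own services.
is_local_range() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Block one address with "apf -d HOST COMMENT". Returns 0 if the address is
# blocked (or was already in the deny list), non-zero otherwise.
block_ip() {
    target="$1"
    if ! is_valid_ipv4 "$target"; then
        echo "block_ip: refusing malformed address '$target'" >&2
        return 2
    fi
    if is_local_range "$target"; then
        echo "block_ip: not blocking local/private address $target" >&2
        return 3
    fi
    # -w keeps 203.0.113.5 from matching 203.0.113.50; -s hides a missing file.
    if grep -qswF -- "$target" "$APF_DENY" 2>/dev/null; then
        return 0
    fi
    "$APF_BIN" -d "$target" "DirectAdmin brute force monitor $(date +%Y-%m-%d)"
}

# When run by DirectAdmin, the address arrives in $ip (assumed hook interface).
if [ -n "${ip:-}" ]; then
    block_ip "$ip"
fi
```

Install it as the custom block_ip.sh script the Knowledgebase article names, make it executable, and confirm with `apf -l` (or the deny file) that a test address actually lands in the deny list; `apf -u HOST` removes it again. The grep dedupe is only an optimisation: APF itself will not add a duplicate, but skipping the call keeps the hook quiet when DA reports the same attacker repeatedly.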
 
I don't think this is related to your server security.

This most probably happens from a hacked website of one of your users.

You need to investigate which user is sending mail and investigate the logs.

Regards
 
I know exactly which user it is and I believe it was the website that was compromised as well. Joomla 1.0.x is running on that site. I'm in the process of rebuilding the site (pretty much done) and going to launch it.

That said, I would like to add the hooks within DA just as an added security measure. APF is blocking some of the IPs, but I'm not sure why some are still able to continue without getting blocked. On the 27th of October there was one IP address that did 400+ attempts to get into exim2. I would like to set it up so that it isn't even possible. None of the attempted usernames are active on my server, but that's not the point. Statistically I guess it is possible to get the right combination by chance. So I figured by setting up the hooks and blocking the IP I can take away that statistical possibility.
 
Further investigation shows that APF is actually blocking most of the IP addresses. I don't know why some are being blocked and some aren't, so I have adjusted my rules in APF, reducing the exim, exim2 to 25 failed attempts instead of 50.

What number of failed attempts are recommended before banning someone with the firewall?

Also... is there a security feature in exim or dovecot that will limit the amount of failed user attempts within so many minutes? For example, I'm getting 30-35 failed attempts on names like, bob, susan, admin, harry, etc.

In some cases one attacker might have hundreds and hundreds of attacking attempts but because each service is under the allowable limit their IP is not getting blocked.

Any suggestions?
 