How to block IPs with Brute Force Monitor in DirectAdmin using CSF

zEitEr (Super Moderator, joined Apr 11, 2005, location: www.poralix.com)
To make Directadmin's BFM compatible with CSF you should do the following:

Auto-installation with the help of the script:

Code:
cd ~
wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh


Manual installation:

Code:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak

It's OK if you have no block_ip.sh and unblock_ip.sh, and the previous step might fail with a warning:

cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory

Now fetch the files:

Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Create the empty block list and exempt list files:

Code:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

Code:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

Now you've got Directadmin which will automatically block IPs of attackers with CSF.

Disable iptables:

It was reported that raw iptables in some cases might overwrite existing rules loaded by CSF/LFD. To avoid it we'd recommend disabling iptables and ip6tables from being loaded at boot time:

CentOS 5, 6:
Code:
chkconfig iptables off
chkconfig ip6tables off

Code:
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables


Permanent link on this How-To
 
Thanks for this, Alex. What happens if you don't make this modification? Are Brute Force Monitor and CSF incompatible if you don't? Does something break if you run both without doing this?

Jeff
 
You're welcome, Jeff.

The main reasons I integrated the CSF command suggested by Andrea (thanks to him for that)

Code:
/etc/csf/csf.pl -d $ip

with the scripts suggested by the Directadmin Help System are as follows:

1. I want to see blocked IPs in Directadmin on BFM page.
2. I want to be able to unblock IPs in Directadmin on BFM page.

The described modifications can also be applied on servers without CSF installed, since if "/etc/csf/csf.pl" is not found or is not executable, then the /etc/init.d/iptables script (provided by Directadmin) will be used to update the loaded iptables rules.

So, you can still use CSF and BFM (in any way you'd like) if those two aspects are of no importance to you. And if you use LFD for blocking IPs, you probably need to skip the guide. If you don't use BFM, you should for sure skip the guide too.
 
I had installed CSF on CentOS and I had to remove it, as it would block external access to the server after working for some time, and it had to be rebooted manually for it to work again. Does this modification solve the problem?
 
I don't know why you were blocked; you might need to add your IP into a whitelist in CSF, so you could avoid blocking of your IP. After that you would need to read the logs and dmesg output (if you have any from the times when you were blocked) to learn the reasons why you were blocked. I presume CSF treated you like an attacker; that's why you were blocked.

Anyway, the guide has nothing to do with such a situation; its purpose is to make managing of IPs banned with BFM simpler, and of course allowing BFM to block/unblock attackers with CSF.
 
I tried finding the reasons for it. It used to block all traffic completely, not just my IP; even SSH access was blocked. I tried adding my IPs etc., but still it would get blocked, so in the end I had to remove it. I even added certain services not to be blocked as well. Is there anything other than CSF to block the IPs detected in BFM automatically?
 
I'm currently doing it manually in iptables, but it's a tedious process. I will try the other method. Thanks a lot.
 
Hi zEitEr,

I found (block_ip.sh)

Code:
echo "Blocking $ip ...<br>";
echo "$ip=dateblocked=`date +%s`" >> $BF;
......................
..........some code here............
......................
echo "Restarting iptables ...<br>";
/etc/init.d/iptables restart
fi

but you say
"Then open block_ip.sh in editor and find lines:
Code:
echo "Blocking $ip ...<br>";
echo "$ip=dateblocked=`date +%s`" >> $BF;

echo "Restarting iptables ...<br>";
/etc/init.d/iptables restart
"

I don't understand, your guide is:

find:
Code:
echo "Blocking $ip ...<br>";
echo "$ip=dateblocked=`date +%s`" >> $BF;

replace with:
Code:
echo "$ip=dateblocked=`date +%s`" >> $BF;

if [ -x "/etc/csf/csf.pl" ]; then
    echo "Found csf installed, so blocking $ip with it<br>";
    /etc/csf/csf.pl -d $ip
else
    echo "Blocking $ip and restarting iptables ...<br>";
    /etc/init.d/iptables restart
fi;

find:
Code:
echo "Restarting iptables ...<br>";
/etc/init.d/iptables restart

replace with:
Code:
echo "$ip=dateblocked=`date +%s`" >> $BF;

if [ -x "/etc/csf/csf.pl" ]; then
    echo "Found csf installed, so blocking $ip with it<br>";
    /etc/csf/csf.pl -d $ip
else
    echo "Blocking $ip and restarting iptables ...<br>";
    /etc/init.d/iptables restart
fi;

or

find:
Code:
echo "Blocking $ip ...<br>";
echo "$ip=dateblocked=`date +%s`" >> $BF;
......................
..........some code here............
......................
echo "Restarting iptables ...<br>";
/etc/init.d/iptables restart
fi

and replace with:
Code:
echo "$ip=dateblocked=`date +%s`" >> $BF;

if [ -x "/etc/csf/csf.pl" ]; then
    echo "Found csf installed, so blocking $ip with it<br>";
    /etc/csf/csf.pl -d $ip
else
    echo "Blocking $ip and restarting iptables ...<br>";
    /etc/init.d/iptables restart
fi;

Please help me. Thanks!
 
Please clarify what is not clear to you. Can't you find the lines which are to be replaced, or what?
Note, the original files (which you can download via the links from the original guide posted here http://help.directadmin.com/item.php?id=380) changed a little, as FreeBSD support was added. So I guess I need to update my guide. Give me some time to update the How-To.
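As an added example (not the guide's own block_ip.sh / unblock_ip.sh / show_blocked_ips.sh, not the DirectAdmin help-page scripts, and not the poralix install script), here is a minimal stand-in for those three scripts that implements the "use /etc/csf/csf.pl if it is executable, otherwise restart DirectAdmin's /etc/init.d/iptables" logic quoted above, together with the `ip=dateblocked=<epoch>` block-list format from the how-to. The four paths can be overridden through environment variables so the script can be exercised without CSF on the machine; the exempt-list check, the address validation (the `$ip` value comes in from the BFM web page, so it is checked before it reaches any command line) and the use of `csf -dr` for removal are this example's own choices, not something the thread prescribes.

```shell
#!/bin/sh
# Added example, not the scripts from the guide: block/unblock/list BFM
# addresses, preferring CSF and falling back to DirectAdmin's iptables script.
# All four paths are assumptions; override them via the environment.
BF="${BF:-/root/blocked_ips.txt}"                      # block list: ip=dateblocked=<epoch>
EXEMPT="${EXEMPT:-/root/exempt_ips.txt}"               # exempt list: one IP per line
CSF="${CSF:-/etc/csf/csf.pl}"                          # CSF command-line tool
IPTABLES_INIT="${IPTABLES_INIT:-/etc/init.d/iptables}" # DirectAdmin fallback

# The address arrives from the web page, so accept only a dotted quad with
# octets 0-255 before it is placed on a command line (added check).
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

is_exempt()  { [ -f "$EXEMPT" ] && grep -qxF -- "$1" "$EXEMPT"; }
is_blocked() { [ -f "$BF" ] && awk -F= -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$BF"; }

# The only two places that touch the firewall: CSF if present, else iptables.
firewall_block() {
    if [ -x "$CSF" ]; then
        echo "Found csf installed, so blocking $1 with it<br>"
        "$CSF" -d "$1"
    else
        echo "Blocking $1 and restarting iptables ...<br>"
        "$IPTABLES_INIT" restart
    fi
}

firewall_unblock() {
    if [ -x "$CSF" ]; then
        echo "Unblocking $1 with csf<br>"
        "$CSF" -dr "$1"      # csf -dr removes an address from csf.deny
    else
        echo "Restarting iptables without $1 ...<br>"
        "$IPTABLES_INIT" restart
    fi
}

# block_ip.sh equivalent: record the address, then apply it to the firewall.
block_ip() {
    ip=$1
    valid_ip "$ip" || { echo "Refusing to block invalid address '$ip'<br>"; return 1; }
    is_exempt "$ip" && { echo "$ip is in the exempt list, not blocking<br>"; return 1; }
    is_blocked "$ip" && { echo "$ip is already blocked<br>"; return 0; }
    echo "$ip=dateblocked=$(date +%s)" >> "$BF"
    firewall_block "$ip"
}

# unblock_ip.sh equivalent: drop the entry (via a temp file, so an interrupted
# write cannot truncate the list), then release it in the firewall.
unblock_ip() {
    ip=$1
    valid_ip "$ip" || { echo "Refusing to unblock invalid address '$ip'<br>"; return 1; }
    is_blocked "$ip" || { echo "$ip is not in the block list<br>"; return 1; }
    awk -F= -v ip="$ip" '$1 != ip' "$BF" > "$BF.tmp" && mv "$BF.tmp" "$BF"
    firewall_unblock "$ip"
}

# show_blocked_ips.sh equivalent: one "ip epoch" pair per line, skipping
# malformed entries.
show_blocked_ips() {
    [ -f "$BF" ] && awk -F= '$2 == "dateblocked" && $3 ~ /^[0-9]+$/ { print $1, $3 }' "$BF"
}

blocked_count() {
    [ -f "$BF" ] && awk -F= '$2 == "dateblocked" { n++ } END { print n + 0 }' "$BF" || echo 0
}

# Command-line entry point, e.g. ./bfm-csf.sh block 203.0.113.7
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    show)    show_blocked_ips ;;
esac
```

The exempt list is consulted before anything is written, which is the safeguard the how-to alludes to when it says to test the setup before automating it: put the admin's own addresses in /root/exempt_ips.txt and a mistaken click cannot lock you out through this path.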
 
Error adding IP to blocklist

When I try to add an IP to the blocklist I get an error.

Code:
Error Blocking IPs

Details

Is there something I need to do or forgot?

I also followed steps 1,2,3 on this link http://help.directadmin.com/item.php?id=380

I'm running DA with csf v6.07 on CentOS
 
Not me, at least. You might want to post a feature request here, or use CSF/LFD, as they support ip6tables out of the box.
 
A pity. I ran into this problem while configuring a new VPS. The standard installation had all IPv4 ports open and all IPv6 ports blocked except for 22. I closed a lot of IPv4 ports using the modified iptables.

In the IPv6 firewall I have now opened ports 80 and 443 as well. I gave adjusting the DA iptables for IPv6 a shot, but that was too tedious a process.
 