How to block IPs with Brute Force Monitor in DirectAdmin using CSF

Aldan55

New member
You'll want to test this out to ensure it works for you:

Code:
/etc/init.d/iptables restart
to make sure you can still connect to everything ok. If not, you may need to head to the datacenter to shut it off (partly why we don't offer support for firewalls)
 

Richard G

Verified User
I wouldn't recommend using iptables restart when using csf/lfd, because your default firewall would start working.
You should use csf -r.

Next to that, if you want to see if things are working, try:
Code:
iptables -L
which gives you the complete output of the current iptables state.

You can also set csf to test mode, in csf.conf. Then you can start it and it will only be enabled for a short time. That's the best way for testing csf/lfd working and settings.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
@Aldan55:

Are you a person or a bot? It appears to me that you may be a bot. To avoid having your emails deleted as irrelevant please reply. I've deleted several of your past emails as irrelevant.

Thanks.

Jeff
 

zEitEr

Super Moderator
Hello,


Please note that the current version of http://files.directadmin.com/services/all/block_ip.sh has the following code:


Code:
curriptables(){
    echo "<br><br><textarea cols=160 rows=60>";
    if [ "$OS" = "FreeBSD" ]; then
        /sbin/ipfw table 10 list
    else
        /sbin/iptables -nL
    fi
    echo "</textarea>";
}

which is shown in a browser when you click to ban an IP in Directadmin and every time directadmin automatically blocks an IP. That would be OK if it were not for the directadmin logs, which become very large because of this function. Just imagine an iptables ruleset with 200-300 rules, and all of them go into a log file located in /var/log/directadmin/.


Thus my suggestion would be, if you want to use the guide provided here, to comment out all calls to the function. Find all lines with


Code:
curriptables

and change them to


Code:
#curriptables

and do not change the line


Code:
curriptables()

That's it.
 

enkrypt

Verified User
Hello,
...
That's it.
Do you happen to have a version for CentOS 7 that uses systemd instead of initd?

If not, I am sure I could try and modify it myself, but I figured I would ask first :)

Thanks for the tutorial!
 

zEitEr

Super Moderator
If you've got CSF/LFD running on CentOS 7, then you may try the updated guide located here: https://www.plugins-da.net/info/how-to-block-ips-with
There you can find updated versions of the scripts:

Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
They operate directly with CSF and are not OS version dependent.
 

zEitEr

Super Moderator
IMPORTANT UPDATE!

A bug has been found in the unblock_ip.sh script which could result in infinite loops when directadmin tries to unblock an IP that has already been removed from the CSF/LFD block list but is still present in /root/blocked_ips.txt.

Run this code to update the script:
Code:
cd /usr/local/directadmin/scripts/custom/
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
chmod 700 unblock_ip.sh
 

Jan_E

Verified User
Thanks for the update. I have just upgraded my (6) Centos servers with DA. Isn't it time to include this script in the normal DA updates?
 

zEitEr

Super Moderator
Hello,

A new version of the scripts has been released.

Run this to back them up:

Code:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak
Run this to update them:

Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Changes in block_ip.sh and unblock_ip.sh:

Code:
# ====================================================================
# Version: 0.1.5 Mon Apr 25 11:30:01 NOVT 2016
# Changes: A switcher USE_PORT_SELECTED_BLOCK added
# ====================================================================
# Version: 0.1.4 Thu Jan 14 19:20:39 NOVT 2016
# Changes: grep replaced with egrep to support old format of
#          /root/block_ips.txt, when IP comes w/out date.
#          A switcher CSF_GREP_API_CALL added
# ====================================================================
#
USE_PORT_SELECTED_BLOCK=1;
                            # SET TO 1 OR 0
                            # 1: TO BAN ACCESS ONLY TO A PORT WHICH
                            #    WAS BRUTEFORCED
                            # 0: TO BLOCK ACCESS TO ALL PORTS
                            #
                            # NOTICE: MANUAL TRIGGER FROM DIRECTADMIN
                            # WILL STILL BLOCK ACCESS TO ALL PORTS
                            # FOR AN IP


CSF_GREP_API_CALL=0; 
                            # SET TO 1 TO USE API CALL TO CSF
                            # WHEN SEARCHING AN IP AGAINST BLOCKLIST
                            # SET TO 0 (ZERO) TO GREP A FILE DIRECTLY
                            # 1 - MORE ACCURATE, USE csf
                            # 0 - MORE SPEEDY, USE egrep
# ====================================================================
 

Richard G

Verified User
Is it correct that "show blocked IPs" is not showing IPs blocked by CSF? It's only looking at the bruteforce monitor.
Code:
BF=/root/blocked_ips.txt

echo "havedata=1"
cat $BF

exit 0;
While the block_ip.sh is also looking at the csf deny files.

At the moment I'm using my custom block_ip.sh which can also set a certain block and time, is that also possible with your block_ip.sh somehow?
This is mine:
Code:
#!/bin/sh
# $ip is passed in the environment by DirectAdmin when it runs block_ip.sh.
# Temporary deny for 172800 seconds (48 hours); quote the IP and the comment
# so csf receives them as intended.

/etc/csf/csf.pl -td "$ip" 172800 "BFM IP Block"

exit 0
 

zEitEr

Super Moderator
Richard,

It is Directadmin which triggers unblock_ip.sh to remove an IP from the block list when the time comes. If an IP were unblocked with CSF, it wouldn't update the list of banned IPs in /root/blocked_ips.txt, so an unblocked IP would still be listed as blocked in Directadmin.

If Directadmin detects the unblock_ip.sh and show_blocked_ips.sh scripts in /usr/local/directadmin/scripts/custom/, then you will have a new field on the administrator settings page in DA to specify the time in minutes after which an IP should be unblocked by Directadmin.

Though the block_ip.sh introduced in the thread with the option USE_PORT_SELECTED_BLOCK=1 will use a CSF temp block with a specified TTL (the same way as you, Richard, do), it multiplies unblock_brute_ip_time by 3 (and converts it to seconds) to give Directadmin a chance to unblock the IP before CSF tries to do it.

Code:
   TTL=$((TTL*3*60));
                       # It is Directadmin which unblocks the IP, so we need a long enough TTL
                       # that Directadmin has a chance to unblock it first
                       # Additionally convert minutes to seconds (*60)
So it is Directadmin which tells CSF to block IP, and it is still Directadmin which tells CSF to unblock IP.

Moreover, when using BFM+CSF I'd suggest the following settings for CSF:

Code:
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
to stop CSF from scanning logs for brute-force attacks and avoid conflicts.

Related: https://www.directadmin.com/features.php?id=1376
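An added example (not the block_ip.sh or unblock_ip.sh from plugins-da.net) that models the pieces of the Directadmin-to-CSF flow described in this post and in the IMPORTANT UPDATE above: the TTL calculation from unblock_brute_ip_time, the USE_PORT_SELECTED_BLOCK choice between a per-port and an all-ports csf -td call, and an unblock that drops the list entry even when CSF no longer holds the IP. The csf command is only built as a string so the script runs without CSF; the list-file formats and the exempt-file format are assumptions.

```shell
#!/bin/sh
# Added example, not the scripts from the thread. The csf call is only
# returned as text so this runs on any machine without CSF installed.

# unblock_brute_ip_time is in minutes; multiply by 3 and convert to
# seconds so Directadmin gets to unblock before CSF expires the entry.
compute_ttl() {
    echo $(( $1 * 3 * 60 ))
}

# Build the csf temporary-deny command line.
# use_port=1 limits the block to the brute-forced port; 0 (or no port,
# as with the manual Directadmin trigger) blocks every port.
build_csf_cmd() {
    ip=$1; ttl=$2; port=$3; use_port=$4
    if [ "$use_port" = "1" ] && [ -n "$port" ]; then
        echo "csf -td $ip $ttl -p $port BFM block on port $port"
    else
        echo "csf -td $ip $ttl BFM block"
    fi
}

# Exempt list (/root/exempt_ips.txt in the guide): assumed one bare IP per line.
is_exempt() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# Remove an IP from the blocked list regardless of CSF's own state; that is
# what stops the re-trigger loop from the update post. Assumed list format:
# either "IP" alone (old format) or "IP=..." (with a date).
unblock_from_list() {
    ip=$1; list=$2
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for the regex
    grep -vE "^$esc(=|$)" "$list" > "$list.tmp" || true  # grep exits 1 if empty
    mv "$list.tmp" "$list"
}

# Demo on a constructed list file (not a real /root/blocked_ips.txt).
demo_list=$(mktemp)
printf '192.0.2.10=1461577801\n198.51.100.7\n' > "$demo_list"
build_csf_cmd 192.0.2.10 "$(compute_ttl 960)" 21 1
unblock_from_list 192.0.2.10 "$demo_list"
cat "$demo_list"
rm -f "$demo_list"
```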
 

Richard G

Verified User
So it is Directadmin which tells CSF to block IP, and it is still Directadmin which tells CSF to unblock IP.
Thank you, I know that part about DA triggering the unblock_ip.sh etc.
I just wondered if it could be used without that /root/blocked_ips.txt files and call CSF directly. So use it with CSF only and directly. Clearly it still needs those files.

In that case I keep using my own method. I've set those values you advise to set to 0 to different values. Some do a temp block, others do a permanent block, based on what CSF/LFD discovers itself in the logs.
The block_ip.sh I'm only using for the DA-BFM stuff which now automatically temp blocks the ip by using the brute_force_notice_ip.sh which I have pointing to block_ip.sh.

Only issue is that we cannot unblock the IP via unblock_ip.sh, but that's not a big deal, I do that via ssh anyway if necessary.

Thank you for the explanation though.
 

zEitEr

Super Moderator
It seems I've missed one question of yours.

Is it correct that "show blocked ip's" is not showing ip's blocked by CSF? It's only looking at the bruteforce monitor.
If an IP was blocked directly by CSF we should not care about it in terms of using BFM. Thus we do not read the list of banned IPs in CSF.

I just wondered if it could be used without that /root/blocked_ips.txt files and call CSF directly. So use it with CSF only and directly. Clearly it still needs those files.
You might achieve the same effect by using block_ip.sh (introduced here) without unblock_ip.sh. Just manually add unblock_brute_ip_time=960 (with your own value) to directadmin.conf:

960 * 3 * 60 = 172800
 

develop

Verified User
To make Directadmin's BFM compatible with CSF you should do the following:
Code:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak
It's OK if you have no block_ip.sh and unblock_ip.sh, and the previous step might fail with a warning:
cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory

Now fetch the files:
Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Create the empty block list and exempt list files:
Code:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This last step is optional and should only be used after you've tested the above setup for a while to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin, it does not automate blocking. To automate blocking, install the following script:
Code:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

Now you've got Directadmin which will automatically block IPs of attackers with CSF.

Disable iptables:

It was reported that raw iptables in some cases might overwrite existing rules loaded by CSF/LFD. To avoid this we recommend disabling iptables and ip6tables from being loaded at boot time:

CentOS 5, 6:
Code:
chkconfig iptables off
chkconfig ip6tables off
Code:
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables

With Centos 7:

# mv /etc/init.d/iptables /etc/init.d/iptables~moved
mv: cannot stat '/etc/init.d/iptables': No such file or directory
 

develop

Verified User
I found the solution completely by coincidence

https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

4. Disable firewalld:
CentOS 7:
systemctl disable firewalld
systemctl stop firewalld
5. Suppress BFM messages:
If you trust your software and security settings, then you will probably want to hide all those numerous emails about found Brute force attacks. And here is how you can achieve it:
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
Restart directadmin.

How to check it? I tried to log in with a long pass; BFM blocked it, but in the CSF list there is no IP.
 

develop

Verified User
I tried to log in to ftp with a wrong password.
Directadmin blocked it but csf did not block it.

Not working correctly.

I set it all up with that guide.
 

develop

Verified User
Is it possible to do it all on csf? Block all via csf and, if I want to unblock an IP, can I do it via the CSF panel?

Best regards.
 