To make Directadmin's BFM compatible with CSF you should do the following:
The file is fully managed by Directadmin; you should not touch it.
Q1:
How does this file work:
The file is fully managed by Directadmin; you should not touch it manually. You can add IPs into the file in Directadmin at admin level (Brute Force Monitor / CMD_BRUTE_FORCE_MONITOR).
Q2:
I don't seem to have this file? Where can I get this file? (also tried "locate", it was not found on my server).
It's a binary, you should not try to find anything in it.
Q3:
TTL, where does it come from? All blocks are now temporary, for 3600 seconds. In the file I see this:
TTL=`/usr/local/directadmin/directadmin c | grep unblock_brute_ip_time= | cut -d\= -f2`;
TTL=$((TTL*3*60)); # It is Directadmin which unblocks the IP, so we need a long enough TTL
# so that Directadmin has a chance to unblock it
# Additionally convert minutes to seconds *60
I don't think I can find the "unblock_brute_ip_time" in this file: /usr/local/directadmin/directadmin
Change zero 0 to 3600 if you want an IP to be removed after 3600 minutes, or to 60 if you want an IP to be removed from the ban after 60 minutes (1 hour). You have now:
Q4:
I figured that this script/scripts are using the Security values under CMD_ADMIN_SETTINGS
Any advice on this?
What I want - if an IP gets blocked, I like to see it in the log for about 7 days.
These are my current settings:
Prevent 127.0.0.1 from being Blacklisted = Yes
Time before failed login count resets = 1200
Remove an IP from the blacklist after = 2880
Parse service logs for brute force attacks = Yes
Notify Admins after an IP has = 200
Notify Admins after a User has = 200
Remove an IP from the BF blacklist after = 0
Reset count of IP/User failed attempts = 168
Clear failed login attempts from log = 7
Scan for WordPress attacks = All logs
I can't seem to find the value 3600 (TTL)?
At this moment, a block will be temporary for 3600 (1 hour) - but some IPs will be blocked directly again, after this 1 hour period, for failing 1 more login (i.e. 200 failed logins > block 1 hour > 1 hour later > 201st failed login > blocked again for 1 hour > etc.).
I would really like to increase this 3600 seconds (TTL), any advice on this?
Thanks for reading!
cd ~
wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh