How to block IPs with Brute Force Monitor in DirectAdmin using CSF

[zEitEr]

@roly,

I will check from my side and let you know.


@shanky,

1. It is Directadmin BFM which should be configured to detect attacks on wp-login.php. Check https://www.directadmin.com/features.php?id=1695


2. Check:

There will be a set of filter definitions (multiple definitions for each service) stored in:
/usr/local/directadmin/data/templates/brute_filter.list


where you can also create a custom version here:
/usr/local/directadmin/data/templates/custom/brute_filter.list

https://www.directadmin.com/features.php?id=1227

So, it's possible.

 

[zEitEr]

hi

this works fine with USE_PORT_SELECTED_BLOCK=1 but if i change it to USE_PORT_SELECTED_BLOCK=0 it no longer works, any ideas what the problem is? im using centos 6

I did not find any issue on my end. What do you see in /var/log/directadmin/ when searching an IP which is expected to be blocked?

 

[alex2k]

Hi,

My Client's IP has been blocked cause failure login (EMail).
How do I white-list client's IP to avoid blocked ?

Thank you...

 

[Richard G]

You could put the clients ip in the csf.ignore file.
However, totally no checks will be done against that ip anymore. So if the clients machine will be infected with spam malware, they can have a ball.

It's better to teach customers to write down their passwords. Because even whitelisted they won't be able to login with the correct password. I would never whitelist a customers ip, but that's your choice.

 

[zEitEr]

Alex,

If you followed the guide in full and disabled CSF to check logs for brute-force attempts, it will be sufficient to add trusted IPs in a skip-list naively managed by Directadmin. You can find it on a BFM page at admin level in Directadmin.

1. Connect DA as admin
2. Go to Brute Force Monitor
3. Find text area under a list of attacking IPs
4. Specify your IP
5. Click "Add to skip list"

My Client's IP has been blocked cause failure login (EMail).
How do I white-list client's IP to avoid blocked ?

 

[alex2k]

Thank you for your solution Alex

Alex,

If you followed the guide in full and disabled CSF to check logs for brute-force attempts, it will be sufficient to add trusted IPs in a skip-list naively managed by Directadmin. You can find it on a BFM page at admin level in Directadmin.

1. Connect DA as admin
2. Go to Brute Force Monitor
3. Find text area under a list of attacking IPs
4. Specify your IP
5. Click "Add to skip list"

 

[alex2k]

You could put the clients ip in the csf.ignore file.
However, totally no checks will be done against that ip anymore. So if the clients machine will be infected with spam malware, they can have a ball.

It's better to teach customers to write down their passwords. Because even whitelisted they won't be able to login with the correct password. I would never whitelist a customers ip, but that's your choice.

Thank you for your suggestion Richard.

Yes I know the risk and I will teach the client as your suggestion

 

[qba82]

Hi,
I have a problem with implementation, actually it work good, but after I applied that csf stop to add new IP to /etc/csf/csf.deny except # Blocked with Directadmin Brute Force Manager

what might be a problem?

 

[zEitEr]

Using the guide/script you disable CSF/LFD from scanning logs for attacks, since then only Directadmin scans logs for attacking IPs and tell CSF to block them.

Directadmin and CSF/LFD originally do the same work, they duplicate each-other, and the setup address it.

 

[qba82]

Ok great, can I configure it like no of lines for blocked_ips.txt or other options? Does it block ssh brute force attacks?

 

[zEitEr]

Directadmin detects brute-force to Apache/nginx, exim, dovecot, ftp, ssh; and blocks attacking IPs.

 

[Freddy]

I have used your auto installation script and I must say it works great. Thank you so much for making that!

I do have a problem with the skip list. According to this feature I can add an IP range to the skip list. This range does not seem work with your CSF script.

Lets say my brute_skip.list looks like this:

90.1.2.1-255=comments=Test range&type=IP&when=%31%35%35%34%38%38%37%32%36%38
90.1.2.25=comments=Single IP&type=IP&when=%31%35%35%34%38%38%37%32%36%38

When I try to block 90.1.2.24 then it succeeds while it should be within the range. When I try to block 90.1.2.25 it fails because it is listed as a single IP.
FYI: Both lines in the skiplist are added through the BFM user interface within DirectAdmin. The file has not been editted manually.

 

[Freddy]

Are IP address being blocked by the service they use? Is it possible that an IP address appears multiple times in the BFM blocked list? I am seeing some IP addresses multiple times in the blocked list. Is that because they first attack over HTTP (port 80) and after being blocked they attack over HTTPS (port 443)?

 

[zEitEr]

The brute_skip.list is used by Directadmin, if you think it does not filter IPs properly then you need to contact Directadmin developers on the matter.

It is Directadmin to find attacking IPs in logs and tell CSF/LFD to block an IP with iptables. In the current setup CSF/LFD is disabled from scanning logs for attacks.

The IP might appear several times, by default we don't block all ports for an attacking IPs. Only access to the attacked service is blocked.

SMTP has 3 ports: 25, 576, 465
POP has 2 ports, IMAP has 2 ports
HTTP(s) has 2 ports: 80, 443

 

[ditto]

Until now I have disabled BFM and only used CSF. However I need a global solution on my servers for wp-login attacks, so I am thinking about trying BFM + CSF for this. However the way I understand it, is that when using BFM + CSF, and basically all current functions on CSF is lost and not used anymore? What I want is to only use BFM for wp-login attacks, and then continue to use CSF for all other functions. Is that possible?

 

[Cliff Spark]

Until now I have disabled BFM and only used CSF. However I need a global solution on my servers for wp-login attacks, so I am thinking about trying BFM + CSF for this. However the way I understand it, is that when using BFM + CSF, and basically all current functions on CSF is lost and not used anymore? What I want is to only use BFM for wp-login attacks, and then continue to use CSF for all other functions. Is that possible?

Why not just use loginizer plug-in with csf?

I use BFM CSF and loginizer. Works well. Even the Jetpack plug-in does a great job at protecting WP

 

[ditto]

As said I need a global solution. This is shared hosting servers with hundreds of WordPress sites.

 

[Cliff Spark]

Fail2Ban might be what you're looking for.

 

[zEitEr]

Until now I have disabled BFM and only used CSF. However I need a global solution on my servers for wp-login attacks, so I am thinking about trying BFM + CSF for this. However the way I understand it, is that when using BFM + CSF, and basically all current functions on CSF is lost and not used anymore? What I want is to only use BFM for wp-login attacks, and then continue to use CSF for all other functions. Is that possible?

CSF when coupled with BFM is configured to ignore failed AUTH attempts only. All other features are working as usual.

Yes, it is possible to make CSF to keep searching for failed login attempts, for this you need to make sure the following settings are set to 1 in csf.conf.

LF_TRIGGER = "1"
LF_SSHD = "1"
LF_FTPD = "1"
LF_SMTPAUTH = "1"
LF_EXIMSYNTAX = "1"
LF_POP3D = "1"
LF_IMAPD = "1"
LF_HTACCESS = "1"
LF_MODSEC = "1"
LF_DIRECTADMIN = "1"

if you really want it. But it won't stop directadmin from scanning the same logs for attacks.

Do you use cluster mode of CSF/LFD?

 

[Richard G]

@Ditto:

However I need a global solution on my servers for wp-login attacks

I use this in /csf/regex.custom.pm

 # WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("Get lost please",$1,"WPLOGINorWHATEVER","10","80,443","14400");
    }

Works like a charm, server wide. Is that what you're looking for?