How to block IPs with Brute Force Monitor in DirectAdmin using CSF

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
@roly,

I will check from my side and let you know.


@shanky,

1. It is Directadmin BFM which should be configured to detect attacks on wp-login.php. Check https://www.directadmin.com/features.php?id=1695


2. Check:


There will be a set of filter definitions (multiple definitions for each service) stored in:
/usr/local/directadmin/data/templates/brute_filter.list


where you can also create a custom version here:
/usr/local/directadmin/data/templates/custom/brute_filter.list

https://www.directadmin.com/features.php?id=1227

So, it's possible.
 

zEitEr

Super Moderator
Hi,

This works fine with USE_PORT_SELECTED_BLOCK=1, but if I change it to USE_PORT_SELECTED_BLOCK=0 it no longer works. Any ideas what the problem is? I'm using CentOS 6.

I did not find any issue on my end. What do you see in /var/log/directadmin/ when searching for an IP that is expected to be blocked?
 

alex2k

Verified User
Joined
Oct 28, 2004
Messages
85
Location
Behind You!
Hi,

My client's IP has been blocked because of failed logins (email).
How do I whitelist the client's IP to avoid it being blocked?

Thank you...
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
You could put the client's IP in the csf.ignore file.
However, no checks at all will be done against that IP anymore. So if the client's machine gets infected with spam malware, they can have a ball.

It's better to teach customers to write down their passwords, because even whitelisted they won't be able to log in with the correct password. I would never whitelist a customer's IP, but that's your choice.
 

zEitEr

Super Moderator
Alex,

If you followed the guide in full and disabled CSF from checking logs for brute-force attempts, it will be sufficient to add trusted IPs to the skip list natively managed by Directadmin. You can find it on the BFM page at admin level in Directadmin.

1. Connect to DA as admin
2. Go to Brute Force Monitor
3. Find text area under a list of attacking IPs
4. Specify your IP
5. Click "Add to skip list"

 

alex2k

Verified User
Thank you for your solution Alex
 

alex2k

Verified User
Thank you for your suggestion, Richard.

Yes, I know the risk and I will teach the client as you suggest :)
 

qba82

Verified User
Joined
Jun 26, 2018
Messages
43
Hi,
I have a problem with the implementation. Actually it works well, but after I applied it, CSF stopped adding new IPs to /etc/csf/csf.deny except those marked # Blocked with Directadmin Brute Force Manager.

What might be the problem?
 

zEitEr

Super Moderator
Using the guide/script you disable CSF/LFD from scanning logs for attacks; since then only Directadmin scans logs for attacking IPs and tells CSF to block them.

Directadmin and CSF/LFD originally do the same work, they duplicate each other, and the setup addresses that.
 

qba82

Verified User
OK great, can I configure it, like the number of lines for blocked_ips.txt or other options? Does it block SSH brute-force attacks?
 

zEitEr

Super Moderator
Directadmin detects brute-force attacks on Apache/nginx, exim, dovecot, FTP and SSH, and blocks attacking IPs.
 

Freddy

Verified User
Joined
Apr 14, 2016
Messages
41
I have used your auto installation script and I must say it works great. Thank you so much for making that!

I do have a problem with the skip list. According to this feature I can add an IP range to the skip list. This range does not seem to work with your CSF script.

Let's say my brute_skip.list looks like this:

Code:
90.1.2.1-255=comments=Test range&type=IP&when=%31%35%35%34%38%38%37%32%36%38
90.1.2.25=comments=Single IP&type=IP&when=%31%35%35%34%38%38%37%32%36%38
When I try to block 90.1.2.24 it succeeds, while it should be within the range. When I try to block 90.1.2.25 it fails because it is listed as a single IP.
FYI: Both lines in the skip list were added through the BFM user interface within DirectAdmin. The file has not been edited manually.
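As an added example (not Freddy's file, the guide's script, or any Directadmin code), a Python check that parses entries in the layout quoted above and tests an IP against both single addresses and the range form. The range syntax `a.b.c.START-END` is an assumption read from the sample line, and `literal_keys` is included only to show how a key-for-key lookup misses 90.1.2.24 while a range-aware check covers it.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample in the layout of the two brute_skip.list lines quoted
# above; not copied from any real server.
BRUTE_SKIP_LIST = """\
90.1.2.1-255=comments=Test range&type=IP&when=%31%35%35%34%38%38%37%32%36%38
90.1.2.25=comments=Single IP&type=IP&when=%31%35%35%34%38%38%37%32%36%38
"""

def parse_skip_list(text):
    """Return (low, high, meta) per entry.  The key before the first '=' is a
    single IPv4 address or (assumed from the sample) a last-octet range
    'a.b.c.START-END'; the rest is a query string whose 'when' value is a
    URL-encoded UNIX timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        meta = {k: v[0] for k, v in parse_qs(rest).items()}
        if "-" in key:
            prefix, _, span = key.rpartition(".")
            start, _, end = span.partition("-")
            low = ipaddress.IPv4Address(f"{prefix}.{start}")
            high = ipaddress.IPv4Address(f"{prefix}.{end}")
        else:
            low = high = ipaddress.IPv4Address(key)
        entries.append((low, high, meta))
    return entries

def literal_keys(text):
    """Raw keys only: the kind of exact-match lookup that lets 90.1.2.24 through."""
    return {line.partition("=")[0] for line in text.splitlines() if line.strip()}

def skip_reasons(ip, entries):
    """Comments of every entry covering ip; an empty list means 'not skipped'."""
    addr = ipaddress.IPv4Address(ip)
    return [meta.get("comments", "") for low, high, meta in entries
            if low <= addr <= high]

ENTRIES = parse_skip_list(BRUTE_SKIP_LIST)

if __name__ == "__main__":
    for ip in ("90.1.2.24", "90.1.2.25", "90.1.3.24"):
        print(ip, "literal:", ip in literal_keys(BRUTE_SKIP_LIST),
              "range-aware:", skip_reasons(ip, ENTRIES))
```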
 

Freddy

Verified User
Are IP addresses being blocked by the service they use? Is it possible that an IP address appears multiple times in the BFM blocked list? I am seeing some IP addresses multiple times in the blocked list. Is that because they first attack over HTTP (port 80) and, after being blocked, attack over HTTPS (port 443)?
 

zEitEr

Super Moderator
The brute_skip.list is used by Directadmin; if you think it does not filter IPs properly, you need to contact the Directadmin developers on the matter.

It is Directadmin that finds attacking IPs in logs and tells CSF/LFD to block them with iptables. In the current setup CSF/LFD is disabled from scanning logs for attacks.

The IP might appear several times; by default we don't block all ports for an attacking IP. Only access to the attacked service is blocked.

SMTP has 3 ports: 25, 576, 465
POP has 2 ports, IMAP has 2 ports
HTTP(s) has 2 ports: 80, 443



 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,450
Until now I have disabled BFM and only used CSF. However, I need a global solution on my servers for wp-login attacks, so I am thinking about trying BFM + CSF for this. The way I understand it, though, is that when using BFM + CSF basically all current functions of CSF are lost and not used anymore? What I want is to use BFM only for wp-login attacks and continue to use CSF for all other functions. Is that possible?
 

r3chn3r

Verified User
Joined
Jan 13, 2013
Messages
104
Why not just use the Loginizer plug-in with CSF?

I use BFM, CSF and Loginizer. Works well. Even the Jetpack plug-in does a great job at protecting WP.
 

ditto

Verified User
As said, I need a global solution. These are shared hosting servers with hundreds of WordPress sites.
 

zEitEr

Super Moderator
CSF when coupled with BFM is configured to ignore failed AUTH attempts only. All other features are working as usual.

Yes, it is possible to make CSF keep searching for failed login attempts; for this you need to make sure the following settings are set to 1 in csf.conf.

Code:
LF_TRIGGER = "1"
LF_SSHD = "1"
LF_FTPD = "1"
LF_SMTPAUTH = "1"
LF_EXIMSYNTAX = "1"
LF_POP3D = "1"
LF_IMAPD = "1"
LF_HTACCESS = "1"
LF_MODSEC = "1"
LF_DIRECTADMIN = "1"
if you really want it. But it won't stop Directadmin from scanning the same logs for attacks.

Do you use cluster mode of CSF/LFD?
 

Richard G

Verified User
@Ditto:
I use this in /csf/regex.custom.pm
Code:
# WP-LOGINS
# Returned list: (description, offending IP, trigger name, failures before block, ports, temp block seconds)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("Get lost please",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}
Works like a charm, server wide. Is that what you're looking for?
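As an added example (not Richard G's code or CSF's own), the same pattern run in Python over constructed access-log lines, with the rule's threshold of 10 hits, ports 80,443 and a 14400-second block. The per-IP counting is a simplification of what LFD does: it ignores the LF_INTERVAL time window, and the sample addresses are documentation ranges.

```python
import re
from collections import Counter

# The regex.custom.pm pattern from the post above, in Python syntax; the
# trigger count, ports and block time are the values from its return().
WP_LOGIN_RE = re.compile(r'(\S+).*\] "\w*(?:GET|POST) /wp-login\.php.*" ')
TRIGGER_COUNT = 10
PORTS = "80,443"
BLOCK_SECONDS = 14400

def wp_login_rule(line):
    """Python twin of the Perl rule: the tuple CSF expects, or None on no match."""
    m = WP_LOGIN_RE.search(line)
    if not m:
        return None
    return ("Get lost please", m.group(1), "WPLOGINorWHATEVER",
            str(TRIGGER_COUNT), PORTS, str(BLOCK_SECONDS))

def attacker_ips(log_lines, threshold=TRIGGER_COUNT):
    """Per-IP count of matching lines, kept only where it reaches threshold.

    Assumption/simplification: LFD additionally requires the hits to fall
    inside LF_INTERVAL; that time window is ignored here.
    """
    hits = Counter()
    for line in log_lines:
        m = WP_LOGIN_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def access_line(ip, method, path, status):
    """Constructed Apache combined-log line (not from a real server)."""
    return (f'{ip} - - [10/Apr/2019:12:00:01 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = (
    [access_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 12  # password guessing
    + [access_line("198.51.100.4", "GET", "/wp-login.php", 200)] * 2  # admin opens the form
    + [access_line("198.51.100.4", "POST", "/wp-login.php", 302)]     # admin logs in
    + [access_line("192.0.2.9", "GET", "/index.php", 200)] * 20       # unrelated traffic
)

if __name__ == "__main__":
    # The pattern ignores the HTTP status, so the admin's GETs and successful
    # login count as hits too; only the threshold keeps 198.51.100.4 unblocked.
    print(attacker_ips(SAMPLE_LOG))  # {'203.0.113.7': 12}
```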
 