How to block IPs with Brute Force Monitor in DirectAdmin using CSF

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
If you don't see a blocked IP on the page then the IP has been blocked by CSF/LFD directly, for port scanning probably. Check logs for more details.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.
 

realitsolution

Verified User
Joined
Jul 1, 2019
Messages
57
Location
GMT +6.00
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.
grep '103.237.76.34' /var/log/lfd.log
Sep 18 20:45:42 tofa lfd[995]: (directadmin) Failed DirectAdmin login from 103.237.76.34 (BD/Bangladesh/103.237.76.34.combinedbd.com): 5 in the last 3600 secs - *Blocked in csf* [LF_DIRECTADMIN]

I just checked the log, which shows this, but I cannot find it in the visual plugin :(
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSF/LFD comes with a visual plugin whenever it's installed on a DirectAdmin server.
 

realitsolution

Verified User
Joined
Jul 1, 2019
Messages
57
Location
GMT +6.00
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSF/LFD comes with a visual plugin whenever it's installed on a DirectAdmin server.
Thanks, how can I enable it?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
If you don't have the CSF/LFD plugin installed, it might mean your installation is not correct. You should either re-install CSF/LFD or enable the plugin manually.

I don't have instructions on any of these two.
You should read official guides and csf/lfd usage for more details.
 

SupportIGC

New member
Joined
Sep 21, 2019
Messages
2
Using BFM with CSF (all together)

I installed CSF to work with BFM using the link above (automated method):
- https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

Everything seems to work well (after 2 days).

Analyzing the log file '/var/log/exim/rejectlog', I found we have too many 'authentication required' rejections from the same IPs:

2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <info@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <admin@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <noreply@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <contact@mydomain.eu>:

So I customized the line above (in '/etc/csf/csf.conf')
- CUSTOM1_LOG = "/var/log/exim/rejectlog"

And added the lines above (in '/etc/csf/regex.custom.pm')

# Match "authentication required" RCPT rejections in the log registered as CUSTOM1_LOG;
# $1 = timestamp, $2 = the connecting IP (the second bracketed address)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=<\S+> rejected RCPT <\S+>: authentication required/)) {
    # Field order as documented in the header of regex.custom.pm: description, IP, check name,
    # trigger count, ports (empty string = all ports), block length in seconds.
    # Perl drops the empty element of ",," so the ports field must be given explicitly as "".
    return ("RCPT not allowed from ",$2,"RCPT","5","","3600");
}

I've restarted csf using 'csf -r' and lfd using 'lfd -r'

But even if BFM works, CSF custom scans seem to be ignored.

I (successfully) tested the regex using the link above:
- https://www.regextester.com/

After reading all this thread, I understood that only bfm is active. The scans provided by csf alone are not.

How is it possible to keep bfm active AND add some custom ones?

Many thanks for any help,

Jérémy
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
Jérémy,

The automated method disables checks in CSF/LFD, letting DirectAdmin BFM do its job. DirectAdmin BFM does not read settings from '/etc/csf/csf.conf'. You will need to add your custom settings into DirectAdmin; you can create a custom file here for this:

/usr/local/directadmin/data/templates/custom/brute_filter.list

See https://www.directadmin.com/features.php?id=1227 for more details.
 

SupportIGC

New member
Joined
Sep 21, 2019
Messages
2
CSF did the job

Thanks for your answer,

It seems that CSF finally did the job after a daemon restart at 00:00

But I will have a look at your solution of setting this in the file 'brute_filter.list' in the folder 'custom' and let you know.

But today I don't have such logs any more... due to the CSF work (;-)

exim5=ip_after=]) [&ip_until=]&text=: authentication required

Jérémy
 