grep '18.104.22.168' /var/log/lfd.log
From CSF/LFD, either in DirectAdmin or in a server console. Read the official guides and CSF/LFD usage for more details.
Thanks, how can I enable it?
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the LF_DIRECTADMIN check as well.
If you have the LF_DIRECTADMIN check enabled, then you should unblock the IP directly from CSF/LFD. CSF/LFD also comes with a visual plugin whenever it's installed on a DirectAdmin server.
Blacklist IPs for excessive DA login attempts = 3
A brute force attack has been detected in one of your service logs.
IP 22.214.171.124 has 97 failed login attempts: exim2=97
IP 126.96.36.199 has 22 failed login attempts: wordpress2=22
Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
Thanks a lot for your reply.
See https://help.directadmin.com/item.php?id=404
The option Blacklist IPs for excessive DA login attempts = 3 is responsible only for blocking attacks to DirectAdmin port 2222.
Brute force attacks to other services, according to the image, should be blocked after 5 attempts.
First make sure CSF/LFD is running, and then try to manually block an IP from DirectAdmin brute force manager page and see results.
[root@server ~]# csf -e
csf and lfd are not disabled!
A brute force attack has been detected in one of your service logs.
IP 188.8.131.52 has 15 failed login attempts: wordpress2=15
Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
Adding 184.108.40.206 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 220.127.116.11 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 18.104.22.168
cat blocked_ips.txt | grep "22.214.171.124"
126.96.36.199=dateblocked=1574607782
188.8.131.52=dateblocked=1574649002
184.108.40.206=dateblocked=1574680081
Thanks a lot for your reply, dear Alex.
DirectAdmin finds attacking IPs and tells CSF/LFD to block them. Meanwhile, DirectAdmin manages its own list of blocked IPs, i.e. "blocked_ip.txt", and it is used for metadata only.
If you changed the port for DirectAdmin, it's OK; the option Blacklist IPs for excessive DA login attempts = 3 will still work. What I wanted to say is that the option works only for login attempts to the DirectAdmin panel, whatever port it's running on.
As for Akismet, refer to CSF/LFD documentation.
220.127.116.11 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:47:02 2020
18.104.22.168 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:49:02 2020
22.214.171.124 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:50:01 2020
126.96.36.199 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 16:53:02 2020
188.8.131.52 # lfd: (smtpauth) Failed SMTP AUTH login from 184.108.40.206 (CN/China/-): 5 in the last 3600 secs - Sat Jan 18 16:53:31 2020
220.127.116.11 # Blocked with Directadmin Brute Force Manager - Sat Jan 18 17:00:02 2020
Error: *Error* firewalld found to be running. You must stop and disable firewalld when using csf, at line 922