How to block IPs with Brute Force Monitor in DirectAdmin using CSF

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
If you don't see a blocked IP on the page then the IP has been blocked by CSF/LFD directly, for port scanning probably. Check logs for more details.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.
 

realitsolution

Verified User
Joined
Jul 1, 2019
Messages
61
Location
GMT +6.00
From CSF/LFD either in directadmin or in a server console. Read official guides and csf/lfd usage for more details.
Code:
grep '103.237.76.34' /var/log/lfd.log
Sep 18 20:45:42 tofa lfd[995]: (directadmin) Failed DirectAdmin login from 103.237.76.34 (BD/Bangladesh/103.237.76.34.combinedbd.com): 5 in the last 3600 secs - *Blocked in csf* [LF_DIRECTADMIN]

I just checked the log, and it shows this, but I can not find it in the visual plugin :(
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSF/LFD comes with a visual plugin whenever it's installed on a DirectAdmin server.
 

realitsolution

Verified User
Joined
Jul 1, 2019
Messages
61
Location
GMT +6.00
The guide you are referring to suggests disabling LF_DIRECTADMIN in CSF/LFD. There is also an auto-installer which disables the check LF_DIRECTADMIN as well.

If you have the check LF_DIRECTADMIN enabled then you should unblock the IP directly from CSF/LFD. And CSF/LFD comes with a visual plugin whenever it's installed on a DirectAdmin server.
Thanks, how can I enable it?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
If you don't have the CSF/LFD plugin installed, it might mean your installation is not correct. You should either re-install CSF/LFD or enable the plugin manually.

I don't have instructions on either of these two.
You should read official guides and csf/lfd usage for more details.
 

SupportIGC

New member
Joined
Sep 21, 2019
Messages
2
Using BFM with CSF (all together)

I installed CSF to work with BFM using the link above (automated method) :
- https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

Everything seems to work well (after 2 days).

Analyzing the log file '/var/log/exim/rejectlog', I found we have too many "authentication required" rejections from the same IPs

2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <info@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <admin@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <noreply@mydomain.eu>:
2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <contact@mydomain.eu>:

So I customized the line above (in '/etc/csf/csf.conf')
- CUSTOM1_LOG = "/var/log/exim/rejectlog"

And added the lines above (in '/etc/csf/regex.custom.pm')

Code:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: authentication required/)) {
    # return fields: log text, IP (capture $2), check identifier, trigger count, ports ("" = all ports), block time in seconds
    return ("RCPT not allowed from",$2,"RCPT","5","","3600");
}

I've restarted csf using 'csf -r' and lfd using 'lfd -r'

But even if BFM works, CSF custom scans seem to be ignored.

I (successfully) tested the regex using the link above :
- https://www.regextester.com/

After reading all this thread, I understood that only bfm is active. The scans provided by csf alone are not.

How is it possible to keep bfm active AND add some custom ones ?

Many thanks for any help,

Jérémy
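The custom check above has two parts: a regex that pulls the connecting IP out of an exim rejectlog line, and a trigger rule (5 hits, 3600 seconds). The following Python is an added example, not code from the thread or from CSF/LFD; it re-implements the posted Perl pattern in Python and replays constructed rejectlog lines through a sliding-window counter so you can see which IP would reach the trigger. The sample lines are constructed to resemble the thread's excerpt (the thread's lines are cut after the final ':', so the "authentication required" suffix is assumed), and the hostnames and the 198.51.100.7 / 203.0.113.9 addresses are documentation addresses, not from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Python rendering of the Perl pattern posted for regex.custom.pm: group 1 is the
# timestamp, group 2 the connecting IP (the bracketed address after the HELO part).
REJECT_RE = re.compile(
    r"^(.+) H=\(\S+\) \[(\S+)\] F=<\S+> rejected RCPT <\S+>: authentication required"
)

# Same thresholds as the posted return tuple: trigger after 5 hits within 3600 s.
TRIGGER_COUNT = 5
WINDOW_SECONDS = 3600

# Constructed sample lines modelled on the thread's rejectlog excerpt.
SAMPLE_LINES = [
    "2019-09-21 10:00:00 H=(mail.example.net) [198.51.100.7] F=<a@example.net> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 11:30:00 H=(mail.example.net) [198.51.100.7] F=<a@example.net> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 13:00:00 H=(mail.example.net) [198.51.100.7] F=<a@example.net> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 14:30:00 H=(mail.example.net) [198.51.100.7] F=<a@example.net> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <admin@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <noreply@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <contact@mydomain.eu>: authentication required",
    "2019-09-21 15:05:22 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <sales@mydomain.eu>: authentication required",
    "2019-09-21 15:05:22 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <support@mydomain.eu>: authentication required",
    "2019-09-21 15:06:00 H=(mx.example.org) [203.0.113.9] F=<b@example.org> rejected RCPT <info@mydomain.eu>: relay not permitted",
    "2019-09-21 16:00:00 H=(mail.example.net) [198.51.100.7] F=<a@example.net> rejected RCPT <info@mydomain.eu>: authentication required",
]


def parse_line(line):
    """Return (timestamp, ip) for a line matching the custom check, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m.group(2)


def find_offenders(lines, trigger=TRIGGER_COUNT, window=WINDOW_SECONDS):
    """Replay lines in order and return {ip: time_of_block} for every IP whose
    matching lines reach `trigger` within a sliding `window` of seconds.
    Hits older than the window are dropped, so slow, spread-out attempts
    never accumulate (the failure mode a fixed counter would miss)."""
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in blocked:
            continue  # already decided; a real check would stop counting here
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= trigger:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LINES).items():
        print(f"{ip} reached {TRIGGER_COUNT} rejections within {WINDOW_SECONDS}s at {when.isoformat()}")
```

With the sample data, 193.32.160.135 is flagged on its fifth line (15:05:22) while 198.51.100.7, whose five rejections are spread 90 minutes apart, never reaches the trigger inside one hour; widening the window to six hours flags it too. The regex also silently skips the "relay not permitted" line, which is the behaviour you want from a check keyed on a specific rejection reason.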
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Jérémy,

Automated method disables checks in CSF/LFD letting DirectAdmin BFM do its job. DirectAdmin BFM does not read settings from '/etc/csf/csf.conf'. You will need to add your custom settings into DirectAdmin; you can create a custom file here for this:

/usr/local/directadmin/data/templates/custom/brute_filter.list

See https://www.directadmin.com/features.php?id=1227 for more details.
 

SupportIGC

New member
Joined
Sep 21, 2019
Messages
2
CSF did the job

Thanks for your answer,

It seems that CSF finally did the job after a daemon restart at 00:00

But I will have a look at your solution of setting this in the file 'brute_filter.list' in the folder 'custom' and let you know.

But today I don't have such logs any more... due to the CSF work (;-)

Code:
exim5=ip_after=]) [&ip_until=]&text=: authentication required

Jérémy
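To make the brute_filter.list route that zEitEr pointed to concrete, here is an added Python example (not DirectAdmin's code, and not from the thread) that interprets the exim5 entry posted above the way its three fields read: the line must contain `text`, and the IP is the substring between the first `ip_after` and the next `ip_until`. How DirectAdmin itself parses the file is an assumption here (fields split on `&`, key and value split on the first `=`); only the entry and the blocked_ips.txt line format come from the thread. The sample log lines are constructed; a second entry, ALT_ENTRY, is my own broader variant, not from the page, shown to illustrate why the posted anchor matches only senders whose HELO is a bracketed address.

```python
import ipaddress

# The custom entry posted in the thread, in DirectAdmin brute_filter.list syntax.
ENTRY = "exim5=ip_after=]) [&ip_until=]&text=: authentication required"

# Assumed broader variant (not from the thread): anchor on ') [' so lines whose
# HELO is a hostname, e.g. 'H=(mx.example.org) [203.0.113.9]', are matched too.
ALT_ENTRY = "exim5=ip_after=) [&ip_until=]&text=: authentication required"

# Constructed rejectlog lines modelled on the thread's excerpt; the text after the
# final ':' is assumed, since the thread's lines are cut there.
SAMPLE_LINES = [
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <admin@mydomain.eu>: authentication required",
    "2019-09-21 15:05:21 H=([193.32.160.145]) [193.32.160.135] F=<mkkf6957ild864p9@polizet.ru> rejected RCPT <noreply@mydomain.eu>: authentication required",
    "2019-09-21 15:07:03 H=(mx.example.org) [203.0.113.9] F=<b@example.org> rejected RCPT <info@mydomain.eu>: authentication required",
    "2019-09-21 15:08:10 H=(mx.example.org) [203.0.113.9] F=<b@example.org> rejected RCPT <info@mydomain.eu>: relay not permitted",
]


def parse_entry(entry):
    """Split 'name=key=value&key=value...' into (name, {key: value}).
    Assumed rule: '&' separates fields, the first '=' of a field separates key and value."""
    name, _, body = entry.partition("=")
    fields = {}
    for field in body.split("&"):
        key, _, value = field.partition("=")
        fields[key] = value
    return name, fields


def extract_ip(line, fields):
    """Apply text / ip_after / ip_until to one log line; return the IP or None."""
    if fields.get("text", "") not in line:
        return None
    start = line.find(fields["ip_after"])
    if start < 0:
        return None
    start += len(fields["ip_after"])
    end = line.find(fields["ip_until"], start)
    if end < 0:
        return None
    candidate = line[start:end].strip()
    try:
        ipaddress.ip_address(candidate)  # accept only a literal address, never a hostname
    except ValueError:
        return None
    return candidate


def count_failures(lines, entry):
    """Return (check name, {ip: hits}), i.e. what an 'exim5=N' counter would see."""
    name, fields = parse_entry(entry)
    counts = {}
    for line in lines:
        ip = extract_ip(line, fields)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return name, counts


def over_threshold(counts, threshold=5):
    """IPs whose hit count reached the per-service threshold (5 in the thread's screenshot)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def blocked_ips_record(ip, epoch):
    """One line in the blocked_ips.txt format quoted later in the thread: ip=dateblocked=<epoch>."""
    return f"{ip}=dateblocked={int(epoch)}"


if __name__ == "__main__":
    for entry in (ENTRY, ALT_ENTRY):
        name, counts = count_failures(SAMPLE_LINES, entry)
        print(name, counts, "over threshold:", over_threshold(counts, 3))
```

With the posted entry only 193.32.160.135 is counted: the `]) [` anchor requires the HELO to be a bracketed literal, so the 203.0.113.9 line is skipped even though its text matches. The variant anchored on `) [` counts both, and the "relay not permitted" line is ignored by either entry because the `text` field does not appear in it.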
 

Game Over!

Verified User
Joined
Jan 19, 2018
Messages
7
Thanks for your script and tutorial.
I have installed CSF from the first post and set
Code:
Blacklist IPs for excessive DA login attempts = 3
but it seems it doesn't ban attackers.

I just attached my settings as a JPG file and here are my DA messages:

A brute force attack has been detected in one of your service logs.

Code:
A brute force attack has been detected in one of your service logs.

IP 188.165.169.140 has 97 failed login attempts: exim2=97
IP 69.30.221.90 has 22 failed login attempts: wordpress2=22

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
I just wonder why the attacker can try 97 or 22 attacks when I set it to "3"?

Note: I changed my SSH port and DA port.

Thanks in advance
 


zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
See https://help.directadmin.com/item.php?id=404

The option Blacklist IPs for excessive DA login attempts = 3 is responsible only for blocking attacks to DirectAdmin port 2222.

Brute-force attacks to other services according to the image should be blocked after 5 attempts.

First make sure CSF/LFD is running, and then try to manually block an IP from DirectAdmin brute force manager page and see results.
 

Game Over!

Verified User
Joined
Jan 19, 2018
Messages
7
See https://help.directadmin.com/item.php?id=404

The option Blacklist IPs for excessive DA login attempts = 3 is responsible only for blocking attacks to DirectAdmin port 2222.

Brute-force attacks to other services according to the image should be blocked after 5 attempts.

First make sure CSF/LFD is running, and then try to manually block an IP from DirectAdmin brute force manager page and see results.
Thanks a lot for your reply.
CSF is running as you can see in the code below
Code:
[root@server ~]# csf -e
csf and lfd are not disabled!
Also I tried blocking this IP in CSF:
Code:
A brute force attack has been detected in one of your service logs.

IP 183.150.223.153 has 15 failed login attempts: wordpress2=15

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
and CSF told me :
Code:
Adding 183.150.223.153 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  183.150.223.153  -> 0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 183.150.223.153
but when I did
Code:
cat blocked_ips.txt | grep "183.150.223.153"
it gave me :
Code:
183.150.223.153=dateblocked=1574607782
183.150.223.153=dateblocked=1574649002
183.150.223.153=dateblocked=1574680081
So what should I do now? Is blocking in "blocked_ip.txt" enough? Or should it also be blocked in CSF?
How can I do that?
Why is DirectAdmin not smart enough to monitor a changed port?
Where should I request DirectAdmin to add this feature?
Where can I do that for CSF? Adding a feature like Akismet in WordPress to automatically block well-known attackers on all servers that have CSF installed.

Thanks in advance
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
DirectAdmin finds attacking IPs and tells CSF/LFD to block them. Meanwhile DirectAdmin manages its own list of blocked IPs, i.e. "blocked_ip.txt", and it is used for metadata only.

If you changed the port for DirectAdmin, it's OK, the option Blacklist IPs for excessive DA login attempts = 3 will still work. What I wanted to say is that the option works only for login attempts to the DirectAdmin panel, whatever port it's running on.

As for Akismet, refer to CSF/LFD documentation.
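Since blocked_ips.txt is metadata and the actual block lives in CSF, the practical check when an IP keeps reappearing (as 183.150.223.153 does three times in the output above) is to compare DirectAdmin's record with what CSF holds. The following Python is an added example, not DirectAdmin's or CSF's code: it parses blocked_ips.txt lines in the format quoted in the thread, parses a constructed csf.deny excerpt (one address or CIDR per line, `#` comments ignored, which is the documented shape of that file), and reports each recorded IP with its block history and whether csf.deny covers it. The three 183.150.223.153 timestamps are the ones from the thread; the 188.165.169.140 record and the csf.deny contents are constructed.

```python
import ipaddress
from datetime import datetime, timezone

# blocked_ips.txt lines: the three for 183.150.223.153 are from the thread, the
# fourth is constructed.
BLOCKED_IPS_TXT = """183.150.223.153=dateblocked=1574607782
183.150.223.153=dateblocked=1574649002
183.150.223.153=dateblocked=1574680081
188.165.169.140=dateblocked=1574600000
"""

# Constructed csf.deny excerpt: one address or CIDR per line, '#' starts a comment.
CSF_DENY = """# constructed csf.deny sample
188.165.169.140 # lfd: constructed comment
203.0.113.0/24 # manually added range
"""


def parse_blocked_ips(text):
    """Return {ip: [datetime, ...]} from blocked_ips.txt style lines; skips malformed lines."""
    out = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if "=dateblocked=" not in raw:
            continue
        ip, _, epoch = raw.partition("=dateblocked=")
        try:
            ipaddress.ip_address(ip)
            when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        except ValueError:
            continue
        out.setdefault(ip, []).append(when)
    return out


def parse_csf_deny(text):
    """Return the set of address/CIDR tokens in csf.deny (first token of each non-comment line)."""
    denied = set()
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if raw:
            denied.add(raw.split()[0])
    return denied


def is_denied(ip, denied):
    """True if ip equals, or falls inside, any entry; entries that are not plain
    addresses or CIDRs (csf.deny also allows advanced port/protocol syntax) are skipped."""
    addr = ipaddress.ip_address(ip)
    for entry in denied:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def reconcile(blocked_txt, csf_deny_txt):
    """For each IP DirectAdmin recorded: how often it was blocked, when, and whether csf.deny has it."""
    denied = parse_csf_deny(csf_deny_txt)
    report = {}
    for ip, times in parse_blocked_ips(blocked_txt).items():
        times.sort()
        report[ip] = {
            "in_csf_deny": is_denied(ip, denied),
            "times_blocked": len(times),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
        }
    return report


def missing_from_csf(blocked_txt, csf_deny_txt):
    """IPs DirectAdmin recorded that csf.deny does not cover: the ones to investigate."""
    return sorted(ip for ip, r in reconcile(blocked_txt, csf_deny_txt).items() if not r["in_csf_deny"])


if __name__ == "__main__":
    for ip, r in reconcile(BLOCKED_IPS_TXT, CSF_DENY).items():
        print(ip, r)
    print("recorded by DirectAdmin but absent from csf.deny:", missing_from_csf(BLOCKED_IPS_TXT, CSF_DENY))
```

Two caveats when running this against a live server: a temporary block (such as the 3600-second one used earlier in the thread) is kept in CSF's temporary ban list rather than in csf.deny, so check `csf -t` as well, and `csf -g <ip>` searches both iptables and the csf.deny/csf.allow files for one address. An IP that DirectAdmin records repeatedly, like 183.150.223.153 at 15:03, 02:30 and 11:08 UTC across two days, but that never appears in either list, is the signal that the hand-off from DirectAdmin to CSF is not happening.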
 

Game Over!

Verified User
Joined
Jan 19, 2018
Messages
7
DirectAdmin finds attacking IPs and tells CSF/LFD to block them. Meanwhile DirectAdmin manages its own list of blocked IPs, i.e. "blocked_ip.txt", and it is used for metadata only.

If you changed the port for DirectAdmin, it's OK, the option Blacklist IPs for excessive DA login attempts = 3 will still work. What I wanted to say is that the option works only for login attempts to the DirectAdmin panel, whatever port it's running on.

As for Akismet, refer to CSF/LFD documentation.
Thanks a lot for your reply dear Alex.
So the main question is:

What should I do to make CSF/LFD block IPs listed in "blocked_ip.txt" automatically?
Why didn't CSF block them, as I can see IP 183.150.223.153 already exists there?


Beside I thought DA will block IPs into
Code:
/usr/local/directadmin/data/admin/ip_blacklist
but I meant "blocked_ip.txt" in the root path of my server, and I should note that this file was created after installing "CSF"
and another question is
"What should I do to make CSF/LFD block other attacks like exim, wordpress, etc...?"


Thanks a bunch
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
To me it sounds like you are asking how to make things (which should work out of the box by default) work? I don't have an answer, as I would expect them all to be working out of the box by default. That's what the script was created for. DirectAdmin protects all the services: FTP, POP, IMAP, HTTP/HTTPS against continuous brute-force attacks.

If the things do not work you should check logs and try to identify where it is broken.
 