How to block IPs with Brute Force Monitor in DirectAdmin using CSF

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
As per the error message, you need to disable firewalld; you can't have two firewalls running at the same time.
Code:
systemctl stop firewalld 
systemctl disable firewalld
Once you do this, CSF will be able to start.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
So I tried installing CSF manually via this tutorial but the problem is still there.
Andrea already gave instructions on how to proceed. My concern is about the method which you used to get CSF/LFD installed. Usually CSF/LFD disables all alternative firewall managers during its installation. I don't recall any case where firewalld failed to get disabled. Whenever using a guide or a script from Poralix for installing CSF/LFD, all necessary ports should get opened.

So I guess either something went wrong or you already had CSF/LFD pre-installed, and hence its configs have not been modified during the last attempt to install it.
 

ericc

Verified User
Joined
Jan 2, 2018
Messages
92
Location
EU
@zEitEr could you explain why this is done in BFM (the "Remove an IP from the BF blacklist after" option, expressed in minutes, is multiplied by 3):

Code:
TTL=$((TTL*3*60));
# It is DirectAdmin which unblocks the IP, so we need to have a long enough TTL
# so that DirectAdmin has a chance to unblock it
# Additionally convert minutes to seconds (*60)

And what is the minimal time in minutes, so DA would have a 100% chance to unblock it? :)
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
@zEitEr could you explain why this is done in BFM (the "Remove an IP from the BF blacklist after" option, expressed in minutes, is multiplied by 3):
I guess you quoted the text which already explains why this is done in the script, or not? CSF/LFD has its own functionality to clean IPs from the temporary ban list, and here we want it not to remove an IP before DirectAdmin does it.

And what is the minimal time in minutes, so DA would have a 100% chance to unblock it? :)
The TTL in the script is a changeable value taken from DirectAdmin. You can set it as low as you need, and since DirectAdmin saves the TTL in minutes, the minimal value is 1 minute. Use 1 minute on your own if it makes any sense for you.
 

ericc

Verified User
Joined
Jan 2, 2018
Messages
92
Location
EU
I guess you quoted the text which already explains why this is done in the script, or not? CSF/LFD has its own functionality to clean IPs from the temporary ban list, and here we want it not to remove an IP before DirectAdmin does it.
Aha. I saw values in CSF which were 3x longer, that's why I wrote this post. Turns out I can completely ignore them and rely on DA to do its job right on time, at the time I input in "Remove an IP from the BF blacklist after". Thanks then.
 

qba82

Verified User
Joined
Jun 26, 2018
Messages
53
Hi, how can I remove an IP from being blocked? I removed it from blocked_ips.txt and ran csf -r but it is still blocked.
I also tried adding it to exempt_ips.txt and csf -r, still the same; should I restart something else?
 

qba82

Verified User
Joined
Jun 26, 2018
Messages
53
Hi, how can I remove an IP from being blocked? I removed it from blocked_ips.txt and ran csf -r but it is still blocked.
I also tried adding it to exempt_ips.txt and csf -r, still the same; should I restart something else?
This is solved: after I removed the IP from blocked_ips.txt, it needed 1 or 2 minutes to unblock that IP.

But there is one more thing.

I noticed that blocked_ips.txt can contain the same IP more than once. For example I have around 14k lines now, but when I took all the IPs and removed duplicates, there were only around 3k of them. Will this slow down the system?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
If you don't want to have duplicates, you should not use the CSF/LFD interface or CLI to unblock IPs blocked by DirectAdmin BFM, and should not modify the files either. If CSF/LFD is coupled with DirectAdmin then you should use only the DirectAdmin WebUI to manage banned IPs; do all the actions only on the BruteForce Monitor page.
 

qba82

Verified User
Joined
Jun 26, 2018
Messages
53
That would be fine, but the BruteForce Monitor page takes like 2-3 minutes to load, and every action also takes so much time.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
You might need to reduce the values for:

Reset count of IP/User failed attempts [___] hours after last attempt.
Clear failed login attempts from log [___] days after entry was made.

As soon as you get BFM working, the number of entries will decrease and speed will increase.
 

sufiyanshaikh

Verified User
Joined
Aug 14, 2019
Messages
69
zEitEr said:
To make Directadmin's BFM compatible with CSF you should do the following:

Auto-installation with the help of the script:

Code:
cd ~
wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh

Manual installation:

Code:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak

It's OK if you have no block_ip.sh and unblock_ip.sh, and the previous step might fail with a warning:

cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory

Now fetch the files:
Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Create the empty block list and exempt list files:
Code:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This last step is optional and should only be used after you've tested the above setup for a while, to get comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

Code:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

Now you've got Directadmin which will automatically block IPs of attackers with CSF.

Disable iptables:

It was reported that the raw iptables service in some cases might overwrite existing rules loaded by CSF/LFD. To avoid it we'd recommend disabling iptables and ip6tables from being loaded at boot time:

CentOS 5, 6:
Code:
chkconfig iptables off
chkconfig ip6tables off
Code:
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables

Now you've got Directadmin which will automatically block IPs of attackers with CSF.

Is it required to disable iptables?
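As an added illustration of what the How-To's hook scripts have to get right (this is example code written for this page, not the Poralix scripts from files.plugins-da.net nor DirectAdmin's brute_force_notice_ip.sh), here is a minimal block_ip.sh/unblock_ip.sh pair that hands DirectAdmin BFM decisions to CSF while honouring /root/exempt_ips.txt, keeping /root/blocked_ips.txt free of the duplicate lines reported earlier in the thread, and giving CSF a temporary ban three times longer than DirectAdmin's own expiry (the TTL*3*60 discussed above), so that DirectAdmin and not lfd decides when the ban ends. Assumptions not taken from the thread: the address is passed as the hook's first argument and the BFM "Remove an IP from the BF blacklist after" value, in minutes, as its second (the real hooks take these from DirectAdmin's environment and configuration); the function names and the overridable CSF_CMD, BLOCKED and EXEMPT variables are mine, added so the logic can be exercised without a live csf.

```shell
#!/bin/sh
# Added example, not the Poralix/DirectAdmin hook scripts. Core of a
# block_ip.sh / unblock_ip.sh pair that hands DirectAdmin BFM decisions to CSF.
# Assumptions (not from the thread): the IP is passed as $1 and the BFM
# "Remove an IP from the BF blacklist after" value, in minutes, as $2.
# The three variables are overridable so the logic runs without a live csf.
CSF_CMD="${CSF_CMD:-/usr/sbin/csf}"
BLOCKED="${BLOCKED:-/root/blocked_ips.txt}"
EXEMPT="${EXEMPT:-/root/exempt_ips.txt}"

# DirectAdmin owns the ban lifetime and stores it in minutes; give CSF a
# temporary deny three times as long, in seconds, so lfd's own expiry never
# lifts the rule before DirectAdmin calls unblock_ip.sh.
csf_ttl_seconds() {
    echo $(( $1 * 3 * 60 ))
}

# Accept only a well-formed dotted-quad IPv4 address: exactly four fields,
# each 1-3 digits and at most 255. Anything else is refused before csf sees it.
valid_ipv4() {
    rest="$1." n=0
    while [ -n "$rest" ]; do
        o="${rest%%.*}"
        rest="${rest#*.}"
        case "$o" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# True if the address appears as an exact line in the given list file.
ip_listed() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# block_ip.sh: exempt addresses are never blocked; an address already in
# blocked_ips.txt is not appended a second time, but its CSF ban is refreshed.
block_ip() {
    ip="$1" minutes="$2"
    valid_ipv4 "$ip" || { echo "block_ip: invalid address '$ip'" >&2; return 2; }
    if ip_listed "$ip" "$EXEMPT"; then
        echo "block_ip: $ip is in $EXEMPT, not blocking" >&2
        return 0
    fi
    ip_listed "$ip" "$BLOCKED" || echo "$ip" >> "$BLOCKED"
    ttl=$(csf_ttl_seconds "$minutes")
    # csf -td ip ttl [comment]: temporary deny that lfd removes after ttl seconds
    "$CSF_CMD" -td "$ip" "$ttl" "DirectAdmin BFM"
}

# unblock_ip.sh: drop every copy of the line (stale duplicates go too) and
# remove the temporary CSF rule.
unblock_ip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "unblock_ip: invalid address '$ip'" >&2; return 2; }
    if [ -f "$BLOCKED" ]; then
        grep -vxF -- "$ip" "$BLOCKED" > "$BLOCKED.tmp" || :
        mv "$BLOCKED.tmp" "$BLOCKED"
    fi
    "$CSF_CMD" -tr "$ip"
}

# Number of addresses currently recorded in blocked_ips.txt.
blocked_count() {
    if [ -f "$BLOCKED" ]; then wc -l < "$BLOCKED" | tr -d ' '; else echo 0; fi
}
```

In a real deployment block_ip.sh would call `block_ip "$ip" "$minutes"` and unblock_ip.sh `unblock_ip "$ip"`; csf -td takes the TTL in seconds and csf -tr removes only the temporary rule, which is why the BFM page should stay the single place where these entries are managed, as noted above.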
 

ednei13

New member
Joined
Apr 5, 2020
Messages
4
Is it standard for CSF to display these alerts after installing the plugin?
Firewall Check
LF_SSHD option check
This option helps prevent brute force attacks on your server services
LF_FTPD option check
This option helps prevent brute force attacks on your server services
LF_SMTPAUTH option check
This option helps prevent brute force attacks on your server services
LF_POP3D option check
This option helps prevent brute force attacks on your server services
LF_IMAPD option check
This option helps prevent brute force attacks on your server services
LF_HTACCESS option check
This option helps prevent brute force attacks on your server services
LF_MODSEC option check
This option helps prevent brute force attacks on your server services
 

sufiyanshaikh

Verified User
Joined
Aug 14, 2019
Messages
69
Is it standard for CSF to display these alerts after installing the plugin?
Firewall Check
LF_SSHD option check
This option helps prevent brute force attacks on your server services
LF_FTPD option check
This option helps prevent brute force attacks on your server services
LF_SMTPAUTH option check
This option helps prevent brute force attacks on your server services
LF_POP3D option check
This option helps prevent brute force attacks on your server services
LF_IMAPD option check
This option helps prevent brute force attacks on your server services
LF_HTACCESS option check
This option helps prevent brute force attacks on your server services
LF_MODSEC option check
This option helps prevent brute force attacks on your server services
Where are you getting this?

I guess you are under CSF > Server security
 

sufiyanshaikh

Verified User
Joined
Aug 14, 2019
Messages
69
Hello,
I have installed Comodo ModSecurity on the server.
Is it okay to keep it installed, and will it not conflict with CWAF?
 