How to block IPs with Brute Force Monitor in DirectAdmin using CSF

As per the error message, you need to disable firewalld; you can't have two firewalls running at the same time.
Code:
systemctl stop firewalld 
systemctl disable firewalld

Once you do this, CSF will be able to start.
 
So I tried to install CSF manually via this tutorial, but the problem is still there.

Andrea already gave instructions on how to proceed further. My concern is about the method you used to get CSF/LFD installed. Usually CSF/LFD disables all alternative firewall managers during its installation. I don't recall any case where "firewalld" failed to get disabled. Whenever a guide or a script from Poralix is used for installing CSF/LFD, all necessary ports should get opened.

So I guess either something went wrong or you already had CSF/LFD pre-installed, and hence its configs have not been modified during the last attempt to install it.
 
@zEitEr could you explain why this is done in BFM (the "Remove an IP from the BF blacklist after" option, expressed in minutes, is multiplied by 3):

Code:
TTL=$((TTL*3*60));
# It is Directadmin which unblocks the IP, so we need a long enough TTL
# so that Directadmin has a chance to unblock it.
# Additionally convert minutes to seconds (*60).

And what is the minimal time in minutes so that DA would have a 100% chance to unblock it? :)
 
I guess you quoted the text which already explains why this is done in the script, or not? CSF/LFD has its own functionality to clean IPs from the temporary ban list, and here we want it not to remove an IP before DirectAdmin does.

The TTL in the script is a changeable value taken from DirectAdmin. You can set it as low as you need, and since DirectAdmin saves the TTL in minutes, the minimal value is 1 minute. Use 1 minute on your own if it makes any sense for you.
 
Aha. I saw values in CSF which were 3x longer, that's why I wrote this post. It turns out I can completely ignore them and rely on DA to do its job right on time, the time I input in "Remove an IP from the BF blacklist after". Thanks then.
 
Hi, how can I remove an IP from being blocked? I removed it from blocked_ips.txt and ran csf -r, but it is still blocked.
I also tried adding it to exempt_ips.txt and running csf -r, still the same; should I restart something else?
 
This is solved; after I removed the IP from blocked_ips.txt, it needed 1 or 2 minutes to unblock that IP.

But there is one more thing.

I noticed that blocked_ips.txt can contain the same IP more than once; for example, I have around 14k lines now, but when I took all the IPs and removed duplicates there were only around 3k of them. Won't this slow down the system?
 
If you don't want to have duplicates, you should not use the CSF/LFD interface or CLI to unblock IPs blocked by DirectAdmin BFM, and you should not modify the files either. If CSF/LFD is coupled with DirectAdmin, then you should use only the DirectAdmin WebUI to manage banned IPs; do all the actions only on the BruteForce Monitor page.
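Before deciding whether the duplicates matter, a read-only audit answers the 14k-versus-3k question without editing anything. This is an added example, not a script from the thread or from Poralix: it counts total versus unique entries, lists the most repeated addresses, and writes a deduplicated copy to a separate path, so the live /root/blocked_ips.txt stays untouched as advised above. The file paths and the sample addresses in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Poralix): a read-only audit of a
# BFM block list, plus a deduplicated copy written to a separate file, so the
# live /root/blocked_ips.txt is never edited by hand, as advised above.

# Print "total unique duplicates" for the non-empty lines of a list file.
blocklist_stats() {
    total=$(grep -c . "$1" || true)            # grep -c exits 1 on zero matches
    unique=$(grep . "$1" | sort -u | wc -l | tr -d ' ')
    echo "$total $unique $((total - unique))"
}

# The N addresses that appear more than once, most frequent first: "count ip".
top_repeated() {
    grep . "$1" | sort | uniq -c | sort -rn \
        | awk -v n="${2:-5}" '$1 > 1 && NR <= n { print $1, $2 }'
}

# Write a deduplicated copy (first occurrence kept, order preserved) to $2 and
# print the number of lines written. Refuses to overwrite the source list.
dedup_copy() {
    if [ "$1" = "$2" ]; then
        echo "dedup_copy: refusing to overwrite the source list" >&2
        return 1
    fi
    awk 'NF && !seen[$0]++' "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone demo on a constructed list (documentation addresses, not real
# attackers): run as "sh audit.sh demo".
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 203.0.113.5 198.51.100.7 203.0.113.5 192.0.2.9 \
        203.0.113.5 198.51.100.7 192.0.2.10 > "$dir/blocked_ips.txt"
    echo "total unique duplicates: $(blocklist_stats "$dir/blocked_ips.txt")"
    echo "most repeated:"; top_repeated "$dir/blocked_ips.txt" 3
    echo "deduplicated copy has $(dedup_copy "$dir/blocked_ips.txt" "$dir/blocked_ips.dedup.txt") lines"
    rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real server run `blocklist_stats /root/blocked_ips.txt` first; if the duplicate count is large, the fix zEitEr describes is to stop unblocking through CSF or by hand, not to rewrite the file, which is why dedup_copy only ever writes to a new path.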
 
That would be fine, but the BruteForce Monitor page takes 2-3 minutes to load, and every action also takes a lot of time.
 
You might need to reduce the values for:

Reset count of IP/User failed attempts [___] hours after last attempt.
Clear failed login attempts from log [___] days after entry was made.

As soon as you get BFM working, the number of entries will decrease and the speed will increase.
 
To make Directadmin's BFM compatible with CSF you should do the following:

Auto-installation with the help of the script:

Code:
cd ~
wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh

Manual installation:


Code:
cd /usr/local/directadmin/scripts/custom/
cp block_ip.sh block_ip.sh.bak
cp unblock_ip.sh unblock_ip.sh.bak
It's OK if you have no block_ip.sh and unblock_ip.sh; in that case the previous step fails with a warning:

cp: cannot stat `block_ip.sh': No such file or directory
cp: cannot stat `unblock_ip.sh': No such file or directory

Now fetch the files:
Code:
cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

Create the empty block list and exempt list files:
Code:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

This last step is optional and should only be used after you've tested the above setup for a while and are comfortable that you're not going to block yourself. The block_ip.sh is only used for an active "click" by the Admin; it does not automate blocking. To automate blocking, install the following script:

Code:
cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

Now you've got Directadmin which will automatically block IPs of attackers with CSF.

Disable iptables:

It was reported that raw iptables in some cases might overwrite existing rules loaded by CSF/LFD. To avoid this we recommend preventing iptables and ip6tables from being loaded at boot time:

CentOS 5, 6:
Code:
chkconfig iptables off
chkconfig ip6tables off

Code:
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables

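As an added example, not the Poralix block_ip.sh/unblock_ip.sh fetched in the How-To above, here is a single hook script that shows how the pieces discussed in this thread fit together: the TTL conversion from DirectAdmin's minutes to CSF's seconds, tripled so that DirectAdmin rather than LFD lifts the ban (the TTL*3*60 question earlier in the thread); the exempt-list check; and an append to blocked_ips.txt that never writes the same address twice (the 14k-versus-3k duplicates question). It assumes DirectAdmin passes the address in the environment variable ip and the BFM "Remove an IP from the BF blacklist after" value, in minutes, in ttl; both are assumptions about the hook environment, which is why they can also be given as positional arguments. csf -td (temporary deny with a TTL in seconds) and csf -tr (remove from the temporary list) are CSF's own command-line options.

```shell
#!/bin/sh
# Added example hook for DirectAdmin's BFM + CSF (not Poralix's script).
# Install as both block_ip.sh and unblock_ip.sh in
# /usr/local/directadmin/scripts/custom/ (e.g. a hard link); the action is
# chosen from the file name. Assumptions: DirectAdmin exports the address in
# $ip and the BFM "remove after" value, in minutes, in $ttl; both may also be
# passed as arguments ($1 address, $2 minutes) when run by hand.

BLOCK_LIST="${BLOCK_LIST:-/root/blocked_ips.txt}"
EXEMPT_LIST="${EXEMPT_LIST:-/root/exempt_ips.txt}"
CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"
DEFAULT_TTL_MIN=60      # assumed fallback when no TTL is supplied

# Accept only a plain IPv4 dotted quad, so nothing unexpected ever reaches the
# csf command line (the address was parsed out of a log an attacker wrote to).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || exit 1
      for n in "$@"; do
          [ "${#n}" -le 3 ] && [ "$n" -le 255 ] || exit 1
      done )
}

# DirectAdmin stores the TTL in minutes; CSF wants seconds. It is tripled, as
# in the script quoted earlier in the thread, so LFD does not expire the entry
# before DirectAdmin itself unblocks the address.
csf_ttl_seconds() { echo $(( $1 * 3 * 60 )); }

is_exempt()      { [ -f "$EXEMPT_LIST" ] && grep -qxF "$1" "$EXEMPT_LIST"; }
already_listed() { [ -f "$BLOCK_LIST" ]  && grep -qxF "$1" "$BLOCK_LIST"; }

# Block: record the address once (no duplicate lines), then temp-deny it in CSF.
block_ip() {
    addr="$1"; ttl_min="${2:-$DEFAULT_TTL_MIN}"
    valid_ipv4 "$addr" || { echo "block_ip: invalid address '$addr'" >&2; return 2; }
    case "$ttl_min" in
        ''|*[!0-9]*) echo "block_ip: TTL must be an integer number of minutes" >&2; return 2 ;;
    esac
    if is_exempt "$addr"; then
        echo "block_ip: $addr is on the exempt list, not blocking" >&2
        return 0
    fi
    already_listed "$addr" || echo "$addr" >> "$BLOCK_LIST"
    "$CSF_BIN" -td "$addr" "$(csf_ttl_seconds "$ttl_min")" "DirectAdmin BFM"
}

# Unblock: remove the address from the list (rewriting in place, so the file's
# owner and mode are kept) and from CSF's temporary deny list.
unblock_ip() {
    addr="$1"
    valid_ipv4 "$addr" || { echo "unblock_ip: invalid address '$addr'" >&2; return 2; }
    if [ -f "$BLOCK_LIST" ]; then
        tmp=$(mktemp)
        grep -vxF "$addr" "$BLOCK_LIST" > "$tmp" || true   # grep exits 1 when nothing is left
        cat "$tmp" > "$BLOCK_LIST"; rm -f "$tmp"
    fi
    "$CSF_BIN" -tr "$addr"
}

# Dispatch on the script's own name so one file serves both hooks.
case "$(basename "$0")" in
    block_ip.sh)   block_ip "${ip:-$1}" "${ttl:-$2}" ;;
    unblock_ip.sh) unblock_ip "${ip:-$1}" ;;
esac
```

To try it by hand before wiring it into DirectAdmin, copy it to block_ip.sh and run `ip=203.0.113.5 ttl=10 ./block_ip.sh`, then check `csf -g 203.0.113.5` shows a temporary deny and that a second run leaves blocked_ips.txt with a single line for the address.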

@zEitEr Is it required to disable iptables?
 
Is it standard for CSF to display these alerts after installing the plugin?
Firewall Check
LF_SSHD option check
This option helps prevent brute force attacks on your server services
LF_FTPD option check
This option helps prevent brute force attacks on your server services
LF_SMTPAUTH option check
This option helps prevent brute force attacks on your server services
LF_POP3D option check
This option helps prevent brute force attacks on your server services
LF_IMAPD option check
This option helps prevent brute force attacks on your server services
LF_HTACCESS option check
This option helps prevent brute force attacks on your server services
LF_MODSEC option check
This option helps prevent brute force attacks on your server services
 
Where are you getting this?

I guess you are under CSF > Server security
 
Hello,
I have installed Comodo ModSecurity on the server.
Is it OK to keep it installed, and will it not conflict with CWAF?
 
Hi, I have this modification installed on my server with DirectAdmin, and in the csf config I have set LF_SSHD to 5. The question is: where is a blocked IP going to be saved, to /etc/csf/csf.deny or /root/blocked_ips.txt?
 
Hello, for a week the server has been blocking IPs in my DirectAdmin:

A brute force attack has been detected in one of your service logs.

IP 108.162.229.15 has 845 failed login attempts: wordpress1=845 & wordpress2=1
IP 141.101.104.12 has 269 failed login attempts: mod_security1=74 & wordpress1=121 & wordpress2=2
IP 141.101.104.120 has 228 failed login attempts: mod_security1=57 & wordpress1=114 & wordpress2=5
IP 141.101.104.152 has 282 failed login attempts: mod_security1=79 & wordpress1=124 & wordpress2=6
IP 141.101.104.6 has 298 failed login attempts: mod_security1=66 & wordpress1=112 & wordpress2=434

I get many notifications of these every 10 minutes; how can I solve it?
 