How to block n number incorrect logins?

bostko (Verified User; joined Mar 9, 2009; 12 messages)

I want somehow to automatically block several incorrect login attempts.
Now I'm trying to do that with fail2ban, but so far with no success because I don't understand much about regex. Could you help me somehow?

/var/log/directadmin/security.log
(some date) has tried to log in * times, unsuccessfully, this time into *

/etc/fail2ban/jail.conf
action = iptables-multiport[name=direct_admin, port="2222", protocol=tcp]

:) I need a little more help.
 
Why don't you use the built in login fail IP ban option in DA?

Log into DA and click on "Administrator Settings". At the bottom look for "Blacklist IPs for excessive login attempts" and set the # of failed tries before DA blocks the ip. Save and you should be good to go.
 
I want to ask you if my DirectAdmin system is vulnerable to r57shell and c99.
If it is not, can you tell me how to patch it or some other defence.
 
I've not studied either r57shell or c99.

However: DirectAdmin is written in C++, so it's not vulnerable to any PHP vulnerability. Does that answer your question?

Jeff
 
Does the "login fail IP ban option in DA" work for ftp-accounts?
A customer of mine was bruteforced on his ftp.
What would be the simplest/best way to integrate this function without complex firewall?
 
> Does the "login fail IP ban option in DA" work for ftp-accounts?

No; DirectAdmin doesn't manage ftp connections; that functionality is provided by the proFTPd daemon.

> A customer of mine was bruteforced on his ftp.
> What would be the simplest/best way to integrate this function without complex firewall?

I don't know if there's anything written into proFTPd to allow you to set this; you can manually add IP#s to your firewall. If proFTPd works with the hosts.deny file (I think it does but I'm not sure) or if you run ftp through inetd or xinetd, then you can add IP#s to your hosts.deny file (be sure you understand how hosts.deny works before you make any changes to it so you don't block access to your whole server).

Jeff
 
There are some scripts out there that can be run as cron jobs to do what you want.
 
> Does this work for invalid SSHD logins?

I believe that sshd reads hosts.deny; you should check it before relying on it.

Be careful when checking it that you don't lock yourself out.

Floyd is right, though; you'd get more flexibility from a firewall script.

Jeff
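
Added example (not from any poster in this thread): a Python sketch of the matching a fail2ban-style filter needs for the security.log wording quoted in the first post, with an allowlist so the lock-out risk raised above is handled. The timestamp format, the position of the IP directly before "has tried to log in", and the names `ips_to_block`, `threshold` and `allowlist` are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout: "<timestamp> <ip> has tried to log in <n> times,
# unsuccessfully, this time into <account>". Only the fixed wording comes
# from the thread; where the IP sits is an assumption.
FAIL_RE = re.compile(
    r"\b(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has tried to log in (?P<count>\d+) times, "
    r"unsuccessfully, this time into (?P<account>\S+)"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
2009-03-09 10:00:01 203.0.113.7 has tried to log in 3 times, unsuccessfully, this time into admin
2009-03-09 10:00:09 203.0.113.7 has tried to log in 6 times, unsuccessfully, this time into admin
2009-03-09 10:01:30 198.51.100.20 has tried to log in 9 times, unsuccessfully, this time into reseller1
2009-03-09 10:02:00 192.0.2.10 has tried to log in 8 times, unsuccessfully, this time into admin
2009-03-09 10:02:05 999.1.1.1 has tried to log in 50 times, unsuccessfully, this time into admin
2009-03-09 10:03:00 203.0.113.9 logged in successfully as admin
"""


def ips_to_block(log_text, threshold=5, allowlist=("192.0.2.0/24",)):
    """Return sorted IPs whose highest reported failure count reaches threshold.

    Addresses inside an allowlisted network (here a stand-in for the
    administrator's own range) are never returned.
    """
    safe_nets = [ipaddress.ip_network(n) for n in allowlist]
    worst = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # unrelated log line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # matched the digit pattern but is not a valid address
        if any(ip in net for net in safe_nets):
            continue  # never propose blocking an allowlisted source
        worst[str(ip)] = max(worst[str(ip)], int(m.group("count")))
    return sorted(ip for ip, n in worst.items() if n >= threshold)


if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print(ip)
```

Compare the regular expression against a few real lines from your own security.log before relying on it, since the assumed layout may not match your DirectAdmin version.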
 