How to output Brute Force Monitor logs

Roberto

I have a new installation of DirectAdmin & CFS on a Centos VPS. At the moment my web design clients' sites still reside on a re-seller server elsewhere, whilst I am learning to make the VPS system more secure. (may take some time, LOL)

I have had 115 hack attempts from a particular IP which show up on the Brute Force Monitor. I am trying to get these logs and use grep to output lines with the offending IP address to a file, as requested by the network admin where the IP resides. So far, I have looked at the logs...

/usr/local/directadmin/data/admin/brute_log_entries.list

However, the logs have characters in-between the numbers of the IP addresses, like % which makes using the following command ineffective, as the resultant text file is empty:-

grep {IPAddress} /usr/local/directadmin/data/admin/brute_log_entries.list >> hackattempt.txt

Is there a way to get an output as seen in the Brute Force Monitor without all these additional characters?

In addition, how can I get the server to ban the IP earlier than the 115 attempts? Does this have to be done with IP tables, or can CFS be used more easily?

PS - Hope I have posted in the right place.

themadguru
 
scsi,

Example code as requested. Here are 4 lines; I have separated each line with a couple of returns so we can identify where each line begins and ends:-



[UPDATE: Code now removed from this post to protect IP addresses involved, now that scsi has seen]


It goes on and on like that with the hacker attempting different usernames (see end of each line). The output is of course very different from what is seen on the Brute Force Monitor from within Directadmin itself. I may just copy and paste the text from that to send to the administrator that requested the info, it would be simpler I think, unless someone has a suggestion?

Why are the logs obfuscated like this?

the mad guru
 
This command should be able to pull all the ips out.

Code:
cat /usr/local/directadmin/data/admin/brute_log_entries.list | cut -d= -f5 | sed 's/\&.*//' | sed -e's/%\([0-9A-F][0-9A-F]\)/\\\\\x\1/g' | xargs echo -e | sed 's/ /\n/g' | uniq

You might also want to do something like:

http://help.directadmin.com/item.php?id=404
 
Thanks for posting that.

Yes, that command does pull out the IPs, but all it does is end up with a long list of the same IP repeated and no other info. I already know the offending IP, and already gave the IP to the administrator, but want the log to look like the output in DirectAdmin's Brute Force Monitor screen. I can simply copy and paste the output from Directadmin's screen, but wanted a log file that's legible.... but not just a list of IPs, it needs all the other bits of info such as this line from Brute Force Monitor:-

13888111210090 {AttackerIP} office 1 dovecot1 Jan 4 04:51:31 serverName dovecot[966]: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<office>, method=PLAIN, rip={AttackerIP}, lip={ServerIP}, session=<qTANvR3v+ADMvMO3>

The above is how a line needs to look and the info it needs to contain. Not sure why the logfile itself has all those extra characters as in my previous example of 4 lines earlier.
 
What are you doing with this data, because I am sure there is something in directadmin that already does this for you. You should look in the admin section.
 
Here is something that parses all the urlencoded data:

Code:
for i in `cat /usr/local/directadmin/data/admin/brute_log_entries.list`; do echo $i | sed -e's/%\([0-9A-F][0-9A-F]\)/\\\\\x\1/g' | xargs echo -e ;done

Anything else I would probably have to write a more advanced script.
 
What are you doing with this data, because I am sure there is something in directadmin that already does this for you. You should look in the admin section.

Sorry if I didn't explain my intentions properly. As per my 1st post... I reported the IP to the administrator of the offending network, who then asks for logs as proof. I wanted to strip out the lines with the offending IP from the Brute Force Monitor using grep. However as mentioned, the logs found in the following location do not look like the output seen from within Directadmin:

/usr/local/directadmin/data/admin/brute_log_entries.list

So as you see, I only need lines from the log with the specific IP to be sent to the network admin where the hacker resides. Sending just a file with IP addresses and no other info is not enough. Your original script stripped everything... all the juicy bits of info like what method the attacker was using, protocols etc.
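Putting the two halves of the thread together (scsi's percent-decoding and Roberto's need to keep whole lines for one IP), here is an added example, not code from any post or from DirectAdmin: decode each record of brute_log_entries.list first, then filter the legible text by IP. It assumes one percent-encoded record per line; the sample records are constructed, and the real file's field layout is not shown in the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): percent-decode DirectAdmin's
# brute_log_entries.list and keep only the records mentioning one IP,
# so the legible lines can be handed to the network's abuse contact.
# Assumption: one percent-encoded record per line, as the posts describe.

# Decode %XX escapes byte by byte with POSIX octal escapes, so this does
# not depend on printf '%b' understanding \x. A literal '+' is kept as-is,
# since the log text itself can contain '+' (e.g. dovecot session ids).
urldecode() {
    local s=$1 out='' oct
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                oct=$(printf '%03o' "0x${s:1:2}")
                out+=$(printf "\\$oct")
                s=${s:3} ;;
            *)
                out+=${s:0:1}
                s=${s:1} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Decode every record in FILE and print only those containing IP as a
# whole token (-w stops 192.0.2.4 from also matching 192.0.2.45).
brute_entries_for_ip() {
    local file=$1 ip=$2 line
    while IFS= read -r line || [ -n "$line" ]; do
        urldecode "$line"
    done < "$file" | grep -Fw -- "$ip"
}

# Constructed sample shaped after the thread's example line; not real data,
# and the real file's field layout is not shown in the thread.
write_sample() {
    cat > "$1" <<'EOF'
1388811121009=192.0.2.45%20office%201%20dovecot1%20Jan%204%2004%3A51%3A31%20serverName%20dovecot%5B966%5D%3A%20pop3-login%3A%20Disconnected%3A%20Inactivity%20%28auth%20failed%2C%201%20attempts%20in%20180%20secs%29%3A%20user%3D%3Coffice%3E%2C%20method%3DPLAIN%2C%20rip%3D192.0.2.45%2C%20lip%3D203.0.113.10
1388811121010=192.0.2.4%20admin%201%20dovecot1%20Jan%204%2004%3A52%3A02%20serverName%20dovecot%5B966%5D%3A%20pop3-login%3A%20Disconnected%3A%20Inactivity%20%28auth%20failed%2C%201%20attempts%20in%20180%20secs%29%3A%20user%3D%3Cadmin%3E%2C%20method%3DPLAIN%2C%20rip%3D192.0.2.4%2C%20lip%3D203.0.113.10
1388811121011=198.51.100.7%20exim%201%20exim1%20Jan%204%2004%3A53%3A10%20serverName%20dovecot%5B966%5D%3A%20imap-login%3A%20Disconnected%3A%20Inactivity%20%28auth%20failed%2C%201%20attempts%20in%20180%20secs%29%3A%20user%3D%3Cinfo%3E%2C%20method%3DPLAIN%2C%20rip%3D198.51.100.7%2C%20lip%3D203.0.113.10
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
brute_entries_for_ip "$SAMPLE" 192.0.2.4   # legible lines for one attacker
rm -f "$SAMPLE"
```

The character-at-a-time decoder is slow on a very large list, but it is fine for pulling one attacker's entries, and decoding before grepping is what lets a plain IP match at all.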
 